METHOD FOR THE PROVISION OF A NETWORK SERVICE

US 20100082979A1
Filed: 09/23/2009
Published: 04/01/2010
Est. Priority Date: 09/23/2005
Status: Active Grant

First Claim

Patent Images

1. A method for the provision of a network service, the method being implemented using:

(a) a network processing service comprising;

i. a service network comprising one or more service devices, each of which can provide a service over a network,ii. a client network comprising one or more client devices, one or more of which is a client of the service network, and(b) information available to the client network, but not the service network, which is necessary for the functioning of the network processing service provided by the service devices of the service network,wherein a client device comprising a data propagation agent acts toi. retrieve the information from the client network necessary for the service network to fulfil a request from the client network,ii. create a UID, which uniquely identifies the client device on the client networkiii. aggregate UID and associated information into a key-value bundle, and issue said bundle to the service networkiv. amend one or more network communication agents on the client device such that every network communication issued by the network communication agent contains the UID, andwherein the service device;

v. on receipt of a new key-value bundle, acts to store the key-value bundle in its local data-store, and propagate that key-value bundle to all other service devices on the service network, andvi. on receipt of a network communication from the network communication agent located on a client device acts to;

A. extract the UID from the request issued by the network communication agentB. interrogate its data-store for information associated with that UID, such information being essential to the provision of the network processing service, andC. perform the requested service described in the network communication and issue a network communication in turn to the client device with a suitable response.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems provide for sharing information between computer networks in which the information to be shared is required at one location (e.g. for the provision of a data-processing service) but is only available at a separate location. The information may be deliberately absent (e.g. for privacy reasons) or may be unavailable as an artifact of the computer network(s) involved. For the provision of a data-processing service, where several different devices on one network may service contiguous requests from a client device on another network according to a load-balancing strategy, data is propagated once only through the service network. Network communication software is subsequently amended to provide the minimal information necessary for a device on the service network to retrieve the information pertinent to the client device and necessary for its service. Therefore, a web-based single sign-on scheme can operate over HTTP to authorize data-processing services, such as web-filtering services.

116 Citations

View as Search Results

45 Claims

1. A method for the provision of a network service, the method being implemented using:
- (a) a network processing service comprising;
  
  i. a service network comprising one or more service devices, each of which can provide a service over a network,ii. a client network comprising one or more client devices, one or more of which is a client of the service network, and(b) information available to the client network, but not the service network, which is necessary for the functioning of the network processing service provided by the service devices of the service network,wherein a client device comprising a data propagation agent acts toi. retrieve the information from the client network necessary for the service network to fulfil a request from the client network,ii. create a UID, which uniquely identifies the client device on the client networkiii. aggregate UID and associated information into a key-value bundle, and issue said bundle to the service networkiv. amend one or more network communication agents on the client device such that every network communication issued by the network communication agent contains the UID, andwherein the service device;
  
  v. on receipt of a new key-value bundle, acts to store the key-value bundle in its local data-store, and propagate that key-value bundle to all other service devices on the service network, andvi. on receipt of a network communication from the network communication agent located on a client device acts to;
  
  A. extract the UID from the request issued by the network communication agentB. interrogate its data-store for information associated with that UID, such information being essential to the provision of the network processing service, andC. perform the requested service described in the network communication and issue a network communication in turn to the client device with a suitable response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 41, 42, 43)
- - 2. The method of claim 1, including an external network linking the service network and client network, through which a client device of the client network issues a network communication to any of the devices on the service network, and to which a single processing device of the service network responds by issuing a network communication in turn.
  - 3. The method of claim 1 where on receipt of a key-value bundle, the service device augments the key with further information contained within the request, which may optionally include the network address of a gateway device on the client network, such augmented key being used for the persistence and retrieval of associated data, and optionally its propagation.
  - 4. The method of claim 1 where the UID is derived from one or more data of(a) a Media Access Control (MAC) address of the network adapter on the client network device(b) any Internet Protocol (IP) address assigned to the client network devicec) an identifier of a user who is currently controlling the client device, such an identifier optionally comprising one or more ofi. a username assigned to the userii. a password assigned to the useriii. names of one or more groups assigned to the user.
  - 5. The method of claim 4 where the derivation of the UID from data is carried out by functions of the data, used alone or in conjunction, optionally including, but not limited to, one or more of:
    - (a) a subset of the data(b) a concatenation of the data(c) an encrypted concatenation of the data, using a symmetric cipher, such as Blowfish, the Digital Encryption Standard (DES), the Advanced Encryption Standard (AES) and Twofish.(d) an encrypted concatenation of the data, using an asymmetric (“
      
      public-private-key”
      
      ) cipher using a public key available to the client device, such as Rivest, Shamir, Adleman (RSA) algorithm(e) a selection of the bits emitted by a hash function applied to a concatenation of the data, such a hash function including Message Digest 4 (MD4), Message Digest 5 (MD5), Secure Hashing Algorithm 1 (SHA-1), Secure Hashing Algorithm 256 (SHA-256), Secure Hashing Algorithm 384 (SHA-384), Secure Hashing Algorithm 512 (SHA-512), Whirlpool and Tiger.
  - 6. The method of claim 1 where the network processing operates over the HTTP protocol.
  - 7. The method of claim 1 where the UID is embedded in a new header in a standard network communication from the network communicator.
  - 8. The method of claim 1 where the UID is appended to the existing value of a standard header in a standard network communication from the network communicator.
  - 9. The method of claim 7 where the network communicator is a Microsoft Internet Explorer and is instructed to incorporate the UID in a new header by using the BeforeNavigate2( ) event handler to add a new header to the request, the BeforeNavigate2( ) event handler being a part of the DWebBrowserEvents2 interface, the resulting code being integrated with Internet explorer by way of a Browser Helper Object.
  - 10. The method of claim 8 where the network communicator is a Microsoft Internet Explorer and is instructed to incorporate the UID into an existing header'"'"'s value by using the BeforeNavigate2( ) event handler to modify a header within the request, the BeforeNavigate2( ) event handler being a part of the DWebBrowserEvents2 interface, the resulting code being integrated with Internet explorer by way of a Browser Helper Object.
  - 11. The method of claim 7 where the network communicator is Mozilla Firefox and is instructed to incorporate the UID in a new header by using the Mozilla observer service to intercept http-on-modify-request events, the intercept is used to interrogate the state of the request to extract the header structure, and the header structure is amended to incorporate the UID in a new header.
  - 12. The method of claim 8 where the network communicator is Mozilla Firefox and is instructed to incorporate the UID into the value of an existing header by using the Mozilla observer service to intercept http-on-modify-request events, the intercept is used to interrogate the state of the request to extract the header structure, and the header structure is amended to incorporate the UID in an existing header'"'"'s value.
  - 13. The method of claim 8 where the network communicator is Internet Explorer, the header is “
    - User-Agent” and
      
      the method of incorporating the UID in the “
      
      User-Agent”
      
      header consists of;
      
      (a) changing the value of the standard “
      
      User-Agent”
      
      header as stored as an element of the configuration of the “
      
      Trident”
      
      browser component which underpins Internet Explorer and other software applications that incorporate the browser component(b) the configuration being stored within the Microsoft Windows registry(c) the name of the configuration element being the concatenation ofi. “
      
      \\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentControl Set\Internet Settings\”
      
      ii. the version of the browser component andiii. “
      
      \User Agent\Post Platform”
      
      (d) the value of the “
      
      User-Agent”
      
      header optionally consisting of zero or more of the followingi. an Engine-Compatibility Identifier and Version, delimited by a forward slashii. a Platform Identifier in parenthesis, the platform identifier consisting of details of platform components delimited by semi-colonsiii. a Browser Engine Identifier and Version, delimited by a forward slash(e) a value consisting of the UID and a particular prefix that identifies the start of the value(f) the value being inserted within the platform identifier field
  - 14. The method of claim 8 where the network communicator is the Mozilla Gecko-based web-browser such as Mozilla Firefox, the header is “
    - User-Agent” and
      
      the method of incorporating the UID in the “
      
      User-Agent”
      
      header consists of;
      
      (a) changing the value of the standard “
      
      User-Agent”
      
      header as stored as an element of the configuration of the “
      
      Gecko”
      
      browser component which underpins Mozilla Firefox and other software applications that incorporate the browser component(b) the configuration being stored within a text file on the file-system called which is accessible by the web-browser employing that component and accessed by it on start-up(c) the value of a typical “
      
      User-Agent”
      
      header optionally consisting of zero or more of the followingi. an Engine-Compatibility Identifier and Version, delimited by a forward slashii. a Platform Identifier in parenthesis, the platform identifier consisting of details of platform components delimited by semi-colonsiii. a Browser Engine Identifier and Version, delimited by a forward slash(d) a value consisting of the UID and a particular prefix that identifies the start of the value(e) a new user-agent header value in the format in (c) which describes the web-browser, but contains the value created in step (d) within the platform identifier,(f) adding a user_ref( ) function call to the file in (b) which amends the user-agent either byi. assigning a value for the User-Agent with the key “
      
      general.useragent.override” and
      
      the value of the new user-agent as created in step (e), orii. assigning an addendum to be appended to the standard User-Agent with the key “
      
      general.useragent.extra.XXX” and
      
      the value of the UID with prefix created in step (d), where any text may be substituted for the sub-string XXX in the key.
  - 15. The method of claim 1 where the data propagation agent is passed the necessary information to create a UID as it is started via a command-line parameter.
  - 16. The method of claim 1 where the data propagation agent queries a client device to retrieve the necessary information to create a UID.
  - 17. The method of claim 16 where the client device queried is a computer on which is running a Lightweight Directory Access Protocol (LDAP) Server which can be queried using the LDAP protocol to retrieve data optionally including but not limited to user name, password, email, organization name, country.
  - 18. The method of claim 16 where the client device queried is a computer on which is running a Microsoft Active Directory Server which can be queried using the active directory protocol to retrieve data optionally including but not limited to user name, password, email, organization name, country.
  - 19. The method of claim 16 where the device queried is a computer on which is running a Microsoft Windows Primary Domain controller, a Samba server, or any server software accepting requests using the Server Message Block (SMB) protocol which can be queried using that protocol to retrieve data optionally including but not limited to user name, password, email, organization name, country.
  - 20. The method of claim 1 where the data propagation agent initiates a single sign-on (SSO) request over HTTP in conjunction with a service device on the service network to retrieve information to be associated with a UID and issued to a service device on the server network for propagation, the information including but not limited to the user'"'"'s name and password, the process consisting of.(a) a service device providing a service on the service network.(b) a service provision (SP) server accepting network communications containing requests formatted using the Security Assertion Markup Language (SAML) on the service network(c) an identity provision (IdP) server accepting network communications containing requests formatted using SAML on the client network(d) a service device on the service network receiving a network communication with a UID, and failing to retrieve associated value, the service device then operating to retrieve this data, the retrieval process consisting of:
    - i. the service device issuing a network communication to the client device from which the request originated, specifying that the client device should request identification from the SP serverii. the SP server operating to create a SAML assertion, thence issuing a network communication to the client device instructing the client device to present the constructed SAML assertion to the IdP serveriii. the IdP server retrieving the SAML assertion, and acting to retrieve the identity.iv. the IdP server optionallyA. issuing a network communication to the client device, instructing the client device to issue a request for authentication to the IdP server with the SAML assertion.B. the IdP server operating to retrieve the user detailsv. the IdP server operating to construct a SAML assertion with the user details retrieved from steps (iii) and (iv)vi. the IdP server issuing a network communication to the client device with the SAML assertion constructed in (v), the response instructing the client device to present the retrieved details with UID to a service device for propagation.
  - 21. The method of claim 1, wherein the service device, on receipt of a key-value bundle, operates to propagate that data using a peer to peer technology consisting of(a) a network of service devices providing a service,(b) each service device being aware of zero or more service devices providing an identical service on the network, hereafter referred to as peers.(c) one said service device, hereafter referred to as the seed, receiving a key value bundle and operating toi. store the value with the associated key in a data-storeii. optionally issue a network message to all known peers on the service network, the network message consisting of at leastA. the key,B. the associated data, andC. optionally time-to-live information, enumerating the number of transmissions the data has carried from the initial receipt of the request within the service network.iii. all other service devices in the service network, on receipt of the message, optionally proceeding to operate as described in steps (i) and (ii).
  - 22. The method of claim 2 where the external network is an internet-level network.
  - 23. The method of claim 22 where the internet-level network is the Internet operating of Internet Protocol (IP) version 4.
  - 24. The method of claim 22 where the internet-level network is the Internet operating of Internet Protocol (IP) version 6
  - 25. The method of claim 1, wherein a device on the service network operates to process a network communication, the processing optionally depending on data retrieved from a data-store, the data identified by the UID, the UID being embedded in the network communication.
  - 26. The method of claim 1 where the data propagated by the data propagation agent is first encrypted
  - 27. The method of claim 1 where the UID is encrypted.
  - 28. The method of claim 27 where the UID is decrypted before it is used to retrieve associated data.
  - 29. The method of claim 1 where the data associated with a UID is encrypted before transmission.
  - 30. The method of claim 29 where a service device on the service network operates to decrypt data associated with a key, the data having been previously encrypted.
  - 31. The method of claim 30 where data, having been decrypted on receipt, is once again encrypted when propagated as described in claim 21
  - 32. The method of claim 1, wherein the additional information associated with a UID comprises local network information.
  - 33. The method of claim 1, wherein the additional information associated with a UID comprises any one or more of a user'"'"'s user ID, group membership, phone number, location, address or other information obtained from a local network directory or directories.
  - 34. The method of claim 1, wherein the additional information associated with a UID comprises other data associated with the network communication, derived data associated with the network communication, and/or other information independent of the specific network communication.
  - 35. The method of claim 1 where on a failure by the service device to retrieve the UID or to retrieve the associated data, the service device operates to issue a network communication to the client device notifying it of a data discovery failure.
  - 41. Computer program code that when run on a computer or computer network causes the computer or network to operate in accordance with a method according to claim 1.
  - 42. Computer program code according to claim 41 stored on a computer readable medium.
  - 43. An Internet-level network processing service operable in accordance with a method or comprising a system according to claim 1.

36. A system for providing a network service, the system comprising:
- (a) a network processing service that comprises;
  
  i. a service network comprising one or more service devices, each of which can provide a service over a network,ii. a client network comprising one or more client devices, one or more of which is a client of the service network, and(b) information available to the client network, but not available to the service network, which is necessary for the functioning of the network processing service provided by the service devices of the service network,wherein a client device comprises a data propagation agent that operates to;
  
  i. retrieve the information from the client network necessary for the service network to fulfil a request from the client network,ii. create a UID, which uniquely identifies the client device on the client networkiii. aggregate the UID and associated information into a key-value bundle and issue said bundle to the service networkiv. amend one or more network communication agents on the client device such that every network communication issued by the network communication agent contains the UID, andwherein the service device operates;
  
  v. on receipt of a new key-value bundle, to store the key-value bundle in its local data-store, and propagate that key-value bundle to all other service devices on the service network, andvi. on receipt of a network communication from the network communication agent located on a client device, to;
  
  A. extract the UID from the request issued by the network communication agentB. interrogate its data-store for information associated with that UID, such information being essential to the provision of the network processing service, andC. perform the requested service described in the network communication and issue a network communication in turn to the client device with a suitable response.
- View Dependent Claims (37, 38)
- - 37. A system according to claim 36, including an external network linking the service network and client network, through which a client device of the client network issues a network communication to any of the devices on the service network, and to which a single processing device of the service network responds by issuing a network communication in turn.
  - 38. A system according to claim 37, in which the external network is an internet-level network.

39. A method of providing a network service using a service network comprising one or more service devices, and a client network comprising one or more client devices, the method comprising:
- (a) a client device;
  
  i. retrieving from the client network information necessary for the service network to fulfil a request from the client network, said information being available to the client network but not the service network, and necessary for the functioning of a network processing service provided by a service device of the service networkii. creating a UID that uniquely identifies the client device on the client networkiii. aggregating the UID and associated information into a key-value bundle, and issuing said bundle to the service networkiv. amending one or more network communication agents on the client device such that every network communication issued by the network communication agent contains the UID, and(b) the service device;
  
  i. on receipt of a new key-value bundle, acting to store the key-value bundle in a local data-store, and propagating that key-value bundle to all other service devices on the service network, andii. on receipt of a network communication from the network communication agent located on a client device;
  
  A. extracting the UID from the request issued by the network communication agentB. interrogating the local data-store for information associated with that UID, such information being essential to the provision of the network processing service, andC. performing the requested service described in the network communication and issuing a network communication in turn to the client device with a suitable response.

40. A system for providing a network service, the system comprising:
- (a) a service network comprising one or more service devices, each of which can provide a service over a network, and(b) a client network comprising one or more client devices, one or more of which is a client of the service network,wherein at least one said client device comprises a data propagation agent that operates to;
  
  i. retrieve the information from the client network necessary for the service network to fulfil a request from the client network, said information being available to the client network, but not available to the service network, which is necessary for the functioning of the network processing service provided by the service devices of the service network,ii. create a UID, which uniquely identifies the client device on the client networkiii. aggregate the UID and associated information into a key-value bundle and issue said bundle to the service networkiv. amend one or more network communication agents on the client device such that every network communication issued by the network communication agent contains the UID, andwherein the service device operates;
  
  v. on receipt of a new key-value bundle, to store the key-value bundle in its local data-store, and propagate that key-value bundle to all other service devices on the service network, andvi. on receipt of a network communication from the network communication agent located on a client device, to;
  
  A. extract the UID from the request issued by the network communication agentB. interrogate its data-store for information associated with that UID, such information being essential to the provision of the network processing service, andC. perform the requested service described in the network communication and issue a network communication in turn to the client device with a suitable response.

44. An Internet-level network processing service operable according to claim 44, which is a web security service.
- View Dependent Claims (45)
- - 45. A web security service according to claim 44 comprising any one or more of web virus scanning, web filtering and web spyware screening.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
ScanSafe Ltd. (Cisco Systems, Inc.)
Inventors
EDWARDS, John

Granted Patent

US 8,200,971 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 67/561   Adding application-function...

METHOD FOR THE PROVISION OF A NETWORK SERVICE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

116 Citations

45 Claims

Specification

Use Cases

Quick Links

Others

METHOD FOR THE PROVISION OF A NETWORK SERVICE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

45 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others