Access control of networked data

US 6,233,618 B1
Filed: 03/31/1998
Issued: 05/15/2001
Est. Priority Date: 03/31/1998
Status: Expired

First Claim

Patent Images

1. A network device for controlling access by clients on a private network to a data file stored at servers in a public network, the network device being interconnected between the private and public networks, the network device comprising:

a first interface receiving a request from a client on the private network to access a data file stored at servers on the public network;

an access control processor coupled to first interface, the access control processor analyzing data in the request from the client and determining if the request should be forwarded to the public network for processing by a server to which it is destined, the determination being made by cross referencing resource identifier information in the request with access control data in at least one access control database, the access control data containing categorized resource identifier information the categorized resource identifier information specifying a content subject matter category to which the data file is assigned, and the categorized resource identifier information associated with each data file being assigned by prior human interpretation of the content in the data file, and then, as a result of such human interpretation, determining a subject matter category to which the data file is to be assigned, the data file stored at the servers on the public network;

a second interface coupled between the first interface and the public network and coupled to the access control processor, the second interface forwarding the requests from the first interface to the servers on the public network if the access control processor determines the request should be forwarded to the public network for processing by a server to which it is destined; and

means permitting a network administrator of the public network to control the operation of the network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control technique to limit access to information content such as available on the Internet. The technique is implemented within a network device such as a proxy server, router, switch, firewall, bridge or other network gateway. The access control process analyzes data in each request from the clients and determines if the request should be forwarded for processing by a server to which it is destined. Access control may be determined by comparing client source information against a database of Uniform Resource Locators (URLs), IP addresses, or other resource identification data specifying the data requested by the client. The invention therefore provides access control not based only upon content, but rather, based primarily upon the identity of the computers or users making the requests. The technique further avoids the problems of the prior art which categories or filters the content of only web pages based solely upon objectionable words. This is becauase a category database is used by the network device to control access and is created via a process involving human editors who assist in the creation and maintenance of the category database.

Citations

27 Claims

1. A network device for controlling access by clients on a private network to a data file stored at servers in a public network, the network device being interconnected between the private and public networks, the network device comprising:
- a first interface receiving a request from a client on the private network to access a data file stored at servers on the public network;
  
  an access control processor coupled to first interface, the access control processor analyzing data in the request from the client and determining if the request should be forwarded to the public network for processing by a server to which it is destined, the determination being made by cross referencing resource identifier information in the request with access control data in at least one access control database, the access control data containing categorized resource identifier information the categorized resource identifier information specifying a content subject matter category to which the data file is assigned, and the categorized resource identifier information associated with each data file being assigned by prior human interpretation of the content in the data file, and then, as a result of such human interpretation, determining a subject matter category to which the data file is to be assigned, the data file stored at the servers on the public network;
  
  a second interface coupled between the first interface and the public network and coupled to the access control processor, the second interface forwarding the requests from the first interface to the servers on the public network if the access control processor determines the request should be forwarded to the public network for processing by a server to which it is destined; and
  
  means permitting a network administrator of the public network to control the operation of the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The network device of claim 1, wherein the access control database is stored locally on a storage medium within the network device.
  - 3. The network device of claim 2, wherein the access control database is downloaded by a download process on the network device onto the storage medium from an access control server.
  - 4. The network device of claim 3, wherein the download process is automatically performed at regular intervals.
  - 5. The network device of claim 3, wherein the download process is a subscription service to which the network device must be registered with so that the download process can be performed.
  - 6. The network device of claim 1, wherein the access control database is stored remotely on at least one access control server on the private network and access to the access control data in the access control database by the network device is performed by accessing the access control server.
  - 7. The network device of claim 1, wherein the access control database is stored remotely on at least one access control server on the public network and access to the access control data in the access control database by the network device is performed by accessing the access control server.
  - 8. The network device of claim 6, wherein access to the access control data is a subscription service to which the network device must be registered with in order to be allowed access to the access control data.
  - 9. The network device of claim 1, wherein:
10. The network device of claim 9, wherein the portion that is equal to the destination specified in the resource identifier information of the request is a segment of the resource identifier information.
11. The network device of claim 9, wherein the resource identifier information is an internet protocol address.
12. The network device of claim 9, wherein categorized resource identifier information in the access control database is categorized by searching for uncategorized content provided by servers located on the public network and presenting the content of the data files to humans for evaluation and categorization, the categorized content being represented in the access control database by an identification of a location of the content on servers of the public network.
13. The network device of claim 12, wherein the uncategorized content provided by the servers on the public network is discovered by a network walker process which records new content destinations as they are discovered.
14. The network device of claim 1, wherein:
- the request includes a source designation and the resource identifier information specifies a destination of the request and the at least one access control database includes a group-source database and the access control processor, in determining if the request should be forwarded to the public network, matches the source designation of the request to the group-source database to determine the group of the client making the request.
15. The network device of claim 14, wherein:
- the at least one access control database further includes a group-category database and the access control processor, in determining if the request should be forwarded to the public network, matches the group of the client making the request to at least one category to determine which categories of content may be accessed by that group.
16. The network device of claim 14, wherein:
- at least one access control database further includes a category-destination database and the access control processor, in determining if the request should be forwarded to the public network, attempts to match the destination specified in the resource identifier information to at least one resource identifier destination listed within categories in the category-destination database, and if a match is made, the access control processor denies access to the server to which the request is destined.
17. The network device of claim 16, wherein the access control processor, in determining if the request should be forwarded to the public network, matches the group of the client making the request to at least one category having an associated block of allowed access times, to determine which categories of content may be accessed by that group and at which times.

18. A method for controlling access by clients of a private network to data files stored on servers connected in a public network, the method comprising the steps of:
- at a client computer connected to the public network, searching for uncategorized data files being stored on servers connected in the public network, the data files being available on demand;
  
  presenting a view of each selected data file in human readable form on the client computer connected to the public network;
  
  permitting a human being to review the contents of each selected data file so presented;
  
  determining a content rating for each data file in response to presenting the contents of the data file to a human being, the content rating being determined as a result of the human being assigning the data file to at least one content subject matter category;
  
  storing a uniform resource locator (URL) of each data file together with the associated content subject matter categories in a category-destination database;
  
  at an access controller connected to the private network, downloading the category-destination database;
  
  receiving requests from client computers connected to the private network, the requests indicating data files stored on the servers of the public network;
  
  analyzing the data in each request against the data from the category-destination database; and
  
  determining whether to forward the request to a server of the public network for processing, the determination being made based upon the content rating of the requested data file.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The method of claim 18, wherein the step of analyzing the data in each request further comprises the steps of:
20. The method of claim 18, further comprising the step of filtering contents of return data sent from servers on the public network in response to a request which is allowed.
21. The method of claim 18, wherein the URL information is an Internet Protocol (IP) address.
22. The method of claim 18, wherein the URL information is a world wide web page address.
23. The method of claim 18, wherein the URL information is a portion of a world wide web page address.
24. The method of claim 18, wherein the downloading is automatically performed at regular intervals.
25. The method of claim 24, wherein the downloading is a subscription service to which the access controller must be registered so that the downloading can be performed.
26. The method of claim 18, wherein the step of searching for new data files on the public network is performed by a network walker process.
27. The method of claim 19, wherein the group-category database includes at least one group that is associated with different content ratings depending on the time of day of the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Content Advisor Incorporated
Original Assignee
Content Advisor Incorporated
Inventors
Shannon, Steven
Primary Examiner(s)
Geckil, Mehmet B.

Application Number

US09/052,236
Time in Patent Office

1,141 Days
Field of Search

709/229, 709/225, 709/224, 709/223, 709/217, 709/219, 714/39, 714/47, 714/51, 710/17, 710/18, 707/1-6, 707/9, 707/10, 707/501
US Class Current

709/229
CPC Class Codes

G06F 16/9566   URL specific, e.g. using al...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 67/06   specially adapted for file ...

Access control of networked data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Access control of networked data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links