Network access control based on program state

US 8,590,012 B2
Filed: 08/27/2007
Issued: 11/19/2013
Est. Priority Date: 08/27/2007
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage device comprising executable instructions to perform a method of controlling access, the method comprising:

granting a machine access to a first region of a network;

determining that a program that meets one or more criteria is running on said machine; and

based on said determining, granting said machine access to a second region of said network, wherein said program sends data, while said program operates, to a site that is in said network, outside of said second region, and separate from a gateway through which said machine connects to said network, and wherein said determining comprises;

sending an inquiry to said site; and

receiving, from said site in response to said inquiry, a message that indicates;

(a) that an initial message was received at said site from said program, (b) that said data is continually being received by said site from said program, (c) that said program is running, and (d) that access to said second region is to be granted to said machine, said site authenticates said initial message to distinguish said initial message sent by said program from a message sent by an imposter program,said method further comprising;

subsequent to said receiving of said message from said site, said site receiving a callback that is exposed by a first component that performs said method, said site invoking said callback to indicate that conditions under which said machine is to be granted access are no longer being met, said callback being a mechanism that is exposed by said first component, said callback being invocable by a second component to report a change in said machine'"'"'s authorization status, said second component being associated with a service provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway controls access to a region of a network by either granting or denying a client machine access to the network region based on whether a particular program is running on the client machine. A program is installed on the client machine which sends a detectable indication that the program is running. When it is detected that the program is running, the gateway allows the client machine access to the network region. When the program is not detected to be running, the gateway denies the client machine access to the network region.

42 Citations

View as Search Results

20 Claims

1. One or more computer-readable storage device comprising executable instructions to perform a method of controlling access, the method comprising:
- granting a machine access to a first region of a network;
  
  determining that a program that meets one or more criteria is running on said machine; and
  
  based on said determining, granting said machine access to a second region of said network, wherein said program sends data, while said program operates, to a site that is in said network, outside of said second region, and separate from a gateway through which said machine connects to said network, and wherein said determining comprises;
  
  sending an inquiry to said site; and
  
  receiving, from said site in response to said inquiry, a message that indicates;
  
  (a) that an initial message was received at said site from said program, (b) that said data is continually being received by said site from said program, (c) that said program is running, and (d) that access to said second region is to be granted to said machine, said site authenticates said initial message to distinguish said initial message sent by said program from a message sent by an imposter program,said method further comprising;
  
  subsequent to said receiving of said message from said site, said site receiving a callback that is exposed by a first component that performs said method, said site invoking said callback to indicate that conditions under which said machine is to be granted access are no longer being met, said callback being a mechanism that is exposed by said first component, said callback being invocable by a second component to report a change in said machine'"'"'s authorization status, said second component being associated with a service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 17)
- - 2. The one or more computer-readable storage media of claim 1, wherein said program sends data while said program operates, and wherein said determining is based on a finding that said data is being sent.
  - 3. The one or more computer-readable storage media of claim 2, wherein said finding is based on said data'"'"'s having been sent within an amount of time.
  - 4. The one or more computer-readable storage media of claim 1, wherein said message is received by a RADIUS component that determines whether said gateway is to grant said machine access to said second region.
  - 5. The one or more computer-readable storage media of claim 1, wherein said determining comprises:
    - receiving, from said site, a message indicating that said program has changed from a state in which said one or more criteria are met to a state in which said one or more criteria are not met.
  - 6. The one or more computer-readable storage media of claim 1, wherein said one or more criteria comprise said program'"'"'s being running.
  - 7. The one or more computer-readable storage media of claim 1, wherein said program sends data while said program operates, wherein said one or more criteria comprise said program'"'"'s being running in a particular one of said plurality of modes, and wherein said data comprises an indication of which of said plurality of modes said program is running in.
  - 8. The one or more computer-readable storage media of claim 1, wherein said program sends data while said program operates, wherein said program comprises an identifier that distinguishes different instances of said program from each other, and wherein said data comprises said identifier.
  - 17. The one or more computer-readable storage media of claim 1, wherein said site is not in said first region of said network, wherein said gateway determines whether to allow or to deny access to said second region, and wherein said program, which is running on said machine, communicates with said site irrespective of whether said gateway allows or denies said device access to said second region.

9. A system comprising:
- one or more processors;
  
  one or more data remembrance devices;
  
  software that is stored in one or more of said data remembrance devices and that executes on one or more of said processors, said software comprising;
  
  a first component that receives heartbeat data from a program that runs at a first device, said first component storing said heartbeat data, and a timestamp indicating a time at which said heartbeat data is received by said first component, in a database that is stored in one or more of said data remembrance devices; and
  
  a second component that makes a determination based at least in part on whether said heartbeat data has been received from said program within an amount of time and that, based on said determination, either (a) instructs a second device either to grant or to deny said first device access to a network region;
  
  or (b) informs said second device as to whether said heartbeat data is being received from said program; and
  
  a server that communicates with said first device through said second device, said server communicating with said first device irrespective of whether said second device allows said first device access to said network region, said network region comprising said server and at least one location other than said server, the system receiving an inquiry from said second device; and
  
  instructing of said second device to grant or deny said first device access to said network region, or informing of said second device as to whether said heartbeat data is being received from said program, being done by said second component in response to said inquiry, said second component instructing said second device to deny said first device access to a network region by issuing a callback exposed by said second device, said callback being a mechanism that is exposed by said second device, said callback being invocable by said second component to report a change in said first device'"'"'s authorization status, said second component being associated with a service provider.
- View Dependent Claims (10, 11, 12, 18, 19)
- - 10. The system of claim 9, wherein said software further comprises:
    - a third component that implements a RADIUS protocol or a portion of said RADIUS protocol, said second component instructing or informing said second device through said third component.
  - 11. The system of claim 9, wherein said second component makes said determination further based on an identifier of an instance of said program, said heartbeat data comprising said identifier.
  - 12. The system of claim 9, wherein said second component makes said determination further based on an indication of a mode in which said program is running, said heartbeat data comprising said indication.
  - 18. The method of claim 9, wherein said network region is the Internet, wherein said second device grants or denies said first device access to the Internet, and wherein said server communicates with said first device even if said second device has denied said first device access to the Internet.
  - 19. The system of claim 9, said first component further receiving an initial message from said program, said second component authenticating said initial message to distinguish said initial message from a message sent by an imposter program.

13. A method of controlling use of a gateway, the method comprising:
- providing, to a device, a program that sends data over a network while said program is running;
  
  receiving, from said program, said data while said program is running;
  
  determining that said data has ceased being received; and
  
  based on said determining, sending a message to the gateway that either (a) informs the gateway that said program is not running on said device, or (b) instructs the gateway to deny said device access to a region of said network, said message being sent by issuing a callback exposed by said gateway, said callback being a mechanism that is exposed by said gateway, said callback being invocable by a component that performs said method to report a change in said device'"'"'s authorization status, said component being associated with a service provider,wherein said region is the Internet, receiving and said sending are performed by a server that is in said region, and wherein said program communicates with said server even when said gateway has denied said device access to the Internet, said program displaying advertisements on a display while said program runs.
- View Dependent Claims (14, 15, 16, 20)
- - 14. The method of claim 13, wherein said data is sent recurrently while said program is running, and wherein the method further comprises:
    - storing said data in a database with a timestamp indicating when said data has been received; and
      
      monitoring said database to determine whether said data is continuing to be received;
15. The method of claim 13, wherein said program comprises an identifier that distinguishes different instances of said program from each other, and wherein said data comprises said identifier.
16. The method of claim 13, wherein said program sends a message upon startup, and wherein the gateway allows said device access to said region of said network from a time after said message is sent until the gateway has been informed that said program is not running on said device or has been instructed to deny said device access to said region of said network.
20. The method of claim 13, further comprising:
- receiving an initial message from said program, said program being operable in a plurality of modes that include a state other than running and a state other than not-running;
  
  authenticating said initial message to distinguishing said initial message from a message sent by an imposter program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Roy, Paul, Al-Azzawe, Khalid, Carter, Cale, Chitnis, Ambarish, Hawes, Richard Masao
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
TURCHEN, JAMES R

Application Number

US11/895,755
Publication Number

US 20090064306A1
Time in Patent Office

2,276 Days
Field of Search

726/3, 726/12
US Class Current

726/3
CPC Class Codes

H04L 63/102 Entity profiles

Network access control based on program state

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Network access control based on program state

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others