Controlling client access to networked data based on content subject matter categorization

US RE41,168 E1
Filed: 10/14/2004
Issued: 03/23/2010
Est. Priority Date: 03/31/1998
Status: Expired due to Term

First Claim

Patent Images

1. A hardware network device for controlling access by clients on a private network to a data file data files stored at servers in a public network, the hardware network device being interconnected between the private network and the public networks network, the hardware network device comprising:

a first interface receiving a request from a client one of the clients on the private network to access a data file one of the data files stored at servers on in the public network;

an access control processor coupled to the first interface, the access control processor analyzing data in the request from the client one of the clients and determining if the request should be forwarded to the public network for processing by a server, of the servers in the public network, to which it the request is destined, the determination being made by cross referencing resource identifier information in the request with access control data in at least one access control database, the access control data containing categorized resource identifier information, the categorized resource identifier information specifying a content subject matter category to which the data file one of the data files is assigned, and the categorized resource identifier information associated with each data file so categorized being assigned by prior locating of each data file, storing data file information comprising a uniform resource locator for each data file in a first database, reading the data file information for each data file from the first database, human interpretation of the content in the each data file, and then, as a result of such human interpretation, determining a subject matter category to which the each data file is to be assigned, the data file stored at the servers on the public network and storing said data file information and said subject matter category in the access control database;

a second interface coupled between the first interface and the public network and coupled to the access control processor, the second interface forwarding the requests request from the first interface to the servers on in the public network if the access control processor determines the request should be forwarded to the public network for processing by a the server to which it the request is destined; and

means for permitting a network administrator of the public network to control the operation of the hardware network device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control technique to limit access to information content such as available on the Internet. The technique is implemented within a network device such as a proxy server, router, switch, firewall, bridge or other network gateway. The access control process analyzes data in each request from the clients and determines if the request should be forwarded for processing by a server to which it is destined. Access control may be determined by comparing client source information against a database of Uniform Resource Locators (URLs), IP addresses, or other resource identification data specifying the data requested by the client. The invention therefore provides access control not based only upon content, but rather, based primarily upon the identity of the computers or users making the requests. The technique further avoids the problems of the prior art which categories or filters the content of only web pages based solely upon objectionable words. This is because a category database is used by the network device to control access and is created via a process involving human editors who assist in the creation and maintenance of the category database.

40 Citations

View as Search Results

34 Claims

1. A hardware network device for controlling access by clients on a private network to a data file data files stored at servers in a public network, the hardware network device being interconnected between the private network and the public networks network, the hardware network device comprising:
- a first interface receiving a request from a client one of the clients on the private network to access a data file one of the data files stored at servers on in the public network;
  
  an access control processor coupled to the first interface, the access control processor analyzing data in the request from the client one of the clients and determining if the request should be forwarded to the public network for processing by a server, of the servers in the public network, to which it the request is destined, the determination being made by cross referencing resource identifier information in the request with access control data in at least one access control database, the access control data containing categorized resource identifier information, the categorized resource identifier information specifying a content subject matter category to which the data file one of the data files is assigned, and the categorized resource identifier information associated with each data file so categorized being assigned by prior locating of each data file, storing data file information comprising a uniform resource locator for each data file in a first database, reading the data file information for each data file from the first database, human interpretation of the content in the each data file, and then, as a result of such human interpretation, determining a subject matter category to which the each data file is to be assigned, the data file stored at the servers on the public network and storing said data file information and said subject matter category in the access control database;
  
  a second interface coupled between the first interface and the public network and coupled to the access control processor, the second interface forwarding the requests request from the first interface to the servers on in the public network if the access control processor determines the request should be forwarded to the public network for processing by a the server to which it the request is destined; and
  
  means for permitting a network administrator of the public network to control the operation of the hardware network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 28, 29, 30, 31, 32)
- - 2. The hardware network device of claim 1, wherein the access control database is stored locally on a storage medium within the hardware network device.
  - 3. The hardware network device of claim 2, wherein the access control database is downloaded by a download process on the hardware network device onto the storage medium from an access control server.
  - 4. The hardware network device of claim 3, wherein the download process is automatically performed at regular intervals.
  - 5. The hardware network device of claim 3, wherein the download process is a subscription service to with which the hardware network device must be registered with so that the download process can be performed.
  - 6. The hardware network device of claim 1, wherein the access control database is stored remotely on at least one access control server on the private network and access to the access control data in the access control database by the hardware network device is performed by accessing the access control server.
  - 7. The hardware network device of claim 1, wherein the access control database is stored remotely on at least one access control server on the public network and access to the access control data in the access control database by the hardware network device is performed by accessing the access control server.
  - 8. The hardware network device of claim 6, wherein access to the access control data is a subscription service to with which the hardware network device must be registered with in order to be allowed access to the access control data.
  - 9. The hardware network device of claim 1, wherein:
    - the request includes a source designation and the resource identifier information of the request specifies a destination of the request;
      
      the categorized resource identifier information in the access control data is categorized by associating predetermined destinations to specific categories of content; and
      
      the access control processor determines if the client one of the clients making the request is associated with a category of content which contains a predetermined destination having a portion that is equal to the destination specified in the resource identifier information of the request.
  - 10. The hardware network device of claim 9, wherein the portion that is equal to the destination specified in the resource identifier information of the request is a segment of the resource identifier information.
  - 11. The hardware network device of claim 9, wherein the resource identifier information of the request is an internet protocol address.
  - 12. The hardware network device of claim 9, wherein the categorized resource identifier information in the access control database is categorized by searching for uncategorized content provided by the servers located on in the public network and presenting the uncategorized content of the data files to humans for evaluation and categorization to produce categorized content, the categorized content being represented in the access control database by an identification of a location of the categorized content on the servers of in the public network.
  - 13. The hardware network device of claim 12, wherein the uncategorized content provided by the servers on in the public network is discovered by a network walker process which records new content destinations as they are discovered.
  - 14. The hardware network device of claim 1, wherein:
    - the request includes a source designation and the resource identifier information of the request specifies a destination of the request and the at least one access control database includes a group-source database and the access control processor, in determining if the request should be forwarded to the public network, matches the source designation of the request to the group-source database to determine the group of the client one of the clients making the request.
  - 15. The hardware network device of claim 14, wherein:
    - the at least one access control database further includes a group-category database and the access control processor, in determining if the request should be forwarded to the public network, matches the group of the client one of the clients making the request to at least one category to determine which categories of content may be accessed by that group.
  - 16. The hardware network device of claim 14, wherein:
    - at least one access control database further includes a category-destination database and the access control processor, in determining if the request should be forwarded to the public network, attempts to match the destination specified in the resource identifier information to at least one resource identifier destination listed within categories in the category-destination database, and if a match is made, the access control processor denies access to the server to which the request is destined.
  - 17. The hardware network device of claim 16, wherein the access control processor, in determining if the request should be forwarded to the public network, matches the group of the client one of the clients making the request to at least one category having an associated block of allowed access times, to determine which categories of content may be accessed by that group and at which times.
  - 28. A hardware network device according to claim 1, the hardware network device comprising one or more processors and one or more memories operable to store program instructions executable by the one or more processors to implement:
    - the first interface, the access control processor, the second interface, and the means for permitting the network administrator of the private network to control the operation of the hardware network device.
  - 29. A hardware network device according to claim 28, wherein:
    - the request includes a source designation and the resource identifier information of the request specifies a destination of the request and the at least one access control database includes a group-source database and the access control processor, in determining if the request should be forwarded to the public network, matches the source designation of the request to the group-source database to determine the group of the one of the clients making the request.
  - 30. A hardware network device according to claim 29, wherein:
    - the at least one access control database further includes a group-category database and the access control processor, in determining if the request should be forwarded to the public network, matches the group of the one of the clients making the request to at least one category to determine which categories of content may be accessed by that group.
  - 31. A hardware network device according to claim 28, wherein the access control database is stored remotely on at least one access control server on the public network and access to the access control data in the access control database by the hardware network device is performed by accessing the access control server.
  - 32. A hardware network device according to claim 1, the categorized resource identifier information associated with each data file so categorized being further assigned by, prior to storing the data file information comprising the uniform resource locator for each data file in the first database, determining whether the data file information comprising the uniform resource locator is already stored in either a queue database, the first database or the access control database and, if not, initially storing the data file information comprising the uniform resource locator in the queue database.

18. A method executing on a first client computer connected to a public network and on an access controller connected to a private network, the method being for controlling access by clients of a the private network to data files stored on servers connected in a the public network, the method comprising the steps of:
- at a the first client computer connected to the public network, using the first client computer to;
  
  searchingsearch for uncategorized data files being stored on servers connected in the public network, the uncategorized data files being available on demand;
  
  store data file information comprising at least a uniform resource locator (URL) for each of the uncategorized data files in at least one initial database;
  
  retrieve one or more selected data files from the initial database, at a time after the step of using the first client computer to store data file information in the at least one initial database;
  
  presentingpresent a view of each selected data file in human readable form on the first client computer connected to the public network;
  
  permittingpermit a human being to review the contents of each selected data file so presented;
  
  determining aassociate, with each selected data file, a determined content rating for each selected data file in response to presenting the contents of the selected data file to a human being, the content rating being determined as a result of the human being assigning the selected data file to at least one content subject matter category;
  
  and storingstore a uniform resource locator (URL) of each selected data file together with the associated content subject matter categoriescategory in a category-destination database;
  
  at an access controller connected to the private network, using the access controller to;
  
  downloadingdownload the category-destination database;
  
  receivingreceive requests from second client computers connected to the private network, the requests from the second client computers indicating requested data files stored on the servers ofconnected in the public network;
  
  analyzinganalyze the data in each request from a client computer of the second client computers against the data from the category-destination database; and
  
  determiningdetermine whether to forward the request from the client computer of the second client computers to a server of the servers connected in the public network for processing, the determination being made based upon the content rating of the requested data file.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 33, 34)
- - 19. The method of claim 18, wherein the step of analyzing using the access controller to analyze the data in each request further comprises the steps of using the access controller to:
    - examiningexamine a source of the request against a group-source database to determine a group associated with the client making the request;
      
      examiningexamine the group associated with the client making the request against a group-category database to determine the content ratings that the group may access;
      
      obtainingobtain URL information from the request; and
      
      determiningdetermine if the URL information has been assigned a content rating that the group may access, and if so, allowingusing the access controller to allow the request, and if not, denyingusing the access controller to deny the request.
  - 20. The method of claim 18, further comprising the step of filtering using the access controller to filter contents of return data sent from servers on connected in the public network in response to a request which is allowed.
  - 21. The method of claim 18, wherein the URL information is an Internet Protocol (IP) address.
  - 22. The method of claim 18, wherein the URL information is a world wide web page address.
  - 23. The method of claim 18, wherein the URL information is a portion of a world wide web page address.
  - 24. The method of claim 18, wherein the downloading using the access controller to download is automatically performed at regular intervals.
  - 25. The method of claim 24, wherein the downloading using the access controller to download is a subscription service to which the access controller must be registered so that the downloading using the access controller to download can be performed.
  - 26. The method of claim 18, wherein the step of searching using the first client computer to search for new uncategorized data files on the public network is performed by a network walker process.
  - 27. The method of claim 19, wherein the group-category database includes at least one group that is associated with different content ratings depending on the time of day of the request.
  - 33. A method according to claim 18, wherein the at least one initial database comprises (i) a queue database for holding the URLs associated with the uncategorized data files and (ii) an uncategorized database, wherein the using the first client computer to retrieve one or more selected data files retrieves such files from the uncategorized database, and wherein the using the first client computer to store data file information further comprises:
    - if the data file information located in the using the first client computer to search for uncategorized data files is not already stored in either the queue database, the uncategorized database, or the category-destination database, then using the first client computer to store the data file information in the queue database.
  - 34. A method according to claim 33, further comprising:
    - using the first client computer to obtain further information for the data file information located in the using the first client computer to search for uncategorized data files, the further information including information other than the URL, and using the first client computer to store that information in the uncategorized database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Content Advisor Incorporated
Original Assignee
Content Advisor Incorporated
Inventors
Shannon, Steven
Primary Examiner(s)
Harrell, Robert B

Application Number

US10/965,710
Time in Patent Office

1,986 Days
Field of Search

707/10, 709/225, 709/229
US Class Current

709/229
CPC Class Codes

G06F 16/9566   URL specific, e.g. using al...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 67/06   specially adapted for file ...

Controlling client access to networked data based on content subject matter categorization

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling client access to networked data based on content subject matter categorization

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links