
WO2006027589A1 - System, method and apparatus for monitoring or controlling Internet access - Google Patents


Info

Publication number
WO2006027589A1
Authority
WO
WIPO (PCT)
Prior art keywords
request message
categorisation
specified url
data section
url
Application number
PCT/GB2005/003464
Other languages
English (en)
Inventor
John Sinclair
Ian James Pettener
Alistair Nash
Original Assignee
Surfcontrol Plc
Priority date: 2004-09-09 (Google's note: the priority date is an assumption and is not a legal conclusion)
Filing date: 2005-09-09
Publication date: 2006-03-16
Priority claimed from GB0420025A (granted as GB2418108B)
Application filed by Surfcontrol Plc
Priority to CA002577252A (published as CA2577252A1)
Publication of WO2006027589A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/164 Adaptation or special uses of UDP protocol

Definitions

  • the present invention relates to a system, method and apparatus for categorising
  • the Internet is a global interconnection of computers and computer networks.
  • One of the great benefits of the Internet is that many millions of users have access to shared information of the World Wide Web, whereby pages of text and graphic information in HTML or other formats are transmitted by a Hyper Text Transfer Protocol (HTTP).
  • HTTP Hyper Text Transfer Protocol
  • Each web page has a unique address, known as a Uniform Resource Locator (URL).
  • URL Uniform Resource Locator
  • RFCs Requests for Comments
  • RFC7 Internet Protocol
  • RFC1738 Uniform Resource Locators
  • a client device comprising: an interface module arranged to present a URL categorisation function, wherein the interface module is passed a specified URL from a client software and returns a categorisation code; an encryption module which encrypts and decrypts data; a protocol module which marshals and unmarshals incoming and outgoing data and makes encryption/decryption calls to the encryption module; and a communication module arranged to send an outgoing request message to a remote categorisation server and to receive and buffer incoming data including a corresponding reply message, wherein: the request message comprises a header section including a sequence number field and a timestamp field, and an encrypted data section representing the specified URL, wherein the header section and the data section are the payload of a UDP packet; and the reply message comprises a header section including the sequence number field and the timestamp field from the request message, and an encrypted data section identifying a category of the specified URL amongst the predetermined set of categories as determined by the categori
  • Figure 4 shows part of a protocol stack appropriate for communication relating to the Internet
  • Figure 5 is a schematic view of a preferred method for categorisation of URL requests
  • Figure 8 is a schematic overview of an example client gateway apparatus
  • Figure 11 is a schematic overview of a preferred categorisation server apparatus
  • Figure 13 is a schematic overview of preferred licensing systems .
  • a user machine 10 is connected to the Internet 20 through an Internet gateway appliance or client gateway 12.
  • the preferred embodiments of the present invention are primarily applicable to the World Wide Web, whereby a web page 32 is provided in response to a URL request sent under HTTP.
  • the user machine 10 provides a web browser application which initiates a URL request 11 in order to obtain content, i.e. a web page 32, from a content server or host 30.
  • the web page 32 may take any suitable form, most commonly being text and graphics in HTML format. It will be appreciated however that the present invention is applicable to other forms of content provided over the Internet using URLs, such as file transfers under FTP or connection to a TELNET server. It is desired to passively monitor and log the requested URLs for inspection later, or perform an active filtering function which determines whether the user machine 10 will receive or display the requested web page 32. To this end, it is useful to place URLs into categories. In a simple example, the categories are either "allow” or "deny”. In a more sophisticated example, it is helpful to categorise URLs with greater granularity.
  • the preferred embodiments of the present invention place each requested URL into one of a predetermined set of categories.
  • Specific downstream actions for controlling or monitoring Internet access such as filtering or logging functions, are not particularly relevant to the present invention and may take any suitable form.
  • the preferred embodiment provides eight core categories such as “adult/sexual explicit”, “criminal skills”, “drugs, alcohol, tobacco”, “violence” or
  • a rule is used to alert an administrator when a request is made for any of the core categories, or to block selected productivity categories at particular times and allowing access only say at lunchtimes or outside work hours.
  • the preferred categories may also include
  • the user machine 10 provides input and output interface functions appropriate for a human user, suitably including a display screen, speakers, and control keys or GUI.
  • the user machine 10 is a computing platform such as a desktop computer, a laptop computer, or a personal digital assistant (PDA).
  • the user machine 10 is a function-specific Internet appliance, such as a web-TV.
  • the user machine 10 is a public Internet kiosk, in this case also shown as including a voice telephone.
  • the user machine 10 and the client gateway 12 are formed as physically separate devices and communicate by any appropriate wired or wireless link. In other embodiments the client gateway 12 is integrated within the user machine 10.
  • the client gateway 12 suitably includes a modem, such as an analogue, ISDN or ADSL modem which connects to an Internet Service Provider (ISP).
  • ISP Internet Service Provider
  • the client gateway 12 connects to the Internet 20 through a wireless network or cellular mobile network such as GSM or GPRS.
  • the client gateway 12 connects to the Internet 20 through an intermediary such as a LAN or WAN, optionally over a virtual private network (VPN).
  • VPN virtual private network
  • the client gateway 12 acts as a router and forwards data packets between computers or computer networks.
  • the client gateway 12 directs packets between the user machine 10 and the ISP 21. Routers typically use packet headers and forwarding tables to determine the best path for forwarding each data packet.
  • the client gateway 12 typically has relatively limited computing resources.
  • the client gateway is a router having an Intel IXP422 processor, 64MB RAM and 16MB of Flash memory. There is no hard disk or other large-capacity storage device within the client gateway.
  • the client gateway may also perform other functions, typically acting as a combined modem, router, firewall, local network switch or VPN client, or any combination thereof. Hence, there is strong competition for resources in order to accommodate some or all of these functions within a single low-cost device.
  • FIG. 2 shows a second example system and apparatus as employed in an alternative embodiment of the present invention.
  • a client computer 12 is part of a Local Area Network (LAN) which also includes a proxy server 14 coupled to the Internet 20.
  • the client computer 12 makes URL requests in order to receive web pages from a content server 30 available over the Internet 20.
  • the URL requests are processed through the proxy server 14. It is desired to monitor or control Internet access at the client computer 12.
  • the present invention is particularly applicable where the client computer 12 has relatively limited processor, memory or storage resources, such as a terminal or a diskless workstation.
  • This arrangement reduces resource requirements at the client 12, and allows the categorisation server 40 to run on a large and powerful computing system with plenty of processing power, memory and storage space.
  • This categorisation service 400 may take any suitable form. For example, upon receiving the URL categorisation request 500, the categorisation service 400 looks up an appropriate category for the specified URL using a category database. Additionally or alternatively, the categorisation service employs a linguistic or other analysis of the specified URLs to determine an appropriate category, with or without human intervention and review.
  • the URL 200 includes a host portion 202 and a page portion
  • HTTP hypertext transfer protocol
  • the sequence number 511 allows the request message 500 to be uniquely identified and distinguished from other request messages.
  • the sequence number 511 is generated upon creation of the request message 500 within the client 12, suitably as an incremental value cycling between 0 and 65535.
  • each client-side socket exists only for the duration of a request-reply cycle and hence each request is assigned a different port value by the host process within, in this example, the client 12.
  • the sequence number 511 allows a reply to be matched up with an originating request message 500.
  • the time stamp 512 enables calculation of timeouts.
  • the client 12 originating the request message 500 waits a predetermined length of time for a reply message 600, and then re-tries for a predetermined number of times.
  • the timeout is increased after each resend, with an exponential back off (e.g. 2, 4 and then 8 seconds for a maximum retry count of 3).
  • the command ID field 513 allows the request message to perform different command functions. In most cases, the command ID is set to "1" in order to request categorisation of a URL. Also, the request message uses a command ID of "2" to request that the categorisation server 40 provide a current list of categories, or a command ID of "3" to confirm a current list version and determine whether an update is required. Other commands can be defined as appropriate. Hence, the command ID field 513 brings increased flexibility and allows the system to perform additional functions.
  • the licensing field 515 optionally transmits a licence identity relevant to the originator of the request message 500.
  • the licence identity is suitably associated with the client 12 or optionally the user machine 10.
  • FIG. 7 is a schematic representation of a reply message 600 as generated by the categorisation server 40 and sent to the client 12.
  • the reply message 600 includes a UDP payload comprising a response header 610 and a response data section 620.
  • the response header 610 comprises a sequence number 611 and a time stamp 612, preferably with a command ID 613, all copied from a corresponding received categorisation request message 500.
  • a data size 614 gives a size of the following response data section 620.
  • a status code 615 denotes a status. This is usually simply "success", but occasionally relates to one of a predetermined set of error statuses.
  • the response data 620 is formatted according to the relevant command ID 613 and is preferably encrypted, such as with RC2.
  • the response data 620 comprises a category 621, a match length 622, and an exact flag 623.
  • the category 621 identifies one amongst a predetermined set of categories for the URL sent in the request data 520, suitably as a numerical value (e.g. category "27" is say sports related web pages) .
  • the exact flag 623 determines whether the requested URL 520 was matched exactly. If only a partial match was obtained, such as a match with only the host portion 202 or only part of the URL path 204, then a match length is given in the match length field 622.
  • for other command IDs, the response data 620 contains other data such as a category list specifying a predetermined list of categories, or a version identity which identifies a current version of the category list being used by the categorisation server 40. These other command types can be used to trigger software or configuration updates at the client 12.
  • the request message 500 and reply message 600 each use the payload section of a
  • FIG. 8 shows the client 12 in more detail, including an interface module 121, a communication module 122, a protocol module 123 and an encryption module 124.
  • the interface module 121 presents the URL categorisation function to a client application, such as to a web browser or a HTTP function (not shown) .
  • the interface is suitably an API (application programming interface) to the client software.
  • the interface module 121 is passed a URL from the client software, and returns a categorisation code 621, preferably with a match length 622 and an exact flag 623.
  • the communication module 122 sends outgoing data to the categorisation server 40 and receives and buffers incoming data, including making retransmission requests as necessary.
  • the protocol module 123 interprets the incoming and outgoing data according to the protocol discussed above with reference to Figures 5, 6 & 7 and makes encryption/decryption calls to the encryption module 124.
  • the encryption module 124 encrypts and decrypts data.
  • the communication module 122 calculates a retransmission timeout for every sent request. To be effective, it is desired that the timeout interval take account of vastly varying network conditions, and adapt accordingly. This helps to eliminate both unnecessary retransmissions and unrealistically high timeout periods.
  • the number of retries is configurable such as through a user interface.
  • Figure 8 shows that the client 12 preferably comprises a category cache 125.
  • the category cache 125 stores URL categories by storing response data 620 from each categorisation request 500. Since users often navigate to a limited set of favourite web pages time and again, the category cache 125 significantly reduces traffic over the Internet 20 by avoiding duplication of requests for categorisation of the same URL or a child page from the same host or directory.
  • the host is "www.host.com" and a searched URL path is "/directory_1/page_1".
  • the entry for the page string 904 "/directory_1" has a children flag 908 of "yes" which shows that specific category codes are available for children of this path.
  • the cache shows that "/directory_1/page_9" has already been cached, but there is currently no entry for the searched page string "/directory_1/page_1".
  • the cache 125 has failed to provide a category for the requested URL.
  • a request message 500 is generated to determine the code for the specified URL, i.e. for host "www.host.com" and the path "/directory_1/page_1".
  • the gateway appliance 12 preferably further includes a custom cache 126 alongside the category cache 125.
  • the custom cache 126 records a customised list of categorisations.
  • the custom cache 126 is used to override other categorisations, or to add supplementary URLs.
  • the custom cache 126 is structured identical to the category cache 125. Searches are preferably conducted in order through the custom cache 126, then if necessary the category cache 125, and finally if necessary by generating a request message 500 to the categorisation server 40.
  • the custom cache 126 does not perform any URL aging, so that a user has full control over the size and content of the custom cache 126.
  • the categorisation service 400 running on the categorisation server 40 performs a licensing process.
  • each request message 500 preferably includes a licensing field 515 which carries data such as a licence key.
  • Each tree node 1221 comprises a license string 1222 holding a license key and a corresponding license result
  • the cache can hold solely valid keys, solely invalid keys, or, as in this example, a mixture of both, according to the circumstances of a particular implementation.
  • the license tree 1220 also functions as an age list, listing each of the tree nodes 1221 by age.
  • the age list comprises, within each tree node 1221, a next pointer 1226 and a previous pointer 1227 which refer to a next older tree node and a previous newer tree node, respectively.
  • the age list is updated after each access to keep recently accessed nodes at the head of the list.
  • Figure 13 shows example licensing schemes in more detail.
  • the categorisation service 400 makes calls to a license interface DLL 1350, which in turn makes calls to one of a plurality of partner licence DLLs 1360.
  • the license interface DLL 1350 resolves the partner ID field 516 by referring to a partner map database 1352, which links the partner ID 516 to a partner DLL name and preferably provides configuration information for making calls into that DLL.
  • the partner licence DLLs 1360 include a no license DLL 1361 which simply indicates that any licence key is valid. This allows the system to run a default "no problem" licence mode prior to implementation of licence schemes which actively validate licence keys.
  • a no database DLL 1362 performs a mathematical, algorithmic or cryptographic validation of the licence key.
  • a hosted licensing DLL 1364 is provided which forwards licensing requests to a remote licensing server 1370 for validation.
  • the licensing requests are sent over a local area network (LAN), or are forwarded using a SOAP-based web service over the Internet 20.
  • LAN local area network
  • a database licensing DLL 1366 connects directly into an ODBC database 1380 using a stored procedure to validate the licence key.
  • the database 1380 suitably stores the partner ID field 516, licence code 517, and expiry date of valid licenses and hence can offer validation for a plurality of partner licence schemes.
  • a licence management interface 1382 is provided to manage the content of the licence database 1380.
  • This aspect of the present invention has many advantages, as discussed above. Licensing is very useful in the context of controlling or monitoring Internet access by categorisation of URLs, and opens up many useful commercial and technical implementations of this technology. Further, the use of a licensing cache reduces time and resources for each validation and increases throughput. The cache is structured to be compact and is easily managed. The use of a partner ID field allows great flexibility and convenience to choose between available licensing schemes.
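
The request/reply exchange described in the bullets above (a header with sequence number, timestamp, command ID, data size and licence field; an encrypted data section; a reply that echoes the sequence number and timestamp; and the 2, 4, 8 second retry schedule), as an added example in Python. This is not code from the patent or from Surfcontrol: the field widths, byte order, status codes and the server-side database are assumptions, and the data section is sealed with a constructed HMAC-based keystream plus an integrity tag rather than the RC2 the patent names, because RC2 encrypts but does not authenticate, so a forged reply carrying the right sequence number and timestamp would otherwise be accepted as the server's category.

```python
"""Added example: one request/reply cycle of the UDP categorisation protocol
plus the client retry schedule. Field widths, byte order, status codes and
the server database are assumptions; the sealing step is a constructed
stand-in for the RC2 encryption the patent names."""
import hashlib
import hmac
import struct

CMD_CATEGORISE, CMD_CATEGORY_LIST, CMD_LIST_VERSION = 1, 2, 3   # command IDs from the page
STATUS_SUCCESS, STATUS_BAD_COMMAND = 0, 1                       # assumed status codes
TAG_LEN = 16
REQ_HDR = struct.Struct("!HIBH16s")   # seq, timestamp, command ID, data size, licence field
REP_HDR = struct.Struct("!HIBHB")     # seq, timestamp, command ID, data size, status code
REP_DATA = struct.Struct("!HHB")      # category, match length, exact flag
RETRY_TIMEOUTS = (2, 4, 8)            # seconds per send: the page's back-off, retry count 3

# Constructed categorisation database: URL prefix -> category code (27 = sports on the page).
SERVER_DB = {"www.host.com/directory_1": 27, "www.host.com": 5}


def _keystream(key, header, length):
    """Keystream bound to the header, whose seq + timestamp serve as the nonce."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, header + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, header, plaintext):
    """Encrypt the data section and append a tag over header + ciphertext. RC2 alone
    gives confidentiality only; without the tag a forged reply that echoes the right
    seq/timestamp would be accepted as the server's verdict."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, header, len(plaintext))))
    return ct + hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]


def unseal(key, header, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("data section failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, header, len(ct))))


def build_request(key, seq, ts, url, licence=b"\0" * 16):
    """Request message 500: header then sealed data section 520 carrying the URL."""
    data = url.encode()
    hdr = REQ_HDR.pack(seq & 0xFFFF, ts & 0xFFFFFFFF, CMD_CATEGORISE, len(data) + TAG_LEN, licence)
    return hdr + seal(key, hdr, data)


def categorise(url):
    """Longest-prefix lookup: (category, match length in characters, exact flag)."""
    best = max((p for p in SERVER_DB if url == p or url.startswith(p + "/")), key=len, default=None)
    if best is None:
        return 0, 0, False
    return SERVER_DB[best], len(best), best == url


def serve(key, packet):
    """Categorisation server: check the request and build reply message 600."""
    hdr = packet[:REQ_HDR.size]
    seq, ts, cmd, size, _licence = REQ_HDR.unpack(hdr)
    body = packet[REQ_HDR.size:]
    if len(body) != size:
        raise ValueError("data size field does not match payload")
    if cmd != CMD_CATEGORISE:
        cat, mlen, exact, status = 0, 0, False, STATUS_BAD_COMMAND
    else:
        cat, mlen, exact = categorise(unseal(key, hdr, body).decode())
        status = STATUS_SUCCESS
    data = REP_DATA.pack(cat, mlen, int(exact))
    rhdr = REP_HDR.pack(seq, ts, cmd, len(data) + TAG_LEN, status)   # seq and ts copied back
    return rhdr + seal(key, rhdr, data)


def parse_reply(key, packet, expected_seq, expected_ts):
    """Accept only the reply matching the outstanding request; return None otherwise."""
    hdr = packet[:REP_HDR.size]
    seq, ts, _cmd, size, status = REP_HDR.unpack(hdr)
    if (seq, ts) != (expected_seq & 0xFFFF, expected_ts & 0xFFFFFFFF):
        return None
    body = packet[REP_HDR.size:]
    if len(body) != size:
        raise ValueError("data size field does not match payload")
    cat, mlen, exact = REP_DATA.unpack(unseal(key, hdr, body))
    return {"status": status, "category": cat, "match_length": mlen, "exact": bool(exact)}


def request_with_retry(transport, key, url, seq, ts):
    """Send and resend with the 2/4/8 s schedule. transport(packet, timeout) returns a
    reply packet or None on timeout. Returns (reply or None, sends, seconds spent waiting)."""
    packet = build_request(key, seq, ts, url)
    waited = 0
    for attempt, timeout in enumerate(RETRY_TIMEOUTS, start=1):
        raw = transport(packet, timeout)
        if raw is None:
            waited += timeout
            continue
        reply = parse_reply(key, raw, seq, ts)
        if reply is not None:
            return reply, attempt, waited
    return None, len(RETRY_TIMEOUTS), waited
```

With only the sequence number and timestamp to match a reply to its request, any host that can observe or guess those two values can answer before the real server does; the tag makes that answer fail `unseal`, and a reply whose header does not match the outstanding request is dropped in `parse_reply` rather than trusted.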
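
The cache search order described above (custom cache 126, then category cache 125, then a request message 500 to the server), together with the host/path layout and children flag from the www.host.com example, as an added Python example that is not the patent's or Surfcontrol's code. The cache structure, the match-length convention (characters of host plus path matched) and the ageing policy are assumptions.

```python
"""Added example: lookup order custom cache -> category cache -> server request,
with the host/path cache layout and children flag from the www.host.com example.
Cache structure, match-length convention and ageing policy are assumptions."""


def _ancestors(path):
    """'/a/b/c' -> ['/a/b', '/a', '/']; '/' is the host-level entry."""
    parts = path.rstrip("/").split("/")
    return ["/".join(parts[:i]) for i in range(len(parts) - 1, 1, -1)] + ["/"]


class PathCache:
    """One table per host: page string -> [category, children flag, stored-at time].
    The children flag marks a path below which specific codes have been cached."""

    def __init__(self, max_age=None):
        self.hosts = {}
        self.max_age = max_age      # None: no ageing, as for the custom cache

    def put(self, host, path, category, now=0):
        entries = self.hosts.setdefault(host, {})
        children = entries[path][1] if path in entries else False
        entries[path] = [category, children, now]
        for parent in _ancestors(path):
            if parent != path and parent in entries:
                entries[parent][1] = True   # a child now has its own code

    def lookup(self, host, path, now=0):
        """(category, match length over host + path, exact flag), or None on a miss."""
        entries = self.hosts.get(host, {})
        self._expire(entries, now)
        if path in entries:
            return entries[path][0], len(host + path), True
        for parent in _ancestors(path):
            if parent in entries:
                category, has_children, _ = entries[parent]
                if has_children:
                    return None   # children carry their own codes: this one is unknown
                return category, len(host + parent), False
        return None

    def _expire(self, entries, now):
        if self.max_age is None:
            return
        for path in [p for p, e in entries.items() if now - e[2] > self.max_age]:
            del entries[path]


def lookup_category(custom, cache, host, path, send_request, now=0):
    """Search the custom cache, then the category cache, then send request message 500.
    send_request(url) stands for the UDP exchange and returns (category, match length, exact).
    Returns ((category, match length, exact), source)."""
    for source, table in (("custom", custom), ("cache", cache)):
        hit = table.lookup(host, path, now)
        if hit is not None:
            return hit, source
    category, match_length, exact = send_request(host + path)
    matched_path = (host + path)[len(host):match_length] or "/"   # store under the matched prefix
    cache.put(host, matched_path, category, now)
    return (category, match_length, exact), "server"
```

The custom cache is consulted first and never ages, so an entry placed there overrides whatever the server says for that path; the category cache ages its entries, so a server-side recategorisation eventually reaches the client without a cache flush.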
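
The licensing process described above (a licence cache kept in age order, and dispatch on the partner ID field 516 to a "no licence", "no database" or database scheme), as an added Python example that is not the patent's or Surfcontrol's code. Partner IDs, the key format, the server secret and the licence database are constructed, and an OrderedDict stands in for the tree nodes with next and previous pointers.

```python
"""Added example: licence validation with partner dispatch and an aged cache.
Everything below (partner IDs, key format, secret, database) is constructed."""
import hashlib
import hmac
from collections import OrderedDict

SERVER_SECRET = b"constructed-server-secret"     # assumption: held only by the server
TODAY = "2025-01-01"                             # assumption: ISO dates compare as strings
LICENCE_DB = {                                   # constructed: licence code -> expiry date
    "PARTNER-B-0001": "2031-12-31",
    "PARTNER-B-0002": "2005-01-01",
}


def make_key(body):
    """Mint a 'no database' key: body plus an 8-hex-char HMAC check (constructed format)."""
    return body + hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:8]


def no_licence(key):
    """'No licence' DLL: every key is valid, the default before real schemes exist."""
    return True


def no_database(key):
    """'No database' DLL: purely algorithmic check, keyed so that the rule cannot be
    reproduced by someone who only sees valid keys."""
    body, check = key[:-8], key[-8:]
    if not body:
        return False
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected.encode(), check.encode())


def database(key):
    """Database DLL: the key must exist and must not have expired."""
    expiry = LICENCE_DB.get(key)
    return expiry is not None and TODAY <= expiry


PARTNER_MAP = {1: no_licence, 2: no_database, 3: database}   # partner ID -> scheme


class LicenceCache:
    """(partner ID, licence string) -> result, kept in age order: newest at the head,
    the oldest node evicted when the cache is full. An OrderedDict stands in for the
    tree nodes with next/previous pointers."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.nodes = OrderedDict()
        self.misses = 0

    def validate(self, partner_id, licence):
        node = (partner_id, licence)   # the same string under another partner is a different node
        if node in self.nodes:
            self.nodes.move_to_end(node, last=False)   # accessed: move to the head of the age list
            return self.nodes[node]
        self.misses += 1
        scheme = PARTNER_MAP.get(partner_id)
        result = scheme(licence) if scheme is not None else False   # unknown partner: invalid
        self.nodes[node] = result
        self.nodes.move_to_end(node, last=False)
        if len(self.nodes) > self.capacity:
            self.nodes.popitem(last=True)              # drop the oldest node
        return result

    def age_order(self):
        """Nodes from newest to oldest."""
        return list(self.nodes)
```

Two points the page leaves implicit: an algorithmic "no database" check has to be keyed with a secret the server alone holds, since a bare hash rule lets anyone who learns it mint keys; and the cache key must include the partner ID, or a string validated under the permissive "no licence" scheme would be served from cache as valid for a stricter partner.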

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention concerns a system, method and apparatus for monitoring or controlling Internet access at a client device (12). The method comprises: generating a request message (500) requesting categorisation of a specified URL; and receiving a reply message (600) indicating the category of the specified URL among a predetermined set of categories. The request message (500) comprises a UDP packet including a sequence number (511), a timestamp and a data section (520) carrying the specified URL. The reply message (600) comprises a UDP packet including the sequence number (511) and the timestamp from the request message (500), and a data section (620) identifying the category. The request message (500) and the reply message (600) are inexpensive and can be transmitted efficiently over a local network or over the Internet (20).
PCT/GB2005/003464 2004-09-09 2005-09-09 System, method and apparatus for monitoring or controlling Internet access WO2006027589A1 (fr)

Priority Applications (1)

Application number | Priority date | Filing date | Title
CA002577252A (CA2577252A1, fr) | 2004-09-09 | 2005-09-09 | System, method and apparatus for monitoring or controlling Internet access

Applications Claiming Priority (4)

Application number | Priority date | Filing date | Title
GB0420025A (GB2418108B, en) | 2004-09-09 | 2004-09-09 | System, method and apparatus for use in monitoring or controlling internet access
GB0420025.9 | 2004-09-09 | |
US10/953,716 (US8024471B2, en) | 2004-09-09 | 2004-09-28 | System, method and apparatus for use in monitoring or controlling internet access
US10/953,716 | 2004-09-28 | |

Publications (1)

Publication Number Publication Date
WO2006027589A1 (fr) 2006-03-16

Family

ID=35385152

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2005/003464 WO2006027589A1 (fr) 2004-09-09 2005-09-09 System, method and apparatus for monitoring or controlling Internet access

Country Status (2)

Country Link
CA (1) CA2577252A1 (fr)
WO (1) WO2006027589A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020042821A1 (en) * 1999-10-04 2002-04-11 Quantified Systems, Inc. System and method for monitoring and analyzing internet traffic
US20020120754A1 (en) * 2001-02-28 2002-08-29 Anderson Todd J. Category name service
US20030093694A1 (en) * 2001-11-15 2003-05-15 General Instrument Corporation Key management protocol and authentication system for secure internet protocol rights management architecture
US20030105863A1 (en) * 2001-12-05 2003-06-05 Hegli Ronald Bjorn Filtering techniques for managing access to internet sites or other software applications

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010022554A1 (fr) * 2008-08-27 2010-03-04 Xing Chen Flow control system and network
CN108833565A (zh) * 2018-06-26 2018-11-16 浙江齐聚科技有限公司 Method, apparatus, server and storage medium for monitoring a server
CN108833565B (zh) * 2018-06-26 2021-07-27 浙江齐聚科技有限公司 Method, apparatus, server and storage medium for monitoring a server
CN111399756A (zh) * 2019-09-29 2020-07-10 杭州海康威视系统技术有限公司 Data storage method, data download method and apparatus
CN111399756B (zh) * 2019-09-29 2024-01-02 杭州海康威视系统技术有限公司 Data storage method, data download method and apparatus

Also Published As

Publication number Publication date
CA2577252A1 (fr) 2006-03-16

Similar Documents

Publication Publication Date Title
US8024471B2 (en) System, method and apparatus for use in monitoring or controlling internet access
US7590716B2 (en) System, method and apparatus for use in monitoring or controlling internet access
US8141147B2 (en) System, method and apparatus for use in monitoring or controlling internet access
WO2006027590A1 (fr) System, method and apparatus for monitoring or controlling Internet access
EP1405224B1 (fr) System and method for loading data from an information source into a mobile communication device with data transcoding
Krishnamurthy et al. Key differences between HTTP/1.0 and HTTP/1.1
US6138162A (en) Method and apparatus for configuring a client to redirect requests to a caching proxy server based on a category ID with the request
US7752336B2 (en) Method and apparatus for resource locator identifier rewrite
US9692725B2 (en) Systems and methods for using an HTTP-aware client agent
US20040098493A1 (en) Web page access
US20040267876A1 (en) Ad-hoc service discovery protocol
US9015199B1 (en) Method and an apparatus to request web pages and content rating information thereof
US7546339B2 (en) Client-server apparatus and method using alternative-response protocols
JP4988307B2 (ja) Context-based navigation
WO2006027589A1 (fr) System, method and apparatus for monitoring or controlling Internet access
KR20190053170A (ko) System and method for suppressing DNS requests
WO2006027600A1 (fr) System, method and apparatus for monitoring or controlling Internet access
EP2141891A2 (fr) Single entry point server solution for reduced-latency annotation web services

Legal Events

Code | Title | Description
AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW
AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
121 | EP: the EPO has been informed by WIPO that EP was designated in this application |
WWE | WIPO information: entry into national phase | Ref document number: 2577252. Country of ref document: CA
NENP | Non-entry into the national phase | Ref country code: DE
122 | EP: PCT application non-entry in European phase |