EP1449342A1 - Internet access system and method - Google Patents

Internet access system and method

Info

Publication number
EP1449342A1
Authority
EP
European Patent Office
Prior art keywords
module
internet access
workstation
access system
uid
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP02781393A
Other languages
German (de)
French (fr)
Inventor
Stephen Arnot
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Serendipity Interactive Ltd
Original Assignee
Serendipity Interactive Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Serendipity Interactive Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Definitions

  • This invention relates to Internet access, in particular filtering access to the World Wide Web.
  • an Internet access system comprising a plurality of workstation modules adapted to transmit requests marked with a workstation UID (Unique IDentity) and a proxy server module adapted to receive said requests from said workstation modules, characterised in that said proxy server module retrieves rules from a database by matching workstation UIDs.
  • a workstation UID Unique IDentity
  • requests are HTTP (Hyper Text Transport Protocol) requests.
  • an Internet access system comprising a plurality of workstation modules and a proxy server module, characterised in that the proxy server module is adapted to parse documents requested by said workstation modules and remove links.
  • said documents are HTML (Hyper Text Mark-up Language) documents.
  • said links are HREF (Hypertext REFerence) statements.
  • said proxy server module is adapted to drop packets responsive to said rules.
  • said request is an HTTP (Hyper Text Transport Protocol) request.
  • a proxy server module parsing a document retrieval, responsive to said HTTP request
  • said document is an HTML (Hyper Text Mark-up Language) document.
  • said links are HREF (Hypertext REFerence) statements.
  • a method of approving websites for inclusion into a list of allowed websites comprising the steps of:
  • said lists of good and bad words are related to at least one category.
  • said workstation module comprises a browser plugin module for adding the workstation identity (UID) as a parameter to all outgoing HTTP headers.
  • UID workstation identity
  • said browser plugin module blocks access to all ports except port 80.
  • More preferably said browser plugin module only allows access to one web server URL (Uniform Resource Locator).
  • the workstation module further comprises a driver module adapted to filter all outgoing packets coming to the transport layer of said workstation module.
  • said workstation module further comprises a service module.
  • Preferably said service module communicates to said proxy server module in order to update a list of ports allowed for said workstation module.
  • said service module is automatically loaded at the start-up of said workstation module.
  • said service module cannot be switched off or uninstalled unless a user possesses an administrator password.
  • said service module transfers the list of IP (Internet Protocol) addresses allowed for said workstation module to said driver module.
  • IP Internet Protocol
  • said service module commands said driver module to drop all IP packets responsive to an integrity check of the workstation module software system.
  • said service module freezes said workstation module responsive to said service module detecting that said driver is uninstalled or corrupted.
  • said freezing of said workstation module is ended responsive to the entering of a password into said workstation module.
  • Preferably said proxy server module stores web pages that have been requested in a cache area.
  • said web server module responsive to user input of a login name and password, checks user authorisation and defines the user session which, combined with said UID from said workstation module, creates a record in a database for linking a user profile with its current workstation module UID that has been used to login.
  • Figure 1 illustrates in schematic form a block diagram of a workstation and servers in accordance with the present invention
  • Figure 2 is a flowchart illustrating the steps of Internet access filtering
  • Figure 3 is a screen shot illustrating a ToolBand
  • Figure 4 is a screen shot illustrating a mini-window
  • Figures 5 to 7 are screen shots illustrating group management
  • Figures 8 to 10 are screen shots illustrating access rights management
  • Figure 11 is an illustration of a screen shot of a scheduling screen for access rights.
  • Figure 12 is a screen shot illustrating access rights that have been set being displayed.
  • the invention is an Internet access system that functions to provide administration and application of allowed website and filtering rules.
  • the embodiments of the invention described with reference to the drawings comprise computer apparatus and processes performed in computer apparatus, the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice.
  • the program may be in the form of source code, object code, a code of intermediate source and object code such as in partially compiled form suitable for use in the implementation of the processes according to the invention.
  • the carrier may be any entity or device capable of carrying the program.
  • the carrier may comprise a storage medium, such as ROM, for example a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example, floppy disc or hard disc.
  • the carrier may be a transmissible carrier such as an electrical or optical signal which may be conveyed via electrical or optical cable or by radio or other means.
  • the carrier may be constituted by such cable or other device or means.
  • the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant processes.
  • FIG. 1 illustrates a block diagram of an Internet access system 10, a system for school pupils to access the Internet and a web service referred to herein as Mylnternet.
  • the workstation module 11 for use by pupils comprises a driver module 12, a browser plugin module 13 and a service module 17.
  • An installer module 14 comprises a master installer module 15 that generates at least one workstation installer module 16.
  • the workstation module is connected via an Internet connection to a proxy server module 18 and a web server module 19.
  • the Driver 12 is an NDIS (Network Driver Interface Specification) Pseudo-Intermediate (PIM) driver for Windows 9x.
  • the driver filters all outgoing TCP/IP (Transmission Control Protocol/Internet Protocol) packets coming to the transport layer of the workstation (client) computer and: 1. checks if the destination IP/destination port combination falls into the allowed region obtained from the service component; 2. the only allowed destination IP for ports 80 and 8080 should be proxy-server IP address; 3. if packet destination address does not meet the allowed region, the packet is dropped; 4. if packet destination address meets the allowed region the packet is transparently sent; 5. the driver should not affect LAN services; 6. the driver should test the integrity of the whole system and if service component is suspected to be cracked the driver should turn off Internet connection completely, preferably leaving LAN connectivity active.
  • NDIS Network Driver Interface Specification
  • PIM Pseudo-Intermediate
  • the browser plugin module 13 is a Microsoft® Internet Explorer (MSIE) plugin.
  • MSIE Microsoft® Internet Explorer
  • the plugin adds a ToolBand 30 on top of the MSIE window and browser panel on the bottom and synchronises their content with main browser window.
  • the plugin works on MSIE version 4.x and higher.
  • the ToolBand includes the following objects: - Login button 31 - Home button 32 - Search input box with drop-down menu of recent queries 33 - Search options radio-switch (search site, subject, category, Mylnternet) 34 - Restore browser panel button.
  • the browser panel includes MSIE control displaying relevant information to the page browsed in main browser window.
  • the ToolBand should provide means to easily restore itself if user attempts to switch it off by means of placing COM-menu button on menu area of the MSIE window.
  • the browser plugin adds the unique workstation ID (UID) as a parameter to all HTTP headers outgoing.
  • UID unique workstation ID
  • the browser plugin module 13 is a Netscape Navigator plugin.
  • the plugin draws a mini-window 40 on top of Navigator and synchronises its content with focused Navigator window.
  • the mini-window includes all the same objects as the MSIE plugin.
  • the ToolBand should provide means to easily restore itself if user attempts to switch it off by means of placing COM-menu button on menu area of the MSIE window.
  • the ToolBand adds Workstation ID (UID) as a parameter to all HTTP headers outgoing.
  • UID Workstation ID
  • the Installer 14 is a two-step installer: - a master installer 15 for location administration; and - a workstation installer 16.
  • the master installer obtains location ID during installation/online registering process. Then it generates workstation installers identified with location ID.
  • UID workstation ID
  • Plugins installed by workstation installers use these UIDs to mark each outgoing HTTP packet, so that a relation can always be built between the person logged in to a particular PC (Personal Computer) and its UID.
  • While installing to a workstation, an administrator user can select "admin install" using her administrator password to confirm rights to do so; in this case location admin is allowed from this workstation.
  • While performing master installation, location admin should determine its LAN/WAN (Local Area Network/Wide Area Network) topology in the form of the IP addresses mask and/or IP addresses range allowed, DNS (Domain Name Server) server IP etc. This info is later used by drivers on pupils' workstations to allow or drop IP packets.
  • LAN/WAN Local Area Network/Wide Area Network
  • DNS Domain Name Server
  • the service module 17 is a Windows service (console application running in background) .
  • When a user switches on a computer, the service is automatically loaded at start up. It cannot be switched off or uninstalled unless the user possesses an admin password.
  • the service communicates to the server each, say, 5 minutes to update the list of ports allowed for this workstation.
  • the service transfers the list of IP addresses allowed for this workstation to the driver.
  • the service checks integrity of the whole system and if suspects that plug-in has been uninstalled or corrupted, commands the driver to drop all IP packets; if the service detects that driver is uninstalled or corrupted, it freezes the computer not allowing users to work on it any more, without an admin password.
  • the proxy server software 18 is a dynamic filtering non-transparent proxy server with caching.
  • the proxy server queries database using the UID to determine user settings and: 1. Either allows URL (Uniform Resource Locator) opening or drops at least one packet 2. Either allows port opening or drops at least one packet.
  • URL Uniform Resource Locator
  • proxy parses the HTML result document and cuts away unwanted HREF statements according to the rules.
  • Web pages requested by any user and parsed (with unwanted HREFs erased) are stored into cache area for specified period of time (e.g. one hour) . This eliminates unnecessary server load in cases when the whole group (e.g. 30 pupils) are working together on the same web site, having all the same access rights defined for group. Proxy server may then just retrieve a cached version of the page parsed before. The cache period is selected so that it is unlikely that dynamically built web sites change their content within this period.
  • the web server software 19 provides dynamic JSP (Java Service Pages) based portal pages to users.
  • the server should generate default web page for the users who are not yet logged in or their session timed-out.
  • the plug in will block access to all ports except port 80 and will only allow access to the Mylnternet home page. Any Internet access attempting to be made will be denied unless it is browsing to a specific (e.g. Mylnternet) home page.
  • Content on the home page should be editable via admin interface and include general interest areas like sports, weather, education, etc.
  • When the user browses to the Mylnternet Home page the server will use the user's location so a location specific page can be viewed as the home page.
  • User log in is provided by the web server using a web form with LOGIN NAME and PASSWORD fields to be posted to server for authentication.
  • the action of this form is to check validity and define user session. Together with the marking of HTTP packets with UIDs by the browser module, this creates record in database which links the user profile with the current workstation ID he or she used to log in.
  • After the user has logged in, the web server generates a default web page taking into consideration the user's profile and schedule of activities. The default page includes a list of categories allowed for this user. When user selects some category from this list, a sub-list of subjects allowed opens. Again, if the user selects some subject, a sub-list of web sites allowed appears.
  • a cross-reference panel contains on a first tab a list of web sites allowed for this user, which are relevant to the page which the user is currently viewing in main browser window. Relevancy is measured using keywords linked to the current page.
  • a second tab contains information obtained from page meta tags and while page admission process, including: - title of page (META) - keywords of page (META) - keyword of page used while admission by admin (AUTO) - author of page (META) - date of page indexing (AUTO) - date of page creation (META)
  • the panel further contains in a third tab page views statistics regarding Mylnternet views only; and voting for page (two-level voting "good/not good") : - page views - average time spent on page - votes meter in form of percentage of "good" votes against total votes - button to vote for this page Reasonable measures against vote cheating should be taken.
  • a fourth tab displays the user name.
  • the web server provides a pupils' search engine to display search results in main browser window.
  • a pupil can enter a search query in the browser ToolBand and select restrictions on search: whether to perform it within the current site, subject or category. When the pupil presses the SEARCH button, search results should appear in main browser window.
  • the search engine looks up relevant pages using Mylnternet database of indexed pages only. Relevancy criteria should take into consideration e.g.; - number of words from search query found on page; - how close these words are to each other - if page meta tags (content and keywords) include query words.
  • the web server provides a location administration backend. Location authorised personnel should be able to control Mylnternet restrictions. If the logged in user has administrator privileges, and installed version of plug-in is an admin version, then the web server should add "Admin" link to default page. This links leads to location administration page.
  • a location administrator can perform the following actions: - search web sites in unrestricted Internet search engines and add found pages to approval queue; - create location specific category with its own subjects, adding web sites without Mylnternet approval; - Manage user groups - Manage access rights
  • the web server provides a Mylnternet administrator backend to approve web sites for inclusion into the Mylnternet index. Requests for web pages approval come in queue from all locations and from a central office.
  • web page body text is indexed into the Mylnternet database word-by-word.
  • the web server provides management of location accounts.
  • a web server administrator is able to create, edit and delete location accounts.
  • the web server administrator should have the same rights inside a location as location administrators; for remote assistance.
  • both panels can display either groups or pupils. If user changes the state of pull-down menu 51, which has two options: Users and Groups, full list of all Pupils (users) or Groups in this location is displayed in corresponding panel. If groups are displayed in a panel 52, double-clicking on any group will open users belonging to this group (like e.g. panel 53) . This is similar to folders and files in Norton Commander.
  • Users can be: - moved to any group selected or opened in panel 52 from a complete list of users or from any group opened in panel 53; - created (Make button) which makes them appear in complete list of users only; - deleted (Delete button) which erases them from the group view which is opened in panel 52; to delete user from complete list admin should select Users in pull-down menu 51, thus opening the complete list, then press Delete button, and after confirmation message selected user will be erased from all groups she belongs and from the complete list.
  • Groups can be: - copied to another group: it means copying group from panel 53 with both users who belong to original group and Mylnternet access rights assigned for original group; - cloned to another group: it means that new group will have the same access rights as original group selected in panel 53 but new group will be empty (no users) ; - spawned to another group: it means that new group will have the same list of users as original group selected in panel 53 but new group will have no access rights assigned to it; - created (Make button) which results in empty group with no users and no access rights; - deleted (Delete button) which erases the group selected in panel 52 after confirmation message "Are you sure?".
  • Panel 87 displays complete list of existing web sites with their categories and subjects when pull-down menu 88 is set to "Sites". First, it displays categories existing in system; if user double-clicks on a category then panel 87 will show subjects within this category; if user double-clicks subjects then panel 87 will show web pages (i.e. their titles) belonging to this subject. Label 89 shows what we see in panel 87: categories, subjects or web pages.
  • If pull-down menu 88 is set to "Ports", then panel 87 will display possible ports settings. Ports are grouped in commonly used groups labelled e.g. "HTTP" or "FTP". If the user double-clicks on a label (e.g. "HTTP"), panel 87 will display the list of ports assigned to this label (e.g. "80, 8080").
  • HTTP HyperText Transfer Protocol
  • Panel 86 displays web sites and ports (depending on pull-down menu 85 setting) allowed for the selected group (designated by label 84), in the same manner as panel 87 with some differences explained here under. First, we describe some examples how to give access rights to a group permanently.
  • example B give permanent access to subject "Middlesex" in category "Geography": 1. Switch 88 to "Sites" 2. Double-click "Geography" in 87 3. Select "Middlesex" in 87 4. Press "Permanent" button 5. Intermediate dialogue box Dl will show up containing: You are giving permanent access rights for category "Geography" to group "B-Geography" <OK> <Cancel>. 6. "Middlesex" category will appear in 86.
  • a user points and clicks on grid items. Multiple grid items can be selected at once (usual shift- and control- operations applicable) .
  • the invention allow teachers or managers or employees to give unmonitored Internet access to pupils with the knowledge that the only materials they can access are directly relevant to the curriculum and more importantly the lessons or business at hand.
  • This is accomplished by creating a dynamic and intelligent web catalogue of curriculum or business relevant web sites, and a specialised "Client Side Plug In” that allows access to only sites that are listed within the catalogue.
  • the "Client Side Plug In” also allows authorised users (e.g., teachers) the ability to refine this catalogue to only allow access to materials that the individual teacher deems necessary for that specific class.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to systems and methods of accessing the Internet. In particular, it relates to using unique identity markers to label requests, such that for each request certain rules are retrieved from a database depending on the user or workstation in question, and this controls access to certain Internet sites.

Description

Internet Access System and Method
This invention relates to Internet access, in particular filtering access to the World Wide Web.
In the field of the Internet and the World Wide Web, web browsers are used to provide Internet access to web pages. A problem that faces all sectors of industry is Internet misuse in the work place. Internet misuse is also common in the classroom. This misuse takes the form of users accessing inappropriate materials or wasting time surfing the Internet unproductively.
Products that help to restrict misuse of Internet access fall into the categories of web proxies; walled gardens; web filters and web catalogues.
The prior art solutions have an emphasis on negative management of access by banning access to URLs (Uniform Resource Locators) that are stored in a catalogue or list of banned websites. Web filters such as Cyber Patrol from SurfControl are known with drag and drop rule administration modules for administrators to set filtering and blocking rules at the user, group, workstation or global level. Such web filters use different techniques to classify websites into a set of standard categories, such as adult, gambling and sports. The technology of such prior art web filters focuses on URL reviewing and categorising using human researchers and automated methods.
It would be advantageous for a web filter to have an emphasis on positive management rather than negative banning or blocking of URLs.
It would be advantageous to provide an Internet access system that restricts Internet access to pre-approved websites and furthermore allows banners and hyperlinks only to work if they link to a site of a similar category to the presently browsed site.
It would be further advantageous for searches to be limited in the same way.
It would be advantageous to provide an Internet access system that automatically predicted and personalised the content based not only on the individual's past activities, but also similar users' activities and experiences.
It would be further advantageous to provide an Internet access system that monitored the specific areas of the Internet that a user visited most often and biased search results to those areas, and added similar information as it becomes available. It would be further advantageous to provide an Internet access system that administrators could tailor to their specific needs to allow time bands of restricted access and specific categories to be made available at specific times.
It is an object of the present invention to provide an Internet access system with improved administration of allowed web sites and application of categories to web access and searching.
According to a first aspect of the present invention, there is provided an Internet access system comprising a plurality of workstation modules adapted to transmit requests marked with a workstation UID (Unique IDentity) and a proxy server module adapted to receive said requests from said workstation modules, characterised in that said proxy server module retrieves rules from a database by matching workstation UIDs.
Preferably said requests are HTTP (Hyper Text Transport Protocol) requests.
According to a second aspect of the present invention, there is provided an Internet access system comprising a plurality of workstation modules and a proxy server module, characterised in that the proxy server module is adapted to parse documents requested by said workstation modules and remove links.
Preferably said documents are HTML (Hyper Text Mark-up Language) documents.
Preferably said links are HREF (Hypertext REFerence) statements.
Preferably said parsing of said results is responsive to said rules retrieved from said database.
Preferably said proxy server module is adapted to drop packets responsive to said rules.
Preferably said rules specify allowed URLs (Universal Resource Locators).
Alternatively said rules specify allowed ports.
According to a third aspect of the present invention, there is provided a method of Internet access comprising the steps of:
• a browser module transmitting a request that is marked with a UID;
• a proxy server module responsive to said request, querying a database of rules matched to said UID; and
• a proxy server module dropping packets responsive to said rules.
Preferably said request is an HTTP (Hyper Text Transport Protocol) request.
According to a fourth aspect of the present invention, there is provided a method of Internet access comprising the steps of:
• a browser transmitting a request;
• a proxy server module parsing a document retrieval, responsive to said HTTP request; and
• a proxy server module deleting links in said document according to rules.
Preferably said document is an HTML (Hyper Text Mark-up Language) document.
Preferably said links are HREF (Hypertext REFerence) statements.
Preferably said rules are according to the third aspect of the present invention.
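The third and fourth aspects combined, as an added example that is not part of the patent text: rules are looked up by workstation UID, the requested URL is checked, and HREF attributes that fall outside the rules are deleted from the returned HTML. The rule format (allowed hosts and ports), the UID value, the function names and the sample page are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed rule table standing in for the database, keyed by workstation UID.
RULES_BY_UID = {
    "WS-0001": {"allowed_hosts": {"example.org"}, "allowed_ports": {80}},
}


def url_allowed(url, rules, base=""):
    """Default-deny: only http URLs on an allowed host and port pass."""
    try:
        parts = urlsplit(urljoin(base, url))
        port = 80 if parts.port is None else parts.port
    except ValueError:  # malformed port or host
        return False
    return (parts.scheme == "http"
            and parts.hostname in rules["allowed_hosts"]
            and port in rules["allowed_ports"])


class HrefStripper(HTMLParser):
    """Re-emits the document, dropping href attributes the rules do not allow."""

    def __init__(self, base_url, rules):
        super().__init__(convert_charrefs=False)
        self.base_url, self.rules = base_url, rules
        self.out, self.removed = [], []

    def _tag(self, tag, attrs, end):
        kept = []
        for name, value in attrs:
            if name == "href" and not url_allowed(value or "", self.rules, self.base_url):
                self.removed.append(value)  # link text stays, target is cut away
                continue
            kept.append(name if value is None
                        else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + end)

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, "/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_document(uid, url, document):
    """Return (filtered_html, removed_hrefs), or None when the request is dropped."""
    rules = RULES_BY_UID.get(uid)
    if rules is None or not url_allowed(url, rules):
        return None  # unknown workstation or URL outside the rules
    parser = HrefStripper(url, rules)
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample page and request URL.
BASE_URL = "http://example.org/geo/index.html"
SAMPLE_HTML = ('<p>See <a href="/rivers.html">rivers</a>, '
               '<a href="http://ads.example.net/win">a banner</a> and '
               '<a href="javascript:void(0)" class="x">a script link</a>.</p>')

if __name__ == "__main__":
    print(filter_document("WS-0001", BASE_URL, SAMPLE_HTML))
```

Relative links are resolved against the requested URL before the check, and any scheme other than http is treated as not allowed.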
According to a fifth aspect of the present invention, there is provided a method of approving websites for inclusion into a list of allowed websites, comprising the steps of:
• approving websites responsive to a count of the number of approved keywords in a meta tag;
• approving a website responsive to a count of the number of keywords in the website body text that are found in a list of good keywords; and
• approving a website responsive to a count of the number of keywords in the website body text that are found in a list of bad keywords.
Optionally if a keyword is found in the list of good words and the list of bad words, then said count of the number of keywords that are found in the list of bad keywords is not incremented.
Preferably said lists of good and bad words are related to at least one category.
Preferably said workstation module comprises a browser plugin module for adding the workstation identity (UID) as a parameter to all outgoing HTTP headers.
Preferably said browser plugin module blocks access to all ports except port 80.
More preferably said browser plugin module only allows access to one web server URL (Uniform Resource Locator).
Preferably the workstation module further comprises a driver module adapted to filter all outgoing packets coming to the transport layer of said workstation module.
Preferably said workstation module further comprises a service module.
Preferably said service module communicates to said proxy server module in order to update a list of ports allowed for said workstation module.
Preferably said service module is automatically loaded at the start-up of said workstation module. Preferably said service module cannot be switched off or uninstalled unless a user possesses an administrator password.
Preferably said service module transfers the list of IP (Internet Protocol) addresses allowed for said workstation module to said driver module.
Preferably said service module commands said driver module to drop all IP packets responsive to an integrity check of the workstation module software system.
Preferably said service module freezes said workstation module responsive to said service module detecting that said driver is uninstalled or corrupted.
Preferably said freezing of said workstation module is ended responsive to the entering of a password into said workstation module.
Preferably said proxy server module stores web pages that have been requested in a cache area.
Preferably said web server module responsive to user input of a login name and password, checks user authorisation and defines the user session which, combined with said UID from said workstation module, creates a record in a database for linking a user profile with its current workstation module UID that has been used to login.
In order to provide a better understanding of the present invention, an embodiment will now be described by way of example only and with reference to the accompanying Figures, in which:
Figure 1 illustrates in schematic form a block diagram of a workstation and servers in accordance with the present invention;
Figure 2 is a flowchart illustrating the steps of Internet access filtering;
Figure 3 is a screen shot illustrating a ToolBand;
Figure 4 is a screen shot illustrating a mini-window;
Figures 5 to 7 are screen shots illustrating group management;
Figures 8 to 10 are screen shots illustrating access rights management; and
Figure 11 is an illustration of a screen shot of a scheduling screen for access rights.
Figure 12 is a screen shot illustrating access rights that have been set being displayed.
The invention is an Internet access system that functions to provide administration and application of allowed website and filtering rules.
Although the embodiments of the invention described with reference to the drawings comprise computer apparatus and processes performed in computer apparatus, the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code of intermediate source and object code such as in partially compiled form suitable for use in the implementation of the processes according to the invention. The carrier may be any entity or device capable of carrying the program.
For example, the carrier may comprise a storage medium, such as ROM, for example a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example, floppy disc or hard disc. Further, the carrier may be a transmissible carrier such as an electrical or optical signal which may be conveyed via electrical or optical cable or by radio or other means.
When the program is embodied in a signal which may be conveyed directly by a cable or other device or means, the carrier may be constituted by such cable or other device or means.
Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant processes.
With reference to Figure 1, which illustrates a block diagram of an Internet access system 10, there is shown a system for school pupils to access the Internet and a web service referred to herein as MyInternet. The workstation module 11 for use by pupils comprises a driver module 12, a browser plugin module 13 and a service module 17. An installer module 14 comprises a master installer module 15 that generates at least one workstation installer module 16.
The workstation module is connected via an Internet connection to a proxy server module 18 and a web server module 19.
Within the workstation module 11 there is included a driver module 12. The driver 12 is an NDIS (Network Driver Interface Specification) Pseudo-Intermediate (PIM) driver for Windows 9x. The driver filters all outgoing TCP/IP (Transmission Control Protocol/Internet Protocol) packets coming to the transport layer of the workstation (client) computer and:
1. checks if the destination IP/destination port combination falls into the allowed region obtained from the service component;
2. the only allowed destination IP for ports 80 and 8080 should be proxy-server IP address;
3. if packet destination address does not meet the allowed region, the packet is dropped;
4. if packet destination address meets the allowed region the packet is transparently sent;
5. the driver should not affect LAN services;
6. the driver should test the integrity of the whole system and if service component is suspected to be cracked the driver should turn off Internet connection completely, preferably leaving LAN connectivity active.
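The six driver rules above can be read as one per-packet decision. The following is an added illustration in Python, not code from the patent: the addresses are constructed documentation ranges, and checking the LAN exemption first is an assumed ordering (the description does not state one).

```python
import ipaddress
from dataclasses import dataclass, field

WEB_PORTS = {80, 8080}  # rule 2: these ports may only reach the proxy server


@dataclass
class DriverPolicy:
    proxy_ip: str                      # proxy server address (constructed value below)
    lan_networks: list                 # LAN/WAN masks entered at master installation
    allowed: set = field(default_factory=set)  # (ip, port) pairs pushed by the service
    system_intact: bool = True         # outcome of the driver's integrity test

    def is_lan(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in ipaddress.ip_network(net) for net in self.lan_networks)

    def decide(self, dst_ip, dst_port):
        """Return "pass" or "drop" for one outgoing TCP/IP packet."""
        if self.is_lan(dst_ip):
            return "pass"              # rule 5: LAN services are not affected
        if not self.system_intact:
            return "drop"              # rule 6: Internet off, LAN left active
        if dst_port in WEB_PORTS:      # rule 2: web ports only towards the proxy
            return "pass" if dst_ip == self.proxy_ip else "drop"
        # rules 1, 3 and 4: everything else must be in the allowed region
        return "pass" if (dst_ip, dst_port) in self.allowed else "drop"


# Constructed sample policy using documentation address ranges.
SAMPLE_POLICY = DriverPolicy(
    proxy_ip="203.0.113.10",
    lan_networks=["192.168.1.0/24"],
    allowed={("198.51.100.5", 21)},
)

if __name__ == "__main__":
    for dst in [("203.0.113.10", 8080), ("198.51.100.7", 80),
                ("198.51.100.5", 21), ("192.168.1.20", 445)]:
        print(dst, SAMPLE_POLICY.decide(*dst))
```

Because the default branch drops, a workstation whose allowed list has not yet been delivered by the service fails closed for everything except the LAN and the proxy.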
The browser plugin module 13 is a Microsoft © Internet Explorer (MSIE) plugin. With reference to Figure 3, the plugin adds a ToolBand 30 on top of the MSIE window and browser panel on the bottom and synchronises their content with main browser window. The plugin works on MSIE version 4.x and higher. The ToolBand includes the following objects:
- Login button 31
- Home button 32
- Search input box with drop-down menu of recent queries 33
- Search options radio-switch (search site, subject, category, MyInternet) 34
- Restore browser panel button.
The browser panel includes an MSIE control displaying information relevant to the page browsed in the main browser window. The ToolBand should provide means to easily restore itself if the user attempts to switch it off, by means of placing a COM-menu button on the menu area of the MSIE window. The browser plugin adds the unique workstation ID (UID) as a parameter to all outgoing HTTP headers.
Alternatively, the browser plugin module 13 is a Netscape Navigator plugin. With reference to Figure 4, the plugin draws a mini-window 40 on top of Navigator and synchronises its content with the focused Navigator window. The mini-window includes all the same objects as the MSIE plugin. Thus, the ToolBand should provide means to easily restore itself if the user attempts to switch it off, by means of placing a COM-menu button on the menu area of the MSIE window. The ToolBand adds the Workstation ID (UID) as a parameter to all outgoing HTTP headers.
The Installer 14 is a two-step installer:
- a master installer 15 for location administration; and
- a workstation installer 16.
The master installer obtains location ID during installation/online registering process. Then it generates workstation installers identified with location ID.
Workstation installers generate a unique workstation ID (UID) for each machine they are installed on. The UID has the location ID encoded into its integrity, so that it is difficult to fault the resulting UID.
Plugins installed by workstation installers use these UIDs to mark each outgoing HTTP packet, so that a relation can always be built between the person logged in to a particular PC (Personal Computer) and its UID.
While installing to a workstation, an administrator user can select "admin install", using her administrator password to confirm the right to do so; in this case location admin is allowed from this workstation.
While performing master installation, location admin should determine its LAN/WAN (Local Area Network/Wide Area Network) topology in the form of the IP addresses mask and/or IP addresses range allowed, DNS (Domain Name Server) server IP etc. This info is later used by drivers on pupils' workstations to allow or drop IP packets.
The service module 17 is a Windows service (console application running in background). When a user switches on a computer, the service is automatically loaded at start up. It cannot be switched off or uninstalled unless the user possesses an admin password. The service communicates with the server every, say, 5 minutes to update the list of ports allowed for this workstation. The service transfers the list of IP addresses allowed for this workstation to the driver. Furthermore, the service checks the integrity of the whole system and, if it suspects that the plug-in has been uninstalled or corrupted, commands the driver to drop all IP packets; if the service detects that the driver is uninstalled or corrupted, it freezes the computer, not allowing users to work on it any more without an admin password.
The proxy server software 18 is a dynamic filtering non-transparent proxy server with caching.
With respect to content filtering functionality, for each HTTP request marked with UID, the proxy server queries database using the UID to determine user settings and:
1. Either allows URL (Uniform Resource Locator) opening or drops at least one packet
2. Either allows port opening or drops at least one packet.
If the URL requested is allowed to this particular user, proxy parses the HTML result document and cuts away unwanted HREF statements according to the rules.
Web pages requested by any user and parsed (with unwanted HREFs erased) are stored into cache area for specified period of time (e.g. one hour). This eliminates unnecessary server load in cases when the whole group (e.g. 30 pupils) are working together on the same web site, having all the same access rights defined for group. Proxy server may then just retrieve a cached version of the page parsed before. The cache period is selected so that it is unlikely that dynamically built web sites change their content within this period.
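A sketch of the proxy-side flow described above, added here as an illustration and not taken from the patent: rules are looked up by the UID carried on the request, disallowed HREFs are cut, and the parsed page is cached for an hour. The UIDs, group names, hosts and the `fetch` callable are constructed; the cache is keyed on group as well as URL so that a copy parsed under one group's rules is never served to a group with different rules.

```python
import html
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CACHE_TTL = 3600  # "e.g. one hour" in the description

# Constructed sample rules: workstation UID -> group, group -> allowed hosts.
UID_TO_GROUP = {"LOC42-0001": "B-Geography", "LOC42-0002": "A-History"}
GROUP_HOSTS = {"B-Geography": {"geo.example", "maps.example"},
               "A-History": {"geo.example"}}
SAMPLE_PAGE = ('<p><a href="/rivers">Rivers</a> '
               '<a href="http://maps.example/uk">Map</a> '
               '<a href="http://games.example/">Play</a></p>')  # constructed


class HrefStripper(HTMLParser):
    """Re-emit a document, cutting href attributes that leave the allowed hosts."""

    def __init__(self, base_url, allowed_hosts):
        super().__init__(convert_charrefs=False)
        self.base, self.allowed, self.out = base_url, allowed_hosts, []

    def _tag(self, tag, attrs, end=">"):
        parts = [tag]
        for name, value in attrs:
            if tag == "a" and name == "href":
                host = urlsplit(urljoin(self.base, value or "")).hostname
                if host not in self.allowed:
                    continue  # unwanted link: drop the attribute, keep the text
            parts.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(parts) + end)

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, end=" />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


class FilteringProxy:
    def __init__(self, fetch, clock=time.time):
        self.fetch, self.clock, self.cache = fetch, clock, {}

    def handle(self, uid, url):
        """Return (status, body) for one request marked with a UID."""
        group = UID_TO_GROUP.get(uid)
        allowed = GROUP_HOSTS.get(group, set())
        if urlsplit(url).hostname not in allowed:
            return 403, ""  # unknown UID or URL outside the rules: deny
        key = (group, url)  # the rule set is part of the key, not just the URL
        hit = self.cache.get(key)
        if hit and hit[0] > self.clock():
            return 200, hit[1]
        parser = HrefStripper(url, allowed)
        parser.feed(self.fetch(url))
        parser.close()
        body = "".join(parser.out)
        self.cache[key] = (self.clock() + CACHE_TTL, body)
        return 200, body
```

The UID arrives in a header set by the client, so the lookup is only as trustworthy as the workstation software that writes it; a request with a missing or unknown UID is denied rather than given default rights.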
The web server software 19 provides dynamic JSP (Java Service Pages) based portal pages to users. The server should generate a default web page for users who are not yet logged in or whose session has timed out. In default behaviour mode the plug-in will block access to all ports except port 80 and will only allow access to the MyInternet home page. Any attempted Internet access will be denied unless it is browsing to a specific (e.g. MyInternet) home page.
Content on the home page should be editable via admin interface and include general interest areas like sports, weather, education, etc.
When the user browses to the MyInternet Home page the server will use the user's location so a location specific page can be viewed as the home page.
User log in is provided by the web server using a web form with LOGIN NAME and PASSWORD fields to be posted to the server for authentication. The action of this form is to check validity and define the user session. Together with the marking of HTTP packets with UIDs by the browser module, this creates a record in the database which links the user profile with the current workstation ID he or she used to log in. After the user has logged in, the web server generates a default web page taking into consideration the user's profile and schedule of activities. The default page includes a list of categories allowed for this user. When the user selects some category from this list, a sub-list of subjects allowed opens. Again, if the user selects some subject, a sub-list of web sites allowed appears.
A cross-reference panel contains on a first tab a list of web sites allowed for this user, which are relevant to the page which the user is currently viewing in main browser window. Relevancy is measured using keywords linked to the current page. A second tab contains information obtained from page meta tags and during the page admission process, including:
- title of page (META)
- keywords of page (META)
- keyword of page used while admission by admin (AUTO)
- author of page (META)
- date of page indexing (AUTO)
- date of page creation (META)
The panel further contains in a third tab page views statistics regarding MyInternet views only; and voting for page (two-level voting "good/not good"):
- page views
- average time spent on page
- votes meter in form of percentage of "good" votes against total votes
- button to vote for this page
Reasonable measures against vote cheating should be taken. A fourth tab displays the user name.
The web server provides a pupils' search engine to display search results in main browser window. A pupil can enter a search query in the browser ToolBand and select restrictions on the search: whether to perform it within the current site, subject or category. When the pupil presses the SEARCH button, search results should appear in main browser window.
The search engine looks up relevant pages using MyInternet database of indexed pages only. Relevancy criteria should take into consideration e.g.:
- number of words from search query found on page;
- how close these words are to each other;
- if page meta tags (content and keywords) include query words.
The web server provides a location administration backend. Location authorised personnel should be able to control MyInternet restrictions. If the logged in user has administrator privileges, and the installed version of the plug-in is an admin version, then the web server should add an "Admin" link to the default page. This link leads to the location administration page.
A location administrator can perform the following actions:
- search web sites in unrestricted Internet search engines and add found pages to approval queue;
- create location specific category with its own subjects, adding web sites without MyInternet approval;
- Manage user groups
- Manage access rights
The web server provides a MyInternet administrator backend to approve web sites for inclusion into the MyInternet index. Requests for web pages approval come in queue from all locations and from a central office. Automatic approval is provided when web site matches inclusion criteria:
- meta tag contains pre-set number of keywords,
- body text contains pre-set number of keywords from GOODLIST (a list of good words),
- body text does not contain words from BADLIST (a list of bad words),
- if the same keyword is in both lists, GOODLIST prevails.
If web page does not qualify for automatic inclusion it goes into a queue for manual approval. When approved, web page body text is indexed into the MyInternet database word-by-word.
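The inclusion criteria above, including the rule that GOODLIST prevails, worked through as an added Python example that is not part of the patent. The word lists, thresholds and sample pages are constructed, and counting distinct words rather than occurrences is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed word lists; "game" is deliberately in both.
GOODLIST = {"river", "map", "climate", "valley", "game"}
BADLIST = {"casino", "betting", "game"}
MIN_META_KEYWORDS = 2   # assumed value for the "pre-set number"
MIN_BODY_KEYWORDS = 3   # assumed value for the "pre-set number"


class PageText(HTMLParser):
    """Collect META keywords and the words of the visible body text."""

    def __init__(self):
        super().__init__()
        self.meta_keywords, self.body_words = [], []
        self._in_body, self._skip = False, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "keywords":
            content = a.get("content") or ""
            self.meta_keywords += [k.strip().lower()
                                   for k in content.split(",") if k.strip()]
        elif tag == "body":
            self._in_body = True
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "body":
            self._in_body = False

    def handle_data(self, data):
        if self._in_body and not self._skip:
            self.body_words += re.findall(r"[a-z]+", data.lower())


def review(html_text):
    """Decide between automatic approval and the manual queue."""
    page = PageText()
    page.feed(html_text)
    page.close()
    body = set(page.body_words)
    meta_hits = {k for k in page.meta_keywords if k in GOODLIST}
    good_hits = body & GOODLIST
    bad_hits = body & (BADLIST - GOODLIST)  # a word in both lists counts as good
    ok = (len(meta_hits) >= MIN_META_KEYWORDS
          and len(good_hits) >= MIN_BODY_KEYWORDS
          and not bad_hits)
    return {"decision": "auto-approve" if ok else "manual-queue",
            "meta_hits": sorted(meta_hits),
            "good_hits": sorted(good_hits),
            "bad_hits": sorted(bad_hits)}


# Constructed sample pages.
HEAD = '<html><head><meta name="keywords" content="river, map, geography"></head>'
PAGE_OK = HEAD + "<body><h1>River valley map</h1><p>A climate game.</p></body></html>"
PAGE_BAD = HEAD + "<body><p>River valley map, climate. Visit our casino.</p></body></html>"
PAGE_THIN = ('<html><head><meta name="keywords" content="river"></head>'
             "<body><p>River valley map climate.</p></body></html>")

if __name__ == "__main__":
    for name, page in [("ok", PAGE_OK), ("bad", PAGE_BAD), ("thin", PAGE_THIN)]:
        print(name, review(page))
```

Meta keywords and body text are written by the site under review, so the automatic path is a triage step; the manual queue is where anything ambiguous ends up.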
The web server provides management of location accounts. A web server administrator is able to create, edit and delete location accounts. The web server administrator should have the same rights inside a location as location administrators, for remote assistance.
With reference to Figure 5, which shows a Norton Commander-style web form 50 with two panels (left and right), both panels can display either groups or pupils. If the user changes the state of pull-down menu 51, which has two options, Users and Groups, the full list of all Pupils (users) or Groups in this location is displayed in the corresponding panel. If groups are displayed in a panel 52, double-clicking on any group will open the users belonging to this group (like e.g. panel 53). This is similar to folders and files in Norton Commander.
With reference to Figures 5 and 6, which illustrate adding user William to group B-Geography, Users can be:
- moved to any group selected or opened in panel 52 from a complete list of users or from any group opened in panel 53;
- created (Make button) which makes them appear in complete list of users only;
- deleted (Delete button) which erases them from the group view which is opened in panel 52; to delete user from complete list admin should select Users in pull-down menu 51, thus opening the complete list, then press Delete button, and after confirmation message selected user will be erased from all groups she belongs and from the complete list.
With reference to Figures 5 and 7, Groups can be:
- copied to another group: it means copying group from panel 53 with both users who belong to original group and MyInternet access rights assigned for original group;
- cloned to another group: it means that new group will have the same access rights as original group selected in panel 53 but new group will be empty (no users);
- spawned to another group: it means that new group will have the same list of users as original group selected in panel 53 but new group will have no access rights assigned to it;
- created (Make button) which results in empty group with no users and no access rights;
- deleted (Delete button) which erases the group selected in panel 52 after confirmation message "Are you sure?".
With reference to Figure 8, which illustrates access rights management, when an administrator selects a group in any mode illustrated in Figures 5 to 7, and then presses "Access" tab 80, he or she can now assign access rights for the last selected group, which is referred to by label 84. In this view we use the same Norton Commander approach.
Panel 87 displays complete list of existing web sites with their categories and subjects when pull-down menu 88 is set to "Sites". First, it displays categories existing in system; if user double-clicks on a category then panel 87 will show subjects within this category; if user double-clicks subjects then panel 87 will show web pages (i.e. their titles) belonging to this subject. Label 89 shows what we see in panel 87: categories, subjects or web pages.
If pull-down menu 88 is set to "Ports" then panel 87 will display possible ports settings. Ports are grouped in commonly used groups labelled e.g. "HTTP" or "FTP". If user double-clicks on a label (e.g. "HTTP") panel 87 will display list of ports assigned to this label (e.g. "80, 8080").
Panel 86 displays web sites and ports (depending on pull-down menu 85 setting) allowed for the selected group (designated by label 84), in the same manner as panel 87 with some differences explained hereunder. First, we describe some examples how to give access rights to a group permanently.
With reference to Figures 8 and 9, we describe example A - give permanent access to category "Geography":
1. Switch 88 to "Sites"
2. Select "Geography" in 87
3. Press "Permanent" button
4. Intermediate dialogue box D1 will show up containing: You are giving permanent access rights for category "Geography" to group "B-Geography" <OK> <Cancel>.
5. Geography category will appear in 86.
With reference to Figures 8 and 10, we describe example B - give permanent access to subject "Middlesex" in category "Geography":
1. Switch 88 to "Sites"
2. Double-click "Geography" in 87
3. Select "Middlesex" in 87
4. Press "Permanent" button
5. Intermediate dialogue box D1 will show up containing: You are giving permanent access rights for category "Geography" to group "B-Geography" <OK> <Cancel>.
6. "Middlesex" category will appear in 86.
We now describe setting inclusive and exclusive access rights. These access rights are time-dependent. Inclusive access rights are added to existing permanent rights for a given period of time. Exclusive access rights replace all other rights for a given period of time. Assigning inclusive and exclusive access rights involves a different intermediate dialogue box, as illustrated in Figure 11. This dialogue box is used for scheduling. It draws a calendar for one week from the current date. The user can select the exact date for which to schedule inclusive or exclusive access for a particular category/subject/site/port, or select repetition rules (weekly, bi-weekly, monthly).
To schedule time a user points and clicks on grid items. Multiple grid items can be selected at once (the usual shift and control operations are applicable).
With reference to Figures 8 and 12, when exclusive or inclusive access rights are assigned, their category/subject/site/ports are displayed in panel 86 with symbols:
- [I] for inclusive
- [E] for exclusive
To view time dependent settings user should select a line in 86 and press Details button. It will bring a page similar to that illustrated in Figure 11 showing settings for the selected category/subject/site/port.
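How permanent, inclusive and exclusive rights combine at a given moment, as an added Python example that is not taken from the patent. The item strings, dates and group contents are constructed, and repetition is modelled as a fixed period (weekly or bi-weekly) measured from the first scheduled slot, which is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WEEKLY, BI_WEEKLY = timedelta(weeks=1), timedelta(weeks=2)


@dataclass(frozen=True)
class TimedRight:
    kind: str                           # "I" inclusive or "E" exclusive
    item: str                           # category / subject / site / port
    start: datetime                     # first scheduled slot
    duration: timedelta
    repeat: Optional[timedelta] = None  # None means a one-off slot

    def active_at(self, t):
        if t < self.start:
            return False
        elapsed = t - self.start
        if self.repeat is not None:
            elapsed %= self.repeat      # position inside the current period
        return elapsed < self.duration  # the end of a slot is exclusive


def effective_rights(permanent, timed, t):
    """Rights in force for a group at time t."""
    active = [r for r in timed if r.active_at(t)]
    exclusive = {r.item for r in active if r.kind == "E"}
    if exclusive:
        # Exclusive rights replace everything else, permanent and inclusive.
        return exclusive
    return set(permanent) | {r.item for r in active if r.kind == "I"}


def panel_lines(permanent, timed):
    """Listing in the style of panel 86: timed rights carry [I] or [E]."""
    return sorted(permanent) + [f"[{r.kind}] {r.item}" for r in timed]


# Constructed sample for group "B-Geography".
PERMANENT = {"category:Geography"}
TIMED = [
    TimedRight("I", "site:maps.example", datetime(2002, 11, 18, 10, 0),
               timedelta(hours=1), WEEKLY),
    TimedRight("E", "category:Exams", datetime(2002, 11, 25, 10, 0),
               timedelta(minutes=30)),
]

if __name__ == "__main__":
    for t in [datetime(2002, 11, 18, 10, 30), datetime(2002, 11, 25, 10, 15),
              datetime(2002, 11, 25, 10, 45)]:
        print(t, sorted(effective_rights(PERMANENT, TIMED, t)))
    print(panel_lines(PERMANENT, TIMED))
```

The second sample time falls inside both the repeating inclusive slot and the one-off exclusive slot; only the exclusive item is in force until the exclusive slot ends.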
In summary, the invention allows teachers or managers or employees to give unmonitored Internet access to pupils with the knowledge that the only materials they can access are directly relevant to the curriculum and more importantly the lessons or business at hand. This is accomplished by creating a dynamic and intelligent web catalogue of curriculum or business relevant web sites, and a specialised "Client Side Plug In" that allows access to only sites that are listed within the catalogue. The "Client Side Plug In" also allows authorised users (e.g., teachers) the ability to refine this catalogue to only allow access to materials that the individual teacher deems necessary for that specific class.
Further modifications and improvements may be added without departing from the scope of the invention herein described.

Claims

1. An Internet access system comprising one or more workstation modules adapted to transmit requests marked with a UID (Unique IDentity) and a proxy server module adapted to receive said requests from said workstation module(s), characterised in that said proxy server module retrieves rules from a database by matching workstation UIDs.
2. An Internet access system as in Claim 1 wherein the UID may be a workstation UID.
3. An Internet access system as in Claim 1 wherein the UID may be an individual user ID.
4. An Internet access system as in any of the previous Claims wherein said requests are HTTP (Hyper Text Transport Protocol) requests.
5. An Internet access system as in any of the previous Claims wherein said workstation modules comprises a browser plugin module for adding the workstation identity (UID) as a parameter to all outgoing HTTP headers.
6. An Internet access system as in Claim 5 wherein said browser plugin module only allows access to one web server URL (Uniform Resource Locator).
7. An Internet access system as in any of the previous Claims wherein the workstation module further comprises a driver module adapted to filter all outgoing packets coming to the transport layer of said workstation modules.
8. An Internet access system as in any of the previous Claims wherein said workstation modules further comprises a service module.
9. An Internet access system as in Claim 8 wherein said service module communicates to said proxy server module in order to update a list of ports allowed for said workstation module.
10. An Internet access system as in Claims 8 or 9 wherein said service module is automatically loaded at the start-up of said workstation module.
11. An Internet access system as in Claims 8-10 wherein said service module cannot be switched off or uninstalled unless a user possesses an administrator password.
12. An Internet access system as in Claims 8-11 wherein said service module transfers the list of IP (Internet Protocol) addresses allowed for said workstation module to said driver module.
13. An Internet access system as in Claims 8-12 wherein said service module commands said driver module to drop all IP packets responsive to an integrity check of the workstation module software system.
14. An Internet access system as in Claims 8-13 wherein said service module freezes said workstation module responsive to said service module detecting that said driver is uninstalled or corrupted.
15. An Internet access system as in Claim 14 wherein said freezing of said workstation module is ended responsive to the entering of a password into said workstation module.
16. An Internet access system as in any of the previous Claims wherein said server module responsive to user input of a login name and password, checks user authorisation and defines the user session which, combined with a workstation UID from said workstation module, creates a record in a database for linking a user profile with its current workstation module that has been used to login.
17. An Internet access system as in any of the previous Claims comprising a plurality of workstation modules and a proxy server module, characterised in that the proxy server module is adapted to parse documents requested by said workstation modules and remove links.
18. An Internet access system as in Claim 17 wherein said parsing of said results is responsive to said rules retrieved from a database.
19. An Internet access system as in any of the previous Claims wherein said proxy server module is adapted to drop packets responsive to said rules.
20. An Internet access system as in any of the previous Claims wherein said rules specify allowed URLs (Universal Resource Locators).
21. An Internet access system as in any of the previous Claims wherein said rules specify allowed ports.
22. A method of Internet access comprising the steps of:
(a) transmitting a request that is marked with a UID;
(b) querying a database of rules in response to the request, matched to said UID; and
(c) controlling Internet access in a manner responsive to said rules.
characterised in that steps b) and c) are carried out by a proxy server.
23. A method of Internet access as in Claim 22 wherein the UID may be a workstation UID.
24. A method of Internet access as in Claim 22 wherein the UID may be an individual user ID.
25. A method of Internet access comprising the steps of:
(a) transmitting a request marked with a UID;
(b) parsing a document retrieval, responsive to said HTTP request; and
(c) deleting links in said document according to rules.
characterised in that steps b) and c) are carried out by a proxy server.
26. A method of modifying a database of rules by approving websites for inclusion into a list of allowed websites, comprising the steps of:
(a) approving websites responsive to a count of the number of approved keywords in a meta tag;
(b) approving a website responsive to a count of the number of keywords in the website body text that are found in a list of good keywords; and
(c) approving a website responsive to a count of the number of keywords in the website body text that are found in a list of bad keywords.
27. A method of modifying a database of rules by approving websites for inclusion into a list of allowed websites as in Claim 26, wherein if a keyword is found in the list of good words and the list of bad words, then said count of the number of keywords that are found in the list of bad keywords is not incremented.
EP02781393A 2001-11-15 2002-11-14 Internet access system and method Withdrawn EP1449342A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
GB0127416A GB0127416D0 (en) 2001-11-15 2001-11-15 Internet access system and method
GB0127416 2001-11-15
PCT/GB2002/005143 WO2003043287A1 (en) 2001-11-15 2002-11-14 Internet access system and method

Publications (1)

Publication Number Publication Date
EP1449342A1 true EP1449342A1 (en) 2004-08-25

Family

ID=9925821

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02781393A Withdrawn EP1449342A1 (en) 2001-11-15 2002-11-14 Internet access system and method

Country Status (3)

Country Link
EP (1) EP1449342A1 (en)
GB (1) GB0127416D0 (en)
WO (1) WO2003043287A1 (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5696898A (en) * 1995-06-06 1997-12-09 Lucent Technologies Inc. System and method for database access control
US6233618B1 (en) * 1998-03-31 2001-05-15 Content Advisor, Inc. Access control of networked data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO03043287A1 *

Also Published As

Publication number Publication date
WO2003043287A1 (en) 2003-05-22
GB0127416D0 (en) 2002-01-09

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040615

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

17Q First examination report despatched

Effective date: 20061013

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20090213