EP1483676A1 - Differentiated connectivity in a public pay-per-use data access system - Google Patents

Differentiated connectivity in a public pay-per-use data access system

Info

Publication number
EP1483676A1
Authority
EP
European Patent Office
Prior art keywords
network
application services
access
user
services
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP02766197A
Other languages
English (en)
French (fr)
Other versions
EP1483676A4 (de)
Inventor
Arup Acharya
Chatschik Bisdikian
Young-Bae Ko
Archan Misre
Marcel C. Rosu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp
Publication of EP1483676A1
Publication of EP1483676A4
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0246 Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols
    • H04L41/0253 Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using browsers or web-pages for accessing management information
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/101 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Definitions

  • This invention is directed to the field of computer network connectivity. It is more particularly directed to Internet access via a publicly accessible networking infrastructure.
  • This invention is concerned with mechanisms by which users, using their own personal devices such as notebook computers and personal digital assistants (PDAs), access packet-based networking services that are offered by service providers at public locations such as airports, malls, hotels, etc.
  • PDAs personal digital assistants
  • Such public-access service providers may offer a variety of wireline or wireless technologies by which people connect their personal devices to the network and its associated services.
  • public wireless access may be provided through wireless LAN technologies, such as those based on the IEEE 802.11 family of standards, or wireless PAN technologies, such as the Bluetooth wireless technology.
  • packet-based data service offerings require users to first pre-register, e.g., subscribe, to a data service provider, like an Internet Service Provider (ISP), thereby establishing a long-term "paying" relationship with the provider.
  • ISP Internet Service Provider
  • Such a process is usually accomplished in an off-line manner, with the provider-subscriber relationship established and activated before the user can gain access to such public services.
  • Such a subscriber relationship includes the definition of a user profile, that specifies the range of services that the individual user is authorized to access.
  • An ISP typically provides a local or even toll-free telephone number that permits access to the same ISP at an additional incremental cost (in addition to the subscription fee) from many geographically remote locations.
  • a typical service is the mere access to the World-Wide-Web (or simply "the Web").
  • Such a definition of services does not consider scenarios where users can access certain premium services on demand through their own devices.
  • the selected service tier remains unchanged for the duration that a user accesses services provided by the service provider.
  • a possible solution in providing tiered services on demand is by installing a special code in a client (i.e., user's) device.
  • This special code would affect the communications protocol stack, and necessitate the use of a new specific protocol. Every packet generated by these client devices needs to be modified using this extra and special code.
  • the network elements inside these networks must run a complementary part of the new specific protocol in order to be able to read these modified packets. It would be advantageous to have methods in which this change in the protocol stack is not required.
  • the methods should be able to use existing [TCP/IP] standards so as not to require a new protocol to be implemented by client devices, not to require that a client device needs to modify each and every transmission it makes, and not to require that the devices in the network need to modify their communication protocols stacks to understand a newly designed protocol.
  • the personal devices should be built on a software and hardware platform that is independent of the software and hardware platform of the network support devices with which the personal device interacts for its configuration.
  • the aforementioned systems don't allow for dynamic reassignment of billing policies in the middle of an ongoing session.
  • Another aspect of this invention is an enforcement mechanism that is applicable in the communications infrastructure supporting such public service offerings.
  • the enforcement mechanism is applicable to elements internal to the infrastructure, such as a router device, or at its edge, such as a wireless access point.
  • the enforcement mechanism ensures that individual users are able to access only those application services that are within the application service tier that they have selected and denies access to all application services that do not fall within that tier.
  • the enforcement mechanism is further supplemented with means to alert users when they attempt to access a particular application service that does not fall within their current selected tier, and with means by which users, again using their own devices, may renegotiate new desired application service tiers on-the-fly so that they can access new application services if desired.
  • Yet another aspect of this invention is an enforcement mechanism, with the same objectives as aforementioned, which is applicable beyond the communications elements of the infrastructure (e.g., the routers and the wireless access points), such as the devices and software that operate at protocol layers higher than those used in the communications infrastructure.
  • filter servers can be used over the communication infrastructure to restrict, say, Web traffic from users to reach only Web services belonging to the tier of application service they have selected.
  • a further aspect of the present invention is to enable users to access dynamically selectable tiered application services offered at public places using their own devices on a "pay-per-use" basis, using various means of "on-the-spot" payment, such as credit card information, frequent flier information, a temporary identification information such as a hotel room number, and so on, without requiring a preexisting subscription with the service provider of the data offering.
  • these payment policies are based on various criteria including the degree of user activity in terms of the amount of traffic transferred to and/or from the user, or the duration for which a selected tier of application service is provided (the session time).
  • the charging policies may dynamically change in mid-session allowing a user upgrade or modify his or her tier of service and payment policy.
  • Fig. 1 shows an example architecture of a system for providing wireless network access, along with the actions executed by a user and the system for providing a desired tier of application service.
  • Fig. 2 shows an example of three major functional steps used in accordance with this invention to allow individual users to specify and obtain access to authorized application services.
  • the three steps are:
  • control notification which lets the specific enforcement devices know the appropriate access profile for a specific user
  • c) enforcement which allows the appropriate network devices to police individual packets, connections or sessions related to a specific user's device to ensure that they always correspond to authorized application services.
  • Fig. 3 shows steps taken by registration-related entities (especially the user device and the registration server) during a user's registration process, and includes mechanisms on the network side to verify a user's credentials, and to accept the user's choice among the available tiers of application service.
  • Fig. 4 shows an example of steps included in an actual enforcement process.
  • This enforcement mechanism includes an inspection of the specific packet to verify that it conforms to the application services currently authorized for the specific user, as well as any necessary updates for accounting purposes.
  • Fig. 5 shows steps included in a process by which individual users can dynamically alter their chosen tier of application service.
  • Fig. 6 shows a process by which users terminate (de-register) their current sessions. Such de-registration is useful to ensure that the network frees up any resources that have been reserved for a specific user, and also to ensure that users are charged accurately for their own activity (especially when the users are charged on the basis of the duration of their sessions).
  • Fig. 9 shows an example of a precise mechanism of access control (i.e., enforcement). It describes an example implementation of such an enforcement mechanism via the use of tables in a router that list specific destinations, protocols or combination thereof, that an individual user can or cannot access.
  • the access control framework of Fig. 9 can also be applied to enforcement mechanisms that occur at different layers, and possibly at service-level entities.
  • Fig. 10 shows an analogue of Fig. 9, for a case when access control is performed via a wireless access point or a Web proxy.
  • the present invention provides methods, apparatus and system for a user to choose between multiple tiers of application services that are made available over a public network access infrastructure. It allows users to obtain access to such differentiated tiers of application services even though they have no previously provisioned subscriber relationship with the corresponding service provider. It also allows users to dynamically select and re-select their desired tier of application services automatically, without the intervention of a service provider operator. In some embodiments, such changes also result in appropriate changes to the charging (or billing) mechanism.
  • a service is defined as a destination end-point, such as: a company's Web page; a corporate server application; a corporate Lotus Notes mail server; and so on.
  • This application level definition of a service is in contrast to network level services, such as the communications bandwidth allowed for communicating over the Internet, say 56 Kbps, or 128 Kbps, independently of what the destination of communications is.
  • users may use their own personal data devices, such as notebook computers or personal digital assistants (PDAs). Users may temporarily use other computing devices as well, such as a kiosk and the like.
  • those other devices are assumed to behave exactly as if they were the users' own “everyday” computing devices, without the requirement of incorporating into these devices any additional set of software or hardware components that would uniquely and exclusively empower these devices to operate according to, and their users harvest the benefits of, the teachings of this invention.
  • the service offerings considered for an embodiment of this invention are based on ubiquitous, IP-based Internet technologies; an access technology is based on a wireless local communications technology that operates in an unlicensed radio frequency band, such as IEEE 802.11b wireless LAN or Bluetooth wireless PAN.
  • those skilled in the art could implement other embodiments of this invention without departing from the spirit and concepts of this invention.
  • they could use alternative access technologies such as infrared or Ethernet, or could use the dynamic pay-per-use arrangement as a way for subscription-based customers to occasionally access a tier of premium application services that does not fall within their default subscription profile.
  • FIG 1 shows an architecture of a system for providing wireless network access to mobile users and their devices at wireless hot-spots in public areas such as airports. The figure also highlights steps that need to be executed by a user to obtain a desired tier of application service.
  • the access network 101 includes routers (e.g., 106, 107) and wireless access points (WiAPs) (e.g., 110, 111).
  • WiAPs wireless access points
  • User devices, or user terminals (108) connect to this access network through a wireless connection 109 to an access point (110 in Figure 1).
  • the access network may also include network support services such as a DHCP (Dynamic Host Configuration Protocol) server 102, a DNS (Domain Name Service) server 113, and Web proxies (e.g., 112, 117).
  • the DHCP and DNS entities are commonplace elements in most IP-based networks known to those skilled in the art, and provide various pieces of configuration information and query-resolution support to IP-based user terminals.
  • the Web proxies are used to manage access to Web servers from user terminals.
  • the access network includes a registration server 114, which is used to interactively establish the tier of application service desired by an individual user.
  • Figure 1 shows two application service tiers, Gold 103 and Silver 105.
  • Each tier of application services is defined by a collection (or group) of one or more services.
  • the Silver service tier 104 includes access to the general Internet 105 in Figure 1.
  • the Gold service tier could include a service for providing video clips to the user terminal, in addition to all services included in the Silver service tier.
  • These tiers of application services can exist statically, i.e., the Silver, say, application service tier may always include the same set of application services in it (or at least be updated infrequently).
  • the assignment of application services in tiers can be dynamic, where the application services "assigned" into a tier may change based on various criteria.
  • services are added or subtracted based on a combination of criteria such as being based on: quality of application service considerations; on enforcing admission control; on the time of the day; applying different charging models to application services at different times, and so on.
  • After a user terminal 108 enters such a system and establishes a wireless link with an access point, it executes the DHCP protocol to obtain an IP address for the user terminal. This step is shown as item 116 in Figure 1. Following this step, the user terminal contacts the registration server 114 using a standard Web browser and the standard HTTP protocol.
  • the registration server provides, among other things, a Web-based listing on the user terminal of the various tiers of application services that are available, and their associated charges. The assignment of services into tiers may be static or dynamic based on the current availability of a service, promotional or other considerations, and so on.
  • the user enters an identifier, e.g., a credit card number or a frequent flier number, and the desired tier of application service into the browser and sends this information to the registration server.
  • the registration server issues a control notification to the appropriate
  • Figure 2 shows three functional steps used for this invention to allow individual users to specify
  • Figure 2 highlights steps of this invention for providing user terminals access to various
  • a user terminal 108 first goes through registration 201
  • the user terminal is registered with a registration authority 202.
  • the user terminal is
  • This identifier should be unique for the duration of the
  • network can be controlled, configured and/or reconfigured on-the-fly based on application
  • the access network (101) in Figure 1 is also identified as a controllable infrastructure in Figure 2.
  • This identifier may be a fixed one, like the medium access (MAC) address of the communication hardware subsystem that the user terminal uses, or a temporary one as are IP addresses assigned by a DHCP server to a user terminal, or a Web cookie provided to a Web browser application running on the user terminal.
  • MAC medium access
  • the registration mechanism allows a user terminal to maintain its association with the registration server even if its network connectivity changes (e.g., a new network interface is plugged in, or DHCP configures a new IP address). In these cases, the user terminal may share part of the responsibility for informing the registration server of any changes in its device or network specific configuration parameters.
  • a network interface e.g., the MAC address
  • the specific configuration parameters provided by the access network infrastructure e.g., the IP address
  • the registration authority 202 will record this identifier, as well as the tier of application service that the user of the terminal has requested. With this knowledge, the registration authority will then condition the communication network to accommodate the new user and his/her selected tier of application service.
  • the conditioning action consists principally of passing this binding information between the device's identifier and the tier of application service, via control signaling 203, to some or all of the nodes of the controllable access infrastructure.
  • the registration authority also called the registration server
  • a) pass the MAC address of the user terminal, along with the tier of application service, to access points and LAN switches, or
  • FIG. 3 shows an example of individual steps in an initial interaction of a user terminal with the system. It includes functions such as obtaining an IP address (116), contacting the registration server and selecting the desired tier of application service (115), and the resulting control notification, such as updating the state of the generic control infrastructure (117 and 203).
  • This invention embodiment uses the standard DHCP protocol for configuring individual user terminals.
  • After a user terminal enters the system, the physical layer of its network connection is activated, and its system software is notified. As a result, the user terminal broadcasts a DHCP request on the system network (item 1 in 301). This request is processed by the machine running the DHCP server 102, which sends back a response to the user terminal (108 and item 2 in 301).
  • the DHCP response contains the IP address assigned to the user terminal by the system, the IP address of the default node for relaying messages (the gateway IP address) and the IP address of machine running the DNS server.
  • a particular embodiment of the invention has the client configuration software modified from its default behavior 302.
  • a system-specific option is added to the DHCP protocol, which can be done according to existing standards for adding options in DHCP, and the DHCP server and client software are extended to generate and interpret, respectively, the new option.
  • the system-specific DHCP option includes the address of the registration server.
  • Upon processing the DHCP response, the extended DHCP client software uses this address to start a browser directed to the registration server 304.
  • This aforementioned embodiment of this invention represents one example embodiment of autoconfiguration of a user terminal without explicit user intervention using an extended DHCP client and server software.
  • no extensions are made to the DHCP protocol or to the DHCP client and server software 302.
  • a browser is started manually on the user terminal and the browser is directed to the registration server.
  • the identity of the registration server may be available as a URL from the browser's set of bookmarks, or may be provided to the user through an out-of-band mechanism such as a visual notice 303 that may be printed or displayed prominently in the public place.
  • DHCP is the most common mechanism for initial configuration of user terminals
  • alternative configuration protocols can be used just as effectively.
  • IPv6 allows a node to autoconfigure itself without any help from the DHCP server.
  • Web requests from a client device to a destination Web site may be redirected to any desired location, for example, the registration server, independently of where on the Internet the browser user would
  • the user will then select the desired tier
  • Figure 4 shows steps followed in an example process by an element of the generic access
  • the packet is related to a particular user terminal and/or tier of application
  • the packet is forwarded to the next hop 404
  • the enforcement node redirects the packet, and/or generates a failure
  • the registration server could then respond, using the HTTP protocol, to the
  • This Web-based notification could provide the user with an
  • Out-of-band notifications may include the transmission of a message to a pager, an interactive
  • personal e-mail device e.g., a wireless personal device, a phone call to a cellular phone, an SMS
  • the user may also find, at
  • a user's service profile could facilitate the selection of the application service tier.
  • Figure 5 shows steps included in changing the tier of application service
  • the user terminal contacts the registration server by directing a
  • the process of providing the necessary information 503 may not be as detailed as the original process, 305 in Figure 3.
  • the user may not need to re-furnish personal information (e.g., credit card numbers); rather the software on the user terminal may be capable of directly furnishing the user-specific identifier (e.g., by using a Web cookie) to the registration server, thereby helping the server to relate this request for change in application service tier to an existing user-network association.
  • FIG. 6 shows steps in a (potentially) final interaction of a user terminal with a public access network, when the user terminal effectively closes all sessions and terminates its access to the various network services.
  • the user terminal directs a browser to the registration server 601 and uses the standard HTTP protocol to request the termination of its session 602.
  • the user terminal may include a user-specific unique identifier 602 established during the registration process, see 201 in Figure 2.
  • the registration server retrieves the appropriate usage statistics from the relevant enforcement devices 603 and provides the appropriate usage information 604 to the user terminal. Based on this usage information, users then decide 605 either to confirm the termination of their association or to continue utilizing the publicly available service infrastructure. If a user decides to continue, the termination process is suspended, and the user resumes his or her normal network access. This mechanism gives users a simple means to verify their activity history and associated charges. If a user, however, decides to terminate their current association 605, the registration server will take the steps
  • the registration server will also inform the
  • FIG. 7 shows another example embodiment for managing and terminating a session without the
  • user terminal by the DHCP server 102, the server informs 701 the registration server 114 that a
  • the registration server associates this IP address with a record 703 in a user session database 702. In any case, the registration server is notified of a new IP address assignment.
  • the new IP address assignment may indeed be given to a brand new user terminal, or to a terminal that may have an ongoing session.
  • the latter case may occur for various reasons, such as temporary link 109 failure, user device reboot, change of the wireless access point due to mobility, adjustment of the access technology from, say, wireless LAN to wired Ethernet, to Bluetooth wireless technology, and so on.
  • the user device may obtain a brand new IP address that is different from the one previously used.
  • the user may have selected a payment policy that is still valid. For example, the user may have requested a 30 minute block of time, and the communications interruption happened between minutes 7 and 10 of this block of time.
  • the brand new IP address should not be associated with an entirely new session but used instead to update session information related to the existing session.
  • a Web cookie is a small piece of information that a Web server sends to a Web browser that interacts with the server.
  • the Web browser stores the cookie locally in the user terminal running the browser.
  • This cookie is uploaded by the browser each time the particular Web browser revisits the particular Web server. This could be used to track user visits to a particular Web site.
  • the cookie can be provided again to the registration server, and the registration server can use this cookie to retrieve the session record (if one exists) for this user terminal and update it accordingly.
  • the transmission of the new IP address from the DHCP server to the registration server is omitted. This allows session data for newly initiated or ongoing sessions to be handled exclusively by the registration server. This is possible because Web servers, like the registration server, can retrieve, apart from the cookie, a large amount of information pertaining to the user terminal, including its IP address.
  • the IP address transmission in 701, or a similar exchange in the opposite direction, is used to verify that the IP address used by the client device is a legitimate IP address assigned by the DHCP server.
  • FIG 8 shows an embodiment for the steps followed by the registration server to decide how to proceed if it receives a cookie.
  • a cookie is referred to as valid, if it is associated with an active/ongoing session.
  • To invalidate a cookie a number of events 807 may contribute.
  • the DHCP server may invalidate an IP address. This happens when the "lease" time associated with an IP address assigned by the DHCP server expires before the user terminal requests renewal of the lease.
  • the DHCP server communicates this information by transmitting a "remove IP address" message 704.
  • the granularity of the DHCP leases dictates how accurate a pay-while-I-am-on billing policy can be; for example, if the leases are given in two-minute increments, then a user who chooses to pay based on the duration of her session will be billed for using the system for 2, or 4, or 6, and so on, minutes.
  • a session may also be invalidated if a user has selected to pay for a block of 30 minutes and the 30 minutes have passed.
  • whether the session record 703 in Figure 1 is still valid can be calculated from the session record entries describing the selection time of a payment policy (paymentSelectionTime) and/or the time covered by the selected payment policy (paymentDuration), or other pertinent data stored in the session record.
  • the time of selecting a payment may be tied to the time that a tier of service is selected, but this is not generally a requirement.
  • the various time intervals may be further associated with grace periods to account for the possibility that the user has temporarily disconnected. These grace periods are advantageously coordinated with the DHCP server, so that the DHCP server does not assign an already removed IP address to a new user terminal while the registration server has not yet updated its session records.
  • Momentary connection interruptions can occur due to user mobility and other reasons such as: temporary link failure; user device reboot; change of the wireless access point due to mobility; adjustment of the access technology from, say, wireless LAN to wired Ethernet, to Bluetooth wireless technology; and so on.
  • Through the use of cookies, which are sometimes used as session identifiers that can persist past the connectivity interruption, users can continue accessing the selected tier of services without the need to reregister with the registration server.
  • the registration server can restore any session information that it needs, ignoring the connectivity interruption caused by any number of reasons. This capability is frequently referred to as service roaming.
  • Figure 9 shows more details on how access control can be enforced by using a router in the access network 101 in Figure 1, or the equivalent controllable infrastructure 204 in Figure 2.
  • a user terminal 901 is assigned the IP address 10.0.0.1 using the DHCP protocol; in other embodiments this and the IP addresses that follow could be different.
  • the service provider has defined two application service tiers, Gold and Silver, that allow the user to access the devices with IP addresses 10.1.1.2 and 10.1.2.2 respectively. (The generalization to multiple application service tiers, each with multiple lists of IP addresses and/or port numbers is straightforward to those familiar with the art.)
  • the client then contacts the registration authority 903 via a wireless access point 902, to specify its desired tier of application services.
  • the registration authority 903 provides 904 a Web page listing all the available tiers of application service and their associated charges. The user then chooses between the two tiers of application service 909 (Gold or Silver) and sends this choice back 905 to the registration server (along with other personal credentials). The grouping of services into the various application service tiers could be incremental, in that, say, selecting the Gold service tier may enable access to all the services in the Silver service tier as well.
  • a router-based access control scheme can be achieved by communicating a set of filtering rules to the router. Upon reception of these filtering rules, the router stores them in its local routing table.
  • the routing table shows that IP address 10.0.0.1 (the IP address of the user terminal in question) can access application services offered on TCP port 80 on destination address 10.1.2.2. This corresponds to the Web server for the Silver service; accordingly, the user terminal associated with IP address 10.0.0.1 can access only the Silver service.
  • the enforcement mechanism can also be performed at alternative nodes in the access network infrastructure, such as the wireless access points or at a Web proxy. These alternatives are shown in Figure 10, where we assume, as before, that the user terminal has the IP address 10.0.0.1. Moreover, let us assume that the hardware (MAC) address of the wireless device associated with the user terminal is "MAC_ADDR_1".
  • the registration authority 1002 may pass a set of filtering rules 1003, 1004 to one or more wireless access points (WiAPs) 1005, 1006.
  • the filtering table 1007 in a wireless access point (1005 in Figure 10) will typically contain the MAC address of the user terminal (in our example, this is "MAC_ADDR_1") and the destination IP addresses and/or port numbers of the set of permissible destination nodes.
  • the figure shows an example where the user terminal has selected the Silver tier of application service 1008 (destination address 10.1.2.2).
  • the right side of Figure 10 depicts the case when access control is enforced via placement of a filter at a Web proxy 1009.
  • the registration authority 1002 passes the appropriate set of filtering rules 1010 to the Web proxy.
  • the Web proxy then updates the corresponding information in its filtering table 1011. It should be understood that this is really an application-layer filtering mechanism, since the Web proxy intercepts only that traffic from the user terminal that is Web-based.
  • the user terminal may be uniquely identified by either a network-layer identifier, such as the IP address (10.0.0.1 in our example) or by an application-layer identifier, such as a collection of Web cookies.
  • FIG 10 shows a case when the filtering table 1011 identifies the user terminal via its IP address (10.0.0.1), and the set of permitted destinations through a set of URLs (uniform resource locators).
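A worked model of the filtering-table enforcement described above (router table keyed by IP address, WiAP table keyed by MAC address, incremental Gold/Silver tiers) combined with the lease-expiry invalidation triggered by the DHCP "remove IP address" message discussed earlier. This is an added Python example, not code from the patent; the tier table, the `includes` entry, the class and function names and the sample addresses are assumptions, and the Web-proxy variant (table keyed by URL) is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed tier table following the page's example: Silver permits the Web
# server at 10.1.2.2:80, Gold permits 10.1.1.2:80. The "includes" entry models
# incremental tiers (Gold also enabling everything in Silver); it is an assumption.
TIERS = {
    "Silver": {"destinations": {("10.1.2.2", 80)}, "includes": ()},
    "Gold":   {"destinations": {("10.1.1.2", 80)}, "includes": ("Silver",)},
}


def permitted_destinations(tier: str) -> set[tuple[str, int]]:
    """Expand a tier into its full (dst_ip, dst_port) set, following 'includes'."""
    dests = set(TIERS[tier]["destinations"])
    for sub in TIERS[tier]["includes"]:
        dests |= permitted_destinations(sub)
    return dests


@dataclass
class FilterTable:
    """Filtering table as held by a router (keyed by IP) or a WiAP (keyed by MAC)."""
    rules: dict[str, set[tuple[str, int]]] = field(default_factory=dict)

    def install(self, terminal_id: str, tier: str) -> None:
        # The registration authority pushes the rules for the tier the user chose.
        self.rules[terminal_id] = permitted_destinations(tier)

    def remove(self, terminal_id: str) -> None:
        # Reaction to the DHCP "remove IP address" message: the lease expired
        # without renewal, so the terminal's entitlement is withdrawn.
        self.rules.pop(terminal_id, None)

    def allows(self, terminal_id: str, dst_ip: str, dst_port: int) -> bool:
        # Default deny: a terminal with no entry (unregistered or expired) gets nothing.
        return (dst_ip, dst_port) in self.rules.get(terminal_id, set())


def demo() -> dict[str, bool]:
    router = FilterTable()   # enforcement at the router, terminal keyed by IP address
    wiap = FilterTable()     # enforcement at the wireless access point, keyed by MAC
    router.install("10.0.0.1", "Silver")
    wiap.install("MAC_ADDR_1", "Gold")
    results = {
        "silver_to_silver": router.allows("10.0.0.1", "10.1.2.2", 80),    # True
        "silver_to_gold": router.allows("10.0.0.1", "10.1.1.2", 80),      # False
        "silver_other_port": router.allows("10.0.0.1", "10.1.2.2", 443),  # False
        "gold_to_silver": wiap.allows("MAC_ADDR_1", "10.1.2.2", 80),      # True, incremental
        "unknown_terminal": router.allows("10.0.0.2", "10.1.2.2", 80),    # False
    }
    router.remove("10.0.0.1")  # DHCP lease expired: "remove IP address" received
    results["after_lease_expiry"] = router.allows("10.0.0.1", "10.1.2.2", 80)  # False
    return results
```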
  • the present invention can be realized in hardware, software, or a combination of hardware and software.
  • a visualization tool according to the present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system - or other apparatus adapted for carrying out the methods and/or functions described herein - is suitable.
  • a typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
  • the present invention can also be embedded in a computer program product, that comprises all the features enabling the implementation of the methods described herein, and that - when loaded in a computer system - is able to carry out these methods.
  • Computer program means or computer program in the present context include any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after conversion to another language, code or notation, and/or reproduction in a different material form.
  • the invention includes an article of manufacture that comprises a computer usable medium having computer readable program code means embodied therein for causing a function described above.
  • the computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to effect the steps of a method of this invention.
  • the present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a function described above.
  • the computer readable program code means in the computer program product comprises computer readable program code means for causing a computer to effect one or more functions of this invention.
  • the present invention may be implemented as a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for causing one or more functions of this invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)
EP02766197A 2002-03-08 2002-08-30 Differentiated connectivity in a pay-per-use public data access system Withdrawn EP1483676A4 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US36332702P 2002-03-08 2002-03-08
US363327P 2002-03-08
PCT/US2002/027790 WO2003079210A1 (en) 2002-03-08 2002-08-30 Differentiated connectivity in a pay-per-use public data access system

Publications (2)

Publication Number Publication Date
EP1483676A1 true EP1483676A1 (de) 2004-12-08
EP1483676A4 EP1483676A4 (de) 2009-04-15

Family

ID=28041752

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02766197A Withdrawn EP1483676A4 (de) 2002-03-08 2002-08-30 Differentiated connectivity in a pay-per-use public data access system

Country Status (6)

Country Link
EP (1) EP1483676A4 (de)
JP (1) JP4817602B2 (de)
KR (1) KR100745434B1 (de)
CN (1) CN1326065C (de)
AU (1) AU2002329940A1 (de)
WO (1) WO2003079210A1 (de)

Also Published As

Publication number Publication date
WO2003079210A1 (en) 2003-09-25
KR100745434B1 (ko) 2007-08-02
KR20040096612A (ko) 2004-11-16
JP4817602B2 (ja) 2011-11-16
JP2005520250A (ja) 2005-07-07
AU2002329940A1 (en) 2003-09-29
CN1326065C (zh) 2007-07-11
EP1483676A4 (de) 2009-04-15
CN1647059A (zh) 2005-07-27

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040921

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

A4 Supplementary search report drawn up and despatched

Effective date: 20090316

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 15/16 20060101ALI20090310BHEP

Ipc: H04L 29/06 20060101AFI20090310BHEP

17Q First examination report despatched

Effective date: 20090618

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20100818