FR2969888A1 - Method for processing data for content access on e.g. new computer, via Internet from local area network, involves transmitting connection data relating to categorization, and providing access to content based on data from connection box - Google Patents

Abstract

The method involves determining data relating to an address by a connection box (104) or box operator, and the address is transmitted for connection to a remote computer device such as a central server (118). The central server is utilized for categorization of data by comparing an address list (210) with one predetermined address, and connection data relating to the categorization is transmitted by the central server to connection box, and access to content (120) is based on the data provided from the connection box. An independent claim is also included for a system for processing data for content access.

Description

"Data processing method for accessing content over the Internet"

The present invention relates to a digital data processing method for accessing content over the Internet network from a home or business local network implementing a connection box to the Internet network. It also relates to a system implementing such a method.

The field of the invention is the computer field, and more particularly the field of managing access to content over the Internet network from a home network or a professional network using a connection box, commonly called "Box Operator ".

Currently, there are methods of controlling access to content over the Internet from a home network. Some of these methods offer the possibility of making Internet access settings according to a profile or type of users.

The parameterization achieved by these methods may be a function of an address of the content, for example a URL (of the English "Uniform Resource Locator"), or function of time slots. Thus, it is possible to allow or prohibit, to a predetermined user such as a teenager or a child, access to the Internet or to one or more Internet sites between such and such time. Current access control methods have major drawbacks that make access control inefficient. When a user device not equipped with such a method accesses the Internet it is not possible to control this access and to apply a parental control setting. Thus, in the context of a home network comprising a connection box, it is not possible to exercise access control on a user device not equipped with a control method, for example a new computer added to the network 2969888 -2- domestic, or on a computer device does not allow to perform such a method, for example a specific terminal such as a smartphone. In addition, the current parental control methods require as many executions and settings as there are devices in the home network. Equipping and setting up each user device on a home network is a time-consuming and time-consuming operation, especially when it is necessary to frequently update prohibited or authorized content or addresses. In addition, the current access control methods being installed on each user device, for example in the form of software, it is possible for a user to be able to disable the control or bypass the control by resetting his user device. Finally, the current parental control methods can not be executed by all types of user devices. For example, some phones or smartphones are not equipped with a platform or operating system to perform these processes or require different versions.

An object of the present invention is to overcome the aforementioned drawbacks. Another object of the present invention is to provide a method and an access control system for performing access control for all types of Internet access devices. Another object of the present invention is to provide a method and system for access control simpler and faster to implement, configure and use. Finally, another object of the present invention is to provide a method and system of access control more effective than current access control methods. The invention proposes to achieve the aforementioned aims by a data processing method for access to at least one content over the Internet network, from a so-called local network, comprising: a box for connecting to a provider Internet access, 2969888 -3- generally called "Box Operator", making the connection to the Internet; and at least one user device connecting to said Internet network via said connection box; Said method comprising the steps of: - determining, by said connection box, data relating to an address, called an address, of a content by analyzing an access request to said content transmitted by said user device; 10 - transmission of said address by said connection box to a remote computing device, said central server; determining, by said central server, categorization data by comparing said data relating to said address with at least one predetermined address list; - transmission, by said central server to said data connection box relating to said categorization; and - authorization or not access to said content by said connection box.

The data exchange between the connection box and the central server is done in the private network of the Internet access provider. This private network is not accessible by the user benefiting from the Internet service or by a third party from outside. The invention therefore proposes access control to a content produced, not on the user device, but by the connection box in collaboration with at least one external central server accessible by a private network according to a known or proprietary protocol. . Thus, the access control performed by the method according to the invention is carried out independently of the nature of the user devices of the local or home network. The invention thus provides access control for all types of Internet access devices using this connection box regardless of the platform or the operating system of the user device. The parental control method according to the invention is faster and simpler to implement, configure and use, since it requires execution on a single device of the local or home network. the configuration of the method according to the invention on the connection box can be carried out remotely, for example by an administrator operator of the local or home network. Finally, the method according to the invention makes it possible to achieve a more effective access control than the current access control methods since it does not give a user of an Internet access device of the local network the possibility to bypass it or disable it. The prohibition of access to a content may be a stopping or non-transmission, by the connection box, of the access request to the Internet network or a stopping or non-transmission, by the connection box, of the content to the Internet. user device. The central server may be a central server belonging to the ISP. Thus, the method according to the invention can be integrated with / collaborate with the internal computer tools of the Internet access provider, such as computer tools providing provisioning, billing or the like. Thus, the method according to the invention can be activated or deactivated from the information system of the access provider. In a non-limiting exemplary embodiment, the method according to the invention can be activated or deactivated on a single telephone call. In the case where a part of the information system of the access provider is accessible to a user, for example by means of an interface / a computer portal making it possible to manage his invoices, his options, etc., the user can himself even activate or deactivate the method according to the invention.

Content address data may include data representing a URL, a domain name and / or a protocol for accessing the content address. Indeed, the categorization can be carried out with respect to a URL, a domain name or a type of protocol used to access the content, for example peer-to-peer protocols, messaging protocols or chat .

In the present application, the term "address" is used to refer to "address data" to avoid red tape and includes a URL, a domain name and / or a protocol.

The method according to the invention may further comprise a step of determining authorization data by comparing the categorization data determined by the central server with at least one list of allowed and / or forbidden address categories, which is at least one list of URL categories, domain names, authorized or prohibited protocols. At least one list of allowed and / or prohibited categories may include a time setting associated with at least one category, making this category allowed / prohibited over a period of time, daily, weekly or otherwise. At least one list of allowed and / or prohibited categories may further comprise a setting relating to a quota, for example a quota of maximum usage time or maximum authorized volume, associated with at least one category and making this category authorized. / prohibited based on the total access time to content in this category or the total amount of data accessed for that category. A quota can be defined by hour, day, week or other. The authorization data may include authorization data, for example "OK" data for an access authorization, or prohibition data, for example "NOK" for an access prohibition. According to a first embodiment of the method according to the invention, the determination of authorization data can be carried out by the central server. In this case, the at least one list of authorized and / or prohibited categories is stored on the central server and the data relating to the categorization transmitted by said central server to the connection box are / include the data of authorization. In this embodiment, the connection box transmits to the central server the address of the content, that is to say for example data relating to a URL, a domain name or a protocol. The central server performs a comparison of this address with one or more pre-established address lists to determine the category in which this content is classified. This category is then compared to one or more lists of 10 authorized / prohibited categories previously established to determine the authorization data, such as an authorization data granting access to the targeted content or an authorization data refusing the authorization. access to the targeted content. This authorization data is transmitted to the connection box which authorizes or prohibits access to the content targeted by the user device.

According to a second embodiment of the method according to the invention, the determination of authorization data is carried out by the connection box. In this case, the at least one list of authorized and / or forbidden categories is stored on the connection box and the data relating to the categorization transmitted by the central server to the connection box include the categorization data determined by said server. central. In this embodiment, the connection box transmits to the central server the address of the content. The central server performs a comparison of the address with one or more pre-established address lists to determine the category in which this content is classified. This category is then transmitted to the connection box. At the level of the connection box, the category is compared with one or more lists of authorized / prohibited categories previously established for determining the authorization data, such as authorization data granting access to the targeted content or data. authorization refusing access to the targeted content. Based on this authorization data, the connection box 2969888 -7- authorizes or prohibits access to the content targeted by the user device. In this embodiment, the allowed / forbidden category lists can be determined remotely from the connection box and transmitted to the connection box, for example, during an initialization step of the method according to the invention.

The data transmissions between the connection box and the central server can be carried out according to a predetermined protocol known or proprietary through the private network, for example the private network of the Internet access provider. This private network is only accessible by the service provider. It can not be accessed by: - the user from the home or business local network, and - by a third party from the Internet. The address lists used to determine the category 15 include one or more categories in which are classified one or more domain names, URLs and / or data exchange protocols. The categories can be for example "information", "sport", "pornography", "social network", etc. This list is not exhaustive. The category list or lists authorized to determine the authorization data may be an "authorized category" list comprising a list of authorized categories, for example "sport, information,". The prohibited category list or lists authorized to determine the authorization data may be a "rejected category" list 25 including a listing of the refused categories, for example "social networks, pornography".

The method according to the invention may further comprise storing, at the level of the connection box, a list or cache of URLs, domain names and / or protocols, called dynamic, corresponding to the contents targeted by the last access requests sent to said connection box in association with data relating to an authorization or prohibition for each of said contents. Thus, to allow or prohibit access to content whose address, URL or access protocol has been recently processed, it will not be necessary to exchange with the central server. It will be sufficient to consult the cache at the connection box. For example, the dynamic list or the cache may include the last five or ten URLs, domain name and / or 5 different protocols processed.

Thus, when a new request for access to a content is received by the reception box, the method according to the invention can comprise, before the step of transmitting address data to the authorization server, a consultation. automatic dynamic list or cache to determine if the URL, domain name, or protocol associated with the content was recently processed. If so, the authorization or the prohibition of access is carried out according to the decision previously taken.

According to a particularly advantageous version of the method according to the invention, the determination of the authorization data can be carried out according to a previously defined user profile associated with the user of the user device issuing the request for access to the content. Thus, the allowed / forbidden category lists can be associated with each profile and can be different from one profile to another. For this, the method according to the invention comprises a determination, by analysis of the access request, of data, called profile, relating to the profile of the user of the user device. The profile data is used for selection of at least one list of allowed and / or prohibited categories prior to the determination of authorization data. Thus, the allowed or prohibited categories may be different for different user profiles. The setting of the allowed or forbidden categories for each of the profiles can be performed during an initialization step. Thus, according to the method according to the invention, there can for example exist two profiles: "adult profile", "child profile". Each user is associated with one of these two profiles. The list of categories authorized for the "adult profile" may include the categories "sport, information, social networks, pornography", while the list of authorized categories 2969888 -9- for the "child profile" may include the categories "sport, information ".

For this, the method according to the invention may comprise an association of a profile with at least one identifier of an apparatus and / or a user, the determination of profile data being carried out as a function of said identifier. The user's identifier may include a user name entered for this user to log on to the user device. The device identifier may be a mac address, a type of device, or any other identifier such as a client identifier for another service provided by the Internet access provider, for example a service of type fixed or mobile telephony. In the case where the ISP is also the telephony operator of one or more users in the home or business network, using a client identifier may facilitate the configuration and setting of the control of the Internet. access by pooling available data in the central servers of the access provider who is also the telephony operator.

The method according to the invention may further comprise a constitution of at least one list of categories allowed or prohibited for at least one profile during an initialization step of the method according to the invention or during the creation of a new profile, for example a "visitor profile". Each profile may include a time setting 25 as described above associated with a multiple categories allowed / prohibited for this profile.

The method according to the invention may further comprise a constitution of at least one list of categories by classification of an address, i.e., a URL, a domain name or a protocol, in at least one of a plurality of categories. The classification of an address in a category can be carried out manually and / or automatically by semantic analysis of the content or contents at this address. According to the invention, at least one list of addresses or categories may be constituted and / or remotely modified by connection to said central server through the Internet network. This connection can be done through a user interface using a user ID and a password and can be secured by encrypting the exchanged data.

The method according to the invention may further comprise, for each user of the network, a constitution of one or more connection logs, also called connection logs. These connection logs include data about the content accessed by each user in the network.

According to another aspect of the invention there is provided a data processing system for access to at least one content over the Internet network, from a so-called local network, comprising: a box for connecting to a provider Internet access, generally called "Operator Box", making the connection to the Internet, and 20 - at least one user device connecting to said Internet network via said connection box, said system comprising: - means arranged in said connection box for determining data relating to an address, said address, of a content by analysis of a request for access to said content transmitted by said user device to said connection box, and transmitting said address to a device remote computer, said central server, means arranged in said central server to determine categorization data by comparison of said address to with at least one predetermined address list, - transmission means, arranged in said central server, for transmitting to said connection box data relating to said categorization, and 2969888 -11- - authorization or not access to said content by said connection box.

By "address" is meant any data relating to an address of a content, namely a URL, a domain name, a protocol for accessing content, etc.

Other advantages and features will become apparent upon consideration of the detailed description of a non-limitative embodiment, and the accompanying drawings, in which: FIG. 1 is a schematic representation of an access control configuration of a content according to the invention; FIG. 2 is a schematic representation of a first embodiment of a system according to the invention; FIG. 3 is a schematic representation of a second embodiment of a system according to the invention; and FIG. 4 is a representation in the form of a diagram of the steps of a method according to the invention.

In the figures and in the following description, the elements common to several figures retain the same reference.

FIG. 1 is a schematic representation of a configuration 100 for controlling access to a content according to the invention. With reference to FIG. 1, the invention proposes to carry out access control of contents from a home network 102 comprising: a connection box 104, and user devices 106-114, such as a computer 106, a television 108, a smartphone 110, a multimedia tablet 112 and a media player 114. All the 106-114 user devices access the Internet network 116 through the connection box 104. The connection box 104 is a box operator provided by an ISP. The access control according to the invention implements a central server 118 accessible by the connection box 104 through the Internet and with which the connection box 104 exchanges digital data over the Internet network. according to a known or proprietary protocol. The data exchanges are symbolized by arrows. In the configuration shown in Figure 1, it is proposed to control access to a content 120 on a server 122 accessible to the user devices 106-114 through the Internet network 116 e through the connection box 104. 10 Figure 2 is a schematic representation of a first embodiment 200 of a system according to the invention. In this embodiment, the system 200 comprises a module 202 installed in the connection box arranged to perform the analysis of a request for access to a content in order firstly to determine data relating to the address of the user. content 120, and secondly an identifier associated with the user using the device at the origin of the access request. The box 104 further comprises a list of profiles 204 stored on the connection box 104 which is searchable by the analysis module 202 to determine the profile associated with the user through the user identifier. The list of profiles 204 associates with each user identifier a profile name, for example for the "Bernard" identifier the "Adult" profile and for the "Zoé" identifier, the "Child" profile. In the context of a professional network, the list of profiles can include for the identifier "Michelle" the profile "Service Accounting", for the identifier "Sylvain" the profile "Leader", for the identifiers "Valérie", "Muriel" the profile "Administrative Service" and for the identifiers "Sébastien" and "François" the profile "Consultants". The connection box 104 comprises a dynamic list or cache 206, for example, of the last ten addresses for which a decision of authorization of access or of prohibition of access has been taken in association with the decision taken, and possibly the user for whom the decision was made. The central server 118 includes a user interface 208 allowing a user to create and feed a list 210 of addresses used to perform an address categorization. Specifically, in the list 210, a category is associated with each URL address or domain name or protocol. For example, the domain name "lemonde.fr" is associated with the category "Information", the domain name "Playboy.fr" is associated with the category "pornography", and the "peer-to-peer" protocol is associated with the category "Download" etc. This categorization can also be performed automatically by semantic analysis of the content of the site, the domain concerned or the protocol. The central server 118 further comprises one or more profiles 212, comprising for each profile one or more lists of categories of content allowed or prohibited. These profiles can be created using the user interface 208. Specifically, the user defines one or more profiles, for example "Adult", "Child", "Visitor". In each profile one or more categories allowed or prohibited are defined. For example: - for the "Adult" profile, the categories allowed are: o Information, o pornography, o sport, and o social networks; and - for the "Child" profile, the categories allowed are: o Information, and o sport. A time setting, as well as time or data volume quotas can be associated with one or more categories in a profile, for example with regard to the "Child" profile, a time setting can be associated with each category. Thus, for the "information" category the time setting can be "8: 00-20: 00" and for the "sport" category the time setting can be "10:00 to 18:00". Thus, these categories will be allowed during these time slots. The central server 118 further comprises a categorization module 214, which according to an address, i.e., a URL, a domain name or a protocol , determines the category of the address by consulting the address list 210. The central server 118 further comprises a decision-making module 216, which according to the category determined by the categorization module 214 determines a granted authorization data, for example "OK" or a denied authorization data, for example "NOK" by comparing the determined category with a profile 212. FIG. 3 is a representation of a second embodiment of a system according to the invention. In the embodiment 300 shown in FIG. 3, all the elements are identical to the first embodiment 200 shown in FIG. 2, with the difference that the decision module 216 and the profiles 212 are arranged in the connection box. 104 and not on the central server 118. In this embodiment 300 the determination of authorization data is performed in the home local area network 102 at the connection box 104, and not at the central server 118.

FIG. 4 is a representation in the form of a diagram of a method according to the invention, which can be implemented in the systems represented in FIGS. 2 and 3 or in the control configuration 100 shown in FIG. The method comprises a first initialization step 402. The list of profiles 204, the profiles 212 are created during this step. The list of addresses 210 containing URLs, domain names and / or type of protocols may also be created during a step or downloaded at this step from the central server 118 or from another computer device (not shown in FIG. Figures 1-3). This step 402 is performed only once. The following steps are performed at each reception / detection by the connection box 104 of a new request for access to a content 2969888 issued by a user device 106-114 within the local home network 102. receiving a new request for access to a content, the access request is analyzed in a step 404 by the analysis module 202 to determine the user's identifier ID and the address AD content covered by the access request. In step 406, the profile of the user of the apparatus at the origin of the request is determined by consulting the list of profiles 204. In step 408, the analysis module consults the dynamic list 206 10 to determine if a decision has been made for that content as a result of an access request issued for that profile. If so, the connection box allows or not access to this content during a step 424 according to the decision previously made. If not, the AD address of the content, i.e., a URL, a domain name and / or an associated protocol, is transmitted to the central server 118 in a step 410. When the decision module 216 is arranged on the central server 118, the PR profile of the user is also transmitted to the central server 118 during this step 408. In step 412, the category of the content is determined by the categorization module 214 by consulting the list of addresses 210. When the decision module 216 and the profiles 212 are arranged on the central server 118, then authorization or prohibition data are determined at the step 414, at the central server 118, according to PR profile and categorization data. The authorization or prohibition data are transmitted to the connection box in step 416. When the decision module 216 and the profiles 212 are arranged on the connection box, then the categorization data are transmitted to the box of the connection box. connection 104 during a step 418 executed after step 412. The authorization or prohibition data is then determined in step 420, at the connection box 104, according to the PR profile and the data. categorization received in step 418. In step 422, the dynamic list is updated. In step 424, the connection box 104 authorizes or denies access to the targeted content according to the authorization / prohibition data.

In the examples given, the modules can be either electronic components such as processors or computers or computer modules in the form of software or programs. Furthermore, in a third embodiment of the system according to the invention the list of profiles 204 can be arranged on the central server 118. In this case, the step 406 of determining the profile of the user of the apparatus at the origin of the request is determined on the central server according to the identification data ID previously transmitted by the connection box 104 to the central server 118. In addition, the address data of the content can be determined by the analysis module 202 by consulting one or more external DNS servers (not shown).

Local network 102 may also be a professional network.

Naturally, the invention is not limited to the examples which have just been described.

Claims (11)

REVENDICATIONS1. Data processing method for access to CLAIMS1. A data processing method for accessing at least one content (120) through the network -Internet (116) from a local network (102) comprising - a connection box (104) to a provider access-: internet, usually called "Box Operator", making the connection to the network -internet (116), and - at least. an apparatus (106-114) -using a user connecting to said Internet network (116) via said connection box (1041) said method comprising the steps of: - determining (404) by said connection box (104) ), data relating to an address, referred to as address, of a content (120) 15 by analyzing an access request to said content (120) transmitted by said user device (106-114), - transmission (410) of said address by said connection box to a remote computing device, said central server, said determination (412) by said central server (1-18), of data I, m-ison-e It is necessary to have at least one predetermined list (210) of addresses, transmission by said central server (118) to said connection box (104) of data relating to said categorization, authorization or not of access. said content (120) being controlled by said connection box (104). The method of claim 1, characterized in that it further comprises a determination (414, 420) of authorization data by comparing the categorization data. determined. by the central server (118) to at least one list (212) of permitted and / or prohibited address categories. 3. Method according to claim 2, characterized in that the determination (414) of authorization data is performed by the central server (118) and 2969888 ~ 18- the at least - a list (212) of categories of authorized and / or forbidden addresses is stored on said server. central (118), the categorization data transmitted by said central server (118) to the connection box (104) including said authorization data. 4. Method according to claim 2, characterized in that the determination (420) of authorization data is performed by the connection box (104) and the at least one list (212) of authorized address categories and / or prohibited is stored on said connection box (104), the categorization data transmitted by the central server (118) to said connection box (104) including the categorization data determined by said central server (118). 5. A process according to any one of the preceding claims; Characterized in that it further comprises. a "storage" (422), at the level of the connection box (104), of a list or cache (206) of addresses, called dynamic, corresponding to the addresses of the contents for the last access requests sent to said limp connection (104) in association with data relating to an authorization or prohibition 20 ~ o >> r each of said addresses. 6. Method according to claim 5, characterized in that it comprises, before the step (410) for transmitting the data to the central server (118), a step (408) of consu) .tetion of the dynamic lèse or cache (206) for at least one new access request to a content. 7. A method according to any one of claims 2 to 6, characterized in that the determination (414, 420) of the authorization data is performed according to a profile (PR) user _previously defined and associated with the user 30 the user device (106/114) issuing the content access inquiry. 8. Method according to claim 7, characterized in that it comprises a determination (406), by analysis of the access request, of data, called profile, relating to the profile of the user of the user device. (1067114), said profile data being used for selection of at least one list (212) of permitted address categories - and / or prohibited prior to the determination (414, 420) of; authorization data. 9. The method of claim 8. characterized in that it comprises: associating (402) a profile with at least one identifier of an apparatus and / or a user, the determination (408) of profile data being performed according to said identifier : 10 10. A method according to any one of the preceding revisions, characterized in that it comprises a constitution (402) of at least one list (212) of .categories of addresses allowed or prohibited for at least one profile. 15 11. Method according to any one of the preceding claims, characterized in that it comprises a constitution of at least one list (210) of categories of addresses, by classification of a addressed 'in at least. a category.by a plurality of categories: any of the claims 10 or 11, characterized in that at least one list (204, 21.0, 212) of address is constituted and / or modified remotely by connection to said central server (118) over the Internet {116). 13. A data processing system (200,300) for accessing at least one content (120) through the Internet (116) from a so-called local network (102) comprising a housing ( 104) of 'connection to an internet service provider, generally referred to as an' Operator Box ', - making the connection to the internet network (116), and - at least one user device (106-114) connecting to said network an Internet network (116) through said connection box (104), said system (200; 300) comprising means (202) arranged in said connection box (104) for determining and transmitting to a remote computer apparatus (118), said server-.central, data relating to an address, said addresses, of a content by analysis of an access request to said transmitted content - pa'r .. said-apparatus user (106-114) to said connection box (104); means (214, 210) arranged in said central server (.118). to determine categorization data by cor- parparison. of said address with at least one predetermined address list (210); transmission means (214, 216) arranged in said central server (118) for transmitting to said connection box (104) data relating thereto; to said cégégôrisation, .and - authorization or. no access -audit content (120) by said box of .connection (104).