WO2005088941A1 - Device for controlling communication between computers - Google Patents

Device for controlling communication between computers

Info

Publication number
WO2005088941A1
Authority
WO
WIPO (PCT)
Prior art keywords
signal
computer
interface
data
main data
Prior art date
Application number
PCT/IT2004/000123
Other languages
English (en)
Inventor
Nicola Avanzi
Original Assignee
2A Informatica S.R.L.
Priority date
2004-03-15
Filing date
2004-03-15
Publication date
2005-09-22
Application filed by 2A Informatica S.R.L.
Priority to PCT/IT2004/000123
Publication of WO2005088941A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload

Definitions

  • The present invention relates to a device for controlling communication between electronic computers.
  • Proxy-type applications are presently available that check the URL string each time a computer sends, through the Internet, a connection request to a given site (typically residing on a remote server).
  • An application of this type does not always succeed in reliably controlling the information travelling from and to the computer with which it is associated; in fact, a given Internet site whose domain name (URL string) marks it as an "innocuous" site, i.e. one not incorporating any suspicious term, may on the contrary have contents that are not very reliable, such as obscene contents, etc.
  • Another presently available control system consists of the so-called firewalls, which operate on the headers of the information packages travelling through a telematic network, and in particular the Internet.
  • Each information package in fact consists of a series of protocol data (precisely the so-called headers), enabling the different computers and the applications they carry to communicate with each other, as well as of the true data that a user wishes to exchange with a remote user or computer.
  • The headers can identify the IP address (univocal identification code) of the source computer, the IP address (univocal identification code) of the addressee computer, the ports employed for communication, etc.
  • The control carried out by the presently available firewalls consists in verifying the information contained in the headers of the different packages; for example, use of some ports can be limited and/or data from some IP addresses can be filtered.
  • The present invention aims at solving the above mentioned drawbacks.
  • FIG. 1 is a block diagram of the device in accordance with the present invention.
  • Figs. 2a and 2b diagrammatically show the logic structure of the signals employed in the device of Fig. 1.
  • The control device in accordance with the invention has been generally identified with reference numeral 1.
  • Device 1 first of all comprises a first interface 10 for connection with a first computer 8; this connection may consist of any type of telematic connection, both through local networks and through global computer networks.
  • The present invention is particularly useful when it is associated with computers connected with each other through the Internet.
  • The first interface 10 receives a first signal 100 from the first computer 8.
  • The first signal 100 (Fig. 2a) comprises a first portion 101 and a second portion 103.
  • The first portion 101 contains protocol information 102 for correct transmission and capture of the first signal 100; in practice, the first portion 101 contains all the headers that each communication layer adds to the information package.
  • The headers are representative, for example, of the IP code of the machine sending the piece of information, of the IP code of the machine to which the piece of information is addressed, of the ports employed by these machines for communication, etc.
  • The first portion 101 of the first signal 100 thus contains all the data that lie beyond the true contents of the information to be transmitted by the first computer 8, and is exclusively utilised by the communication carriers so that such a transmission may be carried out correctly.
  • The main data 104 can define the (text or image) contents of one or more web pages that are stored in the first computer 8 and are sent through said first signal 100; more generally, the main data 104 are generated (with reference to the TCP/IP protocol structure) at the application level.
  • Device 1 is further provided with a second interface 20 associated with the first interface 10; the second interface 20 has the task of receiving at least the main data 104 from the first interface 10 (in the manner described below) and transmitting them to a second computer 9.
  • The second computer 9 is provided with collection means (not shown in the accompanying figures) for processing said main data 104; the collection means can also include appropriate display means allowing a user to utilise such main data 104.
  • First connection means 30 are provided; said means can be piloted between a first and a second operating condition.
  • In the first operating condition, the first connection means 30 allow transmission of the main data 104 from the first to the second interface 10, 20, so that these main data 104 can be received and displayed by the second computer 9; in the second operating condition, the first connection means 30 do not allow the main data 104 to flow from the first to the second interface 10, 20.
  • Operation of the first connection means 30 in the first or in the second condition depends on the contents of the main data 104, as described hereinafter.
  • Device 1 is provided with a selecting block 40 connected with the first interface 10 to single out the second portion 103 within the first signal 100; in other words, the selecting block 40 singles out the main data 104.
  • A control unit 50 is connected with the selecting block 40 to receive the second portion 103 and the main data 104 contained therein, and to generate a corresponding first command signal 110 for the first connection means 30; through the first command signal 110, the first connection means 30 are piloted between their first and second operating conditions depending on the main data 104.
  • The control unit 50 comprises a memory 51 containing first reference data 104a; said reference data are the reference terms against which the main data 104 are compared to establish the operating condition of the first connection means 30.
  • The control unit 50 also comprises comparing means 52 connected with said memory 51; the comparing means 52 compare the main data 104 received from the selecting block 40 with the first reference data 104a stored in memory 51.
  • Depending on this comparison, the first command signal 110 pilots the first connection means 30 to their first or second operating condition: should the main data 104 contain any of the first reference data 104a, the first connection means 30 shall be piloted to their second operating condition; vice versa, should the main data 104 contain none of the first reference data 104a, the first connection means 30 shall be piloted to their first operating condition.
  • The first reference data 104a can pertain to types of information (pornographic sites, sites that unlawfully make available information material, etc.) to which access from the second computer 9 is to be inhibited; device 1 can therefore be conveniently used in schools, offices, and generally in any structure where control over the nature of the information exchanged with external computers may be required.
  • Device 1 can also be associated with local computer networks connected with each other by means of the Internet, for example.
  • Device 1 is interposed in circuit between the first and second computers 8, 9; in this way, said computers 8, 9 cannot avoid or escape the control carried out by device 1 in order to communicate with each other. In this configuration, device 1 is therefore particularly useful and reliable.
  • When device 1 is associated with a local computer network, it can in particular be inserted between the local network itself and the router giving access to the Internet; in this way the connection between each machine of the local network and the Internet is subjected to the controls carried out by device 1.
  • Device 1 is also provided with a third and a fourth interface 60, 70: the third interface 60 is connected with the second computer 9 to receive a second signal 200 from the latter, whereas the fourth interface 70 is connected with the first computer 8 to transmit at least part of the contents of the second signal 200 thereto.
  • The second signal 200 (Fig. 2b), in the same manner as the first signal 100, is made up of a first portion 201 and a second portion 203; the first portion 201 contains protocol information 202, i.e. the different headers of the information package, whereas the second portion 203 contains auxiliary data 204 defining the true contents of the information that must travel from the second to the first computer 9, 8.
  • The auxiliary data 204 can be generated, at the application level, at the second computer 9 and, in particular, can be entered directly by a user, for example while using a search engine.
  • Second connection means 80 are interposed between the third and fourth interfaces 60, 70 to connect said interfaces with each other; the second connection means 80, in the same manner as the first connection means 30 described above, can be piloted between a first and a second operating condition.
  • In the first operating condition the second connection means 80 allow communication between the third and fourth interfaces 60, 70, whereas in the second operating condition they do not allow this information flow.
  • Operation of the second connection means 80 in the first or in the second condition depends on the auxiliary data 204 contained in the second portion 203 of the second signal 200, and in particular on a comparison between these auxiliary data 204 and second reference data 204a contained in memory 51.
  • The selecting block 40 is also connected with the third interface 60 to receive the second signal 200 and single out the second portion 203, i.e. the auxiliary data 204, within said second signal.
  • The auxiliary data 204 are thus input to the comparing means 52, which compare them with the second reference data 204a.
  • Should the auxiliary data 204 contain any of the second reference data 204a, the comparing means 52 shall generate a second command signal 210 piloting the second connection means 80 to the second operating condition, thus inhibiting the connection between the third and fourth interfaces 60, 70 and the relevant data flow from the second to the first computer 9, 8.
  • Otherwise, the second command signal 210 generated by the comparing means 52 shall pilot the second connection means 80 to the first operating condition, thereby allowing passage of information from the second to the first computer 9, 8.
  • Each first signal 100 and each second signal 200 can define a respective information package; each package is therefore made up of one or more headers (first portion 101 or 201) and of true contents (second portion 103 or 203), said true contents being preferably defined at the application level of the first or second computer 8, 9.
  • The control carried out by device 1 takes place on each of the information packages travelling between the first and second computers 8, 9.
  • The control shall therefore be carried out on each portion, i.e. each word, of said web pages.
  • When a package contains a sequence of characters matching the reference data, that package is not transmitted to the second computer 9, whereas the remaining packages of the communication are correctly received and displayed, provided they are considered "acceptable".
  • Following the filtering carried out by device 1, it is therefore possible for the second computer 9 to display incomplete pages having empty regions at the discriminated words or images.
  • The first, second, third and fourth interfaces 10, 20, 60, 70 have been described separately for the sole purpose of clarifying the operating characteristics of device 1; obviously, the first and fourth interfaces 10, 70 can in practice be made as a single means for connection to the Internet, and in the same manner the second and third interfaces 20, 60 can be made as a single connection through the USB port with the second computer 9.
  • Device 1 is not identified by IP addresses of its own, as often happens with devices inserted in local computer networks connected with the Internet; in other words, device 1 is quite transparent to the operation of the network and the relevant connections, and is capable of performing its control functions without requiring particular configurations. In practice, device 1 can be considered a "bridging firewall" that, beyond what the devices presently on the market do, is capable, as described above, of verifying the contents of the information packages travelling from and to a predetermined machine or set of machines.
  • Device 1 can be made as a removable medium provided with the necessary hardware and software for execution of the above described operations (in particular, provided with the list of the first and second reference data 104a, 204a).
  • As regards the first and second reference data 104a, 204a, it is provided for said data to be periodically updated, for example through a predetermined Internet site that, against a subscription, automatically checks whether variations or additions are required for the reference data 104a, 204a.
  • The invention achieves important advantages.
  • Device 1 allows a safe and reliable control of the contents of the information exchanged between two or more electronic computers.
  • The structure of device 1 is simple, cheap and characterised by low manufacturing costs.

Abstract

The invention relates to a device for controlling communication between electronic computers, comprising a first interface (10) for receiving a first signal (100) from a first computer (8) and a second interface (20) for transmitting main data (104) incorporated in the first signal (100) to a second computer (9); the device (1) further comprises first connection means (30) designed to be piloted between a first operating condition, in which the means allow transmission of the main data (104) from the first to the second interface (10, 20), and a second operating condition, in which the means do not allow that transmission. The device (1) also comprises a selecting block (40) for separating the main data (104) within the first signal (100), so as to produce a first command signal (110) that pilots the first connection means (30) between the first and the second operating condition depending on the main data (104).

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IT2004/000123 WO2005088941A1 (fr) 2004-03-15 2004-03-15 Device for controlling communication between computers

Publications (1)

Publication Number Publication Date
WO2005088941A1 true WO2005088941A1 (fr) 2005-09-22

Family

ID=34957514

Country Status (1)

Country Link
WO (1) WO2005088941A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6233618B1 (en) * 1998-03-31 2001-05-15 Content Advisor, Inc. Access control of networked data
WO2001063835A1 (fr) * 2000-02-21 2001-08-30 Clicksafe.Com Llc System and method for identifying and preventing access to pornographic and similar Internet content
US6493744B1 (en) * 1999-08-16 2002-12-10 International Business Machines Corporation Automatic rating and filtering of data files for objectionable content

Non-Patent Citations (1)

Title
Chen Ding et al., "Centralized content-based Web filtering and blocking: how far can it go?", Proc. 1999 IEEE International Conference on Systems, Man, and Cybernetics (SMC '99), Tokyo, Japan, 12-15 October 1999, IEEE, Piscataway, NJ, USA, pp. 115-119, XP010363557, ISBN 0-7803-5731-0 *

Similar Documents

Publication Title
US6751671B1 (en) Method of communication between a user station and a network, in particular such as internet, and implementing architecture
AU772508B2 (en) Safe terminal provided with a smart card reader designed to communicate with a server via an internet-type network
CN101159552B (zh) Method and system for controlling access to a network from a computer terminal
Handel et al. Hiding data in the OSI network model
EP1203297B1 (fr) Method and device for extracting the characteristics of an application protocol
US5918009A (en) Technique for sharing information on world wide web
US6351810B2 (en) Self-contained and secured access to remote servers
CN103095676A (zh) Filtering system and filtering method
CN104040538B (zh) Internet application interaction method, device and system
US20020103878A1 (en) System for automated configuration of access to the internet
KR20150137599A (ko) Apparatus and method for preventing vehicle information leakage
US7171684B1 (en) Data processing system providing secure communication between software components
AU2018208696A1 (en) Microkernel gateway server
KR100323548B1 (ko) Internet access method using account authentication information
US6370576B1 (en) System and method for obstacle-free network communication
WO2005088941A1 (fr) Device for controlling communication between computers
US6763387B1 (en) Method and system for sharing a single communication port between a plurality of servers
US7536479B2 (en) Local and remote network based management of an operating system-independent processor
EP1379027B1 (fr) Wireless local area network device
US8375226B1 (en) System and method for selectively isolating a computer from a computer network
SE506628C2 (sv) Method and device for signing and encrypting information in a telecommunications and data communications system
US20030105872A1 (en) Data interfacing method and apparatus
EP1039719A2 (fr) Method and system for developing smart card applications in data networks
CN107819830A (zh) Method and device for sending files via IM software
JP2000092111A (ja) Relay device and network system provided with the same

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase