DE19958638C2 - Device and method for individually filtering information transmitted over a network - Google Patents

Description

The invention relates to devices and methods for individual duel filtering of information transmitted over a network nen, which are aimed at a user device.

Due to the strong growth of the Internet and its unstructured tured, uncontrollable structure there is a Rei hey of information related to specific occupations or personalities groups should not be accessible. Especially children shouldn't have access to issues like violence. Even in Un There is a need for companies to access the Internet troll and only provide information that the Er can serve the employee's task. The primary Its services to be controlled are WWW, email and FTP. Known network filters, such as those from CyberPatrol and NetNanny offered are only static in nature. It user-specific filtering is not possible with them of information. Rather, they assign data bank, in which all pages are stored, on which a Zu did not have to be accessed or accessed can. This property only enables these known ones Use filters in large company networks where the Filter requirements for a large number of users are identical. A use by Internet providers that have a variety of have different users, the different requirement  to filter the information is hereby not possible.

A filter is known from EP 0762707, which is based on the IP Filtering addresses. In contrast to the present The present invention is the invention from this document unable to analyze the content of the transferred data Sieren.

A filter can be found in EP 0957 618, which additionally checked the content of the information for the IP addresses. The List of words is only an exclusion list.

WO 98/41913 describes a device and a method knows both the IP addresses of certain Internet Si block as well as a list of words that are not included in the transmitted information may be.

From US 5996 011 a device and a Known procedures that both the IP addresses of certain Internet sites also block a list of words accounted for that is not in the transmitted information may be included. Furthermore, both positive lists and also kept negative lists, which are checked one after the other the. If a term is not in a positive list the negative list is checked.

WO 99/48261 shows a firewall that filters on the Based on the IP addresses and port addresses, however does not perform content-related analyzes.

WO 99/54827 discloses a firewall and a proxy that an analysis of the IP address only Internet data. A review of the content of the Inter net data does not take place.

The object of the present invention is a network filter that manages different filter profiles,  that can be individually assigned to a user and de Ren rules can be adjusted as needed.

This task is solved by devices and methods the features of the independent claims, in particular by a device for individual filtering over a network information transmitted to a user device are. This device has at least one user profile memory in which user-specific filter profiles are stored. It also has at least one input device that can be used to fil receiving information from the network, and at least an output device that provides the filtered information to the user device sends. Furthermore, the device has a machining unit, which is a network address of the user device based on the user identification data transmitted at least once to the assigns user-specific filter profile and the following based on the filter profile, the information from the network, the directly or indirectly to the appropriate network are addressed according to the criteria of the filter profile filters.

The network is preferably the Internet, with the device device between the Internet and the user device is arranged. The device can logically as well as physically between be arranged between the user device and the Internet. The Input device, which preferably represents a network card, is connected to the internet to get information from the To receive internet. The filed are via the output device Results from the Internet are then transferred to the user device bermittelt. The processing unit uses the transmitted user identification data a user-specific Filter profile of the IP address of the user device. The Bear The processing unit filters below based on the filter profile the information from the network that is immediate or with are addressed to the corresponding IP address or from you come from, according to the criteria of the filter profile.  

In a further advantageous embodiment, the Vorrich the functionality of a well-known Internet Proxies on a local socket connection to the user device builds up through which the exchange of information with the Internet takes place, based on the at least one transmitted User identification data that depends on the IP Address of the user device, the processing unit assigns user-specific filter profile to the IP address. The The functionality of an Internet proxy is therefore crucial true that the IP addresses of the user devices on one unit IP address are mapped, whereby this uniform IP address is masked to allow a reverse transformation ben. The Internet proxy also has a cache function on, which allows information already retrieved faster provide.

It is also possible to achieve the desired result with a transpa to reach Internet proxy. A transparent proxy listens to the information traffic between the user devices and the internet. It is therefore not necessary that the user device establishes a local IP connection to the proxy. When using a transparent proxy, however, it is necessary that the NAS (Network access system) every time a new user is dialed in advises IP address and user identification data to the informa tion filter transfers independently.

Furthermore, the task is individualized through a process len filtering information transmitted over a network, which are aimed at a user device with user profiles solves. After assigning the network address of the user device to a user profile based on the at least one-time transfer NEN user identification data, that from the user device required information based on the information saved in the user profile filtered rules. The rules set amounts of In formations that are transferred to the user device may or may not be transferred. The so defi nated sets can be ver by known set operations be knotted. These amounts can be found in the information  Words contained, by domain names, by the time in the Internet or who is determined by the size of the information the.

Further advantageous embodiments are in the subclaims Chen listed. A detailed description follows based on of the drawings. It shows:

. Figure 1 shows the arrangement of the information filter between the In ternet and the user equipment, wherein the user devices are connected via a NAS to the Internet and the information is passed either through the filter or information already available proxy;

Fig. 2 is a flowchart of the connection establishment of the user device with the NAS, the user device dialing in and being assigned an IP address by the NAS, which can be read out in connection with the user identification data by the information filter; furthermore, user statistics are simultaneously carried out;

Fig. 3 is a flowchart of a request from a user device that is passed once through a standard proxy and alternatively an inventive information filter with the functionality of a proxy, which checks on the basis of rules to determine whether a request or response is permitted to a request;

FIG. 4 is a flowchart of a request from a user's device, it being checked whether a request should be made point at this time whether the Internet addresses is permitted, if the requested file types is admissible and whether personal data are disclosed;

Fig. 5 is a flowchart of a response to a request from a user's device, it being checked whether Tags are included that are excluded if the file has been exceeded in size, if the domain name was included in the positive list, where statistics are chert vomit.

Fig. 1 shows the information filter 10 in its arrangement enables an access to the Internet 17 through a NAS (Network Access System) 26 with a provider 24. A user 23 dials in via his user device 15, preferably with the help of a modem, from the provider 24 . Other forms of connection are also conceivable. Dial-in can be made via a cable modem, via a dedicated line or via radio.

Due to the limited number of IP addresses that are assigned to the providers, these are only assigned dynamically by the NAS 26 when they are required. To this end, ei ne device 13 to assign IP addresses is used, the forwards these IP addresses via a modem or ISDN pool 12 with which the user device 15 are connected to the user equipment 15th The NAS 26 also has a memory area (not shown) in which the user identification data are stored in order to be able to check when dialing in whether the respective user has an access right or not. Furthermore, the NAS 26 offers the possibility to access the user identification data from the outside, which in turn is stored in relation to the assigned IP address as soon as a connection is established.

Based on the user identification data, the area or the mask of the IP addresses is also determined, so that routing via a router 16 is possible. As a result, it can already be determined at this point in time whether the inquiries and answers of the user device 15 are to be routed via the information filter 10 or directly to the Internet. As can be seen from FIG. 1, information that is not to be routed via the information filter 10 is routed via an already existing proxy 11 . Alternatively, this information can also be sent directly to the Internet without having to use a proxy.

The information filter 10 has an input device 20 and an output device 21 , which in the present example have both input and output functionalities. The input device 20 is connected to the user devices 15 . The device advises 20 is connected to the Internet 17 via the router 16 . Furthermore, the information filter 10 has a processing unit 22 and a user profile memory 18 . Filter profiles 19 are stored in the user profile memory 18 and contain a set of rules for inquiries and answers.

In addition, the information filter 10 , which preferably has the functionality of a proxy or a transparent proxy, comprises a cache memory 25 for temporarily storing information. Access to information on the Internet 17 can be considerably accelerated by the cache memory 25 . If this information has already been requested at an earlier point in time, it is no longer necessary to reload this information from the Internet 17 .

Fig. 2 is shown in the sequence of the application of a user device 15 at the NAS 26th The user device 15 dials in via the modem and ISDN pool 12 of the NAS 26 . Here, the NAS 20 checks the user identification data in order to determine whether the user device 15 may have access to the Internet 17 . Furthermore, the NAS 26 uses the user identification data to check which IP address from the IP pool is to be assigned to the user devices 15 . The NAS 26 transmits an IP address to the user device 15 and enters this IP address in an internal router table in order to forward incoming answers to the correct user device 15 . It also assigned the IP address to the user identification data.

Fig. 3 shows the processing of a request and an Ant word of a user device 15 , wherein different ways be taken. In the first variant, the request is made via a proxy 11 that has no filter. When there is a request from a user, it is checked whether this request cannot already be answered by the information in the cache memory. If this is the case, the answer is given from the cache memory. If the page is not available, a connection to the Internet will be established and the page e.g. B. loaded from a WWW server.

In the case of a request that is routed via the information filter 10 , a check is carried out before the request is forwarded on the basis of the filter profile 19 as to whether this type of file can be loaded from this domain or IP address at the given time. If a request is permitted, the cache memory 25 is checked, as already described above, to determine whether the request can be answered by cached information. If this is not the case, the information is retrieved from the Internet. The information loaded in this way is temporarily stored in the cache memory 25 . Before the answer is forwarded to the user device, the information is checked using keywords. If an excluded keyword is found in the response, the answer is withheld and subjected to further review. This further check is carried out on the basis of a positive list in which all domains or IP addresses are listed, the information of which may contain the keywords. So z. B. the word "violence" in an article of the magazine "Spie gel" are listed, whereas this word should be excluded in another context. The keywords can be individually linked to the entries in the positive list. Furthermore, all profile entries are to be made variable. After checking the positive list, the answer is also checked for its size. If the answer exceeds a prescribed file size, the answer will also be held back.

Statistics on the behavior of all users will continue to be like this how user statistics are kept for individual users. The statis Tics contain a range of information. Possible information are the number of accesses per month and per day Average per week, day and hour, access geor depending on the selected domain, e.g. B. Evaluation per country, the  Access ordered by chosen Internet addresses, the number and size of the downloaded files, e.g. B. by type and Size. The evaluation can be both tabella be illustrated graphically as well as graphically. Furthermore, Inquiries and answers are saved, their access or whose forwarding was not permitted due to the rules. In addition, a period can be determined by using the Infor mations can be saved. This can e.g. B. 12 months.

FIG. 4 shows a detailed flow chart of the filtering of a request. At the beginning, it is checked whether the user is surfing the Internet at the given time or whether he is allowed to access it. If this is the case, the next step is to check whether the IP addresses to which the request is directed are listed in a negative list or blocking list. These lists can be obtained online from other service providers, such as CyberPatrol. CyberPatrol is a provider that regularly checks the Internet for domains and IP addresses, the content of which does not correspond to the decency of the ordinary user. This negative list can also be expanded manually. If the IP addresses are not included in the negative list, it is further checked whether the requested file type can be called up at all. So z. For example, ftp jobs can be prevented from loading executable files that may contain viruses. The file list contains a number of file types that must not be downloaded from the Internet.

Finally, it is checked whether personal data is passed on the. This can e.g. B. be the case if in emails passwords be transmitted. Furthermore, certain can be prevented File types are sent by the user. This will secure provides that no mission-critical data in the Internet reach.

Fig. 5 shows the flow chart of the filtering when the response arrives. When a response arrives, the entire content of the response is checked. The entire file is checked for keywords. A list of keywords can e.g. B. obtained from other services. They can also be added manually. If certain keywords are included, a positive list is used to check whether information containing the keyword can be obtained from this IP address or domain. After this check, the file size of the information is determined and compared with the maximum permissible file size. If this criterion is also met, the information is forwarded to the user.

The user determines the rules either by simply designing them tied forms in which he made up a predefined set of rules can choose that can be customized, or sen sen detects an email to a corresponding email server. The in the Email defined rules correspond to a specific one syntax. The email server processes these emails and enters the rules in the corresponding filter profile.

The quantities determined by the rules can be defined by quantities operations such as union, intersection and complementary set with be linked together. It is not important here whether the rules determined a set of answers or a set of questions ben.

An integrated firewall, which is usually a combination from hardware and software is used to protect the groove against attacks from the Internet. All information The exchange of information is carried out exclusively via the firewall. The firewall worked on different levels.

A packet filter analyzes the information in the form of Data packets are transmitted on the network layer.

With the help of a circuit relay, all connections are on The firewall is interrupted in order to return it to the exit to set up, so that a direct connection of the user device with the Internet at the end of the log will prevent.  

The application level gateway provides protection on the An application levels. So there is a gateway service for every application (Proxy service) integrated, via which the user device with the corresponding application reaches the Internet. This gate way service is available e.g. B. for web browsers and FTP clients. here only the proxy has access to the Internet through the user devices but not itself.

Another protective measure is that the IP addresses of the groove devices are masked by the firewall, so that only the device according to the invention has connection to the Internet.

The information filter 10 is preferably designed as a high-performance computer, the processing unit 22 consisting of one or more microprocessors. The input devices 20 and the output device 21 are network cards or network adapters which provide a connection to the corresponding networks. The functionality of this high-performance computer is preferably determined by software.

The user profile memory 18 and the cache memory 25 are standard storage media such as hard disks or RAM memory. It is also possible that the content of the memory is accessed via high-performance databases.

Computer software, characterized by the features of the An claim 13 and one or more of its subclaims.  

reference numeral

10

information filter

11

Proxy, already exists

12

Modem, ISDN pool

13

Device for assigning IP addresses

14

dial-up connections

15

User devices of the user

16

router

17

Network, internet

18

User Profile Memory

19

filter profile

20

input device

21

output device

22

processing unit

23

user

24

provider

25

Cache

26

NAS (Network Access System)

Claims (19)

1. Device for individually filtering information transmitted via a network ( 17 ), which is directed to a user device ( 15 ),
with at least one user profile memory ( 18 ) in which user-specific filter profiles ( 19 ) are stored in the form of a set of rules, the rules defining approval and exclusion amounts for inquiries and answers,
with at least one input device ( 20 ) which receives the queries to be filtered and sends them to the network ( 17 ),
with at least one output device ( 21 ) which sends the filtered responses to the user device ( 15 ),
with at least one machining unit (22), the network address is a network of the user device (15) assigns the basis of the at least once transmitted user identification data to the user-specific filtering profile (19) and below the nut zerspezifischen filter section (19) based on the information from the network (17) that are addressed directly or indirectly to the corresponding network addresses or originate from them, according to the rules of the filter profile ( 19 ). 2. Device according to claim 1, characterized by a further information store ( 25 ) which serves for caching information from the network ( 17 ). 3. Device according to one or more of claims 1 or 2, characterized in that
that the network ( 17 ) is the Internet and the device ( 10 ) is arranged between the Internet ( 17 ) and the user device ( 15 ), and
that the input device ( 20 ) is connected to the Internet ( 17 ) in order to receive information from the Internet ( 17 ), and
that the output device ( 21 ) transmits the filtered results from the Internet ( 17 ) to the user device ( 15 ),
that the processing unit ( 22 ) uses the transmitted user identification data to assign a user-specific filter profile ( 19 ) to the IP address of the user device ( 15 ) and the processing unit ( 22 ) uses the filter profile ( 19 ) to subsequently provide the information from the network ( 17 ) that are addressed directly or indirectly to the corresponding IP address or originate from it, according to the criteria of the filter profile ( 19 ). 4. The device according to one or more of claims 1 to 3, characterized by the functionality of an Internet proxy that establishes a local socket connection to the user device ( 15 ), via which the information exchange with the Internet ( 17 ) follows, based on the at least one transmitted user identification data, which are dependent on the IP address of the user device ( 15 ), the processing unit ( 22 ) assigns the user-specific filter profile ( 19 ) to the IP address and, based on the filter profile ( 19 ), the inquiries of User device ( 15 ) and the information from the Internet ( 17 ), which was requested by the corresponding user device ( 15 ), according to the criteria of the filter profile ( 19 ) in order to then filter the information filtered via the socket connection to the user device ( 15 ) transferred to. 5. The device according to claim 4, characterized in that in the case of information requested by the user device ( 15 ) in the Ca che memory ( 25 ), the information is searched for, in the absence of this information, to forward the request to the Internet ( 17 ), after the arrival or the finding of the information, it is only forwarded to the user device ( 15 ) via the socket connection if the filter profile ( 19 ) allows this. 6. The device according to one or more of claims 1 to 5, characterized in that the Rules determine words that are included in the information may or may not be.   7. The device according to one or more of claims 1 to 6, characterized in that the rules determine domain names, from which the information may or may not be obtained. 8. The device according to one or more of claims 1 to 7, characterized in that the rules the size, the type and / or the time at which the information was accessed will limit. 9. The device according to one or more of claims 1 to 8, characterized in that the rules change user-specifically are cash. 10. The device according to one or more of claims 1 to 9, characterized in that a review of the requested Information on viruses using known detection methods ren is done. 11. The device according to one or more of claims 1 to 10, characterized by the functionality of a firewall, wherein
the input device ( 20 ) is designed as an input and output device,
the output device ( 21 ) is designed as an input and output device, and
the device ( 10 ) via the input and output devices ( 20 , 21 ) physically connects the user device ( 15 ) to the Internet ( 17 ) and a direct physical connection to the Internet ( 17 ) is not possible for the user device ( 15 ) , 12. The device according to one or more of claims 1 to 11, characterized in that statistical information about the request behavior for each user profile is saved. 13.A method for individually filtering information transmitted via a network in the form of inquiries and responses which are directed to a user device, with individual user profiles for a user device and / or its user, the user profiles being determined by a computer-readable control system and the rules define several user-specific admission quantities and exclusion quantities for inquiries and answers, at which
in one step, a network address of the user device is assigned to the user profile on the basis of the at least one transmitted user identification data, and
in a further step, based on the user-specific filter profile, the information from the network that is addressed directly or indirectly to the corresponding network addresses or originates from it is filtered according to the rules of the filter profile. 14. The method according to claim 13, characterized in that the Establishing a connection to the network through a user device, the the network address assigned to the user device and the user IDs identification data are stored in relation to each other and can be loaded to select the user profile, with the Establishing the connection is checked whether a specific groove zerprofil is available to this, if it exists, too enable and filter the information. 15. The method according to one or more of claims 13 and 14, characterized in that the network is the Internet, the Access to the Internet through a network access server (NAS) that follows the user identification data in relation to the Network address saves and access to this information allowed. 16. The method according to claim 15, characterized in that the NAS actively transmits the user identification data when a new user has registered. 17. The method according to claim 15, characterized in that the NAS passively transmits the user identification data when ei a request is made to him. 18. The method according to one or more of claims 13 to 17, characterized in that a local network connection with each user device is set up, via the information in Form of requests and responses are transmitted, the  Network addresses of the user devices when requesting a Network address shown with a corresponding masking and be forwarded to the Internet, and if the Responses arrive back transformed. 19. The method according to one or more of claims 13 to 18, characterized in that the answers over a longer period Period can be cached in order to restart ask for a shorter response time by using the between saved responses are transferred.