Content-control software, or web filtering software, is a term for software designed and optimized for controlling what content is permitted to a reader, especially when it is used to restrict material delivered over the Web. Content-control software determines what content will be available on a particular machine or network; the motive is often to prevent persons from viewing content which the computer's owner(s) or other authorities may consider objectionable; when imposed without the consent of the user, content control can constitute censorship. Common use cases of such software include avoidance of websites known for malicious or undesirable purposes such as phishing, viruses, and spam; parents who wish to limit what sites their children may view from home computers, schools performing the same function with regard to computers found at school, and employers restricting what content may be viewed by employees while on the job. Individuals may wish to protect their home, work, or mobile computing devices from websites known to be hazardous.
A conventional Web filter software application is downloaded by a home user and installed on a home computer. A database of websites and domains is maintained outside of the served computer. The user selects a number of categories of websites or domains that are allowed to be accessed by an HTTP application, that is, a browser. Each website is rated for its text and images and placed in a category of the database. As a software product, a conventional Web filter requires a license and installation on each computer being protected.
A conventional filter examines a URI, consults a database, and interrupts access to a website according to the rating of the database and categories selected by a parent or administrator.
A conventional Web filter apparatus is a dedicated computer system comprising a plurality of network interfaces which can be installed by information technology professionals to protect the group or organization at the intersection of their local area network with a wide area network, or at the WAN edge. By installing a conventional Web filter apparatus into a network, a large number of web browsers can be protected without installing software on each computer.
Conventional Web filter solutions are known to those skilled in the art and are protected by patents including U.S. Pat. No. 6,947,985, entitled “Filtering Techniques for Managing Access to Internet Sites or Other Software Applications.” Other U.S. patents include U.S. Pat. Nos. 6,606,659, 5,678,041, 7,483,982, and 7,194,464.
Another technique known in the art is referred to as DNS hijacking. Hijacking of DNS to filter websites is not scalable, dynamic, or easy to maintain.
Hardware-based Web filtering solutions, generally located at the intersection of a local area network and a wide area network, are not portable and do not support mobile computer users who frequent libraries, Internet cafes, and airport hotspots. Home computer users are generally not sophisticated enough to do more than install software on their PC, which is burdensome if there are several PCs in the home.
What is needed is a way to reduce the cost of ownership including installation and maintenance for a person who is less than a system administrator or who is a mobile computer user.
The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention will be apparent from the description and drawings, and from the claims.
The present invention comprises DNS Triage, URI Scanner, and Query Proxy Services. Each service comprises a processor adapted by a program product and coupled to each other via a network: query string proxy, URI path scanner, and domain name system triage.
The method comprises:
The method further comprises the following steps:
Referring now to the figures, a conventional web filter and network configuration is illustrated in
Referring now to
Referring now to
Referring now to
But some servers may be new or provide public hosting services or may not be totally trusted or not yet appear on any black list. The situation is addressed in
This allows a script, database query, transaction, or program to be dynamically triggered by the uniform resource identifier and to return a programmatic response which can be examined by the proxy scanner apparatus 400. If the proxy scanner apparatus 400 determines that the reply to the protocol session 430 includes undesirable content, such as viruses or text or images considered undesirable, the client 100 receives a warning message or explanation directly or indirectly from the messenger apparatus 500.
The method comprises the steps for operating an apparatus, the apparatus comprising a Web filtering DNS server, a Web filtering response portal server, and a Web filtering extended proxy, the method comprising the steps of
If the answer is yes, the actual IP address corresponding to the DNS request is sent to the client, which the client uses for requesting HTTP services. If the answer cannot be determined by categorization and policy rule on the hostname part of the HTTP request, the traffic is rerouted to the Web filtering extended proxy. The Web filtering extended proxy will determine if the traffic is allowed based on the actual full URI of the HTTP request. The Web filtering extended proxy may execute the HTTP request and examine the response to determine if the traffic is allowed. In an embodiment, when the Web filtering DNS server determines, based on policy control over the hostname of the target web server, that traffic is denied, it returns the IP address of the Web filtering response portal server, which serves a block page to the client machine. In an embodiment, a block page is served to the client machine on the condition that the Web filtering extended proxy determines that traffic is not allowed based on the full URI or on the content of the HTTP response.
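The two-stage decision just described (DNS triage on the hostname, then the extended proxy deciding on the full URI and, where needed, on the fetched response, with fulfilment only when neither the URI blacklist nor the content scan objects, as the later embodiment states) can be modelled as follows. This is an added illustration, not code from the patent; the addresses, the category database, the policy entries and the response bodies are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed addresses for the two filtering services (RFC 5737 documentation ranges).
PORTAL_IP = "198.51.100.2"   # Web filtering response portal server (serves the block page)
PROXY_IP = "198.51.100.3"    # Web filtering extended proxy

# Constructed hostname "rating" database and the real addresses of allowed hosts.
CATEGORY_DB = {
    "news.example": "news",
    "malware.example": "malware",
    "hosting.example": "public-hosting",   # mixed content: undecidable on hostname alone
}
REAL_IP = {"news.example": "203.0.113.10", "hosting.example": "203.0.113.20"}


@dataclass
class Policy:
    """Constructed per-subscriber policy selected by the parent or administrator."""
    denied: set = field(default_factory=lambda: {"malware", "adult"})
    allowed: set = field(default_factory=lambda: {"news"})
    uri_blacklist: tuple = ("/cgi-bin/badscript",)   # full-URI blacklist entries
    bad_words: tuple = ("EICAR",)                    # markers of undesirable response content


def dns_triage(hostname: str, policy: Policy) -> str:
    """Step 1: answer the DNS query from the hostname category and the policy.
    Returns the real address (allow), the portal address (deny) or the proxy
    address when the hostname alone does not decide (unrated or mixed hosts)."""
    category = CATEGORY_DB.get(hostname)
    if category in policy.denied:
        return PORTAL_IP
    if category in policy.allowed and hostname in REAL_IP:
        return REAL_IP[hostname]
    return PROXY_IP


def extended_proxy(path: str, response_body: str, policy: Policy) -> str:
    """Step 2: decide on the full URI, then on the fetched response content.
    `response_body` stands in for the reply the proxy would obtain by executing
    the request; fulfilment happens only if both checks pass."""
    if any(entry in path for entry in policy.uri_blacklist):
        return "block"
    if any(word in response_body for word in policy.bad_words):
        return "block"
    return "allow"


def filter_request(hostname: str, path: str, response_body: str,
                   policy: Optional[Policy] = None) -> Tuple[str, str]:
    """Run both stages; returns (outcome, address the client was directed to)."""
    policy = policy or Policy()
    ip = dns_triage(hostname, policy)
    if ip == PORTAL_IP:
        return ("block-page", ip)
    if ip != PROXY_IP:
        return ("direct", ip)   # client talks to the real server; no proxy involved
    return (extended_proxy(path, response_body, policy), ip)
```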
For ease of disclosure and to facilitate understanding, the elements of the invention are described as independent apparatus connected by a network. The elements can be connected inside of a local area network, a wide area network, or elements of both a local area network and a wide area network. It can be appreciated by those skilled in the art that the elements of the invention can equivalently be implemented within a single apparatus, or with the elements locally attached to one another. The Web filtering DNS server, the Web filtering response portal server, and the Web filtering extended proxy may be distributed among a server farm or combined into one or two apparatuses without substantially changing the nature of the invention.
The present invention is a system to provide a selective personalized Web filtering service by selective proxy using a domain name system comprising:
The Web filtering domain name system server apparatus comprises
In an embodiment, the Web filtering domain name system server apparatus comprises
In an embodiment, the system further comprises
In an embodiment the system further comprises a Web filtering response portal server having a third Internet protocol address comprising
In an embodiment the Web filtering domain name system server apparatus further comprises
In an embodiment the client machine is adapted at network connection to send domain name system requests to the Web filtering domain name system server apparatus.
In an embodiment the client machine is adapted at user logon to send DNS requests to a certain personalized Web filtering domain name system server apparatus.
In an embodiment, the network comprises one of
In an embodiment the network is a wide area network.
In an embodiment the invention comprises an apparatus to provide a selective personalized Web filtering service by extended proxy comprising:
In an embodiment the apparatus further comprises
In an embodiment the apparatus further comprises a proxy server apparatus adapted by a software program
In an embodiment the apparatus further comprises
In an embodiment the apparatus further comprises a response server,
In an embodiment the apparatus further comprises authentication means of a client machine as a subscriber of a service.
In an embodiment the apparatus further comprises an authentication circuit of a user as a subscriber of a service.
In an embodiment the apparatus further comprises a circuit for fulfillment of a Web page request to the requesting client machine if no objectionable content is found and if the full URI does not contain a URI found in the blacklist.
The present invention may be easily distinguished from conventional web filter methods and software program products by not requiring the installation of software on a client machine nor licensing of a client machine. The present invention may be easily distinguished from conventional DNS hijacking by not requiring administrative authority or operating system programming skills.
The present invention may be easily distinguished from conventional web filter appliances, by not requiring the installation, configuration, and maintenance by information technology professionals of an apparatus at a wide area network edge. The present invention may be distinguished from conventional web filter solutions by operating independently of protocols unless the first DNS triage step redirects to enhanced filter services.
The present invention may be easily distinguished from conventional web filter proxy apparatus by its ease of deployment for mobile business or personal web users visiting public access points such as cafes, libraries, and schools, owing to its scalable domain name system triage provisioned as a service. The present invention may be easily distinguished from conventional web filters by providing a personalized and portable web filter profile which operates independently of a specific home, public, or business network, or even of a specific computer.
The techniques described herein can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. The techniques can be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
Method steps of the techniques described herein can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Method steps can also be performed by, and apparatus of the invention can be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). Modules can refer to portions of the computer program and/or the processor/special circuitry that implements that functionality.
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in special purpose logic circuitry.
A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. For example, other network topologies may be used. Accordingly, other embodiments are within the scope of the following claims.