FR3116687A1 - Method for controlling the access rights of a terminal to a communication network - Google Patents

Abstract

The present invention relates to a method for controlling the access rights of a terminal (1) to a communication network (20), characterized in that it comprises the implementation by a data processing module (21) a gateway (2) for access to said network (20) of steps of: Receiving from the terminal (1) a request for access to a service of said network (20); Verification of the compatibility of said service to which access is required with at least one access rule comprising at least one condition on location information of said terminal (1); Authorization or not of access to said service depending on the result of said verification. Figure for abstract: Fig. 1

Description

Method for controlling the access rights of a terminal to a communication network

GENERAL TECHNICAL AREA

The present invention relates to the field of Internet access.

More specifically, it relates to a process for controlling the access rights of a terminal to a communication network, such as parental control.

STATE OF THE ART

Parental control is a mechanism that allows parents to automatically restrict their children's access to the Internet in order to protect them.

Parental control can result in a limitation of the overall access time, and in particular by the implementation of filtering according to the schedule. The difficulty, in a home network, and being able to set up different filtering depending on the users. For example, you may want to block Internet access for children after 9 p.m., but not for parents.

A first known possibility is to use filtering by MAC address. This solution is effective but remains complex (it is not always easy for a novice user to find the MAC address of a device), and a little rigid (the same device can be shared between several users).

A second known possibility is to deploy individual accounts with different rights, if necessary shared between the various devices. Such a solution is more flexible, but more restrictive because it involves authentication to use the least equipment.

It is therefore desirable to have a new parental control solution that is simple, secure, and more intuitive than anything that exists.

PRESENTATION OF THE INVENTION

The present invention thus relates, according to a first aspect, to a method for controlling the access rights of a terminal to a communication network, characterized in that it comprises the implementation by a data processing module of an access gateway to said network of stages of:

1. Reception from the terminal of a request for access to a service of said network;
2. Verification of the compatibility of said service to which access is required with at least one access rule comprising at least one condition on location information of said terminal;
3. Authorization or not of access to said service depending on the result of said verification.

By filtering not by terminal or by account but by location, the present process proves to be very simple and very effective since it suffices to determine places in the dwelling such as children's rooms where parental control applies. .

According to advantageous and non-limiting characteristics:

Said communication network is a wide area network, in particular the Internet, said terminal being connected to the gateway via a local area network generated by the gateway (this is the simple and classic architecture of a building such as a house in which you may wish to implement parental control).

The gateway comprises at least one antenna, said local network being a wireless network, in particular Wi-Fi (the wireless character of the local network makes it possible to place the terminals anywhere, without being constrained by wires or fixed positions).

Said location information of said terminal is representative of a distance between said antenna and said terminal (this type of relative location information is very easy to obtain with good precision and to manipulate).

The gateway comprises a plurality of antennas, said location information of said terminal is representative of the distances between each antenna and said terminal (thus, triangulation, and therefore 2D position, can be done very simply).

Said location information of said terminal is, for an antenna, a received signal power level, RSSI, measured by the antenna (this is a basic solution available in all gateways and for all terminals, without that it is necessary to have the slightest means of specific positioning).

Said condition on said location information of said terminal of said access rule is an RSSI interval for said antenna (information representative of distances can be directly manipulated without calculating these distances in practice).

Step (b) comprises estimating said location information of said terminal.

The gateway comprises a data storage module storing a base of access rules of which said at least one access rule comprising at least one condition on said location information of said terminal, the verification step (b) comprising the verification the compatibility of said service to which access is required with each access rule of said database.

The method comprises a prior step (a0) of defining said condition on said location information of said terminal of said access rule by moving the terminal to an area in which the user wishes the rule to apply and by estimating said location information of said terminal during said movement (it is thus possible to create parental control rules very simply for a novice user).

According to a second aspect, the invention proposes a network access gateway, comprising a data processing module configured for;

• Receive from a terminal a request for access to a service of said network;
• Check the compatibility of said service to which access is required with at least one access rule comprising at least one condition on location information of said terminal;
• Whether or not to authorize access to said service depending on the result of said verification.

According to a third and a fourth aspect, the invention relates to a computer program product comprising code instructions for the execution of a method according to the first aspect for controlling the access rights of a terminal to a communication ; and a storage means readable by computer equipment on which a computer program product comprises code instructions for the execution of a method according to the first aspect of controlling the access rights of a terminal to a network of communication.

PRESENTATION OF FIGURES

Other characteristics and advantages of the present invention will appear on reading the following description of a preferred embodiment. This description will be given with reference to the appended figures including:

• [Fig. 1] Figure 1 is a diagram of a general network architecture for implementing the method according to the invention;
• [Fig. 2] FIG. 2 represents the steps of an embodiment of the method according to the invention.

DETAILED DESCRIPTION

Architecture

With reference to the , the invention proposes a method for controlling the access rights of a terminal 1 to a communication network 20 such as parental control implemented within the network 20, typically an extended network WAN (Wide Area Network) , especially the Internet.

There is a gateway 2 for access to the network 20, typically a gateway of the Internet access box type (a box), generating a local network 10 LAN (Local Area Network), i.e. the local network 10 is interconnected with the extended network 20.

Conventionally, the gateway 2 comprises a data processing module 21 such as a processor, and possibly a data storage module 22 (a memory, for example flash). It manages the accessibility to the wide area network 20, and is thus basic suitable for implementing access control and managing the connection, the access rights and the security of the users of the local area network.

As will be seen, in a preferred embodiment said local area network 10 is wireless, advantageously Wi-Fi, and as such the gateway 2 comprises in practice at least one antenna 23a, 23b for transmission/reception of the radio signal from said wireless network 10, preferably a plurality of antennas 23a, 23b to increase the coverage. Each of these antennas can be integrated into gateway 2 or external, i.e. either a wired antenna connected to gateway 2 (Ethernet, PLC, etc.) or a repeater (antenna capable of "duplicating" the wireless network). In all cases, the antennas 23a, 23b remain close to the gateway 2 (at most a few tens of meters) and all located in the same building (generally a home, but potentially as far as an office building). Thus, said plurality of antennas 23a, 23b will not be confused with, for example, the plurality of relay antennas of a mobile communication network, which is much more extensive. In all cases, it is assumed that the position of the antennas 23a, 23b is known. It should be noted that their positioning is generally considered insofar as one wishes the best quality of service, and this in all the rooms or at least the one where one has frequent use.

We place ourselves from the point of view of a particular terminal 1, but it will be understood that the present method can be applied to all the terminals connected or connectable to the extended network 20 via the gateway, i.e. all the terminals connected to the local network 10. For that, the terminal 1 advantageously has its own antenna (although it can for example be connected by wire to the gateway 2).

Terminal 1 itself can be any device with connectivity to Gateway 2, such as a smartphone, touchpad, laptop, TV decoder, game console, etc.

In a preferred embodiment, terminal 1 is a first terminal called child terminal, and a second terminal 1′ called parent terminal is used. In the typical case where the present method is a parental control method, it is in fact intended to be applied to the first terminal or child terminal 1 (whose user is assumed to be a child) and controlled via the second terminal or parent terminal 1' (of which the user is assumed to be a parent).

The parent/child distinction is however purely illustrative and corresponds to a classic use case, but of course the present process will not be limited to any particular situation. For example, the "parent" terminal could be that of an administrator of a company and the "child" terminal that of an employee of this company. Thus, the rest of the description exposes the preferred example of a parental control. However, the invention applies to other cases of control of the access rights of a terminal to a communications network.

By “control of access rights”, is meant any total or partial restriction of access to services of the extended network 20 at the level of the terminal 1, i.e. a request for access to certain services may be refused in certain circumstances, in based on at least one access rule. We repeat that the "parental" formula is consecrated, but applies to any situation, where one may wish to control what can be accessed on terminal 1.

An “access rule” is a rule comprising at least one condition, applied to the terminal 1 to determine what it can access. Preferably, there is an access rule base stored by a data storage module 22 of the gateway, but it will be understood that the rules can for example be stored and managed by a remote server (in particular disposed in the extended network 20 ). Each rule can be presented as IF(CONDITION(S)) THEN (CONSEQUENCE(S))

The consequences of the rules are for example:

• A complete blocking of one or more services;
• Authorized access to this (these) service(s) but with notification (in particular of the second terminal 1’);
• Access authorized subject to an acknowledgment procedure (for example entering a code on the second terminal 1');
• Etc.

We will see these conditions later.

Said services typically correspond to resources of the network 20, i.e. parental control aims to control access to web pages. This example is used to describe the invention in the rest of the description, but those skilled in the art will be able to transpose the invention to any other service to which the user of the first terminal 1 would like to access in the network 20 (downloading of applications , in-app purchase, etc.). As explained, said service can be the network 20 in its entirety, i.e. we can ultimately have a total blocking of access to the network 20.

The present invention will in no way be limited to a particular type of rule, or its application to a service or another

Process

With reference to the , the present method, implemented by the data processing module 21 of the gateway 2, begins with a step (a) of reception from the first terminal 1 of a request for access to a service. For example, the user types in a browser of the terminal 1 the address of a page. It is assumed as explained that the terminal 1 is already connected to the local network 10, so that it already has for example an IP address.

In a step (b), the data processing module 21 verifies the compatibility of said service to which access is required with at least one access rule. As explained, either he has the rule base himself and does this check alone, or he queries a dedicated server.

By verifying "compatibility", it is understood that we are verifying whether or not the conditions of the rule have been respected, so as to determine whether the consequence is applied.

The present method is distinguished in that at least one access rule comprises at least one condition on location information of said terminal 1.

The idea is to filter access to the terminal 1 to the network 20 according to its "geolocation" in the building, for example to authorize access only when the terminal 1 is in a certain room and/or on the contrary to prohibit the access when this same terminal 1 is in a defined room. In particular, children's rooms can be targeted in the context of parental control.

This makes it possible to have access control which is not linked to a particular terminal 1 as is the case with MAC filtering (the rules can give different consequences for the same terminal 1), without the heaviness an access procedure with authentication.

Preferably, said condition on location information of said terminal 1 is in practice generic, that is to say not specifically identifying said terminal 1, for example by its MAC address or its IP address. In other words, it is a condition on the location information of the terminal which sent the request of step (a), and if it was a second terminal 1' other than the first terminal 1, said condition on the location information of this second terminal 1'. To reformulate again, it is a condition on the location information of "any terminal", and the rule advantageously does not present any condition associated with a unique identifier of a terminal.

To implement the verification of this condition, step (b) advantageously comprises the estimation of said location information of said terminal 1.

By “location information” of said terminal 1, is meant any parameter making it possible to characterize in an absolute or relative manner (compared to the gateway 2) the position of the terminal 1. Preferably, this is information representative of a distance between the at least one antenna 23a, 23b and the terminal 1 (advantageously all the distances between each antenna 23a, 23b and the terminal 1), and we will take this example in the following description but we will understand that it may alternatively be a GPS position if the terminal 1 has suitable means, relay antenna boundary data (if for example the terminal 1 is a mobile terminal), proximity information via bluetooth etc

We understand that this is information "representative" of the distance and not necessarily the distance itself.

In particular, said location information of said terminal 1 representative of a distance between the at least one antenna 23a, 23b and the terminal 1 is advantageously a received signal power level, RSSI (Received Signal Strength Indicator), measured (automatically ) by the antenna 23a, 23b. We are of course talking here of the signal emitted by terminal 1 in the case of a wireless local network 10, since it is assumed as explained that terminal 1 is already connected to local network 10.

More precisely, the RSSI is expressed in a logarithmic scale (often in dBm), and is correlated with the distance between transmitter and receiver: the greater the distance, the lower the received power, i.e. RSSI and distance are related by a function monotone.

In Wi-Fi, the usual RSSI values vary from −30 dBm (high reception level – “zero” distance between the terminal 1 and the antenna 23a, 23b) to −90 dBm (minimum level allowing the signal to be exploited – the greatest possible distance at which the terminal 1 can communicate with the antenna 23a, 23b). Thus, the RSSI is indeed a parameter representative of a distance between the at least one antenna 23a, 23b and the terminal 1, and in practice an interval of RSSI value corresponds to an interval of distance.

It is thus understood that said condition on said location information of said terminal 1 of said access rule is advantageously an RSSI interval for said antenna 23a, 23b in which the estimated RSSI for terminal 1 must be (or not).

Note that walls or metal objects, for example, reduce the RSSI (because the signal is weakened by crossing them), but this does not change the monotonous nature of the link between RSSI and distance. For example, moving away from an antenna 23a, 23b until touching a wall, the RSSI gradually decreases, then decreases more strongly while crossing the wall, and continues to decrease again at the initial rate while moving away again this time in the room on the other side of the wall.

The use of the RSSI is particularly advantageous, because it does not require any additional equipment (as soon as there is a wireless communication between the terminal 1 and an antenna, we have an RSSI measurement), and is optimal for the distances of the order of a few meters or tens of meters which are generally observed within a dwelling. The results are much more precise than with GPS, even taking into account disturbances by walls or metal objects.

Preferably, there is an RSSI for each antenna 23a, 23b so as to be able to “triangulate” the position of the terminal 1 with respect to the antennas 23a, 23b. By way of example, it can be seen that in a room the RSSI varies over an interval of -70 to -53 dBm for a first antenna 23a (the one on the gateway 2) and from -54 to -35 dBm for a second antenna. 23b (a repeater).

Thus, the pair of RSSI values (-66; -50) indicates that terminal 1 is in this room.

Of course, this access rule and/or the other access rules may have other conditions, relating for example to other contextual parameters. For example, if the rule relates to an access time slot for the service, the compatibility check also involves determining the current time to check whether you are in this time slot. For example, it is possible to provide that for a given room (designated by the RSSI ranges) access is only restricted from 9 p.m. to 7 a.m.

Finally, in a step (c), the gateway 2 authorizes or denies access to said service depending on the result of said verification. More precisely :

• If compatibility is verified, access to the service is authorized;
• Otherwise access to the service is denied. In the latter case, the gateway 2 can send back to the first terminal 1, instead of the service it expected, a notification informing it of the blockage.

According to a particular embodiment, an access rule may involve, as explained, access subject to an acknowledgment procedure, for example the submission of the access request to the second terminal 1′. In such a case, step (b) comprises the implementation of the acknowledgment procedure (in particular the sending of a request to enter a code on the second terminal 1'), and if this ci is completed (valid code returned) gateway 2 considers that the compatibility check is conclusive.

Rules management

Preferably, the present method comprises a prior step (a0) (which can be implemented well before step (a)), of adding said access rule comprising at least one condition on said location information of said terminal 1 at gateway 2 (or modification or deletion of a rule).

This step (a0) involves the definition of said condition on said location information of said terminal 1 of said access rule and this is done preferentially by learning. Indeed, as explained, in practice it is not necessary to really know and enter the distance values, you can just see the RSSI values that you have in practice.

This is advantageously implemented by moving the terminal 1 in an area in which the user wishes the rule to apply and by estimating said location information of said terminal 1 during said movement. Note that this can be done using any terminal and not necessarily said terminal 1 (for example the second terminal 1').

Note that here we can both define an authorization zone (if we are in this zone we can access the service, moreover) and an exclusion zone (if we are in this zone we cannot access service, when you can elsewhere). It is also possible to concatenate zones or define several alternative conditions corresponding to several traversed zones.

We can explain how to add other conditions to the rule (not relating to location information), and finally a built rule can then be added to the rule base to be activated.

Bridge

According to a second aspect, the invention relates to the gateway 2 for implementing the method according to the first aspect.

As explained, this gateway 2 is typically an access gateway to an extended network 20, in particular the Internet, generating a local network 10 thanks to which a terminal 1 can connect to the gateway 2 to attempt to access the network 20.

The gateway 2 comprises a data processing module 21. The latter is more precisely configured for:

• Receive from terminal 1 a request for access to a service of said network (20);
• Check the compatibility of said service to which access is required with at least one access rule comprising at least one condition on location information of said terminal 1 (and to do this estimate said location information of said terminal 1);
• Whether or not to authorize access to said service depending on the result of said verification.

computer program product

According to a third and a fourth aspect, the invention relates to a computer program product comprising code instructions for the execution (in particular on the data processing module 21 of the gateway 2) of a method according to the first access rights control aspect, as well as storage means readable by computer equipment (the data storage module 22 of the gateway 2) on which this computer program product is found.

Claims (13)

Method for controlling the access rights of a terminal (1) to a communication network (20), characterized in that it comprises the implementation by a data processing module (21) of a gateway ( 2) access to said network (20) of steps of:
To. Reception from the terminal (1) of a request for access to a service of said network (20);
b. Verification of the compatibility of said service to which access is required with at least one access rule comprising at least one condition on location information of said terminal (1);
vs. Authorization or not of access to said service depending on the result of said verification. Method according to claim 1, in which said communication network (20) is a wide area network, in particular the Internet, said terminal (1) being connected to the gateway (2) via a local area network (10) generated by the gateway (2 ). Method according to claim 2, in which the gateway (2) comprises at least one antenna (23a 23b), said local network (10) being a wireless network, in particular Wi-Fi. Method according to claim 3, in which said location information of said terminal (1) is representative of a distance between said antenna (23a, 23b) and said terminal (1). Method according to claim 4, in which the gateway (2) comprises a plurality of antennas (23a 23b), said location information of said terminal (1) is representative of the distances between each antenna (23a, 23b) and said terminal (1 ). Method according to one of Claims 4 and 5, in which the said information on the location of the said terminal (1) is, for an antenna (23a, 23b), a received signal power level, RSSI, measured by the antenna (23a, 23b). A method according to claim 6, wherein said condition on said location information of said terminal (1) of said access rule is an RSSI interval for said antenna (23a, 23b). Method according to one of Claims 1 to 7, in which step (b) comprises estimating said location information of said terminal (1). Method according to one of Claims 1 to 8, in which the gateway (2) comprises a data storage module (22) storing an access rule base, the said at least one access rule comprising at least one condition on said location information of said terminal (1), the verification step (b) comprising verifying the compatibility of said service to which access is requested with each access rule of said database. Method according to one of Claims 1 to 9, comprising a preliminary step (a0) of defining said condition on said location information of said terminal (1) of said access rule by moving the terminal (1) in a zone in which the user wishes the rule to apply and by estimating said location information of said terminal (1) during said movement. Gateway (2) for access to a network (20), comprising a data processing module (21) configured for;

• Receive from a terminal (1) a request for access to a service of said network (20);
• Checking the compatibility of said service to which access is required with at least one access rule comprising at least one condition on location information of said terminal (1);
• Whether or not to authorize access to said service depending on the result of said verification.

Computer program product comprising code instructions for the execution of a method according to one of Claims 1 to 10 for controlling the access rights of a terminal (1) to a communication network (20), when said program is executed by a computer. Storage medium readable by computer equipment on which a computer program product comprises code instructions for the execution of a method according to one of claims 1 to 9 for controlling the access rights of a terminal ( 1) to a communication network (20).