DE102019105700A1 - Method and device for monitoring the communication of a device with a global communication network and / or within a local communication network - Google Patents

Abstract

The present invention provides a method and a device (202) for monitoring the communication of a device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) with a global communication network (14) and / or described within a local communication network (204), which is characterized in that the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) is assigned a firewall rule set with at least one firewall rule . This provides the user with secure communication within a device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) with a global communication network (14) and / or within a local communication network (204) Feeling given, making this communication safer and more comfortable.

Description

The present invention relates to a method for monitoring the communication of a device with a global communication network and / or within a local communication network according to the preamble of claim 1 and device for monitoring the communication of a device with a global communication network and / or within a local communication network according to the The preamble of claim 8.

The range of intelligent networked devices that are supposed to make everyday life as pleasant as possible is large and the possibilities for setting up a so-called “smart home” are increasing. The large number of so-called smart devices (hereinafter referred to as facilities) brings on the one hand a great potential of diverse possibilities in the networks of consumers, but this is also accompanied by increasing discomfort among users. The desire to use technology that is fun and supports everyday life in a meaningful way is thwarted by the growing fear of threats from the Internet and fear of losing one's own data.

Such devices can, for example, be voice assistants, smart TVs, computer systems, telephones and telephone systems, intercom systems, monitoring devices such as surveillance cameras, smart motion detectors, smart door and window contacts, washing machines, refrigerators, freezers, lighting such as smart lamps, coffee machines, smart ones Fire alarms, smart vacuum cleaner robots, smart sockets and similar devices and systems. Such devices are mainly home automation devices and entertainment electronics devices.

For example, the use of so-called voice assistants, such as Siri ^® from Apple ^® , Alexa ^® from Amazon ^® , Google Assistant ^® from Google ^® , Cortana ^® from Microsoft ^® and Bixby ^® from Samsung ^® , which process user communication and execute commands based on it, is known. Such language assistants are accessible mostly directly over the Internet, for example by present as a program on mobile computing devices, or they can be operated via dedicated language assistance devices, such as the Echo ^® series Amazon ^®.

In principle, these voice assistants are always connected to a global communication network, so that the user does not know what is happening to his personal data. The language assistance providers promise to do everything to ensure the security of communication and to treat the users' data confidentially, but this is not always convincing, since the business model of the language assistance providers is mostly the sale of personal data or its utilization, and also such language assistants can be taken over unauthorized by third parties from the global communication network.

This creates an uneasy feeling that the carefree use of voice assistants makes it impossible and reduces the fun of the ingenious possibilities of voice control in the digital home.

In addition to voice assistants, this problem also applies to all other facilities that communicate or can communicate with a global communication network.

But even within a local communication network there are dangers in that such devices communicate with one another and thus the external attack on a specific device also enables data to be tapped from other devices in the local communication network.

In the context of the present invention, a local communication network is understood to mean a local area network (LAN), while a global communication network is understood to mean larger communication networks, in particular Metropolitan Area Network (MAN), Wide Area Network (WAN) and Global Area Network (GAN) . These terms are used with their current meanings, as explained for example on Wikipedia.

It is therefore the object of the present invention to make the communication of a device with a global communication network and / or within a local communication network more secure.

This object is achieved with the method according to the invention according to claim 1, the device according to the invention according to claim 8 and the computer program product according to claim 10. Advantageous further developments are specified in the dependent claims and in the following description together with the figures.

It was recognized by the invention that this problem can be solved in a surprising manner particularly simply if the device is assigned a firewall rule set, because this significantly increases the security of the device's communication with the global communication network or within the local communication network becomes.

The method according to the invention for monitoring the communication of a device with a global communication network and / or within a local communication network is characterized in that the device is assigned a firewall rule set with at least one firewall rule.

In the context of the present invention, “firewall” is understood to mean a security system in connection with communication networks that protects against undesired network communication. More precisely, the “firewall” is used to restrict network communication based on firewall rules, for example sender, destination and communication services used. The firewall can thus include restrict communication from or to the facility with regard to a particular facility, both within a local communications network and to a global communications network. The firewall monitors and controls communication.

In an advantageous development, it is provided that the device is assigned to a device class and each device class has a dedicated firewall rule set. In this way, the assignment of the firewall rule set can be automated and therefore carried out very quickly and securely. This automated mapping will be sufficient for most use cases.

An advantageous development provides that the device is assigned to a device class automatically by analyzing the device, preferably the MAC address, service requests or the host name of the device, or that the device is displayed to the user and two or more device classes can be made available for selection so that the user can manually assign the device to a specific device class. This means that the assignment can be made very reliably.

In an advantageous development it is provided that at least one of the device classes consists of lamps, voice assistants, printers, televisions, computers, hi-fi systems, data backups, cooling devices such as refrigerators or freezers, washing machines, tumble dryers, heating devices, bell devices, fire / smoke detectors and blackout devices . These are usually device classes that occur in the field of home automation and in the field of entertainment electronics that perform different tasks.

In an advantageous development it is provided that the firewall is set up within an access point of the device to the global communication network or to the local communication network. This means that the firewall is central and is therefore very easy to maintain.

In an advantageous development it is provided that the firewall rule set has at least one firewall rule from the group comprising: permissible communication partners, permissible communication destinations, permissible data volume, permissible data throughput and permissible communication times. This allows the permitted communication to be controlled very specifically.

In an advantageous further development, it is provided that the user of the device is requested to release the firewall rule set before the device can communicate with the global communication network or the local communication network. This prevents institutions from communicating for which a firewall has not yet been set up.

In an advantageous further development, it is provided that the user of the device is able to adapt the firewall rule set in relation to their firewall rules from the group comprising: permissible communication partners, permissible communication destinations, permissible data volume, permissible data throughput and permissible communication times. This allows the user to specifically adapt the firewall for a specific facility in an "expert mode".

In an advantageous development it is provided that the actual communication of the device is recorded and the actual communication of the device is displayed outside the device, because this can significantly increase the user's sense of security.

In the context of the present invention, “display” means not just a visual representation, but also any output that affects one or more senses of a user. The display can thus also be made acoustically or the like, for example.

In an advantageous further development it is provided that the device is selected from the group comprising voice assistants, smart TVs, computer devices, monitoring devices such as surveillance cameras, smart motion detectors, smart door and window contacts, telephones and telephone systems, intercom systems, washing machines, refrigerators, freezers, Lighting such as smart lamps, coffee machines, smart fire alarms, smart vacuum cleaner robots, smart sockets and similar devices and systems. Such devices are mainly home automation devices and entertainment electronics devices.

In an advantageous development it is provided that the device displays the communication and the display of the device and the display of the actual communication of the device take place in the same room, preferably close to one another. Then the user can easily compare whether the facility is truthfully communicating its own communication to the user.

In an advantageous development it is provided that the device displays the communication and the display of the device and the display of the actual communication take place in the same way. This makes checking particularly easy for the user. For example, a voice assistant usually uses light signals to indicate communication. If the actual communication is also displayed by light signals, then the user can easily determine whether an actual communication of the facility is not displayed because corresponding light signals are not displayed at the facility while they are displayed for the actual communication.

In an advantageous further development it is provided that the display of the device and the display of the actual communication of the device are analyzed and a non-correspondence between the two displays is shown, the non-correspondence preferably being logged. This allows the user to find out very easily whether communication is taking place that has not been made known by the facility.

In an advantageous development, it is provided that it is analyzed whether there is a device communicating with the global communication network and / or within a local communication network, and its existence is preferably displayed. As a result, the user can be informed of the possibility of integrating the monitoring system as part of an installation of the method according to the invention. In addition, the user can also be informed whether a device is already communicating with the global communication network or with another local communication network past a monitoring device executing the method according to the invention. If this device is connected, for example, to an access point that is being monitored, it can then be determined whether the device is communicating past the access point, e.g. due to misconfiguration or a hacker attack. Then the “communication past” can be interrupted, for example by means of “deauthentication” or similar methods.

In an advantageous development, it is provided that the digital certificates used in the communication, for example in the form of public key certificates, are checked and a display is made when invalid certificates are recognized. This can effectively prevent the facility from being compromised.

In an advantageous further development, it is provided that it is analyzed which data the device exchanges with the global communication network and / or the local communication network, the data preferably also being logged. This makes it very easy to identify any undesired communication.

In an advantageous development, it is provided that an access point is switched into the communicative connection between the device and a router, provision preferably being made for the actual communication to be recorded in the access point. As a result, the device's communication with the global communication network or in the local communication network is particularly secure because it is not possible to circumvent the monitoring and protection according to the invention.

In an advantageous development, it is provided that an access point is switched into the communicative connection between the device and a router, preferably providing that communication between the device and the global communication network or a further local communication network bypasses the access point and in particular is prevented.

1. a) gewünschte Zeiten und/oder
2. b) ein bestimmtes Datenvolumen in einer bestimmten Zeiteinheit und/oder
3. c) bestimmte Zieladressen in dem globalen Kommunikationsnetz bzw. lokalen Kommunikationsnetz und/oder
4. d) eine Nutzeranwesenheit, wobei die Nutzeranwesenheit insbesondere über die Anwesenheit einer mobilen Computereinrichtung des Nutzers ermittelt wird.

In an advantageous development it is provided that the communication between the device and the global communication network or the local communication network can be selectively switched off. As a result, the communication between the device and the global and local communication network is particularly secure, since undesired communication can be prevented even if the device is taken over by a third party. The shutdown is preferably carried out in the context of a complete or partial separation of the communication between the device and the global and / or local communication network and / or in relation to

1. a) desired times and / or
2. b) a certain volume of data in a certain time unit and / or
3. c) certain destination addresses in the global communication network or local communication network and / or
4. d) a user presence, the user presence being determined in particular via the presence of a mobile computer device of the user.

In case a), the user can select certain times during which the device does not communicate with the global or local communication network or only to a limited extent, whereby his privacy is preserved.

In case b), misuse is prevented, especially in the event that the facility is taken over by a third party, because a large volume of data within a certain period of time indicates that the facility is not carrying out its normal activities, but private data is being extracted by third parties. Dynamic limits depending on historical usage behavior are also conceivable.

In case c), data misuse by third parties is also prevented by the facility. Such devices have a standard communication address in the global communication network or local communication network, as for a voice assistant Amazon ^® page for Alexa ^®. If the voice assistant then does not want to access this page, but a different one, this is fundamentally suspicious.

In case d), undesired communication is prevented by ensuring that it only takes place when the user can also control the communication. Since most users have a mobile computer device such as a smartphone and carry it with them at all times, it is usually sufficient to detect the presence of this mobile computer device of the user. This can be done by determining the corresponding MAC address of the user's mobile computing device.

Complete separation offers the highest level of security, but partial separation is usually sufficient. For example, only outbound traffic could be blocked, i.e. For example, for the voice assistant that he is muted but can still play music. It should be noted that although no real user data is transmitted in the sending direction, the telegrams that are technically necessary to maintain communication and the requested service are still sent.

On the other hand, it is conceivable to only prevent the communication of certain security-relevant data packets, e.g. only certain content or certain goals, etc ...

Independent protection is claimed for the device according to the invention for monitoring the communication of a device with a global communication network and / or within a local communication network, which is characterized in that there are means for assigning a firewall rule set with at least one firewall rule to the device.

In an advantageous development it is provided that the device is designed to carry out the method according to the invention.

In an advantageous development it is provided that the device is designed as an access point. This means that the firewall is located centrally and can be assigned to the facilities and maintained very easily.

In an advantageous development it is provided that there are means for recording the actual communication of the device and a display outside the device which is designed to display the actual communication of the device. The display does not have to exist in the same place as the device, but can be spatially separated from it. This allows the actual communication of the facility to be displayed very easily.

In an advantageous development it is provided that the device has means for the optical and / or acoustic display of the actual communication of the device. This makes the display very easy to understand for the user.

In an advantageous further development it is provided that the device has a floor space for the device. The device can then be placed on the device so that the user can keep an eye on both the device and its actual communication. If it is a device with a relatively large footprint, it can be provided that the device is placed on or next to the device.

Furthermore, the invention may be embodied in the form of a computer program product accessible from a computer usable or computer readable medium and provided with program code for use by or for use in connection with a computer or any instruction execution system. Independent protection is therefore also claimed for a computer program product which is stored on a medium which can be read by a computer and which comprises program means which can be read by the computer and which cause the computer to do the execute method according to the invention when the program means are executed on the computer.

For purposes of this description, computer-usable or computer-readable media can be any facilities or devices that contain, store, communicate, distribute, or transport the program for use by, or use in connection with, the instruction execution system, device, or facility. Mobile communication means, for example cell phones, tablet computers and the like, can also be used.

The medium can be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system (or device or device), or a propagation medium. Examples of a computer readable medium include semiconductor or solid state memory, magnetic tape, a removable computer disk, a random access memory (RAM), a read-only memory (ROM), a solid magnetic disk, and an optical disk. Current examples of optical disks include compact disks. Read-only memory (CD-ROM), compact disk read / write (CD-R / W) and DVD.

A data processing system which is suitable for storing and / or executing the program code comprises at least one processor which is connected directly or indirectly to at least one storage element through a system bus. The storage element may include local memory which is active during the current execution of the program code, mass memory and buffer memory which provides temporary storage of at least some program code in order to reduce the number of fetches of the code from the mass memory during execution.

Input / output or I / O devices, which can include keyboards, displays, pointing devices, etc., but are not limited to them, can be coupled to the system either directly or through I / O controllers connected in between.

Network adapters can also be connected to the system to enable the data processing system to be coupled to other data processing systems or to remote printers or storage devices through intermediary private or public networks. In this context, modems, cable modems or Ethernet cards are just a few examples of the types of network adapters currently available.

• 1 ein System zur Kommunikation eines Sprachassistenten mit einem globalen Kommunikationsnetz nach dem Stand der Technik,
• 2 ein System zur Kommunikation eines lokalen Kommunikationsnetzes mit einem globalen Kommunikationsnetz nach dem Stand der Technik,
• 3 das erfindungsgemäße System nach einem ersten bevorzugten Ausführungsbeispiel zur Kommunikation eines Sprachassistenten mit einem globalen Kommunikationsnetz,
• 4 die erfindungsgemäße Überwachungsvorrichtung in einer ersten bevorzugten Ausführungsform in einer perspektivischen Ansicht,
• 5 das Zusammenspiel zwischen der erfindungsgemäßen Überwachungsvorrichtung nach 4 und einem Sprachassistenten,
• 6 das erfindungsgemäße System nach einem zweiten bevorzugten Ausführungsbeispiel zur Kommunikation eines lokalen Kommunikationsnetzes mit einem globalen Kommunikationsnetz,
• 7 die erfindungsgemäße Überwachungsvorrichtung nach einer zweiten bevorzugten Ausführungsform in einer ersten perspektivischen Ansicht,
• 8 die erfindungsgemäße Überwachungsvorrichtung nach 7 in einer zweiten perspektivischen Ansicht,
• 9 die erfindungsgemäße Überwachungsvorrichtung nach 7 in einem Betriebszustand in einer perspektivischen Ansicht,
• 10 die erfindungsgemäße Überwachungsvorrichtung nach 7 in einem weiteren Betriebszustand in einer perspektivischen Ansicht und
• 11 der Würfelkörper der erfindungsgemäßen Überwachungsvorrichtung nach 7 in einer ersten teilweisen, perspektivischen Ansicht.

The features and further advantages of the present invention will become clear in the following on the basis of the description of preferred exemplary embodiments in connection with the figures. Purely schematically show:

• 1 a system for communication between a voice assistant and a global communication network according to the state of the art,
• 2 a system for communication between a local communication network and a global communication network according to the state of the art,
• 3 the system according to the invention according to a first preferred embodiment for the communication of a voice assistant with a global communication network,
• 4th the monitoring device according to the invention in a first preferred embodiment in a perspective view,
• 5 the interaction between the monitoring device according to the invention 4th and a voice assistant,
• 6th the system according to the invention according to a second preferred embodiment for communication between a local communication network and a global communication network,
• 7th the monitoring device according to the invention according to a second preferred embodiment in a first perspective view,
• 8th the monitoring device according to the invention 7th in a second perspective view,
• 9 the monitoring device according to the invention 7th in an operating state in a perspective view,
• 10 the monitoring device according to the invention 7th in a further operating state in a perspective view and
• 11 the cube body of the monitoring device according to the invention 7th in a first partial perspective view.

In 1 is a system 10 for the communication of a voice assistant 12 with a global communication network 14th according to the prior art shown in a schematic block view.

It can be seen that in the system 10 the language assistant 12 , which can be available as an Amazon Echo Plus, for example, via WiFi 15th through a router 16 with the global communication network 14th communicates. In the global Communication network 14th are numerous services, applications and sites 18th available, including the Alexa ^® voice assistance service 20th .

The language assistant 12 responds to commands from a user (not shown) and transmits and receives data 22nd to and from the router 16 which in turn data 24 to and from the global communication network 14th transmits and receives.

A disadvantage of this existing configuration of the system 10 is that the user never really knows 26th when which data 24 actually transmitted and received. In particular, there is a risk of unauthorized third parties 28 Receive or send data 30th which violates the privacy of the user.

The voice assistant also listens 12 permanently to react to the activation word, to analyze and follow commands, and would thus be able to constantly send speech and sounds to Alexa ^® 20th transferred to. The language assistant must do this 12 always be ready to receive and the user does not know which data at all when 22nd be transmitted 26th .

This gives the user a bad feeling 26th the threat to his privacy, even when there is no attack. The only remedy that is possible is to use the voice assistant 12 switch off, which means that it cannot be used and that it must be switched on again before it can be used.

In 2 is a system 50 for communication with the voice assistant 12 with a global communication network 14th according to the prior art shown in a schematic block view, the voice assistant being part of a local communication network here 52 is. Identical reference symbols are used for identical elements as in 1 used.

It can be seen that the router 16 ' with its WiFi 15 ' not just the access point for the voice assistant here 12 is, but also the voice assistant 12 via LAN (not shown) or WLAN 15 ' with other facilities, such as mass storage 54 (for example in the form of a NAS), lighting equipment 56 , including compromised lighting 57 , Televisions and home computers 58 , mobile computing devices 60 (e.g. smartphones), printers 62 , Game consoles 64 , Surveillance cameras 66 , Internet radios 68 and the like. Other devices of home automation and entertainment electronics to the local communication network 52 linked and its communication with the global communication network 14th ensures.

All facilities 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 are networked with each other 70 , which is basically a problem when the local communication network 52 a compromised facility 57 having. In the case of the 2 is the compromised facility 57 a smart lightbulb 57 , the sensitive data in the local communication network 52 collects 72 and to an attacker 28 in the global communication network 14th sends 74 , 30 ' or the attacker 28 as a gateway 74 , 30 ' in the local communication network 14th serves.

In 3 is the system used according to the invention 100 shown in a schematic block view according to a first preferred embodiment, identical reference numerals for identical elements as in 1 be used.

It can be seen that the voice assistant is here 12 not directly with the router 16 communicates, but the monitoring device according to the invention 102 is switched on in communication. This monitoring device 102 thus acts like an access point that facilitates communication between the language assistant 12 and router 16 conveyed.

The voice assistant is thus communicating 104 12 with the monitoring device 102 , the monitoring device 102 communicates 106 with the router 16 and the router communicates 108 with the global communications network 14th .

The monitoring device provides 102 a firewall 109 ready with its own firewall rule set for the voice assistant 12 Is provided.

4th shows the monitoring device according to the invention 102 in a first preferred embodiment in a perspective view.

It can be seen that the monitoring device 102 a body 110 with one foot 112 and a floor space 114 for the voice assistant 12 having. In addition to connections (not shown) for the power supply, the monitoring device has 102 also an advertisement 116 and a loudspeaker (not shown) for outputting optical and acoustic signals. It is of course also possible to use other output means for outputting signals other than optical and acoustic signals. Furthermore, operating elements (not shown) for setting up the monitoring device 102 and the activation of certain functions. This setup and activation can, however, also take place via a suitable program, for example the app of a mobile computer device (not shown). In addition, connections for a sensor system for detecting the light signal of the voice assistant can also be used 12 exist or this Sensor technology is directly in the monitoring device 102 integrated.

The footprint 114 is dimensioned so that the voice assistant 12 can be placed on it, creating an elegant unit 118 from monitoring device 102 and voice assistant 12 results. This leaves the voice assistant 12 with its controls 120 still operable and the actual communication 108 can still through the ad 116 are represented (cf. 5 ).

In addition, the monitoring device 102 a switch for on-off (not shown). Otherwise the monitoring device is 102 completely remotely controllable and configurable via a suitable program (not shown), for example the app of a mobile computer device.

The monitoring device 102 has two independent WLAN interfaces 126 , 128 (see. 3 ) on. A first WLAN interface 126 is used for communication 104 , 106 with voice assistant 12 and router 16 , the second WLAN interface 128 is used for constant monitoring of the receivable local communication networks 122 , in which other devices such as printers, televisions, audio systems, home automation devices, lighting, data backup devices and the like. As well as other routers can be integrated.

In addition, the monitoring device has 102 a control and evaluation unit (not shown) for monitoring and analyzing communication 104 , 106 , 108 as well as to control this communication 104 , 106 , 108 .

• Die Überwachungsvorrichtung 102 wird in ein bestehendes System 10 entsprechend 1 eingeführt und aktiviert. Dabei überprüft 130 die Überwachungsvorrichtung 102 mit seinem zweiten WLAN-Interface 128 sämtlichen WLAN-Verkehr 132 und analysiert die dabei aktiven MAC-Adressen (Geräte-Adressen). Wenn eine einem Sprachassistenten 12, beispielsweise einem mit Alexa^® kommunizierenden Echo^®-Produkt von Amazon^®, zuordenbare Geräte-Adresse ermittelt wird, erhält der Nutzer über eine auf einer mobilen Computereinrichtung, beispielsweise seinem Smart-Phone, installierte Applikation eine Mitteilung, dass empfohlen wird, die Überwachungsvorrichtung 102 mit dem Router 16 zu verbinden und den Sprachassistenten 12 mit der Überwachungsvorrichtung 102 als Access-Point zu verbinden. Dadurch wird das System 100 nach 3 gebildet. Diese Mitteilung kann auch optisch oder akustisch über die Überwachungsvorrichtung 102 selbst erfolgen.

The monitoring device according to the invention 102 is now in the system according to the invention 100 used as follows:

• The monitoring device 102 is in an existing system 10 corresponding 1 introduced and activated. The monitoring device checks 130 102 with its second WLAN interface 128 all WiFi traffic 132 and analyzes the active MAC addresses (device addresses). If one of a voice assistant 12 , For example, a communicating with Alexa ^® echo ^® product Amazon ^®, assignable device address is determined, the user receives a is that recommended on a mobile computing device, such as his smart phone, installed application a message, the monitoring device 102 with the router 16 to connect and the voice assistant 12 with the monitoring device 102 to connect as an access point. This will make the system 100 to 3 educated. This message can also be optically or acoustically via the monitoring device 102 take place yourself.

So that the user both the monitoring device 102 as well as the voice assistant 12 the voice assistant should have in view 12 on the monitoring device 102 be turned off, as in 5 is shown. In addition to the power supply unit supplied (not shown), the power supply unit (not shown) of the voice assistant can also be used as a power supply with the aid of a special cable available as an accessory 12 can also be used so that no further cables have to be laid.

Now the voice assistant can 12 no longer directly with the router 16 communicate, but only through the intermediary of the monitoring device 102 , eliminating all incoming and outgoing communication 104 , 106 , 108 can be monitored and controlled.

Should be the voice assistant 12 , for whatever reason, with the router 16 connect directly 132 or another network, the monitoring device detects 102 that and alerts the user or can be configured in such a way that such connections are prevented directly.

To be more precise, the second WLAN interface “sweeps” 128 constantly through all possible WLAN channels and “listens” 130 to all receivable WLAN packets (including the encrypted ones). When analyzing the data packets, the main focus is on the ESSID contained in the header of the WLAN packet as well as the source and destination MAC address. In addition, statistical information on existing connections can be collected and used on the length and frequency of the encrypted data packets, for example.

Finally, the monitoring device arranges 102 the voice assistant 12 a voice assistant for the device class 12 adapted firewall rule set, with which permitted communication partners, permitted communication destinations, permitted data volume, permitted data throughput and permitted communication times are preconfigured according to usually meaningful rules, and this alone prevents or neutralizes a compromise of the voice assistant.

1. 1.) Bereits im Auslieferungszustand und ohne Konfiguration durch den Endanwender, kann alleine durch das Mithören 130 der Datenpakete in den verfügbaren WLANs eine Aussage darüber getroffen werden, ob ein bestimmtes Device, wie z.B. ein Sprachassistent 12 (z.B. Amazon Echo), im Haushalt existiert und der Endanwender darauf hingewiesen werden, dieses mit der erfindungsgemäßen Überwachungsvorrichtung 102 sicher an das globale Netz 14 anzubinden. Des Weiteren können zu diesem Zeitpunkt bereits Aussagen über die an das globale Netz 14 gesendeten Daten getroffen und dem Endanwender angezeigt werden. D.h. selbst ohne Konfiguration ist die erfindungsgemäße Überwachungsvorrichtung 102 bereits mit eingeschränktem Funktionsumfang einsatzbereit.
2. 2.) Das Mithören 130 des weiteren Datenverkehrs in allen verfügbaren WLANs und die Analyse der MAC-Adressen ermöglicht außerdem das Erkennen eines fälschlicherweise „Vorbeikommunizierens“ 132 des zu überwachenden Geräts 12 an der erfindungsgemäßen Überwachungsvorrichtung 102, welche dem Endanwender sofort angezeigt werden kann.
3. 3.) Über Methoden, wie z.B. das Versenden von Deauthentification-Paketen 130 mit dem zweiten WLAN-Interface 128, kann ein solches „Vorbeikommunizieren“ sogar automatisch dadurch unterbunden werden, dass die Verbindung 132 von 12 mit Router 16 getrennt wird.
4. 4.) Auch das „Vorbeikommunizieren“ eines zu überwachenden Geräts 12 an der erfindungsgemäßen Überwachungsvorrichtung 102 über einen weiteren vorhandenen Access-Point (nicht dargestellt) kann erkannt und unterbunden werden.
5. 5.) Angepasst an typische Anwendungsszenarien von Einrichtungen, wie Sprachassistenten 12, kann durch Analyse ihrer Geräteklasse und Zuordnung vorkonfigurierter Firewall-Regelsätze, die Sicherheit der Kommunikation weiter erhöht werden. Dabei Kann die Kommunikation dieser Einrichtung erst dann erlaubt werden, wenn der Firewall-Regelsatz tatsächlich zugeordnet wurde und somit die Firewall 109 für die Einrichtung 12 aktiv ist.

This is made possible by the monitoring device according to the invention 102 in particular the following functions:

1. 1.) Already in the delivery state and without configuration by the end user, you can just listen in 130 of the data packets in the available WLANs whether a specific device, such as a voice assistant, can be made 12 (eg Amazon Echo), exists in the household and the end user is notified of this with the monitoring device according to the invention 102 securely to the global network 14th to connect. Furthermore, at this point in time, statements can already be made about the to the global network 14th sent data are taken and displayed to the end user. That is, the monitoring device according to the invention is even without configuration 102 ready for use with limited functionality.
2. 2.) Listening in 130 the further data traffic in all available WLANs and the analysis of the MAC addresses also enables the detection of an erroneous "passing by" 132 of the device to be monitored 12 on the monitoring device according to the invention 102 which can be displayed immediately to the end user.
3. 3.) Via methods such as sending deauthentication packets 130 with the second WLAN interface 128 , such "passing by" can even be prevented automatically by the connection 132 from 12 with router 16 is separated.
4. 4.) Also the "communication past" of a device to be monitored 12 on the monitoring device according to the invention 102 A further available access point (not shown) can be recognized and prevented.
5. 5.) Adapted to typical application scenarios of institutions such as language assistants 12 , the security of communication can be further increased by analyzing your device class and assigning preconfigured firewall rule sets. Communication with this facility can only be permitted if the firewall rule set has actually been assigned and thus the firewall 109 for the establishment 12 is active.

Furthermore, the monitoring device shows 102 by outputting optical signals with its display 116 and / or acoustic signals with his loudspeaker are always given to the user when the voice assistant communicates 12 with the global communication network 14th takes place. You can also choose between incoming and outgoing communication 104 , 106 , 108 differentiated, which gives the user a very good feeling for when the voice assistant is used 12 For example, audio signals from the user are processed and sent to the global communication network 14th transmitted.

Even if the language assistant 12 even a display for your own communication with the global communication network 14th has, then the user can easily grasp whether the voice assistant 12 communicates the actual communication in each case, or whether he is "hiding" something from the user.

The application can also be used to specifically control communication 104 , 106 , 108 respectively.

On the one hand, a real muting of the voice assistant 12 respectively. Although this usually also has a so-called "mute function", the user is dependent on the manufacturer's assurance that the microphones of the voice assistant will work 12 are actually muted. Not every user has this trust.

The muting via the monitoring device 102 is a real mute, because although the voice assistant 12 is still active, its communication 104 via the monitoring device 102 however is blocked.

Such a muting can be performed, for example, depending on the time between 10 p.m. and 7 a.m., so that the privacy of the user is ensured.

Muting can also be done via the monitoring device 102 can always be activated by means of the application if the voice assistant is currently active 12 should not be used. This can be the case, for example, during confidential conversations between the user.

Furthermore, the monitoring device 102 With a WLAN module, it is also possible to determine not only the MAC addresses of the communication partners involved, in order to use voice assistants 12 A stored MAC address, for example that of the user's smart phone, can also be recognized via this. This allows the presence of the user in the area of the voice assistant 12 recognized and the muting controlled so that the voice assistant 12 is always muted when the user is not present. There are of course other options for recognizing the presence of the user, such as a video camera, a control element that has to be pressed, a special transponder, a smart door lock, etc.

In addition, the user can use the application to create a black list, i.e. pages 18th in the global communication network 14th that via the voice assistant 12 Not should be reachable. Then the monitoring device 102 any communication 108 to such undesirable sites 28 lock.

Conversely, and to increase the security of the user, a white list of pages can also be used 20th can be defined exclusively for one communication 108 allowed are. This also increases communication 124 from dubious third parties 28 specifically prevented, thereby taking over the voice assistant 12 by third parties 28 and its harmful consequences are prevented.

There is also an automatism available, which is also unwanted communication 104 , 106 , 108 prevents and in particular a takeover by third parties 28 . Thereby communication 104 , 106 , 108 analyzed and determined whether a data volume of y MB (variable) is exceeded in a certain time of x minutes and, in this case, the communication 104 , 106 , 108 switched off. Dynamic limits depending on historical usage behavior are conceivable.

The user can choose for the facility 12 Adapt the suggested, ie preconfigured firewall rule set to personal needs at any time (expert mode).

In addition, there are extensive options for logging communication that has taken place, so that the user can subsequently contact the provider of the voice assistant 12 to report misconduct and to have it remedied.

The monitoring device according to the invention 102 So decouples the voice assistant 12 from the home network 122 , visualizes its network traffic 104 , 106 , 108 (especially in the event of deviations from the desired behavior) via a configurable display 116 and enables the voice assistant to be switched off transparently ("real mute") 12 .

Since all the data traffic of the voice assistant 12 via the monitoring device 102 can be an analysis and evaluation of the data traffic 104 , 106 , 108 and a corresponding optical and / or acoustic visualization or alerting of the user take place. Incoming and / or outgoing network traffic is also blocked by the monitoring device 102 possible.

• - Erkennung von Sprachassistenten 12 im Umfeld der Überwachungsvorrichtung 102
• - Einrichtung einer für verschiedene Einrichtungen 12 angepassten Firewall mit einem an die jeweilige Geräteklasse angepassten Firewall-Regelsatz
• - Analyse, Bewertung und Visualisieren von aus- und eingehendem Netzwerkverkehr
• - Kontrolliertes Blocken von aus- und/oder eingehendem Netzwerkverkehr durch den Nutzer (auch über einen vom Nutzer konfigurierten Zeitplan) über App bzw. Widget
• - Ermittlung des übertragenen Datenvolumens in Sende- und Empfangsrichtung sowie entsprechende Protokollierung bzw. Darstellung
• - Visualisierung, Alarmierung und möglicherweise Blockierung der Sende- oder Empfangsrichtung bei Erreichen bestimmter vom Nutzer konfigurierter Datenvolumen
• - Sichere Mute-Funktion über Blockieren der Senderichtung des Sprachassistenten 12
• - Kompromittierungsschutz des Sprachassistenten 12 mit Hilfe einer Zertifikatsüberwachung (Visualisierung und Alarmierung bei Datenmanipulation)
• - Permanenter Netzwerk-Scan zur Überwachung, dass der Sprachassistent 12 nicht an der Überwachungsvorrichtung 102 vorbei kommuniziert (bevorzugt inklusive Alarmierung des Nutzers und/oder Unterbindung eines solchen Vorbeikommunizierens).

The preferred modes of operation of the monitoring device 102 can be summarized as follows:

• - Recognition of voice assistants 12 in the vicinity of the monitoring device 102
• - Establishing one for different facilities 12 adapted firewall with a firewall rule set adapted to the respective device class
• - Analysis, evaluation and visualization of outgoing and incoming network traffic
• - Controlled blocking of outgoing and / or incoming network traffic by the user (also via a schedule configured by the user) via app or widget
• - Determination of the transferred data volume in the sending and receiving directions as well as corresponding logging or representation
• - Visualization, alarming and possibly blocking of the send or receive direction when reaching certain data volumes configured by the user
• - Safe mute function by blocking the transmission direction of the voice assistant 12
• - Compromise protection of the voice assistant 12 with the help of certificate monitoring (visualization and alarms in the event of data manipulation)
• - Permanent network scan to monitor that the voice assistant 12 not on the monitoring device 102 communicated by (preferably including alerting the user and / or preventing such communication by).

The possibilities of controlling other digital networked devices (not shown) in the digital home with the help of so-called skills via the voice assistant 12 is also when using the monitoring device 102 still possible without restrictions (cf. 6th ).

In addition, the monitoring device could 102 also have optical analysis means (not shown), which the display by the voice assistant 12 constantly with your own ad 116 compare and warn the user if they do not match, because then the voice assistant 12 actual communication "withheld".

The monitoring device 102 could alternatively or additionally to the display, for example designed as an LED ring 116 also have acoustic display means in the form of one or more loudspeakers.

• Über die optische und akustische Signalisierung oder Alarmierung der Überwachungsvorrichtung 102 weiß der Nutzer jederzeit, wann Audiodaten in das Internet 14 übertragen werden. Im Falle einer ungewollten Übertragung, kann diese durch die Überwachungsvorrichtung 102 unterbunden werden. Ein Abhören, egal durch wen, würde in jedem Fall erkannt.

The advantages for the user are clearly evident:

• Via the optical and acoustic signaling or alarming of the monitoring device 102 the user knows at any time when audio data is on the Internet 14th be transmitted. In the event of an unwanted transmission, this can be done by the monitoring device 102 be prevented. An eavesdropping, regardless of who, would be recognized in any case.

This enables the user to use the voice assistant 12 without being eavesdropped or unconsciously sending private conversations to contacts in his address book. This means that no eavesdropping can take place and the user's data cannot be misused for advertising purposes. The user can thus determine which data is communicated outside and when.

The user no longer has a bad feeling when using the voice assistant 12 because the monitoring device 102 the voice assistant 12 controlled in such a way that the user always knows what is happening, as does the voice assistant 12 only sends data when this is intended.

The user can mute the voice assistant 12 use and also rely on it, because the optical or acoustic signaling of the monitoring device 102 would obviously indicate an unwanted transmission of audio data in the case of mute. Also, by using the actual muting of the monitoring device 102 the transfer of data to the Internet 14th (e.g. in the sending direction) are completely prevented.

The user can trust that only those with the voice assistant 12 related services 20th are involved in the communication because the behavior of the monitoring device differs 102 would be recognized and displayed.

The user can use the voice assistant for meetings or sensitive private conversations 12 by means of the monitoring device 102 actually mute it.

In addition, the user has a real option to switch off the voice assistant 12 without having to operate its power supply by using the monitoring device 102 the voice assistant 12 completely from the global communication network 14th can separate.

The user can set a schedule for using the voice assistant 12 establish.

The user does not have to be afraid of hackers (manipulation and misuse by hackers, e.g. purchases, bookings or controlling their household appliances) because the voice assistant is compromised due to the optical and acoustic display of the outgoing network traffic 12 can be recognized directly by the user and acted accordingly by him.

There is also one to the respective institution 12 specially adapted firewall 109 which cannot be circumvented, and which provides a device-specific firewall rule set, so that data can be accessed and other attacks by third parties 28 effectively prevented.

The monitoring device 102 thus determines attempts at the facility 12 , Data to third parties 28 to pass on and informed 134 the user. As a result, the user can act 136 accordingly, for example he can specifically block outgoing and / or incoming network traffic and also define automatisms for this.

Even if the invention in this first embodiment according to 3 to 5 based on the monitoring of a voice assistant 12 Has been explained, it can also be used for any other devices, such as household appliances, telecommunications devices, electronic entertainment devices and the like., Which are connected to a global communication network 14th and / or a local communication network 52 to be able to communicate.

In 6th is a second preferred embodiment for the system according to the invention 200 shown.

It can be seen that the monitoring device according to the invention 202 here in the context of a local communication network 204 is used. The monitoring device forms 202 the access point of the facilities 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 both for communication with each other and for communication 206 with the global communication network 14th .

The facilities 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 can only use the monitoring device 202 communicate 210 but not among each other 216 or with the router 16 ' . Just the monitor 202 can with the router 16 ' communicate 212 . The communication 212 between monitoring device 202 and router 16 ' and communication too 210 of the facilities 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 with the monitoring device 202 can be wired (e.g. LAN) as well as wireless (e.g. via WLAN).

Here, too, is the monitoring device 202 again a firewall 214 ready with firewall Rule sets for each individual facility 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 .

In addition, they also apply within the scope of the monitoring device according to the invention 102 to 3 to 5 named properties and advantages, so that only a few differences will be discussed below.

More specifically, the monitoring device prevents 202 here that the compromised smart lightbulb 57 Data from the other facilities 12 , 54 , 58 , 60 , 62 , 64 , 66 , 68 collects as there is no direct networking 216 the compromised smart lightbulb 57 with the other facilities 12 , 54 , 56 , 58 , 60 , 62 , 64 , 66 , 68 exists and the firewall rule set for the compromised smart lightbulb 57 prevents the compromised smart lightbulb 57 with the other facilities 12 , 54 , 56 , 58 , 60 , 62 , 64 , 66 , 68 communicates. Through the firewall 214 There will also be data leakage through the compromised facility 57 to a third party 28 prevented and also attacks 218 from third 28 on the local communication network 204 are prevented.

The monitoring device also determines 202 Attempts at the compromised smart lightbulb 57 , with other bodies 12 , 54 , 56 , 58 , 60 , 62 , 64 , 66 , 68 to communicate or share data with third parties 28 to pass on and informed 220 the user. This allows the user to act accordingly 222 , for example the compromised smart lightbulb 57 replace the surveillance device's firewall rule set 202 adapt, the support of the manufacturer of the smart light bulb 56 , 57 inform or inform IT security experts. Among other things, there is the option of doing this in an application on a mobile computer device, such as a smartphone 60 of the user. The user can thus take targeted protective measures and thereby gain control over the local communication network 204 .

In 7th to 11 is the monitoring device according to the invention 202 shown in more detail according to a second preferred embodiment.

It can be seen that the monitoring device 202 Is cube-shaped with a cube base 250 that in a customized shot 251 of a cube 252 Is designed to be plugged in a fit, wherein the cube body 252 as a container for the cube base 250 serves.

The cube base 250 has various connection options for LAN 254 and a power supply 256 and communicates with the cube body 252 via WLAN (not shown) or the like. Wireless communication technology, so that cube base 250 and cube bodies 252 are completely separable from one another and can still communicate with one another.

The cube base 250 includes besides the means of communication 254 also a control unit (not shown) and further WLAN modules (not shown) for communication with the router 16 ' and the facilities 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 .

The cube body 252 points behind an outer shell 258 all over its front side wall 260 and and partly on the other side walls 262 optical display means in the form of LEDs 264 on. Instead, larger LCD units or the like could also be installed. Instead of a full-surface display on the front 260 can use the optical display means 264 there only partially or on the remaining side walls 262 also be provided over the entire surface. Also on the deck 266 can visual display means 264 be provided.

In addition, acoustic display means (not shown) are also provided.

This configuration of the monitoring device 202 with a cube base 250 and a cube body separable therefrom 252 , which is used for display, the display in the form of the cube body 252 can be positioned anywhere by the user while the cube base 250 the fixed connection (preferably via LAN 254 ) with the router 16 ' serves.

All information and warnings to the user are then taken from the cube body 252 transmitted and the user can then in a suitable manner by entering commands via the application on his smartphone 60 react or the monitoring device 202 set up.

Additional monitoring devices can also be used 102 , 202 are used, which then as part of a master-slave connection of the monitoring device 202 to 6th are subordinate and preferably only serve the display for the user, for example in other rooms.

It has become clear from the above illustration that the present invention gives the user a feeling of security in the context of communication between a voice assistant and a global communication network, with this communication being made more secure and convenient.

With the monitoring device according to the invention 102 , 202 there is a "gatekeeper" for everyone internal and external communication links, so that a fully configurable hardware firewall 109 , 214 for all communication connections. There are firewall rule sets that are preconfigured modularly based on device classes, so that it is also possible for non-specialist users to have a firewall adapted to their needs 109 , 214 to configure. Based on these modular firewall rule sets, new facilities 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 can be easily integrated into the security solution via plug & play. For knowledgeable users there is also an expert mode to set the firewall for individual facilities 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 to be specifically adapted to the specific needs. This adaptation can be carried out intuitively using the individually adaptable firewall rules provided.

In addition, a non-specialist user can also use the monitoring device according to the invention 102 , 202 and above all their display 116 , 264 quantitative and qualitative statements about the network traffic of all its loT (Internet of Things) devices used in the household 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 (all facilities directly or indirectly connected to a global communication network 14th or a local communication network 204 are connected). Based on these results, the user is able to take further steps towards IT security in his home.

Unless stated otherwise, all of the features of the present invention can be freely combined with one another. Unless otherwise stated, the features described in the description of the figures can also be freely combined with the other features as features of the invention. Objective features of the device can also be used in the context of a method, reformulated to form method features, and method features in the context of a device can be reformulated into features of the device.

List of reference symbols

10

State-of-the-art system

12

Voice assistant

14th

global communication network

15, 15 '

WiFi connection

16, 16 '

Router

18th

Services, applications and pages in the global communication network 14th

20th

Voice assistance service Alexa ^® on Amazon ^® side

22nd

Data communication of the voice assistant 12 with the router 16

24

Data communication of the router 16 with the global communication network 14th

26th

A user's feeling and knowledge

28

dubious third party, hacker

30th

received or sent data of the dubious third party 28

50

System for communication in a local communication network 52 with a global communication network 14th According to the state of the art

52

local communication network

54

Mass storage, NAS

56

Lighting means, smart lightbulb

57

compromised lighting equipment, compromised smart lightbulb

58

TVs and home computers

60

mobile computing devices, smartphones

62

printer

64

Game consoles

66

Surveillance cameras

68

Internet radios

70

Networking the institutions 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 among themselves

72

compromised smart lightbulb 57 or compromised facility collects sensitive data in the local communication network 52

74

compromised smart lightbulb 57 or compromised device sends sensitive data of the local communication network 52 to an attacker 28 in the global communication network 14th , Gateway to the local communication network 14th

100

inventive system according to a first preferred embodiment

102

inventive monitoring device according to a first preferred embodiment

104

Data communication of the voice assistant 12 with the monitoring device 102

106

Data communication of the monitoring device 102 with the router 16

108

Data communication of the router 16 with the global communication network 14th

109

Monitoring device firewall 102

110

Body of the monitoring device 102

112

Foot of the monitoring device 102

114

Space for the voice assistant 12

116

Monitor display 102

118

Monitoring device unit 102 and voice assistant 12

120

Control elements of the voice assistant 12

122

local communication network

124

Communication from dubious third parties 28

126

first WLAN interface

128

second WLAN interface

130

Listening to WLAN communication in local networks 122 , Sending of deauthentification packages

132

Communication between voice assistant 12 and router 16 bypassing the monitoring device 102

134

Monitoring device 102 informs the user

136

User can act

200

inventive system according to a second preferred embodiment

202

inventive monitoring device according to a second preferred embodiment

204

local communication network

206

Communication of the local communication network 204 with the global communication network 14th

210

Communication of the institutions 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 with the monitoring device 202

212

Communication of the monitoring device 202 with the router 16 '

214

Monitoring device firewall 202

216

no direct networking of the institutions 12 , 54 , 56 , 57 , 58 , 60 , 62 , 64 , 66 , 68 among each other past the monitoring device 202

218

Third party attack 28 on the local communication network 204

220

Monitoring device 202 informs the user

220

User can act

250

Monitor cube base 202

251

Holder for cube base 250

252

Cube body of the monitoring device 202

254

LAN

256

Power supply

258

outer shell of the cube 252

260

front sidewall

262

remaining side walls

264

optical display means, LEDs

266

Top surface

Claims (10)

Method for monitoring the communication of a device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) with a global communication network (14) and / or within a local communication network (204), characterized in that the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) is assigned a firewall rule set with at least one firewall rule. Procedure according to Claim 1 , characterized in that the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) is assigned to a device class and each device class has a dedicated firewall rule set. Procedure according to Claim 2 , characterized in that the assignment of the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) to a device class automatically by analyzing the device (12, 54, 56, 57, 58, 60 , 62, 64, 66, 68), preferably the MAC address, service requests or the host name of the facility (12, 54, 56, 57, 58, 60, 62, 64, 66, 68), or that the User the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) is displayed and two or more device classes can be selected so that the user can assign the device (12, 54, 56 , 57, 58, 60, 62, 64, 66, 68) manually for a specific device class. Method according to one of the Claims 2 or 3 , characterized in that at least one of the device classes consists of lamps, voice assistants, printers, televisions, computers, hi-fi systems, data backups, cooling devices such as refrigerators or freezers, washing machines, tumble dryers, heating devices, bell devices, fire / smoke detectors and blackout devices. Method according to one of the preceding claims, characterized in that the firewall (109; 214) within an access point of the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) to the global communication network ( 14) or to the local communication network (204) is set up. Method according to one of the preceding claims, characterized in that the firewall rule set has at least one firewall rule from the group comprising: permissible communication partners, permissible communication destinations, permissible data volume, permissible data throughput and permissible communication times. Method according to one of the preceding claims, characterized in that the user of the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) before the communication of the device (12, 54, 56, 57 , 58, 60, 62, 64, 66, 68) with the global communication network (14) or the local communication network (204) a release of the firewall rule set is required and / or that the user of the device (12, 54, 56 , 57, 58, 60, 62, 64, 66, 68) an adaptation of the firewall rule set with regard to their firewall rules Claim 6 is made possible. Device (102; 202) for monitoring the communication of a device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68) with a global communication network (14) and / or within a local communication network (204) , characterized in that means (109; 214) consist of assigning a firewall rule set with at least one firewall rule to the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68). Device (102; 202) after Claim 8 , characterized in that the device (102; 202) is designed, the method according to one of the Claims 1 to 7th and / or that the device (102; 202) is designed as an access point and / or that the device (102; 202) has means (116; 264) for the optical and / or acoustic display of the actual communication of the device (12, 54, 56, 57, 58, 60, 62, 64, 66, 68). Computer program product, which is stored on a medium readable by a computer, comprising program means readable by the computer, which cause the computer to implement a method according to one of the Claims 1 to 7th when the program resources are executed on the computer.

Images