TW448387B - Generalized policy server - Google Patents

Abstract

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter use a local copy of an access control data base to determine whether an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to of access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of a mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource. If necessary, the access filter automatically encrypts the request with an encryption method whose trust level is sufficient. The first access filter in the path performs the access check and encrypts and authenticates the request; the other access filters in the path do not repeat the access check. A policy server component of the access filter has been separated from the access filter and the policies have been generalized to permit administrators of the policy server to define new types of actions and new types of entities for which policies can be made. Policies may now further have specifications for time intervals during which the policies are in force and the entities may be associated with attributes that specify how the entity is to be used when the policy applies.

Description

Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 4483 87 A7 ______B7 V. Description of the invention (1) 1 For the secure delivery of information on the Internet, please refer to the related patent application. 2 Please refer to the related patent application. This patent application is for: On June 29, 1998, U.S. Provisional Patent Application No. 60 entitled "General Decision Feeder" was filed by Hanne !, Emperor il_M_ (Lipstone) 'and Schneider. / 091,130 enjoys priority "This patent application is also: On March 4, 1998, the application was made by David Schneider and others, entitled" Distributed Management of Access Information " ; A sequel to US Patent Application (USSN) No. 09 / 034,507; thus containing the entire description and drawings of this patent application. The new material in this patent application begins with the title, Take the chapters of General Principle I, of many technologies in the filter 203, and include some new drawings 26 to 37. BACKGROUND OF THE INVENTION 2 Background of the Invention 1. Field of the Invention 3 1. Field of the Invention The present invention is generally related to the control of access to data Related: And say More specifically, it is related to the control of access to data in a distributed environment. 2. Description of technology 3 2 · Description of technology The Internet has revolutionized data communication. It has provided many Protocols and addressing schemes are reached, regardless of: the physical hardware of the computer system, the type of physical network to which it is connected, or used to send information from one computer system to another-a computer- 4- This paper size is applicable to China National Standard (CNS) A4 specification (210 X 297 meals) ------ t I ---- I -------- Order · ------ --i ------ (please fill out the note on the back of Μίί before filling this page) 448387 A7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs --------- B7_____ V. Description of the invention ( 2) What are the types of many continuous networks? This solution makes it possible to exchange information between any computer system anywhere in the world and any other computer system anywhere in the world. Everything that makes two computer systems exchange information Requirement 疋: Every computer system must have an Internet bit And software required for communication; and, through some combination of many physical networks, there will be a route between the two machines, which may be used to carry messages constructed in accordance with communication protocols. However, the ease with which computer systems may exchange information via the Internet has caused many problems. In one aspect, it has made accessing information easier and cheaper than in the past; in another aspect, it has made it more difficult. Protect information. The Internet has made it more difficult to protect information in two ways: • It is more difficult to restrict access. If it is possible to access the information via the Internet ', it is possible to access anyone's information as the Internet information is accessed. Once information is accessed via the Internet, blocking skilled intruders becomes a difficult technical issue. • It is difficult to maintain security en route via the Internet " Construct the Internet as a packet switching network. It is impossible to predict what route the message will take through the network. It is even more impossible to guarantee the security of all information exchanges, or to include those parts of the message that specify their source or destination: they have not been read or changed along the way. Figure 1 shows the current technology used to increase the security of networks that can access information via the Internet ^. Figure 1 shows: network 101, which is composed of two separate internal networks 103 (A) and 103 (B), which are all controlled by the Internet 111 (CNS) M specification (210x297mm a) (Please read the notice on the back of it before filling out this page) '1 ----- — 丁 ____ I 言 线 丨 4483 87 Employee Consumer Cooperative of Intellectual Property Bureau, Ministry of Economic Affairs印 *] 衣 Α7 Β7 V. Description of the invention (3) Connection. Although two networks 丨 〇3 (A) and 丨 〇3 (β) are generally inaccessible to information, but in a sense, they are both Internet-partial: in these networks All computer systems in the Internet have Internet addresses, and all use the Internet protocol to exchange information. Two such computer systems appear in Figure 1, like the requestor 105 on the network 103 (A) and the server 113 on the network 103 (b). Requester 105 is requesting access to information that can be provided by server U3. Attached to the server 113 is a mass storage device 115 which contains data 1 17 being requested by the requester 105. Of course, for other materials, server U3 may be the requester ’and requester 05 may be the server. Moreover, in the current context, an access operation is considered to be any operation that can read or change the data stored on the server 113 or can change the state of the server 113. In making a request, the requester 105 is using one of many standard TCP / IP (Transmission Control Communication Protocol / Internet Protocol) protocols. As used herein, a communication protocol is a description of a set of information that can be used to exchange information between many computer systems. The collective messages sent between the various computer systems that are communicating according to a communication protocol are collectively called: dialogue (s e s s i ο η). During the conversation, the requester 105 sent the message to the Internet address of the server η 3 according to the communication protocol, and the server 13 sent the message to the Internet bit of the requester 105 according to the communication protocol. site. Both the request and the response will operate through the Internet 111 between the two intranets 103 (Α) and 〖〇3 (Β). The local server 113 allows the requester 105 to access the data, then some of the messages flowing from the server 113 to the requester 105 in the dialogue will include the requested data 1 丨 7 ^ Apply this paper standard to the Θ house standard CNS) AJ specification (210 X 297 mm) (please read the precautions on the back and then fill in the clothing page), 4 ------- Thread > 4483 8 7 A7 B7 V. Description of the invention (4) Necessary Many of the multiple software components of the server 1 丨 3 that respond to messages through the Internet are called: services 9 If the owners of the two internal networks 103 (A and B) want to be sure: Only direct connections Only users of computer systems on network 103 (A and B) can access the data, and the contents of the request and response are unknown outside those networks: the owner must resolve both Item: be sure that server 113 will not respond to requests from computer systems that are different from those connected to the internal network; and be sure: although all are in transit via the Internet 1 1 1 , But access to the Internet! No one of the information can access or modify the request and response. Two technologies that may achieve these goals are: firewalls and tunneling using encryption ° Conceptually, a firewall is a barrier between the internal network and the rest of the Internet n 1 . Prevent walls from appearing at 109 (A) and (B). The firewall 109 (A) protects the internal network 103 (A), and the firewall 109 (B) protects the internal network 103 (B). The firewall is constructed by a gate way that operates in a computer system that is installed where the internal network is connected to the Internet. Included in the channel is an access filter: a set of software and hardware components in a computer system that checks all requests from outside the internal network for information stored within the internal network: and , If it comes from a source that has access to the information, it will only send the request on the intranet. Otherwise, it discards the request. Two such access filters: access filter 107 (A) and access filter 107 (B) appear in FIG. This paper size is applicable to 0 national standards < CNS) A4 specification (210 X 297 mm) (please read the precautions on the back before filling in this page) k -------- Order ---- ----- line ', printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs; 3 3 8 7 A7 _____B7 V. Description of the Invention (5) If two questions can be answered affirmatively, the source has the right to access the requested information:

(fr first read the notes on the back of tf before filling out this FC. • Is the source actually the rightful person or thing? • Does the source have access to the data? The process of finding the answer to the first question is called: identification. Borrow In order to provide information to the firewall that identifies the user, the user personally authenticates the firewall. There are several items of this information. The user-owned authentication token (sometimes called a smart card) (Smartcard)); • The operating system identification of the user's machine; and * The IP address and Internet domain name of the user's machine 0 The information used by the firewall for authentication may be in the frequency band (In band), that is: it is part of the communication protocol; or, it may be out of band, that is: it is provided by-separate communication protocol. Line-Ministry of Economy " Printed by the Property Cooperative Consumer Cooperative, as apparent from the above list of identification information, the firewall can rely on the identification information to identify the extent to which the user has reached. It depends on the type. For example, the P address in the subcontracting information can be changed by anyone who can intercept the subcontracting information; therefore, the firewall can give a little trust to it, so it will use the p It is known to have a very low level of trust. On the other hand, when the identification information comes from a token, 'the firewall can give the identification information a higher level of trust.' This is because: Card is already owned by someone else, it should not recognize the user. Generally, for a discussion about authentication, 'see the Chinese paper standard (CNS> A4 size (210 x 297 mm) applicable to children ’s paper standards. Μ) 3387 Α7 Β7 V. Description of the invention (6) ilL ^ (S. Bellovin) and Cheswkk) :, firewall (please read v on the back first and then fill in this I) and Internet security · _ One book, printed by ^ ^ _ ±-^^ (Addison Wesley) Book Company, US Factory State _, 1994 edition s line. The Intellectual Property Bureau employee consumer cooperative of the Ministry of Economic Affairs is printed in modern access filters, in Check access operations at two levels: Internet Network subcontracting information or abbreviation 丨 p-level, and application level. Starting from the IP level, messages used in the Internet are carried in sub-contracting methods, called datagrams. Each of these Each subcontract has a header, which contains information indicating the source and destination of the subcontract. The source and destination; ^ are each expressed according to the IP address and the number. The port number is used Let's separate the multiple traffic streams (Streams 0f traffic) in the computer from i to 65535. The services of some well-known Internet communication protocols (such as: Ηττρ (transformation protocol) or FTP (building case transmission protocol)) will be designated as "listening" (丨 isten t〇) The well-known port number s access filter has a set of rules that indicate which targets might receive p-subcontracting information from which sources: and if the source and target specified in the title do not follow these rules, Discard Subcontracting Information ", for example, the rule may allow or disallow all access operations from one computer to another; or restrict access based on the source of the JP subcontracting information—a specific service ( (Indicated by the port number). However, in the title of the IP subcontracting information, there is no information about the length of the individual information piece being accessed 'and the only information about the user is the source information. Therefore,' access check It cannot be done at the level of 丨 p, but must be completed at the level of information protocol. The access check involves: instead of identifying users who are unlikely to use the source information, It is to determine whether the user has the right to access. -9- National Standard (CNS) AJ grid (2J〇κ 297 mm) is applicable. 448387 Printed by the Intellectual Property Bureau Employee Consumer Cooperative of the Ministry of Economic Affairs Λ7 B7 V. Invention Explanation (7) A piece of information. Access check at the application level is usually done by proxy servers (proxies) in the firewall. A proxy server is a software component of an access filter. So it is called a proxy The server is because: it can be used as a stand-in for the communication protocol in the access filter, in order to achieve user authentication and / or access check on the pieces of information that the user has requested. For example, 'a commonly used The TCP / IP protocol is the Hypertext Transfer Protocol (or HTTP for short), which is used to transfer World-Wide Web pages from one computer system to another such computer system If access control is required for individual web pages, the content of the agreement must be reviewed in order to determine which specific web page request is being requested. For a detailed discussion of firewalls, In other words, please refer to the previous references by Belovan and Chasewick. Although properly implemented access filter operations can prevent unauthorized access to data stored on the intranet via the Internet U 1, but It cannot prevent unauthorized access to the data in transit via the Internet 1 丨 1. This is prevented by using an encrypted tunneling operation. This tunneling operation works as follows: When accessing filter 1 When 07 (A) receives an IP subcontracting information from a computer system in an intranet i03 (A) with a target address in the internal network 103 (B), it will Including its title is encrypted; a new title is added, which states that the IP address of the access adapter 107 (A) is used as the source address of the subcontracting information, and the access filter 1 07 ( B) The IP address is used as the target address. The new title may also include: -10- identifying the access filter 107 (A) as the source of the encrypted subcontracting information. -10- This paper size applies the Chinese Standard (CNS) Al specification (210 X 297 Public Love)- ------------ 4 ^ -------- Order --------- I '(Please fill in this page with the precautions on the back of Mΐ *> 448387 A7 B7 V. Description of the invention (8) Authentication information; and information from which the access filter 7 (B) can determine whether the encrypted subcontracting information has been intervened. Because the original IP subcontracting information has been encrypted: so When it is communicating the Internet 1 1 1, both the title and the content of the original ZP subcontracting information cannot be renewed, and the data of the title or the original IP subcontracting information cannot be modified without detection. When the access filter 107 (B) receives IP subcontracting information, it uses any identifying information to determine whether the subcontracting information does indeed come from the access filter 107 (A). If so, it will pass the Access filter 丨 07 (a) is added to the header of the subcontracting information to remove it, and determines whether the subcontracting information is interfered; if not, 'subcontracting The message is decrypted, and an IP-level access check on the original title is performed. If the title passes, the 'access filter 107 (B) forwards (f0rward) the subcontracting information to the original title. IP address in Nakanosho network; or forwarded to a proxy server for protocol-level access control. The original IP subcontracting information is called tunneling through the Internet 1 1 1 ^ In Figure 1, one such tunnel 112 is shown between two access filters 107 (A) and 107 (8). One additional advantage of tunneling is that it hides data from only the Internet. The structure of the internal network of those who have access to the information in Road m is because the IP address is the IP address of the access adapter only if it is not added. The two internal networks 103 (A) and The owner of 103 (B) is also able to use tunneling operations together with the Internet 11 1; thus making the two internal networks 103 (A and B) a single virtual private network (VPN) 19. By tunneling 1 12. Computer systems in networks 103 (A) and 103 (B) can communicate with each other securely and are suitable for other computers It seems that the Internet 103 (A) and 103 (B) are both a type of -11-This paper size is applicable to the China Solid Standard (CNS) A4 specification (210 X 297 public). Read the matter on the back first Refill this page) I ί Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 4483 ^ 7 A / B7 V. Description of the invention (9 Dedicated physical link (physical link) instead of U 1 1 1 . Indeed, it is possible to extend the virtual private network 1 1 9 so that I? Includes any user who accesses the Internet I 1 1 information, and thus can perform the following: * Divide by an allowable access filter 107 Decrypt the packet information by encrypting the Internet subcontracting information addressed to one of the computer systems in the internal network 103; * Add a header to the encrypted subcontracting information addressed to the access filter 107 : And 'personally authenticate access filter 107. It is said that an employee who has a portable computer connected to the Internet 11 and has the necessary encryption and authentication capabilities can use a virtual private network in order to securely retrieve from many intranets Information about a computer system on a network. -Once many intranets began to use Internet addressing operations and Internet communication protocols, and were connected into virtual private networks: some Internet browsers (brc) wsers) have also been developed Used in: Internal network 103: and from the user ’s point of view, access to data on the Internet and access to the intranet 103 are from the Intellectual Property Bureau of the Ministry of Economic Affairs, Employees ’Consumer Cooperatives, India There is no difference in the control of poverty. As a result, the internal network 103 has become a 秭 ren, Lizhiye intranet, that is: an internal network with the same user interface as the Internet "Kandan Road U 丨. Of course, once it belongs to-

'All internal training channels have been combined into a single-virtual private enterprise intranet. The access protection system that belongs to the Internet is a feature of security. Do n’t latch 4… At this time, except for -12 -This paper standard is applicable to 0 standard (CNS) A4 specifications (210 X 297 public love) 4483 8 7 A7 B7 Inside Shao access data. Although many firewalls where the internal network is connected to the Internet 1 1 1 are perfect enough to prevent outsiders (0Uts 丨 ders) from accessing the data on the internal network, but they Do not make it impossible for insiders to access the information. For example, it may be as important as a company to prevent its personnel data from being affected by its employees and to prevent it from being affected by outsiders. At the same time, 'the company may want to empower Anyone who accesses the Internet n 丨 information can easily access it: on one of the many intranets, one of the computer systems' its World Wide Web site. Caused by a dedicated corporate intranet The solution to many security problems is to use firewalls to subdivide many intranets and to protect the intranet from unauthorized access to information via the Internet. Modern access filters 107 are designed The perimeter used to protect the intranet from unauthorized access to information: and, generally speaking, there is only one access filter per Internet connection 10 7. If you hit it Many access registers use the intranet; there will be more access filters for them, so virtual private networks using multiple modern access filters 107 are not easy to scale, that is : In a virtual private network with a small number of access filters, many access filters are not a serious burden: in a network with a large number of access filters, they are a burden. In The access filter described in "General Principles of Many Techniques Used in Access Filters 203" in the section of this patent application before the chapter actually solves the problem of prior art access The scalability of the device (scalability); therefore, it becomes easier to build a network with a large number of access filters. -13- This paper standard applies the China National Standard (CMS) A4 specification (210 x 297 public hair) (Please read the notes on the back before filling out this page} -------- Order -------- * Line 丨 Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs 4 ^ 83 8 7

AT B7 V. Description of Invention (11) In the further operation of the access transition device described in the first part of this patent application, it has become apparent that if the technology can be generalized, then the storage Many of the techniques developed for access checking in access filter 203 should be more useful: if they can be used in a different context from access filters that are operating at the p or Internet protocol level 'And if they can be extended: they enable decisions to be made not only for access to information sets, but also for any actions that might be performed against an entity that can access information through a computer system; enabling groups of users to Includes any kind of entity that can perform an action via a computer system; and enables information sets to become resource sets, where a resource is any entity that can be controlled via a computer system. It is further obvious that if the decision is allowed to include a time component, for example, a component that allows a user group to access certain resources only during non-working hours ^ Decisions should be more useful; and it should be useful to associate many attributes with decisions that determine how actions are performed. For example, a decision may specify not only access to one of the known resources = a member of the user group, but also the network: class of the service that it intends to use for the access operation. Therefore, the purpose of the present invention disclosed herein is to provide a technique for generalized access checking, and further provide a decision in which both the time components and attributes may be related to the decision.疋. Summary of the invention The present invention achieves the foregoing objectives through a decision execution system. In this system, the work of decision execution is shared between the following two components. -14- This paper standard applies to the national standard (CNS) ) A4 specifications (9) 0x 297 issued f__ 丁丁 I__I__ — III — I --- II 1 I * I i. — IIII-— — ll — ιί »I (Please read the note on the back first? Matters Refill this page} 4483 8 7 A7 B7 V. Description of the invention (12) Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs " Including expandable decision database_decision server, α and—decision implementer (poIicy enforcer). When the decision executor receives a request from the first entity (-request to perform an action against the second entity, the policy enforcer passes the request to the decision server; and, if it comes from the decision Servor-response instructions: Decisions in the database allow actions before they are allowed. Actionable decision databases may be expanded to include many types of actions that are not performed by decision implementers. Because So, so decided The execution system can handle many new actions through the τ method: expand the decision database to provide decisions for those actions, and add decision implementers for many types of actions. Indeed, as long as actions are performed by a computer system (- A computer system does not need to perform the action under the control of the decision implementer. 'Separating decision evaluation and decision execution may also make the decision execution system easily handle at many different levels of the computer system to which the decision execution system belongs. Decision execution; and make: "Policy implementers are located far away from the decision server. In another point, 'based on: the set of the first entity, the set of the second entity, and $-the set-the entity may target the second set Zhi-entity execution: an action; many decisions are defined in the implementation of the decision execution system. In this embodiment, in addition to the "action type", the first entity type and the second entity type are both Extensible. In this embodiment, the action attribute may be attached to the set of the first entity or the set of f entities. The dynamic attribute determines how it intends to execute is the action of the subject of the decision. For example, it may be prioritized (_ 出力 -15- < please read the ——Issues on the back of the page before filling in this page) -1 ' .--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The decision-making information base of this embodiment is an expandable type of action property of the consumer cooperative of employees of the Intellectual Property Bureau of the Ministry of Economic Affairs. The property type of the car is more likely to belong to the decision-making decision database. In the material h, even when the action of m should be allowed in the situation, if the conditions attached to the decision are not fulfilled, the action will not be allowed. One category of these conditions is time conditions. For example, a decision can be made to define access to information, and the decision-time condition can limit the validity of the decision to normal business hours. Following the following description and accompanying drawings, other objects and advantages of the present invention related to the present invention will be apparent to those skilled in the art, in which: "Overview of the Drawings 2 Overview of the Drawings Figure 1 is: via the Internet An overview of the many technologies used to control access to information over the Internet; Figure 2 is an overview of a VPN (Virtual Private Network) using one of the many access filters incorporated in the technology disclosed herein; Figure 3 Yes: an access control cable used in access filters; Figure 4 shows: access check and tunneling operations in a VPN using one of the many access filters incorporated in the technology disclosed herein Figure 5 shows: access to information in a VPN by roamer; Figure 6 is: used to define sensitivity and trust levels with many authentications and additions! I u I ί III j / ^ ·-(Please read the back of the book; fill in this page before filling in this page) ί ----^ D1 · I-1 ti-1— n I 4 16- ^ paper size _ towel Θ @ 家 标准(CNS) A4 specification (210 ^ 297 Gongchu) 448387 A7 Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs ____ B7__ · ___ V. Description of the invention (14) A table in the relationship between encryption technology; Figure 7 is an example of applying SEND (Secure Encrypted Network Delivery) technology; Figure 8 is a flow of a decision-making process Figure: Figure 9 shows: a display used to define a user group; Figure 10 shows: a display used to define an information set; Figure 11 shows: a display used to define an access decision; Figure 1 2 display: used to define one of the access filters 203: Figure 13 A and B are: a part of the schema of the access control database 301 that defines the user group Figure 14 is a diagram that defines one part of the access control database 3001 of the information set: Figure 15 is: the sites defined in the VPN and the servers at each site ' Figures 16A and B are: part of a diagram of a part of the access control database 3001 that defines a decision; Figure 17A , B, and C are: a diagram that defines a part of the server's access control database 3 0}; Figure 18 shows: Display diagram used in the intraMap (intra-image) interface; Figure 19 shows how to make changes to the access control database 30; Figure 20 is a detailed block diagram of the structure of the access filter 203 Figure 21 is a schematic diagram of the structure of an MMF (Memory Map File) file 2303. Figure 22 is a simple sim-17 using SKIP (Internet Protocol) -17- This paper applies the national standard of this country (CNS) A4 specification (210 X 297 mm) ~~~ ______- ______ I ί __I ___ «IT i ____ 'I ___ — II i I [I i · IIIIIII 4-0-i- I-厶 ί' · ΝI (Jing first read the precautions on the back of t5 before filling out this page) 4483 87 A7 B7 V. Description of the invention (15) Employees of the Intellectual Property Bureau of the Ministry of Economic Affairs will print the cooperative seal * · '^) ii; A schematic diagram of one of the messages; FIG. 23A, B ′ and C are all a table used in the case of the Chen F Building in the preferred example; FIG. 24 is a schematic diagram of the IntraMap interface—a construction example: FIG. 25 is : A diagram illustrating one of the delegation authority _ to _) in VPN2001; Figure 26 is: a decision has been checked and decided A block diagram of a separate action control system is implemented; Figure 27 is:-a block diagram of various action control systems with various decision enabling capabilities; Figure 28 shows:-a type used to define generalization The grammar of decision making · Figure 29 shows the total cable of the decision database "ο!" In the preferred embodiment; Figure 30 shows an example of construction of many attributes and time intervals in the decision database test: Figure 3 1 display: list all defined schedules (仏 ^ one window: two 3, 2 display: * used in a preferred embodiment to define schedule rules (a window; Figure 33 shows: use In the-preferred embodiment, a window used to make decisions; ned schedules) interval should be shown in Figure 34: used in the "preferred embodiment, used for a window": Figure 3 5 shows- ------------- 1 ------ Order · -------- 'Line I, (Please read the precautions on the back before filling in this page) ： Used in—better implementation financial, used to specify the attribute to -18-Thai paper size applies to Chinese family standard (CNS) A4 specification (210 X 297 public love) A7 448 387 ____B7_____ V. Description of the invention (16) A window of the main body; Figure 36 shows: a window used to display and modify an attribute definition in a preferred embodiment; and Figure 37 shows: a window used to display and modify In a preferred embodiment, a feature is defined as a window. The reference numbers in the various figures have at least three digits. The two rightmost numbers are reference numbers in the figure; the numbers to the left of those numbers are the figure numbers. In the figure, the item identified by the reference number appears first. For example, in FIG. 2, item 0 with reference number 203 appears first. Elaboration 2 Elaboration The following elaborations will be provided first: how easy-to-scale scalability access filters are, how they can be used to control access operations in an enterprise intranet, and how they can be used to build virtual private networks Total cable. Thus, the narrative will provide: the access control database used in access filters; ways to change it, and then distribute those changes across many access filters; and individual access filters to control access Details of the method used. A network with access filters that does not prevent scalability: Figure 2 A-A network with access filters that does not prevent scalability: Figure 2 Figure 2 shows a virtual Private Network (VPN) 20 1, of which: the access to data is designed to avoid problems caused by multiple access filters. -19-This paper standard applies to China National Standard (CNS) A4 specifications ( 210 X 297 mm) < Please read the notes on the back before filling in this page)

Order I --------- line, printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 4.1 · ^ Printed by the Ministry of Economic Affairs ¾ printed by the Consumer Cooperatives of the Property Bureau ^ 4 8,3 8 7 A7 Explanation (17) Controlled by filter. VPN 201 is composed of four internal networks 103, which are connected to each other via the Internet 1 2 1. Also connected to VPN 20 I via Internet 121: a roamer 2 1 7 is a computer system, although the system is being used by people who may access data in the corporate intranet 20 I, But it will only connect to many intranets through the Internet 1 2 丨. Each intranet I 03 has: many computer systems or terminals 209 ′ belonging to the user, and many servers 2 1 1: the server includes: users may be located in many computer systems or terminals 209, Or data that may be accessed by one of the users in the roamer 2-17. However, the computer system or terminal 2 0 9 'or the rover 2 1 7 are not directly connected to a server 2 II; instead, they are each connected via an access filter 203, so that: All queries made by a user at the user system for data items on the server will pass through at least one accessor 203. Thus, the user system 209 (i) is connected to the network 2i3 (i), which is connected to the access filter 203 (a); and the servlet 2 u (丨) is connected to the network Road 215 (i) 'The network is also connected to the access filter 203 (a), so it is made by the user at the user system 209 (i) to access the feeder 2 1 1⑴ Any other attempt above will pass through the access device 203 (a), where the user will be denied if he does not have access to the data. Since VPN 20 I is of any size, there will be-a considerable number of access filters 203: therefore, scaling problems will occur immediately. Access filters 203 avoid these problems because they are designed based on the following principles: • Distributed access control database. Each access filter 203 has it. -20- This paper is standard for the national solid (CNS) A4 specification of halogenated paper (210 * 297 mm) ------------- -------- Order · -------- Line tl · (Please read the precautions on the back before filling out this page) Printed by the Employee Consumption Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs 448387 A7

--- ~~~ -II V. Description of the Invention (18)

Own copy of the access control resource library to control access to the load in the VPN. The changes made in the -copy of the database are propagated to all other copies s =: ^ management. Any number of administrators may be entrusted with the responsibility of the children of the system, $ σ. All administrators may perform their work at the same time. Knife cloth J access control. The access control functions are performed at the near-end access filtering benefit 203. That is, the first access filter 203 in the path between the client and the server will determine; whether the access operation is allowed; and many subsequent accesses in the path will not benefit. Repeat the access check performed by the first access filter. End-to-end encryption. Encryption occurs between the near-end cache / cache and the farthest possible encryption endpoint (endpoint). This endpoint is either the information server itself, or the far-end access filter 203-the last one in the route from the client to the server. Dynamic tunnels are established based on current network routing conditions. Adaptive encryption and authentication. Depending on the sensitivity of the information being transmitted, variable encryption levels and authentication requirements are applied to the traffic through the VPN ° All of these design points are discussed in more detail below. It should be pointed out at this time that the access information 4 203 may be constructed in any way, which guarantees that all of the data proposed in VPN 20 1 are proposed by many users who may access the data without authorization. Query Metropolis-21-This paper size is applicable to Chinese National Standard (CNS) A4 (21〇χ297 公 ^ ----------------- 4 J (Please read the Please fill in this page for urgent matters) Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs ^ 48387 A7 V. Description of the invention (19) Over-access over-extinguisher 203. In the preferred embodiment, over-access; Server 2003 is built on a server and operates under the Windows NT® (new technology version of Windows software) operating system manufactured by Microsft Corporation. In other implementations In the example, the access filter 2 may be constructed as a component of an operating system, and / or may be constructed in a router in VPN 201. Distributed decision database: Figure 3 3 Distributed decision data Library: Figure 3 Each access filter 203 has an access control database 3 (M of-copy, it is time All data related to access control in VPN 2001. An access filter shown in access filter 203 (a) in FIG. 2 has a master copy of an access control database 301 205. Because of this, the access filter 203 (a) is called: Master Decision Manager (Master Decision Manager). The master copy 20.5 is: used to initialize (initiaUze)-some new access filters Device 203 or the one that replaces the damaged access control database 301. The backup device of the master decision management computer is an access filter 203 (b). A backup 207 is one of the master copies 205 Finally, the report management & formula 209 includes the software used to generate the report: the report is derived from the information in the access control database 301 and the green records obtained from all other access filters 203 〇gs). Any copy of the access control database 3〇 丨 may be changed by any user who must perform such an access operation: as will be described in more detail later, any such changes are first propagated To the main decision management program 205 Then go to all other access filters 203 in the virtual private network 20 1. -22- This paper includes the standard suitable financial ® @ 家 标准 (CNS) Ai} size gamma x 297 public love) 7 ---- ----- Order --------- (Please read the notes on the back before filling out this page) ^ 48 3 8 7 Printed Λ7 B7 Five 'Invention Note by the Employees' Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs ( 2) Figure 3 is: Access control database 3001 — a conceptual overview ^ The main function of the database is to respond to an access request 3009 from one of the access filters 203, breaking the access filter The server uses an indication of whether the request will be granted or denied 3 11 to identify users and information resources. The request will be granted if both of the following are true: • The user belongs to a user group, where the database 3 01 indicates that the accessible information resource belongs to the information set; and It is the same level of trust as the sensitivity level of information resources. Each user belongs to one or more user groups, and each information resource belongs to one or more information sets: if the user belongs to-none of the user groups is denied access to the information resource Belonging to—The information tree and any user group to which the user belongs are allowed to access any information set to which the information resource belongs; the user may access the information resource if the iS request has the necessary level of trust. The sensitivity level of a resource is only one of several levels of dependence required to access the resource. In general, information resources need to be protected and the higher the sensitivity level. The requested trust level has many components ... * The trust level of the identification technology used to identify the user: For example, _ ^ * ^ fc. Identifying a user by a token has a higher value than by using an IP address. Recognize that user B also has a high level of trust. • The trust level of the path taken by the access request via the network; “T” said that the path including the Internet has a lower level of trust than the path including only the internal network. -23- This paper size applies to Chinese national standards (CNS> A4 size (2 ^ x297)) ------------- I * I --- 1 ---- * 1- 11 · i ----------- 1 V t, please read the dignity on the back before filling this page) A7 448387 ____B7 V. Description of Invention (21) If t is added to the access request, then Trust level using encryption technology; the stronger the encryption technology, the higher the trust level. '' Consider the trust level of the identification technology and the trust level of the path separately. However, the trust level of the path may be affected by the trust level used to encrypt the access request. If the request is encrypted using an encryption technology whose trust level is higher than the trust level of the road part, the trust level of part of the road line is increased to the trust level of the encryption technology. = Yes, if the trust level of a part of the path is less than required for the sensitivity level of the resource; then the problem can be solved by encrypting the access request with an encryption technology with the necessary trust level. It is possible to divide the information contained in the database 30 1 into six categories: user identification information 3 13 which will identify the user; user groups 3 5 and 5 which will define the groups to which the user belongs; 3 2 0 'Dagger will protect some of the individual information items that are protected' and indicate where to find them; Information set 3 2 1 'It will define groups of information resources; Trust level information 323, it will contain information The sensitivity level of resources and the trust level of user identification and network paths; and decision information 303, which defines access rights based on user groups and many objects in VPN 201. The decision information is further divided into: access decision 307, management decision 305, and decision maker decision 306. The access decision 307 will define the right to access the information set by the user group. -24- ^ The paper size applies the national standard (CNS) A4 specification (〇X 297 public love) --------- --------------- Order · -------- t ί »rrsp first read the back of the quotation " problems and then fill out this page) Employee Consumer Cooperatives, Intellectual Property Bureau, Ministry of Economic Affairs Yinshang 448387 Employees' Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs * "A; B7 V. Invention Description (22). Official Decision 305 will be sufficient to define / exclude / modify user groups in Kajia: many Object rights β among many objects are: access decision, information set, user group, position in vn 2 201, server, and service: and decision maker decision 306 defines user group The right to make access decisions to information sets. It is stated that the user groups in the management decision and decision maker decision of the 3CH database are user groups of administrators. In νρΝ200ι, administrative authority is delegated by defining the administrator group and the objects they govern in the database 30 丨. Of course, a given user may be a member of both the general user group 317 and the management user group 319. User identification 3 User identification The user group uses user identification information 3 丨 3 to identify their members. Identification information identifies its users through a set of extensible identification technologies. These identification technologies include: X.509 certificates, Windows NT domain identification, authentication tokens, and IP addresses / domain names. The type of identification technology used to identify the user determines the level of confidence in the identification. Where strong identification of users or other entities communicating with the access filter 203 is required, VPN 2000 will be used: "Internet" developed by Sun Microsystems, Inc. (Simple Key Management for Internet -25- This paper standard applies to China Solid State Standard (CNS) A4 (210 X 297)) II ____II____ ”______ II T______.? 4J I —- * 5 ° · Ϊ I ί (Please read the precautions on the back before filling this page) 448387 A7 B? V. Description of the Invention (23)

Protocols' (short for SKIP) software communication protocol 3 This communication protocol will manage: public key exchange, key authentication, and dialogue 2 ^. Session encryption is performed by a transport key generated from the public and private keys of the parties that are exchanging data. The public key is included in the X.509 certificate, which is used to capture oneself | Certificate Discovery Communication Protocol " (Certificate Discovery Pr0t〇c〇1, referred to as One of the CD gates is a separate communication protocol exchanged between parties. In addition to encrypted messages, a type of message encrypted using SKIP includes: for the message—the encrypted transport key, and for the source and Identifiers of the target's certificate; ^ The recipient of the message uses the identifier of the certificate of the source of the message to indicate the location of the public key of the source; and uses its key and the source of the public key to send the secret Decryption: The message is then decrypted using the transmission key. SKIP messages are self-authenticating. 'In a sense, it contains an authentication that includes a cryptographic digest of the subcontracted information content. Title, and any kind of modification will make the abstract incorrect. For details on SKIP, see Ashar Aziz and Martin The article "Simple Key Management of Internet Protocols (SKIP)" published by Martin Patterson, which can be accessed on the Internet: 丨 February 28th, 99g, URL: http: // www. skip.org/inet-95.html. For details on the X.509 certificate, 'see the description available on the Internet: September 2, 997, URL: http: //www.rnbo.eom/ PROD / rmadiUo / p / pdoc2.htm .. In VPN 201, SKIP is also used by many access filters 203 to identify themselves and other access filters 203 in the VPN; This paper size applies to China National Standard (CNS) A'i specifications (210x 297 mm) (please read the precautions on the back of the page before filling out this page) * k Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Hydrocarbons 4483 8 7 A7 __ B7 Intellectual Property Cooperative Association of the Intellectual Property Bureau of the Ministry of Economic Affairs of the People's Republic of China. V. Description of Invention (24) And where encryption is needed, TCP / IP conversations are encrypted. When they are performing access check, many access filters The device 203 can also use a certificate for the SKIP key to identify the user. Such an identifying party It is particularly trusted 'and therefore has a relatively high level of trust β. One of the uses of this identification method by certificate is to: ,,, roamer, > 2 17 of the trusted identification methods. X.509 Certificates can be used for user identification because they associate key information with information about the user. The access filter 203 uses the following information bits from the certificate: Expiration date After this date, the certificate is invalid. • Public key: A public half-pair key that uses a private key pair, as used in Conclave (SKIP-based cryptography). • Signature of Certificate Authority: A distinguished name associated with the authority issuing the certificate. • Certificate serial number. ‘Subject name: The name of the entity to which the certificate was issued. The subject name includes the following sub-positions (the representative characters in parentheses are the general abbreviations for the unique position): 'Common name (CN): the established name of the subject, such as John & Public 0 • Country (C) : The country where the subject is located. The country code is a two-letter code specified in the X.509 specification. • Location (L): The location of the subject. This location is usually the city where the subject is located, but any location-related data may be used. -27- This paper size applies to Chinese national standard (CNS > A4 size (210 X 297 mm) ^^ 1 I-ϋ4 i ^ i ^^ 1 ^^ 1 I n- rt— 1 ^ 1 ^^ 1 ^^ 1 n ^^ 1., I ^^ 1 »n —fl— ^^ 1 _ (Please read the notes on the back before filling out this page) 448387 Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 _________B7___ 5. Description of the invention (25) • Organization (〇): The group to which the subject belongs. This block is usually the name of the organization. • Organization unit (ου): The organizational unit of the subject. This field is usually the door of the subject, such as Say, the business department certificate, X · 509 allows up to four blocks in these fields. The certificate authority used with many access filters 203 will issue certificates with all of these bits. In addition, four 0U fields may be used to define additional classifications. The information used to describe users in the certificate can be used by the administrator of the database 301 and used when defining user groups. The information in the certificate correctly reflects the organizational structure of the enterprise: the certificate will not only identify the user, but JL will display it. This is based on the organization of the enterprise; to the extent that the user groups in the database 301 will reflect: organizational structure, user groups to which users belong. As will be explained in more detail later One of the ways in which members of many user groups may be defined is: by "certificate matching criteria," which defines the fields that a certificate that is a member of a given user group must have Numbers. The certificate matching criteria may be based on as few or as many of the above-mentioned niches as required. For example, the two certificate matching criteria for engineering user groups may be: organizational units and organizational units that specify the engineering department Fields. Other information identifying users may also be used to define members of many user groups. D Information set 3 Information set Poor information set holds information collected by many individual information resources. One resource can be -28- Night applicable Chinese National Standard (CNS) A4 specification (210 X 297 public love) ---- ^ --------- k .-------- Order -------- -Line-(锖 先 ΜίίBack & ii) (Write this page) 48387 A7 B7 V. Description of the invention (26) Can be compared with a www (World Wide Web) webpage or news group (newsgro 叩) — as small as it is, but it is most often caused by ... (Web directory tree) and its inner valley, FTP account, or the main Usenet news category. In one of the many servers in Figure 2, two information sets are displayed: 2 19⑴ and (K). Although the administrator of the access control database 301 should make a complete decision: what kind of information is included in an information set: However, the information in a given set is usually: both the subject and the intended audience (audience) Has related information. Examples of company-specific information sets

It could be: HR policies, HR Personnel Records, and Public In form at ion. Access decision 307 3Access decision 307 Conceptually, access decision 307 consists of a simple statement in the following format: Engineers allowed access to engineers engineer engineering allowed

Internet allowed access to the Internet public web site Public network site The first column contains the user group: the last column contains the information set. The middle column is access decision-allow or deny. The database 301 allows a hierarchical definition of user groups and information sets. For example, the engineer user group may be adequately defined to include: a hardware engineer user group, a software engineer user group, and a sales engineer user group. Similarly, the engineering data information set may be defined to include: hardware industrial data information set, software engineering-29- This paper size applies to the Chinese Standard (CNS) A4 specification (210x 297 public) {Please first Close the iit item on the back of the book and fill in this page again.) Order --------- Printed by the Consumers ’Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs ¥ 5% 77 A7 Printed by the Employees’ Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs-- ------- B7_ V. Description of invention (27) Process data information set and sales engineering data information set. In the user group (level, access is obtained by inheritance. Therefore, for access verification, a user who belongs to the hardware engineer user group will also automatically belong to the engineer user group. In the information set Within the hierarchy, the same access rights are obtained by inheritance. For access verification, it belongs to the hardware engineering data information set (an information resource also automatically belongs to the engineering data information set. Therefore, if there is-item, it gives the engineer access Engineering data access decisions, any user who is a member of one of the three user groups that make up the engineer may access: any of the three information sets that are part of the engineering data Any information resource of. Using inheritance in the definition of user groups and information sets will greatly reduce the number of access decisions 307 required in the access control database 301. For example, in the example above In the single access decision, all engineers are given access to all engineering data. The inheritance right also allows: All access decisions are possible. Continuing the above example, if there is a user group of "Salesman" (SaieSpe〇pie) that does not belong to the private and private teachers, but one item gives the user group access Decisions on access to sales engineering data: Users who are a member of "Salesman" will be able to access sales engineering data, but not software engineering data or hardware engineering data. Of course, 'a user may belong to More than one user group, and an information resource may belong to more than one information set. There may also be different access decisions for various user groups to which the user belongs and various information sets to which the information resource belongs. When faced with multiple access decisions that apply to both the user and the information resource that the user is trying to access, the access filter 203 -30- This paper standard applies to the national standard (CNS) A4 Specification (2) 0 X 297 mm) ^^ 1 ϋΈ ^^ 1 in d 1 ^ 1 m I 1 · Λ I— 1 1 'IJ— ^^ 1 i ^ i I, 1 ΙΛ Words (please close first (Read the note on the back and fill out this page) Member of the Intellectual Property Bureau, Ministry of Economic Affairs Printed by Consumer Cooperatives 4483 8 7 A7 B7 5. Invention Description (28) Decisions are applied in a restrictive rather than permissive way: • If multiple decisions allow or deny a user group access to an information set, The decision to deny access is dominant. • If a particular user is a member of a multi-user group and multiple decisions allow or deny access to the information set; the decision to deny access is dominant. Which user group the user belongs to may change depending on the recognition mode used to identify the user. Therefore, if according to the recognition mode that the user has provided to the access filter 203 at that time, no access decision applies to The user groups to which the user belongs: then accessed; the filter 203 may try to obtain additional identification information and decide whether the additional identification information will place the user in one of the decisions about a resource User group. The access filter 203 may obtain additional identification information if: • The user has installed User Identification Client (UIC) (a type that will run on the user's machine and provide identification information about the user) Software for access filter 203). • UIC is currently running on the user's machine. The user has made his UIC pop-up for further identification (the user has a check box that enables this feature ° If all these requirements are true, then access The filter 203 will chase the user ’s UIC and request additional identification information. Any identification information supplied by the user is stored. In each new user identification information sheet -31-This paper standard applies China National Standard (CNS) A4 specification (210 X 297) _____II ding I___ I It If 1 II f ΙΛ.. I, II · II 1 I _ 矣, {Please read the precautions on the back before filling in this Page) ^ 4838 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs Α7 Β7 V. Description of the Invention (29) After that, the access filter 203 will perform the same evaluation process: until it is obtained that there is a permission Or deny access to the identification information in a user group targeted by the operation decision; or, until the user abandons his request, pop up a UIC window. Management decision 305 3 Management decision 305 Official decision 305 will be implemented (丨 — ^ Ca called the management of many objects in the access control system of vpN 2〇 丨. Included in the objects are: user groups, Information sets, access decisions, and available resources referred to here; that is: services, servers, access filtering benefits, and the network hardware that makes up VPN 201. Objects are managed by one or more "Managed by the management user group. Management-A member of the management user group of a given object may modify the object and its relationship with other objects, and may make management decisions for that object. As will be explained in more detail later, a member of the management user group who manages the object may be controlled? The fact that the management decision for the object will make it possible for the member to assign the official roots to the organization. For example, , Management " hardware engineer " user group management One of the members of the user group may formulate: an item that grants "hardware engineering division" management rights to "hardware engineering manager" users Group management decision to delegate the management right of "hardware engineer" to "hardware engineering manager 1". It should be noted that the right to manage the information set is separate from the right to make access decisions to the information set — The fact that user groups have the right to make access decisions on information sets does not give user groups the right to make management decisions on information sets; and vice versa. When an access is made _- 32- This paper size is applicable to the Zhongguanjia Standard (CNS) A4 specification (Q χ Vision) I _ 111 111 .-------- Order · -------- 1 V (Please note this page and fill in this page again) ^ 48387 Employee Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs printed A7 B? V. Invention Description (3〇) 'When the filter 203 was first built, the single-built security officer (security 〇 汀icer) The user group has: the management authority that governs all the objects in VPN 201 and the decision maker decision 306. The inheritance right of official decision 3-with the inheritance right of management decision Zhan Chengyi operates with official decision , The same method is: inheritance rights with access decisions It works. It organizes many user groups, information sets, and available resources referred to in management decisions in a hierarchical manner. Within a user group, it is a user group that is a subset of a given user group: Are all down and down from the hierarchy of many user groups from -¾ existing user groups. The same is true for information sets. In the same way as for access decisions, inheritance is applied at the level Therefore, within the user group level, the management user that manages one of the user groups will also govern all subsidiary, including some user groups. Similarly, with regard to the level of the information set, one of the management users who governs the information set will also govern all its affiliates, including one information set; and e, which is the management decision of-the case of the set of management-the management user will also Governs access decisions for all contained information sets. There is also a natural hierarchy of available resources. For example, one of the levels is: location. Within a given location, many verbal servers at that location form a down-level hierarchy: while within a server, many services provided by the server form the next level. A group of administrative users with jurisdiction at any level of the available resource tree also governs the lower levels used. For example, the management decision gives (many) the jurisdiction of the access filter 203 -33- This paper size is applicable to Zhonggu @ 家 浮 准 （CMS) A4 specification (210 X 297 mm) (锖 read first? R The splash on the back? Matters need to be filled in this I >, -------- Order ---------- line, 448387 A7 B7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs Explanation (31) = Libei has the management right to: all services under the website = all services executed and those services supported by it. $ 贝 原 trust authority: Figure 2 5 3 delegation authority: Figure 2 5 In VPN 201, it is easy to trust permissions, because the management user group of the managed object group may modify the object's management decision on it. For example, if—manage user group collection 1 it The information set can be divided into two sub-sets, and this new official decision is made, which gives each of the two other user groups the use of the set to govern the management of one of the two sub-sets Figure 25 shows an example of augmenting delegated permissions. In Figure 25, the user_group and its Documents are represented by circles; decision-makers' decisions are represented by square tables: and decision-making relationships are represented by different types of arrows: solid arrows represent management decisions ^ dotted arrows represent decision-making decisions, and dashed arrows represent storage decisions Make a decision. Part of the drawing of 25G1—shows the situation when the access filter 203 is being built: built-in, security officer " use, group 2503 has jurisdiction over all built-in objects 2505 and jurisdiction The decision-maker's administrative authority for decision 2507. "Security Officers" members of the user group will use their administrative authority in order to: form a sub-collection of objects 2505, rearrange the object hierarchy, and establish decision-maker decision-making 25〇7. In the parts and sections of Figure 25 marked 2508, it can be seen that :, security officer, user group 2503's activity-an activity result. _, Security officer, user group One of the members of 2503 has been established: "" Project Manager, Management User Group-34- This paper size applies to the National Standard (CNS) A4 specification (210 X 297 mm) -i. · ---. ---- Order, — ♦ —.— Line * (Please read the notes on the back before filling out this page) 4483 87 Printed by the Consumers ’Cooperative of Intellectual Property Bureau of the Ministry of Economic Affairs Α7 Β7 V. Invention Description (32) Group 2509, a group of 25“ engineer ”users, and — "Engineering materials" information set 2 5 1 3 · 'and has been given to •, the project manager " manages the " engineer " " engineering " data management authority., Members of the security officer " have also been established and formulated Decision 2507, so that: the "project manager" has the right to make access decisions for process data, as shown by the dotted line arrow 25 1 0. One of the members of "Project Management" has used this right to formulate: Allow members of the Engineer 25II to access the information in "Engineering Data, 2513", as shown by the dashed arrow 25 12. As a result, members of the "security officer" have entrusted the project manager 2509 with the management authority 2511 'engineering data 2513' and the authority to manage access to the engineering data.

Of course, the 'security officer 2503 still has administrative authority over the project administrator 2509; therefore, this authority can be used for further delegation of authority. An example is shown at 2517. " Security Officer, a member of 2503 has divided "Engineering Administrators" into two sub-sets: "Engineering Personnel Administrators (Engineering Personnel Administrators) 25 19 and" Engineering Data Administrators " (Engineerng Data Administrators, ED A for short) 252 1. The members of these sub-collections are relayed from the project manager 2509 and have the management rights of the competent engineers "25 11 and" Engineering Materials ", 25 1 3. Members of EPA 251 9 and EDA 2521 will use these management rights to delegate the management authority of "Engineer" 25 11 to "Engineer Manager" 25 19, and to manage the management of 11 engineering data "25 13 Rights are delegated to "Engineering Data Manager" 2521. Members of EPA 25 19 and EDA 2521 have further used their rights to make access decisions against "Engineering Data" 25 25 to change access decisions such that : The access decision for "Engineering Materials" is made by "Engineering-35- This paper size is applicable ® National Standard (CNS) A4 specification (210 * 297 mm) • I____I / 了 气 I _ i _ · — 11 I — 1 ^ 1 ^^ 1-I ft ^ i If-l · nun IV 1 Φ * ^ 1 I-'^ 1 ^ 丨 · fu Please read the note on the back and then fill out this page) 7 4 48 3 $

V. Description of the invention (33 Printed by the Consumer Cooperatives of the Intellectual Property Office of the Ministry of Economic Affairs and printed on 252 1), as shown in Figure 2523 of the counterpart of Yu Zhanzong, but not by the official laborers. Developed by the staff ”2509, 4 Putian Data Manager " 252 1. d delegated this function to the“ Workbook. Now the Engineering Manager and the members using them ^, and the members of the Engineering Data Manager can enable the state They have jurisdiction over engineers, engineering data, V., ^ T, poor materials, and management rights for access to engineering data to make a fine distinction (for the operation of accessing engineering data.) Say, " Engineer manager .. Another member may be •, engineer ',,. Tian Daocheng: " software engineer " and " hardware. Engineering data management: 10% may divide the "engineering resources department" into "hardware engineering data" and "software engineering data". In this way, do the same, one of the engineering data managers " one: Give "software engineers, access to" software engineering data " and secrets … "/ Replacement of access to data " replacement of engineer " engineer access, and access to engineering data ". Briefly, t 'can be said to have: jurisdiction-user group Many of the management = are responsible for the "qualification" of membership groups; they may delegate any part of this responsibility to other administrators. Similarly, they have Many administrators are responsible for the proper inclusion of information resources in the information set; they may delegate any part of this responsibility to other administrators. Of course, the latter's administrators must also be responsible for the management of certain available resources May obtain from this resource: the information being added to the information set. The administrators of the available resources are responsible for the overall network and security operations. Similarly, they may entrust others to control their duties. In the end, Decision makers who manage Shell will have the final jurisdiction to govern access to information. They can establish access to specific sets of information on their own. -36- This paper standard applies the China Solid State Standards (CNS) A4 regulations. Grid (210 X 297) _. ^ --------- ^ > »(^ Please read the Jiang Yi Matters on the back before filling out this page) 448387 A? _____B7 V. Description of Invention (34) Decision In a sense, the decision maker decides on the corporate gift-sharing and sharing decision. The administrator of the user group's information set, and the available resources, then decides on the details of construction. Many access filters are used Access control of 203 and database 301: Figure 4 2 Access control using many access filters 203 and database 301: Figure 4 As shown in Figure 2, the access filter 203 has a position in VPN 201. Place it between the client from which the user is requesting access to the information resource and the server on which the information resource resides. Thus, the access filter 203 can control the access to resources by the user by interceciing in communication between a user and a service on the server that can provide the user access to information resources . In order for users to gain access to information resources, a dialogue must be established between users and services. In the current context, the term "dialog" is broadly defined to include some well-behaved connectionless protocols. When the access filter 203 detects that the user is trying to start a conversation with a service, it determines whether the access operation should be allowed. This is done based on: the user's known identity; the information resource on which the information is being accessed; the sensitivity level of the information; and the user identification method, the path between the user and the service, and the trust level of any encryption technology used . Figure 4 shows how a conversation can involve more than one access filter 203. The dialog 402 shown in FIG. 4 involves five access filtering competitions 203 numbered 403 (1, ... 5) in the figure. The access filter 203 is designed so that only one of a plurality of access filters 203 needs to be used to make a decision whether to allow the user to access the information resource. Many accesses-37- This paper is applicable to 0 standard (CNS) A4 specifications (2i0 X 297) (Please read the precautions on the back before filling this page) I ί * 1 ^ 1 1 nfit flu II t. &Amp; Λ-45 么 > -v Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs ^ 48307 Λ7 B7 V. Description of the invention (35) The key to this feature of filters 203 is that they treat each other themselves Identification ability. skip is used to do this. Each access filter 203 has: a type of χ.509 certificate that combines the key of the access filter 203 with the name of the access filter 'and is signed by the certificate authority of the VPN. In the database 301, each access filter has: the name and IP address of all other access filters in vρN 2〇 丨; and, once a conversation encrypted using SKIP arrives, each The access filter uses the certificate from the above-mentioned certificate in the skip discussion. • Subject Name determines whether the SKIP-encrypted network traffic from SKIP comes from the VPN. 2 The other access filter in 1 is 203. If the conversation in which the access filter is receiving is not the target of the conversation (that is, the 'access filter only performs a function like a router along the path), the access filter will only retrieve data from database 3. Verify in 〇1: The target IP address is the IP address of some other access filter fe 203 in vpN 2〇 丨. If this is the case, the dialogue is allowed to pass without additional checks. When the request comes to the last access filter 203, the last access filter 203 decrypts the request using SKIP in order to confirm that the child request is indeed checked by the first access filter 203, and then confirms that: the The request was never modified during the transfer. Therefore, in FIG. 4, the access filter 403 (丨) uses a copy of its own access control database 301 to determine whether the user who initiated the conversation has accessed the information resource specified for the conversation . If the access filter 403 is determined as such; it will identify the dialogue's output messages and encrypt them if necessary 'in order to achieve the appropriate level of trust. Then, -38- CNS) A ^ l secret c 297 public ^ 7 (Please read the precautions on the back before filling this page) ----- ^ * 1 --------, line-* Employees of the Intellectual Property Bureau of the Ministry of Economic Affairs Printed by the consumer cooperative 448387 Employees' cooperative of the Economic Village Intellectual Property Bureau's consumer seal A7 ______ B7__ V. Description of the invention (36) Such as access to the device 403 (2, ..., 5) will allow the dialogue to continue because this is because迓 The action is from the access filter 403 (〇 and has been encrypted with SK] [p; forced to use the copy of the core's own access control database 3〇 丨 to decrypt the message, but also The message will not be checked. Then, the access filter 403 (5) decrypts the message and confirms that: they are all encrypted 'so they are all checked by the access filter 403 (1): and if the message Are intact, then they are forwarded to the server 407 containing the required resources. In server 407 and use Many of the messages in the conversation passed between the systems 401 are processed in the same way: if necessary, they are encrypted using the access filter 403 (5): the access filters 403 (2, …, 4) will pass them on based on the authentication performed by the access filter 403 (5): and access the responder 403 (1) to pass the message to the system 4〇 ^ based on the authentication, and When necessary, 'decrypt the message. 0 This technique effectively performs: opening and closing a tunnel 405 for the dialogue between the access filter 403 (1) and the access filter 403 (5); Because of the tunnel, only the access filter 403 closest to the client needs to be performed: de-escalation, access check, and re-encryption. Moreover, in many intranets and in the Internet 1 2 1, tunnels They are all equally secure. In a large VPN, the 'access filter 403 (1) is in the best position to check the access operation because it has access to the user who initiated the conversation The most detailed information. The technology of the access check performed at the first access filter 401 will further The access control responsibilities are distributed throughout the VPN, thus allowing the VPN to scale to any size. End-to-end encryption: Figure 5-39- Dong. · Cang scales use Ninglang National Standard (CNS) A4 specifications ( 21〇χ depending on the public ----------- 1 ---------- r -------- J \ c (please read the back first; (Fill in this page again) 4483 8 7 A7 B7 Printed by the Consumers ’Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs * '五 ί V. Description of the invention (37 3 End-to-end encryption: Figure 5 Figure 4 follows only from the access filter 4〇3 (1) Extended to accessing the device 403 (5): The message of the conversation is not encrypted between the system used by the user 40 and the accessing device 403 (1), and is being accessed again. The filter 403 (5) and the server 407 are not encrypted. In the case of extremely sensitive information, from the near-end access filter to the end of the path through the network, that is, between system 403 (1) and server 407, authentication and encryption may be required. Figure 5 shows how to use some access filter 203 to achieve this. Within the VPN ', with the exception of some access filters 203, authentication and encryption techniques may be used with any client system 401 or 503' or any server system 407. When a client computer uses encryption technology, it uses $ 11? To authenticate the conversation and uses a shared secret shared by the client computer and a selected access filter 203. The conversation is encrypted 'and then the encrypted message is sent to the selected access filter 203; thereby effectively establishing a channel between the client and the selected access filter 203, thereby making the selected access filter The filter 203 and the first access filter 203 can be used for access checking. At the first access filter 203, the message is decrypted and an access check is performed. Since the user's certificate and encrypted message are available, the user's authenticated identity can be used for access verification. If the access operation is allowed; the message is encrypted again 'and sent to the access filter 403 (5) closest to the server 407, which decrypts the message. If the database 301 contains a skip name and algorithm for the server 407; if necessary, access the server 403 (5) to retrieve the certificate for the server 407 and use SKIP to -40- This paper is suitable for financial standards iCNS) A4 size ⑵〇x 297 public). _. * ------- ^ --------- ii (please read the back of ί4 first) (I will fill in this page again if necessary) 448387 Printed A7 B7 by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 5. Description of Invention (38) If necessary, re-encrypt the dialogue for server 407. In other cases, the access filter 403 (5) simply sends the message to the server 407 in clear. If the message is re-encrypted for the server 407, the server 407 finally receives the encrypted message and decrypts it. Some of the access filters 203 that are in the middle of the first access filter 203 and the last access filter 203 'all just noticed that the message came from another access filter and was encrypted with SKIP' and the message Just pass, as mentioned above. When the Serving Server 407 retrieves an information resource, it either sends it to the access filter 403 (5) in an explicit manner, or uses the secret wheel for the access filter 403 (5) to match the contained resource. Message is encrypted. Then, in the reverse order, the aforementioned decryption and encryption processes are performed in pairs: from server 407 to access filter 403 (5); from access filter 403 (5) to access filter 403 (1): and finally from the access filter 403 (1;) to the original client system 401, which decrypts the message. The effect of this technique is to build a tunnel on the path between the client and the server, which extends from the access filter 203 on the path closest to the client to the path on the path closest to the server Access the subtractor such as. If the client can encrypt and decrypt, the channel can be extended from the access server closest to the client to the client; and if the word server can be encrypted and decrypted, s!] The server's access adapter extends to the word server. -Once the first access passer 203 in the path has been touched and the conversation has been identified, there is no need to proceed-step up resistance or decryption until the access passer 203 closest to the feeder. Has been touched so far. In addition, the access control database 3Ql in the access controller 203 will be targeted at: Guest 41-This paper standard applies to the China Solid Standard (CNS) A4 specification ---- r --- I-- ---- Kun Yi -------- Order · -------- 1 ir (Please read the Jiang Yi Matters on the back before filling out this page) ^ 483 8 7 Employees of Intellectual Property Bureau, Ministry of Economic Affairs Consumption cooperative seal Λ, π A7 B7 V. Description of the invention (39) All necessary identification and certification (certiHcation) information of the client, server, and many access filters 203 in the routing. One of the advantages of the end-to-end encryption technique just described is that instead of focusing on the many access filters used to connect the VPN to the Internet, it is better to distribute the encryption burden across the network to enhance scalability. Figure 5 shows how the technology works with the conversation 501, which is initiated with the roamer, that is: the client 503 connects to the VPN via the Internet 12 1. The rover 503 is equipped with SKIP, just like the target server 407 on an intranet. When SKIP is configured in a roamer, a certificate for the access filter 403 (3) is given to the roamer, and a certificate for the roamer is given to the access filter 403 (3). When the roamer 503 sends a message belonging to a conversation, it addresses the message to the server 407, and encrypts the message using the transmission key shared by it and the access filter 403 (3). Then, the message is tunneled to the access filter 403 (3) via the tunnel 505. There, the access filter 403 (3) decrypts the conversation ', performs an access check, and then re-encrypts the conversation by sending a secret message against one of the access filters 403 (5). Many subsequent access filters 403 in the path allow the conversation to pass because: the conversation is authenticated by the access filter 403 (3); therefore, at least a tunnel 507 is provided to the access filter 403 (5). If the target server 407 is equipped with SKIP, the access filter 403 (5) will extend the tunnel to the target server 407, as described above. 0 Adaptability encryption and authentication based on data sensitivity: Figures 6 and 7 3 Based on data sensitivity Applicable encryption and identification: Figures 6 and 7 -42- This paper size applies to China National Standard (CNS) A4 (210 X 297 mm) 4 ^. Order ---------, line (谛 Please fill in this page first before filling in this page) 4483 8 7 A7 B7 Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs. 5. Description of Invention (4〇) In VPN, an important work in access control : Determines the minimum amount of security required for the conversation. This is important, first because: at least the minimum amount must be guaranteed; second because: more security than needed wastes resources. Many technologies used to determine the minimum and used in the access filter 203 are collectively referred to as secure encrypted network delivery (Secure

Encrypted Network Delivery (SEND). In SEND, the access control database 301 contains a data sensitivity level β for each information resource. The data sensitivity level indicates the level of confidentiality associated with the information resource (the level 〇f secrecy). Of security administrators assigned to information resources. One exemplary set of levels is: Top Secret, Seeret, Private, and Public. The levels used to indicate the sensitivity of the data are also used to indicate the level of reliance on the access request. As described earlier, access operations are allowed only if the trust level determined from the following trust levels is at least as large as the data sensitivity level of the information; the trust levels are: used to identify user = technology trust Level, the level of trust for access requests via the path of vpN 2〇 'or any encryption technology used to encrypt messages sent on the path. Aim: The user identification method, path, and u-level calculated by Lida are included in the access control database such as 1. Regarding the trust level of the road ’, the VPN is divided into a number of networks. The network components are many IP calls, and they are connected by a set of access filters. Every network component has a name Lai Shou level. For example, '' Internet components will have "public ----------- version ------------- order --------- line (please read the first Note: Please fill in this page again) -43- Printed by A7 B7 of Consumer Cooperatives of Intellectual Property Bureau of the Ministry of Economic Affairs V. Invention Description (41) Use " trust level, and an internal network component may have "dedicated" trust level A trust level of an existing component may be based on its physical security, or based on the use of cryptographic hardware in the component. Because each access filter 203 is added to vpN, one of it and VpN The description of the component connection is added to the database 301. Included in this description are: the trust level of many networks. Therefore 'any access filter 203 can use a copy of the database 301 of i Determine the trust level of each component of the road school; and between a client and a server, a dialogue will be carried through this path. The user's trust level is identified by the access request from the user Determined in the way. In the access control database 301, each user group There is one or more identification technologies associated with it, and each identification technology has a minimum level of trust. Many basic technologies are: • Certificates via SKIP. Users use the certificate in their X.509 certificate. The name is used to identify it, and the certificate is used with the SKIP protocol to authenticate and encrypt the traffic. * A certificate that identifies the client software by the user. The user uses the name in his certificate x'509 Identification, the certificate is transmitted to some auxiliary access filters 203 through a special Conclave client software module called user identification client software. Using a challenge / response mechanism, This transfer is done very securely. • The Windows Domain ID of the customer software is identified by the user. For the Microsoft Windows Domain (Microsoft Windows-44-Use the Chinese National Standard (CNS) A4 Specification) (210 X 297 public) II Ji .k * ------- Order · -------- line (please read the precautions on the back before filling in this 1 ^) 483 8 7 A7 B7 Ministry of Economic Affairs Bureau Consumer Consumption Cooperative Seal V. Invention Description (42) Domain) Users who have logged in and have installed user identification client software automatically have their Windows identity 'including group membership, and send to some affiliates The access filter 203 ^ implements network registration (ogon) securely within the mechanism of the NetBi0s (Network Basic Input / Output System) communication protocol. • Authentication token. Authentication tokens may be used in two ways (such as those manufactured by security ynamics Inc. and Axent Corp.): via use The user identifies the client software in an out-of-band manner; or, in the Telnet (Long-range Communication Network) and FTP (File Transfer Protocol) communication protocols, in-band. • 1 p address and / or domain name. The IP address or fully qualified domain name of the user's computer. In a preferred construction example of SEND, many identification technologies have a predetermined order from highest security to lowest security. The technologies just listed should be sorted / ordered as they are in the list above: the most secure technologies are at the top of the list. Although the ordering of identification technology is somewhat subjective, it reflects: the general security of identification technology 'and the strictness of the distribution and confirmation of user identity. The administrator in VPN 201 then associates the ORDERED trust level with ORDER identification technology. For example, if the administrator uses the special M 仏 level to be related to the identification technology via the ship's foot token; then users who want to access a resource with a "private" sensitivity level must identify it themselves, which The method is through an authentication token, or higher than the order of identification technology. -45-This paper size is applicable to 0 National Standard (CNS) A4 specifications (210 x 297 public) (please read the precautions on the back first) (Fill in this page again) -_k · ------- Order · -------- 'line_ ^ 48387 Printed by A7 B7, Consumer Cooperatives, Intellectual Property Bureau, Ministry of Economic Affairs V. Description of Invention (43) Another identification technology of the authentication technology. The administrator of the access filter will also: arrange the many password algorithms available in the VPN from highest security to lowest security; The order password algorithm is related; the order of many network paths used in VPN 201 is arranged; and the order trust level is related to the order network path. These relationships are included in the access control information Then, a SEND table related to the level of trust and sensitivity is related to the identification and encryption technology. Figure 6 is: A conceptual representation of such a SEND table. The SEND table 601 has three columns: one column is The column 603 'indicating the reliability / sensitivity level is 605 indicating the minimum encryption method, and the column is 607 indicating the minimum identification method. For details on the encryption methods of column 605, I', see by Bruce Shi Rr ce Schneier: "Applied to Code"-Book, printed by John Wiley & Sons Book Company, New York, USA, 1994 edition. Each column 609 in the table associates the trust / sensitivity level with the minimum encryption level of the access filter 'client and the Server 1 path and the minimum recognition level of the user. Column 609 (1) then relates the "top secret" trust / sensitivity level to the 3DES encryption algorithm and the user certificate obtained via SKIp. Users who want to gain access to a resource with a sensitivity level of one of the highest secrets must have an identification level certified by Skip: and if the path does not have a "highest level of confidentiality" trust level, the 3DESM method The algorithm encrypts the dialog. On the other hand, as shown in column 609 (4), it is hoped that the access has a sensitivity level of “Public,” one of -46. This paper standard applies to the solid state standard. (CNS) A4 specification (2l0x 297mm) f —..— k ------- 1, order · ------- * line l '(Please read first? Note on the back of F # · Item refill this page) A7 # 38 7 ___ Βί ______ 5. Description of the Invention (44) The user of the resource may be identified by any method 'and therefore the conversation need not be encrypted. When a new conversation is started, the first access filter 203 in the path used for the conversation will continue as follows: 1. The access filter 203 determines which information resource is being accessed; and, in the data Library 301 looks up its sensitivity level. According to the SEND table 601, the minimum authentication method for this sensitivity level will specify which identification mechanisms may be used by the access filter to identify and authenticate the user performing the access operation. The first access filter 203 then consults the database 301 to determine whether the user can access the resource according to the user group to which the user belongs and the information set to which the resource belongs. The first step is to decide based on the access control database: which of the many identification methods used to identify the user has a trust level that is sufficiently high for the sensitivity level of the resource. Then, the first access filter 203 consults the database 301 'using the identification information of the user according to each identification method having a sufficiently high level of trust to determine: the user group to which the user belongs. The first access filter 203 also consults the database 30 in order to determine: which information set the resource belongs to. The relevant user groups and information sets have been determined, and the access filter 2 0 3 will consult the database 3 0 1 to indicate the location of the access decision. The decision decision: whether to allow or Refuse to deposit -47- This paper size 剌 tai iji (CNS) A4 ^ (210 X 297) ------------- k -------- Order ----- ---- line- > (Please read the precautions on the back of Ϊ3 before filling out this page) Employee Consumption of the Intellectual Property Bureau of the Ministry of Economic Affairs, printed by the cooperative A7 448387 _____ B7 _.________ V. Description of the invention (45) Get dialogue information The detection of at least one decision to allow access operations and the finding that there is no decision to deny access operations' allows the user to access the operation: in other cases, the access operation is denied. The details of steps 骒 b'c and d are described below. 4. If the access operation is not denied, then the first access filter 203 will then consult the database 301 to determine the network components that make up the route. The route is from the client to the containing information via the VPN. The server of the resource. Consider routing into logical segments with up to three; 1 • Segment (a), from client to first access filter 203 »This segment may or may not be encrypted, end Depends on whether the client is using SKIP. 2. Segment (b) 'From the first access server 203 to the closest server and the access server 2 0 3 in the path; and 3. Segment (c) from the closest server The access filter 203 to the server, this segment may or may not be encrypted. If segments (a) and (c) exist, each segment will consist of a single network component. If the client is on the first access filter, segmentation will not exist, and if the server is on the access filter closest to the server, then segment (c) will not exist. If segment (b) exists, it will consist of one or more network components. If there is only one access filter between the client and the server, the segment will not exist. In terms of each section: (please read the text on the back; please fill in this page for further information) k · -------- Order ---------- line # 1 Printed by the Property Cooperative Consumer Cooperatives-48- 448387 B7 Printed by the Consumer Cooperative Cooperatives of the Intellectual Property Bureau of the Ministry of Hydrocarbons, V. Invention Description (46). As far as points are concerned, any encryption method must be performed by the client 9 The trust level of subsection (a) is at least not as strong as the resource's data. Or, if the encryption method performed by the client is at least not as strong as the resource's data sensitivity; Take operation ^ Say knife / again (b) and g, if the weakest trust level of any network component in the path is greater than or equal to the data sensitivity of the resource, then the throughput k is developed without encryption. This corresponds to the situation where the network is sufficiently secure to transmit data. In the example in the table above, it may be possible to send ^ message resources with the "public" data sensitivity level on any network, as shown in column _⑷. However, many accessors 203 will use SKIp to authenticate the conversation, thus allowing many subsequent access killers to pass the conversation without incurring the large overhead of decryption, access check, and re-encryption. . If the weakest trust level for road k is less than the data sensitivity of the resource, then consult the SEND table for the minimum encryption algorithm required for the sensitivity level, and then use the calculation. (1 ink) security upgrade (upgra'des) makes it suitable for carrying data of the given sensitivity, thus allowing users to access resources. 6. As far as segmentation is concerned, the path from the access filter 203 closest to the server to the server is determined by the first access filter 203 based on the information in the database 301: segmentation (c) And the level of trust of any encryption method used in segment (c). If the path of this _ -49- t Ξ1 297 ^ T) J ^ -------- Order --------- line-I (Please read the notes on the back before filling this page ) 4483 8 A7 B7 V. Description of the invention (47) The trust level of the segments is less than the information level, the greediness level, and the sensitivity level, and in that case, if the points p, ^ are in the knife * and (C) Encryption used

Method 彳 0 Lai Temple level to * ”/ TY _ Master y is not as strong as the required level 'Farly required temple level is like howling in old worries. 1 1 Wish the sensitivity level of Begon resources The most in the SEND table, as shown in the figure below, is the same as that of the second class: the first-access filter 2 0 3 will deny the access operation. The above method of determining sensitivity and trust level guarantees that the access filter 203 will use the encryption method only when it is necessary to reach the necessary trust level. While keeping the description of the network configuration in the database 301 simple and manageable, this method reduces the number of conversations to be encrypted. As a result, there will be better scalability for management and performance in VPNs. Figure 7 provides an example of how the sensitivity level of information resources, the trust level of user identification methods, and the level of trust associated with the path between the client and the server affect the access to information resources by users. In FIG. 7, a user equipped with SKIP at the client 703 initiates a conversation 701 in order to obtain one of the information resources 723 stored at the server 705 equipped with SKIP. Segment (a) discussed above appears at 707 in Figure 7; segment (b) appears at 709 (1 ^., 4); segment (c) appears at 711. The information resource 723 has a sensitivity level of " confidential ". The first access filter 203 encountered by this conversation is the access filter 203 (1). The access filter 203 (1) determines the sensitivity level of the resource 723 using a copy of its access control database. Here, the user has already used the SKIP certificate, and the SEND table 601 in the viewing database 30 1 shows to the access filter 203 (1): Because this user -50- This paper size applies the Chinese National Standard (CNS ) A4 specification (21〇χ 297 public love) (Please read the notes on the back before filling this page) k -------- Order --------- line. Intellectual Property Bureau of the Ministry of Economic Affairs Employee Consumption Cooperative Seal * · 1 ^ " 448387 A7 ____ B7__ V. Description of the Invention (48) The identification method meets the requirements of information resources with " confidential " sensitivity level, so section (a) at 707 has the required Trust level. Therefore, the "first-access filter continues to determine: in VPN, the segment between access filter 203 (1) and servlet 705 at 709 (1 ,,,,, 4) (B) and the trust level of segment (c) at 711. Segment 709 has some sub-segments: 7009), 709 (2), 709 (3), 709 (4) , And 709 (5) 'and the first access filter 203 (1) checks the trust level of each of the sub-segments of these molecular segments in the database 301. Segment 709 (2) is Internet 12 1, all Its trust level is: " Public " 'It is the lowest level in segment 709. Then, the access filter 203 (1) uses the access control database 3〇 丨 to check the trust level of segment 7 jj Its trust level is: _, confidential ". Therefore, the subsection (b) at 709 only has a path for accessing a " confidential " information resource 703 to a conversation Speech is too low a trust level. To deal with this, the access filter 203 (1) must encrypt the speech in order to raise it

To the necessary level. The first access filter 203 (丨) consults the SEND table 601 'to determine what encryption method is needed; and column 609 (2) indicates that: the DES bifurcation method is sufficient. Thus, the first access filter 203 (1) will use an algorithm to encrypt the conversation 'and send it to the access filter 203 (5). The segment 707 'connecting the client 703 to the access filter journal' in Figure 7) has a level of trust that is sufficiently high for the sensitivity level of the resource, so the client 703 does not have to add Encryption. When this is not the case, the right-only client 703 has used an encryption method that is sufficient for the sensitivity level of its trust-level resource to encrypt the request, accessing -51-this paper scale Chinese Θ national standard specifications < 2K) x 297gg {Please read the precautions on the back of the 再 and then fill in the clothing page) hr]! —--1 --- — 'Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 48387 A7 B7 V. Description of the invention (49) Filter 203 (1) will only be given to the client · 3 access operations. For this reason' in Figure 5 The roamer 503 must be equipped with SKIP. Since the roamers 5 access and access the information of the filter 403 (3) via the Internet 121, many requests of the roamer 503 may never have a high level. In the public, unless they are encrypted; and, for full access Resources, the rover 503 must use an encryption method, such as: a method provided by SKIP, whose trust level is sufficient for the highest sensitivity level. In some embodiments of the access filter 203 The access controller may negotiate the user identification mode in a manner similar to the one it uses in the preferred embodiment, and the client negotiates the encryption technology intended to be used in the request. For the access control database 301, Overview of the administrator interface: Figures 8 to 12 3 Overview of the administrator interface for the access control database 3001: Figures 8 to 12 Access decisions define access operations based on user groups and information sets; therefore, Before it is possible to define an access decision, the administrator must define how user groups and information sets can accomplish this. This is shown in Figure 8. Defining a user group involves steps 803 to 807: first define the user, and then use User group, and then assign the user to user # user feed. Defining the information set involves the step _ to 813: First define the resource, then define the information set, and then assign the resource to the information set. When When the user group and the information set involved in a decision have been completed, ^ is enough to establish an access decision, as shown at 815. As before, "^ p is for many users" And access rights to the information set are determined by the decision of the decision maker; however, it is used to define and pinpoint the user group. 52- Reference paper size applies Chinese National Standard (CNS) A4 specification (2) 0X 297 Gongai (Please read the precautions on the back before filling this page) "A + I-1 a ^ i I * 1 ^ 1 I-1 * 1 ^^ 1 Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs 448387 5λ A7 ---------- B7_____ of the Intellectual Property Bureau of the Intellectual Property Bureau of the Ministry of Economy It is determined by management decisions. :: As can be seen from the recap, user interfaces are often used to define the relationship between two entities or collections about them. Graphical user interface for access control materials & library 301

InterfaCe's (GUI for short) corresponds to this work. The display diagram consists of two windows, each of which contains representations of entities intended to be related to each other, while the system does not select the entity and the place where it is needed to define it, thus defining the relationship. Defining user groups: Fig. 9 3 Defining user groups: Fig. 9 Fig. 9 α shows a display 901 for populating and defining user groups. Window 903 in the display map contains a layered display of one of the currently defined user groups; window 903 and those used to display the Wind〇ws% trademarks manufactured by Microsoft Corporation (Microsoft Corporation) The operation system is similar to the first-level IA case-level window. In the window 903, all the user groups targeted by the management user that Tu Can's management user is using are displayed in black; all other user groups are displayed in gray. On the two views ®: Two button bars (91i and 915). Button tape 91 lists: some available displays used to modify the access control database 3101, while button tape 915 lists: those that may be performed on those displays — some operations. Thus, the button labeled "User Group" in the button strip 911 is highlighted, thus indicating that the display figure 901 is a display diagram for colonizing and defining the user group. Regarding the button strip 915, when Windows 903 is currently used -53- This paper size applies to China National Standards (CNS) A'l specifications (21G X 297 public love y ------------------ ------ Order .-------- line > (Please read the precautions on the front of the goods before filling out this page) 4 48387 A7 B7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs " 2. Description of the invention (51) When the status is' right to manage one of the user groups, the management user may modify the user group, the method is: select the user group in the window 903: and use the button with 9 Click the "delete" button in 1 5 to delete the user group; or use the "new" button to add and name the selected user group in the hierarchy A new user group of. When the management user clicks the (clicks): Apply (appiy) button 921, the access filter 2 0 3 will modify its access control A copy of the database 301 to verify what is on the display map 901; and to propagate the modification information to: a copy of all the access control database 301 in the VPN. The window 909 displays the user. By The way to identify users in a collection is to 'indicate one collection of users in the display. In this case, users are identified by IP addresses, and they are all identified by jp addresses. The range appears in the display. The button with 913 indicates: other types of identification methods that can be displayed in window 909. As with window 903, 'When the window is currently in use, you can use "Add" and " Delete " Two buttons to add and delete users. To assign the (many) users specified by the user identification information to a user group, the use of the GUI will choose: a user group , As shown at 917, and a collection of identification information, as shown at 919; then use the "add to group" button in the button strip 913 to add the identification information The set is added to the user group, as shown by the fact that the range of the selected IP address at 919 now appears below the selected user group at 9 i 7 In the hierarchy, the effect of this operation is: make many users become members of the "R & D" user group, which makes -54- this paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) -------------- 1 I ^ -------- Order · -------- line ", ^ Read the phonetic on the back? Please fill in this page again for the matter} 44838 7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs ^ ί A7 B7 V. Description of Invention (52) The user's dialogue has the source IP address listed at 9 17; and, when used When the user clicks the " Apply " button, all copies of the access control database 301 are modified. Figure 10 shows a display diagram 1001 used to define an information set. Here, window 1003 contains a hierarchical list of information sets, and window 1005 contains a hierarchical list of available resources. It is formulated in the same way as the list of user groups: a hierarchical list of information sets, and a hierarchical list of available user groups. Furthermore, the information set and available resources that the user has management authority to manage in the display diagram 丨 〇〇 丨 are shown in black; all other items on the list are shown in gray. In Windows 100, the available resources are: Internet and two locations that make up VPN 201. In a more developed version of VpN 201, the list of available resources should indicate: the server at the location, the services in the server, and the information items provided by the service. For example, if the service provides a directory tree, the information item contained in the green tree should be indicated by a pathname; the path name will specify the root of the directory tree and will use A wildcard character ("wiidcard" is used to indicate some files above the root of the directory tree. When adding a resource to a server, it is possible to define the resource through window 105. So, it has been The resource is defined, and the resource may be assigned to the information set in a way that is similar to a user identification information assigned to a user group. Furthermore, clicking m㈣ causes the changes in the display @ 1QQI to be propagated to all storages. Take a copy of the control database 3 01. Figure 1 丨 Display: display diagram for defining decisions 丨 10i. Which type of decision is being defined and specified in the button band m3; as shown there Refers to -55- This paper has passed the Chinese Gardener's Standard (CNS) A4 specification (210 297 mm) — .11 —---------- * ------— Order ·- ------- 1 \ (Please read the notes on the back before filling this page) 4483 8 Member of Intellectual Property Bureau, Ministry of Economic Affairs Printed by the Industrial and Consumer Cooperatives * "A7 B7 V. Description of the invention (53), display diagram 110 丨 Defining access decision 3 All decision display diagrams have the same general format: a window 丨 丨 03, which contains the use of Hierarchical display of one of the user groups: a window U05, which contains one of the object levels for which decisions may be defined: and-a decision definition window 1107, which contains some access decision definitions 1108. In the object In the hierarchy, the user of the display map u〇1 has the right to define the objects to which the decision is directed, while the others are gray. In the display map 1 101, the access decision is being defined, so the objects are Information set. Each access decision definition has four parts: An active checkbox 1117, which indicates whether the access decision defined by the decision definition is active, that is, it is being used to control the access decision. Fetch operations: • The access group is being defined for the user group 1 119; * The access decision is being defined for the user information set 1 12 3: and, the access operation is located 2 1, which indicates the storage Fetch operation Allow or deny to define access decisions. Menu bar 1109 and button strip ms allow decision makers to decide which administrators are allowed to edit, add, delete, and activate or deactivate ) —Selected decision definitions 丨 108. The active circle check box 1Π7 of each decision definition 1108 allows the administrator to start or remove the selection decision definition Π 08; access the operation field 丨 1 2 1 allows the administrator to choose to allow or Reject as a decision. The |, delete button in the button with π 丨 5 allows the administrator to delete a selected decision: while, the new,. Button allows the administrator to define a new decision definition 11 〇8; To do this, the administrator will choose · ---- ^ --------- Jtr · --------- I »(Please read the notes on the back before filling in this page ) -56-44838 7 Printed by the Intellectual Property Bureau of the Ministry of Economic Affairs and Industrial Cooperatives A7 B7 V. Description of the invention (54) One of the user groups in window Π 03 and one of the information sets in window 丨 丨 05: Then press the "Add" button. A new access decision definition 1 108 appears in the display TF graph I 1 07: and the 'administrator can edit the new access decision definition, as just described. To apply the change to the access control database 301 and propagate it to all access filters 203; the administrator will click on the "Apply" button 1125. The display also contains a decision evaluator Tool program (p〇Hcy evaluatortoo 丨), which allows administrators to see how the current set of access decision definitions determines access operations for a given user group or resource set. When the administrator clicks: When you click the "p〇ncy evaluation" button in 1113 and select a user group from the display diagram n03, the tool program will display: The selected user group is blue: The decision definition allows user group access and all the information sets in the display UQ5 are green: and the rest are red: The decision as to which information sets may be accessed by the user group is β. All decision definitions are Convex ^ in the same color set "If the administrator selects an information set 1 ': Situation; then, the evaluator tool program will display: The selected information set. The current basket color, all user groups that can access the information set are green = f surplus: it is red, so it also highlights 1 have me. The user is also able to select -items. In that case, =, now blue 'and the user groups and information sets affected by the decision = the main monitor color or red, just like the' Γ > determined by the decision. In addition, select more than one: user Group, information #. The user can, in that case, the evaluator tool program treat each item $, 朿. In and Dongdong show: Applicable to the Institute 57- This paper size is applicable to the Chinese National Standard (CNS) A4 specification (210 X 297 public hair 碎 broken-^ read the notes on the back and fill in the wooden pages)

Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs.44838 7 Α7 Β7 V. Description of Invention (55) Some options and the effects of those decisions. The evaluator tool program can be turned off by clicking the decision button " button in the button belt 1113, and the color and highlights can be applied by clicking on the red belt 1115 11Reset evaluation " (reset evaiuati〇n) Turn off according to the red in order to prepare for a new decision evaluation. FIG. 12 shows: FIG. 1201 is used to input information about an access controller 203 into the access control database 301. Window 1203 displays: a hierarchical list of one of the accessors 203; when the window is active, the two buttons "Add" and "Delete" in the button strip 1209 may be used to add or delete Access filter. The window 1205 is used to input or display information about the access filter 203. The display in window Π07 is determined by clicking on one of the red buttons 1207 and pressing 4s; as shown in red, the display in window 1207 can be used to: enter and check Enter and view information about the trust level of those connections based on information about the many network connections that have accessed the 203, scan the network for available servers and services, and detect problems detected in the access filter 203 The alert information (alerts) is established to specify optional parameters for the software and to specify the allocation order changed by the access control database 301. "Alert setup: (" alert setup: ("highlights the function instructions. The display shown in Figure 12 shows the display of 1205 is used to display and create the display of the warning information." User interface for inventing resources: Figures 18 and 24 User interfaces for inventing resources: Figures 18 and 24 Users of VPN 201 have an interface to see what resources are available to them in VPN 201. Here It is called the IntraMap (intra-image) boundary ___- 58- This paper size applies to the Chinese National Standard (CNS) A4 specification (210 χ 297 mm) I ------------ 4% ^ .- ------- Order --------- line (please read the notes on the back before filling this page) 44838 7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 B7 V. Invention Description ( 56) IrmaMap (Internet Dynamics,

Incorporated (a trademark of Incorporated)), at least for each user is displayed. · Resources that belong to the information set that the user may access according to the access decision for the user set to which the user belongs. In other embodiments, intraMap may also consider the sensitivity level of the resource and the trust level of the user's identification method. The interface is constructed by a Java program (JaVaTM appiet), which is executed on any World Wide Web (www) browser equipped with java. Using a web browser, users can scan graphic displays to: find and access resources available to users: or request access to resources that are not currently available to users. Access to resources by users is determined by many access decisions that apply to users and resources. Figure 18 shows: The display generated by the IntraMap interface is Figure 1801. The left side of the IntraMap display map 1801 shows: the resource list 1803: and the right side of the display map shows: Find 1807, Sort section 1809, Services section 1811, and The Description field is 1813. By clicking the "Help" button (Help) 1815, you can use the on-line help program of intraMap (available on-line help). The resource list 1 803 shows: For users who are using the IntraMap interface, the resources and information available in VPN 20 1 are available. This list is not hierarchical. The user can expand or reduce the branches of the tree " by clicking on the "+ " and " _" tags on the branches. Each entry in the list is 1804 The name of the resource will be included. The color used to display the posted items indicates: what access operations the user has. D If posted -59- This paper size applies the Chinese National Standard (CNS) A4 Regulations (210 X 297). -------- Order --------- line (please read the notes on the back before filling this page) 44838 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs $ Λ A7 B7 V. Description of Invention (57) Item I 804 is displayed in blue: the user has a kind of current hyperlink for the resource and may click the resource twice to make it invisible. "If the resource is displayed and presented Black, although it is also available to users, but there is no hyper communication link available, so a separate application must be used to retrieve the resources. Although the resources shown in gray are not directly available to users Use, but if the user chooses one Item Resource 'IntraMap interface will open a dialog box: Allow the user to send an email (e_mail) requesting an access operation to the administrator' The administrator has responsibility for the access decision of the information set to which the resource belongs Your responsibility. Then the 'administrator may modify the access and / or management decisions, if necessary, to give the user access. The administrator may further assign resources, and hide hidden properties. When the resource has this characteristic, the resource will only appear in the IntraMap interface 1801 if the user belongs to a user group that is an information set of an information set to which the access permission belongs. If the resource does not have the hidden feature ’, it will always appear in the IntraMap interface 1801. In other cases, it does not occur. A resource may have a more detailed description than the description contained in its publication 1804. When the user selects the resource, the description is displayed in the description field 1813. In addition to the resource list 1803, the IntraMap display map also shows two specialized resource lists at 1805. • What ’s New 1’1806 shows: recent information postings from other departments within the enterprise. If the administrator has given the user access to the "Which is the latest" web page, the user may post a URL (common resource indicator) of a new resource there. -60 * This paper size applies to China National Standard (CNS) A4 specifications (210 X 297 public hair ^ --- Λ clothes · ------ order · -------- 'line * t ( Please read the notes on the back of is before filling in this page > 448387 A7 B7 V. Invention Description (58) • " Which is the most popular " (What's Hot) 1 808 Based on how long the resources have been accessed, it shows the company The most popular information resource. The service type control table at 18 11 allows users to filter some resources that are intended to be displayed in the resource list 1 g03 according to the service type of the 'k source'. In 1 811, each service type has a circled box. If the box is circled, resources that include the service type and are associated with this service will appear in the resource list. In other cases, this service has The associated resources will not appear in the resource list. The intraMap interface allows the user to sort the resource list by information set, location, or service 1803. To perform this, the user will choose the way he wants to sort in Sort resource list in field 1 809. Users may also Indicates the order in which categories are used in the sort field. The interface also has a search function. To perform a search function, the user enters a search string into the " find " field 1 807. Then search the resource list and resource description for the resources related to the string according to the order specified in the sorting block 1 809. The search function is only to find the word matching of the whole or Shao Fen (worci matches). The situation is not very sensitive. 'The first match is displayed, it is possible to use some function keys to navigate to other matches. Of course, if the user has not checked one of the service type fields 1811 Service type, then many resources of this service type are not involved in the sorting or search operation. Figure 24 shows a construction example 2401 of the IntraMap interface. For users of VPN 201, the IntraMap interface appears as a web page. The report management program 209 running on the access filter 203 (c) in FIG. 2 provides -61-This paper size is applicable to China Solid @ 家 standard (CNS) A4 specification (210 * 297 public hair) (Please read the notes on the back before filling this page)

I i 1 * n I—!-II Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 4483 8 7 A7 ---- B7 I. Fifth, the invention description (59) (please fill in the precautions on the back of sals first Page) One of many resources. In VPN 20 {-the user; or 'even the general public (that is: someone who is a full member of the Internet user group) may use the same as he may be given access to any other resource Mode, given access to the IntraMap interface. As will be apparent from the description below, the web page for IntraMap may be on any server in VPN 201. Construction example 24〇 丨 has: in a workstation 2403 'used by a user to look at

Components of IntraMap; components in access filter 203 (1) that are local to workstation 2403; and components in access filter 203 (c), the access filter is a report The access filter on which the hypervisor 209 will run. Of course, the access filter 203 (c) may also perform a function like a local access filter. "The local access filter 203 (I) is connected to the report access filter 203 (c) through VPN 201. The workstation 2403 is connected to the local access filter 203 (I) through a local area network (LAN) 2 13. Line · Member of Intellectual Property Bureau of the Ministry of Economic Affairs ^ -Printed by Consumer Cooperatives As will be explained in more detail later, all access filters 203 have a layered architecture. At the lowest level is an Internet Subcontracting Information (IP) filter 24 19, which deals with only the header of Internet Subcontracting Information. The subcontracting information filter 24 19 reads the source and destination addresses in the Internet subcontracting information header and applies a set of rules to the subcontracting information. As determined by the rules, IP filters do not accept them and discard them; they further route them in VPN 20 1 to guide them. This rule will also determine how to route the received subcontracting information in the access server 203. The next level in the architecture is _ service proxies 2427. Service representative server meeting -62- This paper size applies to China National Standard (CNS) A4 (210 X 297 mm) 448387 A7 B7 Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs For traffic of services such as the World Wide Web (WWW), and perform access check on traffic & volume. If the access filter 203 provides the service itself or performs access check on one of the servers providing the service, Then the IP filter 2 419 sends the subcontracting information for the service to one of the service-oriented service proxy servers 2427. The service proxy server uses the access control database 301 to perform protocol-level access check for the service. For example, a service proxy server for a web service may check whether the user who is making a request for a given web page is authorized to access the web page. The next souther level is the service level 2425; if relevant Of the service proxy server that allows a request and the access filter is also for the service server, it is intended to go to the service at service level 2425 In the case of a web page, the service should indicate the location of the web page and return it to the requester. In IntraMap, two services are involved: web (network) service and IntraMap service. In Figure 2401 'Web The service appears as WebS 2423. The proxy server for WebS 2423 is WebP 242 1; for many reasons that will become apparent in the description below, the IntraMap service has only one proxy server: IntraMap 2417 »In addition, the access control database 301 includes IntraMap information 2422, which is an optimized version of the information in the access control database 301. It can be used as the basis for the IntraMap display map. About the access filter 203 (c) and storage The main difference in the IntraMap construction example between the filter 203 (I) is that the access filter 203 (c) includes a World Wide Web page 2410 with a copy of the IntraMap Java program 2411. When the access filter 203 (I) Downloaded to the workstation-63- This paper size applies to the Chinese National Standard (CNS) A4 specification (210 * 297 public love) --------- f I! ------ ----- 1 order — I {Please read the matter on the back, please fill in this page first) 4483 8 7 A7 B7 V. Invention description (61) When the web browser 2429 in 2403, the Java program 24 11 will generate a pointer to IntraMap The request from the server 2425, and then use the results returned by the intraMap server 2425 to generate an intraMap display I 801. The operation is as follows. For the user of the workstation 2403, IntraMap may appear as a communication link for a web page. Therefore, if you want to use IntraMap, you will start one of the 30 pages 2410 communication links for 1: 1. The network / web browser 2429 in workstation 2403 will respond to the initiation of the communication link, just as it should respond to initiation of any other communication link to the web page: it makes a request for the web page, and The request is sent to the word server shown in the communication link. In the case of a communication link for IntraMap 'because the communication link specifies the web server 2423 in the access server 203 (c)', the request passes through the local access filter 203 and vpN 201 and go to the access filter 203 (c). Just like any other access operation to one of the resources in VPN 201, the local access filter 203 (1) performs an access check for IntraMap webpage requests. Since the request is directed to the webpage ’, the web proxy server 2421 completes the access check. In most VPN 201, the IntraMap webpage 2410 will be accessible to any user in VPN 201; therefore, the access control database 3 0 1 indicates that it has a valid IP source address Any user of may access the IntraMap webpage 24 10. When the request is received in the storage access server 203 (c), the IP transitioner 2419 forwards it to the network representative server 2421, which sequentially forwards the request to the network server. 2423 'It responded to the request by downloading the IntraMap Claw Program 2411 to the web browser 2429 in the workstation 2403, -64- This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 G) (Please read the notice on the back of is before filling out this page) 1 n I—rn 1 ° JI (^ 1 IIII '^' ^ rKr. Printed by the Consumers ’Cooperative of the Intellectual Property Bureau of the Ministry of Hydrocarbons 4483 8 Economy Printed by the Intellectual Property Bureau employee consumer cooperative A7 B7 V. Invention description (62) Among them: IntraMap Java program 24 丨 1 began to be implemented in the Internet tide. During the execution, it will send a request to the target theory ⑽ 叩 IntraMap proxy server 2427 of information 2422. Like all Java programs, IrmaMap Java program 2411 sends requests to the server it is in. 'In this case, it is an access filter.' However, , Just like any other access from workstation 2403 Do that 'The request will advance through the local access filter 203'. Voila, the intraMap proxy server 2427 will detect that the request was addressed by the IrmaMap proxy server 2427 in the address fetcher 203 'instead of sending the request Sent to the access controller 203 (c); IntraMap information 2422 is obtained from a local copy of the access control database 301 in the local access controller 203; the information is filtered so that it states: Access the resources belonging to the information set targeted by the user groups to which the user belongs to generate the list 243 1; and then transfer it back to the IntraMap Java program 2411 via LAN 213, which then uses the list 2431 to generate IntraMap displays Figure 180. In terms of generating the display map, the Java program 2411 will apply any access filters specified in the request, and will also sort the list as specified in the request. List 243 i not only means that π may be Resources for use, and contain the information needed to extract v. Shen: Beiyuan. Yu Xi, if the resource has a type of hypercommunication link ', the hypercommunication link is included in the list; if it is a The user currently does not have access, but the user may request access to the targeted resource. The list includes: the name and email address of the administrator of the resource. Access control database 3 〇1 details: Figure 1 3 to 1 7 3 Details of the access control database 3001: Figure I 3 to i 7 -65- This paper size applies to the Chinese National Standard (CNS) A4 (210 x 297 mm) IIII ^^ 1 __ _ 1— τ ^ ρ -Γ I * f— HI II ^^ 1 ^ ~ · II 11 ^^ 1 ^^ 1 --- I_I-. I I. (Please read the notes on the back before filling this page) 448387 A7 B7 V. Description of the Invention (63) In a preferred embodiment of the access controller 203, an access control database 30 1 is constructed at two levels: one level is used by a graphical user interface To manipulate the access control database 30i; the other level is used in the actual access check. The first level is constructed using the Microsoft Jet trademark database system developed by Microsoft Corporation. The second level is constructed using memory mapped files (MMF) compiled from the first level database. The following discussion will describe a first level construction example 'and show how the information contained therein can be used in access checking. In studying this discussion, you should keep in mind that the actual access check is done using MMF, as will be described in detail later. Printed by the Intellectual Property Office of the Ministry of Economic Affairs, Consumer Cooperatives. As is the case with most database systems, the Microsoft Jet trademark database system has a diagram that is: a description of the edited structure of the database. Figures 13 to 17 are display diagrams generated by the Microsoft Jet trademark database system for the diagram of the access control database 301. Figure 13 shows a diagram 1301 for a portion of a database that defines many user groups. The display diagram consists of two elements: the notation of "classes of tables" 1303 in the database, and the "communication link" that shows the relationship between the two tables that belong to certain categories of the table ; 丨 30 table method. The notation of the category of the table shows: the name of the category at 13 10; and at 1308, the data field that will be included in every table belonging to that category. Each instance of the table has an identifier (ID) assigned by the database system. The other information in the table will change depending on the type of table. By using the ID of the second table in the first table to create a belonging table -66-

44838 7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 B7 V. The communication link between the first table of the first category of the invention description (64) and the second table of the second category of the table, and vice versa . Thus, the communication link 1 305 shows that some tables in the 'user group tree' category table 1307 and "user groups" and some tables in category table 1 309 can be linked. Some communication links have numbers at both ends of them. The number indicates: at the end of the number, the number of communication keys that the watch may have. Therefore, the communication link connecting the category table 13 009 and the category table 13 0 7 has: at the category table 13 009 The number 1 at the end of it, and the number ① at the end of category table 1 307; thus indicating that any number of ids in the instances of category table 1309 may appear in one instance of category table 1 307: but Only one ID in one instance of the category table 1307 may appear in one instance of the category table 1309. User group table: Figure 1 3 3 User group table: Figure 1 3 The user group table 1301 contains a user group category table 1309 for each user group in the database 301. In the "User Groups" category table 1 3 09, 'The data of particular interest include: group name, which is the character-string name of the group; group description, which is the group's A string description; and pre-defined information indicating whether the users who are members of the group are: an administrator, that is, capable of making management decisions; a security officer, that is, capable of making decision makers Decision-making; or a mere information user. The user group table 1301 will further organize many user groups into a hierarchical list-not only for inheritance rights, but also for the hierarchical display of user groups shown in window 903 in FIG. 9- 67- This paper size applies to the national standard of China i (CNS> A4 specification (210 X 297 male t) ------------— * x ^ · ------- ^ I-- ------, line r, (Please read the notes on the back before filling this page) 44838 7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 ------ B7____ V. Description of the invention (65) Figure 'so that the user identification method is associated with the user group, and the alert message is associated with the user group, organized into a hierarchical list by the user group tree " category table 1 307 Some tables in the "user group tree" category table will link one of the "user group" category tables to a parent user group (Also the type of u user group). For a specific "user group" table, multiple "user group tree", the table may Here, it depends on the number of places in which a particular user group appears. As already mentioned, there are five different ways to identify users to an access filter 203: by丨 Port address range, by a fully-qualified Internet domain name 'by user identity in the operating system of the Microsoft Windows trademark, by an authentication token, and by a certificate. Table classes that identify the user's table by the certificate are displayed at 1321. Class tables for the table that identifies the user by the IP address range are displayed at 13 17; for the IP network Those category tables whose fields identify the user's table are displayed at 13 19; those category tables for the user's table identified by the operating system ID (identifier) of the Microsoft Windows trademark are displayed at 13 15; and The category table for the user's table identified by the clock token (labeled as a smart card in the figure) is displayed at 1323. Finally, the category table Π25 defines: Yu Jing Some tables of information. &Quot; User Groups • One of the category tables 1309 may make it relevant to any number of tables for any way to identify users. As the matter says That way * may be identified in many different ways at the same time-the intended user. -68-This paper size applies the Chinese National Standard (CNS) A4 specification (210 x 297 public). (Please read the precautions on the back before filling in this Page) ^ · ------- ^ ---------- Tired '4483 8 7 Α7 -—-__ Β7 V. Description of Invention (66) The wisdom of the Ministry of Economic Affairs on the elimination of cooperatives of employees of the Production Bureau In order to perform an access check, the access filter 203 must decide which user groups the user requesting belongs to. The request includes a user identification method 'so the identification method is the starting point for the decision. Some tables in the user group table 1301 will allow access to the filter 203: according to the identification method to determine which user groups the user belongs to, and according to those user groups, determine some other uses that determine which user the user belongs to Hierarchical relationship of the group. Assuming that the user is identified by an IP address, the access filter 203 starts to work by looking for one or more tables in the "IP address range definition," category table (in 13 17). The category table defines: the range of IP addresses including the user's IP address. Each of these tables has a communication link to the " IP address range " category table (in 13 丨 7), which makes the "IP address range definition " category table defined The range is related to the user group ID, which corresponds to the user group of the IP address range and T, which in turn can be used as a communication link to the " user group category table 1 309. use. " User Group " Each of the _type tables in the category table 1309 has a pointer to the "user group tree_, category table!" The communication path of 307 is therefore able to follow some communication links And pointing to the "user groups", "user groups," and the category table, which are specified by the jp address, these user groups will inherit the access rights. Therefore, when the process ends, 'The IP filter 203 has pointed out the location of all user groups, and they are all related to determining whether the user is likely to access the resource. Moreover, the IP transitioner 203 knows on request: how to identify the user; Decide: what level should be assigned to the user identification method used in the request β Compile the information in the user group table 1301 into mmf (note -69- This paper size applies the Chinese National Standard (CNS) A4 specification ( 210 * 297) 483 8 7 A7 B7 Printed by the Consumers' Association of the Intellectual Property Management Bureau of the Ministry of Economic Affairs. 5. The invention description (67 memory mapping file). When the user starts the conversation, the user will provide- Seed The user identification method gives the first accessor device 203 on the conversation path; the accessor device 203 uses a user identification method with _F in order to make-items equivalent to those described above. Decision. Therefore, the access controller 203 can decide: for a given user identification method, whether it recognizes a user who has access to the information; what user identification method it is; and therefore it has What level of trust; and which user groups and groups the user belongs to. Therefore, the user group table contains all the information needed for the user part of the -access decision 1108. Information set table: Figure 1 4 3 information set table: Figure 1 4 Figure 14 shows: the table for defining the information set of the table is just. These: will make many information sets (resource groups in Figure 14) and the s source that composes them "Related" and have a relationship with the network location of the resource; and will also organize many information sets into: a hierarchical list of information sets shown at 1003 in Figure 丨 0. In the access control database Each information set in 3〇i is classified by the "resource group" Table 丨 4G3. Through Table M19, the tables in the resource group table are organized into a layer for inheritance and display purposes w > between the resources and the resources that make up it, and Virtual, they are stored in it and the relationship between some positions in vp N are: The resource group element category (resource group elements) category table 407 is established by _ "jin. But this will be & quot The resource group " category table links to any number of tables in the It resource ^ groups category table. Link the resource group unit to the table—the table links to many category tables: ', site unit' (Site (please read the iiti item on the back of 璜 before filling this page)-~ k -------- Order --------- line.

297 mm) 4 483 8 7 A? B7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs * 'Agricultural V. Description of Invention (68 ^ Ming) ⑷ 1 ,,! Service "1413", and any of the "resources" 1409 "tables. For each resource indicated in the database 30, there will be a "source identification table." Included in the table are: i D of the resource: its name; ID for the service providing the resource; sensitivity level for defining the resource Heart: description of the source; email address of the resource manager; and a hidden flag, which indicates whether IntraMap should show the resource to users who do not belong to some user groups who have access to the resource The IntraMap interface will get the information it needs about the resource from the "Resources" table for resources. There are two types of tables: "Site Units" and "Services" tables, and There are two types of tables: Websites "415" and "Some of the tables in Serving Server" 417 belong to the category tables 1421 describing the location of information in the VPN. There will be a "Website" category table for each physical location in the: "Feeder" category table for each servlet in vpN: and a list of each service in vpN There is a "Service" category table. Now, the communication links in some tables in the category table and the website table will make many websites related to many servers: in the "server" category table, the communication links in some tables will use Many servers are related to the many services they provide: and the communication links in some tables in the "Services" category table will make many services related to the many resources of their host. In determining what information set the requested resource belongs to, the access filter 203 starts with the information in the request. The request is contained in a 1? Subcontracting message and therefore has: a header and a body (body). In the title, there is: an IP address, which is specified in one of the positions in the virtual private network 201, -71-This paper size is applicable to the Chinese National Standard (CNS) A4 specification (210x297 public)- ----------- ^ · ------- ^ --------- • Line · I (Please read the notes on the back before filling this page) 44838 7 A7 Printed by the Consumer Cooperatives of the Bureau of Economics and Intellectual Property, V. Invention Description (of the invention) and a server at that location; a port number, which specifies one of the services of the server. In the ontology, Cai: a resource description presented in the form prescribed by the communication protocol. For example, if the request is for a web page, the resource description will be the URL of the resource. The access filter 203 uses the p address to indicate the location of the " website " category table, and uses the communication keys in the table to indicate the " site unit " bit I of the category table I4U. This table relates the website to the server ID (identifier) of the servers at the website; and, the access server 203 uses the server ID to indicate the server for the website ... T "of some tables in the" Category "category table 1417. Then, it can use the IP address to indicate the location of the" Category Table "corresponding to the server listed in the request; and Follow the communication links of some tables in the following tables: from the server, the server to the server, to the service of the service: and then use the port number from π to find the appropriate "service" table. -Once it has issued the appropriate, service, and table, it will be able to follow the many communication links pointing to the " resource " category table ^ 9 = of these tables and indicate the "resources" corresponding to the request "The location of the table. From there, there will be a communication link to the" Resource Group Unit "category table Η07, which makes many resources different from some of the resource groups for its information set. There is a relationship. A lot of resources indicate in sequence the "resource group" category table U03—this table, and the = table all refer to a number of tables in the "resource group tree" category table Pass = link, so you can decide: set the strength of the branch + ·; ^ take the level of many source groups to which the resource in Λ belongs. After those things have been done, access to the device as found: and decide what Whether the request should be granted related: Group. The "resources" table for resources also contains the level of sensitivity for resources. Please note the S item on the back of the page before filling out this page) -------- Order- ---- The size of thread paper is applicable to Chinese National Standard (CNS) A4 Regulations-72- 4 4 8 3 8 7 _____B7_____ V. Description of the invention (70) Furthermore, the information in the information set table 1401 is edited into the MMF. When a request comes to the first access filter 203 in the path between the user and the server that provided the resource, the first access filter 203 will use the MMF case to make a logical equivalent to One of the decisions just described. So 'after viewing the MMF file containing the information from the user group table 301 and the information set table 1401, the proxy server has decided: the trust level of the user identification method, the sensitivity level of the information resource, the user User groups to which they belong, and information sets to which the information resource belongs. Decision table: Figure 1 6 3 Decision table: Figure 1 6 Figure 16 shows: some tables used in the access control database 30 to define access decisions; included in these decisions are: access decisions , Management decisions, and decision makers' decisions: • Access decisions make user groups related to resource groups; • Management decisions make their members one of the administrators. User groups are related to one of the following: 1. Another user group 2. —Information collection 3 — —Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Resources and Economy-«-------- Order --------- Line ' r. 4 is a location (website) in the VPN 5.-Access filter 203 or other server 6.-Service • Decision maker decision Makes the administrator's user group related to the information set. * 73-This paper size is in accordance with Chinese National Standard (CNS) A4 (2〗 0 x 297) ί 483 8 7 V. Description of the invention (71) Each decision will make the "left side," and "right side " There is a relationship, the left side is always "user group," category table 1309, while the right side depends on the type of decision, it may be "" resource "category table 1409," resource group "category table 1403 ( Display, newsletter) '" website " category table 1415, " service " category table 1413, u word server', category table 14Π, or ·, user group, category table 1309. Therefore, the decision tables 1601 are divided into three groups: the left table 1603, the decision tables 1605, and the right table 1609. The right to change decisions is hierarchical: members of a user group can change access decisions As determined by the administrative decision for the group, the "user group" table of the group indicates that it is one of many types of managers-a group. In turn, those # 理 员 may specify other management decisions related to their subdomain. Corresponding to two kinds of decisions, there are three category tables in the decision tables 丨 605: Category Access Decision _ '(P0 丨 丨 cies Access) Category Table 161 1, " Administrator Decisions (Policies AdmimSter) Category Table] 613, and some of the 'Policies Po ncy Maker' category tables 1691. All these category tables share many characteristics; they all include: the ID of the user group table to the left of the decision , An indication of a table (Ϊ 〇'decision (access operation is allowed or denied) indicating a list of items in the right side of the decision, an indication of whether the decision is predefined and cannot be deleted, and decision 疋 σ ' It is a kind of indication as it is currently used. The difference between the category tables is: which may be on the right side of the decision, and thus is the L-link to many entities on the right side in the case of access decisions and decision makers' decisions The entities on the right are just information sets. Therefore, the access decision M and "decision making _____ -74- This paper is based on the _ Home Standard (CNS) A4 Regulation χ 297 public love) (Please read the back first Please fill in this page again for attention)-Version -------- Order · -------- Line, printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 4 483 8 7 Α7 Β7 V. Description of the invention ( 72 'Some of the two category tables only include pointers to the right side of some of the tables in the resource group's category tables; however, some tables in the administrator's decision_ category table may contain pointers The following alternatives: | · user group " category list, "resource group," category list, ", website " category list '" vocabulary " category list, ", service" category list, and ΚResource " Many of the right-hand communication links in some tables of the category table. The right given to the user group specified by the user group on the right side of the management decision to govern the collection of many entities specified on the right side There are changes, depending on the type of body, as shown in the following table: Any one of the user groups on the left and the right 1 is allowed &access; the meaning of the access operation User groups can be created to target or include items Management decisions. This will allow responsibility User delegation rights (please read the precautions on the back before filling out this page) User Group User Group User Group Economy Group Intellectual Property Bureau Shellfish Consumption Cooperative Association Print User Group Information Set User Group members can Manage target user groups, including nested user groups. Allowed management includes: deleting, moving, and copying target user groups; nesting it on another user Groups; add members to it: and nest other user groups in which members of the user group can manage information sets, including some nested information sets. Allowed management includes: deleting, moving, and copying the target information set; nesting it in another information set; adding it to it; nesting some information sets in it. ', This paper size 剌 (CNS) A4 (2J0 X 297 ^ 7 k -------- Order --------- line 448387 A7 B7 V. Description of invention (73) Intellectual property of the Ministry of Economic Affairs Bureau Consumer Consumption Co-operative Printed User Group Website User Group Members are able to manage the website, including: "available resources" list (all access devices, servers, services, and resources) 'on the website Some of the units below. The official management of Gu Yan includes: deleting and moving the website; adding it to the information set; and adding some location and access filters to it β in order to define some new access filters 'Jurisdiction over corporate intranet locations is required. User Group Access Filters Members of the user group can manage access filters, including: from " available resources ,, lists (all servers Filters, services, and resources), some units under the access filter. Permitted management includes: deleting and moving the access filter; adding it to the information set; and adding some servers or services Give it. Use Members of the group server user group are able to manage the server, including: From the Available Resources list (all services and resources are some units below the server. Permitted management, including: Delete the server And mobile; add it to the information set; and add some servers or services to it. User group service Members of the user group are able to manage the service, including: from the 'Available Resources' list (all resources ), Some resources under the service. Allowed management includes: deleting, moving, and copying the service; adding it to the information set; and adding some resources to it. User Group Resource User Group All members can manage resources. Allowed management includes: deleting, moving, and copying resources; and adding it to the information set. III · -------------- (jing Read the notes on the back before filling in this page) ·, line 76- This paper size applies to the China Solid Goods Standard (CNS > A4 specification (210 X 297 mm) 448387 A7 B7 V. Invention Explanation (74) The following table describes: When each 0 05 & management user group appears on the left side of the decision maker's decision, the right of the user group is assigned to the user group on the left. "Group information set" is allowed " The meaning of the access operation The members of the user group M can manage the various access decisions used to control the information set by any user group, including some nested information sets They may also include information sets and any information sets from their descendants in the decision makers' decision-making. The Intellectual Property Bureau of the Ministry of Economic Affairs, the Industrial and Consumer Cooperatives, printed as indicated in the discussion of the above information set table, The proxy server running the access branch pair can use the "user group" table and the "information set" table to find: in the user group to which the user who is making the access request belongs, == is being accessed The information set to which the information resource belongs: and it can also use ^ to trust the level of user identification method and the sensitivity level of the information resource. The proxy server can then use the "Access Decision" table to find out whether any user group to which my user belongs may access any information set to which the information resource belongs. If any one of such user groups is found The user may access the information set if the requested trust level and the t-sensitivity level of the information resource are as high as possible. To determine the requested trust level, the proxy server must decide: any encryption technology being used And / or the trust level of the path in VPN 201 that is being used for access operations. This information can be obtained in Table 1 701 of the access filter shown in Figure 7 and described in If the sensitivity level of the access decision or access request does not allow the access operation: the message is ignored and any dialogue it belongs to is discarded ^ When the request is made by -77- This paper standard applies to China Standard (CNS) A4 specification (210 X 297 mm) ---: --------- r -------- 1r * ---------, line (please (Notes on the back of Mla before filling in this page) ^ 48387 A7 B7 Explanation (75) When a request is made for a user who is a member of one of the management user groups in the access database 30, the access check process is essentially the same: only a pity: when the access operation When allowed, it may result in changes to the database according to the rules announced above. This modification will then be propagated to all other access filters 203 in VPN 201. Server list: Figure 1 3 3 Server Table: Figure 17 Figure 17 shows a chart of some tables that are particularly important for the operation of many servers in a VPN. In a VPN, there are three types of servers: • Plain servers These are: servers that have resources stored on them and access resources by executing services. • Access filter 203. • Decision management program feeders. These are ... coordinated and allocated Database 301, and / or an access filter 203 that generates some reports on the operation and status of the VPN. The access filter 203 may additionally perform functions like a Yangchun server. For each of the VPN's One SERVER will have a "server " category table 1417. The information in the table for each feeder includes the ID, name of the server, the domain in the operating system of the Windows NT trademark, its Internet name, whether it is—access filter 2 〇3 and incidentally a decision server's access information can only be obtained through access filter 203, and whether it is within the VPN. If the server is an access controller 203, it will additionally have an access filter 203 provided for vpn -78- This paper standard applies to the National Standard (CNS) A4 specification (210 X 297 public) ) (Please note the back of M5 before filling out this page) _k -------- Order --------- line. Intellectual Property Bureau of the Ministry of Economic Affairs Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs Employee Consumer Cooperatives printed out their father's profile 8 7 A7 _ B7 V. Identity of other entities in the description of invention (76) 201 for identification and encryption. In a preferred embodiment, the identification is: X.509 certificate used by SKIP for the access filter. The X.509 certificate also includes a public key for the access filter 203. The public key may belong to one of many name spaces; the name space ID (NSID) is an identifier for the name space of public secrets: and the master secret identifier (Mester key ID, MKID for short) is the public key that is identified in the namespace. Also included in the table are: A communication link to the "Certificate Authority" category table 1 711, which indicates the certificate authority issuing the X.509 certificate for the access filter. Of course, 'some servers different from the access server also have X, 509 certificates.' And, in that case, their 'server' table will have the NSID and MKID. Each Yangchun server in the VPN will have one or more services running on it. For example, 'An FTP (File Transfer Protocol) service will be based on the TCP / IP suite of protocols (protocol suite) File transfer protocol to access files (resources) on the server. The "server" category table 14 for the Yangchun server has each of the following: points to the definitions available on the server Many communication links to a group table of services and resources. As shown at 1719, these tables include: " Services " category table 1413, which represents services; " Resources 11 category table, 1409 'which represents for use via services Resources: and _ · Service Definition π Category Table 1715, which will define services. + For the rest of the tables in Fig. 17, it is shown: some charts containing information used to access the controller 203. The category table shows -79 at 1705- This paper size is applicable due to the national standard (CNS) A4 specification (210 X 297 public love) ^ i— b ^ i— Λ in A · ^ — t I k (Jingxian wtf back Sr phonetic? Matters please fill out this page) 448387 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs A: B7 V. Description of Invention (77) Some tables will contain: All are used to allocate the database 3〇ι and / or the decision management program used to generate the report and used by the access filter 203: its category tables are displayed at 17 17 some tables will contain: Take the information of the many optional parameters of the software executed by the filter 203: the category tables are displayed at 709 and those tables will contain: information about proxy servers and other software modules, many of which have been accessed by the German device 203 Use this module to perform protocol-level access check in access filter 203: and some tables at Π07 will contain information about the trust and authentication methods for user identification methods and encryption types. Information on sensitivity definitions. Some tables indicated by the reference numeral 1708 will contain information about access to the VPN to which the shaker 203 belongs. The access filter 203 uses this information to route the conversation: and it is also used to determine: the level of trust that the given conversation is using for the path. "Routing table" category table 1 72 1 will define: a list of many current routes pointing to all networks that can access information from access filter 203. When those routes change 'Θ table will be updated automatically. 11 Attached Network " (Attached Network) category table Π23 will define a number of tables that indicate ... For each access filter 203' Access filter 2〇 3 Some of the networks that are currently attached; some tables in this category table will contain many communication links to some tables in the "Network Definition" category table, and 723, which will sequentially contain pointers to the " trust level One of the definitions in the trust definitions category table 1707 defines a communication link ', and this category table indicates the trust level of the network = the last category table in this group is " point-to-point connection " (p〇int t0 Point Connection) -80- Applicable to Chinese Standards (CNS) A ^^ j1〇x 297 issued by this paper standard ^ ~ I- '(III t—--I—. 1.-Ί >) I n-] \ ^ t __________ _ __ J f (碕 Please fill in this page first on the back of Mis) 448 387 Printed by A7 B7, Consumer Cooperatives, Intellectual Property Bureau, Ministry of Economic Affairs 5. Description of the Invention (78) Category table 1713, which will define: two accesses describing the information that can be accessed via VpN; the connection between the filter 2 03 Some tables. There is a table for each combination of source and target access filters 203, and one of the trust level definitions pointing to a trust level specifying the path between the source and target access filters 203 road. The level of trust in this table is based on the encryption technology used for messages crossing the path. As explained earlier, the "" User Groups" table 1301 and, information set, table 1401 will provide the information required by the access filter 203 in order to decide: the decision is made in the access decision in Table 1 60 1 Whether access is allowed; and, information about the sensitivity level of the resource being accessed is also provided. The access filter tables 170 1 will additionally provide the information needed to access the filter 203 in order to determine: the minimum trust level of the path in the VPN being taken by the conversation 'and the trust level of some available encryption algorithms. Therefore, if the access filter 203 decides that a given user who wants to access a given resource belongs to a user group that has access to the information set to which the given resource belongs, and decides that: The identification level of the identification method is not lower than that required for the sensitivity level of the resource. Then the access filter 203 can further determine whether the path's trust level is high enough; and if the trust level is not high enough, the access filter 203 By selecting an encryption algorithm with the required level of trust and encrypting the conversation, the trust level can be increased to the required amount. Available information table: Figure 15 3 Available information table: Figure 15 Figure 15 shows a chart for the available information tables 1501. The tables are all accessed by -81-This paper size is applicable to Chinese National Standard (CNS) A4 specifications (210 X 297 gong (please read the note on the back of ti? Matters before filling in. Each page) -1—] dn Γ * _ SI m I---u I--V6 Rabbit 448387 A7 ______B7 V. Description of the Invention (79) ίτ Read the precautions on the back before filling out this page) Filter 203 is used in order to generate a display map of available resources 〇5, as shown in Figure 10. Some of the category tables shown at 1502 will make each server related to the service of the Έ and related to the resources provided by the service. Shown at 1504—these category tables organize many available resources into a hierarchy for inheritance purposes: and are also used to generate a hierarchical list shown at 1005; further, by following Many communication links from the unit "list to server" list, the access filter 203 can determine: the level of website, server, service, and resource. At some category tables at 1 503, a distribution tree of access filter 203 is finally created. As will be explained in more detail later, when the access control database 30 I is modified, the tree defined by those tables is determined: the order in which changes are assigned to some accessors is modified by β Access Control Database 30 1: Figure 1 9 '3 Modify Access Control Database 301: Figure 1 9 Employee Consumer Cooperatives of Intellectual Property Bureau of the Ministry of Economic Affairs printed as mentioned earlier' Each access filter 203 will have one An exact duplicate of the copy of the access control database 301 belonging to the master decision management program 205 in the access filter 203 (a) of FIG. 2. Fig. 19 shows how to modify the copy of the access control database 301, and, at first, to distribute the modification information from the access filter 203 (a) to other access subtractors 203. Figure 19 shows: the access filter 203 (a) with the master decision manager 205; and another access filter 203 (3), where an administrator using one of the workstations is modifying the access control database 3 〇1. The messages that need to be used to allocate and synchronize information 1909 are encrypted using SKIP-82- This paper size is applicable to China National Standard (CNS) A4 (210 X 297 g) 4483 8 7 A7 B7 was printed by the Cargo Cooperative Fifth, the description of the invention (80), and it was sent via VPN 201 using a communication protocol called "private communications service (PCS)." There will be many copies of the access control database for the filter. There are at least two copies of any access controller 203: a live database (LDB) 1907, which is currently being used to execute Access to the verified database; and mirror database (mirror, MDB for short) 1 905 'It is: a copy that can be switched into, intended to replace one of the databases of the live database 1907. The router 203 (a) has: an MDB 1905 (a) and an LDB 1907 (a); and the access decrementer 203 (i) has: MDB 1905 () and LDB 1907 (). If an access filter 203 is being Used by the administrator to modify the storage Control database 301, it will additionally have at least one working database (WDB) 1903. The working database is: it is not a copy of one of the databases being used to control access operations, so it can be copied by Modified by the administrator. The administrator will do this by using a network connected to one of the workstations or PCs (personal computers) that access the computer. The workstation or PC will display the management graphical user interface described above, and The administrator uses a GUI (graphical user interface) to make many changes as enabled by some management decisions. These changes may affect any aspect of the information stored in the access control database 301. As described above As instructed, the change in cargo is a change in access or management decisions, so the administrator can use the decision evaluation feature to see the effect of the change. When the administrator is satisfied with the change ^, he clicks: " Application " Eucalyptus button: Therefore, many heat-removing knives are allocated to all access filters' and included in each access filter; the cost of the filter is -83- In accordance with Chinese National Standard (CNS) A4 (210 χ 297 mm) J [1 .- ’V I.

Employees of the Intellectual Property Bureau of the Ministry of Economic Affairs, Cooperative Cooperative Press 5 5. Invention Description (81) in the library. The process of updating all live databases is called: database synchronization and distribution. There are three stages to this process: First, the modification information is sent from the access filter 2 03 (here, the access filter 2 03 (i)) where they are generated to the master database. The access filter 203 (here, the access filter 203 (a)). • In that case, incorporate many changes into the master database. The way to do this is to incorporate many changes into the mirror database i 905 (a), and then swap the live database 1907 (a) and the mirror database 丨 9505) and then change New mirror database 190 (a). • Then ‘distribute many changes from the master decision manager to other access controllers. At each access filter 203, synchronization is done in the same way as with access filter 203 (a). The order in which changes are made in the access filter 203 of VPN 201 is determined by the allocation tree 丨 5 丨 丨, and the access filter display diagram 120 1 is used to build it in order. An access filter 203 with a master decision manager 205 is always the root of the tree. The first access filter 203 installed in the VPN 201 by default has a master decision manager 205. When other access filters 203 are installed, they are added to the tree as children of the master decision manager. The master decision management program assigns many changes to its children in sequence. When each child access filter 203 receives its allocation information, it then assigns it to its children. Says: A kind of self-top-84- This paper size is applicable to China National Standard (CNS) A4 specifications (210 * 297). First read the phonetic on the back? Please fill in this page for more information) T___ ^ 6 Printed by the Consumers' Cooperative of the Intellectual Property Bureau of the Ministry of Online Economy A shallow allocation tree will complete an allocation cycle faster than a deep allocation tree with few branches from the top. An administrator with proper access to information can reconfigure the allocation tree 'to make allocation more efficient. If two administrators have modified the same information section (for example, the 'access filter definition') in a different working database [903], a synchronization conflict will occur. When this happens, the master decision management program 205 decides: which modification information is to be included in the access control database 3 〇 β to optimize the access control database 3 〇1: Figure 2 1 and 2 3 3Optimize the access control database 301 • Figures 2 丨 and 2 3 Although the management graphical user interface (GUI) 1915 is suitable for continuous storage and use; but for use in real-time access check, the data The library 301 is not optimized. As will be explained in more detail below, the access filter 203 optimizes the data in the database 301, which is required for run-time access checks, and is then used to generate the IntraMap Show graph. Every time a new copy of the database 301 is received in the access filter 203, it performs an optimization (0ptimiZation). According to their optimized form, the database 301 is a collection of many memory mapping schemes (MMFs), in which access decision information is stored in a form that allows fast access. The reason why it is called MMF is that although they are generated as normal files, they are subsequently attached to the memory space of a program, and are all operated by some memory, not by file operations. Access. Further optimization is achieved by using MMF files in order to generate some rules: by IP source and destination addresses and against -85- (please read the notes on the back before filling this page) — II ---- -line

This paper size applies the Chinese National Standard (CNS) A4 specification (21〇χ 297 mm) 'J 448387 Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 B7 V. Description of the invention (M) The access operation is allowed or denied Port number, use this rule to perform low-level filtering of the message β Figure shows an example of MMF file 2303. The file in question is: DBCertifiCatesbyUSerGr〇uP (Database identified by user group " Certificate, ... " File 2 丨 〇1, which will be used to identify certificates that belong to a number of specific user groups The matching criteria are mapped to: some identifiers in the database 3W for records of many user groups specified by the certificate matching criteria. Thus, Building Case 2101 allows a proxy server fan with a certificate that will identify the source of a message that has been encrypted using SKIP: many user groups to which the user identified by the certificate belongs. In a preferred embodiment, the certificate matching criteria are: 0 (organization) '0U (organization unit) in the x.509 certificate, and (eight (certificate authority) fields. All MMF files 2303 have the same There are two main parts of the general form: the title part 2103, which contains the information being mapped by the isthmus: and the data part 2105, which contains the information being pointed to by the mapping. The title 2103 contains many publications A list of entries 2107. Each entry will contain: the number by which it is being mapped (in this case, the CMC Matching Criterion (CMC) 21〇9): and Point to the index (pc) inter) 21 ii in the data part 21〇5, which contains β Λ which is being pointed to by the mapping (in this case, it is: for the identification by CMC 2 丨 09 Among the many user groups to which the user belongs, one of the identifiers 2U3 in the database 3o 丨 is listed in 21) 5). Many of the entries in Title 2 103 are sorted according to the information on which they are being mapped (here, * CMC 21〇9), making it possible to use many standard fast search algorithms to n J- H ^ 1 ¢ .- 1 ^ — ^^ 1 I II · 1-*-III. 1 ^^ 1 one I l I----I n ft t (This page) -86-448387 Employees of the Intellectual Property Bureau of the Ministry of Economic Affairs, printed by the cooperative, A7 B7 V. Description of the invention (84) Corresponds to the position of one of the items in the set of matching rules of a given if book 2 丨 〇7a Figure 23 A , B and C provide: a complete list of many MMF files 2301 used in one of the access filter 203 construction examples β According to the description of the file contents provided in the table 'These files and databases The relationship between some tables will be obvious. Each MMF file 2303 is represented by one of the entries in the table, which indicates the file name and its contents. Subdivide the files into the following groups: 23 11, 23 13, 23 19, 232 1, 2323, and 2422. Some files of particular interest are: DBUsers (Database 1'Users) Building Case 2307 and DBResources (Database " Resources '') Building Case 2309, both of which describe decisions; DBCertificatesByUserGroup (by user groups To identify the database "certificate," file 2101, which is the MMF project shown in Figure 21 in detail; DBResourcelDbyServicelD (database identified by IP name " resource identifier ") file 23 15, it will make the URL (common resource indicator) of the resource and the resource ID (identifier): 08 feet 680111'0655 > ^ 16 5 0111 ^ 61〇 (database identified by resource 10) " resource ") Case 23 17, it will make the resource and resource group related; and DBTrustTable (database_'trust level table ') file 2325, it will construct the SEND table 601. Furthermore, the following files are used to compile the rules: DBServerlDByNameFile (database identified by IP name " server ID " file) DBIPAndTypeByServerlDFile (database identified by server ID " IP address and type ”) DBServicePortToProxyPortFile (Database " Service Port-to-Proxy Serving-87- This paper size applies to China National Standard (CNS) A4 specification (210 X 297 mm). Γ r I -------- Order ---------, line 'I. (Please read the notes on the back before filling this page) Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 4 48 3; 7 A7 __ B7 V. Description of the invention ( 85) Device port " File) DB AttachedNetworksByServerIDFile (Database identified by server ID " Subordinate network " File) DBRoutingTab 丨 eFile (Database 11 routing table "file) DBRoutingTablebyServerlDFile (by server Database "route selection table" files identified by the device ID) Many files in the IntraMap information 2422 were finally filtered to generate the list 243 1 and then use the intraMap mini Java program 24 11 Download it to the client for use. Details of the access filter 203: Figure 20 3 Details of the access filter 203: Figure 20 Figure 20 is a block diagram of an architecture 2001 of an access filter 203. In the construction example shown in FIG. 20, all access filter 203 components different from some NIC (network interface card) cards 2013 are constructed in software. The operating system manufactured by the company is under the trademark N of Windows. Software components are divided into two categories: those components that execute as applications at the user level 2003 of the operating system and those that execute at the kernel level 2005 of the operating system. By and large, programs executed at the core level perform: IP-level access checks, as well as encryption and authentication; those executed at the user level perform application-level access checks. Also included in the user-level component are: software for managing the access control database 3001, and software that generates MMFs and rules for p-level access checks based on the access control database 30i. The following discussion will be from the core level -88--tA -------- Order --------- line (please read the precautions on the back before filling this page) This' paper size is moderate a The cabinet is closed ^ ^ r C / 0 r 5 \ Ding Ί Ί I-Μ 公 4483 8 A7 B7 V. Description of the invention (86) and the item h is' continue to discuss the user related to the access control database 3 〇1 Hierarchical components, and then discussions on communication protocol-level access checks. Core-level components 3 Core-level components Network Interface Card (NIC) 2013: These are the Ethernet and token ring cards installed in the access filter 203. Generally speaking, there are three types of network cards ((; 〇1 ^ 41 ^^). One is: for the Internet, for a wide area network (WAN) 201 1, or for connecting to another — Configured to access the network interface of one of the filters 203. The other is configured for the interface 2 0 7 of all client computers; the third is designed to provide TCP / IP services The server interface is configured in 2009. If it is not necessary to place an access filter 203 between many clients and servers, there may be only two NICs 20 13: one for WAN 20 1 1 and the other For LAN (Local Area Network). If no server exists at the location of access filter 203, or 'if all local clients have access to all local information resources, it is acceptable; It is not necessary to put an access filter in between. Printed Gap Software (SHIM) 2017 by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs: When installing, insert a gap filler (Shiji software module into the Windows NT trademark operation Two levels of the system (NDIs and TDIS levels This will cause all traffic for a specific communication protocol to pass S ΗIM 2 01 7. In the construction example, all traffic for the τ c P / 1P communication protocol will pass SHIM 201 7 instead of TCP / IP通 -89- This paper is in accordance with the National Standard (CNS) A4 specification (210 X 297 public) 448387 Printed by the cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 ___B7____ V. Description of Invention (87) Letter of Agreement The traffic goes directly from the NIC to some appropriate other core modules. SHIH 2017 will invoke the SKIP module to handle the traffic of the TCP / IP communication protocol when necessary. SKIP module 2021: via SKIP 2 02 1 To send all IP network traffic. If the input subcontracting information is not SKIP type, that is, SKIP does not need to perform authentication and decryption services; SKIP module 202 1 will pass it to the IP filter module 2 0 1 9. Similarly, if the output subcontracting information is not intended to be encrypted, the SKIP module 2021 will send it directly to the appropriate NIC 2013 for transmission. Although there is SKIP type subcontracting information, But the identifier in SKIP module 2021 (Authenticat〇r) 2024 can be used to identify a conversation; the encryptor / decryptor 2022 can be used to encrypt and decrypt information at a conversation level. Possible use: any number of other access filters The server 203 uses some servers of SKIP and some clients of SKIP to perform authentication and encryption / decryption. The authentication and encryption algorithms are based on the SEND parameter and are set by the IP filter module 2019 for the output subcontracting information; or both are specified in the input subcontracting information. The SKIP module 202 1 will maintain sufficient status information for every other website it talks with, so that it can maintain high-speed operation for most SKIP-type subcontracting information. Sometimes subcontracted information will be parked, and additional processing (shared secret and temporary key calculation) will be performed. In userspace 2003 & skipd_, module 2037 performs this additional processing. IP Filter 2019: The IP filter operates according to a set of rules, the rule -90- This paper size is applicable to China National Standard (CNS) A4 specifications (210 X 297 public) 1 _ ^ 1--I 1 ^ 1 I---I —I JA · II 1-.- ---- or, li t—---1 i (Please read the notes on the back before filling this page) 448387 A7

Printed by the Employees' Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs " V. Invention Description (88) is: a rule compiler for a component of the database service 2029, which is formulated based on the access decision in the access control database 301. Ip filters — some basic functions are used to: 1 Pass traffic to the TCP / IP stack. 2 Blocking Traffic-Traffic for specific IP addresses is explicitly discarded ’and is based on many special rules for emergency situations. 3 Discard traffic-Explicitly discard traffic that neither matches any rules nor is allowed by any decision β 4 Agent handles the traffic-instead of delivering the traffic to the indicated target, it directs it to the One of the current proxy server applications on the machine. 5 Perform network address conversion-change a potentially illegal internal I ρ address to a legitimate IP address 9 6. Establish a code to strictly determine the rules for access control operations , The decision will be passed to pr Jpf (discussed below). In general, Mai is directed at dialogues that may be tolerated by decision-making or by the aforementioned νρΝ tunneling operating characteristics. IP Filter 2019 performs these functions based on the following information: rules generated by the rule compiler; source and destination IP addresses and IP addresses; encryption of input subcontracting information, or no encryption; and output subcontracting information Required encryption and authentication. Components related to database 3 0 1 3 Components related to database 301 • 91-This paper's fe standard meets the Chinese Standard (CNS) A4 specification (210 X 297 public love)------- ^ * ------- Order -------- »rr f (Please read the notes on the back before filling this page) 448387 A7 B7 V. Description of the invention (89) Shared Directory 2028: VPN 201 keeps a single access control database 3 03, which access / receiver 2 0 3 uses. All versions of the database 301 in a given access filter 203 are maintained in the shared directory 2028. The shared directory 2028 also contains the case of each user who has accessed: 203 of the green building case (丨 0g f 丨 丨. Private Connect Service (pcs) module 2025, PCS module 2025 is provided in VPN 201 The "access adapter" accesses the access controller «all such 'communications will have ^ own IP port number' and its messages must be encrypted. Some specific functions implemented by pcs messages are : • Allocation tree management; • Allocation and synchronization of database 301; • Retrieval and allocation of routing table 1721; • Retrieval of Windows domain and user information; • Network scanning; • Retrieval of login content; And • transmission of reports used by reports and other subsystems. ISDB Manager 2027: ISDB Manager 207 manages the database 301 ° It and pcs are unique to the data in each access filter 203 The interface of the copies of the library 301. It contains software for reading and writing all the tables in the copies of the database 301. Database Service and Rule Compiler 2009: Database Service Module 2029 Will generate many MMF files Case 2301. Every time it receives a new copy of the database 301 in the access filter 203, it will do so. It is -92- This paper standard applies to the National Standard S (CNS) A4 (210 x 297 mm) (Qi ^ ^ Please note the details on the back before filling in this page ^ 丨 ^ i --------- Order · ---- Printed by the Consumers ’Cooperative of the Intellectual Property Bureau of the Ministry of Online Economics * '& lt 4483 8 Employees' Cooperative Cooperative Seal A7 B7 of the Intellectual Property Bureau of the Ministry of Economic Affairs 5. Description of the Invention (90) Use the function provided by the ISDB management program 2027 to read live data for a given access filter 203 (I) Library 1907 (1) and generates many MMF 2301. One of the components of the database service module 2029 is a rule compiler, which will generate and use the IP filter module 201 according to some of the many MMF 2301 related to MMF. 9 9 There are some rules in this rule. This rule specifies what the access operation is allowed or denied: IP source 'destination, and port number. The rule compiler exists' to act as a DLL and just call the routines in the DLL ( routines). In normal operation, whenever in the access filter 203⑴ 'When the modified database 3001 is received from the main decision management program 2005' The routines in the DLL are called by the database service module 2029. The installation and startup processing (bootstrapping) process During the process, the application is used in some special modes. S Self Memory Map Building Case (MMF) 2301: As already explained, mmF 2301 is a data building case generated by the database service module 2029. And they are used by many other modules in the access filter 203. Design a building plan to make the following operations as effective as possible: • Mapping from user identification methods to (many) user groups; • Mapping from information resources to (many) information sets; • Finding associations with many user groups Decision-making; and • finding decision-making related to many information sets p. Components related to evaluation 3 component-related evaluation program (Evaluator) 2036: the evaluation program 2036 is composed of a number of proxy servers 2031 One of the many used by each proxy server. 93- This paper size applies to the Zhongguanjia Standard (CNS) A4 specification (21G) < 297 public love) (Please read the precautions on the back before filling this page) , Κ -------- Order ----- Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Online Economy 44838 A7 One B7 V. Description of the invention (91). The evaluation program 2036 will provide the following functions to many proxy servers: • Prompting the user for additional " in-band •, or " out-of-band "identification information; • From the Authentication Tool Service (Authentication Tool Service, ("ATS") for "out-of-band" authentication information: • Obtain certificates associated with the current user from SKIPd; • Read many MMF 2301 'and decide: whether the access decision allows the user to access the resource: and . If the access operation is allowed in other cases, construct a trust / sensitivity level calculation for the path, including determining whether the access operation is likely to be permitted via the path, and if so; what encryption and method of determination is required '; Which access filter is closest to the server. These functions are performed by a component of an evaluation program 2036 called a VPN management program. Yinding tool program service / user identification client software (ats / uic) 2039 and 2041 ATS 2039 is a server in a client-server application that collects and authenticates user information. ATS 2039 will be executed on the computer and other components on which the access filter 203 is executed. The client part is ~ UIC 2041, which will be executed on a windows-based client. ATS 2039 and UIC 2041 are mechanisms. The access filter 203 will obtain remote identification information through a remote mechanism. ^ G 2039 and UIC 204 1 will be separated from the dialog being authenticated by an Dialogue and communication 0 ATS 2039 will collect and quickly access (caches) the authentication information it obtained from many clients, and then provide this information to the evaluation program -94- This paper standard applies to the Chinese national standard (CNSM4 specification (210 X 297 public love) lk ------- order .-------- · line ^ to read the notes on the back before filling in this page) 44838 Printed by the Industrial Property Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs Α7 Β7 V. Description of the invention (92) 2046. Quick access information from clients includes: • Windows ID; • Identity certificate: and • Authentication token ID. SKIPd 2037: Most SFCIP'd functions support SKIP module 202 1. Those functions include: • Exchange certificate information with other communication partners. This is done by using the Certificate Discovery Protocol (CDP). • Calculate Diffie-Hellman's secret method. This shared secret method is key to SKIP operations. This calculation can take a considerable amount of time and save it to disk in an encrypted form. • Calculate the transport key used to encrypt the conversation. These keys can last for a period of time or amount of data. • In addition, SKIPd will provide certificate matching criteria to (among many) evaluation procedures for use in user identification methods. Proxy server 203 1 3 Proxy server 2031 As described above, the 'proxy server' is software in the access transition device 203 that intercepts traffic for a specific communication foot. The agent feed μ understands the communication protocol: it is carrying information, so it can obtain the information it needs to identify the resource being accessed and / or identify the user from the information being exchanged during the conversation. With the IP filter will make some -95- this paper measurement applies to the National Solid Standard (CNS) A4 specification (210x297 cm) LI _ 'fk · ------- Order · ----- --- (Please read the notes on the back before filling out this page) 4483 8 7 A7 B7 ----- Printed by the Employees ’Cooperative of Intellectual Property Bureau of the Ministry of Economic Affairs 5. Description of Invention (93) Use an existing communication agreement Redirects messages from its standard port to its non-standard port, and all proxy servers except SMTP will receive: for their communication, messages on ports other than the standard port. The proxy server provides the information obtained from the oblique words to the evaluation program 2036 in order to determine whether the user has access to the information resources. If the user has access to 'then the access filter 203 will forward the input message to the server to which they are addressed' and further process the information in the server with the service for that protocol . In the following description, each communication protocol used in a preferred embodiment will be discussed; of course, other embodiments may include proxy servers for other communication protocols.

Pr_ipf (IP filter proxy server): Most network traffic will occur on a few communication protocols, and in access filter 203 there will be many proxy servers for this protocol. However, even where there is no proxy server, an access decision must be made. In some cases, the decision may be made by the IP filter 2019 at the core level. When it does not make a decision, the IP filter 20 provides traffic to pr-ipf, which will Any information it can obtain from the traffic related to user identification methods and information resources, and then pass that information to the evaluation program 2036 in order to determine whether the access operation should be permitted. pr_ipf is not actually a kind of proxy server, because it just makes an access decision for IP filter 2019, so it does not pass any traffic to the standard communication protocol software. FTP (File Transfer Protocol): The ftp proxy server handles TCP / IP subcontracting information for the building transfer protocol. One of the current examples in VPN 201-96- This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm). T > clothing -------- order ---- ---- ", line (please read the precautions on the back side and then fill out this page) 448387 Printed by A7 of the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs __________B7__ 5. In the description of the invention (94), only the access control will be implemented To the account (login) level; in other embodiments, it is possible to control access operations to the file access level. During the FTP login green part of the communication protocol, the 'proxy server will determine the server and account being accessed' and provide this information to the evaluation program 2036 in order to determine whether the user belongs to a use Group, many members of the group may have access to the information set corresponding to the account. The proxy server uses tokens that interact with users in the FTP communication protocol to further process "in-band" authentication information. FTP is actually a very complex communication protocol that involves active and passive (Passive mode) (used in web browsers and some automatic FTP client software). In addition, FTP data transfer uses a second dynamic deterministic TCP (Transmission Control Protocol) conversation. This requires an FTP proxy The special interface between the server and the IP filter 20 丨 9 enables the FTP proxy server to indicate to the IP filter 2019: it should allow a second conversation. "HTTP (Super Text Transfer Protocol): For http In the public domain CERN (Huanzhou Koji Institute of Physics) construction example, the HTTP proxy server is constructed based on source code and contains all its fast access logic (caching logic). . The proxy server uses the evaluation program 2036 to check every access operation pointing to a URL. No "in the band, authentication information is performed using HTTP.

Telnet (Remote Communication Network): Telnet resources are controlled only to the server level due to the non-standardized nature of Telnet registration. Telnet proxy server is used only to provide additional " in-band "authentication information. It is Zhu-97- this paper standard meets the Chinese National Standard < cns) a4 ^ 77】 0 x 297 public) LII k * -------- Order --------- (Please read the precautions on the back before filling in this page> 44838 7 A7

V. Description of the Invention (95) The simplest of the multi-agent proxy server printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs, NNTP: Network News Transfer Protocol ^ ^ ^ (referred to as Jane TP) is used Control news feed (_s feed) and news read two operations. During the news transmission operation, the Yan proxy server watched that the unencoded messages were converted to information exchange standard code text (ASCIItex⑽ binary messages for transmission. Such messages are often used by Dissolve into multi-part messages in order to keep them reachable—a reasonable size knife_Goli word server will quickly access binary messages; there are parts. 訧 Each such message and t ' If the message is to be completed—the last part of a multi-part message, then the entire multi-part message is combined into: The anti-virus (aim-virus) module 2033 will check the message against many viruses, like It is described in more detail below. During the news reading operation, the access operation is protected to the news group level. As in other proxy servers, the evaluation program 2036 is used to determine whether the current user is likely to save Get newsgroups. 眞 Real Audio: 眞 Real Audio Communication Agent Server allows clients to access 眞 Real Audio which is only protected at the server level Communication server. Although the Real Audio communication protocol uses a standard TCP socket connection to establish a conversation, it then uses a switch back to the UP channel. As with FTP, the Real Audio communication proxy server has An interface for the IP filter 20-9, which allows it to indicate to the IP filter 20 I 9: Switching back to the UP channel is allowed. SMTP · 'Simple Mail Transfer Protocol (98 papers) The scale is applicable to China National Standard (CNS) A4 (2) 0 X 297 mm. Nt · ^^ 1 · I u 1 ^ —! · Nn I _ · fc I t 1 n · 1 11 ^^ 1 ^^ 1-1 ^ 1 t (Please read the phonetic on the back of ir? Matters before filling in this Ϊ 4838 7 A7 B7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economy The difference between the servers is:] Many rules of the proxy server of the p server are not used to redirect traffic to the SMTP proxy server. In fact, other proxy servers will "quote listen" on the non-standard ports ; And SM The TP proxy server listens on the standard port (25), and then performs its own communication connection with the standard sMTp server software. The access decision in the database 30 1 must explicitly allow this access operation. IntraMap : When the user specifies the URL for lntraMap, the report management program 209 downloads the IntraMap program, and the downloaded Java program attempts to execute an access filter that returns to the report management program 209. The communication connection of a set of sockets of 203 = the IP filter 201 of the local access controller 203 (I) 201 9 will intercept the information of the attempt to perform communication connection, and then supply the local ring with b 彳 疋. 〇3 (I) IntraMap Proxy Server "By looking for the answers in the local copy of database 30 丨 and returning the answers to the Java program, the proxy server will query the Java program (Query) in response. As all responses are being filtered to reflect user access rights. The IntraMap proxy server is not a real proxy server because the entire communication connection is always fully serviced by the instance of the IntraMap proxy server that intercepts the communication connection. Anti-virus module 2033 3 Anti-virus module 2033 The anti-virus module 2 0 3 in the preferred embodiment is a trend micro__ located in Cupertino, CA, California. One of the many DLLs provided by Trend Micro Devices, Inc. In other practice -99- This paper size is applicable to China National Standard (CNS) A4 specification (210 X 297 mm) (Please read the notice on the back before filling this page) ^ ----

IT ______ I ^ -0 «J [II line 4483 8 7 A7 --------------------- V. Description of the invention (97) In the example, it may be used from The anti-virus module 51 from other sources is anti-virus module, and 2033 will check all the information entered into 001 for viruses. In order to provide users with feedback on data transfer and prevent the user software program from timing out, the data is transferred to the client and copied at the same time into a virus check Temporary building case. However, the last part of the information was not sent to the client 'until the virus check was completed. The last part of the article in Temporary Dogwood says that temporary files will be checked for many viruses. If no virus is detected, then the rest of the data is sent to the client. If a virus is detected, the data transfer is suspended. In this embodiment, the user is notified that the transmission has failed. If the administrator has stated so, it is possible to send a kind of alert information to the administrator. Start (launck) 'Login, Alert, and Reporting Module 2 〇 2 7: Some components of this module will perform the following functions: • Initial sequence of startup control startup work; when Dali VPN 20 1' this initial sequence It will happen on an access filter 203. * Login-a dll that provides a standardized green login interface. • Vigilance-a standalone program that looks at all NT logins, so look for the vigilance conditions contained in database 301. Use GU: [to specify the method used to deliver alert information for defining alert information. .Reports-transfer a subset of the many registrations to a special report to log in, ▲ shrink into a database, and later transfer to the report management program 209 〇-100-This paper standard applies to the national standard (CNS) ) A4 size (210x297) (Please read the precautions on the back before filling in this page) * ^ · ------- Order --------- 1 * 5 ^ ^ Ministry of Economy Bureau Consumer Consumption Cooperative Printed Area 4483 8 / A7 B7 Printed by Employee Property Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs. 5. Description of Invention (98) Management Graphical User Interface 1 9 1 5: GUI (Graphical User Interface) Available p) j is executed on the access filter 203, or on any computer attached to the access subtraction 2ΓΠ and having a 32-bit Windows trademark operating system. No matter it is executed on the access register 203 or on the auxiliary system, it will use the management program 2027 to read or write one of the working databases 1903 in the access control database π 丨. Via GUI 1915, the material A% a 义 μ — ° makes all necessary modifications to the access control lean library 3 〇 丨. The application "operation in the GUI" is sent as a signal to PCS 205. It will respond to the signal by initiating the aforementioned allocation and synchronization operations. A detailed example of the operation of the access filter 203: Figures $ and 2 2 3 A detailed example of the operation of the access filter 203: Figures 5 and 2 2 In the following description, the details of Figure 5 End-to-end encryption instance. In this example, a roamer 503 equipped with Skip is accessing: within a website on VPN 201, a server 407 equipped with a Skip. When the roamer 503 is established to access the VPN 201, it is so established by using an access filter 403 (3) of a special encryption type. Here 'will assume that the encryption type being used by the roamer 503 has a "confidential" trust level: and assume that the user wants to access a web page on the server 407, which has a "confidential" The sensitivity and so on. Because the web page being accessed is, the roamer 503 is using the HTTP communication protocol for its dialogue with the HTTP service on the server 407. Because of the roamer 503, many storages in the VPN 201 The filter 203 and the server 407 are all equipped with SKIP; therefore, they are all equipped with their own -101-This paper size is applicable to the Chinese National Standard (CNS) A4 specification (2) 0 X 297 public)-^ I · ------------------ A ^ l -------- 'S sector A, please read the phonetic on the back? Matters before filling out this page) 448387 Ministry of Economic Affairs Intellectual property. Member of the property bureau Η Printed by consumer cooperative A7 B7 V. Public and private keys of invention description (99) = At a minimum, roamer 503 also has a certificate and public key for access filter 403 (3) , It will direct messages for servers inside VPN 201 to the access filter 403 (3); 403 (3) has a certificate and public key for roamer 503 (or obtain them using a certificate discovery communication protocol); all access filters 203 in VPN 201 have or can get: each other's public key, and Public keys for many servers equipped with SKIP in VPN 201. In addition, each access filter 203 in VPN 201 will know: all other access filters 203 and many more in VPN 201 The IP address of the server. All messages sent and received as part of the HTTP conversation between the roamer 503 and the server 407 are encrypted and authenticated by SKIP. Figure 22 shows: A format used by SKIP message 220 1. The SKIP message is produced by SKIP software on the system that is the source of the SKIP message. The SKIP message 220 1 shown here is from the roamer 503. Its main components The copies are: Outer IP Header 2203: Outer IP Header 2203 is used to deliver SKIP messages to the access filter 403 (3) »Included in IP Header 2203 are: Source IP address 2209 for roamer 503, and Against The target IP address 2206 of the router 403 (3) has been taken. When the roamer 503 is established to access the VPN 201, the target address 2206 used by the roamer 503 is set up to specify the access filter 403 (3). The source IP address 2209 may be dynamically assigned to the roamer 503 by the Internet service provider; and the roamer 503 is used to connect to the Internet-102- This paper Standards apply to China Solid State Standards (CNS) A4 specifications (210 X 297) (please read the first + /; 1 tone? Fill in the matter again Fc \ _______ 丁 If " ν I t xi 0 * l f Line 4 483 8 7 Printed on the clothes of the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs Α7 Β7 V. Description of Invention (100) 121. The outer IP header 2203 also contains a message type (message abbreviation MT) field 2208, which will state that the message is a SKIP message. SKIP header 2205: SKIP header 2205 contains the information needed to decrypt the SKIP message 2201 when it is received. The SKIP header 2205 contains at least a target-specific certificate, that is, a target NSID (namespace identifier) 2215 and a target MKID (master key identifier) 22 1 3 of the certificate against the access filter 403 (3); and For the certificate of the source, that is, the source of the certificate for the roamer 503! 102219 and source% 1 <: 102217. In addition, the SKIP header 2205 contains: an identifier for the algorithm used to authenticate the message (MAC ALG 2226) and the algorithm used to encrypt the message (crypt ALG 222: 5); and an encrypted transmission key used to decrypt the message Key (Kp 2223) and identifier 2224 for the algorithm used to decrypt the transmission key »Authentication Title 22 Π: Authentication Title 22 U contains a message authentication code (MAC) 222 The MAC algorithm identified in bit 2226 is calculated; and it is used by the access filter 403 (3) to verify that the message arrived without intervention. Encrypted payload 2227: Encrypted payload 2227 contains a known encrypted message that is being sent to Server 4 07 by Duyou 5 0 3, which includes the IP header 233 1 'for the message and the Encrypted message 2229. I P ^ Question 233 1 has an IP address for the server 407 and a port number for the http protocol service. By using the transmission key Kp -103- with the decryption algorithm specified in CRYpT ALg (Cryptographic Algorithm Identifier) 2225, this paper size applies the China National Standard (CNS) A4 specification (2 丨 〇X 297) Li) (Please read the note on the back before filling in this page) ν ^ -------- Order --------- line 4483 8 Printed by the Consumers ’Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs * ' Clothing A7 B7 5. Description of the invention (101) 2223, the encrypted payload 2227 can be decrypted. Process SKIP message 2201 3 Process SKIP message 2201 SKIP message 220 1 arrives on the Internet interface 2101 of the access filter 403 (3). Message processing begins at the SHIM level in core level 2005. SHIM 2017 will send all incoming traffic to SKIP 2021, and it will sequentially perceive according to MT field 2208 that the message is a SKIP message. To decrypt and authenticate the message, SKIP needs to decrypt the transmission key κρ 2223, and what it has to do is: it will provide SNSID 2219, SMKID 22Π, DNSID 2215, and DMKID 2213 to SKIPd 2037, and SKIPd will use these IDs in order to retrieve the information from SKIPd The certificate fast access cache (2037) retrieves the certificate for the roamer 503 and the access filter 403 (3). If the certificate is not there, SKIPd 2037 uses the CDP protocol to extract the certificate. Then, use the information in the certificate with the private key of the access filter 403 (3); in order to generate a shared secret number, and then use the remote number to resolve the transmission secret Kp 2223, and then generate two Internal keys: Akp and Ekp »SKIP will securely store shared secret numbers for use with future earnings. This is because the calculation of this number takes a considerable amount of time. Secondly, calculate mac for the entire received message, and use Akp with MAC 2221 and MAC ALG 2226 together to verify: The entire S BCIP sfl interest 2 2 0 I has not been interfered with. If this is the case, the Inner Shaw Ekp is used to decrypt the encrypted payload 2227 in order to recover the original message from the roamer 503. The decrypted payload 2227 is then provided to the IP converter 2 01 9 'It will apply some of its rules to: Source-104- This paper standard uses China National Standard (CNS) A4 specification (210 X 297 public ) T Please read the French and Italian matters on the back before filling out this page), ^ '------- Order --------- line 448387 A7

V. Description of the Invention (102) The seal of the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs ^ IP address, target IP address, and port number of title 223. If there is no rule to deny the access operation, then the filter 2o9 complies with another rule and redirects the unencrypted message along with SNSID2219 and SMKID2217 to the port for the HTTP proxy server. The filter 2019 uses the DBServicePortToProxyPort file in mmf 2301 to find the port in question. Processing of messages continues at the application level in the user level 2003 of the operating system. The HTTP proxy server can grasp: the server's p address, the service port number, the URL for the web page, the user certificate belonging to the roamer 503, and the encryption method used to encrypt the message. It will use the appraisal program 2036 to determine the following according to MMF 230 1: • Many user groups to which the user represented by the certificate belongs; • Many information sets to which the web page belongs; • Is there an access The decision will allow at least one of the many user groups to access at least one of the many information sets: and • Whether the trust level of the message is at least equal to the sensitivity level of the web page. Starting from the first of these tasks, the evaluation program 2 0 3 6 will receive the NSID and MKID for the certificate and use the certificate matching criteria for the certificate with the DBCertificatesByUserGroup building case to obtain: the user who is sending the message belongs Identifiers for many user groups. The evaluation program 2036 determines the information set by adopting: the IP address of the server, the port number of the service, and the URL of the web page; and uses: a database with DBServerlDByIP (a database identified by a P address " servo Device ID ") -105- This paper size applies to China National Standard (CNS) A4 specification (2〗 0 X 297 public love) f Sr Read the precautions on the back of ti before filling this page); ^

_____ 丁 * ____ III I 10 0 «i III line 4483 8 7 Printed by A7 B7 of the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 5. The IP address of the invention description (103) case to determine the server containing the webpage, Have DBServicelDByPort (database identified by port number, service j D ") file heart port number to determine the service on the server providing the service, and have DBHes〇urceiDbyName (database identified by IP name" Resource ID) URL to get the identifier for the information set to which the web page belongs. With the ability to grasp: for user groups and information sets, the identifiers in database 3 〇 ^ · The evaluation program 2036 uses the DBRes〇urceHf case to decide whether there is an access decision that will allow any user to belong to A user group accesses any information set to which the page belongs. In doing so, it may only consider some user groups whose membership is determined using recognition patterns, and the trust level of the far recognition pattern is sufficient for the sensitivity level of the resource. The DBResources file maps each information set identifier to, and there will be a list of one of the many user groups for which access decisions concerning the resource set are targeted. For each user group, the DBRes〇machi eu file will further indicate: decide whether to allow or deny access operations. The evaluation narrative 2036 uses the DBResources file to determine for each information set to which the page belongs in order: there will be a lot of decisions about the access to the information set. Does the list of user groups include many of the user's belongings? A user group in a user group. If there is an access decision for any user group to deny the access operation, the evaluation program instructs the Ηττρ proxy server: the access operation is denied; if there is no access decision for any user group, the access is denied. Fetch operation and at least one decision allows access ^, the evaluator instructs the HTTP proxy server: the access operation is allowed; if there is no access decision of any kind for any user group, -106- This paper size applies to China National Standard (CNS) A4 specification (210x297 public love) K I ----------- 'k · ------- Order -------- -Line (Please read the back ^ -Precautions before filling in this page> 4483 8 Printed by the Ministry of Economic Affairs ^ Finance Cliff Bureau Consumer Consumption Cooperative Association * '" 1 A7 B7 5. Invention Description (104) The evaluation program will Decision: Will there be at least one certificate or token-based user group with an allowable decision for the resource. If so, and the requesting client has a UIC (User Identification Client Software) running: = Contact UIC to Ask the user for additional identification information. If additional identification information comes back, Repeat the above process. In other cases, the estimator instructs the HTTP proxy server: the access operation is denied. Of course, if the access request does not have a trust level equal to the sensitivity level of the web page, the evaluation program 2036 also The access operation will be denied. The evaluation program 2036 obtains the sensitivity level of the web page from the DBResourcesByResourcelD file. ; Trust level encryption ") Obtain the trust level of the encryption method in the file. Because SKIP has used a method that has the confidentiality level to encrypt the message, so the trust level of the path through the network and This example is irrelevant. It is necessary to decide whether the trust level for the user identification and encryption method is sufficient for the sensitivity level of the web page; the evaluation program 2036 will use the DBTrustTable file that effectively constructs the SEND table 601. If the trust level is If it is sufficient, the evaluation program 2036 Server instructions: The access operation is allowed. Once the proxy server has confirmed that it intends to allow access to the information resources contained in the message: the proxy server will initiate a new dialog for the actual service: About server 407 HTTP service. The proxy server 203 will send a special message to the IP filter 2019, thus telling it: allow a specific conversation to pass; this is because: in other cases, this conversation may be The scale used the Chinese Θ standard (CNS) A4 specification (210x 297 public) JI!. [-----— 0 ^ ----------------- '绿 Γ Qing first read the back & Zhuyin? Please fill in this item again 1) 4483 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 B7 V. Description of the invention (105) These rules are blocked or sent to the proxy server again. The message for the IP killer 20 1 9 also includes information about the encryption method required for the new conversation. In this example, the information is: for the last access filter 4 03 (5), the conversation should be Encryption; and an encryption method appropriate to the sensitivity level of the data should be used. When the IP filter 2019 encounters a new conversation, Έ: will find that: Because the conversation matches the criteria specified by the proxy server 2003, it will pass the conversation to the SKIP module. Since encryption is necessary for this conversation, the message will be re-encrypted. Except for the following items, the SKIP module 2021 generates a SKIP message 2201 in the same manner as described above: • The outer IP header 2203 for the message states that the access filter 403 (3) is used as the message Source 'and target the access filter 403 (5) as the message; • 3 〖115 Title 2205 has: 5 10 2219 and SMKiD 2217 for the access filter 403 (3); and 0 of the access filter 403 (5) 10 2215 and 01 ^ 1 <: 10 2213: And the other numbers in the title 2205 are also: the source and destination of the message are now the access filter 403 ( 3) and those required for the fact of access filter 403 (5); • the encrypted payload 2227 is the same as before (except that it has been encrypted using a different key; and if necessary for the entire New message 2201 generates MAC 2221. When the proxy server is relaying the message, it is also watching the type of file transfer that may contain a virus. When it encounters a virus, it applies the anti-virus carcass 2033 to These files. -108 if this file contains a virus The description uses the Chinese National Standard (CNS) A4 specification (210 χ 297 issued) ------ In If-I--. --J n ---- 〆k ^ · In I--- --- I --- 01, »i-1 I I--11 1 ty (please fill in this page with the precautions on the back of /! 3tt) 44838 7 Printed by A7, Employees’ Cooperative of Intellectual Property Bureau, Ministry of Economic Affairs B7 V. Description of the invention (106) The proxy server failed to deliver the complete case so that the virus would not cause harm. If the access control database 3 0 1 instructs this, then the anti-virus software 2033 detects a virus , The proxy server will send a warning message. When the SKIP message 2201 is received at the access filter 403 (5), it will pass it to the SKIP module 202 1 where it is as described above. Regarding access, the filter 403 (3), by the same mechanism as described above, the IP filter 20 1 9 on the access filter 403 (5) notices: because of the message Is assigned to the HTTP application protocol, so it will direct the message to the HTTP proxy server 203 1. The proxy server will accept the message: it will then send the message from the outer IP header 2203 and SKIP 2205 title, which can be obtained on the originator of the message (access filter 403 (3)) to send information to the evaluation program 2036, in order to decide: this message is being instigated whether dialogue should be allowed to proceed. The evaluation program 2036 will look at the source of the message, the p address, and other identifying information; and determine it by the source IP address found in the DBServerlDByIP file of the MMF file: For the access filter 403 (3), The identifier in database 301; using the identifier to indicate the location of the certificate that was accessed 403 (3); and found that: the certificate information matches the retrieved certificate, and the retrieved certificate matches the certificate being retrieved The processed message of access filter 403 (3) is related. The access filter 403 (3) of the source of the message is therefore considered to be one of the access filters 403 in VPN 201, so the evaluator 2036 responds that the conversation should be allowed because it is a Messages allowed by another access transit device 403 within the same VPN 201. This decision to allow the message is passed back to the HTTP proxy server 2031. The evaluation program 2036 will guide on the access filter 403 (5) -109- Applicable to this paper standard Θ National Standard (CNS) A4 Specification (2) 0 > = 297 mm) (Please read the back first Please fill out this page >

It clothes · --- Order --------- line 44838 7 Printed by A7 B7, Employee Cooperative of Intellectual Property Bureau of the Ministry of Economic Affairs V. HTTP Proxy Server 203 for Invention Description (107) 1: For the same Rita allows any request from the same conversation. When the HTTP request is processed, the proxy server establishes an outgoing communication connection with the HTTP service on the server 407 in the same manner as the outgoing session is established on the access filter 403 (3). When the communication connection with the server 407 was started, the evaluation program 203 6 will find the IP address of the server 407 in the DBServerlDByIP building of the MMF coffin case, so as to determine: For the server 4 07, in the database 3 〇 丨 Identifier: Use this identifier to indicate the location of the server table; then use the identification from the remote table and DBCertificates (database " certificate ") to find the certificate for server 407" and then It uses a fork key for the access filter 4 03 (3) and a public key (obtained from Pingshu) for the servlet 407 to construct a SKIP conversation, as described earlier. The actual message is added to Encryption and authentication, add the SKIP header 2205, and add the outer title 2203, so the message is directed to the server 407. When the message reaches the server 407, the SK in the server 407 will check: Regarding the authentication information of the message, decrypt it, and then forward the decrypted message to the HTTP service; the service will perform access: the webpage requested by the message contained in the payload. The webpage has been obtained. ^ Τρ 服务 会Generate a return message with a title that specifies the rover 503 as the target. Then, encapsulate this return message in a SKIP message 2201, as described previously. This is as heart The information is directed to the access filter 403 (5), and the information contained in the outer title 2203fpSKIp title 2205 is necessary for the information between those entities. -110 · This paper standard applies to the solid state National Standard (CNS) A4 Specification (2) 0x 297 public love) L ------------- h .-------- Order --------- line (Please read the notes on the back before filling out this page) 4 4 8 3 8 7 Printed by the Consumers Cooperatives of the Wisdom and Time Bureau of the Ministry of Economic Affairs-A7 B7 V. Description of Invention (108) Required. When the reply message touches the deposit When the filter 403 (5) is taken, the SKIP module 2021 there will authenticate and decrypt it and send it to the p filter 20 19. The message was found to match an existing conversation, so it is not Necessary evaluation; it is therefore forwarded directly to the HTTP proxy server 201. There, it is checked as an HTTP communication protocol reply message. Validity, and then resend it back to the originator of the HTTP conversation that is access filter 403 (3). Knowing that the originator of this conversation may be another access filter 403 'in VPN 201 Performs a check operation of the anti-virus module 203 3, just as it knows that the access filter performs a check operation when necessary. Use the message between the access filter 403 (3) and the access filter 403 (5) Many SKIP parameters that are necessary for the exchange are processed again through the SKIP module 202 1 and the encryption of the reply message, as described above.

When this answer message comes to the access register 403 (3), exactly the same thing happens', that is, the message passes through the SKIP module 202 1 and the IP filter 20 I 9 to the HTTP proxy server 2031. There, check it for validity as an HTTP communication protocol reply message; possibly through anti-virus module 2033 (if the message content type guarantees it); and then resend it back to the HTTP conversation which is the roamer 503 The initiator. For a message being sent from the access filter 403 (3) to the roamer 503, 'using the SKIP parameters as announced above, via the SKIP module 2021, the processing of the reply message is processed again, and then it is processed as described above. Encrypted. Then 'receive the answer message at the roamer 503; here: use SKIP This paper size applies the China National Standard (CNS) A4 specification (210 X 297) Chu ---------- l * k * ------- Order '-------- line. 1 (Please read the note t on the back before filling this page) Printed by the Consumer Goods Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs 4483 b A7 _____B7 V. Description of the invention (109) The information on the disciplinary information and the% Cha 'is provided to the user's unscrupulous smile and displayed for the user. General principles of many technologies used in access filter 203 Many technologies used in access filter 203 have been generalized in two ways:. Separating decision evaluation and decision execution, it will allow access filters Decision making by different entities: and • The decision database now not only allows definitions: users, user groups, resources, and resource groups; it also allows definitions: many new types of user identification that may define many New action types, and many new resource-type pads. ’The following description will first describe how it is possible to separate decision evaluation and decision execution, and then describe how it is possible to expand the many types of definitions used to define decisions. Separate decision evaluation and decision execution: Figures 20, 26, and 27 Figure 26 is a block diagram of a decision execution system 26001, in which decision evaluation and decision execution have been separated. In system 26〇 丨, the notion of decision (notion) has been generalized, including not only: access decisions, management decisions' and decision-making decisions; but also: any action that users may perform on an information resource, such as , A decision may state that a particular user group may print some documents that belong to a particular information set. System 261 has five main components: • Requesting entity 2603, which will request an action to be performed on an information resource, and it may be any entity that can belong to a user group; -112- This paper standard applies China National Standard (CNS) A4 Specification (210x297) Chu; LI ---------- · · I ------- Order · -------- Line (please first (See the back; fill in this page for more information)

44S3S Printed by the Consumer Cooperatives of Intellectual Property Bureau of the Ministry of Economic Affairs Α7 ΒΤ 5. Description of Invention (11〇) • Decision implementer 2609, which can control the effectiveness of the requested action; • Many resources 2611 (0, ..., η ), It may be: any information that can be accessed by the decision implementer 2609 or controlled by the device; • a decision server 2617, which decides: whether the action is allowed; and • a decision database 2619, which contains many decisions, a decision server The device 2617 decides based on this decision: whether the action is allowed. The requesting entity 2603, the decision executor 2609, and the decision server 26 1 7 can each be located anywhere. The only requirement is that there will be a message transmission medium between the requesting entity 2603 and the decision executor 2609, and between the decision executor 2609 and the decision sever 2617.> Between the requesting entity 2603 and the decision executor 2609, The media allows requesting entity 2603 to send a message 2605 requesting an action to be performed on a resource R26 1 1⑴ to decision executor 2619; and to receive an action response message 2607 from decision executor 2609, which indicates : Whether to take action, and if such results. The media between the decision executor 2609 and the decision server 2617 allows the decision executor 2609 to send a decision request 2613 to the decision server 2617, thus requesting the decision server 2617 to instruct: in the decision server database 2619 Whether many of the decisions allow a given requesting entity to take a given action relative to a given resource: and request the decision server 26 丨 7 to respond to the decision request 26 with a decision response 2615, the response indicates: The actions specified in the decision request will be allowed. It should be further noted that actions controlled by the decision implementer 2609 need not even be performed by the components of a computer system. For example, many decisions in the decision database may be controlled by library patrons to access the books, and -113 reference paper standards (CNS) A4 (210 X 29Γ ^ ϊ " _ n JII-- —JII *.-1 I n--οι I l—---_I n --- t, (Please close the Jiang Yi items on the back before filling in this!) 4 4838 7 A7 B7 V. Description of the invention (111 ) The action specified in the decision may be a library web page that extracts a book from the bookshelf. The format of the decision request message 26 1 3 and the decision response message 26 15 are defined by a decision communication protocol. Examples of some standard decision communication protocols that are currently being developed are: Common Open Decision System (COP0) Open Poic System (referred to as COPS), which can be learned on the Internet: as it was on June 21, 1999 Described, the URL is: http: //wwv/.jf; tf ηΓσ / internet-drafts / draft-ietf-rap-cops-06.txt; and Remote Authentication Dial In User Service, referred to as RADIUS; Reference: Internet Standard RFC: No. 2 138 The decision server 26 1 7 obtains the information needed to generate a decision response 26 15 and then provides the response to the decision executor 2609. The decision server 26 丨 7 includes a decision server database 2619 containing many decisions. The decision includes: In response to the request body 2603, the decision executor 2609 has been requested to perform one or more decisions on a resource R26 1 1⑴. The decision server 26} 7 will query the decision server database 2 61 9 to point out some relevant information. Decision locations' before applying them to decision requests 2613. Doing this may require the decision server 26 1 7 to obtain other decision-related information 2623 from any location accessible by the decision server 26 17. An example of such a process is: the technology described in the discussion of the access filter 203; by this technology 'access filter 203 obtains additional identification information about the user. If the decision server 2617 from the decision server Information obtained from the database 2619 and other resources indicates that the action is allowed, the decision server -114- This paper standard applies to the national solid standard Standard (CNS) A4 (210 X 297 mm) (Please read the precautions on the back before filling out this page) -------- Order ----- Employee Consumer Cooperatives, Intellectual Property Bureau, Ministry of Economic Affairs印 * '衣 448387 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs

AT B7 V. Invention Description (112) 2617 will send a decision response 2615 instructed in this way, and the decision executor 2609 will perform action 4 as indicated at 2㈣ and will return the result to the requesting entity 26〇3 via the action response 2607. ; If the decision response 2615 indicates that the action is not allowed, the decision executor 2609 sends an action response 2607 indicating that the action is not allowed. Separating the decision implementer 2609 from the decision server 261 7—The important advantage is that it is possible to construct the decision implementer 2609 at many different levels in the system. It is understood that the system includes a number of devices connected by a network. The decision server 26 17 may contain decisions for any decision executor; therefore, actions that may be governed by that decision are no longer limited to actions taken at one or more levels of the system. Figure 2 7 shows: a system 2701 with many components, which all include a public network 2702 and an internal network! 03's network is connected. At the highest level, the system 2701 has: one or more policy decision points 2723 that determine whether a decision allows an action; and one or more decision execution points 2721, many of which are decision points Decisions are made. The decision-making decision point will include a decision server 2617; and the decision-executing point will include a decision-enabling device, that is, a device capable of performing a function like the decision-executor 2609. The communication between the decision-making decision point and the decision-executing point is through a decision message 2725 ′. The message includes: a decision request 26 1 3 and a decision response 2615. ® Only 2 6 0 3 When _resource R 2 6 1 1 is required to perform a drinking operation, the operation will be performed by a device controlled by decision execution point 2721, and decision execution point 2721 will be linked to decision Decision point 2723 exchange decision message-115- This paper size is applicable to China National Standard (CNS) A4 specification (210x 297 issued) 1.ki ------- Order --------- line {Jing (Please read the notes on the back before filling this page) 44838 Printed by the Consumers ’Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs *” Machine A7 B7 V. Description of Invention (113) 2725 in order to decide whether the action is allowed: if yes, make a decision Execution point 2721 will cause the action to be performed. Among the many decision-enabling devices included in the system 2701 are:. Decision-enabling router 2713, which executes decisions at the level of routing guidance traffic in the physical network; • Decision-enabling subsidiary device 2719, which Decisions are performed at the level of a device that is attached to the system's 2701 network. An example is a printer, and ΈΓ can consult the decision server 26 丨 7 to decide whether to accept a print request from an entity 2603. • Decision-enabled application 27 Π, which executes decisions at the application level. Each decision-enabling device processes decisions in the same way as described for the decision-making implementer 2609: when the decision-enabling device receives it it must decide whether the action request complies with the decision server database 26丨 For many access decisions in 9-an action request 2703, it will send a decision message 2725 to the decision server 2617; and when it receives the decision message, it will respond, allow or Reject the action indicated by the decision message. Continue to discuss in more detail the level at which the decision-enabling devices of FIG. 27 operate. The decision-enabling router 2713 may maintain the permissible sources and destinations of the many subcontracting information directed by it—this table; When 2713 was initialized, these tables were created based on the information provided by the decision server: From then on, when router 2713 ^ __ has subcontracting information whose source or destination is not in its table, it will — ____ -116- The size of this paper _ Medium _ Jia Pi (CNS) A4 11.k -------- Order. ---------- line {Qi first read the precautions on the back before filling in this page ) 44838 7 A7 B7 V. Description of the invention (114) The type of decision flood interest 2 72 5 is sent to the decision server 2617 indicating the source or target, and the decision server 2617 will indicate whether the source or target is intended The target is included in some tables to respond to this message. Of course, when the decision server database 2 6 1 9 is changed, some tables of the router 2 71 3 may also be sent by the decision server 26 17 to router 2 " 7 1 3 messages to stay updated. Just like from the previous As can be seen, the router 2713 performs a decision check at the level of the IP filter 2019 in the access filter 203 construction example 2001. The decision-enabling accessory device 27 19 is a printer such as a printer attached to the network The device is capable of responding to a request made by an entity 'to use it with a decision message sent by the decision server 26 1 7 and based on what it receives from the decision server 2617 Information continues. This decision enabling accessory 2 * 719 will allow the granularity of control over these devices to be more fine-grained than access checks at the level of access to teardropper 203 may allow Finally, the decision-enabling application 2717 will allow: execution of a decision at a higher level than may have been accessed; the cache 203 may allow. As long as the decision server database 2 619 contains and is being Decision information related to many resources accessed by the application, the decision enabling application 2 7 17 can exchange decision information 2725 with the decision server 2617, so it can make decisions · • Yes Allow or deny the action being requested by the user of the decision enabling application 27 17. An example of the decision enabling application 27 17 is: an application that constructs an Internet service such as FTP, HTTP, or SMTP. This is the level handled by many proxy servers 2031 in Figure 20. Because the paper & degree applies to the China National Standard (CNS) A4 specification (210 X 297 mm) (please read the back of tf first (Please fill in this page again)

·-J- 1-I: I— One pi I num-u I Printed by the Consumer Cooperative of Intellectual Property Bureau of the Ministry of Economic Affairs 44838 7 A7 B7 V. Invention Description (M5) Services may now be enabled by decision-making, so A proxy server is no longer necessary; instead, it can only pass the Internet communication protocol to the system where the service exists, and the service will provide the access operation requested by the communication protocol. As shown in Figure 27, the service is then able to personally and decision server = 2617 switch decision message 2725 'in order to decide whether the requested access operation should be allowed. Another example of a decision enabling application 2717 is: a document processing program. In this case, the decision server database 26, 9 may contain some decisions that specify a collection of users who have the right to modify a collection of files. When the user uses the program to select a document for editing, the document processing program can exchange decision information 2725 with the decision server 2617; and if the decision response instruction from the decision server 26 1 7 indicates that the user may not Modifies the document; the document handler may instruct the user and refuses to allow the user to modify the document. As can be seen from the foregoing, the separation of decision evaluation and decision execution and the extensible nature of decision definition actually collectively allow: any operation that a program can perform on a resource becomes the subject of a decision; thus, making access Control systems are like those shown in Figure 27: they are not only scalable and easy to manage, but also easily adapted to any current or future device or program. It should be pointed out here: in access filters In 203, the decision evaluation and decision execution are logically separated, even if both are contained in the same device. When reviewing view 20 according to FIG. 26, it is obvious that: GUI 1915: start, green log, alert and report module 2027: Zi-118- This paper standard is applicable to the Chinese National Standard (CNS) A4 specification (210 = < 297 public hair) (Please read the notes on the back before filling out this page) --------- Order -------- [Printed by the Ministry of Economic Affairs, Intellectual Property Bureau, Consumer Consumption Cooperatives Printed by the Intellectual Property Bureau's Consumer Cooperatives ^ 44S387 A7 ______ B7 V. Description of the Invention (116) The repository is in the catalogue 2028; ISDB management program 2027; PCS 2025; and MMF 2301 will construct the decision server 2617; A decision executor 2609 that operates at the IP_II and Internet Protocol levels will be constructed. General rules for decision-making: Figure 2 8 In the access controller 203, administrators who properly access information; can define new UW users_ 'can define new resources and information sets, and can add services and servers. Management Shell cannot define actions different from access to information. And I, the methods anyone can use to define new user groups are fixed ’and resources are limited by the source of the information. In the generalized decision server of the preferred embodiment, these restrictions have been removed. It is now possible for the 'administrator to define: a new action' a new way to define user groups' and resources that are not information sets. Of course, the right to make these definitions is itself determined by the decisions in the decision server database 26, 9 and 9, as explained in the management decisions and decision maker decisions in the access filter 203. In most systems, the definition of the “Provincial Multi-Continent Type” and the “Resource Type” and the type of action should be limited to those who belong to the “security officer” user group. These new possibilities are illustrated in a generalized decision syntax 2801 for the decision statement shown in FIG. The generalized decision grammar 281 describes how to present decisions to officials in the window targeted by possible manipulation decisions. In Figure 2-8, the project department shown in italics is a component of many decision statements that may be defined by the officials of the decision server 26-17. The administrator has the right to access the decision server database. 2 6 丨 9. Zaifang-119- This paper size is applicable to China National Standard (CNS) A4 specification (210 * 297) &-J;! ^ --------- ^ -------- Order --------- line (please read the note on the back before filling out this page) 44838 7

Staff of the Intellectual Property Office of the Ministry of Economic Affairs, Consumer Affairs Cooperatives U A7 Β7 V. Description of the Invention (117) The items in parentheses are the words that make the items in italics related to the definition of a decision. For example,

Employees are allowed to Access the HR Web Site (Emp 丨 oyees) are a group of users, Access is an activity, and The HR Web Site is an information set; this decision statement allows: any user belonging to |, the employees " user group to access any resource belonging to the "HR website 11 information set. Continue in more detail Discussion on the generalized decision syntax 28〇, £ ntity (entity) represents a group of users whose members are: one of many technologies used in the access filter 203; or the decision server 2617 It is defined by a technology defined by the official. The only requirement for the entity is that it must be recognizable by the decision implementer 2609. Action indicates that it may only be like access filter 203 The access operation is just a thrill, or it is an action defined by a member of the decision server 1%. The only requirement for action is that the decision maker 2609 can execute the item resource. action (How to call resources) means—information set. However, in a generalized decision server, an information set may be a collection of many devices such as a printer or a building server. The only requirement of a pin = is- : Enabling decision enforcer 2609 to perform on resources: 'Timelntervals 2809 Allow management — using generalized decision syntax 2801 and being specified = (temP〇ral restriction) β When the decision is being made For evaluation-whether the system user has the right to access-a given resource time = a given time estimate right time at time -120-this paper size towel _ 家家 (心 ⑷i I, 1 Κ 衣衣 --- ----- Order --------- line, please read the it item on the back, and then fill out this page) 7 Printed by the Ministry of Economic Affairs and the Intellectual Property Cooperative of the Intellectual Property Bureau, printed by A7 B7 V. Invention Description ( 118) Only within the interval will a decision with a time interval be considered. For example: Employees are allowed to Access the HR Web Site from 9:00 am-5: 00 pm weekdays (Employees are allowed to access the HR website Xinping said: from 9 am to 5 pm) it will limit the time for employees to access the HR website In a preferred embodiment, the normal business hours may define the time interval as follows: the range of the beginning and end of working hours each day; the range of the beginning and end of working dates; restrictions on weekly working days and holidays: optional Include or exclude weekly special work dates and / or dates listed as holidays; restrictions on the work week of the mother month: weekly, every X from the reference date Week (where X is a number from 2 to 12), or a table of weeks in each applicable month; ACtiOnAttribute (S) 2S 11 are some administrator-defined definitions that may implement the methods allowed by the decision statement. Furthermore, the only requirement is that the decision executor 2609 is able to perform the action as stated in the attribute of the action. For example:

Marketing is allowed to print to the Marketing Printer with type = color (Marketers are allowed to print using a printer with a marketing type of color) -121-This paper is fully compliant with national standards (CNS) ) A4 size (210 ^ 297 mm) t J--IH-I-—-II-. I—. — I ―I- III. I-I--I I_ I (Please read the precautions on the back first (Fill in this page again) 44838 7 A7 B7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs. 5. Description of the invention (m) This policy includes the action attribute type = color (printing punishment _ ~, Dong Jiu Xu belongs to, | The marketing user group knows that the user # 4-M 4ii Et · r. # 仃 员 疋 printer resources to perform color printing. Many additional examples of mobile attributes are: * For web The type of service required for the communication connection; • The type of routing or media that you plan to use; * The billing rate that you plan to apply; * The maximum number of transactions: • The maximum time allowed to complete an exchange. Like by the syntax [with I whenK has 丨 every time) as indicated, "Enough to make the time interval and line Property, as well as the entire decision and statement from the two = use. For example, a decision that sets a time limit on the service category looks like this: (Everyone is allowed to access the World Wide Web with bandwidth = 90% when weekends (Everyone is allowed to access bandwidth with access every weekend) = 90% of World Wide Web information) This decision allows entities in the “user group” to access the World Wide Web information with bandwidth = 90% every weekend. When the time interval has been applied When it comes to action attributes, if a request to perform an action is made within the time interval applied to the action attributes, the actions specified in the decision will be executed as described in the action attributes. Example of the construction of a generalized decision: Figure 2 9 and 3 0 Figure 2 9 shows the decision database 290 1. The decision database 290 1 is the decision information. (Please read the notes on the back before filling this page) Η Order --------- Line-122 private paper scale applies Chinese National Standard (CNS) A4 specification (2〗 〇x 297 public meals) 44838 Printed by A7 B7, Consumer Cooperative of Intellectual Property Bureau of the Ministry of Economic Affairs 5. Description of invention (120) Library 3〇1- A variety of modifications; The generalized decision as defined in Law 2801 and operates in an environment T where decision evaluation and decision execution have been separated. Therefore, in FIG. 29, the decision query 2939 comes from the decision server 17 instead of the access filter 20, and thus includes: a specifier that intends to perform actions, and a specification of a source of information or other resource for which the action is intended to be performed. The result of the decision inquiry 294丨 Switched back to the decision server 2617. In addition to an indication of whether the action is allowed, the result now also includes the value of the attribute associated with the action. Many of the units in Figure 3 are shown in Figures 2 and 9 and their functions remain unchanged. They all have: the reference numbers we have in Figure 3. Starting from the access decision, the first additional item of information is the access type definition 2929, which will define many additional action categories, which may be targeted for it. Decisions are defined in access decisions 307. Second, there is attribute information 2927, which defines: attributes that may be attached to many entities involved in implementing a decision. Included in attributes News 2937 contains the following kinds of information: Attribute designation 2S > 37, which will indicate what is intended to be used with the attribute, user group, information set, website, or service; attribute tag 294 1, it will Definitions; in the user interface, many well-known attribute names; and attribute characteristics 2939, which will actually define: how attributes affect many user groups that are only adequate for it, etc. schedules) Information 2925 defines: time intervals that may be attached to decisions or attributes. In the schedule information 2925, the schedule rule 293 1 will always define the time interval; and the physical holiday table 2 and 3 are-a kind of 123 paper standards _ Zhongguanjia standard X 297 g) t IL. — I —-------- I ^ -ash. II ------ * 151 · ____ I I Ϊ I (Please read the 冱 旮 on the back? Matters before filling out this page) 448387 Λ7 --- -------- Β7 V. Description of the invention (121) Use the holiday schedule in the schedule rules. Resource type 5 will define: it is possible to define the type of resources for which the decision is made, and the user is not satisfied with the type of identification method. In the preferred embodiment, the company's well-known: Microsoft® Access Database Software is used to construct the database 2901. Access software is a relational database, that is, the information in the database is stored in some tables. A utUity in access software provides: images of some tables and their relationship to each other. Figures 13 to 17 and Figure 3 of the present π case are derived from those images. In Figure 30, some of the tables appearing in Figures 13 to 17 have the reference numbers they have in those figures; some new tables have reference numbers that begin with " 3〇 ||. Some tables 300 in Figure 30 show how some tables used to define time intervals and attributes can be integrated into the decision database 2901. More generally, they show how a decision can be modified by adding additional units, and how many new unit types can be defined for the decision. A detailed construction example of the time interval starts with the k time interval, and these time intervals are defined in the time interval table 3025. The table includes: a schedule definition table 3023, which determines the name of the timetable that can be flti appear in Timelnterval 2809 in the generalized decision syntax 2801; and a schedule rule table 3025, which defines possible and definitions In “Schedule Definition •”, the names in Table 3023 have schedule rules associated with them. More than one schedule rule may have a given name -124- This paper is a Chinese standard (CNS) A4 Specifications (2) 0 × 297 mm) (Please read the notes on the back before filling out this page) ^ -------- Order --------- line. Staff of Intellectual Property Bureau, Ministry of Economic Affairs Printed by Consumer Cooperatives 4483 8 7

AT B7 Printed by the Intellectual Property Bureau of the Ministry of Economic Affairs, Consumer Cooperative, Co., Ltd. 5. Inventory Note (122). ScheduleDefm (Schedule Definition D) enables every g schedule rule defined in Table 3025 to be used in Table 3 The time schedule of the rules in 〇23 has a relationship, k Day Mask to Encj 〇ate (end date) The rules of the time schedule of Zhu Xi Peng will be sufficient. ,, Descript 丨 ⑽ "(Description) It contains a description of the rules and their purpose. As mentioned below, time intervals may be defined for the entire decision and for the attributes in the decision. Therefore, each item defined in the " access decision " table M Η Decisions now include a Schedule eDefID bit. Each such field will contain: a Schedule [eDefiD identifier] defined in one of Table 3203 for a time interval intended to be applied to the decision. 'When the decision server 2617 is deciding whether a decision is applicable to an action request, via: ScheduleDefID field for the time interval in the entries in the table for decision 丨 6 n; it can Enough to indicate the position of the time interval applied to a decision. Similarly, the "attribute specification" table 3007 will make the attribute related to: user groups, resource sets, websites, or services, far away The table includes: a ScheduleDefID field applicable to any time interval specified by that particular attribute. Finally, the mechanism used to define the time interval is also used in scheduling alert information—preferred examples: As a result, many of the entries in Table 3023 can also indicate locations from AlertSchedules " (Warning Information Schedule) Table 3201. The detailed construction examples of attributes will be used to define many attributes and make them possible Applied: user groups, resource groups, websites, and services are shown in some tables; the attribute table 3003 in Figure 30. A given attribute is composed of three tables: "Attribute-125- This paper Standards are applicable to China National Standard (CNS) A4 specifications (210 X 297 issued 1-- 'I .--------- installed. Closing (please read the back; please fill in this page) 44838 Member of Intellectual Property Bureau, Ministry of Economic Affairs Industrial and consumer cooperative seal * '^ A7 B7 ----- ^ V. Description of the invention (123) Mark "Table 3005 attributes" Table 3011, and 11 attribute specific, as defined in the entry in Table 3009. " The attribute tag " table 3005 will define a tag for attributes in ActionAttribute (s) within the decision definition syntax 2801. For each of these targets, there will be a posting item, which includes: Cai Yin 6's own attribute's enumeration; the 'precedence' of the token, and the type of attribute. The precedence of the tags defines which attributes will be applied when more than one attribute is connected to the decision evaluation. When a designation has a higher priority than another designation, the designation with a lower priority is ignored. Each attribute tag entry is identified by an " AttributeLabellD " (attribute tag ID). Each posting in " attribute " table 3 0 11 will show the current definition of the attribute. The definition may have one or more of the "attribute tags," which are listed in Table 3005. "Attribute tag ID " Stop. By the attribute tag" table 3005 The tags defined by the items represent the attributes defined by the items listed in Table 3, Properties. The current meaning of attributes is defined by some of the stops in Table 30. It includes: description of the attribute, its type, the ID of the server to which it is applied, and the device type of the server. The three fields: " AttributeFeaturelD " (attribute feature ID), " valuel " (number 1) and `` Value2 "(number 2) are all particularly interesting stops. There must be at least A "AttributeFeaturelD" field. This block will identify one of the entries in the "Attribute Feature" table 3009, which will define the types and ranges of the many numbers in the attribute., Vaiue ^ o ,, VaIue2 ”will define: the current range of a single number (Valuel), or the current range of two numbers (both Valuel and Value2); this number is selected from the target " is-126- this paper size Applicable to Chinese National Standards (CNS > A4 specifications (210 * 297 public love) 1 Ί I .--------- 'Installation -------- Order --------- Aunt (Please read the "1 Emperor? Matters on the back before filling out this page") 4838 Printed by the Consumer Property Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 B7 V. Description of the Invention (124) Many characteristics defined by the attributes in Table 3009 The type and range of 値. As will be apparent from the foregoing, the " attribute feature " table 300ί can be used To define many new attribute types. Each entry in Table 3009 will include the attributes that indicate the location of the entry, attributes, d, identification, and some shelving as follows: • Category 7 attribute belongs Other names (such as: service quality, checkout rate, or maximum number of transactions): • Feature ID: A number that uniquely defines a feature within its category;. Name: Users use it to understand The name of the feature: • Description: A description of the feature;. Data type: A definition that defines the type of many data of the attribute (for example: whether a single data or a pair of data is needed, and data type information);. Features Priority: An indication of the order in which many characteristics are applied to the evaluation attributes; • Number of priorities: an indication of the highest number in the range that is intended to be selected; and. Limitations on the limits of numbers —A kind of instruction. To define a new attribute category, the decision of the decision server 2617: the administrator just defines the "attribute characteristics" table 3_bis 2 special 4 and then starts to determine I use those characteristics of the genus #. It can be: for the decision executor 2609 that will execute decisions: 'yin: anything. It should be noted here: may be used to determine = 127- This paper uses the Chinese National Standard (CNS) A4 standard f f ------------ M -------- IT --------- line (please first Read the legal and legal matters on the back and fill in this page) 4 483Γ A7 B7 Ministry of Economic Affairs. ¾ Printed by the Ministry of Property, Industrial and Commercial Co., Ltd. V. Description of the invention (125) New genus 丨 Health & The Δ ·! Α used in the decision database 2901 is of much significance: new actions, new methods to identify users, and new resource types. There are three types of attributes already in use: the information in 3005, 3011, and 3009 plus = meaning, and it will be related to the entity to which an attribute may be applied. This entity is called: the subject of the attribute. · The attribute designation (At-ment) table j07 will specify these relationships. Each entry in the table "ο? Will make the attribute of the month contained in ί: AttributeLabellD" (attribute mark I d) related to the single: the royal body; it is expected that it may make the attribute and the-user group There is a relationship, and members of the user group may perform an action involving the subject. The right entry does not specify a user group, the attribute is applied to any use of the subject. In other cases, it is only applied when the user group is stated to use the main gift. The subject may be: use User group, resource set, website, or service; like with many fields B " user group 1D " ,,, resource group ID "site 丨 D.", and " server 丨 D " The value is stated as such. In the other fields in Table 307, it is indicated whether the attribute is active (that is, intended to be currently applied), when the application should start, when it expires, and the attribute. Whether the time interval is involved. ScheduleDefID value for the time interval. The "Priority" column indicates the priority that attributes will have among the many attributes assigned to a given entity. In deciding which attributes to use in making a decision, the misguided feeder 26II continues As follows: When the decision evaluation is completed, it is directed to the user group, resource group, website, or server that is related to the decision Donghan Khan estimate -128 paper size translation Chinese National Standard (CNS) A4 specification (210x 297 public love_ ^ ------------------- Media (Please read the notes on the back before filling out this page) 44838 7 ΑΓ B7 Printed by the Consumer Cooperative of the Intellectual Property Office of the Ministry of Economic Affairs The invention describes (126) any one of the many communication links in the search, and searches for the attribute in the attribute W. If the entity performing the action belongs to the "user group" targeted by the attribute application, it will follow from the table Attributes specified in 3007: When the link is gone, the attribute tags in Table 5 will be reached, in order: the attribute in 3011 'will finally come to the attribute characteristics of Table 9t. This follows each of the tables. Boom 1 ~ Dagger 4 (except Table 3011) will include priority The information is used to determine which attributes in Table 3011 will actually be evaluated for those attributes found along all communication keys. J Decide on each category of attribute separately Consider these priorities in the same way as defined by the attribute characteristics in Table 3009. Within each category, consider first: the priorities in the attribute assignments in Table 3007. Although those that share the same priority order All assignments are considered, but only those assignments with the highest priority number are considered further. Second, consider: For the remaining linked attributes, the tag precedence in the attribute tag in Table 3 2005 .Although all tags that share the same tag priority will be considered, only those tags with the highest number of priorities will be considered further. Second, consider: For the remaining linked attributes, in the ", attribute characteristics" table 3009 Feature priority in the postings in. Only those attributes that share the highest feature priority will be retained. Finally, For each attribute in Table 3011, the attribute is linked to the same entry in the "Attribute Characteristics" table 3009: the priority of the numbers in the "Attribute Characteristics" table 3009, by indicating the intended The choice of the highest or lowest number is used to decide: which genus from Table 3011 is used 129- This paper size applies to the 0 National Standard (CNS) A4 specification (210 x 297 issued) ^ Order- -------- Please read the phonetic on the back of the book? Matters and write this page again} 448387 A7 B7 V. Description of the invention (127 At this time, 'for the words in Table 30λ, what is the most defined in Table 30U? Many of the relevant attribute characteristics are posted, and the Hehe in the entry will remain as it is, and in these ... ^^ Duhe will be switched back for use in evaluating the decision. In some cases, the Sheben τ 1 stone must be called Mu Kezhen to indicate what kind of attribute number is required. And, if: 们: they and Zai Xian in the flute beans, and may be rejected: in other 掊 形 丁 々 " Seek open / close, and provide a number of attribute numbers to the implementation 2609 for execution of the action. The optimization of the attribute table 3003 and the time interval table 3025 is as discussed in the accessor 2Q3 described above. As depicted in Figure 21 and illustrated in Figure 21, the decision server 2617 in the-preferred embodiment borrows from you Ganshi * ... to make a lot of MMF files 2303 and make decisions poor The library 2901 is optimized. In the preferred embodiment, two new profile files have been added to optimize the information in watch fans 3 and 3 () 25. The two MMF files are as follows: • DBPn> perties (database "Features" file: Contains all the features, attributes, and schedules that can be applied to its files. This index is indexed by "characteristic ID" in those other objects. • DBPropertiesMetaData (database, property metadata) All properties have a name. This file is indexed by the property type name (for each of the competitive names contained in the DBproperper file) (There is one entry in the index); and some names are mapped to a list of many feature IDs so that they are within -130- this paper standard is applicable to the National Standards (CNS) A4 (210 X 297) (Issued) (please read the precautions on the back of the page before filling out this page) ^ --------- Order --------- Printed by the Consumer Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs 448387 Economy Printed by the Intellectual Property Bureau of the Ministry of Intellectual Property and Consumer Cooperatives * · 1 ^ A7 B7 V. Description of the invention (128) The case of the DBProperties building was quickly detected 2 User interface for time intervals: Figure 3

Figures 3 to 3 show that: in a preferred embodiment, the window used by the AT in the graphical user interface; used to: look at, the time interval (air time schedule) has been defined, the definition is for a The time-interval-term-cutting is only present, and the use of a time interval is associated with a decision. Beginning with Figure 31 of Min'keng, the figure shows: See 3 102 for displaying a defined schedule. Subwindow 3 103 lists the defined schedules of Jingu " 丨 匁 according to the name; Subwindow 3 106 lists all the defined rules according to the name. The displayed information is from the "Schedule Definition" table 30.3 and "Schedule Rules" table 3025. To see what kind of rule a schedule name represents, the user will choose to display it in the sub-window 3 1 03 The name in Chinese, as shown at 3 105, where "non-working time" has been selected. At this time, the schedule has two constituent rules: _ means workday of the week, and is displayed at 3107: One indicates that Saturday, "Weekday and Holiday Day" are displayed at 3 109. When the name of the schedule is selected, the rule (s) belonging to it are highlighted in window 3 1 06. Conversely, when the rule is selected The name of the schedule for many schedules using this rule will be highlighted. It is displayed at 3 1 1 1 in the sub-window 3 1 06: The rule for business hours: and it is displayed in the sub-window 3 103 : Some other schedule names. To generate a new schedule, when the sub-window 3 1 03 is in the active state, click the "Add" button and enter the new schedule name: then Choose a new schedule and will belong to Some of the rules are highlighted in sub-window 3 102 -131-This paper size applies to the China National Solid Standard (CNS) A4 specification (210 X 297 mm) ------------ ^ * ---- --- Order ----------- Line (Please read the notes on the back before filling out this page) 448387 A7 5. In the description of the invention (129). To change some rules assigned to a schedule , First select the name of the schedule, and then select a different rule for that name in the sub-window 3 丨 〇6. To generate a new rule for an existing schedule, first select the name of the schedule and click, The 'Add' button may generate new rules at the time, as described below. When in the sub-window 3 106, you can also click the " Add ' button to generate a new rule, and then make the new rule related to a schedule name%, as described above. By dragging a rule to the schedule name and discarding it on the schedule name, ^ is enough to make a rule related to a schedule name ^ knows the window used to generate a new rule It is shown at 3201 in Figure 32. A window used to modify an existing rule or generate a new rule. To modify an existing rule, double-click it. Entering information in the window will allow the user to: define the time interval (320.3) that is being applied to the decision or attribute based on the validity of the scheduled time, and define the weekly work day that the selected time is valid (3205), define the work week in which the schedule is valid (3207), and define a portion of the year in which the schedule is valid (3209). As shown in the figure, the window 3 2 0 丨 defines the schedule shown in FIG. 3 at 3 π 1. The schedule is indicated by " business hours ". The information shown in window 32〇i is from the "Schedule of Schedules", Table 3025, and many modifications made using Window 32〇1 are applied to the table β Figure 33 shows: Views that increase the time interval to the definition of a decision »Windows 3301 will be accessed by many users belonging to the" user group "(corporate) user group" Community "information set is limited to: at 33 〇3, “Business hours” schedule. When the user clicks on the box 33〇3, 132 will be displayed. • The paper size is applicable to the CNS A4 specification (21〇 × 297). Love> f 锖 Please read the notes on the back of # 1 before filling out this page) X- -------- Printed by the Intellectual Property Cooperative of the Ministry of Economic Affairs 4832 Printed by the Consumer Cooperative of the Property Bureau 8483 8 Print A7 B7 Five 'Invention Note (13) shows the entire list of many defined schedules' so the user may choose one or add a new name. When the user clicks, the definition " button 3305 Window will be displayed for the selected decision. If you are adding-items Name, if necessary, the user will fill in the new schedule ^ Window 3 2 01 ^ According to Figure 3 〇, choose in Figure 3 3-schedule will make, access to the decision table 1611 A "ScheduleDefID" field is filled in: for, the identifier of the entry in the schedule definition table 3023; and in Table 3203, the schedule name is included in its " name " stop If the name of the schedule is new, a new entry is added to the table for the new name. If a rule is added or modified, "the schedule rule, table 3025 will also be modify. User interface for attributes: Figures 3 to 3 7 The user interfaces for attribute definitions and assignments are similar. Figure 34 shows:-A window 3 4 01 listing a number of defined attributes of the type of quality of service (Qos). These attributes determine how much bandwidth is available for an access operation that is being performed according to a given decision. At 3401 'some attribute tags or names are listed. Here, four types of QoS attributes are defined: three types indicate the amount of bandwidth (" high ", " medium " ,,, and low "), and one ("highest priority") indicates the priority when there is a conflict (Priority). All of these properties have one. Priority, as shown at 3405. Many bandwidth attributes are all defined by "bandwidth" characteristics, as shown at 3407. The "number" for each attribute is defined at 3409. Only the "highest priority" will be There is "Number 2". As stated in Windows 3401, in the QoS bandwidth attribute: 11 high "will receive 512000 -133- This paper standard applies the Chinese National Standard (CNS) A4 specification ( 210 «297 mm) i— J I .----— — 111 --- I ---- Order * --- 11 * '^ (Please read the notice on the back before filling in this page) 448387 Printed by the Consumer Property Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 B7 V. Description of the invention (131) The maximum bandwidth '" Medium ·' will receive a maximum bandwidth of 64000, and " Low 'will receive a maximum frequency of 3 2000 together width. Regarding the "highest priority", the priority specified in the attribute must be between the "number 1" and "number 2", the two numbers specified. The information in window 3401 is of course from three tables: 3005, 3011, and 3009. Figure 35 shows a window 350 1 for assigning a QOS attribute to a user group, information collection 'website, or service. In the window 3503, it shows: for all user groups (3507), how have the three types of QoS bandwidth attributes (3509), • Medium ", " High, and Low ", respectively specified To the World Wide Web Service's file transfer service and remote access service (35 1 1), and how has the "high" q〇s priority attribute been assigned to "Finance" (Finance). Use Subject group. Many different assignments reflect the fact that bandwidth is an attribute of a communication service and priority is an attribute of one of the users of the communication service. Therefore, within the bandwidth available for network services, many members of the Finance " user group have high priority. As shown by this example, more than one action attribute may be applied to a decision. If it is possible to generate attributes for a topic by selecting user groups and topics from two sub-windows 3 5 13 and 3 5 1 5 respectively, attribute designation will be promoted. The selections you make in this window will of course be applied to the M attribute assignments table 3007. In the same general way as Windows 3 102 touches many windows that are used to define the attributes and characteristics of attributes, you can further use Windows 3 5 03 ° Figure 36 shows: used to read, modify, or generate, attribute tags ,, Table 3001 [in the window 360i of the items listed. Here, the item that is being read is pin -134- this A-sheet scale family standard kcns ... specifications ⑵㈤ π public love) (please note on the back of fiati? Matters before filling out this page) ^ -0 ------ Knot

4483S A7 B7 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 5. Description of the invention (132) Yes, ’’ QoS bandwidth attributes. At 3603, there are displayed: "posted items," mark "," description ", and" mark priority "number of digits. Administrators with appropriate access rights can of course go through window 3 6 〇丨 And change the number of these blocks: At 3605, it displays: For the attributes associated with the tag, from, the information of the entry in the attribute 1_ table 301 丨. There is displayed: The current number of the number 1 and the name of the feature. Of course the name of the feature comes from the "attribute feature" table 3 for this attribute. Furthermore, these numbers may be edited via the window 3601 button 36. 7 is used to view a window, and the window will display: The complete contents of the items listed in "Attributes," Table 3.009. Figure 37 shows this window. Window 3701 is used to define a number of new attributes for a given attribute class and new attribute classes. Of course, the window will operate according to the number of entries in one of the "Attribute Features" table 3009. Box 3703 is a list of many attribute categories; new categories may be defined by adding to the list. Box 3705 is the name of the current feature; a posting item is uniquely identified between them (category and name), and the category and name correspond to " category " and, of the many postings in Table 3009, Name, two fields. In this case, the 'post item' is for qoS " priority attribute ". "Description, • Box 3707 will contain: the number of" Description "in the item being reviewed. 3709 indicates: what kind of data type does the feature have 'here 疋 a pair of numbers' as shown in Figure 3 4 At 3 7 Π, the current settings of "Feature Priority" and "Number Priority" are displayed: while at 3 7 1 3, any restriction information will appear. Conclusion-135- This paper size is in accordance with the Chinese National Standard (CNS) A4 specification (210 X 297 mm) < Please read the precautions on the back before filling this page) 装 —- ， I nl · i— ni ^ i nickel

44838 J Printed by the Consumers ’Cooperative of the Intellectual Property Bureau of the Ministry of Economic Affairs A7 ________B7______ V. Description of the Invention (133) 3 Conclusion + The previous statement has been disclosed to those who are familiar with the technology related to the statement: used to build a universal decision-making The best mode of the server, this mode is now well known to many developers of the universal decision server disclosed herein. As described above, the two basic characteristics of a universal decision server are: the separation of decision evaluation from decision execution, and the scalability of the many types of actions that can be targeted for decision making. The execution components may be located at different levels in the system to which the decision is applied; and many decision evaluation components may be located away from many decision components. Although the techniques used to separate decision evaluation from decision execution, as well as techniques that enable decision types to be extended to make decisions scalable, may be applied to any mechanism used to define them; however, when the technology is used based on some actions and many They are particularly useful when a collection of entities is used to define a decision-making system. In these systems, it may also be possible to expand the types of entities that perform actions and the types of entities to which they perform actions. It will increase the usefulness of the system, and some of the features of the decision execution system disclosed here are: the attribute of action, which defines the method and time interval in which it intends to perform another authorization by decision making; the time interval will Meaning: The time when a decision is valid or an attribute is applied to an action: First, the graphical user interface will provide: a simple definition and manipulation of many decisions and their components. s It will be immediately obvious to those who are familiar with the relevant art -136- This gray sheet scale re-orders 圏 National Standard (CNS) A4 specification (210 x 2g7 public) 1 -------- --- K -------- Order --------- (Please read the cautions on the back and fill in this page first) 4 * 483 8 " A7 _____B7_ V. Description of the invention ( 134) That way, many of the techniques described here may be applied to any kind of decision execution system: and even those that are most useful in a decision execution system that defines decisions in the way described here, It may be structured in many different ways. For example, it may use different graphical user interfaces' may use different database systems to construct decisions: and in a given database system, many different table arrangements may be used. Infinitely many other embodiments of the many principles disclosed herein are possible; and, for this reason, 'in all respects, it is intended to treat " explanation " as an example and not restrictive; therefore, the text disclosed herein is decided Coverth of invention ) Does not come from " Explanation ", but from the scope of patent application as explained using the full coverage allowed by patent law. Lr-, ---------- 装 ---- ---- Order ---- (Please read the notes on the back before filling this page} 、 Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs-137- This paper size applies to China National Standard (CNS) A4 specifications ( 210 χ 297 mm)

Claims (1)

Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs 448387 A7 ------- B7 V. Description of the Invention () 1.-A decision-making execution system for decision-making. Many of the first-defined Zhao-Zhao may perform actions that belong to the first facet of many second entities that are sufficient in the computer system. The types of decision-making implementation systems ^ include: ': Decision server 'It includes a decision database of one of the many decisions; and a decision executor; it controls the performance of the first type of action and can communicate a request to the first type of action to the decision server ; Only if it comes from the decision server: device = response instruction: the decision allows the action, the decision implementer will not allow staring and executing, and the decision execution system has the following characteristics: The decision database can be expanded to include釺 Decisions on actions that belong to the additional type; therefore, it is possible to add a policy implementer that will control the decay of the additional type and the action of the action. System. 2. A further feature of the decision execution system according to item i of the scope of patent application is: the decision database is a category that defines decisions based on the collection of the first entity and the collection of the second entity; and, "The decision database is accessible -The step is expanded to include:-an additional first entity type and / or an additional second entity type. 3. According to the decision execution system of the second patent application scope, the further step is characterized by: 行动 an action The attribute may be related to the collection of the first entity and / or the collection of the second entity in the database. The action attribute will state: -138 · This paper size applies the Chinese National Standard (CNS) A4 specification (210 x297 (Gongchu) 4, ---------. Install -------- Order · -------- ^ (Please read the precautions on the back before filling in this page) 448387 A8 B8 C8 D8 Sixth, the scope of the application for patents-'Many entities in the collection of bodies and, or many entities in the second real-i and δ, are stated in a way, according to. 弋 in the decision-item Action 4. According to the decision of the Chinese Patent Patent Park, the third feature is: Department .. No 'one step with a decision database can be further shaken. Age' ... 5 · According to the scope of the patent application, the following features are: The additional decision implementer will be executed in the computer department, and this level is at the control level of the decision implementer. ㈣The actions are different. The level of execution is 6. According to the scope of the patent application, the characteristics are as follows: &amp; At least one of the electricity is in a position in the 4 system away from the decision server 7- The features of the park are: fk line system, further system, further system, further k -------- order --------- line. Please read the note on the back first Please fill in this page for further information.) Employees of the Intellectual Property Bureau of the Ministry of Economic Affairs, Consumer Cooperatives, and M. The decision implementer will control the second entity that is not part of the computer system. 8. Types of collections that are based on the first entity and the second entity , As well as a decision database that defines multiple categories of decision making—predetermined decisions will make sense: the set that belongs to a given first entity—the entity may target entities that belong to a set that belongs to a second entity—entity enforcement One of the papers-139- This paper size is applicable to the Chinese National Standard (CNS) A4 specification (21 × 297 mm) 448387 A7 --------- B7 V. Description of the invention () The decision database has the following characteristics: An additional condition may be associated with the established decision in the database, and the additional condition may request an entity to submit a poem request in one of the collections belonging to the established first entity to execute The collection of second entities-the entity's intended action at the time determines whether the requesting entity is likely to perform that action. 9. According to the decision database of the 8th scope of the patent application, it is further characterized by:-The additional condition is that a time interval specification associated with a given decision 'the time interval specification will specify the time interval; During this period, many entities belonging to the set of the first entity specified in the given decision may be executed: for many entities belonging to the set of the second entity specified in the set, the set of actions stated therein. Π) '-a type of decision database that belongs to a set of first entities, a set of second entities, and many actions to define the type of decision. The set of two entities—entity-performed—item established actions; The decision database has the following characteristics:-The item may be in the database with the set of the established first-entity and / or the set of established second entity Relevant, the action attribute will state: The method by which the intended action is set out in the stated decision. η. According to the decision database of the 10th scope of the patent application, the collection is: -140 The paper size applies the Chinese National Standard (CNS) A4 specification (210x297) (please read the precautions on the back before filling this page) .si --------- Order ---------, ¾ Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economy 44838 7 0088¾ ABCS Printed by the Consumer Cooperatives of the Intellectual Property Bureau of the Ministry of Economic Affairs Qing = ° The application policy library is expandable, which includes many new action attributes. The state library's step has special action attributes, which may be related to the database and action attributes. The action attribute conditions will At ten :: at the time of the request for decision: it belongs to the established first-the actual request to prove whether it can be performed against the second entity of the established second =-the requesting entity's predetermined action -141-This paper size is applicable to China Solid State Standard (CNS) A4 (210 X 297 mm) ------ (-II n II I---1 «n--one., * It --I f [I f (Please read the notes on the back before filling in the <Page)