Architecture for controlling access to services by concurrent clients

FIELD: physics; computer engineering.

SUBSTANCE: the invention relates to server systems that facilitate subscriber tracking and administration. The architecture makes it possible to withhold regular, periodic service from all but a selected number of concurrently existing clients associated with a subscriber, without any manually administered list of specific computers on the server. Instead of requiring an administered list, the system detects which clients are active, enters the active clients into an active list, and excludes every client that is not in the active list. The system includes one or more rules whose enforcement provides a mechanism guaranteeing that a subscriber neither adds an unlimited number of clients nor rotates clients into and out of the pool so as to effectively obtain service on more computers than the subscriber is authorized for.

EFFECT: broader functional capabilities for offering services from a server.

25 claims, 11 drawings

 

The technical field to which the invention relates

This invention relates to software back-end systems, and in particular to a server architecture that facilitates subscriber tracking and administration.

Prior art

A subscription may be issued or purchased that entitles the subscriber to a predetermined number (denoted "n") of simultaneously active clients, each client running on a separate machine, and that entitles those clients to access services on a central server. Each client may query the server for periodic but regular service. One problem with this arrangement is enforcing a policy or rule that prevents the subscriber from running more than "n" simultaneously active clients. At the same time, it is important to ensure that the subscriber does not systematically rotate the clients that access the server so as to effectively obtain a greater volume of service than the subscriber is entitled to.

One way to administer this is to assign each client a unique identifier and to require the subscriber to accurately maintain a list of the clients that are to be served. This administered list is loaded into the server, and each time a client attempts to connect, the server checks whether the connecting client is on the list of those authorized to connect. The subscriber is responsible for adding machines to and removing machines from its approved list.

One disadvantage of this method is that it imposes the burden of explicitly maintaining a list on both the subscriber and the service provider (ISP). The service provider may need to maintain computer-based and telephone-based service-center resources to facilitate the maintenance of these lists, which increases operating cost. The subscriber cannot simply connect a new client and disable an old one; the subscriber must keep the list accurate and up to date or will not receive the desired level of service, which also increases operating cost. For example, if the subscriber connects a new client to the service and simply takes an old client out of service, the subscriber cannot do so without access to the list. In large organizations this places an additional burden on the information technology administration staff.

One existing scheme of automated licensing is the "floating license" server. The license server is a centralized resource configured to allow "n" users to access the resource simultaneously. The floating license server provides a way for a client to connect to the license server and "check out" a license. Once the maximum number of licenses has been checked out, the server refuses further license requests until some of the existing licenses are released. Some license servers set a maximum time for which a license may be held, after which the client loses the license and must obtain it again. One limitation of the license-server approach is the following. The license server is intended for environments where continuous access to the resource makes sense and is required. For example, if a user accesses an SQL (Structured Query Language) database or an Exchange server, that access is generally required continuously. Therefore all that is required is a floating-license scheme in which only simultaneous use is measured, and the owner of the clients must purchase enough licenses to satisfy all clients that need a continuous connection.

Thus, an improved subscription/licensing and tracking mechanism is required.

The invention

The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented below.

The present invention, disclosed and claimed herein, in one aspect provides an architecture that allows client machines to subscribe to a subscription service and then to enter and leave it dynamically and in an unplanned manner. Thus, when a new client machine of the subscriber authenticates to use the service, it is automatically placed on the list of active machines that are allowed. However, that permission is subject to checks that ensure that the subscriber has not exceeded the allotted number of concurrent clients. This limit on simultaneous clients is enforced automatically by activating and applying rules that act as constraints on the subscriber. The result of this automatic enforcement is that administered tables, and hence the need for an administrator to manage those tables, are no longer required.

In another aspect of the present invention, the subscription service enforces a substitution rule, which expresses how often a new client machine may be placed in service to replace an old machine.

In another aspect of the present invention, the subscription service enforces a frequency rule, which expresses the number of times a client may leave the service and re-enter it within a given period of time.

To achieve the foregoing and related ends, certain illustrative aspects of the invention are described herein in connection with the following description and the annexed drawings. These aspects are, however, indicative of only a few of the various ways in which the principles of the invention may be employed, and the present invention is intended to include all such aspects and their equivalents. Other advantages and novel features of the invention may become apparent from the following detailed description of the invention when considered in conjunction with the drawings.

List of drawings

Figure 1 - illustration of a system in accordance with the present invention.

Figure 2 - illustration of a peer-to-peer system in accordance with the present invention.

Figure 3 - illustration of a flowchart of the subscription process of the present invention.

Figure 4 - illustration of a flowchart of the subscription process in which additional rules are imposed, in accordance with the present invention.

Figure 5 - illustration of a flowchart of a process of the present invention that allows all of the subscriber's clients to access the service and bills the subscriber accordingly.

Figures 6A and 6B - illustration of a methodology that provides a more detailed implementation of the general scheme described with reference to Figures 3 and 4 of the present invention.

Figure 7 - illustration of a flowchart of a subscription process that governs the subscription according to activity information and the subscriber's account.

Figure 8 - illustration of a system that uses artificial intelligence in accordance with the present invention.

Figure 9 - block diagram of a computer capable of executing the disclosed architecture.

Figure 10 - schematic block diagram of an illustrative computing environment in accordance with the present invention.

Detailed description of the invention

The present invention is now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It may be evident, however, that the present invention can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the present invention.

As used in this application, the terms "component" and "system" are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a server and the server itself can be a component. One or more components may reside within a process and/or thread of execution, and a component may be localized on one computer and/or distributed between two or more computers.

As used herein, the term "inference" refers generally to the process of reasoning about or inferring states of the system, environment and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action, or can generate a probability distribution over states, for example. The inference can be probabilistic, that is, the computation of a probability distribution over states of interest based on a consideration of data and events. Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity, and whether the events and data come from one or several event and data sources.

Figure 1 illustrates a system 100 in accordance with the present invention. System 100 makes it possible to withhold regular, periodic service from all but a selected number of concurrently existing clients associated with a subscriber, without any manually administered list of specific computers on the server. Instead of requiring an administered list, the system 100 detects which clients are active, places the active clients in an active list, and excludes every client that is not in the active list. However, the system 100 must not be too liberal in granting admission, because if it were, no limit would be enforced. Therefore the system includes a set of rules that provide a mechanism to ensure that the subscriber does not add an unlimited number of clients and does not rotate clients into and out of the pool so as to effectively obtain service on more computers than the subscriber is authorized for.

To support this, the system 100 includes one or more services 102 hosted on a subscription server (not shown) that provide the service(s) to one or more subscriber clients 104 (also denoted Subscriber Client1, ..., Subscriber ClientN). The clients 104 access the service(s) dynamically and in an unplanned manner through a network 106, which may be, for example, a wired/wireless local area network (LAN), a wide area network (WAN) or the Internet. The clients 104 include, at least, personal computers, portable computers, personal digital assistants (PDAs) and portable communication devices, any or all of which may access the service(s) through conventional means of communication. In accordance with the present invention, the system 100 also includes a rules component 108 that enforces one or more rules against the subscriber's account. The rules include, for example, a limit on the number of simultaneously connected clients, a "substitution" limit on the number of clients that may be replaced within a given period of time, and a "frequency" limit on how many times a given client may re-subscribe to the service(s) within a given period of time.

It should also be understood that the one or more rules imposed on one subscriber may be the same as, different from, or partly overlapping with the one or more rules imposed on another subscriber. Thus, many different rule sets may be available in the system 100 for imposition on the clients of different subscribers.

The system also includes a tracking component 110 that tracks the activity of the subscriber's clients and bills the subscriber accordingly. For example, if the subscriber is permitted to exceed the substitution and/or frequency parameters, the tracking component 110 records that activity (for example, in the active list) and bills the subscriber for the excess use.

Throughout this description the language of client/server computing is used; however, the present invention applies equally to peer-to-peer computing, where the access control limits the number of peer devices that have access to one another.

With respect to the floating license server, it is limited in comparison with the present invention. Often continuous access to the server is not required, which would allow a customer to buy a very small number of client licenses and rotate the licenses among a very large number of clients. In that case the license server would be forced to provide the service. The customer could buy a small number of licenses and then cycle thousands of clients through those few licenses, and the existing systems do not restrict this use. A license server does not track the identity of the holder of a floating license, and if any control over the licenses is supported by the floating license server, it requires manual administration to restrict issuance in every case. The present invention issues licenses to clients automatically, but does not allow anonymous rotation of a much larger number of clients than the number authorized.

Figure 2 illustrates a peer-to-peer system 200 in accordance with the present invention. In this embodiment, the system 200 includes two interconnected peer clients (such as the clients 104 of Figure 1): a first peer client 202 (denoted Client1) and a second peer client 204 (denoted Client2). Note, however, that any number of clients may be connected in a peer-to-peer topology. The first client 202 has an associated first rules component 206 that enforces one or more rules against the second client 204 when the latter seeks to connect to the first client 202. Similarly, the second client 204 has an associated second rules component 208 that enforces one or more rules against the first client 202 when the latter seeks to connect to the second client 204. These rules may include, but are not limited to, a limit on how many times a peer device may connect to another peer device, and a limit on the frequency with which a peer device connects to another peer device.

It should also be understood that the rules of the first rules component 206 may be different from, or partly overlapping with, the rules imposed by the second rules component 208. Thus, the first client 202 may limit the frequency of the second client 204, while the second client 204 may not limit the frequency of the first client 202.

Figure 3 illustrates a flowchart of the subscription process of the present invention. While, for purposes of simplicity of explanation, the one or more methodologies shown herein, for example in the form of a flowchart, are shown and described as a series of acts, it is to be understood and appreciated that the present invention is not limited by the order of acts, as some acts may, in accordance with the present invention, occur in a different order and/or concurrently with other acts from those shown and described herein. For example, those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram. Moreover, not all illustrated acts may be required to implement a methodology in accordance with the present invention.

At step 300, the subscriber subscribes to the subscription service for a predetermined number of clients. At step 302, a new client attempts to connect by authenticating to the service on a dynamic and unplanned basis. At step 304, the service applies one or more rules to the subscriber. At step 306, the service determines whether the new client is restricted from remaining connected to the service. If not, the flow proceeds to step 308 to allow the client to remain connected and receive the service. In other words, the client must connect in order to prove its identity, and the server then determines whether the client is to be served. At step 310, the client is placed in the active list of clients currently connected under the subscriber's account. At step 312, one or more clients may then be removed from the active list if necessary. At step 314, this activity may be logged. The flow then returns to step 302 to process any other clients that attempt to connect to the service.

If the service restricts the connection of the new client, the flow proceeds from step 306 to step 316 to prevent a long-term connection. The flow then proceeds to step 314 to log this activity.

In one implementation, along with the limit on the maximum number of machines concurrently in service, two additional rules are imposed on the subscriber. However, in one embodiment, if the rule on the number of concurrent clients is not violated, the client is automatically allowed a long-term connection regardless of the outcome of any of the remaining rules. In another implementation, the connecting client must satisfy all of the rules before a long-term connection is allowed. The second rule concerns the permitted "substitution", that is, how often any new machine may be placed in service to replace an old machine, and the third rule concerns the permitted frequency of re-subscription by individual machines. Substitution may be defined in terms of the number of new systems that are allowed to log in to the service per day, per week or per month (once the "n" subscription maximum has been reached). The permitted re-subscription frequency may be defined in terms of the number of times a computer may leave the service and re-enter it per week, per month or per year.

Note that each service will have a characteristic limiting time frame for substitution and for cyclic rotation of clients that makes sense for that particular service. If efficient operation of the system requires that a client receive an update only every six months, the time frame for prohibiting substitution should match that six-month interval. Similarly, for the rotation time frame, if efficient operation of the system requires that a client contact the server only every six months, the time frame for prohibiting rotation of clients should match that six-month interval.

Figure 4 illustrates a flowchart of the subscription process in which additional rules are imposed in accordance with the present invention. At step 400, the subscriber subscribes to one or more services for a predetermined number of clients. At step 402, a client attempts to connect to a service on a dynamic and unplanned basis. At step 404, the service applies one or more rules to the subscriber's account. At step 406, the system determines whether the limit on the number of concurrent clients has been exceeded. As indicated previously, this may be the dominant rule that by itself allows the client a long-term connection; in that case any remaining rules are not processed for this client. Accordingly, the flow proceeds to step 408 to allow the client a long-term connection. At step 410, the client is placed in the active list. At step 412, if necessary, one or more clients may be removed from the active list. The flow then proceeds to step 414, where the system logs this activity for processing. The flow then returns to step 402 to process the next client that attempts to connect.

If the system determines that the limit on concurrent clients has been exceeded, the flow proceeds from step 406 to step 416 to prevent a long-term client connection. The flow then proceeds to block 414 to log the activity.

In an alternative embodiment, in which the client must satisfy one or more rules in addition to the concurrent-client limit, if at step 406 it is determined that the number of concurrent clients is not exceeded, the flow proceeds to step 418 to determine whether the substitution limit has been exceeded. If so, the flow proceeds to step 416 to prevent a long-term connection. If the substitution limit is not exceeded, the flow proceeds from step 418 to step 420 to determine whether the frequency limit has been exceeded. If so, the flow proceeds to step 416 to prevent a long-term connection. If none of the subscription rules is violated or exceeded, the flow proceeds from step 420 to step 408 to allow the client a long-term connection, and the client is placed in the active list, as indicated by step 410. The flow then proceeds in accordance with the above description.

In the preceding discussion it was assumed that the server applies the access restrictions at the time the client enters the service, and denies access to a client that has exceeded any of the thresholds. Another strategy is to grant all clients access to the server, count the number of active clients in the system, and bill the subscriber based on the number of active clients. This approach has the capability of tracking subscriptions off-line as part of the billing and rating process.

Figure 5 illustrates a flowchart of a process of the present invention that allows access to all of the subscriber's clients and bills the subscriber accordingly. In this implementation, the substitution counter is allowed to increase beyond the predetermined limit, and the value recorded by the counter is treated as the number of clients in service on a given day. The billing system reviews each entry in the log file and, for each unique subscriber, monitors the rate of substitution. Additionally, the number of times a client re-enters the service within a particular period (for example, six months) is measured. Any client that enters the service more than a certain number of times within the specified interval is counted as an additional client for billing purposes. Thus, the rules are monitored not for the purpose of denying service but in order to measure usage for accurate billing.

At step 500, the subscriber subscribes to the service(s). At step 502, each of the subscriber's clients is associated with a credential (account access parameters formed after successful authentication of the subscriber) that uniquely identifies it. The credential may include, for example, an e-mail address and/or a user password. At step 504, a client of the subscriber attempts to establish a long-term connection to the service. At step 506, the server automatically allows the new client to authenticate and remain connected. At step 508, the server monitors the activity associated with the new client's connection through an activity log and applies the activity information to the subscriber's account. At step 510, the subscriber is notified of the sign-up of the new client, as feedback and as a means of ensuring that the client is one of the subscriber's clients. This notification may include sending the new client's credential back to the subscriber so that the subscriber can check whether the new client belongs to the subscriber's system. If it does not, the subscriber should immediately notify the service to prevent access. At step 512, a billing process is run periodically to determine how many clients logged in to the server during the preceding period, so that the corresponding charge can be assigned to the subscriber. The billing system checks all logged access events, determines the number of clients that concurrently used the system, and generates the bill according to a predetermined rate for that number of clients. The process then reaches a stop block.
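The billing-mode process of steps 500 to 512 can be shown end to end on a log. The following is an added example and not the patent's own code: the access log, the rate schedule and the "two entries per period" threshold are constructed here, and concurrency is approximated per day by the distinct client identifiers seen that day (the substitution counter "run past n"), which is one reasonable reading of the description rather than a detail the text fixes. Every connection in the log was allowed; the only enforcement is the bill.

```python
"""Billing-mode tracking (Figure 5): every connection is allowed and logged; the bill is
computed afterwards from the log instead of denying service at connect time."""
from collections import defaultdict
from datetime import datetime

# Constructed access log: (ISO timestamp, subscriber, client_id), one row per successful
# connection. In billing mode nothing here was refused at the time of connection.
ACCESS_LOG = [
    ("2024-03-01T08:00", "acme", "A"), ("2024-03-01T08:05", "acme", "B"),
    ("2024-03-01T08:10", "acme", "C"), ("2024-03-01T09:00", "acme", "D"),   # 4 machines on 1 March
    ("2024-03-01T11:00", "acme", "A"), ("2024-03-02T08:00", "acme", "A"),
    ("2024-03-02T08:01", "acme", "B"), ("2024-03-02T14:00", "acme", "A"),   # A keeps re-entering
    ("2024-03-03T08:00", "acme", "E"),
    ("2024-03-01T08:00", "globex", "G1"), ("2024-03-02T08:00", "globex", "G2"),
]
# Constructed rate schedule: (clients covered, price for the period) plus per-client overage.
RATE_SCHEDULE = [(3, 300), (5, 450), (10, 800)]
OVERAGE_PER_CLIENT = 120


def parse_log(rows):
    return [(datetime.fromisoformat(ts), sub, cid) for ts, sub, cid in rows]


def first_seen(entries):
    """Step 510: the first appearance of each client, to be sent back to the subscriber
    so it can disown a machine it does not recognise."""
    seen, out = set(), []
    for ts, sub, cid in sorted(entries):
        if (sub, cid) not in seen:
            seen.add((sub, cid))
            out.append((sub, cid, ts))
    return out


def usage_by_subscriber(entries, max_entries):
    per_day = defaultdict(lambda: defaultdict(set))       # sub -> day -> clients seen
    entry_counts = defaultdict(lambda: defaultdict(int))  # sub -> client -> entries
    for ts, sub, cid in entries:
        per_day[sub][ts.date()].add(cid)
        entry_counts[sub][cid] += 1
    usage = {}
    for sub, days in per_day.items():
        peak = max(len(clients) for clients in days.values())   # substitution counter run past n
        heavy = sorted(c for c, k in entry_counts[sub].items() if k > max_entries)
        usage[sub] = {"peak_clients": peak, "heavy_rotators": heavy,
                      "billable_clients": peak + len(heavy)}    # each rotator bills as one more client
    return usage


def price(billable):
    for limit, fee in RATE_SCHEDULE:
        if billable <= limit:
            return fee
    top_limit, top_fee = RATE_SCHEDULE[-1]
    return top_fee + (billable - top_limit) * OVERAGE_PER_CLIENT


def bill(rows, max_entries=2):
    """Step 512: periodic billing run over the log for the period."""
    usage = usage_by_subscriber(parse_log(rows), max_entries)
    return {sub: dict(u, amount=price(u["billable_clients"])) for sub, u in usage.items()}
```

With the constructed log, "acme" shows four distinct machines on 1 March and one machine (A) that entered four times, so it is billed for five clients; "globex" never exceeds one. The first_seen list is what a subscriber would be shown to spot a machine it does not own.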

Figures 6A and 6B illustrate a methodology that provides more specific details of the implementation of the general scheme described with reference to Figures 3 and 4 of the present invention. In particular, these details cover how the active lists are maintained using uniquely identified clients, using an active list and a "pending retirement" list, and how the substitution, frequency and maximum-client rules are evaluated. For purposes of discussion and not limitation, it is assumed that the subscriber is allowed a maximum of three concurrent client subscriptions for accessing the server, that the permitted substitution is one client per day, and that the permitted re-subscription frequency for a client is twice per year (i.e., the third time in the year it is refused). The choice of twice per year is meant to allow a machine that is taken out of service for repair to be replaced by a "rented" machine and then put back in service when it returns from repair. It is further assumed that the subscriber has six client machines, labeled A, B, C, D, E and F, where A, B and C are the "initial" clients concurrently connected to the services.

At step 600, the subscriber subscribes to the services for a predetermined number of three clients. At step 602, the initial clients A, B and C are powered up and configured to access the server. These initial clients authenticate to the server using the subscriber's credentials, and the clients identify themselves uniquely as A, B and C. The server is now automatically configured to assume that clients A, B and C are the clients entitled to service. At step 604, the server places clients A, B and C in the active list. The subscriber has now reached the maximum number of concurrently allowed subscriptions. At step 606, the server records the date and time at which the subscriber reached the maximum number of allowed subscriptions. At step 608, the server sets the substitution counter to zero and the frequency counter to zero.

When the subscriber wants to shut down a client and replace it with a new client D, the subscriber simply does so. At step 610, the new client D authenticates to the server to receive services. At step 612, the server checks the substitution counter and, since it is set to zero, allows the new client D access to the resource, applying the liberal policy of assuming that one of the existing machines in the active list is being taken out of service. At block 614, the substitution counter is now set to "1", and the date and time of the change are recorded as the "last substitution" timestamp.

Continuing on Figure 6B, at step 616, the server now places the new client D in the active list and moves the initial clients A, B and C from the active list to the "pending retirement" list. At step 618, clients B and C re-authenticate. New clients attempting to authenticate are checked against the active list and the pending retirement list to identify them as "new", and they are denied access because the substitution counter is equal to one. At step 620, the clients on the pending retirement list re-authenticate to the server and are moved back to the active list one by one. Thus, the server moves the original clients B and C back into the active list. Once the active list is full again (as in this example, where there is again a maximum of three computers in the active list), all computers remaining on the pending retirement list are in effect considered to be out of service and are removed from the list (as indicated by step 622, the original client A is removed).

If on the same day a new client E attempts to log in to the service, the server checks the timestamp of the last substitution and, since less than one day has passed since the last substituted client (i.e., client D), the server checks the substitution counter. Since the substitution counter is at its maximum of one, the new client E is denied access to the server, as indicated by step 624. At step 626, when the specified time period expires (in this example, one day from the time the last client entered service), the substitution counter is reset to zero. For example, if client E attempted to log in to the service more than twenty-four hours after the first substituted client, the server would check the timestamp of the last substitution; since that timestamp was set more than twenty-four hours ago, the server would reset the substitution counter and admit client E to the service. In this example, substitution is measured discretely from period to period. However, a running average could also be applied. At step 628, the server process continues by checking newly authenticating clients against the substitution and frequency restrictions and by other processing, as appropriate.

Whenever a client is placed in service by placing the client identifier in the active list, the date and time of that event are also logged. This can be recorded in a central database on a per-client basis. This is a secure way of storing the information, and it places the information under the tight control of the server. Thus, in the above example, if client D and/or E had already entered service twice in the last three months, then client D and/or E would likewise be denied access to the service and would not be allowed into the active list.
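The rule evaluation of Figures 3 and 4 and the list handling of Figures 6A and 6B are the same mechanism, so one example serves both passages. The following is an added example, not code from the patent: it keeps an active list, a pending-retirement list, a substitution counter with a "last substitution" timestamp, and a per-client entry log that plays the role of the frequency counter. Two points the text leaves open are fixed here as assumptions: a client returning from the pending-retirement list is not logged as a new entry (only admissions from outside either list are), and the frequency check counts every logged placement into service, so with a limit of two the third placement within the window is refused, which matches both the "twice per year" parameter and the "entered twice in the last three months" example. The timestamps are constructed.

```python
"""Active-list subscription control: concurrent limit, substitution counter,
pending-retirement list and per-client re-entry (frequency) log."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    max_active: int                   # "n" concurrently active clients
    substitutions_per_period: int     # new machines admitted per period once n is reached
    substitution_period: timedelta    # e.g. one day
    max_entries_per_window: int       # placements into service a client may make per window
    frequency_window: timedelta       # e.g. one year


@dataclass
class Subscription:
    policy: Policy
    active: list = field(default_factory=list)
    pending_retirement: list = field(default_factory=list)
    substitution_count: int = 0
    last_substitution: Optional[datetime] = None
    entry_log: dict = field(default_factory=dict)   # client_id -> [datetime], kept per client
    audit: list = field(default_factory=list)       # (time, client, decision, reason)

    def _decide(self, now, client_id, allowed, reason):
        self.audit.append((now, client_id, "allow" if allowed else "deny", reason))
        return allowed

    def _admit(self, client_id, now):
        self.active.append(client_id)
        self.entry_log.setdefault(client_id, []).append(now)

    def authenticate(self, client_id, now):
        p = self.policy
        if client_id in self.active:                       # already in service
            return self._decide(now, client_id, True, "already active")
        if client_id in self.pending_retirement:           # returning after a substitution (620)
            self.pending_retirement.remove(client_id)
            if len(self.active) >= p.max_active:
                return self._decide(now, client_id, False, "active list already refilled")
            self.active.append(client_id)                  # assumption: not a new entry
            if len(self.active) == p.max_active:
                self.pending_retirement.clear()            # stragglers are retired (622)
            return self._decide(now, client_id, True, "returned from pending retirement")
        # Unknown to both lists: a new (or previously retired) machine. Frequency rule first;
        # the entry history survives retirement, so rotation is visible here.
        since = now - p.frequency_window
        if sum(t > since for t in self.entry_log.get(client_id, [])) >= p.max_entries_per_window:
            return self._decide(now, client_id, False, "re-entry frequency limit")
        if len(self.active) + len(self.pending_retirement) < p.max_active:
            self._admit(client_id, now)                    # below n: simply add
            return self._decide(now, client_id, True, "below concurrent limit")
        # n reached: the newcomer must replace an old machine (substitution rule).
        if self.last_substitution and now - self.last_substitution >= p.substitution_period:
            self.substitution_count = 0                    # period expired (626)
        if self.substitution_count >= p.substitutions_per_period:
            return self._decide(now, client_id, False, "substitution limit")
        self.substitution_count += 1
        self.last_substitution = now                       # (614)
        self.pending_retirement.extend(self.active)        # everyone must re-authenticate (616)
        self.active.clear()
        self._admit(client_id, now)
        return self._decide(now, client_id, True, "substitution")


def run_worked_example():
    """Replays the A..F scenario of Figures 6A/6B with constructed timestamps."""
    s = Subscription(Policy(3, 1, timedelta(days=1), 2, timedelta(days=365)))
    t0, h = datetime(2024, 1, 1, 9, 0), timedelta(hours=1)
    r = {"initial": [s.authenticate(c, t0) for c in "ABC"]}
    r["D_replaces"] = s.authenticate("D", t0 + h)            # counter 0 -> 1
    r["X_same_day"] = s.authenticate("X", t0 + 2 * h)        # unknown machine, counter at max
    r["B_C_return"] = [s.authenticate(c, t0 + 2 * h) for c in "BC"]
    r["active_after_D"] = list(s.active)                     # A is dropped (622)
    r["A_retired"] = s.authenticate("A", t0 + 3 * h)
    r["E_same_day"] = s.authenticate("E", t0 + 5 * h)
    r["E_next_day"] = s.authenticate("E", t0 + 26 * h)       # counter reset, E replaces
    for c in "DB":
        s.authenticate(c, t0 + 27 * h)                       # C is retired this time
    r["C_back_from_repair"] = s.authenticate("C", t0 + 72 * h)   # C's second entry this year
    for c in "ED":
        s.authenticate(c, t0 + 73 * h)                       # B retired
    s.authenticate("F", t0 + 120 * h)                        # F replaces, C retired again
    for c in "ED":
        s.authenticate(c, t0 + 121 * h)
    r["C_third_entry"] = s.authenticate("C", t0 + 168 * h)   # frequency limit: refused
    r["final_active"] = list(s.active)
    r["last_reason"] = s.audit[-1][3]
    return r
```

Note how the rotation attack the description warns about is caught: client C leaves and comes back twice within the year, and the third placement is refused even though a substitution slot is free, because the entry history is kept per client and outlives its removal from both lists.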

If the number of concurrent clients is not exceeded, then the new client will be allowed to Sovremennoe connection for the service. However, if the number of concurrent clients is exceeded, a new client trying to connect, can be regarded as having the right to "displace", with the aim of ousting connected client from the active list. By processing more rules to determine whether a new client sufficient rights to supplant existing simultaneously existing client. With regards to the above example, at step 616, when the client D is placed on the active list of clients a, b and C move in the list of pending disposal for re-authentication. A client that is not allowed to return to active list (i.e. A client), effectively displace from receiving any services. This is a direct example of the substitution of one client to the other according to the subscription plan of the present invention.

However, in this embodiment, it is assumed that one of the clients a, b or C should not be replaced with disconnection from the service for substitution, but may simply be suspended from further services until you have completed the new service connecting a customer with higher priority. For example, assume that the subscriber currently has clients a, b and C, connected to receive services and are in the process of receiving services. Instead of manually deleting the subscriber onethe existing simultaneously existing customers to create space for a new customer D, the subscriber may simply provide a connection to the client D with the server, and give the server the opportunity to decide (according to predefined criteria), which of the existing simultaneously existing customers should be temporarily displaced to make room for a new client D.

These criteria can be based, for example, which of the existing connected clients already connected the longest time which client is associated with the low priority data service and what the customer is the slowest or the fastest in terms of performance of the client system. Any number of rules may be imposed separately or in combination, to decide which connected client must be displaced to allow the new client D to connect.

Later in the assumption according to the present invention there is something connected client that is selected for eviction, may be disconnected immediately, in the middle of the service process, or after the service process is complete. In addition, the system is quite reliable in terms of identifying what services currently received by the selected client, contain a number of several services that should not be interrupted, since the repeated provision of these services would be more expensive item is the time and resources allowing then this range of services to complete before disconnecting the selected customer.
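The admission logic described above, from the concurrency check through the substitution and frequency rules to the longest-connected eviction criterion, as an added example that is not code from the patent. The thresholds (three slots, one entry per client and one substitution per 90-day window), the rule names and the epoch-second timestamps are constructed for the example.

```python
"""Admission control for a subscription limited to n concurrent clients.

Added example, not the patent's code.  The server keeps the active list and a
per-client log of entries into service, and applies three constructed rules:
a concurrency limit, a frequency rule (how many times one client may enter
service within a window) and a substitution rule (how many times the
subscriber may swap one active client for another within that window).
When a slot must be freed, the longest-connected client is displaced.
Timestamps are epoch seconds (constructed values).
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

DAY = 86_400


@dataclass
class Subscription:
    max_concurrent: int          # "n" simultaneously active clients
    max_entries_per_client: int  # frequency rule: entries into service per window
    max_substitutions: int       # substitution rule: displacements per window
    window: int                  # rule window in seconds
    # server-held activity log: client_id -> timestamps of entry into service
    entry_log: dict = field(default_factory=dict)
    substitutions: list = field(default_factory=list)   # timestamps of displacements
    active: dict = field(default_factory=dict)          # client_id -> connect time


def _count_within(stamps: list, now: int, window: int) -> int:
    """Number of timestamps that fall inside the trailing window."""
    return sum(1 for t in stamps if now - t < window)


def request_service(sub: Subscription, client_id: str, now: int) -> Tuple[str, Optional[str]]:
    """Decide whether client_id may enter the active list at time `now`.

    Returns (decision, displaced_client_id).  Decisions: "active" (already
    in service), "admitted", "admitted_by_substitution", "denied_frequency",
    "denied_concurrency".
    """
    if client_id in sub.active:
        return "active", None

    # Frequency rule: a client that has entered service too often within the
    # window is refused even when a slot is free (the D/E case in the text).
    past_entries = sub.entry_log.get(client_id, [])
    if _count_within(past_entries, now, sub.window) >= sub.max_entries_per_client:
        return "denied_frequency", None

    displaced = None
    if len(sub.active) >= sub.max_concurrent:
        # Substitution rule: the subscriber may rotate clients only so often,
        # which blocks cycling many machines through a small number of slots.
        if _count_within(sub.substitutions, now, sub.window) >= sub.max_substitutions:
            return "denied_concurrency", None
        # Eviction criterion named in the text: displace the longest-connected client.
        displaced = min(sub.active, key=lambda c: sub.active[c])
        del sub.active[displaced]
        sub.substitutions.append(now)

    sub.active[client_id] = now
    sub.entry_log.setdefault(client_id, []).append(now)   # log the date/time of entry
    return ("admitted_by_substitution" if displaced else "admitted"), displaced


def disconnect(sub: Subscription, client_id: str) -> None:
    """Remove a client from the active list; its entry log is kept for the frequency rule."""
    sub.active.pop(client_id, None)


if __name__ == "__main__":
    t0 = 1_700_000_000
    sub = Subscription(max_concurrent=3, max_entries_per_client=1,
                       max_substitutions=1, window=90 * DAY)
    for i, c in enumerate("ABC"):
        print(c, request_service(sub, c, t0 + 60 * i))       # three slots filled
    print("D", request_service(sub, "D", t0 + 600))          # displaces A
    print("A", request_service(sub, "A", t0 + 660))          # refused by the frequency rule
    print("E", request_service(sub, "E", t0 + 720))          # substitutions for the window used up
    print("E", request_service(sub, "E", t0 + 91 * DAY))     # window elapsed, displaces B
```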

Figure 7 illustrates a flow diagram of the subscription process, which governs the subscription according to activity information and the subscriber's account. At step 700, the subscriber subscribes to one or more services for a predetermined number of clients. At step 702, a new client of the subscriber attempts to connect to a service on a dynamic and unplanned basis. At step 704, the service applies one or more rules to the subscriber's account. At step 706, the system determines whether any of the imposed rules is violated (or exceeded). If not, the flow proceeds to step 708 to allow a persistent connection. At step 710, the activity is logged, and the flow returns to step 702 to process the next client attempting to connect.

If any of the rules is exceeded, the flow proceeds from step 706 to step 712 to access the subscriber's account information. The account information may include subscriber preferences that allow the subscription service to exceed the limits of the rules according to any criteria specified in those preferences. For example, because each client has a credential and/or a unique identifier, that credential/identifier may further be specified to the service as overriding the rules with respect to that particular client. If the credential specifies that the client processes finance-related information, this client might be placed on a priority list to obtain the next connection. The service may then notify the client when a connection becomes available. Alternatively, the client may be allowed to connect and the subscription level adjusted accordingly. At step 714, the system adjusts the subscription level in accordance with billing for the higher-level client connection. At step 716, the subscriber is notified of the updated subscription level. At step 718, the system allows the client a persistent connection. At step 720, the client is placed in the active list. The flow then returns to step 710 to log this activity.

In another implementation, the limit on subscribed clients is reduced back to the rule's limit after the "priority" client disconnects. The subscriber is then billed according to this brief "surplus" for that period of time.

Figure 8 illustrates a system 800 that uses cookies (small pieces of data about the client's history with the server, automatically generated by the server on the client) in accordance with the present invention, in order to track which subscribers return for service. The system 800 includes a services component 802, which provides one or more services to which a subscriber can subscribe. A rules component 804 interacts with the services component 802 to facilitate imposing rules on subscribers according to the subscriber's account and the level of service provided to the particular subscriber. It should be appreciated that the component 802 may be configured to impose the same rules on all subscribers. To obtain services from the services component 802, a number of clients 806 (denoted Subscriber Client1... Subscriber ClientN) connect. A client connects to the service by passing a credential and/or a unique identifier to the services component 802 for authentication and confirmation that the client should be considered for a persistent connection for the purpose of obtaining services. After authentication, the client is added to the active list, which may be stored in a storage component 808. The storage component 808 may include, for example, a high-speed storage device, a mass-storage system or a database system, any of which may be located locally to the server of the services component 802 or remotely from it.

However, using a central database for storage is inefficient when scaling to potentially millions of clients. Alternatively, this information may be stored by each client, for example by having the server create a cookie on the client with a timestamp (or a set of timestamps, one for each time the client has entered service from a non-subscribed state). If the cookie mechanism is used, because the client is nominally under the subscriber's control, additional steps may be taken to ensure that cookies cannot be removed or used fraudulently. One way is to have some authentication of the client code to ensure that it was written by the developers of the system, together with secure storage for the cookies on the local disk, so that any tampering with a cookie is detected by the client and/or the server. If the server detects (by checking the central database or the cookie) that the client has entered service more than the permitted number of times within a specific time interval, the client will likewise be denied access. Thus, the clients 806 are able to handle cookies in accordance with the present invention. Each client 806 includes a corresponding cookie 810 (also denoted Cookie1... CookieN).
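A server-issued cookie of the kind described above, as an added example that is not part of the patent: the cookie carries the client's id and its service-entry timestamps under an HMAC-SHA256 tag computed with a server-held key (the integrity mechanism is my choice; the page names none), so a cookie that was modified, forged or taken from another client is rejected when presented, and the frequency rule is then applied to the timestamps the cookie carries. The key, the thresholds and the epoch-second timestamps are constructed values.

```python
"""Tamper-evident client-side cookie recording a client's entries into service.

Added example, not the patent's code.  The server hands each client a cookie
carrying its id and the timestamps of its entries into service, protected by
an HMAC-SHA256 tag under a server-held key (integrity mechanism chosen for
this example).  On the next connection the server verifies the tag, applies
the frequency rule to the carried timestamps, and re-issues the cookie.
Key, thresholds and timestamps (epoch seconds) are constructed values.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a deployment would use a random secret kept on the server.
SERVER_KEY = b"constructed-demo-key"


def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(client_id: str, entries: list, key: bytes = SERVER_KEY) -> str:
    """Encode {cid, entries} and append its authentication tag: '<payload>.<tag>'."""
    payload = json.dumps({"cid": client_id, "entries": entries},
                         separators=(",", ":"), sort_keys=True).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(_tag(payload, key)).decode())


def parse_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the tag verifies, else None (malformed, modified or forged)."""
    try:
        p64, t64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:        # bad structure or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(tag, _tag(payload, key)):   # constant-time comparison
        return None
    return json.loads(payload)


def admit_with_cookie(client_id: str, cookie: Optional[str], now: int,
                      max_entries: int, window: int,
                      key: bytes = SERVER_KEY) -> Tuple[str, Optional[str]]:
    """Apply the frequency rule using only the cookie the client presents.

    Returns (decision, new_cookie).  A client presenting no cookie is treated
    as a first-time client: a tag alone cannot show that a cookie was deleted,
    which the text addresses separately through authenticated client code,
    secure local storage, or a cross-check against the central database.
    """
    entries = []
    if cookie is not None:
        data = parse_cookie(cookie, key)
        if data is None or data.get("cid") != client_id:
            return "denied_tampered", None   # modified, forged, or another client's cookie
        entries = data["entries"]
    recent = [t for t in entries if now - t < window]
    if len(recent) >= max_entries:
        return "denied_frequency", None
    # Entries outside the window are dropped so the cookie does not grow without bound.
    return "admitted", issue_cookie(client_id, recent + [now], key)


if __name__ == "__main__":
    WINDOW = 90 * 86_400
    decision, c1 = admit_with_cookie("A", None, 1_700_000_000, 1, WINDOW)
    print(decision, parse_cookie(c1))                               # admitted, one entry logged
    print(admit_with_cookie("A", c1, 1_700_001_000, 1, WINDOW))     # denied_frequency
    print(admit_with_cookie("B", c1, 1_700_001_000, 1, WINDOW))     # denied_tampered
    print(parse_cookie(issue_cookie("A", [], key=b"other-key")))    # None: wrong key
```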

In an alternative implementation of the present invention, various artificial-intelligence-based schemes can be employed to carry out aspects of the invention. For example, the process of determining when or how a rule should be applied can be facilitated by an automated system and a classifier process 812. The classifier 812 communicates with the services component 802 and the rules component 804 to process the information, services and rules.

A classifier is a function that maps an input attribute vector x = (x1, x2, x3, x4, ..., xn) to a confidence that the input belongs to a class, i.e., f(x) = confidence(class). Such classification can employ probabilistic and/or statistical analysis (e.g., factoring in utility and cost analysis) to predict or infer an action that the user desires to be performed automatically. In the case of subscription-based systems, for example, the attributes may be credentials and/or unique client identifiers or other data attributes derived from the client's subscriber information, and the classes are categories or areas of interest (for example, levels of service).

A support vector machine (SVM) is an example of a classifier that can be applied. An SVM operates by finding a hypersurface in the space of possible inputs, where the hypersurface attempts to separate the triggering criteria from the non-triggering events. Intuitively, this makes the classification correct for test data that is near, but not identical to, the training data. Other classification approaches can be applied, including directed and undirected models such as naive Bayes, Bayesian networks, decision trees and probabilistic classification models providing different patterns of independence. Classification as used herein also includes statistical regression that is used to develop models of priority.

As will be readily appreciated from the description, the invention can employ classifiers that are explicitly trained (for example, via generic training data) as well as implicitly trained (e.g., via observing user behavior, receiving extrinsic information). For example, SVMs are configured through a learning or training phase within a classifier constructor and feature-selection module. Thus, the classifier(s) may be used, for example, to automatically determine according to predetermined criteria when to apply a rule to a given client, when to apply a rule to a given account, how to impose a rule for a given client and subscriber, when and how to change the concurrency limit and the substitution/frequency parameters, when and how to bill the subscriber, and when to allow a client of the subscriber to connect according to the level of service and historical statistics.

Specifically, the classifier 812 can be used to analyze the credential submitted by a connecting client and to change the rules accordingly so as to allow the client to connect when the imposed concurrency limit rule has been exceeded. The classifier 812 may also be used, for example, to perform statistical analysis to predict when the level of service needs to be upgraded, based on the load presented by a particular subscriber through an increasing number of connection attempts, and/or to adjust the level of service based only on attempts to log in to the services.

In another implementation, where typical conditions include many subscribers to the services of the services component 802, the classifier 812 may be used to regulate priority access levels as the time needed to connect to services increases or decreases. For example, if one subscriber has paid for a higher level of service, the clients of that subscriber will be given a higher priority level, allowing them to connect more often, and even ahead of the clients of a lower-level subscriber when connection conflicts arise.

In another implementation, where the services component 802 administers several different types of services, the classifier 812 can be used to control which clients of the subscriber may connect, when they connect, and to which services. This is useful when the system begins to become overloaded.

The classifier 812 may also be used to determine when to move from storing client permissions locally on the storage device 808 to using cookies on the clients. Thus, as the system becomes increasingly burdened by the number of connecting clients, the classifier can automatically switch to the use of cookies in order to limit the load on the system.

The classifier 812 may also be used together with the "displacement" aspect of the present invention to choose more "intelligently" both the current client to be displaced and the best time to displace the selected concurrent client, based on implicit and explicit learning from the statistics stored in the activity log, current trends in client connection and substitution for the provision of services, the type of client hardware (considering, for example, the bandwidth of the hardware and software components), the type of client (mobile client, desktop client), the type of client operating system, the amount of service required for any given connection (based, for example, on the time required, and on whether the service involves downloading the same data twice to perform consistency checks), etc.

As can be seen, the use of the classifier 812 significantly extends the capabilities of the present invention. Thus, any statistical analysis, trending, training and prediction is contemplated in accordance with the present invention.

Figure 9 illustrates a block diagram of a computer operable to execute the disclosed architecture. In order to provide additional context for various aspects of the present invention, Figure 9 and the following discussion are intended to provide a brief, general description of a suitable computing environment 900 in which the various aspects of the present invention can be implemented. While the invention has been described above in the general context of computer-executable instructions that may run on one or more computers, those skilled in the art will recognize that the invention can also be implemented in combination with other program modules and/or as a combination of hardware and software.

Generally, program modules include routines, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the inventive methods can be practiced with other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated devices.

The illustrated aspects of the invention may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.

A computer typically includes a variety of computer-readable media. Computer-readable media can be any available media that can be accessed by the computer and includes both volatile and non-volatile media, removable and non-removable media. By way of example, and not limitation, computer-readable media can comprise computer storage media and communication media. Computer storage media includes both volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, electrically erasable programmable ROM (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.

Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above are also included within the scope of the term "computer-readable media".

With reference again to Figure 9, the exemplary environment 900 for implementing various aspects of the invention includes a computer 902, the computer 902 including a processing unit 904, a system memory 906 and a system bus 908. The system bus 908 couples system components including, but not limited to, the system memory 906 to the processing unit 904. The processing unit 904 can be any of various commercially available processors. Dual microprocessors and other multi-processor architectures may also be employed as the processing unit 904.

The system bus 908 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. The system memory 906 includes read-only memory (ROM) 910 and random access memory (RAM) 912. A basic input/output system (BIOS) is stored in a non-volatile memory 910 such as ROM, EPROM or EEPROM, which BIOS contains the basic routines that help to transfer information between elements within the computer 902, such as during start-up. The RAM 912 can also include a high-speed RAM such as static RAM for caching data.

The computer 902 further includes an internal hard disk drive (HDD) 914 (e.g., EIDE, SATA), which internal hard disk drive 914 may also be configured for external use in a suitable chassis (not shown), a magnetic floppy disk drive (FDD) 916 (e.g., to read from or write to a removable diskette 918) and an optical disk drive 920 (e.g., reading a CD-ROM disk 922, or reading from or writing to other high-capacity optical media such as a DVD). The hard disk drive 914, magnetic disk drive 916 and optical disk drive 920 can be connected to the system bus 908 by a hard disk drive interface 924, a magnetic disk drive interface 926 and an optical drive interface 928, respectively. The interface 924 for external drive implementations includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

The drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions, and so forth. For the computer 902, the drives and media accommodate the storage of any data in a suitable digital format. Although the description of computer-readable media above refers to a HDD, a removable magnetic diskette, and removable optical media such as a CD or DVD, it should be appreciated by those skilled in the art that other types of media which are readable by a computer, such as zip drives, magnetic cassettes, flash memory cards, cartridges, and the like, may also be used in the exemplary operating environment, and further, that any such media may contain computer-executable instructions for performing the methods of the present invention.

A number of program modules can be stored in the drives and RAM 912, including an operating system 930, one or more application programs 932, other program modules 934 and program data 936. All or portions of the operating system, applications, modules, and/or data can also be cached in the RAM 912.

It is appreciated that the present invention can be implemented with various commercially available operating systems or combinations of operating systems.

A user can enter commands and information into the computer 902 through one or more wired/wireless input devices, e.g., a keyboard 938 and a pointing device, such as a mouse 940. Other input devices (not shown) may include a microphone, an infrared (IR) remote control, a joystick, a game pad, a stylus pen, a touch screen, or the like. These and other input devices are often connected to the processing unit 904 through an input device interface 942 that is coupled to the system bus 908, but can be connected by other interfaces, such as a parallel port, a serial port, an IEEE 1394 port, a game port, a USB port, an IR interface, etc.

A monitor 944 or other type of display device is also connected to the system bus 908 via an interface, such as a video adapter 946. In addition to the monitor 944, a computer typically includes other peripheral output devices (not shown), such as speakers, printers, etc.

The computer 902 may operate in a networked environment using logical connections via wired and/or wireless communications to one or more remote computers, such as a remote computer(s) 948. The remote computer(s) 948 can be a workstation, a server computer, a router, a personal computer, a portable computer, a microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 902, although, for purposes of brevity, only a memory storage device 950 is illustrated. The logical connections depicted include wired/wireless connectivity to a local area network (LAN) 952 and/or larger networks, e.g., a wide area network (WAN) 954. Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, e.g., the Internet.

When used in a LAN networking environment, the computer 902 is connected to the local network 952 through a wired and/or wireless communication network interface or adapter 956. The adapter 956 may facilitate wired or wireless communication to the LAN 952, which may also include a wireless access point disposed thereon for communicating with the wireless adapter 956. When used in a WAN networking environment, the computer 902 can include a modem 958, or is connected to a communications server on the LAN, or has other means for establishing communications over the WAN 954, such as by way of the Internet. The modem 958, which can be internal or external and a wired or wireless device, is connected to the system bus 908 via the serial port interface 942. In a networked environment, program modules depicted relative to the computer 902, or portions thereof, can be stored in the remote memory storage device 950. It will be appreciated that the network connections shown are exemplary and that other means of establishing a communications link between the computers can be used.

The computer 902 is operable to communicate with any wireless devices or entities operatively disposed in wireless communication, e.g., a printer, scanner, desktop and/or portable computer, portable data assistant, communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone. This includes at least Wi-Fi and Bluetooth™ wireless technologies. Thus, the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices.

Wi-Fi, or Wireless Fidelity, allows connection to the Internet from a couch at home, a bed in a hotel room, or a conference room at work, without wires. Wi-Fi is a wireless technology like a cell phone that enables such devices, e.g., computers, to send and receive data indoors and out, anywhere within the range of a base station. Wi-Fi networks use radio technologies called IEEE 802.11 (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wired networks (which use IEEE 802.3 or Ethernet). Wi-Fi networks operate in the unlicensed 2.4 and 5 GHz radio bands, at an 11 Mbps (802.11b) or 54 Mbps (802.11a) data rate, or with products that contain both bands (dual band), so the networks can provide real-world performance similar to the basic 10BaseT wired Ethernet networks used in many offices.

Figure 10 shows a schematic block diagram of an exemplary computing environment 1000 in accordance with the present invention. The system 1000 includes one or more client(s) 1002. The client(s) 1002 can be hardware and/or software (e.g., threads, processes, computing devices). The client(s) 1002 can house cookie(s) and/or associated contextual information by employing the present invention, for example. The system 1000 also includes one or more server(s) 1004. The server(s) 1004 can also be hardware and/or software (e.g., threads, processes, computing devices). The servers 1004 can house threads to perform transformations by employing the present invention, for example. One possible communication between a client 1002 and a server 1004 can be in the form of a data packet adapted to be transmitted between two or more computer processes. The data packet may include a cookie and/or associated contextual information, for example. The system 1000 includes a communication framework 1006 (e.g., a global communication network such as the Internet) that can be employed to facilitate communications between the client(s) 1002 and the server(s) 1004.

Communications can be facilitated via a wired (including optical fiber) and/or wireless technology. The client(s) 1002 are operatively connected to one or more client data store(s) 1008 that can be employed to store information local to the client(s) 1002 (e.g., cookie(s) and/or associated contextual information). Similarly, the server(s) 1004 are operatively connected to one or more server data store(s) 1010 that can be employed to store information local to the servers 1004.

What has been described above includes examples of the present invention. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the present invention, but one of ordinary skill in the art may recognize that many further combinations and permutations of the present invention are possible. Accordingly, the present invention is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim.

1. A system that provides management of a subscription service, comprising:
a rules component configured to process one or more rules in accordance with a subscriber's subscription service;
a services component configured to apply the one or more rules for automatic enforcement of the subscription service, based in part on the number of simultaneously connected clients of the subscriber; and
one or more rules that provide automatic enforcement of the subscription service according to at least one of a substitution parameter and a frequency parameter.

2. The system according to claim 1, used in at least one of a client/server topology and a peer-to-peer topology.

3. The system according to claim 1, in which each of the simultaneously connected clients includes a cookie that facilitates enforcement of the subscription service.

4. The system according to claim 1, in which each of the connected clients is placed in an active list of valid clients.

5. The system according to claim 1, in which, if the number of simultaneously connected clients is exceeded, no other client of the associated subscriber is allowed to connect to the services component.

6. The system according to claim 1, in which the one or more rules include a rule that allows an unlimited number of simultaneously connected clients for the associated subscriber.

7. The system according to claim 1, further comprising a tracking component that monitors the activity of the subscriber's clients and provides billing to the subscriber accordingly.

8. The system according to claim 1, in which the one or more rules are applied automatically to a client of the subscriber when the client attempts to connect on an unscheduled basis.

9. The system according to claim 1, further comprising an active list that is populated and reduced dynamically as clients connect to and disconnect from the services component, respectively.

10. The system according to claim 1, used in a peer-to-peer topology, in which the one or more rules imposed on a first peer-to-peer client are at least one of: different from, overlapping with, and identical to one or more rules imposed on a second peer-to-peer client.

11. The system according to claim 1, in which the one or more rules further comprise a rule that limits the number of substitutions within a specific time interval.

12. The system according to claim 1, further comprising a classifier that facilitates efficient processing of the rules by inference.

13. The system according to claim 1, further comprising
a tracking service that tracks client activity in accordance with the subscription service by controlling an active list of simultaneously connected clients, so that the client may be billed accordingly.

14. The system according to claim 13, in which the one or more rules enforced in accordance with the subscriber are at least one of: the same as, partially overlapping with, and different from one or more rules enforced in accordance with another subscriber.

15. The system according to claim 13, in which, if the number of simultaneously connected clients is exceeded, no other client of the associated subscriber is allowed to connect to the services component.

16. The system according to claim 13, in which the one or more rules further comprise a rule that limits the number of substitutions within a specific time interval.

17. The system according to claim 13, further comprising a classifier that facilitates determining when to switch from storing client information locally to storing client information on the client.

18. A server that hosts the system according to claim 1.

19. A computer comprising the system according to claim 1.

20. A method of managing a subscription service, comprising the steps of: providing access to a service in accordance with the subscription service;
automatically controlling access to the service in accordance with one or more rules based at least in part on the number of clients concurrently accessing the service;
processing a substitution rule of the one or more rules, which controls how often one of the clients concurrently accessing the service may be replaced by a new client; and processing a frequency rule of the one or more rules, which controls the number of times that one of those clients may access the service within a given period of time.

21. The method according to claim 20, further comprising the step of automatically enforcing at least the substitution rule to deny access to a new client that seeks to access the service.

22. The method according to claim 20, further comprising the steps of: processing the substitution rule to allow the subscriber of the subscription service to exceed the substitution rule upon the occurrence of an event; and billing the subscriber for each such event.

23. The method according to claim 20, further comprising the steps of: processing the one or more rules by allowing the subscriber of the subscription service to exceed a selected rule of the one or more rules;
changing the level of service to a new level according to the selected rule of the one or more rules that was exceeded; and billing the subscriber at the new level of service.

24. The method according to claim 20, further comprising the steps of: processing the one or more rules by allowing the subscriber of the subscription service to exceed a selected rule of the one or more rules;
changing the level of service to a new level according to the selected rule of the one or more rules that was exceeded; and returning to the previous level of service after the selected rule of the one or more rules that was exceeded has not been exceeded for a predetermined period of time.

25. A machine-readable medium having computer-executable instructions for performing the method according to any one of claims 20 to 24.


SUBSTANCE: invention concerns a way of data record in the environments of identification of various types (IM-X, IM-Y) through the assigned servers of record/reading WR. According to the specified method, virtual independent of the identification environments reference file system RFS is defined. All RKi access keys are replaced by a key of the FSK file system, and all ACi access rights of Bi subsections are paused, and the FS file system corresponding to the RFS reference file system, is initialised or written in the identification environments: (FS(IM-X), FS(IM-Y)). Thus a file system index point (FS-S(IM-X), FS-S(IM-Y)) is defined in the identification environments (IM(FS) and the assigned servers of reading/record WR(RFS) to the end that application (App(RFS) corresponding RFS virtual reference file system could be written in the environments of identification and executed.

EFFECT: possibility reception to write or execute generally defined applications (App(RFS) in the initialised environments of identification of various types (IM-X(FS), IM-Y(FS)) without adapting them.

23 cl, 11 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to management of distributed resources of a network service provider. Description is given of a system and method of delegating access to resources distributed in a distributed computer environment. In one aspect the server distributes a set of resources. The server receives a request from a user for executing an operation in relation to one of the distributed resources. As a response to the received request, the server determines whether the user has already been delegated authority to execute the operation. Delegated authority does not depend on whether the user is a member of a group of administrators, related to any resource of the server.

EFFECT: improved safety of computers and WEB-sites.

38 cl, 3 dwg, 17 tbl

FIELD: information technology.

SUBSTANCE: present invention relates to devices for limiting access to digital data stored on a data carrier. The technical outcome is achieved due to that permission for access to data is checked using a separate device, fitted on the controller board of the data carrier. Change in device parametres, which are program-accessible, can only be done using special software, which is part of the system for limiting access to data. For this purpose in the device there is an extra unit for analysing commands, which verifies authenticity of commands given by the software.

EFFECT: provision for limited access to sectors of a data carrier, distinguished by special attributes, and prevention of unauthorised altering of the attributes themselves.

2 cl, 5 dwg

FIELD: physics, computation technology.

SUBSTANCE: invention concerns method and device of digital rights management. When authorisation on server is not accessible, operations with minimised risk are allowed by implementation of internal authorisation scheme. Authorisation method for operation to be performed on digital element involves definition of first operation group members including first predetermined group of operations on digital element, and second operation group including second predetermined group of operations on digital elements; comparison of predetermined operation to be performed on digital element to operations included in each indicated operation group; external authorisation with access to authorising server if operation belongs to first operation group; internal authorisation by device if operation belongs to second operation group; and authorisation of operation to be performed on digital element if one of listed authorisations brings positive result.

EFFECT: enhanced security level of operations with digital content.

13 cl, 5 dwg

FIELD: physics; control.

SUBSTANCE: present invention relates to information delivery systems with functions of controlling sublicenses and methods of supporting creation of intellectual property together with information users. Second systems SLs1-SLs3 for controlling intellectual property, which are available to second class licensees, holding the sublicense on using the system from first class licensees, request information on intellectual property from the first MLs system of controlling intellectual property available to first class licensees, in response to requests coming from user systems US1-US3, with requirement for creating objects of intellectual property. The first MLs system for controlling intellectual property publishes the results for searching information on intellectual property, obtained in response to requests by user system US4, on a browser screen, set for the very first MLs system for controlling intellectual property, and allows the user system US4 to browse the search results.

EFFECT: provision for use of intellectual valuables together with parties requesting information, in accordance with which several systems of controlling intellectual property are provided with possibility of cooperation on a sublicensed contract.

11 cl, 24 dwg

FIELD: information technologies.

SUBSTANCE: data of serial interface for detection of dual-in-line memory module (DIMM) presence in electronically erasable programmable read-only memory (EEPROM) is encoded using closed key of motherboard with which this dual-in-line memory module (DIMM) is to be used, so that only basic input-output system (BIOS) of specified motherboard could decode presence detection serial (SPD) interface data to complete downloading.

EFFECT: improving protection of computer system integrity by blocking the use of memory modules retrieved from original motherboard in another motherboard.

15 cl, 2 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention is related to protection systems. Unit of protection and method realise requests for data from USB device or other similar device, at that protected component may realise protected communication to device without variation of underlying USB bus protocol, or device, even where software that controls the bus is not trusted. Protection unit (physically separated or integrated in device or concentrator) intercepts data transmitted from device into protected component in response to request for data. Signal of data reception confirmation unavailability is transmitted into protected component, and data are coded. The following request for data is intercepted, and coded data are sent in response. Confirmation of data reception from protected component in device is allowed to reach the device. In order to process request for installation, permit command that contains coded and decoded installation command is sent to protection unit. If coding is checked successfully, then installation command sent to device (via protection unit), is allowed to reach the device.

EFFECT: provision of improved protection.

32 cl, 6 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to control of generation of cryptographic keys in an information media, comprising a party which generates the key and distributes the key information for the party using the key. Through a given unilateral function of deriving keys, a relationship between key generations is determined, which is such that, earlier generation of keys can be more efficiently derived from later generation, but not the opposite. Each time, when necessary, the party using the key iteratively receives the given unilateral function of deriving keys for outputting the key information of at least, one previous key generation from the key information of new key generation. That way, memory requirements for the party using the key can considerably be reduced.

EFFECT: protection of data during recording.

32 cl, 6 dwg

Processor // 2248608

FIELD: computers, data protection.

SUBSTANCE: processor has bus interface device, device for selection/decoding of commands, device for dispatching/execution, program string decoding device, which string is selected from program and loaded in first levels command cash, which contains a set of N two-input elements XOR, keys memory, storing different N-bit decoding keys.

EFFECT: higher efficiency.

2 dwg

FIELD: technologies for authentication of information.

SUBSTANCE: method includes performing absolute identification for confirming legality of data carrier according to first rule in preset time. Authentication information is recorded on this data carrier in previously set position. Process of arbitrary authentication is performed for confirming legality of said data carrier in accordance to second rule in arbitrary time. First rule includes announcing confirmation of standard match, if information for authentication is detected as registered in selected preset position. Second rule in given arbitrary authentication process includes announcing standard match, if information for authentication is detected as not registered in arbitrary positions, different from given preset position.

EFFECT: higher reliability.

6 cl, 12 dwg

FIELD: computers.

SUBSTANCE: method includes, on basis of contents of central processor registers, received after processor performs some sort of command, by means of mathematical logical operation, forming certain finite control sum and storing it in memory, and on basis of contents of registers, received before start of execution by said processor of directly next command, certain starting checksum is formed, while if starting checksum mismatches finite checksum, error message is generated, which can be followed by halting of processor operation or blocking of chip board with its removal from circulation.

EFFECT: higher reliability.

2 cl, 2 dwg

FIELD: copy protection.

SUBSTANCE: system has content distribution block, multiple recording and playback devices for digital data, calculations processing block, meant to perform communications with recording and playback devices and performing calculations processing for transferring license payments.

EFFECT: higher reliability of copy protection.

5 cl, 55 dwg

FIELD: electronics.

SUBSTANCE: device has signaling bus, loaded with clock signal, at least one couple of buses serving for encoding one bit, detector circuit, multiplexer. According to method in case of first value of signal of signal bus two buses of one couple detect same level of signal, and in case of second value of signal of signal bus two buses of one couple detect different signal levels, detect forbidden states during operation of board, change process of system functioning, to generate alarm in that way.

EFFECT: higher reliability of protection.

2 cl, 7 dwg

FIELD: microprocessors.

SUBSTANCE: device has central processing devices, including first cryptographic block, at least one peripheral block, including second cryptographic block, device also has data bus, random numbers generator, conductor for supplying clock signal, conductor for providing random numbers signal, set of logical communication elements, while each cryptographic block has register of displacement with check connection.

EFFECT: higher level of unsanctioned access protection.

7 cl, 1 dwg

FIELD: digital memory technologies.

SUBSTANCE: board has rewritable power-independent memory and control circuit, means for storing address, pointing at limit between authentication area and non-authentication area, circuit for changing size of said areas. Reading device contains estimation means, reading information, pointing at number of times, for which digital data can be read, and playback means. Second device variant additionally has means for digital output of contents.

EFFECT: higher efficiency.

3 cl, 23 dwg

FIELD: computer science.

SUBSTANCE: method includes protective mathematical conversion of service data of network frame prior to transfer to environment for transfer of a LAN. To said protective conversion the data is subjected, which is contained in headers of network frames of channel level, and also in headers of all encapsulated network packets and segments. As a result the very possibility of interception is prevented.

EFFECT: higher efficiency.

7 cl, 2 dwg

FIELD: data carriers.

SUBSTANCE: device for reproduction of data from data carrier, program zone of which is used for recording a set of files, and control zone - for controlling copy protection data concerning the file, recorded in program zone, has computer for calculating copy protection information for each time file is reproduced, comparison means for comparing value, calculated on reproduction command, being prior to current one, to value, calculated on current reproduction command, and if these values coincide, the last value is stored as copy protection value, calculated on reproduction command , prior to current one and control means for allowing reproduction of file, appropriate for current command, if value, calculated as response to command, previous relatively to current command, coincides as a result of comparison to value, calculated as a response to current command.

EFFECT: higher reliability, higher efficiency.

4 cl, 46 dwg

FIELD: data carriers.

SUBSTANCE: device has calculating, reserving and recording modules. Each variant of semiconductor memory card contains area for recording user data for controlling volume and area for recording user data. On carrier method for computer initialization is recorded, including calculation of size of volume control information, reserving areas and recording therein of control information for volume and user data, recording main boot record and sectors table in first section of first area, skipping preset number of sectors, recording information of boot sector of section, file allocation table and root directory element to following sectors.

EFFECT: higher efficiency.

5 cl, 59 dwg

Up!