Title:
CONTROLLING AND MONITORING ACCESS IN A NETWORK
Document Type and Number:
WIPO Patent Application WO/2021/155953
Kind Code:
A1
Abstract:
An apparatus manages and monitors access control in a network. The apparatus obtains device information, the device information including localization data based on radio analysis and related to several devices. The apparatus also obtains user information, the user information including localization data obtained independently of the devices and related to several users. The apparatus correlates the user information with the device information to determine distances between the devices and the users. This correlation enables the apparatus to form a user-device pair. The user-device pair includes a device and a said user selected among the users to minimize a distance to said device. The apparatus determines a connectivity rule for the user-device pair. The apparatus implements access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

Inventors:
BOUSSARD MATHIEU (FR)
VARLOOT RÉMI (FR)
LE SAUZE NICOLAS (FR)
Application Number:
PCT/EP2020/053207
Publication Date:
August 12, 2021
Filing Date:
February 07, 2020
Assignee:
NOKIA TECHNOLOGIES OY (FI)
International Classes:
G06F21/32; G07C9/00; H04L29/06; H04W4/029; H04W12/00
Domestic Patent References:
WO2016201355A1 (2016-12-15)
Foreign References:
US20140337930A1 (2014-11-13)
US20160195404A1 (2016-07-07)
US20160055692A1 (2016-02-25)
JP2015060452A (2015-03-30)
US20140189785A1 (2014-07-03)
US20130254401A1 (2013-09-26)
Attorney, Agent or Firm:
LOYER & ABELLO (FR)
Claims:
CLAIMS

1. An apparatus for controlling and monitoring access in a network, the apparatus comprising means for:

- Obtaining device information, the device information including localization data based on radio analysis and related to several devices,

- Obtaining user information, the user information including localization data obtained independently of the devices and related to several users,

- Determining distances between the devices and the users based on the user information and the device information,

- Forming user-device pairs, wherein a user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- Determining a connectivity rule for the user-device pair,

- Implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

2. The apparatus of claim 1, wherein the user-information includes identity of the users and wherein the connectivity rule for the user-device pair defines authorizations or denials of access to resources of the network based on the identity of the user.

3. The apparatus of any one of claims 1 and 2, wherein the device-information includes identity of the devices and wherein the connectivity rule for the user-device pair defines authorizations or denials of access to services of the network based on the identity of the device.

4. The apparatus of any one of claims 1 to 3, further comprising means for determining the connectivity rule for the user-device pair based on predefined connectivity policies wherein the predefined connectivity policies are stored in a policy database, wherein the apparatus further comprises means for communicating with the policy database in order to determine the connectivity rule for the user-device pair.

5. The apparatus of claims 2, 3 and 4 taken in combination, wherein the predefined connectivity policies restrict the use of the device to a predefined subset of said users, and wherein the means for determining a connectivity rule for the user-device pair comprise means for:

- Performing a test, wherein the test includes checking if the user of the user-device pair belongs to said subset,

- If the test is positive, determining the connectivity rule to authorize the user-device pair to access services of the network,

- If the test is negative, determining the connectivity rule to deny the user-device pair access to the network.

6. The apparatus of any one of claims 1 to 5, further comprising means for performing a radio mapping to obtain the localization data of the devices.

7. The apparatus of any one of claims 1 to 5, wherein the means for obtaining the device-information comprises means for receiving localization data related to the devices.

8. The apparatus of any one of claims 1 to 7, wherein the means for obtaining the user information comprises a video analysis system, wherein the video analysis system includes means for recording and analyzing images of users.

9. The apparatus of claim 8, wherein the means for recording and analyzing images of the users comprise a camera, wherein the camera is located at a predefined position, wherein the predefined position is independent of the positions of the devices.

10. The apparatus of any one of claims 8 and 9, wherein the means for recording and analyzing images of the users implement a computer vision method.

11. The apparatus of any one of claims 8 to 10, wherein the device information is obtained with a radio analysis system, the apparatus further comprising means for calibrating the video analysis system in accordance with the radio analysis system, in order to enable determining distances between the users and the devices based on the user information and the device information.

12. The apparatus of any one of claims 1 to 11, wherein the means for obtaining the user-information comprises means for receiving localization data related to the users.

13. The apparatus of any one of claims 1 to 12, wherein the means for implementing access control comprise means for obtaining traffic-information related to network traffic generated by the user-device pair and restricting access to the network in response to detecting that the network traffic violates the connectivity rule for the user-device pair.

14. A method for controlling and monitoring access in a network, the method comprising the steps of:

- Obtaining device information, the device information including localization data based on radio analysis and related to several devices,

- Obtaining user information, the user information including localization data obtained independently of the devices and related to several users,

- Determining distances between the users and the devices based on the user information and the device information,

- Forming user-device pairs, wherein a user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- Determining a connectivity rule for the user-device pair,

- Implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

15. A computer program comprising executable code for causing an apparatus to perform at least the following:

- Obtaining device information, the device information including localization data based on radio analysis and related to several devices,

- Obtaining user information, the user information including localization data obtained independently of the devices and related to several users,

- Determining distances between the users and the devices based on the user information and the device information,

- Forming user-device pairs, wherein a user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- Determining a connectivity rule for the user-device pair,

- Implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

Description:
CONTROLLING AND MONITORING ACCESS IN A NETWORK

Field

The disclosure relates to methods and apparatuses for controlling and monitoring access in a network, and in particular methods and apparatuses that correlate the localization of a user with the localization of a device in order to identify user-device pairs comprising a device and the user of the device, and determine a connectivity rule for those user-device pairs. In various embodiments, the localization of the device is obtained with radio-analysis and the localization of the user is obtained with computer vision techniques, in particular face recognition.

Background

In controlled environments such as industrial settings, providing controlled connectivity to unmanaged/unknown devices or to shared devices that do not support user authentication (i.e. with no user interface through which to identify their current user) is currently not possible without resorting to separate networks (e.g. a separate guest/BYOD WiFi) and/or physical access control (for shared devices). Such environments often require controlling access to resources depending not only on the role of the user, but also on his current location in the premises, current activity and type of the device, in order to reduce unwarranted access as much as possible.

Summary

In some example embodiments, the disclosure provides an apparatus for controlling and monitoring access in a network.

The apparatus for controlling and monitoring access in a network may comprise at least one processor and at least one memory including computer program code. The at least one memory and the computer program code may be configured to, with the at least one processor, cause the apparatus to manage and monitor access control in a network. The network is likely to be accessed by at least two users and/or at least two devices. A device can be a computer, a smartphone, a network-capable phone, a personal digital assistant (PDA), a copy machine, a television, a point-of-sale terminal, a manufacturing-related device, a physical access control device, a camera or a sensor. A physical access control device can be a card reader, a biometric reader, or an electromechanical lock. A sensor may be a temperature sensor, an air composition sensor, a specific gas detector, or a radiation sensor. Each user is supposed to use at least one device in order to access a network resource. The users interact locally with a device, e.g. by physical contact or short-distance interaction such as motion capture. The at least one memory and the computer program code may be configured to, with the at least one processor, cause the apparatus to obtain device information, the device information including localization data based on radio analysis and related to several devices, and obtain user information, the user information including localization data obtained independently of the devices and related to several users. In an example embodiment, the localization data of the users may include coordinates of the users. In an example embodiment, the localization data of the devices may include coordinates of the devices. In another embodiment, wherein the network is a cellular network, localization data of the devices may include, for each device, a cell number and relative positioning to the corresponding antenna (possibly in a spherical coordinate system), e.g. in the case of beamforming.
In another embodiment, the distance may take into account a mix of geographical proximity and other information such as history (e.g. when two users are equidistant to a given device, but one of them is deemed more likely to be the one using it based on historical data). The at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to determine distances between the devices and the users, based on user information and device information. The distance between a user and a device may be calculated using coordinates of the users and coordinates of the devices. The at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to form a user-device pair, wherein the user-device pair includes a said device and a said user selected among the users to minimize a distance to said device. In an example embodiment, the apparatus forms a plurality of user-device pairs. In an example embodiment, the distance to minimize is the Euclidean distance between a device and a user. In another example embodiment wherein the network is a cellular network, this distance can be a distance between the cell in which a user is located and the cell in which a device is located.

The at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to determine a connectivity rule for the user-device pair or the plurality of user-device pairs. This connectivity rule can be determined based on the location of the user and the location of the device. The connectivity rule can define an authorized access for a user-device pair to a network resource, a restricted access for a user-device pair to a network resource or a denial of access for a user-device pair to a network resource.

The at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to implement access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair. Implementing access control may include configuring network elements by enforcing the connectivity rule. In an example embodiment in which the apparatus forms a plurality of user-device pairs, there may be a connectivity rule for each user-device pair, the connectivity rules being different or not between the several user-device pairs. In an example embodiment, the network elements are chosen in a group consisting of switches, routers, firewalls and access points.

In some example embodiments, such apparatus may comprise one or more of the features below.

In an example embodiment, the user-information includes identity of the users and the connectivity rule for the user-device pair defines authorizations or denials of access to resources of the network based on the identity of the user. Access to resources of the network may be access to historical data provided by the previous authorized user who used a given device, access to a remote server, access to additional computing power, or access to an artificial-intelligence-based analysis tool in order to perform a complex task. In an example embodiment, the identity of the users may be determined with face recognition. Thanks to this feature, it is possible to perform two-factor authentication and increase security in a network by checking if the visual identity of the user corresponds to the access credentials he is trying to use on a certain device. In an example embodiment, the device-information includes identity of the devices and the connectivity rule for the user-device pair defines authorizations or denials of access to services of the network based on the identity of the device. In an example embodiment, identity of the device may be determined thanks to a device IMSI number or MAC address depending on the nature of the network. Thanks to this feature, it is possible to increase security in the network by checking if the device a user is trying to use corresponds to the type of device such a user is supposed to use, and therefore detect a suspicious activity if the device does not correspond to the kind of device a user usually uses.

In an example embodiment, the at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to determine the connectivity rule for the user-device pair based on predefined connectivity policies and/or as a function of the identity of the device and/or localization data of the device and/or the identity of the user and/or localization data of the user. A connectivity policy may stipulate one of the following: not providing access to a given network to a given device, not providing access to a given network resource to any unmanaged device, authorizing only one device at a time to access a network resource, authorizing a given user to access a given network resource independently of the device used, authorizing access to a network resource only from some locations, restricting access to a network resource from some locations, authorizing only some users to use a given device, authorizing a user to access a network resource depending on his activity. Thanks to those features, it is possible to:

- allow an authorized user using a personal device he brought to work to access certain networked resources depending on his current location or activity in the premises;

- conversely, in a factory for instance, restrict access for genuine factory workers based on their current location/activity in the premises;

- allow a shared constrained device (i.e. unable to recognize its current context) to access certain networked resources based on the user information and the device information respectively related to the user and the device of the user-device pair the shared constrained device pertains to;

- detect that a given user is currently trying to use a shared constrained device she is not authorized to, and subsequently deny any connectivity to this device;

- detect attempts (through monitoring) by a given device-user pair to access unauthorized networked resources, possibly depending on the current location in the premises;

- remove previously granted connectivity from the device-user pair due to context changes (e.g. location has changed etc.).

In an example embodiment, the predefined connectivity policies are stored in a policy database. The at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to communicate with the policy database in order to determine the connectivity rule for the user-device pair. Thanks to this feature, the connectivity policies are easy to reach and to apply.

In an example embodiment, predefined connectivity policies restrict the use of the device to a predefined subset of said users. The at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to determine a connectivity rule for the user-device pair by:

- Performing a test, wherein the test includes checking if the user of the user-device pair belongs to said subset,

- If the test is positive, determining the connectivity rule to authorize the user-device pair to access services of the network,

- If the test is negative, determining the connectivity rule to deny the user-device pair access to the network.

Thanks to this feature, only users who have the right to use a given device are able to use this device to access network resources.
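The nearest-user pairing (with history as a tie-breaker, as the summary describes) and the subset policy test above, as an added Python example that is not part of the patent. The users, devices, coordinates, policies and history are constructed; treating a device with no policy entry as unmanaged and denying it is this example's own choice, one of the policy options the text lists.

```python
from dataclasses import dataclass
from math import hypot


# Constructed sample types: coordinates are assumed to already be in the
# common (calibrated) coordinate system the text describes.
@dataclass(frozen=True)
class User:
    user_id: str
    x: float
    y: float


@dataclass(frozen=True)
class Device:
    device_id: str
    x: float
    y: float


def distance(user: User, device: Device) -> float:
    """Euclidean distance between a user and a device."""
    return hypot(user.x - device.x, user.y - device.y)


def form_pairs(users, devices, history=None, tolerance=1e-9):
    """Pair every device with the user that minimizes the distance to it.

    history maps device_id -> user_id last seen with that device; it is only
    consulted to break ties between users that are equally close (within
    tolerance). A user may be paired with several devices."""
    history = history or {}
    pairs = {}
    for dev in devices:
        if not users:
            break
        best = min(users, key=lambda u: distance(u, dev))
        d_best = distance(best, dev)
        tied = [u for u in users if abs(distance(u, dev) - d_best) <= tolerance]
        last = history.get(dev.device_id)
        if len(tied) > 1 and last in {u.user_id for u in tied}:
            best = next(u for u in tied if u.user_id == last)
        pairs[dev.device_id] = best.user_id
    return pairs


def connectivity_rule(user_id, device_id, policies):
    """Policy test: authorize only if the user belongs to the predefined subset
    allowed to use this device. A device without a policy entry is treated as
    unmanaged and denied (design choice of this example)."""
    allowed = policies.get(device_id)
    if allowed is None or user_id not in allowed:
        return "deny"
    return "authorize"


def evaluate(users, devices, policies, history=None):
    """Return device_id -> (paired user, connectivity rule)."""
    pairs = form_pairs(users, devices, history)
    return {dev: (uid, connectivity_rule(uid, dev, policies))
            for dev, uid in pairs.items()}


# Constructed data: bob and carol are equidistant from d2, so history decides.
SAMPLE_USERS = [User("alice", 1.0, 1.0), User("bob", 5.0, 5.0), User("carol", 9.0, 1.0)]
SAMPLE_DEVICES = [Device("d1", 1.5, 1.0), Device("d2", 7.0, 3.0), Device("d3", 5.0, 0.0)]
SAMPLE_POLICIES = {"d1": {"alice", "bob"}, "d2": {"bob"}}  # d3 has no policy
SAMPLE_HISTORY = {"d2": "carol"}

if __name__ == "__main__":
    for dev, (uid, rule) in evaluate(SAMPLE_USERS, SAMPLE_DEVICES,
                                     SAMPLE_POLICIES, SAMPLE_HISTORY).items():
        print(dev, uid, rule)
```

Run as a script it prints one line per device; `d2` pairs with carol because of the history entry and is then denied, since the policy for `d2` only lists bob.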

In an example embodiment, the at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to perform a radio mapping to obtain the localization data of the devices. In an example embodiment, the radio mapping may be performed using a method selected in a group consisting of wireless triangulation, beamforming, analysis of received signal strength and time-of-flight measurement. In another example embodiment, the at least one memory and the computer program code may further be configured to obtain the device information by receiving localization data related to the devices.

In an example embodiment, the at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to obtain the user information with a video analysis system. The video analysis system may be configured to record and analyze images of users. In an example embodiment, the video analysis system may comprise a camera or a plurality of cameras, wherein the camera or the plurality of cameras is located at a predefined position, the predefined position being independent of the positions of the devices. In an example embodiment, the video analysis system implements a computer vision method.

In an example embodiment wherein the user information is obtained thanks to a video analysis system and the device information is obtained thanks to a radio analysis system, the at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to calibrate the video analysis system in accordance with the radio analysis system, in order to enable determining distances between users and devices based on the user information and the device information. In an example embodiment, the user information includes coordinates of the users, the device information includes coordinates of the devices and the at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to calibrate the video analysis system in accordance with the radio analysis system using calibration devices. The calibration devices may comprise both a radio beacon and a visual marker and they may be placed in an area of interest so as to construct a common coordinate system for the coordinates of the users and the coordinates of the devices.
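The calibration step, as an added Python example that is not from the patent: a least-squares 2D similarity transform (uniform scale, rotation, translation) is fitted from calibration devices whose visual-marker position in the video frame and radio-beacon position in the radio map are both known, and a residual check rejects a calibration set in which a device was misplaced. All coordinates are constructed; choosing a similarity model rather than an affine or projective one is this example's assumption.

```python
from math import hypot


def fit_similarity(video_pts, radio_pts):
    """Least-squares similarity transform mapping video-frame coordinates onto
    radio-map coordinates. video_pts[i] and radio_pts[i] belong to the same
    calibration device. With points as complex numbers the map is
    w = a*z + b, and the closed-form solution on centered data is
    a = sum(conj(zc)*wc) / sum(|zc|^2), b = mean(w) - a*mean(z)."""
    if len(video_pts) != len(radio_pts) or len(video_pts) < 2:
        raise ValueError("need at least two matched calibration points")
    z = [complex(x, y) for x, y in video_pts]
    w = [complex(x, y) for x, y in radio_pts]
    zm = sum(z) / len(z)
    wm = sum(w) / len(w)
    zc = [p - zm for p in z]
    wc = [p - wm for p in w]
    denom = sum(abs(p) ** 2 for p in zc)
    if denom == 0:
        raise ValueError("calibration points coincide in the video frame")
    a = sum(p.conjugate() * q for p, q in zip(zc, wc)) / denom
    b = wm - a * zm
    return a, b


def to_radio_frame(transform, pt):
    """Map one video-frame point into the radio-map coordinate system."""
    a, b = transform
    p = a * complex(*pt) + b
    return (p.real, p.imag)


def max_residual(transform, video_pts, radio_pts):
    """Largest distance between a mapped marker and its beacon. A large value
    means a calibration device was misplaced or the two frames are not
    related by a similarity, so the common coordinate system is unreliable."""
    mapped = [to_radio_frame(transform, p) for p in video_pts]
    return max(hypot(mx - rx, my - ry) for (mx, my), (rx, ry) in zip(mapped, radio_pts))


def calibrate(video_pts, radio_pts, max_error=0.1):
    """Fit the transform and refuse it if the calibration does not close."""
    t = fit_similarity(video_pts, radio_pts)
    err = max_residual(t, video_pts, radio_pts)
    if err > max_error:
        raise ValueError(f"calibration residual {err:.3f} exceeds {max_error}")
    return t


def user_device_distance(transform, user_video_pt, device_radio_pt):
    """Distance between a user seen by the camera and a device located by radio."""
    ux, uy = to_radio_frame(transform, user_video_pt)
    return hypot(ux - device_radio_pt[0], uy - device_radio_pt[1])


# Constructed calibration set: the radio map equals the video frame scaled by 2,
# rotated 90 degrees counter-clockwise and shifted by (10, 5), i.e. a = 2j, b = 10+5j.
CAL_VIDEO = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (2.0, 3.0)]
CAL_RADIO = [(10.0, 5.0), (10.0, 7.0), (8.0, 5.0), (4.0, 9.0)]
# Same set with the last beacon misplaced by (2, 2): calibration must fail.
CAL_RADIO_BAD = [(10.0, 5.0), (10.0, 7.0), (8.0, 5.0), (6.0, 11.0)]

if __name__ == "__main__":
    t = calibrate(CAL_VIDEO, CAL_RADIO)
    print("user at video (3,1) -> radio", to_radio_frame(t, (3.0, 1.0)))
    print("distance to device at (8.2, 10.9):",
          user_device_distance(t, (3.0, 1.0), (8.2, 10.9)))
```

The residual threshold is the practical check: a transform always fits, so the only way to notice a misplaced or mislabelled calibration device is to see that the fitted map no longer sends each marker onto its own beacon.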

In an example embodiment, the at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to obtain the user-information by receiving localization data related to the users.

In an example embodiment, the at least one memory and the computer program code may further be configured to, with the at least one processor, cause the apparatus to obtain traffic-information related to network traffic generated by the user-device pair and restrict access to the network in response to detecting that the network traffic violates the connectivity rule for the user-device pair. Violating a connectivity rule in that case may represent different behaviors: the user-device pair tries to access another networked resource it has no access to, the volume of traffic is abnormal with respect to the activity or type of device in use, the protocols used are not the expected ones, or the ports used are not the expected ones. Thanks to this feature, it is possible to increase security in the network by authorizing, restricting or denying access to a network resource based also on the activity of a user in the network, and the possible evolution of this activity. For instance, it makes it possible to remove previously granted connectivity from the device-user pair if the activity it was supposed to perform is finished.
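The traffic monitoring just described, as an added Python example that is not part of the patent: flow records of the paired device are checked against the pair's connectivity rule for unauthorized resources, unexpected protocols or ports, and abnormal volume over an observation window, and any violation turns the decision into a restriction. The flow records, the rule and the volume budget are constructed.

```python
from dataclasses import dataclass


# Constructed flow record, e.g. one line of a flow export summarised per window.
@dataclass(frozen=True)
class Flow:
    device_id: str
    resource: str   # destination network resource
    proto: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class ConnectivityRule:
    user_id: str
    device_id: str
    resources: frozenset   # resources the pair may reach
    protocols: frozenset   # expected protocols for the pair's activity
    ports: frozenset       # expected destination ports
    max_bytes: int         # volume budget for one observation window


def flow_violations(rule, flow):
    """Rule checks on a single flow; each finding is a human-readable reason."""
    found = []
    if flow.resource not in rule.resources:
        found.append(f"resource {flow.resource} not authorized")
    if flow.proto not in rule.protocols:
        found.append(f"protocol {flow.proto} unexpected")
    if flow.dport not in rule.ports:
        found.append(f"port {flow.dport} unexpected")
    return found


def monitor_window(rule, flows):
    """Check all flows of the pair's device in one window.

    Returns ("allow" | "restrict", list of violations). Traffic of other
    devices is skipped here because it is judged by their own rules."""
    total = 0
    violations = []
    for f in flows:
        if f.device_id != rule.device_id:
            continue
        total += f.nbytes
        violations.extend(f"{f.resource}:{f.dport}: {v}" for v in flow_violations(rule, f))
    if total > rule.max_bytes:
        violations.append(f"volume {total} bytes exceeds budget {rule.max_bytes}")
    return ("restrict" if violations else "allow"), violations


# Constructed rule for the pair (alice, d1): only HTTPS to the MES server.
RULE = ConnectivityRule("alice", "d1", frozenset({"mes-server"}),
                        frozenset({"tcp"}), frozenset({443}), 1_000_000)

# Constructed flows for one window.
SAMPLE_FLOWS = [
    Flow("d1", "mes-server", "tcp", 443, 200_000),  # expected activity
    Flow("d1", "mes-server", "tcp", 22, 1_000),     # unexpected port
    Flow("d1", "file-share", "tcp", 445, 900_000),  # unauthorized resource and port
    Flow("d2", "file-share", "udp", 53, 500),       # another device, ignored here
]

if __name__ == "__main__":
    decision, reasons = monitor_window(RULE, SAMPLE_FLOWS)
    print(decision)
    for r in reasons:
        print(" -", r)
```

Because the budget is evaluated over the whole window, the volume finding appears once at the end rather than on the flow that crossed the limit, which keeps the report stable across different flow orderings.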

In some example embodiments, the disclosure also provides a computer-implemented method for:

- Obtaining device information, the device information including localization data based on radio analysis and related to several devices,

- Obtaining user information, the user information including localization data obtained independently of the devices and related to several users,

- Determining distances between the devices and the users, based on the device information and the user information,

- Forming a user-device pair, wherein the user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- Determining a connectivity rule for the user-device pair,

- Implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

In some example embodiments, such a method may further comprise one or more of the features below.

In an example embodiment, the method is implemented for forming a plurality of user-device pairs.

In an example embodiment, the user-information includes identity of the users and the connectivity rule for the user-device pair defines authorizations or denials of access to services of the network based on the identity of the user.

In an example embodiment, the device-information includes identity of the devices and the connectivity rule for the user-device pair defines authorizations or denials of access to services of the network based on the identity of the device.

In an example embodiment, the method further comprises the step of determining the connectivity rule for the user-device pair based on predefined connectivity policies and/or as a function of the identity of the device and/or localization data of the device and/or the identity of the user and/or localization data of the user.

In an example embodiment, the method further comprises the step of performing a radio mapping to obtain the localization data of the devices.

In an example embodiment, the method further comprises the step of implementing a video analysis system by recording and analyzing images of users.

In an example embodiment wherein the device information is obtained with a radio analysis system, the method further comprises the step of calibrating the video analysis system in accordance with the radio analysis system, in order to enable determining distances between the devices and the users, based on the user information and the device information.

In an example embodiment wherein the user information includes coordinates of the users and the device information includes coordinates of the devices, the step of calibrating the video analysis system in accordance with the radio analysis system uses calibration devices, the calibration devices comprising both a radio beacon and a visual marker, and being placed at known locations in an area of interest so as to construct a common coordinate system for the coordinates of the users and the coordinates of the devices.

In an example embodiment, the step of implementing access control further comprises obtaining traffic-information related to network traffic generated by the user-device pair and restricting access to the network in response to detecting that the network traffic violates the connectivity rule for the user-device pair.

In example embodiments, the disclosure also provides a computer program comprising executable code that causes a computer to perform the steps of such method when executed.

In some example embodiments the disclosure also provides an apparatus for controlling and monitoring access in a network, comprising:

- A device-related circuitry configured to obtain device information, the device information including localization data based on radio analysis and related to several devices,

- A user-related circuitry configured to obtain user information, the user information including localization data obtained independently of the devices and related to several users,

- A distance-determining circuitry configured to determine distances between the users and the devices based on the user information and the device information,

- A matching circuitry configured to form a user-device pair, wherein the user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- A connectivity-related circuitry configured to determine a connectivity rule for the user-device pair,

- A configuration circuitry configured to implement access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

In an example embodiment, the matching circuitry forms a plurality of user-device pairs.

In an example embodiment, the apparatus further comprises a policy-retrieving circuitry configured to determine the connectivity rule for the user-device pair based on predefined connectivity policies and/or as a function of the identity of the device and/or localization data of the device and/or the identity of the user and/or localization data of the user.

In an example embodiment, the predefined connectivity policies are stored in a policy database, and the apparatus further comprises a communication circuitry configured to communicate with the policy database in order to determine the connectivity rule for the user-device pair.

In an example embodiment, the apparatus comprises a radio circuitry configured to perform a radio mapping to obtain the localization data of the devices. In an example embodiment, the apparatus comprises a device-related communicating circuitry configured to receive localization data related to the devices.

In an example embodiment, the device information is obtained with a radio analysis system, and the apparatus comprises a calibration circuitry to calibrate the video analysis system in accordance with the radio analysis system, in order to enable determining distances between the users and the devices based on the user information and the device information.

In an example embodiment, the apparatus comprises a user-related communication circuitry configured to obtain the user-information by receiving localization data related to the users.

In an example embodiment, the apparatus comprises a traffic monitoring circuitry configured to obtain traffic-information related to network traffic generated by the user-device pair and to restrict access to the network in response to detecting that the network traffic violates the connectivity rule for the user-device pair. The traffic monitoring circuitry is in particular configured to check if the type of traffic from or to the device paired with the user is compliant with the expected activity for the user-device pair.

In some example embodiments, the disclosure also provides an apparatus comprising:

- Means for obtaining device information, the device information including localization data based on radio analysis and related to several devices,

- Means for obtaining user information, the user information including localization data obtained independently of the devices and related to several users,

- Means for determining distances between the devices and the users based on the user information and the device information,

- Means for forming a user-device pair, wherein the user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- Means for determining a connectivity rule for the user-device pair,

- Means for implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

In an example embodiment, the apparatus comprises means for forming a plurality of user-device pairs.

In an example embodiment, the apparatus further comprises means for determining the connectivity rule for the user-device pair based on predefined connectivity policies and/or as a function of the identity of the device and/or localization data of the device and/or the identity of the user and/or localization data of the user.

In an example embodiment the predefined connectivity policies are stored in a policy database and the apparatus further comprises means for communicating with the policy database in order to determine the connectivity rule for the user-device pair.

In an example embodiment wherein the predefined connectivity policies restrict the use of the device to a predefined subset of said users, the means for determining a connectivity rule for the user-device pair comprise means for:

- Performing a test, wherein the test includes checking if the user of the user-device pair belongs to said subset,

- If the test is positive, determining the connectivity rule to authorize the user-device pair to access services of the network,

- If the test is negative, determining the connectivity rule to deny the user-device pair access to the network.

In an example embodiment, the apparatus further comprises means for performing a radio mapping to obtain the localization data of the devices.

In an example embodiment, the means for obtaining the device-information comprises means for receiving localization data related to the devices. In an example embodiment wherein the device information is obtained with a radio analysis system, the apparatus further comprises means for calibrating the video analysis system in accordance with the radio analysis system, in order to enable determining distances between the users and the devices based on the user information and the device information.

In an example embodiment, the means for obtaining the user information comprise means for receiving localization data related to the users.

In an example embodiment, the means for implementing access control comprise means for obtaining traffic information related to network traffic generated by the user-device pair and restricting access to the network in response to detecting that the network traffic violates the connectivity rule for the user-device pair.

In some example embodiments, the means in the apparatus further comprise: at least one processor; and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the performance of the apparatus.

In an example embodiment, an apparatus comprises at least one processor and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to perform:

- Obtaining device information, the device information including localization data based on radio analysis and related to several devices,

- Obtaining user information, the user information including localization data obtained independently of the devices and related to several users,

- Determining distances between the users and the devices based on the user information and the device information,

- Forming a user-device pair, wherein the user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- Determining a connectivity rule for the user-device pair,

- Implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

In an example embodiment, a non-transitory computer readable medium comprises program instructions for causing an apparatus to perform at least the following:

- Obtaining device information, the device information including localization data based on radio analysis and related to several devices,

- Obtaining user information, the user information including localization data obtained independently of the devices and related to several users,

- Determining distances between the users and the devices based on the user information and the device information,

- Forming a user-device pair, wherein the user-device pair includes a said device and a said user selected among the users to minimize a distance to said device,

- Determining a connectivity rule for the user-device pair,

- Implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair.

Aspects of the invention aim at reducing the risk of attack or possible misuse of networked resources, as all network traffic will occur between authorized user-device pairs and networked resources. Moreover, aspects of the invention make it possible to:

- Provide access control based on device location as well as user identity and location for unmanaged or potentially untrusted devices,

- Provide access control based on device location as well as user identity and location for devices not supporting authentication means. Even if an authentication means is present on the considered device, the solution provides a dual authentication through the infrastructure.

Brief description of the drawings

These and other aspects of the invention will be apparent from and elucidated with reference to example embodiments described hereinafter, by way of example, with reference to the drawings.

Figure 1 is a functional representation of the network elements, the network infrastructure and the apparatuses that make it possible to manage and monitor access control in the network according to an embodiment.

Figure 2 is a sequence diagram showing a method of managing and monitoring access according to an embodiment.

Figure 3 is a flow chart showing a sequence of actions that may be implemented in the network controller of figure 1 according to an embodiment.

Figure 4a is a schematic view of a means for correlating the coordinate system of the video analysis system and the coordinate system of the radio analysis system according to an embodiment where the user information includes coordinates of the users and the device information includes coordinates of the devices.

Figure 4b is a schematic view of a means for correlating the coordinate system of the video analysis system and the coordinate system of the radio analysis system according to another embodiment where the user information includes coordinates of the users and the device information includes coordinates of the devices.

Figure 5 is a schematic view of a situation in which several user-device pairs are identified and whose access control is managed and monitored according to an embodiment.

Figure 6 is a diagram representing a test that may be implemented by the network controller of figure 1 in order to determine a connectivity policy, according to an embodiment.

Figure 7 is a functional diagram of a programmed computer in which example embodiments of the invention may be implemented.

Detailed description of the embodiments

The disclosure relates to a network which needs to be accessed by several users, each user using a device. The users locally interact with a device. That means that a user needs to be physically close to a device in order to interact with it.

In an example embodiment shown in figure 1, a network controller 1 performs network control and monitoring 102 of the network connectivity. The network controller 1 is either a dedicated equipment, or embedded in an existing network node selected among the group consisting of a router, a border gateway, a firewall and a set-top unit. The network controller 1 could also be placed in the Cloud or Edge Cloud. The network controller 1 allows or denies traffic between a given device and a targeted network resource that a user is trying to access with the device. A device can be a computer, a smartphone, a network-capable phone, a personal digital assistant (PDA), a copy machine, a television, a point-of-sale terminal, a manufacturing-related device, a physical access control device, a camera or a sensor. A physical access control device can be a card reader, a biometric reader, or an electromechanical lock. A sensor can be a temperature sensor, an air composition sensor, a specific gas detector, or a radiation sensor.

Granting or denying access to network resources is based on a context, which comprises device information, including identity and localization of the device, and user information, including the identity and localization of the user of the device. In the example embodiment of figure 1, user information is obtained for all the users of the network, and device information is obtained for all the devices of the network. This information is obtained thanks to on-premises infrastructure 101 that the network controller 1 communicates with: user information is obtained thanks to a video analysis system 3 and device information is obtained thanks to a radio analysis system 2.

The video analysis system 3 is composed of interconnected cameras 121 which record images of the users and transmit them to the video analysis system 3, as shown by arrows 12. These cameras are connected to a wired or wireless network (the considered controlled network or a separate network), allowing them to transmit their video feeds to the video analysis system. The cameras 121 are independent of the devices. In particular, their position is independent of the position of the devices. Once the video analysis system 3 receives the images recorded by the cameras 121, it analyzes them in order to identify and locate users. Localization of the users is possible because the position of the cameras 121 is known to the video analysis system 3. In an example embodiment, the video analysis system 3 implements a computer vision method. In an example embodiment, this computer vision method performs face recognition and thereby identifies the users. In order to obtain the user information, the network controller 1 communicates with the video analysis system 3, as shown by arrow 14. In an example embodiment, communication between the network controller 1 and the video analysis system 3 can be a wired or a wireless communication, through the controlled network or a separate network.

In a non-illustrated embodiment, the video analysis system may be embedded in the cameras.

The radio analysis system 2 is implemented by the network infrastructure, which is part of the on-premises infrastructure 101. Radio base stations 131 locate the devices and transmit their position to the radio analysis system 2, as shown by arrow 13. In an example embodiment, device localization is obtained with a method selected in the group consisting of wireless triangulation, beamforming, analysis of received signal strength and time-of-flight measurement. The radio analysis system 2 presented in figure 1 provides device identification alongside device localization. Devices can be identified with their IMSI number or their MAC address. Once determined by the radio analysis system 2, the locations of the devices and their identities are transmitted to the network controller 1, as shown by arrow 15. Communication between the network controller 1 and the radio analysis system 2 can be a wired or a wireless communication, through the controlled network or a separate network.

Based on the user information and the device information, the network controller 1 may decide to authorize the user to access the targeted network resource with the device. By default, connectivity for the considered device is not authorized, and must therefore be whitelisted based on the network context. In the embodiment represented in figure 1, the network controller 1 accesses a policy database 4, which contains connectivity policies to be applied in the network. The network controller 1 then evaluates the connectivity policies in the context of the user information and the device information, in order to determine connectivity rules, which result in authorizing, restricting or denying access to the targeted networked resource. Connectivity policies can include rules based on various elements including, but not limited to, the identity of the user, the identity of the device, the targeted networked resources, and the localization and current activity of the user within the premises. These elements are first retrieved individually by the on-premises infrastructure 101 (cameras 121 and radio base stations 131), and then correlated by the network controller 1. The connectivity policy evaluation may result in automated network provisioning (i.e. configuration orders being sent to network components such as routers, firewalls, etc.) or, if necessary, in requesting manual intervention from an administrator.

Here are some examples of connectivity policies:

- never provide access to a given networked resource from an unmanaged device

- there shall only be one device at a time being granted access to a given network resource

- a user is authorized to access a networked resource

- a networked resource should only be accessible from some predefined locations

- a shared device should only be used by some predefined users

- a user with some activity should be granted access to a networked resource, while he could be granted access to other networked resources in another activity

The connectivity rule resulting from the evaluation of the connectivity policies against the network context may give a level of access to the targeted network resource, the level of access being chosen among the group consisting of no access, limited access and full access to the targeted network resource, wherein limited access (low access or mid access) is a restricted access to the network (neither a total access nor a denial of access).

The network controller 1 finally enforces the determined connectivity rule or connectivity rules by configuring network elements 103 in order to authorize, restrict or deny access to network resources. In the example embodiment of figure 1, network elements include access points 5, firewalls 6 and routers 7. Configuring the network elements 103 can consist in performing actions selected in the group consisting of editing routing, forwarding and firewall rules with SDN solutions, authorizing source/destination ports and addresses (OSI Layers 2 and 3) on existing network components (routers, gateway/proxies, NAT, firewalls, etc.).

In an example embodiment, the information related to the network context is enriched with a network traffic analysis provided by a network traffic analysis system 8, which receives information related to network traffic from a router 7, as shown by arrow 10, analyzes network traffic and transmits its analysis to the network controller 1, as shown by arrow 11. In an example embodiment, an information about network traffic can be the amount of data a user is trying to download with a device or the number of connection attempts. For instance, if this amount of data, or the number of connection attempts exceeds a predefined threshold, the user access to the network may be restricted. In an example embodiment, an information about network traffic can be that a user is trying to use a class of networked application he is not allowed to access. If the use of such an unexpected class of networked application is detected, the traffic of the user may be blocked. In an example embodiment, the fact that the user tried to violate a policy (not using a certain class of networked application) can also lead to a further restricted access to other functionalities of the network. As this network traffic analysis is optional, it has been represented in light grey in figure 1.
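The traffic-based refinement just described (restrict the pair when a download volume or connection-attempt threshold is exceeded, block it when a class of networked application the user may not use is detected) can be written as a small re-evaluation step over the connectivity rule of a pair. The following Python is an added example, not code from the application or from Nokia; the rule and report fields, the threshold values and the three traffic reports are constructed for illustration.

```python
import dataclasses
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Access levels as named in the description: no access, limited access, full access.
NO_ACCESS, LIMITED_ACCESS, FULL_ACCESS = "no access", "limited access", "full access"


@dataclass(frozen=True)
class ConnectivityRule:
    """Connectivity rule currently enforced for one user-device pair.
    The threshold fields are assumed parameters, not names from the description."""
    pair_id: str
    level: str
    allowed_app_classes: FrozenSet[str]  # classes of networked application the user may use
    max_download_bytes: int              # predefined download threshold per reporting window
    max_connection_attempts: int         # predefined connection-attempt threshold per window


@dataclass(frozen=True)
class TrafficReport:
    """Summary of one reporting window from the traffic analysis system (constructed shape)."""
    pair_id: str
    download_bytes: int
    connection_attempts: int
    app_classes: FrozenSet[str]          # application classes observed in the traffic


def refine_rule(rule: ConnectivityRule, report: TrafficReport) -> Tuple[ConnectivityRule, List[str]]:
    """Re-evaluate a rule against observed traffic. The level only ever decreases:
    an unexpected application class blocks the pair, exceeding a threshold restricts it."""
    if report.pair_id != rule.pair_id:
        raise ValueError("traffic report does not belong to this user-device pair")
    if rule.level == NO_ACCESS:
        return rule, ["pair is already denied"]

    reasons: List[str] = []
    unexpected = report.app_classes - rule.allowed_app_classes
    if unexpected:
        # The user tried to use a class of networked application he is not allowed to access.
        reasons.append("unexpected application class(es): " + ", ".join(sorted(unexpected)))
        new_level = NO_ACCESS
    else:
        new_level = rule.level
        if report.download_bytes > rule.max_download_bytes:
            reasons.append(f"download volume {report.download_bytes} exceeds {rule.max_download_bytes}")
            new_level = LIMITED_ACCESS
        if report.connection_attempts > rule.max_connection_attempts:
            reasons.append(f"{report.connection_attempts} connection attempts exceed {rule.max_connection_attempts}")
            new_level = LIMITED_ACCESS
    return dataclasses.replace(rule, level=new_level), reasons


# Constructed sample: one rule for the pair "pair52" and three successive reporting windows.
RULE = ConnectivityRule("pair52", FULL_ACCESS, frozenset({"web", "mail"}), 500_000_000, 50)
REPORTS = [
    TrafficReport("pair52", 120_000_000, 12, frozenset({"web"})),          # nominal
    TrafficReport("pair52", 900_000_000, 12, frozenset({"web", "mail"})),  # volume threshold exceeded
    TrafficReport("pair52", 10_000_000, 3, frozenset({"web", "p2p"})),     # disallowed application class
]


def monitor(rule: ConnectivityRule, reports: List[TrafficReport]) -> List[str]:
    """Apply the reports in order and return the access level in force after each one."""
    levels = []
    for report in reports:
        rule, _ = refine_rule(rule, report)
        levels.append(rule.level)
    return levels


if __name__ == "__main__":
    current = RULE
    for report in REPORTS:
        current, why = refine_rule(current, report)
        print(report.pair_id, "->", current.level, why)
```

Because the level never increases inside `refine_rule`, a pair that was restricted for exceeding a threshold stays restricted when a later window is nominal; restoring access is left to a fresh evaluation of the connectivity policies, which matches the description's separation between policy evaluation and traffic-driven refinement.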

Figure 2 shows the interactions in the network while its access control is being managed and monitored according to an embodiment. A user 21 tries to use a device 22 in order to access the network, as shown by arrow 211. The user may need access to all of the network or only part of it. The network controller 1 manages and monitors access in the network.

The radio analysis system 2 continuously probes for device locations, as illustrated with arrow 212. The radio analysis system 2 also reports the device locations to the network controller 1, as illustrated with arrow 214. In an example embodiment, a device localization mechanism identifies the device.

The video analysis system 3 continuously tracks users and their location, as shown by arrow 213. The video analysis system 3 reports the locations of the users to the network controller 1, as shown by arrow 215. In an example embodiment, video analysis system 3 implements a computer vision technique. In an example embodiment, the computer vision technique consists in using a camera to detect the presence of a user and its location. The position of the camera is known independently from the position of the devices. In an example embodiment, the camera performs face recognition in order to identify the user.

In an example embodiment, the video analysis system 3 mechanism also infers the activities of the users and reports them to the network controller as user- activity pairs.

Thus, the radio analysis system 2 and the video analysis system 3 implement two actions: a periodic scanning of the environment 201 and a continuous reporting to the network controller 202.

The network controller 1 correlates the received information and constructs a context for each device, which is illustrated by step 203. In an example embodiment, this context consists in a user 21 of the device 22 and a location for the user and the device (the user 21 and the device 22 being quite close, as the user 21 is physically using the device 22). In another example embodiment, this context consists in a user 21, a location of the user 21 and the device 22, and an activity the user 21 is trying to perform with the device 22. The correlation is performed by calculating the minimum distance between a device and a user. As it is assumed that the users locally interact with the devices, the device which is the closest to a user is obviously the one being used by this user.
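The correlation of step 203, selecting for each device the user that minimizes the distance to it and attaching the reported user activity, is short enough to show in full. The following Python is an added example, not code from the application or from Nokia. The coordinates, identities (labelled after the reference numerals of figure 5) and activities are constructed, and the `max_distance` parameter is an assumption not present in the description: it lets a device with nobody nearby stay unpaired instead of being paired with a distant user.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Located:
    """An identified user or device with coordinates in the common coordinate system."""
    ident: str
    x: float
    y: float


@dataclass(frozen=True)
class DeviceContext:
    """Context constructed for one device (step 203): its user, the distance and the activity."""
    device_id: str
    user_id: Optional[str]
    distance: Optional[float]
    activity: Optional[str]


def distance(a: Located, b: Located) -> float:
    return math.hypot(a.x - b.x, a.y - b.y)


def form_pairs(devices: List[Located], users: List[Located],
               activities: Optional[Dict[str, str]] = None,
               max_distance: Optional[float] = None) -> List[DeviceContext]:
    """For each device select the user that minimizes the distance to that device.

    `activities` maps a user identity to the activity inferred by the video analysis
    system (the user-activity pairs). `max_distance` is an assumed extra parameter:
    when no user is closer than it, the device is treated as unattended and gets no user.
    A user may legitimately appear in several contexts if he is the closest to several devices.
    """
    activities = activities or {}
    contexts: List[DeviceContext] = []
    for dev in devices:
        if not users:
            contexts.append(DeviceContext(dev.ident, None, None, None))
            continue
        nearest = min(users, key=lambda u: distance(u, dev))
        d = distance(nearest, dev)
        if max_distance is not None and d > max_distance:
            contexts.append(DeviceContext(dev.ident, None, None, None))
            continue
        contexts.append(DeviceContext(dev.ident, nearest.ident, d, activities.get(nearest.ident)))
    return contexts


# Constructed sample: three users, three attended devices and one unattended device.
USERS = [Located("user521", 0.0, 0.0), Located("user522", 5.0, 5.0), Located("user523", 10.0, 0.0)]
DEVICES = [Located("device531", 1.0, 0.0), Located("device532", 5.0, 4.0),
           Located("device533", 9.0, 1.0), Located("device534", 20.0, 20.0)]
ACTIVITIES = {"user522": "maintenance"}


if __name__ == "__main__":
    for ctx in form_pairs(DEVICES, USERS, ACTIVITIES, max_distance=3.0):
        print(ctx)
```

Without `max_distance` the fourth device is paired with the user 20 metres away, which is exactly the case the assumption guards against; with it, that device gets no user and a policy such as "never provide access from an unattended device" can be applied.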

After identifying the user-device pairs, the network controller 1 queries policies for each device from a policy database 4, as illustrated by arrow 216. The network controller 1 then receives the queried policies, as illustrated by arrow 217. Furthermore, the network controller 1 evaluates those policies in the light of the context of each device. This results in a set of permissible connectivity rules for each device. The step of determining those rules is shown in step 204.

In an example embodiment, network elements monitor the traffic of devices based on their context, as defined by a set of monitoring policies. Deviations are reported to the network controller, which may respond by further refining the network connectivity rules for that device.

The network controller computes a new network configuration in order to authorize the correct connectivity for each device. This is illustrated with step 205. After that, the network controller 1 configures the various network elements 23 (switches, routers, firewalls, etc.) by sending them connectivity orders symbolized by arrow 218, thereby enforcing these connectivity rules. At this point, communication between a device and a networked resource is only possible if explicitly permitted by a specific connectivity rule inferred by the network controller.

Figure 3 shows the sequence of actions that may be implemented in the network controller according to an embodiment:

- Receiving user information 311, the user information 311 including localization data of the users,

- Receiving device information 312, the device information 312 including localization data of the devices,

- Determining distances between the users and the devices based on the user information and the device information, as represented by step 30,

- Forming a user-device pair, the user-device pair including a given device and a user selected among the users to minimize a distance to the given device, as represented by step 31,

- Determining a connectivity rule for the user-device pair, as represented by step 32,

- Implementing access control to the network for the user-device pair by enforcing the connectivity rule for the user-device pair, as represented by step 33.

Figures 4a and 4b relate to an embodiment in which the user information and the device information include respectively coordinates of the users and coordinates of the devices. In such an embodiment, the coordinates of the devices obtained with a radio localization mechanism 42 (which is part of the radio analysis system 2 of figure 1) and the coordinates of the users obtained with a video localization mechanism 41 (which is part of the video analysis system 3 of figure 1) need to be expressed in the same coordinate system, so as to enable calculating a distance between a user and a device. As the radio localization mechanism 42 and the video localization mechanism 41 are independent, obtaining the same coordinate system for the coordinates of the users and the coordinates of the devices is not obvious and requires a specific calibration of the radio localization mechanism 42 and the video localization mechanism 41.

Figure 4a shows a first possibility for such a calibration. The video localization mechanism 41 is calibrated with visual markers 411, placed at predefined locations in an area of interest, that area of interest being for instance a factory. As their locations are predefined, it is possible to determine their absolute positioning in the factory. The factory therefore provides an absolute coordinate system 413. It is thus possible to establish a transformation matrix between the coordinates in the coordinate system of the video localization mechanism 41 and the absolute coordinate system 413, as shown by arrow 414. Likewise, the radio localization mechanism 42 is calibrated with radio beacons 412, placed at predefined locations in the same area of interest. It is thus possible to establish a transformation matrix between the coordinates in the coordinate system of the radio localization mechanism 42 and the absolute coordinate system 413, as shown by arrow 415. In the example embodiment of figure 4a, the absolute coordinate system 413 and its relations to the coordinate system of the radio localization mechanism 42 and to the coordinate system of the video localization mechanism 41, represented respectively by arrows 415 and 414, are then used to determine a transformation matrix 417 between the coordinate system of the video localization mechanism 41 and the coordinate system of the radio localization mechanism 42. That gives a direct relation 418 between the coordinate system of the video localization mechanism 41 and the coordinate system of the radio localization mechanism 42.

In another example embodiment, the coordinates of the users obtained thanks to the video localization mechanism and the coordinates of the devices obtained thanks to the radio localization mechanism may be directly expressed in the absolute coordinate system 413.

Figure 4b shows another possibility for such a calibration. Special beacons 511, which embed both a radio beacon and a visual marker, are used to correlate the coordinate system of the video localization mechanism 41 and the coordinate system of the radio localization mechanism 42. The visual marker includes a beacon number which is the same as the one emitted by the embedded radio beacon. These special beacons 511 can be placed in an area of interest where users or devices are likely to be found. This area of interest can be the floor or the walls. The special beacons 511 can be placed in the area of interest temporarily during calibration time or permanently. It is unlikely that they would be placed onto the vision or radio sensors themselves (typically those would be placed on the ceiling, which is not part of the area of interest, as there are neither users nor devices on the ceiling). Knowledge of the positions of the sensing devices (cameras and access points) is not required for the system to work. The use of such special beacons 511 to calibrate at the same time the video localization mechanism 41 and the radio localization mechanism 42 makes it possible to construct a common coordinate system for the video localization mechanism 41 and the radio localization mechanism 42. This permits correlating the coordinate system of the video localization mechanism 41 and the coordinate system of the radio localization mechanism 42, as shown by arrow 512, because both coordinate systems are the same and correspond to the common coordinate system. Thus, the coordinates of the devices and of the users can be directly expressed in the same coordinate system.
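Both calibrations of figures 4a and 4b reduce to the same computation: fitting a transformation between two coordinate systems from point correspondences, then composing or applying it. The Python below is an added example, not code from the application or from Nokia, and it assumes that each sensor frame differs from the factory frame by a planar rigid motion (rotation plus translation, no scaling), which is an assumption beyond the description; it also assumes the fitted transform is a 3x3 homogeneous matrix. The marker positions, beacon positions and the hidden "true" sensor frames used to synthesize what each localization mechanism would report are all constructed. `calibrate_video_to_radio` follows figure 4a (two fits through the absolute system 413, then matrix 417 by composition); `calibrate_with_special_beacons` follows figure 4b (one direct fit from the special beacons 511).

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]
Matrix = List[List[float]]  # 3x3 homogeneous 2D transform


def rigid(theta_deg: float, tx: float, ty: float) -> Matrix:
    """Rigid 2D transform: rotate by theta_deg, then translate by (tx, ty)."""
    c, s = math.cos(math.radians(theta_deg)), math.sin(math.radians(theta_deg))
    return [[c, -s, tx], [s, c, ty], [0.0, 0.0, 1.0]]


def apply_transform(m: Matrix, p: Point) -> Point:
    x, y = p
    return (m[0][0] * x + m[0][1] * y + m[0][2], m[1][0] * x + m[1][1] * y + m[1][2])


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(3)) for j in range(3)] for i in range(3)]


def invert_rigid(m: Matrix) -> Matrix:
    """Inverse of a rigid transform: transposed rotation, negated rotated translation."""
    (a, b, tx), (c, d, ty) = m[0], m[1]
    return [[a, c, -(a * tx + c * ty)], [b, d, -(b * tx + d * ty)], [0.0, 0.0, 1.0]]


def fit_rigid_transform(src: Sequence[Point], dst: Sequence[Point]) -> Matrix:
    """Least-squares rigid transform mapping src[i] onto dst[i].

    2D form of the Kabsch solution: after centring both point sets, the optimal
    rotation angle is atan2(sum of cross products, sum of dot products), and the
    translation then aligns the centroids. Needs at least two distinct pairs.
    """
    if len(src) != len(dst) or len(src) < 2:
        raise ValueError("need at least two matching point pairs")
    n = len(src)
    sx, sy = sum(p[0] for p in src) / n, sum(p[1] for p in src) / n
    dx, dy = sum(q[0] for q in dst) / n, sum(q[1] for q in dst) / n
    dot = cross = 0.0
    for (px, py), (qx, qy) in zip(src, dst):
        px, py, qx, qy = px - sx, py - sy, qx - dx, qy - dy
        dot += px * qx + py * qy
        cross += px * qy - py * qx
    theta = math.atan2(cross, dot)
    c, s = math.cos(theta), math.sin(theta)
    return [[c, -s, dx - (c * sx - s * sy)], [s, c, dy - (s * sx + c * sy)], [0.0, 0.0, 1.0]]


def calibrate_video_to_radio(video_markers, radio_beacons) -> Matrix:
    """Figure 4a. video_markers: (video coords, absolute coords) of the visual markers 411;
    radio_beacons: (radio coords, absolute coords) of the radio beacons 412.
    Returns transformation matrix 417 from video coordinates to radio coordinates."""
    video_to_abs = fit_rigid_transform([v for v, _ in video_markers], [a for _, a in video_markers])  # 414
    radio_to_abs = fit_rigid_transform([r for r, _ in radio_beacons], [a for _, a in radio_beacons])  # 415
    return matmul(invert_rigid(radio_to_abs), video_to_abs)


def calibrate_with_special_beacons(special_beacons) -> Matrix:
    """Figure 4b. special_beacons: (video coords, radio coords) of the same beacon 511,
    matched by beacon number. No absolute coordinate system is needed."""
    return fit_rigid_transform([v for v, _ in special_beacons], [r for _, r in special_beacons])


def user_device_distance(user_video: Point, device_radio: Point, video_to_radio: Matrix) -> float:
    """Distance between a user (video coords) and a device (radio coords), computed in the radio frame."""
    ux, uy = apply_transform(video_to_radio, user_video)
    return math.hypot(ux - device_radio[0], uy - device_radio[1])


# Constructed sample. The two *_TRUE frames are hidden ground truth used only to synthesize
# the readings each localization mechanism would report; the calibration never reads them.
ABS_VISUAL_MARKERS = [(0.0, 0.0), (10.0, 0.0), (0.0, 6.0), (10.0, 6.0)]
ABS_RADIO_BEACONS = [(3.0, 3.0), (8.0, 1.0), (1.0, 7.0)]
ABS_SPECIAL_BEACONS = [(2.0, 2.0), (7.0, 5.0), (9.0, 1.0)]
ABS_TO_VIDEO_TRUE = rigid(30.0, 2.0, -1.0)
ABS_TO_RADIO_TRUE = rigid(-90.0, 5.0, 5.0)
VIDEO_MARKERS = [(apply_transform(ABS_TO_VIDEO_TRUE, a), a) for a in ABS_VISUAL_MARKERS]
RADIO_BEACONS = [(apply_transform(ABS_TO_RADIO_TRUE, a), a) for a in ABS_RADIO_BEACONS]
SPECIAL_BEACONS = [(apply_transform(ABS_TO_VIDEO_TRUE, a), apply_transform(ABS_TO_RADIO_TRUE, a))
                   for a in ABS_SPECIAL_BEACONS]

if __name__ == "__main__":
    m = calibrate_video_to_radio(VIDEO_MARKERS, RADIO_BEACONS)
    user = apply_transform(ABS_TO_VIDEO_TRUE, (4.0, 2.0))    # user at factory point (4, 2)
    device = apply_transform(ABS_TO_RADIO_TRUE, (4.5, 2.0))  # device half a metre from the user
    print(round(user_device_distance(user, device, m), 6))
```

The constructed readings are exact, so both calibrations recover the same matrix; with real measurements the two fits of figure 4a accumulate the error of two marker sets, whereas the single fit of figure 4b uses one set, which is one practical reason to prefer combined beacons where they can be placed.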

Figure 5 shows an example of use of the invention. The users are a first user 521, a second user 522 and a third user 523. The devices are a first device 531, a second device 532 and a third device 533. User-device pairs have been identified by the network controller 1. Each one of the pairs contains a device and a user, the user being the closest user to the device among all the users. In this example, the identified user-device pairs are a first user-device pair 51, a second user-device pair 52 and a third user-device pair 53. Each one of those user-device pairs 51, 52, 53 illustrates a different case of use of the invention:

- The first user 521, of the first user-device pair 51, is unknown to the network controller 1, whereas the first device 531 he is trying to use is known to the network controller 1. If there is a policy in the policy database 4 stating that the first device 531 is expected to be used by unknown users, network access will be given to the first user 521. Otherwise, if the first device 531 is only expected to be used by known users, access to the network will be denied for the first user 521.

- The second user 522 of the second user-device pair 52 is known to the network controller 1 and the second device 532 is also known to the network controller 1, but it is not certain whether the second user 522 has the right to use the second device 532. A test will then be deployed, as described in figure 6, to determine whether the second user 522 has the right to access the network or not.

- The third user 523 of the third user-device pair 53 is known to the network controller 1 but the third device 533 is unknown to the network controller 1. This may be a BYOD (Bring Your Own Device) case, in which the third user 523 brought his own device, for instance his own computer at work.

Therefore, if there is a policy in the policy database 4 stating that it is expected that the third user 523 will bring his own device at work, the third user-device pair 53 will be granted access to the network.

Figure 6 illustrates a test that will be performed if the situation of the second user-device pair 52 represented in figure 5 occurs. It relates to the particular situation in which a device is supposed to be used by a subset of users (among all the possible users of devices in a company for instance). That case of use only applies to an embodiment in which the user information is obtained thanks to a video analysis mechanism that identifies the users. When a user is identified as using that device, meaning that the network controller 1 formed a user-device pair with this user and the device, test 61 is performed. Test 61 consists in checking, through face recognition, if the user who is trying to use the device belongs to the subset of users who are authorized to use the device. If he does, as illustrated by the first outcome 62, he will be authorized to access the network resource he is trying to access with the device, as shown by step 63. If he does not belong to the subset of users who are authorized to use the device, as illustrated by the second outcome 64, access to the network resource he is trying to access will be denied, as shown by step 65.

Thanks to this test, it is possible to determine if a user is trying to steal the identity of another user in order to use a device. For instance, if a user stole another user's access credentials in order to access his computer, the network controller will not let him access the network, because it has video evidence that the identity of the user who is trying to use the device does not correspond to the identity of a user who has the right to use the device (through face recognition for instance). Such denial of access occurs no matter whether the access credentials the user is trying to use correspond to access credentials of a user who is authorized to use the device in order to access the network. This provides a two-factor authentication, increasing the security in the network, as the network controller does not only check if a user uses the correct access credentials to access a network, but also performs a visual control to see if the user looks like one of the users who have the right to use a given device to access the network.
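The three cases of figure 5 and test 61 of figure 6 form one decision procedure over the pair context and the policy database 4. The Python below is an added example, not code from the application or from Nokia: the shape of the policy records, the `credential_user` field (the identity presented by login credentials on the device, recorded only so the reason string can show that it is ignored by the decision) and the sample database are constructed, with labels after the reference numerals of figure 5. It covers the two-factor point of the preceding paragraph: the decision uses the identity recognized by the video analysis system, so presenting an authorized user's credentials does not pass test 61.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

NO_ACCESS, FULL_ACCESS = "no access", "full access"


@dataclass(frozen=True)
class PairContext:
    """Context of one user-device pair as constructed by the network controller."""
    device_id: Optional[str]               # identity from the radio analysis system, None if unknown
    recognized_user: Optional[str]         # identity from face recognition, None if the user is unknown
    credential_user: Optional[str] = None  # assumed field: identity presented by credentials on the device


@dataclass(frozen=True)
class DevicePolicy:
    accepts_unknown_users: bool = False
    authorized_users: Optional[FrozenSet[str]] = None  # the predefined subset; None means any known user


@dataclass(frozen=True)
class UserPolicy:
    byod_allowed: bool = False


@dataclass
class PolicyDatabase:
    """Stand-in for policy database 4: policies keyed by device identity and by user identity."""
    devices: Dict[str, DevicePolicy]
    users: Dict[str, UserPolicy]


def determine_connectivity_rule(ctx: PairContext, db: PolicyDatabase) -> Tuple[str, str]:
    """Return (access level, reason) for the pair, covering the three cases of figure 5."""
    device_policy = db.devices.get(ctx.device_id) if ctx.device_id else None
    user_policy = db.users.get(ctx.recognized_user) if ctx.recognized_user else None

    if device_policy is None:
        # Third pair 53: unknown device, possibly the user's own (BYOD).
        if user_policy is None:
            return NO_ACCESS, "unknown user on unknown device"
        if user_policy.byod_allowed:
            return FULL_ACCESS, "known user permitted to bring his own device"
        return NO_ACCESS, "known user not permitted to bring his own device"

    if user_policy is None:
        # First pair 51: unknown user on a known device.
        if device_policy.accepts_unknown_users:
            return FULL_ACCESS, "device is expected to be used by unknown users"
        return NO_ACCESS, "device is reserved for known users"

    # Second pair 52: known user on a known device, test 61. The decision uses the
    # identity recognized by the video analysis system, never the presented credentials.
    subset = device_policy.authorized_users
    if subset is None or ctx.recognized_user in subset:
        return FULL_ACCESS, "outcome 62: recognized user belongs to the authorized subset"
    detail = ""
    if ctx.credential_user and ctx.credential_user in subset:
        detail = f" (credentials of authorized user {ctx.credential_user} presented by someone else)"
    return NO_ACCESS, "outcome 64: recognized user not in the authorized subset" + detail


# Constructed sample policy database.
DB = PolicyDatabase(
    devices={
        "device531": DevicePolicy(accepts_unknown_users=True),
        "device532": DevicePolicy(authorized_users=frozenset({"user522", "user523"})),
    },
    users={
        "user521": UserPolicy(),
        "user522": UserPolicy(),
        "user523": UserPolicy(byod_allowed=True),
    },
)

if __name__ == "__main__":
    for ctx in [PairContext("device531", None), PairContext("device532", "user522"),
                PairContext(None, "user523"), PairContext("device532", "user521", "user522")]:
        print(ctx, "->", determine_connectivity_rule(ctx, DB))
```

The last sample context is the credential-theft situation of the paragraph above: a known user 521, not in the authorized subset of device 532, logs in with the credentials of user 522; the pair is denied, and the reason records which authorized identity was presented, which is useful evidence for the administrator the description mentions.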

Figure 7 shows a functional diagram of a programmed computer, server, circuitry, or apparatus 700 that may be used for that purpose. Computer 700 has a core and several peripherals connected via a communication bus. The major components of the core are a microprocessor 701 (often called the CPU), random access memory (RAM) 702 and read only memory (ROM) 703. The peripherals comprise devices that allow information to be input to the system from users, output to users and stored and retrieved (mass storage devices 704 such as hard disks and network interfaces 705).

The invention is not limited to the described example embodiments. The appended claims are to be construed as embodying all modifications and alternative constructions that may occur to one skilled in the art, and which fairly fall within the basic teaching as set forth herein.

As used in this application, the term "circuitry" may refer to one or more or all of the following:

(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and

(b) combinations of hardware circuits and software, such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and

(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and

(c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.

This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.

Elements such as the apparatus and its components could be or include e.g. hardware means like e.g. an Application-Specific Integrated Circuit (ASIC), or a combination of hardware and software means, e.g. an ASIC and a Field-Programmable Gate Array (FPGA), or at least one microprocessor and at least one memory with software modules located therein, e.g. a programmed computer.

The use of the verb "to comprise" or "to include" and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. Furthermore, the use of the article "a" or "an" preceding an element or step does not exclude the presence of a plurality of such elements or steps. The example embodiments may be implemented by means of hardware as well as software. The same item of hardware may represent several "means".

In the claims, any reference signs placed between parentheses shall not be construed as limiting the scope of the claims.