Network security system and method

US 8,127,346 B2
Filed: 06/29/2010
Issued: 02/28/2012
Est. Priority Date: 01/20/2006
Status: Active Grant

First Claim

Patent Images

1. A method of detecting cloned client devices communicating over a network, comprising:

creating a dynamic covert identifier which identifies a client device, the dynamic covert identifier being derived from operational events at the client device which are at least substantially unique to the usage history of the client device;

receiving a first message from the client device at a server, the message containing the dynamic covert identifier;

storing a version of the dynamic covert identifier at the server together with having credentials registered at the server identifying the client device;

updating at least part of the previously stored dynamic covert identifier periodically at the client device based on event triggers to create an updated version of the dynamic covert identifier which includes at least one original part of the previously stored dynamic covert identifier and at least one new part which is at least partially derived from operational events at the client device which occurred after creation of a previous version of the dynamic covert identifier;

receiving a subsequent message from a client device at the server, the message containing the latest updated version of the dynamic covert identifier;

locating the dynamic covert identifier previously stored at the server for the client device with the same credentials as the client device from which the subsequent message is received;

comparing the previously stored dynamic covert identifier with the original part of the updated version of the dynamic covert identifier received in the subsequent message; and

reporting detection of a cloned client device if a match is not found; and

saving the latest updated version of the dynamic covert identifier received from the client device at the server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a security system for network communications with client devices, each client device has a communication module for communicating with at least one server over a network, a data storage module for storing one or more covert data values of one or more operational events at the client device, and a covert identifier generating module which creates at least one covert identifier based on the stored covert data values. The covert identifier is provided in one or more network messages to the server, or otherwise sent to the service provider, and may be provided in response to a specific request received over the network, or routinely in one or more messages normally involved in network communications. The server compares covert identifiers received from client devices having the same client identifier in order to detect possible clones.

20 Citations

View as Search Results

37 Claims

1. A method of detecting cloned client devices communicating over a network, comprising:
- creating a dynamic covert identifier which identifies a client device, the dynamic covert identifier being derived from operational events at the client device which are at least substantially unique to the usage history of the client device;
  
  receiving a first message from the client device at a server, the message containing the dynamic covert identifier;
  
  storing a version of the dynamic covert identifier at the server together with having credentials registered at the server identifying the client device;
  
  updating at least part of the previously stored dynamic covert identifier periodically at the client device based on event triggers to create an updated version of the dynamic covert identifier which includes at least one original part of the previously stored dynamic covert identifier and at least one new part which is at least partially derived from operational events at the client device which occurred after creation of a previous version of the dynamic covert identifier;
  
  receiving a subsequent message from a client device at the server, the message containing the latest updated version of the dynamic covert identifier;
  
  locating the dynamic covert identifier previously stored at the server for the client device with the same credentials as the client device from which the subsequent message is received;
  
  comparing the previously stored dynamic covert identifier with the original part of the updated version of the dynamic covert identifier received in the subsequent message; and
  
  reporting detection of a cloned client device if a match is not found; and
  
  saving the latest updated version of the dynamic covert identifier received from the client device at the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the dynamic covert identifier comprises selected covert data values generated by operational events at a client device, and detection of a clone of a real client device is reported if covert data values in a covert identifier received from a client device do not match any covert data values in a version of the covert identifier stored at the server for the client device having the same credentials as the client device from which the message is received.
  - 3. The method of claim 1, wherein the dynamic covert identifier is based on covert data values generated by the client device.
  - 4. The method of claim 2, further comprising periodically changing at least one covert data value to a different covert data value based on a different operational event at a client device.
  - 5. The method of claim 1, wherein the dynamic covert identifier comprises a code based on selected covert data values generated by different operational events at a client device.
  - 6. The method of claim 1, wherein the dynamic covert identifier is at least partially based on at least one token provided by the server to the client device.
  - 7. The method of claim 3, wherein the covert data values are based on the time of sending predetermined messages.
  - 8. The method of claim 1, wherein the dynamic covert identifier is based on covert data generated by the server and provided by the server in a message to the client device.
  - 9. The method of claim 1, wherein the dynamic covert identifier is based on covert data values generated by the client device and the server.
  - 10. The method of claim 1, wherein at least one event trigger comprises installation of updated firmware on a client device.
  - 11. The method of claim 1, wherein at least one event trigger comprises receipt of a predetermined number of a particular type of message from the server.
  - 12. The method of claim 1, wherein at least one event trigger comprises sending a predetermined number of a particular type of message from the client device.
  - 13. The method of claim 1, wherein at least one event trigger comprises a predetermined number of channel changes at the client device.
  - 14. The method of claim 1, wherein at least one event trigger comprises a server issued trigger.
  - 15. The method of claim 1, wherein the dynamic covert identifier is based on the time of day an event occurred in the client device.

16. A method of renewing subscriber client devices on a network, comprising:
- creating a dynamic covert identifier which identifies a client device, the dynamic covert identifier being derived from operational events which are at least substantially unique to the operation of said client device;
  
  storing at a server of a service provider the dynamic covert identifier for a client device having credentials registered at a server;
  
  updating at least part of the previously stored dynamic covert identifier periodically at a client device based on event triggers to create an updated version of the dynamic covert identifier which includes at least one original part of the previously stored dynamic covert identifier and at least one new part which is at least partially derived from operational events at the client device which occurred after creation of a previous version of the dynamic covert identifier, and storing the latest updated version of the dynamic covert identifier at the client device;
  
  receiving a service renewal message from the service provider at the client device;
  
  providing the current updated version of the dynamic covert identifier created at the client device to the service provider in a message from the client device over the network in response to the service renewal message;
  
  comparing the dynamic covert identifier previously stored at the server for the client device with the original part of the current updated version of the dynamic covert identifier received in the message from the client device in response to the service renewal message;
  
  if the original part of the updated version of the dynamic cover identifier received in the message from the client device matches the dynamic covert identifier previously stored at the server, sending a renewal code message to the client device over the network, the renewal code message containing a renewal unlock code based on the dynamic covert identifier provided to the service provider; and
  
  processing the renewal unlock code using the dynamic covert identifier stored at the client device to receive continued services from the service provider.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, further comprising receiving an update covert identifier message at the client device prior to the service renewal message, and the step of updating at least part of the dynamic covert identifier stored at the client device occurs at least in response to receipt of the update covert identifier message from the server, and is based on operational events subsequent to the events from which the original the previously stored dynamic covert identifier was created.
  - 18. The method of claim 16, wherein the dynamic covert identifier comprises a code based on selected covert data values generated by different operational events at a client device.

19. A system for detecting cloned client devices on a network, comprising:
- a server having a communication module which communicates with client devices over a network;
  
  a plurality of client devices communicating with the server over the network;
  
  each client device having a covert identifier generating module which generates a first version of a variable dynamic covert identifier based on operational events at the respective client device which are substantially unique to the respective client device and which periodically generates an updated version of the dynamic covert identifier which includes at least one original part of the previously generated dynamic covert identifier and at least one new part which is at least partially derived from operational events at the respective client device which occurred subsequent to creation of the previous version of the dynamic covert identifier, a covert data storage module which stores covert data values, and a message formatting module which embeds the latest version of the dynamic covert identifier in each message sent from the client device to the server over the network;
  
  a data storage module associated with the server which stores a client identifier associated with at least one real client device registered for service with the server and at least the latest version of the dynamic covert identifier received from a client device having the same client identifier;
  
  anda clone detection module associated with the server and data storage module which compares the original part of at least one dynamic covert identifier in a message received from a client device with the original and new parts in the latest version of the dynamic covert identifier stored in the data storage module which is associated with a client device having the same client identifier, and which creates a clone detection report if the original part of the dynamic covert identifier received in the message does not match the latest version of the dynamic covert identifier stored at the server.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein the client devices are smart cards.
  - 21. The system of claim 19, wherein at least some of the client devices include smart cards.
  - 22. The system of claim 19, wherein at least some of the client devices are set top boxes.
  - 23. The system of claim 19, wherein at least some of the client devices are mobile communication devices.
  - 24. The system of claim 19, wherein at least some of the client devices are personal computers.
  - 25. The system of claim 19, wherein each version of the dynamic covert identifier comprises a plurality of covert data values corresponding to different operational events at the respective client device.
  - 26. The system of claim 19, wherein each version of the dynamic covert identifier comprises a transformed version of a plurality of covert data values corresponding to different operational events at the respective client device.

27. A client device for communicating over a network, comprising:
- a communication module which is configured to communicate with a server of at least one service provider over a network;
  
  a covert identifier generating module which is configured to create a first version of a variable dynamic covert identifier based on at least one variable covert data value of an operational event at the client device which is substantially unique to the client device and which periodically creates an updated version of the dynamic covert identifier which includes at least one original covert data value of the previously created dynamic covert identifier and at least one new covert data value which is derived from operational events at the respective client device which occurred subsequent to creation of the first version of the dynamic covert identifier;
  
  a data storage module associated with the covert data generating module which stores the latest updated version of the dynamic covert identifier; and
  
  a message formatting module associated with the communication module and data storage module which embeds the latest version of the dynamic covert identifier in each message sent from the client device to the server over the network; and
  
  a renewal module which is configured to respond to a renewal message received from the server over the network by sending the current updated dynamic covert identifier in a renewal unlock code request message to the server and to process a renewal unlock code based on the current updated dynamic covert identifier subsequently received from the server using the latest updated dynamic covert identifier stored in the data storage module, whereby the client device continues to receive services from the service provider associated with the server if the renewal unlock code contains a dynamic covert identifier matching the current updated dynamic covert identifier stored in the data storage module.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 28. The client device of claim 27, wherein the data storage module stores a covert data table of different covert data values of different operational events which are substantially unique to the client device, and the dynamic covert identifier is based on the covert data table.
  - 29. The client device of claim 28, wherein the dynamic covert identifier comprises at least some of the covert data values in the covert data table.
  - 30. The client device of claim 28, wherein the dynamic covert identifier is a transformation of at least some of the covert data values.
  - 31. The client device of claim 28, further comprising a covert data update module configured to update the table of covert data values with at least some new covert data values in response to at least one predetermined covert data trigger.
  - 32. The client device of claim 27, wherein the dynamic covert identifier generating module is configured to generate an updated version of the dynamic covert identifier based on new covert data values in response to a command received from the server.
  - 33. The client device of claim 32, wherein the command comprises an update command received in a network message.
  - 34. The client device of claim 32, wherein the command comprises a covert data trigger.
  - 35. The client device of claim 27, comprising a smart card having an integral processor containing the communication module, covert identifier generating module, and data storage module.
  - 36. The client device of claim 27, wherein the client device is selected from the group consisting of set top boxes, personal computers, personal digital assistants, portable communication devices, media playing devices, and smart cards.
  - 37. The client device of claim 27, wherein the client device is a silicon chip including a covert identifier generating module and data storage module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verimatrix Incorporated (Verimatrix SA)
Original Assignee
Verimatrix Incorporated (Verimatrix SA)
Inventors
Kulakowski, Robert T., White, Donovan Steve
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
HOLDER, BRADLEY W

Application Number

US12/826,501
Publication Number

US 20100268771A1
Time in Patent Office

609 Days
Field of Search

726/10, 726/2, 726/3, 726/5, 726/9
US Class Current

726/10
CPC Class Codes

G06F 21/31   User authentication

G06F 21/445   by mutual authentication, e...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/14   for detecting or protecting...

H04L 63/1466   Active attacks involving in...

H04N 21/25816   involving client authentica...

H04N 7/162   Authorising the user termin...

H04W 12/126   Anti-theft arrangements, e....

H04W 12/35   Protecting application or s...

Network security system and method

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Network security system and method

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links