Security techniques for device assisted services

US 8,391,834 B2
Filed: 01/27/2010
Issued: 03/05/2013
Est. Priority Date: 01/28/2009
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more modems for enabling a communications device to communicate over at least a first wireless network and a second wireless network;

one or more processors of the communications device configured to;

determine that the communications device is connected to the first wireless network;

based on the determination that the communications device is connected to the first wireless network, implement a first service profile executed at least in part in a secure execution environment, the first service profile for assisting control of usage by the communications device of a service over the first wireless network, wherein the service profile includes one or more service policy settings, at least one of the one or more service policy settings for assisting in controlling access to the service over the first wireless network; and

monitor an attempted or successful use of the service over the first wireless network; and

memory of the communications device coupled to the one or more processors and configured to provide the one or more processors with instructions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security techniques for device assisted services are provided. In some embodiments, secure service measurement and/or control execution partition is provided. In some embodiments, implementing a service profile executed at least in part in a secure execution environment of a processor of a communications device for assisting control of the communications device use of a service on a wireless network, in which the service profile includes a plurality of service policy settings, and wherein the service profile is associated with a service plan that provides for access to the service on the wireless network; monitoring use of the service based on the service profile; and verifying the use of the service based on the monitored use of the service.

Citations

62 Claims

1. A system, comprising:
- one or more modems for enabling a communications device to communicate over at least a first wireless network and a second wireless network;
  
  one or more processors of the communications device configured to;
  
  determine that the communications device is connected to the first wireless network;
  
  based on the determination that the communications device is connected to the first wireless network, implement a first service profile executed at least in part in a secure execution environment, the first service profile for assisting control of usage by the communications device of a service over the first wireless network, wherein the service profile includes one or more service policy settings, at least one of the one or more service policy settings for assisting in controlling access to the service over the first wireless network; and
  
  monitor an attempted or successful use of the service over the first wireless network; and
  
  memory of the communications device coupled to the one or more processors and configured to provide the one or more processors with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62)
- - 2. The system recited in claim 1, wherein the one or more processors of the communications device are further configured to send information about the monitored attempted or successful use of the service to a network element, wherein the information comprises service usage information.
  - 3. The system recited in claim 1, wherein the communications device is a mobile communications device or an intermediate networking device, and the service includes one or more Internet based services.
  - 4. The system recited in claim 1, wherein the communications device includes a modem, and at least one of the one or more processors of the communications device is located in the modem.
  - 5. The system recited in claim 1, wherein the communications device is a mobile communications device, and wherein the service includes one or more Internet based services, and wherein the mobile communications device includes one or more of the following:
    - a mobile phone, a personal digital assistant (PDA), an eBook reader, a music device, an entertainment device, a gaming device, a computer, laptop, a netbook, a tablet, and a home networking system.
  - 6. The system recited in claim 1, wherein the first service profile allows for access to the service with service capabilities that are controlled based on one or more of the following:
    - a period of time, a network address, a service type, a content type, an application type, a bandwidth, and a data usage.
  - 7. The system recited in claim 1, wherein the one or more service policy settings include one or more of the following:
    - an access control setting, a traffic control setting, a billing system setting, a user notification setting, a user notification with acknowledgement setting, a user notification with synchronized service usage information setting, a user privacy setting, a user preference setting, an authentication setting, an admission control setting, an application access setting, a content access setting, a transaction setting, a network management communication setting, and a device management communication setting.
  - 8. The system recited in claim 1, wherein the secure execution environment includes a protected device assisted service execution partition.
  - 9. The system recited in claim 1, wherein the secure execution environment includes a protected device assisted service execution partition, and wherein the protected device assisted service execution partition is implemented at least in part as a hardware partition.
  - 10. The system recited in claim 1, wherein the secure execution environment includes a protected device assisted service execution partition, and wherein the protected device assisted service execution partition is implemented at least in part as a software partition.
  - 11. The system recited in claim 1, wherein the secure execution environment includes a protected device assisted service execution partition, and wherein the protected device assisted service execution partition is implemented at least in part in a virtual machine executed on the one or more processors of the communications device.
  - 12. The system recited in claim 1, wherein the secure execution environment includes a protected device assisted service execution partition, and the one or more processors of the communications device are further configured to:
    - execute one or more device assisted service agents in the protected device assisted service execution partition, wherein the one or more device assisted service agents executed in the protected device assisted service execution partition are in communication with a network element.
  - 13. The system recited in claim 1, wherein the secure execution environment includes a protected device assisted service execution partition, and the one or more processors of the communications device are further configured to:
    - execute one or more device assisted service agents in the protected device assisted service execution partition, wherein the one or more device assisted service agents executed in the protected device assisted service execution partition include a device agent for providing a service usage measure.
  - 14. The system recited in claim 1, wherein the secure execution environment includes a protected device assisted service execution partition, and the one or more processors of the communications device are further configured to:
    - execute one or more device assisted service agents in the protected device assisted service execution partition, wherein the one or more device assisted service agents executed in the protected device assisted service execution partition are in secure communication with a network element, and wherein the secure communication with the network element includes encrypted communications.
  - 15. The system recited in claim 1, wherein the communications device includes a modem, and at least one of the one or more processors of the communications device is located in the modem, and wherein the secure execution environment includes a secure modem execution partition that is implemented using a hardware or software partition, and wherein the one or more processors of the communications device are further configured to:
    - execute one or more device assisted service agents in the secure modem execution partition, wherein the device assisted service agents executed in the secure modem execution partition are in communication with a network element.
  - 16. The system recited in claim 1, wherein the communications device includes a modem, and at least one of the one or more processors of the communications device is located in the modem, and wherein the secure execution environment includes a secure modem execution partition that is implemented using a hardware or software partition, and wherein the one or more processors of the communications device are further configured to:
    - execute one or more device assisted service agents in the secure modem execution partition, wherein the device assisted service agents executed in the secure modem execution partition are in secure communication with a network element, and wherein the secure communication with the network element includes encrypted communications.
  - 17. The system recited in claim 1, wherein the communications device includes a modem, and at least one of the one or more processors of the communications device is located in the modem, and wherein the secure execution environment includes a secure modem execution partition that is implemented using a hardware or software partition, and wherein the one or more processors of the communications device are further configured to:
    - execute one or more device assisted service agents in the secure modem execution partition, wherein one or more device assisted service agents executed in the secure modem execution partition include a modem agent for providing service usage measure.
  - 18. The system recited in claim 1, wherein the one or more processors of the communications device are further configured to:
    - execute a first set of one or more device assisted service agents in a kernel execution partition; and
      
      execute a second set of one or more device assisted service agents in the protected device assisted service execution partition, wherein at least one agent of the second set of one or more device assisted service agents is in communication with a network element.
  - 19. The system recited in claim 1, wherein the one or more processors of the communications device are further configured to:
    - execute a first set of one or more device assisted service agents in an application execution partition;
      
      execute a second set of one or more device assisted service agents in a kernel execution partition; and
      
      execute a third set of one or more device assisted service agents in the protected device assisted service execution partition, wherein at least one agent of the third set of one or more device assisted service agents is in communication with a network element.
  - 20. The system recited in claim 1, wherein the one or more processors of the communications device are further configured to:
    - execute a first set of one or more device assisted service agents in an application execution partition;
      
      execute a second set of one or more device assisted service agents in a kernel execution partition;
      
      execute a third set of one or more device assisted service agents in a modem execution partition; and
      
      execute a fourth set of one or more device assisted service agents in the protected device assisted service execution partition, wherein at least one agent of the fourth set of one or more device assisted service agents is in communication with a network element.
  - 21. The system recited in claim 1, wherein the one or more processors of the communications device are further configured to:
    - execute a first set of one or more device assisted service agents in an application execution partition;
      
      execute a second set of one or more device assisted service agents in a kernel execution partition;
      
      execute a third set of one or more device assisted service agents in a modem execution partition; and
      
      execute a fourth set of one or more device assisted service agents in the protected device assisted service execution partition, wherein at least one agent of the fourth set of one or more device assisted service agents is in communication with a network element, and wherein the fourth set of one or more device assisted service agents comprises one or more of the following;
      
      an application identifier agent, an access control integrity agent, a policy control agent, a policy implementation agent, and a service usage measure agent.
  - 22. The system recited in claim 1, wherein the one or more processors of the communications device are further configured to:
    - execute a first set of one or more device assisted service agents in an application execution partition;
      
      execute a second set of one or more device assisted service agents in a kernel execution partition;
      
      execute a third set of one or more device assisted service agents in a modem execution partition, wherein the modem execution partition is in communication with the protected device assisted execution partition using a modem local channel; and
      
      execute a fourth set of one or more device assisted service agents in the protected device assisted service execution partition, wherein at least one agent of the fourth set of one or more device assisted service agents is in communication with a network element, and wherein the fourth set of one or more device assisted service agents comprises one or more of the following;
      
      an application identifier agent, an access control integrity agent, a policy control agent, a policy implementation agent, and a service usage measure agent.
  - 23. The system recited in claim 1, wherein the one or more processors of the communications device are further configured to:
    - execute a first set of one or more device assisted service agents in an application execution partition;
      
      execute a second set of one or more device assisted service agents in a kernel execution partition;
      
      execute a third set of one or more device assisted service agents in a modem execution partition, wherein the modem execution partition is in communication with the protected device assisted execution partition using a modem local channel, and wherein at least one agent of the third set of one or more device assisted service agents comprises a service usage measure agent; and
      
      execute a fourth set of one or more device assisted service agents in the protected device assisted service execution partition, wherein at least one agent of the fourth set of one or more device assisted service agents is in communication with a network element, and wherein the fourth set of one or more device assisted service agents comprises one or more of the following;
      
      an application identifier agent, an access control integrity agent, a policy control agent, a policy implementation agent, and a service usage measure agent.
  - 26. The system recited in claim 1, wherein the first wireless network is a roaming network, and wherein assisting control of usage by the communications device of a service over the first wireless network comprises disallowing communications on the roaming network.
  - 27. The system recited in claim 1, wherein the first wireless network is a roaming network, and wherein assisting control of usage by the communications device of a service over the first wireless network comprises restricting at least an aspect of communications on the roaming network.
  - 28. The system recited in claim 1, wherein the first wireless network is a cellular network, and wherein assisting control of usage by the communications device of a service over the first wireless network comprises disallowing communications on the cellular network.
  - 29. The system recited in claim 1, wherein the first wireless network is a cellular network, and wherein assisting control of usage by the communications device of a service over the first wireless network comprises restricting at least an aspect of communications on the cellular network.
  - 30. The system recited in claim 1, wherein the one or more processors are further configured to:
    - determine that the communications device is connected to the second wireless network; and
      
      implement a second service profile, the second service profile for assisting control of usage by the communications device of the service over the second wireless network.
  - 31. The system recited in claim 30, wherein the one or more service policy settings are one or more first service policy settings, and wherein the second service profile comprises one or more second service policy settings.
  - 32. The system recited in claim 30, wherein the one or more processors are configured to implement the second service profile by executing the second service profile at least in part in the secure execution environment.
  - 33. The system recited in claim 1, wherein the one or more processors are further configured to:
    - determine that the communications device is connected to the second wireless network; and
      
      refrain from implementing the first service profile based on the determination that the communications device is connected to the second wireless network.
  - 34. The system recited in claim 1, wherein assisting control of usage by the communications device of a service over the first wireless network comprises assisting in providing the service with an identified quality of service (QOS).
  - 35. The system recited in claim 1, wherein assisting control of usage by the communications device of a service over the first wireless network comprises assisting in disallowing use of the service.
  - 36. The system recited in claim 1, wherein assisting control of usage by the communications device of a service over the first wireless network comprises assisting in restricting use of the service.
  - 37. The system recited in claim 1, wherein assisting control of usage by the communications device of a service over the first wireless network comprises assisting in applying a traffic shaping to the service.
  - 38. The system recited in claim 1, wherein assisting control of usage by the communications device of a service over the first wireless network comprises assisting in controlling a particular service usage activity.
  - 39. The system recited in claim 38, wherein assisting in controlling a particular service usage activity comprises disallowing the particular service usage activity.
  - 40. The system recited in claim 38, wherein assisting in controlling a particular service usage activity comprises restricting the particular service usage activity.
  - 41. The system recited in claim 38, wherein assisting in controlling a particular service usage activity comprises traffic shaping the particular service usage activity.
  - 42. The system recited in claim 38, wherein in controlling a particular service usage activity comprises assisting in providing an identified quality of service (QOS) to the particular service usage activity.
  - 43. The system recited in claim 38, wherein the particular service usage activity comprises communications associated with a particular application.
  - 44. The system recited in claim 38, wherein the particular service usage activity comprises:
    - communications over a roaming network, communications over a cellular network, communications associated with a particular source or destination, communications associated with a particular traffic type, communications associated with a transaction service, communications associated with an advertising service, communications associated with an application type, communications associated with a particular network communication end point, or communications associated with a particular transaction type.
  - 45. The system recited in claim 44, wherein the particular traffic type comprises best-effort traffic, real-time traffic, voice over Internet protocol (VOIP) traffic, live video traffic, streaming traffic, multi-cast traffic, uni-cast traffic, point-to-point traffic, traffic associated with a file type, traffic associated with an application, traffic with a particular priority, traffic without an assigned priority, traffic associated with the first wireless network, or traffic associated with the second wireless network.
  - 46. The system recited in claim 1, wherein at least a portion of the first service profile is based on a user preference.
  - 47. The system recited in claim 46, further comprising a user interface, and wherein the one or more processors are further configured to obtain the user preference through the user interface.
  - 48. The system recited in claim 1, wherein assisting control of usage by the communications device of a service over the first wireless network comprises providing differentiated quality of service (QOS) to two or more service usage activities.
  - 49. The system recited in claim 48, wherein the differentiated QOS is based on an assigned QOS hierarchy.
  - 50. The system recited in claim 48, wherein at least one of the two or more service usage activities comprises:
    - communications over a roaming network, communications over a cellular network, communications associated with a particular source or destination, communications associated with a particular application, communications associated with a particular traffic type, communications associated with a transaction service, communications associated with an advertising service, communications associated with an application type, communications associated with a particular network communication end point, and communications associated with a particular transaction type.
  - 51. The system recited in claim 50, wherein the particular traffic type comprises best-effort traffic, real-time traffic, voice over Internet protocol (VOIP) traffic, live video traffic, streaming traffic, multi-cast traffic, uni-cast traffic, point-to-point traffic, traffic associated with a file type, traffic associated with an application, traffic with a particular priority, traffic without an assigned priority, or traffic associated with a particular network.
  - 52. The system recited in claim 1, wherein the service is associated with a particular quality of service (QOS), and wherein first service profile assists in providing the service with the particular QOS.
  - 53. The system recited in claim 1, wherein the first service profile assists in authorizing the communications device to use the wireless network.
  - 54. The system recited in claim 1, wherein the one or more processors are further configured to obtain at least a portion of the first service profile from the network element.
  - 55. The system recited in claim 1, wherein the one or more processors are further configured to obtain configuration information from a network element, the configuration information for assisting the one or more processors in modifying or allowing modifications to at least one service policy setting of the one or more service policy settings.
  - 56. The system recited in claim 55, wherein the communications device is an intermediate networking device.
  - 57. The system recited in claim 1, wherein the one or more processors are further configured to obtain at least one of the one or more service policy settings from a network element.
  - 58. The system recited in claim 1, wherein the one or more processors are further configured to send information about the monitored attempted or successful use of the service to a network element.
  - 59. The system recited in claim 58, wherein the one or more processors are further configured to obtain a message from the network element, the message confirming receipt of the information about the monitored attempted or successful use of the service.
  - 60. The system recited in claim 58, wherein the information about the monitored attempted or successful use of the service comprises quality of service (QOS) information.
  - 61. The system recited in claim 58, wherein the network element is a quality of service (QOS) control element.
  - 62. The system recited in claim 1, wherein the one or more processors of the communications device are configured to implement the first service profile based on the monitored attempted or successful use of the service over the first wireless network.

24. A method, comprising:
- determining that a communications device capable of connecting to a first wireless network and to a second wireless network is connected to the first wireless network;
  
  based on determining that the communications device is connected to the first wireless network, implementing a first service profile executed at least in part in a secure execution environment of the communications device, the first service profile for assisting control of usage by the communications device of a service over the first wireless network, wherein the service profile includes one or more service policy settings for assisting in controlling access to the service over the first wireless network; and
  
  monitoring an attempted or successful use of the service over the first wireless network.

25. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- determining that a communications device capable of connecting to a first wireless network and to a second wireless network is connected to the first wireless network;
  
  based on determining that the communications device is connected to the first wireless network, implementing a first service profile executed at least in part in a secure execution environment of the communications device, the first service profile for assisting control of usage by the communications device of a service over the first wireless network, wherein the service profile includes one or more service policy settings for assisting in controlling access to the service over the first wireless network; and
  
  monitoring an attempted or successful use of the service over the first wireless network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Headwater Research LLC (Greg Raleigh)
Original Assignee
Headwater Partners I LLC (Greg Raleigh)
Inventors
Raleigh, Gregory G.
Primary Examiner(s)
RUDY, ANDREW J

Application Number

US12/694,445
Publication Number

US 20100199325A1
Time in Patent Office

1,133 Days
Field of Search

370/468, 370/252, 455/461, 455/406, 455/407, 455/408, 455/414.1, 455/418, 455/419, 455/456.1, 455/456.6, 705/30, 705/34, 709/203, 709/217, 709/223, 709/224
US Class Current

455/407
CPC Class Codes

G06F 15/177   Initialisation or configura...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2149   Restricted operating enviro...

G06Q 10/06315   Needs-based resource requir...

G06Q 10/06375   Prediction of business proc...

G06Q 20/102   Bill distribution or payments

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 30/0207   Discounts or incentives, e....

G06Q 30/0241   Advertisements

G06Q 30/0283   Price estimation or determi...

G06Q 30/0284   Time or distance, e.g. usag...

G06Q 30/04   Billing or invoicing

G06Q 30/0601   Electronic shopping [e-shop...

G06Q 40/00   Finance; Insurance; Tax str...

G06Q 40/12   Accounting

H04L 12/14   Charging , metering or bill...

H04L 41/0806 : for initial configuration o...

H04L 41/0876 : Aspects of the degree of co...

H04L 41/0893 : Assignment of logical group...

H04L 41/5003 : Managing SLA; Interaction b...

H04L 41/5025 : by proactively reacting to ...

H04L 41/5054 : Automatic deployment of ser...

H04L 47/20 : Traffic policing

H04L 47/2408 : for supporting different se...

H04L 51/046 : Interoperability with other...

H04L 63/0236 : Filtering by address, proto...

H04L 63/04 : for providing a confidentia...

H04L 63/0428 : wherein the data content is...

H04L 63/08 : for authentication of entit...

H04L 63/0853 : using an additional device,...

H04L 63/0892 : by using authentication-aut...

H04L 63/10 : for controlling access to d...

H04L 63/145 : the attack involving the pr...

H04L 63/20 : for managing network securi...

H04L 67/145 : avoiding end of session, e....

H04L 67/306 : User profiles

H04L 67/34 : involving the movement of s...

H04L 67/55 : Push-based network services

H04L 67/564 : Enhancement of application ...

H04L 67/63 : Routing a service request d...

H04L 9/32 : including means for verifyi...

H04L 9/3247 : involving digital signatures

H04M 15/00 : Arrangements for metering, ...

H04M 15/58 : based on statistics of usag...

H04M 15/61 : based on the service used

H04M 15/80 : Rating or billing plans; Ta...

H04M 15/88 : Provision for limiting conn...

H04M 2215/0188 : Network monitoring; statist...

H04W 12/00 : Security arrangements; Auth...

H04W 12/02 : Protecting privacy or anony...

H04W 12/037 : of the control plane, e.g. ...

H04W 12/06 : Authentication

H04W 12/08 : Access security

H04W 12/088 : using filters or firewalls

H04W 24/08 : Testing, supervising or mon...

H04W 28/02 : Traffic management, e.g. fl...

H04W 28/0215 : based on user or device pro...

H04W 28/0268 : using specific QoS paramete...

H04W 28/12 : using signalling between ne...

H04W 4/02 : Services making use of loca...

H04W 4/12 : Messaging; Mailboxes; Annou...

H04W 4/18 : Information format or conte...

H04W 4/20 : Services signaling; Auxilia...

H04W 4/24 : Accounting or billing

H04W 4/50 : Service provisioning or rec...

H04W 48/14 : using user query or user de...

H04W 48/16 : Discovering, processing acc...

H04W 72/0453 : Resources in frequency doma...

H04W 8/02 : Processing of mobility data...

H04W 8/18 : Processing of user or subsc...

H04W 8/20 : Transfer of user or subscri...

H04W 84/04 : Large scale networks; Deep ...

H04W 84/042 : Public Land Mobile systems,...

H04W 84/12 : WLAN [Wireless Local Area N...

H04W 88/06 : adapted for operation in mu...

H04W 88/08 : Access point devices

Y02P 90/80 : Management or planning

View All

Security techniques for device assisted services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

Security techniques for device assisted services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links