Security, fraud detection, and fraud mitigation in device-assisted services systems

US 8,793,758 B2
Filed: 12/01/2011
Issued: 07/29/2014
Est. Priority Date: 01/28/2009
Status: Active Grant

First Claim

Patent Images

1. An end-user device, comprising:

one or more modems for enabling the end-user device to communicate over at least a first wireless access network;

memory configured to store;

a first application program configured to execute on the end-user device and further configured to assist the end-user device in accessing one or more data services over at least the first wireless access network,a first application credential associated with the first application program,a first policy comprising one or more first policy instructions to be applied when the first application program initiates or attempts to initiate communication over the first wireless access network; and

one or more device agents configured to;

detect an attempted installation of update software on the end-user device, the update software purporting to be a modification, update, or replacement of the first application program,obtain an update-software credential associated with the update software,obtain the first application credential,determine whether the update-software credential matches the first application credential,when the update-software credential matches the first application credential, allow the update software to be installed on the end-user device,determine that the first application program is initiating or attempting to initiate communication over the first wireless access network, andbased on the determination that the first application program is initiating or attempting to initiate communication over the first wireless access network, apply the first policy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device that detects an attempted installation of update software on the device, the update software purporting to be a modification, update, or replacement of an application program that assists the device in accessing a data service over a wireless access network, obtain an update-software credential associated with the update software, obtain an application credential associated with the application program, determine whether the update-software credential matches the application credential, and allow the update software to be installed if the update-software credential matches the application credential, determine that the application program is initiating or attempting to initiate communication over the wireless access network, and based on the determination that the application program is initiating or attempting to initiate communication over the wireless access network, apply a policy when the application program initiates or attempts to initiate communication over the wireless access network.

937 Citations

81 Claims

1. An end-user device, comprising:
- one or more modems for enabling the end-user device to communicate over at least a first wireless access network;
  
  memory configured to store;
  
  a first application program configured to execute on the end-user device and further configured to assist the end-user device in accessing one or more data services over at least the first wireless access network,a first application credential associated with the first application program,a first policy comprising one or more first policy instructions to be applied when the first application program initiates or attempts to initiate communication over the first wireless access network; and
  
  one or more device agents configured to;
  
  detect an attempted installation of update software on the end-user device, the update software purporting to be a modification, update, or replacement of the first application program,obtain an update-software credential associated with the update software,obtain the first application credential,determine whether the update-software credential matches the first application credential,when the update-software credential matches the first application credential, allow the update software to be installed on the end-user device,determine that the first application program is initiating or attempting to initiate communication over the first wireless access network, andbased on the determination that the first application program is initiating or attempting to initiate communication over the first wireless access network, apply the first policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81)
- - 2. The end-user device recited in claim 1, wherein determine that the first application program is initiating or attempting to initiate communication over the first wireless access network comprises monitor a traffic flow comprising one or more communications and detect in the traffic flow an identifier associated with the first application program.
  - 3. The end-user device recited in claim 2, wherein the identifier is the first application credential.
  - 4. The end-user device recited in claim 1, wherein determine that the first application program is initiating attempting initiate communication over the first wireless access network comprises:
    - identify a first-application data flow, the first-application data flow comprising one or more related data transfers or attempted data transfers associated with the first application program,assign a flow tag to the first-application data flow, the flow tag comprising a traffic flow identifier,monitor a first wireless access network service usage or attempted service usage associated with the flow tag, the steps-of identify, assign and monitor occurring in any order, andafter identifying the first-application data flow, apply the first policy to the first wireless access network service usage or attempted service usage associated with the flow tag.
  - 5. The end-user device recited in claim 1, wherein at least one of the one or more device agents is associated with an installed-agent credential, and further comprising an agent-updating agent configured to:
    - detect an attempted installation of agent-updating software on the end-user device, the agent-updating software purporting to be a modification, update, or replacement of the at least one of the one or more device agents,obtain an agent-software-update credential associated with the agent-updating software,obtain the installed-agent credential, andallow the agent-updating software to be installed on the end-user device if the agent-software-update credential matches the installed-agent credential.
  - 6. The end-user device recited in claim 5, wherein the at least one of the one or more device agents comprises kernel software, framework software, or application software.
  - 7. The end-user device recited in claim 5, wherein the installed-agent credential comprises a signature, a certificate, or a hash result.
  - 8. The end-user device recited in claim 1, further comprising a verification agent configured to determine that a hosts file is present on the end-user device and is configured in an expected manner.
  - 9. The end-user device recited in claim 1, further comprising a verification agent configured to determine that a service processor on the end-user device completed an authentication procedure with a network element communicatively coupled to the end-user device over the first wireless access network.
  - 10. The end-user device recited in claim 1, wherein the one or more device agents are further configured to determine that the end-user device has been rooted.
  - 11. The end-user device recited in claim 1, wherein the first policy is configured to assist in controlling transmissions or receptions over the first wireless access network associated with the first application program.
  - 12. The end-user device recited in claim 1, wherein the first policy is configured to assist in accounting for transmissions or receptions over the first wireless access network associated with the first application program.
  - 13. The end-user device recited in claim 1, further comprising a user interface, and wherein the first policy is configured to assist in presenting, through the user interface, a notification message.
  - 14. The end-user device recited in claim 13, wherein the notification message comprises an indication of an amount or cost of data usage associated with the first application program.
  - 15. The end-user device recited in claim 13, wherein the notification message comprises an indication of an amount or cost of data usage associated with the first application program during a particular period of time.
  - 16. The end-user device recited in claim 15, wherein the particular period of time is configured to be selected by a user of the device.
  - 17. The end-user device recited in claim 13, wherein the notification message comprises an indication of an amount or cost of background data usage associated with the first application program.
  - 18. The end-user device recited in claim 10, wherein the one or more device agents are further configured to generate a fraud alert.
  - 19. The end-user device recited in claim 10, wherein the verification agent is further configured to restrict access to the first wireless access network by the end-user device based on the determination that the end-user device has been rooted.
  - 20. The end-user device recited in claim 19, wherein restrict access to the first wireless access network by the end-user device comprises block, delay, or rate-limit one or more end-user device communications over the first wireless access network.
  - 21. The end-user device recited in claim 19, wherein restrict access to the first wireless access network by the end-user device comprises quarantine the end-user device.
  - 22. The end-user device recited in claim 10, wherein the one or more device agents are further configured to assist in providing, to a user, a notification based on the determination that the end-user device has been rooted.
  - 23. The end-user device recited in claim 10, wherein the one or more device agents are further configured to assist in sending a message to a network element based on the determination that the end-user device has been rooted.
  - 24. The end-user device recited in claim 11, wherein controlling transmissions or receptions over the first wireless access network associated with the first application program comprises imposing a cap on a usage amount.
  - 25. The end-user device recited in claim 11, wherein controlling transmissions or receptions over the first wireless access network associated with the first application program comprises controlling a background activity.
  - 26. The end-user device recited in claim 1, wherein the first policy is based on a type of the first wireless access network.
  - 27. The end-user device recited in claim 26, wherein the type of the first wireless access network is home, roaming, wireless fidelity (WiFi), or cellular.
  - 28. The end-user device recited in claim 11, wherein assist in controlling transmissions or receptions over the first wireless access network associated with the first application program comprises interact with the first application program to arrange a setting of the first application program, the setting of the first application program configured to assist in applying the first policy.
  - 29. The end-user device recited in claim 28, wherein the setting of the first application program assists the first application program in allowing, blocking, throttling, or rate-limiting traffic associated with the first application program.
  - 30. The end-user device recited in claim 28, wherein the setting of the first application program assists the first application program in controlling background traffic associated with the first application program.
  - 31. The end-user device recited in claim 11, wherein controlling transmissions or receptions over the first wireless access network associated with the first application program comprises allowing, blocking, throttling, or rate-limiting communications associated with the first application program over the first wireless access network.
  - 32. The end-user device recited in claim 11, wherein controlling transmissions or receptions over the first wireless access network associated with the first application program comprises controlling background communications associated with the first application program over the first wireless access network.
  - 33. The end-user device recited in claim 1, wherein the first policy is configured to assist in determining that the end-user device has been rooted.
  - 34. The end-user device recited in claim 33, wherein the first policy is further configured to assist the end-user device in sending a message to a network element based on determining that the end-user device has been rooted.
  - 35. The end-user device recited in claim 33, wherein the first policy is further configured to assist the end-user device in providing, to a user, a notification based on determining that the end-user device has been rooted.
  - 36. The end-user device recited in claim 1, wherein the first policy is configured to assist in determining that the end-user device is tethering.
  - 37. The end-user device recited in claim 1, wherein the first policy is configured to assist the end-user device in sharing an access network connection with other devices.
  - 38. The end-user device recited in claim 1, wherein the first policy is configured to assist in determining the integrity of a software component on the end-user device.
  - 39. The end-user device recited in claim 38, wherein the software component comprises a kernel, a library, an executable file, a machine-readable instruction, a script, or a service processor.
  - 40. The end-user device recited in claim 38, wherein the software component is the first application program.
  - 41. The end-user device recited in claim 38, wherein the first policy is further configured to assist in taking an action based on determining that the software component has been compromised.
  - 42. The end-user device recited in claim 41, wherein the action comprises restricting an ability of the software component to communicate over the first wireless access network.
  - 43. The end-user device recited in claim 41, wherein the action comprises notifying a user of the end-user device, notifying a network administrator, applying a control policy to one or more attempted or successful communications associated with the software component, preventing a user from accessing the software component, preventing the software component from executing, or terminating the software component.
  - 44. The end-user device recited in claim 43, wherein the software component is the first application program.
  - 45. The end-user device recited in claim 38, wherein the one or more device agents are further configured to send a report to a network element, the report comprising information about the integrity of the software component.
  - 46. The end-user device recited in claim 1, wherein the one or more device agents are further configured to send a message to a network element.
  - 47. The end-user device recited in claim 46, wherein the message comprises information associated with the first policy.
  - 48. The end-user device recited in claim 46, wherein the message comprises information about at least one of the one or more device agents.
  - 49. The end-user device recited in claim 46, wherein the message comprises information about a status or a configuration of at least one of the one or more device agents.
  - 50. The end-user device recited in claim 46, wherein the message comprises information about an operation of at least one of the one or more device agents.
  - 51. The end-user device recited in claim 46, wherein the message comprises information about an installation status of an operating system or an operating system component.
  - 52. The end-user device recited in claim 46, wherein the message comprises information about an installation status of the first application program or another application program.
  - 53. The end-user device recited in claim 46, wherein the message comprises information about a communication between a first agent of the one or more device agents and a second agent of the one or more device agents.
  - 54. The end-user device recited in claim 46, wherein the message comprises information about an attempted or successful memory access.
  - 55. The end-user device recited in claim 46, wherein the message comprises information about an attempted or successful network access.
  - 56. The end-user device recited in claim 46, wherein the message comprises information about an attempted or successful software download.
  - 57. The end-user device recited in claim 46, wherein the message comprises information about a software removal.
  - 58. The end-user device recited in claim 46, wherein the message comprises information about an error condition.
  - 59. The end-user device recited in claim 46, wherein the message comprises an agent identifier, a secure identifier, or a hash.
  - 60. The end-user device recited in claim 46, wherein the message comprises encrypted, signed, or secured information.
  - 61. The end-user device recited in claim 1, wherein the first wireless access network is a cellular network, a roaming network, or a wireless fidelity (WiFi) network.
  - 62. The end-user device recited in claim 1, wherein the first application credential comprises a name identifier, a signature, a certificate, a key, a password, a shared secret, a shared algorithm, or a hash.
  - 63. The end-user device recited in claim 1, wherein the update-software credential comprises a name identifier, a signature, a certificate, a key, a password, a shared secret, a shared algorithm, or a hash.
  - 64. The end-user device recited in claim 1, wherein, when the update-software credential matches the first application credential, the one or more device agents are further configured to notify a network element of the modification, update, or replacement of the first application software.
  - 65. The end-user device recited in claim 1, wherein the one or more device agents are further configured to prevent the update software from being installed on the end-user device when the update-software credential does not match the first application credential.
  - 66. The end-user device recited in claim 1, wherein the one or more device agents are further configured to take a fraud action when the update-software credential does not match the first application credential.
  - 67. The end-user device recited in claim 66, wherein the fraud action comprises restricting access by the end-user device to the first wireless access network, restricting access by the first application to the first wireless access network, notifying a user of the end-user device, notifying a network administrator, notifying a network element, applying a pre-determined billing rate for a service usage associated with the end-user device, or applying a pre-determined billing rate for a service usage associated with the first application.
  - 68. The end-user device recited in claim 1, wherein the one or more device agents are further configured to:
    - determine that the first application program intends to initiate or has initiated execution,obtain a run-time application credential associated with the first application program, andbased on an indication that the run-time application credential does not match a known-application credential, initiate a fraud action.
  - 69. The end-user device recited in claim 68, wherein the fraud action comprises restrict access to the first wireless access network associated with the first application program.
  - 70. The end-user device recited in claim 68, wherein the fraud action comprises restrict access to the first wireless access network by the end-user device.
  - 71. The end-user device recited in claim 68, wherein the fraud action comprises notify a user, an administrator, or a network element.
  - 72. The end-user device recited in claim 68, wherein the fraud action comprises prevent a user from accessing the first application program.
  - 73. The end-user device recited in claim 68, wherein the fraud action comprises terminate the first application program.
  - 74. The end-user device recited in claim 68, wherein the one or more device agents are further configured to obtain the known-application credential from a trusted source.
  - 75. The end-user device recited in claim 74, wherein the trusted source is a network element, a marketplace, an app store, an application author, a distributor, or a reseller.
  - 76. The end-user device recited in claim 68, wherein the one or more device agents are further configured to determine, based on information stored in the end-user device, the indication that the run-time application credential does not match the known-application credential.
  - 77. The end-user device recited in claim 1, wherein the one or more device agents are further configured to:
    - generate a first record comprising information about an attempted or successful usage of the first wireless access network associated with the first application program, andassist in sending the first usage record to a network element.
  - 78. The end-user device recited in claim 77, wherein sending the usage record to a network element comprises sending the usage record to the network element using a secure protocol.
  - 79. The end-user device recited in claim 77, wherein the one or more device agents are further configured to:
    - generate a second usage record comprising a second measure of usage of the first wireless access network associated with the first application program, andassist in sending the second usage record to the network element.
  - 80. The end-user device recited in claim 77, wherein the one or more device agents are further configured to:
    - determine an error condition based on the first usage record, andbased on the determination of the error condition, restrict access by the end-user device over the first wireless access network to one or more network destinations or functions.
  - 81. The end-user device recited in claim 77, wherein the one or more device agents are further configured to:
    - obtain an indication of an error condition from a network element, the error condition having been determined based on the first usage record, andbased on the obtained indication of the error condition, restrict access by the end-user device over the first wireless access network to one or more network destinations or functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Headwater Research LLC (Greg Raleigh)
Original Assignee
Headwater Partners I LLC (Greg Raleigh)
Inventors
Raleigh, Gregory G., Green, Jeffrey, Lavine, James
Primary Examiner(s)
RUDY, ANDREW J

Application Number

US13/309,463
Publication Number

US 20120167162A1
Time in Patent Office

971 Days
Field of Search

455/67.11, 455/414.1, 455/456.1, 455/456.2, 455/456.3, 455/556.1, 455/556.2, 455/557, 340/949, 726/1, 709/224, 709/225
US Class Current

726/1
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 12/14   Charging , metering or bill...

H04L 41/046   comprising network manageme...

H04L 41/082   the condition being updates...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/5003   Managing SLA; Interaction b...

H04L 41/5025   by proactively reacting to ...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/34   involving the movement of s...

H04M 15/00   Arrangements for metering, ...

H04M 15/58   based on statistics of usag...

H04M 2215/0188   Network monitoring; statist...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 12/088   using filters or firewalls

H04W 12/128   Anti-malware arrangements, ...

H04W 4/24 : Accounting or billing

H04W 4/50 : Service provisioning or rec...

View All

Security, fraud detection, and fraud mitigation in device-assisted services systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

937 Citations

81 Claims

Specification

Solutions

Use Cases

Quick Links

Security, fraud detection, and fraud mitigation in device-assisted services systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

937 Citations

81 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links