Two-stage anonymization of mobile network subscriber personal information

US 8,862,880 B2
Filed: 09/23/2011
Issued: 10/14/2014
Est. Priority Date: 09/23/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A device for processing the anonymizing identifier associated with a user of a network comprising:

a network probe;

a memory; and

a computer processor in communication with the memory, the processor executes a program stored on said memory to perform the steps of;

tapping traffic traversing a portion of the network to collect session data;

extracting the identifier wherein the identifier is one of mobile station international subscriber directory number (MSISDN), international mobile equipment identity (IMEI), or international mobile subscriber identity (IMSI) from the tapped traffic;

applying by the network probe a cryptographic hash function Hash-based Message Authentication Code-Secure Hash Algorithm 1 (HMAC-SHA1) at least once to the extracted identifier to generate an anonymized subscriber identifier (ASI);

applying twice in succession the HMAC-SHA1 to the MSISDN, IMEI, or IMSI respectively using two separate keysinserting the ASI into the session data; and

sending the session data with inserted ASI to a network intelligence solution (NIS);

generating random subscriber identifier (RSI) using random generator;

enabling the NIS to associate the ASI to a strictly random subscriber identifier (RSI); and

storing the associated ASI and RSI in a lookup table.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A two-stage anonymization process is applied to monitored network traffic in which unique user identifiers, such as the MSISDN (Mobile Station International Subscriber Directory Number), are extracted from the traffic and anonymized to generate an ASI (anonymized subscriber identifier). A strictly random RSI (random subscriber identifier) is generated and used to replace the ASI. The RSI is generated upon a first occurrence of an ASI and stored in a lookup table for utilization upon subsequent ASI occurrences. Use of the strictly random RSI enables various studies and analysis of user behavior to be performed at a heightened level of privacy protection as compared with conventional anonymization schemes that do not utilize strictly random identifiers.

Citations

15 Claims

1. A device for processing the anonymizing identifier associated with a user of a network comprising:
- a network probe;
  
  a memory; and
  
  a computer processor in communication with the memory, the processor executes a program stored on said memory to perform the steps of;
  
  tapping traffic traversing a portion of the network to collect session data;
  
  extracting the identifier wherein the identifier is one of mobile station international subscriber directory number (MSISDN), international mobile equipment identity (IMEI), or international mobile subscriber identity (IMSI) from the tapped traffic;
  
  applying by the network probe a cryptographic hash function Hash-based Message Authentication Code-Secure Hash Algorithm 1 (HMAC-SHA1) at least once to the extracted identifier to generate an anonymized subscriber identifier (ASI);
  
  applying twice in succession the HMAC-SHA1 to the MSISDN, IMEI, or IMSI respectively using two separate keysinserting the ASI into the session data; and
  
  sending the session data with inserted ASI to a network intelligence solution (NIS);
  
  generating random subscriber identifier (RSI) using random generator;
  
  enabling the NIS to associate the ASI to a strictly random subscriber identifier (RSI); and
  
  storing the associated ASI and RSI in a lookup table.
- View Dependent Claims (2)
- - 2. The computer-implemented method of claim 1 in which the network is a general packet radio service (GPRS) mobile network and the session data is general packet radio service tunneling protocol (GTP) session data.

3. One or more non-transitory computer-readable storage media storing instructions which, when executed by one or more processors disposed in an electronic device, perform a method for generating a strictly random identifier for a user of a communications network, the method comprising the steps of:
- receiving, at a network intelligence solution (NIS), an anonymized subscriber identifier (ASI) generated at a network probe by applying twice of one or more cryptographic hash functions HMAC-SHA1 to a unique identifier associated with the user, the unique identifier being extracted from traffic traversing the network, and the ASI received as part of session data sent from the network probe to the NIS;
  
  generating a strictly random subscriber identifier (RSI) responsively to the received ASI in the session data;
  
  storing an association between the received ASI and generated RSI in a lookup table; and
  
  retrieving the RSI from the lookup table upon a subsequent receipt of the ASI at the NISassigning a time-to-live (TTL) to the RSI and deleting the association between the ASI and RSI in the lookup table when the TTL value is exceeded;
  
  assigning an aging threshold to the ASI and deleting the ASI from the lookup table when the threshold is exceeded.
- View Dependent Claims (4, 5, 6, 7)
- - 4. The one or more non-transitory computer-readable storage media of claim 3 in which the communications network is a mobile communications network and the unique identifier is associated with mobile equipment utilized by the user to access the mobile communications network, the mobile equipment comprising one of mobile phone, e-mail appliance, smart phone, non-smart phone, machine to machine (M2M) equipment, personal digital assistants (PDA), personal computers (PC), ultra-mobile PC, tablet device, tablet PC, handheld game device, digital media player, digital camera, global positioning system (GPS) navigation device, pager, wireless data card, wireless dongle, wireless modem, or device which combines one or more features thereof.
  - 5. The one or more non-transitory computer-readable storage media of claim 3 in which the NIS performs deep packet inspection of traffic flowing between mobile equipment utilized by the user and Internet-based servers.
  - 6. The one or more non-transitory computer-readable storage media of claim 3 in which the method further includes a step of exposing a management interface to enable the TTL value to be specified by an administrator.
  - 7. The one or more non-transitory computer-readable storage media of claim 6 in which the method further includes a step of exposing a management interface to enable a value of the threshold to be specified by an administrator.

8. A computer-implemented method for anonymizing indirect personally identifiable information (PII) associated with a subscriber to a mobile communications network using a two-stage anonymization process, the method comprising the steps of:
- inserting a probe at a node of the mobile communications network to tap general packet radio service tunneling protocol (GTP) traffic;
  
  extracting a unique identifier from the traffic that exposes the subscriber PII;
  
  applying twice in a first stage of the two-stage anonymization process, a cryptographic hash HMAC-SHA1 at least once at the probe to the extracted unique identifier to generate an anonymized subscriber identifier (ASI);
  
  sending the generated ASI in GTP session data to a network intelligence solution (NIS) that is operatively coupled to the probe;
  
  repeating the steps of extracting, applying, and sending, until a succession of ASIs is sent from the probe to the NIS;
  
  generating in a second stage of the two-stage anonymization process, a random subscriber identifier (RSI) at the NIS responsively to an initial occurrence of an ASI where the RSI is strictly random;
  
  storing the ASI and RSI as an associated pair in a lookup table;
  
  assigning a time-to-live (TTL) to the RSI;
  
  upon receipt of a subsequent occurrence of the ASI,persisting the RSI from the lookup table if the TTL is not expired, otherwise generating a new RSI; and
  
  writing the RSI to a file to support analyses of subscriber behavior or Internet usage using the GTP session data.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computer-implemented method of claim 8 in which the node is a gateway GPRS support node.
  - 10. The computer-implemented method of claim 8 in which the RSI generating is performed using a collision-free random code generator.
  - 11. The computer-implemented method of claim 8 further including a step of periodically storing the lookup table as an encrypted file in non-volatile memory.
  - 12. The computer-implemented method of claim 8 further including a step of loading the lookup table from non-volatile memory upon startup or restart of a system on which the computer-implemented method executes.
  - 13. The computer-implemented method of claim 8 further including a step of exposing tools through a management interface for controlling parameters used by the two-stage anonymization process.
  - 14. The computer-implemented method of claim 13 in which the tools facilitate control of at least one of resetting the RSI including specification of a value for the TTL, cleaning up the lookup table, saving the lookup table to encrypted storage, process monitoring, or process logging.
  - 15. The computer-implemented method of claim 13 in which the management interface is instantiated locally with the NIS or remotely located from the NIS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gfk Holding, Inc. (Nielsen Holdings plc)
Original Assignee
Gfk Holding, Inc. (Nielsen Holdings plc)
Inventors
Combet, Jacques, LeMaitre, Yves-Marie, Kivi, Antero
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US13/241,968
Publication Number

US 20130080774A1
Time in Patent Office

1,117 Days
Field of Search

713/154, 713/168, 726/13, 380/44
US Class Current

713/168
CPC Class Codes

H04L 63/0421   Anonymous communication, i....

H04L 63/30   for supporting lawful inter...

H04W 12/02   Protecting privacy or anony...

H04W 12/72   Subscriber identity

H04W 8/26   Network addressing or numbe...

Two-stage anonymization of mobile network subscriber personal information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Two-stage anonymization of mobile network subscriber personal information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links