End user device that secures an association of application to service policy with an application certificate check
First Claim
1. An end user device, comprising:
one or more modems configured to connect to one or more access networks, the one or more access networks including at least a first access network;
memory configured to store:
a first application program, a first service policy associated with the first application program, the first service policy comprising one or more agent instructions to be implemented when the first application program initiates or attempts to initiate communication over the first access network, and a first application credential, the first application credential associated with the first application program; and
one or more agents configured to:
implement the one or more agent instructions when the first application program initiates or attempts to initiate communication over the first access network, and utilize at least a portion of the first application credential to perform a first application configuration check, and if the first application configuration check does not pass, take an action.
Abstract
Network service provisioning is described. Network service provisioning to a device includes a mechanism for ensuring that network services are available based upon one or more of appropriate traffic control, billing, and notification policies. Ensuring that the policies are properly enforced on a device is a focus of this paper. The enforcement policies can be on the device or in the network.
110 Claims
1. An end user device, comprising:
one or more modems configured to connect to one or more access networks, the one or more access networks including at least a first access network; memory configured to store: a first application program, a first service policy associated with the first application program, the first service policy comprising one or more agent instructions to be implemented when the first application program initiates or attempts to initiate communication over the first access network, and a first application credential, the first application credential associated with the first application program; and one or more agents configured to: implement the one or more agent instructions when the first application program initiates or attempts to initiate communication over the first access network, and utilize at least a portion of the first application credential to perform a first application configuration check, and if the first application configuration check does not pass, take an action.
2. The end user device recited in claim 1, wherein the first service policy comprises:
a control policy for controlling at least an aspect of access network communication activity associated with the first application program, an accounting policy for determining a measure of access network communication activity associated with the first application program, a notification policy for providing a user notification to a user interface of the end user device, or a combination of these.
3. The end user device recited in claim 2, further comprising a user interface, and wherein the one or more agents are further configured to assist in obtaining a user input through the user interface, and wherein at least a portion of the one or more agent instructions is based at least in part on the user input.
4. The end user device recited in claim 3, wherein the user input comprises a user election not to allow communication associated with the first application program over the first access network when the first application program is operating in a background mode, the background mode being effective when the first application program is not selected by a user of the end user device to:
occupy a foreground of the user interface, or accept user interface input to enable interaction with a user.
5. The end user device recited in claim 1, wherein the one or more modems are further configured to connect to a second access network of the one or more access networks, and wherein the one or more device agents are configured to:
determine that the end user device is connected to the second access network, and based on the determination that the end user device is connected to the second access network, refrain from implementing the one or more agent instructions.
6. The end user device recited in claim 1, further comprising a user interface, and wherein the one or more agents are further configured to:
present one or more service policy configuration options through the user interface, obtain a user input identifying at least one of the one or more service policy configuration options, and determine at least an aspect of the first service policy based on the user input.
7. The end user device recited in claim 6, wherein the user input comprises a user election to restrict communication over the first access network.
8. The end user device recited in claim 6, wherein the user input comprises a user election to establish a set of one or more allowances for communication associated with the first application program over the first access network.
9. The end user device recited in claim 6, wherein the user input comprises a user election to prevent communication associated with the first application program over the first access network.
10. The end user device recited in claim 6, wherein the user input comprises a user election to allow communication associated with the first application program over the first access network.
11. The end user device recited in claim 6, wherein the one or more access networks include a second access network, and wherein the user input comprises a user election to prevent or restrict communication associated with the first application program over the second access network.
12. The end user device recited in claim 6, wherein the one or more access networks include a second access network, and wherein the user input comprises a user election to allow communication associated with the first application program over the second access network.
13. The end user device recited in claim 6, wherein the user input comprises a user election to limit communication associated with the first application program over the first access network to a set of one or more network resources or destinations.
14. The end user device recited in claim 6, wherein the user input comprises an allowance for first-application-program communication with a set of one or more network resources or destinations over the first access network.
15. The end user device recited in claim 6, wherein the user input comprises a limit on a quality of service level for communication associated with the first application program over the first access network.
16. The end user device recited in claim 6, wherein the user input comprises an allowed quality of service level for communication associated with the first application program over the first access network.
17. The end user device recited in claim 6, wherein the user input comprises a user election to limit or prevent a background communication associated with the first application program over the first access network.
18. The end user device recited in claim 6, wherein the user input comprises a user election to allow a background communication associated with the first application program over the first access network.
19. The end user device recited in claim 6, wherein the user input comprises a limit on an amount of service usage associated with the first application program over the first access network.
20. The end user device recited in claim 6, wherein the user input comprises an allowance for an amount of service usage associated with the first application program over the first access network.
21. The end user device recited in claim 6, wherein the user input comprises a user election not to allow communication associated with the first application program over the first access network when the first application program is operating in a background mode, the background mode being effective when the first application program is not selected by a user of the end user device to:
occupy a foreground of the user interface, or accept user interface input to enable interaction with a user.
22. The end user device recited in claim 1, wherein the one or more agents are configured to implement the one or more agent instructions before utilizing the at least a portion of the information about the first application credential to perform the first application configuration check.
23. The end user device recited in claim 1, wherein the one or more agents are further configured to obtain at least an aspect of the first service policy from a network element communicatively coupled to the end user device over at least one of the one or more access networks.
24. The end user device recited in claim 23, wherein the at least an aspect of the first service policy comprises at least a portion of the one or more agent instructions, and wherein the at least a portion of the one or more agent instructions assists the one or more agents to restrict communication associated with the first application program over the first access network.
25. The end user device recited in claim 24, wherein restrict communication associated with the first application program over the first access network comprises prevent communication associated with the first application program over the first access network.
26. The end user device recited in claim 24, further comprising a user interface, and wherein restrict communication associated with the first application program over the first access network comprises prevent communication associated with the first application program over the first access network when the first application program is operating in a background mode, the background mode being effective when the first application program is not selected by a user of the end user device to:
occupy a foreground of the user interface, and accept user interface input to enable interaction with the user.
27. The end user device recited in claim 6, wherein the user input comprises at least a portion of the one or more device agent instructions.
28. The end user device recited in claim 1, wherein the first application program comprises a user software program, an operating system software program, an operating system software component, an operating system function, a device firmware component, or a device system function.
29. The end user device recited in claim 1, wherein the first application credential comprises a configuration authentication certificate.
30. The end user device recited in claim 1, wherein the one or more agents are further configured to obtain at least a portion of the first application credential from a network element.
31. The end user device recited in claim 1, wherein the one or more agents are further configured to:
identify when a candidate application program initiates or attempts to initiate communication over the first access network, provide, to a network element, at least a portion of a candidate application program credential associated with the candidate application program, and receive, from the network element, information instructing the one or more agents to associate the first service policy with the candidate application program.
32. The end user device recited in claim 1, wherein the one or more agents are further configured to:
identify when a candidate application program initiates or attempts to initiate communication over the first access network, provide, to a network element, at least a portion of a candidate application program credential associated with the candidate application program, receive, from the network element, first application credential information, and associate the first application credential information with the candidate application program.
33. The end user device recited in claim 1, wherein utilize at least a portion of the first application credential to perform a first application credential check comprises compare the at least a portion of the first application credential to a candidate application configuration that is associated with an application identifier.
34. The end user device recited in claim 1, wherein utilize at least a portion of the first application credential to perform a first application credential check comprises:
provide information about a candidate application configuration to a network element, and receive from the network element a credential check result.
35. The end user device recited in claim 1, wherein utilize at least a portion of the first application credential to perform a first application credential check comprises determine whether a candidate modification or update to the first application program is consistent with the first application credential, and wherein take an action comprises do not allow the candidate modification or update to the first application program to modify or update the first application program.
36. The end user device recited in claim 1, wherein utilize at least a portion of the first application credential to perform a first application credential check comprises determine whether a candidate application program is consistent with the first application credential, the candidate application program being associated with an application identifier that is known to be associated with the first application program.
37. The end user device recited in claim 36, wherein take an action comprises signal a configuration error condition.
38. The end user device recited in claim 36, wherein take an action comprises do not apply the first service policy when the candidate application program initiates or attempts to initiate communication over the first access network.
39. The end user device recited in claim 36, wherein take an action comprises restrict communication associated with the candidate application program over the first access network.
40. The end user device recited in claim 36, wherein take an action comprises restrict communication associated with the end user device over the first access network.
41. The end user device recited in claim 37, wherein signal a configuration error condition comprises communicate the configuration error condition to a user interface.
42. The end user device recited in claim 1, wherein the one or more agents are further configured to mitigate tampering with the one or more agent instructions by storing at least a portion of the one or more agent instructions in a software environment that is protected from modification by user application software.
43. The end user device recited in claim 1, wherein the one or more agents are further configured to mitigate tampering with the one or more agent instructions by including at least a portion of the one or more agent instructions in an operating system configuration that is confirmed by a secure operating system configuration credential.
44. The end user device recited in claim 43, wherein the secure operating system configuration credential comprises a configuration authentication certificate, a software security certificate, a software security signature, or a software security hash.
45. The end user device recited in claim 1, further comprising a user interface, and wherein the first service policy assists the one or more agents to:
obtain a measure of communication associated with the first application program, and assist in presenting a notification through the user interface, the notification comprising information about the measure of communication associated with the first application program.
46. The end user device recited in claim 45, wherein the measure of communication associated with the first application program is a measure of service usage over the first access network associated with the first application program.
47. The end user device recited in claim 1, wherein the first service policy assists the one or more agents to:
obtain a measure of communication associated with the first application program, and provide the measure of communication associated with the first application program to a network element.
48. The end user device recited in claim 47, wherein the measure of communication associated with the first application program is a measure of service usage over the first access network associated with the first application program.
49. The end user device recited in claim 45, wherein the notification indicates that a service usage limit has been reached.
50. The end user device recited in claim 49, wherein the one or more agents are further configured to: obtain an indication of the service usage limit through the user interface.
51. The end user device recited in claim 49, wherein the one or more agents are further configured to: obtain an indication of the service usage limit from a network element.
52. The end user device recited in claim 1, wherein the one or more agents are further configured to provide a first service policy indication or setting to the first application program through an application interface, the first service policy indication or setting enabling the first application program to implement at least an aspect of the first service policy.
53. The end user device recited in claim 1, wherein implement the one or more agent instructions when the first application program initiates or attempts to initiate communication over the first access network comprises provide a first service policy indication or setting to the first application program through an application interface, the first service policy indication or setting enabling the first application program to implement at least an aspect of the first service policy.
54. The end user device recited in claim 1, wherein the one or more agents are configured to utilize the at least a portion of the information about the first application credential to perform the first application configuration check before implementing the one or more agent instructions.
55. The end user device recited in claim 1, wherein the first application credential comprises an application identifier.
56. The end user device recited in claim 36, wherein the one or more agents are configured to determine whether the candidate application program is consistent with the first application credential before the candidate application program is used to load, update, or modify a stored version of the first application program.
57. The end user device recited in claim 36, wherein the one or more agents are configured to determine whether the candidate application program is consistent with the first application credential before the candidate application program is invoked or executed.
58. The end user device recited in claim 36, wherein the one or more agents are configured to determine whether the candidate application program is consistent with the first application credential during an audit of a version of the candidate application program that is stored in long term memory, short term memory, or execution memory.
59. The end user device recited in claim 36, wherein the one or more agents are configured to determine whether the candidate application program is consistent with the first application credential while the candidate application program is running.
60. The end user device recited in claim 1, further comprising a user interface, and wherein the one or more agents are further configured to control a placement of a first application launch icon within a user interface display environment of the user interface, the first application launch icon for invoking, running, or bringing to a foreground of the user interface the first application program when the first application launch icon is selected or acted on by a user of the end user device.
61. The end user device recited in claim 1, wherein the one or more agent instructions assist the one or more agents to control an aspect of a traffic path utilized for communication associated with the first application program over the first access network.
62. The end user device recited in claim 61, wherein the traffic path directs communication over the first access network to a network element that assists in implementing an aspect of a network-based policy for processing communication associated with one or more device applications over the first access network, the one or more device applications including the first application program.
63. The end user device recited in claim 61, wherein control an aspect of the traffic path utilized for communication associated with the first application program over the first access network comprises:
identify and direct the communication associated with the first application program to the traffic path, identify and route the communication associated with the first application program to the traffic path, identify and tunnel the communication associated with the first application program to the traffic path, or a combination of these.
64. The end user device recited in claim 61, wherein the traffic path is identified by an access point name identifier.
65. The end user device recited in claim 64, wherein the traffic path is configured to operate in accordance with an access point name traffic protocol.
66. The end user device recited in claim 65, wherein the access point name traffic protocol is the GPRS tunneling protocol.
67. The end user device recited in claim 65, wherein the access point name traffic protocol comprises a packet data context protocol.
68. The end user device recited in claim 65, wherein the access point name traffic protocol comprises an access point resolution protocol associating network activity associated with the access point name with a network address for a network server or gateway that processes the network activity associated with the access point name.
69. The end user device recited in claim 61, wherein the one or more agents are further configured to obtain at least a portion of the one or more agent instructions from a network element.
70. The end user device recited in claim 64, wherein the traffic path is serviced by an access point name traffic path server that assists in implementing an aspect of a network-based policy for processing communication associated with one or more device applications, the one or more device applications including the first application program.
71. The end user device recited in claim 61, wherein the one or more agents are further configured to:
store a mapping of an identifier for the first application program to an identifier for the traffic path utilized for communication associated with the first application program, identify one or more communications associated with the first application program, establish an association of the one or more communications associated with the first application program with the identifier for the first application program, and utilize the mapping of the identifier for the first application program to the identifier for the traffic path utilized for communication associated with the first application program to enable directing the one or more communications associated with the first application program to the traffic path utilized for communication associated with the first application program.
72. The end user device recited in claim 71, wherein the one or more agents are further configured to obtain information about the mapping of the identifier for the first application program to the identifier for the traffic path utilized for communication associated with the first application program from a network element.
73. The end user device recited in claim 71, wherein the one or more agents are further configured to obtain information about the mapping of the identifier for the first application program to the identifier for the traffic path utilized for communication associated with the first application program from a policy store.
74. The end user device recited in claim 61, wherein the one or more agents are further configured to provide an application interface configured to interact with the first application program to enable use of the traffic path for communication associated with the first application program over the first access network.
75. The end user device recited in claim 74, wherein interact with the first application program comprises arrange a setting in the first application program to enable use of the traffic path for communication associated with the first application.
76. The end user device recited in claim 74, wherein interact with the first application program comprises provide information about the traffic path to the first application program.
77. The end user device recited in claim 74, wherein interact with the first application program comprises process a traffic path request from the first application program.
78. The end user device recited in claim 74, wherein interact with the first application program comprises process a request for implementation of at least an aspect of the first service policy.
79. The end user device recited in claim 64, wherein the one or more agents are further configured to:
store a mapping of an identifier for the first application program to an identifier for the traffic path identified by the access point name identifier, identify one or more communications activity associated with the first application program, establish an association of the one or more communications associated with the first application program with the identifier for the first application program, and utilize the mapping of the identifier for the first application program to the identifier for the traffic path identified by the access point name identifier to enable directing of the one or more communications associated with the first application program to the traffic path identified by an access point name identifier.
80. The end user device recited in claim 1, wherein implement the one or more agent instructions when the first application program initiates or attempts to initiate communication over the first access network comprises:
identify a traffic flow comprising one or more related data transfers over the first access network, identify an association of the traffic flow with the first application program, assign a flow tag to the traffic flow, the flow tag comprising a traffic flow identifier that enables preservation of the association of the traffic flow with the first application program when the traffic flow is processed by one or more device communication functions that operate on the traffic flow, monitor a usage of the first access network associated with the flow tag, and implement the one or more agent instructions based on the flow tag.
81. The end user device recited in claim 1, wherein implement the one or more agent instructions when the first application program initiates or attempts to initiate communication over the first access network comprises:
identify a traffic flow comprising one or more related data transfers over the first access network, identify an association of the traffic flow with the first application program, assign a flow tag to the traffic flow, the flow tag comprising a traffic flow identifier that is added to the one or more related data transfers to enable a traffic processing element to identify the association of the traffic flow with the first application program.
82. The end user device recited in claim 81, wherein the traffic processing element is included in the configuration of the one or more agents.
83. The end user device recited in claim 81, wherein the traffic processing element is a network element.
84. The end user device recited in claim 1, wherein the first service policy assists in providing, to a sponsor entity, an accounting of communication associated with the first application program over the first access network, the sponsor entity being a party other than a user of the end user device, the sponsor entity subsidizing at least a portion of a usage of the first access network associated with the first application program.
85. The end user device recited in claim 84, wherein the accounting comprises a measure or a cost of the communication associated with the first application program over the first access network.
86. The end user device recited in claim 1, wherein the first application credential comprises a software security certificate.
87. The end user device recited in claim 1, wherein the first application credential comprises a software security signature.
88. The end user device recited in claim 1, wherein the first application credential comprises information about a software security hash.
89. The end user device recited in claim 33, wherein the application identifier is known to be associated with the first application program.
90. The end user device recited in claim 37, wherein signal a configuration error condition comprises communicate the configuration error condition to a network element.
91. The end user device recited in claim 52, wherein the first service policy indication or setting is based on a user input.
92. The end user device recited in claim 53, wherein the first service policy indication or setting is based on a user input.
93. The end user device recited in claim 60, wherein the placement of the first application launch icon is associated with a level of ease of discovery of the first application launch icon.
94. The end user device recited in claim 60, wherein the placement of the first application launch icon is associated with a level of user interface display prominence of the icon.
95. The end user device recited in claim 63, wherein the traffic path is identified by an access point name identifier.
96. The end user device recited in claim 3, wherein the user input comprises a user election to restrict communication over the first access network.
97. The end user device recited in claim 3, wherein the user input comprises a user election to establish a set of one or more allowances for communication associated with the first application program over the first access network.
98. The end user device recited in claim 3, wherein the user input comprises a user election to prevent communication associated with the first application program over the first access network.
99. The end user device recited in claim 3, wherein the user input comprises a user election to allow communication associated with the first application program over the first access network.
100. The end user device recited in claim 3, wherein the one or more access networks include a second access network, and wherein the user input comprises a user election to prevent or restrict communication associated with the first application program over the second access network.
101. The end user device recited in claim 3, wherein the one or more access networks include a second access network, and wherein the user input comprises a user election to allow communication associated with the first application program over the second access network.
102. The end user device recited in claim 3, wherein the user input comprises a user election to limit communication associated with the first application program over the first access network to a set of one or more network resources or destinations.
103. The end user device recited in claim 3, wherein the user input comprises an allowance for first-application-program communication with a set of one or more network resources or destinations over the first access network.
104. The end user device recited in claim 3, wherein the user input comprises a limit on a quality of service level for communication associated with the first application program over the first access network.
105. The end user device recited in claim 3, wherein the user input comprises an allowed quality of service level for communication associated with the first application program over the first access network.
106. The end user device recited in claim 3, wherein the user input restriction comprises a user election to limit or prevent a background communication associated with the first application program over the first access network.
107. The end user device recited in claim 3, wherein the user input comprises a user election to allow a background communication associated with the first application program over the first access network.
108. The end user device recited in claim 3, wherein the user input comprises a limit on an amount of service usage associated with the first application program over the first access network.
109. The end user device recited in claim 3, wherein the user input comprises an allowance for an amount of service usage associated with the first application program over the first access network.
110. The end user device recited in claim 1, wherein the action is to initiate a notification.
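The following Python sketch is an added illustration, not code from the patent or from Headwater, of the device-side behaviour the claims above describe: a stored service policy is bound to an application through an application credential (here a SHA-256 hash of the application image, the hash form of claim 88), the agent performs the configuration check when the application attempts to communicate over the first access network, refrains from enforcing on a second access network (claim 5), and on a failed check signals a configuration error and restricts the candidate application (claims 37 and 39). The background-mode election, destination allowance and usage limit with notification correspond to claims 4, 13, 19 and 49. All class and method names, the network labels and the sample image bytes are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServicePolicy:
    """Per-application policy for one access network (hypothetical structure)."""
    network: str                                  # the "first access network" it governs
    allow_background: bool = True                 # claim 4 election
    usage_limit_bytes: Optional[int] = None       # claim 19 limit, None = unlimited
    allowed_destinations: Optional[frozenset] = None  # claim 13 allowance, None = any


@dataclass
class AppRecord:
    app_id: str
    credential: str        # hex SHA-256 of the trusted application image
    policy: ServicePolicy


def app_credential(image: bytes) -> str:
    """Derive the hash-form application credential from an application image."""
    return hashlib.sha256(image).hexdigest()


class PolicyAgent:
    """Device agent: enforces the policy only after the credential check passes."""

    def __init__(self) -> None:
        self.records = {}   # app_id -> AppRecord
        self.usage = {}     # app_id -> bytes counted on the governed network
        self.events = []    # signalled conditions (configuration errors, notifications)

    def register(self, app_id: str, trusted_image: bytes, policy: ServicePolicy) -> None:
        self.records[app_id] = AppRecord(app_id, app_credential(trusted_image), policy)
        self.usage[app_id] = 0

    def configuration_check(self, app_id: str, candidate_image: bytes) -> bool:
        """Compare the stored credential against the candidate application (claim 36)."""
        rec = self.records[app_id]
        # constant-time comparison so the check itself leaks nothing about the credential
        return hmac.compare_digest(rec.credential, app_credential(candidate_image))

    def on_communication(self, app_id: str, candidate_image: bytes, network: str,
                         destination: str, nbytes: int, background: bool = False) -> str:
        """Decide on an attempted communication; returns 'allow' or a 'deny:<reason>'."""
        rec = self.records.get(app_id)
        if rec is None:
            return "allow"                       # no policy bound to this identifier
        if network != rec.policy.network:
            return "allow"                       # claim 5: refrain on a second access network
        if not self.configuration_check(app_id, candidate_image):
            self.events.append(f"config-error:{app_id}")   # claim 37: signal error
            return "deny:credential"                        # claim 39: restrict candidate app
        pol = rec.policy
        if background and not pol.allow_background:
            return "deny:background"
        if pol.allowed_destinations is not None and destination not in pol.allowed_destinations:
            return "deny:destination"
        if pol.usage_limit_bytes is not None and self.usage[app_id] + nbytes > pol.usage_limit_bytes:
            self.events.append(f"usage-limit:{app_id}")     # claim 49: limit-reached notification
            return "deny:usage-limit"
        self.usage[app_id] += nbytes
        return "allow"


def demo() -> dict:
    """Run the agent over a constructed sample application and attempts."""
    agent = PolicyAgent()
    image = b"constructed-sample-app-image-v1"   # constructed stand-in for an installed binary
    agent.register("com.example.app", image, ServicePolicy(
        network="cellular", allow_background=False, usage_limit_bytes=1000,
        allowed_destinations=frozenset({"api.example.test"})))
    app = "com.example.app"
    results = {
        "foreground_ok": agent.on_communication(app, image, "cellular", "api.example.test", 600),
        "background": agent.on_communication(app, image, "cellular", "api.example.test", 10, background=True),
        "wifi": agent.on_communication(app, image, "wifi", "anything.test", 10),
        "bad_dest": agent.on_communication(app, image, "cellular", "other.test", 10),
        "over_limit": agent.on_communication(app, image, "cellular", "api.example.test", 500),
        "tampered": agent.on_communication(app, image + b"x", "cellular", "api.example.test", 1),
    }
    results["events"] = list(agent.events)
    results["usage"] = agent.usage[app]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check runs before the policy is applied (the ordering of claim 54); an agent that applied the policy first and checked afterwards (claim 22) would move the `configuration_check` call below the policy branches. Because the credential is a hash of the image, a modified application that reuses the same identifier fails the check and never inherits the policy, which is the association the title refers to.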
Current Assignee: Headwater Research LLC (Greg Raleigh)
Original Assignee: Headwater Partners I LLC (Greg Raleigh)
Inventors: Raleigh, Gregory G.; Green, Jeffrey; Lavine, James
Primary Examiner(s): Ruby, Andrew Joseph
Application Number: US13/309,556
Publication Number:
Time in Patent Office: 1,083 Days
Field of Search: 455/414.1, 455/1, 455/456.1, 455/456.2, 455/556.1, 455/556.2, 455/557, 705/1.1, 709/203, 709/217, 709/223, 709/224, 715/736, 715/738, 726/1, 726/6, 726/7
US Class Current: 715/736
CPC Class Codes: H04L 12/1485 Tariff-related aspects; H04L 12/1489 dependent on congestion; H04L 41/0893 Assignment of logical group...; H04L 41/0894 Policy-based network config...; H04L 41/5003 Managing SLA; Interaction b...; H04L 41/5025 by proactively reacting to ...; H04M 15/00 Arrangements for metering, ...; H04M 15/58 based on statistics of usag...; H04M 2215/0188 Network monitoring; statist...; H04W 4/24 Accounting or billing; H04W 4/60 Subscription-based services...