Support systems interactions with virtual network functions in a trusted security zone

US 9,811,686 B1
Filed: 10/09/2015
Issued: 11/07/2017
Est. Priority Date: 10/09/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a network communication interface to communicatively couple the apparatus to a network;

a processor coupled to the network communication interface and comprising a normal partition and a secure partition;

a memory coupled to the processor and comprising a normal memory and a secure memory;

a trusted security zone comprising the secure partition and the secure memory, wherein when the processor executes the secure partition, the normal partition is prevented from executing, and wherein the trusted security zone executes a separate operating system that is inaccessible to users of the apparatus; and

a trusted orchestrator application stored in the secure memory that, when executed by the secure partition of the processor;

receives fully-detailed data from a virtualized network function of a virtual server via a trusted end-to-end communication link, wherein the data comprises a log of events performed by the virtual network function for a customer, and wherein existence of the fully-detailed data is restricted to the trusted security zone;

sanitizes the data received from the virtualized network function into sanitized data that is not restricted to the trusted security zone, wherein sanitizing the data received from the virtualized network function removes identifying information of the customer to form the sanitized data; and

transmits the sanitized data outside of the trusted security zone to a network device for providing services to the customer according to the log of events.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus, comprising a network communication interface to communicatively couple the apparatus to a network, a processor coupled to the network communication interface, a memory coupled to the processor and comprising a trusted security zone, and a trusted orchestrator application stored in the trusted security zone of the memory that. When the application is executed by the processor, it receives fully-detailed data from a virtualized network function of a virtual server via a trusted end-to-end communication link, wherein the data comprises a log of events performed by the virtual network function for a customer. The application then sanitizes the data received from the virtualized network function and transmits the sanitized data outside of the trusted security zone.

Citations

20 Claims

1. An apparatus, comprising:
- a network communication interface to communicatively couple the apparatus to a network;
  
  a processor coupled to the network communication interface and comprising a normal partition and a secure partition;
  
  a memory coupled to the processor and comprising a normal memory and a secure memory;
  
  a trusted security zone comprising the secure partition and the secure memory, wherein when the processor executes the secure partition, the normal partition is prevented from executing, and wherein the trusted security zone executes a separate operating system that is inaccessible to users of the apparatus; and
  
  a trusted orchestrator application stored in the secure memory that, when executed by the secure partition of the processor;
  
  receives fully-detailed data from a virtualized network function of a virtual server via a trusted end-to-end communication link, wherein the data comprises a log of events performed by the virtual network function for a customer, and wherein existence of the fully-detailed data is restricted to the trusted security zone;
  
  sanitizes the data received from the virtualized network function into sanitized data that is not restricted to the trusted security zone, wherein sanitizing the data received from the virtualized network function removes identifying information of the customer to form the sanitized data; and
  
  transmits the sanitized data outside of the trusted security zone to a network device for providing services to the customer according to the log of events.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the apparatus has knowledge of a plurality of virtual network functions operating in the network.
  - 3. The apparatus of claim 1, wherein the trusted orchestrator comprises a billing support system trustlet, and wherein the sanitized data indicates one or more billing events for billing to the customer.
  - 4. The apparatus of claim 1, wherein the trusted orchestrator comprises an operational support system and wherein the sanitized data indicates an activity that should be performed in the network.
  - 5. The apparatus of claim 1, wherein the sanitized data is transmitted by the trusted orchestrator to one of a billing support system or an operational support system outside of the trusted security zone.
  - 6. The apparatus of claim 1, wherein an audit trail is retained in the trusted orchestrator that connects the sanitized data to the fully-detailed data in the virtualized network function.

7. A method executed in a communications network, comprising:
- receiving, by a transceiver in a trusted security zone, a log of event details restricted to the trusted security zone and describing billing events executed by a virtualized network function from the virtualized network function, wherein the billing events indicate events for which a customer should be billed;
  
  sanitizing, by a processor in the trusted security zone, the log of event details to remove information having a predetermined level of specificity, wherein sanitizing the log of events comprises transforming the log of event details into categories, and wherein sanitizing the log of event details removes identifying information of the customer to form a sanitized log of event details; and
  
  transmitting by the transceiver, the sanitized log of event details,wherein the processor comprises a secure partition and a normal partition, and the trusted security zone comprises the secure partition,wherein when the processor executes the secure partition in the trusted security zone, the processor is prevented from executing the normal partition outside of the trusted security zone, andwherein the trusted security zone executes a separate operating system that is inaccessible to device users.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7, wherein the method is executed on a trusted orchestrator in a network function virtualization architecture.
  - 9. The method of claim 8, wherein the trusted orchestrator comprises a billing support system.
  - 10. The method of claim 8, wherein the sanitized log of event details is converted by the trusted orchestrator into a bill prior to transmission to the customer.
  - 11. The method of claim 7, wherein the categories comprise at least one of a measurement of the customer'"'"'s network usage comprising a count of cycles used, a count of data throughput, a count of time slots used, a count of process cycles used, a count of minutes consumed, a count of message throughput, a count of events transacted, a count of applications initiated, and a count of services terminated.
  - 12. The method of claim 7, wherein the categories comprise a quality of service provided to the customer.
  - 13. The method of claim 7, wherein the categories comprise a listing of services consumed by the customer and selected from a services catalog.
  - 14. The method of claim 7, wherein the level of specificity to be removed when sanitizing the log of event details is dependent on specifications of the trusted security zone that must be maintained to ensure trust is preserved.

15. A method executed in a communications network, comprising:
- receiving, by a transceiver in a trusted security zone, a log of event details restricted to the trusted security zone and describing network events executed by a virtualized network function from the virtualized network function, wherein the network events indicate a network activity that should take place on a network;
  
  receiving from an outside network device, a predetermined level of specificity for information that should be removed from the log of event details;
  
  sanitizing, by a processor in the trusted security zone, the log of event details to remove information having the received predetermined level of specificity, wherein sanitizing the log of event details removes identifying information of a customer to form a sanitized log of event details; and
  
  transmitting by the transceiver, the sanitized log of event details to the outside network device,wherein the processor comprises a secure partition and a normal partition, and the trusted security zone comprises the secure partition,wherein when the processor executes the secure partition in the trusted security zone, the processor is prevented from executing the normal partition outside of the trusted security zone, andwherein the trusted security zone executes a separate operating system that is inaccessible to device users.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the method is executed on a trusted orchestrator in a network function virtualization architecture.
  - 17. The method of claim 15, wherein the trusted orchestrator comprises an operational support system trustlet.
  - 18. The method of claim 15, wherein the network activity indicates service is required on a portion of the network.
  - 19. The method of claim 18, wherein sanitizing the log of events comprises removing all non-essential information from the log of events such that only a minimum amount of information necessary to identify the portion of the network requiring service remains.
  - 20. The method of claim 15, wherein the network activity comprises provisioning a service for the customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Marquardt, Ronald R., Paczkowski, Lyle W., Rajagopal, Arun
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/879,324
Time in Patent Office

760 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6245 Protecting personal data, e...

G06Q 30/04 Billing or invoicing

Support systems interactions with virtual network functions in a trusted security zone

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Support systems interactions with virtual network functions in a trusted security zone

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links