Context-based dynamic policy system for mobile devices and supporting network infrastructure

US 10,178,525 B2
Filed: 11/11/2011
Issued: 01/08/2019
Est. Priority Date: 11/13/2010
Status: Active Grant

First Claim

Patent Images

1. A method of selecting a first network policy for a mobile device that operates as an endpoint in a communications network, the method comprising:

storing network policy values for a mobile device in a storage system, the network policy values relating context-based values for the mobile device to operational features for managing communications between the mobile device and network infrastructure that supports operations of the mobile device in a communications network in which the mobile device operates as an endpoint, the network infrastructure including at least one server or router that provides access to the communications network for the mobile device;

receiving first context-based values for the mobile device from at least one context-based data source;

using the first context-based values to select the first network policy for the mobile device from the stored network policy values, the first network policy specifying first operational features configured to manage the communications between the mobile device and the network infrastructure;

sending endpoint configuration values for the first network policy to an endpoint policy management unit to control operations of the mobile device; and

sending network-infrastructure configuration values for the first network policy to a network infrastructure policy management unit to control operations of the network infrastructure, wherein the sent network-infrastructure configuration values control operations of the network infrastructure by at least four of the following;

enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods dynamically adapt network policies for mobile devices by accessing context-based values to allocate or restrict capabilities on the mobile devices or within the network. Context-based values may include position or velocity as well as more general environment features such as proximity of other devices, the presence or absence of other wireless signals or network traffic, parameters measured by local or remote sensors, user credentials, or unique user or signal inputs to the device. Relevant capabilities may include access to hardware and software interfaces and related parameter sets including priority settings.

21 Citations

38 Claims

1. A method of selecting a first network policy for a mobile device that operates as an endpoint in a communications network, the method comprising:
- storing network policy values for a mobile device in a storage system, the network policy values relating context-based values for the mobile device to operational features for managing communications between the mobile device and network infrastructure that supports operations of the mobile device in a communications network in which the mobile device operates as an endpoint, the network infrastructure including at least one server or router that provides access to the communications network for the mobile device;
  
  receiving first context-based values for the mobile device from at least one context-based data source;
  
  using the first context-based values to select the first network policy for the mobile device from the stored network policy values, the first network policy specifying first operational features configured to manage the communications between the mobile device and the network infrastructure;
  
  sending endpoint configuration values for the first network policy to an endpoint policy management unit to control operations of the mobile device; and
  
  sending network-infrastructure configuration values for the first network policy to a network infrastructure policy management unit to control operations of the network infrastructure, wherein the sent network-infrastructure configuration values control operations of the network infrastructure by at least four of the following;
  
  enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 2. The method of claim 1, wherein the context-based values for the mobile device include at least one of position or velocity for the mobile device, and the first network policy coordinates operations at the network infrastructure and the mobile device in accordance with the first context-based values to provide the first operational features for managing the communications between the mobile device and the network infrastructure.
  - 3. The method of claim 1, wherein selecting the first network policy includes accessing a dynamic policy function that relates the first context-based values to an enablement or disablement status for one or more hardware or software elements at the mobile device.
  - 4. The method of claim 1, wherein the endpoint policy management unit sends instructions corresponding to the first network policy to a mobile-device control unit that controls software and hardware operations at the mobile device, the endpoint policy management unit being external to the mobile device, and the mobile-device control unit being included in the mobile device.
  - 5. The method of claim 1, wherein the context-based values for the mobile device include at least one performance characteristic for the communications between the mobile device and the network infrastructure.
  - 6. The method of claim 1, wherein the operational features for managing the communications between the mobile device and the network infrastructure include at least one enabled function or disabled function within the mobile device or within the network infrastructure.
  - 7. The method of claim 1, wherein the at least one context-based data source includes at least one performance measurement device within the mobile device or the network infrastructure, the performance measurement device characterizing a quality of the communications between the mobile device and the network infrastructure.
  - 8. The method of claim 1, wherein the first operational features for managing the communications between the mobile device and the network infrastructure include an enablement or disablement of at least one function of the at least one server or router included in the network infrastructure.
  - 28. The method of claim 1 wherein:
    - the context-based values are received at a dynamic-policy unit that is external to the mobile device;
      
      the endpoint configuration values for the first network policy are sent from the dynamic-policy unit to the endpoint policy management unit; and
      
      the network-infrastructure configuration values for the first network policy are sent from the dynamic-policy unit to the network infrastructure policy management unit.
  - 29. The method of claim 1 wherein the first network policy includes at least one parameter that specifies a quality or priority for the communications between the mobile device and the network infrastructure.
  - 30. The method of claim 1, wherein the first context-based values include environmental factors comprising network traffic.
  - 31. The method of claim 1, wherein the first operational features for managing the communications between the mobile device and the network infrastructure comprise:
    - a policy setting that assigns a quality of service or priority on the communications network to the mobile device.
  - 32. The method of claim 1, wherein the first operational features for managing the communications between the mobile device and the network infrastructure comprise:
    - a policy setting that assigns a network access control setting to the mobile device.
  - 33. The method of claim 1, wherein the first operational features for managing the communications between the mobile device and the network infrastructure comprise:
    - a policy setting that assigns a proxy setting to the mobile device.
  - 34. The method of claim 1, wherein the first operational features for managing the communications between the mobile device and the network infrastructure comprise:
    - a policy setting that assigns an authentication requirement to the mobile device.
  - 35. The method of claim 1, wherein the first operational features for managing the communications between the mobile device and the network infrastructure comprise:
    - a policy setting that assigns an intrusion detection setting to the mobile device.
  - 36. The method of claim 1, wherein receiving the first context-based values comprises receiving the first context-based values for the mobile device and the network infrastructure from a plurality of context-based data sources, and wherein the plurality of context-based data sources include sensors at the mobile device and the network infrastructure.
  - 37. The method of claim 1, wherein the sent network-infrastructure configuration values control operations of the network infrastructure by at least eight of the following:
    - enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.
  - 38. The method of claim 1, wherein the sent network-infrastructure configuration values control operations of the network infrastructure by the following:
    - enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, anddisablement of access to a directory.

9. An apparatus configured to select a first network policy for a mobile device that operates as an endpoint in a communications network, the apparatus comprising at least one computer configured to instantiate computer-implemented modules including:
- a policy-storage module that is configured to store network policy values for a mobile device in a storage system, the network policy values relating context-based values for the mobile device to operational features for managing communications between the mobile device and network infrastructure that supports operations of the mobile device in a communications network, the network infrastructure including at least one server or router that provides access to the communications network for the mobile device;
  
  a value-receiving module that is configured to receive first context-based values for the mobile device from at least one context-based data source;
  
  a policy-selection module that is configured to use the first context-based values to select the first network policy for the mobile device from the stored network policy values, the first network policy specifying first operational features configured to manage the communications between the mobile device and the network infrastructure;
  
  a first value-sending module configured to send endpoint configuration values for the first network policy to an endpoint policy management unit to control operations of the mobile device; and
  
  a second value-sending module configured to send network-infrastructure configuration values for the first network policy to a network infrastructure policy management unit to control operations of the network infrastructure, wherein the sent network-infrastructure configuration values control operations of the network infrastructure by at least four of the following;
  
  enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the context-based values for the mobile device include at least one of position or velocity for the mobile device, and the first network policy coordinates operations at the network infrastructure and the mobile device in accordance with the first context-based values to provide the first operational features for managing the communications between the mobile device and the network infrastructure.
  - 11. The apparatus of claim 9, wherein selecting the first network policy includes accessing a dynamic policy function that relates the first context-based values to an enablement or disablement status for one or more hardware or software elements at the mobile device.
  - 12. The apparatus of claim 9, wherein the context-based values for the mobile device include at least one performance characteristic for the communications between the mobile device and the network infrastructure.
  - 13. The apparatus of claim 9, wherein the operational features for managing the communications between the mobile device and the network infrastructure include at least one enabled function or disabled function within the mobile device or within the network infrastructure.
  - 14. The apparatus of claim 9, wherein the at least one context-based data source includes at least one performance measurement device within the mobile device or the network infrastructure, the performance measurement device characterizing a quality of the communications between the mobile device and the network infrastructure.
  - 15. The apparatus of claim 9, wherein the first operational features for managing the communications between the mobile device and the network infrastructure include an enablement or disablement of at least one function of the at least one server or router included in the network infrastructure.

16. A non-transitory computer-readable medium that stores one or more computer programs that, when executed by one or more processors, effectuate operations comprising:
- storing network policy values for a mobile device in a storage system, the network policy values relating context-based values for the mobile device to operational features for managing communications between the mobile device and network infrastructure that supports operations of the mobile device in a communications network, the network infrastructure including at least one server or router that provides access to the communications network for the mobile device;
  
  receiving first context-based values for the mobile device from at least one context-based data source;
  
  using the first context-based values to select the first network policy for the mobile device from the stored network policy values, the first network policy specifying first operational features for managing the communications between the mobile device and the network infrastructure;
  
  sending endpoint configuration values for the first network policy to an endpoint policy management unit to control operations of the mobile device; and
  
  sending network-infrastructure configuration values for the first network policy to a network infrastructure policy management unit to control operations of the network infrastructure, wherein the sent network-infrastructure configuration values control operations of the network infrastructure by at least four of the following;
  
  enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.

17. A method of implementing a network policy for a mobile device that operates as an endpoint in a communications network, the method comprising:
- receiving context-based values for a mobile device from at least one context-based data source;
  
  sending the context-based values to a dynamic policy unit that determines network policies related to the mobile device from the context-based values, the network policies relating the context-based values for the mobile device to operational features for managing communications between the mobile device and network infrastructure that supports operations of the mobile device in a communications network, the network infrastructure including at least one server or router that provides access to the communications network for the mobile device;
  
  receiving values for a network policy from the dynamic policy unit, the network policy specifying the operational features for managing the communications between the mobile device and the network infrastructure;
  
  sending instructions to a control unit that enforces the network policy for at least a portion of the communications network, the control unit including a network-infrastructure control unit that controls operations of the network infrastructure by controlling at least some hardware or software of the at least one server or router included in the network infrastructure, wherein controlling operations of the network infrastructure comprises controlling operations of the network infrastructure by at least four of the following;
  
  enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17, further comprising:
    - logging events including the context-based values and the network policy values in a storage system.
  - 19. The method of claim 17, further comprising:
    - autonomously revising the network policy based on the received context-based values, the received context-based values including environmental factors related to network usage.
  - 20. The method of claim 17, whereinthe at least one context-based data source is included in the mobile device, andthe control unit includes a mobile-device control unit that controls at least some hardware or software of the mobile device.
  - 21. The method of claim 17, wherein the at least one context-based data source is included in the network infrastructure, the context-based data source being external to the mobile device.

22. An apparatus for implementing a network policy for a mobile device that operates as an endpoint in a communications network, the apparatus comprising at least one computer to perform operations for computer-implemented modules including:
- a data-retrieval module configured to receive context-based values for the mobile device from at least one context-based data source and sends the context-based values to a dynamic policy unit that determines network policies related to the mobile device from the context-based values, the network policies relating the context-based values for the mobile device to operational features for managing communications between the mobile device and network infrastructure that supports operations of the mobile device in the communications network, the network infrastructure including at least one server or router that provides access to the communications network for the mobile device;
  
  a dynamic-policy-enforcement module configured to receive values for a network policy from the dynamic policy unit and sends instructions to a control unit that enforces the network policy for at least a portion of the communications network, the control unit including a network-infrastructure control unit that controls operations of the network infrastructure by controlling at least some hardware or software of the at least one server or router included in the network infrastructure, wherein controlling operations of the network infrastructure comprises controlling operations of the network infrastructure by at least four of the following;
  
  enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The apparatus of claim 22, further comprising:
    - an event-logging module that logs events including the context-based values and the network policy values in a storage system.
  - 24. The apparatus of claim 22, further comprising:
    - an autonomous-configuration module that autonomously revises the network policy based on the received context-based values, the received context-based values including environmental factors related to network usage.
  - 25. The apparatus of claim 22, whereinthe at least one context-based data source is included in the mobile device, andthe control unit includes a mobile-device control unit that controls at least some hardware or software of the mobile device.
  - 26. The apparatus of claim 22, wherein the at least one context-based data source is included in the network infrastructure, the context-based data source being external to the mobile device.

27. A non-transitory computer-readable medium that stores a computer program including instructions that, when executed by a computer, cause the computer to perform operations comprising:
- receiving, with one or more processors, context-based values for a mobile device from at least one context-based data source;
  
  sending, with one or more processors, the context-based values to a dynamic policy unit that determines network policies related to the mobile device from the context-based values, the network policies relating the context-based values for the mobile device to operational features for managing communications between the mobile device and network infrastructure that supports operations of the mobile device in a communications network, the network infrastructure including at least one server or router that provides access to the communications network for the mobile device;
  
  receiving, with one or more processors, values for a network policy from the dynamic policy unit, the network policy specifying the operational features configured to manage the communications between the mobile device and the network infrastructure;
  
  sending, with one or more processors, instructions to a control unit that enforces the network policy for at least a portion of the communications network, the control unit including a network-infrastructure control unit that controls operations of the network infrastructure by controlling at least some hardware or software of the at least one server or router included in the network infrastructure, wherein controlling operations of the network infrastructure comprises controlling operations of the network infrastructure by at least four of the following;
  
  enablement of a quality of service setting,enablement of a priority setting,enablement of a network access control setting,enablement of a proxy setting,enablement of an authentication requirement,enablement of an intrusion detection setting,enablement of an intrusion prevention setting,enablement of access to a network,enablement of access to a servers,enablement of access to a directory,disablement of a quality of service setting,disablement of a priority setting,disablement of a network access control setting,disablement of a proxy setting,disablement of an authentication requirement,disablement of an intrusion detection setting,disablement of an intrusion prevention setting,disablement of access to a network,disablement of access to a server, ordisablement of access to a directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Inpixon Co.
Original Assignee
Inpixon Co.
Inventors
Madey, Daniel A., Pollutro, Dennis V., Levy-Yurista, Guy
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
Bukhari, Sibte H

Application Number

US13/294,794
Publication Number

US 20120131155A1
Time in Patent Office

2,615 Days
Field of Search

709220
US Class Current
CPC Class Codes

H04W 12/30   Security of mobile devices;...

H04W 12/63   Location-dependent; Proximi...

H04W 4/02   Services making use of loca...

H04W 4/027   using movement velocity, ac...

H04W 4/50   Service provisioning or rec...

Context-based dynamic policy system for mobile devices and supporting network infrastructure

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Context-based dynamic policy system for mobile devices and supporting network infrastructure

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links