Communications device with secure data path processing agents

US 8,725,123 B2
Filed: 09/28/2011
Issued: 05/13/2014
Est. Priority Date: 06/05/2008
Status: Active Grant

First Claim

Patent Images

1. A communications device comprising:

one or more communication input/output (I/O) ports, at least one of the one or more communication I/O ports being a wide area network port configured to connect the communications device to a wide area network;

one or more secure data path processing agents configured to;

execute in a secure execution environment,monitor communication activity through the wide area network port,generate a device data record comprising information about the communication activity through the wide area network port, andsend the device data record to a network element over a trusted communication link between the one or more secure data path processing agents and the network element; and

a trusted data path between the one or more secure data path processing agents and the wide area network port.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communications device comprising one or more communication input/output (I/O) ports, at least one of the one or more communication I/O ports being a wide area network port configured to connect the communications device to a wide area network; one or more secure data path processing agents configured to execute in a secure execution environment, monitor a device data communications activity through at least one of the one or more communication I/O ports, generate a device data record comprising information about the device data communications activity through at least one of the one or more communication I/O ports, and send the device data record to the network element over a trusted communication link between the one or more secure data path processing agents and the network element; and a trusted data path between the one or more secure data path processing agents and the wide area network port.

851 Citations

32 Claims

1. A communications device comprising:
- one or more communication input/output (I/O) ports, at least one of the one or more communication I/O ports being a wide area network port configured to connect the communications device to a wide area network;
  
  one or more secure data path processing agents configured to;
  
  execute in a secure execution environment,monitor communication activity through the wide area network port,generate a device data record comprising information about the communication activity through the wide area network port, andsend the device data record to a network element over a trusted communication link between the one or more secure data path processing agents and the network element; and
  
  a trusted data path between the one or more secure data path processing agents and the wide area network port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32)
- - 2. The communications device recited in claim 1, further comprising memory configured to store a device communication activity policy, and wherein the information about the communication activity through the wide area network port indicates whether the communications device is properly implementing the device communication activity policy.
  - 3. The communications device recited in claim 1, wherein the trusted communication link comprises a secure message receipt feedback loop.
  - 4. The communications device recited in claim 3, wherein the one or more secure data path processing agents are further configured to restrict data transmission or data reception by the communications device through the wide area network or through another port of the one or more communication I/O ports based on information from the secure message receipt feedback loop.
  - 5. The communications device recited in claim 4, wherein the network element is a first network element, and wherein the wide area network port enables the communications device to communicate with the first network element or a second network element to obtain an error handling instruction when a secure message receipt feedback loop error condition exists.
  - 6. The communications device recited in claim 1, further comprising memory configured to store a device communication activity policy obtained from the network element.
  - 7. The communications device recited in claim 1, wherein the information about the communication activity comprises a record of communication activity over the wide area network port.
  - 8. The communications device recited in claim 1, further comprising memory configured to store a device communication activity policy, and wherein the device communication activity policy comprises a policy for monitoring an application.
  - 9. The communications device recited in claim 1, further comprising memory configured to store a device communication activity policy, and wherein the device communication activity policy comprises a policy for monitoring access to a network destination, an address, or a resource.
  - 10. The communications device recited in claim 1, wherein the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by an application processor.
  - 11. The communications device recited in claim 1, wherein the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by an operating system or secure partitioning software.
  - 12. The communications device recited in claim 1, wherein the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by a modem processor.
  - 13. The communications device recited in claim 1, wherein the secure execution environment and the one or more secure data path processing agents are located on a SIM card.
  - 14. The communications device recited in claim 1, wherein the wide area network is a wireless network, and wherein the information about the communication activity comprises a record of service usage over the wireless network.
  - 15. The communications device recited in claim 1, further comprising memory configured to store a device communication activity policy, and wherein the wide area network is a wireless network, and wherein the device communication activity policy comprises a policy for controlling access to the wireless network.
  - 16. The communications device recited in claim 15, wherein the policy comprises one or more control policies for controlling one or more applications operating on or capable of operating on the communications device.
  - 17. The communications device recited in claim 15, wherein the policy comprises one or more control policies for controlling access to one or more network destinations, addresses or resources accessible over the wireless network.
  - 18. The communications device recited in claim 15, wherein the policy comprises a control policy for controlling communication over a roaming network.
  - 19. The communications device recited in claim 1, further comprising memory configured to store a device communication activity policy, and wherein the wide area network is a wireless network, and wherein the device communication activity policy comprises a policy for accounting for usage of the wireless network.
  - 20. The communications device recited in claim 19, wherein the policy comprises one or more accounting policies for accounting for usage of the wireless network associated with one or more applications operating on the communications device.
  - 21. The communications device recited in claim 19, wherein the policy comprises one or more accounting policies for accounting for usage of the wireless network associated with access to one or more network destinations, addresses, or resources accessible over the wireless network.
  - 22. The communications device recited in claim 19, wherein the policy comprises an accounting policy for accounting for usage of a roaming network.
  - 23. The communications device recited in claim 22, wherein the accounting policy is configured to:
    - request an access network service cost acknowledgement or payment indication associated with usage of the roaming network from a device user, andrestrict access to the roaming network by the communications device if the device user does not provide the service cost acknowledgement or payment indication.
  - 24. The communications device recited in claim 1, wherein the one or more secure data path processing agents are further configured to:
    - monitor communications sent by the network element over the trusted communication link, andrestrict access to the wide area network port or another port of the one or more communication I/O ports if, within a specified event interval after sending the device data record to the network element over the trusted communication link, the one or more secure data path processing agents have not detected a secure message receipt in the communications from the network element sent over the trusted communication link.
  - 25. The communications device recited in claim 24, wherein the specified event interval comprises a period of time, a number of records transmitted, or a number of communications with the network element.
  - 27. The communications device recited in claim 1, further comprising one or more functions configured to verify at least a portion of the one or more secure data path processing agents.
  - 28. The communications device recited in claim 27, wherein the one or more functions are configured to verify the at least a portion of the one or more secure data path processing agents based on one or more security elements.
  - 29. The communications device recited in claim 1, further comprising one or more notification agents configured to present information associated with the device data record to a user of the communications device.
  - 30. The communications device recited in claim 1, wherein at least a portion of the one or more secure data path processing agents is stored in a separate partition of a nonvolatile memory, and further comprising one or more functions configured to secure or verify the at least a portion of the one or more secure data path processing agents.
  - 31. The communications device recited in claim 28, wherein the one or more security elements comprise a signature, one or more keys, a certificate, or a hash.
  - 32. The communications device recited in claim 27, wherein the one or more functions are configured to verify the at least a portion of the one or more secure data path processing agents in association with a download of the at least a portion of the one or more secure data path processing agents, an installation of the at least a portion of the one or more secure data path processing agents, or a load of the at least a portion of the one or more secure data path processing agents.

26. A communications device comprising:
- one or more communication input/output (I/O) ports, at least one of the one or more communication I/O ports being a wide area network port configured to connect the communications device to a wide area network;
  
  memory configured to store a device communication activity policy;
  
  a SIM card comprising;
  
  one or more secure data path processing agents configured to;
  
  execute in a secure execution environment,monitor communication activity through the wide area network port, andbased on the monitored communication activity, take an action to assist in enforcing the device communication activity policy; and
  
  a trusted data path between the one or more secure data path processing agents and the wide area network port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Headwater Research LLC (Greg Raleigh)
Original Assignee
Headwater Partners I LLC (Greg Raleigh)
Inventors
Raleigh, Gregory G., Raissinia, Alireza, Sabin, Michael, Lavine, James
Primary Examiner(s)
Rudy, Andrew Joseph

Application Number

US13/247,998
Publication Number

US 20120084438A1
Time in Patent Office

958 Days
Field of Search

709/203, 709/217, 709/223, 709/224, 455405-409, 455/414.1, 455/432.1, 705/30, 705/32
US Class Current

455/414.1
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04W 12/106   Packet or message integrity

H04W 12/122   Counter-measures against at...

H04W 24/08   Testing, supervising or mon...

Communications device with secure data path processing agents

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

851 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Communications device with secure data path processing agents

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

851 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links