KR102162870B1 - Method for allocating dedicated network of application, method for providing user selectabe dedicated network service, and telecommunication system and user terminal implementing the methods - Google Patents

Abstract

A method of providing a user-selectable dedicated network service by interworking with a core network by a data policy control device, comprising: receiving an authentication request for accessing a dedicated network of a specific application from a terminal, whether the verification information included in the authentication request is integrity, and the The steps of authenticating the dedicated network access of the specific application based on the validity of the dedicated network service product subscribed by the user of the terminal, and allowing the specific application to access the dedicated network to the terminal when the dedicated network access authentication result is successful. Include. Traffic of the specific application is transmitted and received through a dedicated network allocated to the terminal.

Description

A method of allocating an application-only network, a method of providing a user-selective dedicated network service through it, and a communication network system and user terminal that implement it }

The present invention relates to a wireless communication network system and a data communication service thereof.

The user is given a certain amount of data every month according to the carrier's plan, and the amount of data is deducted each time data is transmitted or received through a communication network. Since the rate plan differs in the amount of data by section, users can use data communication services within the data limit of the subscription plan, but if the monthly data usage exceeds the data limit of the plan, subscribe to a higher plan or separate data. There is no choice but to buy. Users should be able to use data communication services reasonably only when the communication company designs the data difference between the rate plans to be narrow. However, as the data rate product is subdivided, the load on the communication network system increases, and as a result, the system maintenance/operation cost of the communication company increases. Therefore, there is a limitation in that the plan cannot be designed to fit all users' data usage patterns.

Users who have subscribed to the service provider's plan can use content provided by a remote service server by running an application on a terminal. At this time, the communication network system divides the access path according to the location of the service server, and differentially charges the data usage rate for each separated path. For example, a communication network system is an IMS (IP Multimedia Subsystem) network that provides wireless communication services, an Internet network connected through a public LTE network, and a private network of a specific organization or company connected through a private LTE network. Depending on the data usage rate, you may be charged. At this time, since the communication network system classifies rates by network access information such as APN (Access Point Name) and DNN (Data Network Name) allocated for each separated path, the rates cannot be differentiated for each application.

Meanwhile, the rate for each packet can be differentiated based on 5 tuples of data packets, but for this, the communication network system registers 5 tuples of a specific packet in the core network, and the P-GW is the content server of the packet. You must pay by recognizing your address. Accordingly, all destination information of the remote service server (host) used by the application must be provided to the communication company, and the connection between applications is frequent, so it is not easy to separate billing by service server address. In particular, when the service server address to which a single application accesses is variable, it is not easy to accurately separate billing into 5 tuples. For example, if a user uses an open market (eg, Gmarket) service at a separate data usage rate, the conventional communication network system classifies the open market server and handles billing exceptions. However, if a seller selling a product in an open market links product information located on a separate host rather than an open market server, product information can be exposed in the form embedded in the screen of the open market application. In this case, the user checks product information on the screen of the open market application, but the general rate is applied, not the data use rate agreed for the open market service. Therefore, it is not easy to accurately separate billing into 5 tuples, and there is a limitation in that the user cannot receive the contracted data usage rate according to the method of providing the service of the seller in the open market service.

The problem to be solved by the present invention is to provide a method of allocating a dedicated network to a user who has subscribed to a dedicated network service product and controlling access to a dedicated network of applications selected by the user, and a communication network system and a user terminal implementing the same.

The problem to be solved by the present invention is to separately allocate network access information for access to a dedicated network in a terminal capable of setting a plurality of network access information, and manage routing for access to a dedicated network of applications selected by a user according to the subscribed dedicated network service product. To provide a way.

In addition, a problem to be solved by the present invention is to provide a user interface through which a user can change an access network for each application or use a dedicated network service simply and intuitively.

A method for providing a user-selectable dedicated network service by interworking with a core network by a data policy control apparatus according to an embodiment, comprising the steps of: receiving an authentication request for accessing a dedicated network of a specific application from a terminal, and verifying verification information included in the authentication request. Authenticating the dedicated network access of the specific application based on the integrity and validity of the dedicated network service product subscribed to by the user of the terminal, and if the result of authenticating the dedicated network access is successful, accessing the dedicated network of the specific application to the terminal And granting permission. Traffic of the specific application is transmitted and received through a dedicated network allocated to the terminal.

In the step of authenticating access to the dedicated network, if the amount of data using the dedicated network in the terminal is within the data limit of the dedicated network service product, it may be determined that the dedicated network service product is valid.

The verification information may include an identifier of the specific application, integrity information of the specific application, and a market identifier in which the specific application is distributed.

In authenticating the access to the dedicated network, the integrity of the verification information may be verified using information obtained from an application market in which the specific application is distributed.

The user-selectable dedicated network service providing method is, after allowing the access to the dedicated network of the specific application, when the amount of data using the dedicated network in the terminal reaches the data limit of the dedicated network service product, the terminal is not authorized to access the dedicated network. It may further include the step of indicating. The terminal may change routing information of applications set to access the dedicated network to access the public network.

The method for providing a user-selectable private network service may include disallowing access to the private network of the specific application to the terminal when the result of authenticating access to the private network is failed. The terminal may transmit traffic of an application that is not permitted to access the dedicated network to a public network.

A method for providing a user-selectable dedicated network service by a terminal interworking with a data policy control device according to an embodiment, comprising the steps of: transmitting an authentication request for access to a dedicated network of a specific application to the data policy control device, from the data policy control device And receiving an authentication result permitting the specific application to access the dedicated network, and setting routing information for transmitting the traffic of the specific application to the dedicated network allocated to the terminal. The routing information is maintained while the dedicated network service product subscribed by the user of the terminal is valid.

The authentication request may include verification information obtained by downloading the specific application from an application market, and the authentication result may be determined based on whether the verification information is integrity and whether the dedicated network service product is valid.

The verification information may include an identifier of the specific application, integrity information of the specific application, and an identifier of the application market.

The method for providing a user-selectable private network service further includes receiving, after receiving the authentication result, deauthorization for access to the private network from the data policy control device, and changing the routing information to access the public network. I can.

The method for providing a user-selectable dedicated network service may further include displaying that the specific application is in a state in which the dedicated network can be accessed on a user interface screen after setting the routing information.

In the transmitting of the authentication request, when a user motion of moving the specific application displayed on the user interface screen into a specific area is input, the data policy control device may request authentication for accessing the dedicated network of the specific application. When access to the dedicated network is permitted from the data policy control device, the specific application may be located in the specific area, and when access to the dedicated network is not permitted from the data policy control device, the specific application may be located outside the specific area.

The method for providing a user-selectable dedicated network service includes receiving an execution request for the specific application located in the specific area, requesting authentication for accessing the specific application to the dedicated network through the data policy control device, and controlling the data policy When the device permits access to the dedicated network, the specific application is executed, and if the data policy control device does not permit access to the dedicated network, the step of moving the specific application out of the specific area may be further included.

The routing information may be information for transferring the traffic of the specific application to a first network interface to which dedicated network access information is assigned. Traffic of general applications that are not permitted to access a dedicated network among a plurality of installed applications may be delivered to a second network interface to which public network access information is assigned.

The method for providing the user-selectable dedicated network service may further include allocating the dedicated network access information obtained after subscription of the dedicated network service product is completed to the first network interface.

According to an embodiment, a user can supplement a conventional rate plan for each section by subscribing to a dedicated network service product according to the data usage or QoS requirement level, and in particular, the user can directly define a data rate for a required service. According to an embodiment, a user may use applications such as video and AR/VR games in a dedicated network with guaranteed QoS. According to an embodiment, through a container in the form of a folder/box displayed on a terminal screen, a user can easily and intuitively control a request to change an access network for each application or use a dedicated network service.

According to the embodiment, since the terminal can additionally set network access information different from the public network (for example, a dedicated APN) for an application that accesses the private network, it is not necessary to change the currently set network access information according to the application being executed. . According to an embodiment, by differently allocating network access information for each application, a traffic transmission path of a general application and a dedicated network application may be separated.

According to an embodiment, a communication company may define a data usage rate and QoS for a specific application differently from a general application through a dedicated network service product, regardless of the network in which the service server is located. According to the embodiment, a communication company can design a product that can change the rate for each application without changing the conventional billing system.

1 is a diagram illustrating a method of providing a user-selectable dedicated network service according to an embodiment.
2 is a diagram of a communication network system providing a dedicated network service for a user-selectable application according to an embodiment.
3 is a diagram exemplarily illustrating billing for each application according to an embodiment.
4 is an example of a terminal interface screen including an application container according to an embodiment.
5 is a flowchart of a method for subscribing to a user-selectable dedicated network service product according to an embodiment.
6 to 8 are flowcharts of a method for providing a user-selectable dedicated network service according to an embodiment.
9 is a diagram conceptually illustrating an application routing control structure based on a routing container according to an embodiment.
10 is a diagram illustrating access to a dedicated network in a routing container-based terminal structure according to an embodiment.
11 is a diagram conceptually illustrating an application routing control structure based on routing policy management according to another embodiment.
12 is a diagram conceptually illustrating an application routing control structure based on a network chain application program according to another embodiment.
13 is a flowchart of an application routing method based on a network chain application program according to another embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art can easily implement the embodiments of the present invention. However, the present invention may be implemented in various different forms and is not limited to the embodiments described herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and similar reference numerals are assigned to similar parts throughout the specification.

Throughout the specification, when a part "includes" a certain component, it means that other components may be further included rather than excluding other components unless otherwise stated. In addition, terms such as "... unit", "... group", and "module" described in the specification mean units that process at least one function or operation, which can be implemented by hardware or software or a combination of hardware and software. have.

The devices described in the present invention are composed of hardware including at least one processor, a memory device, a communication device, and the like, and a program that is combined with the hardware and executed is stored in a designated place. The hardware has a configuration and capability to implement the method of the present invention. The program includes instructions for implementing the operating method of the present invention described with reference to the drawings, and executes the present invention by combining it with hardware such as a processor and a memory device.

In the present invention, the terminal is a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), and a user equipment (UE). , Access Terminal (AT), and the like, and may include all or part of functions such as a mobile station, a mobile terminal, a subscriber station, a mobile subscriber station, a user equipment, and an access terminal.

The terminal is a base station (BS), an access point (AP), a radio access station (RAS), a node B (Node B), an advanced node B (evolved NodeB, eNodeB), a transmission/reception base station ( It can be connected to a remote server by accessing network devices such as Base Transceiver Station, BTS), Mobile Multihop Relay (MMR)-BS, 5G NB (gNB), and the like.

The terminals are various types of communication terminals such as mobile terminals such as smart phones, tablet terminals such as smart pads and tablet PCs, computers, and televisions, and may include a plurality of communication interfaces. Communication interfaces can vary. For example, the communication interface is a local area wireless network interface such as WiFi/WLAN/Bluetooth, and mobile such as 3G/LTE (Long Term Evolution)/LTE-A (Long Term Evolution-Advanced)/5G. It may include a communication network interface, and a terminal manufacturer may add various communication interfaces.

In the present invention, mainly LTE EPC (Evolved Packet Core) is described as an example, but the same can be applied to 5G core. The network access information may be, for example, an access point name (APN) in an LTE network or a data network name (DNN) in a 5G network, and the dedicated network allocated to the CP is determined according to the network structure. This is information for specifying. In the present invention, the APN is described as an example of network access information.

In the present invention, the public network and the dedicated network mean separate traffic paths, and do not necessarily need to be physically separated. For example, the public network and the private network may be different bearers created in the same physical path.

The application of the present invention can be called a network convergence application or a data convergence application because a dedicated network is allocated and billing and QoS are controlled through it.

1 is a diagram illustrating a method of providing a user-selectable dedicated network service according to an embodiment.

Referring to FIG. 1, users up to now subscribe to a single rate plan and use a communication network within the data limit agreed by the rate plan. According to the present invention, in addition to the public network fee plan for accessing the public network, the user can subscribe to a dedicated network service product (fee plan) for accessing the private network. The user can select the amount of data that can use the dedicated network. The user can easily select the amount of data through the user interface as shown in FIG. 1A. The dedicated network service product may include not only the amount of data, but also service conditions such as QoS and data usage rates according to a contract between a communication company and a user. In addition, the dedicated network service product may determine the number of applications that can be transmitted to the dedicated network (acceptance limit), a period of use (eg, use for 3 months), and whether or not to purchase a monthly fee/once. The dedicated network service product may determine the type of application that can be transmitted to the dedicated network (eg, game, social media, video streaming, music streaming, or all applications).

Referring to (b) of FIG. 1, the terminal 100 provides an application container (for example, GiGA cube) in the form of a folder/box on the display screen, and the user desires to transmit and receive traffic through a dedicated network to the application container. It contains the application The terminal 100 sets routing information so that applications contained in the application container can access the dedicated network. To this end, the terminal 100 sets the network access information of the public network and the private network differently, and manages routing information for each application.

Alternatively, the terminal 100 may provide an application list on the display screen, and the user may select an application that desires to transmit and receive traffic through a dedicated network from the application list.

A user can subscribe to a dedicated network service product for an application requiring QoS, select a dedicated network access application, and use the dedicated network to transmit and receive traffic of a specific application. If the contracted dedicated network data amount is exhausted, the user can increase the data amount in the user interface as shown in FIG. 1A. When the contracted private network data amount is exhausted, the terminal 100 may control access to the private network by releasing authentication of applications contained in the application container. In this case, the routing information is changed so that applications contained in the application container move out of the application container and connect to the public network.

FIG. 2 is a diagram of a communication network system providing a dedicated network service for a user-selectable application according to an embodiment, and FIG. 3 is a diagram exemplarily illustrating billing for each application according to an embodiment.

Referring to FIG. 2, the communication network system includes a terminal 100 subscribed to a dedicated network service product and a data policy control device 200 of the communication network. The terminal 100 and the data policy control device 200 interwork with core network devices to provide a dedicated network service for a user-selectable application, and interworking with core network devices may vary according to design.

The terminal 100 may access a product subscription system, for example, a business support system (BSS) 10, and may subscribe to a dedicated network service product. The PCC (Policy and Charging) 12, which manages policy charging information, may create and distribute a network configuration policy for a dedicated network service product. The PCC 12 may be a Policy and Charging Control Function (PCRF)/Policy and Charging Enforcement Function (PCEF), or the like. The packet data gateway (P-GW) 33 creates a dedicated network according to the network configuration policy.

The terminal 100 subscribes for a dedicated network service product and stores dedicated network access information allocated to the dedicated network. The dedicated network access information may be transmitted to the terminal 100 when a subscription for a dedicated network service product is completed, or the dedicated network access information stored in the terminal 100 may be activated. The dedicated network access information may be received from the BSS 10, but may be transmitted from other devices according to design.

In a state in which a dedicated network connection is possible, when the terminal 100 receives a request from a user to use a dedicated network for a specific application, the terminal 100 requests the data policy control device 200 to access the dedicated network for a specific application. The terminal 100 creates a routing policy that maps a specific application that is permitted to access the dedicated network and the dedicated network access information (dedicated APN). When the mapping between the specific application and the dedicated network access information is completed, the terminal 100 displays the user to know that the dedicated network access application is.

Thereafter, when a packet of a specific application is generated, the terminal 100 transmits a packet of a specific application by accessing the dedicated network according to the routing policy. The access request message including the dedicated APN is transmitted to the mobility management device (MME) 31 via the base station 30. The MME 31 checks the dedicated network configuration policy of the dedicated APN included in the access request message, and establishes a dedicated network (dedicated bearer) for transmitting and receiving traffic of a specific application through the S-GW 32 and P-GW 33 do. Through this, the traffic of a specific application is transmitted and received through the P-GW 33 of the dedicated network allocated to the dedicated APN, and the amount of data transmitted and received in the dedicated network is collected by the billing device 20. The P-GW 33 delivers a call detailed record, call data record, and charged data record (CDR) indicating data usage to the billing device 20. The billing device 20 may be an Offline Charging System (OFCS)/Online Charging System (OCS) that collects data usage (CDR). The billing device 20 may report the user's data billing information in the dedicated network to the data policy control device 200.

The data policy control apparatus 200 authenticates or releases authentication of a dedicated network access to a specific application of the terminal 100 that has subscribed to the dedicated network service product. When the data policy control device 200 receives an authentication request for access to a dedicated network of a specific application from the terminal 100, the data policy control device 200 verifies the integrity of the specific application, verifies whether the dedicated network service product is in a valid state, and then accesses the dedicated network of the specific application. Authenticate. When the data policy control device 200 permits access to a dedicated network only for products downloaded and installed from an authorized application market, the data policy control device 200 may define properties of a service group without separate user consent. Meanwhile, the data policy control apparatus 200 may authenticate or deauthenticate access to a dedicated network for a specific application by using a white list, which is a list of applications that can access a private network, and a black list, which is a list of applications that cannot access the private network.

The terminal 100, which has received authentication from the data policy control device 200, changes the routing policy so that the application for which the dedicated network access is authenticated access the dedicated network. In addition, the data policy control apparatus 200 may release the authentication for an application for which the dedicated network access is authenticated when the amount of dedicated network data is exhausted or the dedicated network cannot be used continuously, such as withdrawal of a dedicated network service product.

Upon receiving the authentication release from the data policy control device 200, the terminal 100 changes the routing policy so that the application for which the dedicated network connection is authenticated access the public network.

Referring to FIG. 3, when the terminal 100 is capable of setting a plurality of APNs (multi-APNs), the terminal 100 that has subscribed for a dedicated network service product uses specific applications APP3 and APP4 as APN2, which is dedicated network access information. Maps to The specific application is an application that is determined as a dedicated network access application by user selection, and is an application whose integrity is verified by the data policy control device 200 to authenticate the dedicated network access. The method for the user to select a dedicated network access application may be various, and may be selected by moving to an application container (GiGA cube) as described in FIG. 1.

The general applications APP1 and APP2 access the public network set as default by mapping the public APN (APN1). Charges for traffic transmitted through the public network are deducted from the general plan product subscribed to by the user.

The applications APP3 and APP4 specified as dedicated network access applications are mapped to a dedicated APN (APN2) to access the dedicated network corresponding to the dedicated APN. Charges for traffic transmitted through the dedicated network are deducted from the dedicated network service product subscribed by the user. At this time, the dedicated network service product may provide a data use rate or QoS different from the public network use.

Even if the P-GW 33 charges for one user, it generates a CDR according to the general plan product to charge for traffic generated by general applications (APP1, APP2), and generates a CDR generated by the dedicated network access application (APP3, APP4). For charging for traffic, CDR is generated according to the dedicated network service product.

Conventional communication network systems can charge different data usage rates depending on the network where the service server is located (IMS network, Internet network, corporate private network), so Internet services located in the same Internet network maintain a single rate and a single QoS. I have no choice but to. However, according to the present invention, since an individual subscriber provides two PDNs with different rates and QoS guaranteed, even if the service server is located in the same Internet network, traffic is transmitted to the destination server of the Internet network or the public network Can transmit traffic to the destination server on the Internet network. Accordingly, according to the present invention, regardless of a network in which a service server is located, a data usage rate and QoS for a specific application through a dedicated network service product can be defined differently from a general application.

In particular, according to the present invention, since an access network is determined for each application executed in a terminal, traffic is transmitted and received through a dedicated network even when a link to a page located on a separate host in the dedicated network access application is performed, so the data usage rate contracted by the dedicated network service product and QoS is applied. For example, if the application that provides the open market service is a dedicated network connection application, the seller who sells products in the open market links product information located on a separate host rather than the open market server, and is embedded in the screen of the open market application. Even if product information is exposed, the data usage rate and QoS contracted by the dedicated network service product are applied.

4 is an example of a terminal interface screen including an application container according to an embodiment.

Referring to FIG. 4A, there is an application container 300 as a user interface for distinguishing between a dedicated network access application and a public network access application. The application container 300 is in the form of a folder/box, and an application for which access to a dedicated network is authenticated may be located in the application container 300. At this time, the user moves the application located outside the application container into the application container by various methods such as drag and drop, and the terminal 100 authenticates the application to the dedicated network access to the data policy control device 200 Can be requested. In addition, the dedicated network may not be used by moving it out of the application container. The application container 300 may be managed and protected by a mobile device management (MDM) solution.

The terminal 100 places only applications that have been authenticated by the data policy control device 200 in the application container 300. The terminal 100 changes routing information so that applications located in the application container 300 can access a dedicated network rather than a public network. If the application located in the application container moves outside, the terminal 100 changes routing information so that the application can access a public network rather than a dedicated network.

To this end, the routing authentication unit 110 recognizes the application moved to the application container 300, requests authentication to the data policy control device 200, and manages the application to be included in the application container 300 according to the authentication result. . For an application located in the application container 300, routing information is set so that a dedicated APN is mapped.

Referring to FIG. 4B, an application authenticated by the data policy control device 200 and allowed to access a dedicated network is finally transferred from outside the application container to the inside. If the application is finally located outside the application container, it is an application that cannot access a dedicated network.

On the other hand, the data policy control device 200 verifies the integrity based on whether an application distributed in an authorized market or whether a symmetric key-based distributor is matched. If the application requested for authentication fails the integrity verification, the dedicated network access is not permitted. Does not. When the dedicated network service product is not valid, the data policy control device 200 does not permit access to the dedicated network of course.

Referring to FIG. 4C, when a user executes an application located in a container, the terminal 100 may request authentication from the data policy control device 200.

When the terminal 100 receives authentication cancellation for a specific application located in the container from the data policy control device 200, the terminal 100 moves the authentication canceled application out of the application container. When the terminal 100 stores the authentication release condition, an application that satisfies the authentication release condition may be moved out of the application container.

When the amount of data contracted in the dedicated network service product is exhausted, the data policy control apparatus 200 may notify the terminal 100 of deauthorization of an application located in the container.

As such, a user can intuitively distinguish between a dedicated network access application and a public network access application through the application container, and can simply request authentication by moving the application to the application container. In addition, the terminal 100 may manage routing information of applications included in the application container 300 by connecting the routing container in which the virtual network interface for accessing the dedicated network is set and the application container 300 of the application layer. .

The data policy control apparatus 200 may apply the CP's data charging burden policy in real time to put the application in the application container or remove the application from the application container.

As described above, since the user-selectable dedicated network service is characterized in that the user selects an application, the application container in the form of a folder is used as a user interface so that the user can check whether the dedicated network service product is valid or not and simply select an application to use the dedicated network. When the access network is changed from the private network to the public network due to exceeding the data limit or expiration of the private network service use period, the change is displayed on the user interface screen.

In addition to the application container, there may be various methods of displaying the dedicated network access applications that are permitted to access the dedicated network to be classified. An application icon displayed on the terminal interface screen can be used to distinguish between a dedicated network access application and a general application. In the case of a dedicated network connection application, a dedicated network badge may be attached to the icon or the icon design may be different.

The icon of the dedicated network access application can visually display the amount of data consumed in the dedicated network. For example, the icon of the dedicated network access application may include a gradient, and an amount of data consumption in the dedicated network may be additionally displayed in the gradient density.

When the user is permitted to access the dedicated network by the data policy control device 200 by performing a designated authentication operation (eg, long-touching an icon, moving to an application container, etc.), the terminal 100 accesses the authenticated application to the dedicated network. You can change the display (for example, attach a badge or display a gradation) with an application. When authentication is released by the data policy control device 200, the terminal 100 may change an icon displayed as a dedicated network access application into a general application icon.

5 is a flowchart of a method for subscribing to a user-selectable dedicated network service product according to an embodiment, and FIGS. 6 to 8 are flowcharts illustrating a method of providing a user-selectable dedicated network service according to an embodiment.

5, the terminal 100 accesses a product subscription system, for example, a sales support system (BSS) 10, and subscribes for a dedicated network service product (S110). The subscription content may include various service conditions such as purchase data volume, QoS, and contract period. Meanwhile, the user does not need to subscribe for a product through the terminal 100. That is, a user can subscribe to a dedicated network service product at an offline branch.

The BSS 10 requests the PCC 12 to distribute a network configuration policy corresponding to the dedicated network service product (S120). The PCC 12 may be a Policy and Charging Control Function (PCRF).

The PCC 12 creates a network configuration policy of a dedicated network service product, and distributes it to core network devices such as the MME 31 and P-GW 33 (S130).

The BSS 10 notifies the terminal 100 of the subscription completion of the dedicated network service product (S140). At this time, the exclusive network access information (dedicated APN) is transmitted along with the subscription of the dedicated network service product. The BSS 10 may notify the data policy control device 200 of user information who has subscribed to a dedicated network service product.

The terminal 100 stores the dedicated network access information (dedicated APN) in the profile, and prepares for access to the dedicated network (S150). The terminal 100 allocates a dedicated APN to the dedicated network network interface, and connects the dedicated network network interface and the virtual network interface. Thereafter, the terminal 100 routes specific applications for which the dedicated network access is authenticated to the virtual network interface, and manages the routing so that the dedicated APN is transmitted to the assigned dedicated network interface.

The terminal 100 indicates that the subscription for the dedicated network service product is completed and access to the dedicated network is possible (S160).

The timing at which a user subscribes for a product through the terminal 100 may vary. For example, a user may subscribe to a dedicated network service product on an online product subscription page. Alternatively, when a user moves a random application to the application container 300 or requests access to a private network by selecting a random application from the application list, the terminal 100 checks whether the private network access information (dedicated APN) is stored in the profile. do. If the dedicated network access information (dedicated APN) is not stored in the profile, the terminal 100 displays a dedicated network service product subscription page on the screen, and when receiving a request for a dedicated network service product subscription, the BSS 10 sends a dedicated network service product. You can subscribe. If it is not necessary to explicitly subscribe to a dedicated network service product from a user (for example, a dedicated network service product is free), the terminal 100 is a user action or application list that moves an arbitrary application to the application container 300 A user operation requesting access to a dedicated network by selecting a random application is regarded as a request for a subscription to a dedicated network service product, and a dedicated network service product may be subscribed to the BSS 10.

Referring to FIG. 6, the terminal 100 is requested to use a dedicated network for a specific application (S210). When a specific application is moved to the application container 300 or a specific application is selected as a dedicated network access application in the application list, the terminal 100 may recognize the request for using a dedicated network.

The terminal 100 makes an authentication request for access to a dedicated network of a specific application to the data policy control device 200 (S220). The terminal 100 transmits verification information including user identification information, an identifier of a specific application (App ID), integrity information of a specific application (Signiture), and a market identifier (Market ID) in which a specific application is distributed, to the data policy control device 200 ) To request authentication.

The data policy control device 200 verifies the integrity of a specific application and the validity of a dedicated network service product (S230). The data policy control apparatus 200 may verify integrity by verifying whether an application is distributed in an authorized market and whether a distributor is matched based on a symmetric key based on verification information of a specific application. In addition, the data policy control device 200 checks the dedicated network service product of the terminal user and then checks whether the dedicated network service product is valid. When there is no information necessary for verifying the integrity of a specific application, the data policy control device 200 requests verification information corresponding to the application identifier (App ID) to the application market corresponding to the market identifier (Market ID) to verify the integrity. You can obtain the necessary information.

When the integrity of the specific application and the validity of the dedicated network service product are successfully verified, the data policy control device 200 permits the terminal 100 to access the dedicated network of the specific application (S240).

The terminal 100 changes routing information so that a specific application accesses the dedicated network (S250).

The terminal 100 indicates that a specific application can access the dedicated network (S252). For example, a specific application may be located in the application container 300, or a specific application may be displayed as a dedicated network access application in the application list.

When a specific application is executed, the terminal 100 accesses the dedicated network according to routing information of the specific application (S260). The terminal 100 accesses a content server of a specific application through a dedicated network, and transmits and receives traffic. The private network may have a different QoS set than the public network, and the private network configuration policy is distributed to core network devices such as P-GW.

The data policy control device 200 receives billing information used in the dedicated network by the terminal 100 from the billing device of the core network (S270).

Meanwhile, when the integrity of a specific application and validity verification of a dedicated network service product fail, the data policy control apparatus 200 denies access to the dedicated network of the specific application to the terminal 100. The data policy control apparatus 200 may transmit the reason why the private network access is not permitted to the terminal 100. In this case, the terminal 100 indicates that a specific application cannot access a dedicated network, and may indicate a reason why a specific application cannot access the dedicated network. The terminal 100 transmits the traffic of an application that is not allowed to access the private network to the public network.

As described above, for a user-selectable dedicated network service, the core network must be able to check the application selected by the terminal 100, so that the data policy control device 200 verifies the integrity of the application requested to access the dedicated network from the terminal 100 Allow access. Since the application requested to access the dedicated network from the terminal 100 may be an abnormal application that has been forged and altered, the data policy control device 200 permits access to the dedicated network to the application normally downloaded from the normal application market. As an embodiment for this, an integrity verification method for installing an application downloaded from an application market may be used as follows. The application market assigns a unique ID to the application, and the application developer registers and distributes the installation file and public key together in the market. Then, a normal terminal whose root authority has not been stolen verifies the integrity of the installation file with the public key downloaded from the application market, and installs only the application whose developer (distributor) has confirmed.

The data policy control device 200 includes an identifier (App ID), integrity information (Signiture), and a market identifier (Market ID) of an application requesting a dedicated network connection from the terminal 100 by using an application distribution procedure of the application market. By receiving verification information, the integrity of the application is verified. Therefore, without changing the application distribution procedure so far, the data policy control apparatus 200 may control to transmit a specific application to a dedicated network or a public network.

Referring to FIG. 7, the data policy control device 200 monitors the remaining amount of data of a dedicated network service product subscribed by a user (S310).

When the data remaining amount reaches the contract limit, the data policy control apparatus 200 notifies the terminal 100 of the data exhaustion schedule (S320).

The data policy control device 200 receives the addition of data of a dedicated network service product to which a user has subscribed (S330). The user can increase the data amount of the dedicated network service product on the screen as shown in FIG. 1A.

The data policy control device 200 updates the remaining amount of data of the dedicated network service product subscribed by the user (S340).

Referring to FIG. 8, the data policy control device 200 receives billing information used by the terminal 100 in the dedicated network from the billing device of the core network (S410).

The data policy control device 200 monitors the remaining amount of data of the dedicated network service product to which the user has subscribed to determine whether the remaining amount of data is exhausted (S420).

When the data remaining amount is exhausted, the data policy control apparatus 200 releases authentication of an application permitted to access a dedicated network (S430).

The terminal 100 changes the routing information of the deauthenticated application to public network access information (public APN) (S440).

The terminal 100 indicates that the application whose authentication has been released is changed to a general application that accesses the public network (S450). For example, applications located in the application container 300 may move out of the application container 300 or a specific application may be displayed as a public network access application in the application list.

When a specific application is executed, the terminal 100 accesses the public network according to routing information of the specific application (S460). The terminal 100 accesses a content server of a specific application through a public network and transmits and receives traffic.

9 is a diagram conceptually illustrating a routing container-based application routing control structure according to an embodiment, and FIG. 10 is a diagram illustrating a dedicated network connection in a routing container-based terminal structure according to an embodiment.

Referring to FIG. 9, in order to branch traffic of an application authenticated from the data policy control apparatus 200 to a dedicated network, the terminal 100 needs a routing function for routing an application for which a dedicated network connection is authenticated to a dedicated APN. The routing function may be implemented according to the application framework of the terminal and the operating system (OS). When two APNs can be set in the terminal, a public APN (default APN) for access to a public network and a dedicated APN for access to a dedicated network can be set.

When the application framework of the terminal 100a and the operating system provide an application-unit routing function, the terminal 100a communicates with the data policy control device 200 to authenticate or deauthenticate access to a dedicated network for a specific application. (Routing Authentication) 110, a routing management unit 130a for integrated management of routing rules for applications, and a routing container 150 for managing dedicated network access information for authenticated specific applications. The routing management unit 130a manages not only a routing rule (general routing rule) for accessing a public network, but also a routing rule (dedicated routing rule) for the routing container 150. The general routing rule may include a routing rule connecting App1/App2 to a public APN.

When the routing authentication unit 110 receives a request for access to a dedicated network for App 3/App 4 from a user, it requests authentication for access to a dedicated network for App 3/App 4 to the data policy control device 200. The routing authentication unit 110 receives an authentication result for access to a private network from the data policy control device 200.

When App3/App4 access to a dedicated network is permitted, the routing management unit 130a sets a dedicated routing rule for mapping App3/App4 to a dedicated APN. That is, the routing management unit 130a manages a dedicated routing rule so that App1/App2 is connected to a dedicated APN through the routing container 150.

The routing container 150 is assigned a virtual network interface for connecting an application group authenticated by the data policy control device 200 to a dedicated network according to a dedicated routing rule.

When App3/App4 is executed, the traffic of App3/App4 is transmitted to the dedicated network connected through the dedicated APN.

If the routing authentication unit 110 receives the deauthentication of App3/App4 from the data policy control device 200, the routing management unit 130a maps App3/App4 to a general routing rule. Then, App3/App4 accesses the public APN according to the general routing rule instead of the routing container 150 connected to the dedicated APN.

Referring to FIG. 10, the terminal 100 prepares for a dedicated network connection by communicating with the data policy control device 200, and manages network access information (APN) and network interfaces through a profile as shown in Table 1. The terminal 100 is a subscriber terminal capable of accessing a dedicated network, and a dedicated network service product is in a valid state.

Service type APN Network interface Virtual interface General LTE (wireless network #1) lte.kt.com rmnet0 - MMS lte.kt.com rmnet0 - IMS ims.kt.com rmnet1 - Dedicated LTE (wireless network #2) special.lte.kt.com rmnet2 vEthernet1

Referring to FIG. 10A, in order to access a dedicated network based on a routing container, the terminal 100 connects a dedicated APN (Special.lte.kt.com) to the dedicated network (wireless network #2) network interface (rmnet2). To allocate. The terminal 100 may update the dedicated APN according to the control of the data policy control device 200.

In addition, the terminal 100 connects the virtual network interface vEthernet1 and the network interface rmnet2 of the routing container. The virtual network interface (vEthernet1) may be connected to the global network interface of the terminal at the L2 level. If the terminal supports setting of a plurality of APNs, a plurality of routing containers may be generated corresponding to APNs for each dedicated network.

Referring to (b) of FIG. 10, when access to the dedicated network of App3/App4 is permitted by the data policy control device 200, the terminal 100 is a virtual network interface of a routing container for App3/App4. Set the routing rule to (vEthernet1). Since the virtual network interface (vEthernet1) is mapped one-to-one to the dedicated network (wireless network #2) network interface (rmnet2), the traffic of App3/App4 is routed to the dedicated network (wireless network #2) network interface (rmnet2). App1/App2 has a routing rule for accessing a public network (wireless network #1), and can receive authentication for access to a dedicated network from the data policy control device 200. Then, App1/App2 is also applied with the routing rule connected to the virtual network interface (vEthernet1) of the routing container.

Meanwhile, application containers for applications connected to the virtual network interface (vEthernet1) of the routing container may be generated in the application layer.

11 is a diagram conceptually illustrating an application routing control structure based on routing policy management according to another embodiment.

Referring to FIG. 11, when the application framework of the terminal 100b and the operating system (OS) fail to provide an application-unit routing function, the terminal 100b maps and routes specific authenticated applications to the routing container 150. Can't.

To this end, since the terminal 100b does not provide an application-level routing function, an Inter-System Mobility Policy (ISMP)/Inter-System Routing (ISRP) of an Access Network Discovery and Selection Function (ANDSF) Policy) can be used. ISMP can define an access preference network among LTE/WiFi, and ISRP can define an access preference network according to an APN of a destination data network (PDN). However, since ISMP/ISRP only exists with an IP Flow Routing Rule based on a source/destination, an ANDSF management unit 170 for setting an application-based routing policy is added.

The ANDSF management unit 170 may additionally define an APN for each application according to an extended management object (MO). Here, the extended MO is an extension of the MO that defines the APN and the access network to the application, and is defined so that the application-APN-access network can be routed as a full set. The extended MO may be additionally implemented in the ANDSF-related model implemented in the terminal. In this way, the ANDSF management unit 170 may provide authentication information of a dedicated network and applications required by ISRP through the extended MO. The algorithm for adding/deleting/updating an application-based routing policy by the ANDSF management unit 170 may follow the OMA-DM (Device Management) standard.

When the routing authentication unit 110 authenticates App1's access to the dedicated network from the data policy control device 200, it transmits App1's dedicated network access information (dedicated APN) to the ANDSF management unit 170. Then, the ANDSF management unit 170 reflects the dedicated network access information (dedicated APN) of App 1 to the routing management unit 130b.

When App1 is executed, it is connected to a dedicated network through a dedicated APN according to a routing rule mapped to App1 by the routing management unit 130b.

If the routing authentication unit 110 receives the deauthentication of App 1 from the data policy control device 200, the ANDSF management unit 170 changes the APN of App 1 to a public APN and reflects it to the routing management unit 130b. .

12 is a diagram conceptually illustrating a network chain application-based application routing control structure according to another embodiment, and FIG. 13 is a flowchart of a network chain application-based application routing method according to another embodiment.

Referring to FIG. 12, the terminal 100c may implement a network firewall application program with a network filter framework module of an operating system (OS) kernel. Network Layer, Protocol Layer, and Application Layer can all be used as reference sources for network chain rules. ISMP/ISRP acquires information for configuring the chain rule as a management object (MO) based on the ANDSF standard, but can be configured at the user application program level even if it is not a standard standard.

In this case, the network chain application program may be routed to a dedicated APN using a UID that identifies the application by the terminal OS instead of an application identifier (App ID). Even for applications with the same application identifier (App ID), the UID may be changed according to the time of OS installation. Accordingly, the terminal maps and manages an application identifier (App ID) and UID, and updates the mapping table when the application is reinstalled after deletion.

Referring to FIG. 13, the terminal 100c downloads a specific application from the application market (S510). The terminal 100c receives an installation file including an application identifier (App ID), a market identifier (Market ID), and application integrity information (Signiture). The application identifier (App ID), market identifier (Market ID), and application integrity information (Signiture) are recorded in the application information table.

The terminal 100c installs a specific application, assigns a UID to distinguish the installed application from the terminal, and then stores the UID in the application information table as shown in Table 2 (S520).

App. ID UID App. Signiture Market ID com.kt.dualapn 1001000 4eDFdfAFCDFDF… com.android.vending

When the terminal 100c is requested to use the dedicated network for a specific application, the terminal 100c makes an authentication request for accessing the dedicated network of the specific application to the data policy control device 200 (S530).

The data policy control device 200 verifies the integrity of a specific application and the validity of a dedicated network service product (S540). If necessary, the data policy control device 200 may obtain information necessary for integrity verification in the application market.

When the integrity of the specific application and the validity of the dedicated network service product are successfully verified, the data policy control device 200 permits the terminal 100c to access the dedicated network of the specific application (S550).

The terminal 100c changes the routing information so that a specific application accesses the dedicated network, but stores the routing rule using the UID (S560). The terminal 100c may manage a rule table as shown in Table 3, and may manage a routing table corresponding to each rule as shown in FIG. 4.

Rule ID From UID Range(fwmark) Lookup Routing Table 10500 All if rmnet0 0-0 1003 10500 All if rmnet2 0-0 1005 13000 All fwmark 0x101fb 1005 13000 All 1001000 ~ 100999 1005

Routing Table ID Network Gateway Interface 1005 Default 10.201.202.1 rmnet2

As described above, according to the embodiment, a user can supplement a conventional section-by-section rate plan by subscribing to a dedicated network service product according to the data usage or QoS requirement level, and in particular, the user can directly define a data rate for a required service. According to an embodiment, a user may use applications such as video and AR/VR games in a dedicated network with guaranteed QoS. According to an embodiment, through a container in the form of a folder/box displayed on a terminal screen, a user can easily and intuitively control a request to change an access network for each application or use a dedicated network service.

According to the embodiment, since the terminal can additionally set network access information different from the public network (for example, a dedicated APN) for an application that accesses the private network, it is not necessary to change the currently set network access information according to the application being executed. . According to an embodiment, by differently allocating network access information for each application, a traffic transmission path of a general application and a dedicated network application may be separated.

According to an embodiment, a communication company may define a data usage rate and QoS for a specific application differently from a general application through a dedicated network service product, regardless of the network in which the service server is located. According to the embodiment, a communication company can design a product that can change the rate for each application without changing the conventional billing system.

The embodiments of the present invention described above are not implemented only through an apparatus and a method, but may be implemented through a program that realizes a function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements by those skilled in the art using the basic concept of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

Claims (15)

As a method for a data policy control device to provide a user-selectable dedicated network service by interworking with a core network,
Receiving an authentication request for access to a dedicated network of a specific application from a terminal,
Authenticating the access to the dedicated network of the specific application based on the integrity of the verification information included in the authentication request and the validity of the dedicated network service product subscribed to by the user of the terminal, and
If the result of authenticating the private network access is successful, including allowing the specific application to access the private network to the terminal,
The traffic of the specific application is transmitted and received through a dedicated network allocated to the terminal, user-selectable dedicated network service providing method. In claim 1,
The step of authenticating the dedicated network access
When the amount of data used by the dedicated network in the terminal is within the data limit of the dedicated network service product, determining that the dedicated network service product is valid. In claim 1,
The verification information is
A method for providing a user-selectable dedicated network service comprising an identifier of the specific application, integrity information of the specific application, and a market identifier in which the specific application is distributed. In paragraph 3,
The step of authenticating the dedicated network access
A method of providing a user-selectable dedicated network service for verifying the integrity of the verification information by using information obtained from an application market in which the specific application is distributed. In claim 1,
After allowing the access to the dedicated network of the specific application, when the amount of data using the dedicated network by the terminal reaches the data limit of the dedicated network service product, instructing the terminal to release authentication for access to the dedicated network,
The terminal changes routing information of applications set to access the private network to access a public network, a method for providing a user-selectable private network service. In claim 1,
If the result of authentication of the private network access is failure, disallowing access to the private network of the specific application to the terminal,
The terminal transmits the traffic of the application is not allowed to access the private network to a public network, user-selectable private network service providing method. As a method for a terminal to provide a user-selectable dedicated network service by interworking with a data policy control device,
Transmitting an authentication request for access to a dedicated network of a specific application to the data policy control device,
Receiving an authentication result permitting access to a dedicated network of the specific application from the data policy control device, and
Including the step of setting routing information for transmitting the traffic of the specific application to the dedicated network allocated to the terminal,
The routing information is maintained while a dedicated network service product subscribed by a user of the terminal is valid. In clause 7,
The authentication request includes verification information obtained by downloading the specific application from an application market,
The above authentication result is
A method for providing a user-selectable dedicated network service, which is determined based on whether the verification information is integrity and whether the dedicated network service product is valid. In clause 8,
The verification information is
A method for providing a user-selectable dedicated network service including an identifier of the specific application, integrity information of the specific application, and an identifier of the application market. In clause 7,
After receiving the authentication result, receiving authentication cancellation for access to the private network from the data policy control device, and
Changing the routing information to access the public network
A method for providing a user-selectable dedicated network service further comprising a. In clause 7,
After setting the routing information, displaying that the specific application is accessible to the dedicated network on a user interface screen
User-selectable dedicated network service providing method further comprising a. In clause 7,
Transmitting the authentication request
When a user motion of moving the specific application displayed on the user interface screen into a specific area is input, the data policy control device requests authentication for access to the dedicated network of the specific application,
When access to the dedicated network is permitted from the data policy control device, the specific application is located in the specific area, and when access to the dedicated network is not permitted from the data policy control device, the specific application is located outside the specific area. Delivery method. In clause 7,
Receiving an execution request for the specific application located in a specific area,
Requesting authentication for access to a dedicated network of the specific application to the data policy control device, and
If the data policy control device allows access to the dedicated network, executing the specific application, and if the data policy control device does not permit access to the dedicated network, moving the specific application out of the specific area
A method for providing a user-selectable dedicated network service further comprising a. In clause 7,
The routing information is information for transferring the traffic of the specific application to a first network interface to which dedicated network access information is assigned,
A method of providing a user-selectable private network service, wherein traffic of general applications that are not permitted to access a private network among a plurality of installed applications are transmitted to a second network interface to which public network access information is allocated. In clause 14,
Allocating the dedicated network access information obtained after subscription of the dedicated network service product is completed to the first network interface
A method for providing a user-selectable dedicated network service further comprising a.

Images