WO2013154576A1 - Monitoring suspicious events in a cellular network - Google Patents

Monitoring suspicious events in a cellular network Download PDF

Info

Publication number
WO2013154576A1
WO2013154576A1 PCT/US2012/033511 US2012033511W WO2013154576A1 WO 2013154576 A1 WO2013154576 A1 WO 2013154576A1 US 2012033511 W US2012033511 W US 2012033511W WO 2013154576 A1 WO2013154576 A1 WO 2013154576A1
Authority
WO
WIPO (PCT)
Prior art keywords
monitoring
user equipment
category
devices
request
Prior art date
Application number
PCT/US2012/033511
Other languages
French (fr)
Inventor
Devaki Chandramouli
Rainer Liebhart
Original Assignee
Nokia Siemens Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Siemens Networks Oy filed Critical Nokia Siemens Networks Oy
Priority to US14/391,793 priority Critical patent/US9294924B2/en
Priority to EP12874140.2A priority patent/EP2836910B1/en
Priority to PCT/US2012/033511 priority patent/WO2013154576A1/en
Publication of WO2013154576A1 publication Critical patent/WO2013154576A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/30Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/535Tracking the activity of the user
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/128Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W24/00Supervisory, monitoring or testing arrangements
    • H04W24/04Arrangements for maintaining operational condition
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/70Services for machine-to-machine communication [M2M] or machine type communication [MTC]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • Communication systems including cellular networks, and the devices that are connected to them, can have both legitimate and illegitimate uses.
  • Such communication systems including systems that utilize, permit, or leverage machine-type-communications, may benefit from monitoring for suspicious events.
  • the evolved packet system provides radio interfaces and packet core network functions for broadband wireless data access.
  • EPS core network functions include the mobility management entity (MME), the packet data network gateway (PDN- GW) and the Serving Gateway (S-GW).
  • MME mobility management entity
  • PDN- GW packet data network gateway
  • S-GW Serving Gateway
  • An example of an evolved packet core architecture is illustrated in Figure 1 and is described by third generation partnership project (3GPP) technical specification (TS) 23.401, which is incorporated herein by reference in its entirety.
  • 3GPP third generation partnership project
  • TS third generation partnership project
  • a common packet domain core network can be used for both radio access networks (RANs), the global system for mobile communication (GSM) enhanced data rates for GSM evolution (EDGE) radio access network (GERAN) and the universal terrestrial radio access network (UTRAN).
  • GSM global system for mobile communication
  • EDGE enhanced data rates for GSM evolution
  • GERAN global system for mobile communication
  • UTRAN universal terrestrial radio access network
  • MTC-IWF MTC interworking function
  • S6m machine-type-communication
  • Tsp machine-type-communication
  • Tsms machine-type-communication
  • T5a/b/c machine-type-communication
  • T4 machine-type-communication
  • FIG 2 illustrates machine-type-communication additions to the 3 GPP architecture, as well as the various interfaces identified.
  • the MTC-IWF and the new interfaces in 3 GPP Release 11 can, for example, enable triggering of devices with or without a mobile subscriber integrated services digital network number (MSISDN) from an internal or external MTC server.
  • MSISDN mobile subscriber integrated services digital network number
  • the triggering of the devices may be, for example, in order to establish a packet data network (PDN) connection and/or packet data protocol (PDP) context.
  • PDN packet data network
  • PDP packet data protocol
  • a method includes receiving a monitoring request regarding a user equipment or a category of devices. The method also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
  • a method includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The method also includes receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
  • a method includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The method also includes determining whether the monitoring is permitted. The method further includes responding to the request based on whether the monitoring is permitted.
  • a method includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The method further includes reporting the occurrence to the requestor.
  • a method in certain embodiments, includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes forwarding the report of the suspicious activity to the requestor.
  • a method includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The method also includes reporting the suspicious activity to the user or the subscriber.
  • an apparatus includes at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a monitoring request regarding a user equipment or a category of devices.
  • the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to perform a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
  • the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
  • an apparatus includes at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
  • the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to receive a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
  • An apparatus includes at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
  • the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to determine whether the monitoring is permitted.
  • the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the request based on whether the monitoring is permitted.
  • An apparatus in certain embodiments, includes at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to monitor for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to detect an occurrence of the suspicious event with respect to the user equipment or the category of devices.
  • the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to report the occurrence to the requestor.
  • An apparatus includes at least one processor and at least one memory including computer program code in certain embodiments.
  • the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to forward the report of the suspicious activity to the requestor.
  • an apparatus includes at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
  • the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to report the suspicious activity to the user or the subscriber.
  • an apparatus includes receiving means for receiving a monitoring request regarding a user equipment or a category of devices.
  • the apparatus also includes performing means for performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
  • the apparatus further includes responding means for responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
  • An apparatus in certain embodiments, includes requesting means for requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
  • the apparatus also includes receiving means for receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
  • An apparatus includes receiving means for receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
  • the apparatus also includes determining means for determining whether the monitoring is permitted.
  • the apparatus further includes responding means for responding to the request based on whether the monitoring is permitted.
  • an apparatus includes monitoring means for monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the apparatus also includes detecting means for detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices.
  • the apparatus further includes reporting means for reporting the occurrence to the requestor.
  • An apparatus in certain embodiments, includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the apparatus also includes forwarding means for forwarding the report of the suspicious activity to the requestor.
  • an apparatus includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
  • the apparatus also includes reporting means for reporting the suspicious activity to the user or the subscriber.
  • a non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process.
  • the process includes receiving a monitoring request regarding a user equipment or a category of devices.
  • the process also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
  • the process further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
  • a non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process.
  • the process includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
  • the process also includes receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
  • a non-transitory computer readable medium is, according to certain embodiments, encoded with instructions that, when executed in hardware, perform a process.
  • the process includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
  • the process also includes determining whether the monitoring is permitted.
  • the process further includes responding to the request based on whether the monitoring is permitted.
  • a non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process.
  • the process includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the process also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices.
  • the process further includes reporting the occurrence to the requestor.
  • a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process.
  • the process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the process also includes forwarding the report of the suspicious activity to the requestor.
  • a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process.
  • the process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
  • the process also includes reporting the suspicious activity to the user or the subscriber.
  • Figure 1 illustrates an evolved packet core architecture.
  • Figure 2 illustrates machine-type-communication additions to a third generation partnership project architecture.
  • Figure 3 illustrates direct interface registration for monitoring according to certain embodiments.
  • Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments.
  • Figure 5 illustrates direct interface reporting according to certain embodiments.
  • Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments.
  • Figure 7 illustrates a method according to certain embodiments.
  • Figure 8 illustrates a system according to certain embodiments.
  • Machine-type-communication (MTC) monitoring is one example of machine-type-communication related features. Because machine-type devices can be deployed in remote areas and in locations where they are not monitored actively by humans, theft and vandalism risks differ from cases where there is constant or frequent human monitoring. Accordingly, a network can provide a mechanism to auto-detect suspicious activities. Suspicious activities, in this context, can include, for example, change of association between user equipment (UE) and universal integrated circuit card (UICC), loss of connectivity, communication failure, change of location, and in general any behavior that is not aligned with subscribed features. These events are neither detected nor reported by conventional networks. Certain embodiments, however, enable detection of events and report of these events as and when they occur so that the service provider, user, or law enforcement agency can take appropriate action.
  • UE user equipment
  • UICC universal integrated circuit card
  • Some of these useful services may be applied to, for example, smart meters or remote surveillance systems.
  • the service can also be extended to normal devices, such as smart phones, by the mobile network operator, for example.
  • Certain embodiments thus, provide a monitoring feature. This feature may be able to detect suspicious activities for unmanned devices and devices that are at risk of being stolen or manipulated.
  • Embodiments can include at least three aspects.
  • a first aspect relates to a procedure to register for monitoring service.
  • a second aspect relates to an ability to detect suspicious events, such as those events described above or similar events.
  • a third aspect relates to a procedure to report suspicious events as and when they occur.
  • a direct interface can be used between the machine-type-communication inter-working function (MTC-IWF) and the nodes performing monitoring of certain events.
  • MTC-IWF machine-type-communication inter-working function
  • This direct interface can be, for example, T5a/b/c between MTC-IWF and MME/SGSN/MSC as in Annex B of 3 GPP TS 23.682, or an interface between MTC-IWF and HSS like S6m. Use of other interfaces is also permitted.
  • Monitoring of certain events can be triggered by an external services capability server (SCS) as described in 3GPP TS 23.682, by any other application server inside or outside the operator domain or by the network itself based on subscription data stored in the HSS.
  • SCS external services capability server
  • Subscription data containing the events that are to be monitored can be downloaded to the MTC- IWF or directly to the serving nodes, MME, SGSN, and MSC, during device registration.
  • the subscription data can be accompanied by a request for the serving nodes to detect these events.
  • Serving nodes may monitor suspicious events for a defined period of time, such as for the duration of validity time. Upon detection of suspicious events, serving nodes, MME, SGSN, and MSC, can report to the requestor MTC-IWF. Alternatively, the serving nodes can report to a pre-configured application server or can store this information as part of charging, for example, charging data records (CDRs), or other records.
  • CDRs charging data records
  • a direct interface is used to register for monitoring service. More particularly, Figure 3 illustrates a simplified call flow to register for monitoring service, using a direct interface such as T5a/b/c.
  • a services capability server can initiate a request over, for example, Tsp to send a monitoring request to MTC- IWF for a certain device identified by its external identifier (URI or NAI) or MSISDN.
  • URI external identifier
  • MSISDN MSISDN
  • the MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
  • the MTC-IWF can receive the request from the SCS and can query the home subscriber server (HSS) to obtain the following information such as international mobile subscriber identity (IMSI), serving node identifier(s) and subscription information for monitoring services.
  • HSS home subscriber server
  • IMSI international mobile subscriber identity
  • serving node identifier(s) serving node identifier(s)
  • subscription information for monitoring services.
  • HSS authenticates the request from SCS for monitoring the target user equipment, and at S2A provides a response.
  • the MTC-IWF can, at S2B, store the relevant parameters and choose, based on the events to be monitored and serving node capabilities, the appropriate serving node. Some events may be directly monitored and reported by the HSS.
  • the MTC-IWF can send a request to register for monitoring service.
  • the request can include an IMSI and MTC-IWF ID and can optionally include service type(s), validity time, and a list of serving node(s).
  • the serving node can receive the request, check if the user equipment is currently registered in the network, and store originator for the request. Storing the originator can include storing the MTC-IWF ID.
  • the serving node can register the user equipment for the requested monitoring event(s) and report the registration status to the MTC-IWF. If the user equipment is not currently registered or there is some other reason for non-registration, such information can also be relayed to the MTC-IWF including the reason, if desired.
  • the serving node can generate the necessary CDR information for charging.
  • Registering at the serving node may imply setting a flag e.g. "UMS - UE monitoring service”. Note when the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then the serving node simply needs to add "IWF ID" to the list of requestor.
  • the serving node can respond with a failure indication to the MTC-IWF and can indicate the cause for the failure or can forward the monitoring request to the other serving nodes, which were present in the request, with the MTC-IWF identifier. The serving node can then perform the monitoring for the period specified in the validity time.
  • the IWF can respond to the SCS with the registration status for monitoring service, so the result can be forwarded to the application server and appropriate action can be taken in case of failure.
  • Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments.
  • the registering is via an HSS using an interface, such as S6m.
  • a services capability server can initiate a request over Tsp to send a monitoring request to MTC-IWF for a certain device identified by its external identifier, for example its uniform resource identifier (URI) or network access identifier (NAI), or MSISDN.
  • URI uniform resource identifier
  • NAI network access identifier
  • MTC-IWF for a certain device identified by its external identifier
  • URI uniform resource identifier
  • NAI network access identifier
  • MSISDN MSISDN
  • the MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
  • the MTC-IWF can receive the request, identify the appropriate HSS to register for the monitoring service, and send a request to the HSS with ext ID or MSISDN, and IWF ID, and optionally including other parameters including requested monitoring event(s) and validity time for the monitoring service.
  • the HSS can check the user's subscription for monitoring service and can authenticate the request from the SCS for monitoring the target user equipment. Upon successful authentication and validation of subscription, the HSS can identify the latest registered serving node, validate its support for monitoring service and, at T3, register for monitoring service with the serving node.
  • the message registering for monitoring can include, for example, an IMSI of the user equipment, as well as other parameters, such as service type(s) or validity time.
  • the serving node can receive the request and check if the user equipment is currently registered with it. If the user equipment is registered, then the serving node can register the user equipment for the requested monitoring service(s). The serving node can generate the necessary CDR information for charging. Registering at the serving node may imply setting a flag, for example, "UMS - UE monitoring service". When the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then no further action needs to be performed by the serving node to register the user equipment. The serving node can perform the monitoring for the period specified in the validity time.
  • the user equipment is currently not registered and/or the serving node is unaware of the target user equipment context, then at T5 it can respond with a failure indication to the HSS and can indicate the cause or reason for the failure. If the registration is successful, it can respond at T5 with the success.
  • the HSS can forward the response to the IWF.
  • the IWF can respond to the SCS with the registration status for monitoring service, so that the result can be forwarded to the application server and appropriate action can be taken in case of failure.
  • Suspicious event detection can be performed in various ways and various events can be determined to be suspicious. For example, the following are some activities that could be defined as "occurrence of suspicious activities" at the serving nodes, such as the MME, SGSN, MSC.
  • a first suspicious scenario can occur when a user equipment is subscribed with a low mobility feature and is confined to a certain paging area.
  • the MME/SGSN/MSC referring to any one or combination of these or similar serving nodes, can detect and report suspicious activity if the user equipment is performing a tracking area update from a location that is not part of the user equipment's subscription, such as a cell ID that is not within the paging area specified in the user equipment subscription.
  • a second suspicious scenario can occur when user equipment is subscribed with a time tolerant and/or time controlled feature and is supposed to access the network only within an "allowed time interval" and cannot access within the "forbidden time interval".
  • the MME/SGSN/MSC can detect and report suspicious activity if the user equipment is accessing the network outside the allowed time interval or at the forbidden time interval.
  • a user equipment can be subscribed for packet switched only services. If the user equipment is subscribed for packet switched only services, but the user equipment is performing a location update to a mobile switching center (MSC) to obtain voice service, then the MSC can detect this.
  • MSC mobile switching center
  • a fourth suspicious scenario can include increased data usage. If, for example, the user equipment is subscribed for a certain access point name aggregated maximum bit rate (APN-AMBR) but the serving nodes, with the help of entities managing user plane such as the eNB, RNC, P-GW,GGSN or another network element in the PCC infrastructure in the case of EPS, GPRS, detect that the usage has exceeded the allowed limit in the subscription, then the serving nodes can detect increased data usage.
  • APN-AMBR access point name aggregated maximum bit rate
  • the services capability server can either register for all the suspicious activities specified here, or other suspicious activities, or register simply for a specific event, such as increased data usage.
  • the nature of the monitoring event deployed in the operator's network can depend on the subscription model and subscription for the individual device.
  • the nature of the monitoring event deployed can also depend on the service level agreements between the mobile operator and the service provider. It is also possible that the network itself can monitor certain events based on the respective subscription data stored in the HSS.
  • Figure 5 illustrates direct interface reporting according to certain embodiments. More particularly, Figure 5 illustrates a simplified call flow to report suspicious activity using a direct interface such as T5a/b/c.
  • the serving nodes for example MME, SGSN, and/or MSC, can report the suspicious activity to a node that requested monitoring.
  • the MTC-IWF is the node that requested.
  • the report can include a corresponding IMSI for user equipment identification, as well as description or other identifier of the suspicious event, if, for example, more than one kind of event is being monitored.
  • the MTC-IWF can use a cached IMSI to perform extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report.
  • the MTC-IWF can forward the report to the services capability server.
  • the report can include the extID or MSISDN, as well as some description or indication, explicit or implicit, of the event detected.
  • the SCS may forward this to the corresponding application server that is eventually responsible for alerting the user.
  • the suspicious activity can be reported to a law enforcement agency.
  • Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments.
  • Figure 6 illustrates an approach in which reporting is via an HSS, using an interface such as S6m.
  • the MME/SGSN/MSC can report the suspicious activity to the requestor, which is indicated as the HSS in this case.
  • the report can include the corresponding IMSI for user equipment identification, as well as an indication of the event(s) detected, either explicitly or implicitly.
  • the HSS can modify the report using a stored IMSI to extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report. Then, at V3, the HSS can forward the report to the requestor, which is MTC- IWF in this case.
  • the MTC-IWF can forward the report to the SCS.
  • the SCS may forward this to the corresponding application server that is eventually responsible for alerting the user or, as noted above, to a law enforcement agency.
  • Embodiments can have various impacts on monitoring service due to user equipment mobility.
  • the user equipment can reselect to another cell either due to change in the radio frequency (RF) conditions of the current serving cell, such as when a truck crosses the signal path and fades the signal towards the user equipment, or due to physical movement of the device itself.
  • RF radio frequency
  • the user equipment can perform a handover from one cell to another cell. This handover may cause a change in the serving node (MSC, MME, SGSN).
  • the serving node can forward this information as part of the user equipment context to the new serving node to ensure that the new serving node continues to perform monitoring activities. If the new serving node does not support monitoring service or it is a legacy node, then the new serving node may either fail the registration or ignore the registration. Failure can then be reported to the IWF and SCS, either by the new serving node or the old serving node, to ensure that the user is alerted and can take appropriate action.
  • Monitoring service can be provided in the serving nodes or in the HSS and can generally be applied for all devices, including for example regular phones, as well as being applied in a circuit switched (CS) domain.
  • CS circuit switched
  • An IWF in the above call flows, illustrated in Figures 3 through 6, can be modified to serve as an application server/monitoring server in the operator's network.
  • the application server/monitoring server can directly register with the HSS, or could even be co-located with the HSS, and/or with the serving nodes. Registering with the HSS can avoid exposing the internal network topology of the visited network to different servers in the home network.
  • the network operator may decide to monitor certain events at all devices or according to certain device categories, such as all MTC devices, all smart phones, all iPhones, all dongles, and so forth.
  • the subscription data in the HSS can contain the necessary information and the network can request the device identity from the user equipment.
  • Subscription information can be downloaded to the serving nodes, such as MME, SGSN and MSC, during device registration, requesting the serving nodes to detect certain events and report to a pre-configured application server, or the serving nodes can simply add this information to charging or other records.
  • Certain embodiments can provide the ability for the networks to dynamically detect suspicious activities and report to the user subscribed for this service. Since many MTC devices may be present in unmanned location, sending personnel to monitor the device regularly requires human labor hours. Moreover, certain embodiments can provide a safety net in identifying suspicious activities as soon as they occur, hence increasing the chance of recovering a stolen device, or stopping hacking of a device.
  • Certain embodiments can use direct interfaces between MTC-IWF and the serving nodes, HSS and the serving nodes. Moreover, certain embodiments can monitor MSISDN-less devices in a "PS-only" deployment with a PS-only subscription. The same approach can be applied for monitoring devices with MSISDN in "CS" deployment with CS subscription.
  • MNOs mobile network operators
  • M2M machine to machine
  • Figure 7 illustrates a method according to certain embodiments.
  • a method can include, at 720, receiving a monitoring request regarding a user equipment or a category of devices.
  • the method can also include, at 722, performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
  • the method can further include, at 724, responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
  • the suspicious event can include at least one event of the following: a tracking update occurs from a location outside an area allowed for the user equipment or from a certain device category; the user equipment or the device category accesses a network outside an allowed time interval or at a forbidden time interval; the user equipment or the device category is subscribed for packet switched services only but is performing a location update to obtain voice service; or the user equipment or the device category has exceeded an allowed data usage limit.
  • a device category is the category of all smart phones, or all smart phones of a particular make or model.
  • Other device categories can include all MTC devices, all regular phones, all smart meters, all tablets, or all dongles.
  • the monitoring activity can include selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
  • the method can additionally include, at 726, receiving a registration status response in response to the registering and, at 728, forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
  • the method can also include, at 710, requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
  • the method can further include, at 712, receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
  • the requesting monitoring can include sending a monitoring request to a machine type communication interworking function.
  • the method can further include at 730, receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
  • the method can also include, at 732, determining whether the monitoring is permitted.
  • the method can further include, at 734, responding to the request based on whether the monitoring is permitted.
  • the method can additionally include, at 736, determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
  • the method can also include, at 738, storing an identifier of the requestor of the monitoring.
  • the method can include at 740, monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the method can also include, at 742, detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices.
  • the method can further include, at 744, reporting the occurrence to the requestor.
  • the reporting can include sending an indication of the user equipment's international mobile subscriber identity to the requestor.
  • the method can also include, at 750, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
  • the method can further include, at 752, forwarding the report of the suspicious activity to the requestor.
  • the method can additionally include, at 754, receiving, in the report, a user equipment's international mobile subscriber identity.
  • the method can also include, at 756, translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
  • the method additionally can include, at 760, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
  • the method can also include, at 762, reporting the suspicious activity to the user or the subscriber.
  • FIG. 8 illustrates a system according to certain embodiments of the invention.
  • a system may include two devices, such as, for example, SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840.
  • Each of these devices may include at least one processor, respectively indicated as 814, 824, 834, and 844.
  • At least one memory is provided in each device, and indicated as 815, 825, 835, and 845, respectively.
  • the memory may include computer program instructions or computer code contained therein.
  • Transceivers 816, 826, 836, and 846 are provided, and each device may also include an antenna, respectively illustrated as 817, 827, 837, and 847.
  • SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840 may be configured for wired communication, rather than wireless communication, and in such a case antennas 817, 827, 837, and 847 would illustrate any form of communication hardware, without requiring a conventional antenna.
  • Transceivers 816, 826, 836, and 846 can each, independently, be a transmitter, a receiver, or both a transmitter and a receiver, or a unit or device that is configured both for transmission and reception.
  • Processors 814, 824, 834, and 844 can be embodied by any computational or data processing device, such as a central processing unit (CPU), application specific integrated circuit (ASIC), or comparable device.
  • the processors can be implemented as a single controller, or a plurality of controllers or processors.
  • Memories 815, 825, 835, and 845 can independently be any suitable storage device, such as a non-transitory computer-readable medium.
  • a hard disk drive (HDD), random access memory (RAM), flash memory, or other suitable memory can be used.
  • the memories can be combined on a single integrated circuit as the processor, or may be separate therefrom.
  • the computer program instructions stored in the memory and which may be processed by the processors can be any suitable form of computer program code, for example, a compiled or interpreted computer program written in any suitable programming language.
  • the memory and the computer program instructions can be configured, with the processor for the particular device, to cause a hardware apparatus such as SCS 810, MME/SGSN/MSC 820, HSS 830, or MTC-IWF 840, to perform any of the processes described above (see, for example, Figures 3-7). Therefore, in certain embodiments, a non-transitory computer-readable medium can be encoded with computer instructions that, when executed in hardware, perform a process such as one of the processes described herein. Alternatively, certain embodiments of the invention can be performed entirely in hardware.
  • Figure 8 illustrates a system including an SCS, MME/SGSN/MSC, HSS, and MTC-IWF
  • embodiments of the invention may be applicable to other configurations, and configurations involving additional elements, as illustrated herein.

Abstract

Communication systems, including cellular networks, and the devices that are connected to them, can have both legitimate and illegitimate uses. Such communication systems, including systems that utilize, permit, or leverage machine-type-communications, may benefit from monitoring for suspicious events. A method can include receiving a monitoring request regarding a user equipment or a category of devices. The method can also include performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method can further include responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.

Description

MONITORING SUSPICIOUS EVENTS IN A CELLULAR NETWORK
BACKGROUND:
Field:
[0001] Communication systems, including cellular networks, and the devices that are connected to them, can have both legitimate and illegitimate uses. Such communication systems, including systems that utilize, permit, or leverage machine-type-communications, may benefit from monitoring for suspicious events.
Description of the Related Art:
[0002] The evolved packet system (EPS), the successor of general packet radio system (GPRS), provides radio interfaces and packet core network functions for broadband wireless data access. EPS core network functions include the mobility management entity (MME), the packet data network gateway (PDN- GW) and the Serving Gateway (S-GW). An example of an evolved packet core architecture is illustrated in Figure 1 and is described by third generation partnership project (3GPP) technical specification (TS) 23.401, which is incorporated herein by reference in its entirety. A common packet domain core network can be used for both radio access networks (RANs), the global system for mobile communication (GSM) enhanced data rates for GSM evolution (EDGE) radio access network (GERAN) and the universal terrestrial radio access network (UTRAN).
[0003] For machine-type-communication (MTC) a functional entity called MTC interworking function (MTC-IWF) and several new interfaces, including S6m, Tsp, Tsms, T5a/b/c and T4, have been introduced to the 3GPP architecture. Figure 2 illustrates machine-type-communication additions to the 3 GPP architecture, as well as the various interfaces identified. The MTC-IWF and the new interfaces in 3 GPP Release 11 (Rel 11) can, for example, enable triggering of devices with or without a mobile subscriber integrated services digital network number (MSISDN) from an internal or external MTC server. The triggering of the devices may be, for example, in order to establish a packet data network (PDN) connection and/or packet data protocol (PDP) context. A 3 GPP architecture for machine-type communication is discussed in 3GPP TS 23.682, which incorporated herein by reference in its entirety.
SUMMARY:
[0004] According to certain embodiments, a method includes receiving a monitoring request regarding a user equipment or a category of devices. The method also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0005] In certain embodiments, a method includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The method also includes receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0006] A method, according to certain embodiments, includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The method also includes determining whether the monitoring is permitted. The method further includes responding to the request based on whether the monitoring is permitted.
[0007] According to certain embodiments, a method includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The method further includes reporting the occurrence to the requestor.
[0008] A method, in certain embodiments, includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes forwarding the report of the suspicious activity to the requestor.
[0009] A method, according to certain embodiments, includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The method also includes reporting the suspicious activity to the user or the subscriber.
[0010] In certain embodiments, an apparatus includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a monitoring request regarding a user equipment or a category of devices. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to perform a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0011] According to certain embodiments, an apparatus includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to receive a response to the monitoring request, wherein the response indicates a registration status of the monitoring. [0012] An apparatus, according to certain embodiments, includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to determine whether the monitoring is permitted. The at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the request based on whether the monitoring is permitted.
[0013] An apparatus, in certain embodiments, includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to monitor for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to detect an occurrence of the suspicious event with respect to the user equipment or the category of devices. The at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to report the occurrence to the requestor.
[0014] An apparatus includes at least one processor and at least one memory including computer program code in certain embodiments. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to forward the report of the suspicious activity to the requestor.
[0015] According to certain embodiments, an apparatus includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to report the suspicious activity to the user or the subscriber.
[0016] In certain embodiments, an apparatus includes receiving means for receiving a monitoring request regarding a user equipment or a category of devices. The apparatus also includes performing means for performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The apparatus further includes responding means for responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0017] An apparatus, in certain embodiments, includes requesting means for requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The apparatus also includes receiving means for receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0018] An apparatus, according to certain embodiments, includes receiving means for receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The apparatus also includes determining means for determining whether the monitoring is permitted. The apparatus further includes responding means for responding to the request based on whether the monitoring is permitted.
[0019] According to certain embodiments, an apparatus includes monitoring means for monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The apparatus also includes detecting means for detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The apparatus further includes reporting means for reporting the occurrence to the requestor.
[0020] An apparatus, in certain embodiments, includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The apparatus also includes forwarding means for forwarding the report of the suspicious activity to the requestor.
[0021] In certain embodiments, an apparatus includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The apparatus also includes reporting means for reporting the suspicious activity to the user or the subscriber.
[0022] A non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a monitoring request regarding a user equipment or a category of devices. The process also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The process further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0023] According to certain embodiments, a non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process. The process includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The process also includes receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0024] A non-transitory computer readable medium is, according to certain embodiments, encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The process also includes determining whether the monitoring is permitted. The process further includes responding to the request based on whether the monitoring is permitted.
[0025] A non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process. The process includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The process also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The process further includes reporting the occurrence to the requestor.
[0026] In certain embodiments, a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The process also includes forwarding the report of the suspicious activity to the requestor.
[0027] According to certain embodiments, a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The process also includes reporting the suspicious activity to the user or the subscriber. BRIEF DESCRIPTION OF THE DRAWINGS:
[0028] For proper understanding of the invention, reference should be made to the accompanying drawings, wherein:
[0029] Figure 1 illustrates an evolved packet core architecture.
[0030] Figure 2 illustrates machine-type-communication additions to a third generation partnership project architecture.
[0031] Figure 3 illustrates direct interface registration for monitoring according to certain embodiments.
[0032] Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments.
[0033] Figure 5 illustrates direct interface reporting according to certain embodiments.
[0034] Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments.
[0035] Figure 7 illustrates a method according to certain embodiments.
[0036] Figure 8 illustrates a system according to certain embodiments.
DETAILED DESCRIPTION:
[0037] Machine-type-communication (MTC) monitoring is one example of machine-type-communication related features. Because machine-type devices can be deployed in remote areas and in locations where they are not monitored actively by humans, theft and vandalism risks differ from cases where there is constant or frequent human monitoring. Accordingly, a network can provide a mechanism to auto-detect suspicious activities. Suspicious activities, in this context, can include, for example, change of association between user equipment (UE) and universal integrated circuit card (UICC), loss of connectivity, communication failure, change of location, and in general any behavior that is not aligned with subscribed features. These events are neither detected nor reported by conventional networks. Certain embodiments, however, enable detection of events and report of these events as and when they occur so that the service provider, user, or law enforcement agency can take appropriate action.
[0038] Some of these useful services may be applied to, for example, smart meters or remote surveillance systems. The service can also be extended to normal devices, such as smart phones, by the mobile network operator, for example.
[0039] Certain embodiments, thus, provide a monitoring feature. This feature may be able to detect suspicious activities for unmanned devices and devices that are at risk of being stolen or manipulated.
[0040] Embodiments can include at least three aspects. A first aspect relates to a procedure to register for monitoring service. A second aspect relates to an ability to detect suspicious events, such as those events described above or similar events. A third aspect relates to a procedure to report suspicious events as and when they occur.
[0041] Certain embodiments also address the impact on the core network (CN) due to user equipment mobility. A direct interface can be used between the machine-type-communication inter-working function (MTC-IWF) and the nodes performing monitoring of certain events. This direct interface can be, for example, T5a/b/c between MTC-IWF and MME/SGSN/MSC as in Annex B of 3 GPP TS 23.682, or an interface between MTC-IWF and HSS like S6m. Use of other interfaces is also permitted.
[0042] Monitoring of certain events can be triggered by an external services capability server (SCS) as described in 3GPP TS 23.682, by any other application server inside or outside the operator domain or by the network itself based on subscription data stored in the HSS. Subscription data containing the events that are to be monitored can be downloaded to the MTC- IWF or directly to the serving nodes, MME, SGSN, and MSC, during device registration. The subscription data can be accompanied by a request for the serving nodes to detect these events.
[0043] Serving nodes may monitor suspicious events for a defined period of time, such as for the duration of validity time. Upon detection of suspicious events, serving nodes, MME, SGSN, and MSC, can report to the requestor MTC-IWF. Alternatively, the serving nodes can report to a pre-configured application server or can store this information as part of charging, for example, charging data records (CDRs), or other records.
[0044] Various procedures can be used to register for monitoring service. Two possible alternatives available for a services capability server to register for monitoring service with the network are discussed below.
[0045] In a first alternative, illustrated in Figure 3, a direct interface is used to register for monitoring service. More particularly, Figure 3 illustrates a simplified call flow to register for monitoring service, using a direct interface such as T5a/b/c.
[0046] As shown in Figure 3, at SI, a services capability server (SCS) can initiate a request over, for example, Tsp to send a monitoring request to MTC- IWF for a certain device identified by its external identifier (URI or NAI) or MSISDN. This could be a generic request that includes all types of monitoring events or it could be a specific request for certain types of monitoring events. This may depend on the service level agreements between mobile operator and service provider. The MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
[0047] At S2, the MTC-IWF can receive the request from the SCS and can query the home subscriber server (HSS) to obtain the following information such as international mobile subscriber identity (IMSI), serving node identifier(s) and subscription information for monitoring services. In addition, HSS authenticates the request from SCS for monitoring the target user equipment, and at S2A provides a response.
[0048] Upon successful response from HSS with any needed parameters such as IMSI and a list of serving nodes, the MTC-IWF can, at S2B, store the relevant parameters and choose, based on the events to be monitored and serving node capabilities, the appropriate serving node. Some events may be directly monitored and reported by the HSS.
[0049] Then, at S3, the MTC-IWF can send a request to register for monitoring service. The request can include an IMSI and MTC-IWF ID and can optionally include service type(s), validity time, and a list of serving node(s).
[0050] At S3A, the serving node can receive the request, check if the user equipment is currently registered in the network, and store originator for the request. Storing the originator can include storing the MTC-IWF ID.
[0051] Moreover, at S4, upon a determination that the user equipment is currently registered in the network, the serving node can register the user equipment for the requested monitoring event(s) and report the registration status to the MTC-IWF. If the user equipment is not currently registered or there is some other reason for non-registration, such information can also be relayed to the MTC-IWF including the reason, if desired.
[0052] More specifically, the serving node can generate the necessary CDR information for charging. Registering at the serving node may imply setting a flag e.g. "UMS - UE monitoring service". Note when the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then the serving node simply needs to add "IWF ID" to the list of requestor.
[0053] If the user equipment is currently not registered in the network and/or the serving node is unaware of the target user equipment context, then the serving node can respond with a failure indication to the MTC-IWF and can indicate the cause for the failure or can forward the monitoring request to the other serving nodes, which were present in the request, with the MTC-IWF identifier. The serving node can then perform the monitoring for the period specified in the validity time.
[0054] At S5, the IWF can respond to the SCS with the registration status for monitoring service, so the result can be forwarded to the application server and appropriate action can be taken in case of failure.
[0055] Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments. In this example, the registering is via an HSS using an interface, such as S6m.
[0056] As shown in Figure 4, at Tl, a services capability server (SCS) can initiate a request over Tsp to send a monitoring request to MTC-IWF for a certain device identified by its external identifier, for example its uniform resource identifier (URI) or network access identifier (NAI), or MSISDN. This could be a generic request that includes all types of monitoring services or it could be a specific request for a certain type of monitoring service. This may depend on the service level agreements between mobile operator and service provider. The MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
[0057] At T2, the MTC-IWF can receive the request, identify the appropriate HSS to register for the monitoring service, and send a request to the HSS with ext ID or MSISDN, and IWF ID, and optionally including other parameters including requested monitoring event(s) and validity time for the monitoring service.
[0058] At T3A, the HSS can check the user's subscription for monitoring service and can authenticate the request from the SCS for monitoring the target user equipment. Upon successful authentication and validation of subscription, the HSS can identify the latest registered serving node, validate its support for monitoring service and, at T3, register for monitoring service with the serving node. The message registering for monitoring can include, for example, an IMSI of the user equipment, as well as other parameters, such as service type(s) or validity time.
[0059] At T4, the serving node can receive the request and check if the user equipment is currently registered with it. If the user equipment is registered, then the serving node can register the user equipment for the requested monitoring service(s). The serving node can generate the necessary CDR information for charging. Registering at the serving node may imply setting a flag, for example, "UMS - UE monitoring service". When the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then no further action needs to be performed by the serving node to register the user equipment. The serving node can perform the monitoring for the period specified in the validity time.
[0060] If the user equipment is currently not registered and/or the serving node is unaware of the target user equipment context, then at T5 it can respond with a failure indication to the HSS and can indicate the cause or reason for the failure. If the registration is successful, it can respond at T5 with the success.
[0061] At T6, the HSS can forward the response to the IWF. Then, at T7, the IWF can respond to the SCS with the registration status for monitoring service, so that the result can be forwarded to the application server and appropriate action can be taken in case of failure.
[0062] Suspicious event detection can be performed in various ways and various events can be determined to be suspicious. For example, the following are some activities that could be defined as "occurrence of suspicious activities" at the serving nodes, such as the MME, SGSN, MSC.
[0063] A first suspicious scenario can occur when a user equipment is subscribed with a low mobility feature and is confined to a certain paging area. In this case, the MME/SGSN/MSC, referring to any one or combination of these or similar serving nodes, can detect and report suspicious activity if the user equipment is performing a tracking area update from a location that is not part of the user equipment's subscription, such as a cell ID that is not within the paging area specified in the user equipment subscription.
[0064] A second suspicious scenario can occur when user equipment is subscribed with a time tolerant and/or time controlled feature and is supposed to access the network only within an "allowed time interval" and cannot access within the "forbidden time interval". In this case, the MME/SGSN/MSC can detect and report suspicious activity if the user equipment is accessing the network outside the allowed time interval or at the forbidden time interval.
[0065] In a third suspicious scenario, a user equipment can be subscribed for packet switched only services. If the user equipment is subscribed for packet switched only services, but the user equipment is performing a location update to a mobile switching center (MSC) to obtain voice service, then the MSC can detect this.
[0066] A fourth suspicious scenario can include increased data usage. If, for example, the user equipment is subscribed for a certain access point name aggregated maximum bit rate (APN-AMBR) but the serving nodes, with the help of entities managing user plane such as the eNB, RNC, P-GW,GGSN or another network element in the PCC infrastructure in the case of EPS, GPRS, detect that the usage has exceeded the allowed limit in the subscription, then the serving nodes can detect increased data usage.
[0067] These four scenarios are example of suspicious scenarios, although other scenarios are also possible. For example, if a particular device that the system has determined is a permanently stationary device, such as a smart meter, attempts a handover from a home network to a visited network or roams into a visited network, this may be deemed a suspicious event, if the device's subscription does not include roaming service.
[0068] The services capability server can either register for all the suspicious activities specified here, or other suspicious activities, or register simply for a specific event, such as increased data usage. The nature of the monitoring event deployed in the operator's network can depend on the subscription model and subscription for the individual device. The nature of the monitoring event deployed can also depend on the service level agreements between the mobile operator and the service provider. It is also possible that the network itself can monitor certain events based on the respective subscription data stored in the HSS.
[0069] Various procedures can be used to report suspicious activities. Depending on the procedure adopted to register for monitoring, a corresponding procedure can be used to report suspicious activities. Thus, there are at least two alternative approaches available to report suspicious activities, corresponding to the two alternative approaches for monitoring already outlined above.
[0070] Figure 5 illustrates direct interface reporting according to certain embodiments. More particularly, Figure 5 illustrates a simplified call flow to report suspicious activity using a direct interface such as T5a/b/c.
[0071] As shown in Figure 5, at Ul, upon detection of suspicious activity based on registered event(s) the serving nodes, for example MME, SGSN, and/or MSC, can report the suspicious activity to a node that requested monitoring. In this case, the MTC-IWF is the node that requested. The report can include a corresponding IMSI for user equipment identification, as well as description or other identifier of the suspicious event, if, for example, more than one kind of event is being monitored.
[0072] At U2, the MTC-IWF can use a cached IMSI to perform extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report. At U3, the MTC-IWF can forward the report to the services capability server. The report can include the extID or MSISDN, as well as some description or indication, explicit or implicit, of the event detected. The SCS may forward this to the corresponding application server that is eventually responsible for alerting the user. Alternatively, the suspicious activity can be reported to a law enforcement agency.
[0073] Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments. In particular, Figure 6 illustrates an approach in which reporting is via an HSS, using an interface such as S6m.
[0074] At VI, upon detection of suspicious activity based on registered event(s) the MME/SGSN/MSC can report the suspicious activity to the requestor, which is indicated as the HSS in this case. The report can include the corresponding IMSI for user equipment identification, as well as an indication of the event(s) detected, either explicitly or implicitly.
[0075] At V2, the HSS can modify the report using a stored IMSI to extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report. Then, at V3, the HSS can forward the report to the requestor, which is MTC- IWF in this case.
[0076] At V4, the MTC-IWF can forward the report to the SCS. The SCS may forward this to the corresponding application server that is eventually responsible for alerting the user or, as noted above, to a law enforcement agency.
[0077] Embodiments can have various impacts on monitoring service due to user equipment mobility. In a traditional mobile network, the user equipment can reselect to another cell either due to change in the radio frequency (RF) conditions of the current serving cell, such as when a truck crosses the signal path and fades the signal towards the user equipment, or due to physical movement of the device itself. When these or similar events happen, the user equipment can perform a handover from one cell to another cell. This handover may cause a change in the serving node (MSC, MME, SGSN).
[0078] If the user equipment is registered for monitoring service and is within the validity time for the registered service, then the serving node can forward this information as part of the user equipment context to the new serving node to ensure that the new serving node continues to perform monitoring activities. If the new serving node does not support monitoring service or it is a legacy node, then the new serving node may either fail the registration or ignore the registration. Failure can then be reported to the IWF and SCS, either by the new serving node or the old serving node, to ensure that the user is alerted and can take appropriate action.
[0079] Certain embodiments can also apply to a general monitoring service beyond MTC devices when a MTC-IWF is not deployed, for example. Monitoring service can be provided in the serving nodes or in the HSS and can generally be applied for all devices, including for example regular phones, as well as being applied in a circuit switched (CS) domain.
[0080] An IWF in the above call flows, illustrated in Figures 3 through 6, can be modified to serve as an application server/monitoring server in the operator's network. In this case, the application server/monitoring server can directly register with the HSS, or could even be co-located with the HSS, and/or with the serving nodes. Registering with the HSS can avoid exposing the internal network topology of the visited network to different servers in the home network.
[0081] As an alternative, the network operator may decide to monitor certain events at all devices or according to certain device categories, such as all MTC devices, all smart phones, all iPhones, all dongles, and so forth. To enable this functionality, the subscription data in the HSS can contain the necessary information and the network can request the device identity from the user equipment. Subscription information can be downloaded to the serving nodes, such as MME, SGSN and MSC, during device registration, requesting the serving nodes to detect certain events and report to a pre-configured application server, or the serving nodes can simply add this information to charging or other records.
[0082] Certain embodiments can provide the ability for the networks to dynamically detect suspicious activities and report to the user subscribed for this service. Since many MTC devices may be present in unmanned location, sending personnel to monitor the device regularly requires human labor hours. Moreover, certain embodiments can provide a safety net in identifying suspicious activities as soon as they occur, hence increasing the chance of recovering a stolen device, or stopping hacking of a device.
[0083] Certain embodiments can use direct interfaces between MTC-IWF and the serving nodes, HSS and the serving nodes. Moreover, certain embodiments can monitor MSISDN-less devices in a "PS-only" deployment with a PS-only subscription. The same approach can be applied for monitoring devices with MSISDN in "CS" deployment with CS subscription.
[0084] This kind of monitoring service can be offered by mobile network operators (MNOs) to their subscribers, both for machine to machine (M2M) devices and normal devices, to reduce theft and vandalism.
[0085] Figure 7 illustrates a method according to certain embodiments. As illustrated in Figure 7, a method can include, at 720, receiving a monitoring request regarding a user equipment or a category of devices. The method can also include, at 722, performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method can further include, at 724, responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0086] The suspicious event can include at least one event of the following: a tracking update occurs from a location outside an area allowed for the user equipment or from a certain device category; the user equipment or the device category accesses a network outside an allowed time interval or at a forbidden time interval; the user equipment or the device category is subscribed for packet switched services only but is performing a location update to obtain voice service; or the user equipment or the device category has exceeded an allowed data usage limit. One example of a device category is the category of all smart phones, or all smart phones of a particular make or model. Other device categories can include all MTC devices, all regular phones, all smart meters, all tablets, or all dongles.
[0087] The monitoring activity can include selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
[0088] The method can additionally include, at 726, receiving a registration status response in response to the registering and, at 728, forwarding the registration status toward a source of the monitoring request while responding to the monitoring request. [0089] The method can also include, at 710, requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The method can further include, at 712, receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0090] The requesting monitoring can include sending a monitoring request to a machine type communication interworking function.
[0091] The method can further include at 730, receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The method can also include, at 732, determining whether the monitoring is permitted. The method can further include, at 734, responding to the request based on whether the monitoring is permitted.
[0092] The method can additionally include, at 736, determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment. The method can also include, at 738, storing an identifier of the requestor of the monitoring.
[0093] The method, moreover, can include at 740, monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method can also include, at 742, detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The method can further include, at 744, reporting the occurrence to the requestor.
[0094] The reporting can include sending an indication of the user equipment's international mobile subscriber identity to the requestor.
[0095] The method can also include, at 750, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method can further include, at 752, forwarding the report of the suspicious activity to the requestor. [0096] The method can additionally include, at 754, receiving, in the report, a user equipment's international mobile subscriber identity. The method can also include, at 756, translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
[0097] The method additionally can include, at 760, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The method can also include, at 762, reporting the suspicious activity to the user or the subscriber.
[0098] Figure 8 illustrates a system according to certain embodiments of the invention. In one embodiment, a system may include two devices, such as, for example, SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840. Each of these devices may include at least one processor, respectively indicated as 814, 824, 834, and 844. At least one memory is provided in each device, and indicated as 815, 825, 835, and 845, respectively. The memory may include computer program instructions or computer code contained therein. Transceivers 816, 826, 836, and 846 are provided, and each device may also include an antenna, respectively illustrated as 817, 827, 837, and 847. Other configurations of these devices, for example, may be provided. For example, SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840 may be configured for wired communication, rather than wireless communication, and in such a case antennas 817, 827, 837, and 847 would illustrate any form of communication hardware, without requiring a conventional antenna.
[0099] Transceivers 816, 826, 836, and 846 can each, independently, be a transmitter, a receiver, or both a transmitter and a receiver, or a unit or device that is configured both for transmission and reception.
[0100] Processors 814, 824, 834, and 844 can be embodied by any computational or data processing device, such as a central processing unit (CPU), application specific integrated circuit (ASIC), or comparable device. The processors can be implemented as a single controller, or a plurality of controllers or processors.
[0101] Memories 815, 825, 835, and 845 can independently be any suitable storage device, such as a non-transitory computer-readable medium. A hard disk drive (HDD), random access memory (RAM), flash memory, or other suitable memory can be used. The memories can be combined on a single integrated circuit as the processor, or may be separate therefrom. Furthermore, the computer program instructions stored in the memory and which may be processed by the processors can be any suitable form of computer program code, for example, a compiled or interpreted computer program written in any suitable programming language.
[0102] The memory and the computer program instructions can be configured, with the processor for the particular device, to cause a hardware apparatus such as SCS 810, MME/SGSN/MSC 820, HSS 830, or MTC-IWF 840, to perform any of the processes described above (see, for example, Figures 3-7). Therefore, in certain embodiments, a non-transitory computer-readable medium can be encoded with computer instructions that, when executed in hardware, perform a process such as one of the processes described herein. Alternatively, certain embodiments of the invention can be performed entirely in hardware.
[0103] Furthermore, although Figure 8 illustrates a system including an SCS, MME/SGSN/MSC, HSS, and MTC-IWF, embodiments of the invention may be applicable to other configurations, and configurations involving additional elements, as illustrated herein.
[0104] One having ordinary skill in the art will readily understand that the invention as discussed above may be practiced with steps in a different order, and/or with hardware elements in configurations which are different than those which are disclosed. Therefore, although the invention has been described based upon these preferred embodiments, it would be apparent to those of skill in the art that certain modifications, variations, and alternative constructions would be apparent, while remaining within the spirit and scope of the invention. In order to determine the metes and bounds of the invention, therefore, reference should be made to the appended claims.
[0105] Glossary of Abbreviations
[0106] IMSI - International Mobile Subscriber Identity
[0107] M2M, MTC - Machine Type Communication
[0108] OA&M - Operation, Administration and Maintenance
[0109] SIMTC - System Improvements for Machine Type Communication
(3 GPP Rel-1 1 work item)
[0110] SCS - Services Capability Server
[0111] IWF - Interworking Function
[0112] extID - External Identifier (could be NAI, URI or FQDN)
[0113] MSISDN - Mobile Subscriber Integrated Services Digital Network Number
[0114]UE - User Equipment

Claims

WE CLAIM:
1. A method, comprising:
receiving a monitoring request regarding a user equipment or a category of devices;
performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
2. The method of claim 1, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
3. The method of claim 2, further comprising:
receiving a registration status response in response to the registering; and
forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
4. The method of claim 1, wherein the suspicious event comprises at least one event of the following: a tracking update occurs from a location outside an area allowed for the user equipment or from a certain device category; the user equipment or the device category accesses a network outside an allowed time interval or at a forbidden time interval; the user equipment or the device category is subscribed for packet switched services only but is performing a location update to obtain voice service; or the user equipment or the device category has exceeded an allowed data usage limit.
5. The method of claim 4, wherein the device category comprises a category of at least one of the following: smart phones, regular phones, machine type devices, smart meters, tablets, or dongles.
6. A method, comprising:
requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
7. The method of claim 6, wherein the requesting monitoring comprises sending a monitoring request to a machine type communication interworking function.
8. A method, comprising:
receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event;
determining whether the monitoring is permitted; and
responding to the request based on whether the monitoring is permitted.
9. The method of claim 8, further comprising:
determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
10. The method of claim 9, further comprising:
storing an identifier of the requestor of the monitoring.
11. A method, comprising:
monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
reporting the occurrence to the requestor.
12. The method of claim 11, wherein the reporting comprises sending an indication of the user equipment's international mobile subscriber identity to the requestor.
13. The method of claim 11, wherein the reporting comprises sending a report to a machine type communication interworking function.
14. A method, comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forwarding the report of the suspicious activity to the requestor.
15. The method of claim 14, further comprising:
receiving, in the report, a user equipment's international mobile subscriber identity; and
translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
16. A method, comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
reporting the suspicious activity to the user or the subscriber.
17. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a monitoring request regarding a user equipment or a category of devices;
perform a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
respond to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
18. The apparatus of claim 17, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
19. The apparatus of claim 18, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to:
receive a registration status response in response to the registering; and forward the registration status toward a source of the monitoring request while responding to the monitoring request.
20. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receive a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
21. The apparatus of claim 20, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request the monitoring by sending a monitoring request to a machine type communication interworking function.
22. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a request for monitoring a user equipment or category of devices with respect to at least one suspicious event;
determine whether the monitoring is permitted; and
respond to the request based on whether the monitoring is permitted.
23. The apparatus of claim 22, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to determine whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, and to respond to the request based on the subscriber agreement of the user equipment.
24. The apparatus of claim 23, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to store an identifier of the requestor of the monitoring.
25. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to monitor for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; detect an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
report the occurrence to the requestor.
26. The apparatus of claim 25, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to report the occurrence by sending an indication of the user equipment's international mobile subscriber identity to the requestor.
27. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forward the report of the suspicious activity to the requestor.
28. The apparatus of claim 27, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to:
receive, in the report, a user equipment's international mobile subscriber identity; and
translate the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
29. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
report the suspicious activity to the user or the subscriber.
30. An apparatus, comprising:
receiving means for receiving a monitoring request regarding a user equipment or a category of devices;
performing means for performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
responding means for responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
31. The apparatus of claim 30, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
32. The apparatus of claim 31, further comprising:
receiving means for receiving a registration status response in response to the registering; and
forwarding means for forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
33. An apparatus, comprising:
requesting means for requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receiving means for receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
34. The apparatus of claim 33, wherein the requesting monitoring comprises sending a monitoring request to a machine type communication interworking function.
35. An apparatus, comprising:
receiving means for receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event; determining means for determining whether the monitoring is permitted; and
responding means for responding to the request based on whether the monitoring is permitted.
36. The apparatus of claim 35, further comprising:
determining means for determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
37. The apparatus of claim 36, further comprising:
storing means for storing an identifier of the requestor of the monitoring.
38. An apparatus, comprising:
monitoring means for monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor;
detecting means for detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
reporting means for reporting the occurrence to the requestor.
39. The apparatus of claim 38, wherein the reporting comprises sending an indication of the user equipment's international mobile subscriber identity to the requestor.
40. An apparatus, comprising:
receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forwarding means for forwarding the report of the suspicious activity to the requestor.
41. The apparatus of claim 40, further comprising:
receiving means for receiving, in the report, a user equipment's international mobile subscriber identity; and
translating means for translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
42. An apparatus, comprising:
receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
reporting means for reporting the suspicious activity to the user or the subscriber.
43. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a monitoring request regarding a user equipment or a category of devices;
performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
44. The non-transitory computer readable medium of claim 43, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
45. The non-transitory computer readable medium of claim 44, the process further comprising:
receiving a registration status response in response to the registering; and
forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
46. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
47. The non-transitory computer readable medium of claim 46, wherein the requesting monitoring comprises sending a monitoring request to a machine type communication interworking function.
48. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event;
determining whether the monitoring is permitted; and
responding to the request based on whether the monitoring is permitted.
49. The non-transitory computer readable medium of claim 48, the process further comprising:
determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
50. The non-transitory computer readable medium of claim 49, the process further comprising:
storing an identifier of the requestor of the monitoring.
51. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
reporting the occurrence to the requestor.
52. The non-transitory computer readable medium of claim 51, wherein the reporting comprises sending an indication of the user equipment's international mobile subscriber identity to the requestor.
53. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forwarding the report of the suspicious activity to the requestor.
54. The non-transitory computer readable medium of claim 53, the process further comprising:
receiving, in the report, a user equipment's international mobile subscriber identity; and
translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
55. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
reporting the suspicious activity to the user or the subscriber.
PCT/US2012/033511 2012-04-13 2012-04-13 Monitoring suspicious events in a cellular network WO2013154576A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US14/391,793 US9294924B2 (en) 2012-04-13 2012-04-13 Monitoring suspicious events in a cellular network
EP12874140.2A EP2836910B1 (en) 2012-04-13 2012-04-13 Monitoring suspicious events in a cellular network
PCT/US2012/033511 WO2013154576A1 (en) 2012-04-13 2012-04-13 Monitoring suspicious events in a cellular network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2012/033511 WO2013154576A1 (en) 2012-04-13 2012-04-13 Monitoring suspicious events in a cellular network

Publications (1)

Publication Number Publication Date
WO2013154576A1 true WO2013154576A1 (en) 2013-10-17

Family

ID=49327991

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2012/033511 WO2013154576A1 (en) 2012-04-13 2012-04-13 Monitoring suspicious events in a cellular network

Country Status (3)

Country Link
US (1) US9294924B2 (en)
EP (1) EP2836910B1 (en)
WO (1) WO2013154576A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2858301A4 (en) * 2012-09-13 2015-07-29 Huawei Device Co Ltd Event reporting method and system
EP3051710A1 (en) * 2012-09-28 2016-08-03 Intel Corporation Machine type communication monitoring framework for 3gpp systems
CN105981225A (en) * 2013-12-10 2016-09-28 At&T知识产权部有限合伙公司 Quasi-optical coupler

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103812599B (en) * 2012-11-05 2017-10-17 华为终端有限公司 The method and equipment of the core network of a kind of transmission equipment triggering message
KR102167870B1 (en) * 2014-07-07 2020-10-20 콘비다 와이어리스, 엘엘씨 Coordinated grouping for machine type communications group based services
US10574331B2 (en) * 2016-05-10 2020-02-25 Nokia Technologies Oy Antenna co-location and receiver assumptions
US10887768B2 (en) * 2016-07-13 2021-01-05 T-Mobile Usa, Inc. Mobile traffic redirection system
US10506403B2 (en) 2017-02-27 2019-12-10 Oracle International Corporation Methods, systems and computer readable media for providing integrated service capability exposure function (SCEF), service capability server (SCS) and application server (AS) services
US11146577B2 (en) * 2018-05-25 2021-10-12 Oracle International Corporation Methods, systems, and computer readable media for detecting and mitigating effects of abnormal behavior of a machine type communication (MTC) device
CN110650489B (en) * 2018-06-26 2022-02-15 华为技术有限公司 Method and device for managing monitoring events
CN112135310A (en) * 2019-06-24 2020-12-25 中兴通讯股份有限公司 Abnormal terminal identification method and device, storage medium and electronic device
US11381955B2 (en) 2020-07-17 2022-07-05 Oracle International Corporation Methods, systems, and computer readable media for monitoring machine type communications (MTC) device related information
US11700510B2 (en) 2021-02-12 2023-07-11 Oracle International Corporation Methods, systems, and computer readable media for short message delivery status report validation

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060218395A1 (en) * 2005-03-23 2006-09-28 Oracle International Corporation Device agent
US20090271469A1 (en) * 2008-04-28 2009-10-29 Benco David S Method and apparatus for IMS support for multimedia session, recording, analysis and storage
US20100023598A9 (en) * 2003-06-09 2010-01-28 Andrew Ginter Event monitoring and management
WO2011054299A1 (en) 2009-11-06 2011-05-12 中兴通讯股份有限公司 Method and system for obtaining information of machine type communication terminal

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6119236A (en) * 1996-10-07 2000-09-12 Shipley; Peter M. Intelligent network security device and method
US7376969B1 (en) * 2002-12-02 2008-05-20 Arcsight, Inc. Real time monitoring and analysis of events from multiple network security devices
US20040158630A1 (en) * 2003-02-12 2004-08-12 Chang Tsung-Yen Dean Monitoring and controlling network activity in real-time
WO2006098668A1 (en) * 2005-03-18 2006-09-21 Telefonaktiebolaget Lm Ericsson (Publ) Lawful interception of unauthorized subscribers and equipments
US8196205B2 (en) * 2006-01-23 2012-06-05 University Of Washington Through Its Center For Commercialization Detection of spyware threats within virtual machine
JP4829347B2 (en) * 2006-08-01 2011-12-07 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Method and apparatus for collecting user activity in a communication system
EP2156691B1 (en) * 2007-05-28 2016-12-14 Telefonaktiebolaget LM Ericsson (publ) User equipment tracing in a wireless communications network
KR100864867B1 (en) * 2007-12-05 2008-10-23 한국전자통신연구원 The method and apparatus for detecting malicious file in mobile terminal
KR101167939B1 (en) * 2010-01-08 2012-08-02 엘지전자 주식회사 Method for monitoring machine type communication device in mobile communications system
US8438278B2 (en) * 2010-05-03 2013-05-07 Htc Corporation Methods for monitoring and reporting MTC events
US9042864B2 (en) * 2011-12-19 2015-05-26 International Business Machines Corporation Appliance in a mobile data network that spans multiple enclosures
US8782387B2 (en) * 2011-12-31 2014-07-15 International Business Machines Corporation Secure boot of a data breakout appliance with multiple subsystems at the edge of a mobile data network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100023598A9 (en) * 2003-06-09 2010-01-28 Andrew Ginter Event monitoring and management
US20060218395A1 (en) * 2005-03-23 2006-09-28 Oracle International Corporation Device agent
US20090271469A1 (en) * 2008-04-28 2009-10-29 Benco David S Method and apparatus for IMS support for multimedia session, recording, analysis and storage
WO2011054299A1 (en) 2009-11-06 2011-05-12 中兴通讯股份有限公司 Method and system for obtaining information of machine type communication terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2836910A4

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2858301A4 (en) * 2012-09-13 2015-07-29 Huawei Device Co Ltd Event reporting method and system
EP3051710A1 (en) * 2012-09-28 2016-08-03 Intel Corporation Machine type communication monitoring framework for 3gpp systems
US9942791B2 (en) 2012-09-28 2018-04-10 Intel Corporation Machine type communication monitoring framework for 3GPP systems
EP3370344A1 (en) * 2012-09-28 2018-09-05 Intel Corporation Machine type communication monitoring framework for 3 gpp systems
US10524156B2 (en) 2012-09-28 2019-12-31 Intel Corporation Machine type communication monitoring framework for 3GPP systems
US11089500B2 (en) 2012-09-28 2021-08-10 Apple Inc. Machine type communication monitoring framework for 3GPP systems
CN105981225A (en) * 2013-12-10 2016-09-28 At&T知识产权部有限合伙公司 Quasi-optical coupler

Also Published As

Publication number Publication date
EP2836910B1 (en) 2020-02-19
EP2836910A4 (en) 2015-12-30
US9294924B2 (en) 2016-03-22
EP2836910A1 (en) 2015-02-18
US20150111533A1 (en) 2015-04-23

Similar Documents

Publication Publication Date Title
EP2836910B1 (en) Monitoring suspicious events in a cellular network
EP3941112B1 (en) Location-based context delivery
CN109041089B (en) Information processing method and device
US9794772B2 (en) Machine type communication interworking function
US9026082B2 (en) Terminal identifiers in a communications network
EP2498526B1 (en) Method and system for obtaining information of machine type communication terminal
US9241254B2 (en) Method and system for determining reachability of terminal group
US20130332627A1 (en) Enabling ip-communication with a machine to machine unit
JP2016524393A (en) Proximity service permission method, apparatus and system
EP3205132A1 (en) Correlation identifier for user plane congestion and other use cases
CN106664540B (en) Method, device and system for detecting abnormality of terminal equipment
US9380478B2 (en) Updating method for trigger message counter, machine type communication server and terminal
WO2014071171A2 (en) Method and apparatus for machine-type communication device monitoring
CN108282814B (en) User equipment information monitoring method, device and system
WO2011134370A1 (en) Machine type communication event reporting method and system thereof
US10524114B2 (en) Subscription fall-back in a radio communication network
EP3163920A1 (en) Method for processing prose service authorization change, first network element and second network element
EP2865199A1 (en) Machine type communication interworking function
US10827347B1 (en) Dynamic identities in a mobile device
WO2013139073A1 (en) Method and system for sending terminal monitoring report
US11050799B2 (en) Methods and devices for registering a user equipment, UE, with low access priority in an internet protocol based multimedia subsystem, IMS
US8855673B2 (en) Network location management entity
WO2015090436A1 (en) Method of improving security in a communication network and authentication entity
US20150163619A1 (en) System, apparatus, and method for triggering roaming mtc device
WO2013164363A1 (en) Method to initiate priority alarm in a cellular network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12874140

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2012874140

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 14391793

Country of ref document: US