WO2013154576A1 - Monitoring suspicious events in a cellular network - Google Patents
Monitoring suspicious events in a cellular network Download PDFInfo
- Publication number
- WO2013154576A1 WO2013154576A1 PCT/US2012/033511 US2012033511W WO2013154576A1 WO 2013154576 A1 WO2013154576 A1 WO 2013154576A1 US 2012033511 W US2012033511 W US 2012033511W WO 2013154576 A1 WO2013154576 A1 WO 2013154576A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- monitoring
- user equipment
- category
- devices
- request
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/535—Tracking the activity of the user
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/126—Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/04—Arrangements for maintaining operational condition
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Definitions
- Communication systems including cellular networks, and the devices that are connected to them, can have both legitimate and illegitimate uses.
- Such communication systems including systems that utilize, permit, or leverage machine-type-communications, may benefit from monitoring for suspicious events.
- the evolved packet system provides radio interfaces and packet core network functions for broadband wireless data access.
- EPS core network functions include the mobility management entity (MME), the packet data network gateway (PDN- GW) and the Serving Gateway (S-GW).
- MME mobility management entity
- PDN- GW packet data network gateway
- S-GW Serving Gateway
- An example of an evolved packet core architecture is illustrated in Figure 1 and is described by third generation partnership project (3GPP) technical specification (TS) 23.401, which is incorporated herein by reference in its entirety.
- 3GPP third generation partnership project
- TS third generation partnership project
- a common packet domain core network can be used for both radio access networks (RANs), the global system for mobile communication (GSM) enhanced data rates for GSM evolution (EDGE) radio access network (GERAN) and the universal terrestrial radio access network (UTRAN).
- GSM global system for mobile communication
- EDGE enhanced data rates for GSM evolution
- GERAN global system for mobile communication
- UTRAN universal terrestrial radio access network
- MTC-IWF MTC interworking function
- S6m machine-type-communication
- Tsp machine-type-communication
- Tsms machine-type-communication
- T5a/b/c machine-type-communication
- T4 machine-type-communication
- FIG 2 illustrates machine-type-communication additions to the 3 GPP architecture, as well as the various interfaces identified.
- the MTC-IWF and the new interfaces in 3 GPP Release 11 can, for example, enable triggering of devices with or without a mobile subscriber integrated services digital network number (MSISDN) from an internal or external MTC server.
- MSISDN mobile subscriber integrated services digital network number
- the triggering of the devices may be, for example, in order to establish a packet data network (PDN) connection and/or packet data protocol (PDP) context.
- PDN packet data network
- PDP packet data protocol
- a method includes receiving a monitoring request regarding a user equipment or a category of devices. The method also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
- a method includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The method also includes receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
- a method includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The method also includes determining whether the monitoring is permitted. The method further includes responding to the request based on whether the monitoring is permitted.
- a method includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The method further includes reporting the occurrence to the requestor.
- a method in certain embodiments, includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes forwarding the report of the suspicious activity to the requestor.
- a method includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The method also includes reporting the suspicious activity to the user or the subscriber.
- an apparatus includes at least one processor and at least one memory including computer program code.
- the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a monitoring request regarding a user equipment or a category of devices.
- the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to perform a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
- the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
- an apparatus includes at least one processor and at least one memory including computer program code.
- the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
- the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to receive a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
- An apparatus includes at least one processor and at least one memory including computer program code.
- the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
- the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to determine whether the monitoring is permitted.
- the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the request based on whether the monitoring is permitted.
- An apparatus in certain embodiments, includes at least one processor and at least one memory including computer program code.
- the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to monitor for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to detect an occurrence of the suspicious event with respect to the user equipment or the category of devices.
- the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to report the occurrence to the requestor.
- An apparatus includes at least one processor and at least one memory including computer program code in certain embodiments.
- the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to forward the report of the suspicious activity to the requestor.
- an apparatus includes at least one processor and at least one memory including computer program code.
- the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
- the at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to report the suspicious activity to the user or the subscriber.
- an apparatus includes receiving means for receiving a monitoring request regarding a user equipment or a category of devices.
- the apparatus also includes performing means for performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
- the apparatus further includes responding means for responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
- An apparatus in certain embodiments, includes requesting means for requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
- the apparatus also includes receiving means for receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
- An apparatus includes receiving means for receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
- the apparatus also includes determining means for determining whether the monitoring is permitted.
- the apparatus further includes responding means for responding to the request based on whether the monitoring is permitted.
- an apparatus includes monitoring means for monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the apparatus also includes detecting means for detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices.
- the apparatus further includes reporting means for reporting the occurrence to the requestor.
- An apparatus in certain embodiments, includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the apparatus also includes forwarding means for forwarding the report of the suspicious activity to the requestor.
- an apparatus includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
- the apparatus also includes reporting means for reporting the suspicious activity to the user or the subscriber.
- a non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process.
- the process includes receiving a monitoring request regarding a user equipment or a category of devices.
- the process also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
- the process further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
- a non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process.
- the process includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
- the process also includes receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
- a non-transitory computer readable medium is, according to certain embodiments, encoded with instructions that, when executed in hardware, perform a process.
- the process includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
- the process also includes determining whether the monitoring is permitted.
- the process further includes responding to the request based on whether the monitoring is permitted.
- a non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process.
- the process includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the process also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices.
- the process further includes reporting the occurrence to the requestor.
- a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process.
- the process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the process also includes forwarding the report of the suspicious activity to the requestor.
- a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process.
- the process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
- the process also includes reporting the suspicious activity to the user or the subscriber.
- Figure 1 illustrates an evolved packet core architecture.
- Figure 2 illustrates machine-type-communication additions to a third generation partnership project architecture.
- Figure 3 illustrates direct interface registration for monitoring according to certain embodiments.
- Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments.
- Figure 5 illustrates direct interface reporting according to certain embodiments.
- Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments.
- Figure 7 illustrates a method according to certain embodiments.
- Figure 8 illustrates a system according to certain embodiments.
- Machine-type-communication (MTC) monitoring is one example of machine-type-communication related features. Because machine-type devices can be deployed in remote areas and in locations where they are not monitored actively by humans, theft and vandalism risks differ from cases where there is constant or frequent human monitoring. Accordingly, a network can provide a mechanism to auto-detect suspicious activities. Suspicious activities, in this context, can include, for example, change of association between user equipment (UE) and universal integrated circuit card (UICC), loss of connectivity, communication failure, change of location, and in general any behavior that is not aligned with subscribed features. These events are neither detected nor reported by conventional networks. Certain embodiments, however, enable detection of events and report of these events as and when they occur so that the service provider, user, or law enforcement agency can take appropriate action.
- UE user equipment
- UICC universal integrated circuit card
- Some of these useful services may be applied to, for example, smart meters or remote surveillance systems.
- the service can also be extended to normal devices, such as smart phones, by the mobile network operator, for example.
- Certain embodiments thus, provide a monitoring feature. This feature may be able to detect suspicious activities for unmanned devices and devices that are at risk of being stolen or manipulated.
- Embodiments can include at least three aspects.
- a first aspect relates to a procedure to register for monitoring service.
- a second aspect relates to an ability to detect suspicious events, such as those events described above or similar events.
- a third aspect relates to a procedure to report suspicious events as and when they occur.
- a direct interface can be used between the machine-type-communication inter-working function (MTC-IWF) and the nodes performing monitoring of certain events.
- MTC-IWF machine-type-communication inter-working function
- This direct interface can be, for example, T5a/b/c between MTC-IWF and MME/SGSN/MSC as in Annex B of 3 GPP TS 23.682, or an interface between MTC-IWF and HSS like S6m. Use of other interfaces is also permitted.
- Monitoring of certain events can be triggered by an external services capability server (SCS) as described in 3GPP TS 23.682, by any other application server inside or outside the operator domain or by the network itself based on subscription data stored in the HSS.
- SCS external services capability server
- Subscription data containing the events that are to be monitored can be downloaded to the MTC- IWF or directly to the serving nodes, MME, SGSN, and MSC, during device registration.
- the subscription data can be accompanied by a request for the serving nodes to detect these events.
- Serving nodes may monitor suspicious events for a defined period of time, such as for the duration of validity time. Upon detection of suspicious events, serving nodes, MME, SGSN, and MSC, can report to the requestor MTC-IWF. Alternatively, the serving nodes can report to a pre-configured application server or can store this information as part of charging, for example, charging data records (CDRs), or other records.
- CDRs charging data records
- a direct interface is used to register for monitoring service. More particularly, Figure 3 illustrates a simplified call flow to register for monitoring service, using a direct interface such as T5a/b/c.
- a services capability server can initiate a request over, for example, Tsp to send a monitoring request to MTC- IWF for a certain device identified by its external identifier (URI or NAI) or MSISDN.
- URI external identifier
- MSISDN MSISDN
- the MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
- the MTC-IWF can receive the request from the SCS and can query the home subscriber server (HSS) to obtain the following information such as international mobile subscriber identity (IMSI), serving node identifier(s) and subscription information for monitoring services.
- HSS home subscriber server
- IMSI international mobile subscriber identity
- serving node identifier(s) serving node identifier(s)
- subscription information for monitoring services.
- HSS authenticates the request from SCS for monitoring the target user equipment, and at S2A provides a response.
- the MTC-IWF can, at S2B, store the relevant parameters and choose, based on the events to be monitored and serving node capabilities, the appropriate serving node. Some events may be directly monitored and reported by the HSS.
- the MTC-IWF can send a request to register for monitoring service.
- the request can include an IMSI and MTC-IWF ID and can optionally include service type(s), validity time, and a list of serving node(s).
- the serving node can receive the request, check if the user equipment is currently registered in the network, and store originator for the request. Storing the originator can include storing the MTC-IWF ID.
- the serving node can register the user equipment for the requested monitoring event(s) and report the registration status to the MTC-IWF. If the user equipment is not currently registered or there is some other reason for non-registration, such information can also be relayed to the MTC-IWF including the reason, if desired.
- the serving node can generate the necessary CDR information for charging.
- Registering at the serving node may imply setting a flag e.g. "UMS - UE monitoring service”. Note when the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then the serving node simply needs to add "IWF ID" to the list of requestor.
- the serving node can respond with a failure indication to the MTC-IWF and can indicate the cause for the failure or can forward the monitoring request to the other serving nodes, which were present in the request, with the MTC-IWF identifier. The serving node can then perform the monitoring for the period specified in the validity time.
- the IWF can respond to the SCS with the registration status for monitoring service, so the result can be forwarded to the application server and appropriate action can be taken in case of failure.
- Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments.
- the registering is via an HSS using an interface, such as S6m.
- a services capability server can initiate a request over Tsp to send a monitoring request to MTC-IWF for a certain device identified by its external identifier, for example its uniform resource identifier (URI) or network access identifier (NAI), or MSISDN.
- URI uniform resource identifier
- NAI network access identifier
- MTC-IWF for a certain device identified by its external identifier
- URI uniform resource identifier
- NAI network access identifier
- MSISDN MSISDN
- the MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
- the MTC-IWF can receive the request, identify the appropriate HSS to register for the monitoring service, and send a request to the HSS with ext ID or MSISDN, and IWF ID, and optionally including other parameters including requested monitoring event(s) and validity time for the monitoring service.
- the HSS can check the user's subscription for monitoring service and can authenticate the request from the SCS for monitoring the target user equipment. Upon successful authentication and validation of subscription, the HSS can identify the latest registered serving node, validate its support for monitoring service and, at T3, register for monitoring service with the serving node.
- the message registering for monitoring can include, for example, an IMSI of the user equipment, as well as other parameters, such as service type(s) or validity time.
- the serving node can receive the request and check if the user equipment is currently registered with it. If the user equipment is registered, then the serving node can register the user equipment for the requested monitoring service(s). The serving node can generate the necessary CDR information for charging. Registering at the serving node may imply setting a flag, for example, "UMS - UE monitoring service". When the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then no further action needs to be performed by the serving node to register the user equipment. The serving node can perform the monitoring for the period specified in the validity time.
- the user equipment is currently not registered and/or the serving node is unaware of the target user equipment context, then at T5 it can respond with a failure indication to the HSS and can indicate the cause or reason for the failure. If the registration is successful, it can respond at T5 with the success.
- the HSS can forward the response to the IWF.
- the IWF can respond to the SCS with the registration status for monitoring service, so that the result can be forwarded to the application server and appropriate action can be taken in case of failure.
- Suspicious event detection can be performed in various ways and various events can be determined to be suspicious. For example, the following are some activities that could be defined as "occurrence of suspicious activities" at the serving nodes, such as the MME, SGSN, MSC.
- a first suspicious scenario can occur when a user equipment is subscribed with a low mobility feature and is confined to a certain paging area.
- the MME/SGSN/MSC referring to any one or combination of these or similar serving nodes, can detect and report suspicious activity if the user equipment is performing a tracking area update from a location that is not part of the user equipment's subscription, such as a cell ID that is not within the paging area specified in the user equipment subscription.
- a second suspicious scenario can occur when user equipment is subscribed with a time tolerant and/or time controlled feature and is supposed to access the network only within an "allowed time interval" and cannot access within the "forbidden time interval".
- the MME/SGSN/MSC can detect and report suspicious activity if the user equipment is accessing the network outside the allowed time interval or at the forbidden time interval.
- a user equipment can be subscribed for packet switched only services. If the user equipment is subscribed for packet switched only services, but the user equipment is performing a location update to a mobile switching center (MSC) to obtain voice service, then the MSC can detect this.
- MSC mobile switching center
- a fourth suspicious scenario can include increased data usage. If, for example, the user equipment is subscribed for a certain access point name aggregated maximum bit rate (APN-AMBR) but the serving nodes, with the help of entities managing user plane such as the eNB, RNC, P-GW,GGSN or another network element in the PCC infrastructure in the case of EPS, GPRS, detect that the usage has exceeded the allowed limit in the subscription, then the serving nodes can detect increased data usage.
- APN-AMBR access point name aggregated maximum bit rate
- the services capability server can either register for all the suspicious activities specified here, or other suspicious activities, or register simply for a specific event, such as increased data usage.
- the nature of the monitoring event deployed in the operator's network can depend on the subscription model and subscription for the individual device.
- the nature of the monitoring event deployed can also depend on the service level agreements between the mobile operator and the service provider. It is also possible that the network itself can monitor certain events based on the respective subscription data stored in the HSS.
- Figure 5 illustrates direct interface reporting according to certain embodiments. More particularly, Figure 5 illustrates a simplified call flow to report suspicious activity using a direct interface such as T5a/b/c.
- the serving nodes for example MME, SGSN, and/or MSC, can report the suspicious activity to a node that requested monitoring.
- the MTC-IWF is the node that requested.
- the report can include a corresponding IMSI for user equipment identification, as well as description or other identifier of the suspicious event, if, for example, more than one kind of event is being monitored.
- the MTC-IWF can use a cached IMSI to perform extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report.
- the MTC-IWF can forward the report to the services capability server.
- the report can include the extID or MSISDN, as well as some description or indication, explicit or implicit, of the event detected.
- the SCS may forward this to the corresponding application server that is eventually responsible for alerting the user.
- the suspicious activity can be reported to a law enforcement agency.
- Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments.
- Figure 6 illustrates an approach in which reporting is via an HSS, using an interface such as S6m.
- the MME/SGSN/MSC can report the suspicious activity to the requestor, which is indicated as the HSS in this case.
- the report can include the corresponding IMSI for user equipment identification, as well as an indication of the event(s) detected, either explicitly or implicitly.
- the HSS can modify the report using a stored IMSI to extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report. Then, at V3, the HSS can forward the report to the requestor, which is MTC- IWF in this case.
- the MTC-IWF can forward the report to the SCS.
- the SCS may forward this to the corresponding application server that is eventually responsible for alerting the user or, as noted above, to a law enforcement agency.
- Embodiments can have various impacts on monitoring service due to user equipment mobility.
- the user equipment can reselect to another cell either due to change in the radio frequency (RF) conditions of the current serving cell, such as when a truck crosses the signal path and fades the signal towards the user equipment, or due to physical movement of the device itself.
- RF radio frequency
- the user equipment can perform a handover from one cell to another cell. This handover may cause a change in the serving node (MSC, MME, SGSN).
- the serving node can forward this information as part of the user equipment context to the new serving node to ensure that the new serving node continues to perform monitoring activities. If the new serving node does not support monitoring service or it is a legacy node, then the new serving node may either fail the registration or ignore the registration. Failure can then be reported to the IWF and SCS, either by the new serving node or the old serving node, to ensure that the user is alerted and can take appropriate action.
- Monitoring service can be provided in the serving nodes or in the HSS and can generally be applied for all devices, including for example regular phones, as well as being applied in a circuit switched (CS) domain.
- CS circuit switched
- An IWF in the above call flows, illustrated in Figures 3 through 6, can be modified to serve as an application server/monitoring server in the operator's network.
- the application server/monitoring server can directly register with the HSS, or could even be co-located with the HSS, and/or with the serving nodes. Registering with the HSS can avoid exposing the internal network topology of the visited network to different servers in the home network.
- the network operator may decide to monitor certain events at all devices or according to certain device categories, such as all MTC devices, all smart phones, all iPhones, all dongles, and so forth.
- the subscription data in the HSS can contain the necessary information and the network can request the device identity from the user equipment.
- Subscription information can be downloaded to the serving nodes, such as MME, SGSN and MSC, during device registration, requesting the serving nodes to detect certain events and report to a pre-configured application server, or the serving nodes can simply add this information to charging or other records.
- Certain embodiments can provide the ability for the networks to dynamically detect suspicious activities and report to the user subscribed for this service. Since many MTC devices may be present in unmanned location, sending personnel to monitor the device regularly requires human labor hours. Moreover, certain embodiments can provide a safety net in identifying suspicious activities as soon as they occur, hence increasing the chance of recovering a stolen device, or stopping hacking of a device.
- Certain embodiments can use direct interfaces between MTC-IWF and the serving nodes, HSS and the serving nodes. Moreover, certain embodiments can monitor MSISDN-less devices in a "PS-only" deployment with a PS-only subscription. The same approach can be applied for monitoring devices with MSISDN in "CS" deployment with CS subscription.
- MNOs mobile network operators
- M2M machine to machine
- Figure 7 illustrates a method according to certain embodiments.
- a method can include, at 720, receiving a monitoring request regarding a user equipment or a category of devices.
- the method can also include, at 722, performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event.
- the method can further include, at 724, responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
- the suspicious event can include at least one event of the following: a tracking update occurs from a location outside an area allowed for the user equipment or from a certain device category; the user equipment or the device category accesses a network outside an allowed time interval or at a forbidden time interval; the user equipment or the device category is subscribed for packet switched services only but is performing a location update to obtain voice service; or the user equipment or the device category has exceeded an allowed data usage limit.
- a device category is the category of all smart phones, or all smart phones of a particular make or model.
- Other device categories can include all MTC devices, all regular phones, all smart meters, all tablets, or all dongles.
- the monitoring activity can include selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
- the method can additionally include, at 726, receiving a registration status response in response to the registering and, at 728, forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
- the method can also include, at 710, requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event.
- the method can further include, at 712, receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
- the requesting monitoring can include sending a monitoring request to a machine type communication interworking function.
- the method can further include at 730, receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event.
- the method can also include, at 732, determining whether the monitoring is permitted.
- the method can further include, at 734, responding to the request based on whether the monitoring is permitted.
- the method can additionally include, at 736, determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
- the method can also include, at 738, storing an identifier of the requestor of the monitoring.
- the method can include at 740, monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the method can also include, at 742, detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices.
- the method can further include, at 744, reporting the occurrence to the requestor.
- the reporting can include sending an indication of the user equipment's international mobile subscriber identity to the requestor.
- the method can also include, at 750, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor.
- the method can further include, at 752, forwarding the report of the suspicious activity to the requestor.
- the method can additionally include, at 754, receiving, in the report, a user equipment's international mobile subscriber identity.
- the method can also include, at 756, translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
- the method additionally can include, at 760, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment.
- the method can also include, at 762, reporting the suspicious activity to the user or the subscriber.
- FIG. 8 illustrates a system according to certain embodiments of the invention.
- a system may include two devices, such as, for example, SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840.
- Each of these devices may include at least one processor, respectively indicated as 814, 824, 834, and 844.
- At least one memory is provided in each device, and indicated as 815, 825, 835, and 845, respectively.
- the memory may include computer program instructions or computer code contained therein.
- Transceivers 816, 826, 836, and 846 are provided, and each device may also include an antenna, respectively illustrated as 817, 827, 837, and 847.
- SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840 may be configured for wired communication, rather than wireless communication, and in such a case antennas 817, 827, 837, and 847 would illustrate any form of communication hardware, without requiring a conventional antenna.
- Transceivers 816, 826, 836, and 846 can each, independently, be a transmitter, a receiver, or both a transmitter and a receiver, or a unit or device that is configured both for transmission and reception.
- Processors 814, 824, 834, and 844 can be embodied by any computational or data processing device, such as a central processing unit (CPU), application specific integrated circuit (ASIC), or comparable device.
- the processors can be implemented as a single controller, or a plurality of controllers or processors.
- Memories 815, 825, 835, and 845 can independently be any suitable storage device, such as a non-transitory computer-readable medium.
- a hard disk drive (HDD), random access memory (RAM), flash memory, or other suitable memory can be used.
- the memories can be combined on a single integrated circuit as the processor, or may be separate therefrom.
- the computer program instructions stored in the memory and which may be processed by the processors can be any suitable form of computer program code, for example, a compiled or interpreted computer program written in any suitable programming language.
- the memory and the computer program instructions can be configured, with the processor for the particular device, to cause a hardware apparatus such as SCS 810, MME/SGSN/MSC 820, HSS 830, or MTC-IWF 840, to perform any of the processes described above (see, for example, Figures 3-7). Therefore, in certain embodiments, a non-transitory computer-readable medium can be encoded with computer instructions that, when executed in hardware, perform a process such as one of the processes described herein. Alternatively, certain embodiments of the invention can be performed entirely in hardware.
- Figure 8 illustrates a system including an SCS, MME/SGSN/MSC, HSS, and MTC-IWF
- embodiments of the invention may be applicable to other configurations, and configurations involving additional elements, as illustrated herein.
Abstract
Communication systems, including cellular networks, and the devices that are connected to them, can have both legitimate and illegitimate uses. Such communication systems, including systems that utilize, permit, or leverage machine-type-communications, may benefit from monitoring for suspicious events. A method can include receiving a monitoring request regarding a user equipment or a category of devices. The method can also include performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method can further include responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
Description
MONITORING SUSPICIOUS EVENTS IN A CELLULAR NETWORK
BACKGROUND:
Field:
[0001] Communication systems, including cellular networks, and the devices that are connected to them, can have both legitimate and illegitimate uses. Such communication systems, including systems that utilize, permit, or leverage machine-type-communications, may benefit from monitoring for suspicious events.
Description of the Related Art:
[0002] The evolved packet system (EPS), the successor of general packet radio system (GPRS), provides radio interfaces and packet core network functions for broadband wireless data access. EPS core network functions include the mobility management entity (MME), the packet data network gateway (PDN- GW) and the Serving Gateway (S-GW). An example of an evolved packet core architecture is illustrated in Figure 1 and is described by third generation partnership project (3GPP) technical specification (TS) 23.401, which is incorporated herein by reference in its entirety. A common packet domain core network can be used for both radio access networks (RANs), the global system for mobile communication (GSM) enhanced data rates for GSM evolution (EDGE) radio access network (GERAN) and the universal terrestrial radio access network (UTRAN).
[0003] For machine-type-communication (MTC) a functional entity called MTC interworking function (MTC-IWF) and several new interfaces, including S6m, Tsp, Tsms, T5a/b/c and T4, have been introduced to the 3GPP architecture. Figure 2 illustrates machine-type-communication additions to the 3 GPP architecture, as well as the various interfaces identified. The MTC-IWF and the new interfaces in 3 GPP Release 11 (Rel 11) can, for example, enable triggering of devices with or without a mobile subscriber integrated services
digital network number (MSISDN) from an internal or external MTC server. The triggering of the devices may be, for example, in order to establish a packet data network (PDN) connection and/or packet data protocol (PDP) context. A 3 GPP architecture for machine-type communication is discussed in 3GPP TS 23.682, which incorporated herein by reference in its entirety.
SUMMARY:
[0004] According to certain embodiments, a method includes receiving a monitoring request regarding a user equipment or a category of devices. The method also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0005] In certain embodiments, a method includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The method also includes receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0006] A method, according to certain embodiments, includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The method also includes determining whether the monitoring is permitted. The method further includes responding to the request based on whether the monitoring is permitted.
[0007] According to certain embodiments, a method includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The method further includes reporting the occurrence to the requestor.
[0008] A method, in certain embodiments, includes receiving a report of
suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method also includes forwarding the report of the suspicious activity to the requestor.
[0009] A method, according to certain embodiments, includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The method also includes reporting the suspicious activity to the user or the subscriber.
[0010] In certain embodiments, an apparatus includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a monitoring request regarding a user equipment or a category of devices. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to perform a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0011] According to certain embodiments, an apparatus includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to receive a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0012] An apparatus, according to certain embodiments, includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to determine whether the monitoring is permitted. The at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to respond to the request based on whether the monitoring is permitted.
[0013] An apparatus, in certain embodiments, includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to monitor for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to detect an occurrence of the suspicious event with respect to the user equipment or the category of devices. The at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to report the occurrence to the requestor.
[0014] An apparatus includes at least one processor and at least one memory including computer program code in certain embodiments. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to forward the report of the suspicious
activity to the requestor.
[0015] According to certain embodiments, an apparatus includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The at least one memory and the computer program code are also configured to, with the at least one processor, cause the apparatus at least to report the suspicious activity to the user or the subscriber.
[0016] In certain embodiments, an apparatus includes receiving means for receiving a monitoring request regarding a user equipment or a category of devices. The apparatus also includes performing means for performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The apparatus further includes responding means for responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0017] An apparatus, in certain embodiments, includes requesting means for requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The apparatus also includes receiving means for receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0018] An apparatus, according to certain embodiments, includes receiving means for receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The apparatus also includes determining means for determining whether the monitoring is permitted. The apparatus further includes responding means for responding to the request based on whether the monitoring is permitted.
[0019] According to certain embodiments, an apparatus includes monitoring
means for monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The apparatus also includes detecting means for detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The apparatus further includes reporting means for reporting the occurrence to the requestor.
[0020] An apparatus, in certain embodiments, includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The apparatus also includes forwarding means for forwarding the report of the suspicious activity to the requestor.
[0021] In certain embodiments, an apparatus includes receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The apparatus also includes reporting means for reporting the suspicious activity to the user or the subscriber.
[0022] A non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a monitoring request regarding a user equipment or a category of devices. The process also includes performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The process further includes responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0023] According to certain embodiments, a non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process. The process includes requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The process also includes receiving a response to the monitoring request, wherein the
response indicates a registration status of the monitoring.
[0024] A non-transitory computer readable medium is, according to certain embodiments, encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The process also includes determining whether the monitoring is permitted. The process further includes responding to the request based on whether the monitoring is permitted.
[0025] A non-transitory computer readable medium is, in certain embodiments, encoded with instructions that, when executed in hardware, perform a process. The process includes monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The process also includes detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The process further includes reporting the occurrence to the requestor.
[0026] In certain embodiments, a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The process also includes forwarding the report of the suspicious activity to the requestor.
[0027] According to certain embodiments, a non-transitory computer readable medium is encoded with instructions that, when executed in hardware, perform a process. The process includes receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The process also includes reporting the suspicious activity to the user or the subscriber.
BRIEF DESCRIPTION OF THE DRAWINGS:
[0028] For proper understanding of the invention, reference should be made to the accompanying drawings, wherein:
[0029] Figure 1 illustrates an evolved packet core architecture.
[0030] Figure 2 illustrates machine-type-communication additions to a third generation partnership project architecture.
[0031] Figure 3 illustrates direct interface registration for monitoring according to certain embodiments.
[0032] Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments.
[0033] Figure 5 illustrates direct interface reporting according to certain embodiments.
[0034] Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments.
[0035] Figure 7 illustrates a method according to certain embodiments.
[0036] Figure 8 illustrates a system according to certain embodiments.
DETAILED DESCRIPTION:
[0037] Machine-type-communication (MTC) monitoring is one example of machine-type-communication related features. Because machine-type devices can be deployed in remote areas and in locations where they are not monitored actively by humans, theft and vandalism risks differ from cases where there is constant or frequent human monitoring. Accordingly, a network can provide a mechanism to auto-detect suspicious activities. Suspicious activities, in this context, can include, for example, change of association between user equipment (UE) and universal integrated circuit card (UICC), loss of connectivity, communication failure, change of location, and in general any behavior that is not aligned with subscribed features. These events are neither detected nor reported by conventional networks. Certain embodiments, however, enable detection of events and report of these events as and when
they occur so that the service provider, user, or law enforcement agency can take appropriate action.
[0038] Some of these useful services may be applied to, for example, smart meters or remote surveillance systems. The service can also be extended to normal devices, such as smart phones, by the mobile network operator, for example.
[0039] Certain embodiments, thus, provide a monitoring feature. This feature may be able to detect suspicious activities for unmanned devices and devices that are at risk of being stolen or manipulated.
[0040] Embodiments can include at least three aspects. A first aspect relates to a procedure to register for monitoring service. A second aspect relates to an ability to detect suspicious events, such as those events described above or similar events. A third aspect relates to a procedure to report suspicious events as and when they occur.
[0041] Certain embodiments also address the impact on the core network (CN) due to user equipment mobility. A direct interface can be used between the machine-type-communication inter-working function (MTC-IWF) and the nodes performing monitoring of certain events. This direct interface can be, for example, T5a/b/c between MTC-IWF and MME/SGSN/MSC as in Annex B of 3 GPP TS 23.682, or an interface between MTC-IWF and HSS like S6m. Use of other interfaces is also permitted.
[0042] Monitoring of certain events can be triggered by an external services capability server (SCS) as described in 3GPP TS 23.682, by any other application server inside or outside the operator domain or by the network itself based on subscription data stored in the HSS. Subscription data containing the events that are to be monitored can be downloaded to the MTC- IWF or directly to the serving nodes, MME, SGSN, and MSC, during device registration. The subscription data can be accompanied by a request for the serving nodes to detect these events.
[0043] Serving nodes may monitor suspicious events for a defined period of
time, such as for the duration of validity time. Upon detection of suspicious events, serving nodes, MME, SGSN, and MSC, can report to the requestor MTC-IWF. Alternatively, the serving nodes can report to a pre-configured application server or can store this information as part of charging, for example, charging data records (CDRs), or other records.
[0044] Various procedures can be used to register for monitoring service. Two possible alternatives available for a services capability server to register for monitoring service with the network are discussed below.
[0045] In a first alternative, illustrated in Figure 3, a direct interface is used to register for monitoring service. More particularly, Figure 3 illustrates a simplified call flow to register for monitoring service, using a direct interface such as T5a/b/c.
[0046] As shown in Figure 3, at SI, a services capability server (SCS) can initiate a request over, for example, Tsp to send a monitoring request to MTC- IWF for a certain device identified by its external identifier (URI or NAI) or MSISDN. This could be a generic request that includes all types of monitoring events or it could be a specific request for certain types of monitoring events. This may depend on the service level agreements between mobile operator and service provider. The MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
[0047] At S2, the MTC-IWF can receive the request from the SCS and can query the home subscriber server (HSS) to obtain the following information such as international mobile subscriber identity (IMSI), serving node identifier(s) and subscription information for monitoring services. In addition, HSS authenticates the request from SCS for monitoring the target user equipment, and at S2A provides a response.
[0048] Upon successful response from HSS with any needed parameters such as IMSI and a list of serving nodes, the MTC-IWF can, at S2B, store the relevant parameters and choose, based on the events to be monitored and
serving node capabilities, the appropriate serving node. Some events may be directly monitored and reported by the HSS.
[0049] Then, at S3, the MTC-IWF can send a request to register for monitoring service. The request can include an IMSI and MTC-IWF ID and can optionally include service type(s), validity time, and a list of serving node(s).
[0050] At S3A, the serving node can receive the request, check if the user equipment is currently registered in the network, and store originator for the request. Storing the originator can include storing the MTC-IWF ID.
[0051] Moreover, at S4, upon a determination that the user equipment is currently registered in the network, the serving node can register the user equipment for the requested monitoring event(s) and report the registration status to the MTC-IWF. If the user equipment is not currently registered or there is some other reason for non-registration, such information can also be relayed to the MTC-IWF including the reason, if desired.
[0052] More specifically, the serving node can generate the necessary CDR information for charging. Registering at the serving node may imply setting a flag e.g. "UMS - UE monitoring service". Note when the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then the serving node simply needs to add "IWF ID" to the list of requestor.
[0053] If the user equipment is currently not registered in the network and/or the serving node is unaware of the target user equipment context, then the serving node can respond with a failure indication to the MTC-IWF and can indicate the cause for the failure or can forward the monitoring request to the other serving nodes, which were present in the request, with the MTC-IWF identifier. The serving node can then perform the monitoring for the period specified in the validity time.
[0054] At S5, the IWF can respond to the SCS with the registration status for monitoring service, so the result can be forwarded to the application server and
appropriate action can be taken in case of failure.
[0055] Figure 4 illustrates a simplified call flow to register for monitoring service according to certain embodiments. In this example, the registering is via an HSS using an interface, such as S6m.
[0056] As shown in Figure 4, at Tl, a services capability server (SCS) can initiate a request over Tsp to send a monitoring request to MTC-IWF for a certain device identified by its external identifier, for example its uniform resource identifier (URI) or network access identifier (NAI), or MSISDN. This could be a generic request that includes all types of monitoring services or it could be a specific request for a certain type of monitoring service. This may depend on the service level agreements between mobile operator and service provider. The MTC monitoring request can include an external identifier (ID) or MSISDN and optionally service type(s), validity time, and a list of serving node(s).
[0057] At T2, the MTC-IWF can receive the request, identify the appropriate HSS to register for the monitoring service, and send a request to the HSS with ext ID or MSISDN, and IWF ID, and optionally including other parameters including requested monitoring event(s) and validity time for the monitoring service.
[0058] At T3A, the HSS can check the user's subscription for monitoring service and can authenticate the request from the SCS for monitoring the target user equipment. Upon successful authentication and validation of subscription, the HSS can identify the latest registered serving node, validate its support for monitoring service and, at T3, register for monitoring service with the serving node. The message registering for monitoring can include, for example, an IMSI of the user equipment, as well as other parameters, such as service type(s) or validity time.
[0059] At T4, the serving node can receive the request and check if the user equipment is currently registered with it. If the user equipment is registered, then the serving node can register the user equipment for the requested
monitoring service(s). The serving node can generate the necessary CDR information for charging. Registering at the serving node may imply setting a flag, for example, "UMS - UE monitoring service". When the serving node receives this registration request from the HSS, if this flag is already set for the corresponding service, then no further action needs to be performed by the serving node to register the user equipment. The serving node can perform the monitoring for the period specified in the validity time.
[0060] If the user equipment is currently not registered and/or the serving node is unaware of the target user equipment context, then at T5 it can respond with a failure indication to the HSS and can indicate the cause or reason for the failure. If the registration is successful, it can respond at T5 with the success.
[0061] At T6, the HSS can forward the response to the IWF. Then, at T7, the IWF can respond to the SCS with the registration status for monitoring service, so that the result can be forwarded to the application server and appropriate action can be taken in case of failure.
[0062] Suspicious event detection can be performed in various ways and various events can be determined to be suspicious. For example, the following are some activities that could be defined as "occurrence of suspicious activities" at the serving nodes, such as the MME, SGSN, MSC.
[0063] A first suspicious scenario can occur when a user equipment is subscribed with a low mobility feature and is confined to a certain paging area. In this case, the MME/SGSN/MSC, referring to any one or combination of these or similar serving nodes, can detect and report suspicious activity if the user equipment is performing a tracking area update from a location that is not part of the user equipment's subscription, such as a cell ID that is not within the paging area specified in the user equipment subscription.
[0064] A second suspicious scenario can occur when user equipment is subscribed with a time tolerant and/or time controlled feature and is supposed to access the network only within an "allowed time interval" and cannot access within the "forbidden time interval". In this case, the MME/SGSN/MSC can
detect and report suspicious activity if the user equipment is accessing the network outside the allowed time interval or at the forbidden time interval.
[0065] In a third suspicious scenario, a user equipment can be subscribed for packet switched only services. If the user equipment is subscribed for packet switched only services, but the user equipment is performing a location update to a mobile switching center (MSC) to obtain voice service, then the MSC can detect this.
[0066] A fourth suspicious scenario can include increased data usage. If, for example, the user equipment is subscribed for a certain access point name aggregated maximum bit rate (APN-AMBR) but the serving nodes, with the help of entities managing user plane such as the eNB, RNC, P-GW,GGSN or another network element in the PCC infrastructure in the case of EPS, GPRS, detect that the usage has exceeded the allowed limit in the subscription, then the serving nodes can detect increased data usage.
[0067] These four scenarios are example of suspicious scenarios, although other scenarios are also possible. For example, if a particular device that the system has determined is a permanently stationary device, such as a smart meter, attempts a handover from a home network to a visited network or roams into a visited network, this may be deemed a suspicious event, if the device's subscription does not include roaming service.
[0068] The services capability server can either register for all the suspicious activities specified here, or other suspicious activities, or register simply for a specific event, such as increased data usage. The nature of the monitoring event deployed in the operator's network can depend on the subscription model and subscription for the individual device. The nature of the monitoring event deployed can also depend on the service level agreements between the mobile operator and the service provider. It is also possible that the network itself can monitor certain events based on the respective subscription data stored in the HSS.
[0069] Various procedures can be used to report suspicious activities.
Depending on the procedure adopted to register for monitoring, a corresponding procedure can be used to report suspicious activities. Thus, there are at least two alternative approaches available to report suspicious activities, corresponding to the two alternative approaches for monitoring already outlined above.
[0070] Figure 5 illustrates direct interface reporting according to certain embodiments. More particularly, Figure 5 illustrates a simplified call flow to report suspicious activity using a direct interface such as T5a/b/c.
[0071] As shown in Figure 5, at Ul, upon detection of suspicious activity based on registered event(s) the serving nodes, for example MME, SGSN, and/or MSC, can report the suspicious activity to a node that requested monitoring. In this case, the MTC-IWF is the node that requested. The report can include a corresponding IMSI for user equipment identification, as well as description or other identifier of the suspicious event, if, for example, more than one kind of event is being monitored.
[0072] At U2, the MTC-IWF can use a cached IMSI to perform extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report. At U3, the MTC-IWF can forward the report to the services capability server. The report can include the extID or MSISDN, as well as some description or indication, explicit or implicit, of the event detected. The SCS may forward this to the corresponding application server that is eventually responsible for alerting the user. Alternatively, the suspicious activity can be reported to a law enforcement agency.
[0073] Figure 6 illustrates a simplified call flow to report suspicious activity according to certain embodiments. In particular, Figure 6 illustrates an approach in which reporting is via an HSS, using an interface such as S6m.
[0074] At VI, upon detection of suspicious activity based on registered event(s) the MME/SGSN/MSC can report the suspicious activity to the requestor, which is indicated as the HSS in this case. The report can include the corresponding IMSI for user equipment identification, as well as an
indication of the event(s) detected, either explicitly or implicitly.
[0075] At V2, the HSS can modify the report using a stored IMSI to extlD/MSISDN mapping to map the IMSI to extlD/MSISDN in the report. Then, at V3, the HSS can forward the report to the requestor, which is MTC- IWF in this case.
[0076] At V4, the MTC-IWF can forward the report to the SCS. The SCS may forward this to the corresponding application server that is eventually responsible for alerting the user or, as noted above, to a law enforcement agency.
[0077] Embodiments can have various impacts on monitoring service due to user equipment mobility. In a traditional mobile network, the user equipment can reselect to another cell either due to change in the radio frequency (RF) conditions of the current serving cell, such as when a truck crosses the signal path and fades the signal towards the user equipment, or due to physical movement of the device itself. When these or similar events happen, the user equipment can perform a handover from one cell to another cell. This handover may cause a change in the serving node (MSC, MME, SGSN).
[0078] If the user equipment is registered for monitoring service and is within the validity time for the registered service, then the serving node can forward this information as part of the user equipment context to the new serving node to ensure that the new serving node continues to perform monitoring activities. If the new serving node does not support monitoring service or it is a legacy node, then the new serving node may either fail the registration or ignore the registration. Failure can then be reported to the IWF and SCS, either by the new serving node or the old serving node, to ensure that the user is alerted and can take appropriate action.
[0079] Certain embodiments can also apply to a general monitoring service beyond MTC devices when a MTC-IWF is not deployed, for example. Monitoring service can be provided in the serving nodes or in the HSS and can generally be applied for all devices, including for example regular phones, as
well as being applied in a circuit switched (CS) domain.
[0080] An IWF in the above call flows, illustrated in Figures 3 through 6, can be modified to serve as an application server/monitoring server in the operator's network. In this case, the application server/monitoring server can directly register with the HSS, or could even be co-located with the HSS, and/or with the serving nodes. Registering with the HSS can avoid exposing the internal network topology of the visited network to different servers in the home network.
[0081] As an alternative, the network operator may decide to monitor certain events at all devices or according to certain device categories, such as all MTC devices, all smart phones, all iPhones, all dongles, and so forth. To enable this functionality, the subscription data in the HSS can contain the necessary information and the network can request the device identity from the user equipment. Subscription information can be downloaded to the serving nodes, such as MME, SGSN and MSC, during device registration, requesting the serving nodes to detect certain events and report to a pre-configured application server, or the serving nodes can simply add this information to charging or other records.
[0082] Certain embodiments can provide the ability for the networks to dynamically detect suspicious activities and report to the user subscribed for this service. Since many MTC devices may be present in unmanned location, sending personnel to monitor the device regularly requires human labor hours. Moreover, certain embodiments can provide a safety net in identifying suspicious activities as soon as they occur, hence increasing the chance of recovering a stolen device, or stopping hacking of a device.
[0083] Certain embodiments can use direct interfaces between MTC-IWF and the serving nodes, HSS and the serving nodes. Moreover, certain embodiments can monitor MSISDN-less devices in a "PS-only" deployment with a PS-only subscription. The same approach can be applied for monitoring devices with MSISDN in "CS" deployment with CS
subscription.
[0084] This kind of monitoring service can be offered by mobile network operators (MNOs) to their subscribers, both for machine to machine (M2M) devices and normal devices, to reduce theft and vandalism.
[0085] Figure 7 illustrates a method according to certain embodiments. As illustrated in Figure 7, a method can include, at 720, receiving a monitoring request regarding a user equipment or a category of devices. The method can also include, at 722, performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event. The method can further include, at 724, responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
[0086] The suspicious event can include at least one event of the following: a tracking update occurs from a location outside an area allowed for the user equipment or from a certain device category; the user equipment or the device category accesses a network outside an allowed time interval or at a forbidden time interval; the user equipment or the device category is subscribed for packet switched services only but is performing a location update to obtain voice service; or the user equipment or the device category has exceeded an allowed data usage limit. One example of a device category is the category of all smart phones, or all smart phones of a particular make or model. Other device categories can include all MTC devices, all regular phones, all smart meters, all tablets, or all dongles.
[0087] The monitoring activity can include selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
[0088] The method can additionally include, at 726, receiving a registration status response in response to the registering and, at 728, forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
[0089] The method can also include, at 710, requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event. The method can further include, at 712, receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
[0090] The requesting monitoring can include sending a monitoring request to a machine type communication interworking function.
[0091] The method can further include at 730, receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event. The method can also include, at 732, determining whether the monitoring is permitted. The method can further include, at 734, responding to the request based on whether the monitoring is permitted.
[0092] The method can additionally include, at 736, determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment. The method can also include, at 738, storing an identifier of the requestor of the monitoring.
[0093] The method, moreover, can include at 740, monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method can also include, at 742, detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices. The method can further include, at 744, reporting the occurrence to the requestor.
[0094] The reporting can include sending an indication of the user equipment's international mobile subscriber identity to the requestor.
[0095] The method can also include, at 750, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor. The method can further include, at 752, forwarding the report of the suspicious activity to the requestor.
[0096] The method can additionally include, at 754, receiving, in the report, a user equipment's international mobile subscriber identity. The method can also include, at 756, translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
[0097] The method additionally can include, at 760, receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment. The method can also include, at 762, reporting the suspicious activity to the user or the subscriber.
[0098] Figure 8 illustrates a system according to certain embodiments of the invention. In one embodiment, a system may include two devices, such as, for example, SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840. Each of these devices may include at least one processor, respectively indicated as 814, 824, 834, and 844. At least one memory is provided in each device, and indicated as 815, 825, 835, and 845, respectively. The memory may include computer program instructions or computer code contained therein. Transceivers 816, 826, 836, and 846 are provided, and each device may also include an antenna, respectively illustrated as 817, 827, 837, and 847. Other configurations of these devices, for example, may be provided. For example, SCS 810, MME/SGSN/MSC 820, HSS 830, and MTC-IWF 840 may be configured for wired communication, rather than wireless communication, and in such a case antennas 817, 827, 837, and 847 would illustrate any form of communication hardware, without requiring a conventional antenna.
[0099] Transceivers 816, 826, 836, and 846 can each, independently, be a transmitter, a receiver, or both a transmitter and a receiver, or a unit or device that is configured both for transmission and reception.
[0100] Processors 814, 824, 834, and 844 can be embodied by any computational or data processing device, such as a central processing unit
(CPU), application specific integrated circuit (ASIC), or comparable device. The processors can be implemented as a single controller, or a plurality of controllers or processors.
[0101] Memories 815, 825, 835, and 845 can independently be any suitable storage device, such as a non-transitory computer-readable medium. A hard disk drive (HDD), random access memory (RAM), flash memory, or other suitable memory can be used. The memories can be combined on a single integrated circuit as the processor, or may be separate therefrom. Furthermore, the computer program instructions stored in the memory and which may be processed by the processors can be any suitable form of computer program code, for example, a compiled or interpreted computer program written in any suitable programming language.
[0102] The memory and the computer program instructions can be configured, with the processor for the particular device, to cause a hardware apparatus such as SCS 810, MME/SGSN/MSC 820, HSS 830, or MTC-IWF 840, to perform any of the processes described above (see, for example, Figures 3-7). Therefore, in certain embodiments, a non-transitory computer-readable medium can be encoded with computer instructions that, when executed in hardware, perform a process such as one of the processes described herein. Alternatively, certain embodiments of the invention can be performed entirely in hardware.
[0103] Furthermore, although Figure 8 illustrates a system including an SCS, MME/SGSN/MSC, HSS, and MTC-IWF, embodiments of the invention may be applicable to other configurations, and configurations involving additional elements, as illustrated herein.
[0104] One having ordinary skill in the art will readily understand that the invention as discussed above may be practiced with steps in a different order, and/or with hardware elements in configurations which are different than those which are disclosed. Therefore, although the invention has been described based upon these preferred embodiments, it would be apparent to
those of skill in the art that certain modifications, variations, and alternative constructions would be apparent, while remaining within the spirit and scope of the invention. In order to determine the metes and bounds of the invention, therefore, reference should be made to the appended claims.
[0105] Glossary of Abbreviations
[0106] IMSI - International Mobile Subscriber Identity
[0107] M2M, MTC - Machine Type Communication
[0108] OA&M - Operation, Administration and Maintenance
[0109] SIMTC - System Improvements for Machine Type Communication
(3 GPP Rel-1 1 work item)
[0110] SCS - Services Capability Server
[0111] IWF - Interworking Function
[0112] extID - External Identifier (could be NAI, URI or FQDN)
[0113] MSISDN - Mobile Subscriber Integrated Services Digital Network Number
[0114]UE - User Equipment
Claims
1. A method, comprising:
receiving a monitoring request regarding a user equipment or a category of devices;
performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
2. The method of claim 1, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
3. The method of claim 2, further comprising:
receiving a registration status response in response to the registering; and
forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
4. The method of claim 1, wherein the suspicious event comprises at least one event of the following: a tracking update occurs from a location outside an area allowed for the user equipment or from a certain device category; the user equipment or the device category accesses a network outside an allowed time interval or at a forbidden time interval; the user equipment or the device category is subscribed for packet switched services only but is performing a location update to obtain voice service; or the user equipment or the device category has exceeded an allowed data usage limit.
5. The method of claim 4, wherein the device category comprises a category of at least one of the following: smart phones, regular phones, machine type devices, smart meters, tablets, or dongles.
6. A method, comprising:
requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
7. The method of claim 6, wherein the requesting monitoring comprises sending a monitoring request to a machine type communication interworking function.
8. A method, comprising:
receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event;
determining whether the monitoring is permitted; and
responding to the request based on whether the monitoring is permitted.
9. The method of claim 8, further comprising:
determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
10. The method of claim 9, further comprising:
storing an identifier of the requestor of the monitoring.
11. A method, comprising:
monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
reporting the occurrence to the requestor.
12. The method of claim 11, wherein the reporting comprises sending an indication of the user equipment's international mobile subscriber identity to the requestor.
13. The method of claim 11, wherein the reporting comprises sending a report to a machine type communication interworking function.
14. A method, comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forwarding the report of the suspicious activity to the requestor.
15. The method of claim 14, further comprising:
receiving, in the report, a user equipment's international mobile subscriber identity; and
translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
16. A method, comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
reporting the suspicious activity to the user or the subscriber.
17. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a monitoring request regarding a user equipment or a category of devices;
perform a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
respond to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
18. The apparatus of claim 17, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
19. The apparatus of claim 18, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to:
receive a registration status response in response to the registering; and forward the registration status toward a source of the monitoring request while responding to the monitoring request.
20. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receive a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
21. The apparatus of claim 20, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to request the monitoring by sending a monitoring request to a machine type communication interworking function.
22. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a request for monitoring a user equipment or category of devices with respect to at least one suspicious event;
determine whether the monitoring is permitted; and
respond to the request based on whether the monitoring is permitted.
23. The apparatus of claim 22, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to determine whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, and to respond to the request based on the subscriber agreement of the user equipment.
24. The apparatus of claim 23, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to store an identifier of the requestor of the monitoring.
25. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to monitor for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; detect an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
report the occurrence to the requestor.
26. The apparatus of claim 25, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to report the occurrence by sending an indication of the user equipment's international mobile subscriber identity to the requestor.
27. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forward the report of the suspicious activity to the requestor.
28. The apparatus of claim 27, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to:
receive, in the report, a user equipment's international mobile subscriber identity; and
translate the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
29. An apparatus, comprising:
at least one processor; and
at least one memory including computer program code,
wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to receive a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
report the suspicious activity to the user or the subscriber.
30. An apparatus, comprising:
receiving means for receiving a monitoring request regarding a user equipment or a category of devices;
performing means for performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
responding means for responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
31. The apparatus of claim 30, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
32. The apparatus of claim 31, further comprising:
receiving means for receiving a registration status response in response to the registering; and
forwarding means for forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
33. An apparatus, comprising:
requesting means for requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receiving means for receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
34. The apparatus of claim 33, wherein the requesting monitoring comprises sending a monitoring request to a machine type communication interworking function.
35. An apparatus, comprising:
receiving means for receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event; determining means for determining whether the monitoring is permitted; and
responding means for responding to the request based on whether the monitoring is permitted.
36. The apparatus of claim 35, further comprising:
determining means for determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
37. The apparatus of claim 36, further comprising:
storing means for storing an identifier of the requestor of the monitoring.
38. An apparatus, comprising:
monitoring means for monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor;
detecting means for detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
reporting means for reporting the occurrence to the requestor.
39. The apparatus of claim 38, wherein the reporting comprises sending an indication of the user equipment's international mobile subscriber identity to the requestor.
40. An apparatus, comprising:
receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forwarding means for forwarding the report of the suspicious activity to the requestor.
41. The apparatus of claim 40, further comprising:
receiving means for receiving, in the report, a user equipment's international mobile subscriber identity; and
translating means for translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
42. An apparatus, comprising:
receiving means for receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
reporting means for reporting the suspicious activity to the user or the subscriber.
43. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a monitoring request regarding a user equipment or a category of devices;
performing a monitoring activity regarding the user equipment or the category of devices with respect to at least one suspicious event; and
responding to the monitoring request indicating whether monitoring will be performed for the user equipment or the category of devices.
44. The non-transitory computer readable medium of claim 43, wherein the monitoring activity comprises selecting a serving node for monitoring services and registering the user equipment or the category of devices for monitoring service with the serving node.
45. The non-transitory computer readable medium of claim 44, the process further comprising:
receiving a registration status response in response to the registering; and
forwarding the registration status toward a source of the monitoring request while responding to the monitoring request.
46. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
requesting monitoring of a user equipment or a category of devices with respect to at least one suspicious event; and
receiving a response to the monitoring request, wherein the response indicates a registration status of the monitoring.
47. The non-transitory computer readable medium of claim 46, wherein the requesting monitoring comprises sending a monitoring request to a machine type communication interworking function.
48. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a request for monitoring a user equipment or category of devices with respect to at least one suspicious event;
determining whether the monitoring is permitted; and
responding to the request based on whether the monitoring is permitted.
49. The non-transitory computer readable medium of claim 48, the process further comprising:
determining whether monitoring is permitted under a subscriber agreement corresponding to the user equipment, wherein the responding is based on the subscriber agreement of the user equipment.
50. The non-transitory computer readable medium of claim 49, the process further comprising:
storing an identifier of the requestor of the monitoring.
51. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
monitoring for a suspicious event with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; detecting an occurrence of the suspicious event with respect to the user equipment or the category of devices; and
reporting the occurrence to the requestor.
52. The non-transitory computer readable medium of claim 51, wherein the reporting comprises sending an indication of the user equipment's international mobile subscriber identity to the requestor.
53. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a requestor; and
forwarding the report of the suspicious activity to the requestor.
54. The non-transitory computer readable medium of claim 53, the process further comprising:
receiving, in the report, a user equipment's international mobile subscriber identity; and
translating the user equipment's international mobile subscriber identity to an external identifier or mobile subscriber integrated services digital network number.
55. A non-transitory computer readable medium encoded with instructions that, when executed in hardware, perform a process, the process comprising:
receiving a report of suspicious activity with respect to a user equipment or a category of devices for which monitoring has been requested by a user or subscriber of the user equipment; and
reporting the suspicious activity to the user or the subscriber.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/391,793 US9294924B2 (en) | 2012-04-13 | 2012-04-13 | Monitoring suspicious events in a cellular network |
EP12874140.2A EP2836910B1 (en) | 2012-04-13 | 2012-04-13 | Monitoring suspicious events in a cellular network |
PCT/US2012/033511 WO2013154576A1 (en) | 2012-04-13 | 2012-04-13 | Monitoring suspicious events in a cellular network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2012/033511 WO2013154576A1 (en) | 2012-04-13 | 2012-04-13 | Monitoring suspicious events in a cellular network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013154576A1 true WO2013154576A1 (en) | 2013-10-17 |
Family
ID=49327991
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2012/033511 WO2013154576A1 (en) | 2012-04-13 | 2012-04-13 | Monitoring suspicious events in a cellular network |
Country Status (3)
Country | Link |
---|---|
US (1) | US9294924B2 (en) |
EP (1) | EP2836910B1 (en) |
WO (1) | WO2013154576A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2858301A4 (en) * | 2012-09-13 | 2015-07-29 | Huawei Device Co Ltd | Event reporting method and system |
EP3051710A1 (en) * | 2012-09-28 | 2016-08-03 | Intel Corporation | Machine type communication monitoring framework for 3gpp systems |
CN105981225A (en) * | 2013-12-10 | 2016-09-28 | At&T知识产权部有限合伙公司 | Quasi-optical coupler |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103812599B (en) * | 2012-11-05 | 2017-10-17 | 华为终端有限公司 | The method and equipment of the core network of a kind of transmission equipment triggering message |
KR102167870B1 (en) * | 2014-07-07 | 2020-10-20 | 콘비다 와이어리스, 엘엘씨 | Coordinated grouping for machine type communications group based services |
US10574331B2 (en) * | 2016-05-10 | 2020-02-25 | Nokia Technologies Oy | Antenna co-location and receiver assumptions |
US10887768B2 (en) * | 2016-07-13 | 2021-01-05 | T-Mobile Usa, Inc. | Mobile traffic redirection system |
US10506403B2 (en) | 2017-02-27 | 2019-12-10 | Oracle International Corporation | Methods, systems and computer readable media for providing integrated service capability exposure function (SCEF), service capability server (SCS) and application server (AS) services |
US11146577B2 (en) * | 2018-05-25 | 2021-10-12 | Oracle International Corporation | Methods, systems, and computer readable media for detecting and mitigating effects of abnormal behavior of a machine type communication (MTC) device |
CN110650489B (en) * | 2018-06-26 | 2022-02-15 | 华为技术有限公司 | Method and device for managing monitoring events |
CN112135310A (en) * | 2019-06-24 | 2020-12-25 | 中兴通讯股份有限公司 | Abnormal terminal identification method and device, storage medium and electronic device |
US11381955B2 (en) | 2020-07-17 | 2022-07-05 | Oracle International Corporation | Methods, systems, and computer readable media for monitoring machine type communications (MTC) device related information |
US11700510B2 (en) | 2021-02-12 | 2023-07-11 | Oracle International Corporation | Methods, systems, and computer readable media for short message delivery status report validation |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060218395A1 (en) * | 2005-03-23 | 2006-09-28 | Oracle International Corporation | Device agent |
US20090271469A1 (en) * | 2008-04-28 | 2009-10-29 | Benco David S | Method and apparatus for IMS support for multimedia session, recording, analysis and storage |
US20100023598A9 (en) * | 2003-06-09 | 2010-01-28 | Andrew Ginter | Event monitoring and management |
WO2011054299A1 (en) | 2009-11-06 | 2011-05-12 | 中兴通讯股份有限公司 | Method and system for obtaining information of machine type communication terminal |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6119236A (en) * | 1996-10-07 | 2000-09-12 | Shipley; Peter M. | Intelligent network security device and method |
US7376969B1 (en) * | 2002-12-02 | 2008-05-20 | Arcsight, Inc. | Real time monitoring and analysis of events from multiple network security devices |
US20040158630A1 (en) * | 2003-02-12 | 2004-08-12 | Chang Tsung-Yen Dean | Monitoring and controlling network activity in real-time |
WO2006098668A1 (en) * | 2005-03-18 | 2006-09-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Lawful interception of unauthorized subscribers and equipments |
US8196205B2 (en) * | 2006-01-23 | 2012-06-05 | University Of Washington Through Its Center For Commercialization | Detection of spyware threats within virtual machine |
JP4829347B2 (en) * | 2006-08-01 | 2011-12-07 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | Method and apparatus for collecting user activity in a communication system |
EP2156691B1 (en) * | 2007-05-28 | 2016-12-14 | Telefonaktiebolaget LM Ericsson (publ) | User equipment tracing in a wireless communications network |
KR100864867B1 (en) * | 2007-12-05 | 2008-10-23 | 한국전자통신연구원 | The method and apparatus for detecting malicious file in mobile terminal |
KR101167939B1 (en) * | 2010-01-08 | 2012-08-02 | 엘지전자 주식회사 | Method for monitoring machine type communication device in mobile communications system |
US8438278B2 (en) * | 2010-05-03 | 2013-05-07 | Htc Corporation | Methods for monitoring and reporting MTC events |
US9042864B2 (en) * | 2011-12-19 | 2015-05-26 | International Business Machines Corporation | Appliance in a mobile data network that spans multiple enclosures |
US8782387B2 (en) * | 2011-12-31 | 2014-07-15 | International Business Machines Corporation | Secure boot of a data breakout appliance with multiple subsystems at the edge of a mobile data network |
-
2012
- 2012-04-13 US US14/391,793 patent/US9294924B2/en active Active
- 2012-04-13 EP EP12874140.2A patent/EP2836910B1/en active Active
- 2012-04-13 WO PCT/US2012/033511 patent/WO2013154576A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100023598A9 (en) * | 2003-06-09 | 2010-01-28 | Andrew Ginter | Event monitoring and management |
US20060218395A1 (en) * | 2005-03-23 | 2006-09-28 | Oracle International Corporation | Device agent |
US20090271469A1 (en) * | 2008-04-28 | 2009-10-29 | Benco David S | Method and apparatus for IMS support for multimedia session, recording, analysis and storage |
WO2011054299A1 (en) | 2009-11-06 | 2011-05-12 | 中兴通讯股份有限公司 | Method and system for obtaining information of machine type communication terminal |
Non-Patent Citations (1)
Title |
---|
See also references of EP2836910A4 |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2858301A4 (en) * | 2012-09-13 | 2015-07-29 | Huawei Device Co Ltd | Event reporting method and system |
EP3051710A1 (en) * | 2012-09-28 | 2016-08-03 | Intel Corporation | Machine type communication monitoring framework for 3gpp systems |
US9942791B2 (en) | 2012-09-28 | 2018-04-10 | Intel Corporation | Machine type communication monitoring framework for 3GPP systems |
EP3370344A1 (en) * | 2012-09-28 | 2018-09-05 | Intel Corporation | Machine type communication monitoring framework for 3 gpp systems |
US10524156B2 (en) | 2012-09-28 | 2019-12-31 | Intel Corporation | Machine type communication monitoring framework for 3GPP systems |
US11089500B2 (en) | 2012-09-28 | 2021-08-10 | Apple Inc. | Machine type communication monitoring framework for 3GPP systems |
CN105981225A (en) * | 2013-12-10 | 2016-09-28 | At&T知识产权部有限合伙公司 | Quasi-optical coupler |
Also Published As
Publication number | Publication date |
---|---|
EP2836910B1 (en) | 2020-02-19 |
EP2836910A4 (en) | 2015-12-30 |
US9294924B2 (en) | 2016-03-22 |
EP2836910A1 (en) | 2015-02-18 |
US20150111533A1 (en) | 2015-04-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2836910B1 (en) | Monitoring suspicious events in a cellular network | |
EP3941112B1 (en) | Location-based context delivery | |
CN109041089B (en) | Information processing method and device | |
US9794772B2 (en) | Machine type communication interworking function | |
US9026082B2 (en) | Terminal identifiers in a communications network | |
EP2498526B1 (en) | Method and system for obtaining information of machine type communication terminal | |
US9241254B2 (en) | Method and system for determining reachability of terminal group | |
US20130332627A1 (en) | Enabling ip-communication with a machine to machine unit | |
JP2016524393A (en) | Proximity service permission method, apparatus and system | |
EP3205132A1 (en) | Correlation identifier for user plane congestion and other use cases | |
CN106664540B (en) | Method, device and system for detecting abnormality of terminal equipment | |
US9380478B2 (en) | Updating method for trigger message counter, machine type communication server and terminal | |
WO2014071171A2 (en) | Method and apparatus for machine-type communication device monitoring | |
CN108282814B (en) | User equipment information monitoring method, device and system | |
WO2011134370A1 (en) | Machine type communication event reporting method and system thereof | |
US10524114B2 (en) | Subscription fall-back in a radio communication network | |
EP3163920A1 (en) | Method for processing prose service authorization change, first network element and second network element | |
EP2865199A1 (en) | Machine type communication interworking function | |
US10827347B1 (en) | Dynamic identities in a mobile device | |
WO2013139073A1 (en) | Method and system for sending terminal monitoring report | |
US11050799B2 (en) | Methods and devices for registering a user equipment, UE, with low access priority in an internet protocol based multimedia subsystem, IMS | |
US8855673B2 (en) | Network location management entity | |
WO2015090436A1 (en) | Method of improving security in a communication network and authentication entity | |
US20150163619A1 (en) | System, apparatus, and method for triggering roaming mtc device | |
WO2013164363A1 (en) | Method to initiate priority alarm in a cellular network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12874140 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2012874140 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14391793 Country of ref document: US |