WO2015145218A1 - An intelligent service broker based upon gba and guss mechanism - Google Patents


Info

Publication number
WO2015145218A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
user profile
attributes
generic
server
Application number
PCT/IB2014/060279
Other languages
French (fr)
Inventor
Andre Poulin
Zhongwen Zhu
Richard Joseph Brunner
Original Assignee
Telefonaktiebolaget L M Ericsson (Publ)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0884: Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102: Entity profiles
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866: Architectures; Arrangements
    • H04L 67/30: Profiles
    • H04L 67/306: User profiles
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04W 4/00: Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/02: Services making use of location information

Definitions

  • the embodiment of Figure 2A also illustrates an optimization server 133 as containing a network adapter 223, a memory 225, and a processor 221, the processor 221 linked to the network adapter 223 and the memory 225.
  • the processor 221 is operable to execute an optimization agent 227.
  • the processor 231 can be a microprocessor, an ASIC, a state machine, or other processor, and can be any of a number of computer processors.
  • processors include, or may be in communication with, media, for example computer-readable media, which stores instructions that, when executed by the processor, cause the processor to perform the steps described herein.
  • the customization is performed by sending a request over the network to the HSS/HLR 121, the request notifying the HSS/HLR 121 to update the generic user profile into a customized user profile that includes information about the user's registration, such as the user's username or another attribute.
  • the provisioning agent 217 may be co-located on the HSS/HLR 121, in which case the request need not be sent over the network.


Abstract

Methods and systems for provisioning of a generic user profile (491), customizing the generic user profile into a customized user profile (493), and optimizing a list of attributes of target users (495) within a network utilizing Generic Bootstrapping Architecture (GBA). According to one embodiment, a provisioning agent receives a list of attributes of target users for a service from the network operator (301), selects a set of users matching the attributes (311), provisions generic user profiles for these target users and stores them within a Home Subscriber Server (HSS) or a Home Location Registry (HLR) (321). The provisioning agent then customizes a target user's generic user profile into a customized user profile when the target user registers with the service (341). In some embodiments, an optimization agent then uses the attributes of registered users to optimize the list of attributes so that target users are selected that are more likely to register (351).

Description

AN INTELLIGENT SERVICE BROKER BASED UPON GBA AND GUSS MECHANISM
TECHNICAL FIELD
[0001] Embodiments of the invention relate to the field of cellular network user authentication; and more specifically, to User Security Settings in a Generic Bootstrapping Architecture used in a Third Generation Partnership Project (3GPP) network.
BACKGROUND
[0002] As mobile technologies have improved and high-speed networks increased in size, the number of mobile devices, tablets, and other similar user equipment capable of using a variety of services from different service providers has substantially increased. Such services may include, for example, video conferencing services, voice over IP services, push-to-talk services, streaming video services, or any number of services accessible by user equipment. As use of such user equipment has become more prevalent, users, network operators, and service providers alike have become more aware of a growing need for security precautions that are protective, flexible, and scalable.
[0003] In such advanced communications networks, such as Third Generation mobile communication networks currently under development by the Third Generation Partnership Project (3GPP), security and trustworthiness are particularly important aspects to ensure proper identities of users and service providers.
[0004] One method of authenticating users and user equipment in existing Third Generation Partnership Project (3GPP) networks is performed through the Generic Bootstrapping Architecture (GBA). GBA refers to a network setup that is designed to authenticate a mobile device and its owner using a user profile, including GBA User Security Settings (GUSS), stored in a Home Subscriber Server (HSS). It is initiated by shared secrets between the User Equipment and the Bootstrapping Server Function (BSF), as well as between the User Equipment and the Service Provider.
[0005] Under some GBA implementations, a network authentication method such as 3GPP's standardized Authentication and Key Agreement (AKA) method is used in a bootstrapping procedure to create a generic key as the basis for generation of further keys related to network services. A Network Application Function (NAF), implementing network services and belonging to a specific operator network, may communicate with a network "Bootstrapping Server Function" (BSF) to receive a session key related to the NAF entity. The user equipment (UE), implementing the same method for authentication as the network, may derive the same generic key and therefrom derive the same session key. This is specified in more detail in 3GPP TS 33.220 Generic Bootstrapping Architecture.
[0006] In some situations, GBA/GAA is deployed through an HTTP proxy. TS 33.222 specifies an Authentication Proxy (AP), which is a reverse HTTP proxy operating as a NAF entity for the UE on behalf of one or more Application Servers.
[0007] During the bootstrapping procedure, the BSF accesses network entities such as the "Home Subscriber Server" (HSS) or "Home Location Register" (HLR) that contain GBA User Security Settings (GUSS).
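The key derivation that [0005] summarizes, as an added example that is not part of the patent: after AKA both the UE and the BSF hold CK and IK, form Ks = CK || IK, and derive a NAF-specific key with the TS 33.220 Annex B KDF, so the NAF only ever receives Ks_NAF over Zn and two different NAFs receive unrelated keys. The IMPI, RAND, CK/IK, FQDNs and the five-octet Ua security protocol identifier are constructed sample values.

```python
import base64
import hashlib
import hmac

FC_GBA = b"\x01"   # function code of the GBA key derivation (TS 33.220 Annex B)


def kdf(key: bytes, *params: bytes) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...),
    where each Li is the 2-octet big-endian length of Pi."""
    s = FC_GBA
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_fqdn: str, ua_proto: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id); NAF_Id = FQDN || Ua security protocol id."""
    naf_id = naf_fqdn.encode("utf-8") + ua_proto
    return kdf(ks, b"gba-me", rand, impi.encode("utf-8"), naf_id)


def make_btid(rand: bytes, bsf_domain: str) -> str:
    """B-TID = base64(RAND)@<BSF domain>: names the bootstrapped session without exposing Ks."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain


class BSF:
    """Bootstrapping Server Function: keeps Ks and hands out NAF-specific keys over Zn."""

    def __init__(self, domain: str):
        self.domain = domain
        self._sessions = {}   # B-TID -> (IMPI, RAND, Ks)

    def bootstrap(self, impi: str, rand: bytes, ck: bytes, ik: bytes) -> str:
        """After AKA over Ub both sides hold CK and IK; Ks = CK || IK is stored, the B-TID returned."""
        btid = make_btid(rand, self.domain)
        self._sessions[btid] = (impi, rand, ck + ik)
        return btid

    def naf_key(self, btid: str, naf_fqdn: str, ua_proto: bytes) -> bytes:
        """Zn request from a NAF (or an authentication proxy acting as NAF): only Ks_NAF leaves."""
        impi, rand, ks = self._sessions[btid]
        return derive_ks_naf(ks, rand, impi, naf_fqdn, ua_proto)


class UE:
    """User equipment: derives the same Ks from its own AKA run and the same Ks_NAF per NAF."""

    def __init__(self, impi: str, rand: bytes, ck: bytes, ik: bytes):
        self.impi, self.rand, self.ks = impi, rand, ck + ik

    def naf_key(self, naf_fqdn: str, ua_proto: bytes) -> bytes:
        return derive_ks_naf(self.ks, self.rand, self.impi, naf_fqdn, ua_proto)


def run_example():
    # Constructed sample values; a real run obtains RAND, CK and IK from the AKA exchange.
    impi = "user1@operator.example"
    rand = bytes(range(16))
    ck, ik = b"\x11" * 16, b"\x22" * 16
    ua_proto = b"\x01\x00\x01\x00\x2f"   # constructed 5-octet Ua security protocol identifier

    bsf = BSF("bsf.operator.example")
    btid = bsf.bootstrap(impi, rand, ck, ik)            # Ub: AKA bootstrapping
    ue = UE(impi, rand, ck, ik)

    # Ua: the UE presents the B-TID to the NAF; Zn: the NAF fetches Ks_NAF for that B-TID.
    k_ue_a = ue.naf_key("conf.provider.example", ua_proto)
    k_naf_a = bsf.naf_key(btid, "conf.provider.example", ua_proto)
    # A second service gets an unrelated key, so one NAF learns nothing usable at another.
    k_naf_b = bsf.naf_key(btid, "voip.provider.example", ua_proto)
    return {"btid": btid, "match": k_ue_a == k_naf_a,
            "isolated": k_naf_a != k_naf_b, "key_len": len(k_naf_a)}
```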
SUMMARY
[0008] A method implemented by a provisioning server in an operator domain of a network that utilizes a Generic Bootstrapping Architecture is described, the method to provision a generic user profile to authenticate communication between a user equipment device and an application server running a service, and the method to customize the generic user profile into a customized user profile. The method includes receiving a list of attributes of target users of the service from an operator of the network, or from a service provider of the service. The method also includes selecting a set of target users such that each target user in the set of target users has at least one attribute in the list, where each target user in the set of target users has not yet registered with the service. The method also includes provisioning a generic user profile for each target user in the set of target users and storing the generic user profile in a home subscriber server. The method also includes customizing the generic user profile of a target user from the set of target users into the customized user profile via communication with the home subscriber server when the target user registers with the service.
[0009] A provisioning system is described operating in an operator domain of a network that utilizes a Generic Bootstrapping Architecture. The system is used for provisioning a generic user profile used to authenticate communication between a user equipment device and an application server running a service. The system is also used for customizing the generic user profile into a customized user profile. The system comprises a memory and a processor, the processor coupled to the memory. The processor is operative to execute a provisioning agent. The provisioning agent is operable to receive a list of attributes of target users from an operator of the network or from a service provider of the service, to select a set of target users such that each target user in the set has at least one attribute in the list and has not yet registered with the service, to provision the generic user profile for each target user in the set of target users and to store the generic user profile in a home subscriber server, and to customize the generic user profile into the customized user profile via communication with the home subscriber server when the target user from the set of target users registers with the service.
[0010] A non-transitory machine-readable storage medium is described that stores instructions that, if executed by a processor of an optimization server in a network, will cause said processor to perform operations for optimizing a list of attributes of target users by using data regarding the attributes of one or more target users of a service who have registered with the service run from an application server. One operation is receiving, from an operator of the network or from a service provider of the service, the list of attributes of target users. Another operation is receiving, from the application server through an authentication proxy server, the data regarding the attributes of the one or more target users of the service who have registered with the service. Another operation is modifying the list of attributes such that the modified list includes or more closely matches one or more attributes shared by at least a subset of the one or more target users of the service who have registered with the service.
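The provisioning, customization and optimization steps of [0008] to [0010] as one in-memory walk-through, an added example rather than the patent's own code: the HSS stand-in, the subscriber population, the attribute tags, the SLA template and the 50% sharing threshold in the optimizer are all constructed assumptions. Customization only copies fields the template marks customizable, so registration data outside the SLA never reaches the profile.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Subscriber:
    """Operator-side subscriber record; attribute tags are constructed sample values."""
    impi: str
    attributes: frozenset
    registered: set = field(default_factory=set)   # services this user has registered with


class HSS:
    """Stand-in for the HSS/HLR profile store, keyed by (service, IMPI)."""

    def __init__(self):
        self.profiles = {}

    def store(self, service, impi, profile):
        self.profiles[(service, impi)] = dict(profile)

    def update(self, service, impi, extra):
        self.profiles[(service, impi)].update(extra)

    def delete(self, service, impi):
        self.profiles.pop((service, impi), None)

    def get(self, service, impi):
        return self.profiles.get((service, impi))


class ProvisioningAgent:
    """Steps of [0008]: select targets, provision generic profiles, customize on registration."""

    def __init__(self, hss, subscribers):
        self.hss = hss
        self.subscribers = {s.impi: s for s in subscribers}

    def select_targets(self, service, attribute_list):
        """A target shares at least one listed attribute and has not yet registered."""
        wanted = set(attribute_list)
        return sorted(s.impi for s in self.subscribers.values()
                      if s.attributes & wanted and service not in s.registered)

    def provision(self, service, targets, template):
        """One generic profile per target, derived from the SLA template, stored in the HSS."""
        for impi in targets:
            self.hss.store(service, impi, {**template, "status": "generic"})

    def customize(self, service, impi, registration):
        """On registration, turn the generic profile into a customized one; only fields the
        template marks customizable are taken from the registration data."""
        profile = self.hss.get(service, impi)
        if profile is None or profile["status"] != "generic":
            raise KeyError(f"no generic profile for {impi} on {service}")
        extra = {k: v for k, v in registration.items() if k in profile["customizable"]}
        self.hss.update(service, impi, {**extra, "status": "customized"})
        self.subscribers[impi].registered.add(service)
        return self.hss.get(service, impi)

    def expire_unregistered(self, service):
        """Delete generic profiles whose target never registered (Block 331 in the patent)."""
        stale = sorted(impi for (svc, impi), p in self.hss.profiles.items()
                       if svc == service and p["status"] == "generic")
        for impi in stale:
            self.hss.delete(service, impi)
        return stale


class OptimizationAgent:
    """Step of [0010]: reshape the attribute list from the attributes of registered users."""

    def optimize(self, attribute_list, registered, min_share=0.5):
        """Keep listed attributes that at least one registered user has and add attributes
        shared by at least min_share of them; the threshold is this example's assumption."""
        counts = Counter(a for u in registered for a in u.attributes)
        kept = [a for a in attribute_list if counts[a] > 0]
        added = sorted(a for a, c in counts.items()
                       if a not in attribute_list and c / len(registered) >= min_share)
        return kept + added


def run_example():
    subscribers = [   # constructed sample population
        Subscriber("user1@op.example", frozenset({"age:18-25", "city:montreal", "plan:5g"})),
        Subscriber("user2@op.example", frozenset({"age:26-35", "city:montreal"})),
        Subscriber("user3@op.example", frozenset({"age:18-25", "city:toronto", "plan:5g"})),
        Subscriber("user4@op.example", frozenset({"age:50+", "city:ottawa"})),
    ]
    hss = HSS()
    agent = ProvisioningAgent(hss, subscribers)
    service, attribute_list = "video-conf", ["age:18-25", "city:montreal"]
    template = {"service": service, "customizable": ["username"]}   # constructed SLA template

    targets = agent.select_targets(service, attribute_list)   # user1, user2, user3; user4 matches nothing
    agent.provision(service, targets, template)
    # user1 and user3 register; "password" is dropped because the template does not allow it.
    profile = agent.customize(service, "user1@op.example", {"username": "alice", "password": "hunter2"})
    agent.customize(service, "user3@op.example", {"username": "carol"})
    expired = agent.expire_unregistered(service)   # user2 never registered
    registered = [s for s in subscribers if service in s.registered]
    new_list = OptimizationAgent().optimize(attribute_list, registered)
    return {"targets": targets, "profile": profile, "expired": expired, "new_list": new_list}
```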
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention. In the drawings:
[0012] Figure 1A is a diagram of one embodiment illustrating an exemplary way to implement a 3GPP network that includes a provisioning agent and an optimization agent in the operator domain, and connects to a service provider's application servers through an intelligent service broker, and also connects to a User Equipment.
[0013] Figure 1B is a diagram of one embodiment illustrating an exemplary way in which an operator 161 may manage the operator domain 111 of a 3GPP network, and in which a service provider administrator 163 may manage the service provider domain 141.
[0014] Figure 2A is a diagram of one embodiment illustrating an exemplary provisioning agent and an exemplary optimization agent as separate hardware nodes as well as the connections of these nodes within the operator domain of the network.
[0015] Figure 2B is a diagram of one embodiment illustrating an exemplary provisioning agent and an exemplary optimization agent as co-located software components of the same hardware node as well as the connections of this node within the operator domain of the network.
[0016] Figure 3A is a flow chart of one embodiment illustrating the provisioning of the generic user profile, the customization of the generic user profile into a customized user profile, and the optimization of the list of attributes of target users, from the perspective of a combined hardware node that includes a provisioning agent and an optimization agent as software components.
[0017] Figure 3B is a flow chart of one embodiment illustrating the provisioning of the generic user profile, the customization of the generic user profile into a customized user profile, and the optimization of the list of attributes of target users, from the perspective of a combined hardware node that includes a provisioning agent and an optimization agent as software components.
[0018] Figure 3C is a flow chart of one embodiment illustrating the optimization of the list of attributes of target users from the perspective of an optimization agent that is executed by a separate hardware node than the provisioning agent is executed by.
[0019] Figure 4 is a flow diagram of one embodiment illustrating one possible sequence of communications between hardware nodes in a 3GPP network with a provisioning agent and an optimization agent during provisioning of the generic user profile, customization of the generic user profile into a customized user profile, and optimization of the list of attributes of target users.
[0020] Figure 5 is a table diagram relevant to one embodiment illustrating an example of the data that may be stored in an HSS/HLR 121.
DESCRIPTION OF EMBODIMENTS
[0021] The following description describes methods and systems for provisioning of a generic user profile, customizing the generic user profile into a customized user profile, and optimizing a list of attributes of target users within a Third Generation Partnership Project (3GPP) utilizing Generic Bootstrapping Architecture (GBA).
[0022] In the following description, numerous specific details such as logic implementations, resource partitioning/sharing/duplication implementations, types and interrelationships of system components, and logic partitioning/integration choices are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.
[0023] References in the specification to "one embodiment," "an embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
[0024] Bracketed text and blocks with dashed borders (e.g., large dashes, small dashes, dot- dash, and dots) may be used herein to illustrate optional operations or relationships between components that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.
[0025] In the following description and claims, the terms "coupled" and "connected," along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. "Coupled" is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other. "Connected" is used to indicate the establishment of communication between two or more elements that are coupled with each other.
[0026] Figure 1A is an illustration of a Third Generation Partnership Project (3GPP) network architecture in which embodiments of the present invention can be deployed. In the embodiment of Figure 1A, network connections between an Operator Domain 111, a Service Provider Domain 151, and a user equipment (UE) 101 are shown.
[0027] The terminology "user equipment" as used herein includes, but is not limited to, a mobile station, a fixed or mobile subscriber unit, a pager, a cellular telephone, a tablet device, a wearable electronic device, a digital music player, a personal digital assistant (PDA), a navigation system, an onboard vehicle control system, a computer, or any other type of user device capable of operating in a wireless environment. In some embodiments, the user equipment includes a universal integrated circuit card (UICC) containing a Universal Subscriber Identity Module (USIM) or IP Multimedia Services Identity Module (ISIM) that supports Hypertext Transfer Protocol (HTTP) Digest AKA (Authentication & Key Agreement) and NAF (Network Application Function) specific protocols. In some embodiments, a user equipment can store user subscriber information, authentication information, and further can contain storage for communications such as text messages.
[0028] The embodiment of Figure 1A organizes much of Operator Domain 111 according to the 3GPP Generic Bootstrapping Architecture (GBA) standard. In the illustrated embodiment, the network includes a Bootstrapping Server Function (BSF) node 115 and an Authentication Proxy 113. These network elements are involved in the initial authentication process, described further in this specification, which occurs when a UE 101 or software executed by the processor of a UE 101 initially tries to access an application server. In the embodiment shown in Figure 1A, the BSF 115 and the authentication proxy 113 are depicted as two distinct hardware units. In such embodiments, the BSF 115 may communicate with the authentication proxy 113 using a Zn interface, or another appropriate interface. In such embodiments, the BSF 115 may communicate with the user equipment 101 using a Ub interface, or another appropriate interface. In such embodiments, the authentication proxy 113 may communicate with the user equipment 101 using a Ua interface, or another appropriate interface. In other embodiments, the BSF 115 and the authentication proxy 113 may be two software routines both co-located in the memory of a single machine and executed from the processor of that machine.
[0029] Also included in this embodiment is the home subscriber server (HSS) or home location registry (HLR) 121. Such servers are used to store GBA User Security Settings (GUSSs), which store application-specific user security settings which can generally relate to identification, authorization data, and encryption key data. The server 121 may be either an HSS or an HLR. Accordingly, the term "HSS/HLR" shall hereinafter be understood to indicate the server 121. The embodiment of Figure 1A places the HSS/HLR 121 between and connected to the BSF 115 and the Provisioning Server 131 as well as the Optimization Server 133. In some embodiments, the HSS/HLR 121 communicates with the provisioning server 131 and optimization server 133 using Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), or some combination thereof. In other embodiments, another appropriate protocol can be used for such communications. In some embodiments, the HSS/HLR 121 and the BSF 115 may communicate using a Zh interface, or another appropriate interface.
[0030] The Provisioning Server 131 and Optimization Server 133 are network elements within the Operator Domain 111 that connect to the HSS/HLR 121 and, in some embodiments, to a forwarding gateway 135. The provisioning server 131 and optimization server 133 execute the provisioning agent 217 and optimization agent 227, respectively. The embodiment of Figure 1A depicts the Provisioning Server 131 and the Optimization Server 133 as separate hardware nodes. Also illustrated is a forwarding gateway 135 and a charging data database 137. In some embodiments, the provisioning agent 217 and the optimization agent 227 are executed by the processor of a combined provisioning and optimization server 251. In some embodiments, such as the embodiment depicted in Figure 2B, this combined provisioning and optimization server 251 also includes the charging data database 137 and the functionality of the forwarding gateway 135. In some embodiments, these devices communicate between each other within the operator domain 111 of the network via Hypertext Transfer Protocol (HTTP). In other embodiments, another appropriate protocol can be used for such communications.
[0031] The forwarding gateway 135 forwards data from the provisioning server 131 and the optimization server 133 to the Service Provider Domain 141. In some embodiments, this is done over Hypertext Transfer Protocol Secure (HTTPS) and can be secured by Secure Sockets Layer (SSL) or Transport Layer Security (TLS). In other embodiments, another appropriate protocol can be used for such communications. In some embodiments, the forwarding gateway provides security protections, such as a firewall, for data entering into or exiting out of the operator domain 111. In some embodiments, the intelligent service broker 145 is also located within the operator domain 111, in which case the intelligent service broker 145 should, like the rest of the operator domain 111, be located behind the protections of the forwarding gateway 135. In some embodiments, the forwarding gateway 135 is a separate hardware computer that receives inputs from the Provisioning Server 131 and the Optimization Server 133 or from a combined provisioning and optimization server 251. In other embodiments, the forwarding gateway 135 may be a network device (ND). A network device is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices). Some network devices are "multiple services network devices" that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video). In yet other embodiments, as noted above, the forwarding gateway 135 may be part of a combined provisioning and optimization server 251. In some embodiments, the forwarding gateway 135 does not exist as a separate hardware device, in which case the provisioning server 131 and the optimization server 133 may communicate directly with the service provider domain 141, generally also over HTTPS or another appropriate protocol.
[0032] In some embodiments, a charging data database 137 that tracks charging data is also included in the network. "Charging data" as used herein refers to data regarding how much the service provider is to be charged for usage of the operator's network, or alternately how much the user is to be charged for usage of the operator's network. The charges for usage can be tracked using any metric or unit of currency. The database 137 can be any type of data structure such as a relational database or object oriented database that is managed by a database management system. In some embodiments, the database 137 may be located within the operator domain 111 but located externally from the other hardware and connected to the forwarding gateway 135, or in some embodiments, to the provisioning server 131, via the provisioning server 131's network adapter 213. Figure 1A and Figure 1B illustrate an embodiment in which the charging data database 137 is located within the operator domain 111 and is connected to both the provisioning server 131 and the forwarding gateway 135. In such embodiments, communication to and from the charging data database 137 may be performed via HTTP or another appropriate protocol. The intelligent service broker 145 is also able to access the charging data database 137. In embodiments in which the charging data database 137 is located within the operator domain 111, the intelligent service broker 145 accesses the charging data database 137 through the forwarding gateway 135, or, in some embodiments, through the provisioning server 131. In some embodiments, the charging data database 137 is located externally from the operator domain 111. In such cases, communication to and from the charging data database 137 may be performed via HTTPS, TLS, or another appropriate protocol. Further, in one embodiment in which the charging data database 137 is external from the operator domain 111, the intelligent service broker 145 can communicate directly with the charging data database 137 through HTTPS, TLS, or another appropriate protocol. An example of an embodiment in which the charging database 137 is not located within the memory of a different hardware node within the operator domain 111 might be a setup in which the database 137 is stored in the memory of a separate computer connected to the network, such as a structured query language (SQL) server, a web front-end server, a central administration server, an index server, a database server, an application server, a gateway server, a broker server, an active directory server, a terminal server, a virtualization services server, a virtualized server, a file server, a print server, an email server, a security server, a connection server, a search server, a license server, any other machine with similar functionality, or any combination thereof. Alternately, the database 137 could be stored in a "cloud" architecture or similar distributed storage architecture. In other embodiments, the database 137 may be stored in the memory of the forwarding gateway 135, in the memory 215 of the provisioning server 131, or in the memory 235 of a combined server 251. The latter two embodiments are illustrated in Figure 2A and Figure 2B, respectively.
[0033] The term "database" as used to refer to database 137 may refer to any data structure that may be used to store data. In addition to a relational or object oriented database, entity 137 can alternately be a table, a list, a matrix, an array, an arraylist, a tree, a hash, a flat file, an image, a queue, a heap, a memory, a stack, a set of registers, or any data structure that can hold data about one or more entities.
[0034] Each of the hardware nodes discussed above is an electronic device. An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code) and/or data using machine-readable media, such as non-transitory machine-readable media (e.g., machine-readable storage media such as magnetic disks, optical disks, read only memory, flash memory devices, phase change memory) and transitory machine-readable transmission media (e.g., electrical, optical, acoustical or other form of propagated signals, such as carrier waves, infrared signals). Thus, an electronic device (e.g., a computer) includes hardware and software, such as a set of one or more processors coupled to one or more non-transitory machine-readable storage media (to store code for execution on the set of processors and data) and a set of one or more physical network interface(s) to establish network connections (to transmit code and/or data using propagating signals). One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
[0035] The service provider domain 141 of the network illustrated in Figure 1A includes an intelligent service broker 145 that is, in some embodiments, directly connected to the service provider's application servers (e.g. 151, 153, 155) that execute services requested by user equipment 101. In some embodiments, the application servers (e.g. 151, 153, 155) are deployed in a "cloud" or similar distributed computing system environment 143. In some embodiments, the intelligent service broker 145 is further accessible through this cloud environment 143, allowing the intelligent service broker 145 to be accessed by the service provider administrator 163 or the application servers (e.g. 151, 153, 155) via HTTP, HTTPS, FTP, TLS, or some other appropriate protocol. In some embodiments, the intelligent service broker can provide some application programming interfaces (APIs) (e.g., a representational state transfer (REST) API) that individual application servers can utilize to get information about target users, or even to select target users or help define the list of attributes of target users. The service provider domain 141 is further explained in reference to Figure 1B.
[0036] Figure 1B is a diagram of one embodiment illustrating an exemplary way in which an operator 161 may manage the operator domain 111 of a 3GPP network, and in which a service provider administrator 163 may manage the service provider domain 141.
[0037] In some embodiments, the operator 161 manages the provisioning server 131, optimization server 133, and the service provider application servers (151, 153, 155). This takes place at the beginning of the "provisioning" stage 491, as discussed in reference to Figure 3A and Figure 3B.
[0038] In the embodiment pictured in Figure 1B, the user 165 manages the user equipment 101. The user 165 is relevant to the invention in that certain attributes of the user equipment 101, and in some embodiments, of the user 165 themselves, affect whether or not the user 165 is selected as a target user, as discussed further in relation to Figure 3A. For example, these attributes can include any one of a current location, age or age group, time zone, place of residence, username, password, real name, email address, internet provider, gender, past behavior, past service usage, credit rating, financial history, gaming history, device preferences, personal preferences, employment status, employment history, marital status, area code, social network use, social network contacts, phone contacts, media-viewing history, advertisement-viewing history, purchase history, current date, current time, current weather conditions, future or past weather conditions, body temperature, heart rate, blood sugar or insulin measurement, medical device output, fitness device output, wearable device output, reading history, purchase history, stored music, stored documents, stored photos, business reviews, or product reviews. The user 165 is also relevant to the invention in that a decision by the user 165 of whether or not to register for the service can affect whether or not the user's generic user profile is customized or eventually deleted (see Block 331 of Figure 3A).
[0039] In the embodiment pictured in Figure 1B, the service provider administrator 163, who is a dedicated administrator for a single service provider, manages engagement between the service provider domain 141 and the operator domain 111 through the intelligent service broker 145. In some embodiments, for example, the intelligent service broker 145 allows the service provider administrator 163 to sign a service layer agreement (SLA) about services to be offered to user equipment devices 101 through the operator's network. This SLA may then dictate the details of a template user profile that is the basis of the generic user profiles of that service. The SLA may also dictate the customizations allowed for a customized user profile. Additionally, in some embodiments, the intelligent service broker 145 allows the service provider administrator 163 to directly define the template user profile. Additionally, in some embodiments, the intelligent service broker 145 allows the service provider administrator 163 to define the list of attributes of target users, or even to select a set of target users. In some embodiments, the intelligent service broker 145 is provided by the operator 161, and may even be located within the operator domain 111. In some embodiments, the intelligent service broker 145 can also be used by the service provider administrator 163 as a management tool to manage services deployed in the service provider domain 141. If the intelligent service broker is located in the operator domain 111, in one embodiment it can be located behind the protection of the forwarding gateway 135, which can provide security functions such as a firewall for data entering and leaving the operator domain 111. In some embodiments, the intelligent service broker 145 is a computer system including a user interface through which a service provider administrator 163 can perform management operations over the application servers (e.g., 151, 153, 155). 
In such embodiments, the intelligent service broker 145 can communicate with the application servers (e.g., 151, 153, 155) via HTTPS or another appropriate protocol. In other embodiments, the intelligent service broker 145 can be a network device as defined earlier in reference to the forwarding gateway 135. Specifically, the intelligent service broker 145 can be an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices). Some network devices are "multiple services network devices" that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video). In some embodiments, the intelligent service broker 145 does not exist as a separate hardware device, in which case the network components in the operator domain 111 may communicate directly with application servers (e.g. 151, 153, 155), generally also over HTTPS or another appropriate protocol.
[0040] In some embodiments, the application servers (e.g. 151, 153, 155) are deployed in a "cloud" or similar distributed computing system environment 143. In some embodiments, the intelligent service broker 145 is further accessible to the service provider administrator 163 through either the same cloud environment 143 or a separate cloud environment. In other embodiments, as noted above, the intelligent service broker 145 may be located within the operator domain 111.
[0041] Figure 2A is a diagram of one embodiment illustrating a provisioning server 131 and an optimization server 133 as separate hardware nodes, as well as the connections of these nodes within the operator domain of the network.
[0042] The embodiment of Figure 2A illustrates a provisioning server 131 as containing a network adapter 213, a memory 215, and a processor 211, the processor 211 linked to the network adapter 213 and the memory 215. The processor 211 is operable to execute a provisioning agent 217.
[0043] The embodiment of Figure 2A also illustrates an optimization server 133 as containing a network adapter 223, a memory 225, and a processor 221, the processor 221 linked to the network adapter 223 and the memory 225. The processor 221 is operable to execute an optimization agent 227.
[0044] The embodiment of Figure 2A also illustrates the HSS/HLR 121. The HSS/HLR is commonly used in 3GPP networks to manage the identities and settings of each user 165 (as in Figure 1B) and his/her user equipment 101. In Figure 2A, it is depicted as containing a network adapter 203, a memory 205, and a processor 201, the processor 201 linked to the network adapter 203 and the memory 205. The memory 205 is used here to store multiple GBA User Security Settings (GUSS) entities, the per-subscriber settings that the Generic Authentication Architecture (GAA) keeps in the HSS. These are divided into generic user profiles (e.g. 241, 243) and customized user profiles (e.g. 245).
[0045] Each processor of the set of processors 201, 211, and 221 can be a microprocessor, an ASIC, a state machine, or other processor, and can be any of a number of computer processors. Such processors include, or may be in communication with, media, for example computer- readable media, which stores instructions that, when executed by the processor, cause the processor to perform the steps described herein.
[0046] Each machine in the operator domain 111 can include one or more storage or memory units, including memory units 205, 215, and 225. These memories can include hard disk drives, optical drives, tape drives, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), Redundant Arrays of Independent Disks (RAID), flash memory, magneto-optical memory, holographic memory, memristor-based memory, bubble memory, magnetic drum, memory stick, polyester film tape, smartdisk, thin film memory, zip drive, or similar storage or memory hardware.
[0047] Figure 2B is a diagram of one embodiment illustrating a provisioning agent 217 and an optimization agent 227 as both being executed by the processor 231 of a single combined provisioning and optimization server 251. It also illustrates the connections of this server 251 within the operator domain 111 of the network according to some embodiments of the invention.
[0048] The combined provisioning and optimization server 251 includes a processor 231, a network adapter 233, and a memory unit 235, the processor 231 connected to both the network adapter 233 and the memory unit 235. The processor 231 is operable to execute both the provisioning agent 217 and the optimization agent 227.
[0049] As above, the processor 231 can be a microprocessor, an ASIC, a state machine, or other processor, and can be any of a number of computer processors. Such processors include, or may be in communication with, media, for example computer-readable media, which stores instructions that, when executed by the processor, cause the processor to perform the steps described herein.
[0050] As above, the memory 235 can include one or more storage or memory units, and can include hard disk drives, optical drives, tape drives, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), Redundant Arrays of Independent Disks (RAID), flash memory, magneto-optical memory, holographic memory, memristor-based memory, bubble memory, magnetic drum, memory stick, polyester film tape, smartdisk, thin film memory, zip drive, or similar storage or memory hardware.
[0051] The embodiment of Figure 2B omits the forwarding gateway 135 and charging data database 137 because these have been incorporated into the combined server 251. In such cases, the intelligent service broker 145 communicates with the combined server 251 in order to obtain information from the charging data database 137. However, in some embodiments, the combined server 251 does not include one or both of the forwarding gateway 135 and the charging data database 137. In some embodiments, for instance, the charging data database 137 is separate from the combined server 251 but the forwarding gateway 135 is not, and the charging data database 137 is accessible to the combined server 251 and the intelligent service broker 145 through HTTP, HTTPS, FTP, TLS, or another appropriate protocol. Likewise, if the combined server 251 holds the charging data database 137 in its memory 235, it can communicate this to the forwarding gateway 135 via HTTP, FTP, or another appropriate protocol, so that the forwarding gateway can pass information from the charging data database 137 to the intelligent service broker 145. In some embodiments, the combined server 251 communicates directly with the intelligent service broker 145 via HTTP, HTTPS, FTP, TLS, or another appropriate protocol. The rule applied throughout is that two components that are both inside the operator domain 111 (for example the combined server 251 and a separate charging data database 137, or the charging data database 137 and the intelligent service broker 145) can communicate via HTTP, FTP, or another plain protocol, whereas any communication that crosses the boundary of the operator domain 111, whether with the charging data database 137 or with the intelligent service broker 145, should use HTTPS, TLS, or another appropriately secure protocol. Note that HTTP and FTP carry charging data and any credentials in cleartext, so the plain-protocol choice inside the operator domain rests on the assumption that the operator network is itself isolated and trusted.
[0052] While some alternate embodiments of the devices in the operator domain 111 have been discussed, there are other possible embodiments as well. For example, in one embodiment, the functionalities of all of the devices depicted separately in Figure 1A within the operator domain 111 may be co-located on a single hardware machine.
[0053] Figure 3A is a flow chart of one embodiment illustrating the provisioning of the generic user profile, the customization of the generic user profile into a customized user profile, and the optimization of the list of attributes of target users, from the perspective of a combined server 251 that includes at least a provisioning agent 217 and an optimization agent 227 as software components. The generic and customized user profiles are GUSS entities that each relate to a single service, the service provided by an application server (e.g., 151, 153, 155), as well as to a single user equipment 101, or in some embodiments a single user 165. In some embodiments, the generic and customized user profiles may include an authentication vector. In other embodiments, the terms "generic user profile" and "customized user profile" refer only to the GUSS aligned with a service and a user equipment 101, and the HSS/HLR 121 separately stores an authentication vector associated with each GUSS.
[0054] The generic user profile provisioning process begins with the provisioning agent 217 receiving a list of attributes of target users of the service from the operator 161 or the service provider (Block 301). This list of attributes of target users functions as a "target user profile" that describes the attributes of users that are likely to use the service, or that have been advertised to, or some similar circumstance. In some embodiments, this list of attributes of target users originates from the operator 161. In one embodiment, the operator 161 simply uses the same list of attributes for multiple services according to a predetermined agreement with a service provider, or according to a policy internal to the operator 161. In another embodiment, the operator 161 provides "template" lists of attributes to a service provider, who then selects one of the template lists of attributes, ultimately leading the operator to send this template list to the provisioning agent 217 and optimization agent 227. In yet another embodiment, the service provider administrator 163 creates the list of attributes of target users, and either forwards the list of attributes to the operator 161, or instead forwards the list of attributes directly to the provisioning agent 217 and optimization agent 227.
[0055] The list of attributes of target users can produce a "target user profile" using a variety of attributes with which a user 165 may be differentiated from another user, or a user equipment 101 may be differentiated from another user equipment. These attributes can include any one of a current location, age or age group, time zone, place of residence, username, password, real name, email address, internet provider, gender, past behavior, past service usage, credit rating, financial history, gaming history, device preferences, personal preferences, employment status, employment history, marital status, area code, social network use, social network contacts, phone contacts, media-viewing history, advertisement-viewing history, purchase history, current date, current time, current weather conditions, future or past weather conditions, body temperature, heart rate, blood sugar or insulin measurement, medical device output, fitness device output, wearable device output, reading history, stored music, stored documents, stored photos, business reviews, or product reviews. Other attributes may also be used.
[0056] The provisioning agent 217 then selects a set of target users such that each target user in the set of target users has at least one attribute in the list, where each target user in the set of target users has not yet registered with the service (Block 311).
[0057] The provisioning agent 217 then provisions the generic user profile for each target user in the set of target users and stores the generic user profile in an HSS/HLR 121 (Block 321). Generic user profiles 241 and 243 in Figure 2A and Figure 2B are examples of this. In some embodiments, the provisioning agent 217 stores the generic user profiles on the HSS/HLR 121 over the network, through an HTTP or FTP connection, for example. In other embodiments, the provisioning agent 217 may be co-located on the HSS/HLR 121, in which case such storage does not require transfer over a network.
[0058] The provisioning agent 217 executing the process of Block 321 marks the end of the "provisioning" stage 491 of the invention. The provisioning agent 217 can then execute the "customization" stage 493 of the invention.
[0059] What happens with the generic user profile then depends on whether or not the user equipment 101 tries to access and register with the service via the application servers (e.g. 151, 153, 155) (Block 331).
[0060] In some embodiments, a user equipment 101 attempting to access an application server must first be authenticated by a Generic Bootstrapping Architecture (GBA) bootstrapping process through the bootstrapping server function (BSF) 115 and the authentication proxy 113. GBA rests on shared secrets: one established between the user equipment 101 and the BSF 115 during bootstrapping, and one derived from it between the user equipment 101 and the service provider domain 141, often via the authentication proxy 113. In some embodiments, the BSF 115 and the user equipment 101 mutually authenticate using the Authentication and Key Agreement (AKA) protocol, in which both sides derive session keys (CK and IK) from the subscriber key rather than exchanging them; in other embodiments a Cellular Authentication and Voice Encryption (CAVE) based protocol may be used instead. This process depends on the ability of the BSF 115 to obtain an authentication vector, and, in some embodiments, the user profile (GUSS), whether generic or customized, from the HSS/HLR 121.
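The bootstrapping described above in working code, as an added example that is not part of the patent and not 3GPP code: the HSS hands the BSF an authentication vector and the GUSS, the UE answers the AKA challenge, both ends derive Ks = CK||IK, and each then derives the NAF-specific key Ks_NAF that the application server will use, while the BSF hands the NAF only that NAF's user security settings. The AKA functions are HMAC stand-ins rather than MILENAGE, AUTN/SQN handling is omitted, the BSF name bsf.op.example and all keys and identities are constructed, and the FC byte and Ua protocol-identifier octets of the KDF are the author's recollection of TS 33.220 Annexes B and H, to be checked against the spec before reuse.

```python
"""GBA bootstrapping (Ub) and NAF key derivation (Ua/Zn) as in [0060].

Added example, not the patent's code and not a 3GPP implementation. The AKA
functions are HMAC stand-ins (NOT MILENAGE) and AUTN/SQN handling is omitted.
The KDF layout follows TS 33.220 Annex B as the author recalls it; the FC
byte and the Ua protocol-identifier octets are assumptions to verify against
the spec. All keys, identities and the BSF name are constructed.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import os


def _aka(k: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    """Stand-in for the AKA f2/f3/f4 functions: RES, CK and IK from K and RAND."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


def aka_vector(k: bytes, rand: bytes) -> dict:
    """HSS side: one authentication vector (RAND, XRES, CK, IK)."""
    return {"rand": rand, "xres": _aka(k, b"res", rand, 8),
            "ck": _aka(k, b"ck", rand, 16), "ik": _aka(k, b"ik", rand, 16)}


def naf_id(fqdn: str, ua_proto: bytes = bytes.fromhex("0100000002")) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier (5 octets).
    The default octets are assumed to be the HTTP Digest identifier."""
    return fqdn.encode() + ua_proto


def gba_kdf(ks: bytes, rand: bytes, impi: str, nid: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id): HMAC-SHA-256 keyed with
    Ks over FC || P0 || L0 || P1 || L1 || ..., each L_i 2 octets big-endian."""
    s = bytes([0x01])                            # FC for Ks_NAF (assumed value)
    for p in (b"gba-me", rand, impi.encode(), nid):
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()


def bootstrap(k_ue: bytes, k_hss: bytes, impi: str, guss: dict,
              naf_fqdn: str, rand: bytes | None = None) -> dict:
    """One Ub run between UE and BSF, then the NAF fetching its key over Zn."""
    rand = os.urandom(16) if rand is None else rand
    av = aka_vector(k_hss, rand)                 # Zh: BSF fetches AV and GUSS
    res = _aka(k_ue, b"res", rand, 8)            # Ub: UE answers the challenge
    if not hmac.compare_digest(res, av["xres"]):
        return {"ok": False}                     # BSF rejects; no Ks, no B-TID
    ks_bsf = av["ck"] + av["ik"]                 # Ks = CK || IK on the BSF ...
    ks_ue = _aka(k_ue, b"ck", rand, 16) + _aka(k_ue, b"ik", rand, 16)  # ... and UE
    b_tid = base64.b64encode(rand).decode() + "@bsf.op.example"  # base64(RAND)@BSF
    nid = naf_id(naf_fqdn)
    # Zn: the NAF presents the B-TID; the BSF returns Ks_NAF together with only
    # the USS belonging to this NAF, not the whole GUSS (least privilege; the
    # spec leaves which USSs a NAF receives to BSF policy).
    return {"ok": True, "b_tid": b_tid,
            "ks_naf_ue": gba_kdf(ks_ue, rand, impi, nid),
            "ks_naf_naf": gba_kdf(ks_bsf, rand, impi, nid),
            "uss": guss.get(naf_fqdn, {})}


def demo() -> dict:
    k = bytes(range(16))                         # constructed subscriber key K
    guss = {"naf1.example": {"role": "guest"}, "naf2.example": {"role": "admin"}}
    fixed = bytes(16)                            # fixed RAND so runs are repeatable
    return {"good": bootstrap(k, k, "user@op.example", guss, "naf1.example", fixed),
            "other_naf": bootstrap(k, k, "user@op.example", guss, "naf2.example", fixed),
            "wrong_key": bootstrap(bytes(16), k, "user@op.example", guss, "naf1.example")}


if __name__ == "__main__":
    r = demo()
    print(r["good"]["b_tid"], r["good"]["ks_naf_ue"].hex(), r["wrong_key"])
```

The third case is the one worth keeping in mind when reading [0061] onward: a UE holding the wrong K fails at the RES check, so no Ks exists and no profile, generic or customized, is ever handed to a NAF on its behalf. The second case shows why key separation matters here: a different NAF_Id yields a different Ks_NAF, so an application server that is compromised cannot replay its key against another NAF.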
[0061] If the target user ultimately does not register with the service, then the provisioning agent 217 can delete the generic user profile of the target user after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, after a predetermined event, or when additional system resources are required for one of the systems in the network (Block 361). In one embodiment, for example, the provisioning agent 217 or the intelligent service broker 145 can set an "expire date" on the generic user profiles of a service such that if the user has not registered within a month, the provisioning agent 217 automatically deletes the generic user profile from the HSS/HLR 121. If a customized user profile has already been generated by the provisioning agent 217, this customized user profile will not be deleted on the "expire date" of the generic user profile. In an alternate embodiment, the "expire date" can be replaced with an "expire event," so that, for example, if the service provider expects that many users will register with the service right before a holiday, generic user profiles can be generated prior to the holiday and set to expire on the holiday. In another embodiment, the provisioning agent 217 can be set to automatically delete a generic user profile from the HSS/HLR 121 when the provisioning agent receives an indication from the HSS/HLR 121 that the HSS/HLR 121 is running out of memory. In such a case, the provisioning agent 217 can delete generic user profiles in an order based on which generic user profiles are closest to their respective "expire dates" or "expire events."
[0062] If the target user from the set of target users ultimately does register with the service before his/her generic user profile is deleted from the HSS/HLR 121, then the provisioning agent 217 can customize the generic user profile into the customized user profile via communication with the HSS/HLR 121 (Block 341). In some embodiments, the generic user profile that was the basis of the customized user profile is also kept in the HSS/HLR 121 until it is deleted at its "expire date" or "expire event," though in other embodiments, the generic user profile is directly modified into the customized user profile, or is deleted from the HSS/HLR 121 as soon as the customized user profile is created. In Figure 2A and Figure 2B, customized user profile 245 is an example of this. In some embodiments, the customization is performed by sending a request over the network to the HSS/HLR 121, the request notifying the HSS/HLR 121 to update the generic user profile into a customized user profile that includes information about the user's registration, such as the user's username or another attribute. In other embodiments, the provisioning agent 217 may be co-located on the HSS/HLR 121, in which case the request need not be sent over the network.
[0063] Because changing the generic user profile to a customized user profile within the HSS/HLR 121 changes the nature of the GUSS from a generic user profile into a customized user profile, a new bootstrapping is required in some embodiments. In some embodiments, the BSF 115 must initiate a new GBA bootstrapping once the user equipment 101 sends a request to access the service. During this process, the HSS/HLR 121 will provide the BSF 115 with the authentication vector from the customized user profile.
[0064] Further, if there is a Service Layer Agreement (SLA) between the operator and the service provider, the provisioning agent 217 applies the policies of the SLA to the customized user profile. An SLA is often used in a 3GPP network to denote how much money a service provider is charged by the operator. This information is often stored in the charging data database 137, described previously.
[0065] The provisioning agent 217 executing the process of Block 341 marks the end of the "customization" stage 493 of the invention. In some embodiments, the process is then repeated, as denoted by the dashed arrow on the left side of Figure 3A. In other embodiments, the optimization agent 227 can then execute the "optimization" stage 495 of the invention.
[0066] In embodiments that include the "optimization" stage 495 of the invention, the optimization agent 227 can then modify the list of attributes after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, or after a predetermined event, such that the modified list includes or more closely matches one or more attributes shared by at least a subset of the target users who have registered with the service (Block 351).
[0067] The goal of this optimization process is to refine the "target user profile" by refining the list of attributes of target users. As denoted by the dotted arrow, the process described in Figure 3A can be repeated after the optimization process has completed. Specifically, the provisioning agent 217 can begin anew by selecting a new set of target users based on the modified list of attributes of target users, taking care not to include the target users that have already registered with the service and thus already have customized user profiles within the memory 205 of the HSS/HLR 121.
[0068] During the optimization, a variety of optimization algorithms can be used by the optimization agent 227. These include, but are not limited to, a genetic algorithm, evolutionary algorithms, differential evolution algorithms, memetic algorithms, Gaussian or neural network algorithms. In some embodiments, the optimization algorithm that is used by the optimization agent 227 can vary based on which service or which application server the optimization agent 227 is currently working with.
[0069] In some embodiments, the "optimization" process may be repeated several times (see Block 475 of Figure 4). Further, the entire process is repeated in some embodiments, as denoted by the dashed arrow from Block 351 to Block 311 of Figure 3A.
[0070] Some advantages of the provisioning of generic user profiles for target users followed by subsequent customization of the generic user profiles into customized user profiles are that provisioning generic user profiles for target users (users that are likely to register for a service) ahead of time can lessen the load on network systems during times when many users are registering for a service simultaneously, such as when an advertisement for the service is played at a live event, or during a highly-watched live televised broadcast. Provisioning generic user profiles for target users can also reduce strain on local servers in places where location-based advertising can encourage users to register for the service, such as when a billboard encourages users to register for the service. Optimization of the list of attributes of target users is an added benefit that allows the system to target users that are increasingly likely to register for the service so that system resources are not wasted during the provisioning process.
[0071] Figure 3B is a flow chart of one embodiment illustrating the process of Figure 3A, but with additional blocks denoting additional processes that may be present in some embodiments.
[0072] In some embodiments, the "provisioning" process also includes receipt by the provisioning agent 217 of a "template user profile" for the application server (Block 303). In one embodiment, the template user profile is provided by the operator, but in another embodiment it can instead be provided by the service provider. This template user profile is then used by the provisioning agent 217 when it prepares to provision a generic user profile, since each generic user profile is essentially a copy of the template user profile tied to a particular user 165 or user equipment 101 (Block 313).
[0073] In some embodiments, the "provisioning" process also includes receipt by the provisioning agent 217 of a white list of trusted application servers from the operator (Block 305). In some embodiments, an application server must appear on the white list in order for the provisioning agent to provision generic user profiles for that application server's services (not pictured). In other embodiments, an application server's appearance on the white list means that it has been pre-approved by the operator to push customizations of a user's generic user profile, or further customizations of a user's customized user profile (Blocks 333, 341). In one embodiment, if an application server does not appear on the white list, the provisioning agent 217 sends a request to the operator 161 asking for approval of the customization (Blocks 363, 365). If the operator approves, the customization proceeds (Block 341); if not, no customizations are made to the generic user profile, or no further customizations are made to the customized user profile (Block 367). In an alternate embodiment, the provisioning agent 217 does not send a request to the operator 161 if the application server is not on the white list, effectively banning the application server from pushing customizations unless it is on the white list.
[0074] The remaining blocks in Figure 3B are the same as the blocks illustrated in Figure 3A. The discussion of these blocks in reference to Figure 3A applies in the context of Figure 3B as well.
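The provisioning, customization and expiry procedure of Blocks 301 to 367 (Figures 3A and 3B) in working code, as an added example that is not code from the patent or from Ericsson. It keeps a toy HSS/HLR in memory, selects target users by attribute, provisions generic profiles from a template with an expire date, converts a generic profile into a customized one on registration only if the application server is white-listed or the operator approves, and expires or evicts generic profiles as [0061] describes. The subscribers, attributes, template, white list and server names are constructed; the Zh interface, Diameter transport and the GUSS XML schema are out of scope.

```python
"""Provisioning-agent lifecycle of Figure 3A/3B, simulated in memory.

Added example, not code from the patent or from Ericsson: the HSS/HLR is a
capped dict, and template, white list and subscribers are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Guss:
    """One GUSS entry: the profile for one service and one UE (IMPI)."""
    impi: str
    service: str
    kind: str                    # "generic" or "customized"
    settings: dict
    expire: date | None = None   # Block 361: only generic profiles expire


class ProvisioningAgent:
    def __init__(self, capacity: int, white_list: set[str], ttl_days: int = 30) -> None:
        self.hss: dict[tuple[str, str], Guss] = {}  # stand-in for HSS/HLR 121
        self.capacity = capacity                    # to exercise the out-of-space path
        self.white_list = white_list                # Block 305: trusted app servers
        self.ttl = timedelta(days=ttl_days)         # the "expire date" of [0061]
        self.templates: dict[str, dict] = {}        # Block 303: template per service

    def select_targets(self, subscribers: dict[str, set[str]],
                       attrs: list[str], service: str) -> list[str]:
        """Block 311: at least one listed attribute and not yet registered."""
        wanted = set(attrs)
        return sorted(i for i, have in subscribers.items() if have & wanted
                      and getattr(self.hss.get((i, service)), "kind", "") != "customized")

    def provision(self, targets: list[str], template: dict, service: str, today: date) -> None:
        """Blocks 313/321: each generic profile is a copy of the template."""
        self.templates[service] = template
        for impi in targets:
            if len(self.hss) >= self.capacity:
                self._evict_one_generic()
            self.hss[(impi, service)] = Guss(impi, service, "generic", dict(template), today + self.ttl)

    def _evict_one_generic(self) -> None:
        """Block 361, HSS out of space: drop the generic profile closest to expiry."""
        generic = [g for g in self.hss.values() if g.kind == "generic"]
        if not generic:                      # customized profiles are never evicted
            raise MemoryError("HSS full and no generic profile to evict")
        victim = min(generic, key=lambda g: g.expire)
        del self.hss[(victim.impi, victim.service)]

    def on_registration(self, impi: str, service: str, app_server: str,
                        customization: dict, approve=None) -> bool:
        """Blocks 331-341, 363-367: generic -> customized if the server may push it."""
        if app_server not in self.white_list:
            # Blocks 363/365: ask the operator (approve callback); with none
            # configured the server is banned from pushing customizations.
            if approve is None or not approve(app_server):
                return False                 # Block 367: profile unchanged
        base = self.hss.get((impi, service))
        settings = dict(base.settings if base else self.templates[service])
        settings.update(customization)       # e.g. the username of [0062]
        self.hss[(impi, service)] = Guss(impi, service, "customized", settings)
        return True                          # no expire date on a customized profile

    def expire(self, today: date) -> list[str]:
        """Block 361: delete generic profiles whose expire date has passed."""
        gone = [k for k, g in self.hss.items() if g.kind == "generic" and g.expire <= today]
        for k in gone:
            del self.hss[k]
        return sorted(i for i, _ in gone)


def demo() -> dict:
    day0, out = date(2014, 3, 1), {}
    subscribers = {"alice@op.example": {"gaming history", "age 20-29"},  # constructed
                   "bob@op.example": {"fitness device output"},
                   "carol@op.example": {"gaming history"},
                   "dave@op.example": {"stored music"}}
    attrs = ["gaming history", "fitness device output"]                  # Block 301
    agent = ProvisioningAgent(capacity=3, white_list={"as151"})
    out["targets"] = agent.select_targets(subscribers, attrs, "svc")
    agent.provision(out["targets"], {"naf": "svc.example", "role": "guest"}, "svc", day0)
    out["alice"] = agent.on_registration("alice@op.example", "svc", "as151", {"username": "alice01"})
    out["bob_banned"] = agent.on_registration("bob@op.example", "svc", "as999", {"username": "bob"})
    out["bob_approved"] = agent.on_registration("bob@op.example", "svc", "as999",
                                                {"username": "bob"}, approve=lambda s: True)
    out["expired"] = agent.expire(day0 + timedelta(days=31))
    out["next_targets"] = agent.select_targets(subscribers, attrs, "svc")
    # two new targets with room for one: the second provision evicts the generic one
    agent.provision(["erin@op.example", "frank@op.example"], agent.templates["svc"], "svc",
                    day0 + timedelta(days=40))
    out["final"] = sorted((g.impi, g.kind) for g in agent.hss.values())
    return out


if __name__ == "__main__":
    print(demo())
```

Two checks in this block are worth keeping in a real implementation: customized profiles are never expired or evicted (only generic ones carry an expire date), and an application server absent from the white list cannot change a profile unless an operator approval path is explicitly configured, so the default is deny.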
[0075] Figure 3C is a flow chart of one embodiment illustrating the "optimization" stage 495 from the perspective of an optimization agent 227, in which the optimization agent 227 modifies the list of attributes of target users.
[0076] Block 301 in Figure 3C represents the same action as discussed in reference to Figure 3A, though in this case, the optimization agent 227 is the recipient of the list of attributes of target users. This list of attributes can originate from the operator 161, or, as previously discussed, it can alternately originate from the service provider administrator 163.
[0077] In addition to receiving the list of attributes (Block 301), the optimization agent 227 also receives data regarding the attributes of the one or more target users of a service who have subsequently registered with the service (Block 307).
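One concrete way for the optimization agent 227 to turn the Block 307 data into a modified list (Block 351), as an added example rather than the patent's method: the patent leaves the algorithm open, and this block uses a registration-rate score chosen by the author because its output can be explained. It keeps attributes, whether from the old list or newly observed on registered users, that registered better than the base rate across all targets, and drops the rest. The target users, their attributes and who registered are constructed.

```python
"""Attribute-list optimization of Block 351 / Figure 3C on constructed data.

Added example, not the patent's code. The patent leaves the algorithm open
(genetic, evolutionary, neural, ...); the registration-rate scoring here is
the author's choice, picked because its output is explainable. The target
users, their attributes and who registered are all constructed.
"""
from collections import Counter


def attribute_scores(targets: dict, registered: set) -> dict:
    """Block 307 data -> for every attribute seen on a target user, a pair
    (support, registration rate among the users carrying it)."""
    have, reg = Counter(), Counter()
    for impi, attrs in targets.items():
        have.update(attrs)
        if impi in registered:
            reg.update(attrs)
    return {a: (have[a], reg[a] / have[a]) for a in have}


def optimize_attributes(attrs: list, targets: dict, registered: set,
                        min_support: int = 2) -> list:
    """Block 351: the modified list holds the attributes (old or newly
    observed) that registered better than the base rate across all targets
    and have at least `min_support` carriers; everything else is dropped.
    Ordered by registration rate, then name, so the output is stable."""
    if not targets:
        return list(attrs)                     # nothing learned yet
    base_rate = len(registered & set(targets)) / len(targets)
    scores = attribute_scores(targets, registered)
    keep = [(rate, a) for a, (n, rate) in scores.items()
            if n >= min_support and rate > base_rate]
    return [a for _, a in sorted(keep, key=lambda t: (-t[0], t[1]))]


def demo() -> dict:
    targets = {  # constructed: the target users selected with the old list
        "alice": {"gaming history", "age 20-29"},
        "bob": {"fitness device output"},
        "carol": {"gaming history", "age 20-29"},
        "erin": {"fitness device output", "age 40-49"},
        "frank": {"gaming history", "age 40-49"},
    }
    old = ["gaming history", "fitness device output"]
    registered = {"alice", "carol"}            # Block 307
    return {"scores": attribute_scores(targets, registered),
            "modified": optimize_attributes(old, targets, registered)}


if __name__ == "__main__":
    print(demo())
```

The agent needs only which attribute labels each target carries and who registered; raw values from the [0055] list such as passwords or medical readings are not needed for this step and should not be exported from the HSS/HLR to the optimization agent.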
[0078] The operations in the flow charts or flow diagrams will be described with reference to the exemplary embodiments of the other figures. However, it should be understood that the operations of the flow diagrams can be performed by embodiments of the invention other than those discussed with reference to the other figures, and the embodiments of the invention discussed with reference to these other figures can perform operations different than those discussed with reference to the flow diagrams.
[0079] Figure 4 is a flow diagram of one embodiment illustrating one possible sequence of communications between hardware nodes in a 3GPP network with a provisioning agent and an optimization agent during provisioning of the generic user profile, customization of the generic user profile into a customized user profile, and optimization of the list of attributes of target users.
[0080] The process begins with the "provisioning" stage 491 with the service provider administrator 163 logging in to the intelligent service broker server 145 (Block 401) and receiving a successful login confirmation (Block 403).
[0081] The service provider administrator 163 can then, in some embodiments, define the list of attributes of target users (Block 405). In other embodiments, such as those depicted in Figure 3A, Figure 3B, or Figure 3C, this list of attributes is instead defined by the operator 161.
[0082] The intelligent service broker 145 then requests the provisioning agent 217 to select a target user set (as per Block 311 of Figure 3A or Figure 3B) (Block 407). During this process, the provisioning agent 217 retrieves the location, and often other attributes, of each target user (Block 409).
[0083] Because 3GPP networks often have multiple HSS/HLR servers 121 in different locations, the provisioning agent 217 then finds out which HSS/HLR server 121 it should provision generic user profiles into, based on a target user's location. For this reason, the provisioning agent 217 requests the HSS/HLR 121 corresponding to the target user's location from the subscriber location function 489 (Block 411), which returns information regarding which HSS/HLR 121 the provisioning agent 217 should use (Block 413).
[0084] The provisioning agent 217 then provisions a generic user profile as a GUSS in the HSS/HLR 121 (Block 415) and receives confirmation from the HSS/HLR 121 when the provisioning is complete (Block 417). At this point, the provisioning agent 217 confirms the success of the provisioning to the intelligent service broker (Block 419), which confirms the success of the provisioning to the service provider administrator (Block 421).
[0085] During the "customization" stage 493, the provisioning agent 217 sends a request to the optimization agent 227 to monitor the HSS/HLR 121 for any customizations requested to any generic user profiles (Block 423). The optimization agent 227 then configures, or sends a request to, the intelligent service broker 145 to monitor incoming generic user profile customization requests (Block 425). At this point, the intelligent service broker 145 confirms to the optimization agent 227 that its monitoring has been set up (Block 427), and the optimization agent 227 forwards this confirmation to the provisioning agent 217 (Block 429). In some alternate embodiments, the provisioning agent 217 is the entity that sends the monitoring request to the intelligent service broker 145 in Block 425, instead of the optimization agent 227; in such embodiments, Blocks 423 and 429 are not necessary. In still another alternate embodiment, the operator domain 111 may include a modified HSS/HLR 121 that includes monitoring logic. In such an embodiment, the optimization agent 227 can request that the modified HSS/HLR 121 configure itself to monitor itself and report back to the optimization agent 227 when it has entered this monitoring configuration, so that the intelligent service broker 145 need not be involved in the HSS/HLR 121 monitoring process (Blocks 425-429).
[0086] Once the intelligent service broker 145 is monitoring the HSS/HLR 121 for an incoming generic user profile customization request, or once the modified HSS/HLR 121 is monitoring itself for one, such a request can appear when a user equipment 101 registers with the service (Block 431). In one embodiment, this is achieved by the user equipment 101 obtaining an access token via the authentication proxy 113 and BSF 115, then using this token to access the application server (e.g., 151, 153, 155), as per standard GBA authentication procedures. The user 165 then chooses to register for the service; this registration choice is noted by the intelligent service broker 145 or the modified HSS/HLR 121 and passed to the provisioning agent 217, which generates the customized user profile from the generic user profile in the HSS/HLR 121 and stores the customized user profile in the HSS/HLR 121 (Block 431). One embodiment of this customization process is described by Block 341 in Figure 3A and Figure 3B. Note that in some embodiments, the provisioning agent 217 can block the customization request if the application server for that service is not on the operator 161's white list, as illustrated by Block 333 of Figure 3B. Also, in some alternate embodiments, the intelligent service broker 145, not the provisioning agent 217, is the entity that ultimately customizes the generic user profile into a customized user profile.
[0087] Some embodiments of the invention include an "optimization" stage 495. The "optimization" stage 495 begins with the optimization agent 227 retrieving from the HSS/HLR 121 the log of changes, or customizations, that turned the generic user profile into a customized user profile (Block 441). This is followed by receipt of a confirmation of the retrieval (Block 443).
[0088] Next, the optimization agent 227 performs the optimization of the list of attributes (Block 445) by modifying the list of attributes after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, or after a predetermined event, such that the modified list includes or more closely matches one or more attributes shared by at least a subset of the target users who have registered with the service. This process is also described by Block 351 of Figure 3A and Figure 3B.
[0089] As noted previously, a variety of optimization algorithms can be used by the optimization agent 227 during the process described by Block 445. These include, but are not limited to, a genetic algorithm, evolutionary algorithms, differential evolution algorithms, memetic algorithms, Gaussian or neural network algorithms. In some embodiments, the optimization algorithm that is used by the optimization agent 227 can vary based on which service or which application server the optimization agent 227 is currently working with.
[0090] After the optimization of the list of attributes has occurred, a new provisioning cycle is performed according to some embodiments of the invention. Accordingly, the optimization agent 227 instructs the provisioning agent 217 to select a new set of target users based on the newly modified list of attributes of target users (Block 447). Special care is taken by the provisioning agent 217 not to include target users from the group of target users who have already registered, since these registered users already have customized user profiles within the HSS/HLR 121. As with the first "provisioning" stage 491, the provisioning agent 217 then retrieves the location and other attributes of each target user (Block 449) and requests from the subscriber location function 489 the HSS/HLR 121 that corresponds to the location of the target user (Block 451). The subscriber location function 489 then returns the appropriate HSS/HLR 121 to the provisioning agent 217 (Block 453). The provisioning agent then provisions generic user profiles for this new target user set (Block 455) and awaits confirmation of successful provisioning from the HSS/HLR 121 (Block 457).
[0091] The provisioning agent 217 then confirms the success of the new provisioning cycle to the optimization agent 227 (Block 459), which then reports the successful optimization to the intelligent service broker 145, along with, in some embodiments, a report detailing how the list of attributes was modified during the optimization process (Block 461). The intelligent service broker 145 then stores the updated list of attributes or other update information (Block 463) and confirms to the optimization agent 227 that the optimization was successfully reported (Block 465). After this point, the service provider administrator 163 can request the optimization report from the intelligent service broker 145 (Block 471) and receive confirmation that the optimization was successful, as well as the optimization report detailing how the list of attributes was modified during the optimization process (Block 473).
[0092] In some embodiments, the optimization cycle can be repeated (Block 475). In order to repeat the optimization cycle, the processes described by Blocks 441-465 of Figure 4 can be repeated.
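What the provisioning and optimization cycle of Blocks 441-475 (and claims 1 and 2) amounts to in code, as an added example that is not part of the patent or of Ericsson's implementation: the provisioning agent selects target users that share at least one attribute with the list and have not yet registered, and after a predetermined number of registrations the optimization agent extends the list with attributes shared by the registered target users, after which a second cycle excludes everyone already provisioned or registered. The subscriber records, attribute names, the majority-share rule standing in for the optimization algorithms the patent names, and the thresholds are all constructed assumptions.

```python
"""Target selection and attribute-list optimization (added illustration).

Not code from the patent: it models the provisioning agent's target
selection (claim 1, Blocks 447/455) and the optimization agent's
modification of the attribute list (claim 2, Block 445) with a simple
majority-share rule. Subscriber records, attribute names and thresholds
are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Subscriber:
    imsi: str
    attributes: set
    provisioned: bool = False  # generic user profile stored in the HSS/HLR
    registered: bool = False   # registered with the service (profile customized)


def select_targets(subscribers, attr_list):
    """Claim 1: a target user shares at least one attribute with the list and
    has not yet registered. Users already holding a generic profile are skipped
    too, so a new cycle (Block 447) does not provision them twice."""
    wanted = set(attr_list)
    return [s for s in subscribers
            if not s.registered and not s.provisioned and wanted & s.attributes]


def provision(targets):
    """Block 455: record that a generic profile is stored for each target."""
    for s in targets:
        s.provisioned = True
    return len(targets)


def optimize_attribute_list(attr_list, subscribers, min_share=0.5,
                            trigger_registrations=2):
    """Block 445 / claim 2: once a predetermined number of target users have
    registered, extend the list with the attributes shared by at least
    `min_share` of them. Returns (new_list, report); the report is what the
    optimization agent hands to the broker in Block 461.

    The share rule is an assumed stand-in for the optimization algorithms the
    patent names (genetic, evolutionary, differential evolution, ...)."""
    registered = [s for s in subscribers if s.provisioned and s.registered]
    if len(registered) < trigger_registrations:
        return list(attr_list), {"modified": False, "added": []}
    counts = Counter(a for s in registered for a in s.attributes)
    threshold = min_share * len(registered)
    added = sorted(a for a, n in counts.items()
                   if n >= threshold and a not in attr_list)
    return list(attr_list) + added, {"modified": bool(added), "added": added}


def demo():
    """Two provisioning cycles with one optimization step in between."""
    subs = [  # constructed sample subscribers
        Subscriber("IMSI-001", {"gamer", "age_18_25", "tz_cet"}),
        Subscriber("IMSI-002", {"gamer", "age_18_25", "tz_est"}),
        Subscriber("IMSI-003", {"gamer", "age_40_50"}),
        Subscriber("IMSI-004", {"age_18_25", "tz_cet"}),
        Subscriber("IMSI-005", {"age_60_plus"}),
    ]
    attr_list = ["gamer"]                    # list received from the service provider
    first = select_targets(subs, attr_list)
    provision(first)
    for s in first[:2]:                      # registrations seen via monitoring (Block 431)
        s.registered = True
    attr_list, report = optimize_attribute_list(attr_list, subs, min_share=0.75)
    second = select_targets(subs, attr_list)  # new cycle skips registered users (Block 447)
    provision(second)
    return {
        "first_cycle": [s.imsi for s in first],
        "optimized_list": attr_list,
        "report": report,
        "second_cycle": [s.imsi for s in second],
    }


if __name__ == "__main__":
    print(demo())
```

With a 75% share threshold only `age_18_25` is shared widely enough among the two registered users to be added, so the second cycle picks up exactly the subscriber who matched none of the original list but does match the optimized one; the already-provisioned but unregistered subscriber is left alone, which is the "special care" the text describes.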
[0093] Figure 5 is a table diagram relevant to one embodiment illustrating an example of the data that may be stored in an HSS/HLR 121. In Figure 5, this data is separated into rows based on user (rows 511, 513, and 515) and columns based on application server (columns 501, 503, and 505). Column 521 is also included as a reminder that both the generic user profiles and the customized user profiles are a form of GUSS.
[0094] Figure 5 illustrates an embodiment in which User 1 is a target user with a provisioned generic user profile for the services run from application servers 1 and 2, but has already registered with the service run from application server 3, and therefore already has a customized user profile tied to application server 3 (see row 511). User 2 is a target user with a provisioned generic user profile for the service run from application server 1, but has already registered with the services run from application servers 2 and 3, and therefore already has customized user profiles tied to application servers 2 and 3 (see row 513). User 3 is a target user with a provisioned generic user profile for the services run from application servers 1, 2, and 3, and has not registered with the services run from any application server, and therefore does not have a customized user profile tied to any application server (see row 515).
[0095] In some embodiments, a user may exist that is not a target user for an application server. Under a table layout such as the one in Figure 5, the square under that application server would be blank to denote that no data is stored in the HSS/HLR 121 for that user for that application server. Similarly, if a user has a generic user profile but does not register for the service, that generic user profile may eventually be deleted at a predetermined "expire date" or "expire event," as described in reference to Block 361 of Figure 3A or Figure 3B.
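The table of Figure 5, modelled as an added example (not code from the patent or from Ericsson): rows are users, columns are application servers, and each cell holds a generic user profile, a customized user profile, or nothing. The model also applies the two controls the description attaches to that table: a customization request is honoured only for an application server on the operator's white list (claim 6, Block 333), and generic profiles that are never customized are deleted at their expire date (claim 3, Block 361); the deletion of a customized profile on unsubscription from the following paragraph is included as well. Server names, the TTL value and the template contents are constructed assumptions.

```python
"""HSS/HLR profile table in the shape of Figure 5 (added illustration).

Not code from the patent. Rows are users, columns are application servers,
and a cell holds a generic profile, a customized profile, or nothing.
Server names, TTL and template values are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Profile:
    kind: str                      # "generic" or "customized" (both are GUSS data)
    expires_at: Optional[int]      # expire date of a generic profile; None once customized
    settings: Dict[str, str] = field(default_factory=dict)


class HssHlr:
    def __init__(self, white_list, ttl):
        self.white_list = set(white_list)  # trusted application servers from the operator
        self.ttl = ttl                     # assumed lifetime of an unused generic profile
        self.table = {}                    # {user: {app_server: Profile}}

    def provision_generic(self, user, app_server, now, template=None):
        """Block 455 / claim 5: store a generic profile matching the operator's template."""
        self.table.setdefault(user, {})[app_server] = Profile(
            "generic", now + self.ttl, dict(template or {}))

    def customize(self, user, app_server, customization):
        """Block 431 / claim 6: on registration, turn the generic profile into a
        customized one, but only for a white-listed application server and only
        when a generic profile exists in that user/server cell."""
        if app_server not in self.white_list:
            return "rejected: application server not on white list"
        prof = self.table.get(user, {}).get(app_server)
        if prof is None or prof.kind != "generic":
            return "rejected: no generic profile to customize"
        prof.kind = "customized"
        prof.expires_at = None
        prof.settings.update(customization)
        return "customized"

    def unregister(self, user, app_server):
        """[0096]: the customized profile is deleted when the user unsubscribes."""
        row = self.table.get(user, {})
        if app_server in row and row[app_server].kind == "customized":
            del row[app_server]
            return True
        return False

    def expire(self, now):
        """Block 361 / claim 3: delete generic profiles that reached their expire date."""
        removed = []
        for user, row in self.table.items():
            for srv in list(row):
                p = row[srv]
                if p.kind == "generic" and p.expires_at is not None and p.expires_at <= now:
                    del row[srv]
                    removed.append((user, srv))
        return removed

    def render(self, app_servers):
        """Figure 5 layout: one list per user, an empty string where nothing is stored."""
        return {user: [row[s].kind if s in row else "" for s in app_servers]
                for user, row in self.table.items()}


def demo():
    servers = ["AS1", "AS2", "AS3"]
    hss = HssHlr(white_list=servers, ttl=30)
    for user in ("User1", "User2", "User3"):     # all three are targets of all three services
        for srv in servers:
            hss.provision_generic(user, srv, now=0, template={"auth": "gba"})
    out = {}
    out["u1_as3"] = hss.customize("User1", "AS3", {"lang": "fr"})
    hss.customize("User2", "AS2", {"lang": "en"})
    hss.customize("User2", "AS3", {"lang": "en"})
    out["untrusted"] = hss.customize("User3", "AS4", {})  # AS4 is not on the white list
    out["figure5"] = hss.render(servers)
    out["expired"] = hss.expire(now=30)                    # nobody else registered within the TTL
    out["unregistered"] = hss.unregister("User2", "AS2")
    out["after"] = hss.render(servers)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

After the three customizations the rendered grid is exactly rows 511, 513 and 515 of Figure 5; the request from the non-white-listed server is refused before the table is touched, and once the TTL elapses every generic profile that was never customized is gone while the customized ones stay until the user unsubscribes.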
[0096] If, in the future, a user decides to unregister or unsubscribe from a service, then, in some embodiments, that user's customized user profile is deleted. In some embodiments, the user may then be targeted again as a target user, and the provisioning agent 217 may end up provisioning a new generic user profile where the customized user profile was. In other embodiments, users that unregister or unsubscribe may be listed by the provisioning agent 217 within the memory 215 or 235 so that memory is not wasted in the HSS/HLR 121 on provisioning a generic user profile for a user who is unlikely to re-register.
[0097] The embodiment of the data depicted in Figure 5 is to be regarded in an illustrative rather than a restrictive sense. The graphical representations in each of the figures included herein are exemplary and not intended as a requirement for every embodiment of the invention. Various modifications and changes can be made to the embodiments without departing from the broader spirit and scope of the invention as set forth in the appended claims.
[0098] Some portions of the preceding detailed descriptions have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities.
[0099] It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as those set forth in the claims below, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
[00100] Embodiments of the invention also relate to an apparatus for performing the operations herein. Such a computer program is stored in a non-transitory computer readable medium. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium (e.g., read only memory ("ROM"), random access memory ("RAM"), magnetic disk storage media, optical storage media, flash memory devices).
[00101] The processes or methods depicted in the preceding figures can be performed by processing logic that comprises hardware (e.g. circuitry, dedicated logic, etc.), software (e.g., embodied on a non-transitory computer readable medium), or a combination of both. Although the processes or methods are described above in terms of some sequential operations, it should be appreciated that some of the operations described can be performed in a different order. Moreover, some operations can be performed in parallel rather than sequentially.
[00102] Embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages can be used to implement the teachings of embodiments of the invention as described herein.
[00103] While the invention has been described in terms of several embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described, and can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus to be regarded as illustrative instead of limiting.

Claims

What is claimed is:
1. A method implemented by a provisioning server in an operator domain of a network that utilizes a Generic Bootstrapping Architecture, the method to provision a generic user profile to authenticate communication between a user equipment device and an application server running a service, the method to customize the generic user profile into a customized user profile, the method comprising:
receiving a list of attributes of target users of the service from an operator of the network or from a service provider of the service;
selecting a set of target users such that each target user in the set of target users has at least one attribute in the list, where each target user in the set of target users has not yet registered with the service;
provisioning the generic user profile for each target user in the set of target users and storing the generic user profile in a home subscriber server; and
customizing the generic user profile of a target user from the set of target users into the customized user profile via communication with the home subscriber server when the target user registers with the service.
2. The method of claim 1, further comprising:
modifying the list of attributes after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, or after a predetermined event, such that the modified list includes or more closely matches one or more attributes shared by at least a subset of the target users who have registered with the service.
3. The method of claim 1, further comprising:
deleting the generic user profile of the target user after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, after a predetermined event, or when additional system resources are required for one of the systems in the network.
4. The method of claim 1, wherein the attributes include any one of a current location, age or age group, time zone, place of residence, username, password, real name, email address, internet provider, gender, past behavior, past service usage, credit rating, financial history, gaming history, device preferences, personal preferences, employment status, employment history, marital status, area code, social network use, social network contacts, phone contacts, media-viewing history, advertisement- viewing history, purchase history, current date, current time, current weather conditions, future or past weather conditions, body temperature, heart rate, blood sugar or insulin measurement, medical device output, fitness device output, wearable device output, reading history, purchase history, stored music, stored photos, business reviews, or product reviews.
5. The method of claim 1, further comprising:
receiving a template user profile for the application server from the operator; and
preparing each generic user profile of the service provided by that application server so that the generic user profile matches the template user profile.
6. The method of claim 1, further comprising:
receiving a white list of trusted application servers from the operator;
receiving a customization request from the application server through an authentication proxy server; and
preparing to customize the generic user profile into a customized user profile if the application server is within the white list.
7. A provisioning system in an operator domain of a network that utilizes a Generic Bootstrapping Architecture, the system used for provisioning a generic user profile used to authenticate communication between a user equipment device and an application server running a service, the system also used for customizing the generic user profile into a customized user profile, the system comprising:
a memory;
a processor, the processor coupled to the memory, wherein the processor is operative to execute a provisioning agent, wherein the provisioning agent is operable to receive a list of attributes of target users from an operator of the network or from a service provider of the service, to select a set of target users such that each target user in the set has at least one attribute in the list and has not yet registered with the service, to provision the generic user profile for each target user in the set of target users and to store the generic user profile in a home subscriber server, and to customize the generic user profile of a target user from the set of target users into the customized user profile via communication with the home subscriber server when the target user registers with the service.
8. The system of claim 7, wherein the processor is also operative to execute an optimization agent, the optimization agent operable to modify the list of attributes after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, or after a predetermined event, such that the modified list includes or more closely matches one or more attributes shared by at least a subset of the target users who have registered with the service.
9. The system of claim 7, further comprising:
an optimization server comprising an optimization server processor, the optimization server processor operative to execute an optimization agent operable to modify the list of attributes after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, or after a predetermined event, such that the modified list includes or more closely matches one or more attributes shared by at least a subset of the target users who have registered with the service.
10. The system of claim 7, wherein the provisioning agent is further operative to delete the generic user profile of the target user from the home subscriber server after a predetermined time, after a predetermined number of target user service registrations, after a predetermined number of total service registrations, after a predetermined event, or when additional system resources are required by the home subscriber server.
11. The system of claim 7, wherein the attributes include any one of a current location, age or age group, time zone, place of residence, username, password, real name, email address, internet provider, gender, past behavior, past service usage, credit rating, financial history, gaming history, device preferences, personal preferences, employment status, employment history, marital status, area code, social network use, social network contacts, phone contacts, media-viewing history, advertisement- viewing history, purchase history, current date, current time, current weather conditions, future or past weather conditions, body temperature, heart rate, blood sugar or insulin measurement, medical device output, fitness device output, wearable device output, reading history, purchase history, stored music, stored photos, business reviews, or product reviews.
12. The system of claim 7, wherein the provisioning agent is further operative to receive a template user profile for the application server from the operator, and to prepare each generic user profile of the service provided by that application server so that the generic user profile matches the template user profile.
13. The system of claim 7, wherein the provisioning agent is further operative to receive a white list of trusted application servers from the operator, to receive a customization request from the application server through an authentication proxy server, and to prepare to customize the generic user profile into a customized user profile if the application server is within the white list.
14. A non-transitory machine-readable storage medium that stores instructions that, if executed by a processor of an optimization server in a network, will cause said processor to perform operations for optimizing a list of attributes of target users by using data regarding the attributes of one or more target users of a service who have registered with the service run from an application server, the operations comprising:
receiving, from an operator of the network or from a service provider of the service, the list of attributes of target users;
receiving, from the application server through an authentication proxy server, the data regarding the attributes of the one or more target users of the service who have registered with the service; and
modifying the list of attributes such that the modified list includes or more closely matches one or more attributes shared by at least a subset of the one or more target users of the service who have registered with the service.
15. The non-transitory machine-readable storage medium of claim 14, wherein the attributes include any one of a current location, age or age group, time zone, place of residence, username, password, real name, email address, internet provider, gender, past behavior, past service usage, credit rating, financial history, gaming history, device preferences, personal preferences, employment status, employment history, marital status, area code, social network use, social network contacts, phone contacts, media-viewing history, advertisement-viewing history, purchase history, current date, current time, current weather conditions, future or past weather conditions, body temperature, heart rate, blood sugar or insulin measurement, medical device output, fitness device output, wearable device output, reading history, purchase history, stored music, stored photos, business reviews, or product reviews.
PCT/IB2014/060279 2014-03-28 2014-03-28 An intelligent service broker based upon gba and guss mechanism WO2015145218A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2014/060279 WO2015145218A1 (en) 2014-03-28 2014-03-28 An intelligent service broker based upon gba and guss mechanism


Publications (1)

Publication Number Publication Date
WO2015145218A1 true WO2015145218A1 (en) 2015-10-01

Family

ID=50549369


Country Status (1)

Country Link
WO (1) WO2015145218A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105429979A (en) * 2015-11-17 2016-03-23 上海礼源网络科技有限公司 Cross-platform user certificating method and intelligent router, Internet surfing system
WO2021179265A1 (en) * 2020-03-12 2021-09-16 深圳市欢太科技有限公司 Information pushing method and apparatus, server, and storage medium


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14719364

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14719364

Country of ref document: EP

Kind code of ref document: A1