WO2017074248A1 - Method and network system for service identification - Google Patents
- Publication number
- WO2017074248A1 (application PCT/SE2016/051038)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- service
- wireless device
- identity
- validity
- determining
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/51—Discovery or management thereof, e.g. service location protocol [SLP] or web services
Definitions
- the present invention relates to a method for identifying a service performed by a wireless device.
- the invention also relates to a corresponding network system and to a computer program product.
- Some services/Apps provide the ability to transfer large amounts of data, such as to implement file sharing and streaming of movies or large audio files. Consequently, it may in many instances be of interest for an owner of a wireless network, providing wireless access for the wireless device, to be able to correctly manage the wireless access and charge/bill the user for the transferred (amount of) data.
- a big drawback with this way of defining services is that it requires manual interaction.
- the rules must be manually configured and updated. This quickly becomes unmanageable, if more than a few services are to be defined. In a scenario with thousands (and even hundreds of thousands) of services, it is simply not possible to make service specific definitions. From an end-user point of view, this means that it is not possible to pay for the data usage of a specific App (with the exception of very popular Apps, which are used to such an extent that it mandates the manual configuration and updating described above).
- the server side service detection typically makes use of Deep Packet Inspection (DPI) or Shallow Packet Inspection (SPI), and sometimes Heuristic detection.
- DPI: Deep Packet Inspection
- SPI: Shallow Packet Inspection
- Heuristic detection is usually a CPU- and memory-intensive process (for the server).
- Shallow Packet Inspection is less demanding performance-wise, but is limited to IP-level inspection. With IP-level inspection, the ability to make service based classification is even more limited. Another important aspect is that DPI relies on having an unencrypted data transport.
- WO2012178273 describes a methodology for classifying packets associated to at least one amongst a service and an application.
- the method is carried out in a communication network comprising at least a user terminal, such as smart phone, and a PCEF network entity.
- WO2012178273 further describes the possibility to install PCEF capabilities on user terminals, which would give the user terminals the ability to perform packet analysis there (i.e. at the user terminal), instead of in the packet core network (a functionality in WO2012178273 denoted as PCEMF).
- the network owner thus trusts the result from the user terminal, which could make it possible to modify the behavior of the user terminal (e.g. by a "hacker"), such that the PCEMF would emit incorrect control signals. If those signals were used to update the packet core PCEF rules it would have highly
- a computer implemented method at least partly performed by one or more nodes of a wireless communication network serving a first wireless device, of determining the identity of a service performed by the first wireless device, the service requiring internet or network access, comprising receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity, comparing the indication of the service identity from the first wireless device with information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service, determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and assigning an identity for the service if the level of validity is above a predetermined threshold.
- the present invention is based upon the realization that it may be possible to automatically (or at least semi-automatically) handle the determination of an identity of a service performed by the first wireless device and requiring internet or network access.
- This is, in accordance with the invention, achieved by providing indicative identity information together with the actual payload data generated by the service when accessing the internet and/or network.
- the indicative information is correlated with corresponding data provided by at least a second wireless device, whereby it may be possible to determine a validity level for an identity of the service performed by the first wireless device. In case the validity level is determined to be above a predetermined threshold, the service is confirmed to have a specific identity.
- the indicative information appended at the wireless device removes some of the necessary computation at the server side, thereby significantly reducing the complexity of the process having to be performed at the server side.
- the collective behavior of the plurality of wireless devices is used for determining the identity of the service.
- the need for manually forming a service behavioral template is drastically reduced. Accordingly, as the inventive concept allows for a reduction in manual interaction, there is a possibility to easily scale a corresponding implementation to handle a large plurality of different services.
- services having only a few users may be handled/identified by the invention, a scenario that would not be economically feasible in the normal case where a person needs to manually handle the service behavioral template.
- the collective behavior will also allow for a changing (or dynamic) behavior of a service to be handled without having to resort to manually changing the service behavioral template.
- the inventive concept allows for the collective behavior of a corresponding service performed at a plurality of wireless devices to be used for determining the identity of the service.
- the determination of identity is, as mentioned above, simplified (as seen from a server perspective) by allowing the payload data for the service to be appended with the mentioned indicative information as to the identity of the specific service.
- the first wireless device is adapted to analyze the payload data generated by the service for determining the indication of the service identity.
- the step of determining the level of validity typically includes pattern matching of indicative information associated with the service performed by the first wireless device and corresponding information associated with the service performed by the second wireless device. That is, when the first wireless device consumes a service, the indicative information of the first wireless device is compared with corresponding information for the second wireless device. If the indicative information is sufficiently matching (i.e. on a service-by-service level and above the predefined level of validity), the service consumed by the first wireless device is considered to be validated as a specific service. At this point the indicative information for the first wireless device is stored and aggregated with the indicative information of the second wireless device, to be used as a baseline for subsequent comparisons. Accordingly, the confidence in the validity (i.e. the level of validity) for the service is increased by seeing a strong pattern over time.
- the indication of the service identity may in the suggested embodiment be arranged to include information relating to one or a plurality of IP addresses used by the service. It may however be so that the service performed by the first wireless device doesn't use all of the IP addresses as used by the second wireless device. Accordingly, there may in such implementations be only a partial "IP address overlap". This will however be handled by means of the validity level and the preselection of the threshold.
- the comparison may likewise be made between TCP/UDP ports associated with the payload data generated by the service when performed by the first wireless device and corresponding information associated with a service performed by the second wireless device.
- the concept of correlating TCP/UDP ports is typically comparable to the above embodiment relating to IP addresses.
- the indication may further include certificate information relating to the identification of the service. That is, a third-party certificate authority may verify the integrity of the service by the provision of a digital certificate assigned thereto.
- the digital certificate may, similarly to the examples above, be used as a parameter for comparison between a service performed at the first wireless device and corresponding information of the service performed at the second wireless device.
- the service identity may be validated.
- the certificate may not necessarily be provided by a specific third-party authority, different implementations are possible and within the scope of the invention.
- the service may typically comprise a process, or many processes, executed by a control unit of the first wireless device, and the indication of the service identity may in an alternative embodiment be based on process information provided by the control unit of the first wireless device.
- the process may in turn include a process ID that may be used within the inventive correlation process, i.e. as to correlating information from a plurality of wireless devices.
- the process ID may thus as an alternative (or also) be appended with the payload data provided by the wireless device.
- the inventive concept allows for service determination based on a single or a combination of comparable parameters for the first and the second wireless device and relating to the service.
- the indicative information may be analyzed with respect to each or a combination of the used IP addresses, TCP/UDP ports, certificates and process IDs.
- each of the parameters is matched, which results in a validity level.
- the more parameters the devices have in common, the higher the level of validity.
- the number of wireless devices using the same service in the comparison process will increase the overall level of validity for the service.
- the model used for comparison is not limited to the above exemplary parameters.
- the mentioned service identity information may include at least one of package name, package version, commands executed, or similar, relating to the service.
- Present or future similar comparable parameters may also be considered and are within the scope of the invention.
- the present invention allows for any statistically significant pattern to be used for validating the identity of the service, or be a part of the validation of a service.
- when simple metrics like those in the examples above are combined, a very complex pattern-matching model can be built.
- the inventive concept allows for a swift and automated service identity determination, also in cases where the pattern is changing. For example, in a situation where a service is starting to apply a new set of IP addresses, the suggested implementation will handle such variations automatically (or at least semi-automated) based on an ongoing analysis and comparison of corresponding information from a plurality of wireless devices. The same of course is valid for the remaining parameters as mentioned above (ports, certificates, etc.)
- the step of determining the level of validity is performed separated from the one or more nodes of the wireless communication network. That is, in some embodiments of the invention the determination of validity is performed in a distributed manner, possibly partly "offline" of the general processing performed by said at least one node. This will be further elaborated below in relation to the detailed description of the invention.
- the service performed by at least one of the first and the second wireless device may in one embodiment be an App, typically executed by the control unit comprised with the wireless device. It should however be understood that the service may include a plurality of Apps and/or a "type of Apps".
- the expression "type of Apps" could for example relate to different Apps all relating to "Social media".
- the Apps "Instagram" and "Snapchat" both relate to image and video based Social media Apps.
- the invention may be implemented such that the indication of service identity provided by the wireless device simply identifies more than a single App as being a "Social media image/video App".
- Another category of types of Apps may for example be a collection of banking apps.
- At least one of the first and the second wireless device is a mobile phone, a laptop, a tablet, etc.
- the mobile phone may in some embodiments be provided with an operating system (or similar) allowing an implementation of the invention, as a third-party application, to determine the indication of the service identity.
- one example of such an operating system is the Android operating system.
- a network system comprising a memory configured to store instructions, the instructions configured for determining the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, and a processor configured to execute the instructions by receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity, comparing the indication of the service identity from the first wireless device with
- the processor is preferably an ASIC, a microprocessor or any other type of computing device comprised with a server.
- a software executed by the processor for operating the inventive system may be stored on a computer readable medium, being any type of memory device, including one of a removable nonvolatile random access memory, a hard disk drive, a floppy disk, a CD-ROM, a DVD-ROM, a USB memory, an SD memory card, or a similar computer readable medium known in the art.
- a non-transitory computer program product comprising a computer readable medium having stored thereon computer program means for a processor comprised with a network system, the network system arranged to determine the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, wherein the computer program product comprises code for receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity, code for comparing the indication of the service identity from the first wireless device with corresponding information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service, code for determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and code for assigning an identity for the service if the level of validity is above a predetermined threshold. Also this aspect of the invention provides similar advantages as discussed above in relation to the
- Fig. 1 schematically exemplifies a wireless communication network according to an embodiment of the invention
- Fig. 2 provides an illustration of processing for identifying a service
- Fig. 3 is a flowchart illustrating the operation of the inventive method.
- the wireless communication network 100 may include a first wireless device 102 and a second wireless device 103, a radio access network (RAN) 104, an application server 106 and a core network 108.
- Components of wireless communication network 100 may interconnect via wired and/or wireless connections.
- a single RAN 104, application server 106 and core network 108 have been illustrated in Fig. 1 for simplicity.
- different functions may be performed by the components of the wireless communication network 100 than what is explicitly mentioned below.
- a further plurality of wireless devices 102, 103 are typically included with the wireless communication network 100.
- the wireless devices 102, 103 may include devices capable of sending/receiving information (e.g., voice, data, broadband applications, etc.) to/from RAN 104.
- the wireless devices 102, 103 may include, for example, a radiotelephone, a personal communications system (PCS) terminal (e.g., that may combine a cellular radiotelephone with data processing and data communications capabilities), a personal digital assistant (PDA) (e.g., that can include a radiotelephone, a pager, Internet/intranet access, etc.), a wireless device (e.g., a wireless telephone), a cellular telephone, a smart phone, a laptop computer with a broadband air card, a global positioning system (GPS) navigation device, a digital camera, a portable gaming system, or other types of mobile communication devices.
- the wireless devices 102, 103 may also be referred to as mobile electronic devices.
- the RAN 104 may include one or more devices that receive information (e.g., voice, data, broadband applications, etc.) from core network 108 and transmit that information to wireless devices 102, 103 via a wireless interface.
- the RAN 104 may also include one or more devices that receive information (e.g., voice, data, broadband applications, etc.) from wireless device 102 over the wireless interface and transmit that information to the core network 108 and/or to other wireless devices.
- the application server 106 may include one or more server devices that may provide data to push application software and content to wireless devices 102, 103.
- the application server 106 may communicate with a variety of other components, such as databases, gateways, web servers, network switches or routers, television broadcast facilities, and other servers to facilitate providing service content to customers.
- the core network 108 may include one or more resources (e.g., devices, components, etc.) that transfer/receive information (e.g., voice, data, broadband applications, etc.) to a circuit-switched and/or packet-switched network.
- the core network 108 may include a cellular network, a second generation (2G) network, a third generation (3G) network, a fourth generation (4G) network, a fifth generation (5G) network, and/or another network.
- the core network 108 may include a wide area network (WAN), a metropolitan area network (MAN), an ad hoc network, an intranet, the Internet, and/or a combination of these or other types of networks.
- the core network 108 further includes one or more resources to monitor and predict data usage in a manner as has been discussed above and as will be further elaborated in relation to the further detailed description of the invention. Such resources may also be used for facilitating control of data access for the wireless devices 102, 103 to apply data usage restrictions/access for the wireless devices 102, 103.
- Fig. 1 shows example components of the wireless communication network 100
- the wireless communication network 100 may contain fewer components, different components, differently arranged components, or additional components than depicted in Fig. 1.
- one or typically a plurality of services such as apps are operated/executed/performed at the wireless devices 102, 103. At least some of the services require network access, typically receiving some form of content from the application server 106.
- the transmitted payload data is in accordance with the invention appended with information providing an indication of the identity of that specific service.
- an identification server 202 is provided.
- the identification server 202 forms part of or is connected to the core network 108, forming a node of the wireless communication network 100.
- the identification server 202 is configured to receive, S1, payload data with indicative identity information generated by the specific service of the first wireless device 102.
- the identification server 202 is also configured to receive payload data with indicative identity information generated by a similar specific service of the second wireless device 103.
- the identification server 202 is thus arranged in such a manner within the wireless communication network 100 that it may readily extract information passed between e.g. the wireless devices 102, 103 and the application server 106.
- the identification server 202 is further connected to a database 204.
- the identification server 202 is further configured to compare, S2, the indication of the service identity from the first wireless device 102 with the corresponding service related identity information received from the second wireless device 103.
- the information that may be included as an indication of the identity of the service may, as exemplified above, be at least one or a combination of the IP addresses used by the service, the TCP/UDP ports, certificate information and process IDs.
- once the identification server 202 has received the indication of the service identity for the service, i.e. from at least the first 102 and the second 103 wireless devices, this information is compared, S3, for making a determination, S4, of how well the indicative service identity information received from the first wireless device 102 is matching the corresponding indicative service identity information received from the second wireless device 103.
- typically, a large plurality of "second" wireless devices are performing the specific service and a large plurality of elements of indicative service identity information have been previously collected, aggregated and stored in the database.
- the comparison process thus typically includes matching the indicative service identity information received from the first wireless device 102 with corresponding information stored in the database 204.
- the determination process will typically include setting a level of validity based on the matching between the indicative service identity information from the first 102 and the second 103 wireless devices. If the matching is above a predetermined threshold (that may be continuously adapted), the specific service is assigned, S4, an identity.
- Example 1 The process of identity determination may be exemplified as follows.
- Service 1 when consumed by the first wireless device 102, communicates with IP address 1, IP address 2 and IP address 3.
- IP address 4 is used by other (second) wireless devices, when consuming service 1.
- provided that the partial IP address overlap still yields a level of validity above the predetermined threshold, service 1 when consumed by the first wireless device 102 could still become validated.
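The validity determination described above (per-parameter pattern matching of IP addresses, TCP/UDP ports, certificates and process IDs against the collective behavior of many second devices, a threshold, and aggregation of validated indications into the baseline) and Example 1 can be worked through in code. The following is an added example, not code from the patent or its applicant: it models the identification server 202 and database 204 in Python. The parameter weights, the threshold, the minimum device count, and all sample values (TEST-NET IP addresses, certificate fingerprints, package names) are assumptions constructed for this example; the patent only states that more matching parameters and more contributing devices raise the level of validity.

```python
"""Validity-level determination for a client-reported service identity.

Added example, not code from the patent. Each wireless device appends an
indication of service identity (IP addresses, TCP/UDP ports, certificate
fingerprint, process ID) to its payload; the identification server compares
that indication with the aggregated indications already collected from other
devices for the same service, derives a validity level, and assigns the
identity only above a threshold. Weights, threshold and sample values are
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass, field

PARAMETERS = ("ips", "ports", "certs", "pids")
# Relative weight of each parameter in the combined level (an assumption of
# this example; the patent only says more matching parameters raise the level).
WEIGHTS = {"ips": 0.4, "ports": 0.2, "certs": 0.3, "pids": 0.1}


@dataclass
class Baseline:
    """Aggregated indications for one service (one entry of database 204)."""
    devices: int = 0
    counts: dict = field(default_factory=lambda: {p: Counter() for p in PARAMETERS})

    def frequency(self, param: str, value: str) -> float:
        """Share of contributing devices that reported this value."""
        return self.counts[param][value] / self.devices if self.devices else 0.0


def match_parameter(baseline: Baseline, param: str, reported: set) -> float:
    """Average collective frequency of the values one device reports for a
    parameter. Partial IP-address overlap (Example 1) gives a partial score
    rather than a hard failure."""
    if not reported:
        return 0.0
    return sum(baseline.frequency(param, v) for v in reported) / len(reported)


def validity_level(baseline: Baseline, indication: dict, min_devices: int = 3) -> float:
    """Weighted per-parameter match, damped while few devices have contributed,
    so that one device's self-report never validates itself (the trust problem
    noted above for terminal-side classification)."""
    score = sum(WEIGHTS[p] * match_parameter(baseline, p, indication.get(p, set()))
                for p in PARAMETERS)
    confidence = min(1.0, baseline.devices / min_devices)
    return score * confidence


def assign_identity(db: dict, service: str, indication: dict, threshold: float = 0.5):
    """Steps S2-S4: compare, determine validity, assign the identity if the level
    is above the threshold. A validated indication is aggregated into the
    baseline so the collective behavior tracks changes (e.g. new IP addresses)."""
    baseline = db.setdefault(service, Baseline())
    level = validity_level(baseline, indication)
    validated = level >= threshold
    if validated:
        baseline.devices += 1
        for p in PARAMETERS:
            baseline.counts[p].update(indication.get(p, set()))
    return validated, round(level, 3)


def seed_baseline(db: dict, service: str, indications: list) -> Baseline:
    """Bootstrap a baseline from indications already collected from second
    devices (the text assumes such data is present in the database)."""
    baseline = db.setdefault(service, Baseline())
    for ind in indications:
        baseline.devices += 1
        for p in PARAMETERS:
            baseline.counts[p].update(ind.get(p, set()))
    return baseline


def example_1() -> dict:
    """Constructed replay of Example 1, plus a tampered report and a cold start."""
    db = {}
    common = {"ports": {443}, "certs": {"sha256:aaaa"}, "pids": {"com.example.stream"}}
    # Five second devices (103) consuming service 1 via IP addresses 1, 2 and 4.
    seed_baseline(db, "service-1", [
        {"ips": {"198.51.100.1", "198.51.100.2", "198.51.100.4"}, **common}
        for _ in range(5)])
    # First device (102) uses IP addresses 1, 2 and 3: partial overlap only.
    first = assign_identity(db, "service-1",
                            {"ips": {"198.51.100.1", "198.51.100.2", "198.51.100.3"}, **common})
    # A report altered to claim service 1 while the traffic goes elsewhere with
    # another certificate; a matching port and process ID alone are not enough.
    tampered = assign_identity(db, "service-1",
                               {"ips": {"203.0.113.7"}, "ports": {443},
                                "certs": {"sha256:ffff"}, "pids": {"com.example.stream"}})
    # No baseline yet: a single report cannot validate itself.
    cold = assign_identity(db, "service-new", {"ips": {"203.0.113.9"}, **common})
    return {"first": first, "tampered": tampered, "cold": cold, "db": db}


if __name__ == "__main__":
    for name, result in example_1().items():
        if name != "db":
            print(name, result)
```

The first device is validated with a level of about 0.87 despite missing IP address 4, while the tampered report scores only 0.3 from the port and process ID it shares with the baseline and is rejected; once validated, IP address 3 enters the baseline with a low frequency that would grow if further devices report it.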
- the above examples are non-limiting and further implementations are possible and within the scope of the invention as has been indicated above.
- the more parameters indicative of the specific service at the first wireless device 102 that match the collective behavior of the specific service performed at the plurality of second wireless devices 103, the higher the validity of the identity for the specific service.
- control functionality of the present disclosure may be implemented using existing computer processors, or by a special purpose computer processor for an appropriate system, incorporated for this or another purpose, or by a hardwired system.
- Embodiments within the scope of the present disclosure include program products comprising machine-readable media for carrying or having machine-executable instructions or data structures stored thereon. Such machine-readable media can be any available media that can be accessed by a general purpose or special purpose computer or other machine with a processor.
- machine-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code in the form of machine-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer or other machine with a processor.
- when information is transferred over a network or another communications connection (either hardwired, wireless, or a combination of hardwired and wireless), any such connection is properly termed a machine-readable medium.
- Machine-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE1551404A SE539143C2 (en) | 2015-10-30 | 2015-10-30 | Method and network system for service identification |
SE1551404-5 | 2015-10-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017074248A1 true WO2017074248A1 (en) | 2017-05-04 |
Family
ID=58503790
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SE2016/051038 WO2017074248A1 (en) | 2015-10-30 | 2016-10-26 | Method and network system for service identification |
Country Status (2)
Country | Link |
---|---|
SE (1) | SE539143C2 (en) |
WO (1) | WO2017074248A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1798914A1 (en) * | 2005-12-13 | 2007-06-20 | Alcatel Lucent | Congestion control |
WO2011012165A1 (en) * | 2009-07-30 | 2011-02-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Packet classification method and apparatus |
WO2013178273A1 (en) * | 2012-05-31 | 2013-12-05 | Telefonaktiebolaget L M Ericsson (Publ) | Method, user terminal, and policy and charging network entity for classifying packets |
WO2015012863A1 (en) * | 2013-07-26 | 2015-01-29 | Hewlett Packard Development Company, L.P. | Network configuration using service identifier |
- 2015-10-30 SE SE1551404A patent/SE539143C2/en not_active IP Right Cessation
- 2016-10-26 WO PCT/SE2016/051038 patent/WO2017074248A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
SE1551404A1 (en) | 2017-04-18 |
SE539143C2 (en) | 2017-04-18 |
Similar Documents
Publication | Title |
---|---|
US10452843B2 (en) | Self-adaptive application programming interface level security monitoring |
US9554169B2 (en) | Systems, methods, and apparatus for delivering content |
CN113574838A (en) | System and method for filtering internet traffic through client fingerprints |
US10496263B2 (en) | De-anonymization of website visitor identity |
KR20170060280A (en) | Apparatus and method for automatically generating rules for malware detection |
US20160050128A1 (en) | System and Method for Facilitating Communication with Network-Enabled Devices |
US8984151B1 (en) | Content developer abuse detection |
CN107666404B (en) | Broadband network user identification method and device |
TWI737942B (en) | A user tracking method, server and client |
US9749200B2 (en) | Method and apparatus for detecting application |
US20160019266A1 (en) | Query generating method and query generating device |
US20180007024A1 (en) | Methods and apparatus for obtaining a scoped token |
JP2018537921A (en) | Identification method and apparatus based on communication flow of different functions of Skype |
CN112019446A (en) | Interface speed limiting method, device, equipment and readable storage medium |
WO2016201876A1 (en) | Service identification method and device for encrypted traffic, and computer storage medium |
CN107623696B (en) | User identity verification method and device based on user behavior characteristics |
CN113326523A (en) | Privacy calculation method and device and electronic equipment |
US9646149B2 (en) | Accelerated application authentication and content delivery |
WO2017074248A1 (en) | Method and network system for service identification |
CN109831492B (en) | Method and device for accessing OTT application and server push message |
Rula et al. | Who's left behind? Measuring Adoption of Application Updates at Scale |
CN107018140B (en) | Authority control method and system |
CN114817076A (en) | Data processing method, device, equipment, medium and product of vehicle-mounted operating system |
CN105991373B (en) | A kind of application protocol recognition methods and device |
WO2015078124A1 (en) | Network data processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16860385; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WPC | Withdrawal of priority claims after completion of the technical preparations for international publication | Ref document number: 1551404-5; Country of ref document: SE; Date of ref document: 20180417; Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16860385; Country of ref document: EP; Kind code of ref document: A1 |