WO2017074248A1 - Method and network system for service identification - Google Patents


Info

Publication number: WO2017074248A1
Authority: WO (WIPO (PCT))
Prior art keywords: service, wireless device, identity, validity, determining
Application number: PCT/SE2016/051038
Other languages: French (fr)
Inventors: Daniel Nilsson, Josef Lindman Hörnlund, Fredrik Ahlqvist, Peter Lithner
Original assignee: Mni Group Ab

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Definitions

  • the collective behavior will also allow for a changing (or dynamic) behavior of a service to be handled without having to resort to manually changing the service behavioral template.
  • the inventive concept allows for the collective behavior of a corresponding service performed at a plurality of wireless devices to be used for determining the identity of the service.
  • the determination of identity is, as mentioned above, simplified (as seen from a server perspective) by allowing the payload data for the service to be appended with the mentioned indicative information as to the identity of the specific service.
  • the first wireless device is adapted to analyze the payload data generated by the service for determining the indication of the service identity.
  • the step of determining the level of validity typically includes pattern matching of indicative information associated with the service performed by the first wireless device and corresponding information associated with the service performed by the second wireless device. That is, when the first wireless device consumes a service, the indicative information of the first wireless device is compared with corresponding information for the second wireless device. If the indicative information is sufficiently matching (i.e. on a service-by-service level and above the predefined level of validity), the service consumed by the first wireless device is considered to be validated as a specific service. At this point the indicative information for the first wireless device is stored and aggregated with the indicative information of the second wireless device, to be used as a baseline for subsequent comparisons. Accordingly, the confidence in the validity (i.e. the level of validity) for the service is increased by seeing a strong pattern over time.
  • the indication of the service identity may in the suggested embodiment be arranged to include information relating to one or a plurality of IP addresses used by the service. It may however be so that the service performed by the first wireless device doesn't use all of the IP addresses as used by the second wireless device. Accordingly, there may in such implementations be only a partial "IP address overlap". This will however be handled by means of the validity level and the preselection of the threshold.
  • the step of determining the level of validity may also comprise comparing TCP/UDP ports associated with the payload data generated by the service when performed by the first wireless device with corresponding information associated with a service performed by the second wireless device.
  • the concept of correlating TCP/UDP ports is typically comparable to the above embodiment relating to IP addresses.
  • the indication of the service identity may also comprise certificate information relating to the service. That is, a third-party certificate authority may verify the integrity of the service by the provision of a digital certificate assigned thereto.
  • the digital certificate may, similar to what is exemplified above, be used as a parameter for comparison between a service performed at the first wireless device and corresponding information of the service performed at the second wireless device. Based on this comparison, the service identity may be validated.
  • the certificate may not necessarily be provided by a specific third-party authority, different implementations are possible and within the scope of the invention.
  • the service may typically comprise a process, or many processes, executed by a control unit of the first wireless device, and the indication of the service identity may in an alternative embodiment be based on process information provided by the control unit of the first wireless device.
  • the process may in turn include a process ID that may be used within the inventive correlation process, i.e. as to correlating information from a plurality of wireless devices.
  • the process ID may thus as an alternative (or also) be appended with the payload data provided by the wireless device.
  • the inventive concept allows for service determination based on a single or a combination of comparable parameters for the first and the second wireless device and relating to the service.
  • the indicative information may be analyzed with respect to each or a combination of the used IP addresses, TCP/UDP ports, certificates and process IDs.
  • each of the parameters is matched, which results in a validity level.
  • the more parameters the devices have in common, the higher the level of validity.
  • the number of wireless devices using the same service in the comparison process will increase the overall level of validity for the service.
  • the model used for comparison is not limited to the above exemplary parameters.
  • the mentioned service identity information may include at least one of package name, package version, commands executed, or similar, relating to the service.
  • Present or future similar comparable parameters may also be considered and are within the scope of the invention.
  • the present invention allows for any statistically significant pattern to be used for validating the identity of the service, or be a part of the validation of a service.
  • when simple metrics like those in the examples above are combined, a very complex pattern matching model can be built.
  • the inventive concept allows for a swift and automated service identity determination, also in cases where the pattern is changing. For example, in a situation where a service is starting to apply a new set of IP addresses, the suggested implementation will handle such variations automatically (or at least semi-automatically) based on an ongoing analysis and comparison of corresponding information from a plurality of wireless devices. The same of course holds for the remaining parameters mentioned above (ports, certificates, etc.).
  • the step of determining the level of validity is performed separately from the one or more nodes of the wireless communication network. That is, in some embodiments of the invention the determination of validity is performed in a distributed manner, possibly partly "offline" from the general processing performed by said at least one node. This will be further elaborated below in relation to the detailed description of the invention.
  • the service performed by at least one of the first and the second wireless device may in one embodiment be an App, typically executed by the control unit comprised with the wireless device. It should however be understood that the service may include a plurality of Apps and/or a "type of Apps".
  • the expression "type of Apps" could for example relate to different Apps all relating to "Social media".
  • the Apps "Instagram" and "Snapchat" both relate to image and video based Social media Apps.
  • the invention may be implemented such that the indication of service identity provided by the wireless device simply identifies more than a single App as being a "Social media image/video App".
  • Another category of types of Apps may for example be a collection of banking apps.
  • At least one of the first and the second wireless device is a mobile phone, a laptop, a tablet, etc.
  • the mobile phone may in some embodiments be provided with an operating system (or similar) allowing an implementation of the invention, as a third party application, to determine the indication of the service identity.
  • an example of such an operating system is the Android operating system.
  • a network system comprising a memory configured to store instructions, the instructions configured for determining the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, and a processor configured to execute the instructions by receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity, comparing the indication of the service identity from the first wireless device with
  • the processor is preferably an ASIC, a microprocessor or any other type of computing device comprised with a server.
  • software executed by the processor for operating the inventive system may be stored on a computer readable medium, being any type of memory device, including one of a removable nonvolatile random access memory, a hard disk drive, a floppy disk, a CD-ROM, a DVD-ROM, a USB memory, an SD memory card, or a similar computer readable medium known in the art.
  • a non-transitory computer program product comprising a computer readable medium having stored thereon computer program means for a processor comprised with a network system, the network system arranged to determine the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, wherein the computer program product comprises code for receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity, code for comparing the indication of the service identity from the first wireless device with corresponding information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service, code for determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and code for assigning an identity for the service if the level of validity is above a predetermined threshold. Also this aspect of the invention provides similar advantages as discussed above in relation to the
  • Fig. 1 schematically exemplifies a wireless communication network according to an embodiment of the invention
  • Fig. 2 provides an illustration of processing for identifying a service
  • Fig. 3 is a flowchart illustrating the operation of the inventive method.
  • the wireless communication network 100 may include a first wireless device 102 and a second wireless device 103, a radio access network (RAN) 104, an application server 106 and a core network 108.
  • Components of wireless communication network 100 may interconnect via wired and/or wireless connections.
  • a single RAN 104, application server 106 and core network 108 have been illustrated in Fig. 1 for simplicity.
  • different functions may be performed by the components of the wireless communication network 100 than what is explicitly mentioned below.
  • a further plurality of wireless devices 102, 103 are typically included with the wireless communication network 100.
  • the wireless devices 102, 103 may include devices capable of sending/receiving information (e.g., voice, data, broadband applications, etc.) to/from RAN 104.
  • the wireless devices 102, 103 may include, for example, a radiotelephone, a personal communications system (PCS) terminal (e.g., that may combine a cellular radiotelephone with data processing and data communications capabilities), a personal digital assistant (PDA) (e.g., that can include a radiotelephone, a pager, Internet/intranet access, etc.), a wireless device (e.g., a wireless telephone), a cellular telephone, a smart phone, a laptop computer with a broadband air card, a global positioning system (GPS) navigation device, a digital camera, a portable gaming system, or other types of mobile communication devices.
  • the wireless devices 102, 103 may also be referred to as mobile electronic devices.
  • the RAN 104 may include one or more devices that receive information (e.g., voice, data, broadband applications, etc.) from core network 108 and transmit that information to wireless devices 102, 103 via a wireless interface.
  • the RAN 104 may also include one or more devices that receive information (e.g., voice, data, broadband applications, etc.) from wireless device 102 over the wireless interface and transmit that information to the core network 108 and/or to other wireless devices.
  • the application server 106 may include one or more server devices that may provide data to push application software and content to wireless devices 102, 103.
  • the application server 106 may communicate with a variety of other components, such as databases, gateways, web servers, network switches or routers, television broadcast facilities, and other servers to facilitate providing service content to customers.
  • the core network 108 may include one or more resources (e.g., devices, components, etc.) that transfer/receive information (e.g., voice, data, broadband applications, etc.) to a circuit-switched and/or packet-switched network.
  • the core network 108 may include a cellular network, a second generation (2G) network, a third generation (3G) network, a fourth generation (4G) network, a fifth generation (5G) network, and/or another network.
  • the core network 108 may include a wide area network (WAN), a metropolitan area network (MAN), an ad hoc network, an intranet, the Internet, and/or a combination of these or other types of networks.
  • the core network 108 further includes one or more resources to monitor and predict data usage in a manner as has been discussed above and as will be further elaborated in relation to the further detailed description of the invention. Such resources may also be used for facilitating control of data access for the wireless devices 102, 103 to apply data usage restrictions/access for the wireless devices 102, 103.
  • Fig. 1 shows example components of the wireless communication network 100
  • the wireless communication network 100 may contain fewer components, different components, differently arranged components, or additional components than depicted in Fig. 1.
  • one or, typically, a plurality of services such as apps are operated/executed/performed at the wireless devices 102, 103. At least some of the services require network access, typically receiving some form of content from the application server 106.
  • the transmitted payload data is in accordance to the invention appended with information providing an indication of the identity of that specific service.
  • an identification server 202 is provided.
  • the identification server 202 forms part of or is connected to the core network 108, forming a node of the wireless communication network 100.
  • the identification server 202 is configured to receive, S1, payload data with indicative identity information generated by the specific service of the first wireless device 102.
  • the identification server 202 is also configured to receive payload data with indicative identity information generated by a similar specific service of the second wireless device 103.
  • the identification server 202 is thus arranged in such a manner within the wireless communication network 100 that it may readily extract information passed between e.g. the wireless devices 102, 103 and the application server 106.
  • the identification server 202 is further connected to a database 204.
  • the identification server 202 is further configured to compare, S2, the indication of the service identity from the first wireless device 102 with the corresponding service related identity information received from the second wireless device 103.
  • the information that may be included as an indication of the identity of the service may, as exemplified above, be at least one or a combination of:
  • once the identification server 202 has received the indication of the service identity for the service, i.e. from at least the first 102 and the second 103 wireless devices, this information is compared, S3, for making a determination, S4, of how well the indicative service identity information received from the first wireless device 102 matches the corresponding indicative service identity information received from the second wireless device 103.
  • typically, a large plurality of "second" wireless devices are performing the specific service, and a large plurality of elements of indicative service identity information have been previously collected, aggregated and stored in the database 204.
  • the comparison process thus typically includes matching the indicative service identity information received from the first wireless device 102 with corresponding information stored in the database 204.
  • the determination process will typically include setting a level of validity based on the matching between the indicative service identity information from the first 102 and the second 103 wireless devices. If the matching is above a predetermined threshold (that may be continuously adapted), the specific service is assigned, S4, an identity.
  • Example 1: The process of identity determination may be exemplified as follows.
  • Service 1 when consumed by the first wireless device 102, communicates with IP address 1, IP address 2 and IP address 3.
  • IP address 4 is used by other (second) wireless devices, when consuming service 1.
  • even though the first wireless device 102 does not use IP address 4, service 1, when consumed by the first wireless device 102, could still become validated, since the partial IP address overlap is handled by means of the validity level and the preselected threshold.
  • the above examples are non-limiting and further implementations are possible and within the scope of the invention as has been indicated above.
  • the more parameters being indicative of the specific service at the first wireless device 102 that match the collective behavior of the specific service performed at the plurality of second wireless devices 102 the higher the validity of the identity for the specific service.
  • control functionality of the present disclosure may be implemented using existing computer processors, or by a special purpose computer processor for an appropriate system, incorporated for this or another purpose, or by a hardwired system.
  • Embodiments within the scope of the present disclosure include program products comprising machine- readable media for carrying or having machine-executable instructions or data structures stored thereon. Such machine-readable media can be any available media that can be accessed by a general purpose or special purpose computer or other machine with a processor.
  • machine-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code in the form of machine-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer or other machine with a processor.
  • when information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired and wireless) to a machine, the machine properly views the connection as a machine-readable medium; thus, any such connection is properly termed a machine-readable medium.
  • Machine-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.

Abstract

The present invention relates to a method for identifying a service performed by a wireless device. The invention also relates to a corresponding network system and to a computer program product.

Description

METHOD AND NETWORK SYSTEM FOR SERVICE IDENTIFICATION
TECHNICAL FIELD
The present invention relates to a method for identifying a service performed by a wireless device. The invention also relates to a corresponding network system and to a computer program product.
BACKGROUND OF THE INVENTION
With the development of newer wireless devices, such as mobile phones operating numerous services (such as for example different applications, "Apps"), and the development of more sophisticated processing techniques, users can enjoy different types of multimedia content using high bandwidth connections. Some services/Apps provide the ability to transfer large amounts of data, such as to implement file sharing and streaming of movies or large audio files. Consequently, it may in many instances be of interest for an owner of a wireless network, providing wireless access for the wireless device, to be able to correctly manage the wireless access and charge/bill the user for the transferred (amount of) data.
In presently available wireless networks, the ability to detect and act on traffic relating to specific services relies on server side service identification. This identification process makes use of statically configured templates, which could be a set of IP addresses, URIs or some other well defined content of an IP-based communication. This template is compared, in real-time, with data traffic that passes the system.
A big drawback with this way of defining services is that it requires manual interaction. The rules must be manually configured and updated. This quickly becomes unmanageable, if more than a few services are to be defined. In a scenario with thousands (and even hundreds of thousands) of services, it is simply not possible to make service specific definitions. From an end-user point of view, this means that it is not possible to pay for the data usage of a specific App (with the exception of very popular Apps, which are used to such an extent that it mandates the manual configuration and updating described above).
Furthermore, the server side service detection typically makes use of Deep Packet Inspection (DPI) or Shallow Packet Inspection (SPI), and sometimes heuristic detection. The choice between these methods is typically a tradeoff between precision and performance. Deep Packet Inspection and heuristic detection are usually CPU and memory intensive processes (for the server). Shallow Packet Inspection is less demanding performance-wise, but is limited to IP-level inspection. With IP-level inspection, the ability to make service based classification is even more limited. Another important aspect is that DPI relies on having an unencrypted data transport. This is becoming more and more of a problem, since a growing number of services use encrypted transport (TLS, HTTPS), thereby forcing telecom operators to use IP-level inspection and consequently lose transparency and the ability to do service based classification. Accordingly, it is difficult and expensive to do service identification in the traditional way once the number of services/Apps is increasing.
Further attention is drawn to WO2012178273, describing a methodology for classifying packets associated with at least one of a service and an application. The method is carried out in a communication network comprising at least a user terminal, such as a smart phone, and a PCEF network entity. WO2012178273 further describes the possibility to install PCEF capabilities on user terminals, which would give the user terminals the ability to perform packet analysis there (i.e. at the user terminal) instead of in the packet core network (a functionality in WO2012178273 denoted as PCEMF). In accordance with the methodology described in WO2012178273, the network owner thus trusts the result from the user terminal, which could make it possible for modification of the behavior of the user terminal (e.g. by a "hacker"), such that the PCEMF would emit incorrect control signals. If those signals were used to update the packet core PCEF rules, it would have highly undesirable effects.
Consequently, it would be desirable to introduce a new approach to service identification, preferably adapted to counteract the possible safety issues mentioned above.
SUMMARY OF THE INVENTION
In view of the above-mentioned and other drawbacks of the prior art, it is an object of the present invention to provide improvements in relation to the detection/identification of services generating data traffic in a wireless communication network, specifically with the purpose of minimizing any necessity of manual interaction and for reducing the need for CPU and memory intensive processes to be processed server side.
According to an aspect of the present invention, there is therefore provided a computer-implemented method, at least partly performed by one or more nodes of a wireless communication network serving a first wireless device, of determining the identity of a service performed by the first wireless device, the service requiring internet or network access, comprising: receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity; comparing the indication of the service identity from the first wireless device with information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service; determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device; and assigning an identity for the service if the level of validity is above a predetermined threshold.
The present invention is based upon the realization that it may be possible to automatically (or at least semi-automatically) handle the determination of an identity of a service performed by the first wireless device and requiring internet or network access. This is, according to the invention, achieved by providing indicative identity information together with the actual payload data generated by the service when accessing the internet and/or network. The indicative information is correlated with corresponding data provided by at least a second wireless device, whereby it may be possible to determine a validity level for an identity of the service performed by the first wireless device. In case the validity level is determined to be above a predetermined threshold, the service is confirmed to have a specific identity.
In essence, the indicative information appended at the wireless device removes some of the necessary computation at the server side, thereby significantly reducing the complexity of the process having to be performed at the server side. In addition, by correlating corresponding information from a plurality of wireless devices (i.e. at least the first and the second wireless device, but typically a large plurality of wireless devices being part of the wireless communication network), the collective behavior of the plurality of wireless devices is used for determining the identity of the service. Thereby, the need for manually forming a service behavioral template is drastically reduced. Accordingly, as the inventive concept allows for a reduction in manual interaction, there is a possibility to easily scale a corresponding implementation to handle a large plurality of different services. In addition, also services having only a few users may be handled/identified by the invention, a scenario that would not be economically feasible in the normal case where a person needs to manually handle the service behavioral template.
In addition, the collective behavior will also allow for a changing (or dynamic) behavior of a service to be handled without having to resort to manually changing the service behavioral template. Rather, the inventive concept allows for the collective behavior of a corresponding service performed at a plurality of wireless devices to be used for determining the identity of the service. The determination of identity is, as mentioned above, simplified (as seen from a server perspective) by allowing the payload data for the service to be appended with the mentioned indicative information as to the identity of the specific service. In an embodiment, the first wireless device is adapted to analyze the payload data generated by the service for determining the indication of the service identity.
Thus, the step of determining the level of validity typically includes pattern matching of indicative information associated with the service performed by the first wireless device against corresponding information associated with the service performed by the second wireless device. That is, when the first wireless device consumes a service, the indicative information of the first wireless device is compared with corresponding information for the second wireless device. If the indicative information matches sufficiently (i.e. per service, and with a resulting level of validity above the predefined threshold), the service consumed by the first wireless device is considered validated as a specific service. At this point the indicative information for the first wireless device is stored and aggregated with the indicative information of the second wireless device, to be used as a baseline for subsequent comparisons. Accordingly, the confidence in the validity (i.e. the level of validity) for the service increases as a strong pattern is seen over time.
As understood from the above, different types of data may be used in the comparison/matching process. According to an embodiment of the invention, at least one IP address associated with the payload data generated by the service when performed by the first wireless device is matched/compared with an IP address associated with a service performed by the second wireless device. As such, the indication of the service identity may in the suggested embodiment be arranged to include information relating to one or a plurality of IP addresses used by the service. It may however be that the service performed by the first wireless device does not use all of the IP addresses used by the second wireless device. Accordingly, there may in such implementations be only a partial "IP address overlap". This is however handled by means of the validity level and the preselection of the threshold.
Alternatively or additionally, it may be possible to compare at least one of the source and destination TCP/UDP ports associated with the payload data generated by the service when performed by the first wireless device with corresponding information associated with a service performed by the second wireless device. Correlating TCP/UDP ports is typically comparable to the above embodiment relating to IP addresses. Furthermore, it may in accordance with the invention be possible to use certificate information relating to the identification of the service. That is, a third-party certificate authority may vouch for the identity of the service by issuing it a digital certificate. The digital certificate may, similarly to the examples above, be used as a parameter for comparison between a service performed at the first wireless device and corresponding information of the service performed at the second wireless device. In case the digital certificate (or information relating to it, such as a fingerprint) communicated from the first wireless device to the server matches e.g. previously stored corresponding information from the second wireless device, the service identity may be validated. The certificate need not be provided by a specific third-party authority; different implementations are possible and within the scope of the invention.
Still further, the service may typically comprise a process, or many processes, executed by a control unit of the first wireless device, and the indication of the service identity may in an alternative embodiment be based on process information provided by the control unit of the first wireless device. The process may in turn have a process ID that may be used within the inventive correlation process, i.e. for correlating information from a plurality of wireless devices. The process ID may thus alternatively (or additionally) be appended to the payload data provided by the wireless device.
Accordingly, the inventive concept allows for service determination based on a single one or a combination of comparable parameters relating to the service for the first and the second wireless device. For example, the indicative information may be analyzed with respect to each or a combination of the used IP addresses, TCP/UDP ports, certificates and process IDs. When performing matching, each parameter is matched, which results in a validity level. As understood, the more parameters in common, the higher the level of validity. Similarly, the number of wireless devices using the same service (in the comparison process) increases the overall level of validity for the service.
It should be understood that the model used for comparison is not limited to the above exemplary parameters. For example, the mentioned service identity information may include at least one of package name, package version, commands executed, or similar, relating to the service. Present or future similar comparable parameters may also be considered and are within the scope of the invention. Thus, the present invention allows any statistically significant pattern to be used for validating the identity of the service, or to be part of the validation of a service. As understood from the above, when simple metrics like those in the examples above are combined, a very complex pattern matching model can be built. This model will in many ways resemble the heuristic analysis models used by many telecom operators, but without some of their inherent problems, such as high processor and memory demand and vulnerability to changing conditions (if a service changes its behavior, statically defined heuristic detection models will fail until upgraded, whereas the dynamic validation model proposed by the invention continuously adapts to changing conditions). In addition to the above, the inventive concept allows for a swift and automated service identity determination, also in cases where the pattern is changing. For example, when a service starts to use a new set of IP addresses, the suggested implementation handles such variations automatically (or at least semi-automatically) based on an ongoing analysis and comparison of corresponding information from a plurality of wireless devices. The same of course holds for the remaining parameters mentioned above (ports, certificates, etc.).
Preferably, the step of determining the level of validity is performed separately from the one or more nodes of the wireless communication network. That is, in some embodiments of the invention the determination of validity is performed in a distributed manner, possibly partly "offline" from the general processing performed by said at least one node. This will be further elaborated below in relation to the detailed description of the invention.
The service performed by at least one of the first and the second wireless device may in one embodiment be an App, typically executed by the control unit comprised with the wireless device. It should however be understood that the service may include a plurality of Apps and/or a "type of Apps". The expression "type of Apps" could for example relate to different Apps all relating to "Social media". As a current example, the Apps "Instagram" and "Snapchat" both relate to image and video based Social media Apps. As such, the invention may be implemented such that the indication of service identity provided by the wireless device identifies more than a single App, e.g. as a "Social media image/video App". Another category of types of Apps may for example be a collection of banking apps.
In an embodiment of the invention, at least one of the first and the second wireless device is a mobile phone, a laptop, a tablet, etc. The mobile phone may in some embodiments be provided with an operating system (or similar) allowing an implementation of the invention, as a third-party application, to determine the indication of the service identity. One example of such an operating system is the Android operating system. However, it may also be possible, and within the scope of the invention, to implement the present invention as a native functionality integrated with the operating system (i.e. not provided as a third-party application), or similarly.
According to another aspect of the present invention, there is provided a network system, comprising a memory configured to store instructions, the instructions configured for determining the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, and a processor configured to execute the instructions by receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity, comparing the indication of the service identity from the first wireless device with information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service, determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and assigning an identity for the service if the level of validity is above a predetermined threshold. This aspect of the invention provides similar advantages as discussed above in relation to the previous aspect of the invention.
According to the invention, the processor is preferably an ASIC, a microprocessor or any other type of computing device comprised with a server. Similarly, software executed by the processor for operating the inventive system may be stored on a computer readable medium, being any type of memory device, including one of a removable nonvolatile random access memory, a hard disk drive, a floppy disk, a CD-ROM, a DVD-ROM, a USB memory, an SD memory card, or a similar computer readable medium known in the art.
According to a further aspect of the present invention, there is provided a non-transitory computer program product comprising a computer readable medium having stored thereon computer program means for a processor comprised with a network system, the network system arranged to determine the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, wherein the computer program product comprises code for receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity, code for comparing the indication of the service identity from the first wireless device with corresponding information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service, code for determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and code for assigning an identity for the service if the level of validity is above a predetermined threshold. Also this aspect of the invention provides similar advantages as discussed above in relation to the previous aspects of the invention.
As mentioned above, the processor is preferably an ASIC, a microprocessor or any other type of computing device comprised with a server. Similarly, software executed by the processor for operating the inventive system may be stored on a computer readable medium, being any type of memory device, including one of a removable nonvolatile random access memory, a hard disk drive, a floppy disk, a CD-ROM, a DVD-ROM, a USB memory, an SD memory card, or a similar computer readable medium known in the art.
Further features of, and advantages with, the present invention will become apparent when studying the appended claims and the following description. The skilled addressee realizes that different features of the present invention may be combined to create embodiments other than those described in the following, without departing from the scope of the present invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The various aspects of the invention, including its particular features and advantages, will be readily understood from the following detailed description and the accompanying drawings, in which:
Fig. 1 schematically exemplifies a wireless communication network according to an embodiment of the invention;
Fig. 2 provides an illustration of processing for identifying a service, and
Fig. 3 is a flowchart illustrating the operation of the inventive method.
DETAILED DESCRIPTION
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which currently preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for thoroughness and completeness, and fully convey the scope of the invention to the skilled person. Like reference characters refer to like elements throughout.
Turning now to the drawings and to Fig. 1 in particular, there is schematically illustrated a wireless communication network 100 according to an embodiment of the invention. In the illustration, the wireless communication network 100 may include a first wireless device 102 and a second wireless device 103, a radio access network (RAN) 104, an application server 106 and a core network 108. Components of the wireless communication network 100 may interconnect via wired and/or wireless connections. A single RAN 104, application server 106 and core network 108 have been illustrated in Fig. 1 for simplicity. In practice, there may be a plurality of RANs 104, application servers 106 and core networks 108. Also, different functions may be performed by the components of the wireless communication network 100 than what is explicitly mentioned below. Similarly, a further plurality of wireless devices 102, 103 are typically included with the wireless communication network 100.
The wireless devices 102, 103 may include devices capable of sending/receiving information (e.g., voice, data, broadband applications, etc.) to/from RAN 104. The wireless devices 102, 103 may include, for example, a radiotelephone, a personal communications system (PCS) terminal (e.g., that may combine a cellular radiotelephone with data processing and data communications capabilities), a personal digital assistant (PDA) (e.g., that can include a radiotelephone, a pager, Internet/intranet access, etc.), a wireless device (e.g., a wireless telephone), a cellular telephone, a smart phone, a laptop computer with a broadband air card, a global positioning system (GPS) navigation device, a digital camera, a portable gaming system, or other types of mobile communication devices. The wireless devices 102, 103 may also be referred to as mobile electronic devices.
The RAN 104 may include one or more devices that receive information (e.g., voice, data, broadband applications, etc.) from core network 108 and transmit that information to wireless devices 102, 103 via a wireless interface. The RAN 104 may also include one or more devices that receive information (e.g., voice, data, broadband applications, etc.) from wireless device 102 over the wireless interface and transmit that information to the core network 108 and/or to other wireless devices.
The application server 106 may include one or more server devices that may provide data to push application software and content to wireless devices 102, 103. The application server 106 may communicate with a variety of other components, such as databases, gateways, web servers, network switches or routers, television broadcast facilities, and other servers to facilitate providing service content to customers.
The core network 108 may include one or more resources (e.g., devices, components, etc.) that transfer/receive information (e.g., voice, data, broadband applications, etc.) to a circuit-switched and/or packet-switched network. In one implementation, the core network 108 may include a cellular network, a second generation (2G) network, a third generation (3G) network, a fourth generation (4G) network, a fifth generation (5G) network, and/or another network. Additionally, or alternatively, the core network 108 may include a wide area network (WAN), a metropolitan area network (MAN), an ad hoc network, an intranet, the Internet, and/or a combination of these or other types of networks. The core network 108 further includes one or more resources to monitor and predict data usage in a manner as has been discussed above and as will be further elaborated in relation to the further detailed description of the invention. Such resources may also be used for facilitating control of data access for the wireless devices 102, 103 to apply data usage restrictions/access for the wireless devices 102, 103.
Although Fig. 1 shows example components of the wireless communication network 100, in other implementations, the wireless communication network 100 may contain fewer components, different components, differently arranged components, or additional components than depicted in Fig. 1.
As has been elaborated above, one or typically a plurality of services, such as apps, are operated/executed/performed at the wireless devices 102, 103. At least some of the services require network access, typically receiving some form of content from the application server 106. When a specific service is accessing the network, the transmitted payload data is according to the invention appended with information providing an indication of the identity of that specific service.
With further reference to Figs. 2 and 3, an identification server 202 is provided. The identification server 202 forms part of or is connected to the core network 108, forming a node of the wireless communication network 100. The identification server 202 is configured to receive, S1, payload data with indicative identity information generated by the specific service of the first wireless device 102. The identification server 202 is also configured to receive payload data with indicative identity information generated by a similar specific service of the second wireless device 103. The identification server 202 is thus arranged in such a manner within the wireless communication network 100 that it may readily extract information passed between e.g. the wireless devices 102, 103 and the application server 106. The identification server 202 is further connected to a database 204.
The identification server 202 is further configured to compare, S2, the indication of the service identity from the first wireless device 102 with the corresponding service related identity information received from the second wireless device 103. The information that may be included as an indication of the identity of the service may, as exemplified above, be at least one or a combination of:
• one or a plurality of IP addresses used by the service,
• one or a plurality of ports used by the service,
• one or a plurality of certificates related to the service,
• one or a plurality of process IDs for the service,
• a data transfer speed for the service,
• one or a plurality of package names for the service,
• one or a plurality of package versions for the service, and/or
• an indication of one or a plurality of commands executed by the service.
It should be understood that the list provided is non-limiting and further information may be used as indicative identity information for the service.
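An added example, not code from the patent or from Mni Group AB, of how the receiving step S1 could be realised: a device-side routine that appends the indication to the payload, and the server-side routine that separates the two again and normalises the indication into the per-parameter sets listed above. The page does not specify an encoding, so the trailer framing (JSON body, 4-byte length, 8-byte marker), the size limits and the field names are assumptions. The point the example makes is that the appended indication arrives from a device the network does not trust: it is parsed against a strict schema, and what survives parsing is a claim to be correlated with other devices, not a fact.

```python
"""Extracting the appended indication of service identity from payload data.

Added example, not code from the patent or from Mni Group AB. The page does not
specify how the indication is appended, so this framing is an assumption:
    <payload bytes><JSON indication><4-byte big-endian JSON length><8-byte marker>
The server parses the trailer as an unverified claim from an untrusted device
and rejects anything outside the strict schema below.
"""
from __future__ import annotations

import ipaddress
import json
import struct

MAGIC = b"SVCIDv01"      # assumed trailer marker
MAX_TRAILER = 4096       # assumed upper bound on the appended indication
MAX_VALUES = 64          # assumed upper bound on values per parameter
# Parameter names are assumptions standing in for the list in the text above.
LIST_FIELDS = {"ips", "ports", "certs", "process_ids",
               "package_names", "package_versions", "commands"}


class IndicationError(ValueError):
    """Malformed or out-of-policy indication: the payload is still forwarded,
    but nothing about the service is learned from this device."""


def append_indication(payload: bytes, indication: dict) -> bytes:
    """Device side: append the JSON indication, its length and the marker."""
    body = json.dumps(indication, separators=(",", ":"), sort_keys=True).encode()
    if len(body) > MAX_TRAILER:
        raise IndicationError("indication too large")
    return payload + body + struct.pack(">I", len(body)) + MAGIC


def split_indication(frame: bytes) -> tuple[bytes, dict[str, set[str]]]:
    """Server side (S1): separate payload and indication, then normalise the
    indication into the per-parameter value sets used for the comparison."""
    if len(frame) < len(MAGIC) + 4 or not frame.endswith(MAGIC):
        raise IndicationError("no indication trailer")
    (length,) = struct.unpack(">I", frame[-12:-8])
    if length > MAX_TRAILER or length + 12 > len(frame):
        raise IndicationError("bad trailer length")
    body, payload = frame[-12 - length:-12], frame[:-12 - length]
    try:
        raw = json.loads(body)
    except ValueError as exc:
        raise IndicationError("trailer is not JSON") from exc
    return payload, normalise(raw)


def normalise(raw: object) -> dict[str, set[str]]:
    """Accept only known parameters, bounded non-empty lists and well-formed
    values; IP addresses are canonicalised, ports range-checked."""
    if not isinstance(raw, dict) or not raw or not raw.keys() <= LIST_FIELDS:
        raise IndicationError("unknown or missing fields")
    out: dict[str, set[str]] = {}
    for key, values in raw.items():
        if not isinstance(values, list) or not 0 < len(values) <= MAX_VALUES:
            raise IndicationError(f"{key}: expected a bounded non-empty list")
        cleaned: set[str] = set()
        for v in values:
            if key == "ips":
                if not isinstance(v, str):
                    raise IndicationError("ips: expected a string")
                try:
                    cleaned.add(str(ipaddress.ip_address(v)))
                except ValueError as exc:
                    raise IndicationError(f"ips: {v!r} is not an IP address") from exc
            elif key == "ports":
                # bool is a subclass of int, so exclude it explicitly
                if not isinstance(v, int) or isinstance(v, bool) or not 0 <= v <= 65535:
                    raise IndicationError(f"ports: {v!r} out of range")
                cleaned.add(str(v))
            else:
                if not isinstance(v, str) or not 0 < len(v) <= 256:
                    raise IndicationError(f"{key}: expected a short string")
                cleaned.add(v)
        out[key] = cleaned
    return out


def is_rejected(frame: bytes) -> bool:
    """True when the server would discard the indication carried by `frame`."""
    try:
        split_indication(frame)
    except IndicationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a request from the device plus its claimed identity.
    frame = append_indication(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
                              {"ips": ["198.51.100.10"], "ports": [443],
                               "certs": ["sha256:aa11"],
                               "process_ids": ["com.example.service1"]})
    print(split_indication(frame))
```

A rejected trailer discards only the indication; the payload itself is still carried. Because the marker is looked for at the very end of the data, payload bytes that happen to end in the marker would be misread, which is one reason a deployment would rather carry the indication out of band (for instance in a separate control message) than inside the data stream.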
Once the identification server 202 has received the indication of the service identity for the service from at least the first 102 and the second 103 wireless devices, this information is compared, S2, in order to determine, S3, how well the indicative service identity information received from the first wireless device 102 matches the corresponding indicative service identity information received from the second wireless device 103. In a typical implementation, a large plurality of "second" wireless devices 103 perform the specific service, and a large plurality of elements of indicative service identity information have previously been collected, aggregated and stored in the database 204. The comparison process thus typically includes matching the indicative service identity information received from the first wireless device 102 against corresponding information stored in the database 204.
The determination process typically includes setting a level of validity based on the match between the indicative service identity information from the first 102 and the second 103 wireless devices. If the match is above a predetermined threshold (which may be continuously adapted), the specific service is assigned, S4, an identity.
The process of identity determination may be exemplified as follows.
Example 1:
• Service 1, when consumed by the first wireless device 102 communicates with IP address 1, IP address 2 and IP address 3.
• When service 1 is consumed by the second wireless device 103, it communicates with IP address 1, IP address 2 and IP address 3.
This means that the services are identical, when it comes to which IP addresses they are communicating with.
Example 2:
• Service 1, when consumed by the first wireless device 102, communicates with IP address 1, IP address 2 and IP address 3.
• Service 1, when consumed by the second wireless device 103, communicates with IP address 1, IP address 2 and IP address 4.
This means that the services are not identical, when it comes to which IP addresses they are communicating with. However, further analysis performed by the identification server 202 may show that IP address 4 is used by other (second) wireless devices, when consuming service 1. In this case, service 1, when consumed by the first wireless device 102 could still become validated.
The above examples are non-limiting and further implementations are possible and within the scope of the invention as has been indicated above. Typically, the more parameters indicative of the specific service at the first wireless device 102 that match the collective behavior of the specific service performed at the plurality of second wireless devices 103, the higher the validity of the identity for the specific service.
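The comparison, validity level and threshold of steps S2 to S4, covering both the partial IP-address overlap of Example 2 and the combination of parameters described in the summary, as an added example that is not code from the patent or from Mni Group AB. The weights, the threshold of 0.6, the minimum of three supporting devices, the field names and the observations fed into the baseline are all assumptions chosen for illustration; the page gives no numbers. The example also implements the statement above that the number of devices using the same service raises the overall level of validity: a pattern backed by a single device (the tampered-terminal case raised against WO2012178273) cannot on its own validate a second device.

```python
"""Crowd-correlated validation of a claimed service identity (steps S2-S4).

Added example, not code from the patent or from Mni Group AB. Parameter names,
weights, the minimum number of supporting devices, the threshold and the
constructed observations are assumptions for illustration.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed weights (the page only says more matching parameters mean higher validity).
WEIGHTS = {"ips": 0.4, "ports": 0.2, "certs": 0.3, "process_ids": 0.1}
THRESHOLD = 0.6     # assumed predetermined validity threshold
MIN_DEVICES = 3     # assumed: fewer supporting devices scale validity down

Indication = dict[str, set[str]]


@dataclass
class Baseline:
    """Indicative information aggregated from the 'second' wireless devices
    validated for one service: per parameter, value -> number of devices."""
    devices: int = 0
    counts: dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))

    def add(self, indication: Indication) -> None:
        self.devices += 1
        for param, values in indication.items():
            self.counts[param].update(values)

    def support(self, param: str, value: str) -> float:
        """Fraction of baseline devices that reported `value` for `param`."""
        return self.counts[param][value] / self.devices if self.devices else 0.0


def validity_level(indication: Indication, baseline: Baseline) -> float:
    """Weighted match of one device's indication against the collective baseline.

    Each reported value contributes the fraction of baseline devices that also
    reported it, so a partial IP overlap (Example 2) lowers the score
    proportionally instead of failing the match. A parameter the device did
    not report scores 0 for its weight, so reporting less never helps. The
    result is scaled down while few devices back the baseline.
    """
    score = 0.0
    for param, weight in WEIGHTS.items():
        values = indication.get(param)
        if values:
            score += weight * sum(baseline.support(param, v) for v in values) / len(values)
    confidence = min(1.0, baseline.devices / MIN_DEVICES)
    return score / sum(WEIGHTS.values()) * confidence


def identify(claimed: str, indication: Indication,
             baselines: dict[str, Baseline]) -> tuple[str | None, float]:
    """Compare (S2), determine the level of validity (S3) and assign the
    identity (S4) only above THRESHOLD. A validated indication is aggregated
    into the baseline, so the collective pattern follows e.g. new IP addresses."""
    baseline = baselines.setdefault(claimed, Baseline())
    level = validity_level(indication, baseline)
    if level > THRESHOLD:
        baseline.add(indication)
        return claimed, level
    return None, level


def build_example_baselines() -> dict[str, Baseline]:
    """Constructed observations standing in for previously collected data from
    second wireless devices (addresses from the RFC 5737 documentation ranges)."""
    ip1, ip2, ip3, ip4 = "198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"
    common = {"ports": {"443"}, "certs": {"sha256:aa11"},
              "process_ids": {"com.example.service1"}}
    service1 = [
        {"ips": {ip1, ip2, ip3}, **common},   # two devices see IP 1, 2, 3
        {"ips": {ip1, ip2, ip3}, **common},
        {"ips": {ip1, ip2, ip4}, **common},   # two devices see IP 1, 2, 4
        {"ips": {ip1, ip2, ip4}, **common},
    ]
    service2 = [  # only a single device has ever been validated for this service
        {"ips": {"192.0.2.20"}, "ports": {"443"}, "certs": {"sha256:bb22"},
         "process_ids": {"com.example.service2"}},
    ]
    baselines: dict[str, Baseline] = {}
    for name, observations in (("service1", service1), ("service2", service2)):
        baselines[name] = Baseline()
        for obs in observations:
            baselines[name].add(obs)
    return baselines


if __name__ == "__main__":
    baselines = build_example_baselines()
    # Example 2: the first device uses IP 1, 2, 3 while half the baseline uses IP 4.
    print(identify("service1", {"ips": {"198.51.100.10", "198.51.100.11", "198.51.100.12"},
                                "ports": {"443"}, "certs": {"sha256:aa11"},
                                "process_ids": {"com.example.service1"}}, baselines))
    # A device claiming service1 whose network pattern matches nothing but the name.
    print(identify("service1", {"ips": {"203.0.113.9"}, "ports": {"8080"},
                                "certs": {"sha256:ff00"},
                                "process_ids": {"com.example.service1"}}, baselines))
```

Only validated indications are aggregated into the baseline, as the summary describes; how a baseline is first seeded for a service nobody has yet been validated for is not specified by the page, and here it is simply pre-populated from constructed observations.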
The control functionality of the present disclosure may be implemented using existing computer processors, or by a special purpose computer processor for an appropriate system, incorporated for this or another purpose, or by a hardwired system. Embodiments within the scope of the present disclosure include program products comprising machine-readable media for carrying or having machine-executable instructions or data structures stored thereon. Such machine-readable media can be any available media that can be accessed by a general purpose or special purpose computer or other machine with a processor. By way of example, such machine-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code in the form of machine-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer or other machine with a processor. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired and wireless) to a machine, the machine properly views the connection as a machine-readable medium. Thus, any such connection is properly termed a machine-readable medium.
Combinations of the above are also included within the scope of machine-readable media. Machine-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.
Although the figures may show a sequence, the order of the steps may differ from what is depicted. Also, two or more steps may be performed concurrently or with partial concurrence. Such variation will depend on the software and hardware systems chosen and on designer choice. All such variations are within the scope of the disclosure. Likewise, software implementations could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various connection steps, processing steps, comparison steps and decision steps. Additionally, even though the invention has been described with reference to specific exemplifying embodiments thereof, many different alterations, modifications and the like will become apparent to those skilled in the art.
In addition, variations to the disclosed embodiments can be understood and effected by the skilled addressee in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. Furthermore, in the claims, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" or "an" does not exclude a plurality.

Claims

1. A method, at least partly performed by one or more nodes of a wireless communication network serving a first wireless device, of determining the identity of a service performed by the first wireless device, the service requiring internet or network access, comprising:
- receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity;
- comparing the indication of the service identity from the first wireless device with information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service;
- determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and
- assigning an identity for the service if the level of validity is above a predetermined threshold.
2. The method according to claim 1, wherein the step of determining the level of validity includes pattern matching of indicative information associated with the service performed by the first wireless device and corresponding indicative information associated with the service performed by the second wireless device.
3. The method according to any one of claims 1 and 2, wherein the step of determining the level of validity further comprises comparing at least one IP address associated with the payload data generated by the service when performed by the first wireless device with an IP address associated with a service performed by the second wireless device.
4. The method according to any one of the preceding claims, wherein the step of determining the level of validity further comprises comparing at least one of source and destination TCP/UDP ports associated with the payload data generated by the service when performed by the first wireless device with corresponding information associated with a service performed by the second wireless device.
5. The method according to any one of the preceding claims, wherein the step of determining the level of validity further comprises comparing at least a certificate associated with the service performed by the first wireless device and a corresponding certificate associated with the service performed by the second wireless device.
6. The method according to any one of the preceding claims, wherein the service comprises a process executed by a control unit of the first wireless device, and the indication of the service identity is based on service identity information relating to said process provided by the control unit of the first wireless device, and the step of determining the level of validity further comprises comparing process information associated with the payload data generated by the service when performed by the first wireless device with corresponding information associated with the service performed by the second wireless device.
7. The method according to any one of the preceding claims, wherein the step of determining the level of validity is performed separated from said one or more nodes of the wireless communication network.
8. The method according to any one of the preceding claims, wherein the first wireless device is adapted to analyze the payload data generated by the service for determining the indication of the service identity.
9. The method according to any one of the preceding claims, wherein the service performed by at least one of the first and the second wireless device is an App.
10. The method according to any one of the preceding claims, wherein at least one of the first and the second wireless device is a mobile phone.
11. A network system, comprising:
- a memory configured to store instructions, the instructions configured for determining the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, and
- a processor configured to execute the instructions by:
- receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity;
- comparing the indication of the service identity from the first wireless device with information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service;
- determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and
- assigning an identity for the service if the level of validity is above a predetermined threshold.
12. Computer program product comprising a non-transitory computer readable medium having stored thereon computer program means for a processor comprised with a network system, the network system arranged to determine the identity of a service performed by a first wireless device comprised with the network system, the service requiring internet or network access, wherein the computer program product comprises:
- code for receiving, from the first wireless device, payload data generated by the service when performed by the first wireless device, wherein the payload data is appended with information providing an indication of a service identity;
- code for comparing the indication of the service identity from the first wireless device with corresponding information received from a second wireless device comprised within the wireless communication network, the second wireless device performing a corresponding service;
- code for determining, based on the comparison, a level of validity for the service identity for the service performed by the first wireless device, and
- code for assigning an identity for the service if the level of validity is above a predetermined threshold.
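The claims describe a procedure in which the service identity appended by the device is treated as an untrusted indication and is only assigned once a second device's indicative information (IP addresses, ports, certificate, process) corroborates it above a threshold. The following is an added illustration of that validity scoring, not code from the patent; the record layout, weights, threshold and sample reports are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical record for one wireless device's service: the identity the device
# appended to its payload (claim 1, untrusted) plus the indicative information
# the network observed (claims 3-6). Field names are assumptions, not the patent's.
@dataclass(frozen=True)
class ServiceReport:
    claimed_identity: str    # indication appended by the device
    dst_ips: frozenset       # destination IP addresses in the payload data
    dst_ports: frozenset     # destination TCP/UDP ports
    cert_fingerprint: str    # certificate fingerprint, "" if no certificate seen
    process_name: str        # process reported by the device's control unit

# Constructed weights for the compared indicators; they sum to 1.0.
WEIGHTS = {"ip": 0.25, "port": 0.2, "cert": 0.35, "process": 0.2}

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets give 0 (no evidence)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def level_of_validity(first, second):
    """Pattern-match the first device's indicative information against a
    second device performing the same claimed service (claims 1-6)."""
    if first.claimed_identity != second.claimed_identity:
        return 0.0  # different claims: the second device corroborates nothing
    same_cert = first.cert_fingerprint != "" and \
        first.cert_fingerprint == second.cert_fingerprint
    score = WEIGHTS["ip"] * jaccard(first.dst_ips, second.dst_ips)
    score += WEIGHTS["port"] * jaccard(first.dst_ports, second.dst_ports)
    score += WEIGHTS["cert"] * same_cert
    score += WEIGHTS["process"] * (first.process_name == second.process_name)
    return round(score, 3)

def assign_identity(first, references, threshold=0.7):
    """Assign the claimed identity only when at least one second device
    corroborates it above the threshold; otherwise leave it unassigned."""
    best = max((level_of_validity(first, r) for r in references), default=0.0)
    return first.claimed_identity if best > threshold else None

# Constructed sample reports (documentation IP ranges, made-up fingerprints).
REFERENCE = ServiceReport("VideoStream", frozenset({"203.0.113.10", "203.0.113.11"}),
                          frozenset({443}), "sha256:ref-cert", "com.example.videostream")
HONEST = ServiceReport("VideoStream", frozenset({"203.0.113.10"}), frozenset({443}),
                       "sha256:ref-cert", "com.example.videostream")
# Appends the VideoStream label, but its traffic matches a different service.
MISLABELLED = ServiceReport("VideoStream", frozenset({"198.51.100.7"}), frozenset({443}),
                            "", "com.example.p2pshare")

if __name__ == "__main__":
    print(assign_identity(HONEST, [REFERENCE]), assign_identity(MISLABELLED, [REFERENCE]))
```

The mislabelled report only matches on the port, so its self-declared identity stays unassigned and cannot be used to obtain a more favourable charging class.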
PCT/SE2016/051038 2015-10-30 2016-10-26 Method and network system for service identification WO2017074248A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE1551404A SE539143C2 (en) 2015-10-30 2015-10-30 Method and network system for service identification
SE1551404-5 2015-10-30

Publications (1)

Publication Number Publication Date
WO2017074248A1 true WO2017074248A1 (en) 2017-05-04

Family

ID=58503790

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2016/051038 WO2017074248A1 (en) 2015-10-30 2016-10-26 Method and network system for service identification

Country Status (2)

Country Link
SE (1) SE539143C2 (en)
WO (1) WO2017074248A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1798914A1 (en) * 2005-12-13 2007-06-20 Alcatel Lucent Congestion control
WO2011012165A1 (en) * 2009-07-30 2011-02-03 Telefonaktiebolaget Lm Ericsson (Publ) Packet classification method and apparatus
WO2013178273A1 (en) * 2012-05-31 2013-12-05 Telefonaktiebolaget L M Ericsson (Publ) Method, user terminal, and policy and charging network entity for classifying packets
WO2015012863A1 (en) * 2013-07-26 2015-01-29 Hewlett Packard Development Company, L.P. Network configuration using service identifier

Also Published As

Publication number Publication date
SE1551404A1 (en) 2017-04-18
SE539143C2 (en) 2017-04-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16860385; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
WPC Withdrawal of priority claims after completion of the technical preparations for international publication (Ref document number: 1551404-5; Country of ref document: SE; Date of ref document: 20180417; Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED)
122 Ep: pct application non-entry in european phase (Ref document number: 16860385; Country of ref document: EP; Kind code of ref document: A1)