The present invention relates to a solution for handling charging and statistics of use of applications in a wireless communication network and in particular to identifying the type of service provided in a secure manner.
Mobile communications solutions are increasingly becoming packet based and converge towards Internet based applications, and users roam across packet based networks. There is also an increasing supply of and demand for different types of applications used in these types of networks, and there is an interest in making these applications available also to mobile communication platforms such as smart phones, Internet enabled phones, laptops and other mobile computing equipment. However, operators need to control the data traffic in order to provide good Quality of Service (QoS) and to balance this with the costs of maintaining and building communication infrastructure. Operators have an interest in providing differentiated charging depending on the applications used or the type of communication traffic; for instance to differentiate between web surfing using HTML based information, email traffic, Voice over Internet Protocol (VoIP), gaming, and other applications/protocols.
Current charging solutions, for instance in gateway support nodes, e.g. GGSN, are based on configuration of the packet identification pointing out different charging identifiers. Charging identifiers are, apart from the mobile device identifiers, typically Service Identifier (SI) and Rating Group (RG). These charging identifiers are 32 bits in length, even though some solutions only support 4096 simultaneous identifiers for the SI.
Manual configuration of rules for applications complicates the introduction of new third party services, since a service level agreement (SLA) needs to be negotiated between the operator and the application provider and new configuration needs to be added to the nodes. To enable fast roll-out of services an automated solution for this is desired.
It is therefore an object of the present invention to provide solutions that address these problems.
The idea of the invention is to, in a secure way, dynamically identify services based on identification of given identities in the packets in a flow.
This may for instance be done based on proprietary additions in the HTTP headers, SMTP headers, IMAP headers or by identification of an application identifier in a URL. This may for instance be done by the introduction of an application identifier parameter which takes any suitable value.
The identifier filtered out from the HTTP headers or URL may then be combined with other identifier(s) given by the matching filtering (packet inspection) rule, and from these a unique identifier may be constructed within some use database, such as a statistics log, charging log, or charging records. This may be done without changing the standardized charging format, or as vendor specific additions.
The solution according to the present invention uses the information for statistical purposes, e.g. to be able to do some kind of revenue sharing, but also adds security to the dynamic identification of the services.
Security is obtained by using cryptographic algorithms (authentication) to verify that the application identifier and other parameters are accurate (e.g. defined as a combination of URL and server IP address together with the application identifier). The authentication code may for instance be calculated in an application registration server; this authentication code then needs to be passed along in the payload traffic (e.g. as another HTTP header field) from the client device, e.g. a user equipment (UE), so that it may be verified by the GGSN/PDN-GW/SASN node that performs the charging counting.
This is provided in a number of aspects, of which a first is a method for handling applications used in a wireless communications network. The method is executed mainly in a gateway node in the wireless communications network and comprises the steps of providing access for a user equipment, i.e. UE, to an application server, i.e. APS; providing download of an authenticated application, e.g. from the APS, to the UE, wherein the application is authenticated using an authentication service; providing communication between a service on a packet data network and the UE using the application; identifying and authenticating the application used in the service using packet inspection of communication packets and determining an application identifier and authentication data located in the packets; determining application statistics relating to the identified application; and storing the application statistics in a database.
The method may for instance further comprise a step of checking authentication of the application using a cryptographic algorithm; for instance by using at least one of an Internet Protocol, i.e. IP, address, application identifier, and port number in the cryptographic algorithm, or by using a uniform resource locator, i.e. URL, in the cryptographic algorithm.
The method may further comprise a step of registering an application in an application registry and/or may further comprise a step of comparing the determined application identifier and stored application identifiers in an application registry related to the authentication service.
The method may further comprise a step of charging a client related to the UE for traffic related to the stored application statistics and may further comprise a step of storing charging data in a charging data record, i.e. CDR.
The gateway node may be one of gateway GPRS support node, i.e. GGSN, Packet Data Network Gateway, i.e. PDN-GW, or service aware support node, i.e. SASN.
The application identifier may be embedded in a protocol header and the protocol may be at least one of:
In another aspect of the present invention, a node in a communications network (100) is provided. The node comprises at least one processor, at least one computer readable memory unit, and at least one communications interface. The processor may be arranged to execute computer program instruction sets stored in the computer readable memory unit and to use the communications interface for providing access for a user equipment, i.e. UE, to an application server (104), i.e. APS, allowing download of an authenticated application from the APS to the UE, providing communication between a service on a packet data network and the UE using the application, identifying the application used in the service using packet inspection of communication packets and determining an application identifier located in the packets, determining application statistics relating to the identified application, and storing the application statistics in a database.
Furthermore, the present invention may be provided as a system for handling applications used in a wireless communications network. The system may comprise a node as exemplified above and a database located separately from the node.
With the solution according to the present invention several advantages may be identified; for instance it is possible to provide statistical information about usage in a packet based network, to provide user data to applications, and also to provide secure information which may be used in charging applications in relation to the usage. The solution may be implemented easily in existing products with small amendments and may be distributed as software amendments, which provides a cost efficient solution.
In the following the invention will be described in a non-limiting way and in more detail with reference to exemplary embodiments illustrated in the enclosed drawings, in which:
In
The present invention handles dynamic application identifiers from the payload to create charging records. The solution according to the present invention uses dynamic identifier information to dynamically create fully 3GPP standard compliant charging records by providing a secure mechanism to identify services without specifically needing to configure each of them for packet inspection in the core nodes.
The definition of an application identifier may in principle be done in many ways, e.g. the application identifier is defined as a subset of a 3GPP service identifier (SI, 32-bit) that is reserved for this purpose. This application identifier may then be encoded for instance as a string or numeric value for an application protocol header such as for instance an HTTP header field, e.g. named “Application-ID”.
Another way to define application identifiers may be to add the application identifier to an HTTP POST message such that it is visible in the URL, as for example “?appl-id=1234”.
Protocols that are especially suitable for carrying the application identifiers are protocols that have defined ways to be extended; however, other protocols may be used as well, and below is a list of some common protocols used in relation to Internet communication for which the present solution may be utilized:
It should be noted that the present invention is not limited to the above mentioned protocols. Furthermore, if an application is used in relation to several protocols, all protocols used will have the application identifier embedded in order to identify the application and be able to keep track of application usage for later billing and/or statistical purposes.
If the application identifier cannot be, or is not chosen to be, directly mapped to a field in a charging data record (CDR) (for instance the SI, which is the best fitting parameter according to current charging specifications), mapping tables may be needed, the application identifier as such may be defined as an extension in the CDR, or the application identifier may be used together with other parameters as input to any packet inspection handling.
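The extraction and mapping described above (the “Application-ID” HTTP header field, the “?appl-id=1234” URL parameter, the combination with the identifiers of the matching inspection rule, and the encoding of the application identifier into a reserved subset of the 32-bit SI) as an added example in Python; this is not code from the patent. The reserved SI prefix, the rule layout and the sample request are constructed assumptions.

```python
"""Extract a dynamic application identifier from an HTTP request and map it
into charging record fields (added example; layout and constants are assumed)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption (not from the patent): the top 8 bits of the 32-bit SI are a fixed
# prefix reserved for dynamically identified applications; the low 24 bits carry
# the application identifier itself.
DYNAMIC_SI_PREFIX = 0x7F000000
APP_ID_MASK = 0x00FFFFFF


@dataclass(frozen=True)
class InspectionRule:
    """A packet-inspection (filtering) rule and the charging identifier it points out."""
    name: str
    rating_group: int  # RG configured for the rule


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request into method, request target and lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_app_id(target: str, headers: Dict[str, str]) -> Optional[int]:
    """Return the application identifier from the Application-ID header, falling
    back to the ?appl-id= query parameter of the URL; None if absent or unusable."""
    value = headers.get("application-id")
    if value is None:
        value = parse_qs(urlsplit(target).query).get("appl-id", [None])[0]
    if value is None:
        return None
    try:
        app_id = int(value)
    except ValueError:
        return None
    if not 0 <= app_id <= APP_ID_MASK:
        return None  # does not fit the reserved subset of the SI
    return app_id


def to_service_identifier(app_id: int) -> int:
    """Encode the application identifier into the reserved SI range."""
    return DYNAMIC_SI_PREFIX | app_id


def charging_key(rule: InspectionRule, target: str, headers: Dict[str, str]) -> Optional[Tuple[int, int]]:
    """Combine the rule's RG with the dynamically derived SI into one record key."""
    app_id = extract_app_id(target, headers)
    if app_id is None:
        return None
    return (rule.rating_group, to_service_identifier(app_id))


def account_packet(stats: Dict[Tuple[int, int], int], rule: InspectionRule, raw: bytes) -> Dict[Tuple[int, int], int]:
    """Add the packet's byte count to the statistics entry for its (RG, SI) key."""
    _method, target, headers = parse_http_request(raw)
    key = charging_key(rule, target, headers)
    if key is not None:
        stats[key] = stats.get(key, 0) + len(raw)
    return stats


# Constructed sample: an inspection rule for HTTP traffic and one request that
# carries the identifier in the Application-ID header field.
HTTP_RULE = InspectionRule(name="http-default", rating_group=10)
SAMPLE_REQUEST = (
    b"GET /game/start HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Application-ID: 1234\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(account_packet({}, HTTP_RULE, SAMPLE_REQUEST))
```

The lookup order gives the header precedence over the URL parameter, so a request carrying both is accounted once, under the header value; an identifier outside the reserved range is treated as absent rather than being truncated into another application's SI.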
To verify the security for charging, the identification data of the application is preferably authenticated. This data comprises at least the application identifier and the IP address of the application server; the latter since it is the only known identity used in the network for identification of the service, possibly in conjunction with a port. One complication here is that applications may be hosted in a server farm or load-balanced with DNS over several servers, so that several IP addresses may be possible. One way around that problem is that the application provider uses an iterative solution for registering and/or authenticating a plurality of IP addresses in the application registration, e.g. registers/authenticates the IP address of each server providing access to the application service one at a time. On the other hand, service redundancy may require IP networks to be registered instead. These kinds of properties may also be defined together with the authentication code, to define the way it should be calculated when authenticating the application. The application is authenticated by registration at an authentication service (AUS) 109, and authentication/identification data are stored in a database 105 accessible by a gateway. This database may also be used for storing usage and/or user information accessible by application providers.
If an operator controlled HTTP proxy is used, the IP address need not be authenticated; instead only the URL needs to be authenticated.
Several different authentication mechanisms may be supported. If the registration portal or server is under the control of the same organization as the gateway, algorithms with pre-shared keys may be supported, i.e. both sides have the same key for encrypting and/or authenticating the application or application session. Otherwise, it is possible to use solutions with public-key algorithms such as asymmetric algorithms based on RSA, ElGamal, or the Digital Signature Algorithm (DSA), as used for instance in PGP (Pretty Good Privacy), GPG, and Internet Key Exchange.
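The registration-and-verification exchange described in the method steps and in the three authentication paragraphs above (an authentication code computed by the application registration server over the application identifier and the server address, per-IP registration for load-balanced servers, registration of a whole IP network for redundancy, the URL-only case behind an operator proxy, and the pre-shared-key mechanism where registry and gateway belong to the same organization) as an added example in Python; this is not code from the patent. The header name `Application-Auth`, the canonical byte string that is authenticated, the registry layout, the key and the sample flows are constructed assumptions.

```python
"""Authentication code for a dynamically identified application, issued by the
registration server and checked by the gateway (added example; names and
layout are assumptions, not the patent's)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a key pre-shared between the authentication service (AUS) and the
# gateway. In the public-key variant the registration server would sign the
# same canonical string and the gateway would verify with the public key.
SHARED_KEY = b"constructed-operator-registry-key"

APP_ID_HEADER = "application-id"   # header field named in the description
AUTH_HEADER = "application-auth"   # assumed header field carrying the code


@dataclass(frozen=True)
class Registration:
    app_id: int
    mode: str            # "ip": one server address; "network": an IP prefix; "url": proxy case
    scope: str           # the IP address, the CIDR network, or the URL the code covers
    port: Optional[int]  # None in "url" mode


def canonical(reg: Registration) -> bytes:
    """Bytes the code is computed over. The mode is included so that a code
    issued for one calculation method cannot be presented as another."""
    port = "" if reg.port is None else str(reg.port)
    return "\n".join([reg.mode, str(reg.app_id), reg.scope, port]).encode()


def issue_code(key: bytes, reg: Registration) -> str:
    """Registration server side: HMAC-SHA256 authentication code for one registration."""
    return hmac.new(key, canonical(reg), hashlib.sha256).hexdigest()


class Registry:
    """Database of registrations accessible by the gateway (assumed layout)."""

    def __init__(self) -> None:
        self._by_app: Dict[int, List[Registration]] = {}

    def register(self, reg: Registration) -> None:
        self._by_app.setdefault(reg.app_id, []).append(reg)

    def registrations(self, app_id: int) -> List[Registration]:
        return self._by_app.get(app_id, [])


def register_servers(registry: Registry, key: bytes, app_id: int,
                     addresses: List[str], port: int) -> Dict[str, str]:
    """Iterative registration: one code per server IP of a load-balanced service."""
    codes = {}
    for addr in addresses:
        reg = Registration(app_id, "ip", addr, port)
        registry.register(reg)
        codes[addr] = issue_code(key, reg)
    return codes


def matching_registration(registry: Registry, app_id: int, dst_ip: str,
                          dst_port: int, url: Optional[str]) -> Optional[Registration]:
    """Find the registration whose scope covers the flow's server endpoint (or URL)."""
    dst = ipaddress.ip_address(dst_ip)
    for reg in registry.registrations(app_id):
        if reg.mode == "ip" and dst == ipaddress.ip_address(reg.scope) and reg.port == dst_port:
            return reg
        if reg.mode == "network" and dst in ipaddress.ip_network(reg.scope) and reg.port == dst_port:
            return reg
        if reg.mode == "url" and url is not None and reg.scope == url:
            return reg
    return None


def verify_flow(registry: Registry, key: bytes, headers: Dict[str, str],
                dst_ip: str, dst_port: int, url: Optional[str] = None) -> Optional[int]:
    """Gateway side: return the authenticated application identifier, or None when
    the id is missing, the server is not registered for it, or the code is wrong."""
    try:
        app_id = int(headers.get(APP_ID_HEADER, ""))
    except ValueError:
        return None
    presented = headers.get(AUTH_HEADER)
    reg = matching_registration(registry, app_id, dst_ip, dst_port, url)
    if reg is None or presented is None:
        return None
    expected = issue_code(key, reg)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return app_id
```

The gateway recomputes the code from the registry entry that matches the flow's destination, so a code issued for one server is rejected on a flow to another server of the same application unless that server was registered as part of a network prefix; the check establishes that the (application identifier, server) pair was registered with the AUS, nothing about the client presenting it.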
With reference to
It should be noted that the application identifier information may be inserted by a separate application add-on or plug-in program.
The solution according to the present invention involves a core network node 400, e.g. the GW, as illustrated in
It should be noted that by computer program is meant any type of instruction set that may be executed by a processor. It may be a software instruction set or a hardware instruction set depending on the type of processing device, e.g. microprocessor, central processing unit (CPU), digital signal processor (DSP), field programmable gate array (FPGA), application specific integrated circuit (ASIC), or similar device.
By computer readable storage medium is meant any type of storage medium accessible by a processing unit; the storage medium may be of volatile and/or non-volatile type.
It should be noted that the word “comprising” does not exclude the presence of other elements or steps than those listed and the words “a” or “an” preceding an element do not exclude the presence of a plurality of such elements. It should further be noted that any reference signs do not limit the scope of the claims, that the invention may be at least in part implemented by means of both hardware and software, and that several “means” or “units” may be represented by the same item of hardware.
The above mentioned and described embodiments are only given as examples and should not be taken as limiting the present invention. Other solutions, uses, objectives, and functions within the scope of the invention as claimed in the patent claims described below should be apparent to the person skilled in the art.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2009/067279 | 12/16/2009 | WO | 00 | 6/18/2012 |