(12) United States Patent
`US 8,122,128 B2
`(10) Patent N0.:
`
`(45) Date of Patent: Feb. 21, 2012
`Burke, 11 et a].
`
`U8008122128B2
`
`SYSTEM FOR REGULATING ACCESS TO
`AND DISTRIBUTING CONTENT IN A
`NETWORK
`
`lnventors: Robert M. Burke, 11, Los Gatos, CA
`(US); David Z. Carman, San Jose, CA
`(US)
`
`5/2002 Hudson et a1.
`2002/0059440 A1
`8/2002 Saxena .............................. 707/1
`2002/0103778 A1*
`8/2002 Hans et al.
`200M0120577 A1
`10/2002 Klinker et al.
`2002/0145981 A1
`11/2002 Tarnoff
`2002/0169865 A1
`10/2003 Hudson et a1.
`2003/0204602 A1
`12/2003 Takeuchi et al.
`2003/0233281 A1
`2/2005 Harvey et a1.
`................. 713/201
`2005/0033990 A1 "‘
`OTHER PUBLICATIONS
`
`Notice:
`
`Subject to any disclaimer, the term 01' this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 1727 days.
`
`International Search Report dated Jan. 3 l, 2006.
`
`’l‘ cited by examiner
`
`(54
`
`(76
`
`(21,
`
`(22
`
`(65
`
`(51
`
`(52
`(58
`
`(56
`
`
`
`Appl. N0.: 10/989,023
`
`Filed:
`
`Nov. 16, 2004
`
`Prior Publication Data
`
`US 2005/0125528 A1
`
`Jun. 9, 2005
`
`Int. Cl.
`(2006.01)
`G06F 15/1 73
`U.S. Cl.
`....................................................... 709/225
`Field of Classification Search ................... 709/225
`Sec application file for complete search history.
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`Primary Examiner 7 Jeffrey Pwu
`Assislam Examiner 7 Shripal Khajuria
`(74) Attorney, Agent, or FirmiSchwabe, Williamson &
`Wyatt, RC.
`
`<._..
`
`ABSTRACT
`(57)
`"here is provided a system for regulating access and manag—
`ng distribution of content in a network, such as the lntcmet,
`he system includes communication gateways, installed at a
`subscriber site, intemet control points, installed remotely, and
`various network elements installed throughout the network.
`"he communication gateways and network elements operate
`in conjunction with the intemet control points to restrict or
`allow access to specified Internet sites and to manage efficient
`distribution of content such as music, Video, games, broad—
`band data, real-time audio and voice applications, and soft-
`ware to subscribers.
`
`6,516,416 B2
`6,694,429 B1
`2001/0051996 A1
`
`/2003 Gregg et a1.
`2/2004 Kalmanek. Jr. et al.
`12/2001 Cooper eta].
`
`l
`\1\
`Internet/ Metro Area Network
`55
`54
`
`Non-SPA
`
`Network
`
`Elements
`/
`
`758"
`
`t
`1
`Communication
`Gateway
`A
`l
`V
`Subscriber
`Terminal
`
`581
`_
`
`9
`r
`Communication
`Gateway
`A
`
`
`
`
`
`
`
`Communication
`Gateway
`A
`’
`601
`6(02
`i
`
`i
`i
`i
`Subscriber
`Subscriber
`
`
`
`Terminal
`Terminal
`
`-
`
`-
`
`-
`
`.
`
`.
`
`.
`
`60,.
`2
`
`‘
`
`Unified Patents Ex. 1011, pg. 1
`
`57
`
`.
`.
`62 \P Internet Servrce Provrder
`Portal
`
`52 / i \
`fi///
`
`\\
`
`
`Non-SPA
`
`
`Content
`,
`5.
`Sewers /
`/
`
`56
`
`SPA Network
`Elements
`
`
`
`///
`
`
`
`50 Claims, 7 Drawing Sheets
`
`64 \fi
`
`
`
`Active
`Intervention
`System
`
`
`
`i
`
`\
`
`4
`
`Internet
`
`5°
`
`l}
`> Control Point
`
`A
`;
`v
`
`66 m
`
`Access Node
`
`
`
`
`Unified Patents Ex. 1011, pg. 1
`
`

`

`US. Patent
`
`Feb. 21, 2012
`
`Sheet 1 0f 7
`
`US 8,122,128 B2
`
`
`
`
`fll
`
`EEBE
`
`
`
`E_on__o._Eoo
`
`+1
`
`
`232$806.
`
`
`
`om
`
`Emuw>m
`
`
`
`o>=o<
`
`cozcozfls
`
`vw
`
`gum
`
` b
`
`¢
`
`me
`
`mm
`
`wm
`
`{0szm2<0:22:25:
`
`<n_w-coz
`
`x8252
`
`fiameE
`
`
`
`{0,202(mm
`
`mucoEofi
`
`
`
`
`
`525$022$559$
`
`atom
`
`5W4
`
`
`
`{\
`
`\\
`
`Nm
`
`Nm
`
`<n_m.-:oZ
`
`EmEoo
`
`whmamw
`
`
`
`
`
`(am
`
`22:00
`
`9028
`
`cozmoEzEEoo
`
`$2,060
`
`Entomnzm
`
`EEEEh
`
`..
`
`
`
`11H?11
`
`coo
`
`cosmoEzEEoo
`
`cosmoEsEEoo
`
`>m>>8m0
`
`$2650
`
`4
`
`Fom
`
`r9:9“.
`
`Eczemnzw
`
`EEEEH
`
`Entownzw
`
`_m:_E._w._.
`
`
`
`Unified Patents Ex. 1011, pg. 2
`
`Unified Patents Ex. 1011, pg. 2
`
`
`
`
`
`
`
`
`
`
`
`

`

`US. Patent
`
`Feb. 21, 2012
`
`Sheet 2 017
`
`US 8,122,128 132
`
`Communication Gateway 58
`
`To Internet 52
`
`//AL Network
`\
`Interface
`
`
`Instructions
`
`106
`
`Content 108
`Storage
`
`User Partition
`
`Network Partition
`
`
`
`
`
`Initial Operating
`
`Parameters
`
`Other records
`
`i..................................................................._
`
`Processor
`
`
`
`*->
`
`110
`
`_
`Housmg
`Disassembly
`
`Detector
`
`100
`
`,
`5
`
`
`
`User Interface
`
`A
`
`i
`
`To Subscriber
`Terminal 60
`
`Figure 2
`
`Unified Patents Ex. 1011, pg. 3
`
`Unified Patents Ex. 1011, pg. 3
`
`

`

`US. Patent
`
`Feb. 21, 2012
`
`Sheet 3 017
`
`US 8,122,128 B2
`
`Internet Control Point 50
`
`
`
`§ To Internet 52
`
`interfaces
`
` Network
`
`Instructions
`Other records
`
`Figure 3
`
`Unified Patents Ex. 1011, pg. 4
`
`Unified Patents Ex. 1011, pg. 4
`
`

`

`US. Patent
`
`Feb. 21, 2012
`
`Sheet 4 017
`
`US 8,122,128 132
`
`SPA Network EEement 54
`
`6
`
`To Internet 52
`
`
`
`Network
`
`\r\ 300
`
`Interfaces
`
`I
`
`\J\ 306
`
`Switches
`
`Instructions
`
`Other records
`
`\J\ 302
`
`Processors
`
`
`
`Figure 4
`
`Unified Patents Ex. 1011, pg. 5
`
`Unified Patents Ex. 1011, pg. 5
`
`

`

`US. Patent
`
`Feb. 21, 2012
`
`Sheet 5 017
`
`US 8,122,128 B2
`
`400
`
`Receive instructions from
`
`network
`
`402
`
`Receive network access
`
`request from a user
`
`
`
`404
`
`
`
`Selectively transmit
`network access request in
`accordance with received
`instructions
`
`
`network access request
`
`406
`
`Receive content data
`
`responsive to transmitted
`
`Figure 5
`
`Unified Patents Ex. 1011, pg. 6
`
`Unified Patents Ex. 1011, pg. 6
`
`

`

`US. Patent
`
`Feb. 21, 2012
`
`Sheet 6 0f 7
`
`US 8,122,128 B2
`
`500
`
`Receive instructions from
`
`network at subscribing
`
`network units
`
`instructions
`
`502
`
`Selectively inhibit access to
`content servers by a group
`of non-subscribing users in
`accordance with received
`
`
`
`Figure 6
`
`Unified Patents Ex. 1011, pg. 7
`
`Unified Patents Ex. 1011, pg. 7
`
`

`

`US. Patent
`
`Feb. 21, 2012
`
`Sheet 7 017
`
`US 8,122,128 B2
`
`
`
`
`
`
`Receive, at a first network unit,
`content distribution instructions
`
`
`
`
`from the network
`
`
`
`
`
`Store a first portion of content
`data from the network
`
`
`
`
`
`
`
`
`Initiate a request over the
`network, in accordance with the
`
`
`
`
`instructions and in response to
`a user request, for the
`remainder of the content data
`
`
`
`
`
`
`
`
`Receive the remainder of the
`content data from the network
`
`
`
`
`Assemble the first portion of
`content data with the remainder
`
`
`of the content data
`
`'!
`
`600
`
`602
`
`604
`
`606
`
`608
`
`Supply the assembled content
`data to the user
`
`
`610
`
`
`
`Selectively forward the first
`portion of content data to a
`second network unit in
`
`
`
` 612
`
`
`accordance with the instructions
`
`Figure 7
`
`Unified Patents Ex. 1011, pg. 8
`
`Unified Patents Ex. 1011, pg. 8
`
`

`

`US 8,122,128 B2
`
`1
`SYSTEM FOR REGULATIVG ACCESS TO
`AND DISTRIBUTING CONTENT IN A
`
`NETWORK
`
`TECHNICAL FIELD
`
`This invention is in general related to regulation of access
`to a network and, more particularly, to distributing content
`efficiently while protecting the digital rights associated with
`the content.
`
`BACKGROUND
`
`'lhe network commonly known as the Internet, or any
`similar private or managed network, provides a convenient
`medium for the delivery of electronic data or content such as
`music, video, games, broadband data, real-time audio and
`voice applications, and software to subscribers. To accom—
`plish these purposes, the Internet is composed of several
`components including, for example, content providers for
`generating content; service providers for delivering content;
`subscriber terminals for receiving, displaying and playing
`content; and various additional network elements between
`service providers and subscribers for aiding in the distribution
`of the content. Service providers include, for example, tele-
`flhone line carriers, enterprise data centers, and cable televi—
`sion providers. Subscriber terminals are located at subscriber
`firemises and include, for example, personal computers, telc-
`visions configured with modems, a combination of both, or
`any other combination of consumer electronics capable of
`oresenting electronic content to a subscriber.
`Interest in providing delivery ofcontent via the Internet has
`remained high throughout the growth of the Internet. Several
`3roblems have yet to be overcome, however, before the Inter-
`net is fully effective at delivering content efficiently and rap—
`idly, while also protecting the rights ofthe owners of content,
`hat is, the owners of intellectual property. Techniques for
`grotecting this intellectual property are often referred to as
`jigital Rights Management (DRM). Recent music industry
`awsuits over the distribution of pirated music are evidence of
`he difficulties not yet solved by current DRM techniques.
`Service providers and content providers need the assurance
`hat the intellectual property (music, video, games, software,
`etc.) will be secure from illegal downloading and transmis—
`sion over the Internet, a major source of lost revenues and the
`oasis for hundreds of lawsuits. Service providers want this
`feature to halt the legal onslaught launched by music compa-
`nies and to encourage the motion picture industry to license
`heir content for distribution over the otherwise unsecured
`
`20
`
`30
`
`Lu W
`
`40
`
` Internet. The motion picture industry is understandably reluc— s
`
`ant, having seen the negative impact that piracy has already
`iad on the Music Recording Industry. Content providers thus
`demand this feature to stop the illegal downloading and trans-
`mission of intellectual property over the Internet which has
`cost the music and movie industries billions of dollars annu-
`ally. Techniques that reduee the strain on a content provider’s
`resources and reduce the high volumes ofnetwork data traflic
`are also desirable in order to improve the speed and efliciency
`of accessing content in a network.
`Another difficult problem that remains to be solved is pro-
`viding a means for law enforcement agencies to execute war—
`rants to wire-tap Internet communications such as email and
`real—time audio and video communications.A solution to this
`problem is especially desirable considering the importance of
`thwarting terrorist attacks. The Patriot Act and other recently
`passed legislation indicate the desirability and importance of
`providing such capabilities to law enforcement bodies.
`
`u. m
`
`60
`
`65
`
`2
`It is therefore desirable to provide new access regulation
`and data traffic control techniques that can be made available
`to telephone line carriers, ISPs, enterprises, cable television
`companies, for their Internet access networks. In addition, it
`is desirable to provide a means for law enforcement bodies to
`combat the prevalent use ofInternet communications in plan-
`ning illegal operations, In particular, it is desirable to meet
`these needs using the service provider’ s existing distribution
`network.
`
`SUMMARY
`
`Consistent with the invention, there is provided a system
`for regulating access to a network. The system comprises a
`controller node coupled to the network, the controller node
`comprising a first processor for generating controller instruc-
`tions and a first network interface for transmitting the con-
`troller instructions over the network. The system also com—
`prises a plurality of gateway units,
`the gateway units
`comprising a user interface receiving user-entered network
`access requests, a second network interface coupled to the
`network and receiving the controller instructions from the
`network and a second processor, the second processor selec—
`tively transmitting at
`least some of the network access
`requests over the network in accordance with the controller
`instructions, and transfening content data responsive to the
`transmitted network access requests over the network via the
`second network interface.
`Consistent with another aspect of the present invention,
`there is also provided a system for regulating access to a
`network that is accessed by a plurality of users. The system
`comprises a controller node coupled to the network, the con-
`troller node comprising a first processor for generating con-
`troller instructions and a first network interface for transmit-
`ting the controller instructions over the network. The system
`also comprises a plurality of network units associated with a
`first group of users, the network units comprising a second
`network interface coupled to the network and receiving the
`controller instructions from the network and a second proces—
`sor, the second processor inhibiting access for a second group
`of users to content in the network in accordance with the
`controller instructions,
`Consistent with yet another aspect ofthe present invention,
`there is also provided a system for distributing content over a
`network. The system comprises a controller node coupled to
`the network, the controller node comprising a first processor
`for generating controller instructions and a first network inter-
`face for transmitting the controller instructions over the net—
`work. The system also cornprises a plurality ofnetwork units,
`the network units comprising a second network interface
`coupled to the network, the second network interface in at
`least a first one of the network units receiving the controller
`instructions from the network and receiving a portion of a
`content data file from at least a second one of the network
`units and a second processor, the second processor in the at
`least first one ofthe network units selectively forwarding the
`portion of the content data lile received from the at least
`second one of the network units to at least a third one of the
`network units in accordance with the controller instructions.
`It is to be understood that both the foregoing general
`description and the following detailed description are exern—
`plary and explanatory only and are not restrictive ofthe inven-
`tion, as claimed.
`The accompanying drawings, which are incorporated in
`and constitute a part of this specification, illustrate one (sev—
`
`Unified Patents Ex. 1011, pg. 9
`
`Unified Patents Ex. 1011, pg. 9
`
`

`

`US 8,122,128 B2
`
`3
`eral) embodiment(s) of the invention and together with the
`description, serve to explain the principles of the invention.
`
`BRIEF DESCRIPTION OF TI IE DRAWINGS
`
`FIG. 1 depicts the overall environment in which the present
`invention is implemented.
`FIG. 2 depicts a communication gateway consistent with
`the present invention.
`FIG. 3 depicts an internet control point consistent with the
`present invention.
`FIG. 4 depicts a network element consistent with the
`present invention.
`FIG. 5 is a flow chart of a method for selectively transmit—
`ting network access requests consistent with the present
`invention.
`FIG. 6 is a flow chart of a method for inhibiting access to
`content servers on a network consistent with the present
`invention.
`FIG. 7 is a flow chart ofa method for distributing content in
`a network consistent with the present invention.
`DETAILED DESCRIPTION
`
`20
`
`System Architecture
`
`,
`
`Consistent with principles ofthe present invention, there is
`provided a system including a Service Preference Architec-
`ture (SPA). 'lhe SPA is a collection of hardware components
`and software routines executed by the components. Compo-
`nents installed at a subscriber’s site may be referred to as
`gateway units, or more specifically, Communication Gate-
`ways (CGs). The subscribers may include residential and
`business subscribers. The CGs may include a data storage
`device such as a hard drive, and are operable between active
`and inactive states. CGs operate in conjunction with SPA-
`based Internet Service Providers (ISPs) under the control of
`“controller nodes,” hereinafter referred to as Internet Control
`Points (ICPs). The ICPs are installed in an ISP’s network.
`ICPs may be network-based routers or computers that control
`the operation of CGs.
`The software routines located in CGs and ICPs provide a
`suite of features for the system. ISPs, such as telecommuni-
`cation carriers, electronic data centers, and cable TV compa—
`nies, may be equipped to deliver the suite of features by using
`a network service based system.
`In general, the SPA uses ICPs to control subscriber access
`to web sites and to deliver data to subscribers. The ICPs
`control the processing of data sent between subscribers (e.g.,
`client PCs or LAN servers) and the ISPs or content servers .
`with which they are exchanging information, using the CGs.
`The ICPs cooperate with hardware and software of the CGs
`located at a subscriber’s premises to provide the specific
`features of the system.
`The CGs cannot be tampered with by subscribers. This is
`accomplished by two aspects of the CGs. First, CGs are
`specifically designed to permit no subscriber-initiated pro-
`gramming and no access to the CG hardware or software.
`Instead,
`the CGs are provided only with compiled code
`loaded from flash memory, a hard drive, or EEPROM.
`Updates to this code are obtained from ICPs and encrypted
`passwords are stored in hidden, tmdocumented locations to
`allow authentication of ICP presence prior to CG control
`program update. The passwords are changed frequently dur-
`ing an “idle process control” phase and tracked by an ICP.
`The second anti-tampering aspect is the provision of a
`housing forthe CGs and a detector consisting ofa one or more
`
`Lo U1
`
`40
`
`u. m
`
`60
`
`
`
`4
`“deadman” switches that are tripped upon opening the hous-
`ing or removing a CG’s hard drive. The circuit may be either
`passive or active.
`If the detector is passive, it signals an internal controller
`upon re—start that it has been tripped and causes an even
`notification sent to an ICP upon next power-up. Upon receip
`of the event notification, either the ICP initiates diagnostics
`and disables the CG if a software tamper has occurred, or the
`CG disables both its control software and its internal harc
`drive to prevent the hard drive from operating, until it is
`returned to the ISP for repair. Subscriber agreements may be
`used to supply a contract provision specifying that tampering
`voids the warranty and that the subscriber deeds a portion 0
`the CG to the ISP and agrees to return tampered products to
`the ISP.
`If the detector is active, the “deadman switch” is kep
`powered by, for example, battery or capacitor. The trip is 11sec
`to immediately disable the controller software in the proces—
`sor and the internal hard drive of the CG. Both may be rese
`only by the ICP, either automatically or by human interven—
`tion. These measures prevent subscribers from writing, corn-
`piling, executing. modifying, or otherwise tampering with the
`operating software of the CG. Second, the active mode pre-
`vents users from getting access to the content on the hard
`drive.
`In addition to these tamper—proof provisions, all ICP—CG
`communications take place within the ISP side ofthe network
`and ICP-CG communications are secured with encryption
`and hashing. Furthermore, all CGs must be registered with the
`ISP. An ICP will not enable any service to an tin-registered
`CG and an un—registered CG will not operate in an experi—
`mental environment at all. At the onset of power-up or tran-
`sition from an inactive to an active state, the CG signals the
`ICP and the ICP returns an “OK” message prior to proceeding
`further. This transaction requires an encrypted password
`exchange to authorize the CG to enter an “active” state where
`it can play back, download or be used for anything delivering
`services to users. These measures ensure secure control ofthe
`data flow between both the ICP and the CG. This secure flow
`of data then enables ISPs to effectively and efficiently control
`the services provided to subscribers.
`to the present
`Reference will now be made in detail
`embodiments (exemplary embodiments) of the invention,
`examples ol'which are illustrated in the accompanying draw—
`ings. Wherever possible, the same reference numbers will be
`used throughout the drawings to refer to the same or like parts.
`FIG. 1 illustrates an environment in which the invention
`may operate. A Service Preference Architecture (SPA) may
`include at least one Internet Control Point (“ICP”) 50 con-
`nected to a network 52. Network 52 may be, for example, the
`Internet. a metro area network, or a local area network, and
`may include a plurality of SPA—controlled network elements
`54 and non-SPA-controlled network elements 55. Network
`elements 54, 55 may include, for example, network switches
`and routers. SPA-controlled network elements 54 aid in regu-
`lating access and distributing content through network 52.
`Also connected to network 52 are content servers including
`at least one SPA-controlled content server 56 and a plurality
`ol'communication gateways (“CGs”) 58, including CGs 581,
`582, .
`.
`. 58". A subscriber terminal 601, 602, .
`.
`. 60,, may be
`connected to each respective CG 58, or in an alternative
`embodiment not shown, may be combined with each respec-
`tive CG 58 to form “converged” CGs 58.
`An SPA-controlled content server 56 may be, for example,
`a computing terminal used to deliver content services. A
`content service may include, for example, delivery of any
`media file (such as movies, music, pictures, and graphics),
`
`Unified Patents Ex. 1011, pg. 10
`
`Unified Patents Ex. 1011, pg. 10
`
`

`

`US 8,122,128 B2
`
`5
`software file (such as a complete application, operating
`parameters, data files, orpartial application/updates) or a real
`time application (such as interactive data processing, voice
`communications or visual communications to an enduser). In
`an alternative embodiment, the functions of SPA-controlled
`content server 56 and ICP 50 may be combined in a single
`component,
`ICP 50 is typically located remotely from subscriber ter—
`minals 60 and regulates both subscriber access to network 52
`and distribution of content in network 52. The content may
`originate from SPA-controlled content
`server 56,
`for
`example, or from other content servers 57in network 52. lCP
`50 works in conjunction with CGs 58 and SPA—controlled
`network elements 54 by generating instructions which are
`transmitted over network 52 to CGs 58 and SPA-controlled
`network elements 54, where the instructions are executed.
`ICP 50 may constitute the source of internet service control
`and conditional denial of subscriber access to lSP—selected
`URLs or IP addresses. lCP 50 may control CGs 58 to deter-
`mine what web site data is allowed to pass through to sub-
`scribers using, for example, web browser programs executing
`in subscriber terminals 60. ICP 50 may also control packet
`inspection processing in CGs 58 to determine which data can
`be allowed to flow through CGs 58 to and from subscriber
`terminals 60, specifically when e—mail or file transfers are
`initiated. ICP 50 also controls what activities are engaged in
`by idle CGs 58 when corresponding subscriber terminals 60
`are inactive. ldle CGs 58 may receive software downloads
`from lCP 50, collect data, and initiate communications activi-
`ties that are disruptive to certain non—SPA content servers 57
`that offer unauthorized copyrighted materials for illegal
`download by subscribers. Multiple lCPs 50 may be deployed
`geographically in an lSP’s network to support the CG man-
`agement capacity of ICP 50 and the number of subscribers in
`its service area.
`An lSP may provide an ISP portal 62 to facilitate sub—
`scriber access to network 52. ISP portal 62 may be, for
`example, an enterprise data center. Access node 66 is associ-
`ated with the TSP providing ISP portal 62. ICP 50 interacts
`with ISP portal 62, lSP associated access node 66, and SPA-
`controlled content server 56 to control subscribers’ ability to
`access services that are offered by ISP portal 62. ICP 50 also
`controls CGs 58 to deliver various services, including, for
`example, advertisements, the home page for ISP Portal 62 or
`SPA—controlled content server 56 web servers, or software
`downloads to subscriber terminals 60 for their use of ISP 62
`or SPA—controlled content server 56 services.
`ICP 50 also interacts with SPA-controlled network ele-
`ments 54 used by ISP portal 62 to deliver services. ICP 50
`controls subscribers’ ability to access services that are offered
`by the ISP portal 62 and controls the operation ofthe services
`themselves by controlling the flow of data through SPA-
`controlled network elements 54 used by ISP portal 62.
`ICP 50 may be programmed either by human input or by
`operator-controlled web crawler software. Updates to a data-
`base in ICP 50 may be provided by an active intervention
`system 64 whereby changes to ICP 50 database entries are
`discovered and implemented. The updates to ICP 50 database
`may be made in a manner analogous to the regular updating of
`virus definitions for computer virus and worm protection.
`The web crawlers, human intervention, and ICP 50 and CG
`58 database updates may be controlled by active intervention
`system 64. Active intervention system 64 may include, for
`example, a set of centrally maintained computer systems.
`Active intervention system 64 may control the operation of
`various geographically deployed lCPs 50.
`
`5
`
`20
`
`25
`
`,
`
`Lu U1
`
`40
`
`4u.
`
`50
`
`u. m
`
`60
`
`65
`
`6
`The process begins with active intervention system 64.
`Active intervention system 64 is used by human operators to
`discover new URLs or IP addresses to “pirate” sites to con—
`ditionally deny access to these URLs or IP addresses by CGs
`58, discover changes needed to implement Digital Rights
`Management (DRM) techniques, discover and record new
`packet characteristics, install wiretaps as ordered, process
`new copyright registry entries. change encryption techniques,
`and perform other management services. ICPs 50 then deliver
`active and real time executed network management, distrib-
`ute new database entries and software changes to CGs 58 and
`track operation of the SPA-controlled network elements 54.
`Although one ICP 50 is illustrated there maybe more. Thus,
`multiple 1CPs 50 may be networked together to enable them
`to manage large numbers of SPA-controlled network ele-
`ments 54 and provide redundant, highly reliable operation.
`Furthermore, lCPs 50 may all use identical databases to
`enable uninterrupted network management.
`As illustrated in FIG. 2, a CG 58 may include a user
`interface 100 that receives subscriber requests, entered by
`subscribers at an associated subscriber terminal 60, to access
`network 52. CG 58 may also include a network interface 102
`to exchange data with network 52 and to receive instructions
`from ICP 50; a memory device 104 including a database for
`storing ICP-generated instructions, initial operating param-
`eters, and other records; a processor 106 to implement the
`instructions; a content storage device 108 having a user par-
`tition and a network partition for storing content; and a hous-
`ing disassembly detector 110 to prevent
`tampering, as
`described above. Memory device 104 may be, for example, a
`bank 01' one or more semiconductor memories, a bank 01' one
`or more hard disk drives, a combination of semiconductor
`memories and hard disk drives or any other device that holds
`data. Processor 106 may be, for example, a general purpose
`processor (such as a Pentium 4 processor, an integrated cir—
`cuit, or collection of integrated circuits) that can execute
`program instructions and is designed to allow control of CG
`58 to be implemented in purely software and may also be used
`for non-CG related general purpose computing applications,
`or processor 106 may be a special purpose processor (inte-
`grated circuit or collection of integrated circuits) that can
`execute program instructions and is designed with only the
`power, bus, memory, logic and hardware accelerators needed
`to control CG 58. Content storage 108 may be, for example,
`a bank ofone or more semiconductor memories, a bank ofone
`or more hard disk drives, a combination of semiconductor
`memories and hard disk drives or any other device that holds
`data. CGs may be provided in various forms, such as, for
`example, a gateway module that combines TV, video, internet
`and voice access, a dial—up remote access server, an ADSL
`modern/router, a satellite TV gateway, a cable TV modem, a
`converged set top—plus—intemet gateway, a wireless modem,
`or other fixed or mobile computing, playback, recording,
`display or communications device including radio, TV, ste—
`reo, wireless phone, phone, DVD, VCR, WLAN access point,
`wireless broadband or narrowband modem, or similar device,
`As illustrated in FlG. 3, an lCP 50 may include one or more
`network interfaces 200, one or more processors 202, a
`memory device 204 including a database for storing records,
`and a non-intemet communications link for traffic between
`processors and shared storage and memory. The records pref—
`erably include instructions that may be updated by active
`intervention system 64 and distributed to CGs 58 and SPA—
`controlled network elements 54 for execution.
`As illustrated in FIG. 4, SPA—controlled network elements
`54 may include one or more network interfaces 300, one or
`more processors 302, a memory device 304 including a data—
`
`Unified Patents Ex. 1011, pg. 11
`
`Unified Patents Ex. 1011, pg. 11
`
`

`

`US 8,122,128 B2
`
`20
`
`7
`base, and one or more switch modules 306 for providing
`routing and switching services. Components 300, 302, and
`304 may operate in a similar fashion to the corresponding
`components ofthe CGs. SPA-controlled network element 54
`may be provided in various forms, such as, for example, a
`computer used to deliver data services or content services, a
`core router or ATM switch, a subscriber management system
`used to control access to the network, authenticate subscrib-
`ers or devices before allowing access into the network, a
`DSLAM, cable modem system, wireless modem system, or
`any other multiplexing or channel service delivery system, or
`a satellite that incorporates any of these elements.
`Service Initialization
`CGs 58 may be required to register with ICP 50 when they
`are powered up for the first time. CGs 58 will remain inactive
`until they receive a registration confirmation from SPA-con-
`trolled content server 56 or ICP 50. The registration process
`may include collection of information by ICP 50 for a war—
`ranty registration from the subscriber such as, for example,
`CG‘ s 58 hardware address and other identifying data. ICP 50
`will then send CG 58 the latest operating software, if neces-
`sary, and its initial operating parameters to load in memory
`104. Initial operating parameters may include, for example,
`the address of the CG’s 58 ICP 50 and other variables as
`described below. Subsequent re-registrations may be initiated
`by CG 58 under subscriber control for address or ISP
`changes.
`Active and Inactive CG Processing Control
`Upon power down or inactivity timeout of CG 58, CG 58
`may register itself as “idle” by sending an event notificationto ,
`ICP 50. The duration of an inactivity timeout may be preset
`and may be changed by input to ICP 50 for distribution to all
`CGs 58 under the control ol'ICP 50.
`Upon sub sequent re—activation, which may be initiated by
`eitherpower up or signals from subscriber terminal 60, CG 58
`identifies itself as “active” by sending an event notification to
`ICP 50, which responds with an acknowledgement. Failure of
`a CG 58 to receive an acknowledgement results in a series of
`re-trics until finally a timeout or maximum number ofre-tries
`occurs. \Vhen this occurs, a diagnostic program may be
`executed in CG 58 to advise the subscriber what to do next,
`based on the deduced source of the failure. Active CGs 58
`may process and control delivery of content and services from
`SPA—controlled content server 56 or ISP portal 62. Inactive
`CGs 58 may process and control either CG maintenance or
`may carry out activity delegated to inactive CGs by design.
`Conditional Denial
`FIG. 5 shows a method, consistent with the invention for
`regulating user access to a network. In step 400, a gateway
`unit associated with a user receives controller instructions a
`from the network. Next, at step 402, the gateway unit receives
`a network access request from a user, via a subscriber termi—
`nal. At step 404, the gateway unit selectively transmits the
`network access requests over the network in accordance with
`the controller instructions. Finally, at step 406, the gateway
`unit receives content data responsive to the transmitted net-
`work access request from the network. Consistent with the
`present
`invention,
`this section, and others that
`follow,
`describe in more detail the implementation of this method.
`CGs 58, under ICP 50 control, may provide a network-
`based Digital Rights Management (DRM) service. The DRM
`service denies subscribers the capability to send or to receive
`data from or to “pirate” URLs or IP addresses that are known
`to contain unlicensed copyrighted material. In implementing
`this denial, CG 58 deletes the “pirate” URI. or IP address and
`substitutes the URL or IP address ofa site that offers licensed
`copyrighted materials for legal, authorized sale. The list of
`
`
`
`8
`“pirate” URLs or IP addresses that are known to contain
`unlicensed copyrighted material may be regularly updated,
`similar to the manner in which virus definitions are regularly
`updated.
`Furthermore, when other non-web browser programs
`executing in subscriber terminals 60 attempt to access a
`blocked site, the request to the URL or IP address of the
`blocked site may be redirected to a legal content provider’s
`URL or IP address or ignored.
`Upon registration of a CG 58 as “active,” ICP 50 may
`update the list in CG 58 of DRM URL or IP address substi-
`tu