(12) United States Patent
Burke, II et al.

(10) Patent No.: US 8,122,128 B2
(45) Date of Patent: Feb. 21, 2012

US008122128B2

(54) SYSTEM FOR REGULATING ACCESS TO AND DISTRIBUTING CONTENT IN A NETWORK

(76) Inventors: Robert M. Burke, II, Los Gatos, CA (US); David Z. Carman, San Jose, CA

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1727 days.

(21) Appl. No.: 10/989,023

(22) Filed: Nov. 16, 2004

(65) Prior Publication Data
US 2005/0125528 A1, Jun. 9, 2005

(51) Int. Cl.
G06F 15/173 (2006.01)

(52) U.S. Cl. 709/225

(58) Field of Classification Search 709/225
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
6,516,416 B2       2/2003    Gregg et al.
6,694,429 B1       2/2004    Kalmanek, Jr. et al.
2001/0051996 A1    12/2001   Cooper et al.
2002/0059440 A1    3/2002    Hudson et al.
2002/0103778 A1*   8/2002    Saxena, 707/1
2002/0120577 A1    8/2002    Hans et al.
2002/0145981 A1    10/2002   Klinker et al.
2002/0169865 A1    11/2002   Tarnoff
2003/0204602 A1    10/2003   Hudson et al.
2003/0233281 A1    12/2003   Takeuchi et al.
2005/0033990 A1*   2/2005    Harvey et al., 713/201
* cited by examiner

OTHER PUBLICATIONS
International Search Report dated Jan. 31, 2006.

Primary Examiner — Jeffrey Pwu
Assistant Examiner — Shripal Khajuria
(74) Attorney, Agent, or Firm — Schwabe, Williamson & Wyatt, P.C.

(57) ABSTRACT

There is provided a system for regulating access and managing distribution of content in a network, such as the Internet. The system includes communication gateways, installed at a subscriber site, internet control points, installed remotely, and various network elements installed throughout the network. The communication gateways and network elements operate in conjunction with the internet control points to restrict or allow access to specified Internet sites and to manage efficient distribution of content such as music, video, games, broadband data, real-time audio and voice applications, and software to subscribers.

50 Claims, 7 Drawing Sheets

[Front-page drawing. Labeled elements: Internet Service Provider Portal 62; Active Intervention System 64; Non-SPA Content Servers 57; SPA Content Servers 56; Internet/Metro Area Network; Non-SPA Network Elements 55; SPA Network Elements 54; Internet Control Point 50; Access Node 66; Communication Gateways 58; Subscriber Terminals 60.]

Unified Patents Ex. 1011, pg. 1

[Sheet 1 of 7: Figure 1 (drawing not reproduced).]

[Sheet 2 of 7: Figure 2, Communication Gateway 58. Labeled elements: To Internet 52; Network; Storage (Network Partition, User Partition); Processor 106; User Interface; 104 (Instructions, Initial Operating Parameters, Other records); Housing Disassembly Detector 110; To Subscriber Terminal 60.]

[Sheet 3 of 7: Figure 3, Internet Control Point 50. Labeled elements: To Internet 52; Network Interfaces; Instructions; Other records.]

[Sheet 4 of 7: Figure 4, SPA Network Element 54. Labeled elements: To Internet 52; Network Interfaces 300; Processors 302; Switches 306; Instructions; Other records.]

[Sheet 5 of 7: Figure 5, flowchart. 400: Receive instructions from network. 402: Receive network access request from a user. 404: Selectively transmit network access request in accordance with received instructions. 406: Receive content data responsive to transmitted network access request.]

[Sheet 6 of 7: Figure 6, flowchart. 500: Receive instructions from network at subscribing network units. 502: Selectively inhibit access to content servers by a group of non-subscribing users in accordance with received instructions.]

[Sheet 7 of 7: Figure 7, flowchart. 600: Receive, at a first network unit, content distribution instructions from the network. 602: Store a first portion of content data from the network. 604: Initiate a request over the network, in accordance with the instructions and in response to a user request, for the remainder of the content data. 606: Receive the remainder of the content data from the network. 608: Assemble the first portion of content data with the remainder of the content data. 610: Supply the assembled content data to the user. 612: Selectively forward the first portion of content data to a second network unit in accordance with the instructions.]

SYSTEM FOR REGULATING ACCESS TO AND DISTRIBUTING CONTENT IN A NETWORK

TECHNICAL FIELD

This invention is in general related to regulation of access to a network and, more particularly, to distributing content efficiently while protecting the digital rights associated with the content.

BACKGROUND

The network commonly known as the Internet, or any similar private or managed network, provides a convenient medium for the delivery of electronic data or content such as music, video, games, broadband data, real-time audio and voice applications, and software to subscribers. To accomplish these purposes, the Internet is composed of several components including, for example, content providers for generating content; service providers for delivering content; subscriber terminals for receiving, displaying and playing content; and various additional network elements between service providers and subscribers for aiding in the distribution of the content. Service providers include, for example, telephone line carriers, enterprise data centers, and cable television providers. Subscriber terminals are located at subscriber premises and include, for example, personal computers, televisions configured with modems, a combination of both, or any other combination of consumer electronics capable of presenting electronic content to a subscriber.
Interest in providing delivery of content via the Internet has remained high throughout the growth of the Internet. Several problems have yet to be overcome, however, before the Internet is fully effective at delivering content efficiently and rapidly, while also protecting the rights of the owners of content, that is, the owners of intellectual property. Techniques for protecting this intellectual property are often referred to as Digital Rights Management (DRM). Recent music industry lawsuits over the distribution of pirated music are evidence of the difficulties not yet solved by current DRM techniques.
Service providers and content providers need the assurance that the intellectual property (music, video, games, software, etc.) will be secure from illegal downloading and transmission over the Internet, a major source of lost revenues and the basis for hundreds of lawsuits. Service providers want this feature to halt the legal onslaught launched by music companies and to encourage the motion picture industry to license their content for distribution over the otherwise unsecured Internet. The motion picture industry is understandably reluctant, having seen the negative impact that piracy has already had on the Music Recording Industry. Content providers thus demand this feature to stop the illegal downloading and transmission of intellectual property over the Internet which has cost the music and movie industries billions of dollars annually. Techniques that reduce the strain on a content provider’s resources and reduce the high volumes of network data traffic are also desirable in order to improve the speed and efficiency of accessing content in a network.
Another difficult problem that remains to be solved is providing a means for law enforcement agencies to execute warrants to wire-tap Internet communications such as email and real-time audio and video communications. A solution to this problem is especially desirable considering the importance of thwarting terrorist attacks. The Patriot Act and other recently passed legislation indicate the desirability and importance of providing such capabilities to law enforcement bodies.
It is therefore desirable to provide new access regulation and data traffic control techniques that can be made available to telephone line carriers, ISPs, enterprises, cable television companies, for their Internet access networks. In addition, it is desirable to provide a means for law enforcement bodies to combat the prevalent use of Internet communications in planning illegal operations. In particular, it is desirable to meet these needs using the service provider's existing distribution network.

SUMMARY

Consistent with the invention, there is provided a system for regulating access to a network. The system comprises a controller node coupled to the network, the controller node comprising a first processor for generating controller instructions and a first network interface for transmitting the controller instructions over the network. The system also comprises a plurality of gateway units, the gateway units comprising a user interface receiving user-entered network access requests, a second network interface coupled to the network and receiving the controller instructions from the network and a second processor, the second processor selectively transmitting at least some of the network access requests over the network in accordance with the controller instructions, and transferring content data responsive to the transmitted network access requests over the network via the second network interface.
Consistent with another aspect of the present invention, there is also provided a system for regulating access to a network that is accessed by a plurality of users. The system comprises a controller node coupled to the network, the controller node comprising a first processor for generating controller instructions and a first network interface for transmitting the controller instructions over the network. The system also comprises a plurality of network units associated with a first group of users, the network units comprising a second network interface coupled to the network and receiving the controller instructions from the network and a second processor, the second processor inhibiting access for a second group of users to content in the network in accordance with the controller instructions.
Consistent with yet another aspect of the present invention, there is also provided a system for distributing content over a network. The system comprises a controller node coupled to the network, the controller node comprising a first processor for generating controller instructions and a first network interface for transmitting the controller instructions over the network. The system also comprises a plurality of network units, the network units comprising a second network interface coupled to the network, the second network interface in at least a first one of the network units receiving the controller instructions from the network and receiving a portion of a content data file from at least a second one of the network units and a second processor, the second processor in the at least first one of the network units selectively forwarding the portion of the content data file received from the at least second one of the network units to at least a third one of the network units in accordance with the controller instructions.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one (several) embodiment(s) of the invention and together with the description, serve to explain the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts the overall environment in which the present invention is implemented.
FIG. 2 depicts a communication gateway consistent with the present invention.
FIG. 3 depicts an internet control point consistent with the present invention.
FIG. 4 depicts a network element consistent with the present invention.
FIG. 5 is a flowchart of a method for selectively transmitting network access requests consistent with the present invention.
FIG. 6 is a flow chart of a method for inhibiting access to content servers on a network consistent with the present invention.
FIG. 7 is a flowchart of a method for distributing content in a network consistent with the present invention.

DETAILED DESCRIPTION

System Architecture

Consistent with principles of the present invention, there is provided a system including a Service Preference Architecture (SPA). The SPA is a collection of hardware components and software routines executed by the components. Components installed at a subscriber’s site may be referred to as gateway units, or more specifically, Communication Gateways (CGs). The subscribers may include residential and business subscribers. The CGs may include a data storage device such as a hard drive, and are operable between active and inactive states. CGs operate in conjunction with SPA-based Internet Service Providers (ISPs) under the control of “controller nodes,” hereinafter referred to as Internet Control Points (ICPs). The ICPs are installed in an ISP’s network. ICPs may be network-based routers or computers that control the operation of CGs.
The software routines located in CGs and ICPs provide a suite of features for the system. ISPs, such as telecommunication carriers, electronic data centers, and cable TV companies, may be equipped to deliver the suite of features by using a network service based system.
In general, the SPA uses ICPs to control subscriber access to web sites and to deliver data to subscribers. The ICPs control the processing of data sent between subscribers (e.g., client PCs or LAN servers) and the ISPs or content servers with which they are exchanging information, using the CGs. The ICPs cooperate with hardware and software of the CGs located at a subscriber’s premises to provide the specific features of the system.
The CGs cannot be tampered with by subscribers. This is accomplished by two aspects of the CGs. First, CGs are specifically designed to permit no subscriber-initiated programming and no access to the CG hardware or software. Instead, the CGs are provided only with compiled code loaded from flash memory, a hard drive, or EEPROM. Updates to this code are obtained from ICPs and encrypted passwords are stored in hidden, undocumented locations to allow authentication of ICP presence prior to CG control program update. The passwords are changed frequently during an “idle process control” phase and tracked by an ICP.
The second anti-tampering aspect is the provision of a housing for the CGs and a detector consisting of one or more “deadman” switches that are tripped upon opening the housing or removing a CG’s hard drive. The circuit may be either passive or active.
If the detector is passive, it signals an internal controller upon re-start that it has been tripped and causes an event notification to be sent to an ICP upon next power-up. Upon receipt of the event notification, either the ICP initiates diagnostics and disables the CG if a software tamper has occurred, or the CG disables both its control software and its internal hard drive to prevent the hard drive from operating, until it is returned to the ISP for repair. Subscriber agreements may be used to supply a contract provision specifying that tampering voids the warranty and that the subscriber deeds a portion of the CG to the ISP and agrees to return tampered products to the ISP.
If the detector is active, the “deadman switch” is kept powered by, for example, battery or capacitor. The trip is used to immediately disable the controller software in the processor and the internal hard drive of the CG. Both may be reset only by the ICP, either automatically or by human intervention. These measures prevent subscribers from writing, compiling, executing, modifying, or otherwise tampering with the operating software of the CG. Second, the active mode prevents users from getting access to the content on the hard drive.
In addition to these tamper-proof provisions, all ICP-CG communications take place within the ISP side of the network and ICP-CG communications are secured with encryption and hashing. Furthermore, all CGs must be registered with the ISP. An ICP will not enable any service to an un-registered CG and an un-registered CG will not operate in an experimental environment at all. At the onset of power-up or transition from an inactive to an active state, the CG signals the ICP and the ICP returns an “OK” message prior to proceeding further. This transaction requires an encrypted password exchange to authorize the CG to enter an “active” state where it can play back, download or be used for anything delivering services to users. These measures ensure secure control of the data flow between both the ICP and the CG. This secure flow of data then enables ISPs to effectively and efficiently control the services provided to subscribers.
Reference will now be made in detail to the present embodiments (exemplary embodiments) of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.
FIG. 1 illustrates an environment in which the invention may operate. A Service Preference Architecture (SPA) may include at least one Internet Control Point (“ICP”) 50 connected to a network 52. Network 52 may be, for example, the Internet, a metro area network, or a local area network, and may include a plurality of SPA-controlled network elements 54 and non-SPA-controlled network elements 55. Network elements 54, 55 may include, for example, network switches and routers. SPA-controlled network elements 54 aid in regulating access and distributing content through network 52.
Also connected to network 52 are content servers including at least one SPA-controlled content server 56 and a plurality of communication gateways (“CGs”) 58, including CGs 58₁, 58₂, ... 58ₙ. A subscriber terminal 60₁, 60₂, ... 60ₙ may be connected to each respective CG 58, or in an alternative embodiment not shown, may be combined with each respective CG 58 to form “converged” CGs 58.
An SPA-controlled content server 56 may be, for example, a computing terminal used to deliver content services. A content service may include, for example, delivery of any media file (such as movies, music, pictures, and graphics), software file (such as a complete application, operating parameters, data files, or partial application/updates) or a real time application (such as interactive data processing, voice communications or visual communications to an end user). In an alternative embodiment, the functions of SPA-controlled content server 56 and ICP 50 may be combined in a single component.
ICP 50 is typically located remotely from subscriber terminals 60 and regulates both subscriber access to network 52 and distribution of content in network 52. The content may originate from SPA-controlled content server 56, for example, or from other content servers 57 in network 52. ICP 50 works in conjunction with CGs 58 and SPA-controlled network elements 54 by generating instructions which are transmitted over network 52 to CGs 58 and SPA-controlled network elements 54, where the instructions are executed.
ICP 50 may constitute the source of internet service control and conditional denial of subscriber access to ISP-selected URLs or IP addresses. ICP 50 may control CGs 58 to determine what web site data is allowed to pass through to subscribers using, for example, web browser programs executing in subscriber terminals 60. ICP 50 may also control packet inspection processing in CGs 58 to determine which data can be allowed to flow through CGs 58 to and from subscriber terminals 60, specifically when e-mail or file transfers are initiated. ICP 50 also controls what activities are engaged in by idle CGs 58 when corresponding subscriber terminals 60 are inactive. Idle CGs 58 may receive software downloads from ICP 50, collect data, and initiate communications activities that are disruptive to certain non-SPA content servers 57 that offer unauthorized copyrighted materials for illegal download by subscribers. Multiple ICPs 50 may be deployed geographically in an ISP’s network to support the CG management capacity of ICP 50 and the number of subscribers in its service area.
An ISP may provide an ISP portal 62 to facilitate subscriber access to network 52. ISP portal 62 may be, for example, an enterprise data center. Access node 66 is associated with the ISP providing ISP portal 62. ICP 50 interacts with ISP portal 62, ISP associated access node 66, and SPA-controlled content server 56 to control subscribers’ ability to access services that are offered by ISP portal 62. ICP 50 also controls CGs 58 to deliver various services, including, for example, advertisements, the home page for ISP Portal 62 or SPA-controlled content server 56 web servers, or software downloads to subscriber terminals 60 for their use of ISP 62 or SPA-controlled content server 56 services.
ICP 50 also interacts with SPA-controlled network elements 54 used by ISP portal 62 to deliver services. ICP 50 controls subscribers’ ability to access services that are offered by the ISP portal 62 and controls the operation of the services themselves by controlling the flow of data through SPA-controlled network elements 54 used by ISP portal 62.
ICP 50 may be programmed either by human input or by operator-controlled web crawler software. Updates to a database in ICP 50 may be provided by an active intervention system 64 whereby changes to ICP 50 database entries are discovered and implemented. The updates to ICP 50 database may be made in a manner analogous to the regular updating of virus definitions for computer virus and worm protection.
The web crawlers, human intervention, and ICP 50 and CG 58 database updates may be controlled by active intervention system 64. Active intervention system 64 may include, for example, a set of centrally maintained computer systems. Active intervention system 64 may control the operation of various geographically deployed ICPs 50.
The process begins with active intervention system 64. Active intervention system 64 is used by human operators to discover new URLs or IP addresses to “pirate” sites to conditionally deny access to these URLs or IP addresses by CGs 58, discover changes needed to implement Digital Rights Management (DRM) techniques, discover and record new packet characteristics, install wiretaps as ordered, process new copyright registry entries, change encryption techniques, and perform other management services. ICPs 50 then deliver active and real time executed network management, distribute new database entries and software changes to CGs 58 and track operation of the SPA-controlled network elements 54. Although one ICP 50 is illustrated there may be more. Thus, multiple ICPs 50 may be networked together to enable them to manage large numbers of SPA-controlled network elements 54 and provide redundant, highly reliable operation. Furthermore, ICPs 50 may all use identical databases to enable uninterrupted network management.
As illustrated in FIG. 2, a CG 58 may include a user interface 100 that receives subscriber requests, entered by subscribers at an associated subscriber terminal 60, to access network 52. CG 58 may also include a network interface 102 to exchange data with network 52 and to receive instructions from ICP 50; a memory device 104 including a database for storing ICP-generated instructions, initial operating parameters, and other records; a processor 106 to implement the instructions; a content storage device 108 having a user partition and a network partition for storing content; and a housing disassembly detector 110 to prevent tampering, as described above. Memory device 104 may be, for example, a bank of one or more semiconductor memories, a bank of one or more hard disk drives, a combination of semiconductor memories and hard disk drives or any other device that holds data. Processor 106 may be, for example, a general purpose processor (such as a Pentium 4 processor, an integrated circuit, or collection of integrated circuits) that can execute program instructions and is designed to allow control of CG 58 to be implemented in purely software and may also be used for non-CG related general purpose computing applications, or processor 106 may be a special purpose processor (integrated circuit or collection of integrated circuits) that can execute program instructions and is designed with only the power, bus, memory, logic and hardware accelerators needed to control CG 58. Content storage 108 may be, for example, a bank of one or more semiconductor memories, a bank of one or more hard disk drives, a combination of semiconductor memories and hard disk drives or any other device that holds data. CGs may be provided in various forms, such as, for example, a gateway module that combines TV, video, internet and voice access, a dial-up remote access server, an ADSL modem/router, a satellite TV gateway, a cable TV modem, a converged set top-plus-internet gateway, a wireless modem, or other fixed or mobile computing, playback, recording, display or communications device including radio, TV, stereo, wireless phone, phone, DVD, VCR, WLAN access point, wireless broadband or narrowband modem, or similar device.
As illustrated in FIG. 3, an ICP 50 may include one or more network interfaces 200, one or more processors 202, a memory device 204 including a database for storing records, and a non-internet communications link for traffic between processors and shared storage and memory. The records preferably include instructions that may be updated by active intervention system 64 and distributed to CGs 58 and SPA-controlled network elements 54 for execution.
As illustrated in FIG. 4, SPA-controlled network elements 54 may include one or more network interfaces 300, one or more processors 302, a memory device 304 including a database, and one or more switch modules 306 for providing routing and switching services. Components 300, 302, and 304 may operate in a similar fashion to the corresponding components of the CGs. SPA-controlled network element 54 may be provided in various forms, such as, for example, a computer used to deliver data services or content services, a core router or ATM switch, a subscriber management system used to control access to the network, authenticate subscribers or devices before allowing access into the network, a DSLAM, cable modem system, wireless modem system, or any other multiplexing or channel service delivery system, or a satellite that incorporates any of these elements.
Service Initialization
CGs 58 may be required to register with ICP 50 when they are powered up for the first time. CGs 58 will remain inactive until they receive a registration confirmation from SPA-controlled content server 56 or ICP 50. The registration process may include collection of information by ICP 50 for a warranty registration from the subscriber such as, for example, CG's 58 hardware address and other identifying data. ICP 50 will then send CG 58 the latest operating software, if necessary, and its initial operating parameters to load in memory 104. Initial operating parameters may include, for example, the address of the CG’s 58 ICP 50 and other variables as described below. Subsequent re-registrations may be initiated by CG 58 under subscriber control for address or ISP changes.
Active and Inactive CG Processing Control
Upon power down or inactivity timeout of CG 58, CG 58 may register itself as “idle” by sending an event notification to ICP 50. The duration of an inactivity timeout may be preset and may be changed by input to ICP 50 for distribution to all CGs 58 under the control of ICP 50.
Upon subsequent re-activation, which may be initiated by either power up or signals from subscriber terminal 60, CG 58 identifies itself as “active” by sending an event notification to ICP 50, which responds with an acknowledgement. Failure of a CG 58 to receive an acknowledgement results in a series of re-tries until finally a timeout or maximum number of re-tries occurs. When this occurs, a diagnostic program may be executed in CG 58 to advise the subscriber what to do next, based on the deduced source of the failure. Active CGs 58 may process and control delivery of content and services from SPA-controlled content server 56 or ISP portal 62. Inactive CGs 58 may process and control either CG maintenance or may carry out activity delegated to inactive CGs by design.
`Conditional Denial
`FIG. 5 shows a method, consistent with the invention, for
`regulating user access to a network. In step 400, a gateway
`unit associated with a user receives controller instructions
`from the network. Next, at step 402, the gateway unit receives
`a network access request from a user, via a subscriber terminal.
`At step 404, the gateway unit selectively transmits the
`network access requests over the network in accordance with
`the controller instructions. Finally, at step 406, the gateway
`unit receives content data responsive to the transmitted network
`access request from the network. Consistent with the
`present invention, this section, and others that follow,
`describe in more detail the implementation of this method.
`CGs 58, under ICP 50 control, may provide a network-based
`Digital Rights Management (DRM) service. The DRM
`service denies subscribers the capability to send or to receive
`data from or to “pirate” URLs or IP addresses that are known
`to contain unlicensed copyrighted material. In implementing
`this denial, CG 58 deletes the “pirate” URL or IP address and
`substitutes the URL or IP address of a site that offers licensed
`copyrighted materials for legal, authorized sale. The list of
`“pirate” URLs or IP addresses that are known to contain
`unlicensed copyrighted material may be regularly updated,
`similar to the manner in which virus definitions are regularly
`updated.
`Furthermore, when other non-web browser programs
`executing in subscriber terminals 60 attempt to access a
`blocked site, the request to the URL or IP address of the
`blocked site may be redirected to a legal content provider’s
`URL or IP address or ignored.
`Upon registration of a CG 58 as “active,” ICP 50 may
`update the list in CG 58 of DRM URL or IP address
`substitutions.
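The substitution behaviour described in this section, as an added Python illustration that is not code from the patent: a gateway-side list that the controller replaces wholesale, and a per-request decision to forward, substitute, or ignore. Host-level matching, parent-domain matching, the version counter, and every class, function and sample name are assumptions made for the example.

```python
# Added illustration, not code from the patent. Host-level matching, parent-domain
# matching and the version counter are assumptions; all names are hypothetical.
import ipaddress
from urllib.parse import urlsplit

class SubstitutionList:
    """List of blocked hosts/IP ranges, each mapped to a licensed replacement URL."""

    def __init__(self):
        self.version, self.hosts, self.nets = 0, {}, []

    def update(self, version, entries):
        """Replace the list with a controller update; reject stale versions."""
        if version <= self.version:
            return False
        hosts, nets = {}, []
        for target, replacement in entries:
            try:
                nets.append((ipaddress.ip_network(target, strict=False), replacement))
            except ValueError:  # not an IP or CIDR, so treat it as a hostname
                hosts[target.lower().rstrip(".")] = replacement
        self.version, self.hosts, self.nets = version, hosts, nets
        return True

    def lookup(self, host):
        """Return the replacement URL for a listed host or IP, else None."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            labels = host.split(".")
            for i in range(len(labels)):  # the host itself, then each parent domain
                hit = self.hosts.get(".".join(labels[i:]))
                if hit:
                    return hit
            return None
        return next((r for net, r in self.nets if addr in net), None)

def decide(request_url, sub_list, is_browser=True, non_browser_policy="ignore"):
    """Return (action, url): forward unlisted requests, substitute listed ones."""
    host = urlsplit(request_url).hostname or ""
    replacement = sub_list.lookup(host)
    if replacement is None:
        return ("forward", request_url)
    if is_browser or non_browser_policy == "redirect":
        return ("redirect", replacement)
    return ("ignore", None)

# Constructed sample list (documentation-reserved names and addresses).
SAMPLE = [("pirate.example", "https://licensed.example/store"),
          ("203.0.113.0/24", "https://licensed.example/store")]
```

Normalizing case, the trailing dot and the port before lookup keeps equivalent spellings of a listed host from being treated as unlisted.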
`Packet Inspection
`CGs 58 and SPA-controlled network elements 54 may
`perform packet inspection to determine the file type of all files
`being transferred through CG 58 or SPA-controlled network
`elements 54, based on file properties, including, for example,
`file extension, file format, header or trailer c
