KR20040064991A - System and method for access denial of mobile handset in the internet access gateway - Google Patents

Abstract

According to an embodiment of the present invention, after receiving a web data provision request from a user terminal and extracting terminal type information, if the extracted terminal type information does not correspond to terminal type information previously designated for blocking access, the web corresponding to the web data provision request By transmitting the data to the user terminal to enable the user to use the wireless Internet service, if the terminal type information corresponds to the terminal type information specified in advance to block access, by sending an error message to the user terminal through the communication network to the wireless Internet The present invention relates to a mobile communication terminal access blocking system and method of an internet interworking gateway that blocks access for service use, and can differentiate wireless Internet service charges according to types of user terminals even under the same wireless internet service environment.

Description

SYSTEM AND METHOD FOR ACCESS DENIAL OF MOBILE HANDSET IN THE INTERNET ACCESS GATEWAY}

The present invention relates to a mobile communication terminal access blocking system and method of the Internet-linked gateway, and in particular, the wireless Internet service usage fee can be differentiated by type of user terminal, and the Internet can easily block malicious access of a service-limited user terminal. The present invention relates to a mobile communication terminal access blocking system and a method of an interworking gateway.

Advances in science and economics have enabled the rapid dissemination of computers and high-speed Internet access. In addition, the development of Internet communication has made it possible to provide a communication environment that allows a user to access the Internet from anywhere using a PC room or a mobile communication terminal that provides a dedicated line connection service.

Accordingly, if a user is carrying a mobile communication terminal, a personal digital assistant (PDA), a notebook computer, or the like, the user can access the Internet anytime and anywhere to perform various tasks such as sending and receiving e-mail and searching for data.

In addition, the user accesses the Internet using a mobile communication terminal, a personal digital assistant (PDA), a notebook computer, or the like combined with a communication network, thereby providing various data such as text data, image data, sound data, and video data. Can be provided.

In the case of the wireless Internet, a web browser installed in a mobile communication terminal, etc. accesses a specific web server through a CDMA network and a gateway of a mobile communication company, thereby presenting the contents of the corresponding website to the user.

However, in the conventional wireless Internet service, since the data file downloaded by the user terminal connected to the web server is received in the form of a plurality of divided packets, the transmission speed and time vary according to the amount of data packets, which is eventually charged per packet. In this wireless Internet environment or the SLIP / PPP environment in which the hourly charge is granted, the amount of data communication increases, so that the usage time becomes longer and the excessive communication cost is burdened on the user.

In addition, in the conventional wireless Internet service, the same service fee is calculated regardless of whether the user uses a mobile communication terminal, a notebook computer, or a personal digital assistant (PDA), and thus the fee differentiation may be performed according to the type of the terminal used by the user. There was no limit.

In addition, in the conventional wireless Internet service, the wireless Internet service environment is configured to be integrated and used regardless of the user's terminal. Therefore, whether to selectively block access of a specific terminal type or block access by a specific source IP can be determined. There was a problem that can not be applied to the method of differentiation.

Accordingly, an object of the present invention is to provide a mobile communication terminal of an Internet-linked gateway to differentiate the wireless Internet service fee according to the type of the user terminal even in a wireless Internet service environment configured to be used independently of the type of the user terminal. It is to provide a connection blocking system and method.

Another object of the present invention is to configure a wireless Internet service method or a connection path according to the type of the user terminal to use the wireless Internet service, even if the user terminal access to the wireless Internet service in an illegal way The present invention provides a system and method for blocking access to a mobile communication terminal of an internet interworking gateway that can selectively block using a terminal type or IP address information.

1 is a schematic overall system diagram of a mobile communication terminal access blocking system of an Internet-linked gateway according to an embodiment of the present invention.

2 is a data flow diagram illustrating a method for performing a wireless Internet service in an internet interworking gateway when cache data does not exist according to an exemplary embodiment of the present invention.

3A is a data flow diagram illustrating a selective access authorization method according to a type of a user terminal in an internet-interworking gateway according to an embodiment of the present invention.

3B is a diagram illustrating an IP packet format according to a preferred embodiment of the present invention.

<Explanation of symbols for the main parts of the drawings>

110: user terminal

120: mobile communication service system

123: proxy server

127: Internet interworking gateway

130: content server

In order to achieve the above object, according to an aspect of the present invention, in the method for selectively blocking the request for using the wireless Internet service received from the user terminal, receiving a web data provision request from the user terminal, and the web data Extracting the terminal type information included in the provision request, checking whether the extracted terminal type information corresponds to terminal type information previously specified for the access blocking, and the terminal type information is previously for blocking the access. If it corresponds to the designated terminal type information, transmitting a predetermined error message to the user terminal; and if the terminal type information does not correspond to the terminal type information that is pre-specified to block access, through the communication network to the user terminal. In conjunction with the request for providing the web data Provided is a method for determining whether to allow access to an Internet-linked gateway, comprising: transmitting web data, and a system, apparatus, and a recording medium for enabling the method for determining whether to permit access to an internet-linked gateway are provided. Is provided.

The transmitting of the web data corresponding to the web data providing request to the user terminal through the communication network may include checking whether the web data corresponding to the web data providing request is stored in advance, and the web data. Search for the web data corresponding to the request for providing the web data and transmitting the searched web data to the user terminal through a communication network; and if the web data is not stored, the web data Transmitting the web data providing request to a web server corresponding to the providing request, receiving web data corresponding to the web data providing request from the web server, and transmitting the received web data to the user terminal through a communication network. It may include the step of transmitting.

In addition, the method of determining whether to allow access to the Internet-linked gateway according to the present invention comprises the steps of detecting the IP address information of the user terminal using the web data provision request, and the IP address information is pre-designated to block access; The method may further include checking whether the information corresponds to the information, and if the IP address information corresponds to pre-specified IP address information to block access, transmitting a predetermined error message to the user terminal.

The terminal type information may be information included in a user agent field of an IP packet corresponding to the web data provision request.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, in order to facilitate understanding, the present invention will first be described in detail, and then the present invention will be described in detail with reference to the accompanying drawings.

A proxy server exists in the mobile communication network, and the proxy server performs a function of searching a website for a specific URL (for example, downloading HTML data) while using a user's wireless Internet service. .

For example, in the case of the wireless Internet service provided by KTF, the MagicN proxy server PAS (Portal Access Server) is set as a proxy server on the mobile terminal, and when the user uses the wireless Internet service, the PAS ( Portal Access Server automatically receives the packet data transmitted from the user terminal and connects to the destination URL, and performs the function of collectively processing and managing billing for each service and / or content generated in the process. do.

In general, when proxy settings are performed in a browser installed in a user terminal (for example, a mobile communication terminal, a notebook computer, a personal digital assistant, etc.), the destination IP of all HTTP request packets is a proxy server. Becomes Therefore, the function of the proxy server receives a web surfing request packet transmitted from the user terminal in the middle, establishes a TCP connection again with the web server (i.e., the web server corresponding to the web surfing request) which becomes the final destination server, After the appropriate data is downloaded through the request and the HTTP response, the data is transmitted to the user terminal through the communication network. In addition, if the web page of the corresponding web server is not changed later, such an operation may also be performed in a caching role in which the proxy server directly responds to a request to the same destination URL afterwards. It is. A proxy server capable of performing such a function is called a caching proxy server, and an Internet access gateway (IAGW) to be described below may be regarded as one of these devices.

Since the Internet-linked gateway acts as a proxy server, when the user terminal sets the IP address of the proxy server to the IP address of the Internet-linked gateway, the IP address of the Internet-linked gateway is included in the destination IP field of the IP header of the packet. If the packet is captured between the user terminal and the Internet-linked gateway, the packet analysis may recognize that the packet uses the Internet-linked gateway as a proxy server. It is possible to differentiate the service fee for the service, and as a result, it is possible to activate the use of the wireless Internet service.

However, such proxy settings may be equally applied to existing mobile communication terminals which are generally ME browsers. In other words, if the user's terminal uses the proxy setting as the Internet-linked gateway, the destination IP address of the packet IP header is converted into the IP of the Internet-linked gateway and transmitted, thus enabling mobile communication with a notebook computer user or a personal digital assistant (PDA) user. The purpose of differentiating the service fee of the terminal user cannot be achieved.

Therefore, in order to solve this side effect, the present invention analyzes the difference between the HTTP request packet of the mobile communication terminal and the HTTP request packet of a notebook computer or a personal digital assistant (PDA). Attempts to use can be blocked by packet discard. The explicit difference between the HTTP request packet between the notebook computer and the mobile communication terminal is terminal type information included in the 'User Agent' field. The terminal type is 'CellPhone' in the 'User Agent' field of the HTTP request packet of the mobile communication terminal. After that, since the 'HTTP_PHONE_NUMBER' field (MIN number) and the 'HTTP_PHONE_SYSTEM_ PARAMETER' field (BSS ID, NID, SID, etc.) are added, filtering in consideration of these differences can block the HTTP request packet transmitted from the mobile terminal. In this way, it is possible to completely differentiate between a mobile terminal user and a notebook computer or personal digital assistant (PDA) user in terms of billing.

Therefore, the Internet-linked gateway according to the present invention can perform a dedicated service for a notebook computer or a personal digital assistant (PDA) during a wireless Internet service, and at the same time can block access attempts from a mobile communication terminal. In addition, by extending such a method, it is possible to differentiate and apply access blocking for each source IP during a connection attempt from a mobile communication terminal.

1 is a schematic overall system configuration diagram of a mobile communication terminal access blocking system of an Internet-linked gateway according to an embodiment of the present invention.

Referring to FIG. 1, the overall system configuration of the mobile communication terminal access blocking system of the Internet-linked gateway may include a user terminal 110, a mobile communication service system 120, a content server 130, and the like. The communication service system 120 may include a proxy server 123, an internet interworking gateway 127, and the like.

The user terminal 110 is connected to the proxy server 123 or the Internet interworking gateway 127 (IAGW: Internet Access Gateway) included in the mobile communication service system 120 through a communication network. As a device having an application installed therein and a built-in communication function, for example, a mobile communication terminal, a personal digital assistant (PDA), a notebook computer, and the like may correspond thereto. In addition, hereinafter, an internet interworking gateway of a mobile communication terminal in order to differentiate a fee for using a wireless internet service between a user using an internet service using a mobile communication terminal and a user using an internet service using a personal digital assistant or a laptop computer. (127) A description will be given focusing on a method of blocking a connection. Of course, the method of differentially applying the wireless Internet service usage fee may be a method of blocking access of the user terminal 110 other than the mobile communication terminal or a method of blocking access only to the user terminal 110 having a specific IP address. Naturally, it can be applied in various ways.

The mobile communication service system 120 allows a user who wants to make a phone call to use a telephone service using the user terminal 110, and, in the case of a user who wants to use a wireless Internet service, the content server 130 through the Internet network. System that provides access to In FIG. 1, only an apparatus for performing a method for blocking access of a mobile communication terminal of an internet interworking gateway according to the present invention is briefly described. Obviously, various devices such as (IWF) are included.

The proxy server 123 receives the web surfing request packet transmitted from the user terminal 110 in the middle, and establishes a TCP connection again with the content server 130 (that is, the content server corresponding to the web surfing request) which becomes the final destination server. After setting the appropriate data through the HTTP request and the HTTP response, the data is transmitted to the user terminal 110 through the communication network.

The internet interworking gateway 127 is a device capable of performing the above-described caching function as well as the function of the proxy server 123. When the type of the user terminal 110 is a notebook computer or a personal portable terminal, the connection is performed. However, in the case of a mobile communication terminal, it performs a function of blocking the connection (of course, if the conditions are different, other types of user terminals 110 may be blocked). Looking at the function of the Internet-linked gateway 127 according to the present invention in detail, the Internet-linked gateway 127 is a packet filtering function, web cache function, session management function, security function (Firewall function), TCP optimization function, authentication function, device Interworking function, network management function, operation management function, configuration management function, fault management function, statistics management function, security management function, performance management function, and the like. Will be explained in the section.

The content server 130 is a device that performs a function of providing data corresponding to an access request, a data transmission request, and the like transmitted from the user terminal 110 through a communication network. In FIG. 1, only one content server 130 is shown for convenience. However, in practice, a plurality of content servers may be combined with a mobile communication service system through an internet network.

2 is a data flow diagram illustrating a method of performing a wireless Internet service in an Internet-linked gateway when cache data does not exist according to an exemplary embodiment of the present invention.

That is, in FIG. 2, although the user terminal 110 connected to the Internet-linked gateway 127 corresponds to a service target, cache data corresponding to the HTTP request message received from the user terminal 110 is stored in the Internet-linked gateway 127. A method of performing a wireless Internet service when it does not exist.

Referring to FIG. 2, the user terminal 110 establishes a TCP session with the Internet interworking gateway 127 according to the proxy settings stored in advance in step 210, and proceeds to step 215, in which an HTTP request message (HTTP GET) input by the user is input. Request Message) is transmitted to the Internet interworking gateway 127 through a communication network.

The internet interworking gateway 127 may perform data corresponding to the HTTP request message received from the user terminal 110 through step 215 in step 220 (that is, web page configuration data, multimedia data, etc. for a URL corresponding to the HTTP request message). Checks whether the) exists. If the data does not exist, the Internet-linked gateway 127 sets up a TCP session in step 225 with the content server 130 in step 225, and the user uses the TCP session set in step 230. The HTTP request message received in step 215 from the terminal 110 is transmitted to the content server 130 corresponding to the HTTP request message through a communication network (or Internet network).

If there is data corresponding to the HTTP request message in step 235, the content server 130 transmits an HTTP response message including the HTTP response message to the Internet interworking gateway through a communication network. In this case, when the content server 130 includes data corresponding to the HTTP request message in the HTTP response message, the header information of a predetermined form (for example, a cache-control header, etc.) is applied to the HTTP response message. It can be included in the response message.

In step 240, the Internet interworking gateway 127 checks the header information of the HTTP response message received in step 235, and includes header information of a predetermined type (for example, a cache-control header). In this case, it is determined whether to cache according to the instruction, and if the data is new data (that is, data not stored in the storage unit of the Internet-linked gateway 127), it is stored.

In operation 245, the internet interworking gateway 127 transmits the HTTP response message received from the content server 130 to the user terminal 110 through the communication network in operation 235.

Hereinafter, the web cache function of the Internet-linked gateway 127 according to the present invention will be described briefly.

The Internet-linked gateway 127 according to the present invention provides an HTTP method (OPTION, GET, HEAD, POST, PUT, DELETE, TRACE), determines an expiration time based on the elapsed time and validity of the stored data, and determines the last update date. The verification function for the stored data and the automatic update function for the cached data may be performed. In addition, depending on the characteristics of the web page, the ability to selectively apply whether to cache by URI, and for the purpose of security and privacy, such as to create a non-shared cache for a specific data and can be accessed only by the user.

And, when the components of the cache table for cache data storage and management in the Internet-linked gateway 127 is shown in Table 1 below.

Table 1 Components of the Cache Table

Item Explanation Refresh Flag Current state of cache data (Refresh in progress / completed / incomplete) Last modified Time of latest change of cache data Etag Entity Tag of Cache Data Page View The number of requests for that cache data Access time Latest request time for cache data Expiration Time Expiry Time for Cache Data Request Time The time at which the HTTP request was sent for refresh Content Type Content Type of Cache Data Content len Cache data size (bytes) Content Data Cache data

Up to now, the method of performing wireless Internet service when there is no cache data corresponding to the HTTP request message received from the user terminal 110 in the Internet interworking gateway 127 has been described with reference to FIG. 2. If present in the interworking gateway 127 will be transmitted to the user terminal 110 via the communication network after the inspection of step 220. Of course, in such a case, the internet interworking gateway 127 does not need to connect to the content server 130 to receive the data, and transmits the data already stored to the user terminal 110. The data can be provided in a short time.

FIG. 3A is a data flow diagram illustrating a selective access authorization method according to a type of a user terminal in an internet interworking gateway according to an exemplary embodiment of the present invention, and FIG. 3B illustrates an IP packet format according to an exemplary embodiment of the present invention. One drawing.

Referring to FIG. 3A, the user terminal 110 establishes a TCP session with the Internet interworking gateway 127 according to the proxy settings previously stored in step 310, and proceeds to step 315 to receive an HTTP request message (HTTP GET) input by the user. Request Message) is transmitted to the Internet interworking gateway 127 through a communication network.

In step 320, the internet interworking gateway 127 is included in the type of the user terminal 110 that is previously designated to use the wireless Internet service through the internet interworking gateway 127. Examine whether or not.

3b illustrates an IP packet format according to the present invention.

Referring to FIG. 3B, the IP packet may include an 'IP header' field, a 'TCP header' field, a 'TCP payload' field, and the like, and the 'TCP payload' field may include a 'Method / URI / Version'. It may include an 'HTTP header' field including an 'field, a' User Agent 'field and an' HTTP Body 'field.

The 'User Agent' field includes type information of the user terminal 110 that has transmitted the HTTP request message. For example, if the user terminal 110 is a mobile communication terminal, the proxy set in the user terminal 110 is included. Regardless of the information, 'CellPhone' is included in the 'User Agent' field.

Therefore, even if an HTTP request message is received through a certain path (that is, a normal path or an illegal path), the Internet-linked gateway according to the present invention uses the information included in the 'User Agent' field of the received IP packet. It is possible to determine whether to allow or block the access of the user terminal 110.

If the Internet interworking gateway 127 is configured to allow a laptop computer or a personal digital assistant (PDA) to access the mobile communication terminal but block the connection of the mobile communication terminal, the information “CellPhone” is “User Agent”. By discarding the IP packet included in the field, the mobile communication terminal can be disconnected. This means that even if a user of a mobile communication terminal designated to use a wireless Internet service through the proxy server 123 intentionally changes the proxy setting and connects to the Internet-linked gateway 127 side, the connection can be blocked by the above-described method. .

Referring back to FIG. 3A, if the check result of step 320 includes the information 'CellPhone' in the 'User Agent' field in the HTTP request message, the Internet interworking gateway 127 is connected to the user terminal 110. Since the type is not the target of the wireless Internet service through the Internet interworking gateway 127, a predetermined error message (eg, Error Code 450-Unsupported User Agent ') is transmitted to the user terminal 110 through the communication network.

Of course, if the type of the user terminal 110 is the target of the wireless Internet service through the Internet-linked gateway 127, as described above with reference to FIG.

Up to now, since the mobile communication terminal as a type of the user terminal 110 is previously designated to use the wireless Internet service through the proxy server 123 instead of the internet interworking gateway 127, the mobile communication terminal at the internet interworking gateway 127. A method of blocking a connection request from a server has been described.

However, the method for blocking access to a user terminal of the Internet-linked gateway according to the present invention is not limited to the type of the specific user terminal 110, and distinguishes and blocks the source IP address filter included in the IP header when the network information is specific network information. It can be applied as a selective packet filtering method. For example, when the information included in the source IP address field matches specific network information previously specified for blocking access, and the information 'CellPhone' is included in the 'User Agent' field, This is how to block access requests. That is, if only one of the network information and the type of the user terminal 110 does not match with the predetermined information for the connection blocking can be allowed to be allowed.

The present invention is not limited to the above embodiments, and many variations are possible by those skilled in the art within the spirit of the present invention.

As described above, the system and method for blocking access to a mobile communication terminal of an Internet interworking gateway according to the present invention are based on the type of the user terminal even under a wireless Internet service environment configured to be used integrally regardless of the type of the user terminal. Can be differentiated.

In addition, the present invention may be configured differently according to the type of the user terminal to use the wireless Internet service, the method and the path, and even if the user terminal to use the wireless Internet service in an illegal way, the type of the user terminal Alternatively, you can selectively block using IP address information.

Claims (6)

In the method for selectively blocking the request to use the wireless Internet service received from the user terminal, Receiving a request for providing web data from a user terminal; Extracting terminal type information included in the web data provision request; Checking whether the extracted terminal type information corresponds to terminal type information designated in advance for blocking access; If the terminal type information corresponds to terminal type information previously designated to block access, transmitting a predetermined error message to the user terminal; If the terminal type information does not correspond to the terminal type information previously designated for blocking access, transmitting the web data corresponding to the web data provision request to the user terminal through a communication network; Method for determining whether to allow access to the Internet-linked gateway, comprising a. The method of claim 1, The step of transmitting the web data corresponding to the web data providing request to the user terminal through a communication network, Checking whether web data corresponding to the web data providing request is stored in advance; If the web data is stored, retrieving web data corresponding to the web data provision request and transmitting the retrieved web data to the user terminal through a communication network; If the web data is not stored, transmitting the web data provision request to a web server corresponding to the web data provision request; Receiving web data corresponding to the web data provision request from the web server, and transmitting the received web data to the user terminal through a communication network; Method for determining whether to allow access to the Internet-linked gateway, characterized in that it comprises a. The method according to claim 1 or 2, Detecting IP address information of the user terminal using the web data provision request; Checking whether the IP address information corresponds to predetermined IP address information to block access; Transmitting the predetermined error message to the user terminal when the IP address information corresponds to predetermined IP address information to block access; Method for determining whether to allow access to the Internet-linked gateway further comprising a. The method of claim 1, The terminal type information is information included in a user agent field of an IP packet corresponding to the web data provision request. Method for determining whether to allow access to the Internet-linked gateway, characterized in that. A system for selectively blocking a request for using a wireless Internet service received from a user terminal, Means for receiving a web data provision request from a user terminal; Means for extracting terminal type information included in the web data provision request; Means for checking whether the extracted terminal type information corresponds to terminal type information designated in advance for blocking access; When the terminal type information corresponds to the terminal type information predetermined for the access blocking, transmits a predetermined error message to the user terminal, and the terminal type information does not correspond to the terminal type information predetermined for the access blocking. Means for transmitting web data corresponding to the web data provision request to the user terminal through a communication network; System for determining whether to allow access to a user terminal comprising a. In the program product that can be read by the user terminal is implemented programmatically implemented by the user terminal to perform the method of determining whether to allow the connection of the Internet interlocking gateway, Receiving a request for providing web data from a user terminal; Extracting terminal type information included in the web data provision request; Checking whether the extracted terminal type information corresponds to terminal type information designated in advance for blocking access; If the terminal type information corresponds to terminal type information previously designated to block access, transmitting a predetermined error message to the user terminal; If the terminal type information does not correspond to the terminal type information previously designated for blocking access, transmitting the web data corresponding to the web data provision request to the user terminal through a communication network; Program product comprising a.