
WO2010123385A1 - Identifying and tracking users in network communications - Google Patents


Info

Publication number
WO2010123385A1
WO2010123385A1 (PCT/NZ2010/000078)
Authority
WO
WIPO (PCT)
Prior art keywords
network
user
access
identifier
session
Prior art date
Application number
PCT/NZ2010/000078
Other languages
French (fr)
Inventor
Phillip Joe
Stephen Gary Simms
Original Assignee
Tomizone Limited
Application filed by Tomizone Limited
Priority to CN201080027355XA (CN102484591A)
Publication of WO2010123385A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses
    • H04L 61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Definitions

  • the invention relates to the field of network communication. More particularly, the invention relates to monitoring wireless and fixed wire access to communication networks, such as identifying users and tracking user data during Internet access.
  • ISPs must track all Internet use and record the source IP address and a usage time of every Internet session, including logon and logoff times.
  • a method of monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices including: providing a user access to the network using a client device in a session; assigning a unique network identifier to the client device and/or session and/or user of the local access network; and storing session data in a database, the session data corresponding to the unique network identifier.
  • the local access network is a private local access network.
  • the local access network is a local wireless access network.
  • the method includes providing a plurality of users and/or client devices with access to the communications network.
  • Each user and/or client device and/or session is assigned a unique network identifier and this may be stored in a database in correspondence to session data relating to the session.
  • the method includes associating the session data with the user. More preferably, the session data is associated with the user in a database by relating the session data with a unique user identifier.
  • the method includes the step of verifying the identity of the user prior to providing the user access to the network. More preferably, the step of verifying may include verifying the identity of the user remotely. The step of verifying the identity of a user may include identifying the user as a registered user of the network or other service. Alternatively, the step of verifying may include checking proof of identification of the user and storing identification details of the user in a database.
  • the method includes assigning the unique user identifier to the user.
  • the method includes storing personal user information in the database and associating the personal user information with the unique user identifier.
  • the method includes providing the user with a network access code.
  • the network access code is preferably stored in the database and associated with the unique user identifier.
  • the method includes authenticating the network access code to allow the user to access the communications network.
  • the method includes providing wireless access to the communications network via a local wireless access network.
  • the wireless access network is a Wireless Local Area Network
  • the communications network is or includes the Internet.
  • the invention provides for the ability to identify and track a plurality of users accessing, for example, the Internet through a local wireless access network.
  • the client device / session of each user is provided with a different IP address.
  • the method includes accessing any of the following items or categories of information by providing information relating to one said item or category: the unique user identifier; the unique network identifier; session data; personal user information.
  • the session data includes any one or more of: a unique network identifier; a device unique identifier; a device type identifier; a device model identifier; session start time; session end time; session duration; a device connection location; network addresses visited.
  • the unique network identifier is a publicly available identifier. More preferably, the unique network identifier is an IP address.
  • the unique network identifier is assigned to the client device and/or session by a server in a virtual network.
  • the virtual network may include routing means.
  • the virtual network may be a virtual private network (VPN) having security protection.
  • the server may be a Dynamic Host Configuration Protocol (DHCP) server.
  • the client device includes any one or more of: personal computer; laptop; personal desktop assistant (PDA); mobile telephone. Any other device having the required functionality is included within the scope of the invention.
  • a local network access module including: means for assigning a unique network identifier to a client device and/or session and/or user of a local access network ; and means for storing and/or transmitting session data corresponding to the unique network identifier in association with the unique network identifier and/or in association with a user of the client device.
  • the local access network is a private local access network.
  • the local access network is a local wireless access network.
  • the local network access module includes means for receiving the unique network identifier.
  • the local network access module includes means for storing the unique network identifier in association with session data and/or a unique user identifier.
  • a system for monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices including: means for providing a user access to the network using a client device in a session; means for assigning a unique network identifier to the client device and/or session and/or user of the local access network; and means for storing session data in a database, the session data corresponding to the unique network identifier.
  • Figure 1 is a flow chart diagram showing a method according to an embodiment of the invention
  • FIG. 2 is a schematic network diagram of an Internet access network according to one embodiment of the invention.
  • the invention provides in general terms a method and system for providing users with wired or wireless access to communications networks such as the Internet while also providing the ability to verify the identification of users and/or monitor and track usage as may be desired or even required by law in some parts of the world.
  • the invention is described in terms of providing wireless access to the Internet through a local wireless access network which is configured for use by a plurality of users and/or client devices.
  • the local wireless access network is typically private but may not be limited as such.
  • the invention may relate more generally to any communications network but has particular application to the Internet.
  • Internet will be used in this description but will be understood to include any communications network.
  • a local access network is a network to which devices connect over a small physical area such as an office, home, Internet cafe or the like.
  • the devices typically connect through a common router or hub or other common access point to the Internet, for example.
  • the connection may be wired, for example in a Local Area Network (LAN), or wireless, such as a Wireless Local Area Network (WLAN), Wi-Fi network or Wi-Fi 'hotspot'.
  • Figure 1 is a flow chart diagram showing a method according to an embodiment of the invention. More particularly, the method described in the following description is illustrated in summary in Figure 1. Not all the steps of Figure 1 are essential to the invention, as will be described below.
  • a user is not permitted wireless access to the Internet without their identification first being verified in order to be associated with their subsequent Internet session.
  • This embodiment is particularly relevant where the identity of Internet users must be verified as a legal or regulatory requirement. This step may be omitted, such as when it is deemed sufficient, for example, to identify a session as relating to a particular device.
  • a user provides personal information, which is verified in order to identify the user and thus the user is able to access the Internet, for example by opening a user account or receiving a temporary access code, as discussed further below.
  • the following methods of user identification verification are preferred according to the first embodiment of the invention, although any known method may be used.
  • a user wishing to wirelessly access the Internet through a WLAN or Wi-Fi network provides proof of identification to the operators of the Wi-Fi network or other Internet Service Provider (ISP), for example in person at a point of sale.
  • Other methods of providing proof of identification may also be used.
  • the proof of identification may include, but is not limited to, passport, driving licence, credit card, health card or any other form of photographic or personal identification.
  • the Wi-Fi operator will typically define which forms of identification are acceptable, and these may vary between operators.
  • the identity of a user is remotely pre-verified when a user account for accessing the Wi-Fi network is opened. For example, a user's credit card details may be verified against bank details to confirm the user's identity. Other forms of remote identification verification are known and may be used within the scope of the invention.
  • the identity of a user is remotely pre-verified using remote message means, such as an email or SMS message.
  • the user's email address or telephone number is provided.
  • an SMS message is sent since a telephone operator typically has its own record of customer identification information, which is required in order to activate a mobile telephone.
  • an email address can be obtained without identification.
  • personal information of the user is entered into a user database, typically via an online web interface, but alternative known means may be used.
  • the personal details of the user entered into and stored in the database preferably include a unique user identifier by which the user can be uniquely identified.
  • the unique user identifier may be generated by the system, for example as an index or code, and be associated in the database with the user's personal information.
  • Examples of the personal user information and/or unique user identifier which may be stored in the database include: name; address; contact information; username; password; personal identification number (PIN); telephone number; SIM card number; International Mobile Subscriber Identity (IMSI) number; MSISDN number; email address; tax number; passport number; credit card number; national insurance number; driving licence number; health care number; fingerprint information; retina information. Not all of this information may be required, the minimum being enough to identify the user.
  • the user is provided with a network access code which is inputted by the user as authentication to access the network.
  • the network access code may be any of the personal user information or it may be the unique user identifier, but it is preferably unique to each user. Alternatively, the network access code may consist of multiple pieces of information, such as a username and password combination.
  • the network access code is associated in a database with the unique user identifier, and hence the rest of the stored personal user information, such that the user's identity can be deduced from the network access code inputted.
  • the network access code may be in any known format, including alphanumeric strings, fingerprint data or other such information.
  • the network access code may be a temporary access code.
  • the form of the code may reflect the extent of access available, for example the duration of access.
  • the user may be provided with the network access code by any known means including, for example, in an email or SMS message. This may be sent in reply to any email or SMS sent to the Wi-Fi operator.
  • Providing the user details and receiving a network access code may at least partially constitute opening a user account or register a user as a registered user of the Wi-Fi network. As such, the user would be able to access the network again in the future, for example using the same code.
  • the user account may be the user's more conventional existing account (such as their home broadband account) with access via third party access points provided for by the invention. The user may have such remote use included within their package or separate conditions / charging may apply.
  • the code may only provide temporary access.
  • Receiving a network access code may require payment in any known form.
  • the network access code may be provided in the form of a voucher or token, for example.
  • When the user wishes to access the Wi-Fi network they input the network access code, which is authenticated against values stored in the database to verify that the user's identification is known and/or that the user is a registered user.
  • the user may provide the network access code through a web interface or other data input means such as a keypad or fingerprint scanner, for example.
  • the present invention assigns each user and/or session and/or client device a unique network identifier, typically an IP address.
  • the unique network identifier is publicly available, that is, it is available from outside the Wi-Fi network. Therefore, unlike in known systems all traffic in the Wi-Fi network does not appear to be associated with the same IP address. This is achieved in the manner discussed in the following.
  • FIG. 2 is a schematic network diagram of a local wireless access network 20 according to one embodiment of the invention.
  • a unique IP address is assigned for each user session. This is achieved by running a VPN 22 from each Wi-Fi router 23 back to a central DHCP server 24.
  • the public subnet is labelled "10.Y" in Figure 2 while the VPN is established on the subnet labelled "10.X".
  • the example addresses shown in Figure 2 are from the RFC1918 standard (Address Allocation for Private Internets), typically reserved for private network use. However, the invention is not limited in such a way. The use of these labels in Figure 2 represents an arbitrary address space which is usually public, although it may be private.
  • the dotted arrow indicates DHCP service from the DHCP server to Wi-Fi user 25.
  • the DHCP server 24 in Figure 2 has a proprietary name "Tunnel Terminator" (TT), by which it will be hereinafter referred.
  • TT 24 provides IP addresses to client devices from a centrally maintained pool. This avoids the need for IP masquerading, and ensures that each device uses a unique source IP address for the duration of the session.
  • Access to the Internet 26 by Wi-Fi devices is tracked on TT 24.
  • the TT tracks and stores session data.
  • the session data may include any one or more of: a unique network identifier, such as a source IP address; a device unique identifier, such as a hardware MAC address; a device type identifier; a device model identifier; session start time; session end time; session duration; a device connection location; network addresses visited.
  • Session accounting is preferably implemented using the Remote Authentication Dial In User Service (RADIUS) protocol, but other accounting methods may be used to send session metadata from Wi-Fi routers to the TT.
  • traffic inspections may be performed on the TT to track HTTP URL requests and other relevant user activity, and the activity may be recorded.
  • firewall rules on the TT may be used to restrict user activity.
  • the stored session data is stored in a related association with or linked to the unique user identifier, for example in a relational database in which the unique user identifier is stored.
  • the session data is also associated with the other user personal information. Therefore any of the following may be provided in order to obtain information about any others of the following: session data; unique user identifier; unique network identifier (IP address); personal user information. Therefore, session data may be used to identify which user is associated with which session.
  • the details of the session stored as session data can be used to identify and locate the user.
  • a web interface is typically provided so that authorized personnel can query user activity according to session data, for example, by source IP address and/or time of use. Other methods of analysing the user data may also be used, as will be known to one of skill in the art.
  • a company's existing processes and infrastructure may make the use of public IP addresses difficult. If so, the method may be used to match the address spaces of Wi-Fi hotspots and existing equipment, thereby allowing the use of other tracking methods such as the known methods of using proxies.
  • In a third embodiment of the invention, details of a user's Internet session are tracked. This may occur irrespective of whether or not a user's identity is verified according to the first embodiment, and whether or not a user is provisioned with a publicly routable IP address according to the second embodiment.
  • the present invention assigns each user and/or session and/or client device a unique network identifier, composed of a publicly available shared IP address and a private IP address (hereinafter called the combined identifier).
  • the shared network identifier is publicly available, that is, it is available from outside the Wi-Fi network.
  • User devices are preferably each assigned a private IP address. This is preferably performed by the router used by these devices to connect to external networks. The router preferably performs IP masquerading to share the public IP address among the user devices.
  • In order to track user activity where IP masquerading is used to share a single public IP address between multiple user devices, details of each connection opened by the user are sent to the service platform, where they are recorded in a database (hereinafter called the connection database).
  • For every TCP connection that is opened, the time of access, the combined identifier, and the IP address of the service that is being accessed are recorded in the connection database. Further identifying details, such as (but not limited to) the source and destination port, may be recorded.
  • the IP address of the service being accessed is looked up in the connection database.
  • the time that the connection was made is used to identify specific connection records in the connection database, and the user is determined given the related combined identifier.
  • the invention may be embodied as hardware or software solutions, or in a combination of the two.
  • software embodying the invention may be run on existing wireless network hardware.
  • a new piece of hardware, such as a module or other unit may be added to a wireless network which provides for the invention.
  • components of the invention may be concentrated or distributed throughout a network as desired.
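The second embodiment (one public IP per session leased from the TT's central pool, looked up by source IP and time) and the third embodiment (a shared public IP behind a masquerading router, with a connection database keyed by the combined identifier and looked up by destination IP and time) both reduce to a few records and two queries. The following Python model is an added example written for this page; it is not the patent's or Tomizone's code. The class and function names, the in-memory lists standing in for the relational database, the user identifiers and the addresses (documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, plus RFC1918 10.0.0.0/8) are all constructed for illustration.

```python
"""Added example (not the patent's or Tomizone's code): an in-memory model of
the session and connection records of the second and third embodiments, with
the two lookups an operator would answer. Names and addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    user_id: str               # unique user identifier; personal details live in the user table
    public_ip: str             # unique network identifier (2nd embodiment) or shared public IP (3rd)
    private_ip: Optional[str]  # RFC1918 address handed out by the router; None when there is no NAT
    device_mac: str            # device unique identifier
    start: int                 # logon time, epoch seconds
    end: Optional[int] = None  # logoff time; None while the session is open


@dataclass
class Connection:
    """One row of the connection database (third embodiment)."""
    time: int
    public_ip: str
    private_ip: str   # together with public_ip this is the "combined identifier"
    dst_ip: str
    src_port: int
    dst_port: int


class TrackingDB:
    def __init__(self, pool: List[str]):
        self.pool = list(pool)                  # centrally maintained pool on the TT
        self.sessions: List[Session] = []
        self.connections: List[Connection] = []

    def logon_unique_ip(self, user_id: str, device_mac: str, now: int) -> Session:
        """Second embodiment: lease an address that no open session is using."""
        in_use = {s.public_ip for s in self.sessions if s.end is None}
        for ip in self.pool:
            if ip not in in_use:
                session = Session(user_id, ip, None, device_mac, now)
                self.sessions.append(session)
                return session
        raise RuntimeError("pool exhausted: refuse logon rather than share an address")

    def logon_shared_ip(self, user_id: str, device_mac: str,
                        public_ip: str, private_ip: str, now: int) -> Session:
        """Third embodiment: the router masquerades; record the combined identifier."""
        for s in self.sessions:
            if s.end is None and (s.public_ip, s.private_ip) == (public_ip, private_ip):
                raise RuntimeError("combined identifier already in use")
        session = Session(user_id, public_ip, private_ip, device_mac, now)
        self.sessions.append(session)
        return session

    def logoff(self, session: Session, now: int) -> None:
        session.end = now   # a RADIUS Accounting-Stop would carry this in practice

    def record_connection(self, conn: Connection) -> None:
        self.connections.append(conn)

    def _session_at(self, t: int, public_ip: str,
                    private_ip: Optional[str] = None) -> Optional[Session]:
        for s in self.sessions:
            if (s.public_ip, s.private_ip) == (public_ip, private_ip) \
                    and s.start <= t and (s.end is None or t < s.end):
                return s
        return None

    def user_by_source(self, public_ip: str, t: int) -> Optional[str]:
        """Second-embodiment query: source IP and time of use -> user."""
        s = self._session_at(t, public_ip)
        return s.user_id if s else None

    def user_by_destination(self, dst_ip: str, t: int, public_ip: str,
                            src_port: Optional[int] = None, window: int = 0) -> List[str]:
        """Third-embodiment query: destination IP, time and shared public IP -> users.
        Every candidate is returned: two devices behind one address can reach the same
        service in the same second, and only the source port separates them."""
        users = set()
        for c in self.connections:
            if c.dst_ip != dst_ip or c.public_ip != public_ip or abs(c.time - t) > window:
                continue
            if src_port is not None and c.src_port != src_port:
                continue
            s = self._session_at(c.time, c.public_ip, c.private_ip)
            if s is not None:
                users.add(s.user_id)
        return sorted(users)


def build_demo() -> TrackingDB:
    """Constructed scenario: three hotspot users with unique public IPs, then two behind NAT."""
    db = TrackingDB(pool=["203.0.113.10", "203.0.113.11"])
    first = db.logon_unique_ip("user-0001", "aa:bb:cc:00:00:01", now=1000)
    db.logon_unique_ip("user-0002", "aa:bb:cc:00:00:02", now=1005)
    db.logoff(first, now=2000)
    db.logon_unique_ip("user-0003", "aa:bb:cc:00:00:03", now=2100)   # reuses 203.0.113.10
    db.logon_shared_ip("user-0004", "aa:bb:cc:00:00:04", "198.51.100.7", "10.0.0.2", now=3000)
    db.logon_shared_ip("user-0005", "aa:bb:cc:00:00:05", "198.51.100.7", "10.0.0.3", now=3000)
    db.record_connection(Connection(3100, "198.51.100.7", "10.0.0.2", "192.0.2.44", 50001, 443))
    db.record_connection(Connection(3100, "198.51.100.7", "10.0.0.3", "192.0.2.44", 50002, 443))
    return db


if __name__ == "__main__":
    db = build_demo()
    print(db.user_by_source("203.0.113.10", 1500))                      # user-0001
    print(db.user_by_source("203.0.113.10", 2500))                      # user-0003
    print(db.user_by_destination("192.0.2.44", 3100, "198.51.100.7"))   # both NAT users
```

Two points the model makes visible: the source-IP lookup must be bounded by session start and end, because the TT hands a released address to the next session (here 203.0.113.10 passes from user-0001 to user-0003), and the destination-IP lookup of the third embodiment yields every device behind the shared address that touched the service at that time, which is exactly the "does not guarantee a unique match" weakness the background attributes to proxy-based tracking unless the source port is recorded as well. The `window` parameter stands in for clock skew between router and platform; it should be as small as the accounting timestamps allow.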


Abstract

The invention provides a method and system for providing users with wired or wireless access to communications networks such as the Internet while also providing the ability to verify the identification of users and/or monitor and track usage, as may be required by law in some parts of the world.

Description

IDENTIFYING AND TRACKING USERS IN NETWORK COMMUNICATIONS
Field of invention
The invention relates to the field of network communication. More particularly, the invention relates to monitoring wireless and fixed wire access to communication networks, such as identifying users and tracking user data during Internet access.
Background to the invention
Many locations and businesses provide members of the public or customers with the ability to access communications networks such as the Internet in a wired or wireless manner.
Some countries have strict "cyber laws" governing Internet services and usage, and the lawful interception, logging and reporting of Internet usage. For example, in India, the Information Technology Act 2000 forms the legal code for cyber laws in India.
Typically, regulatory authorities implementing such cyber laws have two main recommended requirements:
Internet Service Providers (ISPs) must verify the identity of their Internet users for every Internet session. This requirement may be referred to as Know Your Customer (KYC);
ISPs must track all Internet use and record the source IP address and a usage time of every Internet session, including logon and logoff times.
The regulatory authorities often require a link between a user session and user identity to be recorded. In some countries, the URL logs showing websites visited during the session may be required also. In India for instance, the ability to track, record and access this sort of user access information is known as Cyber Law Compliance (CLC). In addition, some cyber laws require particulars of the device used to access the Internet to be tracked and recorded.
These requirements present considerable challenges to retail or public Internet service providers like Internet Cafes, Wi-Fi hotspot and Metro Wi-Fi providers. Traditional methods of providing these services do not allow providers to track and record the necessary information.
Traditionally, such providers resell a single Internet connection provided by an ISP, with a single public IP address, to their customers. End user devices such as Wi-Fi devices are allocated a dynamic internal network IP address on the internal Local Area Network (LAN) using the Dynamic Host Configuration Protocol (DHCP). Traffic to addresses outside the LAN is routed using IP masquerading with the result that all traffic appears to be coming from the same single public IP address.
Previously there has been no easy way to uniquely identify individuals and devices by the source address of their traffic because the source IP address is common to all concurrent users of the service. In a Wi-Fi Hotspot set-up, for example, users could not be tracked to comply with CLC or KYC requirements and it would at best be possible to trace session activity to the single public IP address and possibly separately have a record of all the people who have used said single public IP address. Tracking users at device level to identify users on a Wi-Fi Hotspot provided privately or publicly has been difficult, if at all possible. However, increasingly, regulatory authorities require more information such as destination addresses for each use.
One known method used by some providers attempting to address the above problems is by placing a proxy between their customers and the Internet. This usually allows the providers to identify a customer given a time and a destination IP address in addition to the source IP address. This solution is problematic in that it requires the authorities to provide a destination address, does not guarantee a unique match, and restricts the protocols customers can use to those that can be proxied.
Object of the Invention
It is an object of the invention to provide an improved method and/or apparatus and/or system for identifying users and tracking user data in communication networks.
Alternatively, it is an object to provide a method and/or apparatus and/or system which conforms to at least some of the regulatory requirements of some communication networks.
Alternatively, it is an object of the invention to at least provide the public with a useful choice.
Summary of the invention
According to a first aspect of the invention, there is provided a method of monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices including: providing a user access to the network using a client device in a session; assigning a unique network identifier to the client device and/or session and/or user of the local access network; and storing session data in a database, the session data corresponding to the unique network identifier.
Preferably, the local access network is a private local access network.
Preferably, the local access network is a local wireless access network.
Preferably, the method includes providing a plurality of users and/or client devices with access to the communications network. Each user and/or client device and/or session is assigned a unique network identifier and this may be stored in a database in correspondence to session data relating to the session.
Preferably, the method includes associating the session data with the user. More preferably, the session data is associated with the user in a database by relating the session data with a unique user identifier.
Preferably, the method includes the step of verifying the identity of the user prior to providing the user access to the network. More preferably, the step of verifying may include verifying the identity of the user remotely. The step of verifying the identity of a user may include identifying the user as a registered user of the network or other service. Alternatively, the step of verifying may include checking proof of identification of the user and storing identification details of the user in a database.
Preferably, the method includes assigning the unique user identifier to the user.
Preferably, the method includes storing personal user information in the database and associating the personal user information with the unique user identifier.
Preferably, the method includes providing the user with a network access code. The network access code is preferably stored in the database and associated with the unique user identifier. Preferably, the method includes authenticating the network access code to allow the user to access the communications network.
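One way to store and authenticate the network access code described here, as an added example that is not the patent's or Tomizone's code: the store keeps only a keyed hash of each issued code, ties it to the unique user identifier, and honours an optional expiry for temporary codes. `AccessCodeStore`, `issue_code`, `authenticate`, `revoke` and the server key are assumptions of this example, not names from the page.

```python
"""Added example (not the patent's code): storage and authentication of the
network access code that links a user to the unique user identifier."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AccessCodeRecord:
    user_id: str                # unique user identifier, the key into the personal-information table
    expires_at: Optional[int]   # epoch seconds; None for a standing account code


class AccessCodeStore:
    """Holds keyed hashes of issued codes; the codes themselves are never stored."""

    def __init__(self, server_key: bytes):
        # Assumption: the key is kept outside the database (config vault, KMS, HSM).
        self._key = server_key
        self._records: Dict[str, AccessCodeRecord] = {}

    def _digest(self, code: str) -> str:
        # Keyed hash: a leaked table cannot be turned back into valid codes without the key.
        return hmac.new(self._key, code.encode("utf-8"), hashlib.sha256).hexdigest()

    def issue_code(self, user_id: str, expires_at: Optional[int] = None) -> str:
        # 16 hex characters = 64 bits of randomness; an "alphanumeric string" in the page's terms.
        code = secrets.token_hex(8).upper()
        self._records[self._digest(code)] = AccessCodeRecord(user_id, expires_at)
        return code   # delivered to the user out of band (e-mail, SMS, printed voucher)

    def authenticate(self, code: str, now: int) -> Optional[str]:
        """Return the unique user identifier the code resolves to, or None."""
        rec = self._records.get(self._digest(code.strip().upper()))
        if rec is None:
            return None
        if rec.expires_at is not None and now >= rec.expires_at:
            return None   # temporary code has lapsed
        return rec.user_id

    def revoke(self, code: str) -> bool:
        """Invalidate a code (lost voucher, closed account); True if it existed."""
        return self._records.pop(self._digest(code.strip().upper()), None) is not None
```

A keyed HMAC lookup is appropriate only because the system issues these codes with high entropy; for the username-and-password alternative the page also allows, a user-chosen secret must instead be stored with a slow salted hash (PBKDF2, scrypt or Argon2) and verified with a constant-time comparison. The value `authenticate` returns is the unique user identifier, which is what the session record should store so that session data never has to carry the code or any personal information itself.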
Preferably, the method includes providing wireless access to the communications network via a local wireless access network. Preferably, the wireless access network is a Wireless Local Area Network (WLAN) or Wi-Fi network or any other type of network which may be provided to allow multiple users to wirelessly access a communications network, for example at a wireless 'hotspot'. Preferably, the communications network is or includes the Internet.
Thus, the invention provides for the ability to identify and track a plurality of users accessing, for example, the Internet through a local wireless access network. For example, the client device / session of each user is provided with a different IP address.
Preferably, the method includes accessing any of the following items or categories of information by providing information relating to one said item or category: the unique user identifier; the unique network identifier; session data; personal user information.
Preferably, the session data includes any one or more of: a unique network identifier; a device unique identifier; a device type identifier; a device model identifier; session start time; session end time; session duration; a device connection location; network addresses visited.
Preferably, the unique network identifier is a publicly available identifier. More preferably, the unique network identifier is an IP address.
Preferably, the unique network identifier is assigned to the client device and/or session by a server in a virtual network. The virtual network may include routing means. The virtual network may be a virtual private network (VPN) having security protection. The server may be a Dynamic Host Configuration Protocol (DHCP) server.
Preferably, the client device includes any one or more of: personal computer; laptop; personal desktop assistant (PDA); mobile telephone. Any other device having the required functionality is included within the scope of the invention.
According to a second aspect of the invention, there is provided a local network access module including: means for assigning a unique network identifier to a client device and/or session and/or user of a local access network ; and means for storing and/or transmitting session data corresponding to the unique network identifier in association with the unique network identifier and/or in association with a user of the client device.
Preferably, the local access network is a private local access network. Preferably, the local access network is a local wireless access network.
Preferably, the local network access module includes means for receiving the unique network identifier.
Preferably, the local network access module includes means for storing the unique network identifier in association with session data and/or a unique user identifier.
According to a third aspect of the invention, there is provided a system for monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices including: means for providing a user access to the network using a client device in a session; means for assigning a unique network identifier to the client device and/or session and/or user of the local access network; and means for storing session data in a database, the session data corresponding to the unique network identifier.
Other aspects of the system of the invention are analogous to features of the method of the invention. As will be apparent to those skilled in the art, the placement and level of concentration (or conversely distribution) of components of the system may be varied as required with known communications means being used to facilitate transfer of data therebetween.
Further aspects of the invention, which should be considered in all its novel aspects, will become apparent to those skilled in the art upon reading of the following description which provides at least one example of a practical application of the invention, as well as the claims appended hereto.
Brief Description of the Drawings
One or more embodiments of the invention will be described below by way of example only, and without intending to be limiting, with reference to the following drawings, in which:
Figure 1 is a flow chart diagram showing a method according to an embodiment of the invention;
Figure 2 is a schematic network diagram of an Internet access network according to one embodiment of the invention.
Brief Description of Preferred Embodiments of the Invention
The invention provides in general terms a method and system for providing users with wired or wireless access to communications networks such as the Internet while also providing the ability to verify the identification of users and/or monitor and track usage as may be desired or even required by law in some parts of the world.
In the following description, the invention is described in terms of providing wireless access to the Internet through a local wireless access network which is configured for use by a plurality of users and/or client devices. The local wireless access network is typically private but may not be limited as such. The invention may relate more generally to any communications network but has particular application to the Internet. For ease of reference, therefore, the term "Internet" will be used in this description but will be understood to include any communications network.
The invention is mainly described in terms of wireless access in the embodiments below, but is also applicable to wired access, as will be known to one of skill in the art. A local access network is a network to which devices connect over a small physical area such as an office, home, Internet cafe or the like. The devices typically connect through a common router or hub or other common access point to the Internet, for example. The connection may be wired, for example in a Local Area Network (LAN), or wireless, such as a Wireless Local Area Network (WLAN), Wi-Fi network or Wi-Fi 'hotspot'. Where the term "Wi-Fi network" is used in this description it will be appreciated that the invention may also be applied to other local wireless access networks.
Figure 1 is a flow chart diagram showing a method according to an embodiment of the invention. More particularly, the method described in the following description is illustrated in summary in Figure 1. Not all the steps of Figure 1 are essential to the invention, as will be described below.
In a first embodiment of the invention, a user is not permitted wireless access to the Internet without their identification first being verified in order to be associated with their subsequent Internet session. This embodiment is particularly relevant where the identity of Internet users must be verified as a legal or regulatory requirement. This step may be omitted, such as when it is deemed sufficient, for example, to identify a session as relating to a particular device. In general, a user provides personal information, which is verified in order to identify the user and thus the user is able to access the Internet, for example by opening a user account or receiving a temporary access code, as discussed further below. The following methods of user identification verification are preferred according to the first embodiment of the invention, although any known method may be used.
In one method, a user wishing to wirelessly access the Internet through a WLAN or Wi-Fi network provides proof of identification to the operators of the Wi-Fi network or other Internet Service Provider (ISP), for example in person at a point of sale. Other methods of providing proof of identification may also be used. The proof of identification may include, but is not limited to, passport, driving licence, credit card, health card or any other form of photographic or personal identification. The Wi-Fi operator will typically define which forms of identification are acceptable, and these may vary between operators.
In another method, the identity of a user is remotely pre-verified when a user account for accessing the Wi-Fi network is opened. For example, a user's credit card details may be verified against bank details to confirm the user's identity. Other forms of remote identification verification are known and may be used within the scope of the invention.
In an alternative method, the identity of a user is remotely pre-verified using remote message means, such as an email or SMS message. By sending a remote message to the ISP or Wi-Fi operator, the user's email address or telephone number is provided. In a preferred embodiment, an SMS message is sent since a telephone operator typically has its own record of customer identification information, which is required in order to activate a mobile telephone. In contrast, an email address can be obtained without identification.
Once a user's identification has been verified, personal information of the user is entered into a user database, typically via an online web interface, but alternative known means may be used. The personal details of the user entered into and stored in the database preferably include a unique user identifier by which the user can be uniquely identified. Alternatively, the unique user identifier may be generated by the system, for example as an index or code, and be associated in the database with the user's personal information.
Examples of the personal user information and/or unique user identifier which may be stored in the database include: name; address; contact information; username; password; personal identification number (PIN); telephone number; SIM card number; International Mobile Subscriber Identity (IMSI) number; MSISDN number; email address; tax number; passport number; credit card number; national insurance number; driving licence number; health care number; fingerprint information; retina information. Not all of this information may be required, the minimum being enough to identify the user.
The user is provided with a network access code which is inputted by the user as authentication to access the network. The network access code may be any of the personal user information or it may be the unique user identifier, but it is preferably unique to each user. Alternatively, the network access code may consist of multiple pieces of information, such as a username and password combination. The network access code is associated in a database with the unique user identifier, and hence the rest of the stored personal user information, such that the user's identity can be deduced from the network access code inputted.
The network access code may be in any known format, including alphanumeric strings, fingerprint data or other such information. The network access code may be a temporary access code. The form of the code may reflect the extent of access available, for example the duration of access.
The user may be provided with the network access code by any known means including, for example, in an email or SMS message. This may be sent in reply to any email or SMS sent to the Wi-Fi operator.
Providing the user details and receiving a network access code may at least partially constitute opening a user account or registering a user as a registered user of the Wi-Fi network. As such, the user would be able to access the network again in the future, for example using the same code. According to one embodiment, the user account may be the user's more conventional existing account (such as their home broadband account), with access via third party access points provided for by the invention. The user may have such remote use included within their package, or separate conditions / charging may apply. Alternatively, as mentioned above, the code may only provide temporary access. Receiving a network access code may require payment in any known form. The network access code may be provided in the form of a voucher or token, for example.
When the user wishes to access the Wi-Fi network they input the network access code, which is authenticated against values stored in the database to verify that the user's identity is known and/or that the user is a registered user. The user may provide the network access code through a web interface or other data input means such as a keypad or fingerprint scanner, for example. Once the user has been authenticated, access to the Internet is provided and a session is established.
There is now described a second embodiment of the invention in which the details of a user's Internet session are tracked. This occurs irrespective of whether or not a user's identity is verified according to the first embodiment.
In order to track a user session, the present invention assigns each user and/or session and/or client device a unique network identifier, typically an IP address. The unique network identifier is publicly available, that is, it is visible from outside the Wi-Fi network. Therefore, unlike in known systems, not all traffic from the Wi-Fi network appears to originate from the same IP address. This is achieved in the manner discussed in the following.
Figure 2 is a schematic network diagram of a local wireless access network 20 according to one embodiment of the invention. In order to track user sessions, a unique IP address is assigned for each user session. This is achieved by running a VPN 22 from each Wi-Fi router 23 back to a central DHCP server 24. The public subnet is labelled "10.Y" in Figure 2 while the VPN is established on the subnet labelled "10.X". The example addresses shown in Figure 2 are from the RFC1918 standard (Address Allocation for Private Internets), typically reserved for private network use. However, the invention is not limited in such a way. The use of these labels in Figure 2 represents an arbitrary address space which is usually public, although it may be private.
The dotted arrow indicates DHCP service from the DHCP server to Wi-Fi user 25. The DHCP server 24 in Figure 2 has a proprietary name "Tunnel Terminator" (TT), by which it will be hereinafter referred. TT 24 provides IP addresses to client devices from a centrally maintained pool. This avoids the need for IP masquerading, and ensures that each device uses a unique source IP address for the duration of the session.
Access to the Internet 26 by Wi-Fi devices is tracked on TT 24. When a session is established the TT tracks and stores session data. The session data may include any one or more of: a unique network identifier, such as a source IP address; a device unique identifier, such as a hardware MAC address; a device type identifier; a device model identifier; session start time; session end time; session duration; a device connection location; network addresses visited. Session accounting is preferably implemented using the Remote Authentication Dial In User Service (RADIUS) protocol, but other accounting methods may be used to send session metadata from Wi-Fi routers to the TT. Optionally, traffic inspection may be performed on the TT to track HTTP URL requests and other relevant user activity, and the activity may be recorded. Optionally, firewall rules on the TT may be used to restrict user activity.
The session data is stored in association with, or linked to, the unique user identifier, for example in a relational database in which the unique user identifier is also stored. As a result, the session data is also associated with the other personal user information. Therefore any of the following may be provided in order to obtain information about any of the others: session data; unique user identifier; unique network identifier (IP address); personal user information. Session data may thus be used to identify which user is associated with which session. Advantageously, if a user has accessed the network in a fraudulent, illegal or otherwise inappropriate manner, the details of the session stored as session data can be used to identify and locate the user.
A web interface is typically provided so that authorized personnel can query user activity according to session data, for example, by source IP address and/or time of use. Other methods of analysing the user data may also be used, as will be known to one of skill in the art.
In some cases, a company's existing processes and infrastructure may make the use of public IP addresses difficult. If so, the method may be used to match the address spaces of Wi-Fi hotspots and existing equipment, thereby allowing the use of other tracking methods such as the known methods of using proxies.
In a third embodiment of the invention, details of a user's internet session are tracked. This may occur irrespective of whether or not a user's identity is verified according to the first embodiment, and whether or not a user is provisioned with a publicly routable IP address according to the second embodiment.
In order to track a user session, the present invention assigns each user and/or session and/or client device a unique network identifier, composed of a publicly available shared IP address and a private IP address (hereinafter called the combined identifier). The shared network identifier is publicly available, that is, it is available from outside the Wi-Fi network. User devices are preferably each assigned a private IP address. This is preferably performed by the router used by these devices to connect to external networks. The router preferably performs IP masquerading to share the public IP address among the user devices.
In order to track user activity where IP masquerading is used to share a single public IP address between multiple user devices, details of each connection opened by the user are sent to the service platform, where they are recorded in a database (hereinafter called the connection database).
For every TCP connection that is opened, the time of access, the combined identifier, and the IP address of the service that is being accessed are recorded in the connection database. Further identifying details, such as (but not limited to) the source and destination port, may be recorded.
In order to identify the user who accessed a particular service, the IP address of the service being accessed is looked up in the connection database. The time that the connection was made is used to identify specific connection records in the connection database, and the user is determined given the related combined identifier.
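The two lookups described above, the per-session public IP of the second embodiment and the combined identifier of the third embodiment, as an added example that is not part of the patent: a minimal sqlite3 model of the user, session and connection databases, with constructed sample records. Table names, column names and the sample addresses are my own assumptions; timestamps are ISO 8601 UTC strings so that string comparison orders them correctly.

```python
import sqlite3

# Added example, not the patent's own code. Schema and names are assumptions.
SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT NOT NULL, msisdn TEXT);
CREATE TABLE sessions (
    session_id TEXT PRIMARY KEY,
    user_id    TEXT NOT NULL REFERENCES users(user_id),
    public_ip  TEXT NOT NULL,   -- unique network identifier, or the shared NAT address
    private_ip TEXT,            -- NULL unless IP masquerading is in use (third embodiment)
    mac        TEXT,            -- device unique identifier
    start_ts   TEXT NOT NULL,   -- ISO 8601 UTC; lexical order == time order
    end_ts     TEXT             -- NULL while the session is still open
);
CREATE TABLE connections (      -- one row per TCP connection (third embodiment)
    ts TEXT NOT NULL, public_ip TEXT NOT NULL, private_ip TEXT NOT NULL,
    dest_ip TEXT NOT NULL, src_port INTEGER, dst_port INTEGER
);
"""

# Constructed sample data (documentation-range addresses, fictitious users).
USERS = [("U1001", "Alice Example", "+64-21-000-0001"),
         ("U1002", "Bob Example", "+64-21-000-0002")]
SESSIONS = [
    # Second embodiment: each session holds its own public source IP.
    ("S1", "U1001", "203.0.113.10", None, "aa:bb:cc:00:00:01",
     "2010-04-23T10:00:00", "2010-04-23T11:00:00"),
    ("S2", "U1002", "203.0.113.11", None, "aa:bb:cc:00:00:02",
     "2010-04-23T10:30:00", None),
    # Third embodiment: two devices masqueraded behind the shared 203.0.113.50.
    ("S3", "U1001", "203.0.113.50", "10.0.0.3", "aa:bb:cc:00:00:03",
     "2010-04-23T12:00:00", "2010-04-23T13:00:00"),
    ("S4", "U1002", "203.0.113.50", "10.0.0.4", "aa:bb:cc:00:00:04",
     "2010-04-23T12:00:00", "2010-04-23T13:00:00"),
]
CONNECTIONS = [
    ("2010-04-23T12:15:00", "203.0.113.50", "10.0.0.3", "198.51.100.7", 51000, 443),
    ("2010-04-23T12:15:30", "203.0.113.50", "10.0.0.4", "198.51.100.9", 51001, 80),
]


def build_db():
    """Create the in-memory database and load the constructed records."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    db.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SESSIONS)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?)", CONNECTIONS)
    return db


def users_for_source_ip(db, ip, ts):
    """Second embodiment: which user held public source IP `ip` at time `ts`?
    Only sessions with a unique (non-masqueraded) address are attributable this
    way; an address shared through NAT yields no rows and needs the connection
    database instead. Returns a list of (session_id, user_id, name)."""
    return db.execute(
        """SELECT s.session_id, u.user_id, u.name
           FROM sessions s JOIN users u ON u.user_id = s.user_id
           WHERE s.public_ip = ? AND s.private_ip IS NULL
             AND s.start_ts <= ? AND (s.end_ts IS NULL OR ? <= s.end_ts)
           ORDER BY s.start_ts""", (ip, ts, ts)).fetchall()


def users_for_destination(db, dest_ip, ts_from, ts_to):
    """Third embodiment: who connected to `dest_ip` within [ts_from, ts_to]?
    The connection's combined identifier (public IP + private IP) is joined to
    the session that owned it at that instant, then to the user record.
    Returns a list of (ts, combined_id, user_id, name, dst_port); several rows
    mean the query window is too wide to single out one user."""
    return db.execute(
        """SELECT c.ts, c.public_ip || '/' || c.private_ip AS combined_id,
                  u.user_id, u.name, c.dst_port
           FROM connections c
           JOIN sessions s ON s.public_ip = c.public_ip AND s.private_ip = c.private_ip
                          AND s.start_ts <= c.ts AND (s.end_ts IS NULL OR c.ts <= s.end_ts)
           JOIN users u ON u.user_id = s.user_id
           WHERE c.dest_ip = ? AND c.ts BETWEEN ? AND ?
           ORDER BY c.ts""", (dest_ip, ts_from, ts_to)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(users_for_source_ip(db, "203.0.113.10", "2010-04-23T10:30:00"))
    print(users_for_source_ip(db, "203.0.113.50", "2010-04-23T12:30:00"))  # shared IP: []
    print(users_for_destination(db, "198.51.100.7",
                                "2010-04-23T12:00:00", "2010-04-23T12:59:59"))
```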
The invention may be embodied as hardware or software solutions, or in a combination of the two. For example, software embodying the invention may be run on existing wireless network hardware. Alternatively, a new piece of hardware, such as a module or other unit, may be added to a wireless network which provides for the invention. As will be appreciated by those skilled in the art, components of the invention (including databases) may be concentrated or distributed throughout a network as desired.
Reference to any prior art in this specification is not, and should not be taken as, an acknowledgement or any form of suggestion that that prior art forms part of the common general knowledge in the field of endeavour in any country in the world.
Wherein the foregoing description reference has been made to integers or components having known equivalents thereof, those integers are herein incorporated as if individually set forth.
It should be noted that various changes and modifications to the presently preferred embodiments described herein will be apparent to those skilled in the art. Such changes and modifications may be made without departing from the spirit and scope of the invention and without diminishing its attendant advantages. It is therefore intended that such changes and modifications be included within the present invention.

Claims

1. A method of monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices in one or more sessions, the method including: providing one or more users access to the network using a respective client device in a session; assigning a respective unique network identifier to the or each client device and/or session and/or user of the local access network; and storing respective session data in a database, the session data corresponding to the respective unique network identifier.
2. The method of claim 1, including associating session data with a respective said user.
3. The method of claim 1 or claim 2, including verifying an identity of a said user prior to providing access to the network.
4. The method of any one of the preceding claims, including: storing respective personal user information in a database; and associating the personal user information with a respective unique user identifier.
5. The method of any one of the preceding claims, including: providing a said user with a respective network access code; and authenticating the network access code to allow the user to access the communications network.
6. The method of any one of the preceding claims, including providing wired or wireless access to the communications network via a local area network.
7. The method of any one of the preceding claims, including providing a client device and/or a session of the or each user with a different IP address.
8. The method of any one of the preceding claims, including accessing any one or more of the following items or categories of information by providing information relating to one or more said item or category: the unique user identifier; the unique network identifier; session data; personal user information.
9. The method of any one of the preceding claims, wherein the session data includes any one or more of: a unique network identifier; a device unique identifier; a device type identifier; a device model identifier; session start time; session end time; session duration; a device connection location; network addresses visited.
10. The method of any one of the preceding claims, wherein the unique network identifier includes or is an IP address.
11. The method of any one of the preceding claims, wherein the unique network identifier includes a first identifier that is a publicly available IP address that is viewable external to the local access network.
12. The method of any one of the preceding claims, wherein the unique network identifier includes a second identifier that is a private IP address, access to which is restricted.
13. A local network access module including: means for assigning or receiving a unique network identifier for a client device and/or session and/or user of a local access network; and means for storing and/or transmitting session data corresponding to the unique network identifier in association with the unique network identifier and/or in association with a user of the client device and/or in association with the client device.
14. A system for monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices, the system including: the module of claim 13; and/or means adapted to implement the method of any one of claims 1 to 12.
15. A method of monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices in one or more sessions substantially as hereinbefore described with reference to the drawings.
16. A local network access module substantially as hereinbefore described with reference to the drawings.
17. A system for monitoring access to a communications network through a local access network configured for use by a plurality of users and/or client devices substantially as hereinbefore described with reference to the drawings.
PCT/NZ2010/000078 2009-04-24 2010-04-23 Identifying and tracking users in network communications WO2010123385A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201080027355XA CN102484591A (en) 2009-04-24 2010-04-23 Identifying and tracking users in network communications

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
NZ57652609 2009-04-24
NZ576526 2009-04-24

Publications (1)

Publication Number Publication Date
WO2010123385A1 true WO2010123385A1 (en) 2010-10-28

Family

ID=43011299

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/NZ2010/000078 WO2010123385A1 (en) 2009-04-24 2010-04-23 Identifying and tracking users in network communications

Country Status (2)

Country Link
CN (1) CN102484591A (en)
WO (1) WO2010123385A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130232560A1 (en) * 2010-11-24 2013-09-05 Adisseo France S.A.S. Method, device and system for verifying communication sessions
WO2014144602A1 (en) * 2013-03-15 2014-09-18 Intel Corporation Reducing authentication confidence over time based on user history
US9137247B2 (en) 2013-03-15 2015-09-15 Intel Corporation Technologies for secure storage and use of biometric authentication information
US9160730B2 (en) 2013-03-15 2015-10-13 Intel Corporation Continuous authentication confidence module
CN105025081A (en) * 2011-06-30 2015-11-04 尼尔森(美国)有限公司 Methods, and apparatus to monitor mobile internet activity
WO2018035863A1 (en) * 2016-08-26 2018-03-01 Cheng Raymond Shu Kwok A technique for allowing registered mobile users of the same or different social networks in the vicinity to use mobile devices of the same or different operation system to identify each other and exchange business information
US20180343317A1 (en) * 2017-05-26 2018-11-29 Microsoft Technology Licensing, Llc Discovery Of Network Device Roles Based On Application Level Protocol Parsing In Organizational Environments
US10505894B2 (en) 2016-10-13 2019-12-10 Microsoft Technology Licensing, Llc Active and passive method to perform IP to name resolution in organizational environments
US12095877B2 (en) 2014-10-31 2024-09-17 The Nielsen Company (Us), Llc Methods and apparatus to improve usage crediting in mobile devices

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104144092A (en) * 2013-12-03 2014-11-12 国家电网公司 Automatic access method of LAN terminal

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030154398A1 (en) * 2002-02-08 2003-08-14 Eaton Eric Thomas System for providing continuity between session clients and method therefor
US7281059B2 (en) * 2000-09-08 2007-10-09 Samsung Electronics Co., Ltd. Method for using a unique IP address in a private IP address domain
US20080060064A1 (en) * 2006-09-06 2008-03-06 Devicescape Software, Inc. Systems and methods for obtaining network access

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130232560A1 (en) * 2010-11-24 2013-09-05 Adisseo France S.A.S. Method, device and system for verifying communication sessions
US9444801B2 (en) * 2010-11-24 2016-09-13 Alcatel Lucent Method, device and system for verifying communication sessions
CN105025081A (en) * 2011-06-30 2015-11-04 尼尔森(美国)有限公司 Methods, and apparatus to monitor mobile internet activity
US9762566B2 (en) 2013-03-15 2017-09-12 Intel Corporation Reducing authentication confidence over time based on user history
US9160730B2 (en) 2013-03-15 2015-10-13 Intel Corporation Continuous authentication confidence module
US9137247B2 (en) 2013-03-15 2015-09-15 Intel Corporation Technologies for secure storage and use of biometric authentication information
US9590966B2 (en) 2013-03-15 2017-03-07 Intel Corporation Reducing authentication confidence over time based on user history
US9628478B2 (en) 2013-03-15 2017-04-18 Intel Corporation Technologies for secure storage and use of biometric authentication information
WO2014144602A1 (en) * 2013-03-15 2014-09-18 Intel Corporation Reducing authentication confidence over time based on user history
US9871779B2 (en) 2013-03-15 2018-01-16 Intel Corporation Continuous authentication confidence module
US10009327B2 (en) 2013-03-15 2018-06-26 Intel Corporation Technologies for secure storage and use of biometric authentication information
US12095877B2 (en) 2014-10-31 2024-09-17 The Nielsen Company (Us), Llc Methods and apparatus to improve usage crediting in mobile devices
WO2018035863A1 (en) * 2016-08-26 2018-03-01 Cheng Raymond Shu Kwok A technique for allowing registered mobile users of the same or different social networks in the vicinity to use mobile devices of the same or different operation system to identify each other and exchange business information
CN108476377A (en) * 2016-08-26 2018-08-31 郑树国 Technology for mutually identifying and exchanging business information of mobile devices of same or different operating systems by adjacent mobile users registered under same or different social networks
US10505894B2 (en) 2016-10-13 2019-12-10 Microsoft Technology Licensing, Llc Active and passive method to perform IP to name resolution in organizational environments
US20180343317A1 (en) * 2017-05-26 2018-11-29 Microsoft Technology Licensing, Llc Discovery Of Network Device Roles Based On Application Level Protocol Parsing In Organizational Environments

Also Published As

Publication number Publication date
CN102484591A (en) 2012-05-30

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201080027355.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10767362

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10767362

Country of ref document: EP

Kind code of ref document: A1