(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2002/0188725 A1
Mani
(43) Pub. Date: Dec. 12, 2002

(54) USER VERIFICATION SERVICE IN A MULTIMEDIA-CAPABLE NETWORK
(76) Inventor: Babu V. Mani, Plano, TX (US)
Correspondence Address:
ALCATEL USA
INTELLECTUAL PROPERTY DEPARTMENT
1000 COIT ROAD, MS LEGL2
PLANO, TX 7507; (US)
(21) Appl. No.: 09/871,510
(22) Filed: May 31, 2001

Publication Classification
(51) Int. Cl. … G06F 15/16
(52) U.S. Cl. … 709/227

(57) ABSTRACT
A user verification system and method for use in a multimedia-capable network wherein access to controlled facilities such as, e.g., corporate or enterprise networks, home networks, physical locations, access-controlled services, and the like, is verified using multimedia response criteria. When an indication signifying that a user is attempting to access the controlled facility is received in a network element, a multimedia session engine is invoked for launching an access service application. Responsive to an interrogation procedure, multimedia responses associated with the user are captured and verified against a stored access control profile. Access to the controlled facility is granted only when the responses are validated.

DOJ EX. 1015

[Sheet 1 of 6. FIG. 1: architectural scheme 100 with three levels: access/transport hardware 102; call/connection admission/session control 104; services, applications and features (management, provisioning and back office) 106. Adjacent levels are joined by open protocols and APIs. FIG. 3: call/session engine 300 with a call/connection session control engine, an application engine and an access engine.]

[Sheets 2 to 4 of 6: drawing text not recoverable.]

[Sheet 5 of 6. FIG. 6A flow chart: 602 User attempting to access a network using a multimedia-capable appliance; 604 Invoking a multimedia call engine to launch a network access application; 606 Interrogating the user for verification; 608 User response valid?; 610 Access denied; 612 Interrogation complete?; 614 Access granted.]

[Sheet 6 of 6. FIG. 6B flow chart: 614 Access granted; 616 Additional interrogation after a predetermined time duration or predetermined user action?; 618 User response valid?; 620 Access terminated; Additional interrogation complete?; 624 Access grant maintained.]

USER VERIFICATION SERVICE IN A MULTIMEDIA-CAPABLE NETWORK

BACKGROUND OF THE INVENTION

[0001] 1. Technical Field of the Invention

[0002] The present invention generally relates to telecommunication and data communication services. More particularly, and not by way of any limitation, the present invention is directed to a user verification service in a multimedia-capable next-generation network.

[0003] 2. Description of Related Art

[0004] Over the last two decades or so, telecommunication services have evolved rapidly from simple telephone calls and fax communications to a host of advanced services such as multi-party conferences, voice mail, call forwarding, caller ID, call waiting, et cetera. This rapid evolution has been made possible primarily due to the successful deployment of the Intelligent Network (IN) and Advanced IN (AIN) architecture using Signaling System No. 7 (SS7) as the out-of-band signaling protocol infrastructure. Similarly, data services have also followed a significant transformation from basic text messaging in the 1980s to the World Wide Web and Internet of today, where transporting diverse media has become commonplace. For example, bandwidth-intensive services such as desktop video conferencing, video on demand, telemedicine, real-time audio, and many other applications are driving the demand for simultaneous support of different types of services on the same public network.

[0005] Coupled with the phenomenal popularity of the Internet, recently there has been a tremendous interest in using the packet-switched network (PSN) infrastructure employed in the data networks (e.g., those based on Internet Protocol (IP) addressing) as a replacement for, and/or as an adjunct to, the existing circuit-switched network (CSN) infrastructure deployed in today’s voice networks. Several advantages are expected to be realized due to such integration. From network operators’ viewpoint, the inherent traffic aggregation in PSN allows for a reduction in the cost of transmission and the infrastructure cost per end-user. Ultimately, such cost reductions enable the network operators to pass on the savings to subscribers or, more generally, users. Also, operators of a new breed of service-centric networks (referred to as next-generation networks, distinct from the existing voice-centric and data-centric networks) can offer enhanced services with integrated voice/data/video to users who will be using endpoints of diverse multimedia capabilities.

[0006] As alluded to hereinabove, several advances have taken place in both data and voice services. However, the current data-centric and voice-centric services do not provide the gamut of enhancements that are possible with the use of multimedia capabilities in a next-generation network.

SUMMARY OF THE INVENTION

[0007] Accordingly, the present invention advantageously provides a user verification scheme for use as a network-based service in a multimedia-capable network wherein access to controlled facilities such as, e.g., corporate or enterprise networks, home networks, physical locations (residential or commercial), access-controlled services, and the like, is verified using multimedia response criteria. Preferably, the multimedia-capable network is provisioned as a next-generation network (referred to as a service network) having a decoupled service architecture that is facilitated by the use of multimedia softswitch technology.

[0008] In one aspect, the present invention is directed to an access control method for verifying a remote user’s access to a controlled facility. When an indication signifying that the user (operating a multimedia appliance) is attempting to access the controlled facility is received in a network element, a multimedia call/session engine is invoked for launching an access service application. Depending on how the service architecture is implemented, the access application may be provisioned as a service application hosted on a third-party server platform coupled to a public packet-switched network (e.g., the Internet), as a telecom-hardened, carrier-class service application hosted on dedicated IN/AIN-compliant nodes such as multimedia Service Control Points (SCPs) and application servers, or as a centralized service with service logic embedded in SS7 nodes (e.g., Service Switching Points or SSPs) and multimedia softswitch elements.

[0009] The access service application is operable to interrogate the user, either in an active manner, passive manner, or in any combination thereof, for multimedia responses. In an exemplary embodiment, the multimedia responses comprise live video capture of the user operating the multimedia access appliance for gaining entry to the controlled facility, which may be formed of a private corporate or home network, an enterprise intranet, or a public data network, a physical location, and the like.

[0010] The multimedia responses from the user are verified by determining whether they match valid users’ access profile information stored for the particular network being accessed. If so, permission to access the controlled facility is granted to the user. In an exemplary embodiment, additional interrogation steps may be effectuated after the user has been granted access to the network. Such additional interrogation procedures may be automated as part of the access service application service or facilitated by a human security operator. Continued user validation is accordingly required in this exemplary implementation for maintaining the original grant of access.
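
The verify, grant, then keep-verifying flow of paragraph [0010], as an added Python sketch that is not part of the patent: a session is denied on the first invalid response, granted only when every challenge in the round is answered, and terminated if a later re-interrogation fails. The cosine-similarity face match, the salted-digest comparison of transcribed answers, the 0.90 threshold, the 900-second interval, the sample data and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field

FACE_THRESHOLD = 0.90   # assumed cosine-similarity cut-off for a face match
REVERIFY_AFTER = 900.0  # assumed "predetermined time duration", in seconds
ACTIVE = ("INTERROGATING", "REVERIFYING")

# Constructed enrollment data, for illustration only.
SAMPLE_FACE = [0.12, 0.80, 0.35, 0.44]
SAMPLE_ANSWERS = {"first project code name": "blue heron",
                  "badge colour": "green",
                  "office floor": "seven"}


def _digest(salt, spoken):
    """Salted digest of a normalised ASR transcript; answers are not stored in clear."""
    norm = " ".join(spoken.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 50_000)


def _cosine(a, b):
    if len(a) != len(b) or not all(isinstance(x, (int, float)) for x in a):
        return 0.0
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0


@dataclass
class AccessProfile:
    face: list     # enrolled face template
    salt: bytes
    answers: dict  # question -> digest of the expected spoken answer


def enroll(face, answers):
    salt = secrets.token_bytes(16)
    return AccessProfile(list(face), salt, {q: _digest(salt, a) for q, a in answers.items()})


@dataclass
class Session:
    user: str
    state: str = "INTERROGATING"  # or GRANTED, REVERIFYING, DENIED, TERMINATED
    pending: list = field(default_factory=list)  # outstanding (kind, question) pairs
    verified_at: float = 0.0


class AccessApplication:
    def __init__(self, profiles, questions_per_round=2):
        self.profiles = profiles
        self.n = questions_per_round
        self.rng = secrets.SystemRandom()  # unpredictable question selection

    def _new_round(self, session):
        known = sorted(self.profiles[session.user].answers)
        picked = self.rng.sample(known, min(self.n, len(known)))
        session.pending = [("face", None)] + [("audio", q) for q in picked]

    def begin(self, user):
        if user not in self.profiles:  # no stored profile: fail closed
            return Session(user, state="DENIED")
        session = Session(user)
        self._new_round(session)
        return session

    def respond(self, session, response, now):
        """Check one response against the stored profile and advance the session."""
        if session.state not in ACTIVE or not session.pending:
            return session.state
        kind, question = session.pending[0]
        profile = self.profiles[session.user]
        if kind == "face":
            ok = (isinstance(response, (list, tuple))
                  and _cosine(response, profile.face) >= FACE_THRESHOLD)
        else:
            ok = isinstance(response, str) and hmac.compare_digest(
                _digest(profile.salt, response), profile.answers[question])
        if not ok:  # one invalid response ends the attempt or revokes the grant
            session.pending = []
            session.state = "TERMINATED" if session.state == "REVERIFYING" else "DENIED"
        else:
            session.pending.pop(0)
            if not session.pending:  # interrogation complete
                session.state, session.verified_at = "GRANTED", now
        return session.state

    def check(self, session, now):
        """Call on each use of the grant; a stale grant triggers re-interrogation."""
        if session.state == "GRANTED" and now - session.verified_at >= REVERIFY_AFTER:
            session.state = "REVERIFYING"
            self._new_round(session)
        return session.state


def answer_all(app, session, face, answers, now):
    """Drive one interrogation round with the given face vector and spoken answers."""
    while session.pending and session.state in ACTIVE:
        kind, question = session.pending[0]
        app.respond(session, face if kind == "face" else answers.get(question, ""), now)
    return session.state
```

Because the questions are drawn at random for each round, a recording of one successful session does not answer the next one; the face check in this sketch has no such property and would need a liveness test in practice.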
[0011] In another aspect, the present invention is directed to a computer-accessible medium operable with a network element disposed in a multimedia-capable next-generation network. The computer-accessible medium is further operable to carry a sequence of instructions which, when executed by at least one processing entity associated with the network, cause the network element to perform at least a portion of the steps of the user verification method set forth hereinabove.

[0012] In yet another aspect, the present invention is directed to an access control system for use with a multimedia-capable next-generation network so as to provide remote access to users with respect to a network portion such as, e.g., a private network portion. The access control system includes a structure capable of receiving indications from a remotely located user, wherein the indications are operable to signify to a network element that the user is attempting to gain access to the network portion by means of a multimedia appliance. Associated with the network element is a multimedia session engine operable to invoke a network access application, in response at least in part to the received indications, on an access application server disposed in the multimedia-capable network. An interrogating apparatus, operable in a passive mode, active mode, or in a combination, is operable in association with the multimedia appliance to capture, receive, acquire, or collect one or more multimedia responses (e.g., live picture ID, speech samples, etc.) from the user. A suitable logic block associated with the access application server is operable, in conjunction with a database, to determine if the multimedia responses from the user are valid. Permission to access the network portion is granted only if the responses associated with the remotely located user are matched with a stored access control profile for the user.

BRIEF DESCRIPTION OF THE DRAWINGS

[0013] A more complete understanding of the present invention may be had by reference to the following Detailed Description when taken in conjunction with the accompanying drawings wherein:

[0014] FIG. 1 depicts an exemplary high-level architectural scheme of a next-generation, multimedia-capable network employed for practicing the teachings of the present invention;

[0015] FIG. 2 depicts a functional block diagram associated with the exemplary high-level architectural scheme shown in FIG. 1;

[0016] FIG. 3 depicts a functional block diagram of a multimedia call/session engine operable in accordance with the teachings of the present invention;

[0017] FIG. 4 depicts an exemplary next-generation network capable of multimedia services;

[0018] FIG. 5 depicts an exemplary network which employs a multimedia user verification scheme in accordance with the teachings of the present invention; and

[0019] FIGS. 6A and 6B are flow charts of the various steps involved in the multimedia user verification method provided in accordance with the teachings of the present invention for controlling access to a controlled facility.

DETAILED DESCRIPTION OF THE DRAWINGS

[0020] In the drawings, like or similar elements are designated with identical reference numerals throughout the several views thereof, and the various elements depicted are not necessarily drawn to scale. Referring now to FIG. 1, depicted therein is an exemplary high-level architectural scheme 100 of a next-generation network that is capable of effectuating multimedia communications. In the context of the present patent application, the term “multimedia” broadly refers to visual information, aural information, and other information. Visual information is generally divided into two categories: (i) still pictures and graphics, and (ii) full-motion video or animation. Aural information includes both speech and non-speech categories. Other information categories can include text, computer data, etc. Multimedia communication involves, accordingly, integrated presentation of text, graphics, video, animation, sound, and the like, using different media and multiple information elements in a single application or session.

[0021] The exemplary architectural scheme 100 of the next-generation network is preferably effectuated by implementing what is known as softswitch technology. Essentially, the softswitch functionality is operable to separate the call control functions of a call (or, “session control” functions in the context of a multimedia communication session) from the media gateways (i.e., transport layer(s)) that carry it. Call control features can vary, but call routing, admission control, connection control (such as creating and tearing down sessions), and signaling interworking—such as from SS7 to Session Initiation Protocol (SIP)—are usually included. These functionalities may collectively be referred to as session control. The softswitch functionality can also include: (i) the ability to route a call based on customer database information, (ii) the ability to transfer control of the call to a node disposed in another network, and (iii) support of management functions such as provisioning, billing, etc.

[0022] Continuing to refer to FIG. 1, the architectural scheme 100 accordingly includes an access/transport level 102 which interacts with a session control level 104 via a plurality of open-standard protocols and application programming interfaces (APIs). The session control level 104 is operable, in turn, to interface with an application services/features level 106 via a second set of open-standard protocols and APIs. As will be described in greater detail hereinbelow, various multimedia services, applications, and features may be provided as part of this services level 106. Also, some of the back office management and provisioning functionality can be included herewith.

[0023] Those skilled in the art should readily appreciate that several protocols and APIs are available for effectuating the architectural scheme 100 set forth hereinabove, which effectively decouples the session control layer from the underlying access/transport layer as well as the service application layer. For example, these protocols—which effectuate media control APIs, signaling APIs, and service APIs—include: SIP, H.323, Call Processing Language (CPL), Media Gateway Controller Protocol (MGCP), Internet Protocol Device Control (IPDC), H.248, MEGACO, Real-Time Protocol (RTP), Java™ APIs for Integrated Networks (JAIN), Resource Reservation Protocol (RSVP), Parlay, Lightweight Directory Access Protocol (LDAP), Markup Languages such as Extensible Markup Language (XML), Multi Protocol Label Switching (MPLS), and the like. Additionally, access to the existing IN/AIN service architecture is also available via suitable SS7 or IP-based interfaces.

[0024] The softswitch functionality is realized essentially as a software implementation that can reside on a single network element, or be distributed across multiple nodes. Also, different levels of decoupling and interfacing may be provided in an actual softswitch implementation. For example, SS7 functionality may be embedded within a softswitch element or kept separate. In other implementations, the softswitch functionality may sit on top of a media gateway (MGW), instead of being physically distinct, as long as transport and control planes are decoupled.

[0025] By creating separate planes for control and switching and leveraging software’s programmability, service providers can combine transport services and control protocols freely in order to facilitate seamless migration from one service to another. Best-in-class solutions and products from multiple vendors can be advantageously deployed in the next-generation network because of open standards and APIs. Further, open APIs to the service layer (including a suitable service creation environment (SCE)), along with service creation, service mediation and service brokering standards, enable creation of numerous advanced, multimedia-enhanced services with faster service rollout.

[0026] FIG. 2 depicts a functional block diagram associated with the exemplary architectural scheme shown in FIG. 1. Three layers corresponding to the three decoupled levels of the architectural scheme are particularly illustrated. An access/transport layer 202 is exemplified with a plurality of multimedia-capable H.323 terminals 208, GWs 210 (including MGWs and Access Gateways or AGWs) for providing access to one or more Integrated Access Devices (IADs) (not shown) and other communication appliances, and multimedia-capable SIP terminals 212. For purposes of the present invention, all such multimedia-capable access devices (including multimedia-capable phones, computers, game stations, television sets, etc.) may be referred to as multimedia appliances and are preferably provided with one or more man/machine interfaces (e.g., video/still cameras, microphones, display screens, keyboards, pointing devices, joy sticks, track balls, voice recorders, audio-to-text or text-to-audio converters, and the like) for accepting or capturing multimedia responses or inputs associated with a user. Also, in some exemplary implementations, the multimedia appliances may be equipped with suitable biometric ID readers and sensors, e.g., fingerprint readers, retinal scanners, voice recognition systems, etc.

[0027] Continuing to refer to FIG. 2, control layer 204 of the decoupled architectural scheme illustrates the functionality of an exemplary multimedia call/session engine implemented as part of a multimedia softswitch in a network. A call/session and connection control block 226 is provided with a plurality of access and transport interfaces 214 to couple to the underlying access/transport layer 202. As alluded to hereinabove, these interfaces include, e.g., SIP interfaces 216, H.323 interfaces 218, SS7 interfaces 220, SigTran interfaces 222 (for SS7-over-IP) and H.248 interfaces 224. The functionality of the call/session and connection control block 226 is associated with a plurality of modules such as, for instance, a resource management module 228, a traffic metering/measurement module 230, an event log module 232, a screening module 234, alarms 236, a billing module 238, a bandwidth management module 240, a routing module 242, a Quality of Service (QoS) module 244, feature interactions module 246, a provisioning module 248, and a translation module 250.

[0028] A plurality of application interfaces 252 are available to the multimedia session engine for interacting with an application layer 206. A Parlay interface 254 and a SIP interface 256 are exemplified herein. Reference numerals 258-1 through 258-N refer to a plurality of application servers (ASs) that are operable to host various services, features and management policies. One or more legacy service nodes (e.g., a Service Control Point or SCP) may also be provided as part of the application layer 206 in the form of one or several AS nodes, e.g., AS 260. Preferably, interfaces to third-party AS nodes 262 are also included.

[0029] Application layering in the decoupled architectural scheme can be architected in three ways. Custom applications such as e-commerce, e-business, e-residence (home appliance control, residential security, etc.), e-health, and the like, may reside on the Internet as applications hosted on third-party platforms. Specialized services such as Virtual Private Networks (VPNs), prepaid services, etc., and multimedia applications for business and residential use may be provided as distributed applications hosted on dedicated telecom-hardened platforms. Carrier-class AS nodes, multimedia-capable SCPs, etc. typically comprise such platforms. A select group of legacy service offerings, for commercial as well as residential applications, may be provided as centralized applications that are based on SS7 platforms (such as signal switching points (SSPs)) and softswitch nodes.

[0030] Referring now to FIG. 3, depicted therein is a high-level functional block diagram of a call/session engine 300 of a multimedia softswitch operable in accordance with the teachings of the present invention. As described in detail hereinabove, both access/transport interfaces 214 and application layer interfaces 252 are available to the call/session engine 300 for effectuating its softswitch functionality. A control engine 302 is responsible for call/session control and connection control (analogous to the traditional call control function or CCF). An application engine 304 is included for application triggering and managing feature/policy interaction with respect to a triggered service application. In addition, the application engine 304 is preferably operable to open suitable APIs for supporting enhanced services. When third-party applications are invoked, the application engine 304 may also provide firewall management and subscriber access management for service selection and initiation. An access engine 306 is operable to effectuate online user authentication and authorization and validate service usage rights. Also, roaming management may be provided by the access engine 306 for subscription retrieval, roaming retrieval and registration negotiation.

[0031] FIG. 4 depicts an exemplary next-generation multimedia network 400 that is capable of providing a plurality of multimedia services in accordance with the teachings of the present invention. For purposes of the present invention, network 400 and its variants and exemplary implementations will be referred to as a “service network.” One or more legacy circuit-switched networks (CSNs) 402 such as the Public Switched Telephone Network (PSTN) for wireline telephony and the Public Land Mobile Network (PLMN) for wireless telephony are coupled to one or more packet-switched networks (PSNs) 406 such as the IP-based Internet, ATM-based packet network, etc. Further, the PSN portion 406 may also encompass such other private IP-based networks as, e.g., corporate intranets, enterprise networks, home networks, and the like. Accordingly, in one embodiment, PSN 406 represents an inter-networking network of a combination of such IP networks. A plurality of Trunk Gateways (TGWs), e.g., TGW 404A and TGW 404B, are disposed between the CSN and PSN portions of the network 400 for effectuating the interfacing therebetween. An Access Gateway (AGW) node 408 is coupled to the PSN portion 406 for facilitating access to the network from a plurality of access devices (ADs) 410-1 through 410-N. One or more multimedia-capable SIP terminals 412 and multimedia-capable H.323 terminals 414 are operable to originate and terminate multimedia sessions in conjunction with various multimedia services supported by the network 400.

[0032] One or more optional multimedia (MM) Service Resource Function (SRF) nodes, e.g., MM-SRF 416, are coupled to PSN 400 for providing bearer resource functionality for converged voice/data services, protocols to request these services, and open APIs for programming bearer resource-intensive applications as well as content/announcement files. The MM-SRF node 416 does not set up a bearer path between two parties, however, as there is no such dedicated bearer connection in the context of IP networking. Rather, only a logical connection is established between the parties.

[0033] Within the multimedia-based service network framework, some of the functions of the MM-SRF node 416 include the following: (i) operating in the media access/resources plane for bearer services by providing multimedia resource services, (ii) providing standard protocols, (iii) interfacing to AS nodes through a multimedia softswitch (e.g., softswitch 418), and (iv) enabling third-party programmability of bearer services and content/announcements through the open APIs. Those skilled in the art should appreciate that some of these functionalities may be embedded within the multimedia softswitch 418 or be distributed across several MM-capable nodes depending on the integration level of the softswitch.

[0034] A plurality of hosted applications 420 are co-located at the multimedia softswitch node 418. The specific type of the applications is dependent on the service architecture implementation and application layering. Some of the exemplary applications may include network announcements (in conjunction with SRF 416), video conferencing, digit collection, unified (multimedia) messaging, media streaming and custom announcements, automatic speech recognition (ASR), text-to-speech (TTS), user verification using multimedia, and various enhanced services such as multimedia call waiting, direct connect services, distinctive call notification, emergency override service, presentation of call party profiles based on multimedia, etc. It should be recognized, in addition, that some of these multimedia services may be provisioned as applications hosted on carrier AS nodes 422 and third-party AS nodes 424, with suitable APIs associated therewith, respectively.

[0035] Although the exemplary network embodiment 400 shown in FIG. 4 does not explicitly illustrate SS7 interfaces for effectuating legacy IN/AIN services, those skilled in the art should appreciate that various such SS7 interfaces and SS7-capable signaling gateways (SGWs) may also be appropriately disposed in the network for providing SS7 functionality.

[0036] Referring now to FIG. 5, depicted therein is an exemplary service network arrangement 500 which employs a multimedia user verification scheme in accordance with the teachings of the present invention for purposes of positively identifying a user 518 (or, interchangeably, a subscriber) attempting to gain access to a controlled facility such as, e.g., a corporate network 506. A PSN/CSN portion 502 (hereinafter referred to as a public network portion) is coupled to the corporate network 506 via a suitable GW node 504. A multimedia softswitch 508 is interfaced with either the public network portion 502, the corporate network 506, or both.

[0037] In the exemplary embodiment of the user verification system shown in FIG. 5, an access application server node 507 is operable to provide a multimedia-based access control service with respect to user 518 attempting to access the corporate network portion 506. The access application server node 507 may be interfaced with either the public network portion 502, the corporate network 506, or both. Further, the multimedia softswitch 508 is operable to launch a multimedia network access application hosted on the access application server 507 when a multimedia session engine is invoked due to access attempts by the user 518 (e.g., an employee), who may be remotely located, through a multimedia-capable appliance/device 516.

[0038] Preferably, one or more multimedia man/machine interfaces (e.g., a video/still camera, a keyboard or pointing device, an audio interface, and the like) are co-located with the multimedia appliance 516 for use within the context of the present invention. A multimedia access node 514 is operably coupled to the public network portion 502 to provide access gateway functionality with respect to the multimedia appliance 516. Further, the access node 514 is also interfaced with the multimedia softswitch 508.

[0039] A database cluster 512 having a plurality of databases is operable for storing access profile information for valid users of the corporate network 506. Such access profile information may comprise valid users’ video clips, still photos, audio responses (e.g., words or phrases) to a set of questions that can be randomly selected, biometric ID information such as fingerprints, retinal scans, and the like, in addition to password and login ID information. The database cluster 512 is interfaced with the network access AS node 507 as well as an operator control 510 associated with the corporate network. Preferably, the operator control 510 can override an automated interrogation procedure or manually interject an interrogation procedure whenever necessary.

[0040] FIG. 6A is a flow chart of the various steps involved in an exemplary multimedia user verification method provided in accordance with the teachings of the present invention for controlling access to a private network portion such as, e.g., a corporate network or a home network. When the user attempts to access the private network by logging from a remotely located multimedia appliance, an indication thereof is received in a network element such as the multimedia softswitch operably coupled to the network (step 602). Responsive thereto, a multimedia call/session engine is invoked to launch a network access application (step 604), which may be a softswitch-hosted application (centralized application layering), an application hosted on a dedicated telecom-hardened AS node as a carrier-class service (distributed application layering), or as a third-party application on the Internet.

[0041] Regardless of its location, the network access application is operable to “interrogate” the user by means of a suitable multimedia man/machine interface (step 606). The interrogation process and responses to such interrogation may be passive, active, or a combination thereof. For example, a video camera associated with the multimedia appliance can passively “interrogate” and automatically capture a live picture of the user, which can be verified against the valid users’ access profile information stored in a database. In another embodiment, an audio query system coupled with ASR may be employed to actively query the user for audio response input. Again, the audio responses are verified against the stored access profile information for the private network. In yet another embodiment, the user may be instructed by an audio system to present a token, an access card having a predetermined graphic element or other ID indicia thereon, or a picture ID, etc. for verification. It should be appreciated, accordingly, that numerous multimedia interrogation schemes may be implemented by utilizing the various combinations resulting from audio, video, text, biometric inputs. However, actual implementations will necessarily depend on network-specific access profile information that is available in the database storage.

[0042] Continuing to refer to FIG. 6A, upon receiving a suitable multimedia response (which may be an active input by the user or a passive capture), either at a multimedia softswitch or a node hosting the network access application, a decision block 608 determines whether the response is a valid response by verifying it against the stored access profile information database. If it is determined that the multimedia response is not a valid response, the user is denied access to the private network (step 610). The interrogation procedure may employ a predetermined cascaded
