Caslin et al.

(10) Patent No.: US 7,197,560 B2
(45) Date of Patent: Mar. 27, 2007

US007197560B2

(54) COMMUNICATIONS SYSTEM WITH FRAUD MONITORING

(75) Inventors: Michael Caslin, Colorado Springs, CO (US); John Hans Van Arkel, Colorado Springs, CO (US); Arthur Lance Springer, Waterloo, IA (US)

(73) Assignee: MCI, LLC, Basking Ridge, NJ (US)

(*) Notice: Subject to any disclaimer, the term of this ... under 35 ...

(21) Appl. No.: 10/103,279

(22) Filed: Mar. 20, 2002

(65) Prior Publication Data
US 2002/0188712 A1    Dec. 12, 2002

Related U.S. Application Data

(60) Provisional application No. 60/276,923, filed on Mar. 20, 2001, provisional application No. 60/276,953, filed on Mar. 20, 2001, provisional application No. 60/276,955, filed on Mar. 20, 2001, provisional application No. 60/276,954, filed on Mar. 20, 2001.

(51) Int. Cl.
G06F 15/173 (2006.01)

(52) U.S. Cl.: 709/224; 709/227; 709/246; 379/189; 379/114.14

(58) Field of Classification Search: 709/224, 709/227, 230, 246; 379/189, 114.14
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,463,681 A  *  10/1995  Vaios et al.       379/189
5,606,604 A      2/1997  Rosenblatt et al.
5,627,886 A  *   5/1997  Bowman             379/189
5,706,338 A  *   1/1998  Relyea et al.      379/189
5,768,354 A  *   6/1998  Lange et al.       379/189
5,907,602 A  *   5/1999  Peel et al.        379/189
5,907,803 A  *   5/1999  Nguyen             455/410
5,953,653 A  *   9/1999  Josenhans et al.   455/410
5,995,604 A     11/1999  Chan et al.
6,064,653 A  *   5/2000  Farris             370/237
6,188,753 B1 *   2/2001  Afsar et al.       379/114.14
6,233,313 B1 *   5/2001  Farris et al.      379/126
6,266,525 B1 *   7/2001  Peterson           455/410
6,327,352 B1 *  12/2001  Betts et al.       379/189
6,377,672 B1 *   4/2002  Busuioc            379/189
6,600,733 B2 *   7/2003  Deng               370/352
6,614,781 B1 *   9/2003  Elliott et al.     370/352
6,721,284 B1 *   4/2004  Mottishaw et al.   379/114.01
6,873,617 B1 *   3/2005  Karras             370/389

OTHER PUBLICATIONS

Handley et al., “SIP: Session Initiation Protocol”, Internet Engineering Task Force, Request for Comment 2543, Mar. 1999.

* cited by examiner

Primary Examiner—Philip B. Tran

(57) ABSTRACT

A fraud monitoring system is disclosed for a communications system. The fraud monitoring system analyzes records of usage activity in the system and applies fraud pattern detection algorithms to detect patterns indicative of fraud. The fraud monitoring system advantageously accommodates both transaction records resulting from control of a packet-switched network and those from a circuit-switched network gateway.

16 Claims, 7 Drawing Sheets
`
`
`
[Front-page drawing; recoverable labels: Billing, Monitoring, SIP Phone, PC/Laptop, Telephone; reference numerals 135, 113, 117]
`
`GTL 1023
`IPR of U.S. Patent No. 8,340,260
`
`
`
`U.S. Patent
`
`Mar. 27, 2007
`
`Sheet 1 of 7
`
`US 7,197,560 B2
`
[Sheets 1 to 3 of 7: drawing content not recoverable]

Sheet 4 of 7
`
Flowchart steps, in order (reference numerals 402 to 420 appear on the sheet):

1. OBTAIN CDR(S) FROM NETWORK GATEWAY
2. CONVERT CDR(S) TO XDR(S)
3. DETERMINE CORP_ID, IF ANY, ASSOCIATED WITH EACH CDR
4. AUGMENT XDR WITH CORP ID
5. CORRELATE TO XML RECORDS FROM NS, IF ANY
6. NORMALIZE AND PREPROCESS FRAUD-RELEVANT FIELDS
7. APPLY FRAUD ANALYSIS TO SET OF CORRELATED RECORDS
8. REPORT FRAUD RESULTS
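The record flow in this flowchart, as an added Python example that is not code from the patent: gateway CDRs are converted to XDRs, tagged with a corp_id, correlated with the network server's XML records, normalized and then checked. The CSV and XML layouts, the `call_id` correlation key, the trunk-to-corp_id table, the thresholds and both detection rules are assumptions made for illustration.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample data; nothing below comes from the patent.
GATEWAY_CDRS = """call_id,trunk_group,calling,called,start,duration_s
c-1001,TG-17,(719) 555-0101,+1 303 555 0199,2002-03-20T09:00:00,120
c-1002,TG-17,719-555-0102,011 44 20 7946 0000,2002-03-20T02:10:00,3400
c-1003,TG-42,212 555 0144,011-44-20-7946-0001,2002-03-20T02:12:00,5400
c-1004,TG-99,555-0100,13035550123,2002-03-20T10:00:00,30
"""
NS_XML = """<transactions>
  <txn call_id="c-1001" from="sip:alice@example.com" disposition="completed"/>
  <txn call_id="c-1002" from="sip:bob@example.com" disposition="completed"
       feature="call-forward"/>
</transactions>"""
TRUNK_TO_CORP = {"TG-17": "corp-A", "TG-42": "corp-B"}         # assumed lookup table
DIAL_PLAN = {"corp-A": "domestic", "corp-B": "international"}  # assumed policy
LONG_CALL_S = 3000   # assumed threshold, in seconds
OFF_HOURS_END = 6    # assumed: calls starting before 06:00 count as off-hours


def normalize_number(raw):
    """Reduce a dialed string to +<digits> form (North American dialing assumed)."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("011"):                  # international dialing prefix
        return "+" + digits[3:]
    if len(digits) == 10:
        return "+1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    return digits                                 # e.g. 7-digit local number, left as-is


def cdr_to_xdr(row):
    """Convert one gateway CDR row into the common record (XDR) shape."""
    return {
        "call_id": row["call_id"],
        "source": "gateway",
        "trunk_group": row["trunk_group"],
        "calling": row["calling"],
        "called": row["called"],
        "start": row["start"],
        "duration_s": int(row["duration_s"]),
    }


def augment_with_corp_id(xdr):
    """Attach the corp_id for the trunk group, or None when there is none."""
    xdr["corp_id"] = TRUNK_TO_CORP.get(xdr["trunk_group"])
    return xdr


def load_ns_records(xml_text):
    """Index network-server transaction records by call_id."""
    # Assumes the XML comes from the operator's own servers; untrusted XML
    # needs a hardened parser instead of the standard-library one.
    root = ET.fromstring(xml_text)
    return {t.get("call_id"): dict(t.attrib) for t in root.iter("txn")}


def analyze(rec):
    """Return the names of the (illustrative) rules this record trips."""
    rules = []
    called = rec["called"]
    international = called.startswith("+") and not called.startswith("+1")
    if international and DIAL_PLAN.get(rec["corp_id"]) == "domestic":
        rules.append("dial_plan_violation")
    hour = datetime.fromisoformat(rec["start"]).hour
    if international and hour < OFF_HOURS_END and rec["duration_s"] >= LONG_CALL_S:
        rules.append("long_off_hours_international")
    return rules


def run_pipeline(cdr_text=GATEWAY_CDRS, xml_text=NS_XML):
    """Run every flowchart step; return (correlated records, alerts)."""
    ns = load_ns_records(xml_text)
    records, alerts = [], []
    for row in csv.DictReader(io.StringIO(cdr_text)):        # obtain CDRs
        rec = augment_with_corp_id(cdr_to_xdr(row))          # convert, augment
        rec["ns"] = ns.get(rec["call_id"])                   # correlate, if any
        rec["calling"] = normalize_number(rec["calling"])    # normalize
        rec["called"] = normalize_number(rec["called"])
        rules = analyze(rec)                                 # fraud analysis
        if rules:                                            # report
            alerts.append({
                "call_id": rec["call_id"],
                "corp_id": rec["corp_id"],
                "rules": rules,
                "via_feature": (rec["ns"] or {}).get("feature"),
            })
        records.append(rec)
    return records, alerts


if __name__ == "__main__":
    for alert in run_pipeline()[1]:
        print(alert)
```

The second constructed call trips both rules and carries the `call-forward` feature from its correlated server record; the third is permitted by its dialing plan and is caught only by the duration rule.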
`
`
`
[Sheet 5 of 7: drawing content not recoverable]

[Sheet 6 of 7, FIG. 6; recoverable labels: ORIGINATING INFO, REMOTE ACCESS NO.; reference numerals 600, 608, 634, 638]

[Sheet 7 of 7: drawing content not recoverable]
COMMUNICATIONS SYSTEM WITH FRAUD MONITORING

CROSS REFERENCE TO RELATED CASES

This application is related to, and claims the benefit of the earlier filing date under 35 U.S.C. § 119(e) of, U.S. Provisional Patent Application No. 60/276,923, filed Mar. 20, 2001, entitled “IP Communications,” U.S. Provisional Patent Application No. 60/276,953, filed Mar. 20, 2001, entitled “IP Communications,” U.S. Provisional Patent Application No. 60/276,955, filed Mar. 20, 2001, entitled “IP Communications,” and U.S. Provisional Patent Application No. 60/276,954, filed Mar. 20, 2001, entitled “IP Communications”; the entireties of which are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates to controlling fraudulent use of communications services and, more particularly, to the detection of fraudulent activities in a data transport network.
`
BACKGROUND

The proliferation of data transport networks, most notably the Internet, is causing a revolution in telephony and other forms of real-time communication. Businesses that have been accustomed to having telephony traffic and data traffic separately supported over different systems and networks are now moving towards so-called “converged networks” wherein telephone voice traffic and other forms of real-time media are converted into digital form and carried by a packet data network along with other forms of data. Now that the technologies are feasible to support it, voice over data transport offers many advantages in terms of reduced capital and operating costs, resource efficiency and flexibility.

For example, at commercial installations, customer premise equipment investments are substantially reduced as most of the enhanced functions, such as PBX and automatic call distribution functions, may reside in a service provider’s network. Various types of gateways allow for sessions to be established even among diverse systems such as IP phones, conventional analog phones and PBXs as well as with networked desktop computers.

A new generation of end user terminal devices are now replacing the traditional telephones and even the more recent PBX phone sets. These new sets, such as those offered by Cisco Systems, Inc. and Pingtel Corporation, may connect directly to a common packet data network, via an Ethernet connection for example, and feature large visual displays to enhance the richness of the user interface.

Even before such devices were developed, computers equipped with audio adapters and connected to the Internet were able to conduct some rudimentary form of Internet telephony, although the quality was unpredictable and often very poor. The emphasis now is upon adapting internet protocol (IP) networks and other packet transport networks to provide reliable toll-quality connections, easy call set-up and enhanced features to supply full-featured telephony as well as other forms of media transport. Some other types of media sessions enabled by such techniques may include video, high quality audio, multi-party conferencing, messaging and collaborative applications.

Of course, as a business or residential communications subscriber begins using such voice-over-packet communications to replace conventional telephony, there will naturally be an expectation that the quality of the connections and the variety of services will be at least as good as in the former telephone network. There is also an expectation that the new types of networks will be less susceptible to fraudulent use of communications service—or at least no worse than their predecessors.

However, employing a packet data transport for telephony introduces new vulnerabilities beyond those experienced with the traditional circuit-switched telephone network. The concern over security of communications in the public Internet is well known and has received considerable attention in light of countless identity thefts, hacking attacks, viruses, denial-of-service attacks, security breaches and other threats to reliable, confidential communications. These threats take on further significance as, in the case of packet telephony, the traffic streams are metered and revenue bearing.

In response to these threats, a growing array of security countermeasures (firewalls, NAT, secure connections, encryption schemes, secure Internet protocol (IPsec), vulnerability probes) have been developed to defend against such crippling attacks on data networks.

Of course, any of these security measures that were spawned by data network security may be beneficial to the prevention of attacks in telephony data networks. One area of particular vulnerability for some packet telephony systems stems from the fact that signaling, bearer traffic, and network management communications all share the same transport network. The call control systems communicate among themselves and to the network elements (such as gateways) using the same network that carries packets of customer data. To put things simply, one may send data to any point in a packet network as long as the address of the point is known. The fact that the call control servers are coupled through the transport network opens the possibility that a fraud perpetrator might attempt to communicate directly with a network server, either to impede the operation of the server or to send mock communications requests so as to fool the server into providing free communications services. Fortunately, network security measures, such as the use of IPsec tunnels between legitimate endpoints, are largely effective against these kinds of attacks.

While data network security measures may be employed to help defend against certain types of attacks against a telephony data network, there are a variety of fraud schemes that are not detected or prevented by such measures.

Various fraud schemes are known by which fraud perpetrators are able to steal communications services. Perpetrators have been able to steal calling card numbers, open false accounts, or otherwise manipulate equipment or people to get services without paying. Many of the possible fraud schemes have been well characterized in the PSTN and various techniques have been developed for detecting and preventing such abuses.

Unfortunately, there is a common misconception among those in the industry that the use of sufficient data network security measures should prevent all manner of abuse and fraud, even in a packet telephony environment. In truth, the role of fraud monitoring can be distinct from, but complementary with, network security. Network security provides mechanisms (e.g., firewalls, authentication services, user IDs/passwords, etc.) to ensure that only authorized users gain access to network services. These security mechanisms have protection against internal abuse by authorized users and social engineering situations. As a complementary capability, fraud monitoring provides a view into the services used on the network to ensure that none of the security mechanisms have been compromised or abused. Fraud monitoring facilitates identification of vulnerabilities in the network, protects a commercial customer by minimizing unauthorized use, and protects the service provider against revenue loss.

In summary, network security focuses on fraud prevention, while fraud monitoring focuses on fraud detection. These network concerns must be addressed before customers invest in the adoption of new services and technologies. Customers are attracted to a converged solution because of the potential for new services and enhanced functions, but are apprehensive about new security risks and avenues of fraud.
`
SUMMARY

The present invention meets the need for a fraud monitoring capability to complement other security measures in a voice-over-packet communications system.

To the extent that a packet telephony network operates analogously to a traditional network and many of the same fraud schemes apply, the present invention advantageously adapts an existing fraud detection system for use with a packet telephony network. This means that existing tools and practices developed for the traditional telephone network may be immediately applied in the realm of packet telephony.

Additionally, where packet telephony introduces new aspects or surfaces new sources of information beyond what was observed in traditional telephony, the present invention provides for the collection of new indicators and the implementation of new detection methods.

In another aspect, the present invention also provides for a single fraud monitoring platform to serve both conventional and packet-switched telephony systems. In particular, the present invention provides for the collection, correlation and collective processing of usage activity information derived from both circuit-switched and packet-switched domains. This is a novel capability for reviewing all aspects of calls, even those that involve gateways and are carried over both forms of transport.

In accordance with an aspect of the present invention, network servers performing call processing, or more appropriately “session processing”, in the packet telephony system create transaction detail records reflecting each call or session request that was handled by the server. What is recorded may include network addresses, call dispositions, feature invocations, time of day, etc. These transaction detail records are forwarded through an operations support system and eventually processed by a fraud monitoring engine that looks for various patterns of fraud. In accordance with a preferred embodiment, such records are provided in an XML (extensible Mark-up Language) format.

In another aspect of the present invention, network gateways, which adapt signaling and bearer channels among circuit-switched and packet-switched networks, also generate call detail records (CDRs) of the more traditional type and forward those to a collection process. These CDRs convey information about PSTN-types of events. Eventually, these CDRs are correlated with the records from the network servers and the fraud monitoring system is then able to get an overall picture of each call, even when a call involves both types of networks.

To facilitate use of such CDRs, such as for correlation to packet network events, the present teachings provide that CDRs may be augmented in a novel fashion with additional information having particular significance in a mixed packet-switched and circuit-switched environment.

While the present invention is shown and described in the context of packet-switched telephony, it will be apparent that it may be similarly applicable to other forms of communication, such as video conferencing or other data streaming, where a perpetrator seeks to steal network resources.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

FIG. 1 is a diagram of a data communications system capable of supporting telephony services and comprising means for monitoring usage activities in accordance with an exemplary embodiment of the present invention;

FIG. 2 is a diagram of functional elements involved in establishing a session among parties according to an exemplary embodiment of the present invention;

FIG. 3 is a diagram of functional elements for monitoring usage activity of a communications system in accordance with an exemplary embodiment of the present invention;

FIG. 4 is a flowchart describing a process for processing records of usage activity from a communications system in accordance with an exemplary embodiment of the present invention;

FIG. 5 is a diagram of a computer system with which an embodiment of the present invention may be implemented;

FIG. 6 is a diagram of a data structure for conveying recorded usage of a communications system in accordance with an exemplary embodiment of the present invention; and

FIG. 7 is a diagram of a fraud analyzing apparatus in accordance with an exemplary embodiment of the present invention.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENT

In the following description, well-known structures and devices may be shown in block diagram form or otherwise summarized in order to avoid unnecessarily obscuring the present invention. For the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It should be understood however that the present invention may be practiced in a variety of ways beyond these specific details.

For example, although the present invention is discussed in the context of the Session Initiation Protocol (SIP) and an Internet Protocol (IP)-based network, one of ordinary skill in the art will recognize that the present invention may be generally applicable to other equivalent or analogous communication protocols (ITU H.323) or communications networks (ATM, frame relay, etc.).

Fraud vulnerabilities in business communications systems largely involve the following: abuse by employees or ex-employees, subscription fraud, remote access fraud, misconfigured dialing plans, and social engineering. Customer Premise Equipment (CPE)-related fraud occurs when a third party gains unauthorized access to a Private Branch eXchange (PBX) switch and “steals dial-tone” to make outgoing calls, or an employee abuses long distance calling or other costly PBX-provided features for non-business purposes. These outgoing calls are charged back to the owner of the CPE regardless of the origination of the call (on-network or off-network).

In the case of subscription fraud, a small business may “set up shop” with false credentials with no intention of paying. The delay in the service provider recognizing this situation gives the perpetrator time to accumulate substantial charges.
In the case of remote access fraud, an unauthorized user may steal, or determine by “hacking”, authentication information that permits access to the network, such as SIP phone user IDs and/or passwords.

Fraud relating to a “leaky PBX” may stem from a customer improperly configuring the PBX such that a certain feature of the PBX may be enabled and compromised by a former employee. Additionally, incorrectly setting dialing plan configurations may result in unintended privileges to certain users; for example, a department can place international calls, although its dialing plan should only permit them to call domestically.

Social engineering refers to the practice of obtaining information or services through a person who answers a call (such as a PBX operator) by pretending to be a legitimate caller in need of assistance. For example, a caller from an outside line is forwarded to a company operator and convinces the operator that the user is an employee who needs to make an off-network call. It is observed that business customers are generally subjected to PBX hacking, internal abuse, and social engineering.

Preventive measures have been proposed or implemented to reduce the susceptibility of such networks on several fronts. Some of these measures address “low-level” vulnerabilities, such as the exposure of an IP-addressable resource to an overwhelming influx of data packets. An example of measures taken in a data network to prevent these so-called “denial-of-service” attacks is described in the following copending patent applications which are hereby incorporated by reference in their entireties: U.S. patent application Ser. No. 10/023,331, filed on Dec. 17, 2001, entitled “Virtual Private Network (VPN)-Aware Customer Premises Equipment (CPE) Edge Router” by McDysan; U.S. patent application Ser. No. 10/023,043, filed on Dec. 17, 2001, entitled “System, Method and Apparatus That Employ Virtual Private Networks to Resist IP QoS Denial of Service Attacks” by McDysan et al.; and U.S. patent application Ser. No. 10/023,332, filed on Dec. 17, 2001, entitled “System, Method and Apparatus That Isolate Virtual Private Network (VPN) and Best Effort Traffic to Resist Denial of Service Attacks” by McDysan.

On a different front, the aforementioned vulnerability introduced by having call control elements coupled through the transport network is addressed by the following co-pending application: U.S. patent application Ser. No. 10/099,316, filed on Mar. 15, 2002, entitled “Method of and System for Providing Intelligent Network Control Services In IP Telephony” by Gallant et al., the content of which is incorporated by reference in its entirety.

On yet another front, an example of higher level service processing to curtail fraud or even inadvertent abuse, in the context of advanced features, may be termed “feature-associated call screening.” It is possible for call forwarding and certain other features to complete calls that would otherwise be blocked, such as costly international calls. At least one approach for preventing this circumvention of desired screening is described in the following co-pending patent applications which are hereby incorporated by reference herein in their entireties: U.S. patent application Ser. No. 10/097,592, filed on Mar. 15, 2002, entitled “Selective Feature Blocking in a Communications Network” by Gallant; and U.S. patent application Ser. No. 60/364,670, filed on Mar. 15, 2002, entitled “Featuring Blocking in Communication Systems” by Gallant et al.
Of course, it is desirable that security measures may not be so extreme as to impede legitimate use of the communications system. Special approaches may be appropriate to draw a compromise between usefulness of the system and absolute security. For example, in some environments, such as a very publicly accessible service business, it may be appropriate to liberally allow calls from parties who are not authenticated through the network. In other environments, such as a defense contractor, it may be more important to restrict the reach of inbound calls. Such scenarios are described further in U.S. patent application Ser. No. 10/097,748, filed on Mar. 15, 2002, entitled “Caller Treatment in a SIP Network” by Gallant et al., the content of which is incorporated by reference in its entirety (non-trusted user).

FIG. 1 shows a diagram of a data communications system generally capable of supporting telephony services, in accordance with an exemplary embodiment of the present invention. The communication system 100 includes a packet data transport network 101, which in an exemplary embodiment is an Internet Protocol (IP) based network. System 100 provides the ability to establish communications among various terminal equipment coupled thereto, such as telephone 125, PBX phone 118 and SIP phone 109. In practice, there may be thousands or millions of such terminal devices served by one or more systems 100.

As used herein, the term “SIP phone” refers to any client (e.g., a personal computer, a web-appliance, etc.) that is configured to provide SIP phone functions. The SIP phones 109 may take the form of standalone devices—e.g., a SIP phone may be designed and configured to function and appear like a Plain Old Telephone Service (POTS) telephone station. A SIP client 111, however, is a software client that may run, for example, on a conventional personal computer (PC) or laptop computer. From a signaling perspective, these devices 109, 111 may operate quite similarly, with the main differences relating to the user interface. Unless otherwise stated, it is recognized that the functionalities of both the SIP phones 109 and the SIP client 111 are comparable and that the network operates similarly with either type of device.

System 100 is able to support large enterprise customers who maintain multiple locations having telephony and data transport requirements. For example, in FIG. 1, a first customer site 150 and a second customer site 152 are depicted, each comprising telephones 118 and PBXs 117. These may be customer sites of the type that were traditionally coupled through a Class 3 network, such as switch network 137, via the PBXs 117.

In accordance with more recent technologies, customer sites 150 and 152 further comprise data communications equipment, namely local area networks (LANs) 140 and 142, SIP phones 109, and PC clients 111. At each customer site, an enterprise gateway 103 is provided to allow users at telephones 118 through PBXs 117 to readily make calls to and receive calls from users of SIP phones 109 and PC clients 111.

A gateway is a device that allows divergent transport networks to cooperatively carry traffic. A gateway often provides for interoperation at two levels—between different signaling schemes and between different media forms. For example, network gateway 107 may adapt between the SS7 signaling of the telephone network and SIP or H.323 protocols used by the data network. At the same time, network gateway adapts analog or PCM-encoded voice signals in a telephone bearer channel to packetized data streams suitable for transport over data network 101.
`
`
`
Enterprise gateways 103 adapt between PBX signals and data signals for transport over a data network such as LAN 140 or the service provider’s network 101. As a signaling interface to PBX 117, enterprise gateway 103 may use Integrated Digital Services Network (ISDN), Circuit Associated Signaling (CAS), or other PBX interfaces (e.g., European Telecommunications Standards Institute (ETSI) PRI, R2). As shown, enterprise gateway 103 provides connectivity from a PBX 117, which contains trunks or lines often for a single business customer or location (e.g., PBX phones 118). Signaling for calls from PBX 117 into the IP network comprises information which uniquely identifies the customer, trunk group, or carrier. This allows private numbers to be interpreted in their correct context.

By virtue of the service provider’s data network 101, any of the users at customer site 150 may readily communicate with those at site 152. It is also conceivable that data network 101 may be coupled to the public Internet 127, opening the possibility that communications might be established with PC clients 112, or the like, that are not within either customer site 150 or 152.

Network gateway 107, introduced earlier, is shown to adapt data network 101 to a telephone network 137 which may comprise a network of Class 3 telephone switches, for example. PBX 117' and telephones 118' may be coupled to network 137 in the more traditional manner of a VPN dedicated access line. Furthermore, network 137 is shown coupled by a trunk to the PSTN 123, representing the typical Class 5 local telephone exchanges. A plain analog phone 125 or other telephone (pay phone) may be connected to PSTN 123 through a subscriber loop.

As shown in FIG. 1, network gateway 107 enables calls from telephones 118' and 125 to any of PBX-connected phones 118, SIP phones 109 or PC clients 111, assuming system 100 gives such privileges. Any combination of calls from one type of phone to another may readily be envisioned, many of which involve the traversal of network gateway 107 and other elements.

Both SIP phones 109 and SIP clients 111 preferably support user log-in. By default, a given user may be associated with a particular communications terminal (telephone, mobile phone, pager, etc.) in the traditional sense. In addition, the user may approach one of the newer types of IP phone appliances and register his presence to receive calls at the given phone. Any inbound calls will then go to the most recently registered address.

Coupled with this mobility is the added aspect that a user may be known to others by multiple alternative names or “aliases.” Multiple aliases for a given user may resolve to a single user profile in system 100 as described in U.S. patent application Ser. No. 10/101,389, filed on Mar. 16, 2002, entitled “User Aliases in a Communication System” by Gallant, the content of which is incorporated by reference in its entirety. Aliases may be of a variety of types including public and private telephone numbers, URLs, and SIP addresses.

From a fraud prevention standpoint, it may be considered advantageous that a unified user profile is maintained by the service provider or an authorized customer administrator, even though the user may be known by many such aliases.

To implement this mobility and to support new call control paradigms, control elements are provided in system 100 to coordinate the actions of network 101 in correctly routing traffic and executing features. In particular, system 100 comprises the important elements of a proxy server 113 (also known as a network server (NS)) and a location server (LS) 115. A typical functioning of these elements is described in IETF document RFC 2543. Location server 115 serves as a repository for end user information to enable address validation, feature status, and real-time subscriber feature configuration. Additionally, LS 115 may store system configuration information.

An example of a typical interaction among proxy 113 and location server 115 in providing service is now explained in conjunction with FIG. 2.

In FIG. 2, User A 210 desires to establish communications with User B 220. User B 220 may be reachable at any one of several addresses. These addresses or contacts may correspond to conventional telephones, SIP phones, wireless phones, pagers, etc. The list of addresses may even be changing as User B moves about and registers as being present at various terminal devices 222. The current information about User B’s contact information is typically maintained in location server 240, or in some form of a “presence registry” coupled thereto.

To initiate contact, User A 210 accesses a terminal, calling station 212, and specifies User B as the destination to be reached. This expression of the specific desired destination may take the form of dialing of digits or of selecting a user name or URL-style address from a list. In some cases, User A may also be able to express what type of session is desired (video, high quality, messaging, etc.) or