(12) United States Patent
Burke, II et al.

(10) Patent No.: US 8,799,468 B2
(45) Date of Patent: * Aug. 5, 2014

(54) SYSTEM FOR REGULATING ACCESS TO AND DISTRIBUTING CONTENT IN A NETWORK

(76) Inventors: Robert M. Burke, II, Los Gatos, CA (US); David Z. Carman, San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 191 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 13/369,174
(22) Filed: Feb. 8, 2012

(65) Prior Publication Data
US 2012/0210341 A1, Aug. 16, 2012

Related U.S. Application Data
(63) Continuation of application No. 10/989,023, filed on Nov. 16, 2004, now Pat. No. 8,122,128.
(60) Provisional application No. 60/563,064, filed on Apr. 16, 2004, provisional application No. 60/538,370, filed on Jan. 22, 2004, provisional application No. 60/523,057, filed on Nov. 18, 2003.

(51) Int. Cl.
G06F 5/73 (2006.01)
H04L 29/06 (2006.01)
(52) U.S. Cl.
CPC: H04L 63/10 (2013.01); H04L 2463/101 (2013.01)
USPC: 709/225
(58) Field of Classification Search
USPC: 709/225
See application file for complete search history.

Primary Examiner — Shripal Khajuria
(74) Attorney, Agent, or Firm — Schwabe Williamson & Wyatt PC

(57) ABSTRACT
There is provided a system for regulating access and managing distribution of content in a network, such as the Internet. The system includes communication gateways, installed at a subscriber site, internet control points, installed remotely, and various network elements installed throughout the network. The communication gateways and network elements operate in conjunction with the internet control points to restrict or allow access to specified Internet sites and to manage efficient distribution of content such as music, video, games, broadband data, real-time audio and voice applications, and software to subscribers.

42 Claims, 7 Drawing Sheets

[Cover drawing. Labels: Internet Control Point 50; Internet Metro Area Network 52; SPA Network Elements 54; Non-SPA Network Elements 55; SPA Content Servers 56; Non-SPA Content Servers 57; Communication Gateways 58; Subscriber Terminals 60; Internet Service Provider Portal 62; Active Intervention System 64; Access Node 66.]

DISH, Exh.1001, p.0001

[Sheet 1 of 7: drawing not recoverable.]

[Sheet 2 of 7, Figure 2: Communication Gateway 58. Labels: To Internet 52; Instructions, Initial Operating Parameters, Other records; Housing Disassembly Detector; Content Storage 108 (User Partition, Network Partition); Network Interface; User Interface; To Subscriber Terminal 60.]

[Sheet 3 of 7, Figure 3: Internet Control Point 50. Labels: To Internet 52; Network Interfaces; Processors; Instructions, Other records.]

[Sheet 4 of 7, Figure 4: SPA Network Element 54. Labels: To Internet 52; Network Interfaces; Switches; Processors; Instructions, Other records.]

[Sheet 5 of 7, Figure 5 (flow chart): 400 Receive instructions from network; 402 Receive network access request from a user; 404 Selectively transmit network access request in accordance with received instructions; 406 Receive content data responsive to transmitted network access request.]

[Sheet 6 of 7, Figure 6 (flow chart): 500 Receive instructions from network at subscribing network units; 502 Selectively inhibit access to content servers by a group of non-subscribing users in accordance with received instructions.]

[Sheet 7 of 7, Figure 7 (flow chart): 600 Receive, at a first network unit, content distribution instructions from the network; 602 Store a first portion of content data from the network; 604 Initiate a request over the network, in accordance with the instructions and in response to a user request, for the remainder of the content data; 606 Receive the remainder of the content data from the network; 608 Assemble the first portion of content data with the remainder of the content data; 610 Supply the assembled content data to the user; 612 Selectively forward the first portion of content data to a second network unit in accordance with the instructions.]

SYSTEM FOR REGULATING ACCESS TO AND DISTRIBUTING CONTENT IN A NETWORK

This application is a continuation of U.S. patent application Ser. No. 10/989,023, filed Nov. 16, 2004 and entitled SYSTEM FOR REGULATING ACCESS TO AND DISTRIBUTING CONTENT IN A NETWORK, which claims the benefit of U.S. Provisional Application No. 60/523,057 filed Nov. 18, 2003, U.S. Provisional Application No. 60/538,370 filed Jan. 22, 2004, and U.S. Provisional Application No. 60/563,064 filed Apr. 16, 2004, the entire content and disclosures of which are hereby incorporated in their entirety.

TECHNICAL FIELD

This invention is in general related to regulation of access to a network and, more particularly, to distributing content efficiently while protecting the digital rights associated with the content.

BACKGROUND

The network commonly known as the Internet, or any similar private or managed network, provides a convenient medium for the delivery of electronic data or content such as music, video, games, broadband data, real-time audio and voice applications, and software to subscribers. To accomplish these purposes, the Internet is composed of several components including, for example, content providers for generating content; service providers for delivering content; subscriber terminals for receiving, displaying and playing content; and various additional network elements between service providers and subscribers for aiding in the distribution of the content. Service providers include, for example, telephone line carriers, enterprise data centers, and cable television providers. Subscriber terminals are located at subscriber premises and include, for example, personal computers, televisions configured with modems, a combination of both, or any other combination of consumer electronics capable of presenting electronic content to a subscriber.

Interest in providing delivery of content via the Internet has remained high throughout the growth of the Internet. Several problems have yet to be overcome, however, before the Internet is fully effective at delivering content efficiently and rapidly, while also protecting the rights of the owners of content, that is, the owners of intellectual property. Techniques for protecting this intellectual property are often referred to as Digital Rights Management (DRM). Recent music industry lawsuits over the distribution of pirated music are evidence of the difficulties not yet solved by current DRM techniques.

Service providers and content providers need the assurance that the intellectual property (music, video, games, software, etc.) will be secure from illegal downloading and transmission over the Internet, a major source of lost revenues and the basis for hundreds of lawsuits. Service providers want this feature to halt the legal onslaught launched by music companies and to encourage the motion picture industry to license their content for distribution over the otherwise unsecured Internet. The motion picture industry is understandably reluctant, having seen the negative impact that piracy has already had on the Music Recording Industry. Content providers thus demand this feature to stop the illegal downloading and transmission of intellectual property over the Internet which has cost the music and movie industries billions of dollars annually. Techniques that reduce the strain on a content provider's resources and reduce the high volumes of network data traffic are also desirable in order to improve the speed and efficiency of accessing content in a network.

Another difficult problem that remains to be solved is providing a means for law enforcement agencies to execute warrants to wire-tap Internet communications such as email and real-time audio and video communications. A solution to this problem is especially desirable considering the importance of thwarting terrorist attacks. The Patriot Act and other recently passed legislation indicate the desirability and importance of providing such capabilities to law enforcement bodies.

It is therefore desirable to provide new access regulation and data traffic control techniques that can be made available to telephone line carriers, ISPs, enterprises, cable television companies, for their Internet access networks. In addition, it is desirable to provide a means for law enforcement bodies to combat the prevalent use of Internet communications in planning illegal operations. In particular, it is desirable to meet these needs using the service provider's existing distribution network.

SUMMARY

Consistent with the invention, there is provided a system for regulating access to a network. The system comprises a controller node coupled to the network, the controller node comprising a first processor for generating controller instructions and a first network interface for transmitting the controller instructions over the network. The system also comprises a plurality of gateway units, the gateway units comprising a user interface receiving user-entered network access requests, a second network interface coupled to the network and receiving the controller instructions from the network and a second processor, the second processor selectively transmitting at least some of the network access requests over the network in accordance with the controller instructions, and transferring content data responsive to the transmitted network access requests over the network via the second network interface.

Consistent with another aspect of the present invention, there is also provided a system for regulating access to a network that is accessed by a plurality of users. The system comprises a controller node coupled to the network, the controller node comprising a first processor for generating controller instructions and a first network interface for transmitting the controller instructions over the network. The system also comprises a plurality of network units associated with a first group of users, the network units comprising a second network interface coupled to the network and receiving the controller instructions from the network and a second processor, the second processor inhibiting access for a second group of users to content in the network in accordance with the controller instructions.

Consistent with yet another aspect of the present invention, there is also provided a system for distributing content over a network. The system comprises a controller node coupled to the network, the controller node comprising a first processor for generating controller instructions and a first network interface for transmitting the controller instructions over the network. The system also comprises a plurality of network units, the network units comprising a second network interface coupled to the network, the second network interface in at least a first one of the network units receiving the controller instructions from the network and receiving a portion of a content data file from at least a second one of the network units and a second processor, the second processor in the at least first one of the network units selectively forwarding the portion of the content data file received from the at least second one of the network units to at least a third one of the network units in accordance with the controller instructions.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one (several) embodiment(s) of the invention and together with the description, serve to explain the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts the overall environment in which the present invention is implemented.
FIG. 2 depicts a communication gateway consistent with the present invention.
FIG. 3 depicts an internet control point consistent with the present invention.
FIG. 4 depicts a network element consistent with the present invention.
FIG. 5 is a flow chart of a method for selectively transmitting network access requests consistent with the present invention.
FIG. 6 is a flow chart of a method for inhibiting access to content servers on a network consistent with the present invention.
FIG. 7 is a flow chart of a method for distributing content in a network consistent with the present invention.

DETAILED DESCRIPTION

System Architecture

Consistent with principles of the present invention, there is provided a system including a Service Preference Architecture (SPA). The SPA is a collection of hardware components and software routines executed by the components. Components installed at a subscriber's site may be referred to as gateway units, or more specifically, Communication Gateways (CGs). The subscribers may include residential and business subscribers. The CGs may include a data storage device such as a hard drive, and are operable between active and inactive states. CGs operate in conjunction with SPA-based Internet Service Providers (ISPs) under the control of "controller nodes," hereinafter referred to as Internet Control Points (ICPs). The ICPs are installed in an ISP's network. ICPs may be network-based routers or computers that control the operation of CGs.

The software routines located in CGs and ICPs provide a suite of features for the system. ISPs, such as telecommunication carriers, electronic data centers, and cable TV companies, may be equipped to deliver the suite of features by using a network service based system.

In general, the SPA uses ICPs to control subscriber access to web sites and to deliver data to subscribers. The ICPs control the processing of data sent between subscribers (e.g., client PCs or LAN servers) and the ISPs or content servers with which they are exchanging information, using the CGs. The ICPs cooperate with hardware and software of the CGs located at a subscriber's premises to provide the specific features of the system.

The CGs cannot be tampered with by subscribers. This is accomplished by two aspects of the CGs. First, CGs are specifically designed to permit no subscriber-initiated programming and no access to the CG hardware or software. Instead, the CGs are provided only with compiled code loaded from flash memory, a hard drive, or EEPROM. Updates to this code are obtained from ICPs and encrypted passwords are stored in hidden, undocumented locations to allow authentication of ICP presence prior to CG control program update. The passwords are changed frequently during an "idle" process control phase and tracked by an ICP.

The second anti-tampering aspect is the provision of a housing for the CGs and a detector consisting of one or more "deadman" switches that are tripped upon opening the housing or removing a CG's hard drive. The circuit may be either passive or active.

If the detector is passive, it signals an internal controller upon re-start that it has been tripped and causes an event notification sent to an ICP upon next power-up. Upon receipt of the event notification, either the ICP initiates diagnostics and disables the CG if a software tamper has occurred, or the CG disables both its control software and its internal hard drive to prevent the hard drive from operating, until it is returned to the ISP for repair. Subscriber agreements may be used to supply a contract provision specifying that tampering voids the warranty and that the subscriber deeds a portion of the CG to the ISP and agrees to return tampered products to the ISP.

If the detector is active, the "deadman switch" is kept powered by, for example, battery or capacitor. The trip is used to immediately disable the controller software in the processor and the internal hard drive of the CG. Both may be reset only by the ICP, either automatically or by human intervention. These measures prevent subscribers from writing, compiling, executing, modifying, or otherwise tampering with the operating software of the CG. Second, the active mode prevents users from getting access to the content on the hard drive.

In addition to these tamper-proof provisions, all ICP-CG communications take place within the ISP side of the network and ICP-CG communications are secured with encryption and hashing. Furthermore, all CGs must be registered with the ISP. An ICP will not enable any service to an un-registered CG and an un-registered CG will not operate in an experimental environment at all. At the onset of power-up or transition from an inactive to an active state, the CG signals the ICP and the ICP returns an "OK" message prior to proceeding further. This transaction requires an encrypted password exchange to authorize the CG to enter an "active" state where it can play back, download or be used for anything delivering services to users. These measures ensure secure control of the data flow between both the ICP and the CG. This secure flow of data then enables ISPs to effectively and efficiently control the services provided to subscribers.

Reference will now be made in detail to the present embodiments (exemplary embodiments) of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

FIG. 1 illustrates an environment in which the invention may operate. A Service Preference Architecture (SPA) may include at least one Internet Control Point ("ICP") 50 connected to a network 52. Network 52 may be, for example, the Internet, a metro area network, or a local area network, and may include a plurality of SPA-controlled network elements 54 and non-SPA-controlled network elements 55. Network elements 54, 55 may include, for example, network switches and routers. SPA-controlled network elements 54 aid in regulating access and distributing content through network 52.

Also connected to network 52 are content servers including at least one SPA-controlled content server 56 and a plurality of communication gateways ("CGs") 58, including CGs 58, 58, ... 58. A subscriber terminal 60, 60, ... 60 may be connected to each respective CG 58, or in an alternative embodiment not shown, may be combined with each respective CG 58 to form "converged" CGs 58.

An SPA-controlled content server 56 may be, for example, a computing terminal used to deliver content services. A content service may include, for example, delivery of any media file (such as movies, music, pictures, and graphics), software file (such as a complete application, operating parameters, data files, or partial application/updates) or a real time application (such as interactive data processing, voice communications or visual communications to an end user). In an alternative embodiment, the functions of SPA-controlled content server 56 and ICP 50 may be combined in a single component.

ICP 50 is typically located remotely from subscriber terminals 60 and regulates both subscriber access to network 52 and distribution of content in network 52. The content may originate from SPA-controlled content server 56, for example, or from other content servers 57 in network 52. ICP 50 works in conjunction with CGs 58 and SPA-controlled network elements 54 by generating instructions which are transmitted over network 52 to CGs 58 and SPA-controlled network elements 54, where the instructions are executed.

ICP 50 may constitute the source of internet service control and conditional denial of subscriber access to ISP-selected URLs or IP addresses. ICP 50 may control CGs 58 to determine what web site data is allowed to pass through to subscribers using, for example, web browser programs executing in subscriber terminals 60. ICP 50 may also control packet inspection processing in CGs 58 to determine which data can be allowed to flow through CGs 58 to and from subscriber terminals 60, specifically when e-mail or file transfers are initiated. ICP 50 also controls what activities are engaged in by idle CGs 58 when corresponding subscriber terminals 60 are inactive. Idle CGs 58 may receive software downloads from ICP 50, collect data, and initiate communications activities that are disruptive to certain non-SPA content servers 57 that offer unauthorized copyrighted materials for illegal download by subscribers. Multiple ICPs 50 may be deployed geographically in an ISP's network to support the CG management capacity of ICP 50 and the number of subscribers in its service area.

An ISP may provide an ISP portal 62 to facilitate subscriber access to network 52. ISP portal 62 may be, for example, an enterprise data center. Access node 66 is associated with the ISP providing ISP portal 62. ICP 50 interacts with ISP portal 62, ISP associated access node 66, and SPA-controlled content server 56 to control subscribers' ability to access services that are offered by ISP portal 62. ICP 50 also controls CGs 58 to deliver various services, including, for example, advertisements, the home page for ISP Portal 62 or SPA-controlled content server 56 web servers, or software downloads to subscriber terminals 60 for their use of ISP 62 or SPA-controlled content server 56 services.

ICP 50 also interacts with SPA-controlled network elements 54 used by ISP portal 62 to deliver services. ICP 50 controls subscribers' ability to access services that are offered by the ISP portal 62 and controls the operation of the services themselves by controlling the flow of data through SPA-controlled network elements 54 used by ISP portal 62.

ICP 50 may be programmed either by human input or by operator-controlled web crawler software. Updates to a database in ICP 50 may be provided by an active intervention system 64 whereby changes to ICP 50 database entries are discovered and implemented. The updates to ICP 50 database may be made in a manner analogous to the regular updating of virus definitions for computer virus and worm protection.

The web crawlers, human intervention, and ICP 50 and CG 58 database updates may be controlled by active intervention system 64. Active intervention system 64 may include, for example, a set of centrally maintained computer systems. Active intervention system 64 may control the operation of various geographically deployed ICPs 50.

The process begins with active intervention system 64. Active intervention system 64 is used by human operators to discover new URLs or IP addresses to "pirate" sites to conditionally deny access to these URLs or IP addresses by CGs 58, discover changes needed to implement Digital Rights Management (DRM) techniques, discover and record new packet characteristics, install wiretaps as ordered, process new copyright registry entries, change encryption techniques, and perform other management services. ICPs 50 then deliver active and real time executed network management, distribute new database entries and software changes to CGs 58 and track operation of the SPA-controlled network elements 54. Although one ICP 50 is illustrated there may be more. Thus, multiple ICPs 50 may be networked together to enable them to manage large numbers of SPA-controlled network elements 54 and provide redundant, highly reliable operation. Furthermore, ICPs 50 may all use identical databases to enable uninterrupted network management.

As illustrated in FIG. 2, a CG 58 may include a user interface 100 that receives subscriber requests, entered by subscribers at an associated subscriber terminal 60, to access network 52. CG 58 may also include a network interface 102 to exchange data with network 52 and to receive instructions from ICP 50; a memory device 104 including a database for storing ICP-generated instructions, initial operating parameters, and other records; a processor 106 to implement the instructions; a content storage device 108 having a user partition and a network partition for storing content; and a housing disassembly detector 110 to prevent tampering, as described above. Memory device 104 may be, for example, a bank of one or more semiconductor memories, a bank of one or more hard disk drives, a combination of semiconductor memories and hard disk drives or any other device that holds data. Processor 106 may be, for example, a general purpose processor (such as a Pentium 4 processor, an integrated circuit, or collection of integrated circuits) that can execute program instructions and is designed to allow control of CG 58 to be implemented in purely software and may also be used for non-CG related general purpose computing applications, or processor 106 may be a special purpose processor (integrated circuit or collection of integrated circuits) that can execute program instructions and is designed with only the power, bus, memory, logic and hardware accelerators needed to control CG 58. Content storage 108 may be, for example, a bank of one or more semiconductor memories, a bank of one or more hard disk drives, a combination of semiconductor memories and hard disk drives or any other device that holds data. CGs may be provided in various forms, such as, for example, a gateway module that combines TV, video, internet and voice access, a dial-up remote access server, an ADSL modem/router, a satellite TV gateway, a cable TV modem, a converged set top-plus-internet gateway, a wireless modem, or other fixed or mobile computing, playback, recording, display or communications device including radio, TV, stereo, wireless phone, phone, DVD, VCR, WLAN access point, wireless broadband or narrowband modem, or similar device.

As illustrated in FIG. 3, an ICP 50 may include one or more network interfaces 200, one or more processors 202, a memory device 204 including a database for storing records, and a non-internet communications link for traffic between processors and shared storage and memory. The records preferably include instructions that may be updated by active intervention system 64 and distributed to CGs 58 and SPA-controlled network elements 54 for execution.

As illustrated in FIG. 4, SPA-controlled network elements 54 may include one or more network interfaces 300, one or more processors 302, a memory device 304 including a database, and one or more switch modules 306 for providing routing and switching services. Components 300, 302, and 304 may operate in a similar fashion to the corresponding components of the CGs. SPA-controlled network element 54 may be provided in various forms, such as, for example, a computer used to deliver data services or content services, a core router or ATM switch, a subscriber management system used to control access to the network, authenticate subscribers or devices before allowing access into the network, a DSLAM, cable modem system, wireless modem system, or any other multiplexing or channel service delivery system, or a satellite that incorporates any of these elements.

Service Initialization

CGs 58 may be required to register with ICP 50 when they are powered up for the first time. CGs 58 will remain inactive until they receive a registration confirmation from SPA-controlled content server 56 or ICP 50. The registration process may include collection of information by ICP 50 for a warranty registration from the subscriber such as, for example, CG's 58 hardware address and other identifying data. ICP 50 will then send CG 58 the latest operating software, if necessary, and its initial operating parameters to load in memory 104. Initial operating parameters may include, for example, the address of the CG's 58 ICP 50 and other variables as described below. Subsequent re-registrations may be initiated by CG 58 under subscriber control for address or ISP changes.

Active and Inactive CG Processing Control

Upon power down or inactivity timeout of CG 58, CG 58 may register itself as "idle" by sending an event notification to ICP 50. The duration of an inactivity timeout may be preset and may be changed by input to ICP 50 for distribution to all CGs 58 under the control of ICP 50.

Upon subsequent re-activation, which may be initiated by either power up or signals from subscriber terminal 60, CG 58 identifies itself as "active" by sending an event notification to ICP 50, which responds with an acknowledgement. Failure of a CG 58 to receive an acknowledgement results in a series of re-tries until finally a timeout or maximum number of re-tries occurs. When this occurs, a diagnostic program may be executed in CG 58 to advise the subscriber what to do next, based on the deduced source of the failure. Active CGs 58 may process and control delivery of content and services from SPA-controlled content server 56 or ISP portal 62. Inactive CGs 58 may process and control either CG maintenance or may carry out activity delegated to inactive CGs by design.

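The gateway lifecycle described in the sections above (registration before any service, the "active" notification with acknowledgement and bounded re-tries, the "idle" notification, and the passive and active tamper detectors) can be modelled as a small state machine. This is an added example, not code from the patent: the class and method names are hypothetical, the hardware addresses are constructed, and an HMAC-SHA256 challenge-response stands in for the "encrypted password exchange", which the text does not specify.

```python
import hashlib
import hmac
import os
from enum import Enum


class State(Enum):
    INACTIVE = "inactive"
    ACTIVE = "active"
    DISABLED = "disabled"


def _tag(secret, nonce, event):
    # Assumption: HMAC over a fresh nonce stands in for the password exchange.
    return hmac.new(secret, nonce + event.encode(), hashlib.sha256).digest()


class ControlPoint:
    """Hypothetical ICP: holds registrations and answers event notifications."""

    def __init__(self):
        self.secrets = {}      # hardware address -> shared secret
        self.events = []       # (hardware address, event) notifications seen
        self.reachable = True  # set False to simulate a lost acknowledgement

    def register(self, hw_addr):
        self.secrets[hw_addr] = os.urandom(32)
        return self.secrets[hw_addr]

    def notify(self, hw_addr, event, nonce):
        if not self.reachable or hw_addr not in self.secrets:
            return None        # no service for an unregistered gateway
        self.events.append((hw_addr, event))
        return _tag(self.secrets[hw_addr], nonce, event)

    def reset(self, gateway):
        # Only the control point may bring a disabled gateway back.
        gateway.tamper_latched = False
        gateway.state = State.INACTIVE


class Gateway:
    """Hypothetical CG following the lifecycle described above."""

    MAX_RETRIES = 3

    def __init__(self, hw_addr, icp, active_detector):
        self.hw_addr, self.icp = hw_addr, icp
        self.active_detector = active_detector
        self.secret = None
        self.state = State.INACTIVE
        self.tamper_latched = False
        self.attempts = 0

    def register(self):
        self.secret = self.icp.register(self.hw_addr)

    def _notify(self, event):
        """Send one event notification; True only for a valid acknowledgement."""
        nonce = os.urandom(16)
        ack = self.icp.notify(self.hw_addr, event, nonce)
        if ack is None or self.secret is None:
            return False
        return hmac.compare_digest(ack, _tag(self.secret, nonce, event))

    def power_up(self):
        self.attempts = 0
        if self.state is State.DISABLED:
            return self.state
        if self.tamper_latched:            # passive detector reports on restart
            self._notify("tamper")
            self.state = State.DISABLED
            return self.state
        while self.attempts < self.MAX_RETRIES:
            self.attempts += 1
            if self._notify("active"):
                self.state = State.ACTIVE
                return self.state
        self.state = State.INACTIVE        # re-tries exhausted: run diagnostics
        return self.state

    def inactivity_timeout(self):
        if self.state is State.ACTIVE:
            self._notify("idle")
            self.state = State.INACTIVE

    def housing_opened(self):
        if self.active_detector:           # powered switch: disable at once
            self.state = State.DISABLED
        else:                              # passive switch: latch until restart
            self.tamper_latched = True


def demo():
    icp = ControlPoint()
    cg = Gateway("00:00:5e:00:53:01", icp, active_detector=False)  # constructed
    trace = [cg.power_up()]                # unregistered: never acknowledged
    cg.register()
    trace.append(cg.power_up())            # acknowledged on the first attempt
    cg.inactivity_timeout()
    trace.append(cg.state)
    cg.housing_opened()
    trace.append(cg.power_up())            # latched trip reported, then disabled
    return [s.value for s in trace]


if __name__ == "__main__":
    print(demo())
```

Because the acknowledgement is checked against a secret set at registration, an "OK" from anything other than the registering control point leaves the gateway inactive.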
Conditional Denial

FIG. 5 shows a method, consistent with the invention for regulating user access to a network. In step 400, a gateway unit associated with a user receives controller instructions from the network. Next, at step 402, the gateway unit receives a network access request from a user, via a subscriber terminal. At step 404, the gateway unit selectively transmits the network access requests over the network in accordance with the controller instructions. Finally, at step 406, the gateway unit receives content data responsive to the transmitted network access request from the network. Consistent with the present invention, this section, and others that follow, describe in more detail the implementation of this method.

CGs 58, under ICP 50 control, may provide a network based Digital Rights Management (DRM) service. The DRM service denies subscribers the capability to send or to receive data from or to "pirate" URLs or IP addresses that are known to contain unlicensed copyrighted material. In implementing this denial, CG 58 deletes the "pirate" URL or IP address and substitutes the URL or IP address of a site that offers licensed copyrighted materials for legal, authorized sale. The list of "pirate" URLs or IP addresses that are known to contain unlicensed copyrighted material may be regularly updated, similar to the manner in which virus definitions are regularly updated.
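
Steps 400 to 404 of FIG. 5, with the substitution described above, can be sketched as a versioned deny list that the gateway consults before transmitting a request. This is an added example, not code from the patent: `DenyList`, `selectively_transmit` and the sample entries are hypothetical, and the subdomain matching, CIDR ranges and version counter are assumptions that go beyond what the text specifies.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample instructions: (denied host or network, substitute URL).
SAMPLE_ENTRIES = [
    ("pirate.example", "https://licensed.example/store"),
    ("203.0.113.0/24", "https://licensed.example/store"),
    ("2001:db8::/32", "https://licensed.example/store"),
]


class DenyList:
    """Controller instructions held by the gateway (FIG. 5, step 400)."""

    def __init__(self):
        self.version = 0
        self.hosts = {}      # denied host name -> substitute URL
        self.networks = []   # (denied IP network, substitute URL)

    def update(self, version, entries):
        """Install a newer list; ignore a stale or replayed one."""
        if version <= self.version:
            return False
        hosts, networks = {}, []
        for target, substitute in entries:
            try:
                net = ipaddress.ip_network(target, strict=False)
                networks.append((net, substitute))
            except ValueError:  # not an address or range: treat as a host name
                hosts[target.lower().rstrip(".")] = substitute
        self.version, self.hosts, self.networks = version, hosts, networks
        return True

    def lookup(self, host):
        """Return the substitute URL for a denied host, else None."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            for net, substitute in self.networks:
                if addr.version == net.version and addr in net:
                    return substitute
            return None
        # Match the denied name itself and any subdomain, on label boundaries.
        labels = host.split(".")
        for i in range(len(labels)):
            substitute = self.hosts.get(".".join(labels[i:]))
            if substitute is not None:
                return substitute
        return None


def selectively_transmit(deny_list, request_url):
    """Return the URL the gateway actually sends upstream (step 404)."""
    host = urlsplit(request_url).hostname
    if host is None:
        return request_url   # nothing to match against
    substitute = deny_list.lookup(host)
    return request_url if substitute is None else substitute


if __name__ == "__main__":
    dl = DenyList()
    dl.update(1, SAMPLE_ENTRIES)
    for url in ("http://Pirate.Example:8080/album.zip", "https://news.example/"):
        print(url, "->", selectively_transmit(dl, url))
```

Matching on the parsed host rather than the raw request string means case, port and trailing-dot variants of a denied name resolve to the same entry.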

Furthermore, when other non-w