The following acronyms are used:                CM—Cable Modem;        CMTS—Cable Modem Termination System;        CPE—Customer Premises Equipment;        HFC—Hybrid Fiber/Coax;        ID—Identifier;        IP—Internet Protocol; and        MAC—Medium Access Control.        
The present invention relates to subscriber networks, such as HFC cable television networks, and more particularly to controlling access to services provided over the network. The invention is particularly suitable for use with networks with subscriber terminals/set-top boxes that use two-way modems, such as CMs, that are connected to the network.
Such modems are increasingly being used to allow network users to send and receive data, such as from the Internet data, at relatively high speeds. The modems may also provide telephony capabilities. The invention also is useful generally for terminals that have any upstream signaling capability via the network, e.g., to a network headend.
It is important for a network operator to control access to services that are delivered via the network. However, there is a tradeoff between the level and cost of security distributed throughout any communications network. The extremes of this tradeoff are:                (a) place all of the security within the CPE (such as in a user's home), in which case, for example, only physical security associated with encryption keys is provided; and        (b) place all of the security in the network, e.g., implement network security protocols that rely on the trust associated with the absolute identity, in this case physical location, of the distributed elements of the network.        
For the latter case, if duplicate CPE could be identified with absolute certainty, security protocols and procedures can be implemented that relied on this trust. For purposes of this disclosure, the terms “consumer premises equipment”, “subscriber unit”, “terminal”, “set-top box”, “cable modem” and the like are used interchangeably.
Unauthorized persons (“pirates” or “attackers”) have been successful in gaining access to networks using various attack techniques. One possible attack on a network of the type described above is to move the permanent identity of a first subscriber unit (e.g., a CM or other CPE), for which a subscriber has paid for the services provided by the network, to a second “clone” subscriber unit in the network. The first subscriber unit is known as the “clone master.” This cloning can be performed if the security information or unit ID of the first subscriber unit is not protected from theft. Such cloning allows a single individual to purchase programming or other data services legitimately from the network, and then sell to others for a profit, without authorization, the ability (along with possibly modified terminals) to access the services.
An alternative motivation is the theft of the identity of a unit, then selling that identity to persons wishing to illegally use other network services and not pay. For example, current networks users who pay for a basic level of services can obtain enhanced services without paying. The network operator can incur significant revenue losses if the identity of the compromised unit were used, for example, to access long distance telephone services or gain free unlimited Internet access, e.g., via a CM.
To remain undetected in the network, the cloned unit must possess all of the characteristics of the clone master. If the clone is identical to the clone master, the clone will merely use the bandwidth and ID of the clone master. Moreover, if a clone unit has multiple (N) clone IDs, any of these identities can be used to gain access to the network. A concentration ratio of N:1 allows the cloned units to operate in the network with little chance of collision, if N is large enough.
The cloned units can continue to operate undetected if the network operator (e.g., the CMTS and associated servers operated by or for the service provider) does not detect any noticeable anomalies in the network's traffic, such as multiple IP addresses, increased traffic flows, etc. Additionally, the clones can continue to operate undetected even though the network operator verifies the identity of the unit that sends an upstream message. This is achieved because the verification of an ID of the subscriber unit (e.g., a CM or other CPE) is performed before the modem is registered with the network. The ID may specify a manufacturer's serial number, IEEE MAC address, and so forth. However, there is no practical method for any network operator to associate this address to a specific modem prior to modem registration.
A cloned network element will remain undetected as long as there are no discernable differences between any of the master and cloned units, and they operate within the network in a logical and physically possible manner.
For example, one method for detecting cloned analog cell phones is to identify telephone calls that originate from physically distant parts of the network within a short time window. However, such methods of clone detection are marginally effective at identifying cloned phones since unauthorized calls within the same general vicinity (e.g., same city) as unauthorized calls cannot be flagged. Additionally, data indicating the location, such as which network cell is used, must be communicated upstream to a central processing facility. Moreover, this technique is not easily used in a subscriber network such as an HFC cable television network since there is no provision to identify the network path (e.g., branch or hub) that is traveled by an upstream message from a clone terminal.
Accordingly, it would be advantageous to provide a reliable system for detecting cloned units, such as CMs, in a network. The system should be implementable with relatively low cost and complexity, and without significant disruptions in service. The system should recognize and take advantage of the fact that systems which support CM service or telephony service (e.g., HFC cable television and the like) allow several unique aspects of the physical layer to be exploited, such that subscriber units (e.g., modems) can be uniquely identified even if the unique ID can be cloned into other units.
The system should be compatible with the “Data Over Cable Service Interface Specification RF Interface” (DOCSIS RFI) standard.
The present invention provides a system having the above and other advantages.