
Intelligence Platform

Information Extraction for Actionable Intelligence


Steps towards deployment

All rights Reserved. Intelligence platform and strategic monitoring 06-Feb-10 10 v1.0.doc

Accuracy
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication.

Restricted Rights


You may not reproduce, transmit, transcribe, store in a retrieval system, or translate into any language or computer language, in any form or by any means, electronic, mechanical, optical, magnetic, photographic, manual, or otherwise, any part of this publication without the express permission of .

Limitations
This document has the following conditions and restrictions: This document contains proprietary information belonging to our partner. Such information is supplied solely for assisting explicitly and properly authorized users. No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the express prior written permission of our partner. No part or parts of this document shall be copied, used for commercial purposes or passed to any third party for any use, without approval of . The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.

info@defensetechs.com


Table of Contents
1 Introduction
2 Objectives of this document
3 Abstract
4 Intelligence bodies Challenges
5 Introduction to the Solution
6 Gathering Project Information
  6.1 Gathering Information
  6.2 Analyzing the collected information
  6.3 System Design
  6.4 Commercial Proposal
7 Solution Description
  7.1 IRMP Intelligence Rules Management Platform
    Concept
    Features
    System Components Overview
    Access control and users management
  7.2 Location Tracking For Intelligence
8 Visual Links Mapping
    Functional Capabilities
    General description
    Visualization
    Multi Contextual Analysis
9 Interception and Targeting
10 Cellular Extractor and Selective Jammer
11 Internet Denial of Service (DoS) Service Blocking
12 Umbrella Solution for LIS Systems (Phase-2)
13 Field Laptop
14 Platform Hardware & Software Specifications
15 Probes
  15.1 TDM ATM Probe
  15.2 IP Probe
  15.3 Mode of Operation
  15.4 Technical Specifications
    15.4.1 Key Features
    15.4.2 Interception Criteria
    15.4.3 Capacity Parameters

Table of Figures
Figure 1: Functional model for lawful interception
Figure 2: Architecture of the LIMS
Figure 3: Intelligence Platform
Figure 4: Rule Builder
Figure 5: Rule Engine Concept
Figure 6: Intelligence Location Data Records Extraction
Figure 7: Example of Detection of group meeting to plot a crime
Figure 8: Cell & sector & Time Advanced location
Figure 9: Active location for Intelligence
Figure 10: Correlating location with analysis results
Figure 11: Examples of the Analysis application & Analysis Results
Figure 12: Map of the results of analysis
Figure 13: Signaling Monitoring for CDRs LDRs extraction
Figure 14: Signaling & Voice links monitoring (CDRs LDRs & Voice)
Figure 15: IP network Signaling & Content monitoring (IPDRs & Content)
Figure 16: BTS Extracting IMSI/IMEI/TA
Figure 17: BTS triangle location tracking
Figure 18: BTS black/white list creation
Figure 19: Service for White Listed Phones
Figure 20: DoS for All Other Phones
Figure 21: Activation of BTS
Figure 22: DoS for IP users
Figure 23: Architecture of Umbrella Solution
Figure 24: Umbrella Solution activation
Figure 25: Field LAPTOP
Figure 26: Hexa E1/T1 Compact PCI Telecommunication Adapter


Introduction

is pleased to present intelligence agencies with a turnkey solution that gives intelligence bodies a comprehensive, secure and reliable system for providing effective electronic intelligence services to the Agencies of the country.

About
develops and markets a wide range of strategic and tactical solutions and products for the security forces, lawful agencies and intelligence bodies. in-house developed products monitor the telecommunications networks and generate meaningful sources of information for intelligence and lawful intercept.

End-to-End Applications
Lawful Interception - A family of LI applications based on signaling passive probing.
Intelligence Solutions - A family of strategic and tactical solutions for intelligence bodies.
Location - An active location tracking system for subscribers, using a combination of active query modules and passive probes.
A-GPS - Precise location tracking for subscribers, using a combination of cellular technology and GPS.
Probes - TDM & IP probes infrastructure.
Anti Fraud - A complete suite of Anti Fraud applications for IP and TDM networks.

Vendor reputation and experience


is backed by the Israel Ministry of Defense and we work with the relevant security/intelligence and telecom operators locally. In addition, worldwide established Tier 1 operators such as AT&T, Cable & Wireless, Sprint, Telefonica, Vodafone, Reliance (among others) have trusted their mission critical needs and projects to us. has offices in Israel and India. was established in 1999 by a group of Israeli entrepreneurs. The company is profitable and quickly made its way to financial independence and a fast growth track. As part of the process we entered relationships with the biggest and most renowned telecom vendors as channels to our products. Nevertheless always aimed at independence and in the last years has reinforced its direct sales through the establishment of satellite offices in 2 continents and by enhancing its product line. This approach has proven to increase the company's ability to market directly, to better understand changing market requirements and eventually to improve the company's financial performance. Thanks to the technical superiority and uniqueness of our products we still work with all of them and continue to sell OEM products. In the process, passive probes have been utilized to monitor all of Israel's 4 mobile operators on A-interface level and on other links: Pelephone, MIRS, Cellcom and Partner/Orange. In some of them replaced incumbents, in most of them a few applications have been deployed, and are being continually supported, upgraded and scaled up. 3rd generation technologies have been deployed both on CDMA and GSM networks. The company has built a reputation for the highest technical skills, innovation, customer orientation, highest product standards and financial independence. Increasing efforts in customer care led to increased customer satisfaction and enabled us to cross-sell and up-sell additional products and capacity to most of our customers. has widely deployed its solution all over the globe both through its partners and independently.

Lawful intercept deployment


Lawful interception solutions (LI) are sold almost in every case to government and security organizations. India is an exception in which regulation imposes on telecom operators the duty to enable Lawful Monitoring on its facilities. As a world leader in network probing, SS7 and IP passive probes are chosen by competitors as part of their solutions to monitor the networks. We may mention that passive systems of this nature are sold either in the form of complete end-to-end systems or as OEM products through other market leaders throughout the world.


Objectives of this document

This document is generated by for intelligence bodies in order to describe the steps towards the deployment of a strategic intelligence system across the intelligence organizations. The document describes the current lawful interception solutions scenario and its drawbacks for intelligence systems. Furthermore, the document provides the guidelines to the questionnaire that will be the tool for collecting the information related to the deployment of the solution.

Abstract

The Challenges to Lawful Interception


With a worldwide landscape characterized by entirely new forms of electronic communication, including digital communication based on Internet technologies that have gained popularity over the last decade, the nature of lawful interception (LI) has changed substantially. Regulatory mandates implemented in many countries present a significant challenge to the telecommunications companies, network operators, and service providers tasked with meeting current requirements. Solutions that have been developed in recent years to comply with local and national regulations differ considerably from the tools of past eras, when lawful interception encompassed primarily the public switched telephone network (PSTN), permitting simpler monitoring of what was essentially a closed network. In this digital era, when the Internet provides multiple means of exchanging messages and voice communications over a much more open telecommunications network than the PSTN, the onus is on companies to modify and extend their network infrastructures to accommodate the necessary framework for lawful interception and to support techniques that permit the capture and analysis of communication data in response to law enforcement requests. The complexities of today's communication environment heighten the need for lawful interception tools versatile enough to contend with the widest range of wired and wireless communication exchanges. These tools must also have the interoperability to integrate easily into existing network infrastructures as well as the reliability to meet real-world challenges in a proven and secure manner. Regardless of the architecture or technology employed in lawful interception activities, effective solutions need to be available on demand to respond to all lawful surveillance requests from those agencies empowered by law to obtain the information. This document discusses the elements of a successful lawful interception solution from the perspective of those organizations looking to modify their infrastructure to meet requirements. The target audience includes network operators with fixed and mobile installations, Internet service providers, telephone companies, system integrators, and law enforcement agencies.

Lawful Interception in the 21st Century


The types of communication available to individuals in these early years of the 21st century are versatile, diverse, and based on an expanding range of technologies. Modern telecommunications networks offer access through a tremendous range of technologies, including PSTN, ISDN, xDSL, WLAN, WiMAX, GSM, GPRS, UMTS, CDMA, cable, and other technologies based on the Internet Protocol (IP). Hence, intelligence gathering becomes challenging. Each person may have:
- Unlimited mobility
- Several identities
- Voice, fax, data
- Several SP (access, content, switching)

Nowadays telecommunications has emerged as an environment with the following features:
- Full convergence of the IP and Circuit switched world
- Full global Mobility and Availability
- No subscription and vague identity
- P2P applications, encryption
- No clear service provider, mostly access providers

Telecom Trends
- Availability anytime, anywhere and through any access method
- Free connectivity, free communication applications
- No need for subscription
- No need for identification
- Deregulation of the telecom market

Voice communication services have progressed from a fixed network model to encompass wireless technologies, such as cellular telephones, and Internet-based exchanges, such as voice over IP (VoIP). Data services have expanded as well, spanning video, facsimile (fax) services, Short Message Services (SMS), e-mail, image transmissions, and other services. Internet-based communications have become ubiquitous and have grown far beyond the basic capabilities of e-mail to include instant messaging, peer-to-peer (P2P) networking, chat services, and low cost voice communication through a variety of companies and emerging technologies such as Session Initiation Protocol (SIP). The nature of the Internet also suggests that new applications and innovative tools will be developed in the future to extend communication options in unpredictable ways. Amidst this profusion of communication possibilities, national security organizations and law enforcement agencies need mechanisms and proven techniques to detect criminal activities and terrorist operations. The need for lawful enforcement solutions is growing even while the dynamics of the market and the legal and regulatory framework continue to evolve. Network operators, ISPs, telephone companies, and others face an unprecedented public and regulatory obligation to adapt their workflow and infrastructure, tapping into the vast flow of information within the telecommunications spectrum to selectively extract targeted data. For example, the interception of a single e-mail message can pose a major challenge to an Internet Service Provider because of the high volume of IP traffic handled by a typical large Internet gateway.

LIMS solutions for Law enforcement Agencies - the current scenario


Lawful interception (LI) is by its nature target-centric monitoring over the networks; it is the legally approved surveillance of telecommunication services.


Figure 1: Functional model for lawful interception

The LIMS solution usually acts as a bridge or mediator between the service provider's network and the LEA's monitoring centers.

Figure 2: Architecture of the LIMS

How does Lawful Interception work? It mostly relies on the following available identity parameters:
- Calling number or Called number
- IMEI or IMSI
- Subscriber's number
- Source or destination IP address
- Email address
- User name

Interception is done according to a unique, easily identifiable parameter or combination thereof which is linked with the targeted entity.


The outcome of the lawful intercept systems is the target's session(s) / voice call content (CC) and their related information (IRI). Obviously, the targeted data is limited to those targets that are provisioned under the court warrants, and it is absolutely insufficient for intelligence, which is interested in looking at the entire picture and in continuous sources of information in order to analyze the call patterns of not only the targets but also their associates and to take action. Moreover, the agencies would like to analyze the historical data to establish linkages between criminals or suspected terror networks.


Intelligence bodies Challenges

Intelligence bodies' objectives are to defend the country from crime and terrorism in a different manner, mostly from anonymous people who plot crimes and terrorist attacks. Intelligence is derived from sources of information which are taken from different domains, and one of them is telecommunications. Hence, the intelligence systems require real-time, continuous and comprehensive information sources that will feed the intelligence system functions:
- Analysis
- Rules base engine
- Intelligence management
- Alerting & alarming
- Presentation
- Actionable immediate crime and terrorist preventing operations

One of the objectives of the intelligence analysis systems is to produce new targets for the targeting systems.

Lawful Intercept Drawbacks vs. the intelligence requirements


The outcome of the lawful intercept systems is limited to the target's session content and their related information (IRI). By nature the lawful interception equipment and the network elements (e.g. switch, MSC) which extract the target's information are limited, as they were initially designed to support a certain amount of targets and throughput. The network elements' first priority is to provide the service to the customers and only then to generate the targeted data. Obviously, the targeted data is limited to those targets that are provisioned under the court warrants, and it is absolutely insufficient for intelligence as it may be network specific, incomplete, not comprehensive and intermittent.


The drawbacks of the current solutions are

In general we identify four major domains which current systems lack:
a) missing sources of information
b) lack of cross organizational intelligence process
c) lack of cross organizational information sharing
d) lack of actionable intelligence

These are characterized by:
- Insufficient, discontinuous and incomprehensive meaningful information sources
- Limited network monitoring
- Limited historical data
- Limited sessions usage records
- Limited visibility of the wide telecommunications network
- Decentralized & local monitoring management; no centralized management
- Inability to link between occasions & suspects, as meaningful data sources are very few
- Inability to link between telecommunication sessions generated on different types of networks, such as linking between sessions over different mobile networks in different geographical locations, or between internet networks and mobile networks
- Crime & terrorism historical and real-time location information is not monitored over the networks, resulting in an inability to track suspects' locations and movements while the terrorists are moving towards the security forces, meeting together in secret locations, or moving in deserted areas, most probably to put a bomb before the security forces drive through these roads
- Inability to alert the officials in real time by any means in order to avoid crime and terrorist activities
- Inability to share the collected information and the meaningful post-analysis results between the local agencies and on a regional level


Introduction to Solution

Communication Ltd comprehensive proven suite, used globally, based on innovative probing and network-centric analytical methodology and technology. This specific solution for information extraction for actionable intelligence, sharing and analysis has been successfully deployed globally and is suitable for local, regional and/or State wide implementations. The suite aims to extract the telecommunications data and turn it into effective intelligence to prevent and combat criminal and terrorist activity. Relevant data is originally dispersed in different telecommunications systems such as mobile, internet service providers, international and national long distance calls and others, in network & information systems in different locations, formats and structures. It is pumped into a data fusion center and used as the basis for analysis of criminal, terrorist & hostile networks. The users of the system are law enforcement officers and analysts at any level. Another important objective of the system is to send relevant generated alarms & alerts, which were created upon the activation of the criminal activities pre-defined rules after the system detected data, from this center to other regional, State or federal agencies as prescribed by the administrators of the intelligence Plan. In addition, the system allows effective local use of the shared data while at the same time eliminating the need for each local agency to adapt their own systems. Furthermore, the system allows real-time actionable provisioning of different systems such as a tactical selective jammer, which selectively blocks the GSM users upon an immediate target service blocking request from the intelligence system. Vice versa, the selective jammer's IMSI and IMEI BTS extractor is used as one of the inputs to the Intelligence system, as it can accurately detect the GSM users' activation & location.

Gathering Project Information

The questionnaire aims to obtain sufficient information for generating the technical and the commercial proposals for the intelligence platform deployment. This paragraph depicts the guidelines for the information collection. It describes the information required on the telecommunication networks' sources of information, their frequency, comprehensiveness, bandwidth and geographical locations. Furthermore, the questionnaire requests the specific intelligence specifications, geographical locations of monitoring centers and proposed locations for deploying system components. In addition, the questionnaire determines the requirements for the pilot project and the complete project. The following action items describe the processes involved prior to the deployment of the system.

6.1 Gathering Information

generates a system questionnaire which includes the following clauses

Clarifications for the currently deployed ETSI lawful interception system. This information will allow to design the connectivity to the current lawful interception system for targeting the suspects. This will be built as an umbrella solution that manages and extracts existing ETSI compliant LI systems deployed on all the networks. In case the current deployment meets the current LIS GR requirements partially, then it needs to be ascertained whether the existing system can be scaled up to meet the current requirements or whether it would require a forklift upgrade.

Clarifications for mobile networks in the region
  i. Names of the mobile networks (GSM 2G, 2.5G, 3G), CDMA
  ii. Quantities and locations of the MSCs & MG, GGSN-SGSN
  iii. For extracting the data records from A-Interfaces & IOS - number of expected E1/STM1/IP/ATM links which run the signaling between the MSC and the BSC
  iv. For optional voice calls targeting - voice links to be monitored by the probes for targeting
  v. Number of subscribers
  vi. Switch vendors

Clarifications for ISP networks in the region
  i. Names of the ISP networks and Locations
  ii. Size - number of users
  iii. Major pipes bandwidth in/out of the ISP (e.g. 100 Mbps, GigE, 10GigE)
  iv. Radius links and protocols

Clarifications for PSTN networks in the region
  i. Names of the PSTN networks and Locations
  ii. Size - number of subscribers
  iii. Locations of the main switches
  iv. Switch vendors

Clarifications for ILD Voice networks in the region
  i. Names of the ILD networks and Locations
  ii. Size - number of subscribers
  iii. Locations of the gateways
  iv. Number of E1 carried in/out
  v. Switch vendors

Clarifications for NLD Voice networks in the region
  i. Names of the NLD networks and Locations
  ii. Size - number of subscribers
  iii. Locations of the gateways
  iv. Number of E1 carried in/out
  v. Switch vendors

Clarifications for the proposed installation location of the Intelligence system
  i. Preferred backend Location for the IT & storage & applications
  ii. Preferred NOC for the administrators of the system
  iii. Location of the local monitoring centers (city level)
  iv. Location of the regional monitoring centers
  v. Location of the state monitoring centers
  vi. Available communication links between the operators and the backend and MC at each level (e.g. E1, DS3, STM1/4/16, IP)

Gathering the intelligence specific requirements from the agency which will be controlling the system
  i. Processes to be in place for intelligence management
  ii. Initial Rules of crime and terrorist activities to be collected. Note: the majority of the rules will be deployed during the commissioning of the system along with the agencies.
  iii. Define reports
  iv. Define automatic and manual activation rules
  v. Define administrator rules

6.2 Analyzing the Collected Information

gathers & analyzes the collected information towards the project design of the system

- Geographical design - the entire network geographical locations are considered for placement of the front-ends (probes) and for the physical communication links placement designed over the region.
- Probing devices planning - the quantities and types of required probing devices (e.g. TDM, IP) are correlated with the locations, links and protocols to be monitored, resulting in a list of desirable probing devices over the entire region. At this stage, a consolidation of network probing elements is considered for efficient deployment.
- Calculation of the links bandwidth between the system entities at the different geographical locations.

6.3 System Design

Based on the collected information analysis, designs a multi-phase project

(1) Pilot project - starting with a pilot project which will consist of all the functionalities of the solution but will be given on a small scale for the monitoring of a preferred mobile network and ISP.

(2) Entire project - after the completion of the pilot project with the evidence that the system capabilities, and the customer (agency) signs a contract for the entire project for monitoring the entire networks and providing a wide intelligence system to the customer as per the predefined specifications.

(3) ETSI LIS Umbrella module - after the completion of the initial phase (probe-based system deployment) proposes to supply an Umbrella system to control the current ETSI LIS systems that will enable to remotely manage and provision new targets as per the system real-time activation modules and/or as per the court issued warrant. The umbrella system will allow the agency to take the action of monitoring suspects on the fly, based on their weight and severity generated by the intelligence system.

(4) Customer Service Automatic Deactivation


Another important objective of the system is allow the deactivation of customer mobile services in real-time after the intelligence system rules detected a high profiles suspect. provides the mechanisms and the interfaces to other solutions and network provisioning systems. The following modules and mechanism from telecommunication services: allows the deactivation on the

a. Cellular Extractor and Selective Jammer - based on a GSM BTS, it retrieves cellular identities (IMSI/IMEI) of GSM (2/2.5G) phones in the coverage area. It provides mass wide-area locations for these phones and accurate locations for phones (using several systems together). Furthermore, it provides extremely accurate location information for specific targeted cell phones. The intelligence system will interface with it to allow automatic blocking of the suspected mobile customers. The entire solution is described in a separate paragraph in this document.

(5) Each design is followed by a technical solution including:

b. Layout of the physical front-ends, which consist of the probing devices, IT and communications
c. Layout of the centralized backend, which consists of the centralized servers and the core of the intelligence software
d. Layout of the NOC, which controls the entire system elements
e. Detailed design of the analysis layer
f. Detailed design of the rule base layer
g. Detailed design of the monitoring center
h. Detailed Bill Of Material - BOM

6.4 Commercial Proposal

Based on the detailed design, generates a commercial proposal for the:

(6) Pilot project - commercial proposal for the pilot, limited networks monitoring
(7) Entire project - commercial proposal for the telecommunications coverage system for the entire networks in the region

Each proposal consists of different solution modules as follows:

i. Separate specific-purpose front-end modules - consist of the hardware and software required for each and every front-end type, with different sizing
j. Backend - consists of the hardware, software and communications required for the day-1 backend, with scalability for future growth
k. Layout of the centralized backend, which consists of the centralized servers and the core of the intelligence software
l. Layout of the NOC, which controls the entire system elements
m. Detailed design of the analysis layer
n. Detailed design of the rule base layer
o. Detailed design of the monitoring center
p. Detailed Bill Of Material (BOM) for every option

Solution Description

Communication Ltd is proposing a new concept for Intelligence Information Extraction for Actionable Intelligence, based on strategic monitoring which comprehensively and widely monitors the telecommunications networks. The platform allows inputs from non-telecom sources, such as immigration and treasury departments, to be processed, analyzed and correlated with the telecommunication sources, and alerts on potential threats.

Figure 3: Intelligence Platform

7.1 IRMP Intelligence Rules Management Platform - Reactive Rule Engine

Introduction
As telecommunication networks continue to grow in size, sophistication, types of services, and geographic reach, Law Enforcement Agencies are turning to automated intelligence management solutions with advanced, real-time diagnostics to manage and enable investigations in complex infrastructure environments. From out-of-the-box network event management to customizable and extensible event correlation and root-cause diagnostics, the Intelligence Rule-Engine Platform automates events and services within the most complex network environments in real time, near real time or off-line (based on events aggregation).

IRMP (Intelligence Rules Management Platform) is a module that helps manage, automate and enforce reactive rules. The need for such rules may come from legal regulation, policy or other sources. The Rule Engine software, among other functions, may help to register, classify and manage all these rules; verify consistency of formal rules; infer some rules based on other rules; and relate some of these rules to Information Technology applications that are affected or need to enforce one or more of the rules (e.g. creating a warrant, disconnecting a mobile call of a suspect subscriber or "alerting" operational units). Rules can also be used to detect interesting terror/criminal situations automatically.

IRMP transforms real-time operations data (e.g. pre-CDR/IPDR as well as unsuccessful/non-completed calls) into automated decisions and actions, all in real time. This platform works in conjunction with existing operational systems, including enterprise systems, databases, automation systems, data historians, network management systems, CRM and more.

In off-line mode, the filtering mechanism will act only on CDRs and Alerts residing in the database. This will be a batch process, either pre-scheduled or manually activated.

Figure 4: Rule Builder

Concept

Figure 5: Rule Engine Concept

Its combination of object technology, extensive rule-engine technologies, and proven reliability, scalability, and performance make IRMP unique in its ability to address complex networks for intelligence purposes.

Features

Proactive real-time monitoring of various Telco networks (Mobile, Wireline and IP) based on state-of-the-art probes
Automation of the time-consuming steps required to analyze, diagnose and investigate network phenomena/scenarios
Rapid determination of the suspect and his "behavior" impact analysis
Flexible user interface - expression editor for defining rules or parameters, and intuitive filtering capabilities (events/alarms)
Multi-stage events - the operator will be able to define, for branch-type events (following the triggering event), whether to look for a following event or search for a previous event
Correlation capabilities that present critical information
Automated actions - reporting to external systems/modules, creating warrants, updating suspect numbers in phonebooks, etc.
Diverse parameters for an in-depth investigation process - among the parameters which could be incorporated into rules or phonebooks:
a. A or B numbers
b. Location (Switch, Cell, Sector, TA)
c. Handset parameters - IMSI, IMEI, TMSI
d. IP Address/MAC
e. Score (based on various pre-defined parameters/weights)
Interworking capabilities with other modules - both with internal and external modules, there are capabilities of importing or exporting data (e.g. visualization tools)

System Components Overview

Data Input Handler - this component is designated to collect CDR records (in real time) from the probes and place them into the Persistent Queue.
Persistent Queue - this component provides persistent and transactional queue support. The incoming CDRs will be placed into the queue by the Data Input Handler. The CDRs will be withdrawn from the queue by the Real Time Rule Engine. As the queue should support transactions, a CDR will be removed from the queue only after it is fully processed by the Real Time Rule Engine.
Real Time Rule Engine - this component is responsible for withdrawing the CDR records from the queue and running the Real Time Rules for each CDR. After the CDR is processed, it should be recorded in the CDR database.
Alert Processor - this component is responsible for processing alerts generated by the Rule Engines. In the first phase the only alert processing action available will be "call disconnection"; however, the architecture will allow the available actions to be extended easily if required.
Rules Database - this database will contain the configuration of the rules and complementary information, such as black/white lists and others.
CDR Database - this database will contain the CDRs required for rule processing and for calculating the aggregate values necessary for rules.
FDMS Manager - GUI module, for use by the FDMS administrator, for defining FDMS configuration, rules, and corresponding information.
Alerts Monitor - GUI module, intended to present alerts and perform required actions on alerts for the FDMS operator.
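The queue contract described above (a CDR leaves the Persistent Queue only after the Real Time Rule Engine has fully processed it) can be sketched as follows. This is an added example, not the vendor's code: the SQLite schema, field names, retry limit and dead-letter table are assumptions, and the CDRs are constructed.

```python
import json
import sqlite3

MAX_ATTEMPTS = 3  # assumption: after this many failures a CDR is set aside

# Constructed sample CDRs; field names and values are hypothetical.
SAMPLE_CDRS = [
    {"a_number": "1000001", "b_number": "2000001", "cell": "C-17"},
    {"a_number": "1000002", "b_number": "2000002", "cell": "C-04"},
    {"a_number": "1000003", "b_number": "2000003", "cell": "C-17"},
]


def open_store(path=":memory:"):
    """Queue, CDR database, alerts and dead-letter table in one SQLite file."""
    db = sqlite3.connect(path, isolation_level=None)  # we issue BEGIN/COMMIT
    db.executescript("""
        CREATE TABLE IF NOT EXISTS queue (id INTEGER PRIMARY KEY,
            payload TEXT NOT NULL, attempts INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE IF NOT EXISTS cdr (id INTEGER PRIMARY KEY, payload TEXT NOT NULL);
        CREATE TABLE IF NOT EXISTS alerts (cdr_id INTEGER, rule TEXT, action TEXT);
        CREATE TABLE IF NOT EXISTS dead_letter (id INTEGER, payload TEXT, error TEXT);
    """)
    return db


def enqueue(db, cdr):
    """Data Input Handler: store an incoming CDR durably before acknowledging it."""
    db.execute("INSERT INTO queue (payload) VALUES (?)", (json.dumps(cdr),))


def process_next(db, rules):
    """Real Time Rule Engine step: returns (status, queue_id) or None if empty.

    Alerts, the CDR-database write and the queue delete commit together, so a
    crash in any rule leaves the CDR in the queue with no partial side effects.
    """
    db.execute("BEGIN IMMEDIATE")
    row = db.execute("SELECT id, payload FROM queue ORDER BY id LIMIT 1").fetchone()
    if row is None:
        db.execute("COMMIT")
        return None
    qid, payload = row
    try:
        cdr = json.loads(payload)
        for name, predicate, action in rules:
            if predicate(cdr):
                db.execute("INSERT INTO alerts VALUES (?, ?, ?)", (qid, name, action))
        db.execute("INSERT INTO cdr (id, payload) VALUES (?, ?)", (qid, payload))
        db.execute("DELETE FROM queue WHERE id = ?", (qid,))
        db.execute("COMMIT")
        return ("done", qid)
    except Exception as exc:
        db.execute("ROLLBACK")
        return (_record_failure(db, qid, payload, repr(exc)), qid)


def _record_failure(db, qid, payload, error):
    """Count the failed attempt; park a poison record so it cannot block the queue."""
    db.execute("BEGIN IMMEDIATE")
    db.execute("UPDATE queue SET attempts = attempts + 1 WHERE id = ?", (qid,))
    (attempts,) = db.execute("SELECT attempts FROM queue WHERE id = ?", (qid,)).fetchone()
    status = "retry"
    if attempts >= MAX_ATTEMPTS:
        db.execute("INSERT INTO dead_letter VALUES (?, ?, ?)", (qid, payload, error))
        db.execute("DELETE FROM queue WHERE id = ?", (qid,))
        status = "dead"
    db.execute("COMMIT")
    return status


def counts(db):
    """Row counts per table, for checking the invariants."""
    return {t: db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("queue", "cdr", "alerts", "dead_letter")}


def blacklist_rule(numbers):
    """Rule tuple (name, predicate, action) matching the A number against a list."""
    return ("blacklist", lambda cdr: cdr["a_number"] in numbers, "call disconnection")


if __name__ == "__main__":
    db = open_store()
    for record in SAMPLE_CDRS:
        enqueue(db, record)
    rules = [blacklist_rule({"1000001", "1000003"})]
    while process_next(db, rules) is not None:
        pass
    print(counts(db))
```

Because the failure counter is updated in its own transaction after the rollback, a record that always crashes the rules is moved aside after three attempts instead of blocking every CDR behind it.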

Access control and users management


Each organization has its own corporate strategy, which is based on its goals, activities, operation methods and regulation approach. However, IRMP (Intelligence Rules Management Platform) is equipped with a sophisticated user management module, enabling the system administrator to define various investigator classifications, categorize users into groups, control the operation and produce audit trails. For a smooth and efficient deployment, besides the training and OJT (on-the-job training), the following information is required:

Organizational structure
Roles and Responsibilities
Relevant functions and their interface to the system
Investigation procedures & flow
External information sources

7.2 Location Tracking for Intelligence

Massive & Robust Passive Location Tracking


When the probes are deployed over the mobile networks, they naturally produce Location Data Records (LDRs). The records come over the links for every session generated by the user (voice call, SMS, MMS, web surfing) or by the network, as well as for network keep-alive messages. This is a unique passive and non-intrusive SS7 solution for robust location information services, generating massive location positioning for the entire network. The platform is a unified, centralized solution which non-intrusively collects the locations of 100% of the subscribers. The advantage of this solution is the ability to provide the information for the entire subscriber base in real time. Thus, applications such as the intelligence gathering platform do not need to query the information for each subscriber individually, which would consume system resources and time. This in turn saves the operator a large amount of resources and money. No other alternative in the industry can compete with such a massive passive location fixing method, making the lowest cost per fix possible.

Figure 6: Intelligence Location Data Records Extraction

Active Location tracking for intelligence


Intelligence is based on real-time information sources which lead to the discovery of crimes and terrorist activity plots. One of the most important inputs which reveals the suspects' behavior is their location. As part of its intelligence portfolio, produces the source of location tracking using its Location Based Services (LBS) platform. provides active network query GMLC & SMLC solutions as well as passive probing-based solutions.

Figure 7: Example of detection of a group meeting to plot a crime

Various positioning methods may be used, such as:
Cell ID/Sector (cell/sector size)
Enhanced Cell ID (~600m)
Assisted GPS (street corner accuracy)

Some networks may provide the triangle location measurement, which can be one of the positioning methods of the solution and can easily be activated. The following drawing depicts the basic cell measurements which are provided by most of the networks.

Figure 8: Cell & sector & Time Advance location

Extensive real-time location information systems for cellular networks provide resolutions ranging from Cell ID/Sector with Time Advance correction up to Assisted GPS precise location. The main location determination technologies include passive signaling monitoring (A-Interface, A-bis, IS-634, IOS, NOIS, and others), Assisted GPS, active GMLC/SMLC MPC network interrogation, and passive-active hybrid systems. Networks served include GSM, GPRS, UMTS, CDMA, CDMA 2000 1X-RTT, CDMA 2000 1X-EVDO.

GMLC - Location via Cell/Sector-ID

The Cell/Sector-ID & Time Advance location module (GMLC) is an infrastructure which provides location applications, through an open API, with real-time information regarding the subscriber location. The information includes Cell ID, Sector ID and Time Advance, as well as translated latitude & longitude mapping coordinates. This information can then be used in many different applications requiring location information. The module is used to support both A-GPS and non-A-GPS capable handsets. The GMLC is based on proven SS7 signaling stack communication. has developed a robust Telco-grade active positioning solution.

How has location been used by intelligence bodies?

How the Intelligence platform allows the activation of the active location GMLC & SMLC: the following diagram depicts the activation on the location platform.

Figure 9: Active location for Intelligence

Visual Links Mapping

The analysis solution is based on stored, accumulated CDRs coming from the different interception systems and other sources. The software analyzes this information in order to infer links between the various entities. The system interfaces with the MC central database containing CDRs, IPDRs and LDRs, loads them into its central intelligence database, and provides analysis tools for analysts to process them. In addition to the CDRs, IPDRs and LDRs, structured and unstructured data can be loaded into the system by the analysts in order to take part in the analysis process. At later phases the same system can be expanded to interface with various governmental databases and to access their information, correlate it with the system information and provide a much more comprehensive and holistic intelligence capability.

Turning information into intelligence


Communications data becomes effective intelligence when it can be used to expose, analyze and understand criminal and terrorist (hostile) networks. By "understanding" we mean full comprehension of who is involved, how they operate, what are the trends and changes and other pertinent questions. The Analysis application exposes, analyzes and monitors hostile networks in a short amount of time even from massive amounts of data records, and then reports and displays them visually. On the one hand, the system can expose a network hidden in millions of records and on the other hand allows an analyst to view individual records relevant to the analysis.

Figure 10: Correlating location with analysis results

The Analysis application enables law enforcement and intelligence agencies to achieve more effective analysis in a shorter time and with fewer resources. The Analysis application is capable of using data from virtually any interception, billing or other system. There is no need to change how the data is collected. Data types may include CDRs, emails, SMS messages, internet sessions and more. The data is automatically canonized into a standard format, regardless of its origin. The Analysis application includes a built-in investigator's desktop which provides investigating teams the next generation solution to store, collate, analyze and report any type of information used in their investigations.

Figure 11: Examples of the Analysis application & Analysis Results

Functional Capabilities
The Analyst's main functions are:

Acquiring structured and/or unstructured information, manually or automatically, from different sources such as Internet web pages, files, emails, external databases (for structured data), and particularly CDRs.
Easy storage of any type of information: documents, photographs, videos, recordings, web pages, applications, and any other digital information.
Each piece of information can be assigned to multiple contexts (such as different investigations). Editing information in one context updates the information in all contexts.
Acquired data is stored in the system's central repository, and automatic indexing is performed to allow instant and sophisticated free-text search.
Instant access to structured and unstructured data stored in the central Intelligence Warehouse.
Built-in modeling subsystem enables analysts to define relationships, constructing models. These models are used, once defined, by all users to construct the relations maps (networks) and to infer hidden links between involved entities.
Keywords management facility is used to categorize pieces of information into different areas of interest. These keywords are utilized, once defined, to search information selectively and to associate several pieces of information with the same area of interest.
A built-in free-text search engine retrieves information from the Intelligence Warehouse with easy-to-use, sophisticated search criteria.
Textual descriptions of non-textual information (photographs, recordings, etc.) facilitate their quick retrieval.
Data retrieval of historical information for post-mortem and ad-hoc analysis capabilities.
Presentation and editing of links among pieces of information using visual context maps.
Visual styling of each piece of information allows the user to see the big picture at a glance.
Pieces of information can be opened and viewed directly from the context maps by double-click.
Generate and distribute periodic reports based on the organization's intelligence distribution methodology.
Automatic link analysis produces new relations maps to discover hidden relationships and hostile networks.
Automatically integrate structured and non-structured data into new contexts.
Use a variety of algorithms (Analysis Models), each of which provides the analysts with a new context-based relations map from a different point of view.
Access to information is managed by granting users user rights and access privileges.
Maintenance utilities such as backup and restore of information, data integrity verification, user management including definition of compartmentalization and information security management aspects, etc.

General description
Customers are using the Analysis application to infer intelligence from information that exists in various systems and databases, and use it to conduct complex investigations and to expose, track and manage hostile networks and tackle terrorism and crime activities. The Analysis application software suite is a state-of-the-art intelligence platform that assists investigators and analysts in conducting complex investigations and in revealing hidden relations between entities and networks.

The system's main features include:

Sophisticated link analysis
Advanced network analysis
On-the-fly analysis of mass quantities of data (billions of records)
Visualization of information in interactive context maps
Central repository connected to various databases
Information sharing for better teamwork capabilities
Storage of all types of data
Importing, exporting and maintaining information from other databases
Dissemination of investigation results to selected destinations and organizational functions
Built-in compartmentalization and information security management

Visualization
The results of the analysis are presented as visual maps (charts) that enhance the user's understanding and ability to infer additional insights. The maps are completely interactive. Behind each element (information resource) and link on the map lie additional metadata, information content, explanations, hyperlinks, database queries and more. The users may add other types of information as needed in an ongoing investigation. Visual mapping complements and completes the capabilities of spoken language to create and communicate knowledge. It promotes an understanding of relationships that formal textual or verbal phrasing is not generally capable of inducing. The following example is a map of the results of analysis:

Figure 12: map of the results of analysis

Multi Contextual Analysis


An analysis of a network will typically include many different contexts such as communications, financial, criminal activity, business relationships, etc. It may also include additional information which has been manually organized in context maps. The system is capable of merging these multiple contexts together into one overall picture called a multi-contextual star. This synthesis can include some or all of the contexts and relevant links in those contexts. This process is executed automatically after the user chooses criteria of what information to include in the analysis.

Interception and Targeting

Even though intelligence does not call for interception, proposes that, in parallel to the intelligence information gathering, selective targeting can be provisioned on the probes (either TDM or IP probes). Hence, on the same probe deployments, the intelligence system will allow the provisioning of targets in real time across the networks. The advantage of this function is that, in extreme conditions, it gives the intelligence bodies the capability to set a target immediately, either manually by the intelligence analyst or automatically by the intelligence system, without the need to interact with the network operators. The interception module is provided as an option to the intelligence system.

TDM Interception

The TDM probes are placed on the links carried between MSC and BSC, or on the Gb interface for GPRS, or between the international ILD links, etc. The initial role of the probes is to collect, analyze and extract the meaningful information from the signaling links; for this purpose the probes are placed over the signaling links. In order to capture the content information (voice), the probes also need to be placed on the voice A-Interface links (e.g. E1, STM1), which requires additional hardware on the same probes. The probes are capable of recording a certain number of concurrent calls, depending on the hardware installed.

The following drawing depicts the two scenarios. The first is signaling probing to produce the meta-data CDRs and LDRs.

Figure 13: Signaling Monitoring for CDRs LDRs extraction

The second is additional voice link probing for intercepting targets' calls.

Figure 14: Signaling & Voice links monitoring (CDRs LDRs & Voice)

IP Interception

The IP probes are placed on the IP data links at the ISP and major PoPs, or at any other data service provider. The initial role of the probes is to collect, analyze and extract the meaningful information in order to generate the IPDRs. Since the probe can see the content, it is just a matter of assigning targets on the probe itself, and the content of the provisioned targets will be recorded at the intelligence platform.

Figure 15: IP network Signaling & Content monitoring (IPDRs & Content)

10 Cellular Extractor and Selective Jammer


In the preface of this document the BTS Cellular extractor - selective jammer direction finder platform was mentioned as one of the modules which the intelligence platform can activate. It brings the following capabilities to the entire solution:

GSM Cellular IMSI & IMEI extractor
GSM Cellular phones service blocking
GSM Cellular phones location finder, which can feed the locations of the customers to the intelligence system

GSM Cellular IMSI & IMEI extractor

How does it work? It maps all nearby network BTSs, while the BTS pretends to be a real network BTS (spoofing) with all relevant parameters (frequency, network ID, etc.). The IMEI/IMSI are extracted for phones trying to register (if a DB of IMSI/IMEI is available, owners can be identified as well), and the distance from the BTS is extracted for all phones. The IMEI/IMSI and location information is one of the tactical field sources to the system.

Figure 16: BTS Extracting IMSI/IMEI/TA

Figure 17: BTS triangle location tracking

For example, while events such as the Olympic Games are running, the Cellular Extractor BTSs are placed in the geographical area in such a way that they cover the entire region and extract the IMSI/IMEI and location of all mobiles. The intelligence system may have a rule that if a known suspect enters the geographical region of the games, the Cellular Extractor delivers this valuable information to the center, which activates the relevant rule and alerts the officials with high severity. As an automatic action, the intelligence system will instruct the Cellular Extractor to operate its selective jamming deactivation module (Selective Jammer) and to block the specific customer.

Figure 18: BTS black/white list creation

How Does It Work? The selective jammer loads its DB with IMSI/IMEI. Emulating nearby networks, the selective jammer blocks the blacklisted users' communication so they cannot make or receive a call. It jams only unauthorized phones and supports white and black lists (IMSI, IMEI, and MSISDN). It works for GSM (2, 2.5 networks, triple band).

White-listed handsets get service from the real network's cells (for both incoming and outgoing calls)
Any handset which is not included in the white list is hooked to the BTS, which means:
Outgoing calls receive no service
Incoming calls get a "subscriber unavailable" message

Figure 19: Service for White Listed Phones

Figure 20: DoS for All Other Phones

Another option is that the system does not block the service of the customer but tracks his position continuously until the law enforcement official decides to capture him live.

Figure 21: Activation of BTS

The above drawing depicts the activation of the BTS platform.

11 Internet Denial of Service (DoS) Service blocking


The intelligence system allows the blocking of services from customers by interfacing with an IP service blocker, and automatically blocks the suspected internet users.

Figure 22: DoS for IP users

12 Umbrella Solution for LIS systems (phase-2)

The proposed intelligence platform basically employs a new set of passive probes that will non-intrusively connect to the communication links and extract the meta-data, i.e. call data records and location data records, as well as IPDRs from the IP domain. It is possible that the probes will perform targeted interception as well, which will require an additional connection to the content links, i.e. the E1 carrying voice on the mobile network. But the concept is to utilize the current lawful interception systems which are already deployed in most of the networks. The platform will manage the current ETSI delivery system in parallel to the current management of the system and allow the provisioning of new targets remotely, with or without the intervention of the operators. For that purpose, in the second phase, proposes to build an umbrella management solution for controlling these systems.

The Challenge
Electronic surveillance of telecommunications services has become an important and accepted method of law enforcement agencies (LEAs) and government bodies in their fight against crime and terrorism. Today most fixed and mobile network operators and telecommunication service providers have installed systems to enable lawful interception (LI) for the various voice and data services they offer to their customers. Comprehensive national laws are established that enable LEAs to engage communications service providers (CSPs), who arrange electronic surveillance for certain individuals (also referred to as targets). Practice, however, shows that the number of different networks, services, and interception systems, together with the increasing number of interception decisions (ICDs), raises considerable challenges for LEAs and monitoring centers. In fact, the complexity of lawful interception in such a heterogeneous and dispersed LI environment inevitably leads to errors and delays during the activation of LI decisions or with the collection of interception data. Furthermore, authorities require immediate oversight of all active ICDs to facilitate analysis and statistics of the nationwide LI activity.

Umbrella Systems

has addressed these needs and challenges by the development of an umbrella management system that is capable of interconnecting with various other LI management systems via an automated HI1 interface (see also ETSI TS 101 671 for a definition of the HI1-HI3 interfaces). As shown in figure 1, the umbrella LIMS is a single interface and management platform for all monitoring centers. ICDs entered at the umbrella system are provisioned to the various operator LI systems. The delivery of communications content (CC) is made directly between the mediation devices or interception access points of the operator's network and the collection devices of the monitoring center. Intercept related information (IRI) is first handed over to one mediation device per service provider, which is part of the umbrella system. This guarantees that all IRI is logged, tagged and delivered to the appropriate monitoring center in a standardized format that enables the MC to correlate CC and IRI with the original ICD.

Figure 23: Architecture of Umbrella Solution

As shown in the diagram the LI systems of the providers maintain an important role in the network as they connect to the proprietary interfaces of the various network elements and incorporate the mediation and delivery function for each type of service.

The use of an umbrella system has various advantages for administrative bodies:

Immediate access - ICDs can be activated instantly and provisioned automatically on one or many operator networks. There is no delay caused by paper fax or manual configuration on several systems.
Central Database - The central storage and maintenance of all ICDs enables full control over all active interception requests. It facilitates security audits and consistency checks, and allows detailed statistics and instant failure recognition.
Transparency - Administration and delivery channels are separated between the connected service provider systems. Thus personnel at the operator's network have no insight into any details of interception decisions in other networks.
No performance loss - Although the administration function is centralized, the delivery of intercept data is done directly from the distributed mediation devices (DF2) and network elements to the monitoring center.
Reliability - The central management of all LI systems enhances the reliability of the entire LI network. System failures can be detected automatically by alarm messages, so that operators can immediately take appropriate action or require the administrator of the faulty network to analyze the problem locally. To further enhance the availability of the system, a redundant management server can be operated in hot-standby mode. If local failure recovery fails, the system can seamlessly switch to the standby server. The automation of the provisioning process further reduces the risk of human failures.
Cost reduction - Automation of the provisioning interfaces (HI1) leads to an acceleration of processes and thus reduces the costs of operation for both the LEA and the service provider.
Extensibility - The modular architecture of the umbrella system provides a solid basis for future extensions of the LI system. In fact there is virtually no limit to the number of client systems connected to the umbrella LIMS. Likewise, the maximum number of interception targets and the range of supported communication services are scalable by adding new mediation devices. Furthermore, LIMS includes a fine-grained rights management system that enables access for multiple local or remote operators. For instance, it would be possible to have multiple LEAs operating on the same umbrella LIMS while maintaining individual security profiles for each LEA.

The following diagram depicts the Umbrella solution activation from the intelligence platform.

Figure 24: Umbrella Solution activation


13 Field Laptop

Extracting Information from the intelligence system on the Field


enables the use of a laptop in the field that can be connected by cellular modem via one of the mobile networks. As the information is top-classified, the communication shall use the appropriate security methods. Through the communication with the intelligence system, the field forces can see the mobile users' activities and can even instruct the intelligence system to perform interception if required.

The following diagram depicts the concept:


Figure 25: Field LAPTOP


14 Platform Hardware & Software Specifications

Solution Considerations for Achieving Comprehensive Intelligence


Regardless of the specific geographic location, the prevailing regulatory environment in your region is likely to include provisions so that lawful interception operations can be performed when requested by an authority. The following list highlights the capabilities of a lawful interception solution that are most relevant to regulatory mandates and legislative requirements.

Comprehensive interception capabilities: The intelligence solution must be able to intercept all applicable communications of the entire targets and certain targets without any gaps in coverage.

Reliability and integrity: The intelligence solution should ensure delivery of precise and accurate results with the highest levels of data integrity. The intelligence solution must be as reliable as the service to be monitored and intercepted.

Separation of content: Intercepted communications data should be divisible into individual components; for example, the metadata included in the Interception Related Information (IRI) should be separable from the Communication Content (CC) if targeting is operated on the system.

Transparent surveillance: The monitoring activities performed by the solution must not be detectable by the subscriber and should be non-intrusive to the monitored links.

Immediate activation and real-time responsiveness: Following a request for intelligence analysts, a solution must be able to be immediately activated and provide real-time response in delivering intercepted data.

Sufficient capacity: The solution must have adequate capacity to handle the scope and scale of requested surveillance activities.

Data security and privacy: Sensitive data must be protected during transmission and the privacy of an individual's records and personal


Technical Specifications
Hardware

Intelligence Platform runs on industry-standard servers. Customers can choose from single-server configurations for small networks up to multi-server clusters for large networks with tens of millions of extracted telecom records, millions of subscribers and thousands of intercept targets.

State-of-the-Art Interception System

After over 11 years of experience and continuous improvement, the LIMS & Intelligence systems have matured from a surveillance system for mobile networks to a complete interception suite for various kinds of networks and services. Today offers the most comprehensive list of complex LIMS deployments and probe-based installations for intelligence gathering, supporting any wireless and wireline network and multiple services, including telephony, fax, SMS, MMS, Push-to-Talk, Internet access, e-mail, VoIP and other IP-based services and, most important, location of subscribers. In its entire software and hardware architecture the solution has been designed as a carrier-grade system that meets the highest security, reliability and performance criteria.

Standards Compliance

platform is designed to comply with national and international lawful interception standards developed by ETSI, 3GPP and others.

Modular and Scalable Architecture

While the system is designed for large-scale networks with millions of subscribers, the intelligence platform can easily be adapted to provide an economically feasible solution for networks with only a few thousand users. In fact, the modular software architecture enables operators to extend the system as the demand for lawful interception increases and/or their subscriber base grows. Performance-critical tasks and processes can be migrated to dedicated servers to increase the overall system capacity and throughput. The underlying hardware platform is based on a probing system and ETSI delivery active elements with sufficient performance reserves for all current and future network sizes. The architecture of the solution is designed to meet the network's day-1 monitored links using the probes, which support a modular concept. In addition, as the developer and the manufacturer of probes (TDM, IP, Mobile - 2G, 2.5G, 3G, UMTS, and CDMA) frequently adapts its set of supported protocols to market changes and new technologies.

Cost-Efficiency

The platform is a centralized system that serves all intelligence and LI-related tasks of multiple geographically separated intelligence entities and multiple intelligence bodies on a heterogeneous service network. By using one single point of access, the users of the system can reduce their administration costs by simplifying the communication with LEAs and by reducing the effort for the provisioning of the probing infrastructure on the widely spread network. Users can initiate, modify or delete any monitoring and query requests on the entire network and on various levels of the system in a matter of minutes with the easy-to-use management system. Once installed in the network, the monitoring platform is almost maintenance-free.


15 Probes

15.1 TDM ATM PROBE


The TDM interception covers any type of traditional TDM protocol, such as ISUP, PRI, R2 and ATM.

TDM Probe
Signaling E1, DS3 and STM1 TDM Probes collect data directly from the signaling links of circuit-switched and packet-switched networks. Since the probes monitor the data traffic non-intrusively, switch performance is not affected. The Monitoring solution can process 1000's of passive messages per second.

The SSP analyzes the data, generates statistics, stores the results, and conducts real-time triggering, trapping, and filtering for each link. Each probe can generate raw call/transaction/SMS detail records (xDRs) in conjunction with full surveillance monitoring. SSP is a flexible system that allows multiple configurations of its chassis form factor with power supply redundancy and 1, 4, or 7 slots for card line connection, which can support up to 646 signaling channels per shelf.

In-band and out-of-band signaling will be monitored for detecting the in-band traffic. In most cases it will be known in advance what signaling comes on a specific ingress link. In that case the link's signaling will be configured as defined in the warrant. In other scenarios, where a link's signaling needs to be analyzed, it will be manually directed to an analysis application that tries to identify the protocol. After identification of the protocol, its signaling type will be updated and the link will be available for monitoring.

FE Signaling Probe analyzes signaling data, generates statistics, stores the results, and conducts real-time triggering, trapping, and filtering for each link. Each probe can generate raw call/transaction/SMS detail records (xDRs) in conjunction with full surveillance monitoring. The probe is a flexible system that allows multiple configurations of its chassis form factor with power supply redundancy and 1 to 18 slots for card line connection, which can support up to 288 TDM signaling channels per shelf (see CC-Probe connectivity chart) and up to a speed of 1 gigabyte per monitoring card.


Since the number of E1s is 4, a 4U chassis will be deployed.

Figure 26 Hexa E1/T1 Compact PCI Telecommunication Adapter

The Hexa E1/T1 Telecom Adapter card is a stand-alone Compact PCI card designed for operations over up to 16 E1/T1 interfaces connectable to ISDN PRIs, CAS/RBS trunks, V5 links and SS7 links. This card is ideally suited for both PSTN and IP telephony systems handling large volumes of voice circuits for protocol processing or for transfer to the H.110 bus, the PCI bus or Ethernet. Application examples include SS7 network elements, wireless infrastructure equipment, media and signaling gateways, and telecom switching and routing equipment. It is fully compliant with PICMG 2.16 (Packet Switching Backplane) specification. The card operates as a fully programmable communications subsystem capable of infrachassis communication using the cPCI bus.

TDM Probe Supported protocols:

ISDN
  Q.931 (1988) PRI

MTP2 supports: Reliable transfer of signaling messages over signaling links for:
  ITU-T
  ANSI
  TTC (Japan)
  NTT (Japan)
  China
  Other variants

Bellcore
  TR-TSY-000271 Issue 1, Rev. 4, 1990
  TR-NWT-000246 Issue 2, 1991

ANSI SS7 GR-246 Issue 2
  MTP T1.111
  SCCP T1.112
  ISUP T1.113
  TCAP T1.114

AIN Release 0.1
  TR-NWT-001299 Issue 1, 11/92

TIA-EIA
  IS-41B
  IS-41C
  IS-634B
  WIN

ITU-T SS7 White-Book CD 12/97
  TCAP Q.773 03/93
  ISUP Q.763 03/93
  TUP Q.723 Extract from Blue Book Fascicle VI.8 (1988)
  SCCP Q.713 07/96
  MTP3 Q.707 Extract from Blue Book Fascicle VI.8 (1988)
  MTP3 Q.704 07/96
  MTP2 Q.703 07/96
  INAP Q.1218 10/95

INAP supports: Capability Set 1 (CS1), as defined by the ITU, ETSI, and the Generic Requirement (GR) Standards of the Bellcore Advanced Intelligent Network (AIN)

ISUP variants
  Telcordia (formerly Bellcore)
  Singapore
  Q.767
  ETSI
  FTZ
  Russia
  India
  Italy
  NTT (Japan)
  Israel
  Other variants

Brazilian TUP
Chinese TUP

ETSI GSM
  Abis 08.58 Version 3.5.0
  MAP 09.02 Version 7.1.0
  BSSAP 08.06 Version 8.0.0
  BSSMAP 08.08 Version 8.5.0
  DTAP 04.08 Version 7.8

GSM A-Interface G-b
CDMA A-Interface NOIS 1XRTT (IOS)
GPRS Gb Gr Gp
UMTS Iu-PS Iu-CS Iu-r
MTP2, MTP3, SCCP, DTAP BSSMAP, MAP (HLR-VLR), TCAP Over E1, Frame Relay, IP


Q.2140 Supports convergence functions necessary to map the SS7 MTP Level 3 protocol to the ATM Q.SAAL protocol: ITU-T Q.2140: B-ISDN ATM Adaptation Layer - SSCF at NNI and Q.2110: B-ISDN ATM Adaptation Layer - SSCOP

NOM-112 NOM-112-SCT (1995)

V5.2 ETS 300 347-1 (1994)

Supported In-Band Protocols

N5 based on ITU-T Q.140-Q.145, Q.151R2 C5 Q156 MFR R2 MFR R1.5 CAS Alcatel CAS TRS JD7STHAA DTMF

Signaling Link Interfaces

LPC EIA-232, V.35, EIA-530, RS-449
E1 and T1
HSSL - ATM/FR/FE/GE
ATM:
  UNI-E1/T1 AF-PHY-64.000 (I.432)
  IMA-E1/T1 (Up to 8xE1/T1) AF-PHY-0086.001
  E3/DS3
  STM1-1/OC3
FR: HDLC
FE: 10/100Base-T
GE: Giga Ethernet IF
HSSI


15.2 IP PROBE

Overview


The IP 1GigE and 10GigE probes are designed and built in a modular architecture. The probe comprises a standard ATCA/MicroTCA carrier-grade chassis, equipped with IP Probe Cards. Each card is composed of a highly integrated system-on-chip (SoC) platform that includes a PowerPC core. This flexible and powerful architecture provides the ability to monitor, filter, analyze and capture IP sessions from lower layers (Ethernet, MPLS, VLAN, etc.) all the way to the application layers (E-mail, Web, VoIP, Video, Chat, etc.), at a wire speed rate of up to 10Gbps and beyond.

15.3 MODE OF OPERATION

IP Probe is passively attached to the IP network which is being monitored, either directly from the splitter, or through Ethernet outputs of the Interceptor unit (which is in charge of converting POS traffic to Ethernet). The passive attachment ensures that no additional load on the network is created due to monitoring requirements, so no additional network resources are required.

Packets extracted by the IP probe undergo an inspection process that determines whether to process them into sessions or transactions, or to discard them at the probe level. The packet inspection is performed by a hierarchical process. In the first stage the IP Probe Card filters IP sessions based on the following targeting identifiers: MAC Address, VLAN ID, MPLS tag, etc. and combinations of IP addresses and Transport Layer protocol ports (such as TCP or UDP). Traffic targeted by those identifiers is forwarded directly to the Mediation sub-system (Server) for further processing. The traffic that requires application layer targeting (like a specific string search within an e-mail or a web page) is passed to the main processor for deep packet inspection (DPI). This layered filtering approach keeps packets flowing at wire speed while allowing DPI when application level analysis is required.

The following diagram illustrates this process:

[Flowchart. Boxes: Lower Layers Based Filtering; App Targeting Required? (Yes / No); Application Specific Data Processing; Content Targeting Required? (Yes / No); DPI Processing and Keyword Search; Aggregation and Mediation]


15.4 TECHNICAL SPECIFICATIONS

15.4.1 KEY FEATURES

Wire speed network surveillance
Flexibility to filter, analyze and capture IP sessions from lower layers all the way to the application layers
Protocol and keyword based interception rules
Stream buffer for complete session interception
Intelligent data reduction at interception point
Seamless integration in any infrastructures, e.g. CALEA, ETSI
Comprehensive network statistics
Classify sessions in wire speed up to 10Gbps and beyond with no packet loss
Powerful content related search
Detection of obfuscated and encrypted protocols such as Skype, BitTorrent, VPN and SSL
Session interception based on:
  Protocol-specific keywords, e.g. e-mail addresses, IM user names, SIP phone numbers
  Arbitrary payload keywords
  IP addresses, port numbers and ranges
  Radius related properties such as subscriber names
Comprehensive VoIP support: H.323, SIP, IAX
Signaling and RTP correlation
Filtering, analyzing and capturing sessions
Generation of CDR and IPDR
Support of the following protocol-specific encodings:
  On-the-fly decompression of HTTP compressed (GZIP) messages
  On-the-fly MIME Base64 decoding of e-mail attachments
Integrated stream buffer, ensuring accurate and complete traffic capture at wire speed with zero packet loss
Up to 5 million packets per second
Up to 50 million concurrent sessions
Up to 4 million new sessions per second
Up to 500,000 concurrent target rules
Up to 100,000 concurrent keywords


15.4.2 INTERCEPTION CRITERIA

The table below provides a partial list of interception criteria available for the IP probe:

| Interception Criteria | Layer | Decodable Protocol Name | RFC/ITU Standard |
|---|---|---|---|
| MAC Address | 2 | Ethernet | IEEE 802.3 |
| VLAN ID | 2.5 | Virtual LAN | IEEE 802.1Q |
| MPLS Tag | 2.5 | MPLS | |
| VPI | 2 | ATM | |
| VCI | 2 | ATM | |
| DLCI | 2 | Frame Relay | |
| IP Address | 3 | IPv4 | |
| IP Address Range | 3 | IPv4 | |
| IP Address | 3 | IPv6 | |
| IP Address Range | 3 | IPv6 | |
| TCP Port | 4 | TCP | |
| UDP Port | 4 | UDP | |
| SCTP Port | 4 | SCTP | |
| E-mail From Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail To Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail CC Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail BCC Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Subject | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Reply To Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Size | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail MsgID | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Date | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Received | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail ReturnPath | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Comment | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail ContentType | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Content | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail File | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Action | 7 | SMTP, POP, IMAP, NNTP | |
| User | 7 | POP, NNTP | |
| Pass | 7 | POP, NNTP | |
| SecureAuth | 7 | POP | |
| MsgNum | 7 | POP | |
| Client | 7 | SMTP | |
| Auth | 7 | SMTP | |
| Server | 7 | SMTP | |
| Action | 7 | HTTP | |
| RqVersion | 7 | HTTP | |
| URI | 7 | HTTP | |
| Host | 7 | HTTP | |
| Cookie | 7 | HTTP | |
| RsVersion | 7 | HTTP | |
| Status | 7 | HTTP | |
| Description | 7 | HTTP | |
| ContentType | 7 | HTTP | |
| Content | 7 | HTTP | |
| Date | 7 | HTTP | |
| Referer | 7 | HTTP | |
| URL | 7 | HTTP | |
| PostCount | 7 | HTTP | |
| UserName | 7 | RADIUS | |
| UserPassword | 7 | RADIUS | |
| NasIpAddress | 7 | RADIUS | |
| NasPort | 7 | RADIUS | |
| ServiceType | 7 | RADIUS | |
| FramedProtocol | 7 | RADIUS | |
| FramedIpAddress | 7 | RADIUS | |
| FramedIpNetmask | 7 | RADIUS | |
| FramedRouting | 7 | RADIUS | |
| LoginIpHost | 7 | RADIUS | |
| LoginService | 7 | RADIUS | |
| LoginTcpPort | 7 | RADIUS | |
| State | 7 | RADIUS | |
| Class | 7 | RADIUS | |
| TerminationAction | 7 | RADIUS | |
| CalledStationId | 7 | RADIUS | |
| CallingStationId | 7 | RADIUS | |
| NasIdentifier | 7 | RADIUS | |
| ProxyState | 7 | RADIUS | |
| LoginLatService | 7 | RADIUS | |
| LoginLatNode | 7 | RADIUS | |
| LoginLatGroup | 7 | RADIUS | |
| NasPortType | 7 | RADIUS | |
| LoginLatPort | 7 | RADIUS | |
| ResultCode | 7 | RADIUS | |
| CallId | 7 | SIP | |
| ResponseCode | 7 | SIP | |
| To | 7 | SIP | |
| From | 7 | SIP | |
| Contact | 7 | SIP | |
| SrcAudioPort | 7 | SIP | |
| SrcVideoPort | 7 | SIP | |
| DstAudioPort | 7 | SIP | |
| DstVideoPort | 7 | SIP | |
| SrcAudioConnection | 7 | SIP | |
| DstAudioConnection | 7 | SIP | |
| SrcVideoConnection | 7 | SIP | |
| DstVideoConnection | 7 | SIP | |
| Action | 7 | SIP | |
| Sequence | 7 | RTP | |
| Timestamp | 7 | RTP | |
| SSRC | 7 | RTP | |
| MediaType | 7 | RTP | |
| Action | 7 | MSN | |
| User | 7 | MSN | |
| Incoming | 7 | MSN | |
| Outgoing | 7 | MSN | |
| Contact | 7 | MSN | |
| File | 7 | MSN | |
| FilesCount | 7 | MSN | |
| Size | 7 | MSN | |
| Command | 7 | MSN | |
| Content | 7 | MSN | |
| Type | 7 | MSN | |
| Info | 7 | MSN | |
| To | 7 | MSN | |
| From | 7 | MSN | |
| User | 7 | MSN, FTP | |
| File | 7 | MSN, FTP | |
| FileLength | 7 | MSN, FTP | |
| ValidComplete | 7 | MSN, FTP | |
| Action | 7 | MSN, FTP | |

This list is continuously updated as new interception criteria are made available.


15.4.3 CAPACITY PARAMETERS

The table below provides capacity related parameters of the IP probe:

| Module | Input Streams | Input Traffic Capacity | Input Connector Type & Modes | Probe Output Traffic Capacity | Total Chassis Output Traffic Capacity | Output Connector Type & Modes | Management Communication |
|---|---|---|---|---|---|---|---|
| SEP-GigE | GigE Ethernet SFP | 2 x GigE | Copper/Optical Single Mode | 1 x GigE | 1 x GigE x max 10 modules | SFP Copper/Optical | 1 x GigE |
| SEP-10 GigE (one into ten) * | 10GigE Ethernet XFP | 2 x 10GigE | Optical LC Single Mode | 10G | 10G | Optical XFP | 10G |
| SEP-10 GigE (June 2010 roadmap 1 into 1) | 10GigE Ethernet XFP | 2 x 10GigE | Optical LC Single Mode | 10G | 10G | Optical XFP | 10G |

Thank you
