-
7/31/2019 Intelligence Platform and Strategic Monitoring- 05-2012
1/78
Intelligence Platform
Information Extraction for Action-able Intelligence
Steps towards deployment
All rights Reserved
Intelligence platform and strategic monitoring 06-Feb-1010 v1.0.doc
Accuracy
Every effort has been made to ensure the accuracy of the features and techniques presented in this
publication.
Restricted Rights
You may not reproduce, transmit, transcribe, store in a retrieval system, or translate into any language or
computer language, in any form or by any means, electronic, mechanical, optical, magnetic, photographic,
manual, or otherwise, any part of this publication without the express permission of .
Limitations
This document has the following conditions and restrictions:
This document contains proprietary information belonging to our partner. Such information is supplied solely
for assisting explicitly and properly authorized users. No part of its contents may be used for any other
purpose, disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the
express prior written permission of our partner. No part or parts of this document shall be copied, used for
commercial purposes or passed to any third party for any use, without approval of . The text and graphics are
for the purpose of illustration and reference only. The specifications on which they are based are subject to
change without notice.
Table of Contents
1 INTRODUCTION
2 OBJECTIVES OF THIS DOCUMENT
3 ABSTRACT
4 INTELLIGENCE BODIES CHALLENGES
5 INTRODUCTION TO THE SOLUTION
6 GATHERING PROJECT INFORMATION
6.1 Gathering Information
6.2 Analyzing the collected information
6.3 System Design
6.4 Commercial Proposal
7 SOLUTION DESCRIPTION
7.1 IRMP Intelligence Rules Management Platform
Concept
Features
System Components Overview
Access control and users management
7.2 Location Tracking For Intelligence
8 VISUAL LINKS MAPPING
Functional Capabilities
General description
Visualization
Multi Contextual Analysis
9 INTERCEPTION AND TARGETING
10 CELLULAR EXTRACTOR AND SELECTIVE JAMMER
11 INTERNET DENIAL OF SERVICE (DOS) SERVICE BLOCKING
12 UMBRELLA SOLUTION FOR LIS SYSTEMS (PHASE-2)
13 FIELD LAPTOP
14 PLATFORM HARDWARE & SOFTWARE SPECIFICATIONS
15 PROBES
15.1 TDM ATM Probe
15.2 IP Probe
15.3 Mode of Operation
15.4 Technical Specifications
15.4.1 Key Features
15.4.2 Interception Criteria
15.4.3 Capacity Parameters
Table of Figures
Figure 1: Functional model for lawful interception
Figure 2: Architecture of the LIMS
Figure 3: Intelligence Platform
Figure 4: Rule Builder
Figure 5: Rule Engine Concept
Figure 6: Intelligence Location Data Records Extraction
Figure 7: Example of Detection of group meeting to plot a crime
Figure 8: Cell & sector & Time Advanced location
Figure 9: Active location for Intelligence
Figure 10: Correlating location with analysis results
Figure 11: Examples of the Analysis application & Analysis Results
Figure 12: Map of the results of analysis
Figure 13: Signaling Monitoring for CDRs LDRs extraction
Figure 14: Signaling & Voice links monitoring (CDRs LDRs & Voice)
Figure 15: IP network Signaling & Content monitoring (IPDRs & Content)
Figure 16: BTS Extracting IMSI/IMEI/TA
Figure 17: BTS triangle location tracking
Figure 18: BTS black/white list creation
Figure 19: Service for White Listed Phones
Figure 20: DoS for All Other Phones
Figure 21: Activation of BTS
Figure 22: DoS for IP users
Figure 23: Architecture of Umbrella Solution
Figure 24: Umbrella Solution activation
Figure 25: Field LAPTOP
Figure 26: Hexa E1/T1 Compact PCI Telecommunication Adapter
1 Introduction
is pleased to present intelligence agencies a turnkey solution to provide intelligence
bodies with a comprehensive secure and reliable system to provide effective and
comprehensive electronic intelligence services to the Agencies of the country.
About
develops and markets a wide range of strategic and tactical solutions and products for the
security forces, lawful agencies and intelligence bodies. in-house developed products
monitor the telecommunications networks and generate meaningful sources of
information for intelligence and lawful intercept.
End-to-End Applications
Lawful Interception - A family of LI applications based on passive signaling probing.
Intelligence Solutions - A family of strategic and tactical solutions for intelligence bodies.
Location - An active location tracking system for subscribers, using a combination of active query modules and passive probes.
A-GPS - Precise location tracking for subscribers, using a combination of cellular technology and GPS.
Probes - TDM & IP probes infrastructure.
Anti Fraud - A complete suite of Anti Fraud applications for IP and TDM networks.
Vendor reputation and experience
is backed by the Israel Ministry of Defense and we work with the relevant
security/intelligence and telecom operators locally. In addition, worldwide established
Tier 1 operators such as AT&T, Cable & Wireless, Sprint, Telefonica, Vodafone, Reliance
(among others) have trusted their mission critical needs and projects to us. has offices in
Israel and India.
was established in 1999 by a group of Israeli entrepreneurs. The company is profitable
and quickly made its way to financial independence and fast growth track. As part of the
process we entered relationships with the biggest and most renowned telecom vendors as
channels to our products. Nevertheless always aimed at independence and in the last
years has reinforced its direct sales through the establishment of satellite offices in 2
continents and by enhancing its product line. This approach has proven to increase the
company's ability to market directly, better understand changing market requirements
and eventually improve the company's financial performance.
Thanks to technical superiority and uniqueness of our products we still work with all of
them and continue to sell OEM products.
In the process, passive probes have been utilized to monitor all of Israel's 4 mobile
operators on A-interface level and on other links: Pelephone, MIRS, Cellcom and
Partner/Orange. In some of them replaced incumbents, in most of them a few applications
have been deployed, and are being continually supported, upgraded and scaled up. 3rd
generation technologies have been deployed both on CDMA and GSM networks.
The company has built a reputation for the highest technical skills, innovation, customer
orientation, highest product standards and financial independence. Increasing efforts in
customer care led to increased customer satisfaction and enabled us to cross-sell and up-sell
additional products and capacity to most of our customers.
has widely deployed its solution all over the globe both through its partners and
independently.
Lawful intercept deployment
Lawful interception (LI) solutions are sold in almost every case to government and
security organizations. India is an exception, in which regulation imposes on telecom
operators the duty to enable Lawful Monitoring on their facilities.
As a world leader in network probing, SS7 and IP passive probes are chosen by
competitors as part of their solutions to monitor the networks.
We may mention that passive systems of this nature are sold either in the form of
complete end-to-end systems or as OEM products through other market leaders
throughout the world.
2 Objectives of this document
This document is generated by for intelligence bodies in order to describe the steps
towards the deployment of a strategic intelligence system across the intelligence
organizations.
The document describes the current lawful interception solutions scenario and its
drawbacks for intelligence systems.
Furthermore, the document provides the guidelines for the questionnaire that will be the
tool for collecting the information related to the deployment of the solution.
3 Abstract
The Challenges to Lawful Interception
With a worldwide landscape characterized by entirely new forms of electronic
communication, including digital communication based on Internet technologies that have
gained popularity over the last decade, the nature of lawful interception (LI) has changed
substantially. Regulatory mandates implemented in many countries present a significant
challenge to the telecommunications companies, network operators, and service providers
tasked with meeting current requirements. Solutions that have been developed in recent
years to comply with local and national regulations differ considerably from the tools of
past eras, when lawful interception encompassed primarily the public switched telephone
network (PSTN), permitting simpler monitoring of what was essentially a closed network.
In this digital era, when the Internet provides multiple means of exchanging messages and
voice communications over a much more open telecommunications network than the
PSTN, the onus is on companies to modify and extend their network infrastructures to
accommodate the necessary framework for lawful interception and to support techniques
that permit the capture and analysis of communication data in response to law
enforcement requests.
The complexities of today's communication environment heighten the need for lawful
interception tools versatile enough to contend with the widest range of wired and wireless
communication exchanges. These tools must also have the interoperability to integrate
easily into existing network infrastructures as well as the reliability to meet real-world
challenges in a proven and secure manner. Regardless of the architecture or technology
employed in lawful interception activities, effective solutions need to be available on
demand to respond to all lawful surveillance requests from those agencies empowered by
law to obtain the information.
This document discusses the elements of a successful lawful interception solution from the
perspective of those organizations looking to modify their infrastructure to meet
requirements. The target audience includes network operators with fixed and mobile
installations, Internet service providers, telephone companies, system integrators, and law
enforcement agencies.
Lawful Interception in the 21st Century
The types of communication available to individuals in these early years of the 21st
century are versatile, diverse, and based on an expanding range of technologies. Modern
telecommunications networks offer access through a tremendous range of technologies,
including PSTN, ISDN, xDSL, WLAN, WiMAX, GSM, GPRS, UMTS, CDMA, cable, and other
technologies based on the Internet Protocol (IP).
Hence, intelligence gathering becomes challenging
Each person may have unlimited Mobility
Several identities
Voice, fax, data
Several SP (access, content, switching)
Nowadays telecommunications has emerged as an environment with the following
features:
Full convergence of the IP and Circuit switched world
Full global Mobility and Availability
No subscription and vague identity
P2P applications, encryption
No clear service provider, mostly access providers
Telecom Trends
Availability anytime, anywhere and through any access method
Free connectivity, free communication applications
No need for subscription
No need for identification
Deregulation of the telecom market
Voice communication services have progressed from a fixed network model to encompass
wireless technologies, such as cellular telephones, and Internet-based exchanges, such as
voice over IP (VoIP). Data services have expanded as well, spanning video, facsimile (fax)
services, Short Message Services (SMS), e-mail, image transmissions, and other services.
Internet-based communications have become ubiquitous and have grown far beyond the
basic capabilities of e-mail to include instant messaging, peer-to-peer (P2P) networking,
chat services, and low cost voice communication through a variety of companies and
emerging technologies such as Session Initiation Protocol (SIP). The nature of the Internet
also suggests that new applications and innovative tools will be developed in the future to
extend communication options in unpredictable ways. Amidst this profusion of
communication possibilities, national security organizations and law enforcement agencies
need mechanisms and proven techniques to detect criminal activities and terrorist
operations.
The need for lawful enforcement solutions is growing even while the dynamics of the
market and the legal and regulatory framework continue to evolve. Network operators,
ISPs, telephone companies, and others face an unprecedented public and regulatory
obligation to adapt their workflow and infrastructure, selectively tapping into the vast
flow of information within the telecommunications spectrum to extract
targeted data. For example, the interception of a single e-mail message can pose a major
challenge to an Internet Service Provider because of the high volume of IP traffic handled
by a typical large Internet gateway.
LIMS solutions for Law Enforcement Agencies - the current scenario
Lawful interception (LI) is by its nature target-centric monitoring over the
networks, and it is the legally approved surveillance of telecommunication services.
Figure 1: Functional model for lawful interception
The LIMS solution usually acts as a bridge or mediator between the service provider's
network and the LEAs' monitoring centers.
Figure 2: Architecture of the LIMS
How does Lawful Interception work? It mostly relies on the following available identity
parameters:
Calling number or Called number
IMEI or IMSI
Subscriber's number
Source or destination IP address
Email address
User name
Interception is done according to a unique, easily identifiable parameter or combination
thereof which is linked with the targeted entity.
The outcome of the lawful intercept systems is the target's session(s) / voice call
content (CC) and their related information (IRI).
Obviously, the targeted data is limited to those targets that are provisioned under the
court warrants but absolutely insufficient for intelligence, which is interested in looking at
the entire picture and continuous sources of information to analyze the call patterns of
not only the targets but also their associates and to take action. Moreover, the agencies
would like to analyze the historical data to establish linkages between criminals or suspect
terror networks.
4 Intelligence bodies Challenges
Intelligence bodies' objectives are to defend the country from crime and terrorism in a
different manner, mostly from anonymous people who plot crimes and terrorist attacks.
Intelligence is derived from sources of information which are taken from different domains
and one of them is telecommunications.
Hence, the intelligence systems require real-time, continuous and comprehensive
information sources that will feed the intelligence system functions:
Analysis
Rules base engine
Intelligence management
Alerting & alarming
Presentation
Actionable immediate crime and terrorist preventing operations
One of the objectives of the intelligence analysis systems is to produce new targets for
the targeting systems.
Lawful Intercept Drawbacks vs. the intelligence requirements
The outcome of the lawful intercept systems is limited to the target's sessions content
and their related information (IRI). By nature the lawful interception equipment and the
network elements (e.g. switch, MSC) which extract the target's information are limited, as they
were initially designed to support a certain number of targets and throughput.
The network elements' first priority is to provide the service to the customers and only
then generate the targeted data.
Obviously, the targeted data is limited to those targets that are provisioned under the
court warrants but absolutely insufficient for intelligence as it may be network specific,
incomplete, not comprehensive and intermittent.
The drawbacks of the current solutions are
In general we identify four major domains which current systems lack:
a) missing sources of information
b) lack of cross organizational intelligence process
c) lack of cross organizational information sharing
d) lack of actionable intelligence
which are characterized by:
Insufficient & discontinuous & incomprehensive meaningful information sources
Limited network monitoring
Limited historical data
Limited sessions usage records
Limited visibility of wide telecommunications network
Decentralized & local monitoring management; no centralized management
Inability to link between occasions & suspects as meaningful data sources are very
few
Inability to link between telecommunication sessions generated on different types
of networks such as linking between sessions over different mobile networks in
different geographical locations, or between internet networks and mobile networks.
Historical and real-time location information on crime & terrorism is not
monitored over the networks, resulting in an inability to track suspects' locations and
movements while the terrorists are moving towards the security forces or meeting
together in secret locations or while they are moving in deserted areas, most
probably to put a bomb before the security forces drive through these roads.
Unable to alert the officials in real time by any means in order to avoid crime and
terrorist activities
Unable to share the collected information and the post analysis meaningful results
between the local agencies and on a regional level
5 Introduction to Solution
Communication Ltd comprehensive proven suite, used globally, based on innovative
probing and network-centric analytical methodology and technology. This specific
solution for information extraction for action-able intelligence, sharing and analysis has
been successfully deployed globally and is suitable for local, regional and/or State wide
implementations.
The suite aims to extract the telecommunications data and turn it into effective
intelligence to prevent and combat criminal and terrorist activity. Relevant data is
originally dispersed in different telecommunications systems such as mobile, internet
service providers, international and national long distance calls and others, in network &
information systems in different locations, formats and structures. It is pumped into a
data fusion center and used as the basis for analysis of criminal and terrorist & hostile
networks. The users of the system are law enforcement officers and analysts at any level.
Another important objective of the system is to send relevant alarms & alerts,
which were created upon activation of the pre-defined criminal activity rules after
the system detected data, from this center to other regional, State or federal agencies as
prescribed by the administrators of the intelligence Plan. In addition, the system allows
effective local use of the shared data while at the same time eliminating the need for
each local agency to adapt their own systems.
Furthermore, the system allows real-time actionable provisioning of different systems
such as a tactical selective jammer which selectively blocks the GSM users upon an
immediate target service blocking request from the intelligence system. Vice versa, the
selective jammer's IMSI and IMEI BTS extractor is used as one of the inputs to the
Intelligence system as it can accurately detect the GSM users' activation & location.
6 Gathering Project Information
The questionnaire aims to obtain sufficient information for generating the technical
and the commercial proposals for the intelligence platform deployment.
This paragraph depicts the guidelines for the information collection. It describes the
information required on the telecommunication networks' sources of information, their
frequency, comprehensiveness, bandwidth and geographical locations. Furthermore, the
questionnaire requests the specific intelligence specifications, geographical locations of
monitoring centers and proposed locations for deploying system components.
In addition, the questionnaire determines the requirements for the pilot project and the
complete project. The following action items describe the processes involved prior to
the deployment of the system.
6.1 GATHERING INFORMATION
generates a system questionnaire which includes the following clauses
Clarifications for the current deployed ETSI lawful interception system.
This information will allow to design the connectivity to the current lawful
interception system for targeting the suspects. This will be built as an
umbrella solution that manages and extracts existing ETSI compliant LI
systems deployed on all the networks. In case the current deployment
meets the current LIS GR requirements partially then it needs to be
ascertained whether the existing system can be scaled up to meet the
current requirements or it would require a forklift upgrade.
Clarifications for mobile networks in the region
i. Names of the mobile networks (GSM 2G, 2.5G, 3G), CDMA
ii. Quantities and locations of the MSCs & MG, GGSN-SGSN
iii. For extracting the data records from A-Interfaces & IOS - number of
expected E1/STM1/IP/ATM links which run the signaling between
the MSC and the BSC
iv. For optional voice calls targeting - voice links to be monitored by
the probes for in targeting
v. Number of subscribers
vi. Switch vendors
Clarifications for ISP networks in the region
i. Names of the ISP networks and Locations
ii. Size - number of users
iii. Major pipes bandwidth in/out of the ISP (e.g. 100 Mbps, GigE,
10GigE)
iv. Radius links and protocols
Clarifications for PSTN networks in the region
i. Names of the PSTN networks and Locations
ii. Size - number of subscribers
iii. Locations of the main switches
iv. Switch vendors
Clarifications for ILD Voice networks in the region
i. Names of the ILD networks and Locations
ii. Size - number of subscribers
iii. Locations of the gateways
iv. Number of E1 carried in/out
v. Switch vendors
Clarifications for NLD Voice networks in the region
i. Names of the NLD networks and Locations
ii. Size - number of subscribers
iii. Locations of the gateways
iv. Number of E1 carried in/out
v. Switch vendors
Clarifications for the proposed installation location of the Intelligence
system
i. Preferred backend Location for the IT & storage & applications
ii. Preferred NOC for the administrators of the system
iii. Location of the local monitoring centers (city level)
iv. Location of the regional monitoring centers
v. Location of the state monitoring centers
vi. Available communication links between the operators to the
backend and MC at each level (e.g. E1, DS3, STM1/4/16, IP)
Gathering the intelligence specific requirements from the agency which
will be controlling the system
i. Processes to be in place for intelligence management
ii. Initial Rules of crime and terrorist activities to be collected. Note:
the majority of the rules will be deployed during the commissioning
of the system along with the agencies.
iii. Define reports
iv. Define automatic and manual activation rules
v. Define administrator rules
6.2 ANALYZING THE COLLECTED INFORMATION
gathers & analyzes the collected information towards the project design of the system
Geographical design - the geographical locations of the entire network are
considered for placement of the front-ends (probes) and for the placement of the
physical communication links designed over the region
Probing devices planning - the quantities and types of required probing
devices (e.g. TDM, IP) are correlated with the locations, links and protocols
to be monitored, resulting in a list of desirable probing devices over the
entire region. At this stage, a consolidation of network probing elements is
considered for efficient deployment.
Calculation of the links bandwidth between the system entities at the
different geographical locations
6.3 SYSTEM DESIGN
Based on the collected information analysis, designs a multi-phase project
(1) Pilot project - starting with a pilot project which will consist of all the
functionalities of the solution but will be given for a small scale for the monitoring
of preferred mobile network and ISP.
(2) Entire project - after the completion of the pilot project with the evidence of
the system capabilities, the customer (agency) signs a contract for the
entire project for monitoring the entire networks and providing a wide intelligence
system to the customer as per the predefined specifications.
(3) ETSI LIS Umbrella module - after the completion of the initial phase (probe base
system deployment) proposes to supply an Umbrella system to control the
current ETSI LIS systems that will make it possible to remotely manage and provision new
targets as per the system real-time activation modules and/or as per the court
issued warrant. The umbrella system will allow the agency to take an action of
monitoring suspects on the fly based on their weight and severity generated by the
intelligence system.
(4) Customer Service Automatic Deactivation
Another important objective of the system is to allow the deactivation of customer
mobile services in real-time after the intelligence system rules detect a
high-profile suspect. provides the mechanisms and the interfaces to other solutions and
network provisioning systems.
The following modules and mechanism from allows the deactivation on the
telecommunication services:
a. Cellular Extractor and Selective Jammer
Based on GSM BTS it retrieves cellular identities (IMSI/IMEI) of GSM (2/2.5G)
phones in the coverage area. It provides mass wide area locations for these phones
and accurate locations for phones (using several systems together). Furthermore,
it provides extremely accurate location information for specific targeted cell
phones.
intelligence system will interface the allow to automatically block the suspected
mobile customers
The entire solution is described in a separate paragraph in this document
p. Detailed Bill Of Material BOM for every option
7 Solution Description
Communication Ltd is proposing a new concept for Intelligence Information Extraction
for Action-able Intelligence based on strategic monitoring which actually
comprehensively and widely monitors the telecommunications networks.
The platform allows inputs from non-telecom sources, such as immigration and treasury
departments, to be processed, analyzed and correlated with the telecommunication
sources and to alert on potential threats.
Figure 3: Intelligence Platform
7.1 IRMP INTELLIGENCE RULES MANAGEMENT PLATFORM
- Reactive Rule Engine -
Introduction
As telecommunication networks continue to grow in size, sophistication, types of services,
and geographic reach, Law Enforcement Agencies are turning to automated Intelligence
management solutions with advanced, real-time diagnostics to manage and enable
investigations in complex infrastructure environments.
From out-of-the box network event management, to customizable and extensible event
correlation and root-cause diagnostics, Intelligence Rule-Engine Platform automates
events and services within the most complex network environments in real time, near real
time or off-line (based on events aggregation).
IRMP (Intelligence Rules Management Platform) is a module that helps manage, automate
and enforce reactive rules. The need for such rules may come from legal regulation, policy
or other sources. The Rule Engine software, among other functions, may help to register,
classify and manage all these rules; verify consistency of formal rules; infer some rules
based on other rules; and relate some of these rules to Information Technology
applications that are affected or need to enforce one or more of the rules (e.g. creating a
warrant, disconnecting a mobile call of a suspect subscriber or "alerting" operational
units). Rules can also be used to detect interesting terror/criminal situations
automatically.
IRMP transforms real-time operations data (e.g. pre-CDR/IPDR as well as
unsuccessful/non-completed calls) into automated decisions and actions, all in real time.
This platform works in conjunction with existing operational systems, including enterprise
systems, databases, automation systems, data historians, network management systems,
CRM and more.
In off-line mode, the filtering mechanism will act only on CDRs and Alerts residing in the
database. This will be a batch process either pre-scheduled or manually activated.
Figure 4: Rule Builder
Concept
Figure 5: Rule Engine Concept
Its combination of object technology, extensive rule-engine technologies, and proven
reliability, scalability, and performance make IRMP unique in its ability to address
complex networks for intelligence purposes.
Features
Proactive real-time monitoring of various Telco networks (Mobile, Wireline and IP)
based on state of the art probes
Automation of the time-consuming steps required to analyze, diagnose and
investigate network phenomena/scenarios.
Rapid determination of the suspect and his "behavior" impact analysis
Flexible user interface - expression editor for defining rules or parameters and
intuitive filtering capabilities (events/alarms)
Multi-stage events - the operator will be able to define for branch type events
(following the triggering event) whether to look for a following event or search
for a previous event.
Correlation capabilities that present critical information
Automated actions - reporting to external systems/modules, creating warrants,
updating suspect numbers in phonebooks, etc.
Diverse parameters for in-depth investigation process - among the parameters
which could be incorporated into rules or phonebooks:
a. A or B numbers
b. Location (Switch, Cell, Sector, TA)
c. Handset parameters - IMSI, IMEI, TMSI
d. IP Address/MAC
e. Score (based on various pre-defined parameters/weights)
Interworking capabilities with other modules - both with internal as well as
external modules, there are capabilities of importing or exporting data (e.g.
visualization tools)
System Components Overview
Data Input Handler - this component is designated to collect CDR records (in real
time) from probes and place them into the Persistent Queue.
Persistent Queue - this component provides persistent and transactional queue
support. The incoming CDRs will be placed into the queue by the Data Input
Handler. The CDRs will be withdrawn from the queue by the Real Time Rule
Engine. As the queue should support transactions, the CDR will be removed from
the queue only after it is fully processed by the Real Time Rule Engine.
Real Time Rule Engine - this component is responsible for withdrawing the CDR
records from the Queue and running the Real Time Rules for each CDR. After the
CDR is processed, it should be recorded in the CDR database.
Alert Processor - this component is responsible for processing alerts generated by
Rule Engines. In the first phase the only alert processing action available will be "call
disconnection"; however, the architecture will allow the available actions to be
easily extended if required.
Rules Database - this database will contain the configuration of the rules, and
complementary information, like black/white lists and others.
CDR Database - this database will contain the CDRs required for rule processing
and for calculating aggregate values necessary for rules.
FDMS Manager - GUI module, for use by the FDMS administrator, for defining FDMS
configuration, rules, and corresponding information
Alerts Monitor - GUI module, intended to present alerts and perform required
actions on alerts for the FDMS operator
Access control and users management
Each organization has its own corporate strategy which is based on its goals, activities,
operation methods and regulation approach. However, IRMP (Intelligence Rules
Management Platform) is equipped with a sophisticated user management module,
enabling the system administrator to define various investigator classifications,
categorize users into groups, control the operation and produce audit trails.
For a smooth and efficient deployment, besides the training and OJT (on the job training),
the following information is required:
Organizational structure
Roles and Responsibilities
Relevant functions and their interface to the system
Investigation procedures & flow
External information sources
7.2 LOCATION TRACKING FOR INTELLIGENCE
Massive & Robust Passive Location Tracking
The probes deployed over the mobile networks naturally produce Location
Data Records (LDRs). The records come over the links for every session generated by the
user (voice call, SMS, MMS, web surfing) or by the network, and for network keep-alive messages.
passive and non-intrusive SS7 unique solution for robust location information services
generating massive location positioning for the entire network. The platform is a unified and
centralized solution which non-intrusively collects 100% of the subscribers'
locations.
The advantage of this solution is the ability to provide the information for the entire
subscriber base in real-time. Thus, applications such as the Intelligence gathering platform
do not need to query the information for each subscriber individually, which would
consume system resources and time. This in turn saves the operator a large amount of
resources and money. No other alternative in the industry can compete with such a
massive-passive location fixing method, making the lowest cost per fix possible.
Figure 6: Intelligence Location Data Records Extraction
Active Location tracking for intelligence
Intelligence is based on real-time information sources which lead to the discovery of crime
and terrorist activity plots. One of the most important inputs which reveals the suspects'
behavior is their location.
As part of its intelligence portfolio produce the source of location tracking using its
Location Base Services platform (LBS).
provides active network query GMLC & SMLC solutions as well as passive probing base
solutions.
Figure 7: Example of Detection of group meeting to plot a crime
Various positioning methods may be used such as
Cell ID/Sector (cell/sector size)
Enhanced Cell ID (~600m)
Assisted GPS (street corner accuracy)
Some networks may provide triangle location measurement, which can be added to the
solution as one of the positioning methods and can easily be activated.
The following drawing depicts the basic Cell measurements which are provided by most of
the networks.
How the Intelligence platform allows the activation of the active location GMLC & SMLC. The
following diagram depicts the activation on the location platform:
Figure 9: Active location for Intelligence
8 Visual Links Mapping
The analysis solution is based on stored accumulated CDRs coming from the different
interception systems and other sources. The software analyzes this information in order to
infer links between the various entities. The system interfaces with ' MC central database
containing CDRs, IPDRs and LDRs, loads them into its central intelligence database and
provides analysis tools for analysts to process them.
In addition to the CDRs & IPDRs & LDRs, structured and unstructured data can be loaded to
the system by the analysts in order to participate in the analysis process. At the later
phases the same system can be expanded to interface with various governmental
databases and to access their information, correlate it with the system information and
provide much more comprehensive and holistic intelligence capability.
Turning information into intelligence
Communications data becomes effective intelligence when it can be used to expose,
analyze and understand criminal and terrorist (hostile) networks. By "understanding" we
mean full comprehension of who is involved, how they operate, what are the trends and
changes and other pertinent questions.
The Analysis application exposes, analyzes and monitors hostile networks in a short
amount of time even from massive amounts of data records, and then reports and displays
them visually.
On the one hand, the system can expose a network hidden in millions of records and on
the other hand allows an analyst to view individual records relevant to the analysis.
Figure 10: Correlating location with analysis results
The Analysis application enables law enforcement and intelligence agencies to achieve
more effective analysis in a shorter time and with fewer resources. The Analysis
application is capable of using data from virtually any interception, billing or other
system. There is no need to change how the data is collected. Data types may include
CDRs, emails, SMS messages, internet sessions and more. The data is automatically
canonized into a standard format, regardless of its origin.
The Analysis application includes a built-in investigator's desktop which provides
investigating teams the next generation solution to store, collate, analyze and report any
type of information used in their investigations.
Figure 11: Examples of the Analysis application & Analysis Results
Functional Capabilities
The Analysts main functions are
Acquiring of structured and/or unstructured information, manually or automatically
from different sources such as Internet web pages, files, Emails, external
databases (for structured data), and particularly CDRs.
Easy storage of any type of information: documents, photographs, videos,
recordings, web pages, applications, and any other digital information. Each piece
of information can be assigned to multiple contexts (such as different
investigations). Editing information in one context updates the information in all
contexts.
Acquired data is stored in a central system's repository and automatic indexing is
performed to allow instant and sophisticated Free-Text-Search.
Instant access to structured and unstructured data stored in the central
Intelligence Warehouse.
Built-in modeling subsystem enables analysts to define relationships constructing
models. These models are used, once defined, by all users to construct the
relations maps (networks) and to infer hidden links between involved entities.
Keywords management facility is used to categorize pieces of information into
different areas of interest. These keywords are utilized, once defined, to
selectively search for information and to associate several pieces of information with
the same area of interest.
A built-in free text search engine retrieves information from the Intelligence
Warehouse with easy to use sophisticated search criteria. Textual descriptions of
non-textual information (photographs, recordings, etc.) facilitate their quick
retrieval.
Data retrieval of historical information for post-mortem and ad-hoc analysis
capabilities.
Presentation and editing of links among pieces of information using visual context
maps.
Visual styling of each piece of information allows the user to see the big picture in
a glance.
Pieces of information can be opened and viewed directly from the context maps by
double-click.
Generate and distribute periodic reports based on the organization's intelligence
distribution methodology.
Automatic link analysis produces new relations maps to discover hidden
relationships and hostile networks. Automatically integrate structured and non-
structured data into new contexts.
Use a variety of algorithms (Analysis Models), each of which provides the analysts
with a new context based relations map from different points of view.
Data access to information is managed through granting users with user rights and
access privileges.
Maintenance utilities such as back up and restore of information, data integrity
verification, users management including definition of compartmentalization and
information security management aspects, etc.
General description
Customers are using the Analysis application to infer intelligence from information that
exists in various systems and databases, and use it to conduct complex investigations and
to expose, track and manage hostile networks and tackle terrorism and crime activities.
The Analysis application software suite is a state of the art intelligence platform that
assists investigators and analysts to conduct complex investigations and to reveal hidden
relations between entities and networks.
The system's main features include
Sophisticated link analysis
Advanced network analysis
On the fly analysis of mass quantities of data (billions of records)
Visualization of information in interactive context maps
Central repository connected to various databases
Information sharing for better teamwork capabilities
Storage of all types of data
Importing, exporting and maintaining information from other databases
Dissemination of investigation results to selected destinations and organizational
functions.
Built-in compartmentalization and information security management.
Visualization
The results of the analysis are presented as visual maps (charts) that enhance the user's
understanding and ability to infer additional insights. The maps are completely
interactive. Behind each element (information resource) and link on the map lie additional
metadata, information content, explanations, hyperlinks, database queries and more. The
users may add other types of information as needed in an ongoing investigation. Visual
mapping complements and completes the capabilities of spoken language to create and
communicate knowledge. It promotes an understanding of relationships that formal textual
or verbal phrasing is not generally capable of inducing.
The following example is a map of the results of analysis:
Figure 12: map of the results of analysis
Multi Contextual Analysis
An analysis of a network will typically include many different contexts such as
communications, financial, criminal activity, business relationships, etc. It may also
include additional information which has been manually organized in context maps. The
system is capable of merging these multiple contexts together into one overall picture
called a multi-contextual star. This synthesis can include some or all of the contexts and
relevant links in those contexts. This process is executed automatically after the user
chooses criteria of what information to include in the analysis.
9 Interception and Targeting
Even though intelligence does not call for interception, proposes that, in parallel to the
intelligence information gathering, selective targeting can be provisioned on
probes (either TDM or IP probes). Hence, on the same probe deployments the intelligence
system will allow the provisioning of targets in real-time across the networks. The
advantage of this function is that in extreme conditions it will give the intelligence bodies
the capability to immediately set a target, manually by the intelligence analyst or
automatically by the intelligence system, without the need to interact with the network
operators.
The interception module is provided as an option to the intelligence system.
TDM Interception
The TDM probes are placed on the links between the MSC and BSC, or on the Gb
interface for GPRS, or between the international ILD links etc.
The initial role of the probes is to collect, analyze and extract the meaningful
information from the signaling links; therefore, for this purpose the probes are
placed over the signaling links.
In order to capture the content information (voice), the probes also need to be placed
on the voice A-Interface links (e.g. E1, STM1), which will require additional
hardware on the same probes. The probes are capable of recording a certain number of
concurrent calls depending on the hardware installed.
The following drawing depicts the two scenarios, one for signaling probing to
produce the meta-data CDRs and LDRs
Figure 13: Signaling Monitoring for CDRs LDRs extraction
The second is additional voice link probing for intercepting targets' calls.
Figure 14: Signaling & Voice links monitoring (CDRs LDRs & Voice)
IP Interception
The IP probes are placed on the IP data links at the ISP and major PoPs or at any
other data service provider.
The initial role of the probes is to collect, analyze and extract the meaningful
information in order to generate the IPDRs.
Since the probe can see the content, it is just a matter of assigning targets on
the probe itself, and the content of the provisioned targets will be recorded at the
intelligence platform.
Figure 15: IP network Signaling & Content monitoring (IPDRs & Content)
10 Cellular Extractor and Selective Jammer
In the preface of this document the BTS Cellular extractor - selective jammer
direction finder platform was mentioned as one of the modules in which the
intelligence platform can be activated, which brings the following capabilities to
the entire solution
GSM Cellular IMSI & IMEI extractor
GSM Cellular phones service blocking
GSM Cellular phones location finder which can feed the locations of the customers
to the intelligence system.
GSM Cellular IMSI & IMEI extractor
How does it work? It maps all near-by network BTSs while the BTS pretends to be a
real network BTS (spoofing) with all relevant parameters (frequency, network ID,
etc.). The IMEI/IMSI are extracted for phones trying to register (if a DB of IMSI/IMEI
is available, owners can be identified as well), and the distance from the BTS
is extracted for all phones.
The IMEI/IMSI and Location information is one of the tactical field sources to the
system.
Figure 16: BTS Extracting IMSI/IMEI/TA
Figure 17: BTS triangle location tracking
For example, while occasions like the Olympic Games are running, the Cellular
Extractor BTSs are placed in the geographical area in such a way that they cover the
entire region and extract the IMSI/IMEI and location of all mobiles. The intelligence
system may have a rule that if a known suspect is entering the geographical region
of the games, then the Cellular Extractor will be delivering this valuable
information to the center which will activate the relevant rule and will alert with
high severity to the officials. As an automatic action, the intelligence system will
instruct the Cellular Extractor to operate its deactivation selective jamming
module Selective Jammer and to block the specific customer.
Figure 18: BTS black/white list creation
How Does It Work? The selective jammer loads its DB with IMSI / IMEI Emulating
Near-by Networks and the selective jammer blocks the blacklisted users'
communication so they cannot make or receive a call.
It jams only unauthorized phones and supports white and black lists (IMSI, IMEI, and
MSISDN). It works for GSM (2, 2.5 networks, triple band).
White listed handsets get service from the real networks cells (for both
incoming and outgoing calls)
Any handset which is not included in the white list is hooked to the BTS
which means:
Outgoing calls receive no service
Incoming calls get a subscriber unavailable message
Figure 19: Service for White Listed Phones
Figure 20: DoS for All Other Phones
Another option is when the system will not block the service of the customer but
tracks his position continuously until the law enforcement official will decide to
capture him live.
Figure 21: Activation of BTS
The above drawing depicts the activation of the BTS platform.
11 Internet Denial of Service (DoS) Service blocking
intelligence system allows the blocking of services from customers by interfacing
with IP service blocker and automatically blocks the suspected internet users
Figure 22: DoS for IP users
12 Umbrella Solution for LIS systems (phase-2)
The proposed intelligence platform basically employs a new set of passive probes that will
non-intrusively connect on the communication links and extract the meta-data i.e. call
data record and location data record as well as IPDRs from the IP domain.
It is possible that the probes will perform targeted interception as well which will require
additional connection to the content links i.e. E1 carrying voice on the mobile network.
But, concept is to utilize the current lawful interception systems which are already
deployed in most of the networks. platform will manage the current ETSI delivery system
in parallel to the current management of the system and allow the provisioning of new
targets remotely, with or without the intervention of the operators.
For that purpose in the second phase proposes to build an umbrella management solution
for controlling these systems.
The Challenge
Electronic surveillance of telecommunications services has become an important and
accepted method of law enforcement agencies (LEAs) and government bodies in their fight
against crime and terrorism. By today most fixed and mobile network operators and
telecommunication service providers have installed systems to enable lawful interception
(LI) for the various voice and data services they offer to their customers. Comprehensive
national laws are established that enable LEAs to engage communications service
providers (CSPs) who arrange electronic surveillance for certain individuals (also referred
to as targets). Practice however shows that the number of different networks, services,
and interception systems together with the increasing amount of interception decisions
(ICDs) raise considerable challenges for LEAs and monitoring centers. In fact the
complexity of lawful interception in such a heterogeneous and dispersed LI environment
inevitably leads to errors and delays during the activation of LI decisions or with the
collection of interception data. Furthermore authorities require immediate oversight of all
active ICDs to facilitate analysis and statistics of the nationwide LI activity.
Umbrella Systems
has addressed these needs and challenges by the development of an umbrella
management system that is capable of interconnecting with various other LI management
systems via an automated HI1 interface (see also ETSI TS 101 671 for a definition of
HI1-HI3 interfaces). As shown in figure 1, the umbrella LIMS is a single interface and
management platform for all monitoring centers. ICDs entered at the umbrella system are
provisioned to the various operator LI systems. The delivery of communications content
(CC) will be made directly between the mediation devices or interception access points of
the operator's network and the collection devices of the monitoring center. Intercept
related information (IRI) is first handed over to one mediation device per service provider
which is part of the umbrella system. This guarantees that all IRI is logged, tagged and
delivered to the appropriate monitoring center in a standardized format that enables the
MC to correlate CC and IRI with the original ICD.
Figure 23: Architecture of Umbrella Solution
As shown in the diagram the LI systems of the providers maintain an important role in the
network as they connect to the proprietary interfaces of the various network elements and
incorporate the mediation and delivery function for each type of service.
The use of an umbrella system has various advantages for administrative bodies:
Immediate access - ICDs can be activated instantly and provisioned automatically
on one or many operator networks. There is no delay by paper fax or manual
configurations on several systems.
Central Database - The central storage and maintenance of all ICDs enables full
control over all active interception requests. It facilitates security audits,
consistency checks, and allows detailed statistics and instant failure recognition.
Transparency - Administration and delivery channels are separated between the
connected service provider systems. Thus personnel at one operator's network have
no insight into any details of interception decisions in other networks.
No performance loss - Although the administration function is centralized the
delivery of intercept data is done directly from the distributed mediation devices
(DF2) and network elements to the monitoring center.
Reliability - The central management of all LI systems enhances the reliability of
the entire LI network. System failures can be detected automatically by alarm
messages so that operators can immediately take appropriate action or require the
administrator of the faulty network to analyze the problem locally. To further
enhance the availability of the system a redundant management server can be
operated in hot-standby mode. If local failure recovery fails the system can
seamlessly switch to the standby server. The automation of the provisioning
process further reduces the risk of human failures.
Cost reduction - Automation of the provisioning interfaces (HI1) leads to an
acceleration of processes and thus reduces the costs of operation for both the LEA
and the service provider.
Extensibility - The modular architecture of the umbrella system provides a solid
basis for future extensions of the LI system. In fact there is virtually no limit to the
13 Field Laptop
Extracting Information from the Intelligence System in the Field
enables the use of a laptop in the field that can be connected with a cellular modem via one
of the mobile networks.
As the information is top classified, the communication shall be protected with the
appropriate security methods. Through the connection to the intelligence system, the field
forces can see the mobile users' activities and can even instruct the intelligence system to
perform interception if required.
The following diagram depicts the concept:
Figure 25: Field LAPTOP
14 Platform Hardware & Software Specifications
Solution Considerations for Achieving Comprehensive Intelligence
Regardless of the specific geographic location, the prevailing regulatory environment in
your region is likely to include provisions so that lawful interception operations can be
performed when requested by an authority. The following list highlights the capabilities of
a lawful interception solution that are most relevant to regulatory mandates and
legislative requirements.
Comprehensive interception capabilities: The intelligence solution must be able
to intercept all applicable communications of the entire targets and certain targets
without any gaps in coverage.
Reliability and integrity: The intelligence solution should ensure delivery of
precise and accurate results with the highest levels of data integrity. The
intelligence solution must be as reliable as the service to be monitored &
intercepted.
Separation of content: Intercepted communications data should be divisible into
individual components; for example, the metadata included in the Interception
Related Information (IRI) should be separable from the Communication Content
(CC) if targeting is operated on the system.
Transparent surveillance: The monitoring activities performed by the solution
must not be detectable by the subscriber and should be non-intrusive to the
monitored links.
Immediate activation and real-time responsiveness: Following a request from
intelligence analysts, a solution must be able to be activated immediately and
provide real-time response in delivering intercepted data.
Sufficient capacity: The solution must have adequate capacity to handle the scope
and scale of requested surveillance activities.
Data security and privacy: Sensitive data must be protected during transmission
and the privacy of an individual's records and personal
Technical Specifications
Hardware
Intelligence Platform runs on industry-standard servers. Customers can choose from
single-server configurations for small networks up to multi-server clusters for large
networks with tens of millions of telecom extracted records, millions of subscribers
and thousands of intercept targets.
State-of-the-Art Interception System
After over 11 years of experience and continuous improvement, the LIMS & Intelligence
system has matured from a surveillance system for mobile networks to a complete
interception suite for various kinds of networks and services. Today offers the most
comprehensive list of complex LIMS deployments and probe-based installations for
intelligence gathering, supporting any wireless and wireline network and multiple
services, including telephony, fax, SMS, MMS, Push-to-Talk, Internet access, e-mail, VoIP
and other IP-based services and, most important, location of subscribers.
In its entire software and hardware architecture the solution has been designed as a
carrier-grade system that meets highest security, reliability and performance criteria.
Standards Compliance
platform is designed to comply with national and international lawful interception
standards developed by ETSI, 3GPP and others.
Modular and Scalable Architecture
While the system is designed for large-scale networks with millions of subscribers, the
intelligence platform can easily be adapted to provide an economically feasible solution
for networks with only a few thousand users. In fact, the modular software architecture
enables operators to extend the system as the demand for lawful interception increases
and/or their subscriber base grows. Performance-critical tasks and processes can be
migrated to dedicated servers to increase the overall system capacity and throughput. The
underlying hardware platform is based on the probing system and ETSI delivery active
elements, with sufficient performance reserves for all current and future network sizes. The
architecture of the solution is designed to meet the network's day-1 monitored links using
the probes, which support a modular concept.
In addition, as the developer and the manufacturer of probes (TDM, IP, Mobile - 2G, 2.5G,
3G, UMTS, and CDMA) frequently adapts its set of supported protocols to market
changes and new technologies.
Cost-Efficiency
The platform is a centralized system that serves all intelligence and LI-related tasks of
multiple geographically separated intelligence entities and multiple intelligence bodies on
a heterogeneous service network. By using one single point of access, the users of the
system can reduce their administration costs by simplifying the communication with LEAs
and by reducing the effort for the provisioning of the probing infrastructure on the widely
spread network.
Users can initiate, modify or delete any monitoring and query requests on the entire
network and on various levels of the system in a matter of minutes with the easy-to-use
management system. Once installed in the network, the monitoring platform is almost
maintenance-free.
15 Probes
15.1 TDM ATM PROBE
The TDM interception covers any type of traditional TDM protocol, such as ISUP, PRI, R2 and
ATM.
TDM Probe
Signaling E1, DS3 and STM1 TDM Probes collect data directly from the signaling links of
circuit-switched and from packet-switched networks. Since the probes monitor the data
traffic non-intrusively, switch performance is not affected. The Monitoring solution can
process 1000's of passive messages per second.
The SSP analyzes the data, generates statistics, stores the results, and conducts real-time
triggering, trapping, and filtering for each link. Each probe can generate raw
call/transaction/SMS detail records (xDRs) in conjunction with full surveillance monitoring.
SSP is a flexible system that allows multiple configurations of its chassis form factor with
power supply redundancy and 1, 4, or 7 slots for card line connection, which can support
up to 646 signaling channels per shelf.
In-band and out-of-band signaling will be monitored for detecting the in-band traffic. It
will be known in advance, in most cases, what signaling comes on a specific ingress link. In
that case the link's signaling will be configured as defined in the warrant.
In other scenarios, where a link's signaling needs to be analyzed, it will be manually directed
to an analysis application that tries to identify the protocol. After identification of the
protocol, its signaling type will be updated and the link will be available for monitoring.
FE Signaling Probe analyzes signaling data, generates statistics, stores the results, and
conducts real-time triggering, trapping, and filtering for each link. Each probe can
generate raw call/transaction/SMS detail records (xDRs) in conjunction with full
surveillance monitoring.
The probe is a flexible system that allows multiple configurations of its chassis form factor
with power supply redundancy and 1 to 18 slots for card line connection, which can
support up to 288 TDM signaling channels per shelf (see CC-Probe connectivity chart) and
up to a speed of 1 gigabyte per monitoring card.
Since the number of E1s is 4, a 4U chassis will be deployed.
Figure 26 Hexa E1/T1 Compact PCI Telecommunication Adapter
The Hexa E1/T1 Telecom Adapter card is a stand-alone Compact PCI card designed for
operations over up to 16 E1/T1 interfaces connectable to ISDN PRIs, CAS/RBS trunks, V5
links and SS7 links. This card is ideally suited for both PSTN and IP telephony systems
handling large volumes of voice circuits for protocol processing or for transfer to the H.110
bus, the PCI bus or Ethernet.
Application examples include SS7 network elements, wireless infrastructure equipment,
media and signaling gateways, and telecom switching and routing equipment.
It is fully compliant with PICMG 2.16 (Packet Switching Backplane) specification.
The card operates as a fully programmable communications subsystem capable of
intra-chassis communication using the cPCI bus.
TDM Probe Supported protocols:
ISDN
Q.931 (1988)
PRI
MTP2 supports:
Reliable transfer of signaling messages over signaling
links for:
ITU-T
ANSI
TTC (Japan)
NTT (Japan)
China
Other variants
Bellcore
TR-TSY-000271 Issue 1, Rev. 4, 1990
TR-NWT-000246 Issue 2, 1991
ANSI SS7 GR-246 Issue 2
MTP T1.111
SCCP T1.112
ISUP T1.113
TCAP T1.114
AIN Release 0.1
TR-NWT-001299 Issue 1, 11/92
TIA-EIA
IS-41B
IS-41C
IS-634B
WIN
ITU-T SS7 White-Book CD 12/97
TCAP Q.773 03/93
ISUP Q.763 03/93
TUP Q.723 Extract from Blue Book Fascicle VI.8 (1988)
SCCP Q.713 07/96
MTP3 Q.707 Extract from Blue Book Fascicle VI.8 (1988)
MTP3 Q.704 07/96
MTP2 Q.703 07/96
INAP Q.1218 10/95
INAP supports:
Capability Set 1 (CS1), as defined by the ITU, ETSI, and
the Generic Requirement (GR) Standards of the Bellcore
Advanced Intelligent Network (AIN)
ISUP variants
Telcordia (formerly Bellcore)
Singapore
Q.767
ETSI FTZ
Russia
India
Italy
NTT (Japan)
Israel
Other variants
Brazilian TUP
Chinese TUP
ETSI GSM
Abis 08.58 Version 3.5.0
MAP 09.02 Version 7.1.0
BSSAP 08.06 Version 8.0.0
BSSMAP 08.08 Version 8.5.0
DTAP 04.08 Version 7.8
GSM
A-Interface: MTP2, MTP3, SCCP, DTAP, BSSMAP, MAP (HLR-VLR), TCAP
G-b Over E1, Frame Relay, IP
CDMA
A-Interface
NOIS
1XRTT (IOS)
GPRS
Gb
Gr
Gp
UMTS
Iu-PS
Iu-CS
Iu-r
Q.2140
Supports convergence functions necessary to map the SS7 MTP Level 3 protocol to the ATM
Q.SAAL protocol:
ITU-T Q.2140: B-ISDN ATM Adaptation Layer - SSCF at NNI and Q.2110: B-ISDN ATM
Adaptation Layer - SSCOP
NOM-112
NOM-112-SCT (1995)
V5.2
ETS 300 347-1 (1994)
Supported In-Band Protocols
N5 based on ITU-T Q.140-Q.145, Q.151-
R2
C5
Q156
MFR R2
MFR R1.5
CAS
Alcatel CAS TRS JD7STHAA
DTMF
Signaling Link Interfaces
15.2 IP PROBE
Overview
The IP 1GigE and 10GigE probes are designed and built in a modular architecture. The
probe consists of a standard ATCA/MicroTCA carrier-grade chassis, equipped with IP
Probe Cards. Each card is composed of a highly integrated system-on-chip (SoC) platform
that includes a PowerPC core. This flexible and powerful architecture provides the ability
to monitor, filter, analyze and capture IP sessions from the lower layers
(Ethernet, MPLS, VLAN, etc.) all the way to the application layers (E-mail, Web, VoIP,
Video, Chat, etc.), at wire-speed rates of up to 10Gbps and beyond.
15.3 MODE OF OPERATION
IP Probe is passively attached to the IP network which is being monitored, either directly
from the splitter, or through Ethernet outputs of the Interceptor unit (which is in charge
of converting POS traffic to Ethernet). The passive attachment ensures that no additional
load on the network is created due to monitoring requirements, so no additional network
resources are required. Packets extracted by the IP probe undergo an inspection process
that determines whether to process them into sessions or transactions, or to discard them
at the probe level.
The packet inspection is performed by a hierarchical process. In the first stage the IP Probe
Card filters IP sessions based on the following targeting identifiers: MAC Address, VLAN ID,
MPLS tag, etc. and combinations of IP addresses and Transport Layer protocol ports (such
as TCP or UDP). Traffic targeted by those identifiers is forwarded directly to the Mediation
sub-system (Server) for further processing. The traffic that requires application layer
targeting (like specific string searches within an e-mail or a web page) is passed to the main
processor for deep packet inspection (DPI). This layer-based filtering approach enables
wire-speed packet flow while allowing DPI when application-level analysis is required.
The following diagram illustrates this process:
[Flowchart; stages shown: Lower Layers Based Filtering; App Targeting Required? (Yes/No);
Application Specific Data Processing; Content Targeting Required? (Yes/No); DPI Processing
and Keyword Search; Aggregation and Mediation]
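The tiering described above, as an added example (not the vendor's code): a header-only first stage decides whether a packet is forwarded, discarded or escalated, and the payload is scanned only when every matching rule carries a keyword. The `Packet` and `Rule` types, their field names and the sample traffic are constructed for illustration, and the flowchart's separate application-processing step is folded into the second stage.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:  # constructed, already-decoded packet summary, not a real capture
    mac: str
    vlan: Optional[int]
    src_ip: str
    dst_ip: str
    proto: str
    port: int            # destination port
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    mac: Optional[str] = None
    vlan: Optional[int] = None
    net: Optional[str] = None         # CIDR, matched against source or destination
    proto: Optional[str] = None
    port: Optional[int] = None
    keyword: Optional[bytes] = None   # set only when payload inspection is required
    def header_match(self, p: Packet) -> bool:
        """Stage 1: compare layer 2-4 fields only; the payload is never read."""
        for attr in ("mac", "vlan", "proto", "port"):
            want = getattr(self, attr)
            if want is not None and want != getattr(p, attr):
                return False
        if self.net is None:
            return True
        net = ip_network(self.net)
        return any(ip_address(a) in net for a in (p.src_ip, p.dst_ip))

def classify(packets, rules):
    """Return packet indexes per path and the number of payload scans performed."""
    out = {"forwarded": [], "dpi_hit": [], "discarded": [], "dpi_scans": 0}
    for i, p in enumerate(packets):
        matched = [r for r in rules if r.header_match(p)]
        if any(r.keyword is None for r in matched):
            out["forwarded"].append(i)      # header criteria suffice, DPI skipped
        elif matched:
            out["dpi_scans"] += 1           # stage 2 runs only for these packets
            body = p.payload.lower()
            hit = any(r.keyword.lower() in body for r in matched)
            out["dpi_hit" if hit else "discarded"].append(i)
        else:
            out["discarded"].append(i)      # dropped at the probe, payload unread
    return out

# Constructed sample: RFC 5737 documentation addresses and made-up payloads.
RULES = [Rule(vlan=210), Rule(net="203.0.113.0/24"),
         Rule(proto="tcp", port=25, keyword=b"subject: invoice")]
PACKETS = [
    Packet("02:00:00:00:00:01", 210, "192.0.2.10", "198.51.100.5", "tcp", 443, b"\x16\x03"),
    Packet("02:00:00:00:00:02", 30, "192.0.2.11", "198.51.100.6", "tcp", 25, b"Subject: Invoice 7\r\n"),
    Packet("02:00:00:00:00:03", 30, "192.0.2.12", "198.51.100.6", "tcp", 25, b"Subject: lunch\r\n"),
    Packet("02:00:00:00:00:04", 30, "192.0.2.13", "203.0.113.9", "udp", 53, b"\x00\x01"),
    Packet("02:00:00:00:00:05", 30, "192.0.2.14", "198.51.100.8", "udp", 53, b"\x00\x01"),
]
```

Calling `classify(PACKETS, RULES)` on the five sample packets performs only two payload scans; the other three are resolved from header fields alone.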
15.4.2 INTERCEPTION CRITERIA
The table below provides a partial list of interception criteria available for the IP probe:
| Interception Criteria | Layer | Decodable Protocol Name | RFC/ITU Standard |
|---|---|---|---|
| MAC Address | 2 | Ethernet | IEEE 802.3 |
| VLAN ID | 2.5 | Virtual LAN | IEEE 802.1Q |
| MPLS Tag | 2.5 | MPLS | |
| VPI | 2 | ATM | |
| VCI | 2 | ATM | |
| DLCI | 2 | Frame Relay | |
| IP Address | 3 | IPv4 | |
| IP Address Range | 3 | IPv4 | |
| IP Address | 3 | IPv6 | |
| IP Address Range | 3 | IPv6 | |
| TCP Port | 4 | TCP | |
| UDP Port | 4 | UDP | |
| SCTP Port | 4 | SCTP | |
| E-mail From Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail To Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail CC Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail BCC Address | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Subject | 7 | SMTP, POP, IMAP, NNTP | |
| E-mail Reply To Address | 7 | SMTP, POP, IMAP, NNTP | |

This list is continuously updated as new interception criteria are made available.