Intelligence Platform and Strategic Monitoring- 05-2012


Transcript of Intelligence Platform and Strategic Monitoring- 05-2012

  • 7/31/2019 Intelligence Platform and Strategic Monitoring- 05-2012

    1/78

    Intelligence Platform

    Information Extraction for Action-

    able Intelligence

    Steps towards deployment


    All rights Reserved

    Intelligence platform and strategic monitoring 06-Feb-1010 v1.0.doc

    Accuracy

    Every effort has been made to ensure the accuracy of the features and techniques presented in this

    publication.

    Restricted Rights

    You may not reproduce, transmit, transcribe, store in a retrieval system, or translate into any language or

    computer language, in any form or by any means, electronic, mechanical, optical, magnetic, photographic,

    manual, or otherwise, any part of this publication without the express permission of .

    Limitations

    This document has the following conditions and restrictions:

    This document contains proprietary information belonging to our partner. Such information is supplied solely

    for assisting explicitly and properly authorized users. No part of its contents may be used for any other

    purpose, disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the

    express prior written permission of our partner. No part or parts of this document shall be copied, used for

    commercial purposes or passed to any third party for any use, without approval of . The text and graphics are

    for the purpose of illustration and reference only. The specifications on which they are based are subject to

    change without notice.


    Table of Contents

    1 INTRODUCTION
    2 OBJECTIVES OF THIS DOCUMENT
    3 ABSTRACT
    4 INTELLIGENCE BODIES CHALLENGES
    5 INTRODUCTION TO THE SOLUTION
    6 GATHERING PROJECT INFORMATION
        6.1 Gathering Information
        6.2 Analyzing the collected information
        6.3 System Design
        6.4 Commercial Proposal
    7 SOLUTION DESCRIPTION
        7.1 IRMP Intelligence Rules Management Platform
            Concept
            Features
            System Components Overview
            Access control and users management
        7.2 Location Tracking For Intelligence
    8 VISUAL LINKS MAPPING
            Functional Capabilities
            General description
            Visualization
            Multi Contextual Analysis
    9 INTERCEPTION AND TARGETING
    10 CELLULAR EXTRACTOR AND SELECTIVE JAMMER
    11 INTERNET DENIAL OF SERVICE (DOS) SERVICE BLOCKING
    12 UMBRELLA SOLUTION FOR LIS SYSTEMS (PHASE-2)
    13 FIELD LAPTOP
    14 PLATFORM HARDWARE & SOFTWARE SPECIFICATIONS
    15 PROBES
        15.1 TDM ATM Probe
        15.2 IP Probe
        15.3 Mode of Operation
        15.4 Technical Specifications
            15.4.1 Key Features
            15.4.2 Interception Criteria
            15.4.3 Capacity Parameters

    Table of Figures

    Figure 1: Functional model for lawful interception
    Figure 2: Architecture of the LIMS
    Figure 3: Intelligence Platform
    Figure 4: Rule Builder
    Figure 5: Rule Engine Concept
    Figure 6: Intelligence Location Data Records Extraction
    Figure 7: Example of Detection of group meeting to plot a crime
    Figure 8: Cell & sector & Time Advanced location
    Figure 9: Active location for Intelligence
    Figure 10: Correlating location with analysis results
    Figure 11: Examples of the Analysis application & Analysis Results
    Figure 12: Map of the results of analysis
    Figure 13: Signaling Monitoring for CDRs LDRs extraction
    Figure 14: Signaling & Voice links monitoring (CDRs LDRs & Voice)
    Figure 15: IP network Signaling & Content monitoring (IPDRs & Content)
    Figure 16: BTS Extracting IMSI/IMEI/TA
    Figure 17: BTS triangle location tracking
    Figure 18: BTS black/white list creation
    Figure 19: Service for White Listed Phones
    Figure 20: DoS for All Other Phones
    Figure 21: Activation of BTS
    Figure 22: DoS for IP users
    Figure 23: Architecture of Umbrella Solution
    Figure 24: Umbrella Solution activation
    Figure 25: Field Laptop
    Figure 26: Hexa E1/T1 Compact PCI Telecommunication Adapter


    1 Introduction

    is pleased to present intelligence agencies a turnkey solution to provide intelligence

    bodies with a comprehensive secure and reliable system to provide effective and

    comprehensive electronic intelligence services to the Agencies of the country.

    About

    develops and markets a wide range of strategic and tactical solutions and products for the security forces, lawful agencies and intelligence bodies. in-house developed products monitor the telecommunications networks and generate meaningful sources of information for intelligence and lawful intercept.

    End-to-End Applications

    Lawful Interception - A family of LI applications based on signaling passive probing.

    Intelligence Solutions - A family of strategic and tactical solutions for intelligence bodies.

    Location - An active location tracking system for subscribers, using a combination of active query modules and passive probes.

    A-GPS - Precise location tracking for subscribers, using a combination of cellular technology and GPS.

    Probes - TDM & IP probes infrastructure.

    Anti Fraud - A complete suite of Anti Fraud applications for IP and TDM networks.

    Vendor reputation and experience

    is backed by the Israel Ministry of Defense and we work with the relevant security/intelligence and telecom operators locally. In addition, worldwide established Tier 1 operators such as AT&T, Cable & Wireless, Sprint, Telefonica, Vodafone, Reliance (among others) have trusted their mission critical needs and projects to us. has offices in Israel and India.

    was established in 1999 by a group of Israeli entrepreneurs. The company is profitable and quickly made its way to financial independence and a fast growth track. As part of the process we entered relationships with the biggest and most renowned telecom vendors as channels to our products. Nevertheless always aimed at independence and in the last years has reinforced its direct sales through establishment of satellite offices in 2 continents and enhancing its product line. This approach has proven to increase the company's ability to market directly, better understand changing market requirements and eventually improve the company's financial performance.

    Thanks to technical superiority and uniqueness of our products we still work with all of

    them and continue to sell OEM products.

    In the process, passive probes have been utilized to monitor all of Israel's 4 mobile operators at the A-interface level and on other links: Pelephone, MIRS, Cellcom and Partner/Orange. In some of them replaced incumbents, in most of them few applications have been deployed, and are being continually supported, upgraded and scaled up. 3rd generation technologies have been deployed both on CDMA and GSM networks.

    The company has built a reputation of the highest technical skills, innovation, customer

    orientation, highest products standards and financial independence. Increasing efforts in

    customer care led to increased customer satisfaction and enabled us to cross and up sell

    additional products and capacity to most of our customers.

    has widely deployed its solution all over the globe both through its partners and

    independently.

    Lawful intercept deployment

    Lawful interception solutions (LI) are sold almost in every case to government and

    security organizations. India is an exception in which regulation imposes on telecom

    operators the duty to enable Lawful Monitoring on its facilities.

    As a world leader in network probing, SS7 and IP passive probes are chosen by

    competitors as part of their solutions to monitor the networks.

    We may mention that passive systems of this nature are sold either in the form of

    complete end-to-end systems or as OEM products through other market leaders

    throughout the world.


    2 Objectives of this document

    This document is generated by for intelligence bodies in order to describe the steps towards the deployment of a strategic intelligence system across the intelligence organizations.

    The document describes the current lawful interception solutions scenario and its drawbacks for intelligence systems.

    Furthermore, the document provides the guidelines to the questionnaire that will be the tool for collecting the information related to the deployment of the solution.

    3 Abstract

    The Challenges to Lawful Interception

    With a worldwide landscape characterized by entirely new forms of electronic communication, including digital communication based on Internet technologies that have gained popularity over the last decade, the nature of lawful interception (LI) has changed substantially. Regulatory mandates implemented in many countries present a significant challenge to the telecommunications companies, network operators, and service providers tasked with meeting current requirements. Solutions that have been developed in recent years to comply with local and national regulations differ considerably from the tools of past eras, when lawful interception encompassed primarily the public switched telephone network (PSTN), permitting simpler monitoring of what was essentially a closed network. In this digital era, when the Internet provides multiple means of exchanging messages and voice communications over a much more open telecommunications network than the PSTN, the onus is on companies to modify and extend their network infrastructures to accommodate the necessary framework for lawful interception and to support techniques that permit the capture and analysis of communication data in response to law enforcement requests.

    The complexities of today's communication environment heighten the need for lawful interception tools versatile enough to contend with the widest range of wired and wireless communication exchanges. These tools must also have the interoperability to integrate easily into existing network infrastructures as well as the reliability to meet real-world challenges in a proven and secure manner. Regardless of the architecture or technology employed in lawful interception activities, effective solutions need to be available on demand to respond to all lawful surveillance requests from those agencies empowered by law to obtain the information.

    This document discusses the elements of a successful lawful interception solution from the

    perspective of those organizations looking to modify their infrastructure to meet

    requirements. The target audience includes network operators with fixed and mobile

    installations, Internet service providers, telephone companies, system integrators, and law

    enforcement agencies.

    Lawful Interception in the 21st Century

    The types of communication available to individuals in these early years of the 21st century are versatile, diverse, and based on an expanding range of technologies. Modern telecommunications networks offer access through a tremendous range of technologies, including PSTN, ISDN, xDSL, WLAN, WiMAX, GSM, GPRS, UMTS, CDMA, cable, and other technologies based on the Internet Protocol (IP).

    Hence, intelligence gathering becomes challenging:

    - Each person may have unlimited Mobility
    - Several identities
    - Voice, fax, data
    - Several SP (access, content, switching)

    Nowadays telecommunications has emerged as an environment with the following features:

    - Full convergence of the IP and Circuit switched world
    - Full global Mobility and Availability
    - No subscription and vague identity
    - P2P applications, encryption
    - No clear service provider, mostly access providers

    Telecom Trends

    - Availability anytime, anywhere and through any access method
    - Free connectivity, free communication applications
    - No need for subscription
    - No need for identification
    - Deregulation of the telecom market

    Voice communication services have progressed from a fixed network model to encompass

    wireless technologies, such as cellular telephones, and Internet-based exchanges, such as

    voice over IP (VoIP). Data services have expanded as well, spanning video, facsimile (fax)

    services, Short Message Services (SMS), e-mail, image transmissions, and other services.

    Internet-based communications have become ubiquitous and have grown far beyond the

    basic capabilities of e-mail to include instant messaging, peer-to-peer (P2P) networking,

    chat services, and low cost voice communication through a variety of companies and

    emerging technologies such as Session Initiation Protocol (SIP). The nature of the Internet

    also suggests that new applications and innovative tools will be developed in the future to

    extend communication options in unpredictable ways. Amidst this profusion of

    communication possibilities, national security organizations and law enforcement agencies

    need mechanisms and proven techniques to detect criminal activities and terrorist

    operations.

    The need for lawful enforcement solutions is growing even while the dynamics of the market and the legal and regulatory framework continue to evolve. Network operators, ISPs, telephone companies, and others face an unprecedented public and regulatory obligation to adapt their workflow and infrastructure, selectively tapping into the vast flow of information within the telecommunications spectrum to extract targeted data. For example, the interception of a single e-mail message can pose a major challenge to an Internet Service Provider because of the high volume of IP traffic handled by a typical large Internet gateway.

    LIMS solutions for Law Enforcement Agencies - the current scenario

    Lawful interception (LI), by its nature, performs target-centric monitoring over the networks; it is the legally approved surveillance of telecommunication services.

    Figure 1: Functional model for lawful interception

    The LIMS solution usually acts as a bridge or mediator between the service provider's network and the LEAs' monitoring centers.


    Figure 2: Architecture of the LIMS

    How does Lawful Interception work? It mostly relies on the following available identity parameters:

    - Calling number or Called number
    - IMEI or IMSI
    - Subscriber's number
    - Source or destination IP address
    - Email address
    - User name

    Interception is done according to a unique, easily identifiable parameter or combination

    thereof which is linked with the targeted entity.

    The outcome of the lawful intercept systems is the target's session(s) / voice call content (CC) and their related information (IRI).

    Obviously, the targeted data is limited to those targets that are provisioned under the court warrants, but it is absolutely insufficient for intelligence, which is interested in looking at the entire picture and at continuous sources of information in order to analyze the call patterns not only of the targets but also of their associates, and to take action. Moreover, the agencies would like to analyze the historical data to establish linkages between criminals or suspected terror networks.


    4 Intelligence bodies Challenges

    Intelligence bodies' objectives are to defend the country from crime and terrorism in a different manner, mostly from anonymous people who plot crimes and terrorist attacks.

    Intelligence is derived from sources of information which are taken from different domains, and one of them is telecommunications.

    Hence, the intelligence systems require real-time, continuous and comprehensive information sources that will feed the intelligence system functions:

    - Analysis
    - Rules base engine
    - Intelligence management
    - Alerting & alarming
    - Presentation
    - Actionable immediate crime and terrorist preventing operations

    One of the objectives of the intelligence analysis systems is to produce new targets for the targeting systems.

    Lawful Intercept Drawbacks vs. the intelligence requirements

    The outcome of the lawful intercept systems is limited to the targets' sessions content and their related information (IRI). By nature, the lawful interception equipment and the network elements (e.g. switch, MSC) which extract the targets' information are limited, as they were initially designed to support a certain number of targets and throughput.

    The network elements' first priority is to provide the service to the customers and only then generate the targeted data.

    Obviously, the targeted data is limited to those targets that are provisioned under the

    court warrants but absolutely insufficient for intelligence as it may be network specific,

    incomplete, not comprehensive and intermittent.

    The drawbacks of the current solutions are:

    In general we identify four major domains which current systems lack:

    a) missing sources of information
    b) lack of cross organizational intelligence process
    c) lack of cross organizational information sharing
    d) lack of actionable intelligence

    which are characterized by:

    - Insufficient, discontinuous and incomprehensive meaningful information sources
    - Limited network monitoring
    - Limited historical data
    - Limited sessions usage records
    - Limited visibility of the wide telecommunications network
    - Decentralized & local monitoring management; no centralized management
    - Inability to link between occasions & suspects, as meaningful data sources are very few
    - Inability to link between telecommunication sessions generated on different types of networks, such as linking between sessions over different mobile networks in different geographical locations, or between internet networks and mobile networks.
    - Crime and terrorism historical and real-time location information is not monitored over the networks, resulting in an inability to track suspects' locations and movements while the terrorists are moving towards the security forces, meeting together in secret locations, or moving in deserted areas, most probably to put a bomb before the security forces drive through these roads.
    - Unable to alert the officials in real time by any means in order to avoid crime and terrorist activities
    - Unable to share the collected information and the post analysis meaningful results between the local agencies and on a regional level


    5 Introduction to Solution

    Communication Ltd comprehensive proven suite, used globally, based on innovative

    probing and network-centric analytical methodology and technology. This specific

    solution for information extraction for action-able intelligence, sharing and analysis has

    been successfully deployed globally and is suitable for local, regional and/or State wide

    implementations.

    The suite aims to extract the telecommunications data and turn it into effective intelligence to prevent and combat criminal and terrorist activity. Relevant data is originally dispersed in different telecommunications systems such as mobile, internet service providers, international and national long distance calls and others, in network & information systems in different locations, formats and structures. It is pumped into a data fusion center and used as the basis for analysis of criminal, terrorist & hostile networks. The users of the system are law enforcement officers and analysts at any level.

    Another important objective of the system is to send relevant alarms & alerts, which are generated when the pre-defined criminal activity rules are activated by data the system has detected, from this center to other regional, State or federal agencies as prescribed by the administrators of the intelligence Plan. In addition, the system allows effective local use of the shared data while at the same time eliminating the need for each local agency to adapt their own systems.

    Furthermore, the system allows real-time actionable provisioning of different systems, such as a tactical selective jammer which selectively blocks the GSM users upon an immediate target service blocking request from the intelligence system. Vice versa, the selective jammer's IMSI and IMEI BTS extractor is used as one of the inputs to the Intelligence system, as it can accurately detect the GSM users' activation & location.

    6 Gathering Project Information

    The questionnaire aims to obtain sufficient information for generating the technical and the commercial proposals for the intelligence platform deployment.

    This paragraph depicts the guidelines for the information collection. It describes the information required on the telecommunication networks' sources of information, their frequency, comprehensiveness, bandwidth and geographical locations. Furthermore, the questionnaire requests the specific intelligence specifications, geographical locations of monitoring centers and proposed locations for deploying system components.

    In addition, the questionnaire determines the requirements for the pilot project and the complete project. The following action items describe the processes involved prior to the deployment of the system.

    6.1 GATHERING INFORMATION

    generates a system questionnaire which includes the following clauses

    Clarifications for the currently deployed ETSI lawful interception system.
    This information will allow the design of the connectivity to the current lawful
    interception system for targeting the suspects. This will be built as an
    umbrella solution that manages and extracts existing ETSI-compliant LI
    systems deployed on all the networks. In case the current deployment
    meets the current LIS GR requirements only partially, it needs to be
    ascertained whether the existing system can be scaled up to meet the
    current requirements or would require a forklift upgrade.

    Clarifications for mobile networks in the region

    i. Names of the mobile networks (GSM 2G, 2.5G, 3G), CDMA

    ii. Quantities and locations of the MSCs & MG, GGSN-SGSN

    iii. For extracting the data records from A-Interfaces & IOS - number of
    expected E1/STM1/IP/ATM links which run the signaling between
    the MSC and BSC

    iv. For optional voice calls targeting - voice links to be monitored by

    the probes for in targeting

    v. Number of subscribers

    vi. Switch vendors

    Clarifications for ISP networks in the region

    i. Names of the ISP networks and Locations

    ii. Size - number of users


    iii. Major pipes bandwidth in/out of the ISP (e.g. 100 Mbps, GigE,

    10GigE)

    iv. RADIUS links and protocols

    Clarifications for PSTN networks in the region

    i. Names of the PSTN networks and Locations

    ii. Size - number of subscribers

    iii. Locations of the main switches

    iv. Switch vendors

    Clarifications for ILD Voice networks in the region

    i. Names of the ILD networks and Locations

    ii. Size - number of subscribers

    iii. Locations of the gateways

    iv. Number of E1 carried in/out

    v. Switch vendors

    Clarifications for NLD Voice networks in the region

    i. Names of the NLD networks and Locations

    ii. Size - number of subscribers

    iii. Locations of the gateways

    iv. Number of E1 carried in/out

    v. Switch vendors

    Clarifications for the proposed installation location of the Intelligence

    system

    i. Preferred backend Location for the IT & storage & applications

    ii. Preferred NOC for the administrators of the system


    iii. Location of the local monitoring centers (city level)

    iv. Location of the regional monitoring centers

    v. Location of the state monitoring centers

    vi. Available communication links between the operators and the
    backend and MC at each level (e.g. E1, DS3, STM1/4/16, IP)

    Gathering the intelligence specific requirements from the agency which

    will be controlling the system

    i. Processes to be in place for intelligence management

    ii. Initial Rules of crime and terrorist activities to be collected. Note:

    the majority of the rules will be deployed during the commissioning

    of the system along with the agencies.

    iii. Define reports

    iv. Define automatic and manual activation rules

    v. Define administrator rules

    6.2 ANALYZING THE COLLECTED INFORMATION

    gathers & analyzes the collected information towards the project design of the system

    Geographical design - the geographical locations of the entire network are
    considered for placement of the front-ends (probes) and for the placement of the
    physical communication links designed over the region

    Probing devices planning - the quantities and types of required probing
    devices (e.g. TDM, IP) are correlated with the locations, links and protocols
    to be monitored, resulting in a list of desirable probing devices over the
    entire region. At this stage, a consolidation of network probing elements is
    considered for efficient deployment.

    Calculation of the links' bandwidth between the system entities at the
    different geographical locations

    6.3 SYSTEM DESIGN

    Based on the collected information analysis, designs a multi-phase project


    (1) Pilot project - starting with a pilot project which will consist of all the
    functionalities of the solution but will be delivered at a small scale, for the monitoring
    of a preferred mobile network and ISP.

    (2) Entire project - after the completion of the pilot project with evidence of
    the system capabilities, the customer (agency) signs a contract for the
    entire project, for monitoring the entire networks and providing a wide intelligence
    system to the customer as per the predefined specifications.

    (3) ETSI LIS Umbrella module - after the completion of the initial phase (probe-based
    system deployment), proposes to supply an Umbrella system to control the
    current ETSI LIS systems, which will make it possible to remotely manage and provision new
    targets as per the system's real-time activation modules and/or as per the court-issued
    warrant. The umbrella system will allow the agency to take the action of
    monitoring suspects on the fly, based on their weight and severity generated by the
    intelligence system.

    (4) Customer Service Automatic Deactivation

    Another important objective of the system is to allow the deactivation of customer
    mobile services in real time after the intelligence system rules have detected a
    high-profile suspect. provides the mechanisms and the interfaces to other solutions and
    network provisioning systems.

    The following modules and mechanisms from allow the deactivation of the
    telecommunication services:

    a. Cellular Extractor and Selective Jammer

    Based on GSM BTS it retrieves cellular identities (IMSI/IMEI) of GSM (2/2.5G)

    phones in the coverage area. It provides mass wide area locations for these phones

    and accurate locations for phones (using several systems together). Furthermore,

    it provides extremely accurate location information for specific targeted cell

    phones.

    intelligence system will interface the allow to automatically block the suspected

    mobile customers

    The entire solution is described in a separate paragraph in this document


    p. Detailed Bill Of Material BOM for every option


    7 Solution Description

    Communication Ltd is proposing a new concept for Intelligence Information Extraction
    for Action-able Intelligence, based on strategic monitoring which comprehensively and
    widely monitors the telecommunications networks.

    The platform allows inputs from non-telecom sources, such as immigration and treasury
    departments, to be processed, analyzed and correlated with the telecommunication
    sources, and alerts on potential threats.

    Figure 3: Intelligence Platform


    7.1 IRMP INTELLIGENCE RULES MANAGEMENT PLATFORM

    - Reactive Rule Engine -

    Introduction

    As telecommunication networks continue to grow in size, sophistication, types of services,
    and geographic reach, Law Enforcement Agencies are turning to automated intelligence
    management solutions with advanced, real-time diagnostics to manage and enable
    investigations in complex infrastructure environments.

    From out-of-the-box network event management to customizable and extensible event
    correlation and root-cause diagnostics, the Intelligence Rule-Engine Platform automates
    events and services within the most complex network environments in real time, near real
    time or off-line (based on events aggregation).

    IRMP (Intelligence Rules Management Platform) is a module that helps manage, automate

    and enforce reactive rules. The need for such rules may come from legal regulation, policy

    or other sources. The Rule Engine software, among other functions, may help to register,

    classify and manage all these rules; verify consistency of formal rules; infer some rules

    based on other rules; and relate some of these rules to Information Technology

    applications that are affected or need to enforce one or more of the rules (e.g. creating a

    warrant, disconnecting a mobile call of a suspect subscriber or "alerting" operational

    units). Rules can also be used to detect interesting terror/criminal situations

    automatically.

    IRMP transforms real-time operations data (e.g. pre-CDR/IPDR as well as

    unsuccessful/non-completed calls) into automated decisions and actions, all in real time.

    This platform works in conjunction with existing operational systems, including enterprise

    systems, databases, automation systems, data historians, network management systems,

    CRM and more.

    In off-line mode, the filtering mechanism will act only on CDRs and Alerts residing in the

    database. This will be a batch process either pre-scheduled or manually activated.


    Figure 4: Rule Builder

    Concept


    Figure 5: Rule Engine Concept

    Its combination of object technology, extensive rule-engine technologies, and proven

    reliability, scalability, and performance make IRMP unique in its ability to address

    complex networks for intelligence purposes.

    Features

    Proactive real-time monitoring of various Telco networks (Mobile, Wireline and IP)
    based on state-of-the-art probes

    Automation of the time-consuming steps required to analyze, diagnose and

    investigate network phenomena/scenarios.

    Rapid determination of the suspect and his "behavior" impact analysis


    Flexible user interface - expression editor for defining rules or parameters and
    intuitive filtering capabilities (events/alarms)

    Multi-stage events - the operator will be able to define, for branch-type events
    (following the triggering event), whether to look for a following event or search
    for a previous event.

    Correlation capabilities that present critical information

    Automated actions - reporting to external systems/modules, creating warrants,
    updating suspect numbers in phonebooks, etc.

    Diverse parameters for the in-depth investigation process - among the parameters
    which could be incorporated into rules or phonebooks:

    a. A or B numbers

    b. Location (Switch, Cell, Sector, TA)

    c. Handset parameters - IMSI, IMEI, TMSI

    d. IP Address/MAC

    e. Score (based on various pre-defined parameters/weights)

    Interworking capabilities with other modules - both with internal and with
    external modules, there are capabilities for importing or exporting data (e.g.
    visualization tools)

    System Components Overview

    Data Input Handler - this component is designated to collect CDR records (in real
    time) from probes and place them into the Persistent Queue.

    Persistent Queue - this component provides persistent and transactional queue
    support. The incoming CDRs will be placed into the queue by the Data Input
    Handler. The CDRs will be withdrawn from the queue by the Real Time Rule
    Engine. As the queue should support transactions, the CDR will be removed from
    the queue only after it is fully processed by the Real Time Rule Engine.


    Real Time Rule Engine - this component is responsible for withdrawing the CDR
    records from the Queue and running the Real Time Rules for each CDR. After the
    CDR is processed, it should be recorded in the CDR database.

    Alert Processor - this component is responsible for processing alerts generated by
    the Rule Engines. In the first phase the only alert processing action available will be
    "call disconnection"; however, the architecture will allow the available
    actions to be extended easily if required.

    Rules Database - this database will contain the configuration of the rules, and
    complementary information, like black/white lists and others.

    CDR Database - this database will contain the CDRs required for rule processing
    and for calculating the aggregate values necessary for rules.

    FDMS Manager - GUI module, for use by the FDMS administrator, for defining FDMS
    configuration, rules, and corresponding information

    Alerts Monitor - GUI module, intended to present alerts and perform required
    actions on alerts for the FDMS operator

    Access control and users management

    Each organization has its own corporate strategy which is based on its goals, activities,
    operation methods and regulation approach. However, IRMP (Intelligence Rules
    Management Platform) is equipped with a sophisticated user management module,
    enabling the system administrator to define various investigator classifications,
    categorize users into groups, control the operation and produce audit trails.

    For a smooth and efficient deployment, besides the training and OJT (on the job training),

    the following information is required:

    Organizational structure

    Roles and Responsibilities

    Relevant functions and their interface to the system

    Investigation procedures & flow


    External information sources


    7.2 LOCATION TRACKING FOR INTELLIGENCE

    Massive & Robust Passive Location Tracking

    When the probes are deployed over the mobile networks, they will naturally produce Location
    Data Records (LDR). The records come over the links for every session generated by the
    user (voice call, SMS, MMS, web surfing) or by the network, as well as network keep-alive
    messages.

    passive and non-intrusive SS7 unique solution for robust location information services
    generating massive location positioning for the entire network. The platform is a unified and
    centralized solution which non-intrusively collects 100% of the subscribers'
    locations.

    The advantage of this solution is the ability to provide the information for the entire
    subscriber base in real time. Thus, applications such as the intelligence gathering platform
    do not need to query the information for each of the subscribers individually, which would
    consume system resources and time. This in turn saves the operator a large amount of
    resources and money. No other alternative in the industry can compete with such a
    massive-passive location fixing method, which makes the lowest cost per fix possible.


    Figure 6: Intelligence Location Data Records Extraction


    Active Location tracking for intelligence

    Intelligence is based on real-time information sources which lead to the discovery of crime
    and terrorist activity plots. One of the most important inputs which reveals the suspects'
    behavior is their location.

    As part of its intelligence portfolio, produces the source of location tracking using its
    Location Based Services (LBS) platform.

    provides active network query GMLC & SMLC solutions as well as passive probing-based
    solutions.

    Figure 7: Example of Detection of group meeting to plot a crime

    Various positioning methods may be used such as

    Cell ID/Sector (cell/sector size)

    Enhanced Cell ID (~600m)

    Assisted GPS (street corner accuracy)

    Some networks may provide the triangle location measurement, which can serve as one of the
    positioning methods for the solution and can easily be activated.

    The following drawing depicts the basic Cell measurements which are provided by most of

    the networks.


    How the intelligence platform allows the activation of the active location GMLC & SMLC. The
    following diagram depicts the activation of the location platform:

    Figure 9: Active location for Intelligence


    8 Visual Links Mapping

    The analysis solution is based on stored accumulated CDRs coming from the different
    interception systems and other sources. The software analyzes this information in order to
    infer links between the various entities. The system interfaces with ' MC central database
    containing CDRs, IPDRs and LDRs, loads them into its central intelligence database and
    provides analysis tools for analysts to process them.

    In addition to the CDRs, IPDRs and LDRs, structured and unstructured data can be loaded into
    the system by the analysts in order to participate in the analysis process. In later
    phases the same system can be expanded to interface with various governmental
    databases and to access their information, correlate it with the system information and
    provide a much more comprehensive and holistic intelligence capability.

    Turning information into intelligence

    Communications data becomes effective intelligence when it can be used to expose,

    analyze and understand criminal and terrorist (hostile) networks. By "understanding" we

    mean full comprehension of who is involved, how they operate, what are the trends and

    changes and other pertinent questions.

    The Analysis application exposes, analyzes and monitors hostile networks in a short
    amount of time even from massive amounts of data records, and then reports and displays
    them visually.

    On the one hand, the system can expose a network hidden in millions of records and on

    the other hand allows an analyst to view individual records relevant to the analysis.


    Figure 10: Correlating location with analysis results


    The Analysis application enables law enforcement and intelligence agencies to achieve

    more effective analysis in a shorter time and with fewer resources. The Analysis

    application is capable of using data from virtually any interception, billing or other

    system. There is no need to change how the data is collected. Data types may include

    CDRs, emails, SMS messages, internet sessions and more. The data is automatically

    canonized into a standard format, regardless of its origin.

    The Analysis application includes a built-in investigator's desktop which provides

    investigating teams the next generation solution to store, collate, analyze and report any

    type of information used in their investigations.

    Figure 11: Examples of the Analysis application & Analysis Results

    Functional Capabilities

    The Analysts main functions are


    Acquiring of structured and/or unstructured information, manually or automatically

    from different sources such as Internet web pages, files, Emails, external

    databases (for structured data), and particularly CDRs.

    Easy storage of any type of information: documents, photographs, videos,

    recordings, web pages, applications, and any other digital information. Each piece

    of information can be assigned to multiple contexts (such as different

    investigations). Editing information in one context updates the information in all

    contexts.

    Acquired data is stored in a central system's repository and automatic indexing is

    performed to allow instant and sophisticated Free-Text-Search.

    Instant access to structured and unstructured data stored in the central

    Intelligence Warehouse.

    Built-in modeling subsystem enables analysts to define relationships constructing

    models. These models are used, once defined, by all users to construct the

    relations maps (networks) and to infer hidden links between involved entities.

    Keywords management facility is used to categorize pieces of information into
    different areas of interest. These keywords are utilized, once defined, to
    selectively search for information and to associate several pieces of information with
    the same area of interest.

    A built-in free text search engine retrieves information from the Intelligence

    Warehouse with easy to use sophisticated search criteria. Textual descriptions of

    non-textual information (photographs, recordings, etc.) facilitate their quick

    retrieval.

    Data retrieval of historical information for post-mortem and ad-hoc analysis

    capabilities.

    Presentation and editing of links among pieces of information using visual context

    maps.

    Visual styling of each piece of information allows the user to see the big picture at
    a glance.


    Pieces of information can be opened and viewed directly from the context maps by

    double-click.

    Generate and distribute periodic reports based on the organization's intelligence

    distribution methodology.

    Automatic link analysis produces new relations maps to discover hidden

    relationships and hostile networks. Automatically integrate structured and non-

    structured data into new contexts.

    Use a variety of algorithms (Analysis Models), each of which provides the analysts

    with a new context based relations map from different points of view.

    Data access to information is managed by granting users user rights and
    access privileges.

    Maintenance utilities such as back up and restore of information, data integrity

    verification, users management including definition of compartmentalization and

    information security management aspects, etc.

    General description

    Customers are using the Analysis application to infer intelligence from information that
    exists in various systems and databases, and use it to conduct complex investigations and
    to expose, track and manage hostile networks and tackle terrorism and crime activities.

    The Analysis application software suite is a state of the art intelligence platform that

    assists investigators and analysts to conduct complex investigations and to reveal hidden

    relations between entities and networks.

    The system's main features include

    Sophisticated link analysis

    Advanced network analysis

    On the fly analysis of mass quantities of data (billions of records)


    Visualization of information in interactive context maps

    Central repository connected to various databases

    Information sharing for better teamwork capabilities

    Storage of all types of data

    Importing, exporting and maintaining information from other databases

    Dissemination of investigation results to selected destinations and organizational
    functions.

    Built-in compartmentalization and information security management.

    Visualization

    The results of the analysis are presented as visual maps (charts) that enhance the user's
    understanding and ability to infer additional insights. The maps are completely
    interactive. Behind each element (information resource) and link on the map lie additional
    metadata, information content, explanations, hyperlinks, database queries and more. The
    users may add other types of information as needed in an ongoing investigation. Visual
    mapping complements and completes the capabilities of spoken language to create and
    communicate knowledge. It promotes an understanding of relationships that formal textual
    or verbal phrasing is not generally capable of inducing.

    The following example is a map of the results of analysis:


    Figure 12: map of the results of analysis

    Multi Contextual Analysis

    An analysis of a network will typically include many different contexts such as
    communications, financial, criminal activity, business relationships, etc. It may also
    include additional information which has been manually organized in context maps. The

    system is capable of merging these multiple contexts together into one overall picture

    called a multi-contextual star. This synthesis can include some or all of the contexts and

    relevant links in those contexts. This process is executed automatically after the user

    chooses criteria of what information to include in the analysis.


    9 Interception and Targeting

    Even though intelligence does not call for interception, proposes that, in parallel to the
    intelligence information gathering, allow selective targeting to be provisioned on
    probes (either TDM or IP probes). Hence, on the same probe deployments, the intelligence
    system will allow the provisioning of targets in real time across the networks. The
    advantage of this function is that in extreme conditions it will give the intelligence bodies
    the capability to immediately set a target, manually by the intelligence analyst or
    automatically by the intelligence system, without the need to interact with the network
    operators.

    The interception module is provided as an option to the intelligence system.

    TDM Interception

    The TDM probes are placed on the links carried between the MSC and BSC, or on the Gb
    interface for GPRS, or between the international ILD links, etc.

    The initial role of the probes is to collect, analyze and extract the meaningful
    information from the signaling links; therefore, for this purpose the probes are
    placed over the signaling links.

    In order to obtain the content information (voice), the probes will also need to be placed
    on the voice A-Interface links (e.g. E1, STM1), which will require additional
    hardware on the same probes. The probes are capable of recording a certain number of
    concurrent calls, depending on the hardware installed.


    The following drawing depicts the two scenarios, one for signaling probing to

    produce the meta-data CDRs and LDRs

    Figure 13: Signaling Monitoring for CDRs LDRs extraction

    The second is additional voice-link probing for intercepting targets' calls.


    Figure 14: Signaling & Voice links monitoring (CDRs LDRs & Voice)

    IP Interception

    The IP probes are placed on the IP data links at the ISP and major PoPs or any
    other data service provider.

    The initial role of the probes is to collect, analyze and extract the meaningful
    information in order to generate the IPDRs.

    Since the probe can see the content, it is just a matter of assigning targets on
    the probe itself, and the content of the provisioned targets will be recorded at the
    intelligence platform.


    Figure 15: IP network Signaling & Content monitoring (IPDRs & Content)


    10 Cellular Extractor and Selective Jammer

    In the preface of this document the BTS Cellular extractor - selective jammer

    direction finder platform was mentioned as one of the modules in which the

    intelligence platform can be activated, which brings the following capabilities to

    the entire solution

    GSM Cellular IMSI & IMEI extractor

    GSM Cellular phones service blocking

    GSM Cellular phones location finder which can feed the locations of the customers

    to the intelligence system.

    GSM Cellular IMSI & IMEI extractor

    How does it work? It maps all near-by network BTSs, while the BTS pretends to be a
    real network BTS (spoofing) with all relevant parameters (frequency, network ID,
    etc.). The IMEI/IMSI are extracted for phones trying to register (if a DB of IMSI/IMEI
    is available, owners can be identified as well), and the distance from the BTS
    is extracted for all phones.

    The IMEI/IMSI and Location information is one of the tactical field sources to the

    system.


    Figure 16: BTS Extracting IMSI/IMEI/TA

    Figure 17: BTS triangle location tracking

    For example, while events such as the Olympic Games are running, the Cellular
    Extractor BTSs are placed in the geographical area in such a way that they cover the
    entire region and extract every mobile's IMSI/IMEI and location. The intelligence
    system may have a rule that if a known suspect is entering the geographical region


    of the games, then the Cellular Extractor will deliver this valuable
    information to the center, which will activate the relevant rule and will alert
    the officials with high severity. As an automatic action, the intelligence system will
    instruct the Cellular Extractor to operate its deactivation selective jamming
    module (Selective Jammer) and to block the specific customer.

    Figure 18: BTS black/white list creation

    How Does It Work? The selective jammer loads its DB with IMSI/IMEI, emulating
    near-by networks, and the selective jammer blocks the blacklisted users'
    communication so they cannot make or receive a call.

    It jams only unauthorized phones and supports white and black lists (IMSI, IMEI, and

    MSISDN). It works for GSM (2, 2.5 networks, triple band).

    White-listed handsets get service from the real network's cells (for both

    incoming and outgoing calls)

    Any handset which is not included in the white list is hooked to the BTS

    which means:

    Outgoing calls receive no service

    Incoming calls get a subscriber unavailable message


    Figure 19: Service for White Listed Phones

    Figure 20: DoS for All Other Phones

    Another option is for the system not to block the customer's service but to track his
    position continuously until the law enforcement official decides to capture him live.


    Figure 21: Activation of BTS

    The above drawing depicts the activation of the BTS platform.


    11 Internet Denial of Service (DoS) Service blocking

    The intelligence system allows services to be blocked for customers by interfacing
    with an IP service blocker, and automatically blocks the suspected internet users.

    Figure 22: DoS for IP users


    12 Umbrella Solution for LIS systems (phase-2)

    The proposed intelligence platform employs a new set of passive probes that connect
    non-intrusively to the communication links and extract the meta-data, i.e. call data
    records and location data records, as well as IPDRs from the IP domain.

    It is possible for the probes to perform targeted interception as well, which requires
    an additional connection to the content links, i.e. the E1s carrying voice on the mobile
    network.

    However, the concept is to utilize the current lawful interception systems, which are
    already deployed in most networks. The platform will manage the current ETSI delivery
    system in parallel to the current management of the system and allow new targets to be
    provisioned remotely, with or without the involvement of the operators.

    For that purpose, the second phase proposes to build an umbrella management solution
    for controlling these systems.

    The Challenge

    Electronic surveillance of telecommunications services has become an important and
    accepted method of law enforcement agencies (LEAs) and government bodies in their fight
    against crime and terrorism. Today most fixed and mobile network operators and
    telecommunication service providers have installed systems to enable lawful interception
    (LI) for the various voice and data services they offer to their customers. Comprehensive
    national laws are established that enable LEAs to engage communications service
    providers (CSPs), who arrange electronic surveillance for certain individuals (also
    referred to as targets). Practice, however, shows that the number of different networks,
    services, and interception systems, together with the increasing amount of interception
    decisions (ICDs), raises considerable challenges for LEAs and monitoring centers. In
    fact, the complexity of lawful interception in such a heterogeneous and dispersed LI
    environment inevitably leads to errors and delays during the activation of LI decisions
    or in the collection of interception data. Furthermore, authorities require immediate
    oversight of all active ICDs to facilitate analysis and statistics of the nationwide LI
    activity.

    Umbrella Systems


    has addressed these needs and challenges by developing an umbrella management system
    that is capable of interconnecting with various other LI management systems via an
    automated HI1 interface (see also ETSI TS 101 671 for a definition of the HI1-HI3
    interfaces). As shown in figure 1, the umbrella LIMS is a single interface and
    management platform for all monitoring centers. ICDs entered at the umbrella system are
    provisioned to the various operator LI systems. The delivery of communications content
    (CC) is made directly between the mediation devices or interception access points of
    the operator's network and the collection devices of the monitoring center. Intercept
    related information (IRI) is first handed over to one mediation device per service
    provider, which is part of the umbrella system. This guarantees that all IRI is logged,
    tagged and delivered to the appropriate monitoring center in a standardized format that
    enables the MC to correlate CC and IRI with the original ICD.

    Figure 23: Architecture of Umbrella Solution


    As shown in the diagram the LI systems of the providers maintain an important role in the

    network as they connect to the proprietary interfaces of the various network elements and

    incorporate the mediation and delivery function for each type of service.

    The use of an umbrella system has various advantages for administrative bodies:

    - Immediate access - ICDs can be activated instantly and provisioned automatically
      on one or many operator networks. There is no delay caused by paper fax or manual
      configurations on several systems.
    - Central Database - The central storage and maintenance of all ICDs enables full
      control over all active interception requests. It facilitates security audits and
      consistency checks, and allows detailed statistics and instant failure recognition.
    - Transparency - Administration and delivery channels are separated between the
      connected service provider systems. Thus personnel at one operator's network have
      no insight into any details of interception decisions in other networks.
    - No performance loss - Although the administration function is centralized, the
      delivery of intercept data is done directly from the distributed mediation devices
      (DF2) and network elements to the monitoring center.
    - Reliability - The central management of all LI systems enhances the reliability of
      the entire LI network. System failures can be detected automatically by alarm
      messages so that operators can immediately take appropriate action or require the
      administrator of the faulty network to analyze the problem locally. To further
      enhance the availability of the system, a redundant management server can be
      operated in hot-standby mode. If local failure recovery fails, the system can
      seamlessly switch to the standby server. The automation of the provisioning
      process further reduces the risk of human failures.
    - Cost reduction - Automation of the provisioning interfaces (HI1) leads to an
      acceleration of processes and thus reduces the costs of operation for both the LEA
      and the service provider.
    - Extensibility - The modular architecture of the umbrella system provides a solid
      basis for future extensions of the LI system. In fact there is virtually no limit to the


    13 Field Laptop

    Extracting Information from the intelligence system on the Field

    enables the use of a laptop in the field that can be connected by cellular modem via
    one of the mobile networks.

    As the information is top classified, the communication shall use the appropriate
    security methods. Through the communication with the intelligence system, the field
    forces can see the mobile users' activities and even instruct the intelligence system
    to perform interception if required.

    The following diagram depicts the concept:


    Figure 25: Field LAPTOP


    14 Platform Hardware & Software Specifications

    Solution Considerations for Achieving Comprehensive Intelligence

    Regardless of the specific geographic location, the prevailing regulatory environment in

    your region is likely to include provisions so that lawful interception operations can be

    performed when requested by an authority. The following list highlights the capabilities of

    a lawful interception solution that are most relevant to regulatory mandates and

    legislative requirements.

    - Comprehensive interception capabilities: The intelligence solution must be able
      to intercept all applicable communications of all targets and of certain targets
      without any gaps in coverage.
    - Reliability and integrity: The intelligence solution should ensure delivery of
      precise and accurate results with the highest levels of data integrity. The
      intelligence solution must be as reliable as the service to be monitored and
      intercepted.
    - Separation of content: Intercepted communications data should be divisible into
      individual components; for example, the metadata included in the Interception
      Related Information (IRI) should be separable from the Communication Content
      (CC) if targeting is operated on the system.
    - Transparent surveillance: The monitoring activities performed by the solution
      must not be detectable by the subscriber and should be non-intrusive to the
      monitored links.
    - Immediate activation and real-time responsiveness: Following a request from
      intelligence analysts, a solution must be able to be activated immediately and
      provide real-time response in delivering intercepted data.
    - Sufficient capacity: The solution must have adequate capacity to handle the scope
      and scale of requested surveillance activities.
    - Data security and privacy: Sensitive data must be protected during transmission
      and the privacy of an individual's records and personal


    Technical Specifications

    Hardware

    Intelligence Platform runs on industry-standard servers. Customers can choose from
    single-server configurations for small networks up to multi-server clusters for large
    networks with tens of millions of telecom extracted records, millions of subscribers
    and thousands of intercept targets.

    State-of-the-Art Interception System

    After over 11 years of experience and continuous improvement, the LIMS & Intelligence
    systems have matured from a surveillance system for mobile networks to a complete
    interception suite for various kinds of networks and services. Today offers the most
    comprehensive list of complex LIMS deployments and probe-based installations for
    intelligence gathering, supporting any wireless and wireline network and multiple
    services, including telephony, fax, SMS, MMS, Push-to-Talk, Internet access, e-mail, VoIP
    and other IP-based services and, most important, location of subscribers.

    In its entire software and hardware architecture the solution has been designed as a
    carrier-grade system that meets the highest security, reliability and performance
    criteria.

    Standards Compliance

    The platform is designed to comply with national and international lawful interception

    standards developed by ETSI, 3GPP and others.

    Modular and Scalable Architecture

    While the system is designed for large-scale networks with millions of subscribers, the
    intelligence platform can easily be adapted to provide an economically feasible solution
    for networks with only a few thousand users. In fact, the modular software architecture
    enables operators to extend the system as the demand for lawful interception increases
    and/or their subscriber base grows. Performance-critical tasks and processes can be
    migrated to dedicated servers to increase the overall system capacity and throughput. The
    underlying hardware platform is based on a probing system and ETSI delivery active
    elements with sufficient performance reserves for all current and future network sizes.
    The architecture of the solution is designed to meet the network's day-1 monitored links
    using the probes, which support a modular concept.

    In addition, as the developer and the manufacturer of probes (TDM, IP, Mobile - 2G, 2.5G,
    3G, UMTS, and CDMA), frequently adapts its set of supported protocols to market
    changes and new technologies.

    Cost-Efficiency

    The platform is a centralized system that serves all intelligence and LI-related tasks of
    multiple geographically separated intelligence entities and multiple intelligence bodies
    on a heterogeneous service network. By using one single point of access, the users of the
    system can reduce their administration costs by simplifying the communication with LEAs
    and by reducing the effort for the provisioning of the probing infrastructure on the
    widely spread network.

    Users can initiate, modify or delete any monitoring and query requests on the entire
    network and on various levels of the system in a matter of minutes with the easy-to-use
    management system. Once installed in the network, the monitoring platform is almost
    maintenance-free.


    15 Probes

    15.1 TDM ATM PROBE

    The TDM interception covers any type of traditional TDM protocol, such as ISUP, PRI, R2
    and ATM.

    TDM Probe

    Signaling E1, DS3 and STM1 TDM Probes collect data directly from the signaling links of
    circuit-switched and packet-switched networks. Since the probes monitor the data
    traffic non-intrusively, switch performance is not affected. The Monitoring solution can
    process 1000's of passive messages per second.

    The SSP analyzes the data, generates statistics, stores the results, and conducts
    real-time triggering, trapping, and filtering for each link. Each probe can generate raw
    call/transaction/SMS detail records (xDRs) in conjunction with full surveillance
    monitoring.

    SSP is a flexible system that allows multiple configurations of its chassis form factor
    with power supply redundancy and 1, 4, or 7 slots for card line connection, which can
    support up to 646 signaling channels per shelf.

    In-band and out-of-band signaling will be monitored for detecting the in-band traffic. In
    most cases it will be known in advance what signaling comes on a specific ingress link.
    In that case the link's signaling will be configured as defined in the warrant.

    In the other scenario, where a link's signaling needs to be analyzed, it will be manually
    directed to an analysis application that tries to identify the protocol. After the
    protocol is identified, its signaling type will be updated and the link will be available
    for monitoring.

    FE Signaling Probe analyzes signaling data, generates statistics, stores the results, and
    conducts real-time triggering, trapping, and filtering for each link. Each probe can
    generate raw call/transaction/SMS detail records (xDRs) in conjunction with full
    surveillance monitoring.

    The probe is a flexible system that allows multiple configurations of its chassis form
    factor with power supply redundancy and 1 to 18 slots for card line connection, which can
    support up to 288 TDM signaling channels per shelf (see CC-Probe connectivity chart) and
    up to a speed of 1 gigabyte per monitoring card.


    Since the number of E1s is 4, a 4U chassis will be deployed.

    Figure 26 Hexa E1/T1 Compact PCI Telecommunication Adapter

    The Hexa E1/T1 Telecom Adapter card is a stand-alone Compact PCI card designed for

    operations over up to 16 E1/T1 interfaces connectable to ISDN PRIs, CAS/RBS trunks, V5

    links and SS7 links. This card is ideally suited for both PSTN and IP telephony systems

    handling large volumes of voice circuits for protocol processing or for transfer to the H.110

    bus, the PCI bus or Ethernet.

    Application examples include SS7 network elements, wireless infrastructure equipment,

    media and signaling gateways, and telecom switching and routing equipment.

    It is fully compliant with PICMG 2.16 (Packet Switching Backplane) specification.

    The card operates as a fully programmable communications subsystem capable of infra-

    chassis communication using the cPCI bus.

    TDM Probe Supported protocols:

    ISDN

    Q.931 (1988)

    PRI

    MTP2 supports:

    Reliable transfer of signaling messages over signaling links for:

    ITU-T

    ANSI

    TTC (Japan)

    NTT (Japan)

    China

    Other variants

    Bellcore

    TR-TSY-000271 Issue 1, Rev. 4, 1990

    TR-NWT-000246 Issue 2, 1991

    ANSI SS7 GR-246 Issue 2

    MTP T1.111

    SCCP T1.112

    ISUP T1.113

    TCAP T1.114

    AIN Release 0.1

    TR-NWT-001299 Issue 1, 11/92

    TIA-EIA

    IS-41B

    IS-41C

    IS-634B

    WIN

    ITU-T SS7 White-Book CD 12/97

    TCAP Q.773 03/93

    ISUP Q.763 03/93

    TUP Q.723 Extract from Blue Book Fascicle VI.8 (1988)

    SCCP Q.713 07/96

    MTP3 Q.707 Extract from Blue Book Fascicle VI.8 (1988)

    MTP3 Q.704 07/96

    MTP2 Q.703 07/96

    INAP Q.1218 10/95

    INAP supports:

    Capability Set 1 (CS1), as defined by the ITU, ETSI, and

    the Generic Requirement (GR) Standards of the Bellcore

    Advanced Intelligent Network (AIN)

    ISUP variants

    Telcordia (formerly Bellcore)

    Singapore

    Q.767

    ETSI FTZ

    Russia

    India

    Italy

    NTT (Japan)

    Israel

    Other variants

    Brazilian TUP

    Chinese TUP

    ETSI GSM

    Abis 08.58 Version 3.5.0

    MAP 09.02 Version 7.1.0

    BSSAP 08.06 Version 8.0.0

    BSSMAP 08.08 Version 8.5.0

    DTAP 04.08 Version 7.8

    GSM

    A-Interface MTP2, MTP3, SCCP, DTAP, BSSMAP, MAP (HLR-VLR), TCAP

    G-b Over E1, Frame Relay, IP

    CDMA

    A-Interface

    NOIS

    1XRTT (IOS)

    GPRS

    Gb

    Gr

    Gp

    UMTS

    Iu-PS

    Iu-CS

    Iu-r


    Q.2140

    Supports convergence functions necessary to map the SS7 MTP Level 3 protocol to the ATM

    Q.SAAL protocol:

    ITU-T Q.2140: B-ISDN ATM Adaptation Layer - SSCF at NNI and Q.2110: B-ISDN ATM

    Adaptation Layer - SSCOP

    NOM-112

    NOM-112-SCT (1995)

    V5.2

    ETS 300 347-1 (1994)

    Supported In-Band Protocols

    N5 based on ITU-T Q.140-Q.145, Q.151-

    R2

    C5

    Q156

    MFR R2

    MFR R1.5

    CAS

    Alcatel CAS TRS JD7STHAA

    DTMF

    Signaling Link Interfaces


    15.2 IP PROBE

    Overview

    The IP 1GigE and 10GigE probes are designed and built in a modular architecture. The
    probe comprises a standard ATCA/MicroTCA carrier-grade chassis, equipped with IP
    Probe Cards. Each card is composed of a highly integrated system-on-chip (SoC) platform
    that includes a PowerPC core. This flexible and powerful architecture provides the
    ability to monitor, filter, analyze and capture IP sessions from the lower layers
    (Ethernet, MPLS, VLAN, etc.) all the way to the application layers (E-mail, Web, VoIP,
    Video, Chat, etc.), at a wire-speed rate of up to 10Gbps and beyond.

    15.3 MODE OF OPERATION

    IP Probe is passively attached to the IP network which is being monitored, either directly

    from the splitter, or through Ethernet outputs of the Interceptor unit (which is in charge

    of converting POS traffic to Ethernet). The passive attachment ensures that no additional

    load on the network is created due to monitoring requirements, so no additional network

    resources are required. Packets extracted by the IP probe undergo an inspection process

    that determines whether to process them into sessions or transactions, or to discard them

    at the probe level.

    The packet inspection is performed by a hierarchical process. In the first stage the IP
    Probe Card filters IP sessions based on the following targeting identifiers: MAC Address,
    VLAN ID, MPLS tag, etc., and combinations of IP addresses and Transport Layer protocol
    ports (such as TCP or UDP). Traffic targeted by those identifiers is forwarded directly
    to the Mediation sub-system (Server) for further processing. Traffic that requires
    application-layer targeting (such as a search for specific strings within an e-mail or a
    web page) is passed to the main processor for deep packet inspection (DPI). This
    layer-based filtering approach keeps packets flowing at wire speed while allowing DPI
    when application-level analysis is required.


    The following diagram illustrates this process:

    [Flowchart with the boxes: Lower Layers Based Filtering; App Targeting Required?
    (Yes/No); Application Specific Data Processing; Content Targeting Required? (Yes/No);
    DPI Processing and Keyword Search; Aggregation and Mediation]


    15.4.2 INTERCEPTION CRITERIA

    The table below provides a partial list of interception criteria available for the IP probe:

    Interception Criteria      Layer   Decodable Protocol Name   RFC/ITU Standard
    MAC Address                2       Ethernet                  IEEE 802.3
    VLAN ID                    2.5     Virtual LAN               IEEE 802.1Q
    MPLS Tag                   2.5     MPLS
    VPI                        2       ATM
    VCI                        2       ATM
    DLCI                       2       Frame Relay
    IP Address                 3       IPv4
    IP Address Range           3       IPv4
    IP Address                 3       IPv6
    IP Address Range           3       IPv6
    TCP Port                   4       TCP
    UDP Port                   4       UDP
    SCTP Port                  4       SCTP
    E-mail From Address        7       SMTP, POP, IMAP, NNTP
    E-mail To Address          7       SMTP, POP, IMAP, NNTP
    E-mail CC Address          7       SMTP, POP, IMAP, NNTP
    E-mail BCC Address         7       SMTP, POP, IMAP, NNTP
    E-mail Subject             7       SMTP, POP, IMAP, NNTP
    E-mail Reply To Address    7       SMTP, POP, IMAP, NNTP

    This list is continuously updated as new interception criteria are made available
