Patent Application
20140328348
The present disclosure is related to Lawful Interception. More particularly, the disclosure presents a method, an arrangement and a node entity for providing a Law Enforcement Agency with payload data of an intercepted Internet Protocol flow.
Together with the delivery functions it is used to hide from the third generation (3G) Intercepting Control Elements ICE(s) that there might be multiple activations by different Lawful Enforcement Agencies on the same target.
The HI2 and HI3-interfaces represent the interfaces between the LEA and two delivery functions. The delivery functions are used:
According to known Internet access services, all the IP streams related to a given target is intercepted and delivered as a whole session data flow regardless any service used within an interception session. If a LEA needs to access specific contents embedded in the whole session streams, it becomes necessary to do an appropriate post-processing of the intercepted data to find the data content of interest.
One object for a LI system is to provide techniques that avoid any limiting and time consuming post-processing of the intercepted data. Rather, the following described embodiments facilitate the post-processing of data content of interest.
According to one aspect, this disclosure presents embodiments of a method for providing a Law Enforcement Agency with payload data of an intercepted Internet Protocol flow. The payload data is belonging to one or more target identities using a specific Internet service. The method comprises a step of receiving, from an Intercepting Control Element, intercepted payload data belonging to one or more target identities using a specific Internet service. It further comprises the steps of classifying the payload data by identifying the specific IP service to which the received payload data belongs, and marking each IP packet of the received payload data with a service identifier corresponding to the classification of the specific IP service to which the received payload data belongs. The method further comprises a step of forwarding the marked IP packets of the received payload data to the Law Enforcement Agency requesting the interception, and with the service identifier being inserted in the Lawful Interception header of the HI3 protocol.
According to further one aspect, this disclosure presents embodiments of an arrangement adapted to provide a Law Enforcement Agency with payload data of an intercepted Internet Protocol flow. The payload data belongs to one or more target identities using a specific Internet service. The arrangement comprises an Intercept Mediation and Delivery Unit involving a Mediation functionality MF3 comprising a receiver configured to receive from an Intercepting Control Element intercepted payload data belonging to one or more target identities using a specific Internet service. The mediation functionality MF3 further comprises classifying means for classifying the payload data by identifying the specific IP service to which the received payload data belongs, and marking means configured to mark each IP packet of the received payload data with a service identifier corresponding to classification of the specific IP service to which the received payload data belongs. The mediation functionality MF3 further comprises a sender for forwarding the marked IP packets of the received payload data to the Law Enforcement Agency requesting the interception, and with the service identifier being inserted in the Lawful Interception header of the HI3 protocol.
According to one additional aspect, this disclosure presents an entity comprising an Intercept Mediation and Delivery Unit in a Lawful Interception Network. The unit comprises mediation functionality MF3 comprising a receiver configured to receive from an Intercepting Control Element intercepted payload data belonging to one or more target identities using a specific Internet service. The mediation functionality further comprises classifying means for classifying the payload data by identifying the specific IP service to which the received payload data belongs, and marking means configured to mark each IP packet of the received payload data with a service identifier corresponding to classification of the specific IP service to which the received payload data belongs. The mediation functionality further comprises a sender for forwarding the marked IP packets of the received payload data to the Law Enforcement Agency requesting the interception, and with the service identifier being inserted in the Lawful Interception header of the HI3 protocol.
Further embodiments are stated in the dependent claims.
One advantage is the possibility to perform an actual real-time usage and analysis of the content of interest.
Further one advantage is that the network operators will be able to mark only the packets, which are associated to the services under its direct responsibility. As example, voice communication contents are marked in the network side and immediately recognized by the LEA according to e.g., national regulations.
One additional advantage is that the LEA benefits from the additional information delivered over HI3 since the network mechanism of payload classification enables a more effective processing at LEA side, by allowing the focus on only the services of interest and facilitating further real-time processing at LEA side in presence of mixed payload with encrypted and irrelevant services.
The foregoing, and other, objects, features and advantages of the present embodiments over prior art will be more readily understood upon reading the following detailed description in conjunction with the drawings in which:
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular circuits, circuit components, techniques, etc. in order to provide a thorough understanding of the present aspects and embodiments. However, it will be apparent to one skilled in the art that the present aspects and embodiments may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well known methods, devices, and circuits are omitted so as not to obscure the description of the present invention with unnecessary detail.
In the message flow chart of
The IMDU is adapted to receive the request specifying one or more targets as one or more target identities. When the request for LI activation is received, a warrant is generated by the ADMF based on said one or more target identities. The ADMF is further configured to send via the interface X1 said warrant towards an ICE, Intercepting Control Element, which is arranged to intercept IP traffic through a network operator's network forwarding Internet data traffic flows/streams. The request may comprise a single warrant requesting for information related to the target or targets.
The ICE is configured to receive the warrant specifying one or more target things or target objects as one or more target identities. By means of the target information in the request, the ICE is capable to to intercept the IP traffic of a specified target, who is using a certain communication service during his/hers session. The ICE is also configured to deliver the IRI report to the node comprising IMDU. The ICE is further configured to generate Intercepted signaling which is delivered to the IMDU/Mediation node via the interface X2. The IMDU generates an Intercept Related Information (IRI) report comprising information related to said one or more target identities upon receipt of said intercepted signaling.
The Intercepted signaling relates to the target's session, which triggers the Lawful Interception of the session. The IMDU comprises a Delivery Function for IRI reporting, DF2, and a Mediation Function of IRI, MF2, that generates and delivers to the LEMF a standardized IRI report based on the received IRI report, which comprises information related to said one or more target identities. Said standardized IRI report is sent over a standardized interface HI2 to the LEMF. When generating said standardized IRI report related to a target identity, at least corresponding target data information is inserted. The delivery functions are used to distribute the Intercept Related Information (IRI) to the relevant LEA(s) via HI2.
When a session of a target starts, the ICE intercepts the session and the payload of the user data traffic is copied and sent over the X3 interface to the IMDU. The ICE intercepts said payload of the user data traffic, denoted as Content of Communications, CC. Said CC and IRI are network related data. As reference to the standard model, see references [1], [2] and [3], the content of communication is intercepted in the ICE network node and it is based upon duplication of target communication payload without modification.
The IMDU comprises a Delivery Function for CC reporting, DF3, and a Mediation Function of CC, MF3, that generates and delivers to the LEMF a standardized CC based on the received session payload, which comprises information related to said one or more target identities. Said standardized IRI report is sent over a standardized interface HI3 to the LEMF.
The new aspect compared to known LI systems is a new function in the IMDU. The new aspect is a payload classification function provided within the mediation system of the IMDU.
In such a new context, the system will provide the network Operator with the means for the administration of the function, in order to specify the services, e.g. VoIP, mail, messaging, national social networks, etc., that are of interest for being classified by the Mediation System before that the related payload was delivery over HI3.
On that basis, the system will provide capabilities for the real-time classification of the payload received over ×3 from traffic nodes. DF3 subsystem will be responsible for the analysis of payload and of the subsequent classification of packets before HI3 delivery.
The service identifiers may also be used as correlation identifiers to improve the correlation of payload data sent over the handover interface HI3 and the IRI report comprising metadata belonging to the same target identity which report is sent over the handover interface HI2. In that case, the service identifier would represent a new correlation identifier to be included within an IRI report, reporting the additional information about the service in the form of metadata. Thus, the MF3 subsystem provides the MF2 subsystem with additional information that will be used to build metadata on flow-basis and delivered in proper IRI reports. Among the provided information to MF2, the service identifier will enhance the correlation of IRI record over HI2 with the associated payload delivered over HI3 and it will enable LEA in accessing to the proper payload, data packet per data packet, as referenced in the IRI and by just using the new correlation identifier.
A proper service identifier will be appended to each packet that matches the classification analysis. All other packets will be delivered unmarked, i.e. without a service identifier.
The delivery over HI3 will provide the means to set the service identifier as a new parameter of the LI header on top of the supported Standard for HI3 delivery, the standard according to references [4], [5], [6], [7].
The LEMF is adapted to receive the standardized IRI report with target data information related to said one or more target identities. Said information is provided to the requesting LEA, i.e. Law Enforcement Agency.
The LEA 180 sends a first LI request to a LEMF, Law Enforcement Management Function, 112. The first request specifies different kind of data and information for enabling Lawful Interception regarding data traffic flow of a specific target. An intercept request, also denoted Request for LI activation, is sent through a first Handover Interface, HI1, located between the Law Enforcement Management Function 112 and an IMDU, i.e. an Intercept Mediation and Delivery Unit, 114 comprising an Administration Function, ADMF, 118 involving a Mediation Function/Delivery Function, MF/DF, 116. Said Mediation Function 116 and Administration Function 118 generates based on said received request a warrant comprising said one or more target identities, and sends said warrant towards an Intercepting Control Element, ICE, 120 via an interface denoted X1—1. The ICE 120 is according to the illustrated embodiments situated in a node of a data communications network or telecommunications network which handles and distributes IP data packet flows from which the ICE intercepts Content of Communications, CC, and Intercept Related Information, IRI, of one or more target's communication sessions. Said CC and IRI are network related data. As reference to the standard model, see references [1], [2] and [3], the content of communication is intercepted in the ICE network traffic node and it is based upon duplication of target communication payload without modification. The Intercepting Control Element ICE 120 comprises a controller comprising a processor unit configured to control the circuitry, units, blocks and functionalities of the Intercepting Control Element, ICE, 120 and other circuitry.
The ICE 120 is provided with a receiver unit to receive a request with a warrant specifying one or more targets as one or more target identities. The request is an order to intercept IP Data Traffic passing through the traffic node. The ICE 120 may be provided with data acquiring means for intercepting IP data traffic through the node using said one or more target identities.
Thus the ICE 120 is configured to collect payload data of the IP data stream related to one or more target identities for which interception has been requested. A sender in the ICE 120 is adapted to forward the collected data to an IMDU 114, who processes the data. Such a process may be filtering and conversion of the data to another format or standard. The processed data is delivered to a Law Enforcement Management Function 112 for further distribution to the requesting LEA 180.
The ICE 120 sends the intercepted payload via an interface X2 to a Mediation Function MF2 124 and a Delivery Function DF2 122 for IRI reporting. The Mediation Function and Delivery Function, MF2/DF2, is configured to generate and deliver to a Collection Functionality (not shown) in the LEMF 112, a standardized IRI report based on the received IRI report comprising metadata related to the CC sent over X3 and HI3. Said standardized IRI report is sent over a standardized interface HI2 to the LEMF 112. The IRI reports comprises metadata is extracted from the application-layer in any IP payload. Metadata examples for different services are:
The delivery function unit DF2 122 is used to distribute the Intercept Related Information IRI to the relevant LEA or LEAs via HI2. The arrangement 100 is adapted to provide a Law Enforcement Agency 180 with payload data of an intercepted Internet Protocol flow, IP flow, wherein the payload data belongs to one or more target identities using a specific Internet service.
The Intercept Mediation and Delivery Unit 114 also involves a Mediation Function/Delivery Function, MF3/DF3. The MF3 168 comprises a receiver 170 configured to receive intercepted payload data from the Intercepting Control Element 120. The intercepted payload belongs to one or more target identities using a specific Internet service. The mediation function MF3 168 further comprises classifying means 172 for classifying the payload data by identifying the specific IP service to which the received payload data belongs. The mediation functionality MF3 168 further comprises marking means 174, which is configured to mark each IP packet of the received payload data with a service identifier corresponding to the result of the classification of the specific IP service to which the received payload data belongs, and wherein the mediation function MF3 168 further comprises a sender 176 for forwarding the marked IP packets of the received payload data to the Law Enforcement Agency 180 requesting the interception. The classifying means 172 is configured to identify the specific IP service to which the received payload data belongs by means of preferences set by the network operator. The classifying means 172 may further be configured to indicate in the encrypted payload data that the LEA 180 is not able to decrypt the encrypted payload data in real-time processing. The preference identified by the service identifier and set by the network operator may be a premium service, e.g. Voice-over-IP, chat, etc. With Premium Service is meant IP services that are deployed under a direct intervention and responsibility of the network operator.
The sender 176 is configured to forward via the handover interface HI3 the marked IP packets of the received payload data CC to the Law Enforcement Agency, wherein the service identifier being inserted in the Lawful Interception header of the HI3 protocol.
According to some embodiments of the arrangement, the Intercept Mediation and Delivery Unit 154 may comprise a second Mediation Functionality MF2 124 comprising a second sender 178, which is configured to forward an Intercept Related Information IRI report via the second Handover Interface HI2 to the Law Enforcement Agency. Said report comprises at least metadata which is based on the received payload data which is sent to the Law Enforcement Agency via the handover interface HI3.
According to some embodiments of the arrangement, the service identifier is used as a correlation identifier to improve the correlation of payload data sent over the handover interface HI3 and an IRI report comprising metadata belonging to the same target identity which IRI report is sent over the handover interface HI2.
Examples of dedicated service identifiers are indicated in Table 1.
The intercepted packets of the payload related to a target are labeled in the operator domain by means of a dedicated service identifier. Network operators are provided with the means for the administration of the function, in order to specify the services that are of interest for being classified by the mediation system MF before that the related payload was delivered over HI3.
As illustrated in
A proper service identifier will be appended to each packet that matches the classification analysis. All other packets will be delivered un-market, i.e. without a service identifier.
As illustrated in
According to some embodiments of the node entity, as already mentioned above, the classifying means 172 may further be configured to indicate in the encrypted payload data that the LEA 180 is not able to decrypt the encrypted payload data in real-time processing.
According to some embodiments of the node entity, a general service identification classifier, e.g. service-id=999, may be provided in order to indicate any generally encrypted traffic flow that the system and arrangement is able to detect and decrypt in a real-time processing manner.
According to some embodiments of the node entity, the sender 176 is configured to forward via a handover interface HI3 the marked IP packets of the received payload data to the Law Enforcement Agency 180, the service identifier being inserted in the Lawful Interception header.
According to further embodiments of the node entity, the Intercept Mediation and Delivery Unit 154 further comprises a second Mediation functionality MF2 124 wherein a second sender 178 is configured to forward an Intercept Related Information IRI report via a second Handover Interface HI2 to the Law Enforcement Agency. The report comprises at least metadata which is based on the received payload data which is sent to the Law Enforcement Agency via the handover interface HI3.
According to still further embodiments of the node entity, service identifiers are used as correlation identifiers to improve the correlation of payload data sent over the handover interface HI3 and the IRI report comprising metadata belonging to the same target identity which report is sent over the handover interface HI2. In that case, the service identifier would represent a new correlation identifier to be included within an IRI report, reporting the additional information about the service in the form of metadata. Thus, the MF3 subsystem 168 provides the MF2 subsystem 124 with additional information that will be used to build metadata on flow-basis and delivered in proper IRI reports. Among the provided information to MF2, the service identifier will enhance the correlation of IRI record over HI2 with the associated payload delivered over HI3 and it will enable LEA in accessing to the proper payload, data packet per data packet, as referenced in the IRI and by just using the new correlation identifier.
S210: Receiving from an Intercepting Control Element 120 intercepted payload data belonging to one or more target identities using a specific Internet service. The arrangement 100 comprises an Intercept Mediation and Delivery Unit 114, which involves a Mediation Function/Delivery Function MF3/DF3 168/166. The MF3 168 comprises a receiver 170 configured to receive intercepted payload data from an ICE 120, i.e. Intercepting Control Element 120, in the LI system arrangement 100. The ICE is situated in a traffic node of a communications network. The intercepted payload belongs to one or more target identities using a specific Internet service.
S220: Classifying the payload data by identifying the specific IP service to which the received payload data belongs. The mediation function MF3 168 further comprises classifying means 172 for classifying the payload data by identifying the specific IP service to which the received payload data belongs.
S230: Marking each IP packet of the received payload data with a service identifier corresponding to the classification of the specific IP service to which the received payload data belongs. The mediation functionality MF3 166 further comprises marking means 174, which is configured to mark each IP packet of the received payload data with a service identifier corresponding to classification of the specific IP service to which the received payload data belongs, and wherein the mediation function MF3 166 further comprises a sender 176 for forwarding the marked IP packets of the received payload data to the Law Enforcement Agency 180 requesting the interception.
S240: Forwarding the marked IP packets of the received payload data to the Law Enforcement Agency 180 requesting the interception. The sender 176 is configured to forward via the handover interface HI3 the marked IP packets of the received payload data CC to the LEMF 112 for further delivery to the Law Enforcement Agency, wherein the service identifier being inserted in the Lawful Interception header of the HI3 protocol.
Further one embodiment of the above described method is presented in
S222: Identifying the specific IP service to which the received payload data belongs by means of preferences set by the network operator. The classifying means 172 is configured to identify the specific IP service to which the received payload data belongs by means of preferences set by the network operator. The classifying means 172 is further configured to indicate in the encrypted payload data that the LEA 180 is not able to decrypt the encrypted payload data in real-time processing. The specific IP service identified by the service identifier and set by the network operator may be a premium service, e.g. Voice-over-IP, chat, etc.
Further one embodiment of the above described methods are presented in
S224: Indicating to LEA that LEA is not able to decrypt the encrypted data payload in real-time processing. Thus a certain service identifier may be defined for said purpose.
Further one embodiment of the above described methods are presented in
S235: Forwarding an Intercept Related Information IRI report comprising at least metadata. The mediation functionality MF2 124 is configured to forward an IRI report, i.e. an Intercept Related Information report, comprising at least metadata which is based on the received payload data sent to the Law Enforcement Agency 180 via the handover interface HI3 and the LEMF 112. The IRI report is sent over the second Handover Interface HI2 to the LEMF 112, which forwards the data to the LEA 180. The LEMF 112 may be capable of and configured to real-time process, the received payload data. The service identifier is used as a correlation identifier to improve the correlation of payload data sent over the handover interface HI3 and an IRI report comprising meta data belonging to the same target identity, which report is sent over the handover interface HI2.
The proposed embodiments of different arrangements and methods may be implemented in digital electronically circuitry, or in computer hardware, firmware, software, or in combinations of them. Said embodiments may be implemented in a computer program product tangibly embodied in a machine readable storage device for execution by a programmable processor; and method steps of the invention may be performed by a programmable processor executing a program of instructions to perform functions of the invention by operating on input data and generating output.
The described entity IMDU 114 and its blocks, means and units may advantageously be implemented in one or more computer programs that are executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device. Each computer program may be implemented in a high-level procedural or object-oriented programming language or in assembly or machine language if desired; and in any case, the language may be a compiled or interpreted language.
A computer program product comprising computer program code loadable into a processor, wherein the computer program comprises code adapted to perform of one or more of the steps of the method embodiments described herein, when the computer program code is executed in the processor.
Generally, a processor, e.g. in a controller, will receive instructions and data from a read-only memory and/or a random access memory. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks. Any of the foregoing may be supplemented by, or incorporated in, specially-designed ASICs (Application Specific Integrated Circuits).
The described embodiments comprising the new classification function provide a number of advantages.
A number of embodiments have been described. It will be understood that various modifications may be made without departing from the scope of the described aspects and embodiments in this disclosure. Therefore, other implementations are within the scope of the following claims.
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/SE2011/051528 | 12/16/2011 | WO | 00 | 6/4/2014 |
