WO2006066315A1 - Communications network monitoring system, method & apparatus - Google Patents


Info

Publication number
WO2006066315A1
Authority
WO
WIPO (PCT)
Prior art keywords
packets
user
data
communications network
communication
Prior art date
Application number
PCT/AU2005/001912
Other languages
French (fr)
Inventor
Arron Hollis
Matthew Ross Wiltshier
Jeffrey Smidt
Original Assignee
Webtraf Research Pty Ltd
Priority date
Filing date
Publication date
Priority claimed from AU2004907200A0
Application filed by Webtraf Research Pty Ltd
Publication of WO2006066315A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

  • the present invention relates to a communications network monitoring system, method and apparatus.
  • the present invention relates to a system, method and apparatus for covertly detecting and monitoring communications to, from and between users of concern/interest in a communications network.
  • Difficulties in tracking include finding the source of spoofed IP addresses and the use of proxy servers to hide users' IP addresses.
  • ISP Internet Service Provider
  • the person needs to electronically intercept the packets of data, which requires a lot of processing power and can noticeably degrade the performance of the ISP. Not only is the performance degradation commercially undesirable for the ISP, but it can alert users engaging in illegal behaviour to the covert monitoring thus prompting the users to suspend their activities to avoid detection.
  • Routing protocols are known, such as "route always", "route never" and "route copy", which are used in routing data in communications networks. For example, the "route always" protocol always routes data via a specified route or to a specified destination, whereas the "route never" protocol never routes data to a particular destination or via a specified route. The "route copy" protocol makes a copy of data before routing.
  • One problem with these protocols is their lack of selectivity in routing the data. For example, either all or none of the data is routed in a particular direction or all or none of the data is copied, which can lead to storage capacity problems because of the large amount of data being copied. This can additionally create undesirable levels of load on the network due to the proportional increase of data resulting from "route copy" activities.
  • the majority of the data is likely to be irrelevant because all of the data is being copied and not selected data of interest.
  • the invention resides in a system for monitoring at least one user of a communications network, said system comprising: at least one monitoring apparatus coupled to be in communication with the communications network; at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network; a repacking module coupled to be in communication with the at least one monitoring apparatus; and a storage server coupled to be in communication with the repacking module; wherein the at least one monitoring apparatus: reads headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzes at least one component of the packets of data to determine one or more patterns between the different packets of data; and determines users to be monitored from the one or more patterns.
  • the authentication code authenticates the user device.
  • the authentication code authenticates the user of the user device.
  • the communications network is the Internet and the user device is coupled to be in communication with the communications network via an internet service provider.
  • the at least one monitoring apparatus is physically connected to transmission and reception lines of the internet service provider.
  • the at least one monitoring apparatus is physically connected to transmission and reception lines of an authentication server associated with the internet service provider.
  • the invention resides in an apparatus for monitoring at least one user of a communications network, the apparatus comprising a kernel for reading headers of all packets of data transmitted to and/or from a user device of the at least one user, analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data and determining users to be monitored from the one or more patterns.
  • the invention resides in a method for monitoring communications over a communications network via a monitoring apparatus coupled to be in communication with the communications network, at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network, the method including: reading headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data; and determining users to be monitored from the one or more patterns.
  • the method may further include reading all payloads of packets of data transmitted to and/or from the user device of a user being monitored.
  • the method may further include copying at least some of the payloads of the packets of data transmitted to and/or from the user device of the user being monitored.
  • the method may further include transmitting the copied packets of data from the monitoring apparatus to a repackaging module coupled to be in communication with the monitoring apparatus.
  • the method may further include reconstructing the copied packets of data in the repackaging module into user readable format.
  • the method may further include dynamically allocating bandwidth available to one or more user devices on the basis of monitoring the one or more user devices.
  • the method may further include comparing a volume of traffic logged by the at least one monitoring apparatus with a volume of traffic logged by a telecommunications company to determine if the at least one monitoring apparatus is being circumvented.
  • the method may further include categorizing a user as a user of concern/interest when analysis of the at least one component of the packets of data determines that the user has communicated with a particular entity a threshold number of times.
  • FIG. 1 shows a schematic representation of the system according to an embodiment of the invention
  • FIG. 2 is a flowchart illustrating the method according to two embodiments of the invention.
  • FIG. 3 is a schematic representation of a standard data packet
  • FIG. 4 is a schematic representation of the IP header of the data packet of FIG. 3;
  • FIG. 5 is a schematic representation of the TCP header of the data packet of FIG. 3.
  • a system 10 comprising at least one user device 12 coupled to be in communication with a communications network 14.
  • the user device 12 can be a desktop or tablet personal computer (PC), a laptop computer, a landline telephone, a VoIP telephone, a personal digital assistant (PDA), or other suitably enabled mobile communication device, such as a mobile telephone.
  • the communications network 14 may be a global communications network, such as the Internet, or a conventional telephone network or a mobile telephone network.
  • Communication between the user device 12, ISP 16 and the communications network 14 may be via wireless communication using one of the communications protocols known to persons skilled in the art or may be via wired communication (optionally including optical fibre communication) or a combination of the two, such as wireless communication between the user device 12 and the ISP 16 and wired communication between the ISP 16 and the communications network 14 or vice versa.
  • Each ISP 16 includes an authentication server 18, which is shown separate from the ISP 16 in FIG. 1 for the sake of clarity.
  • System 10 includes at least one communications network monitoring apparatus 20 coupled to be in communication with the ISP 16, including their authentication server 18, and the communications network 14. Monitoring apparatus 20 is also coupled to be in communication with repacking module 22.
  • Repacking module 22 is coupled to be in communication with storage server 24 in which data can be stored and retrieved.
  • Repacking module 22 and storage server 24 may be located at a surveillance centre 26 where collected information can be processed and analysed.
  • System 10 can include at least one remote user device 28 coupled to be in communication with a second ISP 16A and a second monitoring apparatus 20A coupled to be in communication with authentication server 18A of ISP 16A and communications network 14.
  • the monitoring apparatus 20 can be in the same location as, or remote from, the ISP 16, but in each case is preferably coupled to be in communication with the authentication server 18.
  • the monitoring apparatus 20 is physically connected to the transmission and reception lines of the authentication server 18 such that all incoming and outgoing traffic can be monitored.
  • the information necessary to perform the invention is still obtainable from the headers of the packets of data transmitted via the ISP 16 and the further detail that is obtainable from a direct connection to the authentication server 18 to identify the user and their address and other such personal information can be obtained from the ISP 16 at a later date.
  • the monitoring apparatus 20 can be installed via a conventional bootable flash memory familiar to persons skilled in the art and does not require any other specialist software to be installed on the ISP 16 and reconfiguration of the ISP is not required.
  • connection to the authentication server 18 is required to obtain all the personal details of a user.
  • the monitoring apparatus 20 works with any program or device that works over Internet Protocol (IP) configuration or Packet Switched Networks.
  • IP Internet Protocol
  • the monitoring apparatus 20 only comprises RAM and communicates with boot ROM in the storage server 24 to upload the necessary encrypted software for reading packets of data, performing analysis of data to determine patterns and users of concern/interest as described below. Therefore, if the monitoring apparatus 20 is stolen from the ISP 16, no valuable information would remain in the monitoring apparatus 20 because it only comprises volatile RAM.
  • the authentication server 18 authenticates 102 the user typically by verification of a username and password, although this could be by other means such as, but not limited to, an identifying numerical or alphanumerical code and other such combinations that may or may not be secured via a checksum or algorithm.
  • the user device requires entry of at least one authentication code to permit communication via the communications network.
  • the authentication code authenticates the user device.
  • the authentication code authenticates the user of the user device.
  • both the user and the user device are authenticated.
  • Upon successful authentication 104, the ISP 16 permits the user to access the communications network 14. If authentication is unsuccessful, the user may retry. Since the monitoring apparatus 20 is coupled to be in communication with the ISP 16, all traffic communicated via the ISP is transmitted through the monitoring apparatus 20. Since the monitoring apparatus 20 is coupled to the authentication server 18, the monitoring apparatus 20 is able to identify users by recording 106 the authentication details entered at the user device 12.
  • the monitoring apparatus 20 monitors 108 all traffic flowing through the ISP 16 from which traffic patterns can be identified 110.
  • monitoring is carried out by reading the IP header 200 and the TCP header 201 of the data packet 204.
  • a frequency of visits to a destination of concern such as a particular website, can be monitored. The user visiting the website of concern can be traced and if the frequency of visits exceeds a threshold, the user can be placed on, for example, a list of users of concern/interest.
  • the threshold may be set at zero such that any visit to a particular website causes the user to be included on the list.
  • the threshold may be set at one to account for accidental visits to a particular website and to account for automatic redirects to the website of concern that are not the responsibility of the user.
  • the threshold can be set at another predetermined figure such as 5 visits per month or other such frequency.
  • a user may send or receive images on a regular basis to or from one or more users or sources already under surveillance and such activity would cause the user not already under surveillance to be entered on the list.
  • the monitoring apparatus 20 will then monitor 114 all traffic to and from this user, which may include, but is not limited to, emails sent and received by the user, attachments thereto, images downloaded and/or uploaded by the user, the size and type of such files/data, information relating to users with whom the user of interest has been communicating, and other relevant information.
  • a user may already be of interest or concern on the basis of behaviour identified prior to installation of the monitoring apparatus 20.
  • the user's activity can be monitored 114 from the outset.
  • the monitoring apparatus 20 copies 116 the packets of data 204 being transmitted to and from the user being monitored and transmits 118 the copied data packets to the repacking module 22, which reconstructs 120 the packets of data into human readable/viewable format.
  • the reconstructed data can then be viewed in real time or substantially real time and/or can be stored 122 in storage server 24.
  • If the data is encrypted, it is likely the data will be stored in storage server 24 for subsequent decryption and analysis. However, the data need not be encrypted.
  • the monitoring apparatus 20 coupled to be in communication with the ISP 16 of the user of interest attempts communication with the second monitoring apparatus 20A coupled to be in communication with the second ISP 16A to which the remote user 28 is connected.
  • identity information relating to the remote user 28 can be sent by the second monitoring apparatus 20A to the repacking module 22.
  • each packet of data 204 passes through the kernel of the monitoring apparatus 20, the size of each packet is extracted and then collated to provide usage records at a very high level of speed and accuracy. Typically traffic can be accurately recorded at speeds far in excess of 200Mb/s, but speeds are envisaged to increase as technology develops. Further speed increases are envisaged to be achievable by conversion to enable execution in solid state processors.
  • the kernel inspects each packet header 200, 201 for its destination address enabling reading of the packets without slowing the network and enabling the present invention to maintain monitoring performance as networks and traffic volumes grow.
  • the data packets 204 are read and, as required, all or parts of the selected packets 204 or their contents or string(s) are copied or mirrored and sent to the repacking module 22 and the storage server 24.
  • the payload 202 can also be read and copied.
  • Address spoofing by a proxy server can be detected by the present invention, and the traffic recorded against the user and/or account at the ISP, by extracting the source and destination from the data packets. This can be done provided the monitoring apparatus 20 is installed in the system 10 before the user's traffic reaches the proxy server. In the event of a proxy server being installed between the user and the monitoring apparatus 20, the monitoring apparatus would identify such traffic as coming from a proxy server and a remedy could be sought: the origin and destination of such traffic will be in common, both being the IP address of the proxy server.
  • Monitoring apparatus 20 is also optionally capable of dynamically controlling and allocating bandwidth available to terminals with which the monitoring apparatus 20 is coupled to be in communication.
  • Bandwidth may be controlled to individual user devices on a per user basis or on a group basis, such as all user devices coupled to be in communication with a specific ISP. Therefore, when, for example, there is a real threat to national security involving communications networks, the apparatus 20 can be employed to restrict bandwidth availability or to share bandwidth that is not required for those services, such as governmental services, requiring communications capability.
  • the monitoring apparatus 20 and method of the present invention could also be applied to client software for the tracking of individual computers or for applications controlling internal or local traffic.
  • the apparatus and method may process all or selective data and store such data on location for manual collection such as, for example, within or attached to a Wide Area Network (WAN) that has no connection to external networks such as, but not limited to, the internet.
  • WAN Wide Area Network
  • the monitoring apparatus 20, repacking module 22 and storage server 24 could be present in a single device.
  • the method, system and apparatus of the present invention thus provide a solution to the aforementioned problems of the prior art by identifying specific users of interest and monitoring their activity on the communications network. This may be achieved by monitoring some or all of the traffic and identifying patterns in the traffic or by monitoring one or more specific users known to be of concern from the outset. Since the present invention copies the data packets and no degradation in the performance of the ISP is experienced, users can be monitored covertly without alerting the users to the presence of the monitoring. Routing tables will also show no evidence that a user is being monitored because the routing tables will show that data packets are being routed normally. Once the apparatus is installed at the ISP, personnel do not need to be present and traffic can be monitored remotely. This reduces demands on personnel and the risk of raising suspicion. Specific users can be monitored and therefore only selected data needs to be stored relating to specific users and/or specific activities and not all data transmitted through a specific route, thus addressing the storage capacity problems of the prior art.
  • If the ISP is dishonest and, for example, re-routes traffic such that it is not monitored by the monitoring apparatus 20, this is detectable by comparing the volume of traffic logged by the telecommunications company providing the infrastructure for the ISP with the volume of traffic logged by the monitoring apparatus 20. The two volumes should be the same.
  • the data stored in the storage server 24 will comprise a date and time stamp relating to its acquisition thus making the electronic evidence more readily acceptable in a court of law. It is currently difficult and manpower intensive to collect evidence, especially "Best Evidence", sufficient to justify the issue of legal and/or ethical permission to invade privacy. The initial monitoring and building of profiles will greatly reduce such costs and dramatically improve the efficiency and effectiveness of such activities whilst reducing current response times on such matters.
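The header-only monitoring described in the bullets above (the kernel reading the IP header 200 and TCP header 201 of every packet, collating packet sizes into usage records, counting visits to a destination of concern against a threshold of zero, one or a higher figure, listing a user who repeatedly contacts a user already under surveillance, and only then copying that user's packets for the repacking module), which the summary of the invention states in method form, as an added Python example. This is illustrative code written for this page, not software from the patent or from Webtraf Research Pty Ltd. The class and function names, the sample addresses and the constructed packets are assumptions, and a "visit" is taken to be a new TCP connection (a SYN without ACK) to the destination address, since the patent does not say how a visit is counted from headers alone.

```python
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

TCP = 6
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Headers:
    # Fields the kernel reads from the IP header and, for TCP, the TCP header. Payload is never read here.
    src: str
    dst: str
    proto: int
    total_len: int        # IP total length: the per-packet size collated into usage records
    sport: int = 0        # zero for non-TCP packets
    dport: int = 0
    flags: int = 0
    payload_off: int = 0  # where the transport payload begins; only used once a user is listed


def parse_headers(pkt: bytes) -> Optional[Headers]:
    # IPv4 fixed header, then the TCP header if the protocol is TCP. Checksums are not verified.
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src_s, dst_s = str(IPv4Address(src)), str(IPv4Address(dst))
    if proto != TCP:
        return Headers(src_s, dst_s, proto, total_len, payload_off=ihl)
    if len(pkt) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_res, flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = (off_res >> 4) * 4
    if doff < 20:
        return None
    return Headers(src_s, dst_s, proto, total_len, sport, dport, flags, ihl + doff)


class Monitor:
    """A visit is a new TCP connection (SYN without ACK). A source is listed when its visits to a
    destination of concern exceed that destination's threshold, or when it has connected with an
    already listed user contact_threshold times. Only packets of listed addresses are copied."""

    def __init__(self, destinations_of_concern: Dict[str, int], contact_threshold: int = 1):
        self.thresholds = dict(destinations_of_concern)  # destination IP -> threshold (0: list on first visit)
        self.contact_threshold = contact_threshold
        self.visits = defaultdict(Counter)    # src -> Counter(dst): connections opened
        self.contacts = defaultdict(Counter)  # a -> Counter(b): connections between a and b, both ways
        self.usage = Counter()                # address -> bytes seen on the line (usage record)
        self.listed = set()                   # users of concern/interest
        self.copied: List[bytes] = []         # packets handed to the repacking module

    def observe(self, pkt: bytes) -> Optional[Headers]:
        h = parse_headers(pkt)
        if h is None:
            return None
        self.usage[h.src] += h.total_len
        self.usage[h.dst] += h.total_len
        if h.proto == TCP and (h.flags & (SYN | ACK)) == SYN:
            self.visits[h.src][h.dst] += 1
            self.contacts[h.src][h.dst] += 1
            self.contacts[h.dst][h.src] += 1
            self._apply_rules(h.src, h.dst)
        if h.src in self.listed or h.dst in self.listed:
            self.copied.append(pkt)
        return h

    def _apply_rules(self, src: str, dst: str) -> None:
        threshold = self.thresholds.get(dst)
        if threshold is not None and self.visits[src][dst] > threshold:
            self.listed.add(src)
        for a, b in ((src, dst), (dst, src)):  # a destination of concern is a site, not a user
            if a not in self.thresholds and b in self.listed and self.contacts[a][b] >= self.contact_threshold:
                self.listed.add(a)


def make_tcp(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    # Constructed sample packet: IPv4 + TCP with checksums left at zero.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def demo() -> Monitor:
    # Constructed traffic against a site of concern with threshold 1 (one accidental visit tolerated).
    alice, bob, site, benign = "192.0.2.11", "192.0.2.12", "203.0.113.10", "198.51.100.5"
    mon = Monitor({site: 1}, contact_threshold=2)
    for pkt in (
        make_tcp(alice, benign, 40000, 443, SYN),
        make_tcp(alice, site, 40001, 80, SYN),                       # visit 1: equals the threshold
        make_tcp(site, alice, 80, 40001, SYN | ACK, b"\x00" * 100),  # reply: usage only, not a visit
        make_tcp(alice, site, 40002, 80, SYN),                       # visit 2 exceeds it: alice listed
        make_tcp(bob, alice, 50000, 25, SYN),                        # bob contacts a listed user once
        make_tcp(bob, alice, 50001, 25, SYN, b"x" * 300),            # twice: bob listed as well
    ):
        mon.observe(pkt)
    return mon
```

Two practical caveats the bullets gloss over: a destination of concern is identified here by IP address only, which is unreliable for shared hosting or content delivery networks (the header carries no host name), and counting SYNs as visits over-counts for sites that open many connections per page, so the threshold must be tuned per destination. Note also that the copy decision is taken after the rules run, so the packet that pushes a user over the threshold is itself copied.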

Abstract

A system and method for monitoring a user of a communication network (14), comprises at least one monitoring apparatus (20) in communication with the communications network and a user device (12) coupled to the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network. A repacking module (22) is coupled to be in communication with the at least one monitoring apparatus and a storage server (24) is in communication with the repacking module. The at least one monitoring apparatus reads headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data, analyses at least one component of the packets of data to determine one or more patterns between the different packets of data and determines users to be monitored from the patterns.

Description

TITLE
COMMUNICATIONS NETWORK MONITORING SYSTEM, METHOD AND APPARATUS
FIELD OF THE INVENTION
The present invention relates to a communications network monitoring system, method and apparatus. In particular, but not exclusively, the present invention relates to a system, method and apparatus for covertly detecting and monitoring communications to, from and between users of concern/interest in a communications network.
BACKGROUND TO THE INVENTION
The ubiquitous nature of communications networks such as the World Wide Web, wireless and wired communications networks make them an attractive tool for the pursuit of undesirable and illegal activities such as organised crime, terrorism, paedophilia and undesirable espionage. In addition to threats originating in traditional ways, law enforcement and intelligence agencies are presented with the task of detecting, monitoring and preventing or attempting to prevent the aforementioned threats manifest over communications networks.
The ease with which such networks can be utilised by the everyday user, the availability of complex methods of encryption and the myriad different communication methods, such as email, virtual instant messaging and VoIP, to name but a few, exacerbate the problem faced by authorities of obtaining evidence of wrongdoing that is admissible in a court of law. Existing methods of identifying and tracking nefarious activity on communications networks at internet gateways and/or across public or private network gateways include a number of drawbacks.
Difficulties in tracking include finding the source of spoofed IP addresses and the use of proxy servers to hide users' IP addresses.
Covert monitoring of communications network traffic places high demands on personnel. For example, covert monitoring of traffic at an Internet Service Provider (ISP) level currently requires a person to be physically present at the premises of the ISP, provided they have first obtained a court order permitting them to gain access and conduct monitoring where necessary. The person needs to electronically intercept the packets of data, which requires a lot of processing power and can noticeably degrade the performance of the ISP. Not only is the performance degradation commercially undesirable for the ISP, but it can alert users engaging in illegal behaviour to the covert monitoring thus prompting the users to suspend their activities to avoid detection.
Successful monitoring at the ISP level relies on the ISP maintaining security, which cannot be guaranteed. Breaches in security significantly reduce detection and prevention rates. Dishonest ISPs have been known to re-route traffic in an attempt to protect users. Surveillance and monitoring of communications network traffic also requires expensive equipment to be deployed and the coordination of personnel and reporting. Furthermore, such equipment is not always capable of discovering undesirable and/or illegal behaviour because of, for example, difficulties in dealing with higher levels of encryption on the fly. Conventionally, time is required to break such encryption, but such delays can alert users to the presence of surveillance and monitoring.
Routing protocols are known, such as "route always", "route never" and "route copy", which are used in routing data in communications networks. For example, the "route always" protocol always routes data via a specified route or to a specified destination, whereas the "route never" protocol never routes data to a particular destination or via a specified route. The "route copy" protocol makes a copy of data before routing. One problem with these protocols is their lack of selectivity in routing the data. For example, either all or none of the data is routed in a particular direction or all or none of the data is copied, which can lead to storage capacity problems because of the large amount of data being copied. This can additionally create undesirable levels of load on the network due to the proportional increase of data resulting from "route copy" activities.
Furthermore, the majority of the data is likely to be irrelevant because all of the data is being copied and not selected data of interest.
Hence, there is a need for a communications network monitoring system and/or method and/or apparatus to address or at least ameliorate one or more of the aforementioned problems of the prior art.
In this specification, the terms "comprises", "comprising" or similar terms are intended to mean a non-exclusive inclusion, such that a method, system or apparatus that comprises a list of elements does not include those elements solely, but may well include other elements not listed.
SUMMARY OF THE INVENTION
In one form, although it need not be the only or indeed the broadest form, the invention resides in a system for monitoring at least one user of a communications network, said system comprising: at least one monitoring apparatus coupled to be in communication with the communications network; at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network; a repacking module coupled to be in communication with the at least one monitoring apparatus; and a storage server coupled to be in communication with the repacking module; wherein the at least one monitoring apparatus: reads headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzes at least one component of the packets of data to determine one or more patterns between the different packets of data; and determines users to be monitored from the one or more patterns.
Suitably, the authentication code authenticates the user device. Suitably, the authentication code authenticates the user of the user device.
Suitably, the communications network is the Internet and the user device is coupled to be in communication with the communications network via an internet service provider.
Suitably, the at least one monitoring apparatus is physically connected to transmission and reception lines of the internet service provider.
Suitably, the at least one monitoring apparatus is physically connected to transmission and reception lines of an authentication server associated with the internet service provider.
In another form, the invention resides in an apparatus for monitoring at least one user of a communications network, the apparatus comprising a kernel for reading headers of all packets of data transmitted to and/or from a user device of the at least one user, analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data and determining users to be monitored from the one or more patterns.
In a further form, the invention resides in a method for monitoring communications over a communications network via a monitoring apparatus coupled to be in communication with the communications network, at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network, the method including: reading headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data; and determining users to be monitored from the one or more patterns.
The method may further include reading all payloads of packets of data transmitted to and/or from the user device of a user being monitored. The method may further include copying at least some of the payloads of the packets of data transmitted to and/or from the user device of the user being monitored.
The method may further include transmitting the copied packets of data from the monitoring apparatus to a repackaging module coupled to be in communication with the monitoring apparatus.
The method may further include reconstructing the copied packets of data in the repackaging module into user readable format.
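The reconstruction step in the two preceding paragraphs (copied packets transmitted to the repacking module and rebuilt there into a user readable format), as an added Python example that is not code from the patent or from its assignee: one direction of a TCP connection is reassembled from copied segments by sequence number, tolerating segments that arrive out of order, duplicated or overlapping because of retransmission, and the reassembled bytes are then split into request line, headers and body. The class names, the initial sequence number, the segment payloads and the HTTP request are constructed for the example; 32-bit sequence wrap-around and the reverse direction of the connection are deliberately not handled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamReassembler:
    """Rebuilds one direction of a TCP connection from copied segments, by sequence number.

    Bytes are appended to `data` strictly in order; anything beyond a gap waits in `pending`
    until the gap is filled. Sequence numbers are plain integers here (no 32-bit wrap-around).
    """
    next_seq: int                      # first byte not yet delivered (ISN + 1 at the start)
    data: bytearray = field(default_factory=bytearray)
    pending: List[Segment] = field(default_factory=list)
    duplicates: int = 0

    def add(self, seg: Segment) -> None:
        if seg.seq + len(seg.payload) <= self.next_seq:
            self.duplicates += 1       # entirely old data: a pure retransmission
            return
        self.pending.append(seg)
        self._drain()

    def _drain(self) -> None:
        # One ascending pass suffices: a segment skipped here can only become eligible
        # through a later, higher-numbered segment, which this pass reaches afterwards.
        for seg in sorted(self.pending, key=lambda s: s.seq):
            end = seg.seq + len(seg.payload)
            if seg.seq <= self.next_seq < end:
                self.data += seg.payload[self.next_seq - seg.seq:]   # trim the overlap, keep the new bytes
                self.next_seq = end
        self.pending = [s for s in self.pending if s.seq + len(s.payload) > self.next_seq]

    def gaps(self) -> List[Tuple[int, int]]:
        """Sequence ranges [start, end) still missing in front of data held in `pending`."""
        out, cursor = [], self.next_seq
        for seg in sorted(self.pending, key=lambda s: s.seq):
            if seg.seq > cursor:
                out.append((cursor, seg.seq))
            cursor = max(cursor, seg.seq + len(seg.payload))
        return out


def to_readable(data: bytes) -> Dict[str, object]:
    """Split a reassembled HTTP request into request line, header map and body."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"request": lines[0], "headers": headers, "body": body}


# Constructed sample: one HTTP request carried in three segments starting at ISN + 1.
ISN = 1000
S1 = b"GET /files/report.pdf HTTP/1.1\r\n"
S2 = b"Host: files.example\r\n"
S3 = b"User-Agent: x\r\n\r\n"


def demo() -> Tuple[StreamReassembler, List[Tuple[int, int]]]:
    r = StreamReassembler(next_seq=ISN + 1)
    seq2 = ISN + 1 + len(S1)
    seq3 = seq2 + len(S2)
    r.add(Segment(ISN + 1, S1))                   # in order
    r.add(Segment(seq3, S3))                      # arrives before S2: held back
    r.add(Segment(seq2 + 7, (S2 + S3)[7:19]))     # retransmit straddling S2 and S3: overlaps both
    gaps_before_s2 = r.gaps()                     # what is still missing at this point
    r.add(Segment(seq2, S2))                      # fills the gap; S3 and the overlap drain
    r.add(Segment(ISN + 1, S1))                   # late duplicate of S1: counted, not appended
    return r, gaps_before_s2
```

The `gaps()` report is the part a practitioner wants from a repacking stage: a gap that never closes means the monitoring apparatus did not copy a segment, and the reconstructed evidence should carry that fact rather than silently joining the pieces.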
The method may further include dynamically allocating bandwidth available to one or more user devices on the basis of monitoring the one or more user devices.
The method may further include comparing a volume of traffic logged by the at least one monitoring apparatus with a volume of traffic logged by a telecommunications company to determine if the at least one monitoring apparatus is being circumvented.
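One way to carry out the comparison in the preceding paragraph (and in the corresponding bullet on a dishonest ISP re-routing traffic around the monitoring apparatus), as an added Python example that is not code from the patent: the apparatus log and the telecommunications company's log are each totalled per account and per hour, and any window in which the apparatus saw materially less than the carrier moved is reported. The log format, account names, byte counts and the 2% tolerance are constructed for the example; the patent itself only says the two volumes should be the same.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (account, hourly window "YYYY-MM-DDTHH")

# Constructed sample records, "timestamp,account,bytes", from two independent vantage points:
# the monitoring apparatus at the ISP and the carrier providing the ISP's transmission lines.
MONITOR_LOG = """\
2005-12-01T10:02:11Z,acct-1001,5120000
2005-12-01T10:41:50Z,acct-1001,4880000
2005-12-01T10:15:07Z,acct-1002,3000000
2005-12-01T11:05:30Z,acct-1001,2000000
"""
CARRIER_LOG = """\
2005-12-01T10:00:00Z,acct-1001,10050000
2005-12-01T10:00:00Z,acct-1002,5000000
2005-12-01T10:00:00Z,acct-1003,7500000
2005-12-01T11:00:00Z,acct-1001,2010000
"""


def parse_log(text: str) -> Dict[Key, int]:
    """Total bytes per account per hour, so both logs reduce to the same key and can be compared."""
    totals: Dict[Key, int] = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, nbytes = line.strip().split(",")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        totals[(account, when.strftime("%Y-%m-%dT%H"))] += int(nbytes)
    return dict(totals)


def reconcile(monitor: Dict[Key, int], carrier: Dict[Key, int], tolerance: float = 0.02) -> List[dict]:
    """Report each account/hour where the two volumes differ by more than `tolerance`.

    A shortfall (apparatus saw less than the carrier moved) is the signature of traffic being
    routed around the apparatus; an excess points at double counting or misattribution. Small
    differences are normal (framing overhead, capture loss, records near a window boundary),
    which is why a tolerance is used instead of the exact equality the patent describes.
    """
    findings = []
    for key in sorted(set(monitor) | set(carrier)):
        seen, carried = monitor.get(key, 0), carrier.get(key, 0)
        if carried == 0:
            if seen:
                findings.append({"account": key[0], "window": key[1], "seen": seen,
                                 "carried": 0, "kind": "excess", "delta": None})
            continue
        delta = (seen - carried) / carried
        if delta < -tolerance:
            kind = "shortfall"
        elif delta > tolerance:
            kind = "excess"
        else:
            continue
        findings.append({"account": key[0], "window": key[1], "seen": seen,
                         "carried": carried, "kind": kind, "delta": round(delta, 4)})
    return findings


def demo() -> List[dict]:
    # acct-1001 matches within tolerance in both hours; acct-1002 is 40% short;
    # acct-1003 never reaches the apparatus at all.
    return reconcile(parse_log(MONITOR_LOG), parse_log(CARRIER_LOG))
```

Reading the result: a shortfall concentrated on one or two accounts is what selective re-routing looks like, whereas a shortfall spread evenly across every account in the same hour is more likely capture loss at the apparatus, and the two should be triaged differently.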
The method may further include categorizing a user as a user of concern/interest when analysis of the at least one component of the packets of data determines that the user has communicated with a particular entity a threshold number of times. Further features of the present invention will become apparent from the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
By way of example only, preferred embodiments of the invention will be described more fully hereinafter with reference to the accompanying drawings, wherein:
FIG. 1 shows a schematic representation of the system according to an embodiment of the invention;
FIG. 2 is a flowchart illustrating the method according to two embodiments of the invention;
FIG. 3 is a schematic representation of a standard data packet;
FIG. 4 is a schematic representation of the IP header of the data packet of FIG. 3; and
FIG. 5 is a schematic representation of the TCP header of the data packet of FIG. 3.
DETAILED DESCRIPTION OF THE INVENTION
Referring to FIG. 1, in accordance with an embodiment of the present invention, there is provided a system 10 comprising at least one user device 12 coupled to be in communication with a communications network 14. The user device 12 can be a desktop or tablet personal computer (PC), a laptop computer, a landline telephone, a VoIP telephone, a personal digital assistant (PDA), or other suitably enabled mobile communication device, such as a mobile telephone. The communications network 14 may be a global communications network, such as the Internet, or a conventional telephone network or a mobile telephone network.
The present invention will be described with reference to an embodiment in which the user devices are computers that are coupled to be in communication with the communications network via an ISP 16. However, it will be appreciated that the invention is not limited to this embodiment. Communication between the user device 12, ISP 16 and the communications network 14 may be via wireless communication using one of the communications protocols known to persons skilled in the art or may be via wired communication (optionally including optical fibre communication) or a combination of the two, such as wireless communication between the user device 12 and the ISP 16 and wired communication between the ISP 16 and the communications network 14 or vice versa.
Each ISP 16 includes an authentication server 18, which is shown separate from the ISP 16 in FIG. 1 for the sake of clarity. System 10 includes at least one communications network monitoring apparatus 20 coupled to be in communication with the ISP 16, including its authentication server 18, and the communications network 14. Monitoring apparatus 20 is also coupled to be in communication with repacking module 22. Repacking module 22 is coupled to be in communication with storage server 24 in which data can be stored and retrieved. Repacking module 22 and storage server 24 may be located at a surveillance centre 26 where collected information can be processed and analysed. System 10 can include at least one remote user device 28 coupled to be in communication with a second ISP 16A and a second monitoring apparatus 20A coupled to be in communication with authentication server 18A of ISP 16A and communications network 14.
The monitoring apparatus 20 can be in the same location as, or remote from, the ISP 16, but in each case is preferably coupled to be in communication with the authentication server 18. When in the same location as the ISP 16, the monitoring apparatus 20 is physically connected to the transmission and reception lines of the authentication server 18 such that all incoming and outgoing traffic can be monitored. However, it should be noted that in some cases it may not be possible to connect directly to the authentication server 18. In this case, the information necessary to perform the invention is still obtainable from the headers of the packets of data transmitted via the ISP 16 and the further detail that is obtainable from a direct connection to the authentication server 18 to identify the user and their address and other such personal information can be obtained from the ISP 16 at a later date.
According to one embodiment, the monitoring apparatus 20 can be installed via a conventional bootable flash memory familiar to persons skilled in the art and does not require any other specialist software to be installed on the ISP 16, and reconfiguration of the ISP is not required. However, as specified above, connection to the authentication server 18 is required to obtain all the personal details of a user. The monitoring apparatus 20 works with any program or device that works over Internet Protocol (IP) configuration or Packet Switched Networks. The monitoring apparatus 20 only comprises RAM and communicates with boot ROM in the storage server 24 to upload the necessary encrypted software for reading packets of data and performing analysis of data to determine patterns and users of concern/interest as described below. Therefore, if the monitoring apparatus 20 is stolen from the ISP 16, no valuable information would remain in the monitoring apparatus 20 because it only comprises RAM.
Referring to FIG. 2, when a user 12 connects 100 to the ISP 16, the authentication server 18 authenticates 102 the user, typically by verification of a username and password, although this could be by other means such as, but not limited to, an identifying numerical or alphanumerical code and other such combinations that may or may not be secured via a checksum or algorithm. The user device requires entry of at least one authentication code to permit communication via the communications network. In one embodiment, the authentication code authenticates the user device. In another embodiment, the authentication code authenticates the user of the user device. In a further embodiment, both the user and the user device are authenticated.
Upon successful authentication 104, the ISP 16 permits the user to access the communications network 14. If authentication is unsuccessful, the user may retry. Since the monitoring apparatus 20 is coupled to be in communication with the ISP 16, all traffic communicated via the ISP is transmitted through the monitoring apparatus 20. Since the monitoring apparatus 20 is coupled to the authentication server 18, the monitoring apparatus 20 is able to identify users 12 by recording 106 the authentication details provided by the user 12.
According to one embodiment, initially the monitoring apparatus 20 monitors 108 all traffic flowing through the ISP 16, from which traffic patterns can be identified 110. With reference to FIGS. 3-5, monitoring is carried out by reading the IP header 200 and the TCP header 201 of the data packet 204. Under current legislation, without specific authorization, it is not permissible to view the contents of the communications stored in the payload 202 of the data packet 204; however, the payload can be copied for later inspection. Regarding monitoring, for example, a frequency of visits to a destination of concern, such as a particular website, can be monitored. The user visiting the website of concern can be traced and, if the frequency of visits exceeds a threshold, the user can be placed on, for example, a list of users of concern/interest. The threshold may be set at zero such that any visit to a particular website causes the user to be included on the list. Alternatively, the threshold may be set at one to account for accidental visits to a particular website and to account for automatic redirects to the website of concern that are not the responsibility of the user. In another embodiment, the threshold can be set at another predetermined figure such as 5 visits per month or other such frequency. In another example, a user may send or receive images on a regular basis to or from one or more users or sources already under surveillance, and such activity would cause the user not already under surveillance to be entered on the list.
This enables the determination 112 of users of interest/suspicion/concern who may be placed on a list to be monitored. The monitoring apparatus 20 will then monitor 114 all traffic to and from this user, which may include, but is not limited to, emails sent and received by the user, attachments thereto, images downloaded and/or uploaded by the user, the size and type of such files/data, information relating to users with whom the user of interest has been communicating, and other relevant information.
In an alternative embodiment, a user may already be of interest or concern on the basis of behaviour identified prior to installation of the monitoring apparatus 20. In this case, the user's activity can be monitored 114 from the outset. The monitoring apparatus 20 copies 116 the packets of data 204 being transmitted to and from the user being monitored and transmits 118 the copied data packets to the repacking module 22, which reconstructs 120 the packets of data into human readable/viewable format. The reconstructed data can then be viewed in real time or substantially real time and/or can be stored 122 in storage server 24. Where the data is encrypted, it is likely the data will be stored in storage server 24 for subsequent decryption and analysis. However, the data need not be encrypted.
In the case of peer to peer traffic, i.e. where the user of interest is communicating with a remote user 28, the monitoring apparatus 20 coupled to be in communication with the ISP 16 of the user of interest attempts communication with the second monitoring apparatus 20A coupled to be in communication with the second ISP 16A to which the remote user 28 is connected. Where connection to the second monitoring apparatus 20A is successful, identity information relating to the remote user 28 can be sent by the second monitoring apparatus 20A to the repacking module 22.
As packets of data 204 pass through the kernel of the monitoring apparatus 20, the size of each packet is extracted and then collated to provide usage records at a very high level of speed and accuracy. Typically traffic can be accurately recorded at speeds far in excess of 200Mb/s, but speeds are envisaged to increase as technology develops. Further speed increases are envisaged to be achievable by conversion to enable execution in solid state processors. The kernel inspects each packet header 200, 201 for its destination address enabling reading of the packets without slowing the network and enabling the present invention to maintain monitoring performance as networks and traffic volumes grow. The data packets 204 are read and, as required, all or parts of the selected packets 204 or their contents or string(s) are copied or mirrored and sent to the repacking module 22 and the storage server 24. According to one embodiment, in a proactive mode of operation in which all traffic is being monitored and no particular users are being monitored, only the headers 200, 201 of the data packets 204 are read and optionally copied. However, once authorisation is provided to monitor a particular user, the payload 202 can also be read and copied.
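The header-only reading of FIGS. 3-5 and the visit-threshold rule described above, as an added example that is not part of the patent or of any product it describes. It parses only the IP header (200) and TCP header (201) of each packet, collates packet sizes per source, counts new TCP connections (SYN without ACK) to each destination as "visits", and lists a source once its visits to a watched destination exceed the threshold. The sample packets, the watched address, and the choice of SYN as the unit of a "visit" are constructed assumptions for the example; the payload (202) is never sliced.

```python
"""Header-only traffic monitor (added example; not the patent's own code)."""
import struct
from collections import Counter, defaultdict

TCP_PROTO = 6
SYN = 0x02
ACK = 0x10


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def build_packet(src_ip, dst_ip, src_port, dst_port, flags, payload=b""):
    """Construct a minimal IPv4/TCP packet for the sample traffic (checksums left zero)."""
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    # TCP header: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, TCP_PROTO, 0, ip_src, ip_dst)
    return ip + tcp + payload


def parse_headers(packet):
    """Read only the IP header (200) and TCP header (201); the payload (202) is never touched.

    Returns a dict for IPv4/TCP packets, or None for anything else."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != TCP_PROTO or len(packet) < ihl + 20:
        return None
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    return {
        "src": ip_to_str(src), "dst": ip_to_str(dst),
        "sport": sport, "dport": dport,
        "syn": bool(flags & SYN) and not flags & ACK,  # a new connection = one "visit"
        "size": total_len,
    }


class HeaderMonitor:
    """Collates bytes per source and visits per (source, destination) from headers alone.

    A source is listed as a user of concern once its visits to any watched destination
    exceed the threshold (threshold 0 means a single visit qualifies, as in the text)."""

    def __init__(self, watch_list, threshold=1):
        self.watch_list = set(watch_list)
        self.threshold = threshold
        self.bytes_by_src = Counter()
        self.visits = defaultdict(Counter)  # src -> dst -> visit count

    def observe(self, packet):
        hdr = parse_headers(packet)
        if hdr is None:
            return
        self.bytes_by_src[hdr["src"]] += hdr["size"]
        if hdr["syn"]:
            self.visits[hdr["src"]][hdr["dst"]] += 1

    def users_of_concern(self):
        flagged = {}
        for src, dsts in self.visits.items():
            hits = {d: n for d, n in dsts.items() if d in self.watch_list and n > self.threshold}
            if hits:
                flagged[src] = hits
        return flagged


WATCHED = "203.0.113.7"  # constructed "destination of concern" (documentation range)
SAMPLE_TRAFFIC = (
    # constructed: 10.0.0.5 opens three connections to the watched host plus one benign one
    [build_packet("10.0.0.5", WATCHED, 40000 + i, 80, SYN) for i in range(3)]
    + [build_packet("10.0.0.5", WATCHED, 40000, 80, ACK, b"GET / HTTP/1.1\r\n")]
    + [build_packet("10.0.0.5", "198.51.100.9", 40010, 443, SYN)]
    # constructed: 10.0.0.6 touches the watched host once (the accidental-visit case)
    + [build_packet("10.0.0.6", WATCHED, 50000, 80, SYN)]
    + [build_packet("10.0.0.6", "198.51.100.9", 50001, 443, SYN)]
)


def run_sample(threshold=1):
    """Feed the constructed traffic through a monitor and return it for inspection."""
    mon = HeaderMonitor([WATCHED], threshold)
    for pkt in SAMPLE_TRAFFIC:
        mon.observe(pkt)
    return mon


if __name__ == "__main__":
    m = run_sample(threshold=1)
    print("bytes per source:", dict(m.bytes_by_src))
    print("users of concern:", m.users_of_concern())
```

With the threshold at 1, only 10.0.0.5 (three visits) is listed; at 0, the single accidental visit by 10.0.0.6 is listed as well, which is exactly the trade-off the text describes for accidental visits and redirects. Because only the first 20 bytes of the IP header and 14 bytes of the TCP header are unpacked, the byte-count and visit statistics can be produced without ever decoding payload content.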
Address spoofing by a proxy server can be detected by the present invention, and the traffic recorded against the user and/or account at the ISP, by extracting the source and destination addresses from the data packets. This can be done provided the monitoring apparatus 20 is installed in the system 10 before the user's traffic reaches the proxy server. In the event of a proxy server being installed between the user and the monitoring apparatus 20, the monitoring apparatus would identify such traffic as destined for or originating from a proxy server, and a remedy could be sought. The destination and origin of such traffic will be in common, these being the IP address of the proxy server.
Monitoring apparatus 20 is also optionally capable of dynamically controlling and allocating bandwidth available to terminals with which the monitoring apparatus 20 is coupled to be in communication. Bandwidth may be controlled to individual user devices on a per user basis or on a group basis, such as all user devices coupled to be in communication with a specific ISP. Therefore, when, for example, there is a real threat to national security involving communications networks, the apparatus 20 can be employed to restrict bandwidth availability or to share bandwidth that is not required for those services, such as governmental services, requiring communications capability. This means that civil networks, whilst being dynamically controlled, could be allowed to continue partially or, if the need is such, to fully commandeer all such resources for matters of national urgency/priority. Additionally, this provides the ability to block communications or connections of an undesirable nature. The monitoring apparatus 20 and method of the present invention could also be applied to client software for the tracking of individual computers or for applications controlling internal or local traffic. The apparatus and method may process all or selective data and store such data on location for manual collection such as, for example, within or attached to a Wide Area Network (WAN) that has no connection to external networks such as, but not limited to, the internet. It should be appreciated that the monitoring apparatus 20, repacking module 22 and storage server 24 could be present in a single device.
Hence, the method, system and apparatus of the present invention provide a solution to the aforementioned problems of the prior art by identifying specific users of interest and monitoring their activity on the communications network. This may be achieved by monitoring some or all of the traffic and identifying patterns in the traffic, or by monitoring one or more specific users known to be of concern from the outset. Since the present invention copies the data packets and no degradation in the performance of the ISP is experienced, users can be monitored covertly without alerting the users to the presence of the monitoring. Routing tables will also show no evidence that a user is being monitored because the routing tables will show that data packets are being routed normally. Once the apparatus is installed at the ISP, personnel do not need to be present and traffic can be monitored remotely. This reduces demands on personnel and the risk of raising suspicion. Specific users can be monitored and therefore only selected data needs to be stored relating to specific users and/or specific activities, and not all data transmitted through a specific route, thus addressing the storage capacity problems of the prior art.
In the event that the ISP is dishonest and, for example, re-routes traffic such that it is not monitored by the monitoring apparatus 20, this is detectable by comparing the volume of traffic logged by the telecommunications company providing the infrastructure for the ISP with the volume of traffic logged by the monitoring apparatus 20. The two volumes should be the same. However, where less traffic passes through the monitoring apparatus 20 than the telecommunications company, this suggests that the ISP is circumventing the monitoring apparatus 20 by re-routing data.
The data stored in the storage server 24 will comprise a date and time stamp relating to its acquisition thus making the electronic evidence more readily acceptable in a court of law. It is currently difficult and manpower intensive to collect evidence, especially "Best Evidence", sufficient to justify the issue of legal and/or ethical permission to invade privacy. The initial monitoring and building of profiles will greatly reduce such costs and dramatically improve the efficiency and effectiveness of such activities whilst reducing current response times on such matters.
Throughout the specification the aim has been to describe the invention without limiting the invention to any one embodiment or specific collection of features. Persons skilled in the relevant art may realize variations from the specific embodiments that will nonetheless fall within the scope of the invention.

CLAIMS:
1. A system for monitoring at least one user of a communications network, said system comprising: at least one monitoring apparatus coupled to be in communication with the communications network; at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network; a repacking module coupled to be in communication with the at least one monitoring apparatus; and a storage server coupled to be in communication with the repacking module; wherein the at least one monitoring apparatus: reads headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzes at least one component of the packets of data to determine one or more patterns between the different packets of data; and determines users to be monitored from the one or more patterns.
2. The system of claim 1, wherein the authentication code authenticates the user device.
3. The system of claim 1, wherein the authentication code authenticates the user of the user device.
4. The system of claim 1, wherein the communications network is the Internet and the user device is coupled to be in communication with the communications network via an internet service provider.
5. The system of claim 4, wherein the at least one monitoring apparatus is physically connected to transmission and reception lines of the internet service provider.
6. The system of claim 5, wherein the at least one monitoring apparatus is physically connected to transmission and reception lines of an authentication server associated with the internet service provider.
7. An apparatus for monitoring at least one user of a communications network, the apparatus comprising a kernel for reading headers of all packets of data transmitted to and/or from a user device of the at least one user, analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data and determining users to be monitored from the one or more patterns.
8. A method for monitoring communications over a communications network via a monitoring apparatus coupled to be in communication with the communications network, at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network, the method including: reading headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data; and determining users to be monitored from the one or more patterns.
9. The method of claim 8, further including reading all payloads of packets of data transmitted to and/or from the user device of a user being monitored.
10. The method of claim 8, further including copying at least some of the payloads of the packets of data transmitted to and/or from the user device of the user being monitored.
11. The method of claim 8, further including transmitting the copied packets of data from the monitoring apparatus to a repackaging module coupled to be in communication with the monitoring apparatus.
12. The method of claim 8, further including reconstructing the copied packets of data in the repackaging module into user readable format.
13. The method of claim 8, further including dynamically allocating bandwidth available to one or more user devices on the basis of monitoring the one or more user devices.
14. The method of claim 8, further including comparing a volume of traffic logged by the at least one monitoring apparatus with a volume of traffic logged by a telecommunications company to determine if the at least one monitoring apparatus is being circumvented.
15. The method of claim 8, further including categorizing a user as a user of concern/interest when analysis of the at least one component of the packets of data determines that the user has communicated with a particular entity a threshold number of times.
PCT/AU2005/001912 2004-12-20 2005-12-16 Communications network monitoring system, method & apparatus WO2006066315A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2004907200 2004-12-20
AU2004907200A AU2004907200A0 (en) 2004-12-20 Communications network monitoring system, method and apparatus

Publications (1)

Publication Number Publication Date
WO2006066315A1 true WO2006066315A1 (en) 2006-06-29

Family

ID=36601251

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2005/001912 WO2006066315A1 (en) 2004-12-20 2005-12-16 Communications network monitoring system, method & apparatus

Country Status (1)

Country Link
WO (1) WO2006066315A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5787253A (en) * 1996-05-28 1998-07-28 The Ag Group Apparatus and method of analyzing internet activity
WO2001001272A2 (en) * 1999-06-30 2001-01-04 Apptitude, Inc. Method and apparatus for monitoring traffic in a network
US6182146B1 (en) * 1997-06-27 2001-01-30 Compuware Corporation Automatic identification of application protocols through dynamic mapping of application-port associations

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110336806A (en) * 2019-06-27 2019-10-15 四川大学 A kind of covert communications detection method of combination session behavior and correspondence
CN110336806B (en) * 2019-06-27 2020-05-01 四川大学 Covert communication detection method combining conversation behavior and communication relation

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 15.11.2007)

122 Ep: pct application non-entry in european phase

Ref document number: 05821648

Country of ref document: EP

Kind code of ref document: A1