In the course of an investigation, a law enforcement agency may request a network service provider to assist in the intercept of desired information passing through the service provider's network. Typically the desired information which is helpful to the LEA's investigation is that which is related to the party or parties which are subjects of the investigation. Typically the information is contained in desired network IP traffic which reflects activities or forms part of communications by the suspect(s), individual(s), or organization(s) under investigation (referred to hereinafter as the suspect). The content of the traffic can take on many forms including but not limited to VoIP, e-mail, text messaging, streaming or download format video, document or data communication exchanges. To intercept this desired network traffic, the LEA requests from the network service provider a duplicate or mirror of network traffic meeting a certain set of criteria which it is believed will contain the desired information. Network traffic meeting these criteria and which has been intercepted in accordance therewith is referred to herein as intercepted traffic. Criteria for the desired network traffic could include that the traffic originates from a certain location, from a particular individual, organization or machine, at a specific time, or from a specific application. These criteria could also include that the traffic is being sent to a specific destination or is addressed to a particular individual, organization or machine.
Even when the network traffic is intercepted according to the set of criteria, much of that intercepted traffic might not constitute what is relevant to the investigation and therefore might not be helpful in furthering the investigation nor in supporting a future presentation in court of a case resulting from the investigation. The intercepted traffic will typically require analysis at the premises of the LEA to glean the desired information which could be helpful to move the investigation further along or which may prove to be useful in court. Analysis at the premises of the LEA is typically done on equipment including a computer system often connected to an internal network.
There are two specific challenges facing an LEA in the collection and analysis of network traffic for use in an investigation or in support of a court case. Firstly, any intercepted traffic must be kept in its totality in the sense that its integrity, as required by law or associated regulation, cannot be compromised. Failure to meet legal integrity requirements can invalidate the intercepted desired network traffic for forensic investigation and may cause it to be inadmissible in a court of law. These integrity requirements are also referred to as lawful intercept requirements (LIR). Secondly, the intercepted traffic may include malicious traffic which may threaten the LEA premises equipment, including its network, databases, and other resources. Attacks aimed at the LEA originating in the malicious traffic are referred to as “indirect” because they occur only when the intercepted traffic is accessed or replayed in the LEA premises which in general is at a later time than when the traffic was actually transmitted from the originator of the attack. Law enforcement agencies are particularly at risk since malicious traffic may specifically be created by a suspect being monitored in order to attack the LEA premises equipment as a countermeasure to the surveillance by the LEA. This attacker may try to affect efficiency of an analysis of the intercepted traffic or may be deliberately injecting malicious traffic that would later impact the LEA premises network back-end functions and possibly crash the LEA's systems or otherwise cause a denial of service. Such attacks could include application level floods, dummy sessions, software vulnerability exploits, or Trojans, among others. Denial of service attacks are a particular threat to the LEA if it is targeting and collecting data from the attacker's network which for example could be the case when the attacker is part of an organized criminal group.
A law enforcement agency has to deal with all of the intercepted traffic and also to protect its own resources from the impact that processing of the traffic may cause. In order to be able to do its primary job efficiently and cost-effectively, dealing with the data and providing security ideally should be performed simultaneously. In most cases the traffic making up an attack will not be of interest to the LEA, since attack traffic usually does not carry information that an LEA normally has a warrant for and is interested in. The exception is when the attacks themselves are the subject of a computer crime investigation.
According to the current practice which is depicted in FIG. 1, LEAs and network service providers employ a best effort approach. In this example, network traffic 30 having desired network traffic of interest to the LEA and which is to be intercepted, originates at a suspect premises equipment 10 and is destined for the internet 60 over an internet service provider's (ISP) network 100. The network service provider, at the request of the LEA, duplicates and forwards all of the network traffic passing through the ISP network 100 meeting the criteria as requested by the LEA, in the form of intercepted traffic 40, to the law enforcement agency's premises equipment 150. Management of the intercepted traffic 40 requires a relatively large computational and storage capacity which ideally would be efficient and would operate in a secure manner. Current ETSI (European Telecommunications Standards Institute) and 3GPP (3rd Generation Partnership Project) standards only describe handover interfaces between the network service provider and the client (LEA equipment), and do not address any threat model or security measures for the LEA's own network and back-end functionality necessary for analyzing and storing the intercepted traffic. Most LEAs consider the most important “security” concern in respect of any stored intercepted traffic 40 to be that of ensuring protection of that stored intercepted traffic 40 from unauthorized access, whether in the form of unauthorized copying or unauthorized modification. This well known type of security provided for the data archive is to be contrasted with the type of security concerned with protecting LEA premises equipment from the data archive, which is the type of security addressed by the invention described below.
During both intensive analysis and routine handling of the intercepted traffic, the LEA will need to transfer, record, and possibly replay every single packet of the intercepted traffic which was received or sent by the suspect premises equipment 10. The LEA cannot implement a firewall around its premises equipment to protect itself because that would not allow a complete copy of the intercepted traffic to enter the LEA premises for storage. In general for a firewall to serve as an effective security mechanism it must be both robust and cautious in keeping one side of the firewall, which in this case would be the LEA premises equipment 150, secure from malicious traffic originating from the other side, which in this case would be the ISP network 100. Any packets making up a known attack, such as application floods, dummy sessions, software vulnerability exploits, Trojans and others, would be filtered by the firewall so that none would enter into the secure zone, namely, the LEA premises equipment 150. Firewalls also typically have intelligent heuristics which are used to filter any packets which are suspicious, or may constitute an unknown attack. Filtering all known and possible attacks in the intercepted traffic before storage would lead to an incomplete archive of intercepted traffic. In order to obtain a complete copy of the intercepted traffic, the intercepted traffic cannot be filtered by a firewall, and must be stored as it was intercepted. A consequence of not employing a firewall to filter the intercepted traffic as it enters the LEA premises equipment 200 is that it exposes the LEA premises equipment 200 to attack from the very suspect under investigation. In most other systems where data integrity is not a requirement, a firewall used to block or destroy data can serve as an effective security measure. 
The need to allow for the seemingly mutually exclusive requirements of security from attacks and preservation of data integrity is peculiar to the field of data surveillance by law enforcement agencies.
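As an added illustration, not taken from the patent or from any ETSI/3GPP specification, the following Python sketch shows one way of holding the two requirements described above apart: every packet is archived exactly as received and bound into a SHA-256 hash chain, so that any later alteration or omission in the archive is detectable, while indications that a packet may belong to an attack are recorded in a separate sidecar that the analysis equipment can consult at replay time without anything being removed from the archive. The class and function names, the size and repetition heuristics (stand-ins for a real signature set), and the sample packets are all constructed for this example.

```python
"""Integrity-preserving intercept archive with out-of-band attack flags.

Added example, not the patent's or any vendor's code. Every packet is kept
verbatim in a hash chain (integrity, never filtered); suspicion flags live
in a separate sidecar so analysis equipment can skip flagged packets on
replay without the archive itself being incomplete.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List

GENESIS = "0" * 64        # chain anchor used before the first record
MAX_PACKET_LEN = 1500     # constructed limit standing in for the link MTU
FLOOD_THRESHOLD = 3       # constructed: a payload repeated this often is flagged


@dataclass(frozen=True)
class ArchiveRecord:
    seq: int
    packet: bytes
    digest: str   # SHA-256 over (previous digest as raw bytes || packet)


class InterceptArchive:
    """Stores every packet exactly as intercepted; never drops or rewrites."""

    def __init__(self) -> None:
        self.records: List[ArchiveRecord] = []
        self.flags: Dict[int, List[str]] = {}   # sidecar, not part of the archive
        self._seen: Counter = Counter()
        self._prev = GENESIS

    @staticmethod
    def _link(prev_digest: str, packet: bytes) -> str:
        return hashlib.sha256(bytes.fromhex(prev_digest) + packet).hexdigest()

    def ingest(self, packet: bytes) -> ArchiveRecord:
        # Archive first, unconditionally; screening happens afterwards and
        # only ever writes to the sidecar.
        rec = ArchiveRecord(len(self.records), packet, self._link(self._prev, packet))
        self.records.append(rec)
        self._prev = rec.digest
        reasons = self._screen(packet)
        if reasons:
            self.flags[rec.seq] = reasons
        return rec

    def _screen(self, packet: bytes) -> List[str]:
        # Constructed heuristics; a deployment would use a maintained IDS ruleset.
        reasons: List[str] = []
        if len(packet) > MAX_PACKET_LEN:
            reasons.append("oversized")
        self._seen[packet] += 1
        if self._seen[packet] >= FLOOD_THRESHOLD:
            reasons.append("repeat-flood")
        return reasons

    def verify(self) -> bool:
        """Recompute the chain; any modified, reordered or missing record breaks it."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or self._link(prev, rec.packet) != rec.digest:
                return False
            prev = rec.digest
        return True

    def replay(self, include_flagged: bool = False) -> Iterator[bytes]:
        """Feed packets to analysis equipment; flagged ones are skipped by default."""
        for rec in self.records:
            if include_flagged or rec.seq not in self.flags:
                yield rec.packet


def build_sample_archive() -> InterceptArchive:
    """Constructed intercept: one mail request, one oversized frame, a PING repeated 4x."""
    archive = InterceptArchive()
    sample = [b"GET /mail HTTP/1.1\r\nHost: example.test\r\n\r\n", b"x" * 2000]
    sample += [b"PING"] * 4
    for packet in sample:
        archive.ingest(packet)
    return archive


def tamper_demo() -> bool:
    """Replace the oversized packet's bytes after archiving; verify() must fail."""
    archive = build_sample_archive()
    original = archive.records[1]
    archive.records[1] = ArchiveRecord(original.seq, b"y" * 2000, original.digest)
    return archive.verify()


if __name__ == "__main__":
    a = build_sample_archive()
    print("chain valid:", a.verify(), "flags:", a.flags)
    print("packets replayed to analysis:", sum(1 for _ in a.replay()))
    print("tampered archive still valid:", tamper_demo())
```

The point of the split is that the archive layer has no policy in it: it cannot lose a packet because it never decides anything. Whether a flagged packet is ever replayed is a separate, auditable decision, and the chain digest of the last record is what an LEA would record in its custody log so a later party can confirm the stored copy is the one that was intercepted.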
Deep packet inspection (DPI) may be used as part of a custom analysis application in the LEA premises, but such a solution may result in longer processing times due to resource overload. Moreover, such a solution increases the probability that desired information is missed, and may require the expensive manual rejection of unrelated data.
No existing current system or method adequately addresses the opposing goals of data integrity and security in the context of LEA surveillance and analysis of network traffic associated with a suspect.