The present invention relates to an interception system and method for performing a lawful interception in a packet network such as the GPRS (General Packet Radio Services) or the UMTS (Universal Mobile Telecommunications System) network.
The provision of a lawful interception is a requirement of national law, which is usually mandatory. From time to time, a network operator and/or a service provider will be required, according to a lawful authorization, to make available results of interception relating to specific identities to a specific interception authority or Law Enforcement Agency (LEA).
There are various aspects of interception. The respective national law describes under what conditions and with what restrictions interception is allowed. If an LEA wishes to use lawful interception as a tool, it will ask a prosecuting judge or other responsible body for a lawful authorization, such as a warrant. If the lawful authorization is granted, the LEA will present the lawful authorization to an access provider which provides access from a user's terminal to that network, to the network operator, or to the service provider via an administrative interface or procedure.
Such a lawful interception functionality is also needed in the packet switched part of new mobile data networks such as the GPRS and the UMTS.
Several approaches have been proposed so far. According to the hub approach, a hub is added to the GPRS backbone, such that all sessions will pass through the hub. The benefit of this system is that the SGSN (Serving GPRS Support Node) and the GGSN (Gateway GPRS Support Node) do not have to know anything about the lawful interception functionality. The hub consists of a pseudo GGSN interface and a pseudo SGSN interface, between which a Lawful Interception Node (LIN) is arranged.
According to another so-called SGSN/GGSN approach, a whole interception function is integrated into a combined SGSN/GGSN element. Every physical SGSN/GGSN element is linked by an own interface to an administrative function. The access method for delivering a GPRS interception information is based on a duplication of packets transmitted from an intercepted subscriber via the SGSN/GGSN element to another party. The duplicated packets are sent to a delivery function for delivering the corresponding interception information to the LEA.
However, national laws may require certain types of interception policies, wherein the interception functions allowed for the network operator may change.
Furthermore, various interception functions are required, such as storing and forwarding intercepted data, real-time data browsing, browsing at mobile stations, different kinds of interception data processing, multiplication of interception data for different destinations, etc.
Therefore, a flexible interception system and method is required, which can be easily adapted to changing interception requirements.
It is therefore an object of the present invention to provide a flexible interception method and system.
This object is achieved by an interception system for performing a lawful interception in a packet network, comprising:
interception activation and deactivation means for activating and deactivating current interception targets based on a received interception-related command;
interception activation monitoring means for monitoring an activation of PDP contexts and for informing the interception activation and deactivation means of changes in PDP contexts;
interception data collection means for collecting intercepted data in response to an interception target activation by said interception activation and deactivation means; and
interception data destination means for receiving the collected intercepted data and forwarding it to a final interception destination.
Furthermore, the above object is achieved by a method for performing a lawful interception in a packet network, comprising the steps of:
monitoring an activation of PDP contexts in order to detect changes in the PDP contexts;
activating and deactivating current interception targets based on an interception-related command and the changes in the PDP contexts;
collecting intercepted data in response to an interception target activation; and
supplying the collected intercepted data to an interception destination.
Accordingly, due to the monitoring of the PDP contexts, a supervisor of the lawful interception may obtain information about all activated and deleted user connections. Thereby, intercepted connections can be selected and an interception for a specific tunnel can be requested rather than an interception for a given criterion. In this way, the interception data collection can be more easily implemented in a distributed manner, for example in a GGSN network element, to thereby provide a higher flexibility.
The main difference with regard to earlier proposed solutions is that the intercepted data can be filtered in a network element which has to examine the packet data anyway. Thereby, different implementation alternatives are allowed, depending on the overall network implementation architecture.
Moreover, a protocol can be established which makes the system robust, since the GGSN-SGSN traffic is operable even if specific lawful interception nodes like a lawful interception gateway are overloaded or even non-operable.
Furthermore, the interception data can be filtered more economically, since the filtering is performed at a place where the data is examined anyway. Moreover, interception criteria can be stored only in the network element which implements the interception activation and deactivation functionality. Thus, configuration changes have to be made only in the network element implementing the interception activation and deactivation functionality, such that a distribution of configuration data is not required.
Since the interception activation and deactivation means receives information about the activation and deactivation of each tunnel, it can collect statistics of tunnels that satisfy a predetermined criterion. Furthermore, statistics of tunnels satisfying predetermined criteria can be collected so as to be used as a threshold value for activating an actual interception.
Due to the distributed interception functions, different security requirements can be applied to different functional units, even if they are implemented in the same network element.
If one or more functional units crash, the network may continue with a limited interception or without interception. In other words, the interception system can be implemented in a robust way. In case the functional units of the interception system are distributed over several existing network elements, the system is automatically scalable. The reason for this is that more network elements are required in the network anyway if the network traffic increases. Furthermore, redundancy can be achieved automatically, if the implementation is distributed to existing network elements. If an existing network element is duplicated, the functional units implemented therein are also duplicated.
Due to the distributed functions of the proposed interception system, the lawful interception function is not dependent on the implementation architecture of the packet network and does not cause any bottleneck in the packet network. Furthermore, an implementation of the known Legal Interception Node (LIN) is not necessarily required, since the interception functions can be distributed to other existing network elements.
The final destination to which the collected intercepted data are forwarded may be a representative of a legal authority or a network operator.
Furthermore, the interception data destination means may be arranged to postprocess said intercepted data. The postprocessing may comprise decryption, formatting and/or translation of the intercepted data.
The interception activation and deactivation means preferably receives the interception-related command from a user interface for lawful interception, wherein the interception-related command is a command for changing current interception criteria. In this case, the interception activation and deactivation means and the interception data destination means may be arranged in a network element comprising the user interface for lawful interception. Furthermore, the interception activation monitoring means and the interception data collection means may be arranged in a GPRS support node.
Preferably, the interception activation monitoring means is arranged to monitor tunnel activations and deactivations by monitoring corresponding GTP protocol messages, and to inform the interception activation and deactivation means about new possible interception targets and/or currently intercepted and now finished tunnels.
The interception activation monitoring means may be arranged in a lawful interception node, and adapted to recognize tunnel activation and deactivation requests on the basis of GTP protocol messages.
Furthermore, the interception activation monitoring means may be arranged in a gateway GPRS support node, a serving GPRS support node or a border gateway.
The interception activation and deactivation means may comprise an interception database and may be arranged to modify the interception database in response to the interception-related command.
Preferably, the interception activation and deactivation means may be arranged to inform the interception data collection means to collect data about active tunnels by an activation message and to stop collecting data by a deactivation message. Moreover, the interception activation and deactivation means may be arranged to check a tunnel identification received from the interception activation monitoring means and to send a tunnel deactivation message to the interception data destination means, if the tunnel identification matches a criterion in the interception database.
The interception activation and deactivation means may be arranged in a lawful interception gateway, a gateway GPRS support node or serving GPRS support node.
The interception data collection means may be preferably arranged to inform the interception data destination means of an activated interception data collection by transmitting an interception activation message to the interception data destination means in response to which the interception data destination means starts storing received interception data for the new intercepted tunnel. In this case, the interception activation message may include a tunnel identification and a destination for the intercepted data.
The interception data collection means may be arranged in a lawful interception node, a GPRS support node or a border gateway.
Preferably, the interception data destination receives the collected intercepted data together with the intended destination thereof.
The interception data destination means may be arranged in a legal interception gateway, an interception browsing element, or a user equipment comprising a specific interception data destination processing capability.
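The bookkeeping described above, where the activation and deactivation function reacts to monitor reports and to a criteria-changing command, is sketched here as an added example; it is not code from the patent. The message names, the fixed-size tables, the single-IMSI database and all sample values are assumptions made for illustration.

```c
#include <string.h>

#define MAX_ACTIVE 8
enum msg { MSG_NONE, MSG_ACTIVATE, MSG_DEACTIVATE };  /* sent to the collection function */

struct target { int used; unsigned tid; char imsi[16]; };

/* Interception database: one IMSI criterion (constructed test-network value). */
static char db_imsi[16] = "001010000000007";
static struct target active[MAX_ACTIVE];

/* Monitor reports a new tunnel: activate only on a database match. */
enum msg on_tunnel_activated(unsigned tid, const char *imsi) {
    if (db_imsi[0] == '\0' || strcmp(imsi, db_imsi) != 0) return MSG_NONE;
    for (int i = 0; i < MAX_ACTIVE; i++)
        if (active[i].used && active[i].tid == tid) return MSG_NONE; /* repeated report */
    for (int i = 0; i < MAX_ACTIVE; i++)
        if (!active[i].used) {
            active[i].used = 1;
            active[i].tid = tid;
            strncpy(active[i].imsi, imsi, sizeof active[i].imsi - 1);
            return MSG_ACTIVATE;
        }
    return MSG_NONE;              /* table full: the tunnel itself is unaffected */
}

/* Monitor reports a finished tunnel: stop collection if it was a target. */
enum msg on_tunnel_deactivated(unsigned tid) {
    for (int i = 0; i < MAX_ACTIVE; i++)
        if (active[i].used && active[i].tid == tid) {
            memset(&active[i], 0, sizeof active[i]);
            return MSG_DEACTIVATE;
        }
    return MSG_NONE;
}

/* Command removes a criterion: every matching active tunnel must stop too. */
int on_criterion_removed(const char *imsi) {
    int stopped = 0;
    if (strcmp(imsi, db_imsi) == 0) db_imsi[0] = '\0';
    for (int i = 0; i < MAX_ACTIVE; i++)
        if (active[i].used && strcmp(active[i].imsi, imsi) == 0) {
            memset(&active[i], 0, sizeof active[i]);
            stopped++;
        }
    return stopped;               /* number of deactivation messages to send */
}

int active_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_ACTIVE; i++) n += active[i].used;
    return n;
}
```

Clearing the active entry both on tunnel deactivation and on criterion removal keeps collection from continuing after the tunnel or the authorization has ended.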
Furthermore, the above object is achieved by a network element for a packet network, comprising:
setting means for setting an interception information in a PDP context thereof in response to an interception request received by the network element; and
interception data collection means for collecting intercepted data in response to the interception information and for supplying the collected intercepted data to an interception destination.
Additionally, the above object is achieved by a method for performing a lawful interception in a packet network, comprising the steps of:
setting an interception information in a PDP context of a network element in response to an interception request;
collecting intercepted data in the network element in response to the interception information; and
supplying the collected intercepted data to an interception destination.
Accordingly, due to the setting of an interception information in the PDP context of the network element, any network element of the packet network can be used for collecting intercepted data. Thus, the interception system is automatically scalable with every new network element and the bottleneck problem due to the known solutions can be prevented.
Furthermore, many legal interception gateways may coexist, since the collection of interception data is performed on the basis of the interception information included in the PDP context of the network elements.
Preferably, the interception information is a bit mask, or any equivalent fast data structure such as a linked list, wherein each bit refers to an entity that can request copies of data packets. In particular, each bit of said bit mask may refer to a listening context comprising an information about the interception destination. The information about the interception destination may comprise a destination address, authentication keys, a mastering interception gateway address, and a protocol information.
Preferably, the interception data collection means performs collection on the basis of an IMSI number or an IP address of a data packet.
The interception data collection means may be arranged to create a secure tunnel by a secure authentication, wherein the collected intercepted data is transferred via said tunnel using a secure data encryption. Thus, the secret information is situated only in the legal interception gateway which may be the destination of the collected intercepted data. The authentication and tunnelling may be performed by using VPN or SSH. Thus, VPN tunnelling is possible without a VPN device in every network segment.
The network element may be arranged to store entries for authenticated interception destinations which can set and reset the interception information.
In particular, the network element may be a gateway GPRS support node.
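The bit mask in the PDP context and the rule that only authenticated interception destinations may set and reset it can be modelled as follows. This is an added example, not code from the patent: the struct layouts, the function names, the 32-slot limit and the shared-key comparison (standing in for whatever authentication the network element actually uses) are assumptions, and all sample values are constructed.

```c
#include <stdint.h>
#include <string.h>

#define MAX_LISTENERS 32               /* one mask bit per listening context */

struct listen_ctx {                    /* fields named after the text */
    int     in_use;
    char    dest_addr[40];             /* where copies are sent */
    uint8_t auth_key[16];              /* assumed: shared key stands in for authentication */
};
struct pdp_ctx {                       /* only the fields this example needs */
    char     imsi[16];
    uint32_t intercept_mask;           /* bit i set => copy packets to listeners[i] */
};

static struct listen_ctx listeners[MAX_LISTENERS];
/* Constructed sample data (test-network IMSI, documentation address range). */
const uint8_t KEY_A[16]   = { 0x11, 0x22, 0x33 };
const uint8_t KEY_BAD[16] = { 0x99 };
struct pdp_ctx sample = { "001010123456789", 0 };

/* Constant-time comparison, so a failed check does not leak how much matched. */
static int key_eq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}
/* Store an entry for an interception destination; refuses to overwrite one. */
int register_listener(unsigned slot, const char *addr, const uint8_t *key) {
    if (slot >= MAX_LISTENERS || listeners[slot].in_use) return -1;
    strncpy(listeners[slot].dest_addr, addr, sizeof listeners[slot].dest_addr - 1);
    memcpy(listeners[slot].auth_key, key, 16);
    listeners[slot].in_use = 1;
    return 0;
}
/* Set or reset one bit; only the holder of that slot's key may change it. */
int set_intercept(struct pdp_ctx *p, unsigned slot, const uint8_t *key, int on) {
    if (slot >= MAX_LISTENERS || !listeners[slot].in_use) return -1;
    if (!key_eq(key, listeners[slot].auth_key, 16)) return -1;
    if (on) p->intercept_mask |= UINT32_C(1) << slot;
    else    p->intercept_mask &= ~(UINT32_C(1) << slot);
    return 0;
}
/* Per-packet path: list destinations that get a copy (out may be NULL). */
int copy_targets(const struct pdp_ctx *p, const char **out) {
    int n = 0;
    if (p->intercept_mask == 0) return 0;   /* common case: a single test */
    for (unsigned i = 0; i < MAX_LISTENERS; i++)
        if ((p->intercept_mask >> i) & 1u) { if (out) out[n] = listeners[i].dest_addr; n++; }
    return n;
}
```

Because each destination owns exactly one bit, several interception gateways can coexist on the same PDP context without being able to clear each other's requests.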
Furthermore, the above object is achieved by an interception browsing element for a packet network, comprising:
receiving means for receiving intercepted data from a network element having an interception data collection function;
storing means for storing interception data received from the network element; and
browsing means for browsing the stored interception data based on an external command, and for supplying the result of the browsing to an interception authority.
Additionally, the above object is achieved by a method for performing a lawful interception in a packet network, comprising the steps of:
providing a first network element having an interception data collection function;
transmitting collected intercepted data from the first network element to an interception browsing element, browsing the transmitted intercepted data at the interception browsing element based on an external command from a second network element having an interception activation and deactivation function; and
transmitting the result of the browsing step to an interception authority.
Accordingly, browsing and managing of the lawful interception can be performed separately in two different network elements. The interception browsing element does not have to be robust, because it doesn't affect the normal behaviour of the first network element having the interception data collection function.
Since many interception browsing elements can coexist, the browsing capacity may easily be increased and redundancy implemented. Furthermore, no unnecessary secret information has to be processed in the interception browsing element.
Thus, a flexible interception system can be provided.
The external command can be supplied from a network element having an interception activation and deactivation function. Furthermore, the intercepted data may be received from the network element having the interception data collection function via a secure tunnel. In this case, the network element having the interception activation and deactivation function may have an authentication key different from that of the interception browsing element. Thus, a secure control of the interception browsing elements and first network elements can be ensured.
The interception browsing element may be arranged at the network operator site, at the interception authority site, or at the public network site. Moreover, the interception browsing element may be a mobile terminal arranged in a mobile network connected to the packet network.