In a multi-user communication scenario that includes one or more Lawful Interception (LI) target users, one or more of these users may manipulate media content in order to mislead a Law Enforcement Agency (LEA). A user may achieve the manipulation by adulterating traffic generated from his or her own system. The adulteration may also be caused by a colluding agent sitting between two communicating users. The adulteration is done such that only the intended recipient of the communication receives unadulterated content, while the LEA receives adulterated content. This is possible because intermediate systems may interpret the adulterated communication content as unadulterated content, or may forward the adulterated content to the LEA without recognizing that it is garbage. As a result, the LI content is corrupted beyond interpretation by the LEA.
In conventional methods, adulterated packets are detected based on an offline analysis. The offline analysis may include analyzing a histogram of the hop length of packets and then determining the minimum hop length required for packets to reach the receiver. The offline analysis further includes analyzing the average bytes per packet and comparing it with standard communication flows to determine the possibility of an attack. Based on this analysis, the adulterated packets are then removed. However, this method supports only Transmission Control Protocol (TCP) and is not suitable for online, real-time detection of adulterated packets.
In other conventional methods, the sensitivity of a network node that performs the functionality of a Content Duplication Function (CDF) is enhanced, such that the network node collects all information that may help in the detection of adulterated packets. The network node may also send out some probe packets to learn more about the network. Additionally, the network node may be placed as close as possible to the receiver. However, these conventional methods fail to address detection of adulterated packets (which have been adulterated at the network or higher layer) in a manner that complies with legal and regulatory requirements, irrespective of the CDF location, and without employing any probe packets to learn about the network.