WO2006066315A1 - Communications network monitoring system, method and apparatus - Google Patents

Communications network monitoring system, method and apparatus

Info

Publication number
WO2006066315A1
Authority
WO
WIPO (PCT)
Prior art keywords
packets
user
data
communications network
communication
Application number
PCT/AU2005/001912
Other languages
English (en)
Inventor
Arron Hollis
Matthew Ross Wiltshier
Jeffrey Smidt
Original Assignee
Webtraf Research Pty Ltd
Priority date
2004-12-20
Filing date
2005-12-16
Publication date
2006-06-29
Priority claimed from AU2004907200A
Application filed by Webtraf Research Pty Ltd
Publication of WO2006066315A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/535 Tracking the activity of the user
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

  • the present invention relates to a communications network monitoring system, method and apparatus.
  • the present invention relates to a system, method and apparatus for covertly detecting and monitoring communications to, from and between users of concern/interest in a communications network.
  • Difficulties in tracking include finding the source of spoofed IP addresses and the use of proxy servers to hide users' IP addresses.
  • ISP Internet Service Provider
  • Whoever is tracking such a user needs to electronically intercept the packets of data, which requires a lot of processing power and can noticeably degrade the performance of the ISP. Not only is the performance degradation commercially undesirable for the ISP, but it can alert users engaging in illegal behaviour to the covert monitoring, thus prompting the users to suspend their activities to avoid detection.
  • Routing protocols are known, such as "route always", "route never" and "route copy", which are used in routing data in communications networks. For example, the "route always" protocol always routes data via a specified route or to a specified destination, whereas the "route never" protocol never routes data to a particular destination or via a specified route. The "route copy" protocol makes a copy of data before routing.
  • One problem with these protocols is their lack of selectivity in routing the data. For example, either all or none of the data is routed in a particular direction or all or none of the data is copied, which can lead to storage capacity problems because of the large amount of data being copied. This can additionally create undesirable levels of load on the network due to the proportional increase of data resulting from "route copy" activities.
  • the majority of the data is likely to be irrelevant because all of the data is being copied and not selected data of interest.
  • the invention resides in a system for monitoring at least one user of a communications network, said system comprising: at least one monitoring apparatus coupled to be in communication with the communications network; at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network; a repacking module coupled to be in communication with the at least one monitoring apparatus; and a storage server coupled to be in communication with the repacking module; wherein the at least one monitoring apparatus: reads headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzes at least one component of the packets of data to determine one or more patterns between the different packets of data; and determines users to be monitored from the one or more patterns.
  • the authentication code authenticates the user device.
  • the authentication code authenticates the user of the user device.
  • the communications network is the Internet and the user device is coupled to be in communication with the communications network via an internet service provider.
  • the at least one monitoring apparatus is physically connected to transmission and reception lines of the internet service provider.
  • the at least one monitoring apparatus is physically connected to transmission and reception lines of an authentication server associated with the internet service provider.
  • the invention resides in an apparatus for monitoring at least one user of a communications network, the apparatus comprising a kernel for reading headers of all packets of data transmitted to and/or from a user device of the at least one user, analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data and determining users to be monitored from the one or more patterns.
  • the invention resides in a method for monitoring communications over a communications network via a monitoring apparatus coupled to be in communication with the communications network, at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network, the method including: reading headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data; and determining users to be monitored from the one or more patterns.
  • the method may further include reading all payloads of packets of data transmitted to and/or from the user device of a user being monitored.
  • the method may further include copying at least some of the payloads of the packets of data transmitted to and/or from the user device of the user being monitored.
  • the method may further include transmitting the copied packets of data from the monitoring apparatus to a repacking module coupled to be in communication with the monitoring apparatus.
  • the method may further include reconstructing the copied packets of data in the repacking module into user readable format.
  • the method may further include dynamically allocating bandwidth available to one or more user devices on the basis of monitoring the one or more user devices.
  • the method may further include comparing a volume of traffic logged by the at least one monitoring apparatus with a volume of traffic logged by a telecommunications company to determine if the at least one monitoring apparatus is being circumvented.
  • the method may further include categorizing a user as a user of concern/interest when analysis of the at least one component of the packets of data determines that the user has communicated with a particular entity a threshold number of times.
  • FIG. 1 shows a schematic representation of the system according to an embodiment of the invention;
  • FIG. 2 is a flowchart illustrating the method according to two embodiments of the invention;
  • FIG. 3 is a schematic representation of a standard data packet;
  • FIG. 4 is a schematic representation of the IP header of the data packet of FIG. 3;
  • FIG. 5 is a schematic representation of the TCP header of the data packet of FIG. 3.
  • FIG. 1 shows a system 10 comprising at least one user device 12 coupled to be in communication with a communications network 14 via an internet service provider (ISP) 16.
  • the user device 12 can be a desktop or tablet personal computer (PC), a laptop computer, a landline telephone, a VoIP telephone, a personal digital assistant (PDA), or other suitably enabled mobile communication device, such as a mobile telephone.
  • the communications network 14 may be a global communications network, such as the Internet, or a conventional telephone network or a mobile telephone network.
  • Communication between the user device 12, ISP 16 and the communications network 14 may be via wireless communication using one of the communications protocols known to persons skilled in the art or may be via wired communication (optionally including optical fibre communication) or a combination of the two, such as wireless communication between the user device 12 and the ISP 16 and wired communication between the ISP 16 and the communications network 14 or vice versa.
  • Each ISP 16 includes an authentication server 18, which is shown separate from the ISP 16 in FIG. 1 for the sake of clarity.
  • System 10 includes at least one communications network monitoring apparatus 20 coupled to be in communication with the ISP 16, including their authentication server 18, and the communications network 14. Monitoring apparatus 20 is also coupled to be in communication with repacking module 22.
  • Repacking module 22 is coupled to be in communication with storage server 24 in which data can be stored and retrieved.
  • Repacking module 22 and storage server 24 may be located at a surveillance centre 26 where collected information can be processed and analysed.
  • System 10 can include at least one remote user device 28 coupled to be in communication with a second ISP 16A and a second monitoring apparatus 20A coupled to be in communication with authentication server 18A of ISP 16A and communications network 14.
  • the monitoring apparatus 20 can be in the same location as, or remote from, the ISP 16, but in each case is preferably coupled to be in communication with the authentication server 18.
  • the monitoring apparatus 20 is physically connected to the transmission and reception lines of the authentication server 18 such that all incoming and outgoing traffic can be monitored.
  • Where the monitoring apparatus 20 is not connected directly to the authentication server 18, the information necessary to perform the invention is still obtainable from the headers of the packets of data transmitted via the ISP 16; the further detail that a direct connection to the authentication server 18 would provide, identifying the user, their address and other such personal information, can be obtained from the ISP 16 at a later date.
  • the monitoring apparatus 20 can be installed via a conventional bootable flash memory familiar to persons skilled in the art and does not require any other specialist software to be installed on the ISP 16 and reconfiguration of the ISP is not required.
  • connection to the authentication server 18 is required to obtain all the personal details of a user.
  • the monitoring apparatus 20 works with any program or device that works over Internet Protocol (IP) configuration or Packet Switched Networks.
  • IP Internet Protocol
  • The monitoring apparatus 20 only comprises RAM and communicates with a boot ROM in the storage server 24 to load the necessary encrypted software for reading packets of data and for performing analysis of the data to determine patterns and users of concern/interest as described below. Therefore, if the monitoring apparatus 20 is stolen from the ISP 16, no valuable information would remain in it, because it holds the software and data only in RAM.
  • The authentication server 18 authenticates 102 the user, typically by verification of a username and password, although this could be by other means such as, but not limited to, an identifying numerical or alphanumerical code and other such combinations that may or may not be secured via a checksum or algorithm.
  • the user device requires entry of at least one authentication code to permit communication via the communications network.
  • the authentication code authenticates the user device.
  • the authentication code authenticates the user of the user device.
  • both the user and the user device are authenticated.
  • Upon successful authentication 104, the ISP 16 permits the user to access the communications network 14. If authentication is unsuccessful, the user may retry. Since the monitoring apparatus 20 is coupled to be in communication with the ISP 16, all traffic communicated via the ISP passes through the monitoring apparatus 20. Since the monitoring apparatus 20 is also coupled to the authentication server 18, the monitoring apparatus 20 is able to identify users by recording 106 the authentication details provided by the user of the user device 12.
  • the monitoring apparatus 20 monitors 108 all traffic flowing through the ISP 16 from which traffic patterns can be identified 110.
  • monitoring is carried out by reading the IP header 200 and the TCP header 201 of the data packet 204.
  • For example, the frequency of visits to a destination of concern, such as a particular website, can be monitored. The user visiting the website of concern can be traced and, if the frequency of visits exceeds a threshold, the user can be placed on, for example, a list of users of concern/interest.
  • the threshold may be set at zero such that any visit to a particular website causes the user to be included on the list.
  • the threshold may be set at one to account for accidental visits to a particular website and to account for automatic redirects to the website of concern that are not the responsibility of the user.
  • the threshold can be set at another predetermined figure such as 5 visits per month or other such frequency.
  • a user may send or receive images on a regular basis to or from one or more users or sources already under surveillance and such activity would cause the user not already under surveillance to be entered on the list.
  • Once a user is on the list, the monitoring apparatus 20 monitors 114 all traffic to and from this user, which may include, but is not limited to, emails sent and received by the user, attachments thereto, images downloaded and/or uploaded by the user, the size and type of such files/data, information relating to users with whom the user of interest has been communicating, and other relevant information.
  • Alternatively, a user may already be of interest or concern on the basis of behaviour identified prior to installation of the monitoring apparatus 20, in which case the user's activity can be monitored 114 from the outset.
  • the monitoring apparatus 20 copies 116 the packets of data 204 being transmitted to and from the user being monitored and transmits 118 the copied data packets to the repacking module 22, which reconstructs 120 the packets of data into human readable/viewable format.
  • the reconstructed data can then be viewed in real time or substantially real time and/or can be stored 122 in storage server 24.
  • If the data is encrypted, it is likely that the data will be stored in storage server 24 for subsequent decryption and analysis. However, the data need not be encrypted.
  • Where the user of interest communicates with a remote user 28, the monitoring apparatus 20 coupled to be in communication with the ISP 16 of the user of interest attempts communication with the second monitoring apparatus 20A coupled to be in communication with the second ISP 16A to which the remote user 28 is connected. Identity information relating to the remote user 28 can then be sent by the second monitoring apparatus 20A to the repacking module 22.
  • As each packet of data 204 passes through the kernel of the monitoring apparatus 20, the size of the packet is extracted and collated to provide usage records at a very high level of speed and accuracy. Typically, traffic can be accurately recorded at speeds far in excess of 200 Mb/s, and speeds are envisaged to increase as technology develops. Further speed increases are envisaged to be achievable by converting the software for execution in solid state processors.
  • the kernel inspects each packet header 200, 201 for its destination address enabling reading of the packets without slowing the network and enabling the present invention to maintain monitoring performance as networks and traffic volumes grow.
  • the data packets 204 are read and, as required, all or parts of the selected packets 204 or their contents or string(s) are copied or mirrored and sent to the repacking module 22 and the storage server 24.
  • the payload 202 can also be read and copied.
  • Address spoofing by a proxy server can be detected by the present invention, and the traffic recorded against the user and/or account at the ISP, by extracting the source and destination from the data packets. This can be done provided the monitoring apparatus 20 is installed in the system 10 before the point at which the user's traffic reaches the proxy server. In the event of a proxy server being installed between the user and the monitoring apparatus 20, the monitoring apparatus would identify such traffic as coming from a proxy server and a remedy could be sought, because the destination and origin of such traffic will be in common, these being the IP address of the proxy server.
  • Monitoring apparatus 20 is also optionally capable of dynamically controlling and allocating bandwidth available to terminals with which the monitoring apparatus 20 is coupled to be in communication.
  • Bandwidth may be controlled to individual user devices on a per user basis or on a group basis, such as all user devices coupled to be in communication with a specific ISP. Therefore, when, for example, there is a real threat to national security involving communications networks, the apparatus 20 can be employed to restrict bandwidth availability, or to reassign bandwidth that is not otherwise required, to those services, such as governmental services, that require communications capability.
  • the monitoring apparatus 20 and method of the present invention could also be applied to client software for the tracking of individual computers or for applications controlling internal or local traffic.
  • the apparatus and method may process all or selective data and store such data on location for manual collection such as, for example, within or attached to a Wide Area Network (WAN) that has no connection to external networks such as, but not limited to, the internet.
  • WAN Wide Area Network
  • the monitoring apparatus 20, repacking module 22 and storage server 24 could be present in a single device.
  • the method, system and apparatus of the present invention thus provide a solution to the aforementioned problems of the prior art by identifying specific users of interest and monitoring their activity on the communications network. This may be achieved by monitoring some or all of the traffic and identifying patterns in the traffic or by monitoring one or more specific users known to be of concern from the outset. Since the present invention copies the data packets and no degradation in the performance of the ISP is experienced, users can be monitored covertly without alerting the users to the presence of the monitoring. Routing tables will also show no evidence that a user is being monitored because the routing tables will show that data packets are being routed normally. Once the apparatus is installed at the ISP, personnel do not need to be present and traffic can be monitored remotely. This reduces demands on personnel and the risk of raising suspicion. Specific users can be monitored and therefore only selected data needs to be stored relating to specific users and/or specific activities and not all data transmitted through a specific route, thus addressing the storage capacity problems of the prior art.
  • If the ISP is dishonest and, for example, re-routes traffic such that it is not monitored by the monitoring apparatus 20, this is detectable by comparing the volume of traffic logged by the telecommunications company providing the infrastructure for the ISP with the volume of traffic logged by the monitoring apparatus 20; the two volumes should be the same.
  • the data stored in the storage server 24 will comprise a date and time stamp relating to its acquisition thus making the electronic evidence more readily acceptable in a court of law. It is currently difficult and manpower intensive to collect evidence, especially "Best Evidence", sufficient to justify the issue of legal and/or ethical permission to invade privacy. The initial monitoring and building of profiles will greatly reduce such costs and dramatically improve the efficiency and effectiveness of such activities whilst reducing current response times on such matters.
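
The header-only pipeline the description lays out (record the authenticated user at 106, read the IP and TCP headers of every packet at 108, identify patterns at 110, list a user once visits to a destination of concern exceed the threshold, collate per-packet sizes into usage records, reconcile those volumes against the telecommunications company's figures, and treat a single common origin and destination address as a sign of an interposed proxy) is shown below in Python as an added example. It is not code from the patent or from Webtraf Research: the `Monitor` class, the address-to-user table, the TEST-NET addresses, the threshold semantics (a user is listed when the count exceeds the threshold, so 0 lists any visit and 1 tolerates one, matching the description) and the single-peer proxy heuristic are assumptions made for the example, and the sample packets are constructed inline with zero checksums.

```python
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits taken from the header of FIG. 5

@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    length: int  # IP total length: the per-packet size the kernel collates into usage records

def parse_ipv4_tcp(frame: bytes) -> Header:
    """Read the IPv4 header (FIG. 4) and TCP header (FIG. 5) only; the payload is never touched."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or len(frame) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP header")
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", frame[ihl:ihl + 14])
    return Header(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                  sport, dport, flags, total_len)

class Monitor:
    """Passive tap over copies of the packets: nothing here forwards, drops or alters traffic."""

    def __init__(self, users_by_ip: dict, destinations_of_concern: set, threshold: int):
        self.users_by_ip = users_by_ip  # address -> user, as recorded from the authentication step (106)
        self.concern = destinations_of_concern
        self.threshold = threshold  # listed once visits > threshold: 0 lists any visit, 1 tolerates one
        self.visits = defaultdict(lambda: defaultdict(int))  # user -> peer -> connection attempts
        self.bytes_seen = defaultdict(int)  # user -> bytes in both directions
        self.peers = defaultdict(set)  # user -> every address the user exchanged packets with
        self.watchlist = set()

    def observe(self, frame: bytes) -> None:
        h = parse_ipv4_tcp(frame)
        # Credit the packet to the subscriber side; subscriber-to-subscriber packets go to the sender (assumption).
        if h.src in self.users_by_ip:
            user, peer, outbound = self.users_by_ip[h.src], h.dst, True
        elif h.dst in self.users_by_ip:
            user, peer, outbound = self.users_by_ip[h.dst], h.src, False
        else:
            return  # transit traffic that belongs to no authenticated user
        self.bytes_seen[user] += h.length
        self.peers[user].add(peer)
        if outbound and (h.flags & SYN) and not (h.flags & ACK):  # a new outbound connection counts as one visit
            self.visits[user][peer] += 1
            peer_is_watched = self.users_by_ip.get(peer) in self.watchlist  # contact with a listed user
            if (peer in self.concern or peer_is_watched) and self.visits[user][peer] > self.threshold:
                self.watchlist.add(user)

    def reconcile(self, telco_bytes: dict) -> list:
        """Users whose telco-logged volume differs from what the tap saw: traffic is bypassing the monitor."""
        return sorted(u for u, v in telco_bytes.items() if v != self.bytes_seen.get(u, 0))

    def suspected_proxies(self, min_connections: int = 3) -> dict:
        """Heuristic assumed here: all traffic, both ways, with one repeatedly reached address looks like a proxy."""
        return {u: next(iter(p)) for u, p in self.peers.items()
                if len(p) == 1 and self.visits[u][next(iter(p))] >= min_connections}

def make_packet(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample IPv4/TCP packet; checksums stay zero because nothing here verifies them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload

# Constructed sample data: private and RFC 5737 documentation addresses stand in for real hosts.
USERS = {"10.0.0.5": "alice", "10.0.0.6": "bob", "10.0.0.7": "carol", "10.0.0.8": "dave"}
CONCERN = {"203.0.113.10"}
PROXY = "192.0.2.99"

def sample_run() -> Monitor:
    m = Monitor(USERS, CONCERN, threshold=1)
    frames = [
        make_packet("10.0.0.5", "203.0.113.10", 40001, 80, SYN),        # alice: first visit
        make_packet("203.0.113.10", "10.0.0.5", 80, 40001, SYN | ACK),  # reply: inbound bytes only
        make_packet("10.0.0.5", "203.0.113.10", 40002, 80, SYN),        # alice: second visit, listed
        make_packet("10.0.0.5", "203.0.113.10", 40002, 80, ACK, b"x" * 100),
        make_packet("10.0.0.5", "198.51.100.20", 40003, 443, SYN),      # ordinary browsing
        make_packet("10.0.0.6", "203.0.113.10", 40004, 80, SYN),        # bob: one visit, tolerated
        make_packet("10.0.0.6", "198.51.100.20", 40005, 443, SYN),
        make_packet("10.0.0.7", "10.0.0.5", 40006, 25, SYN),            # carol contacts listed alice
        make_packet("10.0.0.7", "10.0.0.5", 40007, 25, SYN),            # again: carol listed too
        make_packet("10.0.0.8", PROXY, 40008, 3128, SYN),               # dave: a single peer, both ways
        make_packet(PROXY, "10.0.0.8", 3128, 40008, SYN | ACK),
        make_packet("10.0.0.8", PROXY, 40009, 3128, SYN),
        make_packet("10.0.0.8", PROXY, 40010, 3128, SYN),
    ]
    for frame in frames:
        m.observe(frame)
    return m
```

`sample_run()` returns a `Monitor` whose `watchlist` holds alice (two connections to the site of concern) and carol (repeated contact with alice once alice is listed), but not bob, whose single visit the threshold of 1 tolerates. `reconcile()` names bob when the telco's figure exceeds the 80 bytes the tap credited to him, and `suspected_proxies()` names dave. Two caveats: the parser counts a visit from an outbound SYN, so it measures connections rather than pages or requests, and attributing bytes by address only holds while the address-to-user table reflects the current authentication state.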

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system and method for monitoring a user of a communications network (14) comprise at least one monitoring apparatus (20) coupled to the communications network and a user device (12) coupled to the communications network, the user device or devices requiring entry of at least one authentication code to be permitted to communicate via the communications network. A repacking module (22) is coupled to be in communication with the monitoring apparatus or apparatuses, and a storage server (24) is in communication with the repacking module. The monitoring apparatus or apparatuses read the headers of all packets of data sent to and/or from the user device(s) without affecting the transmission of the packets of data, analyse at least one component of the packets of data to determine one or more patterns among the different packets of data, and determine from the patterns the users to be monitored.
PCT/AU2005/001912 2004-12-20 2005-12-16 Communications network monitoring system, method and apparatus WO2006066315A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2004907200A AU2004907200A0 (en) 2004-12-20 Communications network monitoring system, method and apparatus
AU2004907200 2004-12-20

Publications (1)

Publication Number Publication Date
WO2006066315A1 true WO2006066315A1 (fr) 2006-06-29

Family

ID=36601251

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2005/001912 WO2006066315A1 (fr) 2004-12-20 2005-12-16 Communications network monitoring system, method and apparatus

Country Status (1)

Country Link
WO (1) WO2006066315A1 (fr)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5787253A (en) * 1996-05-28 1998-07-28 The Ag Group Apparatus and method of analyzing internet activity
US6182146B1 (en) * 1997-06-27 2001-01-30 Compuware Corporation Automatic identification of application protocols through dynamic mapping of application-port associations
WO2001001272A2 (fr) * 1999-06-30 2001-01-04 Apptitude, Inc. Method and apparatus for monitoring traffic in a network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110336806A (zh) * 2019-06-27 2019-10-15 四川大学 A covert communication detection method combining session behaviour and communication relationships
CN110336806B (zh) * 2019-06-27 2020-05-01 四川大学 A covert communication detection method combining session behaviour and communication relationships

Similar Documents

Publication Publication Date Title
AU2021209277B2 (en) Efficient packet capture for cyber threat analysis
US11323469B2 (en) Entity group behavior profiling
US9930055B2 (en) Unwanted tunneling alert system
US10469514B2 (en) Collaborative and adaptive threat intelligence for computer security
EP1817685B1 (fr) Intrusion detection in a data centre environment
CN102859934B (zh) System and method for access management and security protection of network-accessible computer services
CN113228585B (zh) Network security system with enhanced traffic analysis based on a feedback loop
KR20200007931A (ko) Correlation-driven threat assessment and remediation
US20060026678A1 (en) System and method of characterizing and managing electronic traffic
US20040088409A1 (en) Network architecture using firewalls
US7475420B1 (en) Detecting network proxies through observation of symmetric relationships
AU2022202238B2 (en) Tunneled monitoring service and methods
US20210409446A1 (en) Leveraging network security scanning to obtain enhanced information regarding an attack chain involving a decoy file
CN114301706B (zh) Defence method, device and system based on existing threats in a target node
KR101598187B1 (ko) Method and apparatus for blocking DDoS attacks
WO2006066315A1 (fr) Communications network monitoring system, method and apparatus
US20200389435A1 (en) Auditing smart bits
Arul et al. Supervised deep learning vector quantization to detect MemCached DDOS malware attack on cloud
CN112600844A (zh) Data security detection method, device, storage medium and electronic equipment
US20180219834A1 (en) Systems and methods for providing multi-level network security
Toor et al. Deployment of Low Interaction Honeypot in a Private Network
Stoianov et al. Towards Security Requirements of the SPIDER Project

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 15.11.2007)

122 Ep: pct application non-entry in european phase

Ref document number: 05821648

Country of ref document: EP

Kind code of ref document: A1