Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2001-09-10
2004-03-23
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S189000, C713S152000
Reexamination Certificate
active
06711689
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to an interception system and method for performing a lawful interception in a packet network such as the GPRS (General Packet Radio Services) or the UMTS (Universal Mobile Telecommunications System) network.
BACKGROUND OF THE INVENTION
The provision of a lawful interception is a requirement of national law, which is usually mandatory. From time to time, a network operator and/or a service provider will be required, according to a lawful authorization, to make available results of interception relating to specific identities to a specific interception authority or Law Enforcement Agency (LEA).
There are various aspects of interception. The respective national law describes under what conditions and with what restrictions interception is allowed. If an LEA wishes to use lawful interception as a tool, it will ask a prosecuting judge or other responsible body for a lawful authorization, such as a warrant. If the lawful authorization is granted, the LEA will present the lawful authorization to an access provider which provides access from a user's terminal to that network, to the network operator, or to the service provider via an administrative interface or procedure.
Such a lawful interception functionality is also needed in the packet switched part of new mobile data networks such as the GPRS and the UMTS.
Several approaches have been proposed so far. According to the hub approach, a hub is added to the GPRS backbone, such that all sessions will pass through the hub. The benefit of this system is that the SGSN (Serving GPRS Support Node) and the GGSN (Gateway GPRS Support Node) do not have to know anything about the lawful interception functionality. The hub consists of a pseudo GGSN interface and a pseudo SGSN interface, between which a Lawful Interception Node (LIN) is arranged.
According to another so-called SGSN/GGSN approach, a whole interception function is integrated into a combined SGSN/GGSN element. Every physical SGSN/GGSN element is linked by an own interface to an administrative function. The access method for delivering a GPRS interception information is based on a duplication of packets transmitted from an intercepted subscriber via the SGSN/GGSN element to another party. The duplicated packets are sent to a delivery function for delivering the corresponding interception information to the LEA.
However, national laws may require certain types of interception policies, wherein the interception functions allowed for the network operator may change.
Furthermore, various interception functions are required, such as store and forward intercepted data, real time data browsing, browsing at mobile stations, different interception data processings, multiplication of interception data for different destinations etc.
Therefore, a flexible interception system and method is required, which can be easily adapted to changing interception requirements.
SUMMARY OF THE INVENTION
It is therefore an object of the present invention to provide a flexible interception method and system.
This object is achieved by an interception system for performing a lawful interception in a packet network, comprising:
interception activation and deactivation means for activating and deactivating current interception targets based on a received interception-related command;
interception activation monitoring means for monitoring an activation of PDP contexts and for informing the interception activation and deactivation means of changes in PDP contexts;
interception data collection means for collecting intercepted data in response to an interception target activation by said interception activation and deactivation means; and
interception data destination means for receiving the collected intercepted data and forwarding it to a final interception destination.
Furthermore, the above object is achieved by a method for performing a lawful interception in a packet network, comprising the steps of:
monitoring an activation of PDP contexts in order to detect changes in the PDP contexts;
activating and deactivating current interception targets based on an interception-related command and the changes in the PDP contexts;
collecting intercepted data in response to an interception target activation; and
supplying the collected intercepted data to an interception destination.
Accordingly, due to the monitoring of the PDP contexts, a supervisor of the lawful interception may obtain information about all activated and deleted user connections. Thereby, intercepted connections can be selected and an interception for a specific tunnel can be requested rather than an interception for a given criterium. In this way, the interception data collection can be more easily implemented in a distributed manner, for example in a GGSN network element, to thereby provide a higher flexibility.
The main difference with regard to earlier proposed solutions is that the intercepted data can be filtered in a network element which anyway has to study the packet data. Thereby, different implementation of alternatives are allowed, depending on the over all network implementation architecture.
Moreover, a protocol can be established which makes the system robust, since the GGSN-SGSN traffic is operable even if specific lawful interception nodes like a lawful interception gateway are overloaded or even non-operable.
Furthermore, the interception data can be filtered more economically, since the filtering is performed at a place where it is anyway studied. Moreover, interception criteria can be stored only in the network element which implements the interception activation and deactivation functionality. Thus, configuration changes have to be made only in network element implementing the interception activation and deactivation functionality, such that a distribution of configuration data is not required.
Since the interception activation and deactivation means receives an information about the activation and deactivation of each tunnel, it can collect statistics of tunnels that satisfy a predetermined criterium. Furthermore, statistics of tunnels satisfying predetermined criteria can be collected so as to be used as a threshold value for activating an actual interception.
Due to the distributed interception functions, different security requirements can be applied to different functional units, even if they are implemented in the same network element.
If one or more functional units crash, the network may continue with a limited interception or without interception. In other words, the interception system can be implemented in a robust way. In case the functional units of the interception system are distributed over several existing network elements, the system is automatically scaleable. The reason therefore is that more network elements are anyway required in the network, if the network traffic increases. Furthermore, redundancy can be achieved automatically, if the implementation is distributed to existing network elements. If an existing network element is duplicated, the functional units implemented therein are also duplicated.
Due to the distributed functions of the proposed interception system, the lawful interception function is not dependent on the implementation architecture of the packet network and does not cause any bottleneck in the packet network. Furthermore, an implementation of the known Legal Interception Node (LIN) is not necessarily required, since the interception functions can be distributed to other existing network elements.
The final destination to which the collected intercepted data are forwarded may be a representative of a legal authority or a network operator.
Furthermore, the interception data destination means may be arranged to postprocess said intercepted data. The postprocessing may comprise decryption, formating and/or translation of the intercepted data.
The interception activation and deactivation means preferably receives the interception-related command from a user interface for lawful interception, wherein the interception-related command i
Eloranta Jaana
Jokinen Hannu
Lumme Martti
Nokia Corporation
Peeso Thomas R.
LandOfFree
Interception system and method does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Interception system and method, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Interception system and method will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3265966