COMMUNICATIONS NETWORK MONITORING SYSTEM, METHOD AND

APPARATUS

FIELD OF THE INVENTION

The present invention relates to a communications network monitoring system, method and apparatus. In particular, but not exclusively, the present invention relates to a system, method and apparatus for covertly detecting and monitoring communications to, from and between users of concern/interest in a communications network.

BACKGROUND TO THE INVENTION

The ubiquitous nature of communications networks such as the World

Wide Web, wireless and wired communications networks make them an attractive tool for the pursuit of undesirable and illegal activities such as organised crime, terrorism, paedophilia and undesirable espionage. In addition to threats originating in traditional ways, law enforcement and intelligence agencies are presented with the task of detecting, monitoring and preventing or attempting to prevent the aforementioned threats manifest over communications networks.

The ease with which such networks can be utilised by the everyday user, the availability of complex methods of encryption and the myriad different communication methods, such as email, virtual instant messaging and VoIP, to name but a few, exacerbate the problem faced by authorities of obtaining evidence of wrongdoing that is admissible in a court of law.

Existing methods of identifying and tracking nefarious activity on communications networks at internet gateways and/or across public or private network gateways include a number of drawbacks.

Difficulties in tracking include finding the source of spoofed IP addresses and the use of proxy servers to hide users' IP addresses.

Covert monitoring of communications network traffic places high demands on personnel. For example, covert monitoring of traffic at an Internet Service

Provider (ISP) level currently requires a person to be physically present at the premises of the ISP, providing they have first obtained a court order permitting them to gain access and conduct monitoring where necessary. The person needs to electronically intercept the packets of data, which requires a lot of processing power and can noticeably degrade the performance of the ISP. Not only is the performance degradation commercially undesirable for the ISP, but it can alert users engaging in illegal behaviour to the covert monitoring thus prompting the users to suspend their activities to avoid detection.

Successful monitoring at the ISP level relies on the ISP maintaining security, which cannot be guaranteed. Breaches in security significantly reduce detection and prevention rates. Dishonest ISPs have been known to re-route traffic in an attempt to protect users. Surveillance and monitoring of communications network traffic also requires expensive equipment to be deployed and the coordination of personnel and reporting. Furthermore, such equipment is not always capable of discovering undesirable and/or illegal behaviour because of, for example, difficulties in dealing with higher levels of encryption on the fly. Conventionally,

time is required to break such encryption, but such delays can alert users to the presence of surveillance and monitoring.

Routing protocols are known, such as "route always", "route never" and

"route copy", which are used in routing data in communications networks. For example, the "route always" protocol always routes data via a specified route or to a specified destination, whereas the "route never" protocol never routes data to a particular destination or via a specified route. The "route copy" protocol makes a copy of data before routing. One problem with these protocols is their lack of selectivity in routing the data. For example, either all or none of the data is routed in a particular direction or all or none of the data is copied, which can lead to storage capacity problems because of the large amount of data being copied. This can additionally create undesirable levels of load on the network due to the proportional increase of data resulting from "route copy" activities.

Furthermore, the majority of the data is likely to be irrelevant because all of the data is being copied and not selected data of interest.

Hence, there is a need for a communications network monitoring system and/or method and/or apparatus to address or at least ameliorate one or more of the aforementioned problems of the prior art.

In this specification, the terms "comprises", "comprising" or similar terms are intended to mean a non-exclusive inclusion, such that a method, system or apparatus that comprises a list of elements does not include those elements solely, but may well include other elements not listed.

SUMMARY OF THE INVENTION

In one form, although it need not be the only or indeed the broadest form, the invention resides in a system for monitoring at least one user of a communications network, said system comprising: at least one monitoring apparatus coupled to be in communication with the communications network; at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network; a repacking module coupled to be in communication with the at least one monitoring apparatus; and a storage server coupled to be in communication with the repacking module; wherein the at least one monitoring apparatus: reads headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzes at least one component of the packets of data to determine one or more patterns between the different packets of data; and determines users to be monitored from the one or more patterns.

Suitably, the authentication code authenticates the user device. Suitably, the authentication code authenticates the user of the user device.

Suitably, the communications network is the Internet and the user device is coupled to be in communication with the communications network via an

internet service provider.

Suitably, the at least one monitoring apparatus is physically connected to transmission and reception lines of the internet service provider.

Suitably, the at least one monitoring apparatus is physically connected to transmission and reception lines of an authentication server associated with the internet service provider.

In another form, the invention resides in an apparatus for monitoring at least one user of a communications network, the apparatus comprising a kernel for reading headers of all packets of data transmitted to and/or from a user device of the at least one user, analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data and determining users to be monitored from the one or more patterns.

In a further form, the invention resides in a method for monitoring communications over a communications network via a monitoring apparatus coupled to be in communication with the communications network, at least one user device coupled to be in communication with the communications network, the at least one user device requiring entry of at least one authentication code to permit communication via the communications network, the method including: reading headers of all packets of data transmitted to and/or from the at least one user device without affecting the transmission of the packets of data; analyzing at least one component of the packets of data to determine one or more patterns between the different packets of data; and determining users to be monitored from the one or more patterns.

The method may further include reading all payloads of packets of data transmitted to and/or from the user device of a user being monitored.

The method may further include copying at least some of the payloads of the packets of data transmitted to and/or from the user device of the user being monitored.

The method may further include transmitting the copied packets of data from the monitoring apparatus to a repackaging module coupled to be in communication with the monitoring apparatus.

The method may further include reconstructing the copied packets of data in the repackaging module into user readable format.

The method may further include dynamically allocating bandwidth available to one or more user devices on the basis of monitoring the one or more user devices.

The method may further include comparing a volume of traffic logged by the at least one monitoring apparatus with a volume of traffic logged by a telecommunications company to determine if the at least one monitoring apparatus is being circumvented.

The method may further include categorizing a user as a user of concern/interest when analysis of the at least one component of the packets of data determines that the user has communicated with a particular entity a threshold number of times. Further features of the present invention will become apparent from the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

By way of example only, preferred embodiments of the invention will be described more fully hereinafter with reference to the accompanying drawings,

wherein:

FIG. 1 shows a schematic representation of the system according to an embodiment of the invention;

FIG. 2 is a flowchart illustrating the method according to two embodiments of the invention;

FIG. 3 is a schematic representation of a standard data packet; FIG. 4 is a schematic representation of the IP header of the data packet of FIG. 3; and

FIG. 5 is a schematic representation of the TCP header of the data packet of FIG. 3.

DETAILED DESCRIPTION OF THE INVENTION

Referring to FIG. 1, in accordance with an embodiment of the present invention, there is provided a system 10 comprising at least one user device 12 coupled to be in communication with a communications network 14. The user device 12 can be a desktop or tablet personal computer (PC), a laptop computer, a landline telephone, a VoIP telephone, a personal digital assistant (PDA), or other suitably enabled mobile communication device, such as a mobile telephone. The communications network 14 may be a global communications network, such as the Internet, or a conventional telephone network or a mobile telephone network.

The present invention will be described with reference to an embodiment in which the user devices are computers that are coupled to be in communication with the communications network via an ISP 16. However, it will be appreciated that the invention is not limited to this embodiment.

Communication between the user device 12, ISP 16 and the communications network 14 may be via wireless communication using one of the communications protocols known to persons skilled in the art or may be via wired communication (optionally including optical fibre communication) or a combination of the two, such as wireless communication between the user device 12 and the ISP 16 and wired communication between the ISP 16 and the communications network 14 or vice versa.

Each ISP 16 includes an authentication server 18, which is shown separate from the ISP 16 in FIG. 1 for the sake of clarity. System 10 includes at least one communications network monitoring apparatus 20 coupled to be in communication with the ISP 16, including their authentication server 18, and the communications network 14. Monitoring apparatus 20 is also coupled to be in communication with repacking module 22. Repacking module 22 is coupled to be in communication with storage server 24 in which data can be stored and retrieved. Repacking module 22 and storage server 24 may be located at a surveillance centre 26 where collected information can be processed and analysed. System 10 can include at least one remote user device 28 coupled to be in communication with a second ISP 16A and a second monitoring apparatus 2OA coupled to be in communication with authentication server 18A of ISP 16A and communications network 14.

The monitoring apparatus 20 can be in the same location as, or remote from, the ISP 16, but in each case is preferably coupled to be in communication with the authentication server 18. When in the same location as the ISP 16, the monitoring apparatus 20 is physically connected to the transmission and reception lines of the authentication server 18 such that all incoming and

outgoing traffic can be monitored. However, it should be noted that in some cases it may not be possible to connect directly to the authentication server 18. In this case, the information necessary to perform the invention is still obtainable from the headers of the packets of data transmitted via the ISP 16 and the further detail that is obtainable from a direct connection to the authentication server 18 to identify the user and their address and other such personal information can be obtained from the ISP 16 at a later date.

According to one embodiment, the monitoring apparatus 20 can be installed via a conventional bootable flash memory familiar to persons skilled in the art and does not require any other specialist software to be installed on the ISP 16 and reconfiguration of the ISP is not required. However, as specified above, connection to the authentication server 18 is required to obtain all the personal details of a user. The monitoring apparatus 20 works with any program or device that works over Internet Protocol (IP) configuration or Packet Switched Networks. The monitoring apparatus 20 only comprises RAM and communicates with boot ROM in the storage server 24 to upload the necessary encrypted software for reading packets of data, performing analysis of data to determine patterns and users of concern/interest as described below. Therefore, if the monitoring apparatus 20 is stolen from the ISP 16, no valuable information would remain in the monitoring apparatus 20 because it only comprises ROM.

Referring to FIG. 2, when a user 12 connects 100 to the ISP 16, the authentication server 18 authenticates 102 the user typically by verification of a usemame and password, although this could be by other means such as, but not limited to, an identifying numerical or alphanumerical code and other such combinations that may or may not be secured via a checksum or algorithm. The

user device requires entry of at least one authentication code to permit communication via the communications network. In one embodiment, the authentication code authenticates the user device. In another embodiment, the authentication code authenticates the user of the user device. In a further embodiment, both the user and the user device are authenticated.

Upon successful authentication 104, the ISP 16 permits the user to access the communications network 14. If authentication is unsuccessful, the user may retry. Since the monitoring apparatus 20 is coupled to be in communication with the ISP 16, all traffic communicated via the ISP is transmitted through the monitoring apparatus 20. Since the monitoring apparatus 20 is coupled to the authentication server 18, the monitoring apparatus 20 is able to identify users 12 by recording 106 the authentication details provided by the user 12.

According to one embodiment, initially the monitoring apparatus 20 monitors 108 all traffic flowing through the ISP 16 from which traffic patterns can be identified 110. With reference to FIGS 3-5, monitoring is carried out by reading the IP header 200 and the TCP header 201 of the data packet 204. Under current legislation, without specific authorization, it is not permissible to view the contents of the communications stored in the payload 202 of the data packet 204, however this can be copied for later inspection. Regarding monitoring, for example, a frequency of visits to a destination of concern, such as a particular website, can be monitored. The user visiting the website of concern can be traced and if the frequency of visits exceeds a threshold, the user can be placed on, for example, a list of users of concern/interest. The threshold may be set at zero such that any visit to a particular website causes

the user to be included on the list. Alternatively, the threshold may be set at one to account for accidental visits to a particular website and to account for automatic redirects to the website of concern that are not the responsibility of the user. In another embodiment, the threshold can be set at another predetermined figure such as 5 visits per month or other such frequency. In another example, a user may send or receive images on a regular basis to or from one or more users or sources already under surveillance and such activity would cause the user not already under surveillance to be entered on the list.

This enables the determination 112 of users of interest/suspicion/concern who may be placed on a list to be monitored. The monitoring apparatus 20 will then monitor 114 all traffic to and from this user, which may include, but is not limited to, emails sent and received by the user, attachments thereto, images downloaded and/or uploaded by the user, the size and type of such files/data, information relating to users with whom the user of interest has been communicating, and other relevant information.

In an alternative embodiment, a user may already be of interest or concern on the basis of behaviour identified prior to installation of the monitoring apparatus 20. In this case, the user's activity can be monitored 114 from the outset. The monitoring apparatus 20 copies 116 the packets of data 204 being transmitted to and from the user being monitored and transmits 118 the copied data packets to the repacking module 22, which reconstructs 120 the packets of data into human readable/viewable format. The reconstructed data can then be viewed in real time or substantially real time and/or can be stored 122 in storage server 24. Where the data is encrypted, it is likely the data will be stored in

storage server 24 for subsequent decryption and analysis. However, the data need not be encrypted.

In the case of peer to peer traffic, i.e. where the user of interest is communicating with a remote user 28, the monitoring apparatus 20 coupled to be in communication with the ISP 16 of the user of interest attempts communication with the second monitoring apparatus 2OA coupled to be in communication with the second ISP 16A to which the remote user 28 is connected. Where connection to the second monitoring apparatus 2OA is successful, identity information relating to the remote user 28 can be sent by the second monitoring apparatus 2OA to the repacking module 22.

As packets of data 204 pass through the kernel of the monitoring apparatus 20, the size of each packet is extracted and then collated to provide usage records at a very high level of speed and accuracy. Typically traffic can be accurately recorded at speeds far in excess of 200Mb/s, but speeds are envisaged to increase as technology develops. Further speed increases are envisaged to be achievable by conversion to enable execution in solid state processors. The kernel inspects each packet header 200, 201 for its destination address enabling reading of the packets without slowing the network and enabling the present invention to maintain monitoring performance as networks and traffic volumes grow. The data packets 204 are read and, as required, all or parts of the selected packets 204 or their contents or string(s) are copied or mirrored and sent to the repacking module 22 and the storage server 24. According to one embodiment, in a proactive mode of operation in which all traffic is being monitored and no particular users are being monitored, only the headers 200, 201 of the data packets 204 are read and optionally copied.

However, once authorisation is provided to monitor a particular user, the payload 202 can also be read and copied.

Address spoofing by a proxy server can be detected by the present invention and the traffic recorded regarding the user and/or account at the ISP by extracting the source and destination from the data packets. This can be done providing the monitoring apparatus 20 is installed in the system 10 before the user's traffic reaches the proxy server. In the event of a proxy server being installed between the user and the monitoring apparatus 20, the monitoring apparatus would identify such destination traffic from a proxy server and a remedy could be sought. The destination and origin of such traffic will be in common, these being the IP address of the proxy server.

Monitoring apparatus 20 is also optionally capable of dynamically controlling and allocating bandwidth available to terminals with which the monitoring apparatus 20 is coupled to be in communication. Bandwidth may be controlled to individual user devices on a per user basis or on a group basis, such as all user devices coupled to be in communication with a specific ISP. Therefore, when, for example, there is a real threat to national security involving communications networks, the apparatus 20 can be employed to restrict bandwidth availability or to share bandwidth that is not required for those services, such as governmental services, requiring communications capability. This means that civil networks, whilst being dynamically controlled, could be allowed to continue partially or, if the need is such, to fully commandeer all such resources for matters of national urgency/priority. Additionally, this provides the ability to block communications or connections of an undesirable nature. The monitoring apparatus 20 and method of the present invention could

also be applied to client software for the tracking of individual computers or for applications controlling internal or local traffic. The apparatus and method may process all or selective data and store such data on location for manual collection such as, for example, within or attached to a Wide Area Network (WAN) that has no connection to external networks such as, but not limited to, the internet. It should be appreciated that the monitoring apparatus 20, repacking module 22 and storage server 24 could be present in a single device.

Hence, the method, system and apparatus of the present invention thus provide a solution to the aforementioned problems of the prior art by identifying specific users of interest and monitoring their activity on the communications network. This may be achieved by monitoring some or all of the traffic and identifying patterns in the traffic or by monitoring one or more specific users known to be of concern from the outset. Since the present invention copies the data packets and no degradation in the performance of the ISP is experienced, users can be monitored covertly without alerting the users to the presence of the monitoring. Routing tables will also show no evidence that a user is being monitored because the routing tables will show that data packets are being routed normally. Once the apparatus is installed at the ISP, personnel do not need to be present and traffic can be monitored remotely. This reduces demands on personnel and the risk of raising suspicion. Specific users can be monitored and therefore only selected data needs to be stored relating to specific users and/or specific activities and not all data transmitted through a specific route, thus addressing the storage capacity problems of the prior art.

In the event that the ISP is dishonest and, for example, re-routes traffic such that it is not monitored by the monitoring apparatus 20, this is detectable by

comparing the volume of traffic logged by the telecommunications company providing the infrastructure for the ISP with the volume of traffic logged by the monitoring apparatus 20. The two volumes should be the same. However, where less traffic passes through the monitoring apparatus 20 than the telecommunications company, this suggests that the ISP is circumventing the monitoring apparatus 20 by re-routing data.

The data stored in the storage server 24 will comprise a date and time stamp relating to its acquisition thus making the electronic evidence more readily acceptable in a court of law. It is currently difficult and manpower intensive to collect evidence, especially "Best Evidence", sufficient to justify the issue of legal and/or ethical permission to invade privacy. The initial monitoring and building of profiles will greatly reduce such costs and dramatically improve the efficiency and effectiveness of such activities whilst reducing current response times on such matters.

Throughout the specification the aim has been to describe the invention without limiting the invention to any one embodiment or specific collection of features. Persons skilled in the relevant art may realize variations from the specific embodiments that will nonetheless fall within the scope of the invention.