


DeepProbe Surveillance Modules
Flexible and extensible to serve evolving surveillance needs!
DeepProbe intercept functionality is provided via innovative Surveillance Modules. To the user, Surveillance Modules (SMs) are a series of well-defined, secure ASN.1 commands, which are designed for specific surveillance techniques. For example, there are SMs for discovering webmail traffic, user-id login (e.g., RADIUS or DHCP), and VoIP traffic. These are termed ‘application-level’ SMs, since they deal with specific target applications/usages. Other SMs include those geared towards monitoring more generic flows (conversations) based on specific packet header or content characteristics. These are termed ‘protocol-level’ SMs, since they require the user to be somewhat knowledgeable about specific packet header and/or content values. SMs have up to three logical components:
SMs are configured through a set of secure (SSL authenticated or encrypted), reliable (TCP), ASN.1-formatted commands. Once the targets are discovered, DeepProbe SMs can deliver varying amounts of intercepted information, including the complete application flow with related content such as attachments, a summary of the content, or just the application session events (i.e., IRI or Pen-Register equivalent). For IP traffic intercepts, the DeepProbe can qualify the intercepted traffic by layer-4 ports and will monitor all subsequent dynamic IP address (re)assignment. For email interception, the DeepProbe can deliver the entire email, even if the email address identifier was discovered after the first packet(s) in the email flow. DeepProbe also incorporates sophisticated reconstruction logic to deliver only pertinent information when intercepting complex applications such as webmail and IM/chat, significantly reducing the processing required by the monitoring and analytic systems. SM delivery of intercepted data shares the same security and reliability features as SM configuration, but also provides a failover mechanism. DeepProbe systems can run numerous SMs concurrently.
The webmail SM provides application-level intercept and reconstruction of popular webmail services, including Gmail, Hotmail, Yahoo, and Mail.com. The SM can intercept specific user webmail activity or activity from all service users. The webmail SM is designed to work with a webmail scan SM (future availability). Webmail SM filters include the flexibility to specify the webmail service, email address (user), To/From/both, and folder reads (e.g., inbox, drafts, etc.). Intercept options include the flexibility to intercept and deliver the full email with attachments, no attachments, summary-only, events, and others. Lastly, the Webmail SM incorporates sophisticated reconstruction logic to deliver only pertinent information in a standardized manner. Emails are converted to RFC822 format, folder reads are summarized, and attachments are delivered as a byte stream with associated information (e.g., file name, application, etc.). This powerful feature eliminates the need for mediation or monitoring systems to decode and reconstruct various webmail service protocols and formats. The following is a summary of the Webmail SM:
Similar to the webmail SM, the IM/Chat SM provides application-level intercept and reconstruction of popular instant messaging and chat traffic, including Windows Live, Yahoo, Google Talk, AIM, and Jabber. The SM can often intercept information such as voice, video, files, photos, and SMS, in addition to traditional chat text. The SM is designed to work with an associated scan SM (future availability). IM/Chat SM filters include the flexibility to specify the service, user name, and direction (To/From/both). Intercept options include the flexibility to intercept and deliver the full IM/Chat session (with options for voice, video, files, and forum output), summary, or events. Lastly, the IM/Chat SM incorporates sophisticated reconstruction logic to deliver only pertinent information in a standardized manner. All information is converted to a standard canonical form (XMPP). This powerful feature eliminates the need for mediation or monitoring systems to decode and reconstruct various webmail service protocols and formats.
The email SM provides application-level intercept of a target's email address in standard email headers as well as in the SMTP, POP3, and IMAP4 email protocols. If a target's email address is detected, the entire email is captured - even if the email address was detected after the first packet in the flow. Email SM filters include the flexibility to specify the target as 'email@domain', '*@domain', 'email', or '*.*'. Intercept options include the flexibility to intercept and deliver the full email (including attachments), summary-only, and events.
The VoIP SM provides application-level intercept of SIP-based VoIP. Since DeepProbes are completely passive, the discovery and intercept is independent of any other network elements (e.g., SBC, softswitch). VoIP SM filters include the flexibility to specify the target as 'user@host', 'user@IPaddress', 'phone_number', and 'tel:phone'. Intercept options include the flexibility to intercept and deliver just the SIP signaling messages or the combination of SIP signaling and RTP call content.
IP Traffic Surveillance Module
The IP Traffic SM intercepts traffic based on IP address, protocol, and layer-4 port, including support for IPv4, IPv6, subnets, and dynamic addresses. Dynamic IP addresses can be discovered via RADIUS (username, NAS port) and DHCP (MAC, option 61, option 82), and addresses are tracked through potential reassignments. Layer-4 ports can be specified as single ports, ranges, sets, or not conditions. IP Traffic SM intercept options include the flexibility to intercept and deliver the captured packets or events.
For complete specifications, please refer to the DeepProbe Datasheet. For more information about Network Surveillance using DeepProbe, please refer to the IP Network Surveillance Whitepaper.
Learn more about IP Fabrics products and technology by visiting the Resource Center or Contact Us to have an IP Fabrics sales representative provide you further information.