LEGAL INTERCEPT OF COMMUNICATION TRAFFIC PARTICULARLY USEFUL IN A MOBILE ENVIRONMENT

US 20080276294A1
Filed: 05/02/2007
Published: 11/06/2008
Est. Priority Date: 05/02/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for facilitating a lawful intercept of IP traffic for a target user, said method comprising:

requesting a first authentication, authorization, and accounting system (AAA system) associated with a first sub-net to provide a network connection descriptor for a target user;

receiving the network connection descriptor for the target user from the first AAA system, said network connection descriptor comprising a network address identifier for a first device associated with the target user which is connected to the first sub-net, or comprising an indication that no device associated with the target user is connected to the first sub-net; and

conveying an intercept descriptor to a mediation module in response to any change in target user connection status, said intercept descriptor comprising a target address corresponding to the network address identifier, and further comprising a mediation command to indicate how the intercept descriptor should be processed to carry out the intercept of IP traffic for the first target device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, structures, and systems are disclosed for implementing legal intercept of data which provide real-time correlation of broadband user information to network addresses (or other identifiers) across multiple and different authentication systems and user databases. In certain embodiments, an intercept coordinator module interacts with each authentication system to determine real-time a target address for a target user device, which it then uses to update mediation devices, external databases, etc., involved in performing a lawful intercept under the CALEA process. Probes are not required within the network to perform authentication system captures. A modular interface system provides support for existing CALEA equipment, and support for implementing additional interface modules for new or updated CALEA equipment. Exemplary intercept coordinator modules may communicate with multiple AAA systems, in multiple different sub-nets or networks, including geographically distant networks, and provides for pooling of common CALEA equipment resources for use in multiple networks simultaneously.

59 Citations

View as Search Results

31 Claims

1. A method for facilitating a lawful intercept of IP traffic for a target user, said method comprising:
- requesting a first authentication, authorization, and accounting system (AAA system) associated with a first sub-net to provide a network connection descriptor for a target user;
  
  receiving the network connection descriptor for the target user from the first AAA system, said network connection descriptor comprising a network address identifier for a first device associated with the target user which is connected to the first sub-net, or comprising an indication that no device associated with the target user is connected to the first sub-net; and
  
  conveying an intercept descriptor to a mediation module in response to any change in target user connection status, said intercept descriptor comprising a target address corresponding to the network address identifier, and further comprising a mediation command to indicate how the intercept descriptor should be processed to carry out the intercept of IP traffic for the first target device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method as recited in claim 1 wherein:
    - said receiving the network connection descriptor from the first AAA system is carried out from a location remote from the first sub-net and the first AAA system.
  - 3. The method as recited in claim 1 wherein the intercept descriptor further comprises a repective AF address for each of one or more access function devices associated with the first sub-net, and through which data traffic for the associated target device must flow.
  - 4. The method as recited in claim 1 further comprising:
    - periodically requesting the first AAA system to provide a network connection descriptor for the target user; and
      
      receiving a network connection descriptor for the target user in response to each request for such network connection descriptor.
  - 5. The method as recited in claim 4 wherein the network address identifier comprises a valid network address if said target user device is connected to the first sub-net, and otherwise an invalid network address to indicate that no such target user device is connected to the first sub-net.
  - 6. The method as recited in claim 5 wherein the network address identifier comprises a dynamically assigned IP address.
  - 7. The method as recited in claim 6 wherein said requesting the first AAA system to provide a network connection descriptor for a target user comprises:
    - conveying a target user identifier to the first AAA system, said target user identifier comprising one of a user name, a user account name, a screen name, a social security number, and a student identification number.
  - 8. The method as recited in claim 7 wherein:
    - said target user identifier further comprises one of a MAC address, a port number, or an IP address.
  - 9. The method as recited in claim 1 wherein the network connection descriptor comprises a maximum bandwidth tag for the associated target device.
  - 10. The method as recited in claim 1 further comprising:
    - requesting the first AAA system to provide a network connection descriptor for the target user only in response to changes in connection status; and
      
      receiving a network connection descriptor for the target user whenever such network connection status changes.
  - 11. The method as recited in claim 1 further comprising:
    - querying a secondary server to determine the target address corresponding to the network address identifier if the network connection descriptor does not already include the target address.
  - 12. The method as recited in claim 1 further comprising:
    - communicating the target address to an access function device associated with the first sub-net.
  - 13. The method as recited in claim 12 further comprising:
    - filtering the IP traffic associated with the target address and conveying a copy of such filtered IP traffic to the mediation module.
  - 14. The method as recited in claim 1 further comprising:
    - receiving from the first AAA system a network connection descriptor for a second device associated with the target user which is simultaneously connected to the first sub-net, or comprising an indication that the second device associated with the target user is no longer connected to the first sub-net; and
      
      conveying an intercept descriptor to the mediation module in response to any change in connection status for the second device associated with the target user.
  - 15. The method as recited in claim 1 further comprising:
    - requesting a second authentication, authorization, and accounting system (AAA system) associated with a second sub-net to provide a network connection descriptor for the target user;
      
      receiving from the second AAA system the network connection descriptor for the target user, said network connection descriptor comprising a network address identifier for a device associated with the target user which is connected to the second sub-net, or comprising an indication that no device associated with the target user is connected to the second sub-net; and
      
      conveying an intercept descriptor to a mediation module in response to any change in connection status for the device associated with the target user and connected to the second sub-net.
  - 16. The method as recited in claim 15 wherein:
    - the first and second sub-nets are part of a local area network for a single contiguous campus.
  - 17. The method as recited in claim 15 wherein:
    - the first and second sub-nets are part of respective local area networks for geographically distant campuses.
  - 18. The method as recited in claim 15 wherein communication with the respective AAA systems for the first and second sub-nets utilize different protocols.

19. A computer readable medium encoding instructions executable on a processor, said instructions arranged to:
- request a first authentication, authorization, and accounting system (AAA system) associated with a first sub-net to provide a network connection descriptor for a target user;
  
  receive the network connection descriptor for the target user from the first AAA system, said network connection descriptor comprising a network address identifier for a first device associated with the target user which is connected to the first sub-net, or comprising an indication that no device associated with the target user is connected to the first sub-net; and
  
  convey an intercept descriptor to a mediation module in response to any change in target user connection status, said intercept descriptor comprising a target address corresponding to the network address identifier, and further comprising a mediation command to indicate how the intercept descriptor should be processed to carry out the intercept of IP traffic for the first target device.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The medium as recited in claim 19 wherein the instructions are further arranged to:
    - periodically request the first AAA system to provide a network connection descriptor for the target user; and
      
      receive a network connection descriptor for the target user in response to each request for such network connection descriptor.
  - 21. The medium as recited in claim 19 wherein the instructions are further arranged to:
    - request the first AAA system to provide a network connection descriptor for the target user only in response to changes in connection status; and
      
      receive a network connection descriptor for the target user whenever such network connection status changes.
  - 22. The medium as recited in claim 19 wherein the instructions are further arranged to:
    - query a secondary server to determine the target address corresponding to the network address identifier if the network connection descriptor does not already include the target address.
  - 23. The medium as recited in claim 19 wherein the instructions are further arranged to:
    - communicate the target address to an access function device associated with the first sub-net.
  - 24. The medium as recited in claim 19 wherein the instructions are further arranged to:
    - receive from the first AAA system a network connection descriptor for a second device associated with the target user which is simultaneously connected to the first sub-net, or comprising an indication that the second device associated with the target user is no longer connected to the first sub-net; and
      
      convey an intercept descriptor to the mediation module in response to any change in connection status for the second device associated with the target user.
  - 25. The medium as recited in claim 19 wherein the instructions are further arranged to:
    - request a second authentication, authorization, and accounting system (AAA system) associated with a second sub-net to provide a network connection descriptor for the target user;
      
      receive from the second AAA system the network connection descriptor for the target user, said network connection descriptor comprising a network address identifier for a device associated with the target user which is connected to the second sub-net, or comprising an indication that no device associated with the target user is connected to the second sub-net; and
      
      convey an intercept descriptor to a mediation module in response to any change in connection status for the device associated with the target user and connected to the second sub-net.

26. An intercept coordinator module comprising:
- a first interface for communicating with a first authentication, authorization, and accounting system (AAA system) associated with a first sub-net, for requesting and receiving from the first AAA system a network connection descriptor for any device associated with a target user and connected to the first subnet; and
  
  a second interface for communicating with a mediation module, for conveying to the mediation module an intercept descriptor for any target user device if a received network connection descriptor represents a change in connection status of the target user;
  
  wherein each network connection descriptor comprises a network address identifier for a device associated with the target user which is connected to the first sub-net, or comprising an indication that no device associated with the target user is connected to the first sub-net; and
  
  wherein said intercept descriptor comprises a target address corresponding to the network address identifier and a mediation command to indicate how the intercept descriptor should be processed to carry out the intercept of IP traffic for the first target device.
- View Dependent Claims (27, 28)
- - 27. The module as recited in claim 26 further comprising:
    - a second interface for communicating with a second AAA system associated with a second sub-net, for requesting and receiving from the second AAA system a network connection descriptor for any device associated with a target user connected to the second subnet.
  - 28. The module as recited in claim 26 implemented as instructions executable on a processor and encoded in a computer readable medium.

29. A method for facilitating a lawful intercept of IP traffic for a target user, said method comprising:
- for each of one or more sub-nets to which a target user is authorized to connect, querying an authentication, authorization, and accounting system (AAA system) associated with the sub-net to provide a respective network connection descriptor for any target user device that is connected to the sub-net;
  
  in response to any received network connection descriptor that represents a change in target user connection status for any of the connected target user devices, forming a respective intercept descriptor corresponding to the network connection descriptor; and
  
  conveying the respective intercept descriptor to a mediation module to carry out the intercept.

30. A system comprising:
- a mediation module;
  
  an intercept coordinator module logically coupled to the mediation module, said intercept coordinator module for querying an authentication, authorization, and accounting system (AAA system) associated with a sub-net to provide a respective network connection descriptor for any device associated with a target user and connected to the sub-net, and in response to any change in connection status for any connected target user device, for conveying a respective intercept descriptor corresponding to the network connection descriptor to the mediation module to carry out the intercept.
- View Dependent Claims (31)
- - 31. The system as recited in claim 30 further comprising:
    - an access function (AF) device logically coupled to the mediation module and coupled to intercept data traffic for the sub-net, said AF device for receiving a target address from the mediation module and for conveying a copy of filtered IP traffic for the target address to the mediation module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apogee Telecom Incorporated
Original Assignee
Apogee Telecom Incorporated
Inventors
Brady, Charles J.

Application Number

US11/743,498
Publication Number

US 20080276294A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/5014   using dynamic host configur...

H04L 63/08   for authentication of entit...

H04L 63/306   intercepting packet switche...

H04W 12/02   Protecting privacy or anony...

H04W 12/033   of the user plane, e.g. use...

H04W 12/037   of the control plane, e.g. ...

H04W 12/80   Arrangements enabling lawfu...

LEGAL INTERCEPT OF COMMUNICATION TRAFFIC PARTICULARLY USEFUL IN A MOBILE ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

LEGAL INTERCEPT OF COMMUNICATION TRAFFIC PARTICULARLY USEFUL IN A MOBILE ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links