System and method for interception of IP traffic based on image processing

US 9,742,812 B2
Filed: 10/29/2012
Issued: 08/22/2017
Est. Priority Date: 10/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, by an interface operatively coupled to a processor of a first computing system, using a Man in The Middle (MITM) protocol, remote communication sessions conducted in a communication network, wherein each monitored communication session comprises an exchange of communication traffic exchanged between communication terminals of the communication network;

extracting, by the processor of the first computing system, a digital image and a first and second communication identifiers from a monitored communication session, wherein the first communication identifier identifies at least one of the communication terminals of the monitored communication session, wherein the second identifier is an application-layer communication identifier comprising an e-mail address or chat nickname used in the monitored communication session;

detecting, by the processor of the first computing system, whether a known target individual appears in the extracted image, wherein the detecting comprises comparing, by the processor, the extracted image to images previously identified as being of the known target individual; and

upon the detection identifying that the known target individual appears in the extracted image;

establishing, by the processor of the first computing system, a correlation between the known target individual and the extracted communication identifiers, andreporting to a second computing system, by the processor of the first computing, the established correlation, wherein the second computing system is separate from the first computing system, and wherein the second computing system is configured to utilize the reported established correlation to track subsequent communication sessions that include the first or second communication identifiers, wherein the correlation between the known target individual and the communication identifiers is not known to the second computing system prior to the first computing system reporting the correlation to the second computing system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for monitoring communication traffic in communication networks, such as Internet Protocol (IP) traffic transferred over the Internet or over a wireless network. The disclosed techniques identify communication traffic that is associated with target individuals, by extracting digital images from the traffic and recognizing target individuals who appear in the images. A correlation system monitors communication sessions that are conducted in a communication network to identify known target individuals who appear in images. Upon recognizing a target individual in an image extracted from a certain session, the system correlates this target user with one or more of the communication identifiers used in the session. The system automatically identifies IP addresses or other identifiers that are used by target individuals, and enable subsequent tracking of such identifiers.

13 Citations

18 Claims

1. A method comprising:
- monitoring, by an interface operatively coupled to a processor of a first computing system, using a Man in The Middle (MITM) protocol, remote communication sessions conducted in a communication network, wherein each monitored communication session comprises an exchange of communication traffic exchanged between communication terminals of the communication network;
  
  extracting, by the processor of the first computing system, a digital image and a first and second communication identifiers from a monitored communication session, wherein the first communication identifier identifies at least one of the communication terminals of the monitored communication session, wherein the second identifier is an application-layer communication identifier comprising an e-mail address or chat nickname used in the monitored communication session;
  
  detecting, by the processor of the first computing system, whether a known target individual appears in the extracted image, wherein the detecting comprises comparing, by the processor, the extracted image to images previously identified as being of the known target individual; and
  
  upon the detection identifying that the known target individual appears in the extracted image;
  
  establishing, by the processor of the first computing system, a correlation between the known target individual and the extracted communication identifiers, andreporting to a second computing system, by the processor of the first computing, the established correlation, wherein the second computing system is separate from the first computing system, and wherein the second computing system is configured to utilize the reported established correlation to track subsequent communication sessions that include the first or second communication identifiers, wherein the correlation between the known target individual and the communication identifiers is not known to the second computing system prior to the first computing system reporting the correlation to the second computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the detecting of the target individual, by the processor, comprises applying a face recognition process to the extracted image so as to recognize a face of the target individual in the image.
  - 3. The method according to claim 1, wherein monitoring the communication sessions comprises receiving communication traffic from the communication network, and reconstructing the communication sessions from the received communication traffic.
  - 4. The method according to claim 1, wherein one or more of the communication sessions is encrypted with a transport-layer cryptographic protocol, and wherein monitoring the communication sessions comprises decrypting the cryptographic protocol before extracting the digital image and the first and second communication identifiers.
  - 5. The method according to claim 1, wherein monitoring the communication sessions comprises monitoring communication packets transferred over a wireless network, and wherein extracting the first communication identifier comprises extracting an identifier of a wireless communication terminal that participates in the monitored communication session.
  - 6. The method according to claim 5, wherein the wireless network comprises a Wireless Local Area Network (WLAN) and the first communication identifier comprises extracting a Medium Access Control (MAC) address that identifies the wireless communication terminal.
  - 7. The method according to claim 5, wherein the wireless network comprises one of a Global System for Mobile communications (GSM) and a Universal Mobile Telecommunications System (UMTS) Network.
  - 8. The method according to claim 1, wherein the detecting of the target individual, by the processor, comprises recognizing in the extracted image a car license plate that is associated with the target individual.
  - 9. The method according to claim 1, wherein the detecting of the target individual, by the processor, comprises recognizing in the extracted image a body feature that is associated with the target individual.

10. An apparatus comprising:
- an interface, which is connected to a communication network and is configured to monitor remote communication sessions conducted in the network using a Man in The Middle (MITM) protocol, wherein each monitored communication session comprises an exchange of communication traffic exchanged between communication terminals of the communication network; and
  
  a processor operatively coupled to the interface, which is configured to;
  
  extract from a monitored communication session, a digital image and a first and second communication identifier, wherein the first communication identifier identifies at least one of the communication terminals of the monitored communication session, wherein the second identifier is an application-layer communication identifier comprising an e-mail address or chat nickname used in the monitored communication session;
  
  detect whether a known target individual appears in the extracted image, wherein the detection comprises comparing the extracted image to images previously identified as being of the known target individual; and
  
  upon detecting that the known target individual appears in the extracted image, establish a correlation between the known target individual and the extracted communication identifiers, and report the established correlation to a computing system that is separate from the apparatus, wherein the computing system is configured to utilize the communication identifier of the reported established correlation to track subsequent communication sessions that include the first or second communication identifiers, wherein the correlation between the known target individual and the communication identifiers is not known to the computing system prior to the apparatus reporting the correlation to the computing system.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The apparatus according to claim 10, wherein the processor is configured to apply a face recognition process to the extracted image so as to recognize a face of the target individual in the image.
  - 12. The apparatus according to claim 10, wherein the processor is configured to receive communication traffic from the communication network, and to reconstruct the communication sessions from the received communication traffic.
  - 13. The apparatus according to claim 10, wherein one or more of the communication sessions is encrypted with a transport-layer cryptographic protocol, and wherein the processor is configured to decrypt the cryptographic protocol before extracting the digital image and the first and second communication identifiers.
  - 14. The apparatus according to claim 10, wherein the communication sessions comprise communication packets transferred over a wireless network, and wherein the first communication identifier comprises an identifier of a wireless communication terminal that participates in the monitored communication session.
  - 15. The apparatus according to claim 14, wherein the wireless network comprises a Wireless Local Area Network (WLAN), and wherein the first communication identifier comprises a Medium Access Control (MAC) address that identifies the wireless communication terminal.
  - 16. The apparatus according to claim 14, wherein the wireless network comprises one of a Global System for Mobile communications (GSM) and a Universal Mobile Telecommunications System (UMTS) Network.
  - 17. The apparatus according to claim 14, wherein the processor is configured to correlate an Internet Protocol (IP) address extracted from the monitored communication session with the first identifier of the wireless communication terminal.

18. A computer software product, the product comprising a tangible non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a first computing system, cause the first computing system to:
- monitor, using a Man in the Middle (MITM) protocol, remote communication sessions conducted in a communication network, wherein each monitored communication session comprises an exchange of communication traffic exchanged between communication terminals of the communication network;
  
  extract from a monitored communication session, a digital image and a first and second communication identifier, wherein the first communication identifier identifies at least one of the communications terminals of the monitored communication session, wherein the second identifier is an application-layer communication identifier comprising an e-mail address or chat nickname used in the monitored communication session;
  
  detect whether a known target individual appears in the extracted image, wherein the detecting comprises comparing the extracted image to images previously identifies as being of the known target individual; and
  
  upon the detection identifying that the known target individual appears in the extracted image, establish a correlation between the known target individual and the extracted communication identifiers, and report the established correlation to a second computing system that is separate from the first computing system, wherein the second computing system is configured to utilizes the reported established correlation to track communication subsequent sessions that include the first or second communication identifiers, wherein the correlation between the known target individual and the communication identifiers is not known to the second computing system prior to the first computing system reporting the correlation to the second computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Aviad, Rotem, Zamir, Ariel
Primary Examiner(s)
Cese, Kenny

Application Number

US13/663,388
Publication Number

US 20130108114A1
Time in Patent Office

1,758 Days
Field of Search

382103, 382105, 382106, 382115, 382118
US Class Current
CPC Class Codes

G06V 40/172   Classification, e.g. identi...

H04L 63/164   at the network layer

H04L 63/306   intercepting packet switche...

H04L 67/535   Tracking the activity of th...

H04W 4/21   for social networking appli...

System and method for interception of IP traffic based on image processing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for interception of IP traffic based on image processing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links