Network-based Interception
In many countries, telcos and ISPs are required by law to assist law enforcement agencies (LEAs) and other government agencies in performing network-based interception by implementing an Internal Interception Function (IIF) within their networks. The telco or ISP usually activates this IIF capability on the order of a judicial warrant.
Network-based interception involves the duplication of the communications of marked subscribers. Intercepted information (both content and event information) is relayed to a delivery/mediation function that formats it into a regulatory-compliant standard and delivers it through the network to the LEA monitoring facility for processing.
The generic handover interface adopts a three-port structure in which administrative information (HI1), interception related information (HI2) and the content of communication (HI3) are logically separated.

ETSI LI Reference Model
The relevant entities for lawful interception, as specified by the ETSI ES 201 671 standard, are shown in the figure above. The blue outer circle represents the Network Operator/Access Provider/Service Provider (NWO/AP/SvP) domain with respect to lawful interception. It contains the network internal functions, the internal network interface (INI), the administration function and the mediation functions for IRI and CC.
The white inner circle contains the internal functions of the network (e.g. switching, routing and handling of the communication process). Within the network internal functions, the results of interception (IRI, CC) are generated by the Internal Interception Function (IIF) capability of the switch or network.
The internal interception functions (IIF) provide the content of communication (CC) and the interception related information (IRI) at the internal network interface (INI). For both kinds of information, mediation functions may be used to produce the final representation of the standardized handover interfaces at the NWO/AP/SvP domain boundary.
Within the NWO/AP/SvP administration center, the LI-related tasks received via interface HI1 are translated into man-machine commands for the NWO/AP/SvP equipment.

Non-Intrusive Passive Interception
Passive interception of Internet and telephony communications (also known as tapping or trunk monitoring) involves the non-intrusive deployment of Front End (FE) probes in the network. This method is widely used by intelligence organizations and internal security services for the following reasons:

  • Provides a much broader range of information than standard LI interception methods.
  • Does not require an existing IIF capability and is not affected by changes in the network.
  • Requires minimal cooperation of the Telco.
  • Keeps the identity of a targeted suspect secret, as it can be performed without the knowledge of personnel working for the Telco or ISPs.
The non-intrusive passive interception method is usually deployed on links connecting the BSC and MSC in GSM networks, on international gateways, on the access links of an ISP, and so on. Because such a probe sits outside the operator's IIF and administration function, the per-warrant controls (target assignment, scheduling and audit trail) must be provided by the agency's own monitoring system.
Facility-Based Interception
Facility-based interception is used by law enforcement agencies when there is a need to deploy a rapid or temporary covert solution for gathering operational intelligence on a specific target. These small-scale, portable systems enable government agencies to relay intercepted data securely (online or offline). This solution can also be used as a self-contained basic Back End monitoring center.
  1. Interception Process Model
    An overview of the interception process is provided in the figure below. The interception process consists of four main functions: Interception, Delivery, Collection and Administration.
Interception is the first link in the chain. It is defined as the action of duplicating certain telecommunications and providing them to a Law Enforcement Monitoring Center (MC). The interception process includes a management function responsible for the marking (i.e. assignment) of specific intercepted entities according to specific Interception Criteria (IC), as well as the ability to duplicate these entities' telecommunications and deliver them to the MC. In our case, the probe is responsible for capturing the required information.
Delivery is the process of forwarding the interception products from the network to the agency. There are two basic types of products:
  • Communications Content (CC)
  • Interception Related Information (IRI)
The Delivery process involves the formatting and transmission of interception products according to recognized industry standards (international, national variants or proprietary). Several standards define the handover protocols for delivering intercepted communication data to a LEA. These standards are determined by institutes such as the European Telecommunications Standards Institute (ETSI) or its American counterpart, the Telecommunications Industry Association (TIA). Local standards and regulations may also apply.
Collection is performed inside the Monitoring Center (MC). It refers to the capture and short-term storage of CC and IRI delivered by the Delivery function. This is usually done automatically by dedicated components that communicate with the Delivery function according to a specific standard. The Collection components can be deployed in several layouts, determined by the customer's specific requirements.
The Administration function handles the creation and management of all system entities. It is responsible for the following aspects:
  • Assignment of intercepted subscribers.
  • Security issues relating to intercepted data.
  • Definition and assignment of user permissions.
  • Automatic triggering and termination of interception (based on predefined schedules).
  • Implementation of audit trail.
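As an added example (not code from Advantal, ETSI or any product named on this page), the following Python model walks the four functions described above, Interception, Delivery, Collection and Administration, and keeps the HI1/HI2/HI3 separation of the generic handover interface: administrative data (warrants, roles, schedule, audit trail) never mixes with the IRI stream, and the IRI stream never carries content. The LIID format, the role names, the record fields and the sample call/SMS traffic are assumptions constructed for the illustration; the real ETSI ASN.1 handover encodings are not reproduced.

```python
"""Model of the interception process: Administration (HI1), Interception by a probe,
Delivery split into IRI (HI2) and CC (HI3), and Collection in a monitoring center.
All identifiers and traffic below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class Warrant:
    """HI1 administrative record: which targets may be intercepted, and when."""
    liid: str            # lawful interception identifier (assumed format)
    targets: frozenset   # interception criteria, here MSISDNs (constructed)
    start: datetime
    end: datetime

    def active_at(self, t):
        return self.start <= t < self.end


@dataclass
class Administration:
    """Administration function: assignment, permissions, scheduling, audit trail."""
    roles: dict = field(default_factory=dict)      # user -> set of role names
    warrants: dict = field(default_factory=dict)   # liid -> Warrant
    audit: list = field(default_factory=list)      # (user, action, detail)

    def _require(self, user, role):
        # Separation of duty: every sensitive action is role-checked and audited.
        if role not in self.roles.get(user, set()):
            self.audit.append((user, "DENIED", role))
            raise PermissionError(f"{user} lacks role {role}")

    def assign(self, user, warrant):
        self._require(user, "warrant_admin")
        self.warrants[warrant.liid] = warrant
        self.audit.append((user, "ASSIGN", warrant.liid))

    def criteria_at(self, t):
        """Interception criteria currently triggered by schedule: target -> LIID."""
        return {tgt: w.liid for w in self.warrants.values()
                if w.active_at(t) for tgt in w.targets}


@dataclass
class Event:
    """One traffic record as seen by a passive probe (constructed)."""
    ts: datetime
    kind: str       # "call" or "sms"
    a_party: str
    b_party: str
    content: bytes  # voice payload or SMS text


def intercept(admin, event):
    """Interception: duplicate only traffic matching an active warrant.
    Returns the LIIDs the event must be delivered under (empty = not marked)."""
    crit = admin.criteria_at(event.ts)
    return [crit[p] for p in (event.a_party, event.b_party) if p in crit]


def deliver(liid, event):
    """Delivery/mediation: one HI2 (IRI) record and one HI3 (CC) record.
    The IRI record deliberately carries no content, only event information."""
    iri = {"port": "HI2", "liid": liid, "ts": event.ts.isoformat(),
           "kind": event.kind, "a": event.a_party, "b": event.b_party}
    cc = {"port": "HI3", "liid": liid, "content": event.content}
    return iri, cc


class MonitoringCenter:
    """Collection: short-term storage of IRI and CC, kept as separate streams."""
    def __init__(self):
        self.iri, self.cc = [], []

    def collect(self, iri, cc):
        if "content" in iri:          # HI2 must never carry HI3 material
            raise ValueError("content leaked into IRI stream")
        self.iri.append(iri)
        self.cc.append(cc)


def run(admin, mc, events):
    """Push a stream of probe events through interception, delivery, collection."""
    delivered = 0
    for ev in events:
        for liid in intercept(admin, ev):
            mc.collect(*deliver(liid, ev))
            delivered += 1
    return delivered


def demo():
    admin = Administration(roles={"alice": {"warrant_admin"}, "bob": {"reports"}})
    w = Warrant("LIID-0001", frozenset({"+15550001"}),
                datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 1, 2, tzinfo=UTC))
    admin.assign("alice", w)
    try:
        admin.assign("bob", w)    # report-only user may not assign targets
    except PermissionError:
        pass
    events = [   # constructed traffic: two hits, one unrelated, one after expiry
        Event(datetime(2024, 1, 1, 10, tzinfo=UTC), "call", "+15550001", "+15559999", b"voice-1"),
        Event(datetime(2024, 1, 1, 11, tzinfo=UTC), "sms", "+15558888", "+15550001", b"hello"),
        Event(datetime(2024, 1, 1, 12, tzinfo=UTC), "call", "+15557777", "+15556666", b"voice-2"),
        Event(datetime(2024, 1, 3, 9, tzinfo=UTC), "call", "+15550001", "+15559999", b"voice-3"),
    ]
    mc = MonitoringCenter()
    n = run(admin, mc, events)
    return n, [r["kind"] for r in mc.iri], [r["content"] for r in mc.cc], admin.audit


if __name__ == "__main__":
    print(demo())
```

Running `demo()` delivers exactly two products (the call and the SMS that involve the marked subscriber inside the warrant's window); the unrelated call is never duplicated and the call after warrant expiry is dropped by the schedule check, and the audit trail records both the successful assignment and the denied attempt by the reporting-only user.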

Advantal Interception Monitoring Solution
The Advantal interception monitoring solution integrates closely with the probe. It periodically fetches the IRI and CC from the probe and stores them for further analysis. The solution supports various types of analysis for call, SMS and fax.
The distributed architecture of the solution makes analysis faster and more accurate, and provides deployment flexibility, scalability, reusability and efficient use of resources. It is capable of handling very high call volumes, with dedicated resources per port so that platform performance does not degrade. For OA&M, a user-friendly GUI is provided for centralized configuration, error and performance monitoring with the help of detailed call logs and traffic counters. The product supports an IP interface. A web-based interface developed in .NET technology provides an intuitive panel for administration and control.
Reporting:
The solution has an intuitive reporting module for generating various kinds of reports. An admin with reporting capabilities can generate reports in HTML, Excel and PDF format, filtered by user, date, time and other criteria. Reports can also be generated automatically and either sent to a designated email address or written to a designated location.
Alarm Management:
The system supports SNMP-based alarm management and integrates with the OSS for updating raised alarms. Various types of alarms are supported, and each can be enabled or disabled by the admin. Among them are alarms for database services, hardware failures, application software failures and other important conditions. New alarms can be integrated into the system based on end-user requirements.
Security Controls:
The product is modularized with a super admin role that provides separation of duties among sub-admins. The super admin can create sub-admins and assign them roles in the system; some of the defined roles are report generation, user management and alarm management.
The solution is scalable to support higher load: more nodes can be added and the solution can be replicated.
High Availability
  • Database clustering / mirroring on Core