AU2008213165B2 - Methods, systems and apparatus for monitoring and/or generating communications in a communications network - Google Patents


Publication number
AU2008213165B2
Authority
AU
Australia
Prior art keywords
module
engine
signals
analyser
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
AU2008213165A
Other versions
AU2008213165A1 (en
Inventor
Brian Parsons
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced Media Systems Ltd
Original Assignee
Advanced Media Systems Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from NZ553112A external-priority patent/NZ553112A/en
Application filed by Advanced Media Systems Ltd filed Critical Advanced Media Systems Ltd
Publication of AU2008213165A1 publication Critical patent/AU2008213165A1/en
Priority to AU2008258126A priority Critical patent/AU2008258126B2/en
Application granted granted Critical
Publication of AU2008213165B2 publication Critical patent/AU2008213165B2/en
Ceased legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/304 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting circuit switched data communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/58 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP based on statistics of usage or network monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M3/00 Automatic or semi-automatic exchanges
    • H04M3/22 Arrangements for supervision, monitoring or testing
    • H04M3/2281 Call monitoring, e.g. for law enforcement purposes; Call tracing; Detection or prevention of malicious calls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M7/00 Arrangements for interconnection between switching centres
    • H04M7/006 Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M2215/00 Metering arrangements; Time controlling arrangements; Time indicating arrangements
    • H04M2215/01 Details of billing arrangements
    • H04M2215/0188 Network monitoring; statistics on usage on called/calling number

Description

WO 2008/097107 PCT/NZ2008/000013

METHODS, SYSTEMS AND APPARATUS FOR MONITORING AND/OR GENERATING COMMUNICATIONS IN A COMMUNICATIONS NETWORK

Field of the Invention

The present invention relates to methods, apparatus and systems for monitoring and/or generating communications in a communications network. The communications may include wired and/or wireless communications which may be used for the transfer of voice and/or data. More particularly, embodiments of the invention provide for lawful interception of communications and/or the collection of information regarding communications and/or the generation of communications.

Background

The Open Systems Interconnection (OSI) reference model provides a set of protocols that defines and standardises the data communications process to establish a networking framework which […] transfer of information from a first application to a second application through a network medium, where the first and second applications may reside or operate in first and second nodes or stations, respectively, typically computing
devices. A description of the OSI model in relation to internetworks is provided in "Designing Cisco Networks", Teare, D., Indianapolis: Cisco Press, July 1999, a copy of which may be found on www.cisco.com. The OSI model provides for implementing protocols in seven layers so that the transfer of information is broken down into smaller, more manageable tasks, with each layer being […]. Each layer is reasonably self-contained so that the tasks assigned to each layer can be implemented independently. The seven layers are specified below:

application (layer 7)
presentation (layer 6)
session (layer 5)
transport (layer 4)
network (layer 3)
data link (layer 2)
physical (layer 1)

The top three layers, known as the application set of layers (application, presentation and session), may be grouped together as they provide the application services required for the exchange of information, in that they allow two applications to interact with each other through the services provided by their respective operating systems. The bottom four layers or data transport layers (transport, network, data link and physical) may also be grouped together, with these four layers providing the end-to-end services necessary for data exchange between two systems using protocols associated with the communications network used to link the two nodes together.

Generally, any given layer will communicate with three other layers: the layers immediately above and below, as well as the peer layer in other networked systems. The services provided by adjacent layers help a given OSI layer communicate with its peer layer, which is important because the information exchange process occurs between peer layers. At the originating system, each OSI layer adds control information to the
data or information to be exchanged, whereas the destination system analyses and removes the control information from the data. Thus, the origination system works from the application layer to the physical layer, adding control information at each layer, whereas the destination system works from the physical layer to the application layer, extracting control information at each layer so as to arrive at the original data.

The physical layer defines the electrical, mechanical, procedural and functional specifications for activating, maintaining and deactivating the physical link between communication network systems. It is responsible for any encoding scheme, defines physical aspects such as cables and cards, provides electrical and mechanical interfaces for a network and specifies how signals are to be transmitted on the network.

The data link layer provides for the reliable transit of data across a physical network link by defining network and protocol characteristics, including physical addressing, which enables multiple devices to uniquely identify one another at the data link layer. The data link layer controls frame synchronisation, flow control and error checking.

The network layer defines the network address (as opposed to the physical address) and provides switching and routing technologies to create logical paths for transmitting from node to node. The layer also controls error handling, congestion control and packet sequencing.

The transport layer provides for the transparent transfer of data between end systems or hosts and is responsible for end-to-end error recovery and flow control, thereby ensuring complete data transfer.

The session layer establishes, manages and terminates communication sessions.

The presentation layer works to transform data into the form that the application layer can
accept so that the information or data sent from the application layer of one system is readable by the application layer of another system. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems.

The application layer supports application and end user processes by interacting with software applications that implement a communicating component. Functions of this layer include identifying communication partners and quality of service, considering user authentication and privacy, determining resource availability and synchronising communication.

Protocol stacks are particular implementations (usually in software) of a protocol suite. Protocol stacks are often divided into media, transport and application sections or layers, with interfaces, defined by software, provided between the media and transport layers and the transport and application layers. The media/transport interface defines how protocol software makes use of particular media and hardware types (e.g. card drivers). For example, this interface may define how TCP/IP transport software talks to Ethernet hardware. The application/transport interface specifies how application programs make use of the transport layers. For example, this interface may define how a web browser program talks to TCP/IP transport software.

Telecommunications service providers have been requested to facilitate the lawful interception of telephone calls and other transfers of information over their networks so as to enable authorised organisations, such as law enforcement agencies, to monitor and intercept communications by individuals under investigation.

US 2004/0165709 A1 describes the interception of calls within a Voice over Internet Protocol or VoIP network. The VoIP network includes a switch that offers IP-based telephony services for subscribers over a packet network. Packet interceptors are deployed in the packet network to
non-intrusively monitor the signalling and media packets which comprise […] a VoIP network. Following receipt of an interception request, a call monitoring engine notifies the packet interceptors to monitor for any activity on the VoIP network for a specific telephone. The packet interceptors then isolate and filter packets based on standard VoIP signalling protocols. In response to commands from the call monitoring engine, the packet interceptors forward voice packets to a voice packet receiver and assembler, which buffers and re-transmits the media stream to a law enforcement agency over a secure channel.

US 2002/0078384 A1 describes an interception method and system for a packet network, such as a GPRS (General Packet Radio Service) or UMTS (Universal Mobile Telecommunications System) network. A first network element is provided for intercepting data packets in a packet network. The first network element reads headers of data packets and uses this information to select whether or not to intercept a particular packet. Packets selected for interception are duplicated and sent to an interception gateway element (as well as the packet network), which in turn forwards the packets to an intercepting authority.

US 2005/0094651 A1 describes a lawful interception gateway which receives RTP/IP packets comprising the content of an intercepted communication between two or more users of a communication network from a media gateway. When a communication involving a target user is detected by the media gateway, the media gateway transmits interception related information and the corresponding communication content to a monitoring facility.

US patent number 5,913,161 describes lawful interception of cellular communications. Communications are copied at the interface to a base station subsystem. Control information is continuously monitored so as to identify target identification numbers of
called and calling parties. Upon finding a target number, the copy of the relevant channel is forwarded to a monitoring station.

EP 1 484 892 A2 describes lawful interception of packet switched network services. Interception functionality is provided at a switch, which may be any node in the network where data packets, including packets that contain the user ID of a subscriber to the network, can be intercepted. On attempting to log on, the user ID is compared to a list of target user IDs and if there is a match a copy of the communications is forwarded to a monitoring station.

There remains a need in the art for a system and/or apparatus and/or method which enables communications of different types to be monitored concurrently, particularly in or approaching real-time.

Summary of the Invention

It is an object of the invention to provide an improved system and/or apparatus and/or method for intercepting communications in a communications network.

Alternatively, it is an object of the invention to provide a system and/or apparatus and/or method for collecting information regarding one or more communications in a communications network.

Alternatively, it is an object of the invention to provide a system and/or apparatus and/or method for generating communications in a communications network.

Alternatively, it is an object of the invention to provide at least a useful choice to the public.

According to a first aspect of the invention, there is provided a module for use in a communications network in which a plurality of signals are transmitted between respective first and second nodes, the module comprising an engine for receiving the plurality of signals over the network, for extracting protocol data therefrom and for providing the extracted protocol data to an analyser; and a processor for controlling operation of the engine and the analyser.

Preferably, the module is adapted to divide signals between a respective first node and second node into a plurality of planes and to separately process each plane.

Preferably, the module is adapted to divide the signals into three planes.

Preferably, a first plane comprises the access side TRANSPORT plane which carries the user's payload (sms, voice, video, internet data etc) to the carrier's CO exchange for switching and routing over the telco's network, e.g. radio link, phone line, DSL line, PABX trunks, Ethernet etc. The module preferably simultaneously processes the transport layer on the access side of the network for call processing and the network side for internal management functions such as redundancy and system reliability.

Preferably, a second plane comprises call control information and/or network call signalling and may be referred to as the CONTROL plane. The module processes the control plane on both the access and core networks, depending on the carrier and the user device.

Preferably, a third plane comprises user plane traffic and may be referred to as the USER plane. This plane is primarily concerned with user generated content, e.g. voice, data etc, but may contain call control signalling and/or network information generated by users' applications, depending on service protocols. The module preferably processes the user plane on both the access and core networks.

Preferably, the module is configured to process the user and/or network control signalling and the control information to control processing of the user plane traffic.

Preferably, each plane is processed substantially simultaneously.

According to particular embodiments of the invention, the three planes are used to functionally group a particular signal's protocol layers. The planes are then preferably divided into two sections: access and core. The access section connects the user to the, for example, telco network (wireline, local loop, cellular, RAN etc) and the core section consists of the carriers' infrastructure switches. Particular call, session and/or user (including subscriber and/or device) identities may be generated and/or be simultaneously present in one or more of the three planes. The units of information processed in a plane may be referred to as a PDU or Plane Data Unit. Calls received which do not have the particular identity may be immediately discarded.

The PDU information content of each layer described above is only indicative of what would typically be expected and there is a high degree of overlap, particularly between the CONTROL and USER planes, especially in wireless networks.

Preferably, the module engine applies a weight to the PDU to facilitate high speed processing efficiency, provide a mechanism for real-time adaptation of the executing engine's code and ensure reliable content delivery.

Preferably, on a per call basis, each plane processes and assigns a weighting to the PDU (call component signalling) it receives and/or generates in combination with the previous plane weighting (if present) and local system parameters which contribute to system processing. The PDU weighting reflects the section (access-core), wireless/fixed technology, handling complexity, density, payload QoS, system processing intensity etc. […] traffic identified and not discarded and/or generated, the module engine code cycle operation applies a native and very natural logical centrifugal force to the weighted PDUs. This force aligns the PDU with upper plane particular
control processing such as exception handling or delivery routing changes for QoS to external systems.

Thus, embodiments of the invention enable real-time processing of communications by performing initial processing on only a portion of the data that makes up any given communication, namely user and/or network call signalling and/or transport information. More time and/or processor intensive operations may then only be performed for a subset of communications. However, through the use of the protocol information, routing and the control of the state of communications during processing is ensured.

Preferably, the module comprises means for duplicating the plurality of signals to form two or more sets of substantially identical signals.

Preferably, the means for duplicating comprises one or more of a tap, a mirror or a splitter. Note that the means for duplicating may not be included within the module but as an external component communicatively coupled thereto.

Preferably, the engine is configured to receive the first set of said signals.

Preferably, the module is configured to transparently transport the second set of signals such that each signal is conveyed to its respective destination node.

Preferably, the engine is adapted to extract protocol data from each of the plurality of signals (more particularly, each PDU) and form an engine CDC (Centrifuge Data Control) set or hash set for each said signal, each engine data set comprising information regarding user and/or transport and/or network signalling, control information and any user plane traffic. The engine may then apply a weight to the PDU, as described hereinabove.

Preferably, the engine is located remote from the analyser and/or the processor but communicatively coupled thereto.

Preferably, the analyser is located remote from the processor but communicatively coupled thereto.

Alternatively, any two or more of the engine, analyser and processor may be integrated.

Preferably, the processor is adapted to receive one or more mode signals which determine the functional characteristics of the module.

Preferably, the processor is adapted to receive a mode signal from a user entry
device.

Preferably, the processor is adapted to relay a first set of control parameters to the analyser in response to a mode signal.

Preferably, the analyser is adapted to relay a second set of control parameters to the engine in response to the first set of control parameters.

Preferably, the processor is adapted to relay a second set of control parameters to the engine in response to a mode signal.

Preferably, the processor is adapted to relay the second set of control parameters to the engine via the analyser.

Preferably, the analyser is adapted to modify the second set of control parameters prior to relaying said parameters to the engine.

Preferably, the analyser is adapted to extract operational parameters from a database in response to the first set of control parameters.

Preferably, the engine is adapted to extract operational parameters from a database in response to the second set of control parameters.

According to one embodiment, a mode signal may indicate a lawful interception mode of operation with the module being adapted to receive an identifier identifying one or more signals to be intercepted.

Preferably, the analyser is configured to locate the one or more signals from the plurality of signals using the identifier and the extracted protocol data. More particularly, the analyser may search the extracted protocol data for instances of the identifier.

Preferably, the identifier comprises a user identifier and/or a user device identifier associated with one or more of said signals. For example, the identifier may comprise one or more of a telephone number, a unique device or port identifier, a username, a login name, an email address, a URL, a service identifier or a category/type of service identifier. The type of identifier is not important and will depend on the particular application of the invention. Any identifier may be used which serves to selectively identify the desired subset of communications.

Preferably, the module is adapted to receive the identifier from a database. The database may form part of the module.

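The identifier search and early discard described above can be sketched as follows. This is an added illustration, not code from the patent: the PDU field names, the identifier normalisation rule, the "release" event and the sample traffic are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Plane(Enum):
    TRANSPORT = "transport"
    CONTROL = "control"
    USER = "user"


@dataclass(frozen=True)
class PDU:
    """Constructed stand-in for a Plane Data Unit (field names are assumptions)."""
    plane: Plane
    call_id: str
    protocol_data: dict
    payload: bytes = b""


IDENTITY_FIELDS = ("calling", "called", "username", "device_id")
PHONE_CHARS = set("+0123456789 -().")


def normalise(identifier: str) -> str:
    """Canonical form so differently formatted copies of one identifier compare equal."""
    ident = identifier.strip().lower()
    if ident and set(ident) <= PHONE_CHARS and any(c.isdigit() for c in ident):
        return "".join(c for c in ident if c.isdigit())  # telephone number: digits only
    return ident


def engine_extract(pdu: PDU) -> dict:
    """Engine step: build a per-PDU data set from protocol data only; payload is untouched."""
    identifiers = {
        normalise(str(pdu.protocol_data[name]))
        for name in IDENTITY_FIELDS
        if name in pdu.protocol_data
    }
    return {
        "plane": pdu.plane,
        "call_id": pdu.call_id,
        "identifiers": identifiers,
        "event": pdu.protocol_data.get("event"),
    }


class Analyser:
    """Searches engine data sets for target identifiers and tracks matched calls."""

    def __init__(self, targets, remote_node):
        self.targets = {normalise(t) for t in targets}
        self.remote_node = remote_node
        self.active_calls = set()  # call ids whose control signalling matched a target

    def process(self, pdu: PDU):
        data_set = engine_extract(pdu)
        call_id = data_set["call_id"]
        if data_set["plane"] is Plane.CONTROL:
            if data_set["identifiers"] & self.targets:
                self.active_calls.add(call_id)
            matched = call_id in self.active_calls
            if data_set["event"] == "release":
                self.active_calls.discard(call_id)  # call state ends with the call
            if not matched:
                return None
        elif call_id not in self.active_calls:
            return None  # no matching identity: discarded without reading the payload
        # Analysis set: engine data set plus the information needed for delivery.
        return {
            "engine_set": data_set,
            "deliver_to": self.remote_node,
            "payload_len": len(pdu.payload),
        }


# Constructed sample traffic: two calls, only the first involves the target number.
SAMPLE = [
    PDU(Plane.CONTROL, "c1", {"event": "setup", "calling": "+64 21 555 0100",
                              "called": "+64 9 555 0199"}),
    PDU(Plane.CONTROL, "c2", {"event": "setup", "calling": "+64 3 555 0111",
                              "called": "+64 4 555 0122"}),
    PDU(Plane.USER, "c1", {}, b"voice-frame-1"),
    PDU(Plane.USER, "c2", {}, b"voice-frame-2"),
    PDU(Plane.CONTROL, "c1", {"event": "release"}),
    PDU(Plane.USER, "c1", {}, b"late-frame"),  # arrives after release: discarded
]


def run(targets):
    analyser = Analyser(targets, remote_node="monitoring-station.example")
    return [analyser.process(pdu) for pdu in SAMPLE]


if __name__ == "__main__":
    for pdu, result in zip(SAMPLE, run(["+64215550100"])):
        print(pdu.plane.value, pdu.call_id, "kept" if result else "discarded")
```

Only the control-plane data decides which user-plane PDUs are kept, so a user-plane PDU that arrives before its call's signalling has matched, or after the call is released, is dropped.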
Identifiers may be received via a user entry device, such as a keyboard.

Preferably, the module comprises a memory for storing at least a portion of the intercepted signal and/or information obtained therefrom.

Preferably, the module comprises a transmitter for transmitting at least a portion of the intercepted signal and/or information obtained therefrom to a remote node, in which case, the module preferably comprises means for encrypting the at least a portion of the intercepted signal and/or information obtained therefrom prior to transmission.

Preferably, the remote node is located at or is in the control of a law enforcement agency.

Preferably, the analyser is adapted to generate an analysis hash set for each signal to be intercepted, the analysis hash set comprising at least a portion of the engine hash or data set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set and/or the associated user traffic to the remote node.

According to one embodiment, a mode signal may indicate an information gathering mode of operation.

In response to the mode signal, the analyser is preferably configured to gather information from at least a portion of the signals, such as for the purpose of billing users/customers.

It should be noted that the lawful interception mode and the information mode may operate concurrently and, according to particular embodiments of the invention, the information gathering may be performed for intercepted communications.

Preferably, the analyser is configured to extract details of the originating and/or destination nodes; and/or a duration of the communication; and/or an amount of data exchanged between the two nodes; and/or a type or category of service information.

Preferably, the analyser is adapted to format the information for transmission to a billing authority.

The billing authority may be a telecoms operator and/or an internet service provider.

The analyser is preferably adapted to generate an analysis hash set for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash or data set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the billing authority.

Alternatively, the module may be configured to gather information for testing and/or diagnostic purposes. In this case, the analyser is preferably configured to derive one or more statistics relating to at least a portion of the signals.

Preferably, the analyser is adapted to format the information for transmission to a remote station.

Preferably, the analyser is adapted to generate an analysis hash set for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash or data set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the remote station.

Preferably, the remote station is located at or under the control of a telecommunications company and/or an internet service provider and/or a network operator.

Again, it should be noted that the module may concurrently operate in more than one mode. Namely, the lawful interception mode may operate as the module is performing other data gathering processes.

According to a second aspect, there is provided an apparatus for generating communications to be sent to one or more destination nodes in a communications network, the apparatus comprising an engine communicatively coupled to an analyser; a processor communicatively coupled to the engine and the analyser; and a database; wherein the processor is configured to transmit control signals to the engine and/or the
analyser and, in response thereto, the engine and the analyser are configured to generate and route communications to the destination nodes using parameters from the database.

Preferably, the engine and the analyser are configured to generate protocol data for the communications based on the parameters, thereby enabling routing of the communications to their respective destination nodes.

Preferably, the parameters comprise one or more of a username, an email address, a telephone number, a unique device identifier, details of the transfer media to the respective destination nodes or a type of device identifier.

Preferably, the apparatus comprises a memory for storing user traffic, wherein the apparatus is configured to extract and associate at least a portion of the user traffic to each generated communication.

Preferably, the user traffic comprises voice and/or data traffic.

Preferably, the apparatus comprises means for generating the user traffic.

Preferably, the analyser is configured to generate an analysis hash set for each communication in response to the control signals using parameters extracted from the database.

Preferably, the engine is configured to generate engine hash or data sets in response to the control signals and using the analysis hash sets.

The analysis and engine hash sets contain protocol and control data which enable the generated communications to be appropriately routed.

The apparatus of the second aspect may contain the module of the first aspect, such that the module gathers information regarding the generated communications. Moreover, the elements of the apparatus of the second aspect may be the same as those of the module of the first aspect such that the same elements perform both the data gathering and call generation roles. Essentially, the apparatus of the second aspect provides the reverse functionality of many of the components of the first aspect.

The apparatus of the second aspect provides a means for generating communications so as to, for example, test at least portions of a communications network by providing data on that network. The invention enables this testing to be based on data that is akin to real data transferred over a network, but without the risk associated therewith.

According to one embodiment, in the call generation mode, means for routing the communications from the apparatus of the second aspect are provided so as to enable the communications to be presented to a particular network. Such means may include one or more of a tap, mirror or splitter.

According to a third aspect, there is provided a communications system comprising the module of the first aspect and/or the apparatus of the second aspect.

According to a fourth aspect, there is provided a method for use in a communications network in which a plurality of signals are transmitted between respective first and second nodes, the method comprising receiving the plurality of signals over the network at an engine, extracting protocol data from the received signals and providing the extracted protocol data to an analyser, and controlling operation of the engine and analyser using a processor.

Preferably, the method comprises dividing the signals between a respective first node and second node into a plurality of planes and separately processing each plane. More preferably, the signals are divided into three planes. Namely, the planes defined in relation to the first aspect.

Preferably, the method comprises processing the user and/or network control signalling and the control information to control processing of the user plane traffic.

Preferably, each plane is processed substantially simultaneously.

Thus each signal of the second set of signals may be relayed to its corresponding destination through the module or apparatus of the invention in, or substantially in, real-time such that a user at the destination node is unaware of any delay.
This is particularly important for lawful interception applications since it is vital that parties to the communications being monitored are unaware of the interceptions. More generally though, it avoids inconveniencing users and loss of connections.

Preferably, the method comprises duplicating the plurality of signals to form two or more sets of substantially identical signals, wherein a first set of signals is processed according to the method of the fourth aspect and a second set of signals is transparently transported such that each signal is conveyed to its respective destination node.

Preferably, the method comprises extracting protocol data from each of the plurality of signals and forming an engine hash set or an engine CDC (Centrifuge Data Control) set for each said signal, each engine hash set comprising information regarding user and/or transport and/or network signalling, control information and any user plane traffic. The method may further comprise adding a weight as described hereinabove in relation to the first aspect.

Preferably, the method comprises receiving one or more mode signals.

Preferably, a first set of control parameters is relayed from the processor to the analyser in response to a mode signal.

A second set of control parameters may be relayed from the analyser to the engine in response to the first set of control parameters, or directly passed from the processor to the engine. Alternatively, the second set of control parameters may be relayed from the processor to the engine via the analyser, in which case the analyser may modify the parameters prior to relaying them to the engine.
Preferably, operational parameters are extracted from a database in response to the first set of control parameters and/or the second set of control parameters.

According to one embodiment, a mode signal may indicate a lawful interception mode of operation and an identifier (or a plurality of identifiers) may be received identifying one or more signals to be intercepted.

Preferably, the one or more signals from the plurality of signals are located using the identifier and the extracted protocol data.

Preferably, the identifier is received from a database. The identifier may be received from a user entry device directly or via the

Preferably, at least a portion of the intercepted signal and/or information obtained therefrom is stored and/or transmitted.

Preferably, the at least a portion of the intercepted signal and/or information obtained therefrom is encrypted prior to transmission.

Preferably, the method comprises generating an analysis hash set for each signal to be intercepted, the analysis hash set comprising at least a portion of the engine hash or data set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set and/or the associated user traffic to the remote node.

According to another embodiment, a mode signal may indicate an information gathering mode, in which case the method preferably comprises gathering information from at least a portion of the signals in response to the mode signal.

The gathering of information may be for billing purposes, in which case details of the originating and/or destination nodes, and/or a duration of the communication, and/or an amount of data exchanged between the two nodes, and/or a type or category of service information may be extracted. The information
may be formatted for transmission and transmitted to a billing authority. Preferably, an analysis hash set is generated for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash or data set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the billing authority.

Alternatively, the gathering of information may be for testing and/or diagnostic purposes, in which case one or more statistics may be derived which relate to at least a portion of the signals. The information may be formatted for transmission and transmitted to a remote station. Preferably, an analysis hash set is generated for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash or data set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the remote station.

According to a fifth aspect, there is provided a method of generating communications to be sent to one or more destination nodes in a communications network, the method comprising transmitting control signals from a processor to an engine and/or an analyser, the engine being communicatively coupled to the analyser; and in response thereto, generating and routing communications to the destination nodes using parameters from the database by the engine and the analyser.

Preferably, the generating comprises generating protocol data for the communications based on the parameters, thereby enabling routing of the communications to their respective destination nodes.

Preferably, stored user traffic is used for the communications wherein at least a portion of the user traffic is extracted and associated to each generated communication.
Thus it is possible to test a network or portions of the network to see how they handle real traffic previously communicated on that or another network and to do so in real time. It is therefore a straightforward matter to test the operation of a network during its infancy or when modifications are made. Alternatively, the user traffic may be generated as required, either locally or remotely.

Preferably, an analysis hash set is generated for each communication in response to the control signals using parameters extracted from the database.

Preferably, engine hash sets are generated in response to the control signals and using the analysis hash sets.

Information regarding communications generated using the method of the fifth aspect may be gathered using the method of the fourth aspect.

Further aspects of the invention, which should be considered in all its novel aspects, will become apparent to those skilled in the art upon reading the following description which provides at least one example of a practical application of the invention.

Brief Description of the Drawings

One or more embodiments of the invention will be described below by way of example only and without intending to be limiting with reference to the following drawings, in which:

Figure 1 is a telecommunications architecture having three planes according to an embodiment of the invention;
Figure 2a is a schematic representation of a system of an embodiment of the invention;
Figure 2b is a schematic representation of a system of an embodiment of the invention, similar to that of Figure 2a but providing additional detail;
Figure 3 is a schematic representation of a first module of the invention and its interface with a second module;
Figure 4 is a schematic representation of a second module of the invention and its interfaces with the first module and a third module;
Figure 5 is a schematic representation of the third module of the invention and its interfaces with a second module and end users; and
Figure 6 is an end-to-end schematic representation of a system according to an embodiment of the invention.

Detailed Description of Preferred Embodiments

Service providers, including wired and/or wireless telecommunications companies (Telcos) and Internet service providers (ISPs), offer their subscribers many individually piped services and applications. As well as providing for the transfer of voice and/or data and/or information, authentication, billing and access to third-party application servers must also, for example, be performed. These services or applications may be integral to network switching and routing elements but the specific architecture and connecting technologies will depend on the Telco and the vendor equipment chosen.

Each application or service deployed by a service provider is made up of many protocol stacks. Each stack may be described in terms of the OSI reference model described hereinbefore. Between origination and destination nodes, each layer may be transformed or adapted depending on the service provider's architecture and the carrier technology deployed.
There is a wide range of connecting technologies, interfaces and architectures to deliver a service provider's application, some based on standards and others proprietary to the vendor supplying the equipment or application involved. Thus additional layers may be included and/or some layers of the OSI model may be altered or omitted.

Embodiments of the present invention provide apparatus, systems and methods that are able to operate in various environments and thereby enable service providers to move towards a more converged view whilst maintaining and supporting an existing customer base and legacy services. This is enabled using data obtained from the various OSI layers or protocol stacks, which may be performed for any type of communications, as will become apparent from the description below. The physical location of the application of the present invention within a communications system or network depends on its particular use and deployment model. According to preferred embodiments, the engine is located at an access aggregation point on the access side of the core network such that there is access for the apparatus of the invention to all or a desired portion of communications in the network.

Embodiments of the invention do not require changes to any of the hardware modules present in existing networks because whilst the module of the present invention may be included in an access aggregation point such as a switch, it is preferably provided upstream or downstream thereof so that it may receive all or a subset of the communications to and from the switch but does not require modifications to be made to the switch. Thus, embodiments of the present invention provide an application that is independent of vendor equipment, functionally holistic in access and core network switching technologies and capable of transparent, real-time operation.
Figure 1 shows a telecommunications architecture 1 having three planes 12, 13, 14. In each plane 12, 13, 14, the standard OSI reference model may apply in whole or in part (i.e. all or a subset of the OSI layers may be used for each plane 12, 13, 14). Planes 12, 13, 14 are configured such that the user/network signalling, control data and user traffic may be carried over physically separate bearer and/or transport technologies. First plane 12 (shown in light blue in Figures 1 to 5) is responsible for user traffic such as voice, data, applications and services. Second plane 13 (shown in light green in Figures 1 to 5) is responsible for control data. Third plane 14 (shown in light orange in Figures 1 to 5) is responsible for transport or user/network signalling. All planes 12, 13, 14 work together simultaneously to enable communications to and from a user or subscriber device 15. Typically, each plane interacts with the others and this interaction has many interfaces, each with its own particular protocol stacks. The application logic of the present invention maintains state for processing between planes, interfaces and protocols.

In preferred embodiments, the invention processes user/network call signalling and control data, thereby permitting the tracking of, analysis on and potential subsequent action on user plane traffic. Thus, it is possible to focus processing on key portions of communications and to only expend significant processing power and communications bandwidth on user plane traffic when required. The invention finds particular application to lawful interception of communications involving an identifier such as that of a particular user, service or any other identifier that may be selected. The identifier may be compared with information in the control data plane 13 and/or user/network signalling plane 14, with operations (e.g.
routing of the user plane traffic to a law enforcement agency) only being performed if required. Embodiments of the invention may also be used for data extraction purposes by identifying service users (such as calling and/or called parties in a telecommunications network), details of the communications (e.g. length of time for a communication and/or amount of data exchanged) and/or details of the type of service. The information obtained may be used for billing customers as well as in capacity planning and diagnostics. Capacity planning and diagnostics functionality may be provided using real communications over the network. However, embodiments of the invention provide for simulated call generation for this purpose so as to enable more rapid testing of network functionality. The call generation and data extraction functionalities are preferably provided in the same module using the same key components. However, the invention is not limited thereto and separate components may be used in the same module or separate modules may be used for each purpose.

The apparatus of the present invention is made up of three basic modules, an engine, an analyser and a processor, each of which may be implemented in hardware and/or software. The functions of each module are such that they support centralised or distributed processing wherein the functions may be performed by a single element or split over a plurality of elements. The particular configuration selected is not material to the invention and the skilled man would be readily able to select a particular configuration depending on performance requirements. It is therefore intended that all such configurations be included within the scope of the invention.

Referring again to Figure 1, to receive a service, subscriber 15 typically makes use of the service provider's access, core and service applications networks 17, 8.
This involves the use of several elements (shown as circles in the three layers) with interfaces therebetween. The real-time logic of the present invention understands the protocols between the various elements and extracts information therefrom. This is applied to processing for the user or service as required. Connections between plane elements are interfaces that consist of various physical interfaces and protocol stacks. Thus, the invention provides for a multi-protocol real-time switching and processing application for wireless and fixed access and core technologies. This provides service providers with direct real-time processing of all user activity and applications present on their network. This processing may be on a particular subscriber or on a service used by many subscribers.

Figure 2a shows a schematic representation of a system 20 according to an embodiment of the invention. As discussed above, the application of the invention comprises three modules. These are engine module 21, analysis module 22 and process module 23. The modules work together to provide carriers complete visibility of the user/network signalling and payload traffic flowing over their networks. Modules 21, 22 and 23 are communicatively coupled to database 24 which holds unique subscriber or application service identifiers. The real-time processing of the invention of access and core network interfaces and protocols allows for an array of user or service specific identifiers, such as telephone numbers, login names, Internet service provider (ISP) homepages etc. There are no restrictions on the form of the identifiers or the type of communication to which the invention may be applied. The identifiers may depend on the technology or may be common to the service. Also, embodiments of the invention are able to operate regardless of the vendor equipment deployed by a fixed and/or wireless carrier.

Engine module 21 applies fixed and wireline protocol analysis and creates hash sets of current subscriber calls, application services and their particular states, which it provides, along with other information such as statistics, to analysis module 22. Record sets provisioned in database 24 are used to determine which calls and application services are to be processed.

Similar to engine module 21, analysis module 22 implements fixed and wireless protocol stacks and is fully aware of processes occurring in all seven OSI layers. Analysis module 22 controls the processing logic within engine module 21 based on applications loaded in process module 23. Unlike engine module 21, which uses the actual signalling provided by the network, the protocol analysis performed by analysis module 22 works on the hash sets provided by engine module 21, which dramatically speeds up the switching and processing of user payloads. Analysis module 22 and engine module 21 work together providing a high-speed switching lane for user plane traffic.

Process module 23 provides instructions to analysis module 22 setting the functional characteristics thereof depending on the particular application of the invention.
For example, for a capacity planning role (as will be discussed in more detail below), analysis module 22 and engine module 21 only require statistics to be recorded whereas in a lawful interception role, multimedia voice and data is switched in real time through to the (law enforcement) agencies authorised to make the interceptions. Process module 23 also provides interfaces to the end user, carrier NOC (Network Operations Centre) or other control centre and/or reporting servers, as applicable, whether data, media or reporting is delivered. Process module 23 has an administration interface whereby an operator can provision IDs or identifiers, URIs (Uniform Resource Identifier), application services (fixed or cellular) etc. they would like to troubleshoot, analyse or receive in real-time.

Figure 2b is a schematic representation showing functionality according to a preferred embodiment of the invention. The module is preferably adapted to divide signals between a respective first node and second node into a plurality of planes and to separately process each plane. More preferably, signals are divided into three planes: transport, control and user planes.
The access side TRANSPORT plane carries the user's payload (SMS, voice, video, internet data etc.) to the carrier's CO exchange for switching and routing over the telco's network, e.g. radio link, phone line, DSL line, PABX trunks, Ethernet etc. The module preferably simultaneously processes the transport layer on the access side of the network for call processing and the network side for internal management functions such as redundancy and system reliability.

The CONTROL plane includes call control information and/or network call signalling. The module processes the control plane on both the access and core networks, depending on the carrier and the user device.

The USER plane includes user plane traffic. This plane is primarily concerned with user generated content, e.g. voice, data etc., but may contain call control signalling and/or network information generated by user applications depending on service protocols. The module preferably processes the user plane on both the access and core networks.

The three planes are used to functionally group a particular signal's protocol layers. The planes are then preferably divided into two sections: access and core. The access section connects the user to the, for example, telco network (wireline local loop, cellular, RAN etc.) and the core section consists of the carriers' infrastructure switches. Particular call, session and/or user (including subscriber and/or device) identities may be generated and/or be simultaneously present in one or more of the three planes. The units of information processed in a plane may be referred to as a PDU or Plane Data Unit. Calls received which
do not have the particular identity may be immediately discarded.

The PDU information content of each layer described above is only indicative of what would typically be expected and there is a high degree of overlap, particularly between the CONTROL and USER planes, especially in wireless networks.

Preferably, the module engine applies a weight to the PDU to facilitate high speed processing efficiency, provide a mechanism for real-time adaptation of the executing engine code and ensure reliable content delivery.

Preferably, on a per call basis, each plane processes and assigns a weighting to the PDU (call component signalling) it receives and/or generates (depending on the mode of operation) in combination with the previous plane weighting (if present) and local system parameters which contribute to system processing. The PDU weighting reflects the section (access, core), wireless/fixed technology, handling complexity, density, payload QoS, system processing intensity, etc. For traffic identified and not discarded and/or generated, the module engine code cycle operation applies a native and very natural logical centrifugal force to the weighted PDUs. This force aligns the PDU with upper plane particular control processing such as exception handling or delivery routing changes for QoS to external systems. Details of a preferred weighting scheme are provided in Figure 2b. The skilled person will be aware of other weighting schemes and the invention is not limited to the specifics of the schemes shown.

The engine may extract protocol data from each signal (more particularly each PDU) and form an engine CDC (Centrifuge Data Control) set or hash set for each said signal, each engine data set comprising information regarding user and/or transport and/or network signalling, control information and any user plane traffic. The engine may then apply a weight to the PDU, as described hereinabove.
Figure 3 is a schematic representation of engine module 21 and its interface with analysis module 22. Engine module 21 receives signals over any number of interfaces carrying user and/or network control and signalling and user traffic. These interfaces may be physical or logical. For example, they may be VPN (virtual private network) based with VPLS (virtual private LAN service) or MPLS (multiprotocol label switching) encapsulations. The physical transport to the apparatus of the invention may use copper wire and/or optical fibres and may be adapted to receive and transmit or receive only. All forms of L1 and L2 encapsulation are supported. There is no limit to the call processing capabilities other than the switching and processing limits inherent of the platform on which the application of the invention resides. The engine is designed to process each layer of the particular protocol stack as efficiently as possible through the use of hash sets which are parsed versions of the protocol stacks associated with given communications.

Each physical connection contains interfaces having a specific inter-plane connection (see Figure 1) or several interconnections. Interfaces may carry fixed and/or wireless protocol stacks, where the connection is specific to a particular fixed or wireless interface.
For example, the Gn interface (a GPRS interface located between GPRS support nodes) is a specific UMTS access technology interface as per 3GPP; C7 ISUP (ISDN user part, a key protocol in the C7/SS7 signalling system) is common to both fixed and wireless access and
core technologies. Engine module 21 provides the logic to correlate the common and specific interfaces and protocols and has logic to maintain the state between the interfaces and their layers such that communications continue to be relayed in a transparent manner.

The invention processes and parses the received fixed and wireless protocol stacks (starting at layer 1) in accordance with fixed and wireless protocol signalling standards such as, for circuit, ITU/ANSI C7 ISUP WB and international Q.769, and cell packet technologies ATM, DSL, Frame Relay, IP, cellular etc.

Engine module 21 constructs hash sets (preferably one to two bytes in length but may be up to four bytes) for maintaining protocol and call state information. The hash sets are read and written to via bitwise logic operations and are produced on a per subscriber basis but may be consolidated based on application service, access technology, carrier technology etc. The relevant call signalling is extracted and maintained by way of the hash sets for the purpose of keeping state for subsequent logic. The length of the hash sets depends on the particular layer, interface and plane over which the signalling is occurring.

Engine hash sets are produced as a result of protocol analysis which requires particulars of the subscriber or service of interest. These particulars are provided in database 24 and can be changed at any time during operation of the invention. The records stored in database 24 are of a nature that provides unique call/service identifiers which are groomed and applied to the protocol stacks relevant to the traffic on the inbound interfaces.

Engine module 21
provides common protocol stack switching whereby certain protocol layers are common to many stacks. For example, the-, T-protocol may be accessed via wireless (PDA) or fixed (broadband) networks and there is no need to duplicate this layer. Every layer is carefully maintained for state information and system maintenance purposes and to overcome access and transport connectivity issues such as packet loss and congestion which cause problems in terms of dormant sessions and memory loss.

The unique hash sets provide details on the current call state by consolidating details for each relevant interface participating in a particular call or calls, taking account of network congestion and retransmission algorithms and strategies, which is critical particularly for traffic inbound over lossy wireless access networks.

What information engine module 21 extracts depends on the technology employed at the particular layer. For example, fixed voice may be carried over different protocols (from layer 1 through to layer 6), but layer 7 is still voice (layer 1 could be an !FV or Ethernet); it depends on the carrier infrastructure. It becomes more complex when wireless (GSM/UMTS (3GPP) vs CDMA/EVDO (3GPP2)) functionality is added. Engine module 21 understands this variation on a per layer basis and tracks the changes in protocols (layer 1 through to layer 7). As a result of this variation the input to the hash sets may vary from protocol to protocol and could be
ATM/VPN identifiers, through to session/sequence numbers and cryptographic hashes, basic information specific to the owner/generator/terminator of the communications stream, or simply data that helps in the reassembly of a fragmented traffic stream. The length of the hash sets may vary depending on what is being hashed and they contain bits to identify the protocol owner and stream information to aid in the multiplexing of real-time QoS (Quality of Service) aware traffic.

Figure 4 is a schematic representation of analysis module 22 and its interfaces with engine module 21 and process module 23. Analysis module 22 controls the processing performed by engine module 21 in accordance with the service instructions received from process module 23. The instructions it receives depend on the particular application of the invention being performed on the selected call or service. Call and service specific details are read from database 24. Analysis module 23 provides information to process module 23, such as call service trace data and call statistics, as well as providing health of system and/or diagnostic data for system logs, alarming and maintenance purposes.

Analysis module 22 implements feed-forward towards process module 24 and feed-back towards engine module 21, with the particular information being passed depending on the particular application of the invention. Critical details required to support the particular application are provided in a memory such as database 24.
Call states are maintained through analysis hash sets which are based on the engine hash sets (i.e. the hash sets generated by engine module 21) and the instructions received from process module 23. Thus, the analysis hash sets may contain data from the engine hash sets as well as, for example, routing and control information to enable the desired function to be performed (e.g. the correct routing of data to a law enforcement agency when operating in the lawful interception mode or the forwarding of data to a local or remote memory when operating in a diagnostic mode).

Thus analysis module 22 simply controls what engine module 21 is looking for in terms of relevant identifiers (whether these identifiers be for lawful interception, billing or other information gathering or call generation). This aids in the real-time multiplexing of media audio/video or any QoS-aware traffic and the generation of the appropriate data, which again depends on carrier infrastructure and technologies.

Figure 5 is a schematic representation of process module 23 and its interfaces with analysis module 22 and example end users. Process module 23 provides top level control for the invention in that it adapts and controls the behaviour of engine and analysis modules 21 and 22 depending on the particular application, such as traffic analysis, real-time billing, lawful interception
etc. Each specific application requires data configuration and details which are provided by database 24, which is preferably readable by all three modules 21, 22, 23.

Process module 23 sends instructions to analysis module 22 for tuning and tailoring the protocol analysis stack functions. As a result, analysis module 22 may similarly tune and tailor the function of engine module 21. The instructions are on a per call or service basis and do not apply in a global sense, thereby allowing the invention to perform multiple roles simultaneously without interference. For example, communications may be generated in a generation mode and substantially simultaneously recorded for statistical purposes in a capacity planning role.

Through use of the protocol hash sets generated by engine and analysis modules 21 and 22, the invention supports real-time processing of various communications including standard PSTN voice traffic, soft-switch based voice over IP technology and peer to peer technologies such as Skype and the like. An embodiment of the system showing such capabilities is provided in Figure 6. (Note that the skilled man would be aware of alternative/additional technologies and/or transport media which may be included other than those specifically shown in Figure 6 and it is intended that all such alternatives/additions be included within the scope of the invention.)

Figure 6 shows example system 60 including some of the inventive aspects of the invention, in particular, those relating to lawful interception of communications. Access network 61, wireless network 62 and fixed network 63 enable elements within system 60 to communicate with one another, as would be apparent to one of skill in the art. Other transmission media, including via satellites, are also
within the scope of the invention. Module 64 of the invention receives all communications, or at least a copy thereof, being transferred across the network (note that reference "BXP" in Figure 6 is used to highlight the key components of the invention). Relevant communications are intercepted and sent over, for example, virtual private network (VPN) 65 to a remote server 66. User interface 67 is provided to enable the results to be monitored and also to enable the provision of identifiers into the system so that particular communications may be targeted for interception. Note that server 66 and monitor 67 may be directly coupled to or integral to module 64.

An embodiment of the method of the invention will now be described with reference to Figure 2a. At step 0 the identifiers are loaded from database 24, and at step 1, protocol analysis is performed by engine 21 on incoming traffic to determine call technology and state. Hash sets are created for each communication and sent to analysis module 22. At step 2, analysis module 22 performs particular functions on the engine hash sets depending on instructions received from process module 23 and identifiers received from database 24. Based on call state data received from analysis module 22 and the particular role or application the system or method of the invention is selected to perform, further instructions are sent to analysis module 22 for execution at step 3. Analysis hash sets are created as a result of this processing. The analysis hash sets may be generated for all or a subset of the communications depending on the mode of operation of the invention. For example, in the lawful interception mode, analysis module 22 may identify relevant communications and only
20 generate analysis hash setsefdr-the identified-communicatidois At-step:4; analysis rmodule22 carries out any instructions received fromaprocess module 23: For exampleithe instmrutions-a -- may be to connect-a-highsspeed switching socket for media relay or to tavessignatli tiand -callstatistics to- a-memory and/or a-display (not shown) These instrudtions willdepen&ona the-particular role selected to be performed.-Thehash sets- are -modified-Ato-reflect-these 25 instructions= - -Analysis module -22 may -receive-instructioristo-prioritise certainctalissand/orpservices - overothersat step 5-.-Additionally-eedback is-provided Ato engine721 so-thatAit:wiks-with maximum efficiency, suchtas by-deploying ICMP (Internet Contro MessagePotocol) orARPR- (Address-Resolution--ProtoGol)-filters, -At-step:-6, engine~ 21 applies protodo--.analysiS- forall[ 30 OSI layers for every-frame or- cell. - Certainprotocols maybe filtered-for-expicitly for eithere processing or-to-be dropped:, -Tuning- instructions for engine 21 are providedsby7analysis module 22. The instructions received by-engine 21:at stepTmaybe tonnecta hightspeed edia lane to process-module--2;--inwhiccase the- connections are made'anduser plane traffic is-relayed througtot-its-destination.- The high speed media-sWitchirg lane"rquTires thew -re a e e tn to - - v-. . . . . - - ------ -- -- - WO 2008/097107 PCT/NZ2008/000013 23 use of both-the engine-and-analysis-hash sets to ensure-that state is -maintained-for the communications and that they are correctly routed. On receiving data reports, media etc at step 8 from engine 21 and analysis module 22,-process module 23 cuts, for example; ASN.1 -(Abstract Syntax Notation One) records withe 5 details-regarding the call or application service for.formal reporting into the-business. 
-ASN: is a-formal notationused for-describing data-transmitted by telecommunicationsprotocols, regardless of language implementation and physical representation-of.the datawhatever-the application, whether complex or simple. - It is a language for abstractly describing messages to be exchanged amongoan.extensive rangeof applications involving the'Internetintelligent 10 networkcellular phones-:-ground-to-air communications, electronic cormmerce- secure electronic services, interactive television, intelligent* transportationssystems VoiceO Perm and others. Analysis module 22 ensures-that content reporting,-multimedia, rtpystatistics etc are delivered: to the provisioned- end-p6int-destinations: Receipt of all-transactionsaind. communications is preferably-confirmedgusing protocols known to-those of skill in the art.: 1:5 - - Embodiments of the inventionado not replace deployed networkelementssor systems - but instead complimentbexisting systems byf erforming-analysis-and relay-oftraffic- -- mtransparently-(to the originating and--destination nodes)- and lrrrea[ timeuThugn--nad requirements are imposed on the existing -infrastructure allowing for deployment of the invention in existing:systems.r§s - .20 t =-- Embodiments of the-invention-may not-only be usedfor monitoing communications Additionally or alternatively;, embodiments.ofthe invention naybea used:to-gererate communications. 
These embodiments:aare -of particular- value- when-wcombined Withnthe monitoring systems described hereinbefore-because rthis enables-aservicesprovider to quickly and easily-test the capabilities-of their-systems under anydesired -conditions§Thus 25 embodiments of the inventiommay be used-to- rapidly test: new-components-deployed-in a communications-network,thereby-allowing them to become operational and an active part of the network more quickly-but -avoidinglossof any-actual-user traffic=.:- - a--- + According::to the communications generation-aspects of the invention, the engine, -analyser and processor-work together--to-generate -the communications.--The:- processor - -- 30 provides control signals'to- theengine and/or-the analysis and-in 'response'thieretothe engine and the analyser generate:and route: communicationstothe -desire-d destination" nodes: using. parameters -from aadatabasepsuch -as, databaser24inigur-o2a re-"--.. particularly ,he-engine andthe-analyser: generate protocol datafor-the-communications -f based on: the parameters-which may-include-one or more of a username-an esniladdtes 35 a telephone number, a-unique device identifier or a type of device identifier: -The parameters: WO 2008/097107 PCT/NZ2008/000013 24 may4 also includeaparticulars of-the transmission medium. Thusprotocol stacks may be generated which enable transmission of the communications These stacks may be formed by thesanalyser generating an :analysis hash setfor each communication inresponse to the. 
- control signals using, parameters extracted -from the database -and-theengine generating-e 5 respective engine hash sets in response to the control signals and using the analysis hasha sets, and possibly additional parameters retrieved fror the database AIrmermory,-such'u as database 24 of Figure 2a-, maystore sample user traffic which is- appended to-the .-- :communications".The user traffic-may' include voice and/or dataAraffictapplications-or -services.- According to one- embodiment- means are provided for generating-the usetraffic,' -10- -The--means for generating may be-adapted to-generate-traffic in acordance with-parameters -previously- monitored-for the network or a similar network usingAhe monitoring-apparatlsof -- matheinvention.Random-generators may-be-used-to mimic variations-which-are likelyto-csceur " -within the network- Thus, it is: possibld-to generate -traffic which is similaito that-whicheriaey - -- - actually be-communicated-over-the network. - - - - - --- " - Thus ore or a plurality-of communications streams-may beset up between"twor ,rumore real-devices:. Protocol layers (iteheader/ tail) are generated onia-percall basisfor -the-desiredsnumber of calls'and technology-(e4g'fixed/wireless ValPSMS;- voiceft)" ad'the payloads of the calls-are multiplexed through to the destinationsstemeApopriate statistics-and diagnostics can be performed in real-time or cantbe-recorded for-seffline-. c20 analysis of thecarrier infrastructure and subsystems (eig*.transmissihn; billing, e INretcY Apple ications ofthe invention i ncludeWreal-time ISP/teloapplications-or services troubleshooting on-a-per cal orper services -- bTasise a § . 
eal tiimencall -traffic generate o of user/network-isigfillingand--usertraffic f61the 25 purpose of-loadirig network/servie -elements- dirduit and packet7 fieda dcellular dhih nincationsare supported;* -' real timebil iig record generation on a per call or per service basis adtirne viewing of network states cs ar S''WfaUlinriidtirh'ial tim 'Thinventionis'not limited to thes& applications and tieskilledinimrabe Wae obf -- tie> It is intendedtat'allosuch applidati6ns be included withinihescope of-the-i en tio whether they indiudetheerction 'dat regarding communicationand/or the'g e r focii-hiiniations in-6ain-c-rnunatidlifinefu6rk --- --------- e---- -Unie many eVlu ragemes 6 suc as that described- in OOO'5 35 ifnbd6ii nts of tie present invention are not Iiniited to one-particular typeoftcommunication WO 2008/097107 PCT/NZ2008/000013 25 overone particular. portion-of a network: For example, US 2004/0165709 is limitedto a Telco's core IP network, with the interceptor limited-to VolP communications: Embodiments of the invention may:process all types of communications on-both the access andre networks, -thereby guaranteeing: interception -of any target. The novel approach described 5 herein- enables this tom-be: realised: despite the- potentially huge-volumes of dataf-being: transported around a network-and without causing delays in the transmission of traffic ore storing data-which is not being legitimately targeted. -Furthermore, contrary to-prior-approaches, embodiments of the-invention provide for --operation at layer thereby -enabling various components -of-the -systemtot 4eliably 10 communicate with onexanother An additional advantage is that-forexample eographical redundancy may be:provided-such asfor telephone numbersincaeembodiments-of the iventionenable geographical restraints to be removed. :-- -- z - - various changes- and modifications tothe presently preferred embodinents described herein will-be apparent-to those skilled in the-art. 
Suchchangeszand modifications-ay be 15 madeFwithoutdepartings fromthe spirit!andscope of the-present4invartiondaMdWithout diminishing its- attendant-'advantages. lt-is -therefore;intended that suchchangssand - modifications be-included withinthe-present invention.
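A minimal model of steps 0 to 4 of the method described above, added here as an illustration and not taken from the patent: control-plane data decides what happens to user-plane data, two roles run over the same engine hash sets at once, and payload is retained only for communications matching a loaded identifier. The record layout, the class, field and mode names, and the sample frames are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class EngineHashSet:
    """Per-communication record built by the engine (layout is assumed)."""
    call_id: str
    technology: str
    state: str = "setup"
    identifiers: set = field(default_factory=set)
    user_bytes: int = 0


class Module:
    """Hypothetical stand-in for the engine/analyser/processor trio."""

    def __init__(self, targets, modes):
        self.targets = set(targets)   # step 0: identifiers loaded from the database
        self.modes = set(modes)       # roles selected through the processor
        self.engine_sets = {}         # call_id -> EngineHashSet
        self.retained = {}            # call_id -> payloads kept for interception

    def ingest(self, frame):
        """Step 1: protocol analysis of one frame, split by plane."""
        hs = self.engine_sets.setdefault(
            frame["call_id"], EngineHashSet(frame["call_id"], frame["tech"]))
        if frame["plane"] == "control":
            hs.identifiers.update(frame.get("ids", ()))
            hs.state = frame.get("state", hs.state)
        elif frame["plane"] == "user":
            # Metadata (byte count) is tracked for every call; the payload
            # itself is kept only when the control plane matched a target.
            hs.user_bytes += len(frame["payload"])
            if "intercept" in self.modes and hs.identifiers & self.targets:
                self.retained.setdefault(hs.call_id, []).append(frame["payload"])

    def analysis_sets(self):
        """Steps 2-4: build analysis hash sets per role, per communication."""
        out = {mode: {} for mode in self.modes}
        for cid, hs in self.engine_sets.items():
            matched = hs.identifiers & self.targets
            if "intercept" in self.modes and matched:
                out["intercept"][cid] = {
                    "matched": sorted(matched),
                    "state": hs.state,
                    "payloads": len(self.retained.get(cid, [])),
                }
            if "billing" in self.modes and hs.state == "released":
                out["billing"][cid] = {
                    "technology": hs.technology,
                    "user_bytes": hs.user_bytes,
                }
        return out


# Constructed sample traffic: two calls, only c1 carries a targeted identifier.
FRAMES = [
    {"call_id": "c1", "tech": "VoIP", "plane": "control",
     "ids": ["alice@example.test", "+6400000001"], "state": "active"},
    {"call_id": "c2", "tech": "PSTN", "plane": "control",
     "ids": ["+6400000002", "+6400000003"], "state": "active"},
    {"call_id": "c1", "tech": "VoIP", "plane": "user", "payload": b"\x00" * 160},
    {"call_id": "c2", "tech": "PSTN", "plane": "user", "payload": b"\x00" * 160},
    {"call_id": "c2", "tech": "PSTN", "plane": "user", "payload": b"\x00" * 160},
    {"call_id": "c1", "tech": "VoIP", "plane": "control", "state": "released"},
    {"call_id": "c2", "tech": "PSTN", "plane": "control", "state": "released"},
]


def run(frames, targets, modes):
    """Feed every frame through a fresh module and return it for inspection."""
    module = Module(targets, modes)
    for frame in frames:
        module.ingest(frame)
    return module


if __name__ == "__main__":
    m = run(FRAMES, {"+6400000001"}, {"intercept", "billing"})
    print(m.analysis_sets())
    print("retained calls:", sorted(m.retained))
```

An audit of such a system would check exactly what the last line prints: the set of calls with retained payload must equal the set of calls that matched a provisioned identifier.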

Claims (107)

1. A module for use in a communications network in which a plurality of signals are transmitted between respective first and second nodes, the module comprising: an engine for receiving the plurality of signals over the network and for extracting protocol data therefrom; an analyser for receiving the extracted protocol data; and a processor for controlling operation of the engine and analyser, wherein the module is adapted to divide signals between a respective first node and second node into a plurality of planes and to separately process each plane.
2. The module of claim 1, wherein the module is adapted to divide the signals into three planes.
3. The module of claim 2, wherein a first plane comprises the access side transport plane which carries a user's payload.
4. The module of claim 2 or claim 3, wherein a second plane comprises control information and/or network call signalling.
5. The module of any one of claims 2 to 4, wherein a third plane comprises user plane traffic.
6. The module of claim 5 when dependent on claims 3 and 4, wherein the module is configured to process the user and/or network control signalling and the control information to control processing of the user plane traffic.
7. The module of any one of the preceding claims, wherein each plane is processed substantially simultaneously.
8. The module of any one of the preceding claims, comprising means for duplicating said plurality of signals to form two sets of substantially identical signals.
9. The module of claim 8, wherein said means for duplicating comprises one or more of a tap, a mirror or a splitter.
10. The module of claim 8 or claim 9, wherein the engine is configured to receive the first set of said signals.
11. The module of any one of claims 8 to 10, wherein the module is configured to transparently transport the second set of signals such that each signal of the second set is conveyed to its respective destination node.
12. The module of any one of the preceding claims, wherein the engine is adapted to extract protocol data from each of the plurality of signals and to form an engine hash set for each said signal, each engine hash set comprising information regarding user and/or transport and/or network signalling, control information and any user plane traffic.
13. The module of any one of the preceding claims, wherein the engine is located remote from the analyser and/or the processor but communicatively coupled thereto.
14. The module of any one of the preceding claims, wherein the analyser is located remote from the processor but communicatively coupled thereto.
15. The module of any one of the preceding claims, wherein the processor is adapted to receive one or more mode signals which determine the functional characteristics of the module.
16. The module of claim 15, wherein the processor is adapted to receive a mode signal from a user entry device.
17. The module of claim 15 or claim 16, wherein the processor is adapted to relay a first set of control parameters to the analyser in response to a mode signal.
18. The module of claim 17, wherein the analyser is adapted to relay a second set of control parameters to the engine in response to the first set of control parameters.
19. The module of any one of claims 15 to 17, wherein the processor is adapted to relay a second set of control parameters to the engine in response to a mode signal.
20. The module of claim 19, wherein the processor is adapted to relay the second set of control parameters to the engine via the analyser.
21. The module of claim 20, wherein the analyser is adapted to modify the second set of control parameters prior to relaying said parameters to the engine.
22. The module of claim 17 or any one of claims 18 to 21 when dependent thereon, wherein the analyser is adapted to extract operational parameters from a database in response to the first set of control parameters.
23. The module of any one of claims 18 to 21, wherein the engine is adapted to extract operational parameters from a database in response to the second set of control parameters.
24. The module of any one of claims 15 to 23, wherein: a mode signal indicates a lawful interception mode of operation; and said module is adapted to receive an identifier identifying one or more signals to be intercepted.
25. The module of claim 24, wherein the analyser is configured to locate said one or more signals from the plurality of signals using the identifier and the extracted protocol data.
26. The module of claim 24 or claim 25, wherein the identifier comprises a user identifier and/or a user device identifier associated with one or more of said signals.
27. The module of claim 24 or claim 25, wherein the identifier comprises one or more of a telephone number, unique device or port identifier, username, login name, email address or a URL.
28. The module of claim 24 or claim 25, wherein the identifier comprises a service identifier.
29. The module of claim 24 or claim 25, wherein the identifier comprises a category of service identifier.
30. The module of any one of claims 24 to 29, wherein the module is adapted to receive the identifier from a database.
31. The module of claim 30, comprising said database.
32. The module of any one of claims 24 to 31, wherein said identifier is received from a user entry device.
33. The module of any one of claims 24 to 32, comprising a memory for storing at least a portion of the intercepted signal and/or information obtained therefrom.
34. The module of any one of claims 24 to 33, comprising a transmitter for transmitting at least a portion of the intercepted signal and/or information obtained therefrom to a remote node.
35. The module of claim 34, comprising means for encrypting the at least a portion of the intercepted signal and/or information obtained therefrom prior to transmission.
36. The module of claim 34 or claim 35, wherein the remote node is located at or is in the control of a law enforcement agency.
37. The module of any one of claims 34 to 36 when dependent on claim 12, wherein the analyser is adapted to generate an analysis hash set for each signal to be intercepted, the analysis hash set comprising at least a portion of the engine hash set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set and/or the associated user traffic to the remote node.
38. The module of any one of claims 15 to 36, wherein a mode signal indicates an information gathering mode of operation.
39. The module of claim 38, wherein, in response to the mode signal, the analyser is configured to gather information from at least a portion of the signals.
40. The module of claim 39, wherein the module is configured to gather information for billing purposes.
41. The module of claim 40, wherein the analyser is configured to extract details of the originating and/or destination nodes; and/or a duration of the communication and/or an amount of data exchanged between the two nodes; and/or a type or category of service information.
42. The module of claim 40 or claim 41, wherein the analyser is adapted to format the information for transmission to a billing authority.
43. The module of claim 42, wherein the billing authority comprises a telecoms operator and/or an internet service provider.
44. The module of claim 42 or claim 43 when dependent on claim 12, wherein the analyser is adapted to generate an analysis hash set for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the billing authority.
45. The module of claim 39, wherein the module is configured to gather information for testing and/or diagnostic purposes.
46. The module of claim 45, wherein the analyser is configured to derive one or more statistics relating to at least a portion of the signals.
47. The module of claim 45 or claim 46, wherein the analyser is adapted to format the information for transmission to a remote station.
48. The module of claim 47 when dependent on claim 12, wherein the analyser is adapted to generate an analysis hash set for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the remote station.
49. The module of claim 47 or claim 48, wherein the remote station is located at or under the control of a telecommunications company and/or an internet service provider and/or a network operator.
50. A system comprising the module of any one of the preceding claims and an apparatus for generating communications to be sent to one or more destination nodes in the communications network, wherein the apparatus comprises a second engine communicatively coupled to a second analyser; a second processor communicatively coupled to the second engine and the second analyser; and a database, wherein the second processor is configured to transmit control signals to the second engine and/or the second analyser, and in response thereto, the second engine and the second analyser are configured to generate and route communications to the destination nodes using parameters from the database.
51. The system of claim 50, wherein the module is communicatively coupled to the apparatus.
52. The system of claim 51, wherein the module is integral to the apparatus.
53. The system of claim 52, wherein the first and second engines and/or the first and second analysers and/or the first and second processors are integral.
54. The system of any one of claims 50 to 53, wherein the second engine and the second analyzer are configured to generate protocol data for the communications based on the parameters, thereby enabling routing of the communications to their respective destination nodes.
55. The system of any one of claims 50 to 54, wherein the parameters comprise one or more of a username, an e-mail address, a telephone number, a unique device identifier, details of the transfer media to the respective destination nodes or a type of device identifier.
56. The system of any one of claims 50 to 55, comprising a memory for storing user traffic, wherein the apparatus is configured to extract and associate at least a portion of the user traffic to each generated communication.
57. The system of claim 56, wherein the user traffic comprises voice and/or data traffic.
58. The system of claim 56 or claim 57, comprising means for generating the user traffic.
59. The system of any one of claims 50 to 58, wherein the second analyser is configured to generate an analysis hash set for each communication in response to the control signals using parameters extracted from the database.
60. The system of claim 59, wherein the second engine is configured to generate engine hash sets in response to the control signals and using the analysis hash sets.
61. The system of any one of claims 50 to 60, comprising the module of any one of claims 45 to 49, said module being adapted to gather information regarding the generated communications.
62. A method for use in a communications network in which a plurality of signals are transmitted between respective first and second nodes, the method comprising: receiving the plurality of signals over the network at an engine; extracting protocol data from the received signals and providing the extracted protocol data to an analyser; controlling operation of the engine and analyser using a processor; and dividing the signals between a respective first node and second node into a plurality of planes and separately processing each plane.
63. The method of claim 62, comprising dividing the signals into three planes.
64. The method of claim 63, wherein a first plane comprises transport information, a second plane comprises control information and a third plane comprises user plane traffic.
65. The method of claim 64, comprising processing the first and second planes to control processing of the third plane.
66. The method of any one of claims 62 to 65, comprising processing each plane substantially simultaneously.
67. The method of any one of claims 62 to 66, comprising duplicating the plurality of signals to form two sets of substantially identical signals.
68. The method of claim 67, comprising receiving the first set of signals at the engine.
69. The method of claim 67 or claim 68, comprising transparently transporting the second set of signals such that each signal is conveyed to its respective destination node.
70. The method of any one of claims 62 to 69, comprising extracting protocol data by the engine from each of the plurality of signals and forming an engine hash set for each said signal, each engine hash set comprising information regarding user and/or transport and/or network signalling, control information and any user plane traffic.
71. The method of any one of claims 62 to 70, comprising receiving one or more mode signals at the processor.
72. The method of claim 71, comprising relaying a first set of control parameters from the processor to the analyser in response to a mode signal.
73. The method of claim 72, comprising relaying a second set of control parameters from the analyser to the engine in response to the first set of control parameters.
74. The method of claim 71 or claim 72, comprising relaying a second set of control parameters from the processor to the engine in response to a mode signal.
75. The method of claim 74, comprising relaying the second set of control parameters from the processor to the engine via the analyser.
76. The method of claim 75, comprising modifying the second set of control parameters by the analyser prior to relaying said parameters to the engine.
77. The method of claim 72 or any one of claims 73 to 76 when dependent thereon, comprising extracting operational parameters by the analyser from a database in response to the first set of control parameters.
78. The method of any one of claims 73 to 76, comprising extracting operational parameters by the engine from a database in response to the second set of control parameters.
79. The method of any one of claims 71 to 78, wherein a mode signal indicates a lawful interception mode of operation, said method further comprising receiving an identifier identifying one or more signals to be intercepted.
80. The method of claim 79, comprising locating the one or more signals from the plurality of signals using the identifier and the extracted protocol data.
81. The method of claim 79 or claim 80, comprising receiving the identifier from a database.
82. The method of any one of claims 79 to 81, comprising receiving the identifier from a user entry device.
83. The method of any one of claims 79 to 82, comprising storing at least a portion of the intercepted signal and/or information obtained therefrom.
84. The method of any one of claims 79 to 83, comprising transmitting at least a portion of the intercepted signal and/or information obtained therefrom to a remote node.
85. The method of claim 84, comprising encrypting the at least a portion of the intercepted signal and/or information obtained therefrom prior to transmission.
86. The method of claim 84 or claim 85 when dependent on claim 70, comprising generating an analysis hash set by the analyser for each signal to be intercepted, the analysis hash set comprising at least a portion of the engine hash set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set and/or the associated user traffic to the remote node.
87. The method of any one of claims 71 to 86, wherein a mode signal indicates an information gathering mode of operation.
88. The method of claim 87, comprising gathering information from at least a portion of the signals by the analyser in response to the mode signal.
89. The method of claim 88, comprising gathering information for billing purposes.
90. The method of claim 89, comprising extracting details of the originating and/or destination nodes; and/or a duration of the communication and/or an amount of data exchanged between the two nodes; and/or a type or category of service information.
91. The method of claim 89 or claim 90, comprising formatting the information for transmission to a billing authority.
92. The method of claim 91 when dependent on claim 70, comprising generating an analysis hash set by the analyser for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the billing authority.
93. The method of claim 88, comprising gathering information for testing and/or diagnostic purposes.
94. The method of claim 93, deriving one or more statistics relating to at least a portion of the signals.
95. The method of claim 93 or claim 94, comprising formatting the information for transmission to a remote station.
96. The method of claim 95 when dependent on claim 70, comprising generating an analysis hash set by the analyser for each signal of the at least a portion of the signals, the analysis hash set comprising at least a portion of the engine hash set for the respective signal and control and/or transport information for enabling transfer of the analysis hash set to the remote station.
97. The method of any one of claims 62 to 96, comprising generating communications to be sent to one or more destination nodes in the communications network, the method comprising: transmitting control signals from a processor to a second engine and/or a second analyser, the second engine being communicatively coupled to the second analyser; and in response thereto, generating and routing communications to the destination nodes using parameters from the database by the second engine and the second analyser.
98. The method of claim 97, wherein said generating comprises generating protocol data for the communications based on the parameters, thereby enabling routing of the communications to their respective destination nodes.
99. The method of claim 97 or claim 98, comprising storing user traffic; and extracting and associating at least a portion of the user traffic to each generated communication.
100. The method of claim 99, comprising means for generating the user traffic.
101. The method of any one of claims 97 to 100, wherein said generating comprises generating and/or retrieving the destination nodes and/or addresses therefor.
102. The method of any one of claims 97 to 101, comprising generating an analysis hash set for each communication in response to the control signals using parameters extracted from the database.
103. The method of claim 102, comprising generating engine hash sets in response to the control signals and using the analysis hash sets.
104. The method of any one of claims 97 to 103, comprising gathering information relating to the generated communications using the method of any one of claims 93 to 96.
105. A module for use in a communications network substantially as hereinbefore described with reference to any one of the embodiments shown in the drawings.
106. A communications system substantially as hereinbefore described with reference to any one of the embodiments shown in the drawings.
107. A method for use in a communications network substantially as hereinbefore described with reference to any one of the embodiments shown in the drawings.
AU2008213165A 2007-02-07 2008-02-07 Methods, systems and apparatus for monitoring and/or generating communications in a communications network Ceased AU2008213165B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2008258126A AU2008258126B2 (en) 2007-02-07 2008-12-16 Method, systems and apparatus for monitoring and/or generating communications in a communications network

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
NZ553112 2007-02-07
NZ553112A NZ553112A (en) 2007-02-07 2007-02-07 Methods, systems and apparatus for monitoring and/or generating communications in a communications network
AUPCT/NZ2007/000112 2007-05-14
PCT/NZ2007/000112 WO2008097105A1 (en) 2007-02-07 2007-05-14 Methods, systems and apparatus for monitoring and/or generating communications in a communications network
PCT/NZ2008/000013 WO2008097107A1 (en) 2007-02-07 2008-02-07 Methods, systems and apparatus for monitoring and/or generating communications in a communications network

Related Child Applications (1)

Application Number Title Priority Date Filing Date
AU2008258126A Division AU2008258126B2 (en) 2007-02-07 2008-12-16 Method, systems and apparatus for monitoring and/or generating communications in a communications network

Publications (2)

Publication Number Publication Date
AU2008213165A1 AU2008213165A1 (en) 2008-08-14
AU2008213165B2 true AU2008213165B2 (en) 2009-08-27

Family

ID=39681914

Family Applications (2)

Application Number Title Priority Date Filing Date
AU2008213165A Ceased AU2008213165B2 (en) 2007-02-07 2008-02-07 Methods, systems and apparatus for monitoring and/or generating communications in a communications network
AU2008258126A Ceased AU2008258126B2 (en) 2007-02-07 2008-12-16 Method, systems and apparatus for monitoring and/or generating communications in a communications network

Family Applications After (1)

Application Number Title Priority Date Filing Date
AU2008258126A Ceased AU2008258126B2 (en) 2007-02-07 2008-12-16 Method, systems and apparatus for monitoring and/or generating communications in a communications network

Country Status (4)

Country Link
AU (2) AU2008213165B2 (en)
CA (2) CA2649617A1 (en)
GB (1) GB2459612C (en)
WO (2) WO2008097105A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI123641B (en) 2008-09-30 2013-08-30 Aito Technologies Oy Real-time management of packet data service traffic in mobile communications
CN102045131B (en) * 2009-10-22 2015-06-10 中兴通讯股份有限公司 Service linkage control system and method
US9838287B2 (en) 2012-01-27 2017-12-05 Microsoft Technology Licensing, Llc Predicting network data consumption relative to data usage patterns
WO2014108173A1 (en) 2013-01-08 2014-07-17 Telefonaktiebolaget L M Ericsson (Publ) Distributed traffic inspection in a telecommunications network
KR101954310B1 (en) * 2014-01-17 2019-03-05 노키아 솔루션스 앤드 네트웍스 게엠베하 운트 코. 카게 Controlling of communication network comprising virtualized network functions

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5684954A (en) * 1993-03-20 1997-11-04 International Business Machine Corp. Method and apparatus for providing connection identifier by concatenating CAM's addresses at which containing matched protocol information extracted from multiple protocol header
US20040165709A1 (en) * 2003-02-24 2004-08-26 Pence Robert Leslie Stealth interception of calls within a VoIP network
US20060262786A1 (en) * 2005-05-18 2006-11-23 Fujitsu Limited Inter-domain routing technique using MPLS

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8139598B2 (en) * 2005-03-21 2012-03-20 Telefonaktiebolaget L M Ericsson (Publ) Automatic QoS configuration

Also Published As

Publication number Publication date
AU2008258126B2 (en) 2009-08-27
GB2459612A (en) 2009-11-04
GB2459612C (en) 2012-05-30
CA2649104A1 (en) 2008-08-14
GB0915341D0 (en) 2009-10-07
WO2008097105A1 (en) 2008-08-14
CA2649617A1 (en) 2008-08-14
WO2008097107A1 (en) 2008-08-14
GB2459612B (en) 2012-04-18
AU2008213165A1 (en) 2008-08-14
AU2008258126A1 (en) 2009-01-08

Similar Documents

Publication Publication Date Title
US7020130B2 (en) Method and apparatus for providing integrated voice and data services over a common interface device
US8179803B2 (en) Methods, systems and apparatus for monitoring and/or generating communications in a communications network
US7873035B2 (en) Method and apparatus for voice-over-IP call recording and analysis
EP4362403A2 (en) A method for deep packet inspection in software defined networks
CN102932461B (en) Network acceleration transmission method and device
AU2008213165B2 (en) Methods, systems and apparatus for monitoring and/or generating communications in a communications network
WO2003088507A2 (en) Methods and systems for intelligent signaling router-based surveillance
CN111541645B (en) VoIP service knowledge base construction method and system
US20140164543A1 (en) Communication System, Application Server and Communication Method for Server Cooperation
CN101242367B (en) Method for selecting forward node end in media stream
CN113328956B (en) Message processing method and device
WO2018149296A1 (en) Data forwarding method utilized in flexe, and network apparatus
EP2544428A1 (en) Synchronized commands for network testing
CA2997246A1 (en) Hybrid data transport solution, in particular for satellite links
KR100350492B1 (en) The status management method for the remote gateway
US20030154270A1 (en) Independent and integrated centralized high speed system for data management
CN116599775B (en) Asset discovery system and method combining active and passive detection
NZ553112A (en) Methods, systems and apparatus for monitoring and/or generating communications in a communications network
JP2002190827A (en) Connection system for internet telephone between different networks
CN1812402B (en) Method for realizing H.323 communication data packet through fire wall
CN100358296C (en) Communication performance test method based on traffic
US7215747B2 (en) Method and apparatus for producing information regarding the operation of a networked system
JP2005057690A (en) Delay time measuring device, jitter tolerance measuring device, and speech quality evaluation device using the same
CN114915650A (en) Method and system for judging VoIP service observation visual angle based on network element information aggregation
CN109639911A (en) A kind of method, apparatus, equipment and storage medium triggering value-added service

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)
MK14 Patent ceased section 143(a) (annual fees not paid) or expired