GFR/CGFR/Cop

PProces

1Commercial in Confidence

R tpyRouter

flss flow

Revision 2.3

How do we stop thsuch as child pornsuch as child porn

enter our hompredators and tho

and engaand enga

2

he flow of illicit data ography which can ography which can

mes, encourage , gose that encourage age them?age them?

Who will take part in upcomenforceme

•Altnet / BDE–Providing Global File Registrylicenses.

Cisco•Cisco–Providing proven best of breewidely deployed SCE platformwidely deployed SCE platform

•Local ISP–Australian ISP where the pilotAustralian ISP where the pilot

3

ming commercial and law ent trials

y (GFR) technology and related

ed technology, based on their m.m.

t will take place.t will take place.

How does it all w

4

work together?

Law enforcemLaw enforcemThe CopyRouter detects and replaces from search results refereto files that are known to the police. This has a flow on effect:1- If user downloads the file, the file they get is one from the 2- The original files won't be available for download. Even if tg

does NOT download this file, the information about the origremoved for this search, which means...

3- Information about these files won't be propagated throughhost that is receiving this search result. But the files from po

4- Also, Browsing a host directly is treated in the same mannedi fil h i hi h ddirect user-to-user file exchange using this method.

GFR Copyrout

Reportreplac

5

replacsecur

ment overviewment overviewences

police.the user inal file has been

h the client olice would.er,severely limiting

terThe Internet

Gnutella Servers hosting replacement contentfrom Law Agencies.

All search results replaced by the SCE point to these servers.ts about traffic activity and

ements made are sent toements made are sent toe servers

Step 1 : Local ISP user ruP2P network, i.e., for Pret

What do you have with ‘'Prehot 15 wmv?hot 15.wmv?

SCE does not modi

6

uns a search (query) on teens sweet hot 15.wmv?

teens sweet

ify any packet.

Step 2a.: P2P clients on the net start replyingany files they may know containing ‘Preteens s'.Each query hit contains information about thto get the file from ( IP address and port num

Step 2.b : The SCE detects pand the application

7

back with search results (query hits), of sweet hot 15.wmv

he file (filehash, filename, etc) and where mber).

Here you go, we have all this....

ackets with P2P resultsn comes into action...

Law enforcement

Cleaned up search results

Law enforcement

Preteens sweet hot 15.wmvHash : {Hash-of-this-police-generated-video}Get it from IP-of-police-P2P Servers

Lolita - 33455233.jpgHash : {Hash-of-the-police-generated-image}Get it from IP-of-police-P2P serversGet it from IP of police P2P servers

8

overview – cont'd

Original search results

overview cont d

g

Preteens sweet hot 15.wmvHash : aaaaaaaaaaaaaaaaGet it from IP 1.2.3.4

Lolita - 33455233.jpgHash : bbbbbbbbbbbbbbbbGet it from IP 5.4.2.6

Law enforcemeLaw enforceme

– Search results scanned for k– When a hit happens, the inforeplaced with information aboreplaced with information aboLaw Enforcement agency.–When the user accesses the fO i ill h dl Operating system will handle –It is possible to target any fil

Images (jpg png bmp t• Images (jpg, png, bmp, t• Videos (avi, wmv, mov, x• Audio (mp3, wma, acc, o( p , , ,• Documents (doc, pdf, ppt• etc.

9

ent applicationent application

known, targeted hashes.ormation about the original file is out another file chosen by the out another file, chosen by the

file just downloaded, the h fil ll the file normally.e typestiff)tiff)xdiv) gg)gg)t)

Possible messaging when tWhen a user downloads a file that was replacedopen the file, their computer will handle it as anagency right in front of their eyes.

Download process over P2P...

10

these files are downloaded by the Law Enforcement agency and they

ny other file, putting the message from the

DRM Window in WMV

Messaging and dif

11

fferent file types...

The CopyRouter in its current implementation will handle the requirement of(LUT) which would be provided by Law enforcement agencies.The biggest differences are in the reporting needs : different destinations dif

Applications : Commercial in

SERVER_IP {Initial_agenSERVER_PORT {Initial_agFILE_EXT .jpgADD# Infringing Hash

The biggest differences are in the reporting needs : different destinations, difneed to determine which 'vendor' provided which information in the LUT, and

Any hits here will generate a 'red' report,which will be routed to the

police collector server ONLY g g2J35NKWJE6BXOFBVAXSLIOY2OIOPN45W3G6KWN6CXKJX2C5D2AB3T64BD55NHCJ5BGBGNTLNW6OX44TQOPDI6XBQ2CHX

police collector server ONLY. These reports contain full IP information.

P2P t

Not Found in LUT

Hit for FP

12

Law Ecollec

f Law enforcement agencies – we just need entries for the look-up table

fferent information (enforcement agencies may require IP info) We therefore

parallel to Law enforcement

ncy_Server_IP} {NumberOfServers}gency_Server_Port} {NumberOfPorts}

Replacement Hash File size Vendor

fferent information (enforcement agencies may require IP info). We therefore this is done by adding a new field to the LUT.

pYJFCQK64UO UFIRGOBOJNMPGY6SCBHO6P3D4D7QVFB7 853097 2CC6CGO3JGD UFIRGOBOJNMPGY6SCBHO6P3D4D7QVFB7 853097 2NDWPWVOHMK UFIRGOBOJNMPGY6SCBHO6P3D4D7QVFB7 853097 2XZH7CANE3J UFIRGOBOJNMPGY6SCBHO6P3D4D7QVFB7 853097 2

raffic between users

Enforcement Data ctor

Example of informExample of inform

These results were seen by the Cosmall network connection in a test small network connection in a test via the router as part of the normaThe red highlighted parts are the h

ll hi hli ht IP dd

13

yellow highlights are IP addresses.

mation generatedmation generated

pyrouter when installed on a very environment The results passed environment. The results passed al P2P traffic.hashes that could be targeted,

ReportinReportinFor each P2P search result seen, a on

server.

Th t t i i f ti bThese reports contain information abusers.

Report= reports : file seen.

The SCE will run in 'report-only modethis stage will be useful for:

Getting a baseline of P2P activity in

Creating a more targeted lookup ta

P2P traf

Reports from SCE

14

SCE

ng : SCEng : SCEne line report is sent to a reporting

b t th fil b t b t bout the files, but never about

e' for about a week. Data gathered in

n the network prior to the pilot.

able.

ffic between users

Special handlingSpecial handling

•Compression:Compression:–Some of the Query andcompressedcompressed–We change the compresession will be in plain tsession will be in plain t

E ti•Encryption–Some of the sessions a–We change the traffic thnegotiation so the sessi

15

g

g of P2P protocolg of P2P protocol

d Query Hits are normally

ession offer token so the texttext.

are normally encryptedhat holds the encryption ion will be in plain text.p

Global FileGlobal File•Interdicts proven illicit data on ap•Substitutes that illicit data with a•It does this without impact on cuIt does this without impact on cuperformance without effecting •World's best technology for disrugytrafficking•Protects your community regardy y gcriminals operate from

16

e Registrye Registryn automated basis.

an appropriate warning/noticeustomer experience or technicalustomer experience or technical privacy or customer integrityupting & defeating illicit data p g g

dless of where the cyber y

Thank

17Commercial in Confidence

k you!y

Revision 1.9.4