Patent classifications
H04L63/306
Semi-active probing framework to gather threat intelligence for encrypted traffic and learn about devices
In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.
Method and Devices for Lawful Interception
Methods and devices provide service-specific information besides LI data extracted from communications of LI targets, which receive services via the network and interact with a core function of the network. LI data includes at least one of IRI and CC. This approach is particularly useful if LI at application/service level is unavailable.
Network telemetry collection with packet metadata filtering
In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.
SYSTEMS AND METHODS FOR DETECTING DATA LEAKAGE OF ONLINE CONTENT
In some embodiments, a method for monitoring and/or inhibiting data leakage comprises generating a plurality of first and second profiles, providing the first profiles to a predetermined website, and providing data associated with the exposure of the first profiles to one or more intermediaries. The method further comprises exposing the first and second profiles to third-party websites such that the content of the third-party websites is received by the first and second profiles, and retrieving information corresponding to the content received by the first and second profiles via at least one of the one or more intermediaries.
Methods, System and Communication Devices Related to Lawful interception
The invention relates to methods, communication devices, computer programs and computer program products related to Lawful Interception, LI. An LI Administration Function, ADMF, sends a request over an X1 interface to a Network Element, NE, that is configured to perform an action associated with an LI, to add information associated with a destination or modify information of an existing destination for a message to be sent from the NE to the LI ADMF over the X1 interface. The NE receives the request, adds information associated with a destination or modifies information of an existing destination, and sends a response to the LI ADMF over the X1 interface, wherein the response comprises a result associated with the request.
METHODS AND APPARATUS FOR PERFORMING TARGETED LAWFUL INTERCEPT IN A SYSTEM INCLUDING CONTENT DELIVERY NETWORKS
Methods and apparatus for filtering lawfully intercepted encrypted traffic are described. A communications service provider network includes a mediation device and a security device. The mediation device receives a provisioned intercept request including a target IP address and one or more unique identifiers corresponding to the target. The security device acquires certificates and private keys corresponding to one or more content distribution networks of interest for which intercepted traffic is to be partially or fully discarded. The mediation device receives filtering requests specifying filtering rules to be applied. Intercepted traffic is processed by the mediation device operating in conjunction with the security device to attempt decryption and identify the corresponding CDN for the intercepted traffic. The mediation device filters the decrypted traffic in accordance with the filtering rules, discarding traffic that is not of interest to the law enforcement agency (LEA) and sending traffic of interest to the LEA.
SELECTIVE VALIDATION OF A PORTION OF A SERVER RESPONSE TO A CLIENT REQUEST
A portion of a server response to a client request can be selectively validated according to some examples described herein. In one example, a system can receive a response from a server to an application programming interface (API) request transmitted by a client application. The response can include target data and other data. The system can determine that the target data is to be validated. In response to determining that the target data is to be validated, the system allows a validation process to be performed on the target data and prevents the validation process from being performed on the other data.
Leveraging synthetic traffic data samples for flow classifier training
In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
IDENTIFYING AN ACTIVE ADMINISTRATION FUNCTION (ADMF) IN A LAWFUL INTERCEPTION DEPLOYMENT THAT UTILIZES A PLURALITY OF ADMFS
A method for identifying an active administration function (ADMF) in a lawful interception deployment that utilizes an ADMF set comprising a plurality of ADMFs can be implemented by a network element. The method can include exchanging lawful interception signaling with a first ADMF when the first ADMF is the active ADMF. The method can also include receiving an auditing request message from one of the plurality of ADMFs in the ADMF set and sending a ping request message to each ADMF in the ADMF set. The method can also include receiving a ping response message from a second ADMF among the plurality of ADMFs in the ADMF set and identifying the second ADMF as the active ADMF in response to receiving the ping response message. The method can also include exchanging second lawful interception signaling with the second ADMF when the second ADMF is the active ADMF.
Privacy-secure edge-zone computing for secure-operation authorization
A system includes a security controller located within a central zone in communication with a provisioned agent operating on an edge-zone device. The security controller may implement controller-blind security control on the edge-zone device by making security authorization determinations using a secure-operation confidence analysis performed by the provisioned agent. The provisioned agent, operating within the edge zone, may have access to un-sanitized data, which may be unavailable to the security controller in the central zone. The provisioned agent may access condition-descriptors via a secure-operation confidence assignment matrix. Using the condition-descriptors, the provisioned agent determines feedback, which may include a secure-operation confidence coefficient, based on the un-sanitized data to which the security controller is blind.