Operational Engineering November 2010

Sep. 25 2015 — 9:33a.m.


Events Product Centre SECRET STRAP1 GCHQ

Agenda
- Welcome
- Salamanca erFDs
- Guiding Light
- Questions

IMMINGLE
Key changes July 2010 to present:
- Inferred data from B3M now flagged
- Updates to handle identifiers from HARD ASSOC and B3M correctly
- MAINWAY: now grouped and flagged in same way as SALAMANCA
- MAINWAY: direct access to event details provided
- GPRS flagging
- THUGGEE rules applied to SALAMANCA events

IMMINGLE [screenshot: MAINWAY options and Help pages]

IMMINGLE [screenshot: query results; text not recoverable]

IMMINGLE
What next?
- FASCIA GPRS flagging
- HAUSTORIUM decommissioning
- Next Gen Contact Chaining
NEXT GENERATION events

BRIO and SALAMANCA
Key changes since July:
- NRT (Near Real Time) Storage 3 days
- Extra feeds from TERRAINs at BUDE and SOUNDER
- 2nd Party usage of SALAMANCA: SHAREOWN replaces ESCHAR
- CallAnsweredState and CallEndState added to TERRAIN-SALAMANCA feed

(cont.) Pakistan NGN Inferencing errors [screenshot; text not recoverable]


Scaling
Current scale
- There are 100 unique bearers feeding the 825 tools.
- Consistently averaging over 30 billion events per-day into the input buffer.
- MB is loading over 10.5 billion
- 6 months data retention for MB 1,890,000,000,000 records and requires 400 TB.
- Total storage of over one petabyte.

Scaling
Future Scale
- Further 58 bearers by end of 2010
- An additional 40 bearers in Q1 2011.
- MB will ingest over 20 billion events per day requiring one petabyte of storage.
- Overall storage will increase to 2.5 petabytes.
- Scope scaling to 400 bearers.


Samuel Pepys
- Pull through and upscaling of TR SPs.
- Currently 43 bearers.
- 14 from TR SP
- 29 additional bearers from TPS (generating HTTP, TDI, Websearch, FTP and Squeal).
- Circa 40 additional bearers just generating Squeal.
- Approval to increase aperture to 100 bearers for all data-types.
- Approval to increase user numbers to 200.


What is Social Anthropoid?
SOCIAL ANTHROPOID is a converged comms database. It will allow you to see when your targets have communicated via phone, over the internet, or using converged channels (sending e-mails from a phone or making voice calls over the internet).

What about the existing comms databases?
- When SOCIAL ANTHROPOID contains all the necessary data and has all the core functionality of the legacy tools Social animal, HAUSTORIUM and SALAMANCA will be de-commissioned.

What data is in Social Anthropoid?
- All of Salamanca data (telephony)
- Social animal data. Instant Messenger. Webmail.
- SIP H323 VOIP
- Yahoo Voice
- Blackberry
- MMS
- SMS (from Salamanca and other sources)
- GTP (GPRS session set-ups)
- And more..

What about SMTP, POP3 and
- Starting to receive these data types now.
- Capability deployed as part of HeartBeat 11.

[Screenshot: query form with saved queries, query help text, and Save Query / Submit query buttons; text largely not recoverable]

[Screenshot: query results table listing chat message events; text not recoverable]

Telephony in Santhropoid [screenshot: telephony event results; text not recoverable]

Convergence - GTP tunnel [screenshot: GTP tunnel event results; text not recoverable]

Convergence Leaky Gateways [screenshot: webmail event results; text not recoverable]

OSN [screenshot: social event results (Facebook); text not recoverable]

Looks good, When can I have an account?
- Santhropoid is currently in the second stage of UAT.
- We currently have 200 users representing all areas of the business.
- Aiming to be in a position to release Santhropoid to the masses in early January.

New data source
- LUSTRE new data-source available in MB. Good for North Africa.
- Source field: This will enable new non-routine data-sources to be added to the QFDE. CNE JTRIG GLASSBACK data used for test case. COLLATERAL

New Loaders
- New loaders deployed to MB and HR Map, improvements to KP.
- Latency of the data in the QFDs has been greatly reduced, now around 12 hours.
- Each instance of MB can now ingest 8 billion events per day (total 32 billion)
- Some QFDs were previously 1-5 days behind.
- Query performance during loading has also been improved.

GUIDING LIGHT QFD
Presented by (Guiding Light SU)

What is GUIDING
- New QFD developed in August 2010 by TDB-Events.
- Primary objective: "To understand the traffic seen on the Next Gen Events bearers."

What can it do for me?
General Questions:
- Given a case notation, what are the TDI types that are found on it?
- Given a TDI type/subset, which bearers produce the highest number of events?
- What type of traffic is on which bearers and where is it coming from?
- Which bearers provide the most amount of traffic type from place y?

Front End Interface [screenshot: GUIDING LIGHT query form with From Date, To Date, Bearer, Event Type, Country and Min Event Count fields, and Event Types, Source Types, Daily Event Profile, Bearers and Countries options]

Results - Full Profile Query [screenshot; text not recoverable]

Results Pivot: Event Types [chart; values not recoverable]

Results Pivot: Countries (From) [chart; values not recoverable]

Recent Enhancements
- Data from Bude (RPC)
- Including data from SWORDPLAY
- New fields: PDDG, SIGAD, SSDG

Future Enhancements
Near future:
- Adding BROAD OAK Targeting data
- Incorporating MI functionality from REFORMER (where appropriate!)
- Adding more feeds. (Ongoing)
Longer term:
- Adding Cipher and MI information
- Linkage into ARTEMIS (or its successor)

Any Questions
