TDI Introduction

Sep. 25 2015 — 9:36a.m.

Slide 1
Target Detection Identifiers
March 2009
© This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to .

Slide 2
UK SECRET STRAP2 COMINT ORCON
High-Speed Internet Processing
TCP SYN
GET /
TCP FIN
User-Agent: Mozilla 4.1, IE5
Host:www.google.com
Cookie:ik=xzxsrzczccz ….
09:28:01 2008-10-13 7776 80 GET / Cookie: ik= qyzwww…..
09:28:13 2008-10-13 3456 80 GET / Cookie: ik= xzxsrzczccz …
Event data sent to bulk store
© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to
Contains Intellectual Property owned and/or managed by GCHQ. The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

Slide 3
High-Speed Internet Processing
• Bulk events key to SIGINT success on Internet
• Event types that are valuable for Intelligence change (quickly)
  – 2000 SMTP/POP3
  – 2001 Webmail
  – …
  – 2007 vBulletin
  – 2008 Social Networks,…,?
• GCHQ’s Applied Research are pioneering ways of dealing with this:
  – Presence Events (TDI)
  – Very large scale high speed flat file storage to bulk store TDIs
  – Just enough data marts

Slide 4
IP Packet Information
• Many possible types of information
• Many techniques available
• HTTP Get requests dominate cutting edge techniques
• To get Intelligence value Information must relate to a person or device… a TDI

Slide 5
TDI …?

Slide 6
TDI …?

Slide 7
TDI
Target Detection Identifier

Slide 8
TDI
Target Detection Identifier
Who
When
Where
(doing) What

Slide 9
TDI
Target Detection Identifier
Who
When
Where
(doing) What
Fundamental atom of the Internet age.

Slide 10
Target Detection Identifiers
• DEFINITION
  – TDIs are definite indicators of presence, that are unique and persistent for a user/machine.
• Built on the familiar
  – Telephony +44 – international phone code
  – Signalling tells us this phone user is ‘online’
• Target Detection Identifiers
  – Started with the Internet, mobile networks too.
  – TDI is a ‘SIGINT standardised code’.
  – Not a standard managed by the ITU/ETSI.
  – Extraction from packets much more complex.

Slide 11
TDI sources

Slide 12
Target Detection Identifiers
• 70 distinct TDI types discovered.
• 2500 TDIs/sec (GET, de-duplicated)
• => 200 Million per day per 10Gbps
• De-dupe rate ???
• Cost – 250 hours per TDI
• Automated discovery prototype

TDI Type                 TDI Location    User/Machine
Yahoo-Y-Cookie           Cookie          User
Yahoo-B-Cookie           Cookie          Machine
Google-IK                Request-URI     User
Paltalk-Nickname         Request-URI     User
MS-MUID-Cookie           Cookie          Machine
Google-SID-Cookie        Cookie          Machine
Maktoob-MEUser-Cookie    Cookie          User
Orkut-PREFID-Cookie      Cookie          User
Cloob-Username           Cookie          User

Slide 13

Slide 14
TDI Applications
• Bulk store of all TDIs seen in last 6 months [MUTANT BROTH]
• Bulk store TDI correlations (6 months) [AUTO ASSOC]
• Bulk store TDI <-> website correlations (6 months) [KARMA POLICE]
• Bulk store TDI vBulletin activity [INFINITE MONKEYS]
• Bulk store TDI Social Networking Site activity [SOCIAL ANIMAL]
• Bulk store web search requests [MEMORY HOLE]
• Bulk store Google Earth requests [MARBLED GECKO]
• Bulk store of Host-Referer references [HRMAP]

Slide 15

Slide 16

Slide 17

Slide 18
Other Bulk Event Applications
• Most events that can be associated back to TDIs:
• File Transfer Signature (eg proof of life videos)
• Detection by Internet profile – eg ‘Dead Letter Drop’.
• Yahoo webcam images
• Airline reservation confirmation emails