TDI Introduction
Sep. 25 2015 — 5:36 a.m.

Target Detection Identifiers
March 2009
© This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to
.
Slide 1

UK SECRET STRAP2 COMINT ORCON
High-Speed Internet Processing
TCP SYN
GET /
TCP FIN
User-Agent: Mozilla 4.1, IE5
Host:www.google.com
Cookie:ik=xzxsrzczccz
….
09:28:01 2008-10-13 7776 80 GET / Cookie: ik= qyzwww…..
09:28:13 2008-10-13 3456 80 GET / Cookie: ik= xzxsrzczccz
…
Event data sent to bulk store
© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to
Contains Intellectual Property owned and/or managed by GCHQ. The material may be disseminated throughout the recipient organisation, but GCHQ permission must
be obtained for dissemination outside the organisation.
Slide 2

High-Speed Internet Processing
• Bulk events key to SIGINT success on Internet
• Event types that are valuable for Intelligence change (quickly)
– 2000 SMTP/POP3
– 2001 Webmail
– …
– 2007 vBulletin
– 2008 Social Networks,…,?
• GCHQ’s Applied Research are pioneering ways of dealing with this:
– Presence Events (TDI)
– Very large scale high speed flat file storage to bulk store TDIs
– Just enough data marts
Slide 3

IP Packet Information
• Many possible types of information
• Many techniques available
• HTTP Get requests dominate cutting edge techniques
• To get Intelligence value Information must relate to a person or device… a TDI
Slide 4

TDI …?
Slide 5

TDI …?
Slide 6

TDI
Target Detection Identifier
Slide 7

TDI
Target Detection Identifier
Who, When, Where, (doing) What
Slide 8

TDI
Target Detection Identifier
Who, When, Where, (doing) What
Fundamental atom of the Internet age.
Slide 9

Target Detection Identifiers
• DEFINITION
– TDIs are definite indicators of presence, that are unique and persistent for a user/machine.
• Built on the familiar
– Telephony +44
– international phone code
– Signalling tells us this phone user is ‘online’
• Target Detection Identifiers
– Started with the Internet, mobile networks too.
– TDI is a ‘SIGINT standardised code’.
– Not a standard managed by the ITU/ETSI.
– Extraction from packets much more complex.
Slide 10

TDI sources
Slide 11

Target Detection Identifiers
• 70 distinct TDI types discovered.
• 2500 TDIs/sec (GET, de-duplicated)
• => 200 Million per day per 10Gbps
• De-dupe rate ???
• Cost – 250 hours per TDI
• Automated discovery prototype

TDI Type                 TDI Location   User/Machine
Yahoo-Y-Cookie           Cookie         User
Yahoo-B-Cookie           Cookie         Machine
Google-IK                Request-URI    User
Paltalk-Nickname         Request-URI    User
MS-MUID-Cookie           Cookie         Machine
Google-SID-Cookie        Cookie         Machine
Maktoob-MEUser-Cookie    Cookie         User
Orkut-PREFID-Cookie      Cookie         User
Cloob-Username           Cookie         User
Slide 12

Slide 13

TDI Applications
• Bulk store of all TDIs seen in last 6 months [MUTANT BROTH]
• Bulk store TDI correlations (6 months) [AUTO ASSOC]
• Bulk store TDI <-> website correlations (6 months) [KARMA POLICE]
• Bulk store TDI vBulletin activity [INFINITE MONKEYS]
• Bulk store TDI Social Networking Site activity [SOCIAL ANIMAL]
• Bulk store web search requests [MEMORY HOLE]
• Bulk store Google Earth requests [MARBLED GECKO]
• Bulk store of Host-Referer references [HRMAP]
Slide 14

Slide 15

Slide 16

Slide 17

Other Bulk Event Applications
• Most events that can be associated back to TDIs:
• File Transfer Signature (eg proof of life videos)
• Detection by Internet profile – eg ‘Dead Letter Drop’.
• Yahoo webcam images
• Airline reservation confirmation emails
Slide 18