Abstract: A system including a transceiver, a modem, and a processor. The processor is configured to cause the transceiver to imitate a base transceiver station (BTS) such that a mobile communication terminal disconnects from an Nth-generation mobile communication network, which uses an Nth-generation communication standard, and connects to the transceiver. The processor is further configured to cause the terminal to switch to the Pth-generation communication standard, and to cause the modem to impersonate the terminal with respect to an Mth-generation mobile communication network. The processor is further configured to intermediate voice communication between the terminal and the Mth-generation mobile communication network exchanged between the modem and the Mth-generation mobile communication network.

Abstract: The present disclosure provides method and system for a processor configured to receive, via a communication interface, cellular communication exchanged over at least one cellular network and fixed-network communication exchanged with a router connected to a fixed network. The method and system further correlating between the cellular communication and the fixed-network communication, and computing respective likelihoods for multiple cellular devices having connected to the fixed network via the router. In response to computing the likelihoods, compute one or more estimated properties associated with the router, and output the estimated properties.

Abstract: The present disclosure provides method and system for tracking cellular devices by a processor configured to receiving communications via communications interface of cellular communication packets exchanged over a cellular network and fixed-network communication packets exchanged with a router connected to a fixed network; identifying, in the cellular communication packets, data items exchanged with a cellular device at a cellular-communication time. The method and system then identifies the data item in the fixed-network communication packets, and in response to identifying the data item in both the cellular communication packets and the fixed-network communication packets, and based on a difference between the cellular-communication time and a fixed-network-communication time at which the data item was exchanged with the router, calculate a likelihood that the cellular device was connected to the fixed network via the router at the fixed-network-communication time, and output the likelihood.

Abstract: System and method that uses a first transceiver and a second transceiver, and a processor. The processor is configured to cause a cellular device associated with the 5G cellular network to communicate, to the first transceiver, a 5G identifier used by the device to identify itself, using the first transceiver. The processor is further configured to ascertain a correspondence between the 5G identifier and a Subscription Permanent Identifier (SUPI), by communicating with a core network of the 5G cellular network via a lawful-interception (LI) communication interface of the core network. The processor is further configured to cause the cellular device to register with the second transceiver, in response to ascertaining the correspondence and to the 5G identifier having been communicated from the cellular device.

Abstract: A monitoring system monitors authentication sessions both on the air interface between the terminals and the network, and on at least one wired network-side interface between network-side elements of the network. The monitoring system constructs a database of sets of network-side authentication parameters using network-side monitoring. Each set of network-side authentication parameters originates from a respective authentication session and is associated with the International Mobile Station Identity (IMSI) of the terminal involved in the session. In order to start decrypting the traffic of a given terminal, the system obtains the off-air authentication parameters of that terminal using off-air monitoring, and finds an entry in the database that matches the air-interface authentication parameters. From the combination of correlated network-side and off-air authentication parameters, the processor is able to extract the parameters needed for decryption.

Abstract: Systems and methods for obtaining authentication vectors issued, for use by a mobile communication terminal, by a Home Location Register (HLR) that serves a cellular communication network independently of any cooperation with the cellular network. Further to obtaining the authentication vectors, a terminal is caused to communicate over a WiFi WLAN using an encryption key derived from the obtained authentication vectors, e.g., per the EAP-SIM or EAP-AKA protocol. Since the encryption key is known, communication from the terminal is decrypted. The authentication vectors may be obtained by (i) an “impersonating” Visitor Location Register (VLR) server that does not serve the cellular network; (ii) an interrogation device which, by imitating a legitimate base station serving the cellular network, solicits the mobile communication terminal to associate with the interrogation device; or (iii) an SS7 probe, which obtains authentication vectors communicated from the HLR server to other entities on the SS7 network.

Abstract: Methods and systems for creating demographic profiles of mobile communication network users. A demographic classification system analyzes network traffic, so as to estimate the specific combination of application classes installed on a given terminal, and usage patterns of the applications over time. This combination of application classes and their respective usage patterns are a highly personalized choice made by the user, and is therefore used by the system to deduce the user's demographic profile. The demographic classification system operates on monitored network traffic, as opposed to obtaining explicit and accurate information regarding the installed applications from the terminal. The system then deduces the demographic profile of the user from the list of estimated application classes.

Abstract: Methods for obtain identifiers, such as International Mobile Subscriber Identities (IMSIs) and International Mobile Station Equipment Identities (IMEIs), of mobile communication terminals, and associate these identifiers with other items of identifying information provided by users of the terminals. A local interrogation device may be installed that imitates a legitimate base station belonging to a cellular network, at a control checkpoint. Local interrogation devices are connected to a global interrogation device in a hierarchical network, whereby the local interrogation devices are assigned a priority that is higher than that of the global interrogation device. The global interrogation device provides cellular coverage to a larger area that contains the control checkpoints, while the local interrogation devices provide more localized cellular coverage to the control checkpoints.

Abstract: An anomaly-detection system that gathers information relating to the relationships between entities and represents these relationships in a graph that interconnects each pair of related entities. The graph may represent a computer network, in which each node corresponds to a respective device in the network and each edge between two nodes indicates that the devices represented by the nodes exchanged communication with one another in the past. the system monitors each of the entities in the graph, by continually computing a single-entity anomaly score (SEAS) for the entity. If the SEAS exceeds a first threshold the system generates an alert. Otherwise, the system checks whether the SEAS exceeds a second, lower threshold. If so, the system computes a subgraph anomaly score (SAS) for the entity's subgraph. If the SAS exceeds a SAS threshold, an alert is generated. By computing the SAS in this manner resources are conserved.

Abstract: Methods and systems for creating demographic profiles of mobile communication network users. A demographic classification system analyzes network traffic, so as to estimate the specific combination of application classes installed on a given terminal, and usage patterns of the applications over time. This combination of application classes and their respective usage patterns are a highly personalized choice made by the user, and is therefore used by the system to deduce the user's demographic profile. The demographic classification system operates on monitored network traffic, as opposed to obtaining explicit and accurate information regarding the installed applications from the terminal. The system then deduces the demographic profile of the user from the list of estimated application classes.

Abstract: Systems and methods for obtaining authentication vectors issued, for use by a mobile communication terminal, by a Home Location Register (HLR) that serves a cellular communication network independently of any cooperation with the cellular network. Further to obtaining the authentication vectors, a terminal is caused to communicate over a WiFi WLAN using an encryption key derived from the obtained authentication vectors, e.g., per the EAP-SIM or EAP-AKA protocol. Since the encryption key is known, communication from the terminal is decrypted. The authentication vectors may be obtained by (i) an “impersonating” Visitor Location Register (VLR) server that does not serve the cellular network; (ii) an interrogation device which, by imitating a legitimate base station serving the cellular network, solicits the mobile communication terminal to associate with the interrogation device; or (iii) an SS7 probe, which obtains authentication vectors communicated from the HLR server to other entities on the SS7 network.

Abstract: Methods for obtain identifiers, such as International Mobile Subscriber Identities (IMSIs) and International Mobile Station Equipment Identities (IMEIs), of mobile communication terminals, and associate these identifiers with other items of identifying information provided by users of the terminals. A local interrogation device may be installed that imitates a legitimate base station belonging to a cellular network, at a control checkpoint. Local interrogation devices are connected to a global interrogation device in a hierarchical network, whereby the local interrogation devices are assigned a priority that is higher than that of the global interrogation device. The global interrogation device provides cellular coverage to a larger area that contains the control checkpoints, while the local interrogation devices provide more localized cellular coverage to the control checkpoints.

Abstract: An anomaly-detection system that gathers information relating to the relationships between entities and represents these relationships in a graph that interconnects each pair of related entities. The graph may represent a computer network, in which each node corresponds to a respective device in the network and each edge between two nodes indicates that the devices represented by the nodes exchanged communication with one another in the past. the system monitors each of the entities in the graph, by continually computing a single-entity anomaly score (SEAS) for the entity. If the SEAS exceeds a first threshold the system generates an alert. Otherwise, the system checks whether the SEAS exceeds a second, lower threshold. If so, the system computes a subgraph anomaly score (SAS) for the entity's subgraph. If the SAS exceeds a SAS threshold, an alert is generated. By computing the SAS in this manner resources are conserved.

Abstract: Methods for obtain identifiers, such as International Mobile Subscriber Identities (IMSIs) and International Mobile Station Equipment Identities (IMEIs), of mobile communication terminals, and associate these identifiers with other items of identifying information provided by users of the terminals. A local interrogation device may be installed that imitates a legitimate base station belonging to a cellular network, at a control checkpoint. Local interrogation devices are connected to a global interrogation device in a hierarchical network, whereby the local interrogation devices are assigned a priority that is higher than that of the global interrogation device. The global interrogation device provides cellular coverage to a larger area that contains the control checkpoints, while the local interrogation devices provide more localized cellular coverage to the control checkpoints.

Abstract: Systems and methods for obtaining authentication vectors issued, for use by a mobile communication terminal, by a Home Location Register (HLR) that serves a cellular communication network independently of any cooperation with the cellular network. Further to obtaining the authentication vectors, a terminal is caused to communicate over a WiFi WLAN using an encryption key derived from the obtained authentication vectors, e.g., per the EAP-SIM or EAP-AKA protocol. Since the encryption key is known, communication from the terminal is decrypted. The authentication vectors may be obtained by (i) an “impersonating” Visitor Location Register (VLR) server that does not serve the cellular network; (ii) an interrogation device which, by imitating a legitimate base station serving the cellular network, solicits the mobile communication terminal to associate with the interrogation device; or (iii) an SS7 probe, which obtains authentication vectors communicated from the HLR server to other entities on the SS7 network.

Abstract: A plurality of pairs of video cameras and interrogation devices may be placed in a public place along various paths that a person-of-interest might be expected to move. The person-of-interest is then located in multiple images acquired, collectively, by multiple video cameras. From each of the interrogation devices that are paired with these video cameras, a subset of the captured identifiers is obtained. Candidate identifiers are then restricted to those identifiers that are included in each of the subsets. A given identifier may be rejected as a candidate identifier. To automatically locate the person-of-interest in the images acquired by the “paired” video cameras, a processor may utilize video-tracking techniques to automatically track the person-of-interest, such that the person-of-interest is not “lost.” By virtue of utilizing such tracking techniques, the person-of-interest may be repeatedly located automatically, and with minimal chance of a false detection.

Abstract: Methods for obtain identifiers, such as International Mobile Subscriber Identities (IMSIs) and International Mobile Station Equipment Identities (IMEIs), of mobile communication terminals, and associate these identifiers with other items of identifying information provided by users of the terminals. A local interrogation device may be installed that imitates a legitimate base station belonging to a cellular network, at a control checkpoint. Local interrogation devices are connected to a global interrogation device in a hierarchical network, whereby the local interrogation devices are assigned a priority that is higher than that of the global interrogation device. The global interrogation device provides cellular coverage to a larger area that contains the control checkpoints, while the local interrogation devices provide more localized cellular coverage to the control checkpoints.

Abstract: A monitoring system monitors authentication sessions both on the air interface between the terminals and the network, and on at least one wired network-side interface between network-side elements of the network. The monitoring system constructs a database of sets of network-side authentication parameters using network-side monitoring. Each set of network-side authentication parameters originates from a respective authentication session and is associated with the International Mobile Station Identity (IMSI) of the terminal involved in the session. In order to start decrypting the traffic of a given terminal, the system obtains the off-air authentication parameters of that terminal using off-air monitoring, and finds an entry in the database that matches the air-interface authentication parameters. From the combination of correlated network-side and off-air authentication parameters, the processor is able to extract the parameters needed for decryption.

Abstract: Methods for obtain identifiers, such as International Mobile Subscriber Identities (IMSIs) and International Mobile Station Equipment Identities (IMEIs), of mobile communication terminals, and associate these identifiers with other items of identifying information provided by users of the terminals. A local interrogation device may be installed that imitates a legitimate base station belonging to a cellular network, at a control checkpoint. Local interrogation devices are connected to a global interrogation device in a hierarchical network, whereby the local interrogation devices are assigned a priority that is higher than that of the global interrogation device. The global interrogation device provides cellular coverage to a larger area that contains the control checkpoints, while the local interrogation devices provide more localized cellular coverage to the control checkpoints.

Abstract: A monitoring system monitors authentication sessions both on the air interface between the terminals and the network, and on at least one wired network-side interface between network-side elements of the network. The monitoring system constructs a database of sets of network-side authentication parameters using network-side monitoring. Each set of network-side authentication parameters originates from a respective authentication session and is associated with the International Mobile Station Identity (IMSI) of the terminal involved in the session. In order to start decrypting the traffic of a given terminal, the system obtains the off-air authentication parameters of that terminal using off-air monitoring, and finds an entry in the database that matches the air-interface authentication parameters. From the combination of correlated network-side and off-air authentication parameters, the processor is able to extract the parameters needed for decryption.