Traffic Analysis
Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted. In general, the greater the number of messages observed, the more information can be inferred. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is also a concern in computer security. Traffic analysis tasks may be supported by dedicated computer software programs. Advanced traffic analysis techniques may include various forms of social network analysis. Traffic analysis has historically been a vital technique in cryptanalysis, especially when the attempted crack depends on successfully seeding a known-plaintext attack, which often requires an inspired guess about how the operational context is likely to influence what an adversary communicates; that guess may be sufficient to establish a short crib.


Breaking the anonymity of networks

Traffic analysis can be used to break the anonymity of anonymous networks such as Tor. There are two classes of traffic-analysis attack, passive and active.

* In the passive method, the attacker extracts features (for example packet timing or packet counts) from the traffic of a specific flow on one side of the network and looks for the same features on the other side of the network.
* In the active method, the attacker perturbs the timing of the packets of a flow according to a specific pattern and looks for that pattern on the other side of the network. A match links a flow entering the network to a flow leaving it, which breaks the anonymity the network was meant to provide.

It has been shown that active methods exist that remain robust even when timing noise is added to the packets.
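Both methods described above, as an added example that is not part of the original page and not the code of any of the papers it cites. The passive side correlates binned packet-count profiles of entry-side and exit-side flows; the active side uses a simplified interval-style watermark (delaying every packet in a marked slot into the second half of that slot) and reads the bits back after the flow has crossed a jittery path. All traffic, the bin and slot widths, and the delay and jitter figures are constructed for the demonstration.

```python
import random
import statistics

BIN_MS = 100     # bin width for the passive packet-count profile (assumed parameter)
SLOT_MS = 1000   # slot width for the active timing watermark (assumed parameter)


def bin_counts(ts_ms, n_bins):
    """Packet arrival times (ms) -> per-bin packet-count vector."""
    counts = [0] * n_bins
    for t in ts_ms:
        b = int(t // BIN_MS)
        if 0 <= b < n_bins:
            counts[b] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors (0.0 if degenerate)."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = (sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)) ** 0.5
    return num / den if den else 0.0


def passive_match(entry_flows, exit_flows, n_bins):
    """Passive method: link each entry-side flow to the exit-side flow whose
    packet-count profile correlates best.  Returns {entry_id: exit_id}."""
    entry_prof = {fid: bin_counts(ts, n_bins) for fid, ts in entry_flows.items()}
    exit_prof = {eid: bin_counts(ts, n_bins) for eid, ts in exit_flows.items()}
    return {fid: max(exit_prof, key=lambda eid: pearson(p, exit_prof[eid]))
            for fid, p in entry_prof.items()}


def embed_watermark(ts_ms, bits):
    """Active method: in every slot whose bit is 1, delay the packets so that
    they all land in the second half of the slot (added delay <= SLOT_MS/2)."""
    out = []
    for t in ts_ms:
        slot = int(t // SLOT_MS)
        if bits[slot % len(bits)]:
            start = slot * SLOT_MS
            t = start + SLOT_MS / 2 + (t - start) / 2
        out.append(t)
    return out


def decode_watermark(ts_ms, n_bits, threshold=0.25):
    """Read one bit per slot on the far side: a nearly empty first half-slot
    means 1.  Tolerates path delay and jitter well below SLOT_MS/2."""
    first, total = [0] * n_bits, [0] * n_bits
    for t in ts_ms:
        slot = int(t // SLOT_MS)
        if slot < n_bits:
            total[slot] += 1
            if t - slot * SLOT_MS < SLOT_MS / 2:
                first[slot] += 1
    return [1 if total[k] and first[k] / total[k] < threshold else 0
            for k in range(n_bits)]


def synth_flow(rng, n_packets, duration_ms):
    """Constructed flow: packet times drawn uniformly over the duration."""
    return sorted(rng.uniform(0, duration_ms) for _ in range(n_packets))


def through_network(rng, ts_ms, delay_ms, jitter_ms):
    """Constructed network path: fixed delay plus uniform timing jitter."""
    return sorted(t + delay_ms + rng.uniform(-jitter_ms, jitter_ms) for t in ts_ms)


def demo(seed=7, n_flows=4, packets=600, delay_ms=40, jitter_ms=15):
    """Run both attacks on constructed flows; returns (links, decoded, bits)."""
    rng = random.Random(seed)
    bits = [1, 0, 1, 1, 0, 0, 1, 0]           # the attacker's chosen watermark
    duration = len(bits) * SLOT_MS
    n_bins = (duration + delay_ms + jitter_ms) // BIN_MS + 1
    entry = {f"client{i}": synth_flow(rng, packets, duration) for i in range(n_flows)}
    # exit side carries the same flows under relay-side names, delayed and jittered
    exits = {f"exit{i}": through_network(rng, entry[f"client{i}"], delay_ms, jitter_ms)
             for i in range(n_flows)}
    links = passive_match(entry, exits, n_bins)
    marked = embed_watermark(entry["client0"], bits)            # attacker at entry side
    observed = through_network(rng, marked, delay_ms, jitter_ms)
    decoded = decode_watermark(observed, len(bits))             # attacker at exit side
    return links, decoded, bits


if __name__ == "__main__":
    links, decoded, bits = demo()
    print("passive links:", links)
    print("watermark sent:", bits, "decoded:", decoded)
```

The passive matcher needs the two observation points to see the whole flow and works only as well as the packet-count profile is distinctive; the watermark decoder needs no prior profile at all, which is why the active method survives moderate timing noise while the passive one degrades as flows become more similar.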


In military intelligence

In a military context, traffic analysis is a basic part of signals intelligence (SIGINT), and can be a source of information about the intentions and actions of the target. Representative patterns include:

* Frequent communications – can denote planning
* Rapid, short communications – can denote negotiations
* A lack of communication – can indicate a lack of activity, or completion of a finalized plan
* Frequent communication to specific stations from a central station – can highlight the chain of command
* Who talks to whom – can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station
* Who talks when – can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
* Who changes from station to station, or medium to medium – can indicate movement, or fear of interception

There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, so the cryptanalyst needs help identifying them. Traffic volume can often be a sign of an addressee's importance, giving cryptanalysts hints about pending objectives or movements.


Traffic flow security

Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:

* changing radio callsigns frequently
* encryption of a message's sending and receiving addresses (codress messages)
* causing the circuit to appear busy at all times or much of the time by sending dummy traffic
* sending a continuous encrypted signal, whether or not traffic is being transmitted. This is also called masking or link encryption.

Traffic-flow security is one aspect of communications security.


COMINT metadata analysis

Communications metadata intelligence, or COMINT metadata, is a term in communications intelligence (COMINT) for producing intelligence by analyzing only the technical metadata of communications; it is therefore a practical example of traffic analysis in intelligence. While traditionally information gathering in COMINT is derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, metadata intelligence is based not on content but on technical communications data. Non-content COMINT is usually used to deduce information about the user of a certain transmitter, such as locations, contacts, activity volume, routine and its exceptions.


Examples

For example, if an emitter is known to be the radio transmitter of a certain unit, and direction finding (DF) tools can locate the emitter's position, then the unit's change of location from one point to another can be deduced without listening to any orders or reports. If one unit reports back to a command on a certain pattern, and another unit reports on the same pattern to the same command, then the two units are probably related; that conclusion is based on the metadata of the two units' transmissions, not on their content. Using all, or as much as possible, of the available metadata is the usual way to build up an Electronic Order of Battle (EOB), a map of the different entities on the battlefield and their connections. The EOB could of course be built by tapping all the conversations and trying to understand which unit is where, but using the metadata with an automatic analysis tool enables a much faster and more accurate EOB build-up, which alongside tapping gives a much better and more complete picture.
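The "who talks to whom" and "chain of command" patterns listed under military intelligence above, and the "same reporting pattern to the same command" inference in this section, as an added example that is not part of the original page. The intercept log is a constructed list of (minute, sender callsign, addressee callsign) records with invented callsigns; nothing about message content is used. The control station is taken to be the station with the most distinct counterparts, and units are grouped by the median interval between their reports to that station.

```python
import statistics
from collections import Counter, defaultdict

# Constructed intercept log: (minute, sender, addressee). Callsigns and
# traffic are invented for this example, not a real collection.
INTERCEPTS = [
    (0, "K7", "A1"), (60, "K7", "A1"), (120, "K7", "A1"), (180, "K7", "A1"),
    (5, "K9", "A1"), (65, "K9", "A1"), (125, "K9", "A1"), (185, "K9", "A1"),
    (10, "M2", "A1"), (190, "M2", "A1"), (370, "M2", "A1"),
    (15, "M4", "A1"), (195, "M4", "A1"), (375, "M4", "A1"),
    (30, "A1", "K7"), (35, "A1", "M2"), (200, "A1", "K9"), (90, "K7", "K9"),
]


def who_talks_to_whom(records):
    """Directed link counts: (sender, addressee) -> number of messages."""
    return Counter((s, d) for _, s, d in records)


def control_station(records):
    """The station with the most distinct counterparts is the likely control
    station of the net (the 'chain of command' pattern)."""
    partners = defaultdict(set)
    for _, s, d in records:
        partners[s].add(d)
        partners[d].add(s)
    return max(partners, key=lambda c: len(partners[c]))


def reporting_cadence(records, addressee):
    """Median interval (minutes) between each sender's reports to addressee."""
    times = defaultdict(list)
    for t, s, d in records:
        if d == addressee:
            times[s].append(t)
    cadence = {}
    for s, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if gaps:                       # a single report gives no cadence
            cadence[s] = statistics.median(gaps)
    return cadence


def related_units(records, addressee, tolerance=0.2):
    """Group senders that report to the same addressee on the same cadence
    (within +/- tolerance); such senders are probably related units.
    Returns [(cadence_minutes, [callsigns...]), ...] ordered by cadence."""
    cadence = reporting_cadence(records, addressee)
    groups = []
    for s, c in sorted(cadence.items(), key=lambda kv: kv[1]):
        for g in groups:
            if abs(c - g["cadence"]) <= tolerance * g["cadence"]:
                g["units"].append(s)
                break
        else:
            groups.append({"cadence": c, "units": [s]})
    return [(g["cadence"], sorted(g["units"])) for g in groups]


if __name__ == "__main__":
    hq = control_station(INTERCEPTS)
    print("control station:", hq)
    print("links:", dict(who_talks_to_whom(INTERCEPTS)))
    print("related units by cadence:", related_units(INTERCEPTS, hq))
```

On the constructed log the hub is A1, K7 and K9 share a 60-minute reporting cycle and M2 and M4 a 180-minute one, which is exactly the kind of grouping (fast-moving versus slow-moving formations, or sub-units of one command) an EOB builder would record before a single message is decrypted.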


World War I

* British analysts in World War I noticed that the call sign of German Vice Admiral Reinhard Scheer, commanding the hostile fleet, had been transferred to a land station. Admiral of the Fleet Beatty, ignorant of Scheer's practice of changing callsigns upon leaving harbor, dismissed its importance and disregarded Room 40 analysts' attempts to make the point. The German fleet sortied, and the British were late in meeting them at the Battle of Jutland. If traffic analysis had been taken more seriously, the British might have done better than a "draw".
* French military intelligence, shaped by Kerckhoffs's legacy, had erected a network of intercept stations at the Western front in pre-war times. When the Germans crossed the frontier, the French worked out crude means for direction-finding based on intercepted signal intensity. Recording of call-signs and volume of traffic further enabled them to identify German combat groups and to distinguish between fast-moving cavalry and slower infantry.


World War II

* In early World War II, the aircraft carrier ''Glorious'' was evacuating pilots and planes from Norway. Traffic analysis produced indications that German warships were moving into the North Sea, but the Admiralty dismissed the report as unproven. The captain of ''Glorious'' did not keep sufficient lookout, and was subsequently surprised and sunk. Harry Hinsley, the young Bletchley Park liaison to the Admiralty, later said his reports from the traffic analysts were taken much more seriously thereafter.
* During the planning and rehearsal for the attack on Pearl Harbor, very little traffic that could be intercepted was passed by radio. The ships, units, and commands involved were all in Japan and in touch by phone, courier, signal lamp, or even flag. None of that traffic was intercepted, so it could not be analyzed.
* The espionage effort against Pearl Harbor before December did not send an unusual number of messages; Japanese vessels regularly called in Hawaii and messages were carried aboard by consular personnel. At least one such vessel carried some Japanese Navy intelligence officers. Such messages cannot be analyzed. It has been suggested, however, that the volume of diplomatic traffic to and from certain consular stations might have indicated places of interest to Japan, which might thus have suggested locations on which to concentrate traffic analysis and decryption efforts.
* Admiral Nagumo's Pearl Harbor attack force sailed under radio silence, with its radios physically locked down. It is unclear whether this deceived the U.S.; Pacific Fleet intelligence was unable to locate the Japanese carriers in the days immediately preceding the attack on Pearl Harbor.
* The Imperial Japanese Navy played radio games to inhibit traffic analysis of the attack force after it sailed in late November. Radio operators normally assigned to carriers, each with a characteristic Morse code "fist", transmitted from inland Japanese waters, suggesting the carriers were still near Japan.
* Operation Quicksilver, part of the British deception plan for the invasion of Normandy in World War II, fed German intelligence a combination of true and false information about troop deployments in Britain, causing the Germans to deduce an order of battle which suggested an invasion at the Pas-de-Calais instead of Normandy. The fictitious divisions created for this deception were supplied with real radio units, which maintained a flow of messages consistent with the deception.


In computer security

Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol can use timing information to deduce information about passwords since, during an interactive session, SSH transmits each keystroke as a separate message. The time between keystroke messages can be studied using hidden Markov models. Song et al. claim that it can recover the password fifty times faster than a brute-force attack.

Onion routing systems are used to gain anonymity. Traffic analysis can be used to attack anonymous communication systems like the Tor anonymity network. Adam Back, Ulf Möller and Anton Stiglic present traffic analysis attacks against anonymity-providing systems. Steven J. Murdoch and George Danezis of the University of Cambridge presented research showing that traffic analysis allows adversaries to infer which nodes relay the anonymous streams. This reduces the anonymity provided by Tor. They have shown that otherwise unrelated streams can be linked back to the same initiator.

Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able to (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective.
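The SSH keystroke-timing leak described above, as an added example that is not part of the original page and not the code or the hidden Markov model of Song et al. It first finds the run of client packets that the server does not echo (a password being typed at a non-echoing prompt, after the echoed `su` command), then ranks candidate passwords by a simplified per-digraph Gaussian latency model in place of the paper's HMM. The packet trace, the digraph latency table and the echo threshold are all constructed for the demonstration; a real attacker would learn the latency table from the victim's echoed typing.

```python
import math

ECHO_MS = 40   # max server reply latency that counts as an echo (assumed)
MIN_RUN = 3    # shortest un-echoed run treated as a secret being typed (assumed)

# Constructed SSH packet trace: (time_ms, direction, size). "c2s" packets are
# keystrokes from the client, "s2c" packets are the server's replies. Invented.
TRACE = [
    (0, "c2s", 36), (12, "s2c", 36),       # 'l' (echoed)
    (180, "c2s", 36), (191, "s2c", 36),    # 's' (echoed)
    (400, "c2s", 36), (415, "s2c", 300),   # Enter; directory listing comes back
    (2000, "c2s", 36), (2011, "s2c", 36),  # 's' (echoed)
    (2150, "c2s", 36), (2162, "s2c", 36),  # 'u' (echoed)
    (2400, "c2s", 36), (2420, "s2c", 52),  # Enter; password prompt
    (4000, "c2s", 36),                     # 1st password character, no echo
    (4160, "c2s", 36),                     # 2nd
    (4280, "c2s", 36),                     # 3rd
    (4400, "c2s", 36),                     # 4th
    (4700, "c2s", 36), (4725, "s2c", 36),  # Enter; new prompt
]

# Constructed digraph latency model: (mean_ms, stdev_ms) per key pair. Invented.
DIGRAPHS = {
    ("p", "a"): (160, 25), ("a", "s"): (120, 20), ("s", "s"): (120, 20),
    ("p", "e"): (230, 30), ("e", "s"): (200, 30), ("s", "t"): (170, 25),
    ("w", "o"): (180, 30), ("o", "r"): (140, 20), ("r", "d"): (200, 30),
}
DEFAULT = (250, 80)   # prior for digraphs absent from the model


def unechoed_runs(trace, echo_ms=ECHO_MS, min_run=MIN_RUN):
    """Times of client keystrokes that get no server reply within echo_ms,
    grouped into maximal consecutive runs (password entry looks like this)."""
    replies = [t for t, d, _ in trace if d == "s2c"]
    runs, current = [], []
    for t, d, _ in trace:
        if d != "c2s":
            continue
        if any(t < r <= t + echo_ms for r in replies):   # echoed: run ends
            if len(current) >= min_run:
                runs.append(current)
            current = []
        else:
            current.append(t)
    if len(current) >= min_run:
        runs.append(current)
    return runs


def log_likelihood(candidate, intervals, model=DIGRAPHS):
    """Gaussian log-likelihood of the observed inter-keystroke intervals
    if the typed string were `candidate` (length must match)."""
    if len(candidate) != len(intervals) + 1:
        return -math.inf
    score = 0.0
    for (a, b), dt in zip(zip(candidate, candidate[1:]), intervals):
        mean, sd = model.get((a, b), DEFAULT)
        score += -0.5 * ((dt - mean) / sd) ** 2 - math.log(sd * math.sqrt(2 * math.pi))
    return score


def rank_candidates(candidates, keystroke_times):
    """Order candidate passwords by how well they explain the timing."""
    intervals = [b - a for a, b in zip(keystroke_times, keystroke_times[1:])]
    scored = [(c, log_likelihood(c, intervals)) for c in candidates]
    return sorted(scored, key=lambda cs: cs[1], reverse=True)


if __name__ == "__main__":
    for run in unechoed_runs(TRACE):
        print("un-echoed keystrokes at", run)
        print(rank_candidates(["pest", "word", "pass1", "pass"], run))
```

Only packet timing and direction are used; the payload stays encrypted throughout. The defence SSH implementations adopted is to keep interactive traffic from betraying keystroke boundaries, that is, the same masking idea as traffic-flow security, applied per session.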


Countermeasures

It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant. "It is very hard to hide information about the size or timing of messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not for most civilian applications." The military-versus-civilian problem applies in situations where the user is charged for the volume of information sent. Even for Internet access, where there is no per-packet charge, ISPs make the statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.
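The constant-rate masking described in the traffic-flow security list earlier and in this paragraph, as an added example that is not part of the original page. A sender emits one fixed-size encrypted frame every tick whether or not it has data, so a wire observer sees the same (time, size) sequence during an idle period and during a burst of messages; only the receiver, after decryption, can tell dummy frames from real ones. The frame size, tick interval, framing header and the SHA-256 counter-mode keystream are assumptions made for the demonstration; the keystream is a toy stand-in for a real authenticated cipher, not something to deploy.

```python
import hashlib
from collections import deque

FRAME_BYTES = 64    # fixed on-the-wire frame size (assumed)
TICK_MS = 50        # fixed send interval (assumed)
HEADER = 2          # [payload length][more-fragments flag], inside the encryption
PAYLOAD = FRAME_BYTES - HEADER


def keystream(key: bytes, counter: int, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; illustrative only."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def xor_stream(key: bytes, counter: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, counter, len(data))))


class PaddedSender:
    """Emits exactly one FRAME_BYTES frame per tick, real or dummy."""

    def __init__(self, key: bytes):
        self.key, self.counter, self.queue = key, 0, deque()

    def send(self, message: bytes):
        chunks = [message[i:i + PAYLOAD] for i in range(0, len(message), PAYLOAD)]
        for i, c in enumerate(chunks):
            self.queue.append((c, i < len(chunks) - 1))   # (chunk, more?)

    def tick(self) -> bytes:
        chunk, more = self.queue.popleft() if self.queue else (b"", False)
        body = bytes([len(chunk), int(more)]) + chunk
        body += b"\x00" * (FRAME_BYTES - len(body))       # pad to fixed size
        frame = xor_stream(self.key, self.counter, body)
        self.counter += 1
        return frame


class PaddedReceiver:
    """Decrypts frames, drops dummies (length 0) and reassembles messages."""

    def __init__(self, key: bytes):
        self.key, self.counter, self.partial, self.messages = key, 0, b"", []

    def receive(self, frame: bytes):
        body = xor_stream(self.key, self.counter, frame)
        self.counter += 1
        length, more = body[0], body[1]
        if length == 0:
            return                                         # dummy frame
        self.partial += body[HEADER:HEADER + length]
        if not more:
            self.messages.append(self.partial)
            self.partial = b""


def run(schedule, ticks, key=b"demo-key"):
    """Drive the link for `ticks` ticks; schedule maps tick -> message.
    Returns (what a wire observer sees as (time_ms, size), received messages)."""
    tx, rx = PaddedSender(key), PaddedReceiver(key)
    wire = []
    for t in range(ticks):
        if t in schedule:
            tx.send(schedule[t])
        frame = tx.tick()
        wire.append((t * TICK_MS, len(frame)))
        rx.receive(frame)
    return wire, rx.messages


def wire_overhead(wire, messages):
    """(bytes on the wire, useful bytes delivered): the masking cost."""
    return sum(size for _, size in wire), sum(len(m) for m in messages)


if __name__ == "__main__":
    busy, got = run({2: b"ATTACK AT DAWN", 5: b"x" * 150}, 20)
    idle, _ = run({}, 20)
    print("observer sees the same thing when busy and idle:", busy == idle)
    print("delivered:", got, "overhead:", wire_overhead(busy, got))
```

The overhead figure is the civilian objection quoted above made concrete: twenty ticks cost 1280 bytes on the wire to deliver 164 useful bytes, and the link stays at that rate around the clock whether anyone is typing or not.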


See also

* Chatter (signals intelligence)
* Data warehouse
* ECHELON
* Electronic order of battle
* ELINT
* Pattern-of-life analysis
* SIGINT
* Social network analysis
* Telecommunications data retention
* Zendian Problem




Further reading

* http://www.cyber-rights.org/interception/stoa/interception_capabilities_2000.htm — a study by Duncan Campbell
* https://web.archive.org/web/20070713232218/http://www.onr.navy.mil/02/baa/docs/07-026_07_026_industry_briefing.pdf
* Selected Papers in Anonymity — on Free Haven