Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication, which can be performed even when the messages are encrypted.[1] In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.

Traffic analysis tasks may be supported by dedicated computer software programs. Advanced traffic analysis techniques may include various forms of social network analysis.

Breaking the anonymity of networks

Traffic analysis methods can be used to break the anonymity of anonymous networks, e.g., Tor.[1] There are two methods of traffic-analysis attack: passive and active.

  • In the passive traffic-analysis method, the attacker extracts features from the traffic of a specific flow on one side of the network and looks for those features on the other side of the network.
  • In the active traffic-analysis method, the attacker alters the timings of the packets of a flow according to a specific pattern and looks for that pattern on the other side of the network; the attacker can therefore link the flows on one side of the network to those on the other side and break its anonymity. It has been shown that, even when timing noise is added to the packets, there are active traffic-analysis methods robust against such noise.[1]

In military intelligence

In a military context, traffic analysis is a basic part of signals intelligence, and can be a source of information about the intentions and actions of the target. Representative patterns include:

  • Frequent communications – can denote planning
  • Rapid, short communications – can denote negotiations
  • A lack of communication – can indicate a lack of activity, or completion of a finalized plan
  • Frequent communication to specific stations from a central station – can highlight the chain of command
  • Who talks to whom – can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station
  • Who talks when – can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
  • Who changes from station to station, or medium to medium – can indicate movement, fear of interception

There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving hints to pending objectives or movements to cryptanalysts.

Traffic flow security

Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:

  • changing radio callsigns frequently
  • encryption of a message's sending and receiving addresses (codress messages)
  • causing the circuit to appear busy at all times or much of the time by sending dummy traffic

Traffic-flow security is one aspect of communications security.
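An added illustration of the dummy-traffic technique listed above (not part of the original article): a constant-rate link that sends exactly one fixed-size cell per time slot, so an observer records the same pattern whether the sender is busy or idle. The cell size, the slot model and the sample schedules are assumptions made for this example, and it assumes link encryption makes real and dummy cells indistinguishable.

```python
from collections import deque

CELL = 512  # fixed cell size in bytes (assumed value for this example)

def observer_view(wire):
    """What a passive eavesdropper on the link records per slot: (packets, bytes)."""
    return [(len(slot), sum(slot)) for slot in wire]

def send_unpadded(schedule):
    """Every message is transmitted in the slot it was written, at its true size."""
    return [list(sizes) for sizes in schedule]

def send_padded(schedule, n_slots, cell=CELL):
    """Constant-rate link: exactly one fixed-size cell per slot, real or dummy."""
    queue = deque()          # arrival slot of each real cell still waiting
    wire, delays, dummies = [], [], 0
    for slot in range(n_slots):
        for size in (schedule[slot] if slot < len(schedule) else []):
            queue.extend([slot] * -(-size // cell))   # ceil: split into cells
        if queue:
            delays.append(slot - queue.popleft())     # real cell, delayed by queueing
        else:
            dummies += 1                              # nothing to send: emit a dummy
        wire.append([cell])                           # on the wire both look alike
    return wire, delays, dummies, len(queue)

# Constructed sample schedules: message sizes (bytes) written in each time slot.
BUSY = [[], [1200, 300], [], [], [80], [], [], []]
IDLE = [[] for _ in range(8)]

if __name__ == "__main__":
    print("unpadded busy:", observer_view(send_unpadded(BUSY)))
    print("unpadded idle:", observer_view(send_unpadded(IDLE)))
    for name, sched in (("busy", BUSY), ("idle", IDLE)):
        wire, delays, dummies, backlog = send_padded(sched, 8)
        print(name, observer_view(wire), "delays", delays,
              "dummies", dummies, "backlog", backlog)
```

The return values show the cost of the measure: queued cells wait up to three slots, and the idle link still carries eight dummy cells.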

COMINT metadata analysis