Traffic analysis
   HOME

TheInfoList



OR:

Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in
communication Communication is commonly defined as the transmission of information. Its precise definition is disputed and there are disagreements about whether Intention, unintentional or failed transmissions are included and whether communication not onl ...
. It can be performed even when the messages are encrypted. In general, the greater the number of messages observed, the greater information be inferred. Traffic analysis can be performed in the context of
military intelligence Military intelligence is a military discipline that uses information collection and analysis List of intelligence gathering disciplines, approaches to provide guidance and direction to assist Commanding officer, commanders in decision making pr ...
, counter-intelligence, or pattern-of-life analysis, and is also a concern in
computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
. Traffic analysis tasks may be supported by dedicated computer
software Software consists of computer programs that instruct the Execution (computing), execution of a computer. Software also includes design documents and specifications. The history of software is closely tied to the development of digital comput ...
programs. Advanced traffic analysis techniques which may include various forms of
social network analysis Social network analysis (SNA) is the process of investigating social structures through the use of networks and graph theory. It characterizes networked structures in terms of ''nodes'' (individual actors, people, or things within the network) ...
. Traffic analysis has historically been a vital technique in
cryptanalysis Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic se ...
, especially when the attempted crack depends on successfully seeding a known-plaintext attack, which often requires an inspired guess based on how specific the operational context might likely influence what an adversary communicates, which may be sufficient to establish a short crib.


Breaking the anonymity of networks

Traffic analysis method can be used to break the
anonymity Anonymity describes situations where the acting person's identity is unknown. Anonymity may be created unintentionally through the loss of identifying information due to the passage of time or a destructive event, or intentionally if a person cho ...
of anonymous networks, e.g., TORs. There are two methods of traffic-analysis attack, passive and active. *In passive traffic-analysis method, the attacker extracts features from the traffic of a specific flow on one side of the network and looks for those features on the other side of the network. *In active traffic-analysis method, the attacker alters the timings of the packets of a flow according to a specific pattern and looks for that pattern on the other side of the network; therefore, the attacker can link the flows in one side to the other side of the network and break the anonymity of it. It is shown, although timing noise is added to the packets, there are active traffic analysis methods robust against such a noise.


In military intelligence

In a military context, traffic analysis is a basic part of
signals intelligence Signals intelligence (SIGINT) is the act and field of intelligence-gathering by interception of ''signals'', whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly u ...
, and can be a source of information about the intentions and actions of the target. Representative patterns include: * Frequent communications – can denote planning * Rapid, short communications – can denote negotiations * A lack of communication – can indicate a lack of activity, or completion of a finalized plan * Frequent communication to specific stations from a central station – can highlight the chain of command * Who talks to whom – can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station * Who talks when – can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations * Who changes from station to station, or medium to medium – can indicate movement, fear of interception There is a close relationship between traffic analysis and
cryptanalysis Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic se ...
(commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving hints to pending objectives or movements to cryptanalysts.


Traffic flow security

Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include: * changing radio callsigns frequently * encryption of a message's sending and receiving addresses (codress messages) * causing the circuit to appear busy at all times or much of the time by sending dummy
traffic Traffic is the movement of vehicles and pedestrians along land routes. Traffic laws govern and regulate traffic, while rules of the road include traffic laws and informal rules that may have developed over time to facilitate the orderly an ...
* sending a continuous encrypted
signal A signal is both the process and the result of transmission of data over some media accomplished by embedding some variation. Signals are important in multiple subject fields including signal processing, information theory and biology. In ...
, whether or not traffic is being transmitted. This is also called masking or link encryption. Traffic-flow security is one aspect of
communications security Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients. In the North Atlantic Treaty Organization ...
.


COMINT metadata analysis

The Communications' Metadata Intelligence, or COMINT metadata is a term in communications intelligence (COMINT) referring to the concept of producing intelligence by analyzing only the technical
metadata Metadata (or metainformation) is "data that provides information about other data", but not the content of the data itself, such as the text of a message or the image itself. There are many distinct types of metadata, including: * Descriptive ...
, hence, is a great practical example for traffic analysis in intelligence. While traditionally information gathering in COMINT is derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, the metadata intelligence is not based on content but on technical communicational data. Non-content COMINT is usually used to deduce information about the user of a certain transmitter, such as locations, contacts, activity volume, routine and its exceptions.


Examples

For example, if an emitter is known as the radio transmitter of a certain unit, and by using direction finding (DF) tools, the position of the emitter is locatable, the change of locations from one point to another can be deduced, without listening to any orders or reports. If one unit reports back to a command on a certain pattern, and another unit reports on the same pattern to the same command, the two units are probably related. That conclusion is based on the
metadata Metadata (or metainformation) is "data that provides information about other data", but not the content of the data itself, such as the text of a message or the image itself. There are many distinct types of metadata, including: * Descriptive ...
of the two units' transmissions, not on the content of their transmissions. Using all or as much of the metadata available is commonly used to build up an Electronic Order of Battle (EOB) by mapping different entities in the battlefield and their connections. Of course, the EOB could be built by tapping all the conversations and trying to understand, which unit is where, but using the metadata with an automatic analysis tool enables a much faster and accurate EOB build-up, which, alongside tapping, builds a much better and complete picture.


World War I

* British analysts during
World War I World War I or the First World War (28 July 1914 – 11 November 1918), also known as the Great War, was a World war, global conflict between two coalitions: the Allies of World War I, Allies (or Entente) and the Central Powers. Fighting to ...
noticed that the
call sign In broadcasting and radio communications, a call sign (also known as a call name or call letters—and historically as a call signal—or abbreviated as a call) is a unique identifier for a transmitter station. A call sign can be formally as ...
of German Vice Admiral Reinhard Scheer, commanding the hostile fleet, had been transferred to a land station. Admiral of the Fleet Beatty, ignorant of Scheer's practice of changing call signs upon leaving harbour, dismissed its importance and disregarded Room 40 analysts' attempts to make the point. The German fleet sortied, and the British were late in meeting them at the Battle of Jutland. If traffic analysis had been taken more seriously, the British might have done better than a "draw". * French military intelligence, shaped by Auguste Kerckhoffs's legacy, had erected a network of intercept stations at the Western Front in pre-war times. When the Germans crossed the frontier, the French worked out crude means for direction-finding based on intercepted signal intensity. The recording of call signs and of traffic volumes further enabled the French to identify German combat groups and to distinguish fast-moving cavalry from slower infantry.


World War II

* In the early part of
World War II World War II or the Second World War (1 September 1939 – 2 September 1945) was a World war, global conflict between two coalitions: the Allies of World War II, Allies and the Axis powers. World War II by country, Nearly all of the wo ...
, the
aircraft carrier An aircraft carrier is a warship that serves as a seagoing airbase, equipped with a full-length flight deck and hangar facilities for supporting, arming, deploying and recovering carrier-based aircraft, shipborne aircraft. Typically it is the ...
was evacuating pilots and planes from
Norway Norway, officially the Kingdom of Norway, is a Nordic countries, Nordic country located on the Scandinavian Peninsula in Northern Europe. The remote Arctic island of Jan Mayen and the archipelago of Svalbard also form part of the Kingdom of ...
. Traffic analysis produced indications and were moving into the
North Sea The North Sea lies between Great Britain, Denmark, Norway, Germany, the Netherlands, Belgium, and France. A sea on the European continental shelf, it connects to the Atlantic Ocean through the English Channel in the south and the Norwegian Se ...
, but the Admiralty dismissed the report as unproven. The captain of ''Glorious'' did not keep sufficient lookout and was subsequently surprised and sunk. Harry Hinsley, the young
Bletchley Park Bletchley Park is an English country house and Bletchley Park estate, estate in Bletchley, Milton Keynes (Buckinghamshire), that became the principal centre of Allies of World War II, Allied World War II cryptography, code-breaking during the S ...
liaison to the Admiralty, later said that his reports from the traffic analysts were taken much more seriously thereafter. * During the planning and rehearsal for the
attack on Pearl Harbor The attack on Pearl HarborAlso known as the Battle of Pearl Harbor was a surprise military strike by the Empire of Japan on the United States Pacific Fleet at Naval Station Pearl Harbor, its naval base at Pearl Harbor on Oahu, Territory of ...
, very little traffic was passed by radio, subject to interception. The ships, units, and commands involved were all in Japan and in touch by phone, courier, signal lamp, or even flag. None of that traffic was intercepted, and could not be analyzed. * The espionage effort against Pearl Harbor before December did not send an unusual number of messages; Japanese vessels regularly called in Hawaii and messages were carried aboard by consular personnel. At least one such vessel carried some Japanese Navy Intelligence officers. Such messages could not be analyzed. It has been suggested, however, the volume of diplomatic traffic to and from certain consular stations might have indicated places of interest to Japan, which might thus have suggested locations to concentrate traffic analysis and decryption efforts. * Admiral Nagumo's Pearl Harbor Attack Force sailed under radio silence, with its radios physically locked down. It is unclear if that deceived the US since Pacific Fleet intelligence had been unable to locate the Japanese carriers in the days immediately preceding the
attack on Pearl Harbor The attack on Pearl HarborAlso known as the Battle of Pearl Harbor was a surprise military strike by the Empire of Japan on the United States Pacific Fleet at Naval Station Pearl Harbor, its naval base at Pearl Harbor on Oahu, Territory of ...
. * The Japanese Navy played radio games to inhibit traffic analysis (see Examples, below) with the attack force after it sailed in late November. Radio operators normally assigned to carriers, with a characteristic Morse Code " fist", transmitted from inland Japanese waters, suggesting the carriers were still near Japan. * Operation Quicksilver, part of the British deception plan for the Invasion of Normandy during World War II fed German intelligence a combination of true and false information about troop deployments in Britain, which caused the Germans to deduce an order of battle that suggested an invasion at the
Pas-de-Calais The Pas-de-Calais (, ' strait of Calais'; ; ) is a department in northern France named after the French designation of the Strait of Dover, which it borders. It has the most communes of all the departments of France, with 890, and is the ...
, instead of Normandy. The fictitious divisions that were created for the deception were supplied with real radio units, which maintained a flow of messages that was consistent with the deception.


In computer security

Traffic analysis is also a concern in
computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol can use timing information to deduce information about
password A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services t ...
s since, during interactive session, SSH transmits each keystroke as a message. The time between keystroke messages can be studied using hidden Markov models. Song, ''et al.'' claim that it can recover the password fifty times faster than a brute force attack.
Onion routing Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to the layers of an onion. The encrypted data is transmitted through a series o ...
systems are used to gain anonymity. Traffic analysis can be used to attack anonymous communication systems like the Tor anonymity network. Adam Back, Ulf Möeller and Anton Stiglic present traffic analysis attacks against anonymity providing systems. Steven J. Murdoch and George Danezis from University of Cambridge presented research showing that traffic-analysis allows adversaries to infer which nodes relay the anonymous streams. This reduces the anonymity provided by Tor. They have shown that otherwise unrelated streams can be linked back to the same initiator. Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able to (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective. Traffic analysis involves intercepting and scrutinizing cybersecurity threats to gather valuable insights about anonymous data flowing through the exit node. By using technique rooted in
dark web The dark web is the World Wide Web content that exists on darknets ( overlay networks) that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communica ...
crawling and specializing software, one can identify the specific characteristics of a client's network traffic within the dark web.


Countermeasures

It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant. "It is very hard to hide information about the size or timing of messages. The known solutions require
Alice Alice may refer to: * Alice (name), most often a feminine given name, but also used as a surname Literature * Alice (''Alice's Adventures in Wonderland''), a character in books by Lewis Carroll * ''Alice'' series, children's and teen books by ...
to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not for most civilian applications." The military-versus-civilian problems applies in situations where the user is charged for the volume of information sent. Even for Internet access, where there is not a per-packet charge, ISPs make statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.


See also

* Chatter (signals intelligence) *
Data warehouse In computing, a data warehouse (DW or DWH), also known as an enterprise data warehouse (EDW), is a system used for Business intelligence, reporting and data analysis and is a core component of business intelligence. Data warehouses are central Re ...
* ECHELON * Electronic order of battle *
ELINT Signals intelligence (SIGINT) is the act and field of intelligence-gathering by interception of ''signals'', whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly u ...
* Pattern-of-life analysis * SIGINT *
Social network analysis Social network analysis (SNA) is the process of investigating social structures through the use of networks and graph theory. It characterizes networked structures in terms of ''nodes'' (individual actors, people, or things within the network) ...
* Telecommunications data retention * Zendian Problem


References

* *
FMV SwedenMulti-source data fusion in NATO coalition operations


Further reading

*http://www.cyber-rights.org/interception/stoa/interception_capabilities_2000.htm — a study by Duncan Campbell *https://web.archive.org/web/20070713232218/http://www.onr.navy.mil/02/baa/docs/07-026_07_026_industry_briefing.pdf
Selected Papers in Anonymity
— on Free Haven {{DEFAULTSORT:Traffic Analysis Cryptographic attacks Intelligence analysis Military communications Telecommunications