TRAFFIC ANALYSIS is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic.
IN MILITARY INTELLIGENCE
In a military context, traffic analysis is a basic part of signals intelligence, and can be a source of information about the intentions and actions of the target. Representative patterns include:
* Frequent communications – can denote planning
* Rapid, short communications – can denote negotiations
* A lack of communication – can indicate a lack of activity, or completion of a finalized plan
* Frequent communication to specific stations from a central station – can highlight the chain of command
* Who talks to whom – can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station
* Who talks when – can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
* Who changes from station to station, or medium to medium – can indicate movement, fear of interception
There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them.
TRAFFIC FLOW SECURITY
TRAFFIC-FLOW SECURITY is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:
* changing radio callsigns frequently
* encryption of a message's sending and receiving addresses (CODRESS MESSAGES)
* causing the circuit to appear busy at all times or much of the time by sending dummy traffic
* sending a continuous encrypted signal, whether or not traffic is being transmitted. This is also called MASKING or LINK ENCRYPTION.
Traffic-flow security is one aspect of communications security.
COMINT METADATA ANALYSIS
COMMUNICATIONS' METADATA INTELLIGENCE, or COMINT METADATA, is a term in communications intelligence (COMINT) referring to the concept of producing intelligence by analyzing only the technical metadata; it is therefore a clear practical example of traffic analysis in intelligence.
While information gathering in COMINT has traditionally been derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, metadata intelligence is based not on content but on technical communications data.
Non-content COMINT is usually used to deduce information about the user of a certain transmitter, such as location, contacts, activity volume, routine and its exceptions.
For example, if a certain emitter is known to be the radio transmitter of a certain unit, and the position of the emitter can be located with direction-finding (DF) tools, then its changes of location can be monitored. In that way the analyst can tell that this unit is moving from one point to another without listening to any orders or reports. If the unit is known to report back to a command on a certain pattern, and another unit is known to report on the same pattern to the same command, then the two units are probably related; that conclusion rests on the metadata of the two units' transmissions, not on the content of their transmissions.
Using all, or as much as possible, of the available metadata is common practice for building up an Electronic Order of Battle (EOB), a map of the different entities on the battlefield and their connections. The EOB could of course be built by tapping all the conversations and trying to work out which unit is where, but using the metadata with an automatic analysis tool enables a much faster and more accurate EOB build-up, which alongside tapping yields a much better and more complete picture.
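The two metadata heuristics just described (many distinct emitters reporting to one station mark a likely control station; two emitters reporting to the same station on the same schedule are probably related) can be run over nothing more than who-called-whom-when records. The following is an added illustration, not code from the article or from any intelligence tool; the intercept log is constructed, the callsigns are invented, and the 10-minute tolerance for "same pattern" is an assumed threshold.

```python
from collections import Counter, defaultdict
from itertools import combinations
from statistics import median

# Constructed sample intercept log: (minute, emitter, receiver).
# Each row is a signal hit with no content, only technical metadata.
SAMPLE_RECORDS = [
    (0, "A1", "HQ"), (60, "A1", "HQ"), (120, "A1", "HQ"), (180, "A1", "HQ"),
    (5, "A2", "HQ"), (66, "A2", "HQ"), (124, "A2", "HQ"), (186, "A2", "HQ"),
    (10, "B1", "HQ"), (250, "B1", "HQ"),
    (30, "C1", "A1"), (90, "C1", "A1"), (150, "C1", "A1"),
    (2, "HQ", "A1"), (3, "HQ", "A2"), (4, "HQ", "B1"),
]


def contacts(records):
    """Who talks to whom: map each receiver to the set of emitters that call it."""
    callers = defaultdict(set)
    for _, src, dst in records:
        callers[dst].add(src)
    return callers


def control_stations(records):
    """Rank stations by the number of distinct emitters reporting to them.

    A station that many others report to is a candidate 'control station'
    (the chain-of-command indicator from the article).  Ties break by name.
    """
    callers = contacts(records)
    return sorted(callers, key=lambda s: (-len(callers[s]), s))


def reporting_pattern(records, emitter):
    """(primary receiver, median minutes between transmissions) for one emitter.

    Returns None when the emitter was heard fewer than twice, since a single
    hit gives no schedule.
    """
    hits = sorted((t, dst) for t, src, dst in records if src == emitter)
    if len(hits) < 2:
        return None
    primary = Counter(dst for _, dst in hits).most_common(1)[0][0]
    times = [t for t, _ in hits]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return primary, median(gaps)


def related_units(records, tolerance=10):
    """Pairs of emitters that report to the same receiver on a similar schedule.

    Same primary receiver plus a reporting interval within `tolerance`
    minutes is the 'same pattern to the same command' heuristic.
    """
    emitters = sorted({src for _, src, _ in records})
    patterns = {e: reporting_pattern(records, e) for e in emitters}
    pairs = []
    for a, b in combinations(emitters, 2):
        pa, pb = patterns[a], patterns[b]
        if pa and pb and pa[0] == pb[0] and abs(pa[1] - pb[1]) <= tolerance:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    print("control stations:", control_stations(SAMPLE_RECORDS))
    for e in ("A1", "A2", "B1", "C1"):
        print(e, reporting_pattern(SAMPLE_RECORDS, e))
    print("probably related:", related_units(SAMPLE_RECORDS))
```

On the constructed log, HQ ranks first because three distinct emitters call it, and A1 and A2 are flagged as related because both report to HQ on an hourly schedule, while B1 (reporting every four hours) and C1 (reporting to A1, not HQ) are not. From the defender's side the same computation shows what an operator leaks by keeping a fixed schedule and a fixed addressee, which is why the traffic-flow-security measures above target exactly those regularities.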
EXAMPLES
WORLD WAR I
* British analysts in World War I
WORLD WAR II
* In early World War II
IN COMPUTER SECURITY
Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able to (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective.
It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be MASKED by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant. "It is very hard to hide information about the size or timing of messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use... This might be acceptable for military applications, but it is not for most civilian applications." The military-versus-civilian problem applies in situations where the user is charged for the volume of information sent.
Even for Internet access, where there is not a per-packet charge, ISPs make the statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.
SEE ALSO
* Chatter (signals intelligence)
FURTHER READING
* Ferguson, Niels; Schneier, Bruce (2003). Practical Cryptography. p. 114. ISBN 0-471-22357-3.
* Wang XY, Chen S, Jajodia S (November 2005). "Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet" (PDF). Proceedings of the 12th ACM Conference on Computer Communications Security (CCS 2005).
* FMV Sweden
* Multi-source data fusion in NATO coalition operations
* request for COMINT metadata analysts
* http://www.cyber-rights.org/interception/stoa/interception_capabilities_2000.htm – a study by Duncan Campbell
* http://www.onr.navy.mil/02/baa/docs/07-026_07_026_industry_briefing.pdf
* Selected Papers in Anonymity – on Free Haven