Traffic analysis
Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security.
Traffic analysis tasks may be supported by dedicated computer software programs, including commercially available programs such as those offered by i2, Visual Analytics, Memex, Orion Scientific, Pacific Northwest National Labs, Genesis EW's GenCOM Suite, SynerScope and others. Advanced traffic analysis techniques may include various forms of social network analysis.
In military intelligence
In a military context, traffic analysis is a basic part of signals intelligence (SIGINT), and can be a source of information about the intentions and actions of the enemy. Representative patterns include:
- Frequent communications — can denote planning
- Rapid, short, communications — can denote negotiations
- A lack of communication — can indicate a lack of activity, or completion of a finalized plan
- Frequent communication to specific stations from a central station — can highlight the chain of command
- Who talks to whom — can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station
- Who talks when — can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
- Who changes from station to station, or medium to medium — can indicate movement, fear of interception
There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, so the traffic analyst needs the cryptanalyst's help to identify them. Conversely, traffic volume can often be a sign of an addressee's importance, giving cryptanalysts hints about pending objectives or movements.
Traffic flow security
Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:
- changing radio callsigns frequently
- encryption of a message's sending and receiving addresses (codress messages)
- causing the circuit to appear busy at all times or much of the time by sending dummy traffic
- sending a continuous encrypted signal, whether or not traffic is being transmitted. This is also called masking or link encryption.
Traffic-flow security is one aspect of communications security.
COMINT metadata analysis
Communications metadata intelligence (COMINT metadata) is a term in COMINT for producing intelligence by analyzing only the technical metadata of communications, and is thus a direct practical instance of traffic analysis. While traditionally information gathering in COMINT is derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, metadata intelligence is based not on content but on technical communication data.
Non-content COMINT is usually used to derive information about the user of a particular transmitter, such as location, contacts, activity volume, routine and exceptions to that routine.
Examples
For example, if a certain emitter is known to be the radio transmitter of a certain unit, and its position can be located with direction finding (DF) tools, then changes of its location can be monitored. In that way the analyst can tell that the unit is moving from one point to another without listening to any orders or reports. If the unit is known to report to a command on a certain pattern, and another unit reports on the same pattern to the same command, then the two units are probably related; that conclusion rests on the metadata of the two units' transmissions, not on their content.
Using all, or as much as possible, of the available metadata is the usual way to build an Electronic Order of Battle (EOB): a map of the entities on the battlefield and their connections. The EOB could of course be built by tapping all the conversations and working out which unit is where, but using the metadata with an automatic analysis tool gives a much faster and more accurate EOB build-up, which alongside content interception produces a better and more complete picture.
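The DF-and-schedule reasoning above, as an added worked example that is not part of the original article: constructed intercept records carrying only metadata (time, emitter, addressee and one bearing from each of two hypothetical DF stations at assumed positions) are turned into position fixes, movement estimates and "probably related" unit pairs. The station coordinates, the emitter names and the ground-truth table used to synthesise the log are all assumptions.

```python
import math
from collections import defaultdict
from itertools import combinations

# Two hypothetical direction-finding (DF) stations at constructed positions
# (km east, km north). A real EOB tool would use surveyed station coordinates.
STATIONS = {"DF1": (0.0, 0.0), "DF2": (40.0, 0.0)}


def bearing_to(station, point):
    """Compass bearing (degrees clockwise from north) from a DF station to a point.
    Used here only to synthesise the constructed intercept log; operationally the
    bearing is what the DF receiver measures."""
    (sx, sy), (px, py) = STATIONS[station], point
    return math.degrees(math.atan2(px - sx, py - sy)) % 360.0


def fix_position(bearings):
    """Intersect the lines of bearing from DF1 and DF2 to estimate where the
    emitter is. Returns (x, y), or None when the two lines are (nearly) parallel,
    which happens when the emitter sits on the baseline between the stations."""
    (x1, y1), (x2, y2) = STATIONS["DF1"], STATIONS["DF2"]
    b1, b2 = math.radians(bearings["DF1"]), math.radians(bearings["DF2"])
    d1 = (math.sin(b1), math.cos(b1))   # unit vector along the bearing (east, north)
    d2 = (math.sin(b2), math.cos(b2))
    # Solve p1 + t*d1 = p2 + s*d2 for t (Cramer's rule on a 2x2 system).
    det = -d1[0] * d2[1] + d1[1] * d2[0]
    if abs(det) < 1e-9:
        return None
    rx, ry = x2 - x1, y2 - y1
    t = (-rx * d2[1] + ry * d2[0]) / det
    return (x1 + t * d1[0], y1 + t * d1[1])


# Constructed ground truth used only to generate the sample log: where each emitter
# really was when it transmitted, and to whom. The analyst never sees this table.
_TRUTH = [
    ("06:00", "E1", "HQ", (20.0, 20.0)), ("06:00", "E2", "HQ", (10.0, 35.0)),
    ("06:30", "E3", "HQ", (30.0, 50.0)), ("12:00", "E1", "HQ", (24.0, 32.0)),
    ("12:00", "E2", "HQ", (10.0, 35.0)), ("12:30", "E3", "HQ", (31.0, 49.0)),
    ("18:00", "E1", "HQ", (28.0, 44.0)), ("18:00", "E2", "HQ", (10.0, 35.0)),
]

# What the intercept site actually records: time, emitter identity (from the
# callsign or the transmitter's fingerprint), addressee, and one bearing per DF
# station. No message content appears anywhere in this log.
INTERCEPT_LOG = [
    {"t": t, "emitter": e, "to": dest,
     "DF1": bearing_to("DF1", pos), "DF2": bearing_to("DF2", pos)}
    for t, e, dest, pos in _TRUTH
]


def track(log, emitter):
    """Time-ordered position fixes for one emitter, derived purely from metadata."""
    return [(r["t"], fix_position(r)) for r in log if r["emitter"] == emitter]


def displacement_km(log, emitter):
    """Straight-line distance between an emitter's first and last fix: a non-zero
    value says the unit moved, without anyone having read its orders."""
    fixes = [p for _, p in track(log, emitter) if p is not None]
    if len(fixes) < 2:
        return 0.0
    (ax, ay), (bx, by) = fixes[0], fixes[-1]
    return math.hypot(bx - ax, by - ay)


def reporting_schedule(log, command):
    """The times at which each emitter reports to `command`: its reporting pattern."""
    sched = defaultdict(set)
    for r in log:
        if r["to"] == command:
            sched[r["emitter"]].add(r["t"])
    return {e: frozenset(ts) for e, ts in sched.items()}


def related_units(log, command):
    """Pairs of emitters that report to the same command on the same schedule, and
    are therefore probably part of the same formation: one edge of the EOB graph."""
    sched = reporting_schedule(log, command)
    return sorted((a, b) for a, b in combinations(sorted(sched), 2) if sched[a] == sched[b])


if __name__ == "__main__":
    for unit in ("E1", "E2", "E3"):
        print(unit, "moved %.1f km" % displacement_km(INTERCEPT_LOG, unit))
    print("probably related:", related_units(INTERCEPT_LOG, "HQ"))
```

Running the script reports that E1 moved about 25 km between its first and last report while E2 stayed put, and that E1 and E2 share a reporting schedule to HQ. Note the failure mode that fix_position handles: an emitter on the baseline between the two stations produces parallel bearings and no fix, which is why a real EOB tool wants bearings from at least three stations.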
World War I
- British analysts in World War I noticed that the call sign of German Vice Admiral Reinhard Scheer, commanding the hostile fleet, had been transferred to a land-based station. Admiral of the Fleet Beatty, ignorant of Scheer's practice of changing callsigns upon leaving harbor, dismissed its importance and disregarded Room 40 analysts' attempts to make the point. The German fleet sortied, and the British were late in meeting them at the Battle of Jutland. If traffic analysis had been taken more seriously, the British might have done better than a 'draw'.
- French military intelligence, shaped by Kerckhoffs's legacy, had erected a network of intercept stations at the Western front in pre-war times. When the Germans crossed the frontier the French worked out crude means for direction-finding based on intercepted signal intensity. Recording of call-signs and volume of traffic further enabled them to identify German combat groups and to distinguish between fast-moving cavalry and slower infantry.
World War II
- In early World War II, the aircraft carrier HMS Glorious was evacuating pilots and planes from Norway. Traffic analysis produced indications that Scharnhorst and Gneisenau were moving into the North Sea, but the Admiralty dismissed the report as unproven. The captain of Glorious did not keep sufficient lookout, and was subsequently surprised and sunk. Harry Hinsley, the young Bletchley Park liaison to the Admiralty, later said his reports from the traffic analysts were taken much more seriously thereafter.
- During the planning and rehearsal for the attack on Pearl Harbor, very little traffic passed by radio, subject to interception. The ships, units, and commands involved were all in Japan and in touch by phone, courier, signal lamp, or even flag. None of that traffic was intercepted, and so it could not be analyzed.
- The espionage effort against Pearl Harbor before December didn't send an unusual number of messages; Japanese vessels regularly called in Hawaii and messages were carried aboard by consular personnel. At least one such vessel carried some Japanese Navy Intelligence officers. Such messages cannot be analyzed. It has been suggested, however, that the volume of diplomatic traffic to and from certain consular stations might have indicated places of interest to Japan, which might thus have suggested locations on which to concentrate traffic analysis and decryption efforts.
- Admiral Nagumo's Pearl Harbor Attack Force sailed under radio silence, with its radios physically locked down. It is unclear if this deceived the U.S.; Pacific Fleet intelligence was unable to locate the Japanese carriers in the days immediately preceding the attack on Pearl Harbor.
- The Japanese Navy played radio games to inhibit traffic analysis of the attack force after it sailed in late November. Radio operators normally assigned to carriers, with a characteristic Morse Code "fist", transmitted from inland Japanese waters, suggesting the carriers were still near Japan.
- Operation Quicksilver, part of the British deception plan for the Invasion of Normandy in World War II, fed German intelligence a combination of true and false information about troop deployments in Britain, causing the Germans to deduce an order of battle which suggested an invasion at the Pas-de-Calais instead of Normandy. The fictitious divisions created for this deception were supplied with real radio units, which maintained a flow of messages consistent with the deception.
In computer security
Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol can use timing information to deduce information about passwords since, during an interactive session, SSH transmits each keystroke as a separate message. The time between keystroke messages can be studied using hidden Markov models. Song, et al. claim that this can recover the password fifty times faster than a brute force attack.
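A deliberately simplified version of the keystroke-timing inference described above, added here as an illustration and not taken from Song et al.: instead of their hidden Markov model it uses one Gaussian latency distribution per digraph class (same hand or alternating hands on a QWERTY keyboard) to rank a dictionary of candidate passwords against the inter-packet gaps of a constructed SSH capture. The latency figures, the packet times and the candidate list are all assumptions.

```python
import math

# Keyboard halves, assumed QWERTY. Characters absent from both sets are treated as
# right-hand keys. This coarse two-class model is an illustrative assumption; Song
# et al. fit a richer hidden Markov model to measured inter-keystroke latencies.
LEFT_HAND = set("qwertasdfgzxcvb12345")
RIGHT_HAND = set("yuiophjklnm67890")


def hand(ch):
    return "L" if ch in LEFT_HAND else "R"


# Constructed latency model (milliseconds): mean and standard deviation of the gap
# between two keystrokes, keyed by (hand of first key, hand of second key).
# Alternating-hand digraphs are typed faster than same-hand ones. These numbers are
# illustrative, not measurements.
LATENCY_MODEL = {
    ("L", "L"): (150.0, 30.0), ("R", "R"): (150.0, 30.0),
    ("L", "R"): (100.0, 20.0), ("R", "L"): (100.0, 20.0),
}


def intervals_from_timestamps(times_ms):
    """Gaps between consecutive client-to-server packets. In an interactive SSH
    session each keystroke is its own packet, so these are inter-keystroke latencies
    even though the payload is encrypted."""
    return [b - a for a, b in zip(times_ms, times_ms[1:])]


def log_likelihood(candidate, intervals):
    """Log-probability of the observed intervals if `candidate` was what was typed,
    under a Gaussian latency per digraph class."""
    # The packet count alone gives away the length; a candidate of the wrong length
    # is impossible, not merely unlikely.
    if len(candidate) != len(intervals) + 1:
        return float("-inf")
    ll = 0.0
    for (a, b), dt in zip(zip(candidate, candidate[1:]), intervals):
        mu, sigma = LATENCY_MODEL[(hand(a), hand(b))]
        ll += -0.5 * ((dt - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2 * math.pi))
    return ll


def rank_candidates(candidates, intervals):
    """Candidates ordered from most to least consistent with the timing evidence.
    An attacker tries them in this order instead of uniformly at random."""
    return sorted(candidates, key=lambda c: log_likelihood(c, intervals), reverse=True)


# Constructed capture: arrival times (ms) of four client->server packets while the
# victim typed a four-character password. The true password is "jade" (R,L,L,L).
CAPTURED_PACKET_TIMES_MS = [0.0, 104.0, 250.0, 408.0]
OBSERVED_INTERVALS = intervals_from_timestamps(CAPTURED_PACKET_TIMES_MS)

# A small dictionary of candidates; "mango" has the wrong length.
CANDIDATES = ["moon", "fish", "salt", "jade", "kelp", "bead", "mango"]

if __name__ == "__main__":
    for c in rank_candidates(CANDIDATES, OBSERVED_INTERVALS):
        print(f"{c:6s} log-likelihood {log_likelihood(c, OBSERVED_INTERVALS):8.2f}")
```

The packet count alone reveals the password length, and the ranking means the attacker tries the likeliest candidates first, which is where the speed-up over brute force comes from; with the constructed capture "jade" ranks first and the five-character "mango" is excluded outright. The countermeasure is to decouple packet timing from key timing, for example by sending cover keystroke packets at a fixed cadence, which is what OpenSSH's ObscureKeystrokeTiming option (added in 9.5) does.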
Onion routing systems are used to gain anonymity. Traffic analysis can be used to attack anonymous communication systems like the Tor anonymity network. Steven J. Murdoch and George Danezis from the University of Cambridge presented research showing that traffic analysis allows adversaries to infer which nodes relay the anonymous streams. This reduces the anonymity provided by Tor. They have shown that otherwise unrelated streams can be linked back to the same initiator.
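A toy simulation of the congestion-correlation idea behind the Murdoch and Danezis result, added here as an example; it is not their code, and every number in it is constructed. The attacker controls the server the victim is talking to, modulates that stream with a known on/off pattern, measures latency through every relay with probe circuits of its own, and ranks relays by how strongly their latency tracks the pattern. The relay names, the victim's path, the latency model and the noise level are assumptions.

```python
import math
import random

# Constructed setting: ten relays, three of which carry the victim's circuit.
ALL_RELAYS = [f"relay{i}" for i in range(1, 11)]
VICTIM_PATH = ["relay3", "relay7", "relay9"]   # assumption; unknown to the attacker

# The attacker controls the destination server and modulates the victim's stream:
# at each tick it either sends a burst (1) or stays idle (0). The attacker knows
# the pattern because the attacker generated it.
_rng = random.Random(7)
PATTERN = [_rng.randint(0, 1) for _ in range(80)]


def simulate_probe_latencies(pattern, path, relays, rng, base_ms=50.0, load_ms=40.0, noise_ms=8.0):
    """Constructed simulation of what the attacker's probe circuits measure: the
    round-trip latency through each relay at each tick. Relays on the victim's
    path are slower whenever the victim stream is bursting; every relay also has
    random jitter. Real measurements are far noisier than this model."""
    series = {}
    for relay in relays:
        series[relay] = [
            base_ms + (load_ms if relay in path and burst else 0.0) + rng.gauss(0.0, noise_ms)
            for burst in pattern
        ]
    return series


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0


def rank_relays(pattern, latencies):
    """Relays ordered by how well their probe latency tracks the injected pattern;
    the top entries are the attacker's guess at the victim's path."""
    return sorted(latencies, key=lambda r: pearson(pattern, latencies[r]), reverse=True)


LATENCIES = simulate_probe_latencies(PATTERN, VICTIM_PATH, ALL_RELAYS, random.Random(11))

if __name__ == "__main__":
    for relay in rank_relays(PATTERN, LATENCIES):
        print(f"{relay:8s} r={pearson(PATTERN, LATENCIES[relay]):+.2f}")
```

Real measurements are much noisier than this model, need many more samples, and the correlation is diluted by the other traffic a relay carries, but the structure of the inference is the same: the attacker never decrypts anything and never observes the victim's own link, only the load that the victim's stream imposes on shared relays.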
Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able to (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective, such as padding messages to a uniform size and releasing them in delayed, reordered batches.
Countermeasures
It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant. "It is very hard to hide information about the size or timing of messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not for most civilian applications." The military-versus-civilian distinction matters most where the user is charged for the volume of information sent.
Even for Internet access, where there is no per-packet charge, ISPs make the statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.
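One block, added here as an example and not taken from the article, covering both the remailer linking attack described above and the masking countermeasure (the dummy-traffic technique listed under traffic-flow security and discussed in this section): a size-and-delay matcher that links senders to recipients across a constructed remailer, then the same matcher run after the output link is padded to a fixed size and released in fixed-size batches topped up with dummy messages. The message ids, sizes, times and masking parameters are assumptions.

```python
# Constructed observations at a remailer: (msg_id, time_s, size_bytes, endpoint).
# The inbound side records the sender, the outbound side the final recipient; the
# analyst sees both links but no content.
INBOUND = [("m1", 0.0, 1200, "alice"), ("m2", 5.0, 3400, "bob"),
           ("m3", 9.0, 700, "carol"), ("m4", 14.0, 1200, "dave")]
OUTBOUND_PLAIN = [("o1", 0.8, 1200, "x@example"), ("o2", 5.6, 3400, "y@example"),
                  ("o3", 9.4, 700, "z@example"), ("o4", 14.9, 1200, "w@example")]


def link_messages(inbound, outbound, max_delay_s):
    """For each inbound message, the outbound messages of identical size that left
    within max_delay_s of it: the analyst's automated matcher."""
    return {
        mid: [oid for oid, t_out, osize, _ in outbound
              if osize == size and 0.0 <= t_out - t_in <= max_delay_s]
        for mid, t_in, size, _ in inbound
    }


def resolved_links(inbound, outbound, max_delay_s):
    """(sender, recipient) pairs for which exactly one outbound message matched."""
    cands = link_messages(inbound, outbound, max_delay_s)
    recipient = {oid: rcpt for oid, _, _, rcpt in outbound}
    return [(sender, recipient[cands[mid][0]])
            for mid, _, _, sender in inbound if len(cands[mid]) == 1]


def bandwidth_bytes(messages):
    return sum(size for _, _, size, _ in messages)


def mask(messages, period_s=10.0, fixed_size=4096, batch_size=4):
    """Traffic-flow security for one link: every message is padded to fixed_size,
    held until the next release instant (a multiple of period_s), and each release
    batch is topped up with dummy messages so that exactly batch_size messages of
    identical size leave at every release. Real messages beyond batch_size wait for
    the next release, so the observable rate never changes. A live system keeps
    emitting all-dummy batches while idle; this loop stops once the queue drains."""
    queue = sorted(messages, key=lambda m: m[1])      # FIFO by arrival time
    masked, release = [], period_s
    while queue:
        batch = []
        while queue and queue[0][1] < release and len(batch) < batch_size:
            oid, _t, _size, endpoint = queue.pop(0)
            batch.append((oid, release, fixed_size, endpoint))
        for i in range(batch_size - len(batch)):
            batch.append((f"dummy-{int(release)}-{i}", release, fixed_size, "cover"))
        masked.extend(batch)
        release += period_s
    return masked


# With masking deployed end to end, the sender's own messages arrive already padded.
INBOUND_MASKED = [(mid, t, 4096, sender) for mid, t, _size, sender in INBOUND]
OUTBOUND_MASKED = mask(OUTBOUND_PLAIN)

if __name__ == "__main__":
    print("plain  :", resolved_links(INBOUND, OUTBOUND_PLAIN, 2.0))
    print("masked :", resolved_links(INBOUND_MASKED, OUTBOUND_MASKED, 10.0))
    print("bytes  :", bandwidth_bytes(OUTBOUND_PLAIN), "vs", bandwidth_bytes(OUTBOUND_MASKED))
```

On the plain traffic every sender is linked to exactly one recipient; on the masked traffic every inbound message has four equally plausible outbound matches, so nothing is resolved even when the analyst widens the delay window to the whole release period. The price is the one the quotation above describes: the masked link carries 32768 bytes to deliver 6500 bytes of real mail, and a live deployment would keep sending all-dummy batches while idle.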
See also
- SIGINT
- Electronic Order of Battle
- ELINT
- Social network analysis
- Telecommunications data retention
- Data warehouse
- Zendian Problem
- ECHELON
Further reading
- Interception Capabilities 2000 — a study by Duncan Campbell
- http://www.onr.navy.mil/02/baa/docs/07-026_07_026_industry_briefing.pdf
- Selected Papers in Anonymity — on Free Haven