Traffic analysis

Last updated

Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted. [1] In general, the greater the number of messages observed, the greater information be inferred. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is also a concern in computer security.

Contents

Traffic analysis tasks may be supported by dedicated computer software programs. Advanced traffic analysis techniques which may include various forms of social network analysis.

Traffic analysis has historically been a vital technique in cryptanalysis, especially when the attempted crack depends on successfully seeding a known-plaintext attack, which often requires an inspired guess based on how specific the operational context might likely influence what an adversary communicates, which may be sufficient to establish a short crib.

Breaking the anonymity of networks

Traffic analysis method can be used to break the anonymity of anonymous networks, e.g., TORs. [1] There are two methods of traffic-analysis attack, passive and active.

In military intelligence

In a military context, traffic analysis is a basic part of signals intelligence, and can be a source of information about the intentions and actions of the target. Representative patterns include:

There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving hints to pending objectives or movements to cryptanalysts.

Traffic flow security

Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:

Traffic-flow security is one aspect of communications security.

COMINT metadata analysis

The Communications' Metadata Intelligence, or COMINT metadata is a term in communications intelligence (COMINT) referring to the concept of producing intelligence by analyzing only the technical metadata, hence, is a great practical example for traffic analysis in intelligence. [2]

While traditionally information gathering in COMINT is derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, the metadata intelligence is not based on content but on technical communicational data.

Non-content COMINT is usually used to deduce information about the user of a certain transmitter, such as locations, contacts, activity volume, routine and its exceptions.

Examples

For example, if an emitter is known as the radio transmitter of a certain unit, and by using direction finding (DF) tools, the position of the emitter is locatable, the change of locations from one point to another can be deduced, without listening to any orders or reports. If one unit reports back to a command on a certain pattern, and another unit reports on the same pattern to the same command, the two units are probably related. That conclusion is based on the metadata of the two units' transmissions, not on the content of their transmissions.

Using all or as much of the metadata available is commonly used to build up an Electronic Order of Battle (EOB) by mapping different entities in the battlefield and their connections. Of course, the EOB could be built by tapping all the conversations and trying to understand, which unit is where, but using the metadata with an automatic analysis tool enables a much faster and accurate EOB build-up, which, alongside tapping, builds a much better and complete picture.

World War I

World War II

In computer security

Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol can use timing information to deduce information about passwords since, during interactive session, SSH transmits each keystroke as a message. [8] The time between keystroke messages can be studied using hidden Markov models. Song, et al. claim that it can recover the password fifty times faster than a brute force attack.

Onion routing systems are used to gain anonymity. Traffic analysis can be used to attack anonymous communication systems like the Tor anonymity network. Adam Back, Ulf Möeller and Anton Stiglic present traffic analysis attacks against anonymity providing systems . [9] Steven J. Murdoch and George Danezis from University of Cambridge presented [10] research showing that traffic-analysis allows adversaries to infer which nodes relay the anonymous streams. This reduces the anonymity provided by Tor. They have shown that otherwise unrelated streams can be linked back to the same initiator.

Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able to (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective.

Traffic analysis involves intercepting and scrutinizing cybersecurity threats to gather valuable insights about anonymous data flowing through the exit node. By using technique rooted in dark web crawling and specializing software, one can identify the specific characteristics of a client's network traffic within the dark web. [11]

Countermeasures

It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked [12] by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant . [13] "It is very hard to hide information about the size or timing of messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not for most civilian applications." The military-versus-civilian problems applies in situations where the user is charged for the volume of information sent.

Even for Internet access, where there is not a per-packet charge, ISPs make statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.

See also

Related Research Articles

<span class="mw-page-title-main">Encryption</span> Process of converting plaintext to ciphertext

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

<span class="mw-page-title-main">One-time pad</span> Encryption technique

In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is larger than or equal to the size of the message being sent. In this technique, a plaintext is paired with a random secret key. Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition.

<span class="mw-page-title-main">Signals intelligence</span> Intelligence-gathering by interception of signals

Signals intelligence (SIGINT) is the act and field of intelligence-gathering by interception of signals, whether communications between people or from electronic signals not directly used in communication. Signals intelligence is a subset of intelligence collection management. As classified and sensitive information is usually encrypted, signals intelligence may necessarily involve cryptanalysis. Traffic analysis—the study of who is signaling to whom and in what quantity—is also used to integrate information, and it may complement cryptanalysis.

Computer and network surveillance is the monitoring of computer activity and data stored locally on a computer or data being transferred over computer networks such as the Internet. This monitoring is often carried out covertly and may be completed by governments, corporations, criminal organizations, or individuals. It may or may not be legal and may or may not require authorization from a court or other independent government agencies. Computer and network surveillance programs are widespread today and almost all Internet traffic can be monitored.

In cryptography and computer security, a man-in-the-middle (MITM) attack, or in-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.

<span class="mw-page-title-main">Onion routing</span> Technique for anonymous communication over a computer network

Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to the layers of an onion. The encrypted data is transmitted through a series of network nodes called "onion routers," each of which "peels" away a single layer, revealing the data's next destination. When the final layer is decrypted, the message arrives at its destination. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. While onion routing provides a high level of security and anonymity, there are methods to break the anonymity of this technique, such as timing analysis.

A secret broadcast is, simply put, a broadcast that is not for the consumption of the general public. The invention of the wireless was initially greeted as a boon by armies and navies. Units could now be coordinated by nearly instant communications. An adversary could glean valuable and sometimes decisive intelligence from intercepted radio signals:

Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive-or operation (xor), can be very secure if used properly. However, they are vulnerable to attacks if certain precautions are not followed:

Secure communication is when two entities are communicating and do not want a third party to listen in. For this to be the case, the entities need to communicate in a way that is unsusceptible to eavesdropping or interception. Secure communication includes means by which people can share information with varying degrees of certainty that third parties cannot intercept what is said. Other than spoken face-to-face communication with no possible eavesdropper, it is probable that no communication is guaranteed to be secure in this sense, although practical obstacles such as legislation, resources, technical issues, and the sheer volume of communication serve to limit surveillance.

Station HYPO, also known as Fleet Radio Unit Pacific (FRUPAC), was the United States Navy signals monitoring and cryptographic intelligence unit in Hawaii during World War II. It was one of two major Allied signals intelligence units, called Fleet Radio Units in the Pacific theaters, along with FRUMEL in Melbourne, Australia. The station took its initial name from the phonetic code at the time for "H" for Heʻeia, Hawaii radio tower. The precise importance and role of HYPO in penetrating the Japanese naval codes has been the subject of considerable controversy, reflecting internal tensions amongst US Navy cryptographic stations.

<span class="mw-page-title-main">Mix network</span> Routing protocol

Mix networks are routing protocols that create hard-to-trace communications by using a chain of proxy servers known as mixes which take in messages from multiple senders, shuffle them, and send them back out in random order to the next destination. This breaks the link between the source of the request and the destination, making it harder for eavesdroppers to trace end-to-end communications. Furthermore, mixes only know the node that it immediately received the message from, and the immediate destination to send the shuffled messages to, making the network resistant to malicious mix nodes.

<span class="mw-page-title-main">Signals intelligence operational platforms by nation</span>

Signals intelligence operational platforms are employed by nations to collect signals intelligence, which is intelligence-gathering by interception of signals, whether between people or between machines, or mixtures of the two. As sensitive information is often encrypted, signals intelligence often involves the use of cryptanalysis. However, traffic analysis—the study of who is signalling whom and in what quantity—can often produce valuable information, even when the messages themselves cannot be decrypted.

Before the development of radar and other electronics techniques, signals intelligence (SIGINT) and communications intelligence (COMINT) were essentially synonymous. Sir Francis Walsingham ran a postal interception bureau with some cryptanalytic capability during the reign of Elizabeth I, but the technology was only slightly less advanced than men with shotguns, during World War I, who jammed pigeon post communications and intercepted the messages carried.

After the end of World War II, all the Western allies began a rapid drawdown of military forces, including those of signals intelligence. At the time, the US still had a COMINT organization split between the Army and Navy. A 1946 plan listed Russia, China, and a [redacted] country as high-priority targets.

Network intelligence (NI) is a technology that builds on the concepts and capabilities of deep packet inspection (DPI), packet capture and business intelligence (BI). It examines, in real time, IP data packets that cross communications networks by identifying the protocols used and extracting packet content and metadata for rapid analysis of data relationships and communications patterns. Also, sometimes referred to as Network Acceleration or piracy.

<span class="mw-page-title-main">Data Intercept Technology Unit</span> US FBI special unit

The Data Intercept Technology Unit is a unit of the Federal Bureau of Investigation (FBI) of the United States, which is responsible for intercepting telephone calls and e-mail messages of terrorists and foreign intelligence targets inside the US. It is not known when DITU was established, but the unit already existed in 1997.

Mass surveillance is the pervasive surveillance of an entire or a substantial fraction of a population. Mass surveillance in Russia includes surveillance, open-source intelligence and data mining, lawful interception as well as telecommunications data retention.

Network eavesdropping, also known as eavesdropping attack, sniffing attack, or snooping attack, is a method that retrieves user information through the internet. This attack happens on electronic devices like computers and smartphones. This network attack typically happens under the usage of unsecured networks, such as public wifi connections or shared electronic devices. Eavesdropping attacks through the network is considered one of the most urgent threats in industries that rely on collecting and storing data. Internet users use eavesdropping via the Internet to improve information security.

The United States Coast Guard Unit 387 became the official cryptanalytic unit of the Coast Guard collecting communications intelligence for Coast Guard, U.S. Department of Defense, and the Federal Bureau of Investigation (FBI) in 1931. Prior to becoming official, the Unit worked under the U.S. Treasury Department intercepting communications during the prohibition. The Unit was briefly absorbed into the U.S. Navy in 1941 during World War II (WWII) before returning to be a Coast Guard unit again following the war. The Unit contributed to significant success in deciphering rum runner codes during the prohibition and later Axis agent codes during WWII, leading to the breaking of several code systems including the Green and Red Enigma machines.

References

  1. 1 2 3 Soltani, Ramin; Goeckel, Dennis; Towsley, Don; Houmansadr, Amir (2017-11-27). "Towards provably invisible network flow fingerprints". 2017 51st Asilomar Conference on Signals, Systems, and Computers. IEEE. pp. 258–262. arXiv: 1711.10079 . doi:10.1109/ACSSC.2017.8335179. ISBN   978-1-5386-1823-3. S2CID   4943955.{{cite conference}}: CS1 maint: date and year (link)
  2. "Dictionary of Military and Associated Terms" (PDF). Department of Defense. 12 April 2001. Archived from the original (PDF) on 2009-11-08.
  3. 1 2 3 4 5 Kahn, David (1974). The Codebreakers: The Story of Secret Writing . Macmillan. ISBN   0-02-560460-0. Kahn-1974.
  4. Howland, Vernon W. (2007-10-01). "The Loss of HMS Glorious: An Analysis of the Action". Archived from the original on 2001-05-22. Retrieved 2007-11-26.
  5. Costello, John (1995). Days of Infamy: Macarthur, Roosevelt, Churchill-The Shocking Truth Revealed : How Their Secret Deals and Strategic Blunders Caused Disasters at Pear Harbor and the Philippines . Pocket. ISBN   0-671-76986-3.
  6. Layton, Edwin T.; Roger Pineau, John Costello (1985). "And I Was There": Pearl Harbor And Midway -- Breaking the Secrets . William Morrow & Co. ISBN   0-688-04883-8.
  7. Masterman, John C (1972) [1945]. The Double-Cross System in the War of 1939 to 1945. Australian National University Press. p. 233. ISBN   978-0-7081-0459-0.
  8. Song, Dawn Xiaodong; Wagner, David; Tian, Xuqing (2001). "Timing Analysis of Keystrokes and Timing Attacks on SSH". 10th USENIX Security Symposium.{{cite journal}}: Cite journal requires |journal= (help)
  9. Adam Back; Ulf Möeller and Anton Stiglic (2001). "Traffic Analysis Attacks and Trade-Offs in Anonymity Providing systems" (PDF). Springer Proceedings - 4th International Workshop Information Hiding. Archived (PDF) from the original on 2013-06-23. Retrieved 2013-10-05.
  10. Murdoch, Steven J.; George Danezis (2005). "Low-Cost Traffic Analysis of Tor" (PDF). Archived (PDF) from the original on 2013-11-26. Retrieved 2005-10-18.
  11. Gokhale, C.; Olugbara, O. O. (2020-08-17). "Dark Web Traffic Analysis of Cybersecurity Threats Through South African Internet Protocol Address Space". SN Computer Science. 1 (5): 273. doi: 10.1007/s42979-020-00292-y . ISSN   2661-8907. Archived from the original on 2024-04-10. Retrieved 2023-12-15.
  12. Xinwen Fu, Bryan Graham, Riccardo Bettati and Wei Zhao. "Active Traffic Analysis Attacks and Countermeasures" (PDF). Archived from the original (PDF) on 2006-09-13. Retrieved 2007-11-06.{{cite web}}: CS1 maint: multiple names: authors list (link)
  13. Niels Ferguson & Bruce Schneier (2003). Practical Cryptography. John Wiley & Sons.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.