Traffic analysis

Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security.

Traffic analysis tasks may be supported by dedicated computer software programs, including commercially available programs such as those offered by i2, Visual Analytics, Memex, Orion Scientific, Pacific Northwest National Labs, Genesis EW's GenCOM Suite and others. Advanced traffic analysis techniques may include various forms of social network analysis.

In military intelligence

In a military context, traffic analysis is a basic part of signals intelligence, and can be a source of information about the intentions and actions of the enemy. Representative patterns include:

* Frequent communications — can denote planning
* Rapid, short, communications — can denote negotiations
* A lack of communication — can indicate a lack of activity, or completion of a finalized plan
* Frequent communication to specific stations from a central station — can highlight the chain of command
* Who talks to whom — can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station
* Who talks when — can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
* Who changes from station to station, or medium to medium — can indicate movement, fear of interception

There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving hints to pending objectives or movements to cryptanalysts.

Traffic flow security

Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:

* changing radio callsigns frequently
* encryption of a message's sending and receiving addresses (codress messages)
* causing the circuit to appear busy at all times or much of the time by sending dummy traffic
* sending a continuous encrypted signal, whether or not traffic is being transmitted. This is also called masking

Traffic-flow security is one aspect of communications security.

COMINT metadata analysis

The Communications' Metadata Intelligence, or COMINT metadata is a term in COMINT referring to the concept of producing intelligence by analyzing only the technical metadata, hence, is a great practical example for traffic analysis in intelligence.

While traditionally information gathering in COMINT is derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, the metadata intelligence is not based on content but on technical communicational data.

Non content COMINT is usually used to figure information about the user of a certain transmitter, such as locations, contacts, activity volume, routine and its exceptions.

Examples

For example, if a certain emitter is known as the radio transmitter of a certain unit, and by using DF (direction finding) tools, the position of the emitter is locatable; hence the changes of locations can be monitored. That way we're able to understand that this certain unit is moving from one point to another, without listening to any orders or reports. If we know that this unit reports back to a command on a certain pattern, and we know that another unit reports on the same pattern to the same command, than the two units are probably related, and that conclusion is based on the metadata of the two units' transmissions, and not on the content of their transmissions.

Using all, or as many of the metadata available is commonly use in order to build up an Electronic Order of Battle (EOB) – mapping different entities in the battlefield and their connections. Of course the EOB could be built by tapping all the conversations and trying to understand which unit is where, but using the metadata with an automatic analysis tool enables a much faster and accurate EOB build-up that alongside tapping builds a much better and complete picture.

World War I

* British analysts in World War I noticed that the call sign of German Vice Admiral Reinhard Scheer, commanding the hostile fleet, had been transferred to a land-based station. Admiral Beattie, ignorant of Scheer's practice of changing callsigns upon leaving harbor, dismissed its importance and disregarded Room 40 analysts' attempts to make the point. The German fleet sortied, and the British were late in meeting them at the Battle of Jutland. If traffic analysis been taken more seriously, the British might have done better than a 'draw'.

World War II

* In early World War II, the aircraft carrier HMS "Glorious" was evacuating pilots and planes from Norway. Traffic analysis produced indications "Scharnhorst" and "Gneisenau" were moving into the North Sea, but the Admiralty dismissed the report as unproven. The captain of "Glorious" did not keep sufficient lookout, and was subsequently surprised and sunk. Harry Hinsley, the young Bletchley Park liaison to the Admiralty, later said his reports from the traffic analysts were taken much more seriously thereafter [cite web
url = http://www.warship.org/no11994.htm
title = The Loss of HMS Glorious: An Analysis of the Action
author = Howland, Vernon W.
date = 2007-10-01
accessdate = 2007-11-26 ] .
* During the planning and rehearsal for the attack on Pearl Harbor, very little traffic passed by radio, subject to interception. The ships, units, and commands involved were all in Japan and in touch by phone, courier, signal lamp, or even flag. None of that traffic was intercepted, and could not be analyzed [cite book
title = The Codebreakers: The Story of Secret Writing
author = Kahn, David
year = 1974
id = Kahn-1974
publisher = Macmillan
iSBN-10 = 0025604600 ] .
* The espionage effort against Pearl Harbor before December didn't send an unusual number of messages; Japanese vessels regularly called in Hawaii and messages were carried aboard by consular personnel. At least one such vessel carried some Japanese Navy Intelligence officers. Such messages cannot be analyzed. It has been suggested [cite book
author = Costello, John
title = Days of Infamy: Macarthur, Roosevelt, Churchill-The Shocking Truth Revealed : How Their Secret Deals and Strategic Blunders Caused Disasters at Pear Harbor and the Philippines
publisher = Pocket
year = 1995
ISBN-10= 0671769863] , however, the volume of diplomatic traffic to and from certain consular stations might have indicated places of interest to Japan, which might thus have suggested locations to concentrate traffic analysis and decryption efforts.Fact|date=November 2007
* Admiral Nagumo's Pearl Harbor Attack Force sailed under radio silence, with its radios physically locked down. It is unclear if this deceived the U.S.; Pacific Fleet intelligence was unable to locate the Japanese carriers in the days immediately preceding the attack on Pearl HarborHarv | Kahn.
* The Japanese Navy played radio games to inhibit traffic analysis (see Examples, below) with the attack force after it sailed in late November. Radio operators normally assigned to carriers, with a characteristic Morse Code "fist", transmitted from inland Japanese waters, suggesting the carriers were still near JapanHarv | Kahn [cite book
title = "And I Was There": Pearl Harbor And Midway -- Breaking the Secrets.
author = Layton, Edwin T.
coauthors = Roger Pineau, John Costello
publisher = William Morrow & Co
year = 1985
ISBN-10 =0688048838]

In computer security

Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol used timing information to deduce information about passwords (Song et al, 2001). How? During interactive sessions, SSH transmits each key stroke as a message. The time between keystroke messages can be studied using hidden Markov models. The authors claim that it can recover the password fifty times faster than a brute force attack.

Onion routing systems are used to gain anonymity. Traffic analysis can be used to attack anonymous communication systems like the Tor anonymity network. Steven J. Murdoch and George Danezis from University of Cambridge presented [cite web
author = Murdoch, Steven J.
coauthor = George Danezis
url = http://www.cl.cam.ac.uk/users/sjm217/papers/oakland05torta.pdf
title = Low-Cost Traffic Analysis of Tor
work = 2005 IEEE Symposium on Security and Privacy
year = 2005] research showing that traffic-analysis allows adversaries to infer which nodes relay the anonymous streams. This reduces the anonymity provided by Tor. They have shown that otherwise unrelated streams can be linked back to the same initiator.

Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective.

Countermeasures

It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, we can mask [cite web
url = http://students.cs.tamu.edu/xinwenfu/paper/ICCNMC03_Fu.pdf
title = Active Traffic Analysis Attacks and Countermeasures
coauthors = Xinwen Fu, Bryan Graham, Riccardo Bettati and Wei Zhao
accessdate = 2007-11-06] the channel by sending dummy traffic, similar to the encrypted traffic, thereby keeping the channel 100% busy [ cite book
author = Niels Ferguson and Bruce Schneier
title = Practical Cryptography
publisher = John Wiley & Sons
year = 2003 ] . "It is very hard to hide information about the size or timing of messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not for most civilian applications." The military-versus-civilian problems applies in situations where the user is charged for the volume of information sent.

Even for Internet access, where there is not a per-packet charge, ISPs make statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.

See also

* SIGINT
* Electronic Order of Battle
* ELINT
* Network analysis
* Telecommunications data retention
* Data warehouse
* Zendian Problem
* ECHELON

References

* Ferguson, Niels, Schneier, Bruce. "Practical Cryptography", 2003. p114. ISBN 0-471-22357-3.
* Dawn Xiaodong Song, David Wagner and Xuqing Tian, Timing Analysis of Keystrokes and Timing Attacks on SSH, 10th USENIX Security Symposium, 2001.
* X. Y. Wang, S. Chen and S. Jajodia [http://ise.gmu.edu/~xwangc/Publications/CCS05-VoIPTracking.pdf “Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet”] . In Proceedings of the 12th ACM Conference on Computer Communications Security (CCS 2005), November 2005.
* [http://www.fmv.se/upload/Bilder%20och%20dokument/Vad%20gor%20FMV/Uppdrag/LedsystT/FMLS/FMLS_Generic%20Design/LT1K%20P06-0035%20SD%20Provide%20Streaming%20Data%202.0%20-%20c.pdf FMV Sweden]
* [http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/6676/18015/00832361.pdf Multi-source data fusion in NATO coalition operations]
* [http://seeker.dice.com/jobsearch/servlet/JobSearch?op=101&dockey=xml/4/5/4562220fc28ae47508f252d9212a80b6@endecaindex&c=1&source=20 request for COMINT metadata analysts]

Further reading

* [http://www.totse.com/en/privacy/161755.html Interception Capabilities 2000 - study by Duncan Campbell ]
*http://www.onr.navy.mil/02/baa/docs/07-026_07_026_industry_briefing.pdf
* [http://www.totse.com/en/hack/understanding_the_internet/162925.html Intelligence Community Markup Language]
* [http://freehaven.net/anonbib/ Anonymity bibliography at freehaven]