Traffic analysis
From Wikipedia, the free encyclopedia
Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security.
Traffic analysis tasks may be supported by dedicated computer software programs, including commercially available programs such as those offered by i2, Visual Analytics, Memex, Orion Scientific, Pacific Northwest National Labs, and others. Advanced traffic analysis techniques may include various forms of social network analysis.
In military intelligence
In a military context, traffic analysis is usually performed by a signals intelligence agency, and can be a source of information about the intentions and actions of the enemy. Example patterns include:
- Frequent communications — can denote planning
- Rapid, short communications — can denote negotiations
- A lack of communication — can indicate a lack of activity, or completion of a finalized plan
- Frequent communication to specific stations from a central station — can highlight the chain of command
- Who talks to whom — can indicate which stations are 'in charge' and which aren't, which further implies something about the personnel associated with each station
- Who talks when — can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
- Who changes from station to station, or medium to medium — can indicate movement or fear of interception
There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving cryptanalysts hints about pending objectives or movements.
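The patterns listed above can be computed from message externals alone, with no access to the content. The following is an added illustration, not part of the original article: it runs the "who talks to whom", "frequent communications" and "lack of communication" observations over a small constructed log of intercepts whose station names and timestamps are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample of intercepted traffic: (timestamp in minutes, sender, receiver).
# Station names are hypothetical. Payloads are assumed encrypted and unreadable,
# so only the externals (who, to whom, when) are modelled.
INTERCEPTS = [
    (0, "HQ", "A"), (2, "HQ", "B"), (3, "HQ", "C"), (5, "A", "HQ"),
    (7, "HQ", "A"), (8, "B", "HQ"), (9, "HQ", "B"), (10, "C", "HQ"),
    (40, "A", "D"), (42, "D", "A"),
    (90, "HQ", "A"), (91, "HQ", "B"), (92, "HQ", "C"),
]


def contact_graph(intercepts):
    """Who talks to whom: message count per unordered pair of stations."""
    counts = Counter()
    for _, src, dst in intercepts:
        counts[frozenset((src, dst))] += 1
    return counts


def fan_out(intercepts):
    """Number of distinct stations each sender addresses.

    A station that originates traffic to many others, which answer only
    to it, is the pattern the article describes as revealing a central
    station or chain of command.
    """
    partners = defaultdict(set)
    for _, src, dst in intercepts:
        partners[src].add(dst)
    return {station: len(p) for station, p in partners.items()}


def likely_hub(intercepts):
    """Station with the largest fan-out (ties broken alphabetically)."""
    fo = fan_out(intercepts)
    return min(fo, key=lambda s: (-fo[s], s))


def busy_windows(intercepts, window, min_messages):
    """Frequent communications: message counts per fixed-length time window,
    keeping only windows at or above the threshold. Returns [(window_start, count)]."""
    per_window = Counter((t // window) * window for t, _, _ in intercepts)
    return sorted((start, n) for start, n in per_window.items() if n >= min_messages)


def silences(intercepts, min_gap):
    """Lack of communication: gaps of at least min_gap minutes with no traffic.
    Returns [(last_message_before_gap, first_message_after_gap)]."""
    times = sorted(t for t, _, _ in intercepts)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]


if __name__ == "__main__":
    print("hub:", likely_hub(INTERCEPTS))
    print("fan-out:", fan_out(INTERCEPTS))
    print("busy windows:", busy_windows(INTERCEPTS, window=10, min_messages=3))
    print("silences:", silences(INTERCEPTS, min_gap=20))
```

On the constructed log the station "HQ" addresses three others while each answers only to it, the first ten minutes and the interval starting at minute 90 stand out as bursts, and two long silences separate them. None of this required reading a single message, which is the point of the section: encrypting content does not hide the externals.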
In computer security
Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring, for example, the frequency and timing of network packets. A timing attack on the SSH protocol, for instance, used timing information to deduce information about passwords (Song et al., 2001). For interactive sessions, SSH transmits a message after each keystroke. The timings between messages can be studied using hidden Markov models, and the authors estimate that this can be used to recover the password fifty times faster than a brute-force attack.
Onion routing systems are often used to improve anonymity, but traffic analysis can also be used to attack anonymous communication systems such as the Tor anonymity network. Steven J. Murdoch and George Danezis of the University of Cambridge demonstrated this in the paper "Low-Cost Traffic Analysis of Tor", presented at the 2005 IEEE Symposium on Security and Privacy (Oakland, California, USA, May 8–11, 2005). They presented traffic-analysis techniques that allow adversaries with only a partial view of the network to infer which nodes are being used to relay the anonymous streams, and therefore greatly reduce the anonymity provided by Tor. They also showed that otherwise unrelated streams can be linked back to the same initiator.
Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and a message of identical length (now anonymized) is observed leaving that server shortly thereafter, a traffic analyst may be able to pierce the anonymity of the sender, even automatically, by connecting the sender with the ultimate receiver. Several variations in remailer operation have been developed which make such analysis much less informative.
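The size-and-timing linking described above, and the remailer variations that blunt it, can be shown in a small simulation. This is an added example and not code from the article or from any remailer project; the senders, sizes and arrival times are constructed, and the two remailer models (immediate forwarding versus padding to a fixed block and releasing a whole batch in shuffled order) are simplified stand-ins for the real designs.

```python
import random
from collections import defaultdict

# Constructed observation of a remailer's input link: (arrival_s, sender, size_bytes).
# Senders are hypothetical; message contents are assumed encrypted.
INBOUND = [
    (0.0, "alice", 1200),
    (1.0, "carol", 880),
    (1.5, "bob", 3100),
    (2.4, "dave", 1200),
]


def naive_remailer(inbound, delay=0.2):
    """Strips the sender and forwards each message almost immediately, unchanged
    in size. Output: (departure_s, recipient_label, size_bytes). The label only
    lets us check results; the observer does not see it."""
    return [(t + delay, f"recipient-of-{sender}", size) for t, sender, size in inbound]


def mix_remailer(inbound, block=4096, batch=5.0, seed=1):
    """Pads every message to a fixed block size, holds messages until the end of
    a fixed batch interval and releases the whole batch in shuffled order.
    These are the kinds of operational variations the article refers to."""
    rng = random.Random(seed)
    batches = defaultdict(list)
    for t, sender, _size in inbound:
        batches[int(t // batch)].append(sender)
    out = []
    for b, senders in sorted(batches.items()):
        rng.shuffle(senders)
        release = (b + 1) * batch
        out.extend((release, f"recipient-of-{s}", block) for s in senders)
    return out


def link_candidates(inbound, outbound, window):
    """Observer's view, following the article: for each outgoing message, which
    inbound messages could it be? A candidate must have arrived at most `window`
    seconds earlier and be no larger than the outgoing message (padding can only
    grow a message). A single candidate pierces the sender's anonymity."""
    result = {}
    for t_out, recipient, size_out in outbound:
        result[recipient] = {
            sender for t_in, sender, size_in in inbound
            if size_in <= size_out and 0 <= t_out - t_in <= window
        }
    return result


def pierced(inbound, outbound, window):
    """Outgoing messages whose sender is uniquely determined."""
    cands = link_candidates(inbound, outbound, window)
    return {r: next(iter(c)) for r, c in cands.items() if len(c) == 1}


if __name__ == "__main__":
    print("naive:", pierced(INBOUND, naive_remailer(INBOUND), window=0.5))
    print("mix:  ", pierced(INBOUND, mix_remailer(INBOUND), window=5.0))
    # A batch holding a single message is still linkable: a mix needs enough
    # concurrent traffic (or dummy messages) for the shuffle to hide anything.
    alone = INBOUND[:1]
    print("lone: ", pierced(alone, mix_remailer(alone), window=5.0))
```

Against the naive remailer every outgoing message has exactly one plausible origin, so all four senders are exposed. Against the padded, batched remailer every outgoing message has four plausible origins and none is exposed. The third case is the caveat a practitioner should keep in mind: batching only helps when there is something to batch, so a message that crosses the mix alone is linked as easily as before.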
Countermeasures
It is difficult to completely eliminate traffic analysis: "It is extremely hard to hide information such as the size or the timing of the messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use... This might be acceptable for military applications, but it is not acceptable for most civilian applications." (Ferguson and Schneier, 2003).
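The constant-rate solution Ferguson and Schneier describe, and the bandwidth cost that makes it unattractive for civilian use, can be made concrete with a short simulation. This is an added example, not code from the article: the message schedules, cell size and tick interval are constructed values. The same shaping also addresses the per-keystroke SSH messages mentioned earlier in the article, since an observer of a constant-rate stream sees nothing of the inter-keystroke intervals.

```python
# Constructed message schedules: (time_s, payload_bytes) that a sender wants to transmit.
SCHEDULE_A = [(0.3, 500), (0.9, 120), (4.1, 2000)]
SCHEDULE_B = [(2.0, 60)]

CELL = 512        # every cell on the wire has this size
TICK = 0.5        # one cell every TICK seconds, whether or not there is data
DURATION = 6.0    # length of the observed session


def unshaped(schedule):
    """What an eavesdropper sees without cover traffic: the real sizes and times."""
    return sorted(schedule)


def shape(schedule, cell=CELL, tick=TICK, duration=DURATION):
    """Constant-rate cover traffic: emit one fixed-size cell per tick, filled with
    queued payload when there is any and with dummy bytes otherwise.

    Returns (observed, useful_bytes, backlog_bytes):
      observed      -- the (time, size) sequence visible on the wire
      useful_bytes  -- real payload delivered within `duration`
      backlog_bytes -- payload still queued at the end, i.e. the latency cost of
                       choosing a rate below the sender's peak demand
    """
    pending = sorted(schedule)
    queue = 0
    useful = 0
    observed = []
    for i in range(int(duration / tick)):
        t = i * tick
        while pending and pending[0][0] <= t:
            queue += pending.pop(0)[1]
        carried = min(queue, cell)       # real bytes in this cell; the rest is padding
        queue -= carried
        useful += carried
        observed.append((t, cell))       # size and timing are constant by construction
    return observed, useful, queue


def wire_bytes(observed):
    """Total bytes an observer sees on the link."""
    return sum(size for _, size in observed)


if __name__ == "__main__":
    obs_a, useful_a, backlog_a = shape(SCHEDULE_A)
    obs_b, useful_b, backlog_b = shape(SCHEDULE_B)
    print("indistinguishable on the wire:", obs_a == obs_b)
    print("bytes sent:", wire_bytes(obs_a), "useful A:", useful_a, "useful B:", useful_b)
    print("backlog A:", backlog_a)
```

The two schedules differ in every respect that traffic analysis exploits (number of messages, their sizes, their timing), yet the shaped streams are identical. The price is visible in the same numbers: the link carries 6144 bytes to deliver 2156 useful bytes in one case and 60 in the other, and a burst larger than the fixed rate can absorb is delayed rather than hidden, which is why the rate must be set to the maximum the sender will ever need.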
The usefulness of traffic analysis can be reduced if traffic is faked or if traffic cannot be intercepted. Both occurred in the period before the attack on Pearl Harbor (December 7, 1941):
- During the planning and rehearsal for the attack, very little interceptable traffic was generated. The ships, units, and commands involved were all in Japan and in touch by phone, courier, signal lamp, or even flag. None of that traffic was interceptable, and so it could not be analyzed.
- The espionage effort against Pearl Harbor before December didn't send an unusual number of messages; Japanese vessels regularly called in Hawaii and messages could be (and were) carried aboard by consular personnel. At least one such vessel carried some Japanese Navy Intelligence officers. Such messages cannot be analyzed. The consulate had every opportunity to hide intelligence reports to Tokyo in routine traffic from a busy consulate (see steganography). If undetected, this traffic cannot be analyzed either. A famous example, probably concealing something other than the surface content, was the intercepted phone conversation about flowers shortly before the 7th. (This is called "doubletalk code".) Some messages from Ensign Yoshikawa on Oahu were sent under routine diplomatic addresses, and so were not identified as intelligence traffic. It has been suggested,[1] however, that the volume of diplomatic traffic to and from certain consular stations might have indicated places of interest to Japan, which might thus have suggested locations on which to concentrate traffic analysis and decryption efforts.
- The Japanese Navy played radio games to inhibit traffic analysis (see Examples, below) with the attack force after it sailed in late November.
Examples
- British analysts in World War I noticed that the call sign of German Vice Admiral Reinhard Scheer, commanding the hostile fleet, had been transferred to a land-based station. Admiral Beatty, ignorant of Scheer's practice of changing callsigns upon leaving harbor, dismissed its importance and disregarded Room 40 analysts' attempts to make the point. The German fleet sortied, and the British were late in meeting them at the Battle of Jutland. Had traffic analysis been taken more seriously, the British might have done better than a 'draw'.
- In early World War II, the aircraft carrier HMS Glorious was evacuating pilots and planes from Norway. Traffic analysis produced indications Scharnhorst and Gneisenau were moving into the North Sea, but the Admiralty dismissed the report as unproven. The captain of Glorious did not keep sufficient lookout, and was subsequently surprised and sunk. Harry Hinsley, the young Bletchley Park liaison to the Admiralty, later said his reports from the traffic analysts were taken much more seriously thereafter.
- Admiral Nagumo's Pearl Harbor Attack Force sailed under radio silence, with its radios physically locked down, and left its radio operators in Japan to simulate ordinary traffic for the benefit of listeners, as, in those days, an operator's 'fist' was individually recognizable. It is unclear if this deceived the U.S.; Pacific Fleet intelligence was unable to locate the Japanese carriers in the days immediately preceding the attack on Pearl Harbor.
- Traffic analysis and planespotting techniques were used to infer the existence of secret CIA flights [1], prisons [2] and the transfer of prisoners to and from these prisons, the so-called Torture Taxis.
See also
- SIGINT
- ELINT
- Traffic-flow security
- Network analysis
- Telecommunications data retention
- Data warehouse
- Zendian Problem
External links
References
- Ferguson, Niels; Schneier, Bruce. Practical Cryptography. 2003. p. 114. ISBN 0-471-22357-3.
- Song, Dawn Xiaodong; Wagner, David; Tian, Xuqing. "Timing Analysis of Keystrokes and Timing Attacks on SSH". 10th USENIX Security Symposium, 2001.
- Wang, X. Y.; Chen, S.; Jajodia, S. "Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet". Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005), November 2005.
- Costello, John. Days of Infamy. Pocket Books (hardback), 1994.