A traffic analysis attack is a remote network attack whose goal is to eavesdrop on communication channels and analyse the transmitted data together with its associated service information (metadata), in order to learn the architecture of a system and to obtain confidential information about its users. [1]
Introduction
Computer security mechanisms focus on protecting the contents of messages, ensuring their confidentiality , integrity and availability . However, the metadata that accompanies the transmitted data includes the time and length of each message, details of the communicating flows, and the identities and locations of the parties. By analysing this information, and with knowledge of how computer networks are built, an attacker can extract confidential information from intercepted messages without ever reading their contents. [2]
Consider an example of the attack in a packet-switched network (see Figure 1). Alice connects to the Internet through an Internet service provider (ISP) over a DSL line and protects her confidential data (passwords, credit card numbers) with a secure protocol such as TLS . Bob wants to track Alice's activity. He has his own Internet access (possibly through a different ISP) but no access to Alice's computer or to her ISP. He does, however, share one resource with Alice: the packet queue inside her DSL router. Bob sends probe packets (pings) to Alice's router at a high rate but with low bandwidth and measures their round-trip times. DSL carries data in the two directions over separate channels, one for traffic leaving Alice's network and one for traffic arriving at it; Bob's probes and Alice's incoming traffic share the same downstream queue, so the delay Bob observes changes with the amount of traffic addressed to Alice. Although the pings pass through several intermediate routers, their delay depends above all on Alice's traffic, for two reasons. First, intermediate routers have far more capacity than the traffic passing through them. Second, intermediate routers aggregate many independent flows, so the queueing delay they add is nearly constant over time. The variation in the delay of Bob's probes is therefore strongly correlated with Alice's traffic pattern, and from it Bob can infer what she is doing. The advantage of this attack is that it requires neither special access nor privileges on the part of the attacker, and no significant computing power. What it reveals is only the timing and volume of Alice's traffic, not the contents of her packets. [3]
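The shared-queue side channel described above, simulated as an added example (this is not code from the paper cited as [3]): Alice's downloads and Bob's probes are served by one FIFO queue in front of her downstream DSL link, and Bob decides from each probe's delay whether Alice is receiving data. The link rate, packet sizes, probe interval and the detection threshold are assumptions chosen for illustration; the constant delay contributed by the intermediate routers is dropped because, as the text explains, it carries no information.

```python
"""Simulation of the shared-queue timing side channel (added example).

Assumptions (constructed, not from the cited paper): one FIFO queue in front of
Alice's downstream DSL link, Alice's downloads as 1500-byte packets, Bob's probes
as 64-byte packets sent once per millisecond.  All times are in milliseconds.
"""
from dataclasses import dataclass

LINK_RATE = 1000.0    # bytes per ms on the downstream link (8 Mbit/s; constructed)
PROBE_SIZE = 64       # bytes per probe
PROBE_INTERVAL = 1.0  # ms between Bob's probes


@dataclass
class Packet:
    t: float     # arrival time at the router queue
    size: int    # bytes
    owner: str   # "alice" or "bob"


def alice_traffic(active_windows, pkt_size=1500, gap=2.0):
    """Alice's incoming traffic: one full-size packet every `gap` ms in each (start, end) window."""
    pkts = []
    for start, end in active_windows:
        t = start
        while t < end:
            pkts.append(Packet(t, pkt_size, "alice"))
            t += gap
    return pkts


def bob_probes(t_end):
    """Bob's low-bandwidth probes, one every PROBE_INTERVAL ms starting at time 0."""
    return [Packet(i * PROBE_INTERVAL, PROBE_SIZE, "bob")
            for i in range(int(t_end / PROBE_INTERVAL))]


def fifo_delays(packets, rate=LINK_RATE):
    """Serve packets through a single FIFO link; return (arrival, owner, delay) per packet.

    `delay` is queueing plus transmission time on the shared link, i.e. the part
    of Bob's round-trip time that depends on Alice's traffic.
    """
    link_free = 0.0
    out = []
    # Deterministic order: on equal arrival times Alice's packet is queued first.
    for p in sorted(packets, key=lambda p: (p.t, p.owner != "alice")):
        start = max(p.t, link_free)
        link_free = start + p.size / rate
        out.append((p.t, p.owner, link_free - p.t))
    return out


def correlation(xs, ys):
    """Pearson correlation, written out to avoid a dependency."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def simulate(active_windows, t_end=40.0, factor=3.0):
    """Run Bob's attack.  Returns the probe delays, the probe times Bob flags as
    'Alice active' (delay more than `factor` times the idle-link delay), and the
    correlation between his measured delays and Alice's true activity."""
    packets = alice_traffic(active_windows) + bob_probes(t_end)
    probes = [(t, d) for t, owner, d in fifo_delays(packets) if owner == "bob"]
    baseline = PROBE_SIZE / LINK_RATE  # delay of a probe through an idle link
    flagged = [t for t, d in probes if d > factor * baseline]
    truth = [1.0 if any(s <= t < e for s, e in active_windows) else 0.0 for t, _ in probes]
    rho = correlation(truth, [d for _, d in probes])
    return probes, flagged, rho


if __name__ == "__main__":
    # Alice downloads between t=10 ms and t=20 ms; Bob only sees his own probe delays.
    probes, flagged, rho = simulate([(10.0, 20.0)])
    for t, d in probes:
        mark = "<-- Alice active" if t in flagged else ""
        print(f"t={t:5.1f} ms  probe delay={d:.3f} ms  {mark}")
    print(f"correlation(probe delay, Alice active) = {rho:.2f}")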
Even so, timing and volume alone yield meaningful information. From the intercepted data Bob can perform traffic analysis and recover secrets from the number and size of packets and from their timing. Traffic analysis of this kind can reveal the list of websites a user visits, recover passwords, and reconstruct VoIP conversations. An attacker can also inject his own traffic into a router that Alice's data passes through and use the router's shared queue as a side channel that leaks information about her traffic to him for further analysis. The target of such an attack could be, for example, the internal network of an enterprise or of a military base at the point where it connects to the Internet. [3]
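How the "list of visited websites" can be recovered from encrypted traffic, as an added example that is not part of the original article: Bob never sees plaintext, only the size, direction and count of packets in each page load, but the distribution of those sizes differs from site to site. The traces below are constructed for illustration, not real captures; the bucket width, the feature set and the nearest-fingerprint rule are assumptions chosen to keep the example short. Positive sizes are packets flowing to the client, negative sizes packets flowing from it.

```python
"""Website fingerprinting from packet sizes and directions (added example).

The traces are constructed, not real captures: each is the sequence of packet
sizes of one page load, positive = downstream (to the client), negative =
upstream (from the client).  Payloads are encrypted; only sizes, directions and
counts are used.
"""
from collections import Counter

BUCKET = 200  # histogram bucket width in bytes (assumption)


def size_profile(trace, bucket=BUCKET):
    """Feature vector for one trace: normalised histogram of signed packet
    sizes plus the fraction of bytes flowing downstream."""
    counts = Counter((s // bucket) * bucket for s in trace)
    n = len(trace)
    profile = {k: v / n for k, v in counts.items()}
    down = sum(s for s in trace if s > 0)
    total = sum(abs(s) for s in trace)
    profile["down_ratio"] = down / total if total else 0.0
    return profile


def l1_distance(a, b):
    """L1 distance between two sparse feature vectors."""
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))


def train(training_traces):
    """Fingerprint per site = mean profile over that site's training traces."""
    fingerprints = {}
    for site, traces in training_traces.items():
        profiles = [size_profile(t) for t in traces]
        keys = set().union(*profiles)
        fingerprints[site] = {k: sum(p.get(k, 0.0) for p in profiles) / len(profiles)
                              for k in keys}
    return fingerprints


def classify(trace, fingerprints):
    """Nearest-fingerprint decision; returns (site, distance)."""
    profile = size_profile(trace)
    return min(((site, l1_distance(profile, fp)) for site, fp in fingerprints.items()),
               key=lambda x: x[1])


# Constructed training data: two page loads per site.
TRAINING = {
    "news":    [[-320, 1460, 1460, 1460, 1460, 1460, 1460, 1460, -60, 1460, 1460],
                [-310, 1460, 1460, 1460, 1460, 1460, 1460, -60, 1460, 1460, 1460]],
    "search":  [[-480, 620, -60, -510, 640, -60, -495, 610, -60],
                [-470, 630, -60, -500, 650, -60]],
    "webchat": [[-120, 140, -110, 150, -115, 145, -120, 140, -110, 150],
                [-125, 135, -110, 150, -120, 140, -115, 145]],
}
FINGERPRINTS = train(TRAINING)

if __name__ == "__main__":
    # Constructed "unknown" capture: one encrypted page load that Bob intercepted.
    unknown = [-300, 1460, 1460, 1460, 1460, 1460, -60, 1460, 1460, 1460, 1460]
    site, dist = classify(unknown, FINGERPRINTS)
    print(f"best match: {site} (L1 distance {dist:.3f})")
```

Real fingerprinting attacks use richer features (ordering, bursts, timing) and proper classifiers, but the principle is the one shown: encryption hides the bytes, not the shape of the conversation.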
Motives for a traffic analysis attack include:
1) Cyberstalking : an attacker can monitor the online behaviour of a particular user, for various reasons: for example, to determine whether the user is at home, the composition of the household, or the level of income. There are also methods of analysing encrypted traffic that recover the content of the transmitted data: statistical models can reconstruct typed characters from keystroke timing, or identify the language of an encrypted VoIP call and test for the presence of particular phrases in the conversation. [3]
2) Unmasking relationships : remote traffic analysis can also reveal whether two users are communicating, and hence what social or professional relationships exist between them. The data can be obtained by analysing a direct network connection between the users (TCP or VoIP) or their indirect communication through an instant messaging service. [3]
The history of the method
Traffic analysis is one of the key methods of signals intelligence and electronic warfare . In his book "Intelligence Power in Peace and War", Michael Herman, formerly chairman of the United Kingdom Joint Intelligence Committee, describes the value of extracting information from the secondary characteristics of radio messages. In wartime such methods reveal the location of targets and thus the course of a battle, and the information is obtained without decrypting anything. Traffic analysis was used by the military before the invention of wireless communication, but it took on a key role once wireless communication came into wide use, especially in naval and air operations. One example is the British interception of German Air Force radio traffic in 1941, which made it possible to estimate the number of enemy aircraft. [2]
During World War II, radio operators could recognise one another by the characteristic rhythm with which they keyed Morse code. Compared with cryptanalysis , traffic analysis saves considerable time and effort, and the information extracted from intercepted enemy traffic can be highly reliable. [2]
Notes
- [1] Information security of computer systems and networks, 2011.
- [2] George Danezis.
- [3] S. Kadloor, X. Gong, N. Kiyavash, T. Tezcan, N. Borisov. Low-Cost Side Channel Remote Traffic Analysis Attack in Packet Networks // 2010 IEEE International Conference on Communications. May 2010. P. 1–5. DOI: 10.1109/ICC.2010.5501972.
Sources
- V. F. Shangin. Information security of computer systems and networks. Moscow: INFRA-M, FORUM, 2011. P. 40. ISBN 978-5-8199-0331-5 (FORUM), 978-5-16-003132-3 (INFRA-M).
- George Danezis. Introducing Traffic Analysis: Attacks, Defences and Public Policy Issues. Leuven-Heverlee, Belgium. P. 1–12.