Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted.[1] In general, the greater the number of messages observed, the greater information be inferred. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is also a concern in computer security.

Traffic analysis tasks may be supported by dedicated computer software programs. Advanced traffic analysis techniques which may include various forms of social network analysis.

Traffic analysis has historically been a vital technique in cryptanalysis, especially when the attempted crack depends on successfully seeding a known-plaintext attack, which often requires an inspired guess based on how specific the operational context might likely influence what an adversary communicates, which may be sufficient to establish a short crib.

Breaking the anonymity of networks

Traffic analysis method can be used to break the anonymity of anonymous networks, e.g., TORs.[1] There are two methods of traffic-analysis attack, passive and active.

In military intelligence

In a military context, traffic analysis is a basic part of signals intelligence, and can be a source of information about the intentions and actions of the target. Representative patterns include:

There is a close relationship between traffic analysis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving hints to pending objectives or movements to cryptanalysts.

Traffic flow security

Traffic-flow security is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:

Traffic-flow security is one aspect of communications security.

COMINT metadata analysis

This section has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages) This section's tone or style may not reflect the encyclopedic tone used on Wikipedia. See Wikipedia's guide to writing better articles for suggestions. (November 2011) (Learn how and when to remove this template message) This section does not cite any sources. Please help improve this section by adding citations to reliable sources. Unsourced material may be challenged and removed. (November 2011) (Learn how and when to remove this template message) (Learn how and when to remove this template message)

The Communications' Metadata Intelligence, or COMINT metadata is a term in communications intelligence (COMINT) referring to the concept of producing intelligence by analyzing only the technical metadata, hence, is a great practical example for traffic analysis in intelligence.[2]

While traditionally information gathering in COMINT is derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, the metadata intelligence is not based on content but on technical communicational data.

Non-content COMINT is usually used to deduce information about the user of a certain transmitter, such as locations, contacts, activity volume, routine and its exceptions.


For example, if an emitter is known as the radio transmitter of a certain unit, and by using direction finding (DF) tools, the position of the emitter is locatable, the change of locations from one point to another can be deduced, without listening to any orders or reports. If one unit reports back to a command on a certain pattern, and another unit reports on the same pattern to the same command, the two units are probably related. That conclusion is based on the metadata of the two units' transmissions, not on the content of their transmissions.

Using all or as much of the metadata available is commonly used to build up an Electronic Order of Battle (EOB) by mapping different entities in the battlefield and their connections. Of course, the EOB could be built by tapping all the conversations and trying to understand, which unit is where, but using the metadata with an automatic analysis tool enables a much faster and accurate EOB build-up, which, alongside tapping, builds a much better and complete picture.

World War I

World War II

In computer security

Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol can use timing information to deduce information about passwords since, during interactive session, SSH transmits each keystroke as a message.[8] The time between keystroke messages can be studied using hidden Markov models. Song, et al. claim that it can recover the password fifty times faster than a brute force attack.

Onion routing systems are used to gain anonymity. Traffic analysis can be used to attack anonymous communication systems like the Tor anonymity network. Adam Back, Ulf Möeller and Anton Stiglic present traffic analysis attacks against anonymity providing systems .[9] Steven J. Murdoch and George Danezis from University of Cambridge presented [10] research showing that traffic-analysis allows adversaries to infer which nodes relay the anonymous streams. This reduces the anonymity provided by Tor. They have shown that otherwise unrelated streams can be linked back to the same initiator.

Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able to (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective.

Traffic analysis involves intercepting and scrutinizing cybersecurity threats to gather valuable insights about anonymous data flowing through the exit node. By using technique rooted in dark web crawling and specializing software, one can identify the specific characteristics of a client's network traffic within the dark web.[11]


It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked [12] by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant .[13] "It is very hard to hide information about the size or timing of messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not for most civilian applications." The military-versus-civilian problems applies in situations where the user is charged for the volume of information sent.

Even for Internet access, where there is not a per-packet charge, ISPs make statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.

See also


  1. ^ a b c Soltani, Ramin; Goeckel, Dennis; Towsley, Don; Houmansadr, Amir (2017-11-27). "Towards provably invisible network flow fingerprints". 2017 51st Asilomar Conference on Signals, Systems, and Computers. IEEE. pp. 258–262. arXiv:1711.10079. doi:10.1109/ACSSC.2017.8335179. ISBN 978-1-5386-1823-3. S2CID 4943955.((cite conference)): CS1 maint: date and year (link)
  2. ^ "Dictionary of Military and Associated Terms" (PDF). Department of Defense. 12 April 2001. Archived from the original (PDF) on 2009-11-08.
  3. ^ a b c d e Kahn, David (1974). The Codebreakers: The Story of Secret Writing. Macmillan. ISBN 0-02-560460-0. Kahn-1974.
  4. ^ Howland, Vernon W. (2007-10-01). "The Loss of HMS Glorious: An Analysis of the Action". Archived from the original on 2001-05-22. Retrieved 2007-11-26.
  5. ^ Costello, John (1995). Days of Infamy: Macarthur, Roosevelt, Churchill-The Shocking Truth Revealed : How Their Secret Deals and Strategic Blunders Caused Disasters at Pear Harbor and the Philippines. Pocket. ISBN 0-671-76986-3.
  6. ^ Layton, Edwin T.; Roger Pineau, John Costello (1985). "And I Was There": Pearl Harbor And Midway -- Breaking the Secrets. William Morrow & Co. ISBN 0-688-04883-8.
  7. ^ Masterman, John C (1972) [1945]. The Double-Cross System in the War of 1939 to 1945. Australian National University Press. p. 233. ISBN 978-0-7081-0459-0.
  8. ^ Song, Dawn Xiaodong; Wagner, David; Tian, Xuqing (2001). "Timing Analysis of Keystrokes and Timing Attacks on SSH". 10th USENIX Security Symposium. ((cite journal)): Cite journal requires |journal= (help)
  9. ^ Adam Back; Ulf Möeller and Anton Stiglic (2001). "Traffic Analysis Attacks and Trade-Offs in Anonymity Providing systems" (PDF). Springer Proceedings - 4th International Workshop Information Hiding.
  10. ^ Murdoch, Steven J.; George Danezis (2005). "Low-Cost Traffic Analysis of Tor" (PDF).
  11. ^ Gokhale, C.; Olugbara, O. O. (2020-08-17). "Dark Web Traffic Analysis of Cybersecurity Threats Through South African Internet Protocol Address Space". SN Computer Science. 1 (5): 273. doi:10.1007/s42979-020-00292-y. ISSN 2661-8907.
  12. ^ Xinwen Fu, Bryan Graham, Riccardo Bettati and Wei Zhao. "Active Traffic Analysis Attacks and Countermeasures" (PDF). Archived from the original (PDF) on 2006-09-13. Retrieved 2007-11-06.((cite web)): CS1 maint: multiple names: authors list (link)
  13. ^ Niels Ferguson & Bruce Schneier (2003). Practical Cryptography. John Wiley & Sons.

Further reading