Traffic Analysis The Most Powerful and Least Understood Attack - - PowerPoint PPT Presentation



SLIDE 1

Traffic Analysis

The Most Powerful and Least Understood Attack Methods

Raven Alder, Riccardo Bettati, Jon Callas, Nick Matthewson

SLIDE 2

What is Traffic Analysis?

  • Signals intelligence that ignores content
  • Information for analysis is the metadata
  • “Traffic analysis, not cryptanalysis, is the backbone of communications intelligence.” (Susan Landau and Whitfield Diffie)

SLIDE 3

Interesting Metadata

  • Endpoint addresses
  • Timing
    – Duration
    – Sequencing
  • Location?
  • etc.

SLIDE 4

Why is it important?

  • The title of the panel says it all
    – We are going to startle you
  • Everyone needs to think differently
    – Often we’re protecting the wrong thing
    – TA shows the limits of possible defense
  • Potential for new research and creativity

SLIDE 5

Historic Uses

  • Finding size, scope, intentions of military
  • Marketing research
  • Reconfigure networks

SLIDE 6

Why do this?

  • Crypto
  • Too much data, already
  • It’s easier than analyzing everything
  • It’s hard to defend against

SLIDE 7

Defenses

  • Include:
    – Don’t communicate
    – Don’t be seen communicating
      • Spread spectrum, etc.
    – Insert false communications
  • Naïve defenses often worse than nothing
    – Everything you know about this is wrong
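The two slides above make a concrete claim that is easy to demonstrate: the metadata of slide 3 (endpoints, timing, duration, sequencing) is visible without touching any ciphertext, a naïve per-packet padding defense leaves the timing signal alone, and cover traffic at a constant rate hides timing and volume only when the rate is sized for the busiest flow. The following is an added example written for this page, not code from the panel or its authors; the addresses, packet sizes and timestamps are constructed, and the function names are my own.

```python
"""Added example (not from the panel slides): what a passive observer learns
from encrypted traffic, and what two defenses do and do not hide."""
from dataclasses import dataclass
from statistics import mean
import random


@dataclass(frozen=True)
class Packet:
    src: str    # endpoint address: visible even when the payload is encrypted
    dst: str
    t: float    # capture timestamp, seconds
    size: int   # on-the-wire size in bytes


# Constructed samples (addresses made up): an interactive session with small,
# human-paced packets, and a bulk transfer with large back-to-back packets.
INTERACTIVE = [Packet("10.0.0.5", "10.0.0.9", t, 52)
               for t in (0.00, 0.21, 0.35, 0.58, 0.66, 1.02)]
BULK = [Packet("10.0.0.5", "10.0.0.7", 0.001 * i, 1400) for i in range(6)]


def observable_metadata(pkts):
    """Summarise what slide 3 calls interesting metadata: endpoints, timing,
    duration and sequencing (packet count and size pattern). No plaintext needed."""
    ts = sorted(p.t for p in pkts)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "endpoints": sorted({(p.src, p.dst) for p in pkts}),
        "start": ts[0],
        "duration": round(ts[-1] - ts[0], 3),
        "packets": len(pkts),
        "bytes": sum(p.size for p in pkts),
        "mean_gap": round(mean(gaps), 3) if gaps else 0.0,
        "sizes": [p.size for p in pkts],
    }


def naive_random_padding(pkts, seed=0):
    """A naive defense: pad every packet by a random amount. Sizes change, but
    the packet timing, which keystroke-timing analysis keys on, is untouched."""
    rng = random.Random(seed)
    return [Packet(p.src, p.dst, p.t, p.size + rng.randrange(0, 64)) for p in pkts]


def constant_rate_cover(pkts, cell_size, interval, slots):
    """Link padding: emit one fixed-size cell every `interval` seconds for
    `slots` slots whether or not real data is waiting. Real bytes queue up and
    drain into cells; idle slots carry dummy cells. Every input that fits in the
    schedule yields the same cell stream. Returns (cells, undelivered_bytes);
    undelivered_bytes > 0 means the rate was too low for this flow."""
    queue = sorted(pkts, key=lambda p: p.t)
    src, dst = (queue[0].src, queue[0].dst) if queue else ("-", "-")
    pending = 0  # real bytes not yet carried by a cell
    cells = []
    for i in range(slots):
        now = i * interval
        while queue and queue[0].t <= now:
            pending += queue.pop(0).size
        pending = max(0, pending - cell_size)  # one cell carries up to cell_size real bytes
        cells.append(Packet(src, dst, now, cell_size))
    return cells, pending


if __name__ == "__main__":
    for name, flow in (("interactive", INTERACTIVE), ("bulk", BULK)):
        print(name, observable_metadata(flow))
        cells, left = constant_rate_cover(flow, 1400, 0.05, 40)
        print(name, "under cover traffic:", observable_metadata(cells), "undelivered:", left)
```

Note what the cover-traffic output still exposes: the two padded streams are indistinguishable in size, count, duration and timing, but their endpoints differ, so link padding alone does nothing about the first item on slide 3; hiding endpoints needs a mix or relay, which is the other half of the "don't be seen communicating" idea. Note also the cost: to make the bulk flow fit, the schedule sends 56,000 bytes of cells to carry 8,400 real bytes.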

SLIDE 8

What can we do?

  • Determine alert status of military
    – Notorious “Domino’s Metric”
  • Identify authors of text
    – “Primary Colors” break against Joe Klein
  • Crack SSH passwords
    – Timing Analysis of Keystrokes and Timing Attacks on SSH [Usenix 2001]

SLIDE 9

What more can we do?

  • Identify OS of remote hosts
  • Identify host as it moves around the net
  • Correlate virtual-to-physical hosts
  • Unravel mix networks

SLIDE 10

What else can we do?

  • Remove text redacting
    – http://cryptome.org/cia-decrypt.htm
  • Identify movies being played
    – http://www.cs.washington.edu/research/security/usenix07devices.pdf
  • Identify music being downloaded / played
    – CDDB finds albums with TA-like methods

SLIDE 11

And even more

  • De-multiplex IPsec tunnels
  • Spatially locate hosts
  • Voice analysis of some speech patterns
  • Analysis of social networks
  • Google PageRank
  • nmap, p0f
  • Credit card fraud detection

SLIDE 12

Open Questions?

  • How do we guard against TA?
  • How do we use TA?
    – Can it be used against spam, botnets?
    – Are there offensive and defensive uses?
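One answer to "can it be used against botnets?" is the same observation the earlier slides make about timing: a bot checking in with its controller does so on a machine-like schedule, and that regularity shows up in flow records without any payload inspection. The block below is an added example for this page, not code from the panel; the flow log is constructed (RFC 5737 documentation addresses, made-up timestamps), and the threshold and function names are my own choices.

```python
"""Added example (not from the slides): a defensive use of traffic analysis,
scoring host pairs in a flow log for beacon-like periodicity by timing alone."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log, one record per line: timestamp_seconds src dst bytes.
# 192.0.2.10 talks to 198.51.100.5 roughly every 60 s (beacon-like) and to
# 203.0.113.8 at irregular, human-looking intervals.
FLOW_LOG = """\
0      192.0.2.10  198.51.100.5  312
3      192.0.2.10  203.0.113.8   1422
17     192.0.2.10  203.0.113.8   5100
60     192.0.2.10  198.51.100.5  318
95     192.0.2.10  203.0.113.8   900
121    192.0.2.10  198.51.100.5  310
180    192.0.2.10  198.51.100.5  315
199    192.0.2.10  203.0.113.8   7320
241    192.0.2.10  198.51.100.5  320
300    192.0.2.10  198.51.100.5  311
"""


def parse_flows(text):
    """Turn the whitespace-separated log into (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows.append((float(ts), src, dst, int(size)))
    return flows


def periodicity_scores(flows, min_samples=4):
    """For each (src, dst) pair with at least min_samples flows, estimate the
    period (mean inter-arrival gap) and the jitter (population std. dev. of the
    gaps divided by the period). Jitter near zero over many samples is the
    regularity a scheduled beacon shows and a person browsing rarely does."""
    times_by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        times_by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        scores[pair] = {"count": len(times),
                        "period": round(period, 2),
                        "jitter": round(jitter, 3)}
    return scores


def flag_beacons(scores, max_jitter=0.1):
    """Pairs whose timing is regular enough to deserve an analyst's look."""
    return sorted(pair for pair, s in scores.items() if s["jitter"] <= max_jitter)


if __name__ == "__main__":
    scores = periodicity_scores(parse_flows(FLOW_LOG))
    for pair, s in scores.items():
        print(pair, s)
    print("beacon candidates:", flag_beacons(scores))
```

The score is deliberately crude: it uses only timestamps and pair identity, exactly the metadata slide 3 lists, and a jitter cut-off is a heuristic that legitimate schedulers (NTP, package update checks) will also trip, so in practice the output is a triage list, not a verdict. It does illustrate the open question on this slide: the same timing regularity an attacker exploits elsewhere is, for a defender, a detection signal that survives encryption.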

SLIDE 13

Additional Reading

  • “Introducing Traffic Analysis” by George Danezis
    – http://homes.esat.kuleuven.be/~gdanezis/TAIntro-book.pdf
    – http://homes.esat.kuleuven.be/~gdanezis/talks/TAIntro-prez.pdf
    – http://one.revver.com/watch/147903
