1. Field
The present technology relates to information security. More particularly, the technology relates to security techniques for protecting networks from traffic flow analysis. The technology is relevant generally to network communications, including networks with contention-based multiple access architectures.
2. Description of the Related Art
Traffic flow analysis attacks refer to the situation in which an adversary attempts to deduce information about the network and its users by analyzing the transmitted traffic. Although encryption methods have become increasingly sophisticated, a determined adversary can still derive valuable information by analyzing the statistics of traffic on the network, for example the volume or its timing, even though the information relayed between users on the network may be encrypted. This type of threat is relevant to any network communications where an adversary is able to receive transmitted traffic in a network. This type of threat is especially relevant for “bent-pipe” satellite communication systems since the return link is reflected by the satellite back to the earth without change to the original modulation and can easily be observed by an adversary over wide geographic areas.
Commonly, bent-pipe satellite communication systems operate in an asymmetric network fashion, meaning many remote terminals are serviced from a single hub terminal via satellite. The remote terminals send their return signals to the hub and the hub in turn sends a single forward signal to all of the remote terminals, where this forward signal is a shared transport medium for all data going from the hub site to the remote terminals, for example as a time-division multiplexed (TDM) carrier. This asymmetric network configuration is often referred to as “hub-spoke” or “star” for example. The remote terminals typically transmit and receive using small satellite antennas (typical ranges from sub-1 m up to ~2 m depending on frequency bands, including ones as small as ~0.3-0.6 m or smaller in diameter) while the hub terminal transmits and receives using a significantly larger satellite antenna (~2.4-4.5 m or larger) at a significantly larger power output.
A typical satellite in an asymmetric bent-pipe communication network scheme includes a number of repeaters on the satellite (transponders), each of which provides a large-capacity communication channel. Each transponder has a receiver tuned to a frequency range (bandwidth) that has been allocated for uplink communication signals from Earth to the satellite. Following the receiver, each transponder includes a frequency translator to change the received signals to a downlink frequency suitable for satellite-to-Earth transmission, a filter tuned to the frequency of the transponder, and a power amplifier to transmit signals back to Earth. This means that all signals uplinked to the satellite are downlinked throughout the entire range of coverage including (in many cases) the location from which the uplink transmission was made.
In order to minimize the required bandwidth of the system, a frequency sharing technique can be utilized in which the return channels occupy the same physical bandwidth as the forward channel (e.g., ViaSat's Paired Carrier Multiple Access (PCMA) technique, for example as used in the ArcLight® Satellite Communications System). Descriptions of frequency sharing systems and techniques can be found in U.S. Pat. Nos. 6,011,952, 6,725,017, and 6,907,093, among others. Frequency sharing can reduce the bandwidth required by the system by up to half, which can also reduce the number of transponders used.
In a typical asymmetric frequency sharing satellite communication system installation, the remote terminal signals are transmitted back down to earth by the satellite along with the forward signal, occupying the same bandwidth. Because the hub antenna tends to be transmitting essentially constantly to unknown recipients, analyzing the forward hub traffic when encryption is used would likely not produce much information. However, an adversary in the vicinity of the remote terminals or the hub could remove the strong and detectable forward signal by studying the received symbols and deriving the modulation scheme. Commercial products capable of this functionality, such as those made by GlowLink, already exist and are available for purchase. After removing the forward signal an adversary would be able to see the amount of traffic on the return downlinks and derive information about the number of users in the network or the amount of traffic communicated by these users. In many applications this type of privacy breach could be detrimental.
Consider the scenario of a military unit beginning an operation. Using simple traffic flow analysis an adversary could identify the increase in remote terminal traffic and infer that a unit is preparing for an operation. This would allow the adversary to take measures to prepare for such a mission and thus the element of surprise may be lost. Another illustrative scenario might be an unmanned aerial vehicle (UAV) flying at a high altitude in order to observe places and people on the ground. By performing traffic analysis an adversary may see an increase in data traffic and know that they “are being watched” and attempt to conceal their activity.
One straightforward method for concealing traffic on the network is to have remote terminals constantly transmit regardless of the actual traffic they may have to send. Thus the remote terminals transmit so-called “dummy” bursts in order to make the network seem constantly utilized. This is a common technique used for time-division multiple access (TDMA) networks as part of an overall transmission security method. However, in a contention channel this has the disadvantage of creating unnecessary traffic, and thus self-induced interference or packet collisions, reducing the throughput of the network available for actual traffic, while not necessarily completely obfuscating the actual user traffic. For example, dummy packets may not completely obfuscate the actual user traffic unless transmitted at a high enough volume. However, transmitting at a volume sufficient to obfuscate the actual user traffic may not be possible, as the necessary volume may make it impossible to then transmit real traffic. Furthermore, in the case for which the remote terminals are power limited, as in the case of many mobile terminals, for example those powered by a battery, the transmission of dummy bursts consumes valuable terminal power.
In spite of the undesired increase in packet collisions and wasting of terminal power, the dummy burst method described above is currently the only method identified to mitigate traffic flow analysis attacks.
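The trade-off of the dummy burst method described above can be made concrete with a small simulation. This is an added example, not part of the original document: it assumes a slotted contention channel in which a slot delivers data only when exactly one burst is sent in it, and the terminal count and transmit probabilities are constructed values.

```python
import random

def simulate(n_terminals, p_real, p_total, slots=20000, seed=1):
    """Return (observed bursts per slot, delivered real bursts per slot).

    Each terminal sends a real burst with probability p_real per slot.
    If p_total > p_real, idle terminals add dummy bursts so that every
    terminal transmits with probability p_total regardless of real demand.
    """
    rng = random.Random(seed)
    # Dummy probability for an idle terminal that keeps total rate at p_total.
    p_dummy = max(0.0, (p_total - p_real) / (1.0 - p_real))
    bursts = delivered = 0
    for _ in range(slots):
        real = dummy = 0
        for _ in range(n_terminals):
            if rng.random() < p_real:
                real += 1
            elif rng.random() < p_dummy:
                dummy += 1
        bursts += real + dummy                   # what an observer can count
        delivered += (real == 1 and dummy == 0)  # collision-free real burst
    return bursts / slots, delivered / slots

def compare(n_terminals=20, p_quiet=0.005, p_busy=0.03, p_padded=0.05):
    """Compare a quiet and a busy period, with and without dummy bursts."""
    out = {}
    for name, p_total in (("no_padding", 0.0), ("dummy_bursts", p_padded)):
        quiet_load, _ = simulate(n_terminals, p_quiet, p_total, seed=1)
        busy_load, busy_goodput = simulate(n_terminals, p_busy, p_total, seed=2)
        out[name] = {
            "quiet_load": quiet_load,
            "busy_load": busy_load,
            "leak": busy_load - quiet_load,  # change in volume visible to an observer
            "busy_goodput": busy_goodput,    # real bursts delivered per slot
        }
    return out

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, {k: round(v, 3) for k, v in row.items()})
```

With padding, the observed load is the same in the quiet and busy periods, but the real traffic delivered during the busy period drops because dummy bursts collide with it.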