This talk presents Traffic Mining (TM) particularly in regard to VoiP applications such as Skype. TM is a method to digest and understand large quantities of data. Voice over IP (VoIP) has experienced a tremendous growth over the last few years and is now widely used among the population and for business purposes. The security of such VoIP systems is often assumed, creating a false sense of privacy. Stefan will present research into leakage of information from Skype, a widely used and protected VoIP application. Experiments have shown that isolated phonemes can be classified and given sentences identified. By using the dynamic time warping (DTW) algorithm, frequently used in speech processing, an accuracy of 60% can be reached. The results can be further improved by choosing specific training data and reach an accuracy of 83% under specific conditions.

1. Encrypted Traffic Mining (TM) e.g. Leaks in Skype Benoit DuPasquier, Stefan Burschka

3. ﺤﺮﺐ Who: Since Feb 2011 @ Torben Sebastian Antonino Francesco Noe Stefan Mischa ? Fabian Dago © Rouxel © Rouxel Antonio, Patrick, Hugo, Pascal, K-Pascal, Mehdi, Javier, Seili, Flo, Frederic, Markus, ... Nur & Malcolm Ulrich, Ernst, ... Sakir, Benoit, Antonio Wurst © NASA

5. WTF is in it?

8. If you plainly start listening to this 22:06:51.410006 IP 193.5.230.58.3910 > 193.5.238.12.80: P 1499:1566(67) ack 2000 win 64126 0x0000: 0000 0c07 ac0d 000f 1fcf 7c45 0800 4500 ..........|E..E. 0x0010: 006b 9634 4000 8006 0e06 c105 e63a c105 .k.4@........:.. 0x0020: ee0c 0f46 0050 1b03 ae44 faba ef9e 5018 ...F.P...D....P. 0x0030: fa7e 9c0a 0000 28d8 f103 e595 8451 ea09 .~....(......Q.. 0x0040: ba2c 8e91 9139 55bf df8d 1e07 e701 7a09 .,...9U.......z. 0x0050: cf96 8f05 84c2 58a8 d66b d52b 0a56 e480 ......X..k.+.V.. 0x0060: 472d e34b 87d2 5c64 695a 580f f649 5385 G-.K..iZX..IS. 0x0070 : ea31 721f d699 f905 e7 .1r...... Payload Header You will end like that

9. Distinguish from by listening Gap in tracks So, what is the Task? Packet Length Packet Fire Rate (Interdistance) Sound ~

11. TM Exercise: See the features? Burschka (Fischkopp) Linux Dominic (Student) Windows Codec training Ping min l =3 SN

15. Basic Lab setup Phonem DB from Voice Recognition Project with different speakers MS Windoof XP Pro Ver 2002 SP3 Intel(R) Core(TM) 2 E6750 @ 2.66 GHz 2.99 Gz RAM 2.00 GB Skype Version 4.0.0.224 Skype’s audio codec SILK

17. Derive the Transfer Function H

18. Example: Frequency sweep

19. Result: Skype Transfer Model Desync packet generation process and codec output Speeds unsyncronized codec Ip layer

21. Attack, Comb, Decay, Sustain, Release Phoneme / /, e.g. in word pleasure Find Homomorphism between 44 Phonems Commutativity f (a * b) = f (b * a) Additivity f (a * b) = f (a) * f (b)

23. Sentence Signals Same sentences, similar output  

24. Different Sentences same Speaker 

26. Young children should avoid exposure to contagious diseases Matching DTW map path Optimal Path

27. Non-matching DTW map path Young children should avoid exposure to contagious diseases The fog prevented them from arriving on time

31. Example: Constant Line Estimation Estimation Goal Data Kalman Filter Estimation

32. Kalman Model for one Sentence

35. Next: All IP Signal Processing

36. Science is a way of thinking much more than it is a body of knowledge. Carl Sagan Questions / Comments [email_address] http://sourceforge.net/projects/tranalyzer/ V0.57