In general

Detectability means being able to sufficiently distinguish whether an item of interest (IOI) exists or not.

Note that detectability does not imply information disclosure. Detectability concerns IOIs of which the content is not known (to the attacker).


  • Inference: by detecting whether an IOI exists, one can deduce certain information, even without actually having access to that information (e.g. by knowing that a celebrity has a health record in a rehab facility, you can deduce that the celebrity has an addiction, even without having access to the actual health record).

Impacted by

  • /


Detectability of data flow

LINDDUN detectability of flow

Tree in general

Knowing that a message is sent, without actually knowing what is contained in the message, can often reveal additional (sensitive) information. For example, when a smart grid system only sends consumption messages from the customer’s home system to the back-end when electricity is being consumed, detecting that such a message is sent to the back-end reveals that there are currently people in the house. (In practice, certain household appliances will still be consuming electricity even though nobody is home. Therefore, detecting messages being sent at irregular or very short intervals will reveal that someone is home.)

Leaf nodes explanation

No or weak covert channel (D_DF1)

A first type of threat that can lead to detectability of a data flow is that the system has no covert channel or only a weak one (D_DF1). This can happen when the covert channel uses too much bandwidth from a legitimate channel (D_DF6), resulting in the detection of the covert communication. It can also be because the patterns or characteristics of the communications medium of the legitimate channel are controlled or examined by legitimate users (D_DF7), e.g. by checking patterns of file opening and closing operations (D_DF12) or watching the timing of requests (D_DF13), such that the covert communication is detected.

Side channel attacks (D_DF2)

Side channel analysis (D_DF2) can be based on timing information, power consumption, electromagnetic leaks, etc. It is used as an extra source of information which can be exploited to detect the communication.

Weak information hiding (D_DF3)

When weak information hiding techniques (D_DF3) are used, steganalysis attacks (D_DF8) are possible (detecting messages hidden using steganography).

No or insufficient dummy traffic (D_DF4)

Transmitted data can become detectable when there is no or insufficient dummy traffic (D_DF4) sent at some lower layer of the communication network, such that messages fail to appear random for all parties except the sender and the recipient(s).
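The smart grid case and the dummy-traffic leaf (D_DF4) can be compared side by side. The following is an added example, not part of the LINDDUN material: the traces are constructed, and the 60-second reporting slot, the 64-byte padded size and all function names are assumptions. It models a passive observer of an encrypted flow who sees only send times and message sizes, and checks whether that view differs between an empty and an occupied home.

```python
# Added illustration: constructed traces, hypothetical names, no real meter protocol.
INTERVAL = 60   # assumed reporting period (seconds) for the constant-rate sender
MSG_SIZE = 64   # assumed fixed padded body size (bytes)

def event_driven(events):
    """One message per consumption event: timing and size follow activity."""
    return [(t, str(wh).encode()) for t, wh in events]

def constant_rate(events, start, end):
    """One fixed-size message per slot; idle slots carry a dummy zero reading."""
    msgs = []
    for slot in range(start, end, INTERVAL):
        total = sum(wh for t, wh in events if slot <= t < slot + INTERVAL)
        # Pad every body to the same length; bodies are assumed to be encrypted.
        msgs.append((slot + INTERVAL, str(total).encode().ljust(MSG_SIZE, b"\0")))
    return msgs

def wire_view(msgs):
    """What a passive observer sees: send time and size only, never content."""
    return [(t, len(body)) for t, body in msgs]

def gaps(view):
    """Distinct inter-arrival gaps (seconds) in an observed flow."""
    times = [t for t, _ in view]
    return sorted({b - a for a, b in zip(times, times[1:])})

# Constructed one-hour traces of (second, watt-hours).
EMPTY = [(t, 5) for t in range(0, 3600, 900)]  # appliance cycling only
OCCUPIED = sorted(EMPTY + [(130, 1200), (145, 80), (2011, 2000), (2020, 60)])

def padded(events):
    """Constant-rate sender over the same one-hour window."""
    return constant_rate(events, 0, 3600)

def distinguishable(sender):
    """True if the observer's view differs between the empty and occupied home."""
    return wire_view(sender(EMPTY)) != wire_view(sender(OCCUPIED))

if __name__ == "__main__":
    print("event-driven gaps, empty   :", gaps(wire_view(event_driven(EMPTY))))
    print("event-driven gaps, occupied:", gaps(wire_view(event_driven(OCCUPIED))))
    print("constant-rate gaps, either :", gaps(wire_view(padded(OCCUPIED))))
    print("event-driven distinguishable :", distinguishable(event_driven))
    print("constant-rate distinguishable:", distinguishable(padded))
```

The constant-rate sender still delivers the same total consumption to the back-end; it trades reporting latency and bandwidth for a flow whose timing and size no longer depend on activity in the home.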

Weak spread spectrum communication (D_DF5)

The detectability threat can occur because of weak spread spectrum communication (D_DF5), resulting in deficiencies in the establishment of secure communications (allowing eavesdropping (D_DF9)), insufficient resistance to natural interference and jamming (D_DF10), and insufficient resistance to fading (D_DF11).

Detectability of data store

LINDDUN detectability of data store

Tree in general

Knowing that an item of interest (IOI) exists, without actually having access to it, can already reveal (possibly sensitive) information. For example, knowing that a rehab clinic has a file on a certain celebrity already reveals information (i.e. the celebrity has been in rehab), without actually having access to the file.

Leaf nodes explanation

Detectability at the data store can occur when there is insufficient access control (D_DS1), because of information disclosure threats (ID_DS), and when insufficient information hiding techniques (D_DS2) are applied, such that information is revealed due to weak steganography algorithms which enable steganalysis attacks (D_DS3).

Note that access control should apply not only to the actual data but also to the corresponding metadata, as knowing that an item exists, without actually having access to it, can also reveal sensitive information.


Detectability of process

LINDDUN detectability of process

Tree in general

Detectability of process implies that it can be detected that the process has been run. It is, however, a very rare threat.

Leaf nodes explanation

Detectability of a process can only occur after information disclosure of this process (ID_P). We therefore refer to that tree.