  • DocumentCode
    87716
  • Title
    Two-phased method for detecting evasive network attack channels
  • Author
    Cao Zigang ; Xiong Gang ; Zhao Yong ; Guo Li ; Fang Binxing
  • Author_Institution
    Beijing Univ. of Posts & Telecommun., Beijing, China
  • Volume
    11
  • Issue
    8
  • fYear
    2014
  • fDate
    Aug. 2014
  • Firstpage
    47
  • Lastpage
    58
  • Abstract
    With the rapid development of information technology, various industries have become much more dependent on networks. Driven by economic interests and by the contest between countries reflected in growing cyberspace confrontations, evasive network attacks on information infrastructures, characterised by advanced technology, high concealment and long-term persistence, have become severe threats to national security. In this paper, we propose a novel two-phased method for detecting evasive network attacks that exploit, or pretend to be, common legitimate encryption services in order to escape security inspection. Malicious communications that camouflage themselves as legitimate encryption applications are first identified in the SSL session structure verification phase; then, by server-side X.509 certificate based anomaly detection, suspicious attack behaviours are further distinguished effectively. Experimental results show that our method is very useful for detecting the network activities of certain unknown threats or new malware. Besides, the proposed method can easily be applied to other similar services.
  • Keywords
    cryptography; information technology; invasive software; telecommunication channels; telecommunication security; SSL session structure verification phase; X.509 certificate based anomaly detection; encryption services; evasive network attacks; information infrastructures; information technology; legal encryption; malicious communications; malwares; national security; Cryptography; Firewalls (computing); Law; Ports (Computers); Protocols; Servers; SSL; X.509 certificate; anomaly detection; encryption; evasive network attacks
  • fLanguage
    English
  • Journal_Title
    Communications, China
  • Publisher
    ieee
  • ISSN
    1673-5447
  • Type
    jour
  • DOI
    10.1109/CC.2014.6911087
  • Filename
    6911087