Lulu Guo,Qianqiong Wu,Shengli Liu,Ming Duan,Huijie Li,Jianwen Sun

DOI: https://doi.org/10.1007/s11554-019-00930-6

2019-12-02

Abstract:With the widespread application of virtual private network (VPN) technology, real-time VPN traffic identification has become an increasingly important task in network management and security maintenance. Since traditional encrypted traffic identification technology is not effective in feature extraction and selection, this paper proposes two deep learning-based models to classify the traffic into VPN and non-VPN traffic, identify VPN traffic generated by six different applications much further. Our models utilize convolutional auto-encoding (CAE) and convolutional neural network (CNN), respectively, preprocessing the traffic samples into session pictures, to accomplish the experiment objectives. The CAE-based method, utilizing the unsupervised nature of CAE to extract the hidden layer features, can automatically learn the nonlinear relationship between original input and expected output. The CNN-based method performs well in extracting two-dimensional local features of images. Experimental results show that our models perform better than traditional identification methods. In the two-category identification, the best result comes from the CAE-based model; the overall identification accuracy rate is 98.77%. Among the six-category identification, the best result comes from CNN-based model; the overall identification accuracy rate is 92.92%.

computer science, artificial intelligence,engineering, electrical & electronic,imaging science & photographic technology

Sujatha S

DOI: https://doi.org/10.22214/ijraset.2024.61288

2024-04-30

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: The widespread adoption of Virtual Private Networks (VPNs) for secure communication over public networks has highlighted the need for accurate detection of encrypted network traffic. This study proposes a comprehensive approach utilizing machine and ensemble learning algorithms to address this detection challenge. Leveraging the ISCX VPN dataset, the project aims to develop a robust system capable of distinguishing between VPN and non-VPN traffic with high accuracy. Key stages include data acquisition, preprocessing, feature extraction, and model training using Decision Tree, Naive Bayes, Random Forest, and Adaboost algorithms. Through rigorous experimentation, the most effective algorithmic approach is identified. The project also offers insights into the diverse nature of encrypted network communication and its implications for network security. The anticipated outcomes include improved understanding and management of VPN traffic, enhancing overall network security and performance. This research contributes to advancing network security practices by offering practical solutions for encrypted traffic detection in real-world settings.

LV Sicai,Chao Wang,Zibo Wang,Shuo Wang,Bailing Wang,Yongzheng Zhang,Sicai LV

DOI: https://doi.org/10.1016/j.comnet.2023.109990

IF: 5.493

2023-08-25

Computer Networks

Abstract:Virtual Private Network(VPN) can provide a concealed transmission channel for communication and protect the privacy of users. However, it also brings hidden dangers to cybersecurity with its wide application. Malicious behavior or harmful information can be transmitted secretly through VPN tunnels to avoid firewall censorship. Therefore, VPN traffic identification is an important part of ensure cybersecurity. Although many efforts have been made for VPN traffic identification, existing methods mainly focus on supervised learning models. In this paper, we propose an one-class classification model called AAE-DSVDD for VPN traffic identification. First, we introduce Adversarial AutoEncoder(AAE) for preliminary modeling of VPN traffic. AAE can match the aggregated posterior distribution of the hidden layer to an arbitrary prior distribution. It associates the samples with a normal distribution in the hidden space. Secondly, We implement representation learning for VPN traffic via Deep Support Vector Data Description(DSVDD). A standardized method is designed to match the output distribution of DSVDD with the aggregated posterior distribution of AAE. It alleviates the hypersphere collapse problem of DSVDD and improves identification performance. Finally, we verify the abilities of the AAE-DSVDD model on the public dataset ISCXVPN. Compared with other one-class models, AAE-DSVDD achieved the best identification ability for VPN traffic identification. It also improves the recognition ability when identifying strange classes that are not included in the training data.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Tiru Wu,Xi Xiao,Qing Li,Qixu Liu,Guangwu Hu,Xiapu Luo,Yong Jiang

DOI: https://doi.org/10.1109/secon58729.2023.10287511

2023-01-01

Abstract:With the increasing popularity of encryption pro-tocols in application and the rapid development of network applications, traffic classification has become a major challenge for mobile service providers. The failure of traditional classification methods and low classification accuracy are the problems that need to be solved urgently in traffic classification research. Therefore, we propose the scheme of BehavSniffer to sniff user behaviors from the encrypted traffic. The core idea is to propose Traffic Burst Graph (TBG) for extracting multidimensional features from bidirectional interactive data flows, and do feature fusion based on Kernel Principal Component Analysis (KPCA) and Deep Neural Network (DNN). In this way, BehavSniffer can learn both high and low-order combined structural features from traffic patterns of user behavior. Meanwhile, we propose the user behavior dataset, named WWT, from three widely used social media applications (WeChat, WhatsApp, Telegram). Experimental results show that BehavSniffer outperforms stateof-the-art methods, with AUC of 0.987 and accuracy of 99.8%, respectively.

Diwen Xue,Reethika Ramesh,Arham Jain,Michalis Kallitsis,J. Alex Halderman,Jedidiah R. Crandall,Roya Ensafi

2024-03-07

Abstract:VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats. In response, certain governments are attempting to restrict VPN access by identifying connections using "dual use" DPI technology. To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN, the most popular protocol for commercial VPN services. We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response. Playing the role of an attacker who controls the network, we design a two-phase framework that performs passive fingerprinting and active probing in sequence. We evaluate our framework in partnership with a million-user ISP and find that we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage. Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 "obfuscated" VPN configurations. We discuss the implications of the VPN fingerprintability for different threat models and propose short-term defenses. In the longer term, we urge commercial VPN providers to be more transparent about their obfuscation approaches and to adopt more principled detection countermeasures, such as those developed in censorship circumvention research.

Cryptography and Security

Guangyuan Gao,Weina Niu,Jiacheng Gong,Dujuan Gu,Song Li,Mingxue Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/tifs.2024.3443596

IF: 7.231

2024-08-24

IEEE Transactions on Information Forensics and Security

Abstract:DNS tunnels, due to their versatility and concealment, have become a preferred method for attackers to execute Command and Control (C&C) attacks, posing a significant security threat to terminal devices. Therefore, the efficient and accurate detection of DNS tunnels is important in reducing the economic losses and privacy risks faced by both enterprises and individuals. Despite notable advancements in the research of intelligent detection of DNS tunnels, existing model-based approaches predominantly concentrate on the surface-level features of domain names or packet payloads. This narrow focus leads to low detection accuracy when dealing with unknown DNS tunnel attacks and traffic from wildcard DNS. Furthermore, these methods struggle with accurately identifying DNS tunneling tools, complicating the task of swiftly locating and mitigating malware for analysts. This paper proposes GraphTunnel, a framework based on graph neural networks for detecting DNS tunnels and identifying tunneling tools. It delves into the correlations among DNS resolutions to construct paths that represent the recursive resolution process of DNS. By using central nodes that denote the gateways, these paths are connected and transformed into graph structures. Concurrently, it employs GraphSage to aggregate the features of nodes and their edges in the graph, enabling effective detection of DNS tunnels. Additionally, GraphTunnel utilizes the G2M algorithm to capture the statistical features of nodes in the graph and maps them into grayscale images, which are then processed by a CNN for multi-class identification of DNS tunneling tools. Experimental results demonstrate that in non-wildcard DNS scenarios, GraphTunnel achieves a 100% accuracy in DNS tunnel detection, encompassing unknown DNS tunnels. Even in high false-positive environments caused by wildcard DNS, GraphTunnel maintains an F1-Score of 99.78%. Moreover, GraphTunnel can identify DNS tunneling tools with an accuracy rate exceeding 98.57%, enhancing the rapid mitigation capabilities of emergency responders in dealing with malicious DNS tunnels.

computer science, theory & methods,engineering, electrical & electronic

Shihe Zhang,Ruidong Chen,Jingxue Chen,Yukun Zhu,Manyuan Hua,Jiaying Yuan,Fenghua Xu

DOI: https://doi.org/10.3390/electronics13214222

IF: 2.9

2024-10-28

Electronics

Abstract:Recently, with a crucial role in developing smart transportation systems, the Internet of Vehicles (IoV), with all kinds of in-vehicle devices, has undergone significant advancement for autonomous driving, in-vehicle infotainment, etc. With the development of these IoV devices, the complexity and volume of in-vehicle data flows within information communication have increased dramatically. To adapt these changes to secure and smart transportation, encrypted communication realization, real-time decision-making, traffic management enhancement, and overall transportation efficiency improvement are essential. However, the security of a traffic system under encrypted communication is still inadequate, as attackers can identify in-vehicle devices through fingerprinting attacks, causing potential privacy breaches. Nevertheless, existing IoV traffic application models for encrypted traffic identification are weak and often exhibit poor generalization in some dynamic scenarios, where route switching and TCP congestion occur frequently. In this paper, we propose LineGraph-GraphSAGE (L-GraphSAGE), a graph neural network (GNN) model designed to improve the generalization ability of the IoV application of traffic identification in these dynamic scenarios. L-GraphSAGE utilizes node features, including text attributes, node context information, and node degree, to learn hyperparameters that can be transferred to unknown nodes. Our model demonstrates promising results in both UNSW Sydney public datasets and real-world environments. In public IoV datasets, we achieve an accuracy of 94.23%(↑0.23%). Furthermore, our model achieves an F1 change rate of 0.20%(↑96.92%) in α train, β infer, and 0.60%(↑75.00%) in β train, α infer when evaluated on a dataset consisting of five classes of data collected from real-world environments. These results highlight the effectiveness of our proposed approach in enhancing IoV application identification in dynamic network scenarios.

engineering, electrical & electronic,computer science, information systems,physics, applied

Fei Wang,Liusheng Huang,Zhili Chen,Haibo Miao,Wei Yang

DOI: https://doi.org/10.1007/978-3-319-04283-1_15

2014-01-01

Abstract:The web tunnel is a common attack technique in the Internet and it is very easy to be implemented but extremely difficult to be detected. In this paper, we propose a novel web tunnel detection method which focuses on protocol behaviors. By analyzing the interaction processes in web communications, we give a scientific definition to web sessions that are our detection objects. Under the help of the definition, we extract four first-order statistical features which are widely used in previous research of web sessions. Utilizing the packet lengths and inter-arrival times in the transport layer, we divide TCP packets into different classes and discover some statistical correlations of them in order to extract another three second-order statistical features of web sessions. Further, the seven features are regarded as a 7-dimentional feature vector. Exploiting the vector, we adopt a support vector machine classifier to distinguish tunnel sessions from legitimate web sessions. In the experiment, our method performs very well and the detection accuracies of HTTP tunnels and HTTPS tunnels are 82.5% and 91.8% respectively when the communication traffic is above 500 TCP packets.

Yongwei Meng,Tao Qin,Haonian Wang,Zhouguo Chen

DOI: https://doi.org/10.1109/trustcom56396.2022.00025

2022-01-01

Abstract:VPN has posed many difficulties for network security management. In this paper, we develop a robust method to classify the VPN traffic. Firstly, we investigate the VPN transmission process and find the turning packet interval (Named as TPI) is a valuable feature for VPN traffic classification. Then we employ the probability distribution of TPI to improve the robustness of classification process, which is named as TPIPD. Secondly, we evaluate our method using the ISCXVPN2016 dataset and find our method has higher classification accuracy compared with other related methods. We also find the distribution of the first few TPIs can be used to represent that of the entire TPIs of specific flow, thus our method can be used for online traffic classification. As TPIPD is a kind of probability feature, it is more robust than other traditional features. Finally, the experiments verify our methods can be used for mice flow identification.

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

Yao Zhao,Zhaosheng Zhu,Yan Chen,Dan Pei,Jia Wang

DOI: https://doi.org/10.1109/INFCOM.2009.5061959

2009-01-01

Abstract:Continuous monitoring and diagnosis of network performance are of crucial importance for the Internet access service and virtual private network (VPN) service providers. Various operational constraints, which are crucial to the practice, are largely ignored in previous monitoring system designs, or are simply replaced with load balancing problems which do not work for real heterogeneous networks. Given these real-world challenges, in this paper, we design a VScope monitoring system with the following contributions. First, we design a greedy-assisted linear programming algorithm to select as few monitors as possible that can monitor the whole network under the operational constraints. Secondly, VScope takes a multi-round measurement approach to further reduce monitors deployment/management cost, by scheduling the path measurements in different rounds under the operational constraints. Evaluations based on several real VPN topologies from a tier-1 ISP as well as some other synthetic topologies demonstrate that VScope is promising to solve the aforementioned challenges.

Zhuoqun Fu,Mingxuan Liu,Yue Qin,Jia Zhang,Yuan Zou,Qilei Yin,Qi Li,Haixin Duan

DOI: https://doi.org/10.1145/3545948.3545983

2022-01-01

Abstract:Malicious activities on the Internet continue to grow in volume and damage, posing a serious risk to society. Malware with remote control capabilities is considered one of the most threatening malicious activities, as it can enable arbitrary types of cyber-attacks. As a countermeasure, many malware detection methods are proposed to identify malicious behaviours based on traffic characteristics. However, the emerging encryption and evasion techniques pose substantial barriers to the full exploitation of network information. This significantly impairs the effectiveness of existing malware detection methods relying on a singular type of characteristics. In this paper, we propose ST-Graph to resolve this issue. In addition to traditional stream attributes, ST-Graph explores spatial and temporal characteristics of network behaviours based on a graph representation learning algorithm and integrates all available information to boost the detection decision. To illustrate the effectiveness of ST-Graph, we evaluate it on two datasets. Experimental results demonstrate that ST-Graph outperforms state-of-the-art malware detection systems and also shows good performance in efficiency, generalizability, and robustness. Specifically, it achieves over 99% precision and recall, and its False Positive Rate is even two orders of magnitude lower than (nearly 0.02 times) that of baseline models. Meanwhile, the deployment of ST-Graph in two real network scenarios for around one year shows an outstanding efficiency with only 160 seconds time cost for 5-minute traffic in 1.7 Gbps bandwidth.

Weishi Sun,Yaning Zhang,Jie Li,Chenxing Sun,Shuzhuang Zhang

DOI: https://doi.org/10.3390/electronics12010115

IF: 2.9

2022-12-28

Electronics

Abstract:Network traffic classification has great significance for network security, network management and other fields. However, in recent years, the use of VPN and TLS encryption had presented network traffic classification with new challenges. Due to the great performances of deep learning in image recognition, many solutions have focused on the deep learning-based method and achieved positive results. A traffic classification method based on deep learning is provided in this paper, where the concept of Packet Block is proposed, which is the aggregation of continuous packets in the same direction. The features of Packet Block are extracted from network traffic, and then transformed into images. Finally, convolutional neural networks are used to identify the application type of network traffic. The experiment is conducted using captured OpenVPN dataset and public ISCX-Tor dataset. The results shows that the accuracy is 97.20% in OpenVPN dataset and 93.31% in ISCX-Tor dataset, which is higher than the state-of-the-art methods. This suggests that our approach has the ability to meet the challenges of VPN and TLS encryption.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ammar Almomani

DOI: https://doi.org/10.1016/j.eij.2022.06.006

IF: 4.195

2022-07-27

Egyptian Informatics Journal

Abstract:Virtual Private Networks (VPNs) are one example of encrypted communication services commonly used to bypass censorship and access geographically locked services. This study performed VPN and non-VPN traffic analysis and developed a classification system based on the new techniques of machine learning classifiers known as stacking ensemble learning. The methods used for VPN and Non-VPN classification use three machine learning techniques: random forest, neural network, and support vector machine. To assess the proposed method's performance, we tested it on a dataset containing 61 features. The experiment results accurately prove the study's classifiers to differentiate between VPN and Non-VPN traffic. The accuracy level was approximately 99% in the training and testing phase. The study's classifiers also show the best standard deviation, with a 100% accuracy rate compared to other A.I. classifier methods.

computer science, information systems, artificial intelligence

Gazy Abbas,Umar Farooq,Parvinder Singh,Surinder Singh Khurana,Paramjeet Singh

DOI: https://doi.org/10.1007/s42979-023-01944-5

2023-07-29

SN Computer Science

Abstract:With the rapid advancement in technology, the constant emergence of new applications and services has resulted in a drastic increase in Internet traffic, making it increasingly challenging for network analysts to maintain network security and classify traffic, especially when encrypted or tunneled. To address this issue, the proposed strategy aims to distinguish between regular traffic and traffic tunneled through a virtual private network and characterize traffic from seven different applications. The proposed approach utilizes various ensemble machine learning techniques, which are efficient and accurate and consume minimal computational time for training and prediction compared to conventional machine and deep learning models. These models were applied for both the classification and characterization of network traffic, deriving efficient results. The extreme and light gradient boosting algorithms performed well in multiclass classification, while AdaBoost and Light GBM performed well in binary classification. However, when all the datasets were merged and categorized into two classes and various feature engineering methods were applied, the proposed system achieved an accuracy of more than 99%, with minimal error scores using light GBM with min–max scaling over stratified fivefold, thereby outperforming all existing approaches. This research highlights the efficiency and potential of the proposed model in detecting network traffic.

Kun Wang,Chengcheng Zhao,Jinpei Chu,Yiping Shi,Jianyuan Lu,Biao Lyu,Shunmin Zhu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/tnet.2024.3469386

2024-01-01

Abstract:The Virtual Private Cloud (VPC) service enables users to configure shared resources within public clouds on demand, providing isolation between users. However, configuring the VPC network is a complex and error-prone task, and misconfiguration has been the leading cause of cloud network security issues. The large number of complex network components and configurations makes it difficult to perform scalable, efficient, and accurate fault verification of the network behavior. To address this issue, we design a comprehensive and automated fault diagnosis and localization tool, called, which is built upon an innovative modular network model that accurately captures the logic functions of real components within VPC networks, and propose eleven functions to verify network reachability and security requirements. We conduct performance testing of on various datasets and compared it with other verification tools. The experiments show that outperforms in modeling and analyzing real VPC scenarios while also possessing the fastest verification speed. It can model and analyze large VPC networks with tens of thousands of components and millions of configuration rules in less than half an hour.

Wei LI,Xiaoxiao DI,Di WANG,Yunchun LI

DOI: https://doi.org/10.3969/j.issn.1671-1122.2018.02.001

2018-01-01

Abstract:With the accelerating variation of malicious code and its concealment from strength to strength, the network anomaly detection approach based on traffic features has higher false negatives, especially when the attacker confuses the traffic characteristics. In this paper, we propose a modeling method which establishes the directed graph model of a 4-layer tree structure in the order of local hosts, local ports, remote ports and remote hosts. This model reflects the relationships of end-hosts and the relationships among the processes in end-hosts. Based on this model, a subgraph model is established for the server's client behavior and server-side behavior respectively. Due to the long-term stability of server-side behavior in subgraph structure, this paper proposes a subgraph-based server network behavior anomaly detection algorithm SNBAD. The algorithm divides the server's network traffic into several data-windows and establishes the service subgraph models for each window respectively, and characterizes the communication features of each subgraph. The algorithm detects abnormal behavior by calculating the Jaccard similarity coefficient of the continuous data window. In this paper, the flow of host infected malicious code is mixed into the real network traffic data, and the SNBAD algorithm is verified. The experimental results show that the SNBAD algorithm can detect the abnormal of the server-side behavior of server effectively.

Mohammad Lotfollahi,Ramin Shirali Hossein Zade,Mahdi Jafari Siavoshani,Mohammdsadegh Saberian

DOI: https://doi.org/10.48550/arXiv.1709.02656

2018-07-04

Abstract:Internet traffic classification has become more important with rapid growth of current Internet network and online applications. There have been numerous studies on this topic which have led to many different approaches. Most of these approaches use predefined features extracted by an expert in order to classify network traffic. In contrast, in this study, we propose a \emph{deep learning} based approach which integrates both feature extraction and classification phases into one system. Our proposed scheme, called "Deep Packet," can handle both \emph{traffic characterization} in which the network traffic is categorized into major classes (\eg, FTP and P2P) and application identification in which end-user applications (\eg, BitTorrent and Skype) identification is desired. Contrary to most of the current methods, Deep Packet can identify encrypted traffic and also distinguishes between VPN and non-VPN network traffic. After an initial pre-processing phase on data, packets are fed into Deep Packet framework that embeds stacked autoencoder and convolution neural network in order to classify network traffic. Deep packet with CNN as its classification model achieved recall of $0.98$ in application identification task and $0.94$ in traffic categorization task. To the best of our knowledge, Deep Packet outperforms all of the proposed classification methods on UNB ISCX VPN-nonVPN dataset.

Machine Learning,Cryptography and Security,Networking and Internet Architecture

Guangli Wu,Xingyue Wang,Jing Zhang

DOI: https://doi.org/10.1016/j.cose.2024.103775

IF: 5.105

2024-02-24

Computers & Security

Abstract:P2P botnets are distributed with complex topology and communication behavior, making them harder to detect and remove. Individuals or organizations can effectively detect P2P botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting deterministic traffic interaction features, which are highly dependent on statistical features. Moreover, these methods are mainly aimed at generalized botnet detection and lack specificity for detecting P2P botnets. They ignore the topological information of P2P botnets, resulting in unsatisfactory detection accuracy. Among the few existing methods targeting P2P botnets, they consider the topological information but mainly rely on classical graph theory statistical features, such as degree, feature vector centrality, etc. This limits the generalization ability of the detection model. In this paper, we delve into the topological features of P2P botnets from the perspective of complex graph theory. We propose a P2P botnet detection method that combines representation learning and graph contrastive learning, dubbed PeerG. Specifically, we construct the communication graphs based on the flow interaction behavior between components of the P2P botnets. The Line algorithm is employed to embed the nodes of the communication graph into a low-dimensional representation vector space. Subsequently, the graph contrastive learning approach is utilized to optimize the feature extractor, enabling it to capture more representative node features. PeerG serves as a benchmark detection model for identifying P2P botnet nodes. Additionally, we devise two optimized contrastive detection strategies (PeerG-PreG and PeerG-PreF) based on graph-level and feature-level to boost the performance of PeerG. Extensive experiments demonstrate that PeerG brings significant improvements in detection accuracy over state-of-art detection methods. Furthermore, compared with PeerG, the detection strategies PeerG-PreG and PeerG-PreF have further improved detection performance, and achieve the best detection accuracy among multiple filtered P2P botnet types.

computer science, information systems

Qi-wei WU,Yong SHI,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1009-8054.2015.12.067

2015-01-01

Abstract:With the development of Internet and information security, there appears a new attack method:ATP (Advanced Persis￣tent Threat). At the last stage of APT, when wanting to steal sensitive data from victimized network, the attacker may use covert tun￣nel. Virtual private networks are point-to-point connections across a private or public network such as Internet. VPN has always been considered safe in the past few years, but in fact, it may also bring a lot of potential safety hazards. For example, the attacker may take advantage of virtual private network, and make it an APT covert tunnel for transmitting sensitive data. In view of such a double-edged sword, it is necessary to find a way for detecting malignant virtual private network and preventing the existence of APT covert tunnel.