VPNSniffer: Identifying VPN Servers Through Graph-Represented Behaviors

Published: 23 Jan 2024, Last Modified: 23 May 2024, TheWebConf24
Keywords: VPN Detection, Active Probing, Node Classification
Abstract: Identifying VPN servers is a crucial task in various situations, such as geo-fraud detection, bot traffic analysis and network attack identification. Although numerous studies that focus on network traffic detection have achieved excellent performance in closed-world scenarios, particularly those based on deep learning, they may exhibit significant performance degradation due to changes in the network environment. To mitigate this issue, a few studies have attempted to use methods based on active probing to detect VPN servers. However, these methods still have some limitations. They cannot handle situations where probing responses are absent, and they lack generalization due to their focus on specific VPNs. In this work, we propose VPNSniffer, which utilizes graph-represented behaviors to detect VPN servers in real-world scenarios. VPNSniffer outperforms existing methods on four offline datasets. The results based on our datasets, which contain multiple different VPNs, also indicate that VPNSniffer has better generalization. Furthermore, we deploy VPNSniffer in an Internet Service Provider's (ISP) environment to evaluate its effectiveness. The results show that VPNSniffer can improve the coverage of sophisticated detection engines and serve as a complement to existing methods.
Track: Security
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: Yes
Submission Number: 1393