With the rapid developments of information technology,various industries become much more dependent on networks.Driven by economic interests and the game between countries reflected by growing cyberspace confrontations,evasive network attacks on information infrastructures with high-tech,high concealment and longterm sustainability become severe threats to national security.In this paper,we propose a novel two-phased method for the detection of evasive network attacks which exploit or pretend to be common legal encryption services in order to escape security inspection.Malicious communications which camouflage themselves as legal encryption application are identified in the SSL’session structure verification phase firstly,and then by serverside X.509 certificate based anomaly detection,suspicious attack behaviors are further distinguished effectively.Experiment results show that our method is very useful for detecting the network activities of certain unknown threats or new malwares.Besides,the proposed method can be applied to other similar services easily. With the rapid developments of information technology, various industries become much more dependent on networks. Driving under economic interests and the game between countries reflected by growing cyberspace confrontations, evasive network attacks on information infrastructures with high-tech, high concealment and longterm sustainability become severe threats to national security.In this paper, we propose a novel two-phased method for the detection of evasive network attacks which exploit or pretend to be common legal encryption services in order to escape security inspection. Malicious communications which camouflage themselves as legal encryption application are identified in the SSL session mechanism verification phase first, and then by serverside X.509 certificate based anomaly detection, suspicious attack behaviors are further distinguished effectively. Trial results show that our method is very useful for detecting the network activities of yet or new malwares.Be sides, the proposed method can be applied to other similar services easily.