Application layer DDoS detection using clustering analysis

Many methods were designed in previous literatures to protect systems from IP and TCP layers distributed denial of service attacks instead of the application layer. However, they will not work well any more when encountering with application layer distributed denial of service. We will introduce clustering method to analysis application layer ddos in this paper. To capture users' browsing behavior, we cluster users' sessions. We consider bots' browsing behavior as abnormally behavior. That is, different from normal human behavior. We first extract four features from session to cluster users sessions-average size of objects requested in the session, request rate, average popularity of all objects in the session, average transition probability. Then, we use large amount of legitimate request sequence to get normal user browsing behavior models. Finally, conduct simulation experiments with attack dataset to validate the models.