HTTP-sCAN: Detecting HTTP-Flooding Attack by Modeling Multi-Features of Web Browsing Behavior from Noisy Web-Logs

HTTP-flooding attack disables the victimized web server by sending a large number of HTTP Get requests. Recent research tends to detect HTTP-flooding with the anomaly-based approaches, which detect the HTTP-flooding by modeling the behavior of normal web surfers. However, most of the existing anomaly-based detection approaches usually cannot filter the web-crawling traces from unknown searching bots mixed in normal web browsing logs. These web-crawling traces can bias the base-line profile of anomaly-based schemes in their training phase, and further degrade their detection performance. This paper proposes a novel web-crawling traces-tolerated method to build baseline profile, and designs a new anomaly-based HTTP-flooding detection scheme (abbr. HTTP-sCAN). The simulation results show that HTTP-sCAN is immune to the interferences of unknown web-crawling traces, and can detect all HTTP-flooding attacks.