Detecting Application-layer Attacks Based on User's Application-layer Behaviors

This paper presents an application-layer attack detection method based on user's application-layer behaviors. In this method, the keywords of an application-layer protocol and their inter-arrival times are used as the observations, a hidden semi-Markov model is used to describe the application-layer behaviors of a normal user who is using the application-layer protocol. This method is also based anomaly detection. In theory, application-layer anomaly detection can identify the known, unknown and novel attacks happened on application-layer. The experimental results show that this method can identify several application-layer attacks, and has high detection accuracy and low false positive ratio.