HTTP-sCAN: detecting HTTP-flooding attaCk by modeling multi-feAtures of web browsing behavior from Noisy dataset
Cited by: 0
Authors:
Wang, Jin [1,2]
Zhang, Min [1]
Yang, Xiaolong [1]
Long, Keping [1]
Zhou, Chimin [3]
Affiliations:
[1] Uni Sci & Technol Beijing, Sch Comp & Commun Engn, Beijing, Peoples R China
[2] Chengdu Univ, Network Ctr, Chengdu 610106, Peoples R China
[3] Sichuan Radio & TV Univ, Ctr Informat Technol, Chengdu 610073, Peoples R China
Funding:
National Natural Science Foundation of China;
Keywords:
IP network;
DDoS;
Relative Entropy;
Cluster algorithm;
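DOI:
Not available
Chinese Library Classification:
TN [Electronic technology, communication technology];
Discipline classification code:
0809;
Abstract: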
An HTTP-flooding attack disables the victimized web server by sending a large number of HTTP GET requests. Recent research tends to detect the attacks with anomaly-based approaches, which detect HTTP flooding by modeling the behavior of normal web users. However, most of the existing anomaly-based detection approaches usually cannot filter the web-crawling traces of unknown search bots mixed in the normal web browsing logs. These web-crawling traces can bias the detection model in the training phase, thus further influencing the performance of the anomaly-based detection schemes. This paper proposes a novel anomaly-based HTTP-flooding detection scheme (HTTP-sCAN), which can eliminate the influence of the web-crawling traces with the cluster algorithm. The simulation results show that HTTP-sCAN is immune to the interference of unknown search sessions, and can detect all HTTP-flooding attacks.
Pages: 677 / 682
Page count: 6