DocumentCode
3548072
Title
HTTP-sCAN: Detecting HTTP-flooding attaCk by modeling multi-features of web browsing behavior from noisy dataset
Author
Jin Wang ; Min Zhang ; Xiaolong Yang ; Keping Long ; Chimin Zhou
Author_Institution
Sch. of Comput & Commun. Eng., Univ. of Sci. & Technol., Beijing, China
fYear
2013
fDate
29-31 Aug. 2013
Firstpage
677
Lastpage
682
Abstract
An HTTP-flooding attack disables the victimized Web server by sending a large number of HTTP GET requests. Recent research tends to detect these attacks with anomaly-based approaches, which detect HTTP flooding by modeling the behavior of normal Web users. However, most existing anomaly-based detection approaches usually cannot filter out the Web-crawling traces of unknown search bots mixed into the normal Web browsing logs. These Web-crawling traces can bias the detection model in the training phase, thus further influencing the performance of the anomaly-based detection schemes. This paper proposes a novel anomaly-based HTTP-flooding detection scheme (HTTP-sCAN), which can eliminate the influence of the Web-crawling traces with the cluster algorithm. The simulation results show that HTTP-sCAN is immune to the interference of unknown search sessions and can detect all HTTP-flooding attacks.
Keywords
Internet; file servers; online front-ends; telecommunication security; transport protocols; HTTP get requests; HTTP-flooding attack; HTTP-sCAN; Web browsing behavior; Web crawling traces; anomaly-based detection; cluster algorithm; detection model; noisy dataset; normal Web browsing logs; normal Web users; training phase; unknown search bots; victimized Web server; Analytical models; Cluster algorithm; DDoS; IP network; Relative Entropy;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications (APCC), 2013 19th Asia-Pacific Conference on
Conference_Location
Denpasar
Print_ISBN
978-1-4673-6048-7
Type
conf
DOI
10.1109/APCC.2013.6766035
Filename
6766035