Anomaly Detection for Application Layer User Browsing Behavior Based on Attributes and Features

Abstract

Application layer distributed denial of service (App-DDoS) attacks has posed a great threat to the security of the Internet. Since these attacks occur in the application layer, they can easily evade traditional network layer and transport layer detection methods. In this paper, we extract a group of user behavior attributes from our intercept program instead of web server logs and construct a behavior feature matrix based on nine user behavior features to characterize user behavior. Subsequently, principal component analysis (PCA) is applied to profile the user browsing behavior pattern in the feature matrix and outliers from the pattern are used to recognize normal users and attackers. Experiment results show that the proposed method is good to distinguish normal users and attackers. Finally, we implement three machine learning algorithms (K-means, DBSCAN and SVM) to further validate the effectiveness of the proposed attributes and features.