Abstract

Distributed Denial of Service (DDoS) attacks have been one of the greatest threats to network security for years. In recent years, DDoS attackers have turned to the application layer, which causes DDoS detection systems based on the network layer and transport layer to lose their effectiveness. At the application layer, the Web service is the most vulnerable application. In this study, we analyze the differences between user behaviors: we extract two feature sequences from Web logs to represent the characteristics of user behavior, and then present an application layer DDoS attack detection system architecture based on these feature sequences. The architecture is divided into two parts, and we propose a detection method for each part. Specifically, we treat a user's request frequency sequence as a sparse vector and put forward a classification algorithm called sparse vector decomposition and rhythm matching (SVD-RM), which is based on sparse vector decomposition and rhythm matching. This algorithm fully considers the discrepancy in access behavior between different users. A clustering algorithm with labels, called L-Kmeans, is also proposed as the embedded classifier in SVD-RM. Finally, we simulate four kinds of prevalent application layer DDoS attacks and conduct experiments to verify the effectiveness of our methods. Experimental results show that the proposed methods distinguish well between legal users and attackers at the application layer.