Web Application-Layer DDoS Attack Detection Based on Generalized Jaccard Similarity and Information Entropy.

With the rapid growth of the number of Web services, the application-layer DDoS attack problem has become increasingly serious. User behavior in the application-layer is often closely related to DDoS attacks, and the abnormal behavior of users can be analyzed to identify and discover DDoS attacks at an early stage. Firstly, the feature vectors describing user behavior are extracted by using information entropy, then the deviation degree between the feature vectors describing normal user behavior and current user behavior can be described by calculating the generalized Jaccard similarity of the feature vectors. If the deviation degree exceeds the threshold we set, it is determined that the current user behavior is abnormal. Based on the above detection process, we construct an application-layer DDoS attack detection system based on user behavior anomaly detection. Besides, we test the function and performance of the system by using the actual data set on the network. The test results indicate that the system can describe user behavior well and detect DDoS attack effectively.