This paper focuses on a new type of sneaky HTTP attack that has no obvious anomaly characteristics. A new lightweight anomaly detection scheme is introduced for large-scale Web sites, whose workload is much heavier and burstier than that of general Web sites. Based on the stack distance values of HTTP requests, an improved event-driven hidden semi-Markov model is applied to describe the stochastic process of HTTP traffic. The normalized Viterbi score of how well an incoming HTTP request sequence fits the given model is used as the measurement criterion. Experiments based on real Web traffic and an emulated attack are conducted to validate the proposal.
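The stack distance values mentioned above can be computed as follows. This is an added example, not code from the paper: it assumes the classic LRU stack distance definition, and the function name, the `None` marker for first references and the sample URLs are constructed for illustration.

```python
from typing import Hashable, Iterable, List, Optional


def stack_distances(requests: Iterable[Hashable]) -> List[Optional[int]]:
    """Return the LRU stack distance of each request in order.

    Assumed definition (classic LRU stack model): the distance is the depth
    (1 = top) at which the requested object sits in an LRU stack just before
    the request. None marks a first reference, i.e. the object is not yet in
    the stack. After each request the object is moved to the top.
    """
    stack: List[Hashable] = []  # index 0 is the most recently requested object
    distances: List[Optional[int]] = []
    for obj in requests:
        if obj in stack:
            depth = stack.index(obj)
            distances.append(depth + 1)
            stack.pop(depth)
        else:
            distances.append(None)
        stack.insert(0, obj)
    return distances


# Constructed sample: a short sequence of requested URLs (not real traffic).
SAMPLE_URLS = [
    "/index.html",
    "/style.css",
    "/index.html",
    "/news/1",
    "/style.css",
    "/index.html",
    "/index.html",
]

if __name__ == "__main__":
    # Each value is one observation in the sequence a traffic model would score.
    for url, dist in zip(SAMPLE_URLS, stack_distances(SAMPLE_URLS)):
        print(f"{url:12s} {dist}")
```

Frequently re-requested objects yield small distances, while requests for rarely touched objects yield large ones, which is why the resulting sequence reflects the locality of normal traffic.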