Detection Application Layer DDoS Attack Using Score Function for A connection

Research author
Dalia Nashat, S.Khairi and T. Ibrahim
Research abstract

The HTTP flooding attack is the hardest type of DDoS attack to detect, since the malicious packets are hidden in the huge amount of normal traffic. Most detection schemes available up to now use a similarity method over communication attributes (i.e. a fixed threshold for every attribute) or machine learning algorithms. It is notable, however, that the attribute values vary dramatically according to the users' activity. Also, machine learning needs a large amount of data for training. In this paper, we introduce a new detection scheme for HTTP flooding attacks that exhaust servers. The proposed detection scheme is based on the HTTP request/response protocol. During normal cases, any server can measure various statistical attributes for its users and their traffic. A server can keep these statistical attributes as a reference profile. During an attack, the server measures some attributes for every connection (i.e. request number, response number, number of unfinished connections, number of TCP packets, number of UDP packets and number of ICMP packets) and then computes the distance between those attributes and the statistical attributes from normal cases. The proposed detection scheme uses a small amount of data to specify the score for a normal connection, and it does not rely on a fixed threshold for every attribute in normal connections. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection rate, probability of false positives and average detection time.

Research journal
The Third International Conference on New Horizons in Basics and Applied Science [ICNHBAS], 5–7 August, Hurghada, Egypt
Research classification
3
Research year
2017