Review of Recent Detection Methods for HTTP DDoS Attack

With the growing dependency on web technology, a commensurate increase has been noted in destructive attempts to disrupt essential web technologies, leading to service failures. Web servers that run on Hypertext Transfer Protocol (HTTP) are exposed to denial-of-service (DoS) attacks. A sophisticated version of this attack, known as distributed denial of service (DDoS), is among the most dangerous Internet attacks, with the ability to overwhelm a web server, thereby slowing it down and potentially taking it down completely. This paper reviews 12 recent methods for detecting DDoS attacks at the application layer, published between January 2014 and December 2018. Each detection method is summarised in table view, along with an in-depth critical analysis, to support future research on the detection of HTTP DDoS attacks.


Introduction
A second-quarter security report produced by Kaspersky [1] indicated that DDoS attacks originated from 86 nations, with attack durations of up to 122 hours. The report showed an increase in HTTP DDoS attacks from 8.43% to 9.38%. Johnson Singh et al. [2] claimed that a 540 Gbps DDoS attack occurred on 31st August 2016 against a federal government official website of Rio Olympic 2016 and the Ministry of Brazilian Sport. Based on the report produced by Arbor Networks (Worldwide Infrastructure Security Report (No. XII), 2017) [3], published in Q1 of 2017, the application layer was the most targeted, wherein 80% of the attacks targeted HTTP and 81% targeted the Domain Name System (DNS).
Meng et al. [4] explained that DDoS attacks at the application layer are complex to detect, because such attacks may be able to mimic a legal request with the purpose of using the system resources. A web server uses the HTTP and Hypertext Transfer Protocol Secure (HTTPS) protocols to process requests from users. These protocols are widely used commercially to operate business routines among banks, credit card payment gateways, government web servers, online shopping servers, social media servers, and broadcasting servers, to name a few. The consequence of a DDoS attack against a web server is monetary loss and loss of trust amongst people [5]. Najafabadi et al. [6] explained that the HTTP protocol is designed around request and response, so as to allow communication to take place between client and web server.
This paper presents the recent detection methods for DDoS attacks at the application layer and highlights several recommendations for future research. To the best of the authors' knowledge, no recent review has been produced regarding this topic. The rest of the paper is organised as follows: Section 2 describes DDoS attacks at the application layer. Section 3 explains the types of DDoS attacks at the application layer. Section 4 lists attack strategies performed by the attacker. Section 5 elaborates on web server architecture. Section 6 presents four defence techniques against DDoS. Section 7 depicts the recent detection methods for DDoS attacks. Section 8 provides a critical analysis of the current detection methods, and lastly, the paper is concluded in Section 9.

DDoS Attack at Application Layers
DDoS attacks launched at the application layer are challenging to detect as the request packet appears similar to a normal request packet [5, 7, 8]. Configuration and functions related to the application may lead to DDoS attacks at the application layer [9], and this attack may exhaust resources, such as network bandwidth, CPU processing, and memory [10]. Jin et al. [11] explained that HTTP DDoS attacks occur when legitimate HTTP requests are initiated in large numbers.
DDoS attacks launched at the application layer require lower bandwidth to prevent legitimate users from surfing a web server, apart from mimicking traffic close to the authentic traffic [12]. The three factors that make DDoS detection difficult at the application layer are as follows [13]: (1) obscurity, HTTP protocol uses Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections to run its operation, hence the intricacy of differentiating legitimate from illegitimate traffic; (2) efficiency, an HTTP DDoS attack requires only a few connections to initiate; and (3) lethality, the capability of the attack to overwhelm a web server immediately, thus resulting in service breakdown regardless of the type of hardware and its performance.
Protocol weaknesses at the application layer allow cyber intruders to exploit and execute malicious activities via HTTP, File Transfer Protocol (FTP), and telnet, among others [13]. A DDoS attack at the application layer focuses on sending large amounts of GET requests to a web server, and detection of this attack becomes more complicated when a flash crowd is involved. A flash crowd refers to the increasing number of legitimate HTTP GET requests received by a web server due to events such as result announcements, new product launches, and breaking news [14]. Iyengar and Ganapathy [15] mentioned that flash crowds occur when plenty of authentic concurrent incoming connections are received by a web server in a short period of time. Ni et al. [10] explained that HTTP DDoS attacks occur due to a higher request rate by a small group, while a flash crowd increases the number of clients.
The source of DDoS is distributed as it is derived from various locations, including botnet participation to generate plenty of traffic against a server. Zargar et al. [12] explained the use of botnets in HTTP communication, which makes it challenging to track the botnet structure called command and control. A botnet built on the HTTP protocol dispenses with a command-and-control server of the kind used by IRC-based botnets, since a web-based bot receives instructions periodically during a web request. Web-based botnets are stealthier as they can hide within authentic traffic. Botnets launched at the application layer are of two types: botnets that are controlled and configured by a complicated Personal Home Page (PHP) script via the HTTP or HTTPS protocol, and web-based botnets that operate to report website statistics [16]. Kolias et al. [17] explained, in the light of the Internet of Things (IoT), that the popularity of IoT makes the devices a great tool to launch cyberattacks. An IoT device is constantly connected to the Internet with a naive security level, and these devices are vulnerable to botnets and thus may generate a vast amount of DDoS attack traffic.
The largest DDoS attack reported generated 1.2 TBps after using IoT devices, such as printer and camera home router, to launch the attack [18]. The existence of DDoS as a service, such as booters or stressers, simplifies the execution of the attack [19]. Besides, HTTP DDoS tools available for download without cost also contribute to cyberattacks.

Types of DDOS Attack at Application Layer
Many studies (see [12, 13, 20-22]) have analysed the DDoS attack at the application layer based on the following categories.

Session Flooding Attack.
Resources of a server become exhausted when session request rates get higher than those of valid users. This malicious activity may result in a DDoS flooding attack, for instance, an HTTP GET/POST flooding attack. In executing this attack, an attacker requires a large number of authentic HTTP requests, and typically a botnet is used for its ability to generate valid requests, commonly exceeding 10 requests in a second. This attack only requires a botnet to successfully initiate an attack.

Request Flooding Attack.
This attack occurs when an attacker initiates a vast number of requests in one session. The number of requests is larger than that of a valid user. The HTTP GET/POST session is an instance of attack in this category that takes advantage of an HTTP 1.1 feature, which allows more than one request within a single HTTP session.
The structure of HTTP 1.1 allows the attacker to limit the HTTP session rate. The use of HTTP 1.1 also allows the attacker to bypass the session-rate defence mechanisms of a number of security systems. Rai and Challa [23] claimed that a botnet is used for this attack. The botnet is designed to have a command-and-control structure that allows cyber intruders to issue a command to botnet machines. The impacted machines are known as a botnet and are listed in the command-and-control server, as it gives instructions to the botnet to launch an HTTP GET flood.
This attack can exhaust server resources as the botnet sends plenty of HTTP GET flood requests to a server.

Asymmetric Attack.
Cyber intruders use HTTP sessions that contain a high workload of requests, which is generated by downloading huge files or running excessive queries against a database server.

Slow Request/Response Attack.
An attacker sends a high workload of requests to initiate an attack in the form of a session. The consequence of this attack is inaccessibility of the server, as the attacker sends partial HTTP requests that grow quickly and repeatedly, update slowly, and never close. This continuous attack fills the available sockets of the server with these requests. Another example of this attack is HTTP fragmentation, where the HTTP connection is held for some time to bring down the server. Rai and Challa [23] asserted that the attack operates under a threshold limit to confuse the victim with malicious traffic that resembles legitimate traffic. The Slowloris attack is an example from this attack category, and it works by sending a large number of simultaneous HTTP requests, be it GET or POST, to a server. The server will continuously open separate connections as each HTTP request fails to complete its connection. As a consequence, this attack denies users a connection to the server, as the server's concurrent connections are exhausted.
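Why an idle timeout alone does not free the sockets held by the partial requests described above, as an added example that is not code from the paper: connections that keep trickling header bytes never look idle, while an absolute deadline for completing the request headers catches them. The record fields, timeout values, pool size and connection records are assumptions constructed for illustration.

```python
from collections import Counter


def stalled_connections(conns, now, idle_timeout=15.0, header_deadline=10.0):
    """Compare two server-side policies on connections with incomplete headers.

    conns: list of dicts with src, opened_at, last_byte_at, headers_complete.
    idle_timeout: close when no byte has arrived for this many seconds.
    header_deadline: close when the request headers are still incomplete this
        many seconds after the connection opened, however recent the last byte.
    Returns (closed_by_idle, closed_by_deadline).
    """
    pending = [c for c in conns if not c["headers_complete"]]
    by_idle = [c for c in pending if now - c["last_byte_at"] > idle_timeout]
    by_deadline = [c for c in pending if now - c["opened_at"] > header_deadline]
    return by_idle, by_deadline


def slow_request_report(conns, now, pool_size, per_source_limit=5):
    """Summarise how much of the connection pool is held by stalled requests."""
    by_idle, by_deadline = stalled_connections(conns, now)
    per_src = Counter(c["src"] for c in by_deadline)
    return {
        "caught_by_idle_timeout": len(by_idle),
        "caught_by_header_deadline": len(by_deadline),
        "pool_share_held": len(by_deadline) / pool_size,
        "flagged_sources": {s: n for s, n in per_src.items()
                            if n >= per_source_limit},
    }


def constructed_connections(now=100.0):
    """Constructed sample of open connections on a server with 20 slots."""
    conns = []
    # Three ordinary clients: full request received right after connecting.
    for i in range(3):
        conns.append({"src": f"192.0.2.{i}", "opened_at": now - 1.0,
                      "last_byte_at": now - 0.8, "headers_complete": True})
    # A slow but legitimate client: headers still arriving after 2 s.
    conns.append({"src": "192.0.2.50", "opened_at": now - 2.0,
                  "last_byte_at": now - 0.5, "headers_complete": False})
    # One source holding 12 connections open for 30-41 s, each receiving a
    # header byte every few seconds so that none of them ever looks idle.
    for j in range(12):
        conns.append({"src": "203.0.113.7", "opened_at": now - 30.0 - j,
                      "last_byte_at": now - 3.0, "headers_complete": False})
    return conns


if __name__ == "__main__":
    print(slow_request_report(constructed_connections(), now=100.0, pool_size=20))
```

The legitimate slow client stays below the header deadline and is not counted, which is the margin a deployment has to tune against its real client population.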

DDOS Attack Strategies at Application Layer
Singh et al. [9] categorised HTTP DDoS attacks into several subclasses, as follows.

4.1. Server Load.
The attacker uses a botnet to continuously and aggressively send malicious requests against a web server, hence causing the server to drop legitimate requests as the web server resources run out.

Increasing.
The attacker uses a low request value to initiate the attack and slowly raises the value. This attack behaviour is difficult to detect as the malicious HTTP traffic does not send requests aggressively to the server during the attack.

Constant.
Cyber intruders specify a request rate to be sent to the victim HTTP web server. The request number is called constant as it stays the same while the botnet sends malicious requests to the web server.

Target Web Page.
An HTTP DDoS attack occurs at single and multiple web pages, where the attacker imitates the access pattern of legitimate users to deceive attack detection. The web pages are accessed by botnets that mimic the human access pattern.

Single Web Pages Attack.
The attacker targets a single web page that belongs to a website. The botnet continuously sends malicious HTTP requests to the web server.

Main Page Attack.
Cyber intruders specifically focus on the main page of the website to deny access to legitimate users. The botnet is used to repeatedly send malicious requests to the HTTP server. The impact of this attack only occurs on the main page of the website, while the subpages of the website are not affected.

Dominant Page Attack.
Cyber intruders figure out which web pages are sought by legitimate users. The attacker then focuses on those pages to execute HTTP DDoS attacks in order to prevent legitimate users from accessing the web pages of greater interest. This attack only affects web pages of greater interest to users.

Multiple Page Attack.
A cyber attacker initiates the attack at multiple web pages of a website. This technique avoids detection as the malicious HTTP requests imitate a human access pattern. For instance, a human will open more than one web page to find information while surfing a website. During this attack, pages that exist in the website will not be accessible as the attacker targets multiple web pages.

Reply Flood Attack.
The botnet commanded by the attacker sends HTTP traffic at an inflated rate to consume the resources of the web server and prevent it from serving legitimate HTTP requests. The attack works by imitating the human access pattern to prevent the detection system from blocking the malicious requests.

Rare Change Page Attack.
The common structure of a web system groups pages into specific groups to make the page content more structured and user-friendly. Since the web pages are arranged in groups, the attacker may compromise a page group by directing the botnet at those web pages. Because the web pages are designed in groups, the page group becomes the target. This attack prevents a user from opening a web page that belongs to a specific group.

Frequent Changes Attack.
An attacker attacks web pages that belong to different categories. This attack rotates the malicious requests across distinct web page categories. This attack only affects specific categories of the website, as other web pages are still accessible during the attack.

4.12. Hot Pages Attack.
Each web-based system has frequently opened pages. Hence, cyber intruders attack the most visited pages to prevent legitimate users from accessing them, as the main objective of the DDoS attack is to keep users from opening the pages.

Web Proxy Attack.
The attacker uses a proxy server as a mediator to generate attack traffic. The use of a proxy server to generate attack traffic makes it difficult to detect the source of the attack. Multiple proxy servers are used to generate plenty of HTTP requests to overwhelm the web server.

Web Server Architecture
Clients' requests for online services initiate an HTTP GET request to a server. Prior to this, a TCP connection must be established before a client can successfully obtain a response from a web server. Singh et al. [9] listed the processes involved in HTTP GET requests. First, a web server listens for an incoming connection, including the TCP connection, as this connection must be established prior to other stages. Second, the socket queue is responsible for holding the entire HTTP GET request until a dedicated thread is assigned to serve the request. Third, the request queue is accountable for processing and responding to individual requests. Upon completing these processes, the web server sends an HTTP response. During HTTP GET flood attacks, the request queue becomes full immediately, thus dropping the incoming requests sent by authentic users. Figure 1 illustrates the typical architecture of a web server during HTTP GET request and response.
A web server does not perform filtering to determine if an HTTP GET request is genuine or fake [9]. During an HTTP GET flood attack, a web server will continuously receive and process the requests as it assumes they are from authentic sources. The continuity of such requests at a higher rate will collapse a web server as it is unable to process valid HTTP GET requests. Beitollahi and Deconinck [24] and Sree and Bhanu [25] mentioned that an HTTP GET flood attack can stress bandwidth and outbound traffic, memory, CPU cycles, and input and output devices.

HTTP DDoS Detection
There are several phases involved in defending against DDoS attacks, and prior studies [20, 26] explained the four phases involved as follows.

Prevention.
The prevention phase focuses on protecting a system against an attack by applying appropriate security appliances at varied places. Besides that, prevention also protects server resources and ensures that online services are ready to serve the genuine client. DDoS attacks launched through automated tools allow several programs to access certain web pages without human intervention. A possible prevention against this type of attack through website design is to allow only the authentic user to access web server services and resources. Web design should be efficient so that it cannot be delayed by the attacker.

Mitigation.
The mitigation phase is applied when an attack occurs, and a suitable security countermeasure is executed to handle the attack or to slow it down. A mitigation technique operates by stopping the attack. DDoS mitigation is considered better when the attack traffic recognised as normal is minimal, which is also known as false positive rate. Apart from that, a mitigation technique is supposed to block the source IP address of the illegitimate traffic that generates the attack; this process will directly guarantee that authentic clients are able to access the web service.

Detection.
The detection phase requires analysis of the running system to discover malicious traffic that leads to a DDoS attack. Detection involves a sophisticated approach to identify large illegal GET request traffic against a web server. The techniques most often applied to form DDoS detection are pattern matching, clustering, statistical methods, deviation analysis, associations, and correlation. Detection usually employs historical data as the main source of training data to generate a threshold, which is assigned to a parameter via a specific method to count the GET requests received. The false positive rate refers to incorrect classification of attack traffic predicted as genuine, and effective DDoS detection generates a minimal false positive rate.

Monitoring.
As for the monitoring phase, necessary information about a host or network is obtained by using tools such as network monitoring software. Monitoring is conducted in real time as it is compulsory for detection of DDoS attacks. The process of monitoring becomes complicated when the attacker utilises a botnet that is situated at multiple locations around the world to launch a DDoS attack at a minimal rate. According to [27], dynamic monitoring is required in order to constitute defences against attacks. Figure 2 presents the graphical view of the defence life cycle.

Recent Detection Methods for HTTP DDoS Attack
This section focuses on the recent HTTP DDoS detection techniques proposed and applied over the past five years, based on published work.
Hameed and Ali [19] introduced a framework called HADEC to detect live high-rate DDoS attacks that occur at the network and application layers, such as TCP-SYN, HTTP GET, UDP, and ICMP. The framework is composed of two main components: a detection server and a capture server. Live DDoS detection begins with the capture server, which is responsible for capturing live network traffic and transferring the log. The detection calculates incoming packets for UDP, ICMP, and HTTP to detect an attack if the source connection exceeds the predefined threshold. The proposed detection provides a low-cost solution for financial institutions, as well as small and medium companies.
Behal et al. [28] proposed a detection method called D-FACE to detect four traffic types: legitimate user, low-rate, high-rate, and flash event traffic. The detection employs the entropy difference from the normal traffic flow, while the value of the source IP entropy is the detection matrix to reckon the attack. The detection begins with extraction of the related header, which classifies the network traffic into unique network flows. Segregation of low-rate, high-rate, and flash event traffic is done by comparing the current incoming traffic rate in each time window and is based on the traffic information value.
Singh et al. [29] introduced a method that detects HTTP DDoS attacks via a machine-learning approach to distinguish botnets from legitimate users in detecting attack traffic, authentic traffic, and flash traffic. The proposed system is deployed as a proxy and inspects user behaviour instead of monitoring the entire traffic. The proposed work detects the botnet source and examines user behaviour to detect malicious requests against the web server.
Sreeram and Vuppala [30] proposed a machine-learning matrix with a bio-inspired bat algorithm to allow fast and early detection of HTTP DDoS attacks. The work incorporated time intervals, instead of user sessions, and packet patterns to generate a detection algorithm. The time interval uses the machine-learning matrix by assigning a value of maximum sessions for one time interval and computing the number of sessions in one time interval to detect DDoS attacks at the application layer. The matrix also accounts for two pages of HTTP GET requests. The frequency of a web page accessed by users and the time gap between the first page request and the second page are determined to monitor user behaviour.
Aborujilah and Musa [31] introduced cloud-based detection of HTTP DDoS by using a statistical approach with the covariance matrix. The detection introduced two algorithms, known as training and testing, to recognise different types of HTTP flooding attack based on attack behaviour. The training algorithm was used to construct normal patterns of network traffic, and the testing algorithm was used to determine the types of traffic received. The outcomes obtained from this research were evaluated by using the confusion matrix to measure detection performance and provide results for internal and external cloud environments.
Singh and De [32] employed a multilayer perceptron with a genetic algorithm (MLP-GA) to detect HTTP DDoS attacks. The proposed detection utilised four parameters to generate detection at the application layer. A normal user has a specific time interval, as an authentic user searches and reads when accessing a web page and when moving to other pages. The detection technique suggested by the researchers counts the number of HTTP GET requests received by the web server and calculates the number of IP addresses targeting the server over 20 seconds. The proposed detection also inspects the port number used by HTTP DDoS, as the ports used by HTTP DDoS attackers are varied and remain open. The detection method employed a fixed frame length to conduct detection, as according to these researchers, HTTP DDoS attackers employ static protocol lengths.
Hoque et al. [33] proposed a method for detection of DDoS at the application layer in real time at the victim end. The proposed work utilised software and hardware adopted from the framework created to distinguish normal from fake traffic in real time. The three main components incorporated into the framework were a preprocessor, a hardware module, and a security manager, which processed source IPs, source IP index variation, and packet rate to detect the attack.
Johnson Singh et al. [2] introduced a detection scheme to reckon high and low rates of DDoS attack. The detection was performed by computing the number of HTTP GET requests, entropy, and variance for each connection. The HTTP GET requests were counted within a 20 s time window.
Liao et al. [34] proposed a detection technique based on user access frequencies, specifically focusing on request time interval and request frequency to detect DDoS attacks at the application layer. The time interval refers to the time between the present and the next HTTP GET requests. The time interval for a standard user may be larger when compared to that of an attacker, as a normal user will spend more time browsing interesting pages. For instance, the time interval for normal browsing is 246 seconds for the first page and around 572 seconds to open the next page. However, in the case of DDoS attacks, the time interval between the present and subsequent requests is shorter.
Shiaeles and Papadaki [35] introduced multilayer IP spoofing detection to detect application layer DDoS attacks against the web server. The proposed detection method is called fuzzy hybrid spoofing detection (FHSD) and used source MAC address, hop count, geographical location of the IP address, operating system (OS) passive fingerprinting, and web browser user agents. In order to decrease false positives and false negatives, cross inspection was performed via OS passive fingerprinting and HTTP user agents. Passive OS fingerprinting and HTTP user agents were used to confirm the name of the OS used by a client. The proposed work also detects botnets in a local network using MAC address and IP pairing. The limitation of the proposed work is that the database that stores the required information has to be updated daily for better results.
Wang et al. [36] proposed a detection technique for HTTP flooding attacks based on web browsing clicks called HTTP soldier. It displayed the ability to distinguish a normal user from a malicious one through the use of large-deviation probability. The technique relied highly on web page popularity to detect HTTP flood attacks. The operation of HTTP soldier used a predefined threshold to be compared with the large-deviation probability. The large-deviation probability may affect some normal users. The researchers clearly mentioned that a single URL attack was difficult to detect by using their technique. This study employed simulation software to evaluate the proposed detection and only measured false-positive rate.
Nam and Djuraev [37] proposed a detection technique based on the workload of the source node. This technique used multiple levels to protect a web server. The first layer allowed or rejected a received connection by checking the source IP address against the whitelist. The registered IP addresses were allowed to establish a connection with web servers to obtain service, while the connections of nonregistered IP addresses were dropped. The allowed IP addresses were inspected, and if they behaved maliciously, the connection would be dropped, and the IP addresses would be blacklisted. The researchers stressed that their work has a limitation when legitimate users access a server for streaming services or when downloading a huge file, as this can lead to false positives. The result of this study sheds light on server response time. The outcome shows that the proposed defence system detects DDoS attacks after 90 seconds and the server response time goes back to normal upon detection of the attack.
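The traffic features that recur in the methods above, as an added example that is not code from the paper or from any of the reviewed systems: GET requests are counted per 20-second window as reported for [2] and [32], source-IP entropy and per-source variance are computed per window, and a surge is labelled flash crowd or attack using the distinction attributed to Ni et al. [10]. The thresholds, function names and log lines are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

WINDOW = 20  # seconds; window length reported for [2] and [32]


def window_features(requests, window=WINDOW):
    """requests: iterable of (timestamp_s, source_ip, method) tuples.
    Returns {window_index: features} computed over GET requests only."""
    per_window = defaultdict(Counter)
    for ts, src, method in requests:
        if method == "GET":
            per_window[int(ts // window)][src] += 1
    feats = {}
    for idx, per_src in sorted(per_window.items()):
        counts = list(per_src.values())
        total, n_src = sum(counts), len(counts)
        mean = total / n_src
        entropy = -sum(c / total * math.log2(c / total) for c in counts)
        feats[idx] = {
            "gets": total,
            "sources": n_src,
            "mean_per_source": mean,
            "variance": sum((c - mean) ** 2 for c in counts) / n_src,
            "entropy": entropy,
            # 1.0 means requests are spread evenly over all sources
            "entropy_norm": entropy / math.log2(n_src) if n_src > 1 else 0.0,
        }
    return feats


def classify(feats, baseline_idx=0, surge=3.0, rate=3.0, entropy_drop=0.2):
    """Label each window against a known-good baseline window.
    surge, rate and entropy_drop are illustrative thresholds (assumptions)."""
    base = feats[baseline_idx]
    labels = {}
    for idx, f in feats.items():
        if f["gets"] <= surge * base["gets"]:
            labels[idx] = "normal"
        elif (f["mean_per_source"] > rate * base["mean_per_source"]
              or base["entropy_norm"] - f["entropy_norm"] > entropy_drop):
            # a small group of sources, each far busier than a baseline client
            labels[idx] = "attack"
        else:
            # many more clients, each behaving like a baseline client
            labels[idx] = "flash crowd"
    return labels


def constructed_log():
    """Constructed sample: three consecutive 20 s windows of requests."""
    log = []
    for i in range(10):   # window 0: 10 clients, 3 GETs each
        log += [(i * 0.5 + k * 6, f"192.0.2.{i}", "GET") for k in range(3)]
    for i in range(60):   # window 1: 60 clients, 3 GETs each
        log += [(20 + i * 0.1 + k * 6, f"198.51.100.{i}", "GET")
                for k in range(3)]
    for i in range(10):   # window 2: the 10 baseline clients ...
        log += [(40 + i * 0.5 + k * 6, f"192.0.2.{i}", "GET") for k in range(3)]
    for b in range(2):    # ... plus 2 sources sending 150 GETs each
        log += [(40 + j * 0.13, f"203.0.113.{b}", "GET") for j in range(150)]
    return log


if __name__ == "__main__":
    features = window_features(constructed_log())
    for idx, label in classify(features).items():
        f = features[idx]
        print(idx, label, f["gets"], f["sources"], round(f["entropy_norm"], 2))
```

A botnet that spreads its requests evenly over many sources at a low per-source rate keeps the normalised entropy high and would be labelled a flash crowd by this rule, which is the detection difficulty the reviewed methods try to address with additional behavioural features.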

Critical Analysis
8.1. Results.
Based on the results reported by each author, only Sreeram and Vuppala [30] evaluated their proposed solution by using a complete matrix of detection (e.g., true positive, true negative, false positive, false negative, precision, recall, specificity, and accuracy). This review found that Aborujilah and Musa [31] and Singh and De [32] only employed a true and false detection matrix to assess their proposed methods. Meanwhile, the other studies were inconsistent: some evaluated detection rate, false positive, and accuracy but failed to provide a full detection matrix, as explained above. This constraint must be avoided to ensure that the proposed work is ready to be deployed in a production environment, apart from having the ability to work precisely in detecting all attack scenarios.
A complete detection matrix allows future research to improve detection performance; hence, a full detection matrix should be produced and shared publicly. Implementation of the confusion matrix that measures detection performance is the best option as this matrix has a wide range of detection measurements. The matrix has also been utilised by many researchers [38-45].

Dataset.
The experiment datasets utilised by prior scholars were mixed, while some relied only on one dataset [30, 36, 37]. The use of only one dataset as reference (e.g., benchmark and analysis) seems insufficient as HTTP DDoS attack patterns are varied. Further analysis showed that other studies [2, 28, 29, 31-35] took into account more than one dataset. Nevertheless, the datasets used were obsolete for comparison and analysis. Critical inspection of the researchers who employed more than one dataset showed that they also executed their own experiments to obtain a dataset. Old datasets should be avoided as they contain obsolete and meaningless data [9], while retrieving a real cutting-edge attack dataset is challenging as such datasets are unavailable publicly [46].

8.3. Self-Generate Dataset.
Future direction for detection of HTTP DDoS attacks should focus on self-generated datasets produced with real HTTP tools. The actual tools are available for download and can be used for multiple purposes, such as investigating and evaluating a proposed work. The self-generated dataset is a solution that can be deployed by future research to resolve the issues of old datasets and datasets that are not publicly shared.

Evaluation Method.
This review also found that a few researchers evaluated their proposed work by using simulation software [30-32, 36]. On the other hand, some [2, 19, 28, 33-35] performed real experiments to evaluate their outcomes, and only one study [37] assessed its work by using both simulation software and experimental work.
A proposed work should be evaluated by considering a wide range of network architectures and the potential attack strategies that may be utilised by an attacker. Good evidence for this statement comes from Singh et al. [9], who mentioned that network address translation (NAT) and web proxies led to complexity and could result in incorrect detection outcomes. The evaluation of a proposed work should weigh in a wide range of network designs, along with lists of potential attack strategies, so as to ensure that the proposed detection method has the ability to work outside the academic world and not merely for education purposes. Singh et al. [9] outlined a list of approaches used by attackers to launch DDoS against web pages of online services, which may serve as reference for future research. In order to achieve this goal, several challenging factors must be faced, such as time constraints, knowledge about network and security, hardware and software to purchase, and viable configuration.

Detection Method for Future Work.
Future research studies should focus on providing solutions that are practical for implementation in the actual environment, apart from using real HTTP DDoS tools when evaluating their proposed detection techniques, so as to offer benefits to both parties, academic and industry. This is because a proposed detection method should not only work to achieve an academic target but also offer an option for worldwide cyber security in detecting HTTP DDoS attacks.
The proposed solutions to DDoS are of academic interest, and only some have been implemented in real time [47, 48]. The use of real HTTP DDoS attack tools will help to gain input about the current attack strategies and predictions about future attacks.

Detection Techniques.
The parameters used to generate detection are varied. This review revealed that the use of the right parameter is important to ensure that the proposed detection method is able to detect HTTP DDoS attacks. This review also discovered that HTTP DDoS detection methods are built on three main elements: (1) technique, e.g., IP spoofing; (2) parameter, e.g., TCP header; and (3) flow, e.g., operation flow [2, 30-32, 34-37]. The component selection for the three elements mentioned above is crucial as it determines detection quality, e.g., true positive, true negative, false positive, false negative, precision, recall, specificity, and accuracy. A future researcher has to consider the main elements stated above to ease formation of the proposed detection technique.

Level of Attack.
Based on the review presented in Table 1, no study has proposed a solution that is able to detect three types of DDoS attacks: flash crowd, high-rate, and low-rate DDoS attack. Most studies focused on detecting HTTP DDoS at the high rate, while only one researcher focused on low-rate HTTP DDoS attack. The detection scope should extend to cater to all types of HTTP DDoS, as the techniques reviewed in this paper tend to propose solutions in a segregated manner. Several researchers broke DDoS attacks at the application layer down into several categories: request flooding, session flooding, and asymmetric and slow request [12, 13, 20-22]. This appears to be a great indicator for future research studies to look deeper into the attack patterns.

8.8. Learn Programming and Explore Attack Codes.
HTTP DDoS tools, such as GoldenEye, UFONET, Wreckquest, and HULK, are available for download, and they are written in the Python programming language. Thus, learning a programming language can bring us a step forward in detecting HTTP DDoS and predicting future attacks by exploring the attack code with consideration of the DDoS attack strategies outlined by Singh et al. [9]. Exploration of the code enhances our understanding of the behaviour of HTTP DDoS, apart from discovering appropriate strategies to counter the attack.

8.9. Academic and Industry.
Academic and industry have to cooperate in sharing attack logs for academic purposes. Behal and Kumar [49] conducted a study related to DDoS using prior datasets and identified some limitations of publicly available datasets, as the datasets were captured from the network layer and concealed information about the application layer. Hence, an industry that receives a real dataset or has received an HTTP DDoS attack should filter and remove private data related to its web server so as to ensure no data leakage. The attack pattern would give direct impact as a researcher is able to write HTTP DDoS code based on the pattern and to seek a solution, thus highlighting the importance of programming.

8.10. Mixed HTTP Traffic.
HTTP DDoS attacks have a number of attack strategies to mix the traffic and make detection more complex; thus, future work to detect DDoS attacks should cater to varied types of attack strategies, such as attacks that come from proxy, botnet, and web crawler simultaneously. Besides, the use of IoT devices may lead to worse circumstances for HTTP DDoS as the attacker may utilise a botnet that originates from such devices to recruit a cyber army to launch attacks against a web server. Table 1 indicates that all the proposed solutions catered to only the HTTP protocol that applied port 80 to detect an attack. Hence, future research studies should consider HTTPS protocol detection in an in-depth manner. Zolotukhin et al. [50] explained that most of the latest studies seemed to focus on HTTP DDoS attacks, while leaving detection of DDoS over the HTTPS protocol in the dark.

Conclusion
This paper presents a review of the recent detection methods for recognising DDoS attacks at the application layer. Research related to DDoS attacks has gained much attention, particularly for those that occur at the application layer. The detection of DDoS attacks is rather challenging as the traffic has the ability to mimic genuine GET requests. Due to the many forms of devices that can be affected by botnets, such as IoT devices, and the existence of DDoS as a service, the detection of such attacks can become significantly complex.
The recent techniques employed to detect HTTP DDoS attacks have produced various approaches for detection purposes. However, it should be noted that challenges need to be identified and overcome for different types of DDoS attack strategies.
The critical analysis has outlined several points that need closer attention in future research.

Table 1: Summary of recent detection techniques of HTTP DDoS attack.