Distributed Denial of Service (DDoS) attacks have caused continuous critical threats to the Internet services. DDoS attacks are generally conducted at the network layer. Many DDoS attack detection methods are focused on the IP and TCP layers. However, they are not suitable for detecting the application layer DDoS attacks. In this paper, the authors propose a scheme based on web user browsing behaviors to detect the application layer DDoS attacks (app-DDoS). A clustering method is applied to extract the access features of the web objects.