To defense application-layer Distributed Denial of Service (DDoS) built on the normal network layer, a defense model based on Web behavior trajectory in the Web application server was constructed. User's access behavior was abstracted into Web behavior trajectory, and according to the generation approach about attack request as well as behavior characteristics of user access to Web pages, four kinds of suspicion were defined, including access dependency suspicion, behavior rate suspicion, trajectory similarity suspicion, and trajectory deviation suspicion. The deviation values between normal sessions and attack sessions were calculated to detect the application-layer DDoS to a specific website. The defense model prohibited the user access from DDoS when detecting the attack request generated by the user. In the experiment, real data was acted as the training set. Then, through simulating different kinds of attack request, the defense model could identify the attack request and take the defense mechanism against the attack. The experimental results demonstrate that the model can detect and defense the application-layer DDoS to a specific website.