
Paper should be in IEEE format with annotations. The document should be 6-8 pages. The contents should be: 

1. Abstract

2. Introduction

3. Literature survey

4. Intrusion Detection in Cloud System

5. AI and Machine Learning Implementation 

6. Conclusion

Please use the reference documents below for this paper; there must be no plagiarism.

IT Pro, July/August 2010. Published by the IEEE Computer Society. 1520-9202/10/$26.00 © 2010 IEEE

CYBERSECURITY

Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall,
Federal University of Santa Catarina, Brazil

Providing security in a distributed system requires more than user authentication with passwords or digital certificates and confidentiality in data transmission. The Grid and Cloud Computing Intrusion Detection System integrates knowledge and behavior analysis to detect intrusions.

Because of their distributed nature, grid and cloud computing environments are easy targets for intruders looking for possible vulnerabilities to exploit. By impersonating legitimate users, the intruders can use a service’s abundant resources maliciously.

To combat attackers, intrusion-detection systems (IDSs) can offer additional security measures for these environments by investigating configurations, logs, network traffic, and user actions to identify typical attack behavior [1]. However, an IDS must be distributed to work in a grid and cloud computing environment. It must monitor each node and, when an attack occurs, alert other nodes in the environment. This kind of communication requires compatibility between heterogeneous hosts, various communication mechanisms, and permission control over system maintenance and updates—typical features in grid and cloud environments [2]. Cloud middleware usually provides these features, so we propose an IDS service offered at the middleware layer (as opposed to the infrastructure or software layers).

An attack against a cloud computing system can be silent for a network-based IDS deployed in its environment, because node communication is usually encrypted. Attacks can also be invisible to host-based IDSs, because cloud-specific attacks don’t necessarily leave traces in a node’s operating system, where the host-based IDS resides. In this way, traditional IDSs can’t appropriately identify suspicious activities in a grid and cloud environment [3] (see the “Related Work in Intrusion Detection” sidebar).

Here, we take a careful look at the cloud case in particular. We propose the Grid and Cloud Computing Intrusion Detection System (GCCIDS), which has an audit system designed to cover attacks that network- and host-based systems can’t detect. GCCIDS integrates knowledge and behavior analysis to detect specific intrusions.

Intrusion Detection for Grid and Cloud Computing

itpro-12-04-West.indd 38 30/06/10 4:50 PM

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:39:47 UTC from IEEE Xplore. Restrictions apply.

computer.org/ITPro 39

Our Proposed Service
In our solution, each node identifies local events that could represent security violations and alerts the other nodes. Each individual IDS cooperatively participates in intrusion detection. Figure 1 depicts the sharing of information between the IDS service and the other elements participating in the architecture: the node, service, event auditor, and storage service.

The node contains the resources, which are accessed homogeneously through the middleware. The middleware sets the access-control policies and supports a service-oriented environment.

The service provides its functionality in the environment through the middleware, which facilitates communication.

The event auditor is the key piece in the system. It captures data from various sources, such as the log system, service, and node messages. The IDS service analyzes this data and applies detection techniques based on user behavior and knowledge of previous attacks. If it detects an intrusion, it uses the middleware’s communication mechanisms to send alerts to the other nodes. The middleware synchronizes the known-attacks and user-behavior databases.

Related Work in Intrusion Detection

Here we present some of the relevant research on intrusion detection for grids, discussing in particular the techniques they apply and the source of the data they analyze.

Table A classifies related work according to the audit data source (host, network, or grid), the analysis technique (knowledge- or behavior-based), and whether there was a proper evaluation. Fang-Yie Leu, Jia-Chun Lin, Ming-Chang Li, Chao-Tung Yang, and Po-Chi Shih’s work [1], along with Stuart Kenny and Brian Coghlan’s solutions [2], are based on analyzing data from a grid’s network, although these approaches can’t detect grid-specific attacks, because they don’t capture any high-level data. Guofu Feng, Xiaoshe Dong, Weizhe Liu, Ying Chu, and Junyang Li integrate a host-based intrusion-detection system (IDS) into a grid environment, providing protection against typical operating system attacks, but not the ones that might target middleware vulnerabilities [3].

Mohamed Tolba [4] and Alexandre Schulter [5] and their colleagues view a computational grid as one big host of resources, and the audit data is collected from the operating systems as in typical host-based IDSs. Their solutions focus on analyzing high-level information regarding grid usage by its users, and they apply behavior-based techniques in the analysis. In comparison, we conclude that the available solutions approach the problem in a different way, especially in regards to the threats we try to defend against by combining two distinct auditing techniques.

Sidebar references
1. F-Y. Leu et al., “Integrating Grid with Intrusion Detection,” Proc. Int’l Conf. Advanced Information Networking and Applications (AINA 05), vol. 1, IEEE CS Press, 2005, pp. 304–309.
2. S. Kenny and B. Coghlan, “Towards a Grid-Wide Intrusion Detection System,” Proc. European Grid Conf. (EGC 05), Springer, 2005, pp. 275–284.
3. G. Feng et al., “GHIDS: Defending Computational Grids against Misusing of Shared Resource,” Proc. Asia-Pacific Conf. Services Computing (APSCC 06), IEEE CS Press, 2006, pp. 526–533.
4. M. Tolba et al., “Distributed Intrusion Detection System for Computational Grids,” Proc. 2nd Int’l Conf. Intelligent Computing and Information Systems (ICICIS 05), 2005.
5. A. Schulter et al., “Intrusion Detection for Computational Grids,” Proc. 2nd Int’l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.

Table A. Features of related works concerning intrusion detection for grids.

Author    | Host-based IDS | Network-based IDS | Data from a grid | Knowledge-based technique | Behavior-based technique | Validation
Tolba     | Yes            | No                | Yes              | No                        | Yes                      | Yes
Schulter  | Yes            | Yes               | No               | No                        | Yes                      | Yes
Choon     | No             | Yes               | N/A              | No                        | No                       | No
Kenny     | No             | Yes               | No               | Yes                       | No                       | Yes
Leu       | No             | Yes               | No               | Yes                       | No                       | Yes
Feng      | Yes            | No                | No               | Yes                       | No                       | Yes

The storage service holds the data that the IDS service must analyze. It’s important for all nodes to have access to the same data, so the middleware must transparently create a virtualization of the homogeneous environment.

IDS Service
The IDS service increases a cloud’s security level by applying two methods of intrusion detection. The behavior-based method dictates how to compare recent user actions to the usual behavior. The knowledge-based method detects known trails left by attacks or certain sequences of actions from a user that might represent an attack.

The audited data is sent to the IDS service core, which analyzes the behavior using artificial intelligence to detect deviations. The analyzer uses a profile history database to determine the distance between a typical user behavior and the suspect behavior and communicates this to the IDS service.

The rules analyzer receives audit packages and determines whether a rule in the database is being broken. It returns the result to the IDS service core. With these responses, the IDS calculates the probability that the action represents an attack and alerts the other nodes if the probability is sufficiently high.

Event Auditor
To detect an intrusion, we need audit data describing the environment’s state and the messages being exchanged. The event auditor can monitor the data that the analyzers are accessing. The first component monitors message exchange between nodes. Although audit information about the communication between nodes is being captured, no network data is taken into account—only node information.

The second component monitors the middleware logging system. For each action occurring in a node, a log entry is created containing the action’s type (such as error, alert, or warning), the event that generated it, and the message. With this kind of data, it’s possible to identify an ongoing intrusion.

Behavior Analysis
Numerous methods exist for behavior-based intrusion detection, such as data mining, artificial neural networks, and artificial immunological systems. We use a feed-forward artificial neural network, because—in contrast to traditional methods—this type of network can quickly process information, has self-learning capabilities, and can tolerate small behavior deviations. These features help overcome some IDS limitations [4].

[Figure 1. The architecture of grid and cloud computing intrusion detection. Each node identifies local events that could represent security violations and sends an alert to the other nodes. The diagram shows three grid nodes, each containing a service, an event auditor, an IDS service (analyzer and alert system) and a storage service with a knowledge base and a behavior base; a communication service synchronizes the databases across nodes.]

Using this method, we need to recognize expected behavior (legitimate use) or a severe behavior deviation. Training plays a key role in the pattern recognition that feed-forward networks perform. The network must be correctly trained to efficiently detect intrusions. For a given intrusion sample set, the network learns to identify the intrusions using its backpropagation algorithm. However, we focus on identifying user behavioral patterns and deviations from such patterns. With this strategy, we can cover a wider range of unknown attacks.

Knowledge Analysis
Knowledge-based intrusion detection is the most often applied technique in the field because it results in a low false-alarm rate and high positive rates, although it can’t detect unknown attack patterns. It uses rules (also called signatures) and monitors a stream of events to find malicious characteristics.

Using an expert system, we can describe a malicious behavior with a rule. One advantage of using this kind of intrusion detection is that we can add new rules without modifying existing ones.

In contrast, behavior-based analysis is performed on learned behavior that can’t be modified without losing the previous learning. Generating rules is the key element in this technique—it helps the expert system recognize newly discovered attacks. Creating a rule consists of defining the set of conditions that represent the attack.

Increasing Attack Coverage
The two intrusion detection techniques are distinct. The knowledge-based intrusion detection is characterized by a high hit rate of known attacks, but it’s deficient in detecting new attacks. We therefore complemented it with the behavior-based technique, which can discover deviations from acceptable use and thus help identify privilege abuse.

The volume of data in a cloud computing environment can be high, so administrators don’t observe each user’s actions—they observe only alerts from the IDS.

Results
We developed a prototype to evaluate the proposed architecture using Grid-M, a middleware of our research group developed at the Federal University of Santa Catarina [5].

We created data tables to perform the experiments with audit elements coming from both the log system and from data captured during node communications. We prepared three types of simulation data to test.

First, we created data representing legitimate action by executing a set of known services simulating a regular behavior.

Then, we created data representing behavior anomalies. To represent anomalous sequences of actions, we altered the services and their usage frequency. For example, for a teaching department that posts grades electronically, if two out of every 100 grades are typically corrected later because of a mistake, then an anomalous behavior would be correcting 10 consecutive grades. This action would deserve special attention to determine whether it constituted an abuse of privileges.

Finally, we created data representing policy violation. This was prepared with a set of audit packages containing a series of elements violating base rules.

Evaluating the Event Auditor
The event auditor captures all requests received by a node and the corresponding responses, which is fundamental for behavior analysis.

For each action a node performs, a log entry is generated to register the methods and parameters invoked during the action.

In the experiments with the behavior-based IDS, we considered using audit data from both a log and a communication system. Unfortunately, data from a log system—with the exception of the message element—has a limited set of values with little variation. This made it difficult to find attack patterns, so we opted to explore communication elements to evaluate this technique.

We evaluated the behavior-based technique using artificial intelligence enabled by a feed-forward neural network [6]. In the simulation environment, we monitored five intruders and five legitimate users.

We initiated the neural-network training with a data set representing 10 days of usage simulation. Using this data resulted in a high number of false negatives and a high level of uncertainty. Increasing the sample period for the learning phase improved the results.

Evaluating the Behavior-Based System
To measure IDS efficiency [1], we considered accuracy in terms of the system’s ability to detect attacks and avoid false alarms. A system is imperfect if it accuses a legitimate action of being malicious. So, we measured accuracy using the number of false positives (legitimate actions marked as attacks) and false negatives (the absence of an alert when an attack has occurred).
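The profile-distance idea from the IDS Service section, the grade-correction scenario from the Results section and the false-positive/false-negative measure described above, worked as an added example for this page; this is not code from the GCCIDS prototype. The prototype scored behavior with a feed-forward neural network; here that is replaced by a per-user statistical profile (mean and standard deviation of each action type per day) so the run is deterministic and needs only the standard library. The users, action types, alert threshold and 30-day history are all constructed.

```python
"""Behavior-based scoring against a profile history, plus the false-positive /
false-negative accuracy measure. Added example for this page, not GCCIDS code.
The prototype used a feed-forward neural network; this stand-in uses a per-user
statistical profile so it runs deterministically with the standard library only.
Users, action types, the threshold and the 30-day history are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def build_history(days=30):
    """Constructed training history: for each user, one Counter of action
    counts per simulated day. The 'teacher' posts ~100 grades a day and
    corrects two or three of them (the paper's 2-in-100 baseline)."""
    history = defaultdict(list)
    for day in range(days):
        history["teacher"].append(Counter({"post_grade": 100 + day % 3,
                                           "correct_grade": 3 if day % 5 == 0 else 2}))
        history["auditor"].append(Counter({"read_grade": 40 + day % 4, "export": 1}))
    return history


def build_profiles(history):
    """Profile history database: per user and action type, the mean and
    population standard deviation of the daily count over the training days."""
    profiles = {}
    for user, days in history.items():
        actions = set().union(*days)
        profiles[user] = {a: (mean(d[a] for d in days), pstdev(d[a] for d in days))
                          for a in actions}
    return profiles


def deviation_score(profile, observed, floor=1.0):
    """Distance between one day's observed counts and the profile: the largest
    absolute z-score over all action types. Actions the profile never saw are
    measured against a zero baseline; 'floor' keeps near-constant actions from
    producing huge scores and avoids dividing by a zero deviation."""
    score = 0.0
    for action in set(observed) | set(profile):
        mu, sigma = profile.get(action, (0.0, 0.0))
        z = abs(observed.get(action, 0) - mu) / max(sigma, floor)
        score = max(score, z)
    return score


def is_suspect(profiles, user, observed, threshold=3.0):
    """Alert decision: deviation above the threshold, or no profile at all."""
    if user not in profiles:
        return True
    return deviation_score(profiles[user], observed) > threshold


def evaluate(profiles, labelled_days, threshold=3.0):
    """Accuracy as the paper measures it: false positives (legitimate days
    flagged) and false negatives (attack days not flagged)."""
    false_pos = false_neg = 0
    for user, observed, is_attack in labelled_days:
        flagged = is_suspect(profiles, user, observed, threshold)
        false_pos += int(flagged and not is_attack)
        false_neg += int(is_attack and not flagged)
    return false_pos, false_neg


def sample_evaluation():
    """Constructed test days: three legitimate, three anomalous. The burst of
    10 corrections is caught; a milder rise to 4 corrections is missed, the
    kind of false negative the paper reports."""
    profiles = build_profiles(build_history())
    test_days = [
        ("teacher", {"post_grade": 101, "correct_grade": 2}, False),
        ("teacher", {"post_grade": 103, "correct_grade": 3}, False),
        ("auditor", {"read_grade": 42, "export": 1}, False),
        ("teacher", {"post_grade": 100, "correct_grade": 10}, True),   # caught
        ("auditor", {"read_grade": 41, "export": 25}, True),           # caught
        ("teacher", {"post_grade": 100, "correct_grade": 4}, True),    # missed
    ]
    return evaluate(profiles, test_days)   # -> (0, 1)


if __name__ == "__main__":
    print("false positives, false negatives:", sample_evaluation())
```

The threshold plays the role of the paper's "sufficiently high probability": lowering it trades the missed 4-correction day for false alarms on ordinary fluctuation, which is the same FP/FN tension the article reports when the training period changes.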

The performance test we designed also evaluated the analysis technique’s cost. We performed a load test where the program analyzed 1 to 100,000 actions. The simulation involving 100,000 actions is hypothetical. It surpasses the usual data volume and served as a base for understanding system behavior in an overloading condition. An action took approximately 0.000271 seconds to be processed with our setup.

The training time for an input of 30 days of sample behavior took 1.993 seconds. However, the training was sporadic—we had to plan updates to the behavior profile database according to a routine in the execution environment (since a user’s behavior tends to change with time). This helped us identify a convenient period of days for determining the profile of a legitimate user. Artificial neural networks aren’t deterministic, so the number of false positives and false negatives didn’t represent a linear decreasing progression.

Figure 2 shows the results. The neural network tended to avoid identifying legitimate actions as attacks—there were always more false negatives than false positives when using the same quantity of input data.

No false alarms occurred when we started the training with 16 days of simulation, although the uncertainty level was still high, with several outputs near zero. With input periods of 28, 29, and 30 days, the algorithm showed a low number of false positives, but after several repetitions, the quantity of false positives varied, again representing the nondeterministic nature of neural networks.

Evaluating the Knowledge-Based System
In contrast to the behavior-based system, we used audit data from both a log system and the communication system to evaluate the knowledge-based system. We created a series of rules to illustrate security policies that the IDS should monitor.

We collected audit data referring to a route-discovery service, service discovery, and service request and response. The series of policies we created tested the system’s performance, although our scope didn’t include discovering new kinds of attacks or creating an attack database. Our goal was to evaluate our solution’s functionality and the prototype’s performance.

The rule below characterizes an attack in any message related to the storage service. The functions of the rule are as follows:

1. At start-up, the rules stored in an XML file are loaded into a data structure.
2. The auditor starts to capture data from the log and communication systems.
3. The data is preprocessed to create a data structure dividing log data from communication data to provide easy access to each element.
4. The corresponding policy for the audit package is verified.
5. An alert is generated if an attack or violation occurred.

We performed a load test for this algorithm simulating the analysis of 10 to 1,000,000 rules for an action. We verified the textual or numerical field in comparison to the rules. The analyzer performed two primary functions: it searched for improper content, and it compared numerical intervals. Comparing 100,000 rules for an action consumed 0.361 seconds; comparing a million rules consumed 2.7 seconds. This suggests that real-time analysis is possible up until a certain limit in the number of rules.

[Figure 2. The behavior score results. The algorithm had the lowest number of false positives for input periods with 28–30 days. Plot: x axis, number of training examples (10 to 30 days); y axis, number of false positives and false negatives (0 to 6); two series, false positive and false negative.]
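The five-step rule procedure listed under Evaluating the Knowledge-Based System and the two comparison functions the analyzer performs (improper-content search and numerical-interval comparison), carried through as an added example written for this page rather than code from the GCCIDS prototype. The XML rule schema, the condition operators, the field names and the audit package (log entries with type, event and message; communication records for the storage and discovery services) are constructed assumptions, and the auditor's capture step is stood in for by the inline package.

```python
"""Knowledge-based (rule / signature) analyzer following the five steps in the
article: load rules from XML, capture audit data, preprocess it into log data
and communication data, verify the matching policies, and raise alerts. Added
example for this page, not GCCIDS code; the rule schema, field names, the
sample rules and the audit package are all constructed."""
import xml.etree.ElementTree as ET

# Constructed rule file. A rule fires when ALL its conditions hold for one event
# captured from its source ('comm' or 'log'). Two kinds of test, as in the
# paper's analyzer: improper-content search (equals/contains) and numerical
# interval comparison (within/outside).
RULES_XML = """<rules>
  <rule id="R1" source="comm" severity="high" name="storage path traversal">
    <condition field="service" op="equals" value="storage"/>
    <condition field="message" op="contains" value="../"/>
  </rule>
  <rule id="R2" source="comm" severity="medium" name="storage payload out of bounds">
    <condition field="service" op="equals" value="storage"/>
    <condition field="size" op="outside" min="0" max="1048576"/>
  </rule>
  <rule id="R3" source="log" severity="medium" name="authentication error logged">
    <condition field="type" op="equals" value="error"/>
    <condition field="message" op="contains" value="authentication failed"/>
  </rule>
</rules>"""


def load_rules(xml_text):
    """Step 1: parse the XML rule file into a list of rule dicts."""
    rules = []
    for node in ET.fromstring(xml_text).findall("rule"):
        conditions = []
        for c in node.findall("condition"):
            cond = {"field": c.get("field"), "op": c.get("op")}
            if cond["op"] in ("within", "outside"):
                cond["min"], cond["max"] = float(c.get("min")), float(c.get("max"))
            elif cond["op"] in ("equals", "contains"):
                cond["value"] = c.get("value")
            else:
                raise ValueError(f"unknown op {cond['op']!r} in rule {node.get('id')}")
            conditions.append(cond)
        rules.append({"id": node.get("id"), "source": node.get("source"),
                      "severity": node.get("severity"), "name": node.get("name"),
                      "conditions": conditions})
    return rules


def preprocess(audit_package):
    """Step 3: split the captured package into log data and communication data."""
    split = {"log": [], "comm": []}
    for event in audit_package:
        split[event["source"]].append(event)
    return split


def condition_holds(cond, event):
    value = event.get(cond["field"])
    if value is None:
        return False
    if cond["op"] == "equals":
        return str(value) == cond["value"]
    if cond["op"] == "contains":                       # improper-content search
        return cond["value"] in str(value)
    try:
        number = float(value)                          # numerical interval comparison
    except (TypeError, ValueError):
        return False
    inside = cond["min"] <= number <= cond["max"]
    return inside if cond["op"] == "within" else not inside


def check_rules(rules, split_data):
    """Steps 4 and 5: verify each policy against the events of its source and
    emit one alert per (rule, event) match."""
    alerts = []
    for rule in rules:
        for event in split_data[rule["source"]]:
            if all(condition_holds(c, event) for c in rule["conditions"]):
                alerts.append({"rule": rule["id"], "name": rule["name"],
                               "severity": rule["severity"], "event": event})
    return alerts


def analyze(audit_package, xml_text=RULES_XML):
    return check_rules(load_rules(xml_text), preprocess(audit_package))


# Step 2 stands in for the auditor: a constructed audit package mixing log
# entries (type, event, message) with node-to-node communication records.
SAMPLE_PACKAGE = [
    {"source": "comm", "service": "storage", "method": "get",
     "message": "get /reports/q1.pdf", "size": 2048},
    {"source": "comm", "service": "storage", "method": "get",
     "message": "get ../../private/keys", "size": 512},
    {"source": "comm", "service": "storage", "method": "put",
     "message": "put /bulk/dump.bin", "size": 5_000_000},
    {"source": "comm", "service": "discovery", "method": "find",
     "message": "find ../", "size": 64},
    {"source": "log", "type": "error", "event": "login",
     "message": "authentication failed for user bob"},
    {"source": "log", "type": "warning", "event": "disk",
     "message": "storage volume 80% full"},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKAGE):
        print(alert["rule"], alert["severity"], alert["name"], "<-", alert["event"]["message"])
```

Because every rule is evaluated against every event of its source, the cost grows linearly with the rule count, which is the behaviour the load test above measures; keeping the rules split by source is what lets the log-only rule R3 skip the communication records entirely.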

In testing our prototype, we learned that it has a low processing cost while still providing a satisfactory performance for real-time implementation. Sending data to other nodes for processing didn’t seem necessary [7]. The individual analysis performed in each node reduces the complexity and the volume of data in comparison to previous solutions, where the audit data is concentrated in single points.

In the future, we’ll implement our IDS, helping to improve green (energy-efficient), white (using wireless networks), and cognitive (using cognitive networks) cloud computing environments. We also intend to research and improve cloud computing security.

References
1. H. Debar, M. Dacier, and A. Wespi, “Towards a Taxonomy of Intrusion Detection Systems,” Int’l J. Computer and Telecommunications Networking, vol. 31, no. 9, 1999, pp. 805–822.
2. I. Foster et al., “A Security Architecture for Computational Grids,” Proc. 5th ACM Conf. Computer and Communications Security, ACM Press, 1998, pp. 83–92.
3. S. Axelsson, Research in Intrusion-Detection Systems: A Survey, tech. report TR-98-17, Dept. Computer Eng., Chalmers Univ. of Technology, 1999.
4. A. Schulter et al., “Intrusion Detection for Computational Grids,” Proc. 2nd Int’l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.
5. H. Franke et al., “Grid-M: Middleware to Integrate Mobile Devices, Sensors and Grid Computing,” Proc. 3rd Int’l Conf. Wireless and Mobile Comm. (ICWMC 07), IEEE CS Press, 2007, p. 19.
6. N.B. Idris and B. Shanmugam, “Artificial Intelligence Techniques Applied to Intrusion Detection,” Proc. 2005 IEEE India Conf. (Indicon), IEEE Press, 2005, pp. 52–55.
7. P.F. da Silva and C.B. Westphall, “Improvements in the Model for Interoperability of Intrusion Detection Responses Compatible with the IDWG Model,” Int’l J. Network Management, vol. 17, no. 4, 2007, pp. 287–294.

Kleber Vieira is a team leader for a software development company in Brazil and is a member of the Networks and Management Laboratory at the Federal University of Santa Catarina, Brazil. His research interests include information systems, software engineering, distributed systems, and security. Vieira received his MSc in computer science from the Federal University of Santa Catarina. Contact him at [email protected]inf.ufsc.br.

Alexandre Schulter is an IT analyst for a Brazilian government company. Previously, he was a researcher and software developer at several laboratories in the Technological Centre at the Federal University of Santa Catarina, Brazil. His research interests include information systems, component-based systems, software engineering, distributed systems, and security. Schulter received his MSc in computer science from the Federal University of Santa Catarina. Contact him at [email protected]inf.ufsc.br.

Carlos Becker Westphall is a full professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil, where he is the leader of the Networks and Management Laboratory. His research interests include network management, security, and grid and cloud computing. Westphall received his DSc in computer science from the Paul Sabatier University, France. Contact him at [email protected]

Carla Merkle Westphall is a professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil. Her research interests include distributed security, identity management, and grid and cloud security. Westphall received her PhD in electrical engineering from the Federal University of Santa Catarina. Contact her at [email protected]inf.ufsc.br.


©2012-17 International Journal of Information Technology and Electrical Engineering
ITEE, 6 (2) pp. 40-45, APR 2017
ITEE Journal, Information Technology & Electrical Engineering, ISSN: 2306-708X, Volume 6, Issue 2, April 2017

Predicting Critical Cloud Computing Security Issues using Artificial Neural Network (ANNs) Algorithms in Banking Organizations

Abdelrafe Elzamly (1), Burairah Hussin (2), Samy S. Abu Naser (3), Tadahiro Shibutani (4), and Mohamed Doheir (5)

(1) Department of Computer Science, Al-Aqsa University, Gaza, Palestine
(2, 5) Information & Communication Technology, Universiti Teknikal Malaysia Melaka (UTeM), Malaysia
(3) Department of Information Technology, Al-Azhar University, Gaza, Palestine
(4) Institute of Advanced Sciences, Yokohama National University, Yokohama, Japan

E-mail: [email protected]

ABSTRACT
The aim of this study is to predict critical cloud computing security issues using Artificial Neural Network (ANN) algorithms. We propose Levenberg–Marquardt based Back Propagation (LMBP) algorithms to predict the performance of the cloud security level; LMBP algorithms can also be used to estimate the accuracy of predicting the cloud security level. ANNs are used efficiently to improve performance and to learn neural membership functions. Furthermore, we used the cloud Delphi technique for data gathering and analysis in this study. A sample of 40 panelists was selected from inside and outside Malaysian banking organizations based on their experience in banking cloud computing. We have indicated that LMBP is a nonlinear optimization model used to measure the accuracy of the prediction model; the Mean Square Error (MSE) is measured to determine performance, and performance is good if the MSE is small, as shown in Table 1. This work has been conducted on groups of cloud banking developers and IT managers. As future work, we intend to combine another optimization technique with ANN algorithms to predict and mitigate critical cloud security issues. Positive prediction of critical cloud security issues is expected to increase the probability of cloud banking success.

Keywords: Cloud banking organization, Cloud Computing, Cloud Security Issues, Artificial Neural Network, Levenberg Marquardt Algorithm, Back Propagation Algorithm.

1. INTRODUCTION
Although there has been much research and progress in the area of cloud computing projects, a lot of cloud computing projects have a very high failure rate, particularly when they relate to the banking area. Several serious cloud security issues, such as data protection and integrity, quality of service (QoS), portability and interoperability, and mobility, need to be controlled and mitigated before cloud computing can be adopted widely [1]. Cloud computing has several advantages, but cloud computing in banking organizations suffers from many cloud security issues. The aim of cloud risk management is the identification and evaluation of cloud security issues at an early stage in order to predict the cloud computing security level [2]. Today, cloud computing risk management has become a common practice among leading, successful banking organizations. In the increasing effort to improve development processes and security, new studies have led to the cloud computing risk area. Risk management helps the software project manager and team make better decisions to mitigate cloud computing risks. The objective of this study is to predict performance for cloud computing security issues using Levenberg–Marquardt based Back Propagation (LMBP) algorithms.

2. LITERATURE REVIEW
Cloud computing risk management consists of computing processes, methods, and techniques that are useful to mitigate cloud computing risk failure. Security risk management is becoming increasingly significant in a diversity of areas linked to information technology (IT), for example telecommunications, banking information systems, and cloud computing [3]. Moreover, the cloud banking model is a resource management model founded on economic philosophies; it functions like commercial banks in the loan and deposit business [4]. Cloud security is a general subject: any grouping of policies, controls, and technologies to safeguard data, services, and infrastructure from conceivable attacks. Additionally, current research has focused on providing security technologies instead of business features such as service stability, availability, and continuity [5]. This study is going to predict the critical cloud issues in Malaysian banking organizations. Previous work presented a conceptual framework for cloud security banking that involved components such as security, legal, privacy, compliance, and regulatory issues of banking [6]. As stated by previous studies, we split the framework modeling cloud computing into five phases, namely mobility and banking application, Cloud Deployment Models (CDM), cloud risk management models (CRMM), Cloud Service Models (CSM), and cloud security model (CSM), as follows.

Firstly, mobility relates to the possibility of moving and taking place in diverse locations and at multiple times using any kind of portable device, such as smart phones, Personal Digital Assistants (PDAs), and wireless laptops. Mobile banking relates to any operation linked to banking services, such as balance checks, payments, receiving banking SMS via a mobile device, and account transactions [7].

Secondly, CSM depend on some state-of-the-art web technologies, such as Application Programming Interfaces (API), Web Services, Web 2.0, etc. [8]. CSM is split into four categories that are offered by a cloud provider: Software as a Service (SaaS), Platform as a Service (PaaS), Banking Process as a Service (BPaaS), and Infrastructure as a Service (IaaS).

Thirdly, CDM can be split into four dissimilar types. A public cloud is made available to the general public or a large industry group and is owned by a third party selling cloud services [9]. A private cloud is operated and owned by a single organization or company that focuses on controlling the mechanism of virtualizing resources and automating services that are used and tailored by many lines of business and essential groups [4]. A community cloud falls between public and private clouds with regard to the target set of consumers [10]; this model is used by a specific group of community within an organization that has the same concerns, objectives, or security requirements [11]. A hybrid cloud uses both public and private cloud methods, combining the strategic notions of public cloud services with the basis of the private cloud.

Fourthly, Cloud Risk Management (CRM): in cloud computing, risk is required to be taken into consideration in all phases of interaction and investigated at every service stage in relation to the assets that should be protected [12]. Besides, there are diverse types of risk that bank management should be protected against. For numerous banks the main risk is credit risk, but there are several other risks about which supervising authorities must notify banks, with connected criteria they must follow [13]. There are eight phases for effective cloud risk management: Cloud Risk Planning (CRPL) phase, Cloud Risk Analysis (CRA) phase, Cloud Risk Identification (CRI) phase, Cloud Risk Prioritization (CRP) phase, Cloud Risk Evaluation (CRE) phase, Cloud Risk Treatment (CRT) phase, which includes four strategies for responding to cloud risks (cloud risk mitigation, cloud risk avoidance, cloud risk transfer, cloud risk elimination, cloud risk acceptance), Cloud Risk Controlling (CRC) phase, and Cloud Risk Communication & Documentation (CRCD) phase.

Finally, Cloud Security Issues Models (CSIM): cloud security is a very common topic, covering any grouping of policies, technologies, and controls to protect data, infrastructure, and services from possible attacks; to achieve business objectives, all the security domains should work in an effective manner [14].

3. CLOUD SECURITY ISSUES
The classification of critical security issues in cloud banking needs to be highlighted in this section [15]:

3rd Party (Providers) and Policies Security Issues: lack of standards, Service Level Agreements (SLAs), governance, legal and policy, dependency, lack of transparency, cloud service provider viability, malicious insiders, regulatory compliance & requirements, shared technology issues, unknown risk profile, trusted cloud, abuse of cloud computing.

Application and Program (Software) Security Issues: authentication, authorization, insecure interfaces and APIs, availability and mobility, portability and interoperability.

Data and Information Security Issues: privacy, confidentiality, data protection, data limitations and segregation, data integrity and scavenging, data location, data loss/leakage, detection and recovery, hijacking of account or service & traffic.

Security Control & Network Issues: information flow control, intrinsic constraints of wireless networks, network access schemes, bandwidth, anonymity and network traffic analysis, network security, virtual network protection, limited control, Distributed Denial of Service (DDoS), heterogeneity in mobile cloud devices, platform reliability and latency.

Security and Service Management Issues: session management, identity/access management, Quality of Service (QoS), IT organizational changes.

Physical Infrastructure Security Issues: flexibility of infrastructure, single point of attack and failure, high-value cyber-attack targets, multi-tenancy, scalability, cost.

4. EMPIRICAL STRATEGY

The Delphi technique was used to collect data from qualified informants, so we focused on two groups: cloud developers and cloud IT managers in banking organizations. The Delphi study was adapted to three phases, identifying, analyzing and evaluating, as described in Figure 1. The data were collected from secondary data and the Delphi study. In the current study, a population sample of forty panelists was chosen from inside and outside Malaysian banking organizations according to their experience in cloud banking. We measured the probability of occurrence on a 10-point scale (1 = "very low probability of occurrence risk" and 10 = "very high probability of occurrence risk"), and the severity of the cloud security issues on a 10-point scale (1 = "very low impact risk" and 10 = "very high impact risk"). We used the Delphi technique for data gathering and analysis in this study, beginning with a list of cloud security issues based on secondary data and the experience of cloud managers and cloud developers; the Delphi method then collected and aggregated data on the cloud security issues. The cloud Delphi technique was divided into three phases: identifying, analyzing, and evaluating. The concept of the Delphi technique for identifying and classifying cloud security issues is illustrated in Figure 1 as follows:

Cloud Delphi Technique

Phase 1: Identifying
- Collect and aggregate data on cloud security issues.
- Select the experts from both inside and outside the banking organization.
- Divide the panelists into two groups: cloud

©2012-17 International Journal of Information Technology and Electrical Engineering
ITEE, 6 (2) pp. 40-45, APR 2017
ITEE Journal, Information Technology & Electrical Engineering, ISSN: 2306-708X, Volume 6, Issue 2, April 2017

Figure 1: Steps of the cloud Delphi study for collecting data [16]

5. METHODOLOGY (MATERIALS & METHODS)

The data gathered for this study and used in the modelling were obtained from the managers and cloud developers in banking organizations. We propose Artificial Neural Networks (ANNs) for predicting cloud security issues in banking organizations. In order to manage and predict the performance of the cloud computing security level, we can use artificial neural network methods. To establish the intelligent approaches, we first need to model the relationship between cloud computing issues. In addition, artificial neural network modelling is used as a nonlinear statistical data model to predict cloud computing issues. IT managers and cloud developers must use practical approaches, methods and tools to predict cloud security issues in banking organizations. The back-propagation algorithm is used in layered feed-forward ANNs, where the artificial neurons are structured in layers and send their signals "forward", and the errors are then propagated backwards. The neural network receives input at the input layer and yields the output at the output layer, with the processing done in the hidden layers. There must be exactly one input layer and one output layer, but there may be an arbitrary number of hidden layers [17-19]. The BP algorithm should minimize these errors until the ANN has learned the training data. Typically, training starts with random weights, and the learning objective is to modify them so that the error is reduced [17-19]. The procedure for predicting cloud security issues using the Levenberg-Marquardt (LM) based Back Propagation (BP) algorithm is as follows:

1. Collect and prepare the data for cloud security issues based on the Cloud Delphi Technique.

2. Assign an estimated probability of occurrence and severity to the cloud security issues based on the security models.

3. Build the network for analysis.

4. Train the network: the neural network is generated from a Cloud Delphi dataset with known output data cases.

5. Test the network: the trained neural network is used to test how well it predicts known and new output values.

6. Predict cloud security issues with the models by using the artificial neural network to evaluate the performance impact of the CSI. The trained neural network is used to predict unknown output values.

6. RESULTS AND DISCUSSION

We used the Levenberg–Marquardt based Back Propagation (LMBP) algorithm, a nonlinear optimization method, to predict the performance. The mean square error and regression (R) values for the training, validation and testing sets are given in Table 1.

Table 1: MSE and regression values for the three sample types

Type         Samples   Share of data (%)   MSE             R
Training     28        70%                 4.94160×10^-7   9.95213×10^-1
Validation   6         15%                 8.75807×10^-6   9.79262×10^-1
Testing      6         15%                 1.95378×10^-5   9.49600×10^-1

Table 1 shows the overall mean square error, which measures the average squared error between the output data and the target data, and the regression value (R), which measures the correlation between the actual outputs and the target data, for the training, validation and testing samples. The prediction is most accurate when the values of R are closest to 1. When the dataset was trained using the LMBP algorithm, the best performance was obtained after 3 epochs with 10 hidden neurons. The results indicate that the LMBP algorithm is very efficient for training and testing the networks. A two-layer feed-forward network with hidden neurons was trained using the LMBP algorithm, as shown in Figure 2.


Figure 2: Architecture, algorithms and progress of the ANN system

Figure 3: Performance of the LMBP algorithm (MSE vs. epochs)

Figure 4: Error histogram with 20 bins based on LMBP

The network is trained and its performance measured using the LMBP algorithm in Matlab R2013b. We obtained the best validation performance of 0.0000087581 at epoch 3 (Figure 3), and the error histogram with 20 bins is illustrated in Figure 4. The regression R values measure the correlation between outputs and targets; the regression analysis plot in Figure 5 shows a perfect correlation between the outputs and targets. An R value of one means a close relation between outputs and targets, and zero a random relationship. LMBP is a nonlinear optimization model used to measure the accuracy of the prediction model; the Mean Square Error (MSE) is measured to determine the performance, and the performance is good if the MSE is small.

Figure 5: Regression analysis plot – Levenberg-Marquardt backpropagation algorithm

[Figure 3 plot data: MSE vs. epochs (0 to 5), curves Train, Validation, Test and Best; "Best Validation Performance is 8.7581e-06 at epoch 3"]

[Figure 4 plot data: error histogram with 20 bins, Errors = Targets – Outputs, series Training, Validation, Test and Zero Error]

[Figure 5 plot data: Output vs. Target with a fit line and the Y = T reference; Training: R=0.99521, Output ≈ 0.97*Target + 0.02; Validation: R=0.97926, Output ≈ 1.2*Target + 0.14; Test: R=0.9496, Output ≈ 1.3*Target + 0.23; All: R=0.9596, Output ≈ 1.1*Target + 0.041]

7. CONCLUSIONS

The concern of this study is to predict critical cloud computing security issues using Artificial Neural Network (ANN) algorithms. We presented the Levenberg–Marquardt based Back Propagation (BP) algorithm to predict the performance of the cloud security level. The LMBP algorithm is also applied to estimate and test the accuracy of predicting the cloud security level. ANNs are used efficiently for improving performance and learning neural membership functions. The performance of cloud security is analyzed using LMBP, which gives the best performance among the prediction models. Furthermore, we used the cloud Delphi technique for data gathering and analysis in this study, in which a sample of 40 panelists was selected from inside and outside Malaysian banking organizations based on their experience in banking cloud computing. We have shown that LMBP is a nonlinear optimization model used to measure the accuracy of the prediction model and to reduce the error between the actual outputs and targets during training; the Mean Square Error (MSE) is measured to determine the performance, and the performance is good if the MSE is small, as shown in Table 1. As future work, we intend to use another optimization technique with Artificial Neural Network algorithms to predict and mitigate critical cloud security issues.

8. Acknowledgements

This work is organized by the Welfare Association in Palestine and financially supported by the Arab Monetary Fund and the Bank of Palestine under the program named Academic Fellowship Program (Zamalah). The authors also would like to thank Al-Aqsa University, Gaza, Palestine and the Faculty of Information & Communication Technology, Universiti Teknikal Malaysia Melaka (UTeM), Malaysia.

References

[1] D. Hoang and L. Chen, "Mobile Cloud for Assistive Healthcare (MoCAsH)," in 2010 IEEE Asia-Pacific Services Computing Conference, 2010, pp. 325–332.
[2] J. Miler and J. Górski, "Supporting Team Risk Management in Software Procurement and Development Projects," in 4th National Conference on Software Engineering, 2002, pp. 1–15.
[3] J. Mounzer, T. Alpcan, and N. Bambos, "Integrated Security Risk Management for IT-Intensive Organizations," in 2010 Sixth International Conference on Information Assurance and Security, 2010, pp. 329–334.
[4] H. Li, Y. Pu, and J. Lu, "A Cloud Computing Resource Pricing Strategy Research-based on Resource Swarm Algorithm," in 2012 International Conference on Computer Science and Service System, 2012, pp. 2217–2222.
[5] Z. Gao, Y. Li, H. Tang, and Z. Zhu, "Management Process Based Cloud Service," in International Conference on Cyberspace Technology (CCT 2013), 2013, pp. 278–281.
[6] M. Alemu and A. Omer, "Cloud Computing Conceptual Security Framework for Banking Industry," J. Emerg. Trends Comput. Inf. Sci., vol. 5, no. 12, pp. 921–930, 2014.
[7] A. Alzahrani, N. Alalwan, and M. Sarrab, "Mobile Cloud Computing: Advantage, Disadvantage and Open Challenge," in Proceedings of the 7th Euro American Conference on Telematics and Information Systems, 2014, pp. 4–7.
[8] E. Aruna, A. Shri, and A. Lakkshmanan, "Security Concerns and Risk at Different Levels in Cloud Computing," in 2013 International Conference on Green Computing, Communication and Conservation of Energy (ICGCE), 2013, pp. 743–746.
[9] K. Beckers, J.-C. Kuster, H. Schmidt, and S. Faßbender, "Pattern-Based Support for Context Establishment and Asset Identification of the ISO 27000 in the Field of Cloud Computing," in 2011 Sixth International Conference on Availability, Reliability and Security, 2011, pp. 327–333.
[10] S. Goyal, "Public vs Private vs Hybrid vs Community-Cloud Computing: A Critical Review," International Journal of Computer Network and Information Security, vol. 6, no. 3, pp. 20–29, 2014.
[11] A. Khrisna and Harlili, "Risk Management Framework with COBIT 5 and Risk Management Framework for Cloud Computing Integration," in 2014 International Conference of Advanced Informatics: Concept, Theory and Application (ICAICTA), 2014, pp. 103–108.
[12] M. Kiran, M. Jiang, D. Armstrong, and K. Djemame, "Towards a Service Lifecycle based Methodology for Risk Assessment in Cloud Computing," in 2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing, 2011, pp. 450–457.
[13] M. Ahmadalinejad and S. Hashemi, "A National Model to Supervise on Virtual Banking Systems through the Bank 2.0 Approach," ACSIJ Adv. Comput. Sci. an Int. J., vol. 4, no. 1, pp. 83–93, 2015.
[14] F. Al-anzi, S. Yadav, and J. Soni, "Cloud Computing: Security Model Comprising Governance, Risk Management and Compliance," in 2014 International Conference on Data Mining and Intelligent Computing (ICDMIC), 2014, pp. 1–6.
[15] A. Elzamly, B. Hussin, S. A. Naser, K. Khanfar, M. Doheir, A. Selamat, and A. Rashed, "A New Conceptual Framework Modelling for Cloud Computing Risk Management in Banking Organizations," Int. J. Grid Distrib. Comput., vol. 9, no. 9, pp. 137–154, 2016.
[16] A. Elzamly, B. Hussin, and B. ASH, "Classification of Critical Cloud Computing Security Issues for Banking Organizations: A Cloud Delphi Study," Int. J. Grid Distrib. Comput., vol. 9, no. 8, pp. 137–158, 2016.
[17] B. Ibrahim and A. Shanavas, "An Approach to Predict SOA Security Vulnerabilities using Feed Forward Artificial Neural Networks," SIJ Trans. Comput. Networks Commun. Eng., vol. 3, no. 4, pp. 54–58, 2015.
[18] S. Abu Naser, "Predicting learners performance using artificial neural networks in linear programming intelligent tutoring system," International Journal of Artificial Intelligence & Applications, vol. 3, no. 2, pp. 65–73, 2012.
[19] S. Abu Naser et al., "Predicting Student Performance Using Artificial Neural Network: in the Faculty of Engineering and Information Technology," International Journal of Hybrid Information Technology, vol. 8, no. 2, pp. 221–228, 2015.

Authors' information

Abdelrafe Elzamly received his Ph.D. in Information and Communication Technology from the Technical University Malaysia Melaka (UTeM) in 2016, with a record of about 20 publications. He received his Master's degree in Computer Information Systems from the University of Banking and Financial Sciences in 2006 and his B.Sc. degree in Computer from Al-Aqsa University, Gaza in 1999. He is currently working as a full-time Assistant Professor at Al-Aqsa University. From 1999 to 2007 he worked as a part-time lecturer at the Islamic University in Gaza, and between 2010 and 2012 he worked as a Manager at the Mustafa Center for Studies and Scientific Research in Gaza. His research interests are in risk management, software and information systems engineering, cloud computing security, and data mining.

Burairah Hussin received his Ph.D. degree in Management Science (Condition Monitoring Modelling) from the University of Salford, UK in 2007. Before that, he received an M.Sc. degree in Numerical Analysis and Programming from the University of Dundee, UK in 1998 and a B.Sc. degree in Computer Science from the University of Technology Malaysia in 1996. He currently works as a Professor at the Technical University Malaysia Melaka (UTeM), where he also served as Dean of the Faculty of Information and Communication Technology. His research interests are in data analysis, data mining, maintenance modelling, artificial intelligence, risk management, numerical analysis, and computer network advising and development.

Samy Abu Naser received his Ph.D. in Computer Science from North Dakota State University, USA in 1993, his M.Sc. degree in Computer Science from Western Kentucky University, USA in 1989, and his B.Sc. degree in Computer Science from Western Kentucky University, USA in 1987. He is currently working as a professor at Al-Azhar University, where he has served as Dean of the Faculty of Engineering and Information Technology, as Deputy Vice President for Planning & Quality Assurance, and as deputy dean of the Faculty of Engineering and Information Technology. His research interests are in data mining, artificial intelligence, and risk management.

Tadahiro Shibutani received the Ph.D. degree in mechanical engineering from Kyoto University, Kyoto, Japan, in 2000. He was a Visiting Scholar with the Center of Advanced Life Cycle Engineering, University of Maryland, in 2007. He is currently Associate Professor at the Center for Creation of Symbiosis Society with Risk, Yokohama National University, Yokohama, Japan. His research interests include physics of failure, health monitoring, and risk management for engineering systems.

Mohamed Doheir is currently a PhD candidate in Health Care Management at University Technical Malaysia Malaka (UTeM). He received his M.Sc. degree in Internetworking Technology from University Technical Malaysia Malaka (UTeM) in 2012 and his B.Sc. degree in Educational Computer Science from Al Aqsa University, Gaza, Palestine in 2006. His research interests are in health care, cloud computing and network simulation.

Proceedings of IEEE CCIS2012

A NEURAL NETWORK BASED DISTRIBUTED INTRUSION DETECTION SYSTEM ON CLOUD PLATFORM

Zhe Li1, Weiqing Sun2, Lingfeng Wang1

1Department of Electrical Engineering and Computer Science,
2Department of Engineering Technology,
University of Toledo, 2801 W. Bancroft St., Toledo, OH 43606, USA

Abstract: Intrusion detection system (IDS) is an
important component to maintain network security. Also,
as the cloud platform is quickly evolving and becoming
more popular in our everyday life, it is useful and
necessary to build an effective IDS for the cloud.
However, existing intrusion detection techniques will be
likely to face challenges when deployed on the cloud
platform. The pre-determined IDS architecture may lead
to overloading of a part of the cloud due to the extra
detection overhead. This paper proposes a neural
network based IDS which is a distributed system with an
adaptive architecture so as to make full use of the
available resources without overloading any single
machine in the cloud. Moreover, with the machine
learning ability from the neural network, the proposed
IDS can detect new types of attacks with fairly accurate
results. Evaluation of the proposed IDS with the KDD
dataset on a physical cloud testbed shows that it is a
promising approach to detecting attacks in the cloud
infrastructure.

Keywords: Distributed IDS; Neural network; Cloud
security; Anomaly detection.

1 Introduction
Nowadays, cloud computing is known by more and
more people due to its advantages such as high
scalability, high flexibility and low operational cost.
Cloud service users usually do not need to know how
the cloud based software or platform runs; instead, they
only need to send the requests to the cloud provider and
then wait for the results, which is a much easier and
more efficient way to access the needed computing
resources [1]. However, there are several issues with the
current cloud platforms. According to Ref. [2], security
issues such as information leakage, unreliable data and
unauthorized access are the problems of most concern to
the majority of cloud users. Other issues such as stable
operations, support systems and user friendliness have
received less attention.

To address the security problem with the cloud, it is a
natural choice to deploy a distributed IDS system on the
cloud to protect the virtual machines (VMs) and virtual
networks against potential attacks. The major issue with
such a choice is that the IDS could overload some busy
nodes in the cloud and slow down the detection
efficiency if no special arrangements are made. On the
one hand, the IDS should not use too many resources to
affect the performance of the major computing tasks; On
the other hand, the deployed IDS should detect attacks
efficiently. Therefore, it is desirable to equip the
distributed IDS with the flexibility feature in that it can
dynamically adjust its architecture based on the real-
time resource usage information across the cloud.
Moreover, it is important for the IDS system to be
capable of detecting unknown (new) attacks in the cloud.
Hence, anomaly detection will be more suitable, but it
can be more demanding for resources [3, 4]. Thus, a
balance needs to be achieved to satisfy cloud customers
as well as provide the reasonable performance of
intrusion detection simultaneously.

Some approaches have been proposed to address the
security issues in the context of cloud computing. A
multiple dimensional result [5] has been presented by
using an artificial neural network (ANN) based
approach. The work was based on a single machine
instead of the cloud platform. In Ref. [6], the authors
presented an immune system in both anomaly and
misuse detection methods and compared the two
methods. The immune system is based on the
combination of positive and negative characterizations
which come from several features defined as normal or
abnormal states. A trusted agent based approach was
proposed in Ref. [7], which determines whether a
machine in a network is malicious based on the
experiences and its previous operations. In Ref. [8],
Vieira and Schulter proposed an ANN based function to
realize an IDS on the cloud, and a feed-back structure
ANN is used to create a behavior-based system and an
expert system to build a knowledge-based system. And
in Ref. [9] the authors concentrated on alleviating the
network traffic when realizing an IDS based on a
MapReduce framework.

Here a distributed IDS architecture is proposed which
consists of nodes running backpropagation (BP) based
ANNs on the cloud platform. By design, it is expected to
achieve better flexibility, scalability and performance.
The proposed IDS system has two main characteristics:

___________________________________
978-1-4673-1857-0/12/$31.00 ©2012 IEEE


1) It has a flexible distributed architecture which could
adjust its configuration based on real-time resource
usage information to avoid overloading any node in the
cloud.

2) It provides multiple dimensional results which could
be used to not only recognize malicious activities but
also find what malicious activities are taking place.

The remainder of the paper is organized as follows. In
Section 2, the BP-based neural network is introduced.
The design of ANN based intrusion detection in a cloud
environment is detailed in Section 3. The
implementation of the proposed algorithm in a physical
cloud experimental testbed is discussed in Section 4,
together with the related experimental results and
analysis. Conclusions and future work are given in the
final section.

2 Backpropagation (BP) algorithm based
neural network
As shown in Figure 1 [10], the whole neural network is
composed of three layers: input layer, hidden layer and
output layer.

Figure 1 General architecture of the backpropagation
algorithm based neural network

Now, we can regard a cloud as a lot of virtual machines
which offer services to users. Each machine can be used
to simulate a couple of nodes in a neural network so that
several virtual machines in the same cluster will
constitute a neural network. The following procedure
will show how the ANN algorithm works. Here are
some notations used in introducing the algorithm: x, y, w
represent the input data, output result, weight value
respectively, θ is correction needed only in the hidden
and output layer, it will be continuously updated after
each iteration, e is the error value, σ is error gradient and
p is the number of iterations:

1) Initialize all the weights and threshold levels of the network to random numbers distributed inside a small range $(-2.4/F_i,\ 2.4/F_i)$, where $F_i$ is the total number of inputs of neuron $i$ in the network.

2) Calculate the outputs of the neurons in the hidden layer:

$$y_j(p) = \mathrm{sigmoid}\left[\sum_{i=1}^{n} x_i(p)\, w_{ij}(p) - \theta_j\right]$$

where $n$ is the number of inputs of neuron $j$ in the hidden layer, and sigmoid is the sigmoid activation function $\mathrm{sigmoid}(s) = \dfrac{1}{1 + e^{-s}}$, with $e$ the base of the natural logarithm.

3) Calculate the actual outputs of the neurons in the output layer:

$$y_k(p) = \mathrm{sigmoid}\left[\sum_{j=1}^{m} x_j(p)\, w_{jk}(p) - \theta_k\right]$$

where $m$ is the number of inputs of neuron $k$ in the output layer, and $x_j(p)$ denotes the output $y_j(p)$ of hidden neuron $j$ fed into the output layer.

4) Calculate the error gradient for the neurons in the output layer:

$$\sigma_k(p) = y_k(p)\,[1 - y_k(p)]\, e_k(p)$$

where $e_k(p) = y_{d,k}(p) - y_k(p)$ and $y_{d,k}$ is the desired output value.

5) Calculate the weight corrections:

$$\Delta w_{jk}(p) = \alpha\, y_j(p)\, \sigma_k(p)$$

then update

$$w_{jk}(p+1) = w_{jk}(p) + \Delta w_{jk}(p)$$

where $\alpha$ is termed the learning rate.

6) Calculate the error gradient for the neurons in the hidden layer:

$$\sigma_j(p) = y_j(p)\,[1 - y_j(p)] \sum_{k=1}^{l} \sigma_k(p)\, w_{jk}(p)$$

where $l$ is the number of neurons in the output layer.

7) Calculate the weight corrections:

$$\Delta w_{ij}(p) = \alpha\, x_i(p)\, \sigma_j(p)$$

then update

$$w_{ij}(p+1) = w_{ij}(p) + \Delta w_{ij}(p)$$

8) Increase iteration $p$ by 1, go back to step 2 and repeat the process until the selected error criterion is satisfied.
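The 8-step procedure above, together with the MSE and regression R metrics reported in Table 1 of the ITEE paper earlier on this page, implemented as an added example (not code from either paper): a pure-Python input/hidden/output network trained with the gradient-descent BP update of steps 1 to 8 (not the Levenberg-Marquardt variant the ITEE paper used), evaluated on a constructed 40-record dataset split 70/15/15 as in Table 1. The record format, the feature ranges and the network size (4 inputs, 5 hidden neurons, 1 output) are assumptions, not values from the papers.

```python
import math
import random

def sigmoid(s):
    return 1.0 / (1.0 + math.exp(-s))  # activation 1 / (1 + e^-s) of the hidden and output layers

class BPNetwork:
    def __init__(self, n_in, n_hidden, n_out, seed=1):
        rng = random.Random(seed)
        # Step 1: weights and thresholds start in (-2.4/Fi, 2.4/Fi), Fi = inputs of the neuron
        r_h, r_o = 2.4 / n_in, 2.4 / n_hidden
        self.w_ij = [[rng.uniform(-r_h, r_h) for _ in range(n_hidden)] for _ in range(n_in)]
        self.theta_j = [rng.uniform(-r_h, r_h) for _ in range(n_hidden)]
        self.w_jk = [[rng.uniform(-r_o, r_o) for _ in range(n_out)] for _ in range(n_hidden)]
        self.theta_k = [rng.uniform(-r_o, r_o) for _ in range(n_out)]

    def forward(self, x):
        # Step 2: y_j = sigmoid(sum_i x_i * w_ij - theta_j)
        y_h = [sigmoid(sum(x[i] * self.w_ij[i][j] for i in range(len(x))) - self.theta_j[j])
               for j in range(len(self.theta_j))]
        # Step 3: y_k = sigmoid(sum_j y_j * w_jk - theta_k)
        y_o = [sigmoid(sum(y_h[j] * self.w_jk[j][k] for j in range(len(y_h))) - self.theta_k[k])
               for k in range(len(self.theta_k))]
        return y_h, y_o

    def train_step(self, x, d, alpha):
        y_h, y_o = self.forward(x)
        # Step 4: sigma_k = y_k * (1 - y_k) * e_k, with e_k = d_k - y_k
        sigma_o = [y * (1.0 - y) * (dk - y) for y, dk in zip(y_o, d)]
        # Step 6: sigma_j = y_j * (1 - y_j) * sum_k sigma_k * w_jk, taken with the weights of
        # iteration p (standard BP), so it is computed before step 5 changes w_jk
        sigma_h = [y_h[j] * (1.0 - y_h[j]) * sum(sigma_o[k] * self.w_jk[j][k]
                                                  for k in range(len(sigma_o)))
                   for j in range(len(y_h))]
        # Step 5: w_jk(p+1) = w_jk(p) + alpha * y_j * sigma_k; theta_k is a weight on input -1
        for j in range(len(y_h)):
            for k in range(len(sigma_o)):
                self.w_jk[j][k] += alpha * y_h[j] * sigma_o[k]
        self.theta_k = [t - alpha * s for t, s in zip(self.theta_k, sigma_o)]
        # Step 7: w_ij(p+1) = w_ij(p) + alpha * x_i * sigma_j; theta_j likewise
        for i in range(len(x)):
            for j in range(len(sigma_h)):
                self.w_ij[i][j] += alpha * x[i] * sigma_h[j]
        self.theta_j = [t - alpha * s for t, s in zip(self.theta_j, sigma_h)]
        return sum((dk - y) ** 2 for y, dk in zip(y_o, d))  # squared error of this record

    def train(self, data, alpha=0.5, max_epochs=500, sse_goal=0.01):
        # Step 8: keep iterating over the training set until the error criterion is met
        for epoch in range(1, max_epochs + 1):
            if sum(self.train_step(x, d, alpha) for x, d in data) < sse_goal:
                break
        return epoch

def outputs(net, data):
    return [net.forward(x)[1][0] for x, _ in data]  # first output neuron, every record

def mse(net, data):
    """Mean squared error between outputs and targets (the MSE column of Table 1)."""
    return sum((d[0] - o) ** 2 for o, (_, d) in zip(outputs(net, data), data)) / len(data)

def regression_r(net, data):
    """Pearson correlation between outputs and targets (the R column of Table 1)."""
    outs, tgts = outputs(net, data), [d[0] for _, d in data]
    mo, mt = sum(outs) / len(outs), sum(tgts) / len(tgts)
    cov = sum((o - mo) * (t - mt) for o, t in zip(outs, tgts))
    so, st = math.sqrt(sum((o - mo) ** 2 for o in outs)), math.sqrt(sum((t - mt) ** 2 for t in tgts))
    return cov / (so * st) if so and st else 0.0

def accuracy(net, data):  # share of records whose output, thresholded at 0.5, matches the target
    hits = [(o >= 0.5) == (d[0] >= 0.5) for o, (_, d) in zip(outputs(net, data), data)]
    return sum(hits) / len(hits)

def make_dataset(n=40, seed=7):
    """Constructed stand-in for KDD-style connection records: four features scaled to [0, 1]
    (duration, bytes, failed-login share, error-rate share); target 0 = normal, 1 = attack."""
    rng = random.Random(seed)
    data = []
    for i in range(n):   # labels alternate so every split contains both classes
        if i % 2 == 0:   # normal traffic: few failed logins, low error rate
            x = [rng.uniform(0, .5), rng.uniform(0, .5), rng.uniform(0, .1), rng.uniform(0, .2)]
            data.append((x, [0.0]))
        else:            # attack-like traffic: many failed logins, high error rate
            x = [rng.uniform(0, 1), rng.uniform(0, 1), rng.uniform(.6, 1), rng.uniform(.5, 1)]
            data.append((x, [1.0]))
    return data

def run_experiment():
    """Table 1's 70/15/15 split (28/6/6 of 40 records), then MSE and R for each split."""
    data = make_dataset()
    n_tr, n_va = int(len(data) * 0.70), int(len(data) * 0.15)
    train, val, test = data[:n_tr], data[n_tr:n_tr + n_va], data[n_tr + n_va:]
    net = BPNetwork(n_in=4, n_hidden=5, n_out=1)
    mse_before = mse(net, train)
    epochs = net.train(train)
    return {"epochs": epochs, "mse_before": mse_before,
            "train": (mse(net, train), regression_r(net, train)),
            "validation": (mse(net, val), regression_r(net, val)),
            "test": (mse(net, test), regression_r(net, test), accuracy(net, test))}
```

Calling run_experiment() returns the per-split MSE and R in the same shape as Table 1, plus the test-set accuracy of the thresholded output.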

The trained ANN acquires the knowledge of normal
activities and attacks for performing anomaly detection
tasks. In our research, the KDD database is used in the
training phase. For each network connection, 41
different quantitative and qualitative features were
extracted. So after training, ANN learns what all the
feature values are like in normal activities and in various
attack scenarios. When any event is coming into the
network, it will be treated as at least 41 input values
corresponding to 41 different features of the event, then
all these inputs will pass through the hidden layer and
output layer in the ANN, the output node will get the
result. When a malicious activity is detected, the output
layer will raise an alarm and disallow the malicious
activity. Every activity followed will be recorded in case
the origin of the attack needs to be tracked. The
supervisor of the cloud will fetch this information from
the output layer. The output layer resides in the cluster
leader machine, and the leader is the only machine
which is allowed to communicate with the outside world.
These 41 dimensional vectors make the detections more
accurate in the complex cyber environment.

[Figure 1 labels: input layer with neurons 1, 2, …, i, …, n receiving inputs x_1, x_2, …, x_i, …, x_n; hidden layer with neurons 1, 2, …, j, …, m connected by weights w_ij; output layer with neurons 1, 2, …, k, …, l producing y_1, y_2, …, y_k, …, y_l, connected by weights w_jk; input signals flow forward and error signals flow backward]

3 System architecture
We used Ubuntu Enterprise Cloud (UEC), which is
Ubuntu’s Eucalyptus-powered cloud platform, to build
the cloud on our servers. Eucalyptus is one of the most
popular cloud platforms which is well developed and
feature-rich. Also it is designed to provide an Amazon
EC2 compatible API. The Eucalyptus cloud platform is
composed of five major components as shown in Figure
2:

1) The CLC (Cloud controller) is used to manage the
underlying virtualized resources.

2) The Walrus provides an S3-like service to perform
scalability and access control of virtual machines.

3) The CC (Cluster controller) controls the whole
cluster by managing executions and networking.

4) The SC (Storage controller) handles storage in a
cluster.

5) At least one NC (Node controller) controls activities
in VM instances.

Figure 2 Architecture of the cloud

Based on this cloud platform, the ANN-based IDS will
be established. In the architecture, there is one manager
VM and multiple worker VMs in the network. The
manager VM monitors the load information for the
worker VMs and decides the mapping of ANN on the
worker VMs dynamically. That is, those worker VMs
having certain amounts of resources available will be
chosen to perform the intrusion detection task, and the
worker VMs are assigned to the input layer, hidden layer
and output layer to form an ANN.

The input layer in the proposed ANN structure is
responsible for collecting data from the network. All the
requests or data flow in the network should first be
collected by those nodes and then be passed through the
whole neural network for any malicious activities. The
hidden layer receives the raw data from the input layer
and processes them based on the ANN mechanism
discussed in Section 2, and forwards the results to the
output layer. This layer will also modify weight values
of the input layer after each iteration and pass those
updated values to the input layer. The output layer
derives the final result based on the intermediate results
received from the hidden layer. It also updates weight

values for the hidden layer and sends them to the hidden
layer to improve the overall network behavior.

As mentioned previously, the architecture shown in
Figure 3 is proposed for improving the system flexibility,
which is also important to enhance the robustness of
IDS [11-13]. When one node in the IDS is unavailable
due to situations such as deadlock, power-off, and scarce
resources, the IDS is able to adjust itself accordingly to
form a new capable architecture.

[Figure 3 labels: two input nodes, two hidden nodes, one output node, and the manager]

Figure 3 Architecture of the proposed IDS

Figure 4 shows the process flow for the multi-threaded manager process. When a client joins the IDS, it raises a thread and connects to the server; the server then stores the thread in the queue together with the address and port number. Once the network connection is established, all the clients send their resource usage information periodically to the manager, so that it can select the most appropriate nodes to construct the IDS. After the IDS is built, all the other IDS nodes receive the message from the manager and run the corresponding function (input, hidden, output or wait) based on the conditional statement. In addition, the IDS nodes update their resource usage information to the manager every 10 seconds, and all other nodes do the same every 10 minutes.

[Figure 4 flowchart labels: manager; conditional statements; wait; stop connection; send address and port number back; build connection; read data; build connection; do the computing; stop connection; build new connection; build server; do the computing; propagation; wait; stop; update; output; hidden; input; send message; update every 10 seconds for nodes in IDS; update every 10 minutes for nodes not in IDS]

Figure 4 Process flowchart for the manager

When some nodes in the IDS become unavailable (busy or powered off), the manager will be informed of this event within 10 seconds based on the system design. The manager will then choose new nodes based on the most recent resource usage information. It will send messages to stop the old connections and ask to build new ones. Thus, the whole IDS can continue to function. Also, when some nodes outside the IDS become unavailable, the manager will be notified of this change within 10 minutes, so the manager will not choose them as candidates for IDS nodes. Further, the structure of the IDS can be adjusted through the manager, which sends messages to the candidate nodes to build a new IDS structure as requested. All the models are trained off-line before they are deployed.

[Figure 5 diagram labels: Server 1, Server 2, Cluster, Cloud Controller, Walrus, Storage Controller, Node Controller, Cluster Controller]

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:56:53 UTC from IEEE Xplore. Restrictions apply.

Proceedings of IEEE CCIS2012
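
The manager behaviour described above and in Figure 4 (clients register with an address and port, report resource usage periodically, the manager picks the most suitable nodes for the input, hidden and output layers, and reselects within the reporting window when an IDS member stops reporting), as an added Python simulation that is not the paper's code. It assumes constructed addresses and load figures, a (2, 2, 1) structure, and treats a node as unavailable once its last report is older than its interval (10 s for IDS members, 10 min for the rest); it models the selection logic only, not the sockets and threads of the real manager.

```python
"""Added simulation of the manager's node selection and recovery logic:
worker VMs register and report resource usage, the manager picks the
least-loaded live VMs for the input/hidden/output layers, and reselects
when an IDS member's report is older than its heartbeat interval.
Constructed addresses and load figures; no sockets or threads."""
from dataclasses import dataclass

IDS_HEARTBEAT = 10       # seconds: nodes inside the IDS report every 10 s
IDLE_HEARTBEAT = 600     # seconds: nodes outside the IDS report every 10 min


@dataclass
class Worker:
    addr: str
    port: int
    load: float       # constructed metric: fraction of resources in use (0..1)
    last_seen: float  # time of the most recent resource report


class Manager:
    def __init__(self, structure):
        self.structure = structure   # e.g. (2, 2, 1) for the 5-node model
        self.workers = {}            # "addr:port" -> Worker
        self.roles = {}              # "addr:port" -> input/hidden/output/wait

    def register(self, addr, port, load, now):
        """A client joined: store it under its address and port."""
        key = f"{addr}:{port}"
        self.workers[key] = Worker(addr, port, load, now)
        return key

    def report_usage(self, key, load, now):
        """Periodic resource usage message from a worker."""
        w = self.workers[key]
        w.load, w.last_seen = load, now

    def is_stale(self, key, now):
        """A node is unavailable once it misses its reporting interval."""
        in_ids = self.roles.get(key, "wait") != "wait"
        interval = IDS_HEARTBEAT if in_ids else IDLE_HEARTBEAT
        return now - self.workers[key].last_seen > interval

    def build(self, now):
        """(Re)select the least-loaded live nodes, assign layer roles and
        return the (node, action) messages that change a node's state."""
        needed = sum(self.structure)
        live = [k for k in self.workers if not self.is_stale(k, now)]
        live.sort(key=lambda k: self.workers[k].load)
        if len(live) < needed:
            raise RuntimeError("not enough live worker VMs to form the ANN")
        desired = {k: "wait" for k in self.workers}
        start = 0
        for layer, count in zip(("input", "hidden", "output"), self.structure):
            for k in live[start:start + count]:
                desired[k] = layer
            start += count
        messages = [(k, action) for k, action in desired.items()
                    if self.roles.get(k) != action]
        self.roles = desired
        return messages

    def check(self, now):
        """Manager loop step: rebuild only if an IDS member went silent."""
        lost = [k for k, role in self.roles.items()
                if role != "wait" and self.is_stale(k, now)]
        return self.build(now) if lost else []


def demo():
    """Seven constructed VMs; the least-loaded one drops out after 30 s."""
    m = Manager(structure=(2, 2, 1))
    loads = [0.10, 0.20, 0.30, 0.40, 0.50, 0.60, 0.70]
    keys = [m.register(f"10.0.0.{i + 1}", 5000, load, 0.0)
            for i, load in enumerate(loads)]
    first = m.build(0.0)
    for k in keys[1:]:                      # every node except the first reports
        m.report_usage(k, m.workers[k].load, 30.0)
    rebuilt = m.check(30.0)
    return first, rebuilt, dict(m.roles)


if __name__ == "__main__":
    for msg in demo()[1]:
        print(msg)
```

In the demo the first build sends one message to each of the seven VMs; after the input node at 10.0.0.1 misses its 10-second report, the rebuild only messages the four nodes whose role actually changes, which is the "stop the old connections and build new ones" step of the text.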

4 Experimental results
Several experiments were performed to demonstrate the
effectiveness of the proposed IDS. As shown in Figure 5,
the servers used to build the cloud platform are two Dell
PowerEdge R710 server machines and one Dell
PowerEdge R610 server machine with Quad-core Intel®
Xeon® CPU, 20 GB RAM and 500GB hard disk. 30
virtual machines were created each with 512MB RAM
to emulate a cloud environment.

Figure 5 The experimental cloud testbed based on Dell® PowerEdge® R710 and R610 Servers

The first step in the experiment is to train the neural network. As a flexible IDS is desired, three different models are pre-trained (the number of models could be larger depending upon the specific application) on 10 percent of the KDD dataset with 3, 5 and 7 nodes respectively to perform the intrusion detection function. The IDS receives instructional signals from the manager, and then forms the corresponding architecture for the intrusion detection tasks. Table I shows the performance results for the different models/structures of the IDS in terms of training time, detection time and detection accuracy. The numbers reported are the average across 10 runs. As can be seen from the table, the average detection accuracy is around 99% for all three models, and the training and detection times increase as the number of IDS nodes increases because of the additional communication overhead.

Here we chose the 5-node architecture as an example, and some of the resulting experimental results are discussed. In this 5-node neural network, the ANN is distributed in a 2-2-1 structure, which means there are 2 nodes in each of the input and hidden layers and 1 node in the output layer. The learning rate chosen is 0.1, the corrections in the two hidden node machines are 0.8 and -0.1 respectively, and the correction in the output node machine is 0.3.

Table I Performance results of different IDS models

Model | Structure | Average training time | Average detection time | Average detection accuracy
3     | 1-1-1     | 5m3s                  | 20.73s                 | 98.3%
5     | 2-2-1     | 5m45s                 | 36.95s                 | 99%
7     | 3-3-1     | 6m35s                 | 53.62s                 | 99.7%

In the input layer, those weight values keep changing in
the training phase to adapt to the training data so that the
performance of the whole IDS will be constantly
improved. As there are 41 inputs (based on KDD dataset,
every data flow in the network has 41 different feature
values), after the training phase each input will have a
corresponding weight value. In total 41 weights will be
saved in the input layer, which are ready to be used to
conduct the detection task.

In the output layer, the iteration number and the error between the real result and the desired result can be obtained. In the whole training process, it was found that although the error value did not keep decreasing after every single training cycle, the general trend did decrease, which means the IDS performance is being improved. Technically speaking, when the error becomes less than 0.001, the ANN is considered ready to be used.

The total time consumed in the training phase is
between 5 to 6 minutes. As an example, Table II below
shows the value change in one of the 41 input weights
(W1), one of the hidden weights (H1) and the error
value in the output layer (Error).

Table II Results of the training phase

      | Before training      | During training      | After training
W1    | 0.028706280142065916 | 0.02872633591204304  | 0.028755497556997633
H1    | 0.2163137261439795   | 0.2162864389576207   | 0.21626300081037786
Error | 0.24707742093260648  | 5.738612462453663E-4 | 1.017146810110198E-15
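
An added, self-contained illustration of the training phase the preceding paragraphs and Table II describe: 41 inputs (one per KDD feature), a 2-2-1 network, and training that stops once the error falls below 0.001. It is not the paper's code, and the ANN mechanism of the paper's Section 2 is not in this excerpt, so it uses standard sigmoid backpropagation with a mean squared error criterion; the learning rate, the weight initialization and the constructed 41-feature dataset (five discriminating features plus 36 noise features) are assumptions, and because this is a conventional MLP each hidden node keeps its own 41 input weights.

```python
"""Added example: a 41-input, 2-hidden, 1-output sigmoid MLP trained by
backpropagation until the mean squared error drops below 0.001.
Pure Python; dataset and hyper-parameters are constructed assumptions."""
import math
import random

N_INPUTS = 41            # one input per KDD feature, as in the paper
N_HIDDEN = 2             # 2-2-1 model: two hidden nodes, one output node
ERROR_THRESHOLD = 0.001  # readiness criterion used by the paper


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def make_dataset(n_per_class=8, seed=1):
    """Constructed stand-in for KDD records: 41 features in [0, 1]. The first
    five are high for 'attack' rows and low for 'normal' rows; the other 36
    are uniform noise the network has to learn to ignore."""
    rng = random.Random(seed)
    rows = []
    for label in (0, 1):
        for _ in range(n_per_class):
            lo, hi = (0.7, 1.0) if label else (0.0, 0.3)
            x = [rng.uniform(lo, hi) for _ in range(5)]
            x += [rng.uniform(0.0, 1.0) for _ in range(N_INPUTS - 5)]
            rows.append((x, float(label)))
    rng.shuffle(rows)
    return rows


class MLP:
    def __init__(self, seed=1):
        rng = random.Random(seed)
        self.w_hidden = [[rng.uniform(-0.1, 0.1) for _ in range(N_INPUTS)]
                         for _ in range(N_HIDDEN)]
        self.b_hidden = [0.0] * N_HIDDEN
        self.w_out = [rng.uniform(-0.1, 0.1) for _ in range(N_HIDDEN)]
        self.b_out = 0.0

    def forward(self, x):
        """Return (hidden activations, output activation)."""
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w_hidden, self.b_hidden)]
        o = sigmoid(sum(w * hi for w, hi in zip(self.w_out, h)) + self.b_out)
        return h, o

    def train(self, rows, learning_rate=0.5, max_epochs=5000):
        """Online backpropagation; returns (epochs run, final MSE).
        Stops as soon as the epoch's mean squared error is below threshold."""
        mse = float("inf")
        for epoch in range(1, max_epochs + 1):
            total = 0.0
            for x, target in rows:
                h, o = self.forward(x)
                err = target - o
                total += err * err
                delta_o = err * o * (1 - o)                    # output gradient
                delta_h = [delta_o * wo * hi * (1 - hi)        # hidden gradients
                           for wo, hi in zip(self.w_out, h)]
                for j in range(N_HIDDEN):                      # hidden->output
                    self.w_out[j] += learning_rate * delta_o * h[j]
                self.b_out += learning_rate * delta_o
                for j in range(N_HIDDEN):                      # input->hidden
                    row = self.w_hidden[j]
                    for i in range(N_INPUTS):
                        row[i] += learning_rate * delta_h[j] * x[i]
                    self.b_hidden[j] += learning_rate * delta_h[j]
            mse = total / len(rows)
            if mse < ERROR_THRESHOLD:
                return epoch, mse
        return max_epochs, mse


def train_and_evaluate():
    """Train on the constructed data and report convergence and accuracy."""
    rows = make_dataset()
    net = MLP()
    epochs, mse = net.train(rows)
    correct = sum((net.forward(x)[1] >= 0.5) == (t == 1.0) for x, t in rows)
    return {"epochs": epochs, "mse": mse, "accuracy": correct / len(rows),
            "input_weights": N_INPUTS * N_HIDDEN}


if __name__ == "__main__":
    print(train_and_evaluate())
```

As in the paper's observation, the per-epoch error is not monotone but trends downward until the 0.001 threshold stops training; the returned epoch count and final error are the analogue of the "iteration numbers and the error" read from the output layer.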

Following the training phase, we tested the ANN performance using the KDD no-label dataset and the corrected dataset. From the experimental results, it was found that every different state corresponds to a small range of values. Thus, according to the value obtained from the output layer, we can not only determine whether there are malicious actions but also know what kind of attack is transpiring. The sample results from a test are shown in Figure 6, and it can be seen that the IDS is able to classify every abnormal activity and normal activity without any wrong detection. The accuracy is 100% in this case. But this does not mean the accuracy can always be this high. Initial values like weights, corrections and learning rate are randomly generated and picked, so every time the ANN is trained, different results and value intervals of the system states may be yielded.


According to all the tests carried out, a 99% or higher
accuracy can be oftentimes achieved.

Figure 6 A screenshot demonstrating the testing results

To illustrate the result more clearly, Table III below is
used to show multiple dimensional results with different
value intervals based on the same test shown in Figure 6.

Table III Value intervals of different states

Value interval State
0.17~0.181 Ipsweep
0.062~0.067 Normal
0.81~0.82 Snmpgetattack
0.093~0.094 Xsnoop
0.048~0.051 Satan
0.024~0.027 smurf or xterm
0.61~0.63 Warezmaster
0.076~0.079 apache2
0.182~0.185 neptune or back
0.156~0.159 Nmap
0.41~0.43 Portsweep
0.037~0.039 Xlock
>1 buffer_overflow
0.71~0.73 guess_passwd
0.29~0.31 Multihop
0.25~0.27 Mailbomb
0.055~0.057 Mscan
0.067~0.069 Named

Only two sets of states (i.e., smurf and xterm, neptune and back) fall in overlapping intervals. So the overall performance is satisfactory. We also evaluated the recovery cost when a number of IDS nodes become unavailable. The results shown in Table IV are based on the 7-node model with a 3-3-1 architecture.

Table IV Recovery time for proposed IDS

Number of unavailable nodes | Average recovery time
1                           | 3.4s
2                           | 5.2s
3                           | 6.5s

5 Conclusions and future work
In this paper, a neural network based IDS is built on a
cloud platform. The accuracy of the implemented IDS is
shown to be high and the time expense is acceptable.
Implementation of the neural network in the cloud is a
promising direction. There is still much room left for
further improving the current work. For example, the
KDD dataset used is based on every message passing
through a single machine in the network. In fact, there
are various ways to attack a network by compromising
several machines simultaneously [14]. So an enhanced
algorithm should be developed to detect those kinds of
attacks. Also, the anomaly detection algorithm can be
further enhanced by adding misuse detection functions.
The idea is to build an expert database to achieve
knowledge based detection.

References
[1] S. Ramgovind, M. M. Eloff, and E. Smith, “The management of security in Cloud computing,” in Information Security for South Asia, 2010, pp. 1-7.

[2] M. Okuhara, T. Shiozaki, and T. Suzuki, “Security architectures for cloud computing,” FUJITSU Sci. Tech. J., vol. 46, no. 4, pp. 397-402, October 2010.

[3] A. K. Ghosh and A. Schwartzbard, “A study of using neural network for anomaly and misuse detection,” Proceedings of the 8th USENIX Security Symposium, page 12, Washington, D.C., USA, August 1999.

[4] W. Lee and D. Xiang, “Information-Theoretic Measures for Anomaly Detection,” Proceedings of 2001 IEEE Symposium on Security and Privacy, page 130.

[5] S. Mukkamala, G. Janoski, and A. Sung, “Intrusion Detection Using Neural Networks and Support Vector Machines,” Neural Networks, Proc. of the 2002 International Joint Conference, pp. 1702-1707.

[6] D. Dasgupta and F. González, “An Immunity-Based Technique to Characterize Intrusions in Computer Networks,” IEEE Transactions on Evolutionary Computation, 6(3), pp. 1081-1088, June 2002.

[7] S. Pal, S. Khatua, N. Chaki, and S. Sanyal, “A New Trusted and Collaborative Agent Based Approach for Ensuring Cloud Security,” Annals of Faculty Engineering Hunedoara International Journal of Engineering, Vol. 10, Issue 1, February 2012.

[8] K. Vieira, A. Schulter, C. Westphall, and C. Westphall, “Intrusion detection techniques in grid and cloud computing environment,” IT Professional, vol. 99, 2009.

[9] M. D. Holtz, B. M. David, and R. T. de Sousa Junior, “Building Scalable Distributed Intrusion Detection Systems Based on the MapReduce Framework,” REVISTA Telecomunicacoes, no. 2, pp. 22-31, 2011.

[10] N. Michael, Artificial Intelligence – A Guide to Intelligent Systems, 2nd edition, Addison Wesley, 2005.

[11] V. Kotov and V. Vasilyev, “A Survey of Modern Advances in Network Intrusion Detection,” 13th International Workshop on Computer Science and Information Technologies (CSIT’2011), pp. 18-21, 2011.

[12] P. Guan and X. Li, “Minimizing distribution cost of distributed neural networks,” Scalable Software Systems Laboratory, Department of Computer Science, Oklahoma State University, Stillwater, pp. 1-5, 2007.

[13] Y. Chen, V. Paxson, and R. Katz, “What’s New About Cloud Computing Security?” Technical Report No. UCB/EECS-2010-5.

[14] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, “Collabra: A Xen Hypervisor based Collaborative Intrusion Detection System,” Eighth International Conference Information Technology: Next Generations, pp. 695-700, 2011.


Artificial Intelligence based Network Intrusion Detection with Hyper-Parameter Optimization Tuning on the Realistic Cyber Dataset CSE-CIC-IDS2018 using Cloud Computing

V. Kanimozhi and T. Prem Jacob

Abstract—One of the latest emerging technologies is artificial intelligence, which makes the machine mimic human behavior. The most important component used to detect cyber attacks or malicious activities is the Intrusion Detection System (IDS). Artificial intelligence plays a vital role in detecting intrusions and is widely considered the better way of adapting and building an IDS. Nowadays, artificial intelligence algorithms are rising as a brand new computing technique that can be applied to real-time issues. In modern days, neural network algorithms are emerging as a new artificial intelligence technique that can be applied to real-time problems. The proposed system detects a class of botnet attack which poses a serious threat to financial sectors and banking services. The proposed system is created by applying artificial intelligence to a realistic cyber defense dataset (CSE-CIC-IDS2018), the very latest intrusion detection dataset, created in 2018 by the Canadian Institute for Cybersecurity (CIC) on AWS (Amazon Web Services). The proposed system of Artificial Neural Networks provides an outstanding performance: an accuracy score of 99.97%, an average area under the ROC (Receiver Operator Characteristic) curve of 0.999 and an average false positive rate of a mere 0.001. The proposed system for botnet attack detection using artificial intelligence is powerful, more accurate and precise. The novel proposed system can be implemented on n machines for conventional network traffic analysis, cyber-physical system traffic data and also real-time network traffic analysis.

Index Terms—Artificial Intelligence, AWS, CSE-CIC-IDS2018,
hyper-parameter optimization and realistic network traffic cyber
dataset.

V. Kanimozhi, Research Scholar, Department of Computer Science, Sathyabama Institute of Science and Technology, Chennai, India (e-mail: [email protected])

Dr. T. Prem Jacob, Associate Professor, Department of Computer Science, Sathyabama Institute of Science and Technology, Chennai, India (e-mail: [email protected])

I. INTRODUCTION

The objective of network intrusion detection is to identify and monitor malicious activities. Most of the current IDSs can be partitioned into two fundamental classes: signature-based intrusion detection and anomaly-based intrusion detection. A signature-based IDS detects intrusions by comparing incoming network traffic with already known attacks that are stored in a database as signatures. Existing attacks are well detected by such an IDS, but it often fails to detect novel (unseen) attacks. The second category is the anomaly-based IDS. Normal traffic is modelled by the IDS by learning patterns in the training phase, and deviations from these learned patterns are labelled as anomalies or intrusions. The implementation of a real-time anomaly-based IDS is a herculean task because of the rapid increase in network traffic and the very limited availability of computational resources (computation time and memory) [1-5].
There is another challenge: the risk of overfitting due to the high-dimensional feature space and the model complexity of the IDS. Artificial Intelligence (AI) based techniques play a crucial role in the development of IDSs and have advantages over other techniques. There is no appropriate and well-defined technique to solve anomaly detection problems [6-8].
The scheme of the proposed system can facilitate a better understanding of the various intrusion detection approaches that have been studied in the field of IDS. It is helpful for those interested in applications of AI-based techniques to IDSs and related fields. In this paper, we propose an experimental approach of Artificial Neural Networks with hyper-parameter optimization on the realistic new IDS cyber dataset (CSE-CIC-IDS2018), which includes most of the up-to-date attacks (PCAP) along with labeled flows covering more than 80 features (CSV), obtained through cloud computing on AWS services, for intrusion detection in order to provide higher accuracy [9-12].
The rest of the paper is organized as follows. Section II contains the background of the work and previous work. Sections III and IV describe the methodology and implementation of the work. Section V discusses the results. Finally, Section VI concludes the paper.


International Conference on Communication and Signal Processing, April 4-6, 2019, India

978-1-5386-7595-3/19/$31.00 ©2019 IEEE


II. BACKGROUND AND PREVIOUS WORK
A lot of research work has been carried out on intrusion detection methods, either intrusion detection on a host (HIDS) or intrusion detection on a network (NIDS), and also on artificial intelligence, but there is no comprehensive, reliable cyber dataset which covers both contemporary and modern-day attacks for network intrusion detection systems [13,14]. Alex Shenfield and his co-authors stated that their study performed an offline technique for recognizing shellcode patterns inside data [1]. Networks are more vulnerable day by day due to modern attacks. In this proposed system, we make use of the latest realistic cyber dataset, which comprises both existing attacks and zero-day attacks, produced by the Canadian Institute for Cybersecurity and obtained through cloud computing [15,16].

III. METHODOLOGY
A. Botnet
The term botnet is coined from two words, “Robot” and “Network”. It is a network of computers that can be operated or commanded remotely. In other words, it is malware that allows a system or server to be controlled and commanded remotely by an operator.
Botnets perform various criminal and malicious activities, such as stealing information, especially in the banking and financial sectors, by logging and grabbing customer information. They hijack confidential information such as login names, user passwords and other credentials. Some botnet attack techniques are described as follows.
Crypto-Locker ransomware – This software attacks the Windows operating system by encrypting all the files on the user’s system with an RSA-2048 public key. It demands a hefty ransom in order to decrypt the files. It is an astounding fact that the virus earned $30 million in a hundred days.
Cyber apocalypse – Another malware that poses a serious threat to networks and produces the impact of an army of bots. Examples of bots are Zeus and Ares. Denial-of-service attacks are launched by botnets of zombie computers, which can be propagated through drive-by downloads and spam emails.
Credential stuffing is a malicious activity that carries out an automated injection attack, using botnets, to access online services with stolen credentials. Researchers from Akamai reported that 30 hundred million malicious login attempts were made between 2017 and June 2018, originating from the U.S., Russia and Vietnam.

B. Artificial Neural Networks

Artificial Neural Network models are a machine learning structure that attempts to mirror the learning pattern of natural neural systems, i.e. biological systems. Natural neural systems work in the sense that the dendrites receive inputs, which are presented to the interconnected neurons of the human brain. Based on these inputs, they produce an output signal through an axon to another neuron. We attempt to imitate this procedure using Artificial Neural Networks (ANN), simply referred to as neural networks from now on. Neural networks are the foundation of deep learning, a subset of machine learning responsible for many of the technical advances of today.

C. Multi-layer Perceptron Classifier Model tuned with hyper-parameter optimization
The realistic cyber dataset is preprocessed and all the object features are converted into numeric features; we then trained the Artificial Intelligence model in the training phase and finally tested it to find the detection accuracy in the testing phase. We used a Multi-Layer Perceptron (MLP) to build the proposed Artificial Intelligence. A perceptron is sensitive to attribute or feature scaling, so scaling the data is advisable. A perceptron has the following: one or more inputs, a bias, an activation function and a resulting output. The inputs (i.e., the 80 features of the IDS2018 dataset) are received by the perceptron, which applies weights to them; the output (attack or normal) is produced by the activation unit, which receives the weighted inputs. The neural network is modeled by adding layers of perceptrons together to form the multi-layer perceptron of our proposed framework.
For hyper-parameter optimization, the GridSearchCV optimization technique is used. Tuning a neural network for optimization is a herculean task and a lengthy process. The hyper-parameters considered for tuning are alpha, which compares various values of the regularization parameter, and the hidden layer sizes. The search runs in parallel and can be iterated, with 10-fold cross-validation. We model our neural network starting with two layers [1].
The solver chosen for this model is ‘lbfgs’, and the alpha parameter is searched using L2 regularization. Better prediction and accuracy will not be obtained without a regularization method. In our proposed framework, we distinguish the classification as either “Benign” or “Malicious” based on the output.

Best F1 score : 0.9991678456370812
Best parameters : ‘alpha’: 1e-05, ‘hidden_layer_sizes’: (9, 4)

IV. IMPLEMENTATION

A. CSE-CIC-IDS2018
We built an MLP Classifier model on the realistic cyber defense dataset by the Canadian Institute for Cybersecurity (CIC) on AWS (Amazon Web Services). Datasets by CIC and ISCX are used around the world for security testing and malware prevention. Knowledge of AWS is required to access the dataset, which is stored in an S3 bucket with Amazon Resource Name (ARN) arn:aws:s3:::cse-cic-ids2018 in the AWS region ca-central-1, under license [17].


It consists of a detailed description of intrusions along with abstract distribution patterns for the following: applications, network protocols and other lower-level network entities. The final dataset includes seven distinct attack scenarios: brute-force, Heartbleed, botnet, DoS, DDoS, web attacks and infiltration of the network from inside. The attacking infrastructure consists of 50 machines. The victim organization has five departments and consists of 420 machines and 30 servers. The dataset consists of the captured network traffic and system logs of every machine, along with eighty attributes extracted from the captured traffic using CICFlowmeter-v3 [2].

B. Creating an Artificial Neural Network with Anaconda, Jupyter Notebook and SciKit-Learn
To build this Artificial Neural Network, we use Anaconda 3.0 and the latest Scikit version 0.19.1 and Pandas version 0.23.1 in Jupyter Notebook. They can be installed through pip or Miniconda (Package Manager).

C. Receiver Operating Characteristics Curve
The Receiver Operating Characteristics curve is used to visualize the performance of multi-dimensional data classification. It is considered one of the most prominent evaluation metrics for evaluating any classification model’s accuracy. It is also referred to as AUROC (Area Under the Receiver Operating Characteristics).
Let us start the proposed Artificial Intelligence model. To obtain the whole set of evaluation metrics, I have created two functions. The calculate_auc function also produces the ROC. An outline of the basic layout of the performance measurements was produced with pandas.

V. RESULTS
A. ROC Curve
The curve in Fig. 1 is generated by plotting the true positive rate against the false negative rate at various threshold points, and it shows how well the binary classifier discriminates between the two classes, i.e., Benign or Malicious. The classifier model runs on a sample of 1048575 records with 80 features and is optimized with 10-fold cross-validation to produce the ROC curve in Fig. 1.

Fig. 1. ROC CURVE

B. AUC SCORE
It is the area under the ROC curve, and it summarizes the overall performance of the binary classifier. The higher the score, the better the classifier model performs.
AUC SCORE : 0.9991680

C. Confusion Matrix
It gives insight into the number of positive and negative predictions and also summarizes the count of normal and malicious attacks in this model; the graph below shows, with samples, how it identifies 100% of the normal and malicious botnet attacks. Overall, the confusion matrix summarizes the evaluation metrics of this model, as shown in Fig. 2.

Fig. 2. Confusion Matrix of Neural Network

D. Classification Report of Neural Network Model
The Classification Report of our proposed Artificial
Intelligence is as shown below in Table I and also the
Accuracy score is given below.

TABLE I
CLASSIFICATION REPORT OF NEURAL NETWORK

Training Data Performance Metrics
Accuracy Precision Recall F1 AUC
1.0 1.0 1.0 1.0 1.0

Test Data Performance Metrics
Accuracy Precision Recall F1 AUC
0.9997 1.0 1.0 1.0 1.0

Artificial Intelligence Model Training Accuracy: 1.0
Artificial Intelligence Model Testing Accuracy: 0.99975

E. Default MLP Classifier Model Comparison
If no parameter has been set for the model, the default value of alpha is 0.0001 and a single layer of a hundred neurons is used. Comparing the accuracy scores shows what the optimization achieves.
Artificial Intelligence Model Training Accuracy: 0.99983
Artificial Intelligence Model Testing Accuracy: 0.9995
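
The evaluation metrics reported in Sections IV.C and V (confusion matrix, accuracy, precision, recall, F1, false positive rate, ROC curve and the area under it), implemented in plain Python as an added example; this is not the authors' calculate_auc function or their notebook, and the ten labeled flows with model scores it runs on are constructed for the illustration (one malicious flow scored low and one benign flow scored high, so the metrics are not all 1.0).

```python
"""Added example: evaluation metrics for a binary Benign/Malicious classifier
computed in plain Python from labels (1 = malicious) and model scores."""


def confusion_matrix(y_true, y_pred):
    """Return (tp, tn, fp, fn) with 1 as the positive (malicious) class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, tn, fp, fn


def classification_report(y_true, y_pred):
    """Accuracy, precision, recall, F1 and false positive rate."""
    tp, tn, fp, fn = confusion_matrix(y_true, y_pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return {
        "accuracy": (tp + tn) / len(y_true),
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,   # false positive rate
    }


def roc_curve(y_true, scores):
    """(FPR, TPR) points obtained by sweeping the decision threshold down
    through every distinct score; tied scores move together."""
    pos = sum(y_true)
    neg = len(y_true) - pos
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    points = [(0.0, 0.0)]
    tp = fp = i = 0
    while i < len(order):
        s = scores[order[i]]
        while i < len(order) and scores[order[i]] == s:
            if y_true[order[i]] == 1:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg, tp / pos))
    return points


def auc(points):
    """Area under the ROC curve by the trapezoidal rule."""
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


def evaluate(y_true, scores, threshold=0.5):
    """Threshold the scores, build the report and attach the AUC."""
    y_pred = [1 if s >= threshold else 0 for s in scores]
    report = classification_report(y_true, y_pred)
    points = roc_curve(y_true, scores)
    report["auc"] = auc(points)
    return report, points


# Constructed sample: ten flows, five malicious, with the scores a model
# might assign them (one malicious flow scored low, one benign scored high).
SAMPLE_LABELS = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]
SAMPLE_SCORES = [0.95, 0.90, 0.80, 0.70, 0.40, 0.60, 0.30, 0.20, 0.10, 0.05]

if __name__ == "__main__":
    report, points = evaluate(SAMPLE_LABELS, SAMPLE_SCORES)
    for name, value in report.items():
        print(f"{name:>9}: {value:.4f}")
```

On the constructed sample the 0.5 threshold yields a confusion matrix of tp=4, tn=4, fp=1, fn=1 (precision, recall and F1 all 0.8, false positive rate 0.2), while the threshold-independent AUC is 0.96, the fraction of malicious/benign pairs the scores rank correctly; this is why the paper reports AUC alongside the thresholded accuracy.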


VI. CONCLUSION
The proposed system can be extended to detect all the other remaining classes of attacks in this realistic dataset, which includes all real-time and existing attacks. The Scikit-learn framework used in this Artificial Intelligence optimization is based on the Central Processing Unit, not on the Graphics Processing Unit; the optimization may be more powerfully tuned with other frameworks such as Google’s open-sourced TensorFlow. Performance is a common issue when pandas is used to work with larger data (100 gigabytes to multiple terabytes), but Spark, an open-sourced Apache framework for big data processing, can handle parallel computing with massive datasets, ranging from 100 gigabytes to multiple terabytes, across clustered computers.

REFERENCES

[1] A. Shenfield, D. Day, and A. Ayesh, “Intelligent intrusion detection system using artificial neural networks,” vol. 4, no. 2, pp. 95-99, June 2018.

[2] I. Sharafaldin, A. Habibi Lashkari, and A. A. Ghorbani, “Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization,” 4th International Conference on Information Systems Security and Privacy (ICISSP), Portugal, January 2018.

[3] D. Stiawan, A. H. Abdullah, and M. Y. Idris, “The trends of intrusion prevention system network,” in 2010 2nd International Conference on Education Technology and Computer, vol. 4, pp. 217-221, June 2010.

[4] R. Singh, H. Kumar, R. K. Singla, and R. R. Ketti, “Internet attacks and intrusion detection system: A review of the literature,” Online Inform. Rev., 41 (2), pp. 171-184, 2017.

[5] H.-J. Liao, C.-H. R. Lin, Y.-C. Lin, and K.-Y. Tung, “Intrusion detection system: A comprehensive review,” Network Computing. Appl., Rev., 36 (1), pp. 16-24, 2013. [Online]. Available: https://www.kdnuggets.com/2016/10/beginners-guide-neural-networks-python-scikit-learn.html [Accessed: 14-SEP-2018].

[6] G. P. Zhang, “Neural networks for classification: A survey,” IEEE Trans. Syst. Man Cybern. C, Rev., 30 (4), pp. 451-462, 2000.

[7] J. Wu, D. Peng, Z. Li, L. Zhao, and H. Ling, “Network intrusion detection based on a general regression neural network optimized by an improved artificial immune algorithm,” Rev., 10 (3), 2015. [Online]. Available: https://www.ncbi.nlm.nih.gov/pubmed/25807466 [Accessed: 14-SEP-2018].

[8] F. Rosenblatt, “The perceptron: A probabilistic model for information storage and organization in the brain,” Psychol. Rev., 65 (6), pp. 386-408, 1958.

[9] G. Kumar, “The use of artificial intelligence based techniques for intrusion detection: a review,” Artificial Intelligence Review, 09/04/2010.

[10] A. Nisioti, A. Mylonas, P. D. Yoo, and V. Katos, “From Intrusion Detection to Attacker Attribution: A Comprehensive Survey of Unsupervised Methods,” IEEE Communications Surveys & Tutorials, 2018.

[11] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, Network Traffic Anomaly Detection and Prevention, Springer Nature, 2017.

[12] C. Ting, R. Field, A. Fisher, and T. Bauer, “Compression Analytics for Classification and Anomaly Detection within Network Communication,” IEEE Transactions on Information Forensics and Security, 2018.

[13] S.-J. Han and S.-B. Cho, “Rule-based integration of multiple measure-models for effective intrusion detection,” SMC’03 Conference Proceedings. 2003 IEEE International Conference on Systems, Man and Cybernetics. Conference Theme – System Security and Assurance (Cat. No. 03CH37483), 2003.

[14] A. Ghorbani, W. Lu, and M. Tavallaee, Network Intrusion Detection and Prevention: Concepts and Techniques, Springer Science, LLC, 2010.

[15] M. S. Pervez and D. M. Farid, “Feature selection and intrusion classification in NSL-KDD cup 99 dataset employing SVMs,” The 8th International Conference on Software, Knowledge, Information Management and Applications (SKIMA 2014), Dhaka, 2014, pp. 1-6.

[16] V. Engen, Machine learning for network based intrusion detection: an investigation into discrepancies in findings with the KDDCUP’99 data set and multi-objective evolution of neural network classifier ensembles from imbalanced data. Diss. Bournemouth University, 2010.

[17] License: http://www.unb.ca/cic/datasets/ids-2018.html [Accessed: 14-SEP-2018]


INDICON 2005 Conference, Chennai, India, 11-13 Dec. 2005

Artificial Intelligence Techniques Applied to Intrusion Detection

Norbik Bashah Idris and Bharanidharan Shanmugam

Abstract – Intrusion Detection Systems are increasingly a key part of systems defense. Various approaches to Intrusion Detection are currently being used, but they are relatively ineffective. Artificial Intelligence plays a driving role in security services. This paper proposes a dynamic model Intelligent Intrusion Detection System, based on a specific AI approach for intrusion detection. The techniques being investigated include neural networks and fuzzy logic with network profiling, which uses simple data mining techniques to process the network data. The proposed system is a hybrid system that combines anomaly, misuse and host based detection. Simple fuzzy rules allow us to construct if-then rules that reflect common ways of describing security attacks. For host based intrusion detection we use neural networks along with self organizing maps. Suspicious intrusions can be traced back to their original source path and any traffic from that particular source will be redirected back to them in future. Both network traffic and system audit data are used as inputs for both.
Keywords – Intrusion Detection, Network Security, Data Mining, Fuzzy Logic

1. INTRODUCTION

Information has become an organization's most precious asset. Organizations have become increasingly dependent on it, since more information is being stored and processed on network-based systems. The widespread use of e-commerce has increased the necessity of protecting the system to a very high extent. Confidentiality, integrity and availability of information are major concerns in the development and exploitation of network based computer systems. An Intrusion Detection System can detect, prevent and react to attacks. Intrusion Detection has become an integral part of the information security process. But, since it is not technically feasible to build a system with no vulnerabilities, intrusion detection continues to be an important area of research.
The remaining part of this paper is organized as follows: Section II gives an overview of current Intrusion Detection Systems and also of the usage of fuzzy and data mining techniques; Section III elucidates the overview of our proposed architecture. Section IV briefs about the usage of SOM in our proposed model and Section V summarizes the work and points out what we will do in future.

CASE-UTM City Campus, Jalan Semarak, Kuala Lumpur, Malaysia-54100. E-mail: [email protected]

II. OVERVIEW OF CURRENT INTRUSION DETECTION SYSTEMS

A. An Overview of Current Intrusion Detection Systems

Intrusion Detection is defined [1] as the process of intelligently monitoring the events occurring in a computer system or network and analyzing them for signs of violations of the security policy. The primary aim of Intrusion Detection Systems (IDS) is to protect the availability, confidentiality and integrity of critical networked information systems. Intrusion Detection Systems (IDS) are defined by both the method used to detect attacks and the placement of the IDS on the network. An IDS may perform either misuse detection or anomaly detection and may be deployed as either a network-based system or a host-based system. This results in four general groups: misuse-host, misuse-network, anomaly-host and anomaly-network. Misuse detection relies on matching known patterns of hostile activity against databases of past attacks. Such systems are highly effective at identifying known attacks and vulnerabilities, but rather poor at identifying new security threats. Anomaly detection searches for something rare or unusual by applying statistical measures or artificial intelligence to compare current activity against historical knowledge. Common problems with anomaly-based systems are that they often require extensive training data for artificial learning algorithms, and they tend to be more computationally expensive, because several metrics are often maintained, and these need to be updated against every system activity. Some IDS combine qualities from all these categories (usually implementing both misuse and anomaly detection) and are known as hybrid systems.
Artificial Intelligence techniques have been applied both to misuse detection and to anomaly detection. SRI's Intrusion Detection Expert System (IDES) [2] encodes an expert's knowledge of known patterns of attack and system vulnerabilities as if-then rules. The Time-based Inductive Machine (TIM) for intrusion detection [3] learns sequential patterns. Recently, techniques from the data mining area have been used to mine normal patterns from audit data [4,5,6]. Several approaches applying artificial neural networks in the intrusion detection system have been proposed [7,8,9]. NeGPAIM [10] is based on trend analysis, fuzzy logic and neural networks to minimize and control intrusion. Existing intrusion detection systems, especially commercial intrusion detection systems that must resist intrusion attacks, are based on the misuse detection approach, which means these systems will only be able to detect known attack types, and in most cases they tend to be ineffective due to various reasons like non-availability of attack patterns, time consumption for developing new attack patterns, insufficient attack data, etc.

0-7803-95034/05/$20.00 ©2005 IEEE

B. Computer Attack Categories
DARPA [11] categorizes the attacks into five major types based on the goals and actions of the attacker.
DoS attacks try to make services provided by or to computer users restricted or denied. For example, in a SYN-Flood attack the attacker floods the victim host with more TCP connection requests than it can handle, causing the host to be unable to respond even to valid requests.
Probe attacks attempt to get information about an existing computer or network configuration.
Remote-to-local (R2L) attacks are caused by an attacker who only has remote access rights. These attacks occur when the attacker tries to get local access to a computer or network.
User-to-root (U2R) attacks are performed by an attacker who has user level access rights and tries to obtain super user access.
Data attacks are performed to gain access to some information to which the attacker is not permitted access. Any R2L and U2R attack has the goal of accessing the secret files.

C. Data Capturing using SNORT
Snort is mainly a so-called Network Intrusion Detection System (NIDS); it is open source and available for a variety of Unix systems. Snort can also be used as a sniffer to troubleshoot network problems. Basically there are three main modes in which Snort can be configured: sniffer, packet logger and network intrusion detection system. Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console. Packet logger mode logs the packets to the disk. Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user defined rule set and to perform several actions based upon what it sees. We configure Snort in packet logger mode for our experimental needs.

D. Data Mining and Association Rules
Data Mining is the automated extraction of previously unrealized information from large data sources for the purpose of supporting actions. The recent rapid development in data mining has made available a wide variety of algorithms, drawn from the fields of statistics, pattern recognition, machine learning and databases. Specifically, data mining approaches have been proposed [4,12] and used for anomaly detection. Association rule algorithms find correlations between features or attributes used to describe a data set. The most popular algorithm for mining rules based on two-valued attributes is APRIORI. But this algorithm leads to the problem of categorizing numerical attributes. A solution to this problem was given in [13] by transforming quantitative variables into a set of binary variables by partitioning the domain variables into discrete intervals. This approach, however, suffers from the "sharp boundary problem": two values that lie just on either side of an interval boundary are treated as unrelated. An alternative solution, [14] using fuzzy sets, offers smooth transitions from one fuzzy set to another.

E. Fuzzy Logic and Intrusion Detection
Applying fuzzy methods to the development of IDS yields some advantages compared to the classical approach. Hence, fuzzy logic techniques have been employed in the computer security field since the early part of the 90's. Fuzzy logic provides some flexibility for the uncertain problem of intrusion detection and allows much greater complexity for IDS. Most fuzzy IDS require human experts to determine the fuzzy sets and the set of fuzzy rules. These tasks are time consuming. However, if the fuzzy rules are automatically generated, less time would be consumed for building a good intrusion classifier, and this shortens the development time of building or updating an intrusion classifier.
In this paper we propose a mechanism for IDS which utilizes fuzzy logic along with a data mining technique; it is a modified version of the FIRE [15] system. The FIRE system uses a simple data-mining algorithm to identify the features that will be helpful in detecting attacks. The security administrator uses the fuzzy sets produced by the system to create fuzzy rules. Here, however, we propose a mechanism to automate the rule generation process and reduce the human intervention. AI techniques have also been explored to build intrusion detection systems based on knowledge of past behavior and normal use. They have shown potential for anomaly detection, with limited ability.

III. GOALS AND PROPOSED ARCHITECTURE

Our aim is to design and develop an Intelligent Intrusion Detection System (IIDS) that would be accurate, low in false alarms, not easily cheated by small variations in patterns, adaptive and real time.
In our model we use SNORT [16], a leading and famous open source packet sniffer. The data processor and classifier summarizes and tabulates the data into carefully selected categories, i.e. the attack types are carefully correlated. This is the stage where a kind of data mining is performed on the collected data. In the next stage, the current data is compared with the historical mined data to create values that reflect how new data differs from the past observed data. The inference engine is MySQL based and is bi-directional. Its inference speed is faster than any other text-oriented inference. Based on the facts from the analyzer, the decision will be taken whether to activate the detection phase or not. If the detection phase is activated then an alert will be issued and the tracer phase will be initiated. This phase will trace back to the intruder's original source address location. Based on the initial research work we propose a framework for tracing the abnormal packets back to their original source. This tends to be the most tedious phase of the project. Once the original path has been identified and verified, all the attacks from that particular host will be redirected to their source in future. SNORT_INLINE [17] has proved to be the best in changing the appropriate packet values.

A. Attributes
Prior to any data analysis, attributes representing relevant features of the input data (packets) must be established. The set of attributes provided to the Data Analyzer is a subset of all possible attributes pertaining to the information contained in packet headers, packet payloads, as well as aggregate information such as statistics on the number and type of packets or established TCP connections. Attributes are represented by names that will be used as linguistic variables [18] by the Data Miner and the Fuzzy Inference Engine.

B. Data analyzer
Once attributes of relevance have been defined and a data source identified, a Data Analyzer is employed to compute configuration parameters that regulate operation of the IDS. This module analyzes packets and computes aggregate information by grouping packets. Packets can be placed in fixed size groups (s-group) or in groups of packets captured in a fixed amount of time (t-group). Each s-group contains the same number of packets covering a variable time range, and each t-group contains a variable number of packets captured over a fixed period of time.

C. Rules
Rules are expressed as a logic implication p → q, where p is called the antecedent of the rule and q is called the consequence of the rule.
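The following Python script is an added example, not code from the paper, that puts Sections B through E together on constructed packet records: it forms t-groups and s-groups as the Data Analyzer does, computes aggregate attributes that serve as linguistic variables, shows the sharp boundary problem of crisp interval discretization next to trapezoidal fuzzy membership, and fires if-then rules p → q whose antecedent p is a conjunction of fuzzy conditions. The attribute names, membership function shapes, thresholds and rules are assumptions made for the example.

```python
"""Added example: t-group/s-group aggregation, crisp vs fuzzy discretization
and fuzzy if-then rules over constructed packet records.  Attribute names,
set shapes and rules are assumptions, not the paper's own definitions."""
import bisect
from typing import Dict, List, Tuple

# Constructed sample: (time in seconds, TCP flags, bytes).  Seconds 0-4 hold
# ordinary traffic (one bare SYN per three ACKs); seconds 5-9 hold a burst
# of bare SYNs that imitates a SYN flood.
PACKETS: List[Tuple[float, str, int]] = (
    [(i * 0.1, "S" if i % 4 == 0 else "A", 512) for i in range(40)]
    + [(5.0 + i * 0.02, "S", 60) for i in range(200)]
)


def t_groups(packets, window: float) -> List[List[Tuple[float, str, int]]]:
    """Groups of packets captured in a fixed time window (variable size)."""
    groups: Dict[int, list] = {}
    for pkt in packets:
        groups.setdefault(int(pkt[0] // window), []).append(pkt)
    return [groups[k] for k in sorted(groups)]


def s_groups(packets, size: int) -> List[List[Tuple[float, str, int]]]:
    """Groups of a fixed number of packets (variable time span)."""
    return [packets[i:i + size] for i in range(0, len(packets), size)]


def aggregate(group, window: float) -> Dict[str, float]:
    """Aggregate attributes of one group, named as linguistic variables."""
    n = len(group)
    syn_only = sum(1 for _, flags, _ in group if flags == "S")
    return {"syn_fraction": syn_only / n, "pkt_rate": n / window}


# Crisp discretization in the style of [13]: one cut at 0.5 splits LOW/HIGH.
def crisp_label(x: float, cuts=(0.5,), labels=("LOW", "HIGH")) -> str:
    return labels[bisect.bisect_right(cuts, x)]


# Fuzzy sets as trapezoids (a, b, c, d): membership rises on [a, b],
# is 1 on [b, c] and falls on [c, d], so neighbouring sets overlap.
def trapmf(x: float, a: float, b: float, c: float, d: float) -> float:
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


INF = float("inf")
VARIABLES: Dict[str, Dict[str, tuple]] = {
    "syn_fraction": {"LOW": (-1, 0.0, 0.2, 0.4),
                     "MEDIUM": (0.2, 0.4, 0.6, 0.8),
                     "HIGH": (0.6, 0.8, 1.0, 2.0)},
    "pkt_rate": {"LOW": (-1, 0.0, 5.0, 15.0),
                 "HIGH": (5.0, 15.0, INF, INF)},
}


def fuzzify(x: float, sets: Dict[str, tuple]) -> Dict[str, float]:
    return {label: trapmf(x, *shape) for label, shape in sets.items()}


# Rules p -> q: the antecedent is a conjunction (min) of fuzzy conditions;
# the consequence is an alert label that receives the antecedent's degree.
RULES = [
    ({"syn_fraction": "HIGH", "pkt_rate": "HIGH"}, "syn_flood"),
    ({"syn_fraction": "MEDIUM"}, "suspicious"),
]


def fire_rules(features: Dict[str, float]) -> Dict[str, float]:
    alerts: Dict[str, float] = {}
    for antecedent, consequence in RULES:
        degree = min(fuzzify(features[var], VARIABLES[var])[label]
                     for var, label in antecedent.items())
        alerts[consequence] = max(alerts.get(consequence, 0.0), degree)
    return alerts


def profile(packets, window: float = 5.0) -> List[Dict[str, object]]:
    """Run the whole pipeline and return one result per t-group."""
    out = []
    for idx, group in enumerate(t_groups(packets, window)):
        feats = aggregate(group, window)
        out.append({"window": idx, "features": feats, "alerts": fire_rules(feats)})
    return out


if __name__ == "__main__":
    for row in profile(PACKETS):
        print(row)
    # Sharp boundary: 0.49 and 0.51 land in different crisp bins, while
    # both have full membership in the fuzzy set MEDIUM.
    print(crisp_label(0.49), crisp_label(0.51),
          fuzzify(0.49, VARIABLES["syn_fraction"]),
          fuzzify(0.51, VARIABLES["syn_fraction"]))
```

The second t-group (the SYN burst) fires the `syn_flood` rule with degree 1.0; the first group fires nothing but a weak `suspicious` degree of 0.25, which is the point of fuzzy output: the decision engine gets a graded value rather than a yes/no that flips at an arbitrary cut.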

D. Traceback framework
Tracing the source of the packet is needed for getting exact information about the intruder [19]. The IDS will provide the information that an exceptional event has occurred, the packet and the time of attack. Once trace back is requested, a query message consisting of the packet, egress point and the time of receipt is sent to all the Local Data Managers (LDM). Time is critical because this must happen while the appropriate values are still resident at the DC (Data Collector). Once the values are safely transferred to the TM, the trace back process will no longer be under real-time constraints. A Local Data Manager is responsible for a particular network. Later the LDM responds with the partial attack graph and the packet as it entered the region. The attack graph either terminates within the region managed by the LDM, in which case a source has been identified, or it contains nodes at the edges of the other LDM network region. Next, the TM sends a query to the LDM adjacent to that edge node.

Fig 1. Proposed Architecture (block diagram; the legible component labels are Analyzer, Central Manager, Decision Engine and Reactor)
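As an added example that is not the paper's implementation, the exchange above can be simulated in plain Python: the trace manager (TM) sends a query carrying the packet id, egress point and time of receipt to the LDM of the region where the packet was seen, the LDM answers with its partial attack graph plus the adjacent region the packet entered from (or nothing, when its Data Collector has already aged the values out), and the TM repeats the query against the adjacent LDM until a graph terminates at a host. The three-region topology, the record format and the 30-second retention window are assumptions made for the example.

```python
"""Added example: the traceback exchange between a trace manager (TM) and
the Local Data Managers (LDMs) simulated in plain Python.  The topology,
record format and retention window are assumptions for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PartialGraph:
    region: str
    nodes: List[str]                          # path inside the region, ingress first
    entered_from: Optional[Tuple[str, str]]   # (adjacent region, its egress node); None at the source


@dataclass
class LocalDataManager:
    """Answers queries from the Data Collector (DC) records of one region."""
    name: str
    records: Dict[str, List[str]]             # packet id -> nodes traversed, ingress first
    borders: Dict[str, Tuple[str, str]]       # ingress border node -> (neighbour region, its egress node)
    retention: float = 30.0                   # seconds the DC keeps per-packet values (assumed)

    def query(self, packet_id: str, egress_point: str,
              t_received: float, now: float) -> Optional[PartialGraph]:
        if now - t_received > self.retention:
            return None                       # values no longer resident at the DC
        path = self.records.get(packet_id)
        if path is None or path[-1] != egress_point:
            return None                       # no record of this packet leaving there
        return PartialGraph(self.name, list(path), self.borders.get(path[0]))


class TraceManager:
    def __init__(self, ldms: Dict[str, LocalDataManager]):
        self.ldms = ldms

    def traceback(self, packet_id: str, region: str, egress_point: str,
                  t_received: float, now: float) -> Dict[str, object]:
        """Follow partial attack graphs region by region until one terminates."""
        graph: List[PartialGraph] = []
        visited = set()
        while region not in visited:
            visited.add(region)
            part = self.ldms[region].query(packet_id, egress_point, t_received, now)
            if part is None:
                return {"status": "incomplete", "source": None, "graph": graph}
            graph.append(part)
            if part.entered_from is None:     # the graph terminates: source identified
                return {"status": "traced", "source": part.nodes[0], "graph": graph}
            region, egress_point = part.entered_from   # query the adjacent LDM next
        return {"status": "loop", "source": None, "graph": graph}


# Constructed topology: pkt-42 was flagged leaving region C at r-c2; it came
# through region B from host-a1 in region A.
LDMS = {
    "A": LocalDataManager("A", {"pkt-42": ["host-a1", "r-a1", "r-a2"]}, {}),
    "B": LocalDataManager("B", {"pkt-42": ["r-b1", "r-b2"]}, {"r-b1": ("A", "r-a2")}),
    "C": LocalDataManager("C", {"pkt-42": ["r-c1", "r-c2"]}, {"r-c1": ("B", "r-b2")}),
}


def trace_example(now: float = 5.0) -> Dict[str, object]:
    """Request a trace for pkt-42 received at r-c2 at t=0; `now` is the TM's clock."""
    return TraceManager(LDMS).traceback("pkt-42", "C", "r-c2", 0.0, now)


if __name__ == "__main__":
    result = trace_example()
    print(result["status"], result["source"], [p.region for p in result["graph"]])
    print(trace_example(now=100.0)["status"])   # too late: DC values have aged out
```

The `visited` set guards against a malformed border table sending the TM round in a circle, and the retention check is what makes the first query time critical in the way the text describes: once the partial graphs are held by the TM, nothing else expires.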
The architecture as shown in Fig. 1 is now under construction. Our preliminary research work demonstrates that fuzzy network profiling with data mining can and will provide an efficient solution for intrusion problems.

IV. HOST BASED INTRUSION DETECTION

Previous research has proven that the use of SOM [20] is very efficient in unsupervised learning. In order to fulfill our aim of automating the process of intrusion detection actions, we will first try to identify the behavior/characteristics of the common user. The first problem is to establish the nature of the initial information on which the rest of the work is based. Intrusion detection modules may work on a number of different data streams. A lot of systems utilize off-line information (UNIX log-files). In our work, UNIX session information will be used as the features of the system, and the characteristics of a common user are defined based on this information. This information is stored for later usage to find out if any user has unusual or different characteristics.
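As an added example (not the paper's code), here is a small self organizing map in plain Python that builds a profile of one user's UNIX sessions from constructed session features and flags a session whose distance to its best matching unit is far beyond anything the profile saw during training. The feature choice (login hour, session length, commands issued, failed logins), the 3x3 map, the learning schedule and the 1.5x tolerance on the worst training quantization error are assumptions made for the example.

```python
"""Added example: host based user profiling with a self organizing map (SOM)
in plain Python.  The session features, map size, learning schedule and
anomaly threshold are assumptions for the example, not the paper's design."""
import math
import random
from typing import List, Sequence, Tuple

Vector = List[float]


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class SOM:
    """A rows x cols map of weight vectors trained by competitive learning."""

    def __init__(self, rows: int, cols: int, dim: int, seed: int = 7):
        self.rows, self.cols, self.dim = rows, cols, dim
        self.rng = random.Random(seed)
        self.weights = [[[self.rng.random() for _ in range(dim)]
                         for _ in range(cols)] for _ in range(rows)]

    def bmu(self, x: Sequence[float]) -> Tuple[int, int, float]:
        """Best matching unit: (row, col, distance) of the closest node."""
        best = (0, 0, _dist(x, self.weights[0][0]))
        for r in range(self.rows):
            for c in range(self.cols):
                d = _dist(x, self.weights[r][c])
                if d < best[2]:
                    best = (r, c, d)
        return best

    def train(self, data: Sequence[Vector], epochs: int = 40, lr0: float = 0.5) -> None:
        sigma0 = max(self.rows, self.cols) / 2.0
        total = epochs * len(data)
        step = 0
        for _ in range(epochs):
            order = list(data)
            self.rng.shuffle(order)
            for x in order:
                frac = step / total                 # linear decay of rate and radius
                lr = lr0 * (1.0 - frac) + 0.01
                sigma = sigma0 * (1.0 - frac) + 0.2
                br, bc, _ = self.bmu(x)
                for r in range(self.rows):
                    for c in range(self.cols):
                        # Gaussian neighbourhood: nodes near the BMU move most
                        h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2.0 * sigma * sigma))
                        w = self.weights[r][c]
                        for i in range(self.dim):
                            w[i] += lr * h * (x[i] - w[i])
                step += 1

    def quantization_error(self, x: Sequence[float]) -> float:
        return self.bmu(x)[2]


def session_vector(login_hour: float, minutes: float, commands: int, failed_logins: int) -> Vector:
    """Normalize one UNIX session record to [0, 1] features (assumed choice)."""
    return [login_hour / 24.0, min(minutes, 480) / 480.0,
            min(commands, 200) / 200.0, min(failed_logins, 10) / 10.0]


def constructed_history(n: int = 60, seed: int = 1) -> List[Vector]:
    """Constructed 'normal' sessions: office hours, 1-5 h, a few dozen commands."""
    rng = random.Random(seed)
    return [session_vector(rng.uniform(9, 17), rng.uniform(60, 300),
                           int(rng.uniform(30, 120)), rng.choice([0, 0, 0, 1]))
            for _ in range(n)]


def build_profile(history: Sequence[Vector], seed: int = 7) -> Tuple[SOM, float]:
    """Train the map on a user's history; the threshold is 1.5x the worst
    quantization error seen on that history (tolerance factor assumed)."""
    som = SOM(3, 3, len(history[0]), seed)
    som.train(history)
    errors = [som.quantization_error(s) for s in history]
    return som, 1.5 * max(errors)


def is_anomalous(som: SOM, threshold: float, session: Vector) -> bool:
    return som.quantization_error(session) > threshold


if __name__ == "__main__":
    som, thr = build_profile(constructed_history())
    for label, s in [("usual session", session_vector(13, 180, 75, 0)),
                     ("3 a.m., 8 failed logins", session_vector(3, 470, 195, 8))]:
        print(label, round(som.quantization_error(s), 3), is_anomalous(som, thr, s))
```

Because the map is trained only on the user's own history, a session that is merely unusual for that user (a night-time login with many failed attempts) lands far from every node, which is the property the text relies on when it stores the profile "to find out if any user has unusual or different characteristics".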

V. SUMMARY AND FUTURE WORK

A hybrid system has been proposed for aiding network personnel in the task of computer intrusion detection. We have combined fuzzy logic with data mining to provide an efficient technique for anomaly based intrusion detection and used SOM for host based intrusion detection. This model is now at an infant stage of development. Our long term goal is to implement this system in a real time environment. More results could be obtained once we finish deploying the system.

REFERENCES

[1] Bace R.G., Intrusion Detection, Technical Publishing (ISBN 1-57870-185-6)
[2] Lunt T., "Detecting intruders in computer systems", Conference on Auditing and Computer Technology, 1993
[3] Teng H., Chen K., and Lu S., "Adaptive real time anomaly detection using inductively generated sequential patterns", IEEE Computer Society Symposium on Research in Security and Privacy, California, IEEE Computer Society, 278-284, 1990
[4] Lee W., Stolfo S., Mok K., "Mining audit data to build intrusion detection models," Fourth International Conference on Knowledge Discovery and Data Mining, New York, AAAI Press, 66-72, 1998
[5] Mukkamala R., Gagnon J., Jajodia S., "Integrating data mining techniques with intrusion detection methods", Research Advances in Database and Information Systems Security, 33-46, 2000
[6] Stolfo S., Lee W., Chan P., "Data mining-based intrusion detectors: An overview of the Columbia IDS project", SIGMOD Record, Vol 30, No 4, 2001
[7] Debar H., Becker M., Siboni D., "A neural network component for an intrusion detection system," IEEE Computer Society Symposium on Research in Computer Security and Privacy, 240-250, 1992
[8] Tan K., "The Application of Neural Networks to UNIX Computer Security", IEEE International Conference on Neural Networks, Vol 1, 476-481, 1995
[9] Wang J., Wang Z., Dai K., "A Network intrusion detection system based on ANN", InfoSecu04, ACM 2004 (ISBN 1-58113-955-1)
[10] Botha M., Solms R., Perry K., Loubser E., Yamoyany G., "The utilization of Artificial Intelligence in a Hybrid Intrusion Detection System", SAICSIT, 149-155, 2002
[11] MIT Lincoln Laboratory, 1999 DARPA intrusion detection evaluation design and procedure, DARPA Technical Report, Feb 2001
[12] Dokas P., Ertoz L., Kumar V., Lazarevic A., Srivastava J., Tan P., "Data Mining for Network Intrusion Detection", Proceedings of NSF Workshop on Next Generation Data Mining, 2002
[13] Agrawal R., Srikant R., "Fast algorithms for mining association rules", 20th International Conference on Very Large Databases, September 1994
[14] Kuok C., Fu A., Wong M., "Mining fuzzy association rules in databases", SIGMOD Record 17 (1) 41-46.
[15] Dickerson J.E., Dickerson J.A., "Fuzzy Network Profiling for Intrusion Detection", Proceedings of NAFIPS 19th International Conference of the North American Fuzzy Information Processing Society, Atlanta, 2000.
[16] SNORT, www.snort.org
[17] SNORT INLINE, http://snort-inline.sourceforge.net/
[18] Zadeh L.A., "The concept of a linguistic variable and its application to approximate reasoning, Parts 1, 2, and 3," Information Sciences, 1975, 8:199-249, 8:301-357, 9:43-80.
[19] Yuebin B., Kobayashi H., "Intrusion Detection Systems: Technology and Development," Proceedings of the 17th International Conference on Advanced Information Networking and Applications, Xi'an, China, 2003
[20] Hoglund A.J., Hatonen K., Sorvari A.S., "A Computer Host Based User Anomaly Detection System Using Self Organizing Map", Proceedings of the International Joint Conference on Neural Networks, IEEE IJCNN 2000, Vol 5, pp. 411-416


Journal of Network and Computer Applications 36 (2013) 42–57

Journal of Network and Computer Applications
journal homepage: www.elsevier.com/locate/jnca

Review

A survey of intrusion detection techniques in Cloud

Chirag Modi a,*, Dhiren Patel a, Bhavesh Borisaniya a, Hiren Patel b, Avi Patel c, Muttukrishnan Rajarajan c

a NIT Surat, Gujarat, India
b S.P. College of Engineering, Gujarat, India
c City University London, UK

Article history: Received 3 January 2012; Received in revised form 15 May 2012; Accepted 16 May 2012; Available online 2 June 2012

Keywords: Cloud computing; Firewalls; Intrusion detection system; Intrusion prevention system

Abstract

In this paper, we survey different intrusions affecting availability, confidentiality and integrity of Cloud resources and services. Proposals incorporating Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in Cloud are examined. We recommend IDS/IPS positioning in Cloud environment to achieve desired security in the next generation networks.

© 2012 Elsevier Ltd. All rights reserved.

1084-8045/$ – see front matter © 2012 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.jnca.2012.05.003
* Corresponding author. Tel.: +91 9408883560.
E-mail address: [email protected] (C. Modi).

Contents

1. Introduction 43
2. Intrusions to Cloud systems 43
2.1. Insider attack 43
2.2. Flooding attack 43
2.3. User to root attacks 43
2.4. Port scanning 43
2.5. Attacks on virtual machine (VM) or hypervisor 43
2.6. Backdoor channel attacks 44
3. Firewalls: common solution to intrusions 44
4. IDS and IPS techniques: evolution 44
4.1. Signature based detection 44
4.2. Anomaly detection 45
4.3. Artificial neural network (ANN) based IDS 45
4.4. Fuzzy logic based IDS 45
4.5. Association rule based IDS 45
4.6. Support vector machine (SVM) based IDS 46
4.7. Genetic algorithm (GA) based IDS 46
4.8. Hybrid techniques 46
5. Various types of IDS/IPS used in Cloud computing 47
5.1. Host based intrusion detection systems (HIDS) 47
5.2. Network based intrusion detection system (NIDS) 49
5.3. Distributed intrusion detection system (DIDS) 50
5.4. Hypervisor-based intrusion detection system 51
5.5. Intrusion prevention system (IPS) 52
5.6. Intrusion detection and prevention system (IDPS) 55
6. Conclusions 56
References 56

1. Introduction

Cloud computing aims to provide convenient, on-demand, network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services), which can be rapidly provisioned and released with minimal management effort or service provider interactions (Mell and Grance, 2011). Cloud provides services in various forms: Software as a Service-SaaS (e.g. Google apps, 2011), Platform as a Service-PaaS (e.g. Google app engine (2011), Microsoft's Azure (Azure services platform, 2011)) and Infrastructure as a Service-IaaS (e.g. Amazon web services, 2011 (AWS); Eucalyptus, 2011; Open Nebula (Opennebula, 2011)).

As Cloud services are provisioned through the Internet, security and privacy of Cloud services are key issues to be looked upon. An International Data Corporation (IDC) survey (Gens, 2009) showed that security is the greatest challenge of Cloud computing. The recent Cloud computing security white paper by the Lockheed Martin Cyber Security division (Martin, 2010) shows that the major security concern after data security is intrusion detection and prevention in Cloud infrastructures. Cloud infrastructure makes use of virtualization techniques and integrated technologies and runs over standard Internet protocols. These may attract intruders due to the many vulnerabilities involved.

Cloud computing also suffers from various traditional attacks such as IP spoofing, Address Resolution Protocol spoofing, Routing Information Protocol attack, DNS poisoning, Flooding, Denial of Service (DoS), Distributed Denial of Service (DDoS), etc. For example, a DoS attack on the underlying Amazon Cloud infrastructure caused BitBucket.org, a site hosted on AWS, to remain unavailable for a few hours (Brooks, 2009). The computing cost of current cryptographic techniques cannot be overlooked for Cloud (Chen and Sion, 2010). A firewall can be a good option to prevent outside attacks but does not work for insider attacks. Efficient intrusion detection systems (IDS) and intrusion prevention systems (IPS) should be incorporated in Cloud infrastructure to mitigate these attacks.

The rest of the paper is organized as follows: Section 2 discusses various attacks applicable to the Cloud environment. Traditional firewalls as a security solution are discussed briefly in Section 3. Section 4 presents various techniques for IDS/IPS. Section 5 surveys existing IDS/IPS types and examines Cloud specific work on IDS, with conclusion and references at the end.

2. Intrusions to Cloud systems

There are several common intrusions affecting availability,
confidentiality and integrity of Cloud resources and services.

2.1. Insider attack

Authorized Cloud users may attempt to gain (and misuse) unauthorized privileges. Insiders may commit fraud and disclose information to others (or modify information intentionally). This poses a serious trust issue. For example, an internal DoS attack was demonstrated against the Amazon Elastic Compute Cloud (EC2) (Slaviero, 2009).

2.2. Flooding attack

In this attack, the attacker tries to flood the victim by sending a huge number of packets from innocent hosts (zombies) in the network. Packets can be of type TCP, UDP, ICMP or a mix of them. This kind of attack may be possible due to illegitimate network connections.

In case of Cloud, the requests for VMs are accessible by anyone through the Internet, which may cause a DoS (or DDoS) attack via zombies. A flooding attack affects the service's availability to authorized users. By attacking a single server providing a certain service, the attacker can cause a loss of availability of the intended service. Such an attack is called a direct DoS attack. If the server's hardware resources are completely exhausted by processing the flood requests, the other service instances on the same hardware machine are no longer able to perform their intended tasks. Such a type of attack is called an indirect DoS attack.

A flooding attack may raise the usage bills drastically, as the Cloud would not be able to distinguish between normal usage and fake usage.

2.3. User to root attacks

Here, an attacker gets access to a legitimate user's account by sniffing the password. This makes him/her able to exploit vulnerabilities for gaining root level access to the system. For example, buffer overflows are used to generate root shells from a process running as root. It occurs when application program code overfills a static buffer. The mechanisms used to secure the authentication process are a frequent target. There are no universal standard security mechanisms that can be used to prevent security risks like weak password recovery workflows, phishing attacks, keyloggers, etc.

In case of Cloud, the attacker acquires access to a valid user's instances, which enables him/her to gain root level access to VMs or the host.

2.4. Port scanning

Port scanning provides a list of open ports, closed ports and filtered ports. Through port scanning, attackers can find open ports and attack services running on these ports. Network related details such as IP address, MAC address, router, gateway filtering, firewall rules, etc. can be known through this attack. Various port scanning techniques are TCP scanning, UDP scanning, SYN scanning, FIN scanning, ACK scanning, Window scanning etc. In the Cloud scenario, an attacker can attack offered services through port scanning (by discovering open ports upon which these services are provided).
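The following Python script is an added example, not part of the survey, showing how the two attacks just described (Sections 2.2 and 2.4) can be picked out of connection records by simple counting: SYN arrivals per destination in a time window for flooding, whether from one source or many (DoS or DDoS), the co-located VMs put at risk of the indirect DoS of Section 2.2, and the number of distinct destination ports touched per source for port scanning. The records, the 10-second window, the thresholds and the VM-to-host placement table are constructed for the example.

```python
"""Added example: counting-based detection of flooding (direct/indirect DoS,
DoS vs DDoS) and port scanning over constructed connection records.  The
record format, window, thresholds and VM placement table are assumptions."""
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, int, str]   # (time s, src ip, dst ip, dst port, tcp flags)

# Assumed placement of VMs on physical hosts: when one VM's host is exhausted,
# the co-located VMs suffer the indirect DoS described in Section 2.2.
HOST_OF = {"10.0.0.5": "phys-1", "10.0.0.6": "phys-1", "10.0.0.7": "phys-2"}


def constructed_records() -> List[Record]:
    """Constructed traffic: a normal window, then a SYN flood plus a port scan."""
    recs: List[Record] = []
    # window 0 (0-9 s): three clients open five connections each to the web VM
    for n, src in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        for k in range(5):
            recs.append((n + k * 1.5, src, "10.0.0.5", 443, "S"))
    # window 1 (10-19 s): twenty zombies send thirty SYNs each to the same VM
    for z in range(20):
        for k in range(30):
            recs.append((10.0 + k * 0.3, "192.0.2.%d" % (z + 1), "10.0.0.5", 80, "S"))
    # window 1: one host probes forty ports on the neighbouring VM
    for port in range(1, 41):
        recs.append((10.0 + port * 0.2, "198.51.100.9", "10.0.0.6", port, "S"))
    return recs


def flood_alerts(records, window: float = 10.0, threshold: int = 200) -> Dict[tuple, dict]:
    """Destinations whose SYN count in a window exceeds `threshold`."""
    stats = defaultdict(lambda: {"syns": 0, "sources": set()})
    for ts, src, dst, _port, flags in records:
        if flags == "S":
            entry = stats[(int(ts // window), dst)]
            entry["syns"] += 1
            entry["sources"].add(src)
    alerts = {}
    for (w, dst), entry in stats.items():
        if entry["syns"] > threshold:
            host = HOST_OF.get(dst)
            alerts[(w, dst)] = {
                "syns": entry["syns"],
                "distinct_sources": len(entry["sources"]),
                "kind": "DDoS" if len(entry["sources"]) > 1 else "DoS",
                # other VMs on the same physical host: indirect DoS exposure
                "indirect_dos_risk": sorted(vm for vm, h in HOST_OF.items()
                                            if h == host and vm != dst),
            }
    return alerts


def port_scan_alerts(records, window: float = 10.0, min_ports: int = 20) -> Dict[tuple, int]:
    """(window, src, dst) triples that touched at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for ts, src, dst, port, flags in records:
        if flags == "S":
            ports[(int(ts // window), src, dst)].add(port)
    return {key: len(p) for key, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = constructed_records()
    for key, alert in flood_alerts(recs).items():
        print("flood", key, alert)
    for key, n in port_scan_alerts(recs).items():
        print("scan", key, n, "ports")
```

Note what the two counters do not share: the flood detector keys on the destination and ignores who is sending, so a DDoS from many zombies still trips it, while the scan detector keys on the source and destination pair, so the zombies, each hitting one port, never look like scanners.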

2.5. Attacks on virtual machine (VM) or hypervisor

By compromising the lower layer hypervisor, an attacker can gain control over installed VMs. For example, BLUEPILL (Rutkowska, 2006), SubVirt (King et al., 2006) and DKSM (Bahram et al., 2010) are some well-known attacks on the virtual layer. Through these attacks, hackers may be able to compromise the installed hypervisor to gain control over the host.

New vulnerabilities, such as zero-day vulnerabilities, are found in Virtual Machines (VMs) (NIST: National vulnerability database, 2011) that attract an attacker to gain access to the hypervisor or other installed VMs. Zero-day exploits are used by attackers before the developer of the target software knows about the vulnerability. A zero-day vulnerability was exploited in the HyperVM virtualization application, which resulted in the destruction of many virtual server based websites (Goodin, 2009).

2.6. Backdoor channel attacks

It is a passive attack which allows a hacker to gain remote access to the infected node in order to compromise user confidentiality. Using backdoor channels, a hacker can control the victim's resources and can make it a zombie to attempt a DDoS attack. It can also be used to disclose the confidential data of the victim. Due to this, the compromised system faces difficulty in performing its regular tasks. In the Cloud environment, an attacker can get access to and control a Cloud user's resources through a backdoor channel and make a VM a zombie to initiate a DoS/DDoS attack.

A firewall (in Cloud) could be the common solution to prevent some of the attacks listed above. To prevent attacks on VM/Hypervisor, anomaly based intrusion detection techniques can be used. For flooding attacks and backdoor channel attacks, either signature based intrusion detection or anomaly based intrusion detection techniques can be used.

Table 1
Summary of firewalls (the summary column is cut off at the right margin in the source).

Firewall type | Summary
Static packet filtering firewalls | Allow/deny packet by inspecting only header in …; Do not detect malicious code in packets and ca …
Stateful packet filtering firewalls | Used in client server environment where client … firewall rules.; Requires additional resources like memory for s …
Stateful inspection firewalls | Enhanced form of stateful packet filtering firew …; Used for applications like FTP where multiple p … protocol.
Proxy firewalls | Can isolate internal network within Internet. An …; Require lots of network resources.

Fig. 1. Basic firewall installation (2011, http://teleco-network.blogspot.com/).

3. Firewalls: common solution to intrusions

Firewall protects the front access points of system and is
treated as the first line of defense. Firewalls are used to deny or
allow protocols, ports or IP addresses. It diverts incoming traffic
according to predefined policy. Basic firewall installation is shown
in Fig. 1 (2011, http://teleco-network.blogspot.com/), where it is
installed at entry point of servers. Several types of firewalls are
discussed in Sequeira (2002).

In Table 1, we summarize different firewalls used in network
for security purpose. As firewalls sniff the network packets at the
boundary of a network, insider attacks cannot be detected by
traditional firewalls. Few DoS or DDoS attacks are also too
complex to detect using traditional firewalls. For instance, if there
is an attack on port 80 (web service), firewalls cannot distinguish
good traffic from DoS attack traffic (2011, http://en.wikipedia.org/
wiki/Denial-of-service_attack).

4. IDS and IPS techniques: evolution

Another solution is to incorporate IDS or IPS in Cloud. However
the efficiency of IDS/IPS depends on parameters like technique
used in IDS, its positioning within network, its configuration, etc.
Traditional IDS/IPS techniques such as signature based detection,
anomaly detection, artificial intelligence (AI) based detection etc.
can be used for Cloud.

4.1. Signature based detection

Signature based intrusion detection attempts to define a set of
rules (or signatures) that can be used to decide that a given
pattern is that of an intruder. As a result, signature based systems
are capable of attaining high levels of accuracy and minimal
number of false positives in identifying intrusions. Little variation
in known attacks may also affect the analysis if a detection
system is not properly configured (Brown et al., 2002). Therefore,
signature based detection fails to detect unknown attacks or
variation of known attacks. One of the motivating reasons to
use signature based detection is ease in maintaining and updating
preconfigured rules. These signatures are composed by several
elements that identify the traffic. For example, in SNORT (2011,
https://www.snort.org/) the parts of a signature are the header

formation such as source or destination address, port numbers etc.

nnot prevent against spoofing and fragment attack.

initiates request and server responses which are allowed in bypassing the

tate tables maintained in hardware or software.

alls.

orts are used and examine the payload and open or close the ports as per the

alyze the protocol syntax by breaking up client/server connection.

C. Modi et al. / Journal of Network and Computer Applications 36 (2013) 42–57 45

(e.g. source address, destination address, ports) and its options
(e.g. payload, metadata), which are used to determine whether or
not the network traffic corresponds to a known signature.
Stiawan et al. (2010) presented some issues regarding signature
based intrusion prevention system and showed different possible
frameworks.

In the Cloud, the signature based intrusion detection technique can be used to detect known attacks. It can be used either at the front end of the Cloud to detect external intrusions or at the back end of the Cloud to detect external/internal intrusions. As in a traditional network, it cannot be used to detect unknown attacks in the Cloud. The approaches presented by Roschke et al. (2009), Bakshi and Yogesh (2010), Lo et al. (2008), and Mazzariello et al. (2010) use signature based intrusion detection systems for detecting intrusions on VMs (or at the front end of the Cloud environment). These approaches are discussed in a later section.
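As an added illustration of the signature structure described above (a header part naming addresses and ports, and an option part naming payload content), and not code from the survey or from SNORT itself, the following Python sketch parses a few simplified Snort-style rules and matches them against constructed packet records. The rule syntax, packets and payloads are all constructed for the example; it also shows the limitation noted above, that a small variation of a known payload escapes a literal content match.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed, simplified Snort-style rules (not real Snort rules):
#   action proto src_ip src_port -> dst_ip dst_port (option:value; ...)
RULES_TEXT = """
alert tcp any any -> 10.0.0.5 80 (msg:"WEB shell.php probe"; content:"GET /shell.php";)
alert tcp any any -> 10.0.0.0/24 21 (msg:"FTP root login"; content:"USER root";)
"""

HEADER_RE = re.compile(
    r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Rule:
    """Header part (who talks to whom) plus option part (what the payload contains)."""
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        options = {}
        for opt in m.group(7).split(";"):
            if ":" in opt:
                key, value = opt.split(":", 1)
                options[key.strip()] = value.strip().strip('"')
        rules.append(Rule(*m.groups()[:6], options=options))
    return rules


def ip_matches(pattern, ip):
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern, port):
    return pattern == "any" or int(pattern) == port


def rule_matches(rule, pkt):
    # Header part: protocol, addresses and ports must all agree.
    if rule.proto != pkt["proto"]:
        return False
    if not (ip_matches(rule.src_ip, pkt["src"]) and ip_matches(rule.dst_ip, pkt["dst"])):
        return False
    if not (port_matches(rule.src_port, pkt["sport"]) and port_matches(rule.dst_port, pkt["dport"])):
        return False
    # Option part: the content string must occur literally in the payload.
    content = rule.options.get("content")
    return content is None or content in pkt["payload"]


def detect(rules, packets):
    """Return (packet index, rule msg) for every packet that matches a signature."""
    return [(i, r.options.get("msg", "")) for i, pkt in enumerate(packets)
            for r in rules if rule_matches(r, pkt)]


# Constructed packet records. Packet 3 carries the same request as packet 0 with one
# URL-encoded character; the literal content match no longer fires, which is the
# "variation of a known attack" limitation noted in the text. A deployment would
# normalize (decode) the payload before matching to close that gap.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "10.0.0.5", "dport": 80,
     "payload": "GET /shell.php HTTP/1.1"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "10.0.0.5", "dport": 80,
     "payload": "GET /index.html HTTP/1.1"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40002, "dst": "10.0.0.21", "dport": 21,
     "payload": "USER root\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40003, "dst": "10.0.0.5", "dport": 80,
     "payload": "GET /sh%65ll.php HTTP/1.1"},
]

if __name__ == "__main__":
    for idx, msg in detect(parse_rules(RULES_TEXT), PACKETS):
        print(f"packet {idx}: {msg}")
```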

4.2. Anomaly detection

Anomaly (or behavioral) detection is concerned with identifying events that appear to be anomalous with respect to normal system behavior. A wide variety of techniques including data mining, statistical modeling and hidden Markov models have been explored as different ways to approach the anomaly detection problem. The anomaly based approach involves the collection of data relating to the behavior of legitimate users over a period of time, and then applying statistical tests to the observed behavior to determine whether that behavior is legitimate or not. It has the advantage of detecting attacks which have not been seen previously. The key element for using this approach efficiently is to generate rules in such a way that the false alarm rate is lowered for unknown as well as known attacks.

Dutkevyach et al. (2007) provided an anomaly based solution to prevent intrusions in real-time systems, which analyzes protocol based attacks and multidimensional traffic. However, there is scope for optimization to reduce the number of IPSs. Zhengbing et al. (2007) presented a lightweight intrusion detection system to detect intrusions in real time, efficiently and effectively. In this work, a behavior profile and data mining techniques are automatically maintained to detect cooperative attacks.

Anomaly detection techniques can be used in the Cloud to detect unknown attacks at different levels. In the Cloud, large numbers of events (network level or system level) occur, which makes it difficult to monitor or control intrusions using the anomaly detection technique. Garfinkel and Rosenblum (2003), Vieira et al. (2010), Dastjerdi et al. (2009) and Guan and Bao (2009) proposed anomaly detection techniques to detect intrusions at different layers of the Cloud.
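The statistical flavor of anomaly detection described above (collect legitimate behavior over a training period, then test new observations against it) as an added example that is not from the survey or any of the cited systems: a per-feature profile of one user's hourly activity, a z-score test, and the threshold that plays the role of the "rule" the text says must be tuned to keep the false alarm rate down. All samples and feature names are constructed.

```python
from statistics import mean, pstdev

FEATURES = ("logins", "failed_logins", "mb_out")

# Constructed baseline: eight hourly samples of one legitimate user's activity,
# collected during a training period.
BASELINE = [
    {"logins": 3, "failed_logins": 0, "mb_out": 12.0},
    {"logins": 2, "failed_logins": 1, "mb_out": 10.0},
    {"logins": 4, "failed_logins": 0, "mb_out": 15.0},
    {"logins": 3, "failed_logins": 0, "mb_out": 11.0},
    {"logins": 2, "failed_logins": 1, "mb_out": 13.0},
    {"logins": 3, "failed_logins": 0, "mb_out": 12.0},
    {"logins": 4, "failed_logins": 0, "mb_out": 14.0},
    {"logins": 3, "failed_logins": 0, "mb_out": 9.0},
]

# Constructed observations to test against the profile.
OBSERVATIONS = {
    "normal":   {"logins": 4, "failed_logins": 1, "mb_out": 14.0},
    "guessing": {"logins": 2, "failed_logins": 25, "mb_out": 11.0},   # burst of failed logins
    "bulk_out": {"logins": 3, "failed_logins": 0, "mb_out": 80.0},    # unusual outbound volume
    "busy":     {"logins": 6, "failed_logins": 0, "mb_out": 18.0},    # legitimate but busy hour
}


def build_profile(samples):
    """Per-feature mean and population standard deviation of legitimate behavior."""
    return {f: (mean(s[f] for s in samples), pstdev(s[f] for s in samples)) for f in FEATURES}


def z_scores(profile, observation):
    """Standardized deviation of each feature from the profile (the statistical test)."""
    scores = {}
    for f, (mu, sigma) in profile.items():
        sigma = max(sigma, 1e-6)   # a feature that never varied in training must not divide by zero
        scores[f] = (observation[f] - mu) / sigma
    return scores


def classify(profile, observation, threshold=3.0):
    """Return (anomalous?, most deviating feature, its z-score).

    `threshold` is the tunable rule: raising it lowers the false alarm rate on
    unusual-but-legitimate behavior at the cost of sensitivity.
    """
    scores = z_scores(profile, observation)
    worst = max(scores, key=lambda f: abs(scores[f]))
    return abs(scores[worst]) > threshold, worst, round(scores[worst], 2)


def evaluate(profile, observations, threshold=3.0):
    return {name: classify(profile, obs, threshold) for name, obs in observations.items()}


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for t in (3.0, 5.0):
        print(f"threshold {t}:", evaluate(profile, OBSERVATIONS, t))
```

At threshold 3.0 the "busy" hour is flagged (a false alarm); at 5.0 it passes while the two genuine deviations are still caught.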

The ability of soft computing techniques to deal with uncertain and partially true data makes them attractive for intrusion detection (Moradi and Zulkernine, 2004). There are many soft computing techniques, such as Artificial Neural Networks (ANN), fuzzy logic, association rule mining, Support Vector Machines (SVM), Genetic Algorithms (GA), etc., that can be used to improve the detection accuracy and efficiency of signature based or anomaly detection based IDS.

4.3. Artificial neural network (ANN) based IDS

The goal of using ANNs (Han and Kamber, 2006) for intrusion detection is to be able to generalize from incomplete data and to classify data as being normal or intrusive (Ibrahim, 2010). The types of ANN used in IDS are (Ibrahim, 2010): Multi-Layer Feed-Forward (MLFF) neural nets, Multi-Layer Perceptron (MLP) and Back Propagation (BP).

Cannady (1998) proposed a three layer neural network for misuse detection in networks. The feature vector used in Cannady (1998) was composed of nine network features (Protocol ID, Source Port, Destination Port, Source IP Address, Destination IP Address, ICMP Type, ICMP Code, Raw Data Length, Raw Data). However, the intrusion detection accuracy is very low. Moradi and Zulkernine (2004) presented an MLP based IDS. They showed that the inclusion of more hidden layers increases the detection accuracy of the IDS. This approach improves the detection accuracy of the approach proposed in Cannady (1998). Grediaga et al. (2006) compared the success rate in finding intrusions with MLP and a self organizing map (SOM) and showed that SOM has higher detection accuracy than ANN. It is claimed that the Distributed Time Delay Neural Network (DTDNN) (Ibrahim, 2010) has higher detection accuracy for most network attacks. DTDNN is a simple and efficient solution for classifying data with high speed and fast conversion rates. The accuracy of this approach can be improved by combining it with the other soft computing techniques mentioned above.

An ANN based IDS is an efficient solution for unstructured network data. The intrusion detection accuracy of this approach depends on the number of hidden layers and the training phase of the ANN.

An approach proposed by Vieira et al. (2010) uses an ANN based anomaly detection technique for the Cloud environment, which requires more training samples as well as more time for detecting intrusions effectively.

4.4. Fuzzy logic based IDS

Fuzzy logic (Han and Kamber, 2006) can be used to deal with inexact descriptions of intrusions.

Tillapart et al. (2002) proposed a Fuzzy IDS (FIDS) for network intrusions like SYN and UDP floods, Ping of Death, E-mail Bomb, FTP/Telnet password guessing and port scanning. The evolving fuzzy neural network (EFuNN) is introduced in Chavan et al. (2004) for reducing the training time of an ANN. It uses a mixture of supervised and unsupervised learning. The experimental results shown indicate that, using a reduced number of inputs, EFuNN has better classification accuracy for IDS than using an ANN alone. The approaches proposed by Tillapart et al. (2002) and Chavan et al. (2004) cannot be used in real time for detecting network intrusions, as the training time is significant. Fuzzy association rules presented by Su et al. (2009) are used to detect network intrusions in real time. Two rule sets are generated and mined online from training data. The features for comparison are taken from the network packet header. This approach is used for large scale DoS/DDoS attacks.

To reduce the training time of an ANN (Vieira et al., 2010), fuzzy logic with ANN can be used for fast detection of unknown attacks in the Cloud.

4.5. Association rule based IDS

Some intrusion attacks are formed on the basis of known attacks or are variants of known attacks. To detect such attacks, the signature apriori algorithm (Han et al., 2002) can be used, which finds frequent subsets (containing some features of the original attack) of a given attack set.

Han et al. (2002) proposed network based intrusion detection using a data mining technique. In this approach, the signature based algorithm generates signatures for misuse detection. However, the drawback of the proposed algorithm is the time it consumes to generate signatures. Zhengbing et al. (2008) solved the database scanning time problem examined in Han et al. (2002). They proposed a scanning reduction algorithm to reduce the number of database scans for effectively generating signatures from previously known attacks. However, it has a very high false positive alarm rate since unwanted patterns are produced. Lei et al. (2010) proposed a length decreasing support based apriori algorithm to detect intrusions, which reduces the production of short patterns as derived by Han et al. (2002) and Zhengbing et al. (2008) and allows some interesting patterns. It is faster than other apriori based approaches.

In the Cloud, association rules can be used to generate new signatures. Using the newly generated signatures, variations of known attacks can be detected in real time.
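The apriori idea behind the approaches above, as an added example that is not the algorithm of Han et al., Zhengbing et al. or Lei et al.: a plain level-wise apriori over a constructed set of attack records (each a set of header features), counting the database scans it needs, keeping the maximal frequent feature subsets as candidate signatures, and matching a not-yet-seen variant against them. The feature encoding, records and minimum support are constructed for the example; the "short pattern" count the text mentions is visible as the size of the frequent set relative to the signatures kept.

```python
from itertools import combinations

# Constructed attack records: the header features of captured attack instances
# (several variants of one SYN-style pattern plus one unrelated record).
ATTACKS = [
    frozenset({"proto=tcp", "flags=S", "dport=80", "src=203.0.113.7", "len=40"}),
    frozenset({"proto=tcp", "flags=S", "dport=80", "src=203.0.113.8", "len=40"}),
    frozenset({"proto=tcp", "flags=S", "dport=443", "src=203.0.113.9", "len=40"}),
    frozenset({"proto=tcp", "flags=S", "dport=80", "src=198.51.100.2", "len=60"}),
    frozenset({"proto=udp", "dport=53", "src=198.51.100.3", "len=512"}),
]


def apriori(transactions, min_support):
    """Return ({frequent itemset: count}, number of passes over the database).

    min_support is an absolute record count. Each level costs one scan, which is
    the cost that the scanning-reduction work cited in the text tries to cut.
    """
    scans = 0
    counts = {}
    for t in transactions:                       # level 1: one pass for single items
        for item in t:
            key = frozenset([item])
            counts[key] = counts.get(key, 0) + 1
    scans += 1
    frequent = {s: c for s, c in counts.items() if c >= min_support}
    level = set(frequent)
    k = 2
    while level:
        # Join (k-1)-itemsets into k-candidates, pruning any candidate with an
        # infrequent (k-1)-subset (the anti-monotone property).
        candidates = set()
        for a, b in combinations(level, 2):
            u = a | b
            if len(u) == k and all(frozenset(sub) in level for sub in combinations(u, k - 1)):
                candidates.add(u)
        if not candidates:
            break
        counts = {c: 0 for c in candidates}
        for t in transactions:                   # one more database scan per level
            for c in candidates:
                if c <= t:
                    counts[c] += 1
        scans += 1
        level = {c for c, n in counts.items() if n >= min_support}
        frequent.update({c: counts[c] for c in level})
        k += 1
    return frequent, scans


def signatures(frequent):
    """Maximal frequent itemsets: the candidate signatures; everything else is a
    shorter sub-pattern that would only add false positives."""
    return [s for s in frequent if not any(s < other for other in frequent)]


def matching_signatures(sigs, features):
    """Signatures fully contained in a new record's feature set."""
    return [s for s in sigs if s <= features]


# Constructed records never seen in ATTACKS: a variant from a new source, and a
# benign-looking record that lacks the SYN flag.
NEW_VARIANT = frozenset({"proto=tcp", "flags=S", "dport=80", "src=192.0.2.44", "len=40"})
NEW_BENIGN = frozenset({"proto=tcp", "flags=A", "dport=80", "src=192.0.2.45", "len=40"})

if __name__ == "__main__":
    freq, scans = apriori(ATTACKS, min_support=3)
    sigs = signatures(freq)
    print(f"{len(freq)} frequent patterns after {scans} scans, {len(sigs)} kept as signatures")
    for s in sigs:
        print(" ", sorted(s))
    print("variant hits:", len(matching_signatures(sigs, NEW_VARIANT)))
```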

4.6. Support vector machine (SVM) based IDS

SVM (Han and Kamber, 2006) is used to detect intrusions based on limited sample data, where the dimensionality of the data does not affect the accuracy.

In Chen et al. (2005), it is shown that the results (regarding false positive rate) are better in the case of SVM compared with ANN, since an ANN requires a large amount of training samples for effective classification, whereas an SVM has fewer parameters to set. However, SVM is used only for binary data. Nevertheless, detection accuracy can be improved by combining SVM with other techniques (Li and Lu, 2010). Li and Lu (2010) designed an intelligent module for a network intrusion prevention system with a combination of SNORT and a configurable firewall. The SVM classifier is also used with SNORT to reduce the false alarm rate and improve the accuracy of the IPS.

In the Cloud, if limited sample data are given for detecting intrusions, then the use of SVM is an efficient solution, since the dimensionality of the data does not affect the accuracy of an SVM based IDS.

4.7. Genetic algorithm (GA) based IDS

Genetic algorithms (GAs) (Dhanalakshmi and Ramesh Babu, 2008; Li, 2004) are used to select network features (to determine optimal parameters) which can be used in other techniques for achieving result optimization and improving the accuracy of an IDS.

Gong et al. (2005) used seven features (Duration, Protocol, Source_port, Destination_port, Source_IP, Destination_IP, Attack_name) of captured packets. They used a support confidence based framework for the fitness function, which is simple and flexible. Generated rules are used to detect network intrusions. The paper uses quantitative as well as categorical features of the network for generating classification rules. This increases the detection rate and improves accuracy. However, the limitation of this approach is the best fit problem. Lu and Traore (2004) presented a GP based approach to generate rules from network features. They used a support confidence based fitness function for deriving rules, which classifies network intrusions effectively. However, the training period for the fitness function takes more time. Xiao et al. (2005) proposed an information theory and GA based approach that is used to detect abnormal behavior. It identifies a small number of network features closely related to network attacks based on the mutual information between network features and the type of intrusion. However, this approach only considers discrete features. Dhanalakshmi and Ramesh Babu (2008) proposed a method which is used to detect misuse and anomaly by combining fuzzy and genetic algorithms. Fuzzy logic is used to include quantitative parameters in intrusion detection, whereas the genetic algorithm is used to find the best fit parameters of the introduced numerical fuzzy function. This approach solves the best fit problem reported by Lu and Traore (2004).

Fig. 2. Architecture of NeGPAIM (Botha et al., 2002). [Figure not reproduced; components shown: users; host-based, network-based and application information sources; collector; information refiner; central DBMS and central database; couplers; internal manager; central analysis engine; fuzzy engine with template DB; neural engine with user behavior DB; internal and external responders; external manager GUI; client, external host and internal host.]

In Cloud environment, selection of optimal parameters (net-
work features) for intrusion detection will increase the accuracy
of underlying IDS. For that, Genetic algorithm (GA) based IDS can
be used in Cloud.

4.8. Hybrid techniques

Hybrid techniques use a combination of two or more of the above techniques.

As shown in Fig. 2 (Botha et al., 2002), NeGPAIM is based on a hybrid technique combining two low level components, fuzzy logic for misuse detection and neural networks for anomaly detection, and one high level component, a central engine analyzing the outcome of the two low level components. It is an effective model, which does not require dynamic updates of rules.


To improve the performance of IDS, Katar (2006) presented an approach which uses a combination of Naïve Bayes, ANN and Decision Tree (DT) classifiers on three separate sets of input data. The independent output of each classifier is generated and combined using multiple fusion techniques. This approach uses the advantages of each classifier and improves the overall performance of the IDS.

It is advantageous to use soft computing techniques on traditional IDS for the Cloud environment. However, each technique has some advantages and limitations, which affect the performance of the IDS. For example, the higher time consumption to train an ANN and lesser flexibility are the major drawbacks of ANN. Combining fuzzy logic with data mining techniques improves flexibility. GA with fuzzy logic enhances the performance of IDS, since GA selects the best fit rules for the IDS. GA has better efficiency for matching patterns, but in a specific manner rather than a general one (Beg et al., 2010). For handling a large number of network features, SVM is preferable. Association rule based IDS is efficient only for correlated attacks. Moreover, the efficiency of association rule based IDS depends on the knowledge base used.

In Table 2, a summary of existing IDS/IPS techniques is presented with their strengths and limitations.

Table 2
Summary of IDS/IPS techniques.

Signature based detection
Characteristics/advantages:
• Identifies intrusion by matching captured patterns with a preconfigured knowledge base.
• High detection accuracy for previously known attacks.
• Low computational cost.
Limitations/challenges:
• Cannot detect new or variant of known attacks.
• High false alarm rate for unknown attacks.

Anomaly detection
Characteristics/advantages:
• Uses statistical tests on collected behavior to identify intrusion.
• Can lower the false alarm rate for unknown attacks.
Limitations/challenges:
• More time is required to identify attacks.
• Detection accuracy is based on the amount of collected behavior or features.

ANN based IDS
Characteristics/advantages:
• Classifies unstructured network packets efficiently.
• Multiple hidden layers in ANN increase the efficiency of classification.
Limitations/challenges:
• Requires more time and more samples in the training phase.
• Has lesser flexibility.

Fuzzy logic based IDS
Characteristics/advantages:
• Used for quantitative features.
• Provides better flexibility to some uncertain problems.
Limitations/challenges:
• Detection accuracy is lower than ANN.

Association rules based IDS
Characteristics/advantages:
• Used to detect known attack signatures or relevant attacks in misuse detection.
Limitations/challenges:
• It cannot detect totally unknown attacks.
• It requires more database scans to generate rules.
• Used only for misuse detection.

SVM based IDS
Characteristics/advantages:
• It can correctly classify intrusions if limited sample data are given.
• Can handle a massive number of features.
Limitations/challenges:
• It can classify only discrete features, so preprocessing of those features is required.

GA based IDS
Characteristics/advantages:
• It is used to select the best features for detection.
• Has better efficiency.
Limitations/challenges:
• It is a complex method.
• Used in a specific manner rather than a general one.

Hybrid techniques
Characteristics/advantages:
• It is an efficient approach to classify rules accurately.
Limitations/challenges:
• Computational cost is high.

5. Various types of IDS/IPS used in Cloud computing

There are mainly four types of IDS used in the Cloud: Host based intrusion detection system (HIDS), Network based intrusion detection system (NIDS), Hypervisor based intrusion detection system and Distributed intrusion detection system (DIDS).

5.1. Host based intrusion detection systems (HIDS)

HIDS monitors and analyzes the information collected from a specific host machine. HIDS detects intrusions for the machine by collecting information such as the file system used, network events, system calls, etc. HIDS observes modifications in the host kernel, the host file system and the behavior of programs. Upon detecting a deviation from expected behavior, it reports the existence of an attack. The efficiency of HIDS depends on the system characteristics chosen for monitoring. Each HIDS detects intrusions for the machine on which it is placed, as shown in Fig. 3.

With respect to Cloud computing, HIDS can be placed on a host machine, VM or hypervisor to detect intrusive behavior through monitoring and analyzing log files, security access control policies, and user login information. If installed on a VM, the HIDS should be monitored by the Cloud user, whereas if it is installed on the hypervisor, the Cloud provider should monitor it (Cox, 2011).

A HIDS based architecture for the Cloud environment is proposed by Vieira et al. (2010). In this architecture, each node of the Grid/Cloud contains an IDS which provides interaction among the service offered (e.g. IaaS), the IDS service and the storage service. As shown in Fig. 4 (Vieira et al., 2010), the IDS service is composed of two components: Analyzer and Alert System.

The event auditor captures data from various resources like system logs. Based on the data received from the event auditor, the IDS service detects intrusions by using a behavior based technique or a knowledge based technique. The knowledge based technique is used to detect known attacks, whereas the behavior based technique is used to detect unknown attacks. For detecting unknown attacks, an artificial neural network (ANN) is used in this approach. When any attack or intrusion is detected, the alert system informs the other nodes. So, this approach is efficient even for detecting unknown attacks by applying a feed forward ANN.

The experiments demonstrated by Vieira et al. (2010) show that the false positive and false negative alarm rates are very low when large numbers of training samples are applied for the behavior analysis method. The limitation of this approach is that it cannot detect any insider intrusions which are running on VMs.

For effective usage of Cloud resources, multilevel IDS and log management (Lee et al., 2011) is applied at different levels of


security strength (e.g. high, medium, and low) to users based on the degree of anomaly. As shown in Fig. 5, AAA is used for authentication, authorization and accounting. The authenticated user's information (stored in the database) is used to calculate the anomaly level. AAA uses the anomaly level to select the proper IDS that has the corresponding security level. Then the host OS (where the selected

Fig. 3. Host based intrusion detection system (HIDS) (2011, http://maltainfosec.org/archives/26-The-concept-of-Intrusion-Detection-Systems.html).

Fig. 4. IDS architecture for Grid/Cloud environment (Vieira et al., 2010). [Figure not reproduced; each Grid node shows an event auditor, the offered service, the IDS service (analyzer and alert system) and the storage service (knowledge base and behavior base).]

IDS is installed) is requested to assign a guest OS image to the user. The database stores user information, system logs and user and system transactions, whereas the storage center stores users' private data, which are isolated from one user to another. This approach provides a fast detection mechanism. However, it requires more guest OSs (having IDS) for high level users.

Guan and Bao (2009) proposed a change point based idea to detect all types of attacks in the attack space. In this approach, all attacks are taken as a sample space. Then the set is decomposed using statistics based on mutually exclusive sets. The generated subsets which belong to the sample space are used to construct the intrusion detection algorithm. However, no experimental results or deployment mechanisms are reported yet.

In the self-similarity based lightweight intrusion detection method for Cloud computing (Kwon et al., 2011), the number of events from the Windows security event log is extracted. The feature selection procedure makes groups by combining the security ID (SID) and EventID in the Windows system. Then each VM measures self-similarity. Self-similarity is calculated using two techniques, viz. cosine and hybrid (Kwon et al., 2011). If the calculated similarity deviates from normal behavior, the IDS generates alerts. The outlier source procedure identifies the intruder and the associated IP address. Then the IDS reports the information to a system administrator. This approach is cost effective and efficient for detecting anomalies in the Cloud environment. However, it works only for Windows systems.
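The cosine variant of the self-similarity check described above, as an added example that is not the method of Kwon et al. (2011) but an approximation of its steps: group events by (SID, EventID), build one count vector per time window, compare each window to a baseline of normal windows by cosine similarity, and name the group and source address behind a low-similarity window. The log records, SIDs, hosts and threshold are constructed; the "hybrid" measure of the paper is not implemented.

```python
import math
from collections import Counter, defaultdict

# Constructed Windows security-log style records: (time window, SID, EventID, source IP).
# EventIDs used: 4624 successful logon, 4625 failed logon, 4672 special privileges assigned.
S1, S2 = "S-1-5-21-1", "S-1-5-21-2"
EVENTS = [
    # windows 0-2: routine activity from the usual hosts
    (0, S1, 4624, "10.0.0.11"), (0, S1, 4624, "10.0.0.11"), (0, S1, 4672, "10.0.0.11"),
    (0, S2, 4624, "10.0.0.12"), (0, S2, 4624, "10.0.0.12"), (0, S1, 4625, "10.0.0.11"),
    (1, S1, 4624, "10.0.0.11"), (1, S1, 4624, "10.0.0.11"), (1, S1, 4672, "10.0.0.11"),
    (1, S2, 4624, "10.0.0.12"),
    (2, S1, 4624, "10.0.0.11"), (2, S1, 4672, "10.0.0.11"), (2, S2, 4624, "10.0.0.12"),
    (2, S2, 4624, "10.0.0.12"), (2, S1, 4625, "10.0.0.11"),
    # window 3: a burst of failed logons for S1 from a host never seen before
    (3, S1, 4624, "10.0.0.11"), (3, S2, 4624, "10.0.0.12"),
] + [(3, S1, 4625, "203.0.113.5")] * 12


def group_vectors(events):
    """Per window, a count vector keyed by the (SID, EventID) feature group."""
    per_window = defaultdict(Counter)
    for window, sid, event_id, _ in events:
        per_window[window][(sid, event_id)] += 1
    return per_window


def cosine(a, b):
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def baseline(per_window, normal_windows):
    """Summed counts over windows known to be normal; scale does not affect cosine."""
    base = Counter()
    for window in normal_windows:
        base.update(per_window[window])
    return base


def outlier_source(events, window, vec, base):
    """Feature group whose share of the window grew most against the baseline,
    plus the source addresses that produced it."""
    total_w, total_b = sum(vec.values()), sum(base.values())
    worst = max(vec, key=lambda g: vec[g] / total_w - base.get(g, 0) / total_b)
    ips = sorted({ip for w, sid, eid, ip in events if w == window and (sid, eid) == worst})
    return worst, ips


def detect(events, normal_windows, threshold=0.8):
    """Return (window, similarity, (group, ips)) for every window below threshold."""
    per_window = group_vectors(events)
    base = baseline(per_window, normal_windows)
    alerts = []
    for window in sorted(per_window):
        sim = cosine(per_window[window], base)
        if sim < threshold:
            alerts.append((window, round(sim, 3),
                           outlier_source(events, window, per_window[window], base)))
    return alerts


if __name__ == "__main__":
    for window, sim, (group, ips) in detect(EVENTS, normal_windows=(0, 1, 2)):
        print(f"window {window}: similarity {sim}, group {group}, sources {ips}")
```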

Arshad et al. (2011) proposed an abstract model for intrusion detection and severity analysis to provide the overall security of the Cloud. It consists of six components, viz. system call handler, detection module, severity analysis module, profile engines, global components and intrusion response system. The system call handler collects the system calls executed by the guest VM. The detection module applies anomaly or signature based techniques to the collected system calls for detecting intrusions in the VM. The severity analysis module calculates the severity of a detected intrusion for the victim VM. The profile engine generates and manages profiles specific


Fig. 5. Multilevel IDS architecture (Lee et al., 2011). [Figure not reproduced; it shows a terminal reaching, over the Internet, AAA, a storage center and a database, and hosts each consisting of a hypervisor, host OS, multi-IDS and guest OSs.]


to the VM. These profiles are used for differentiating the malicious and normal behavior of a user. Global components are used for the overall infrastructure, including the resource manager, scheduler, profiles and other security components. The intrusion response system is used to select the appropriate response mechanism for a particular intrusion. This approach has minimal response time and human intervention. However, experimental results are not evaluated.

5.2. Network based intrusion detection system (NIDS)

NIDS monitors network traffic to detect malicious activity such as DoS attacks, port scans or even attempts to crack into computers. The information collected from the network is compared with known attacks for intrusion detection. NIDS has a stronger detection mechanism to detect network intruders by comparing current behavior with already observed behavior in real time. NIDS mostly monitors the IP and transport layer headers of individual packets and detects intrusion activity. NIDS uses signature based and anomaly based intrusion detection techniques. NIDS has very limited visibility inside the host machines. If the network traffic is encrypted, there is no effective way for the NIDS to decrypt the traffic for analysis.

Hemairy et al. (2009) surveyed the security solutions that can be applied to detect ARP spoofing attacks through experiments and implementation. They concluded that the XArp 2 tool (2011, http://www.filecluster.com/Network-Tools/Network-Monitoring/Download-XArp.html) is an efficient available security solution that can accurately detect ARP spoofing attacks among other tools. By combining it with ARP request storm and ARP scanning detection mechanisms, its performance can be improved.

Fig. 6 represents the positioning of a NIDS in a typical network, with the aim of directing the traffic through the NIDS. The NIDS is placed between the firewall and the various hosts of the network.

A NIDS can be deployed on the Cloud server interacting with the external network, for detecting network attacks on the VMs and the hypervisor. However, it has several limitations. It cannot help when the attack is within a virtual network that runs entirely inside the hypervisor. In the Cloud environment, installing a NIDS is the responsibility of the Cloud provider.

The VM compatible IDS architecture proposed by Roschke et al. (2009) is shown in Fig. 7. There are mainly two components used in this approach: the IDS management unit and the IDS sensor.

The IDS management unit consists of an event gatherer, event database, analysis component and remote controller. The event gatherer collects malicious behavior identified by the IDS sensors and stores it in the event database. The event database stores information regarding captured events. The analysis component (configured by users) accesses the event database and analyzes events. IDS-VMs are managed by the IDS Remote Controller, which can communicate with IDS-VMs and IDS sensors. The IDS sensors on the VMs detect and report malicious behavior and transmit triggered events to the event gatherer. Sensors can be NIDS configured by the IDS remote controller. In this approach, new sensors can be easily integrated, requiring only a sender/receiver pair to connect to the event gatherer. IDS-VM management controls, monitors and configures VMs. The VM management can also recover VMs. This approach is used in virtualized environments to prevent VMs from being compromised. However, this approach requires multiple instances of IDS.

In the approach proposed by Bakshi and Yogesh (2010) for detecting DDoS attacks in VMs, an IDS is installed in the virtual switch to log incoming or outgoing traffic into a database. To detect known attacks, the logged packets are analyzed and compared by the IDS in real time with known signatures. The IDS determines the nature of the attack and notifies the virtual server. Then the virtual server drops packets coming from the specified IP address. If the attack type is DDoS, all the zombie machines are blocked. The virtual server then transfers the targeted applications to other machines hosted by a separate data center, and routing tables are immediately updated. A firewall (placed at the new server) blocks all the packets coming from the identified IP address. This approach can block DDoS attacks in a virtualized environment and can secure services running on virtual machines.


Mazzariello and Bifulco (2010) presented SNORT based misuse detection in the open source Eucalyptus Cloud. In this approach, SNORT is deployed at the Cloud controller (CC) as well as on the physical machines (hosting virtual machines) to detect intrusions coming from the external network. This approach solves the problem of deploying multiple instances of IDS as in Bakshi and Yogesh (2010). It is a fast and cost effective solution. However, it can detect only known attacks since only SNORT (2011, https://www.snort.org/) is involved.

Hamad and Hoby (2012) proposed a method for providing Intrusion Detection as a Service in the Cloud, which delivers Snort to Cloud clients in a service-based manner. Fig. 8 shows the subscription and IDS operation requests of the Cloud intrusion detection service (CIDS). User requests related to subscription details are forwarded to the database layer, whereas IDS operation requests are forwarded to the system layer. The system layer and the database layer can communicate with each other to translate preferences (that exist in the database layer) into runtime configurations that are used at the system layer. The limitation of this service is that it can detect only known attacks at the network level.

Fig. 6. Network based intrusion detection system (2011, http://maltainfosec.org/archives/26-The-concept-of-Intrusion-Detection-Systems.html).

Fig. 7. Architecture of VM integrated IDS management (Roschke et al., 2009).

Sandar and Shenai (2012) introduced a new type of DDoS attack, called Economic Denial of Sustainability (EDoS), in Cloud services and proposed a solution framework for EDoS protection. An EDoS attack can be described as an HTTP and XML based DDoS attack. The EDoS protection framework uses a firewall and a puzzle server to detect EDoS attacks. The firewall is used to detect EDoS at the entry point of the Cloud, whereas the puzzle server is used to authenticate users. In this work, the authors demonstrated an EDoS attack in the Amazon EC2 Cloud. However, the proposed solution is not efficient since it uses only a traditional firewall. Research is still needed to detect EDoS attacks in the Cloud.

Houmansadr et al. (2011) proposed a Cloud based intrusion detection and response system for mobile phones. In this approach, intrusion detection and response services are delivered to registered smartphones. It replicates the smartphone in a VM in the Cloud using a proxy that copies the traffic incoming to the device. This traffic is used for intrusion detection. If any intrusion is detected, the intrusion response mechanism selects an action for the detected intrusion and sends a non-intrusive software agent to the device.

5.3. Distributed intrusion detection system (DIDS)

A Distributed IDS (DIDS) consists of several IDSs (e.g. HIDS, NIDS, etc.) over a large network, all of which communicate with each other, or with a central server that enables network monitoring. The intrusion detection components collect the system information and convert it into a standardized form to be passed to the central analyzer. The central analyzer is a machine that aggregates information from multiple IDSs and analyzes it. A combination of anomaly and signature based detection approaches is used for the analysis. DIDS can be used for detecting known and unknown attacks since it takes advantage of both NIDS and HIDS (Jones and Sielken, 2000). Fig. 9 demonstrates the working of a DIDS.

In the Cloud environment, a DIDS can be placed at the host machine or at the processing server (in the backend).

In the cooperative agent based approach (Lo et al., 2008), an individual NIDS module is deployed in each Cloud region, as shown in Fig. 10 (Lo et al., 2008). If any Cloud region detects an intrusion, it alerts the other regions. Each IDS sends alerts to the others to judge the severity of the alert. If a new attack is detected, a new blocking rule is added to the block list. So, this type of detection and prevention helps to resist attacks in the Cloud.

[Caption fragment: ... management (Roschke et al., 2009).]

[Fig. 8. Intrusion detection as a service in Cloud (Hamad and Hoby, 2012). Block diagram: User Layer (User, User Requests), System Layer (Dispatch subscription requests, Dispatch protection requests, Configure requests to Runtime configuration, Update subscription, Update protection, Review alerts) and Database Layer (Cloud IDS Subscription DB).]

[Fig. 9. Distributed intrusion detection system (DIDS). Block diagram: Internet, Firewall, Network Router, IDS 1 to IDS 5.]

[Fig. 10. Block diagram of cooperative agent based approach (Lo et al., 2008). Components: Internet, Intrusion Detection, Alert Clustering, Threshold Check, Response & Block, Cooperative Agent.]

C. Modi et al. / Journal of Network and Computer Applications 36 (2013) 42–57 51

The system architecture consists of intrusion detection, alert clustering, threshold check, intrusion response and blocking, and a cooperative agent. When an intrusion is detected, the region drops the attacker's packets and sends an alert about the attack to the other regions. The alert clustering module collects the alerts produced by the other regions, and whether an alert is true or false is decided after calculating the severity of the collected alerts. This approach is suitable for protecting the Cloud system from the single point of failure caused by a DDoS attack.

Dastjerdi and Bakar (2009) proposed a scalable, flexible and cost-effective method to detect intrusions in Cloud applications regardless of their location, using mobile agents. The method aims to protect VMs that are outside the organization: a mobile agent collects evidence of an attack from all the attacked VMs for further analysis and auditing, so intrusions can be detected in VMs that have migrated outside the organization. However, it produces more network load.

Ram (2012) proposed a mutual agent based approach to detect DDoS attacks in Cloud computing. As in Lo et al. (2008), an IDS module is deployed in each Cloud region. If any region finds an intrusion, the mutual agent at that region notifies the other regions, and each region calculates the severity of the alerts generated by the others. If a new attack is confirmed after calculating the severity, a new blocking rule is added into the block table at each region. In this way, a DDoS attack is detected across the whole Cloud through mutual cooperation among regions. Snort is used for intrusion detection, so known network attacks can be detected but unknown attacks cannot. Exchanging alerts also incurs a high computation cost.
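As an added illustration (not code from Lo et al. (2008) or Ram (2012)), the following Python simulation models the region-level cooperation described in the two approaches above: each region's IDS drops the attacker's packet and alerts its peers, each peer clusters the alerts it collects per source address, scores their severity, and adds a blocking rule to its block table once the score passes a threshold. The severity weights, the threshold and the sample alert stream are assumptions.

```python
from dataclasses import dataclass, field

# Assumed severity weights per signature class and the block threshold; the
# papers give no concrete values, so these are illustrative only.
SEVERITY = {"port_scan": 1, "syn_flood": 3, "http_flood": 3, "exploit": 5}
THRESHOLD = 6


@dataclass
class Alert:
    region: str      # region whose IDS raised the alert
    src_ip: str      # attacker address the alert is about
    signature: str   # class of event the local (Snort-style) signature matched


@dataclass
class Region:
    name: str
    peers: list = field(default_factory=list)      # the other Cloud regions
    received: list = field(default_factory=list)   # alerts collected from peers
    block_table: set = field(default_factory=set)  # blocking rules, by source
    dropped: int = 0                               # packets dropped locally

    def local_detect(self, src_ip, signature):
        """Intrusion detection module: drop the packet and tell every other
        region what was seen (the cooperative agent's outbound side)."""
        self.dropped += 1
        alert = Alert(self.name, src_ip, signature)
        for peer in self.peers:
            peer.cooperative_receive(alert)

    def cooperative_receive(self, alert):
        """Cooperative agent: collect a peer's alert, then re-judge that source."""
        self.received.append(alert)
        self.threshold_check(alert.src_ip)

    def clustered_severity(self, src_ip):
        """Alert clustering: sum the severity of all peer alerts about one source."""
        return sum(SEVERITY.get(a.signature, 1)
                   for a in self.received if a.src_ip == src_ip)

    def threshold_check(self, src_ip):
        """Threshold check -> response & block: once the collected alerts are
        severe enough, add a blocking rule to this region's block table."""
        if src_ip not in self.block_table and \
                self.clustered_severity(src_ip) >= THRESHOLD:
            self.block_table.add(src_ip)


def build_cloud(names):
    """Wire up regions so that every region is a peer of every other."""
    regions = {n: Region(n) for n in names}
    for r in regions.values():
        r.peers = [p for p in regions.values() if p is not r]
    return regions


def run_scenario():
    """Constructed scenario: a lone port scan against one region, and a SYN
    flood from one source that three regions see independently."""
    regions = build_cloud(["A", "B", "C"])
    regions["A"].local_detect("198.51.100.7", "port_scan")
    regions["A"].local_detect("203.0.113.9", "syn_flood")
    regions["B"].local_detect("203.0.113.9", "syn_flood")
    regions["C"].local_detect("203.0.113.9", "syn_flood")
    return regions


if __name__ == "__main__":
    for name, region in run_scenario().items():
        print(name, "blocks", sorted(region.block_table))
```

Running it shows that only the source seen by all three regions ends up in every block table, while the single port scan stays below the threshold. The computation cost the text mentions is visible in the structure: every local detection triggers an alert to every peer and a re-evaluation at each of them, so alert traffic grows with the square of the number of regions.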

5.4. Hypervisor-based intrusion detection system

A hypervisor is the platform on which VMs run. A hypervisor-based intrusion detection system runs at the hypervisor layer. It allows the user to monitor and analyze communications between VMs, between the hypervisor and a VM, and within the hypervisor-based virtual network. The availability of this information is one of the main benefits of a hypervisor-based IDS.

The VM introspection based IDS (Garfinkel and Rosenblum, 2003) is one example of a hypervisor-based intrusion detection system. Hypervisor-based IDS is one of the important techniques, specifically in Cloud computing, for detecting intrusions in a virtual environment.

The virtual machine introspection based IDS (VMI-IDS) architecture is shown in Fig. 11 (Garfinkel and Rosenblum, 2003). A VMI-IDS differs from a traditional HIDS in that it directly observes the hardware state, events and software state of the host, and so offers a more robust view of the system than a HIDS. The virtual machine monitor (VMM) is responsible for hardware virtualization and also offers the isolation, monitoring and interposition properties. The VMI-IDS has greater access to the VMM than the code running in the monitored VM.

[Fig. 11. VMI-based IDS architecture (Garfinkel and Rosenblum, 2003).]

[Fig. 12. Network based intrusion prevention system (2011, http://www.javvin.com/networksecurity/IPS.html). Topology: Attacker and Internet; an IPS in front of the Router/Firewall/Proxy; an Ethernet Switch; further IPSs protecting the Protected DMZ, the Protected Internal Subnet and the Protected Internal Resources.]

The VMM interface is used by the VMI-IDS to communicate with the VMM; it allows the VMI-IDS to obtain VM state information, monitor certain events and control VMs. This interface is composed of a Unix socket over which commands are sent to and responses received from the VMM, and it also supports physical memory access to the monitored VM. The OS interface library interprets the low-level machine state obtained from the VMM in terms of higher-level OS structures. The policy engine is incorporated for making high-level queries about the OS of the monitored host, and it responds appropriately even if the system is compromised. The VMI-IDS implements complex anomaly detection; it is used for lie detection, signature detection, program integrity detection and raw socket detection. According to the results reported by Garfinkel and Rosenblum (2003), the performance of the policy engine is good in terms of workload and time. However, the VMM or the OS library can be compromised.
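The following added Python example (not Garfinkel and Rosenblum's code) shows the lie detection use of the three components just described: a VMM interface that exposes guest physical memory, an OS interface library that walks a task list in that memory, and a policy engine that compares the introspected process list with what the guest itself reports. The task-struct layout, the init_task address and the sample memory image are constructed assumptions.

```python
import struct

# Assumed (toy) guest kernel layout, the kind of information a real OS
# interface library takes from the guest's symbol table: a circular list of
# 32-byte task structs starting at init_task.
TASK_SIZE = 32
OFF_PID, OFF_NEXT, OFF_COMM = 0, 4, 8   # u32 pid, u32 next (guest-physical), 16-byte name
INIT_TASK_ADDR = 0x1000


class VMMInterface:
    """Stands in for the VMM socket: read access to the guest's physical memory."""
    def __init__(self, phys_mem):
        self.mem = phys_mem

    def read(self, addr, n):
        if addr < 0 or addr + n > len(self.mem):
            raise ValueError("read outside guest physical memory")
        return bytes(self.mem[addr:addr + n])


class OSInterfaceLibrary:
    """Turns raw guest memory into the guest OS's process list."""
    def __init__(self, vmm):
        self.vmm = vmm

    def task_list(self, init_task=INIT_TASK_ADDR, max_tasks=1024):
        tasks, addr, seen = [], init_task, set()
        while addr not in seen and len(tasks) < max_tasks:   # list is circular: stop on revisit
            seen.add(addr)
            raw = self.vmm.read(addr, TASK_SIZE)
            pid, nxt = struct.unpack_from("<II", raw, OFF_PID)
            comm = raw[OFF_COMM:OFF_COMM + 16].split(b"\0", 1)[0].decode("ascii", "replace")
            tasks.append((pid, comm))
            addr = nxt
        return tasks


class PolicyEngine:
    """High-level query: does the guest's own view agree with the introspected one?"""
    def __init__(self, oslib):
        self.oslib = oslib

    def lie_detect(self, guest_reported):
        introspected = {pid for pid, _ in self.oslib.task_list()}
        reported = {pid for pid, _ in guest_reported}
        return {"hidden": sorted(introspected - reported),     # in memory, not reported
                "phantom": sorted(reported - introspected)}    # reported, not in memory


def build_guest_memory(tasks):
    """Construct a toy guest memory image holding the circular task list."""
    mem = bytearray(0x4000)
    addrs = [INIT_TASK_ADDR + i * TASK_SIZE for i in range(len(tasks))]
    for i, (pid, comm) in enumerate(tasks):
        nxt = addrs[(i + 1) % len(tasks)]
        struct.pack_into("<II16s", mem, addrs[i], pid, nxt, comm.encode())
    return mem


# Constructed sample: the real task list in guest memory ...
TASKS_IN_MEMORY = [(1, "init"), (2, "kthreadd"), (412, "sshd"), (1337, "hidden_rk")]
# ... and what a rootkit-patched process listing inside the guest reports.
GUEST_PS_OUTPUT = [(1, "init"), (2, "kthreadd"), (412, "sshd")]


def run_example():
    vmm = VMMInterface(build_guest_memory(TASKS_IN_MEMORY))
    engine = PolicyEngine(OSInterfaceLibrary(vmm))
    return engine.lie_detect(GUEST_PS_OUTPUT)


if __name__ == "__main__":
    print(run_example())
```

The policy engine flags pid 1337, which exists in guest memory but is missing from the guest's own process listing. The caveat in the text applies directly: the OS interface library trusts the assumed struct layout, so a guest that changes its kernel data-structure layout (DKSM, Bahram et al., 2010, in the reference list) can feed the library a consistent but false view.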

Recently, IBM Research has been pursuing a virtual machine introspection approach to create a layered set of security services inside a protected VM running on the same physical machine as the guest VMs running in the Cloud (2011, http://www.zurich.ibm.com/csc/security/securevirt.html#top).

5.5. Intrusion prevention system (IPS)

An IPS monitors network traffic and system activities to detect possible intrusions (with the help of an IDS) and dynamically responds to them by blocking or quarantining the traffic.

An IPS should be configured accurately for the expected results; otherwise it stops the flow of legitimate packets, resulting in network unavailability. For intrusion prevention, a firewall combined with an IDS is mostly used, with signatures specifying the network traffic rules. Based on the preconfigured rules, the IPS decides whether network traffic should be passed or blocked. In response to a detected attack, an IPS can stop the attack itself, change the attack contents, or change the security environment.

Ahmed et al. (2009) proposed an efficient network based intrusion detection and prevention approach which does not require installing an IDS on every node. This approach addresses the trust problem and the problem of transferring alert messages; the authors report low overhead and no false alarms. Leu and Li (2009) proposed a Cumulative-Sum-based Intrusion Prevention System (CSIPS) for preventing DoS and DDoS attacks. In this work, the authors used a packet classification algorithm and three detection algorithms (namely inbound, outbound and forwarded) which cooperatively detect DDoS attacks and send their logs to a remote IPS machine.
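As an added example of the cumulative-sum idea behind CSIPS (not Leu and Li's code, and a simplified reading of their scheme), the Python below classifies packets as inbound, outbound or forwarded relative to a protected subnet, bins them per second, and runs a one-sided CUSUM detector per direction that alarms when the accumulated excess over the expected rate crosses a threshold. The subnet, the rate parameters and the packet trace are constructed.

```python
import ipaddress
from collections import defaultdict

PROTECTED = ipaddress.ip_network("10.0.0.0/24")   # assumed protected subnet


def classify(src, dst):
    """Packet classification by direction relative to the protected subnet.
    'forwarded' here means neither endpoint is ours (an assumption)."""
    s_in = ipaddress.ip_address(src) in PROTECTED
    d_in = ipaddress.ip_address(dst) in PROTECTED
    if d_in and not s_in:
        return "inbound"
    if s_in and not d_in:
        return "outbound"
    if not s_in and not d_in:
        return "forwarded"
    return "internal"


class Cusum:
    """One-sided CUSUM on per-interval counts:
    S_n = max(0, S_{n-1} + x_n - (mu + drift)); alarm when S_n > h."""
    def __init__(self, mu, drift, h):
        self.mu, self.drift, self.h, self.s = mu, drift, h, 0.0

    def update(self, x):
        self.s = max(0.0, self.s + x - (self.mu + self.drift))
        return self.s > self.h


def bin_counts(packets):
    """Count packets per (direction, one-second interval)."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, dst in packets:
        counts[classify(src, dst)][int(t)] += 1
    return counts


def detect(packets, params):
    """Run one CUSUM per direction; return {direction: first alarm interval or None}."""
    counts = bin_counts(packets)
    result = {}
    for direction, (mu, drift, h) in params.items():
        det, first = Cusum(mu, drift, h), None
        series = counts.get(direction, {})
        for t in range(max(series, default=-1) + 1):
            if det.update(series.get(t, 0)) and first is None:
                first = t
        result[direction] = first
    return result


def constructed_trace():
    """Constructed packets (t, src, dst): 20 inbound SYNs/s for 8 s, then a
    flood of 250/s; a steady 5 outbound connections/s throughout."""
    pkts = []
    for t in range(13):
        n_in = 20 if t < 8 else 250
        for i in range(n_in):
            pkts.append((t + i / 1000, f"198.51.100.{i % 200 + 1}", "10.0.0.5"))
        for i in range(5):
            pkts.append((t + i / 100, "10.0.0.5", f"203.0.113.{i + 1}"))
    return pkts


# Assumed (mu, drift, h) per direction: expected rate, slack, alarm threshold.
PARAMS = {"inbound": (20, 5, 200), "outbound": (5, 2, 50), "forwarded": (0, 1, 20)}

if __name__ == "__main__":
    print(detect(constructed_trace(), PARAMS))
```

On the constructed trace the inbound detector alarms at second 8, the first interval of the flood, while the outbound detector stays silent. The drift term keeps ordinary fluctuations from accumulating; setting it and the threshold too low turns the IPS into the source of unavailability the text warns about.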

IPSs are mainly classified into two categories: host based IPS (HIPS) and network based IPS (NIPS). The possible positioning of an IPS in a typical network is shown in Fig. 12.

In a Cloud computing architecture, a HIPS can be used to detect and prevent intrusions on the VM, hypervisor or host system where it is deployed. A NIPS can be used to protect the whole network (or part of it) and so safeguard multiple systems (such as VMs) at a time.

[Fig. 13. The architecture of Xen based firewall and its extension (Fagui et al., 2009). Components: Firewall GUI, Iptables Application, Iptables Application Extend Module, Iptables Kernel, Iptables Kernel Extend Module, Netfilter Kernel, Netfilter Extend Module.]

[Fig. 14. Architecture of dynamic intelligence Cloud firewall (Jia and Wang, 2011). Components: External Network, the data switcher, the credible knowledge base, learning, the feature rules repository or policies, the defending agents, the expert system, the detecting and identifying agents, the monitoring workstation, Internal network.]

[Fig. 15. Positioning IDPS in network (Scarfone and Mell, 2007).]

[Fig. 16. Placement of IDS on VMs and hypervisor/host system.]

Table 3
Summary of IDS/IPS types.

HIDS
  Characteristics/strengths: Identifies intrusions by monitoring the host's file system, system calls or network events. No extra hardware required.
  Limitations/challenges: Needs to be installed on each machine (VMs, hypervisor or host machine). It can monitor attacks only on the host where it is deployed.
  Positioning in Cloud: On each VM, hypervisor or host system.
  Deployment and monitoring authority: On VMs: Cloud users. On hypervisor: Cloud provider.

NIDS
  Characteristics/strengths: Identifies intrusions by monitoring network traffic. Needs to be placed only on the underlying network. Can monitor multiple systems at a time.
  Limitations/challenges: Difficult to detect intrusions in encrypted traffic. Helps only for detecting external intrusions. Difficult to detect network intrusions in the virtual network.
  Positioning in Cloud: In the external network or in the virtual network.
  Deployment and monitoring authority: Cloud provider.

Hypervisor based IDS
  Characteristics/strengths: Allows the user to monitor and analyze communications between VMs, between hypervisor and VM, and within the hypervisor based virtual network.
  Limitations/challenges: New and difficult to understand.
  Positioning in Cloud: In the hypervisor.
  Deployment and monitoring authority: Cloud provider.

DIDS
  Characteristics/strengths: Uses characteristics of both NIDS and HIDS, and thus inherits the benefits of both.
  Limitations/challenges: The central server may be overloaded and difficult to manage in a centralized DIDS. High communication and computational cost.
  Positioning in Cloud: In the external network, on the host, on the hypervisor or on the VM.
  Deployment and monitoring authority: On VMs: Cloud users. In the other cases: Cloud provider.

IPS
  Characteristics/strengths: Prevents intrusion attacks. NIPS prevents network attacks; HIPS prevents system level attacks.
  Limitations/challenges: Detection accuracy for preventing attacks is lower than that of an IDS.
  Positioning in Cloud: NIPS: in the external/internal network. HIPS: on VM or hypervisor.
  Deployment and monitoring authority: NIPS: Cloud provider. HIPS on VM: Cloud user. HIPS on hypervisor: Cloud provider.

IDPS
  Characteristics/strengths: Effectively detects and prevents intrusion attacks.
  Limitations/challenges: Complex architecture.
  Positioning in Cloud: Network based IDPS: in the external/internal network. Host based IDPS: on VM or hypervisor.
  Deployment and monitoring authority: NIDPS: Cloud provider. HIDPS (on VM): Cloud user. HIDPS (on hypervisor): Cloud provider.

Fagui et al. (2009) presented a Xen based host system firewall and its extensions. In this approach, Netfilter and Iptables are used to build a firewall on the host Linux system which inspects network data. Netfilter is the packet-filtering framework implemented by the Linux kernel; Iptables is a firewall management program based on the Netfilter framework. As shown in Fig. 13 (Fagui et al., 2009), the Iptables extensions consist of two parts: the first interacts with the Iptables application layer and is developed as a shared library, and the second is the Iptables kernel extension, developed as a dynamically loadable kernel module that is loaded at runtime while the firewall is running. A firewall GUI is used to configure the firewall rules. The Iptables application extension authenticates the rules configured by users and parses their parameters; each rule is filled into the data structure supplied by Iptables. The Iptables kernel extension is developed on top of Netfilter/Iptables: when a network packet passes through a HOOK point, the HOOK function is called. The HOOK function checks whether the packet matches the preconfigured rules and returns the result to the kernel, which decides whether to accept or drop the packet. The general data structure is transferred to the HOOK function, which transforms it into the structure defined by the Iptables application module; a pointer to the skb buffer storing the packet information is also passed to the HOOK function so that it can identify the rules irrespective of whether a rule matches the data. The skb buffer holds the packet data, such as the source IP address and destination port number, captured when the packet passes through the HOOK. However, unknown attacks cannot be prevented by this approach.
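The following added Python example (not the Fagui et al. module, which is kernel code) mirrors in user space the decision the HOOK function makes: it pulls the source address, protocol and destination port out of a constructed IPv4 packet, as the hook reads them from the skb, matches them against preconfigured rules in order, and returns a verdict the kernel would act on. The rule set, the verdict names and the sample packets are assumptions.

```python
import ipaddress
import struct

# Verdicts, named after the Netfilter constants the real hook returns.
NF_ACCEPT, NF_DROP = "NF_ACCEPT", "NF_DROP"
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_packet(proto, src, dst, sport, dport, payload=b""):
    """Construct a minimal IPv4 + TCP/UDP packet (sample input; checksums left zero)."""
    if proto == IPPROTO_TCP:   # sport, dport, seq, ack, data offset 5, SYN, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:                      # sport, dport, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + l4 + payload


def parse(pkt):
    """What the hook pulls from the skb: protocol, addresses and ports.
    Raises ValueError on anything that is not a sane IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("bad header length")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "sport": sport, "dport": dport}


class Rule:
    """One preconfigured rule; a None field is a wildcard."""
    def __init__(self, action, proto=None, src=None, dport=None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src = ipaddress.ip_network(src) if src else None

    def matches(self, f):
        return ((self.proto is None or f["proto"] == self.proto) and
                (self.src is None or f["src"] in self.src) and
                (self.dport is None or f["dport"] == self.dport))


def hook(pkt, rules, policy=NF_DROP):
    """The HOOK function: first matching rule wins; otherwise the chain policy.
    Unparseable input is dropped, never passed."""
    try:
        f = parse(pkt)
    except ValueError:
        return NF_DROP
    for r in rules:
        if r.matches(f):
            return r.action
    return policy


# Assumed rule set, in evaluation order.
RULES = [
    Rule(NF_DROP, src="192.0.2.0/24"),                                  # known-bad range
    Rule(NF_ACCEPT, proto=IPPROTO_TCP, dport=22, src="203.0.113.0/24"),  # SSH from admins only
    Rule(NF_ACCEPT, proto=IPPROTO_TCP, dport=80),                        # web from anywhere
]

if __name__ == "__main__":
    p = build_packet(IPPROTO_TCP, "203.0.113.10", "10.0.0.1", 40000, 22)
    print(parse(p), hook(p, RULES))
```

Rules are evaluated first-match and the default policy is to drop, so anything the rules do not describe is rejected, and input the parser cannot make sense of is dropped rather than passed, which is the safe failure for a filter. As the text notes, the match is only as good as the configured rules: an unknown attack from an allowed source to an allowed port passes.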

Jia and Wang (2011) designed an IPS model based on dynamically distributed Cloud firewall linkage, and introduced the structure and function of the Cloud firewall. As shown in Fig. 14, external information is fed through the data switcher and trained against the credible knowledge base; it is then learned using the knowledge base and compared with predefined rules or policies, which are generated using data mining techniques. The defending agents, the expert system, and the detecting and identifying agents are used for real-time defense, detection of intrusions and identification. If an intrusion is detected, the monitoring station calls the defending filter, performs prevention, generates alerts and then writes an audit record. The monitoring workstation is used to monitor internal intrusions. An intelligent IPS module based on dynamically distributed Cloud firewall linkage is used for real-time interactive defense and better optimization of the Cloud firewall. When a user of the internal network accesses external network resources, the IPS uses the feature detection and recognition mode of Cloud security to analyze and decide on the safety of the resources accessed, using the expert system of the Cloud firewall. In this approach, users' behaviors, files, web pages etc. are used to calculate the reputation of resources and to detect intrusions. Experimental results of this approach have not been evaluated.

Table 4
Summary of existing IDS approaches in Cloud.

IDS architecture for Cloud environment (Vieira et al., 2010). IDS type: HIDS. Technique: signature based and anomaly detection using ANN. Positioning: on each node. Pros: false rate for unknown attacks is lower since an ANN is used. Cons: requires more training time and samples for detection accuracy.

Multi-level IDS (Lee et al., 2011). IDS type: HIDS. Technique: anomaly detection. Positioning: on each guest OS. Pros: provides a fast detection mechanism. Cons: requires more resources for high-level users.

Self-similarity based IDS (Kwon et al., 2011). IDS type: HIDS. Technique: anomaly detection. Positioning: on each VM. Pros: can be used in real time. Cons: works only for Windows systems.

Abstract model of IDS (Arshad et al., 2011). IDS type: HIDS. Technique: signature based and anomaly detection. Positioning: on each VM. Pros: minimal response time and human intervention. Cons: experimental results are not evaluated.

VM compatible IDS architecture (Roschke et al., 2009). IDS type: NIDS. Technique: signature based detection. Positioning: on each VM. Pros: secures the VM based on user configuration. Cons: multiple instances of the IDS are required, which degrades performance.

DDoS attack detection in virtual machine (Bakshi and Yogesh, 2010). IDS type: NIDS. Technique: signature based detection. Positioning: on each VM. Pros: secures the VM from DDoS attacks. Cons: can only detect known attacks.

NIDS in open source Cloud (Mazzariello et al., 2010). IDS type: NIDS. Technique: signature based detection. Positioning: on the traditional network. Pros: can detect several known attacks. Cons: cannot detect insider attacks or unknown attacks.

IDS as a Service (Hamad and Hoby, 2012). IDS type: NIDS. Technique: signature based detection. Positioning: Snort is provided as a web service. Pros: lets the user detect known attacks on his/her running service. Cons: cannot detect unknown attacks.

EDoS protection (Sandar and Shenai, 2012). IDS type: NIDS. Technique: signature based detection. Positioning: on the traditional network. Pros: blocks HTTP and XML based DDoS attacks. Cons: cannot detect unknown attacks.

Cloud based IDS for mobile phones (Houmansadr et al., 2011). IDS type: NIDS. Technique: anomaly detection. Positioning: on VM. Pros: detects malicious behavior on smartphones. Cons: cannot be used as a general-purpose IDS.

Cooperative agent based approach (Lo et al., 2008). IDS type: DIDS. Technique: signature based detection. Positioning: on each Cloud region. Pros: protects the system from a single point of failure. Cons: cannot be used for all types of attacks; high computational overhead.

Mobile agent based approach (Dastjerdi et al., 2009). IDS type: DIDS. Technique: anomaly detection. Positioning: on each VM. Pros: provides IDS for Cloud applications regardless of their location. Cons: produces network load that grows with the number of VMs attached to the mobile agent.

Mutual agent based approach (Ram, 2012). IDS type: DIDS. Technique: signature based detection. Positioning: on each Cloud region. Pros: detects DDoS attacks in the whole Cloud environment. Cons: cannot detect unknown attacks; high computational cost.

VMI-IDS based architecture (Garfinkel and Rosenblum, 2003). IDS type: hypervisor based. Technique: anomaly detection. Positioning: on the hypervisor. Pros: detects attacks on VMs. Cons: the VMI-IDS can itself be attacked; very complex method.

Xen based host system firewall (Fagui et al., 2009). IDS type: –. Technique: prevention. Positioning: on each host. Pros: prevention using user configured rules. Cons: not used for preventing unknown attacks.

IPS model based on cloud firewall linkage (Jia and Wang, 2011). IDS type: HIPS. Technique: anomaly prevention. Positioning: in the internal network. Pros: can be used for real-time interactive defense and better optimization of the Cloud firewall. Cons: experimental results are not yet available.

CP based approach (Guan and Bao, 2009). IDS type: –. Technique: anomaly detection. Positioning: –. Pros: used to detect all types of attacks; solves the limitation of computing time. Cons: experimental results are not yet available.

5.6. Intrusion detection and prevention system (IDPS)

Each having its own strengths and weaknesses, an individual IDS or IPS is not capable of providing full-fledged security. It is very effective to use a combination of IDS and IPS, which is called an IDPS. Apart from identifying possible intrusions, an IDPS stops them and reports them to security administrators (Scarfone and Mell, 2007). Proper configuration and management of the IDS and IPS combination can improve security. NIST (Scarfone and Mell, 2007) explained how intrusion detection and prevention can be used together to strengthen security, and also discussed different ways to design, configure and manage an IDPS.

IDPS detection methods fall into three broad categories: signature-based, anomaly-based and stateful protocol analysis. Many IDPS technologies exist; they are divided into four groups based on the type of events they monitor and the way they are deployed (Scarfone and Mell, 2007): (a) network-based, (b) wireless, (c) network behavior analysis (NBA) and (d) host-based. The positioning of a network based IDPS in a typical network is shown in Fig. 15 (Scarfone and Mell, 2007).

In the Cloud scenario, a network-based IDPS can be used to protect multiple VMs from the network end points. A host-based IDPS can be deployed on VMs or hypervisors to protect the machines on which it is placed.

Concluding the whole section, we now graphically represent the positioning of the various types of IDS/IPS mentioned above in the different layers of the Cloud architecture. Fig. 16 shows this, followed by its summary.

Incorporating an IDS on a VM allows monitoring the activity of the VM itself; the Cloud user should be held responsible for deploying, managing and monitoring the IDS on the VM. Placing an IDS on the underlying hypervisor provides the ability to detect intrusion activity including communication between VMs on that hypervisor. However, the large amount of communicated data reduces the performance of the IDS or causes packet dropping. Here, deploying, managing and monitoring the IDS should be done by the Cloud provider. The virtual network (established in the host system) allows VMs to communicate directly without using the external network; an IDS can be located within such a network to monitor traffic between the VMs as well as between a VM and the host, and the Cloud provider can be given the duty of managing it. Finally, an IDS can be deployed in the external network, which is the door to the Cloud system for users; it allows monitoring of network traffic over the traditional network, and the Cloud provider is the proper entity to manage it. A summary of the various IDSs is shown in Table 3.

In Table 4, we summarize the presented approaches with their type, technique, positioning in the Cloud, pros and cons. This illustrates several challenges which need to be addressed before a standard security framework for the Cloud can be proposed.

6. Conclusions

We discussed several intrusions which can threaten the integrity, confidentiality and availability of Cloud services. A firewall alone may not be sufficient to solve Cloud security issues. This paper emphasized the use of alternative options for incorporating intrusion detection and intrusion prevention techniques into the Cloud, and explored the locations in the Cloud where IDS/IPS can be positioned for efficient detection and prevention. Recent research findings incorporating IDS/IPS in the Cloud have been discussed with their advantages and disadvantages. The adoption of soft computing techniques in IDS/IPS can improve security. We finally identified several security challenges that need to be addressed by the research community to make the Cloud a secure and trusted platform for the delivery of the future Internet of Things.

References

Azure services platform, Website, http://www.microsoft.com/azure; 2011.
Amazon web services, Website, http://aws.amazon.com; 2011.
Arshad J, Townend P, Xu J. An abstract model for integrated intrusion detection and severity analysis for clouds. International Journal of Cloud Applications and Computing 2011;1(1):1–17.
Ahmed M, Pal R, Hossain HM, Bikas M, Hasan MK. NIDS: a network based approach to intrusion detection and prevention. Computer Science and Information Technology—Spring Conference; 2009: pp. 141–4.
Brooks C. Amazon EC2 attack prompts customer support changes. TechTarget, http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1371090,00.html; 2009.
Bahram S, Jiang X, Wang Z, Grace M. DKSM: subverting virtual machine introspection for fun and profit. In: Proceedings of the 29th IEEE international symposium on reliable distributed systems; 2010.
Brown DJ, Suckow B, Wang T. A survey of intrusion detection systems. Department of Computer Science, University of California, San Diego; 2002.
Bakshi A, Yogesh B. Securing cloud from DDoS attacks using intrusion detection system in virtual machine. In: Second international conference on communication software and networks; 2010: pp. 260–4.
Botha M, Solms R, Perry K, Loubser E, Yamoyany G. The utilization of artificial intelligence in a hybrid intrusion detection system. SAICSIT 2002:149–55.
Beg S, Naru U, Ashraf M, Mohsin S. Feasibility of intrusion detection system with high performance computing: a survey. International Journal for Advances in Computer Science 2010;1(1).
Chen Y, Sion R. On securing untrusted clouds with cryptography. In: WPES 2010; pp. 109–14.
Cannady J. Artificial neural networks for misuse detection. National Information Systems Security Conference; 1998.
Chavan S, Shah K, Dave N, Mukherjee S. Adaptive neuro-fuzzy intrusion detection systems. IEEE international conference on information technology: coding and computing (ITCC'04); 2004: pp. 70–4.
Chen W-H, Su S-H, Shen H-P. Application of SVM and ANN for intrusion detection. Computers & Operations Research 2005;32(10):2617–34.
Dutkevyach T, Piskozub A, Tymoshyk N. Real-time intrusion prevention and anomaly analyze system for corporate networks. In: Fourth IEEE workshop on intelligent data acquisition and advanced computing systems: technology and applications (IDAACS 2007); 2007: pp. 599–602.
Dastjerdi AV, Bakar KA, Tabatabaei SGH. Distributed intrusion detection in clouds using mobile agents. In: Third international conference on advanced engineering computing and applications in sciences (ADVCOMP '09); 2009: pp. 175–80.
Dhanalakshmi Y, Ramesh Babu I. Intrusion detection using data mining along fuzzy logic and genetic algorithms. International Journal of Computer Science & Security 2008;8(2):27–32.
Eucalyptus, Website, http://eucalyptus.cs.ucsb.edu/; 2011.
Fagui Liu L, Xiang S, Wenqianl Su L. The design and application of Xen-based host system firewall and its extension. In: The 2009 international conference on electronic computer technology; 2009: pp. 392–5.
Google apps, Website, http://www.google.com; 2011.
Google app engine, Website, http://code.google.com/appengine/; 2011.
Gens F. New IDC IT cloud service survey: top benefits and challenges. IDC Exchange, http://blogs.idc.com/ie/?p=730; 2009.
Goodin D. Webhost hack wipes out data for 100,000 sites. http://www.theregister.co.uk/2009/06/08/webhost_attack/; 2009.
Garfinkel T, Rosenblum M. A virtual machine introspection based architecture for intrusion detection. Proc. Network and Distributed Systems Security Symposium 2003:191–206.
Guan Y, Bao J. A CP intrusion detection strategy on cloud computing. In: International symposium on web information systems and applications (WISA); 2009: pp. 84–7.
Grediaga A, Ibarra F, García F, Ledesma B, Brotons F. Application of neural networks in network control and information security. LNCS 2006:208–13.
Gong RH, Zulkernine M, Abolmaesumi P. A software implementation of a genetic algorithm based approach to network intrusion detection. In: Proceedings of the sixth international conference on software engineering, artificial intelligence, networking and parallel/distributed computing and first ACIS international workshop on self-assembling wireless networks (SNPD/SAWN '05); 2005.
Han J, Kamber M. Data mining: concepts and techniques. 2nd edition. Morgan Kaufmann Publishers; 2006.
Han H, Lu XL, Ren LY. Using data mining to discover signatures in network-based intrusion detection. In: Proceedings of the first international conference on machine learning and cybernetics, Beijing; 2002.
Hemairy MA, Amin S, Trabelsi Z. Towards more sophisticated ARP spoofing detection/prevention systems in LAN networks. In: International conference on the current trends in information technology (CTIT); 2009: pp. 1–6.
Hamad H, Hoby MA. Managing intrusion detection as a service in cloud networks. International Journal of Computer Applications 2012;41(1):35–40.
Houmansadr A, Zonouz SA, Berthier R. A cloud-based intrusion detection and response system for mobile phones. In: Proceedings of the 2011 IEEE/IFIP 41st international conference on dependable systems and networks workshops; 2011: pp. 31–2.
Ibrahim LM. Anomaly network intrusion detection system based on distributed time-delay neural network. Journal of Engineering Science and Technology 2010;5(4):457–71.
Jones AK, Sielken RS. Computer system intrusion detection: a survey. http://www.cs.virginia.edu/~jones/IDS-research/Documents/jones-sielken-survey-v11.pdf; 2000.
Jia T, Wang X. The research and design of intelligent IPS model based on dynamic cloud firewall linkage. International Journal of Digital Content Technology and its Applications 2011;5(3):304–9.
King S, Chen P, Wang Y-M. SubVirt: implementing malware with virtual machines. In: 2006 IEEE symposium on security and privacy; 2006: pp. 314–27.
Katar C. Combining multiple techniques for intrusion detection. International Journal of Computer Science & Network Security 2006;6(2B):208–18.
Kwon H, Kim T, Yu SJ, Kim HK. Self-similarity based lightweight intrusion detection method for cloud computing. In: Proceedings of the third international conference on intelligent information and database systems, Volume Part II; 2011: pp. 353–62.
Lo CC, Huang CC, Ku J. Cooperative intrusion detection system framework for cloud computing networks. In: First IEEE international conference on Ubi-Media computing; 2008: pp. 280–4.
Lei L, Yang D-Z, Shen F-C. A novel rule based intrusion detection system using data mining. 3rd IEEE international conference on computer science and information technology 2010;6:169–72.
Li H, Liu D. Research on intelligent intrusion prevention system based on Snort. International conference on computer, mechatronics, control and electronic engineering (CMCE) 2010;1:251–3.
Li W. A genetic algorithm approach to network intrusion detection. USA: SANS Institute; 2004.
Lu W, Traore I. Detecting new forms of network intrusion using genetic programming. Computational Intelligence 2004;20(3):475–94.
Lee J-H, Park M-W, Eom J-H, Chung T-M. Multi-level intrusion detection system and log management in cloud computing. In: 13th international conference on advanced communication technology (ICACT); 2011: pp. 552–5.
Leu FY, Li ZY. Detecting DoS and DDoS attack using an intrusion detection and remote prevention system. Fifth international conference on information assurance and security 2009;2:251–4.
Mell P, Grance T. The NIST definition of cloud computing (draft). NIST, http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf; 2011.
Martin L. White paper. http://www.lockheedmartin.com/data/assets/isgs/documents/CloudComputingWhitePaper.pdf; 2010.
Mazzariello C, Bifulco R, Canonico R. Integrating a network IDS into an open source cloud computing. In: Sixth international conference on information assurance and security (IAS); 2010: pp. 265–70.
Moradi M, Zulkernine M. A neural network based system for intrusion detection and classification of attacks. In: Proceedings of the 2004 IEEE international conference on advances in intelligent systems—theory and applications; 2004.
NIST: National vulnerability database, Website, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733; 2011.
OpenNebula, Website, http://www.opennebula.org; 2011.
Rutkowska J. Subverting Vista kernel for fun and profit. Black Hat Conference; 2006.
Roschke S, Feng C, Meinel C. An extensible and virtualization compatible IDS management architecture. In: Fifth international conference on information assurance and security, 2; 2009: pp. 130–4.
Ram S. Secure cloud computing based on mutual intrusion detection system. International Journal of Computer Application 2012;2(1):57–67.
Slaviero M. BlackHat presentation demo vids: Amazon. http://www.sensepost.com/blog/3797.html; 2009.
Sequeira D. Intrusion prevention systems: security's silver bullet? SANS Institute InfoSec Reading Room, http://www.sans.org/reading_room/whitepapers/detection/intrusion_prevention_systems_securitys_silver_bullet_366?show=366.php&cat=detection; 2002.
Su M-Y, Yu G-J, Lin C-Y. A real-time network intrusion detection system for large-scale attacks based on an incremental mining approach. Computers & Security 2009:301–9.
Sandar SV, Shenai S. Economic denial of sustainability (EDoS) in cloud services using HTTP and XML based DDoS attacks. International Journal of Computer Applications 2012;41(20):11–6.
Scarfone K, Mell P. Guide to intrusion detection and prevention systems (IDPS). Recommendations of the National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf; 2007.
Tillapart P, Thumthawatworn T, Santiprabhob P. Fuzzy intrusion detection system. Assumption University Journal of Technology (A.U. J.T.) 2002;6(2):109–14.
Vieira K, Schulter A, Westphall C, Westphall C. Intrusion detection techniques in grid and cloud computing environment. IEEE IT Professional Magazine 2010.
Xiao T, Qu G, Hariri S, Yousif M. An efficient network intrusion detection method based on information theory and genetic algorithm. In: Proceedings of the 24th IEEE international performance computing and communications conference (IPCCC '05), Phoenix, AZ, USA; 2005.
Zhengbing H, Jun S, Shirochin VP. An intelligent lightweight intrusion detection system with forensic technique. In: 4th IEEE workshop on intelligent data acquisition and advanced computing systems: technology and applications (IDAACS); 2007: pp. 647–51.
Zhengbing H, Zhitang L, Jumgi W. A novel intrusion detection system (NIDS) based on signature search of data mining. WKDD first international workshop on knowledge discovery and data mining; 2008: pp. 10–6.
Cox P. Intrusion detection in a cloud computing environment. http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment; 2011.
Firewall, Telecom-Network Tech, http://teleco-network.blogspot.com/; 2011.
Denial-of-service attack, Website, http://en.wikipedia.org/wiki/Denial-of-service_attack; 2011.
Snort home page, Website, https://www.snort.org/; 2011.
The concept of intrusion detection system, Website, http://maltainfosec.org/archives/26-The-concept-of-Intrusion-Detection-Systems.html; 2011.
XArp 2.2.2, Website, http://www.filecluster.com/Network-Tools/Network-Monitoring/Download-XArp.html; 2011.
IBM Research-Zurich, Website, http://www.zurich.ibm.com/csc/security/securevirt.html#top; 2011.
IPS: Intrusion prevention system. Javvin, Website, http://www.javvin.com/networksecurity/IPS.html; 2011.
Stiawan D, Abdullah AH, Idris MY. The trends of intrusion prevention system network. In: Second international conference on education technology and computer (ICETC) 4; 2010: pp. 217–21.
