State of the Art Intrusion Detection System for Cloud Computing.
There are problems with the implementation of Cloud computing systems that will be as a basis in this paper. Cloud computing is the new concept of computing where people only need to pay for services and resources without needed to place any cost for physical hardware. With the implementation of Cloud computing in the application today, it emerges a new technique in software development and deployment. It also changes how people are using and managing resources. Cloud computing can be defined as internet-based computing, where shared resource, software and information are provided to the user on demand .
Cloud computing systems are distributed and nesting a lot of resources and private information, therefore because of their nature, cloud computing environments are easy targets for intruders looking for possible vulnerabilities to exploit . When organizations and companies which are using Cloud computing services, they will move their resources from their own private infrastructure to the Cloud infrastructure. If the Cloud is compromised, the organization's resource will be at risk. Cloud Computing systems need protection mechanisms that will monitor the network activity and detect if any intrusion attempts happen within the Cloud Computing infrastructure whether it was from external or internal sources . In fact, the cheap availability of significant amounts of computational resources can be regarded as a means for easily perpetrating distributed attacks, as it has recently been observed in several security incidents involving Amazon's EC2 cloud infrastructure .
Cloud implementation introduces a new term, "co-residency" which means that multiple independent customer share the same physical infrastructure . Hence, it was possible for different Cloud host residing in a single machine. There are several methods for neighbour discovery between Virtual Machine (VM) in a Cloud infrastructure; therefore, it is crucial to provide countermeasures for this type of attack. Ristenpart et al simulates the "co-residency" attack on Amazon EC2, which is one of the largest Cloud service providers . Their works make use on freely available open source software. Inter VM's communication also become a big concern when we are implementing Cloud Computing system where communication between Clouds are not monitored and controlled. When implementing VM in the system layer of the Cloud, each Guest Operating system (OS) exposed to the risk of being attacked by other Guest OS either intentionally or accidentally. In a way to protect each Cloud, a new method is required to monitor inter VM's activity and detect if any abnormalities occur and at the same time to block the events from occurring .
In addition, there are lack of specific IDS built to protect Cloud computing systems . Current implementation of IDS in the Cloud computing systems are still using the traditional way which installing traditional open source or enterprise IDS in the Cloud Computing server to protect the Cloud Computing systems. These traditional IDS implementation, such as on virtual machines (VM), which is considered more vulnerable with diverse security requirements . Implementing traditional IDS need a lot of self-maintenance and did not scale with the customer security requirements. In addition, maintenance of traditional IDS in Cloud Computing system requires expertise and consume more time where not each Cloud user have [10, 11]. An attack against a cloud computing system can be silent for a network-based IDS deployed in its environment, because node communication is usually encrypted. Attacks can also be invisible to host-based IDSs, because cloud-specific attacks don't necessarily leave traces in a node's operating system, where the host-based IDS reside. In this way, traditional IDSs can't appropriately identify suspicious activities in a cloud environment.
Worse come to worst, a decentralized traditional IDS approach where being implemented in current Cloud computing infrastructure will make the IDS management become more complicated . Cloud subscribers that concern about their data protection will install their own IDS and this action will isolate the Cloud Service Provider (CSP) from the IDS management realm and CSP will have no authority in managing each Cloud subscribers' local IDS. This approach also affects the bill that Cloud subscribers will pay if the IDS were installed on their own host because monitoring intrusions may consume excessive amount of hidden data transfer . Furthermore, each of the subscriber' IDS will not be the same in term of type and configurations and each user may have the risk of outdated signatures. If any attack happens and the IDS signature was outdated, the IDS will not treat the event the same way as IDS with updated signature and some of the IDS may cause a false negative detection. This will bring risk not only to the Cloud subscriber itself but also to the other Cloud users and in worst case scenario, this attack also may affect CSP and the whole system.
Cloud Computing is a new implementation of computer technology and open a new research area and create a lot of opportunity of exploration. One of the new implementation in Cloud is Intrusion Detection System (IDS). Cloud Computing is a Model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing is based on five attributes: multi-tenancy (shared resources), massive scalability, elasticity, pay as you go and self-provisioning of resources.
The objective of this study is to characterise and provide a comprehensive review on the state of the art research in Cloud IDS. To the author's knowledge very few comprehensive studies on Cloud IDS have been conducted. For this purpose, a comprehensive review is conducted within this paper to discuss the state of the art research on Cloud IDS.
2. Motivation: the need for Cloud Intrusion Detection System
With respect to Cloud computing, to the best of our knowledge, we are the first to identify the intrusion detection problem for such systems based on artificial immune system (AIS). However, there have been efforts in traditional systems to address this problem. An obvious example of such systems is network intrusion detection system (NIDS) where an intrusion detection system is usually deployed at a border node to look after a whole network of computers. As part of the network, different sub-domains or clusters can have varying security requirements . This NIDS implementation introduce a new Virtual Machine (VM) level threats in cloud computing because the existence of numerous VMs owned by different Cloud users significantly increases attack surface for cross-VM (or VM-to-VM) attacks .
Traditional IDS need a lot of self-maintenance and did not scale with the customer security requirements. In addition, maintenance of traditional IDS requires expertise and consume more time that normal company did not have [10, 11]. The cost of maintaining and installing the traditional IDS is also a big consideration in implementing IDS in an organization. In addition, a decentralized traditional IDS approach where being implemented in traditional IDS can increase the network vulnerabilities in the protected system when the IDS system is deployed and implemented together in the same network and made visible to others. The IDS itself are exposed to the internal attacks where attacker from the same network will have access to the IDS and launching attack directly towards the IDS. The IDS must be isolated and invisible from the same network where the host and servers reside .
To protect computing infrastructures which contains valuable assets from cyber-attacks, most enterprises set their strategy to deploy their IDS on dedicated hardware. However, such strategy is no longer effective today when small and medium enterprises (SMEs) are conveniently tapping into the Cloud environment which provides them the platform, infrastructure and software as services on a pay-per-use basis . Moreover, IDS is commonly deployed in the traditional way, such as on virtual machines (VM), which is considered more vulnerable with diverse security requirements. In the traditional deployment, the benefits of customization and on-demand operations offered by Cloud are contradicted by the lengthy intrusion response time and thus affecting the overall security of the system .
2.1 Research on Cloud Computing Intrusion Detection System
This paper reviews the research related to the detection of intrusions for Cloud Computing in particular. Therefore, the existing literature in these domains has been explored to draw a comparative analysis of the proposed approach with the related works in Cloud Intrusion Detection. Fig.1 shows the scattered plot of the research that being investigated within this review. The plot was marked with numbers which indicated the reference number at the end of this paper.
2.1.1 Virtual Machine Introspection (VMI-based) and Grid Cloud IDS
The research related to Cloud IDS started since 2003 where Garfinkel.T and Rosenblum.M proposed the virtual machine introspection based architecture for intrusion detection . At that time, normal implementation of cloud infrastructures includes the deployment of virtual machine monitors (VMM). Hence, this research also related to the research based on VMM. Virtual machine introspection (VMI) is the process of monitoring and inspecting a virtual machine from the outside for the purpose of analysing the software running inside it . As explained in their paper, VMI IDS will monitor cloud client directly by using command namely Inspection Command to monitor VM state, Monitor Commands to monitor VM event and Administrative Commands to control the execution of a VM. This host-based IDS (HIDS) make a decision based on the Operating System (OS) Interface Library and Policy Engine. The prototype, Livewire will suspend the execution of the VM until the administrator responds to that event. This procedure may bring a concern when the VM operation suspended and user is unable to access the VM. This may affect the availability of the Cloud guest system. The experiment conducted using custom attacks that launch at the monitored host. The results show that Livewire are able to detect all the attacks. From the author point of view, this implementation is successful but may need some improvement in term of resource management especially if this system is implemented in cloud environment.
A few years later Roschke et al proposed a VM compatible IDS architecture in their paper Intrusion Detection in the Cloud . This research provides a solution to protect Cloud environment by placing the IDS at each VM nodes. The NIDS rely on the detection of the signature-based IDS that analysed and detect any intrusions targeting the Cloud. At the same time, AV. Dastjerdi et al proposed mobile agent implementations in Cloud computing environment where the IDS located at every VM host . The proposed system based on anomaly detection engine where it provides IDS for Cloud application regardless by their location. The issue with their proposed system is the implementation will produce network load with the increase of VMs attached to mobile agent.
K. Viera et al also proposed a solution in protecting Cloud in general but more focused on Grid computing implementation . The proposed hybrid system integrates knowledge and behaviour analysis together to detect specific intrusions and placed on each node of the grid system. Each IDS node cooperatively takes part in intrusion detections and once any attacks were detected, they will broadcast the alert among them using middleware communication mechanism. The experiments were conducted with a prototype that they developed to evaluate the proposed architecture using Grid-M . Grid-M is a middleware for simulating mobile device, sensor and grid computing developed by a research group at the Federal University of Santa Catarina. The datasets were generated from audit elements coming from both the log system and from data captured during node communications. The results show that the proposed system generates low number of false positives, but after several repetitions, the quantity of false positives varied and uncertain. However, this system provides low processing cost while still providing a satisfactory performance for real-time implementation.
Work by S Gupta et al provided a solution if detecting insider attacks or inter-VM attacks by detecting malicious system call sequences of well-known program . Their proposed system will grab the fingerprint of the well-known program and monitor the system call activities during execution. The detections are based on the stored system call array and if the execution did not execute the next expected system call, the event will be considered malicious. From our point of view, developing the system calls fingerprint is a time-consuming task and the author still using manual technique which is not suitable in Cloud environment.
The recent work from P. Mishra et al proposed Cloud IDS based on VMI which having two major detection components; Traffic Monitoring for performing traffic analysis in detecting network based attack and Process Monitoring which does the process-monitoring at VMM-level without affecting any operations running on VMs . They use three different datasets for experiment and the results shows a great performance result where 98.8% detection accuracy for UOC dataset , 98.9% accuracy for CAIDA  and 95.43% accuracy for UNSW-NB dataset . Table 1 summarizes cloud IDS research on VMM technology that reviewed in this sub-section.
2.1.2 Distributed, Collaborative and Agent based Cloud IDS
Distributed Cloud IDS introduced by Irfan Gul and M. Hussain make use of multi-threading agent in monitoring and handling large amount of information in Cloud environment . The agents then send the monitoring information to the third-party monitoring service for analysis and reporting any incidents. Their proposed system was tested with custom Denial of Service (DoS) attack targeting the Cloud network and the results show that the multi-threading system provides nearly 50% improvement of processing time compared to single-threading system. The same year, Cloud IDS described by ST. Zargar et al covers protection for two service level; Infrastructure level which provides a comprehensive hybrid Intrusion Detection and Prevention (IDP) system and virtual level where users are provided with software level IDP . Within infrastructure level, the system cooperates with each other to create a comprehensive global version of all the clusters' databases on global infrastructure layer that is shared and used for detection and prevention among different cloud providers.
Some of the solutions focused on developing adaptive and distributed Cloud IDS. D Krishnan and M Chatterjee suggest that Cloud IDS can perform very well if the Cloud IDS can adapt to the environment and at the same time communicate with other IDS in different Cloud locations . Their hybrid IDS which contains both anomaly and behaviour based detection will monitor Cloud environment and if any intrusions event occur, the IDS will distribute the alert to other IDS nodes so that each nodes update with the situations. IDS detection using behaviour based will monitor the current behaviour of the Cloud environment like number of users connected, log in time of users, bandwidth utilization, incoming and outgoing traffic flow, various connected ports, protocols and IP addresses used in incoming received requests and the detection engine will report if any deviation occurs compared to the recorded normal behaviour profile.
Nguyen Doan Man and Eui-Nam Huh proposed a collaborative intrusion detection system framework for protecting cloud computing environments. Their work consists of three main components; IDS Manager, which resides at the management region of a Collaborative Cloud, IDS Dispatcher, which is built inside each Cloud region, and Elementary Detector, which is distributed to monitor each VM and generates alarms for any detected intrusions . The author did not provide any experiments and results from this research.
A similar work from P. Ghosh et al improves the model by generating Virtualised "Mini-IDS" for each Cloud host besides provides multi-threading monitoring and third party analysis service . A mini IDS will be assigned for a specific Cloud host each time a new host is generated. Each instance supervises on each user activities and sends a report of all the activities to the IDS Controller via cloud NIDS after the end of each session. The proposed system will be able to handle large network traffic from Cloud users and provides security at the same time. The work of K.M.M. Vieira et al proposed a new approach to combine autonomous system and machine learning . In their work, the autonomous system is following Monitor-Analyse-Plan-Knowledge (MAPE-K) cycle composed by the monitoring, analysis, planning and executing modules. They used sensors for collecting data from IDS logs, network traffic, system logs, and data communication. They also make use of Apache Hadoop for storage and analytics.
I. Jeganathan and A. Prakasam proposed agent-based Cloud intrusion detection system that monitoring and analysing clients' network packet at the same time filter the illegal user from accessing the cloud environment . The agents send intrusion alert to a monitoring service for further action. Their proposed system will be placed outside the cloud environment where there are heavy network traffics such as switch, router or gateway for network traffic monitoring to have a global view of the system.
Araujo et al. proposed an elastic and internal Cloud-based detection system (EICIDS). This type of IDS is based on protection of virtual machines against internal users who can use some VMs to perform malicious activities which is part of our research . Monitoring of virtual machines is done by IDS sensors dispersed in the cloud environment, and the instantiation of these sensors is made in each VM, where the packets passing in VMs are captured and subsequently analysed for the identification of threats. Thus, the entire virtual environment is monitored, while the remaining components of EICIDS reside outside the virtual environment are thus protected from possible attacks by compromised VMs. However, the architecture of EICIDS is centralised IDS admin and there is no signature generation system. Even this proposed system did not provide protection for outsider attacks.
In their research, Al Haddad et al proposed a collaborative network intrusion detection system for cloud computing environment. Their work proposed that the NIDS should be placed at the front end as well as at the back end on Virtual Machine Monitor (VMM) of a cloud network environment . This hybrid-based NIDS consists of packet sniffing module, signature-based detection, anomaly detection, alert system and central log database. From author point of view, placing multiple NIDS inside a cloud network environment will result a complex configuration of a set of NIDS and the monitoring process will consume more resources than what we can imagine. The researcher still in the experiment phase and so far, no experimental results were provided.
Singh et al proposed a novel Collaborative IDS Framework for Cloud computing environment . This framework integrates Snort to detect the known attacks using signature matching. To detect unknown attacks, anomaly detection system (ADS) is built using Decision Tree Classifier and Support Vector Machine (SVM). Alert Correlation and automatic signature generation reduce the impact of DoS and Distributed Denial of Service (DDoS) attacks and increase the performance and accuracy of IDS. However, it requires a high training time. Table 2 lists and analyses the distributive, collaborative and agent-based cloud IDS research based on their type, method, positioning, dataset, advantages and also their limitations.
2.1.3 IDS as a Service
There are some researchers provide different perspectives of Cloud IDS such as providing IDS as a Service. The work of Wang et al distributes IDS into local and remote components which local components collect and analyse logs in the client location while remote component focused on detecting intrusions based on the analysis from the local components . W. Yassin et al suggests an alternative in intrusion detection where a framework of IDS based on Cloud was proposed . The cloud-based IDS make use the Cloud technology for managing and detecting intrusions targeting a normal network environment. In detail, the IDS components such as User Database, Signature Database and Analysis Engine located in a Cloud environment, where the users' traffic are directed to the IDS through a secured Virtual Private Network (VPN) connection. The concerns about this implementation are internal attack may become invisible from the view of IDS and the VPN network is a single point of failure where any disruption of the connection will bring down the whole system. In addition, the increasing number of clients will increase the workload of the IDS Cloud. The same idea also shared in Hamad H. and Al-Hoby work on managing IDS as a service . Their work tries to replace the traditional local server-based network environments with a cloud-based network infrastructure that monitor the network traffic and analyse for any intrusion attempt. This mechanism is offered to the end user as a service. In the proposed work, they utilise the huge performance of Cloud infrastructure for fast and efficient search algorithms. The proposed system able to receive the subscriptions requests from the cloud users and translates these requests into a standardised signature that can be deployed and utilised as the Cloud Intrusion Detection Service (CIDS). An experiment was conducted by using 500 signature definitions and the detection rate form the proposed system less than the traditional implementations. However, this system shows an improvement in term of detection overhead, compared to the traditional IDS implementation.
Still in the context of Cloud-based IDS perspective, one of the concerns in this type of implementation is the IDS became the victim of the attack itself. By considering this issue, HA Kholidy and F Baiardi proposed Cloud-based Intrusion Detection system (CIDS) which applied scalable and elastic architecture with point-to-point (P2P) solution and no central coordinator, which means they try to eliminate single point of failure . Their proposed system distributes the workload of a single IDS into several cloud locations and isolates the task using monitored VM. This hybrid IDS claim that it can detect the masqueraders that access from several nodes and both host-based and network-based attacks because they are monitoring any intrusion in the middleware layer of a cloud. Based on CIDS, the same author proposed the enhanced version of their works named Hierarchical and Autonomous IDS for Cloud Systems (HA-CIDS) . In this model, their IDS not only detect masquerades attack, but the detection also covers DDoS, host based and network-based attack with the inclusion of OSSEC HIDS, Snort NIDS and integrity checker within their detection mechanism. The detection mechanism is not distributed as previous model but located in a single cloud node.
The recent work by Azuan et al provides a Danger Theory Model Cloud-based IDS. This is the only work that using Artificial Immune System (AIS) for Cloud-based IDS, namely SaaSIDS . SaaSIDS is a Cloud host that receive network traffic and analysing them for intrusion detections via hybrid engine which provides signature-based and anomaly detections. The system consists of three major components; SaaSIDS sensor, a sensor that installed on users' network and forward the packet through VPN to the SaaSIDS cloud. The other component is SaaSIDS Service Component which filter network traffic and pre-processing them before analyse it is using Hybrid Detection Engine for intrusion detections.
The problem of traffic bottlenecking is the main issue for IDS as a Service model. The work of S Garg and K Kaur provides a solution for this problem by maintaining a group of IDS as a Service and load balancing them to support a heavy traffic of clients' network data . The signature-based IDS use Snort NIDS for intrusion detection. From the experiment, their proposed model able to eliminate single point of failure by introducing concept of multiple IDS in cloud environment and increase availability of IDS service for cloud users by balancing load between IDSs.
Recent work from SM Alqahtani et al proposed a Cloud-based IDS for detecting DDoS attack . They proposed that the IDS placed in a separate VM and dedicated for analysing intrusion data. Another VM was created for monitoring and sending suspicious packet to the IDS. From the experiment, the processing required for detecting ICMP Flood attack is 39-40%. Their system is able to provide promising performance improvement compared to traditional method.
Single point of failure is the main concern of IDS as a Service architecture. The work of M. Mbaye and C. Ba proposed distributed Cloud-based IDS with the Publish and Subscribe paradigm . They considered client as a Publisher which sent intrusion data to the IDS while the IDS as a Subscriber which receive the intrusion data together with the taxonomy of the intrusion. The distributed IDS will receive the data based on the taxonomy which each IDS will support different kind of taxonomy. In a simple view, table 3 describes Cloud IDS as a Service research in tabular form.
2.1.4 Open Source Cloud IDS
Open source software is the best cost-effective solutions in solving real world problems and at the same time did not sacrifice the performance. Mazzariello et al in their research provides a solution for detecting intrusions by using network intrusion detection system (NIDS) for Open Source Cloud Computing environment . In the paper, they provide a review on eucalyptus, an open source cloud management system and deploying a signature-based IDS inside the eucalyptus environment. They try to prove that a carefully deployed traditional solution could mitigate a severe problem in cloud computing environment. In the implementation, they install IDS at the frontend of the cloud environment. Such implementation has a flaw where it tends to make inter-cloud attacks invisible from detection. The author did not provide any IDS performance result based on detection rate.
B Borisaniya et al proposed a solution in Cloud IDS by implementing open source technology in developing their prototype . They choose to use Eucalyptus for the Cloud framework and Snort as the NIDS that located in each Cluster Controller (CC) to monitor network traffic. From their perspective, this approach allows the Cloud administrator to monitor the type and source of the attack, which in turn can be used to prevent the similar future attacks. They employ Honeypot in detecting unknown attacks since honeypot will monitor for suspicious behaviour. The experiment shows that the proposed system able to detect medium and low level of security threats and still need some improvement in detecting high level of security threat.
HM Alsafi and WM Abduallah proposed a Cloud IDS that focused on Infrastructure as a Service (IaaS) layer of Cloud environment and implementing hybrid detection mechanism which combine anomaly and signature based detection . Further than just detect and reporting intrusion, their proposed system includes the protection mechanism which terminates the user session that is being used for the attack, block access to the target from the offending source and block all access to the targeted host, service, application, or other resource.
More recent work that take the benefits of honeypot in protecting Cloud environment also been done by AA Thu which . The proposed system placed honeypot within the Cloud environment to monitor any internal attacks that targeted the other Cloud host. The honeypot will work closely with IDPS in protecting the Cloud infrastructure. From the testing, the result shows that IDPS system with honeypot works better than traditional implementation of IDPS.
The work of T Xing et al also implemented open source technology in their proposed system, SnortFlow . SnortFlow is the combination of Snort, an open source NIDS and OpenFlow, communications protocol that gives access to the forwarding plane of a network switch or router over the network. The proposed system has multiple module including SnortFlow Server which evaluates the network security status and generates actions to be pushed into the controller, SnortFlow daemon for collecting alert data from Snort agent in Dom 0 and Alert Interpreter, takes care of parsing the alert and targets the suspect traffic. The experiments are conducted to find the best place for implementing SnortFlow. From the result, the SnortFlow perform more efficient when implemented in the Domain 0. The work from T Kuldeep et al also proposed the usage of Snort NIDS in their implementations. They proposed the location of Snort NIDS is behind the gateway which monitors all the traffic going through the network gateway . JK Khatri and G Khilari on the other hand proposed the Cloud IDS by using Kernel-based Virtual Machine (KVM) and Suricata NIDS . Both open source applications were installed on Ubuntu Linux. Recent work from Priyanka Sharma et al provides Cloud environment using VirtualBox open source virtualisation software and OpenStack Cloud environment framework . They launched DoS attack targeting their Cloud and the result shows that OpenStack take longer time to load an image compared during normal situation.
There is an implementation where multiple open source applications are combine and work closely in protecting Cloud from threats. The work from C Ambikavathi and SK Srivatsa make use OpenNebula as the Cloud computing platform, Snort as the signature -based NIDS, Bro also as signature-based NIDS and OSSEC open source signature-based HIDS . The aim of the author is to provide total protection mechanisms by implementing all the available open source applications. The same work also proposed by W. Muche where they integrate the use of Snort for NIDS, OSSEC for HIDS and expand the capability of anomaly detection by using Naive Bayes Tree (NBTree) classifier . By using KDD'99 dataset, their work was able to achieve 95.5% detection. Table 4 listed the Cloud IDS research based on open source approaches.
2.1.5 Machine Learning Cloud IDS
Make use data mining and machine learning algorithm for classifying intrusions is also being adapted by several researchers. G. Sathya and K Vasanthraj proposed a work based on data mining technique . In their work make use of C4.5 algorithm in detecting anomaly attacks. In their multi-level IDS for Cloud computing, they monitored network traffic and identified the attack at the first level. The second level classifies the attack into four categories and the third level identifies the type of the attack. More recent work by M Moorthy and M Rajeswari focused on using Genetic Algorithm (GA) in generating new rules in their proposed cloud Intrusion detection system . Their work generate the network profile based on CIDD  by analysing real-traces in the dataset. Their proposed system can achieve 80% of True Positive Rate (TPR) during the experiment.
Machine learning algorithm also implemented in the work of MN Ismail et al. They proposed an IDS for detecting flooding based DoS attack targeting Cloud network by using covariance matrix approach . The experiment is done in two phases; Training phase where the IDS were run with the normal network traffic and Testing phase where the IDS were run with the abnormal network traffic which contains flooding attacks. From the experiment they prove that there is a huge different between normal network traffic and network traffic under flooding-based DoS attack by using covariance matrix.
The latest work from HA. Kholidy et al implemented finite state Hidden Markov Model (HMM) in predicting multi stage attack in Cloud computing environments . They include HMM as an improvement from their previous work in  for predicting and provides early warning for any future attacks. Their proposed system works by tracking the evolution of an attack while it is in progress, the state changes and the system can trigger appropriate responses based on a confidence level threshold, which would result in a lower false positive rate. The proposed prediction model has successfully fired the early warning alerts before the launching of the LLDDoS1.0 attack by 39 minutes plus 37 seconds and 64 minutes plus 42 seconds before the detection phase starts.
J. Arshad et al. proposed an intrusion severity analysis for cloud computing where in their research, they used the hybrid approach where the attacks were detected based on the attack database that they provide and from the Profile Engine (PE) which is based on the behaviour of the monitored virtual machines (VM). This machine learning based IDS using classification technique for intrusion severity analysis from the monitored system calls. The dataset used in this research is the artificial data generated from the computer program. This dataset did not provide the real cloud environment and did not represent the actual response of a cloud environment towards any attack . The results obtained from the research successfully demonstrate the effectiveness of the intrusion severity analysis method for Clouds but the dataset and may be questionable because the research used the self-generated dataset and they did not provide details about the methodology in building their datasets.
In the same year, work from U Hameed et al using Genetic Algorithm (GA) in detecting intrusions in Cloud computing environment especially in SaaS model . Their proposed genetic algorithm engine analysed data and matched the data with the signature database in the detection engine. This system checks the intrusions by matching the signature in knowledge base. If the location is not matched with any existing details in the knowledge base it provides an exit from the system. If existence check is passed it analyse and matches the data for the proper recognition based on the fitness function X=[delta]X0. If the fitness is proven, then different authentication checks are implemented to reach the result at each step it applies genetic algorithm. If the desired record is not matched it reproduces the new record by mutation, performs fitness test X=[delta]X0 and rechecks from the data in knowledge base. Same method will be repeated for three generations as per termination criteria.
The same algorithm also sparks the inspiration for P Singh and B Hazela to propose a Cloud IDS model based on GA . GAs aim is to produce the best solutions by the evolution of a sample set of potential solutions . Inside the sample set, solutions that are poor tend to die out while the better solutions mate and propagate their advantageous traits, thus introducing more solutions into the set that boast better potential. Their proposed work is the mix of Cloud Intrusion Detection System and two types of chromosomes based on different criteria which is based on the job length and bandwidth utilisation of the resources. Based on the selected criteria, the system performs the crossover operation with the aid of neural network. The result will be the best chromosome of the first generation. From the experiment, the proposed model able to detect 57% of random sets of cloud attacks.
JK Seth and S Chandra come with a proposal that provides Cloud protection based on the user risk level . They believe that every cloud user did not require the same security level of protection. In their proposed work, they classify the user risk level into four categories; normal, low, medium and high, based upon stored rules and pattern and this process will use Artificial Neural Network (ANN) classification algorithm. The repository will update the rules on occurrence of new pattern and train the classifier at the time of minimal load on cloud. The proposed model increases resource availability and optimise IDS resource utilisation.
Deshpande et al in their research proposed a HIDS for cloud computing environment based on system call trace analysis where only the failed system call were used to predict the intrusion . The proposed system makes use of k-nearest neighbour (kNN) algorithm for comparing the current information with the available database. The prototype developed based on four main modules; Data Logging Module, Pre-processing Module, Analysis and decision engine and Management Module. Based on the paper, the experiment was conducted using a list of self-generated system calls based on Linux API. The result has been estimated using three different real-time datasets, with a time window of 30 and 60 s. From the paper the prototype can achieve the accuracy with a high sensitivity of 96%.
As discussed in the previous section, "co-residency attack" is a current threat in Cloud computing environment. N Pitropakis and C Lambrinoudakis support this statement by providing a solution for detecting this type of attack by using Smith-Waterman algorithm . In their latest work, they make use of Graphical Processing Unit (GPU) processing in supporting the huge and complex calculation related to Cloud. GPU processing may improve the overhead processing of Cloud IDS in analysing and detecting intrusion from a large amount of data. From the experiment, they found that using GPU parallel processing achieved six times faster performance compared to normal Central Processing Unit (CPU) processing.
In computer networking, port mirroring is the method to duplicate all port in the network device towards a single port. NS Aljurayban and A Emam implement port mirroring method in collecting network traffic in the Cloud environment and analyse the traffic using Artificial Neural Network (ANN) algorithm . From the experiment they got great result of sensitivity with a good result in accuracy. Extending the work of previous research, GK Chaturvedi et al combine Fuzzy-Clustering with Artificial Neural Network in providing a better intrusion detection model for Cloud Computing . The dataset is divided into two groups which are training and testing. Their proposed work divides the training data into several subsets using fuzzy clustering technique while at the same time trains the different ANN using different subsets. Then their model will determine membership grades of these subsets and combines them via a new ANN to get final results.
In their paper, Kwon.H et al proposed a self-similarity based lightweight intrusion detection method as a solution for protecting cloud environment. They used Cosine Similarity Based Self-similarity as a detection algorithm and during the experiment, they monitored Windows event log from the DARPA 1999 datasets for any intrusion based on Security ID (SID) and EventID . In this experiment, the overall false-positive ratio was 4.17%. They claim that their IDS can work robustly even though the Windows event log does not include enough information regarding security rather than the other operating system's audit log.
Recently, game theory has been used extensively to model and analyse network security issues. Game theory is a machine learning approach that provides a set analytical and mathematical framework to model rational decision-making or strategies of multiple players having different objectives interacting with each other . The proposed work from Z. Li et al provides a protection for Cloud from intrusions by using differential game model . The simulation results show the changes in the probability under the optimal strategies condition. Using the game theoretic framework, dynamic optimal strategies can improve the security of cloud computing system and energy consumption in the proposed optimal strategy is significantly lower than the static strategy. Artificial Immune System (AIS) is one of the solutions that try to mimic our body protection against pathogen. This is because our body protection system always accurate and less prone to fails and this is become the main reason why AIS will provide the same result. One of AIS method, namely Dendritic Cell Algorithm (DCA) was inspired by one of our body cell type that monitored the body tissue for any pathogen . This algorithm activated by multiple signals for calculating the maturity of the monitored environment where the matured Dendritic Cell (DC) indicates the malicious level of the environment and on the other hand, semi-mature DC indicates the normal environment. The work from Azuan et al, using DCA for detecting intrusions attempt that targeting Cloud environment . Their integrated system monitored Cloud infrastructure from the agents that installed on each Cloud VM and from virtual switch level where the "co-residency" attack could be detected. Each agent and virtual switch collect numbers of specific data recognised as signals value in DCA. The signals value then being normalised and analysed for the results between mature or semi-mature conditions. Table 5 provides a summary of Cloud IDS research in machine learning approaches.
Based on the related literature, we found that the following issues have not been sufficiently solved. These are gaps in the reviewed work that would prove to be directions for future works. Table 6 shows a clear gap analysis that Cloud IDS research should fill especially in the following issues:
* Providing real Cloud IDS implementation: In identifying the performance and workability of a proposed Cloud IDS, prototypes need to be developed and tested in a physical Cloud computing environment. Most of the research provides solution and results based on simulation and static data analysis. Even some research that claim to be real implementation still provide analysis results based on static dataset and this is not really represents real Cloud IDS implementation. The real Cloud IDS must be developed based on a working prototype that monitoring Cloud network traffic or system calls or both which is termed as hybrid. Other research especially that implemented open source technology in developing Cloud IDS, more focused on making use of traditional methods in protecting Cloud environment. This framework did not really represent the state of the art Cloud IDS technology because implementing traditional method in Cloud computing environment will introduce another risk to the environment.
* Cloud subscribers' data privacy: Within the process of detecting intrusions involve monitoring enormous data flow and most of the data belong to subscribers and may contains sensitive or private information. As discussed in , protecting data privacy is the major challenges in Cloud computing and pooling user's data in Cloud introduces a new risk in data privacy breach.
* Detecting co-residency attack:  and  describe co-residency attack as an internal attack conducted by a tenant targeting another tenant residing within the same Cloud infrastructure. This type of attack is unique to Cloud and exist because of the nature of Cloud computing. Although this issue is important, little research has been carried out covering this challenge. Although multiple reviewed frameworks stressed on the importance for protecting Cloud from co-residency attack, very few of them implemented it. Other frameworks more focused on entry point security and endpoint security while neglecting the importance of monitoring the risk of co-residency attack.
Cloud IDS aims to provides protection for Cloud computing environment from attacks while maintaining its functionality. Protecting Cloud is importance since its nature that pool user data in centralised source . We have given an extensive survey of current Cloud IDS research in this review which focused on different approaches in developing Cloud IDS frameworks. We also highlight the motivations for Cloud IDS and the basic definitions and principle of Cloud IDS in the literature.
Research in Cloud IDS is still expanding and there are areas of research to be explored especially with the current advancement of detection algorithm. As previously discussed where Cloud IDS research evolved from the Grid computing protection mechanism and current technologies make use of machine learning algorithm including game theory and Artificial Immune System (AIS). The future will explore the specific data set that represents Cloud computing environment which the analysis will describe true performance of Cloud IDS.
The future also may explore the detection of intrusions for big data that become the continuity of the Cloud computing research.  discussed that big data will become the future of Cloud research where data collected by Cloud become larger than any typical database may capture, stored and analyse. Future Cloud IDS framework need to be prepared for threat analysis related to big data.
 P. Mell and T. Grance, "The NIST definition of cloud computing (draft)," NIST special publication, vol. 800, p. 145, 2011.
 S. Carlin and K. Curran, "Cloud computing security," 2011.
 K. Vieira, A. Schulter, C. B. Westphall, and C. M. Westphall, "Intrusion detection for grid and cloud computing," It Professional, vol. 12, pp. 38-43, 2010.
 I. Federico, "Integrating a Network IDS into an Open Source Cloud Computing Environment," 2010.
 Z. Xiao and Y. Xiao, "Security and privacy in cloud computing," IEEE Communications Surveys & Tutorials, vol. 15, pp. 843-859, 2013.
 T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, "Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds," in Proceedings of the 16th ACM conference on Computer and communications security, pp. 199-212, 2009.
 P. Cox. (2010). Intrusion detection in a cloud computing environment. Available: http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment
 D.-G. Feng, M. Zhang, Y. Zhang, and Z. Xu, "Study on cloud computing security," Journal of software, vol. 22, pp. 71-83, 2011.
 S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, vol. 34, pp. 1-11, 2011.
 I. Cymtec Systems. Scout Cloud-Enabled IDS Fact Sheet. Available: http://go.pardot.com/l/12332/2012-04-16/kjv2/12332/9341/Cymtec_Scout_IDS_Fact_Sheet_021412v2.pdf, 2012
 W. Yassin, N. Udzir, Z. Muda, A. Abdullah, and M. Abdullah, "A Cloud-based Intrusion Detection Service framework," in Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on, pp. 213-218, 2012
 C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan, "A survey of intrusion detection techniques in cloud," Journal of Network and Computer Applications, vol. 36, pp. 42-57, 2013.
 A. Greenberg, J. Hamilton, D. A. Maltz, and P. Patel, "The cost of a cloud: research problems in data center networks," ACM SIGCOMM computer communication review, vol. 39, pp. 68-73, 2008.
 J. Arshad, P. Townend, and J. Xu, "A novel intrusion severity analysis approach for Clouds," Future Generation Computer Systems, vol. 29, pp. 416-428, 2013.
 N. D. Man and E.-N. Huh, "A collaborative intrusion detection system framework for cloud computing," in Proceedings of the International Conference on IT Convergence and Security 2011, pp. 91-109, 2012.
 T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection," in NDSS, pp. 191-206, 2003.
 K. Nance, B. Hay, and M. Bishop, "Virtual machine introspection," IEEE Computer Society, vol. 6, pp. 32-37, 2008.
 S. Roschke, F. Cheng, and C. Meinel, "Intrusion detection in the cloud," in Dependable, Autonomic and Secure Computing, 2009. DASC'09. Eighth IEEE International Conference on, pp. 729-734, 2009.
 A. V. Dastjerdi, K. A. Bakar, and S. G. H. Tabatabaei, "Distributed intrusion detection in clouds using mobile agents," in Advanced Engineering Computing and Applications in Sciences, 2009. ADVCOMP'09. Third International Conference on, pp. 175-180, 2009.
 H. A. Franke, F. L. Koch, C. O. Rolim, C. B. Westphall, and D. O. Balen, "Grid-m: Middleware to integrate mobile devices, sensors and grid computing," in Wireless and Mobile Communications, 2007. ICWMC'07. Third International Conference on, pp. 19-19, 2007.
 S. Gupta, P. Kumar, A. Sardana, and A. Abraham, "A fingerprinting system calls approach for intrusion detection in a cloud environment," in Computational aspects of social networks (CASoN), 2012 fourth international conference on, pp. 309-314, 2012.
 P. Mishra, E. S. Pilli, V. Varadharajant, and U. Tupakula, "NvCloudIDS: A security architecture to detect intrusions at network and virtualization layer in cloud environment," in Advances in Computing, Communications and Informatics (ICACCI), 2016 International Conference on, pp. 56-62, 2016.
 D. Kirat, G. Vigna, and C. Kruegel, "BareCloud: Baremetal Analysis-based Evasive Malware Detection," in USENIX Security, pp. 287-301, 2014.
 M. H. Bhuyan, D. Bhattacharyya, and J. K. Kalita, "An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection," Pattern Recognition Letters, vol. 51, pp. 1-7, 2015.
 N. Moustafa and J. Slay, "The evaluation of Network Anomaly Detection Systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set," Information Security Journal: A Global Perspective, vol. 25, pp. 18-31, 2016.
 I. Gul and M. Hussain, "Distributed cloud intrusion detection model," International Journal of Advanced Science and Technology, vol. 34, p. 135, 2011.
 S. T. Zargar, H. Takabi, and J. B. Joshi, "DCDIDP: A distributed, collaborative, and data-driven intrusion detection and prevention framework for cloud computing environments," in Collaborative computing: Networking, applications and worksharing (collaboratecom), 2011 7th international conference on, pp. 332-341, 2011.
 D. Krishnan and M. Chatterjee, "An adaptive distributed intrusion detection system for cloud computing framework," in International Conference on Security in Computer Networks and Distributed Systems, pp. 466-473, 2012.
 P. Ghosh, R. Ghosh, and R. Dutta, "An alternative model of virtualization based intrusion detection system in cloud computing," International Journal of Scientific & Technology Research, vol. 3, pp. 199-203, 2014.
 K. M. Vieira, F. Schubert, G. A. Geronimo, R. de Souza Mendes, and C. B. Westphall, "Autonomic intrusion detection system in cloud computing with big data," in Proceedings of the International Conference on Security and Management (SAM), p. 1, 2014.
 I. Jeganathan and A. Prakasam, "Secure the Cloud Computing Environment from Attackers using Intrusion Detection System," 2014.
 J. D. Araujo, D. de Andrade Rodrigues, L. S. de Melo, and Z. Abdelouahab, "EICIDS-elastic and internal cloud-based detection system," International Journal of Communication Networks and Information Security, vol. 7, p. 34, 2015.
 Z. Al Haddad, M. Hanoune, and A. Mamouni, "A Collaborative Network Intrusion Detection System (CNIDS) in Cloud Computing," International Journal of Communication Networks and Information Security, vol. 8, p. 130, 2016.
 D. Singh, D. Patel, B. Borisaniya, and C. Modi, "Collaborative IDS Framework for Cloud," International Journal of Network Security, vol. 18, pp. 699-709, 2016.
 X. Wang, T.-l. Huang, and X.-y. Liu, "Research on the Intrusion detection mechanism based on cloud computing," in Intelligent computing and integrated systems (ICISS), 2010 international conference on, pp. 125-128, 2010.
 H. Hamad and M. Al-Hoby, "Managing intrusion detection as a service in cloud networks," International Journal of Computer Applications, vol. 41, 2012.
 H. A. Kholidy and F. Baiardi, "CIDS: A framework for intrusion detection in cloud systems," in Information Technology: New Generations (ITNG), 2012 Ninth International Conference on, pp. 379-385, 2012.
 H. A. Kholidy, A. Erradi, S. Abdelwahed, and F. Baiardi, "Ha-cids: A hierarchical and autonomous ids for cloud systems," in Computational Intelligence, Communication Systems and Networks (CICSyN), 2013 Fifth International Conference on,, pp. 179-184, 2013.
 A. Ahmad, B. Shanmugam, N. B. Idris, and G. N. Samy, "Danger Theory Based Hybrid Intrusion Detection Systems for Cloud Computing," International Journal of Computer and Communication Engineering, vol. 2, p. 650, 2013.
 S. Garg and K. Kaur, "Rules based Enhancement in Cloud Intrusion Detection System Service," International Journal of Computer Applications, vol. 72, 2013.
 M. Mbaye and C. Ba, "A distributed IDS Cloud service: an architecture based on Pub-Sub paradigm," in Pages 225-235. 12th African Conference on Research in Computer Science and Applied Mathematics (CARI 2014), p. 376, 2014.
 C. Mazzariello, R. Bifulco, and R. Canonico, "Integrating a network ids into an open source cloud computing environment," in Information Assurance and Security (IAS), 2010 Sixth International Conference on, pp. 265-270, 2010.
 B. Borisaniya, A. Patel, D. R. Patel, and H. Patel, "Incorporating honeypot for intrusion detection in cloud infrastructure," in IFIP International Conference on Trust Management, pp. 84-96, 2012.
 H. M. Alsafi, W. M. Abduallah, and A.-S. K. Pathan, "IDPS: an integrated intrusion handling model for cloud computing environment," International Journal of Computing & Information Technology (IJCIT), vol. 4, pp. 1-16, 2012.
 A. A. Thu, "Integrated intrusion detection and prevention system with honeypot on cloud computing environment," International Journal of Computer Applications, vol. 67, 2013.
 T. Xing, D. Huang, L. Xu, C.-J. Chung, and P. Khatkar, "Snortflow: A openflow-based intrusion prevention system in cloud environment," in Research and Educational Experiment Workshop (GREE), 2013 Second GENI, pp. 89-92, 2013.
 T. Kuldeep, S. Tyagi, and A. Richa, "Overview-Snort Intrusion Detection System in Cloud Environment," 2014.
 J. K. Khatri and G. Khilari, "Advancement in Virtualization Based Intrusion Detection System in Cloud Environment," International Journal of Science, Engineering and Technology Research (IJSETR), vol. 4, 2015.
 P. Sharma, R. Sharma, E. S. Pilli, and A. K. Mishra, "A Detection Algorithm for DoS Attack in the Cloud Environment," in Proceedings of the 8th Annual ACM India Conference, pp. 107-110, 2015.
 C. Ambikavathi and S. Srivatsa, "Integrated Intrusion Detection Approach for Cloud Computing," Indian Journal of Science and Technology, vol. 9, 2016.
 E. W. Muche, "HYBRID INTRUSION DETECTION SYSTEM FOR PRIVATE CLOUD: AN INTEGRATED APPROACH," 2016.
 G. Sathya and K. Vasanthraj, "Network activity classification schema in IDS and log audit for cloud computing," in Information Communication and Embedded Systems (ICICES), 2013 International Conference on, pp. 502-506, 2013.
 M. Moorthy and M. Rajeswari, "Virtual Host based Intrusion Detection System for Cloud," International Journal of Engineering & Technology, pp. 0975-4024, 2013.
 M. N. Ismail, A. Aborujilah, S. Musa, and A. Shahzad, "Detecting flooding based DoS attack in cloud computing environment using covariance matrix approach," in Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication,, p. 36, 2013.
 H. A. Kholidy, A. Erradi, S. Abdelwahed, and A. Azab, "A finite state hidden markov model for predicting multistage attacks in cloud systems," in Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on, pp. 14-19, 2014.
 U. Hameed, S. Naseem, F. Ahamd, T. Alyas, and W.-A. Khan, "Intrusion Detection and Prevention in Cloud Computing using Genetic Algorithm," International Journal of Scientific & Engineering Research, vol. 5, 2014.
 P. Singh and B. Hazela, "Design & Development of a new hybrid system to Prevent Intrusion at cloud using genetic algorithm," International Journal, vol. 4, 2016.
 C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing," in Infocom, 2010 proceedings ieee, pp. 1-9, 2010.
 J. K. Seth and S. Chandra, "An Optimistic Approach for Intrusion Security in Cloud," International Journal of Computer Applications, vol. 97, 2014.
 P. Deshpande, S. Sharma, S. Peddoju, and S. Junaid, "HIDS: A host based intrusion detection system for cloud computing environment," International Journal of System Assurance Engineering and Management, pp. 1-10, 2014.
 N. Pitropakis, C. Lambrinoudakis, and D. Geneiatakis, "Till all are one: Towards a unified Cloud IDS," in International Conference on Trust and Privacy in Digital Business, pp. 136-149, 2015.
 N. S. Aljurayban and A. Emam, "Framework for cloud intrusion detection system service," in Web Applications and Networking (WSWAN), 2015 2nd World Symposium on, pp. 1-5, 2015.
 G. K. Chaturvedi, A. K. Chaturvedi, and V. R. More, "A study of Intrusion Detection System for Cloud Network Using FC-ANN Algorithm," 2016.
 H. Kwon, T. Kim, S. J. Yu, and H. K. Kim, "Self-similarity based lightweight intrusion detection method for cloud computing," in Asian Conference on Intelligent Information and Database Systems, pp. 353-362, 2011.
 T. Alpcan and T. Basar, "An intrusion detection game with limited observations," in Proceedings of the 12th Int. Symp. on Dynamic Games and Applications, 2006.
 Z. Li, H. Xu, and Y. Liu, "A differential game model of intrusion detection system in cloud computing," International Journal of Distributed Sensor Networks, vol. 13, p. 1550147716687995, 2017.
 J. Greensmith and U. Aickelin, "Dendritic cells for SYN scan detection," in Proceedings of the 9th annual conference on Genetic and evolutionary computation,, pp. 49-56, 2007.
 A. Ahmad, N. B. Idris, and M. N. Kama, "Cloud Intrusion Detection
Model Inspired by Dendritic Cell Mechanism", International Journal of Communication Networks and Information Security (IJCNIS), vol. 9, No.1, 2017.
 Z. Wang, "Security and privacy issues within the Cloud Computing," in Computational and Information Sciences (ICCIS), 2011 International Conference on, pp. 175-178, 2011.
 Y. Zhang, A. Juels, A. Oprea, and M. K. Reiter, "Homealone: Co-residency detection in the cloud via side-channel analysis," in Security and Privacy (SP), 2011 IEEE Symposium on,, pp. 313-328, 2011.
 A. Al-Qerem1, A. Hamarsheh, "Statistical-Based Heuristic for Tasks Scheduling in Cloud Computing Environment", International Journal of Communication Networks and Information Security (IJCNIS), Vol. 10, No. 2, 2018.
 J. Manyika, M. Chui, B. Brown, J. Bughin, R. Dobbs, C. Roxburgh, et al., "Big data: The next frontier for innovation, competition, and productivity," 2011.
Azuan Ahmad (1), Wan Shafiuddin Zainudin (2), Mohd Nazri Kama (3), Norbik Bashah Idris (4), Madihah Mohd Saudi (1), Nur Hafiza Zakaria (1)
(1) Faculty of Science and Technology, Universiti Sains Islam Malaysia, Nilai, Negeri Sembilan, Malaysia
(2) CyberSecurity Malaysia, Malaysia
(3) Advanced Informatics School, Universiti Teknologi Malaysia, Kuala Lumpur, Malaysia
(4) Kulliyyah of Information and Communication Technology, International Islamic University Malaysia, Malaysia
Table 1. Cloud Intrusion Detection System on Virtual Machine Monitor Title IDS Type Detection Positioning Dataset Method Livewire  HIDS Anomaly On the Custom Dataset hypervisor Intrusion NIDS Signature On each VM Not stated Detection in the based Cloud  detection IDS Hybrid Anomaly On each Grid log system and for Grid and based node from data Cloud captured during Computing  node communications Fingerprinting HIDS Signature- Domain 0 Custom Dataset system calls based approach for IDS in Cloud NvCloudIDS Hybrid Hybrid VMI based UOC, UNSW-NB  IDS and CAIDA Title Advantages Limitations Livewire  Livewire are Livewire will able to detect suspend the all the attacks execution of in their the VM until experiment the admin responds to that event Intrusion Secures VM Multiple Detection in the based on instances of Cloud  user IDS are configuration. required which degrades performance. IDS Low Varied and for Grid and processing cost uncertainty Cloud and satisfactory false positive Computing  performance results. Fingerprinting Detects Time system calls malicious consuming approach for software by tasks and the IDS in system call author still Cloud sequence using manual technique NvCloudIDS Provides high Attack on the  detection result hypervisor will bring down the whole system. Table 2. Distributive, Collaborative and Agent-based Cloud IDS Research Title IDS Type Detection Positioning Method Distributed NIDS Signature-based On Domain 0 Cloud IDS  Adaptive NIDS Hybrid Any nodes Distributed IDS for Cloud Computing  Collaborative Hybrid Real Time On each node intrusion detection  Mini-IDS  NIDS Signature-based On each cloud host IRAS  NIDS Anomaly-based Agent on each Cloud host Agent based NIDS Signature-based Outside of Cloud IDS  cloud network EICIDS  NIDS Real Time On each node Collaborative NIDS Hybrid On each cloud NIDS  host and at the front end Collaborative NIDS Signature-based On each cluster IDS Framework for Cloud  Title Dataset Advantages Distributed Custom DOS Improvement in Cloud IDS  attack term of processing time Adaptive No explanation May detects Distributed both Network IDS attacks and host for Cloud attacks. Computing  Collaborative No explanation May detects intrusion both Network detection  attacks and host attacks. Mini-IDS  No Able to handle Implementation large network traffic IRAS  Not yet provide self- implemented awareness, self-configuration and self-healing in the cloud. Agent based No Get the overall Cloud IDS  implementation view of network traffic EICIDS  Custom Attacks EICIDS may detects inter-VM attacks Collaborative Not provided Can monitor NIDS  both external and internal attack Collaborative KDDCup 99 Protect against IDS DDoS attack Framework for Cloud  Title Limitations Distributed May unable to Cloud IDS  detect inter-VM attack. Adaptive Communication Distributed among IDS IDS nodes may create for Cloud additional Computing unwanted traffic  for the Cloud network. Collaborative Need more intrusion explanations detection  about the experiments and analysis. Mini-IDS  Did not detect unknown attacks IRAS  Single point of failure Agent based Unable to detect Cloud IDS  new unknown attacks and inter- VM attack EICIDS  Not fault tolerant since the architecture is centralised Collaborative Will result a NIDS  complex configuration of a set of NIDS and the monitoring process will consume more resources Collaborative Requires more IDS training samples Framework for Cloud  Table 3. Cloud IDS as a Service Research Title IDS Type Detection Method Cloud-based IDS NIDS Signature-based IDS as a  service SIDSCC  NIDS Signature-based IDS as a service IDS as a service NIDS Signature-based Snort is  provided as a web service CIDS  Hybrid Hybrid IDS as a service A hierarchical, Hybrid Hybrid Located in a autonomous, and cloud node forecasting cloud IDS  SaaSIDS  NIDS Hybrid IDS as a service Rules based NIDS Signature-based IDS as a Enhancement in service Cloud IDS Service  Pub-Sub IDS  NIDS Signature-based IDS as a Service Title Dataset Advantages Limitations Cloud-based IDS Experiment are Reduce cost of Single point of  not being done managing IDS failure and and cost of internal attack resource will be invisible. SIDSCC  ICMP Flood Provide Did not detect attack promising unknown performance. attacks IDS as a service Custom dataset Able to detect Invisible to  known attack. unknown or new attack. CIDS  CIDD Able to detect The analysis both known may have delay and unknown because of the masquerade location of attack. distributed Eliminate analysis cloud. single point of failure. A hierarchical, CIDD Detect more Single point of autonomous, and attacks than failure. forecasting cloud previous IDS  version SaaSIDS  Custom Dataset Reduce cost of The IDS can be implementing flooded by the IDS and human traffic of the resource client. Rules based Custom dataset Able to Did not detect Enhancement in eliminate unknown Cloud IDS Service single point of attacks  failure and increase availability of IDS service Pub-Sub IDS  No Prevent single Unable to Implementation point of failure detect unknown attack Table 4. Cloud IDS Research based on Open Source Approaches Title IDS Type Detection Positioning Method NIDS for Open NIDS No On Virtual Source Cloud explanation in Machine  the paper Manager (VMM) IDPS  NIDS Hybrid and Traditional prevention Network location Incorporating NIDS Hybrid Cluster Honeypot for Controller IDS (Eucalyptus in Cloud  framework) Integrated NIDS Hybrid Within Cloud IDPS with Network honeypot on cloud computing environment  SnortFlow  NIDS Signature- Domain 0 based Snort for NIDS Signature-based Behind Cloud IDS  gateway Suricata and NIDS Signature-based On multiple KVM Cloud places IDS  Integrated Hybrid Signature-based Hypervisor Open Source Cloud IDS  IDS for private Hybrid Hybrid In VM host Cloud  Title Dataset Advantages Limitations NIDS for Open No explanation The IDS has a No IDS Source Cloud good performance  performance result based on result based on detection rate the resource usage IDPS  No explanation Able to detect Inter-VM attack both known will be invisible and unknown from IDS attack Incorporating Custom dataset Detect known Need some Honeypot for and unknown improvement in IDS attacks. detecting high in Cloud  Controlled use level of security of honeypot threat generates less number of false alarms for unknown Attacks. Integrated Own dataset Detect and The honeypot is IDPS with prevent internal useless if no honeypot on attack attack targeting cloud them computing environment  SnortFlow  Custom dataset Performance is Unable to detect good in inter-VM attacks handling multiple packets Snort for No Provide overall Unable to detect Cloud IDS  implementation perimeter inter-VM or protection for internal attack cloud Suricata and No information Reduce cost Unable to detect KVM Cloud unknown attacks IDS  Integrated Not describe Cost effective Redundancy of Open Source solutions NIDS may Cloud IDS  sacrifice performance IDS for private KDD99 95.5% Can be expand Cloud  detection rate. with real implementations Table 5. Cloud IDS Research in Machine Learning approaches Title IDS Type Detection Positioning Method Self-similarity HIDS Anomaly On each cloud IDS  based host Network NIDS Anomaly Behind Router activity based classification and log audit for cloud computing  Virtual HIDS NIDS (even Anomaly Behind router for Cloud  the title based HIDS) Detecting DoS NIDS Anomaly-based Domain 0 attack in cloud computing environment using covariance matrix  HMM NIDS Hybrid On VMM prediction model  GA Cloud IDS NIDS Signature On domain 0  based ANN Cloud HIDS Anomaly-based VMM IDS  HIDS for HIDS Signature On each cloud Cloud  based host Smith- HIDS Signature-based On Domain 0 Waterman GPU Cloud IDS  ANN Cloud NIDS Anomaly-based On the switch. IDS  GA Cloud NIDS Anomaly-based Simulation IDS FC-ANN NIDS Anomaly-based On the switch Cloud IDS  Differential Numerical Anomaly-based MATLAB Game Model Analysis Simulation  DCA Hybrid Hybrid Virtual Switch CloudIDS  and Each Cloud VM Title Dataset Advantages Self-similarity DARPA 1999 May work IDS  robustly even though the Windows event log does not include enough information. Short learning periods. Network Not describe Detecting activity unknown classification attack based on and log audit traffic analysis for cloud computing  Virtual HIDS CIDD Up to 80% for Cloud  TPR Detecting DoS Custom attack Able to detect attack in cloud the DoS computing environment using covariance matrix  HMM LLDDoS1.0 Successfully prediction fired the early model  warning alerts before the launching of the attack GA Cloud IDS No GA with fixed  implementation generational iteration helps in enhancing the security features ANN Cloud No information Increases IDS  resource availability and optimise IDS resource utilisation HIDS for Custom System Up to 96% of Cloud  Call dataset accuracy Smith- Custom co- Six times faster Waterman residency attack performance GPU Cloud IDS  ANN Cloud ISOT dataset Provide great IDS  accuracy result GA Cloud Custom dataset 57% detections IDS of random sets of cloud attacks FC-ANN Not implemented Improve the Cloud IDS result of ANN  Cloud IDS Differential No explanations Improve cloud Game Model security and  reduce energy consumption DCA DARPA 1999 Total CloudIDS  protection for every part of Cloud IDS Title Limitations Self-similarity Did not detect co- IDS  residency attack Network Unable to detect activity inter-VM or classification internal attack. and log audit for cloud computing  Virtual HIDS Unable to detect for Cloud  inter-VM or internal attack. Detecting DoS attack in cloud computing environment using covariance matrix  HMM Require further prediction testing with other model  attacks. GA Cloud IDS Did not detect  unknown attack. ANN Cloud Unable to detect IDS  network-based attack HIDS for Unable to detect Cloud  novel attack and the system did not provide real time implementation. Smith- Unable to detect Waterman unknown attack. GPU Cloud IDS  ANN Cloud Unable to detect IDS  internal attacks GA Cloud The detection rate IDS can be improved in the future works FC-ANN Single point of Cloud IDS failure when  implemented IDS on switch. Differential Requires more Game Model explanation on  the experiment in real environment. DCA Did not handle CloudIDS  very well in term of high traffic data Table 6. Summary of Cloud IDS Research Title IDS Type Co-residency detection Livewire  HIDS No Intrusion Detection in the Cloud NIDS No  Distributed intrusion detection in Hybrid No clouds using mobile agents  Intrusion Detection Hybrid No for Grid and Cloud Computing  Distributed Cloud IDS  NIDS No NIDS for Open Source Cloud NIDS No  SIDSCC  NIDS No Self-similarity IDS  HIDS No Cloud-based IDS  NIDS No IDS as a service  NIDS No CIDS  Hybrid No IDPS  NIDS No Collaborative intrusion detection Hybrid Yes  Adaptive Distributed IDS NIDS Yes for Cloud Computing  Incorporating Honeypot for IDS NIDS No in Cloud  Fingerprinting system calls HIDS No approach for IDS in Cloud  A hierarchical, autonomous, and Hybrid No forecasting cloud IDS  Network activity classification NIDS No schema in IDS and log audit for cloud computing  Virtual HIDS for Cloud  NIDS No Integrated IDPS with honeypot on NIDS No cloud computing environment  SnortFlow  NIDS No Detecting DoS attack in cloud NIDS No computing using covariance matrix  SaaSIDS  NIDS No Rules based Enhancement in NIDS No Cloud IDS Service  Mini-IDS  NIDS No Pub-Sub IDS  NIDS No IRAS  NIDS No HIDS for Cloud  HIDS No HMM prediction model  NIDS No GA Cloud IDS  NIDS No Snort for Cloud IDS  NIDS No Agent based Cloud IDS  NIDS No ANN Cloud IDS  HIDS Yes EICIDS  NIDS Yes Smith-Waterman GPU Cloud IDS HIDS Yes  Suricata and KVM Cloud IDS NIDS Yes  ANN Cloud IDS  NIDS No Integrated Open Source Cloud Hybrid Yes IDS  FC-ANN Cloud IDS  NIDS No Collaborative NIDS  NIDS Yes Collaborative IDS Framework for NIDS Yes Cloud  GA Cloud IDS NIDS No IDS for private Cloud  Hybrid Yes NvCloudIDS  Hybrid Yes Differential Game Model  Numerical No Analysis DCA CloudIDS  Hybrid Yes Title Data Privacy Real-time Concern Detection Livewire  Yes Yes Intrusion Detection in the Cloud Yes Yes  Distributed intrusion detection in No Yes clouds using mobile agents  Intrusion Detection No No for Grid and Cloud Computing  Distributed Cloud IDS  No No NIDS for Open Source Cloud No Yes  SIDSCC  No Yes Self-similarity IDS  No No Cloud-based IDS  No No IDS as a service  No Yes CIDS  No Yes IDPS  Yes No Collaborative intrusion detection No Yes  Adaptive Distributed IDS No No for Cloud Computing  Incorporating Honeypot for IDS No Yes in Cloud  Fingerprinting system calls No No approach for IDS in Cloud  A hierarchical, autonomous, and No Yes forecasting cloud IDS  Network activity classification No No schema in IDS and log audit for cloud computing  Virtual HIDS for Cloud  No No Integrated IDPS with honeypot on No No cloud computing environment  SnortFlow  No Yes Detecting DoS attack in cloud No Yes computing using covariance matrix  SaaSIDS  No Yes Rules based Enhancement in No No Cloud IDS Service  Mini-IDS  No No Pub-Sub IDS  No No IRAS  No No HIDS for Cloud  No Yes HMM prediction model  No Yes GA Cloud IDS  No No Snort for Cloud IDS  No No Agent based Cloud IDS  No No ANN Cloud IDS  No No EICIDS  No Yes Smith-Waterman GPU Cloud IDS No Yes  Suricata and KVM Cloud IDS No Yes  ANN Cloud IDS  Yes No Integrated Open Source Cloud No Yes IDS  FC-ANN Cloud IDS  No No Collaborative NIDS  No Yes Collaborative IDS Framework for Yes No Cloud  GA Cloud IDS No No IDS for private Cloud  No No NvCloudIDS  No No Differential Game Model  No No DCA CloudIDS  Yes Yes
|Printer friendly Cite/link Email Feedback|
|Author:||Ahmad, Azuan; Zainudin, Wan Shafiuddin; Kama, Mohd Nazri; Idris, Norbik Bashah; Saudi, Madihah Mohd;|
|Publication:||International Journal of Communication Networks and Information Security (IJCNIS)|
|Date:||Dec 1, 2018|
|Previous Article:||Evaluation Method for SDN Network Effectiveness in Next Generation Cellular Networks.|
|Next Article:||An Improved Fully Homomorphic Encryption Scheme for Cloud Computing.|