Hierarchical model for intrusion detection systems in the cloud environment

Muhammed Abdulazeez, Dariusz Kowalski

Research output: Chapter in Book/Report/Conference proceedingConference contribution


The recent emergence of cloud computing technology has drastically altered the way we perceive computing infrastructure, software delivery and development models. This massive leap from mainframe computers to highly scalable, dynamically configurable and heterogeneous cloud technology has turned computing and data centres to an innovative technology. This rapid transition towards the cloud has triggered security concerns on this delivery model. The two security challenges addressed in this paper are (i) Dynamic Large Scale System, where most cloud defence systems provide cloudprovider-oriented security in which the defence components are placed at the entrance of the cloud without considering scalability of the cloud and heterogeneity of the applications that run on the platform. (ii) Detection Rate vs. Performance, where we have an inverse relationship between detection rate and performance. However, as the underlying technology is changing, security experts are not amending their approach towards tackling the security challenges of cloud computing. This is because they do not consider the above challenges when building their cloud defence systems. They treat cloud computing security issues as if they were traditional network environments with homogeneous applications that are not easily scalable. To solve this problem, we introduced a lightweight, hierarchical, highly dynamic intrusion detection system architecture that is more suited for cloud computing environment. Our model uses application layer detection mechanisms to detect intrusions at different levels of the cloud computing hierarchy. We identified a number of rules that need to be checked in the application layer protocol to detect the possibility of attacks on the application server. The checking of the rules is not done at certain nodes in the cloud instead, our system decides where to check them based on the current load and the attacks detected at the node and the child nodes of the architecture. This solves the scalability issue of cloud computing architecture, because intrusion detection load will be distributed across the cloud eliminating single points of contention and failure. Our solution also addresses the heterogeneity challenge, because servers (virtual machines (VM)) running different applications can apply different detection approaches. We employed randomised approaches to improve the detection performance of our system, for instance, by selecting a subset of the rules to detect attacks; this is to improve the detection rate and performance challenge. To justify efficiency of our system, we present preliminary results comparing the detection rate vs. system performance. It is worthy to note that although in this paper, we concentrated on Denial of Service and Distributed Denial of Service attacks, our model can be extended to other types of attacks as well.

Original languageEnglish (US)
Title of host publication14th European Conference on Cyber Warfare and Security, ECCWS 2015
EditorsNasser Abouzakhar
PublisherCurran Associates Inc.
Number of pages9
ISBN (Electronic)9781910810286
StatePublished - 2015
Externally publishedYes
Event14th European Conference on Cyber Warfare and Security, ECCWS 2015 - Hatfield, United Kingdom
Duration: Jul 2 2015Jul 3 2015

Publication series

NameEuropean Conference on Information Warfare and Security, ECCWS
ISSN (Print)2048-8602
ISSN (Electronic)2048-8610


Conference14th European Conference on Cyber Warfare and Security, ECCWS 2015
Country/TerritoryUnited Kingdom


  • Application layer security
  • Cloud security
  • Denial of Service
  • Intrusion detection
  • Virtual machine

ASJC Scopus subject areas

  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Hierarchical model for intrusion detection systems in the cloud environment'. Together they form a unique fingerprint.

Cite this