Introduction
Cloud computing is a new computing paradigm that offers computing resources as a service via the internet (Xiong et al., 2014). It has revolutionized the conventional usage of hardware and software resources, as organizations can cut the cost of purchasing and maintaining expensive hardware and software by subscribing to them on a pay-per-use basis. Cloud computing is a promising and emerging IT technology with enormous potential and benefits to customers; however, it has underlying security issues and vulnerabilities (Khorshed, Ali, & Wasimi, 2012). Examples of security threats capable of compromising cloud security are DoS and DDoS attacks (Mishra, Pilli, Varadharajan, & Tupakula, 2017). Therefore, providing effective security is paramount to the quality of service of cloud computing. Intrusion detection is the process of monitoring events occurring in a system or network and analyzing them for evidence of security incidents that breach, or present an impending threat of breaching, system security policy or standard security practice (Scarfone & Mell, 2007). Intrusion detection systems (IDS) can be classified into signature-based and anomaly-based detection, depending on whether the kinds of attacks to be detected are known beforehand or unknown. The signature-based detection process captures activities in a network and compares them with a collection of attack signatures (Liao, Lin, Lin, & Tung, 2013). Anomaly detection, on the other hand, is better suited to detecting unknown attacks, but it suffers from a high false alarm rate (Singh, Patel, Borisaniya, & Modi, 2016). In addition, coordinated attacks such as DDoS attacks, which occur simultaneously in many networks, are difficult to detect (Zhou, Leckie, & Karunasekera, 2009). This difficulty is due to the coordinated nature of the attacks, in which the attack traffic is spread over multiple networks. Therefore, a collaborative effort is required to tackle such attacks.
For instance, a Smurf-based DDoS attack uses a spoofed IP address to send ICMP requests to a large number of reflector hosts. When the reflector hosts receive the request, they reply to the spoofed IP address, thereby flooding it (Bhuyan, Bhattacharyya, & Kalita, 2015).
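The following added example (not code from the article or its authors) shows why a Smurf flood spread over several networks can stay below each local detector's threshold yet be caught once sensors share their per-destination ICMP echo-reply summaries. The thresholds, sensor layout, addresses and flow records are constructed assumptions.

```python
from collections import defaultdict

ICMP_ECHO_REPLY = 0      # ICMP type 0 (echo reply), RFC 792
RATE_THRESHOLD = 1000    # assumed: echo replies per window that count as a flood
MIN_REFLECTORS = 50      # assumed: distinct reply sources expected in a Smurf flood

def summarize(records):
    """Per-sensor summary: destination -> [echo-reply count, set of sources]."""
    summary = defaultdict(lambda: [0, set()])
    for src, dst, icmp_type, packets in records:
        if icmp_type == ICMP_ECHO_REPLY:
            summary[dst][0] += packets
            summary[dst][1].add(src)
    return summary

def flagged(summary):
    """Destinations whose reply volume and source spread both reach the thresholds."""
    return sorted(dst for dst, (count, sources) in summary.items()
                  if count >= RATE_THRESHOLD and len(sources) >= MIN_REFLECTORS)

def merge(summaries):
    """Collaborative view: add counts and union sources across all sensors."""
    merged = defaultdict(lambda: [0, set()])
    for summary in summaries:
        for dst, (count, sources) in summary.items():
            merged[dst][0] += count
            merged[dst][1] |= sources
    return merged

def constructed_sensor(net_id, victim):
    """Constructed sample: 30 reflectors, 15 replies each, plus one benign ping reply."""
    recs = [(f"10.{net_id}.0.{h}", victim, ICMP_ECHO_REPLY, 15) for h in range(1, 31)]
    recs.append((f"10.{net_id}.1.1", f"10.{net_id}.1.2", ICMP_ECHO_REPLY, 4))
    return recs

VICTIM = "192.0.2.10"    # constructed; documentation address range (RFC 5737)
SENSORS = {n: summarize(constructed_sensor(n, VICTIM)) for n in (1, 2, 3)}

def local_alerts():
    """What each network's detector reports when it works in isolation."""
    return {n: flagged(s) for n, s in SENSORS.items()}

def collaborative_alerts():
    """What the detectors report after exchanging and merging summaries."""
    return flagged(merge(SENSORS.values()))

if __name__ == "__main__":
    print("local:", local_alerts())
    print("collaborative:", collaborative_alerts())
```

Each sensor sees 450 replies from 30 sources, so none alerts alone; the merged view holds 1350 replies from 90 sources and flags the victim address.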