Content uploaded by Muna Al-Hawawreh
Author content
All content in this area was uploaded by Muna Al-Hawawreh on Mar 27, 2019
Content may be subject to copyright.
312 Int. J. Computer Applications in Technology, Vol. 57, No. 4, 2018
Copyright © 2018 Inderscience Enterprises Ltd.
An anomaly-based approach for DDoS attack
detection in cloud environment
Adnan Rawashdeh*
Software Engineering Department,
Faculty of IT & CS,
Yarmouk University
Irbid, Jordan
Email: adnan.r@yu.edu.jo
*Corresponding author
Mouhammd Alkasassbeh and
Muna Al-Hawawreh
Computer Science Department,
Faculty of IT,
Mutah University,
Mutah, Jordan
Email: Malkasassbeh@gmail.com
Email: munahawari1@gmail.com
Abstract: Cloud computing is currently a major focal point for researchers owing to its
widespread application and benefits. Cloud computing’s complete reliance on the internet for
service provision and its distributed nature pose challenges to security, the most serious being
insider Distributed Denial of Service (DDoS) which causes a total deactivation of service.
Traditional defence mechanisms, such as firewalls, are unable to detect insider attacks. This work
proposes an anomaly intrusion detection approach in the hypervisor layer to discourage DDoS
activities between virtual machines. The proposed approach is implemented by the evolutionary
neural network which integrates the particle swarm optimisation with neural network for
detection and classification of the traffic that is exchanged between virtual machines. The
performance analysis and results of our proposed approach detect and classify the DDoS attacks
in the cloud environment with minimum false alarms and high detection accuracy.
Keywords: distributed denial of service; DDoS; cloud computing; intrusion detection system;
hypervisor; attacks detection; neural networks.
Reference to this paper should be made as follows: Rawashdeh, A., Alkasassbeh, M. and
Al-Hawawreh, M. (2018) ‘An anomaly-based approach for DDoS attack detection in cloud
environment’, Int. J. Computer Applications in Technology, Vol. 57, No. 4, pp.312–324.
Biographical notes: Adnan Rawashdeh is Associate Professor of Computer Science. Currently,
he is an IT faculty member, in Yarmouk University, Jordan. In 1996, he obtained his PhD degree
in CS from Illinois Institute of Technology (IIT), Chicago, USA. In 1990, he obtained his
Master’s degree in CS from Salford University, Manchester, UK. In 1984, he obtained
his Bachelor’s degree in CS from Yarmouk University, Jordan. He worked as a System
Analyst/Administrator for a Municipal Bonds Trading Firm, HSE, in Chicago, USA. His research
interests include software engineering, reuse, software models, computer networks and
b-learning.
Mouhammd Alkasassbeh graduated from the School of Computing, Portsmouth University, UK in
2008. He is currently an Associate Professor in Information Technology Department, Mutah
University. His research interests include network traffic analysis, network fault detection,
classification network fault and abnormality and machine learning in the area of computer
networking.
Muna Al-Hawawreh graduated from the Computer Science Department, Mutah University,
Jordan in 2016. Her research interests are in computer network and cloud computing.
An anomaly-based approach for DDoS attack detection in cloud environment 313
1 Introduction
Considering the progress made on ‘green IT’, many
organisations have begun to discover ways to minimise IT
costs and defeat economic stagnation. Cloud computing is
among a number of recently emerging techniques in which the
individual only needs to pay for utilisation of services without
the expense of purchasing physical equipment (Radwan et al.,
2017). According to the National Institute of Standards and
Technology (Lui et al., 2011), cloud computing is defined
as “internet-based computing for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g. network, servers,
storage, application and services) which can be presented to
the customers as a service on ‘a pay-per-use-basis’. It can be
noticed that clouds offer their services via internet, anytime
and anywhere, you just need an internet connection and the
cloud interface such as computer, laptop, smart phones, or
tablet. Cloud computing provides these scalable services using
virtualisation technology. It is worth mentioning that cloud
computing emerged to take the place of grid computing, which
was a very powerful distributed computing platform to solve
complex and large-scale scientific and mathematical problems
(Ghosh et al., 2017). The cloud computing paradigm has
become the prominent platform due to its availability and
flexibility for public and private users.
Virtualisation is the most powerful factor that
contributed to the evolution of clouds; it provides great
benefits; for example, utilising resources, lowering costs,
easier management of server, and server consolidation
(Manavi et al., 2012). Despite the practical advantages,
cloud computing is not isolated from risks; security is the
biggest obstacle that prevents an organisation from moving
their business to the cloud (Hwang et al., 2009). Owing to the
distributed nature of cloud computing, using virtualisation,
multi-tenant and their reliance on the internet, there are
numerous vulnerabilities that are exploited by assailants to
undermine the confidentiality, integrity, and availability of
the cloud resources and services.
One of the potential assaults to cloud computing is a
neighbour assault where a virtual machine can attack its
neighbour in the same physical host or infrastructure, and
thus prevent it from providing its services. For instance, the
client of a virtual machine (VM) can install the malware in
another VM, and then use it as a zombie machines to launch
a Distributed Denial of Service (DDoS) attack against other
VMs in the same infrastructure (Lindemann, 2015). Today,
insider DDoS attacks constitute a great challenge for the
cloud environment where the unavailability of services and
connectivity issue can deactivate the service totally, which can
inflict immense business and financial losses for customers. So,
the malicious behaviour of virtual machines must be monitored
to reveal pernicious actions in the virtual cloud environment. It
is worth to mention that DoS attack can occur in operational
environment other than cloud computing. For example,
Session Initiation Protocol (SIP) today is considered the
standard protocol for multimedia signalling. Unfortunately,
SIP-based application services can suffer from various
security threats including Denial of Service (DoS) (Jama
and Khalifa, 2016).
To defend against such attacks, an Intrusion Detection
System (IDS) necessarily forms a fundamental and
indispensable part of a successful security set-up. It aims at
safeguarding the computer system and network from
abnormal and unauthorised usage of resources. However,
traditional IDS cannot be applied directly in the cloud
environment when we take into account the fact that the
logical resources (i.e. virtual machines) are dynamic and they
have their own vulnerabilities which can be exploited. On the
other hand, in cloud computing most of behavioural IDS
approaches suffer from the unavailability of datasets which
reflect the evolution in the DDoS behaviour, and the nature of
cloud environment, in particular, virtual cloud. Therefore, we
need a new detection system to work effectively with the
nature of virtual cloud. In addition, we need to collect data
from the cloud environment to evaluate the cloud-based IDS.
In cloud, the Hypervisor or Virtual Machine Monitor
(VMM) is able to monitor and detect any abnormal activity
during communication between virtual machines. Thus, the
appropriate course of action is to install the anomaly IDS as
hypervisor layer. Moreover, to build an efficient anomaly
IDS, soft computing technique poses an attractive approach
because of its capabilities in dealing with uncertain data and
partial truth. It can be used to reveal known and unknown
attacks and to improve the efficiency and the accuracy of
IDS approaches.
In this research work, we propose an anomaly intrusion
detection system in the hypervisor layer to discourage DDoS
activities between virtual machines. The proposed system is
implemented by the evolutionary neural network for
classification of the traffic that is exchanged between virtual
machines. The evolutionary neural network integrates the
particle swarm optimisation with the neural network. Here,
the particle swarm optimisation is used to choose the optimal
weights for the neural network to achieve a high level of
accuracy in the classification and detection process. Our aim
is to ensure the feasibility of the proposed model in detecting
DDoS attacks in virtual cloud. Seeing as there is no currently
available dataset for testing and validating the cloud intrusion
detection system, in this research work we generate a new
cloud dataset that contains two types of DDoS attacks,
namely, TCP-SYN and UDP flood attack.
The organisation of the remainder of the paper is as
follows: Section 2 deals with related work, Section 3 describes
cloud-intrusion detection system, Section 4 presents the
proposed work, Section 5 describes the intrusion detection
system classifiers, Section 6 presents the dataset generation,
while Section 7 outlays the experimental results. Finally, the
work is concluded in Section 8.
2 Related work
Owing to its ability to deal with uncertain data and partial
truth, soft computing is considered an attractive element to be
used in intrusion detection systems. Many soft computing
314 A. Rawashdeh, M. Alkasassbeh and M. Al-Hawawreh
techniques are used to improve the efficiency and the
accuracy of IDS. For example, Artificial Neural Network
(ANN), fuzzy logic, Bayesian, decision tree, random forest,
genetic algorithm, association rule, k-nearest neighbour,
hidden Markov, particle swarm optimisation and others.
The leading accomplishments of software computing
are to make use of the tolerance for faults, uncertainty,
oversights, and approximation to achieve manageability and
reduce the cost of solutions. The principal ideas underlying
soft computing in its current form have their origins in
existing works. These include, Zadeh’s 1965 paper on fuzzy
sets; the 1973 paper on the analysis of complex systems;
and the 1981 paper on possibility theory and soft data
analysis. However, the inclusion of neural and genetic
computing in soft computing emerged at a later date.
There are many techniques of soft computing currently
used to improve the efficiency and the accuracy of IDS. Here
we present the related work accomplished by previous
researchers regarding IDS-based on soft computing techniques
scope.
Akramifard et al. (2015) used a Multi-Level Fuzzy Min-
Max Neural Network (MLF) for detecting malicious
activities in the cloud environment. MLF uses the basic
concept of fuzzy min-max Artificial Neural Network (ANN)
method, but with better coverage area of classes using more
precise and smaller hyper boxes. They randomly used two
non-overlapping groups from the Knowledge Discovery and
Data Mining (KDD) dataset to train and test their approach.
The experiment simulates the behaviours in the system by
sending a large number of HTTP requests at a time. Their
behaviour is similar to that of a malicious user, but their
attack time length is short. In this work, the authors
compared the performance of MLF with other methods such
as Support Vector Machine (SVM), real valued Back
Propagation Neural Network (BPNN), traditional Min-Max
Fuzzy NN and the boat method. The results showed that
MLF and real valued BPNN have the best performance in
terms of detection ratio and reducing the false positive ratio.
However, the MLF is superior to real valued BPNN because
if there is some new data and if we need to train the network
in real valued BPNN, it is necessary to train all data to the
network, but the MLF-NN needs to learn only about the
new data to the network without changing all previous
network trained data. The proposed work achieves 99.6%
accuracy rate. However, their proposed work compared with
BPNN had a lower accuracy rate and higher error rate. On
the other hand, BPNN has some limitations, such as it may
sometimes suffer from local minima problem and has a slow
convergence problem.
Ghosh et al. (2014) presented a hybrid algorithm KNN-
NN (Nearest Neighbour and Neural Network) to improve the
classification performance. The authors used a rough set
theory and the information gained separately to select 25
features from NSL-KDD dataset; as a result, it gives a
reduction in training time and memory usage. After that the
KNN is used to classify the data into normal and abnormal
classes, and then the abnormal classes of KNN are passed to
the Neural Network for classifying a specific attack such as
Denial-of-Service (DOS), user to root (U2R), remote to local
(R2L), and Probe (prob). The results emphasised that for
NSL-KNN information gain is more suitable as compared to
rough set theory to choose the appropriate features. Moreover,
the proposed KNN-NN hybrid multilevel classification
increased the accuracy of IDS. Moreover, the proposed KNN-
NN hybrid multilevel classification compared with KNN, and
NN increased accuracy, achieving a level of 76.54%.
Nevertheless, there are some limitations existing in their
approach due to the very high rate of false alarms, which
reached a level of 23.46%.
Bhat et al. (2013) introduced a machine learning method
to build IDS on the virtual machine monitor (i.e. Hypervisor).
They used a naïve Bayes (NB) tree in the first part to classify
the packet based on the NSL-KDD training dataset. This part
contributes to the building of a better classification model by
determining the most important features. On the other side,
they used a hybrid method NB tree and random forest to
predict the class of data based on the similarity of connection
features. The results showed that their method using NB tree
and a hybrid of NB tree and random forest performed very
well. However, their system still suffers from low detection
accuracy and a high false alarm rate.
A HIDS based on analysing failed system calls, tracing
and classifying them using a KNN classifier to reduce the
computational burden, detects the intrusion early and alerts
the user as proposed by Deshpande et al. (2014). The
proposed work provides security at the infrastructure layer
where each virtual machine uses the IDS. The results show
that the proposed model achieved an average intrusion
detection sensitivity of 96%. This system had only a limited
view of the virtual network activity, as it is only able to
detect the malicious activity on the machine where it is
placed. Similarly, the work presented by Moorthy and
Rajeswari (2014) is a virtual host based IDS in a cloud
environment. The main idea of their work is to detect and
prevent a malicious packet from entering the cloud network.
They installed the IDS between the router and cloud host,
where the router detects any malicious packet based on the
IP address. On the other hand, the IDS sniffs the entire
content of the packet and drops it. The authors used a
genetic algorithm to generate a rule from the dataset. To
improve this work, Kazemi et al. (2015) suggested changing
the fitness function of the genetic algorithm to get more
accurate results. These systems cannot reveal the unknown
attack because their works are based on using GA to
generate the best rule from predefined signatures which
were prepared manually.
In the study by Patel and Srivastava (2013), the authors
used snort to detect a known attack based on acknowledge
storage database, and Bayesian classifier to predict the class
of the packets (i.e. unknown attack) passed by snort. When it
encounters an attack, it generates an alert and stores it in
central log. The knowledge and behaviour databases are
updated dynamically. The experiment was conducted using
10% of KDD dataset and with distributed NIDS. The results
showed that the proposed method achieves high detection rate
An anomaly-based approach for DDoS attack detection in cloud environment 315
with low false positive and false negative. Moreover, it has a
high f-score and affordable computational cost. Similarly,
Modi et al. (2012) used a decision tree instead of Bayesian
classifier, which is faster at learning stage. In their experiment,
they used NSL-KDD and KDD datasets, the results showed a
high performance, especially in the case of KDD dataset due
to its large size. However, these systems may create a burden
on the network due to the deployment of NIDS on different
places and in each VM. Thus, in cloud environment with
a huge number of VMs, this can affect the performance of
the IDS.
An anomaly intrusion detection system is presented in the
article of Ganeshkumar and Pandeeswari (2015). A hypervisor
detector based on the idea that integrates the fuzzy system with
an adaptation and learning proficiencies of neural network has
been proposed. The system is called A Neuro-Fuzzy Inference
System (ANFIS). In ANFIS model, the back-propagation
gradient descent technique with least square are used to update
the parameters of membership functions. Their experiments
were carried out on the KDD-CUP99 dataset with the intention
of training and testing their proposed model. The proposed
model achieved 100% for normal, 100% for DoS, 100% for
probe and 98.4% for R2L and 99.1% for U2R detection
accuracy. The average accuracy rate is 99.5%. Nevertheless,
their work, like all the other previous works, relied on KDD
CUP99 and NSL-KDD datasets to evaluate their intrusion
detection approaches. These datasets suffer from the fact they
are not a good representative for the virtual cloud environment
even though there is a new dataset similar to KDD which was
offered in Alkasassbeh et al. (2016 ) but still does not reflect the
cloud computing scenarios. The KDD CUP 99 dataset is more
than 17 years old, and it has been used widely and extensively
in the intrusion detection systems field. Nowadays, it is quite
obsolete as there has been a massive change in behaviour
of traffic over the years and the same datasets cannot be
used to validate a new DDoS detection system in the
virtual cloud environment. Moreover, up till now the IDS-
based soft computing approaches need to be enhanced for
covering vulnerabilities and presenting a complete protection
approach.
Muthurajkumar et al. (2015) presented a new hybrid
feature selection and hybrid multiclass classification
algorithms to detect attacks in virtual machines. They
proposed a security model which integrates a genetic
algorithm and discrete particle swarm optimisation to select
the best features from NSL-KDD dataset. After that, they
integrate a hidden naïve base with an intelligent agent
vector machine. The performance results of the proposed
work show their hybrid algorithms achieved more than 95%
accuracy rate. In this work, the particle swarm optimisation
was used only to select the best features for IDS. However,
in our work, we used particle swarm optimisation in a
different way to select the optimal parameters (i.e. weights
and bias) for Neural Network based model.
An IDS in cloud that combines the rough set for feature
selection and fuzzy support vector machine for classification
is introduced by Muthurajkumar et al. (2013). The goal of
their work is choosing the optimal feature set to achieve best
detection rate. The authors used KDD CUP 99 dataset in their
experiments; as a result, the proposed model achieved a
beneficial improvement, and for example, it achieves 84.9%
and 91.85% detection rate for DoS before and after the
feature selection process respectively. The research still needs
more improvement on detection accuracy.
3 Cloud-intrusion detection system
In virtual cloud environment, IDS can be emplaced as a
strong defensive mechanism to protect virtual machines
from DDoS attacks. Thus, due to the distributed nature and
the dynamic of resources in cloud, a new type of IDS has to
be designed for cloud environment. The hypervisor or the
Virtual Machine Monitor (VMM), a promising type of IDS
technique, can run in the hypervisor layer as depicted in
Figure 1. This IDS is based on analysing the information
that is exchanged at different interaction levels, such as
communication between virtual machines in the same
physical host or different positions, hypervisor and VMs,
and communication within the hypervisor based virtual
network (Kene and Theng, 2015).
Figure 1 Hypervisor-based intrusion detection system
4 Proposed work
4.1 Hypervisor-based IDS based on soft
computing techniques
In this work, we undertake an analysis of the traffic that is
exchanged between virtual machines to examine the DDoS
attack on virtual networks by a designed IDS-based on soft
computing technique in hypervisor layer. The architecture
of the proposed approach of intrusion detection is shown
in Figure 2. It can be noticed that the proposed approach
consists of the following components:
Sniffer: The sniffer collects the network traffic from
network interfaces within the virtual cloud environment
and stores it. Using the collected traffic, the behaviour
of virtual machines is monitored and analysed.
316 A. Rawashdeh, M. Alkasassbeh and M. Al-Hawawreh
Pre-processing of packets: The pre-processing step is a
very critical requirement in creating an effective IDS. It is
used to filter the raw data and convert it into useful
information because all the information that was captured
in the previous step may not be significant and sometimes
may confuse the classifier algorithm, thus resulting in
wrong decisions. Pre-processing helps to eliminate the
redundant and incomplete data. Therefore, it is necessary
to extract and select only the related information and the
significant features that help in intrusion detection
precisely (Vanathi and Gunasekaran, 2012).
Anomaly classifier: The anomaly classifier performs
pattern comparison, analysis, and makes the decision
to move the received data. This anomaly classifier
module is created for the purpose of detecting the insider
DDoS attack by learning from the behavioural dataset.
Here, we propose a hybrid of soft computing techniques; an
artificial neural network is trained using particle swarm
optimisation to create an optimal neural network model
which is able to classify and determine whether the
packets are anomalous or normal during communication
between VMs with high accuracy and with the least
number of false alarms.
Datasets: The proposed IDS contains two datasets; the
first one has the raw traffic that is captured by the sniffer
for analytical purposes. The second is the behavioural
dataset which has a list of previously emulated data sets
which are considered as a profile for network behaviour.
Based on it, the anomaly classifier can determine the
typical user behaviour and the suspicious behaviour.
Furthermore, the behavioural dataset helps to make a
decision on the new incoming packets.
Alert system: The anomaly classifier will alert the system
administrator to take the appropriate action when any
abnormal activity is monitored in the network. Otherwise,
the IDS allows the packets to pass.
Figure 2 The architecture of hypervisor-based IDS
5 IDS classifiers
In this work, two different classifiers have been investigated
and tested based on the dataset collected. The models are
the ANN, ANN with PSO classifiers. The models are
described as follows.
5.1 Artificial neural network (ANN)
ANN is a computer program inspired by biological neural
networks where each neuron in the network is well
programmed based on its properties and works together with
the other neurons to solve artificial intelligence problems
(Li et al., 2012). Multilayer Perception neural network
(MLP) is the most popular ANN type (Minsky and Papert,
1969). It is a feed forward neural network that contains
multiple layers of nodes: that is, an input layer, an output
layer, and one or more hidden layers as shown in the
Figure 3. The nodes in each layer are fully connected to the
nodes in the next one. The output layer consists of one or
more neurons that allow the network to deliver one or more
outputs for one or more inputs. In addition, each node in
the network except the inputs is a neuron with non-linear
activation function, namely, Sigmoid function, and
hyperbolic tangent (Svozil et al., 1997). Sigmoid is the most
popular function, which can be calculated using the following
equation:
1
1
x
fx e
(1)
Figure 3 The architecture of MLP-NN
Feed Forward Neural Network utilises a supervised learning
called Back Propagation (BP) algorithm to train the
network. Back Propagation algorithm is a gradient-based
method used to adjust the weights of connections during
Neural Network training phase to minimise the total error of
the network. Generally, BP algorithm has two basic steps
which are repeated several times; forward pass and
backward pass (Cilimkovic, 2015). In forward pass, the
training data is fed into the input layer, and propagated to
the hidden layer then propagated to the output layer. Each
node in the hidden layer receives data from all nodes in the
input layer multiplied by connection weights then added
together. After that, the outputs of the hidden layer which is
An anomaly-based approach for DDoS attack detection in cloud environment 317
a non-linear transformation of the resulting sum, multiplied
by appropriate weights and added together, then passed to
each node in the output layer. Thus, the resulting output
layer is compared with the target output values. The error
between the actual output value and the target output value
is used to teach the neural network. Hence, it is calculated
and propagated backward to the hidden layer. This is called
backward pass. So, using an error, the weights of connections
of input-to-hidden and hidden-to-output are updated.
ANN and other machine learning techniques have been
explored in detail in the work of Jama and Khalifa (2016).
The work of Jama and Khalifa (2016) showed how standard
ANN can be used for intrusion detection system in
cloud computing, however, the accuracy of this model is
dependent on the number of nodes in the hidden layer as
well as the number of instances in the training phase. ANN
always needs time for building the model to detect any type
of attack that has been trained for.
Although the back propagation algorithm is widely used
up until now in the research area for training neural
network, it has several limitations which lead some
researchers to not use it and search for alternatives (Zhang
et al., 2007; Ahmed, 2016). For example, back propagation
is a slow algorithm for training, and it easily gets trapped in
local minima, particularly for those non-linearly separable
pattern classification problems. It sometimes fails in finding
a global optimal solution.
ANN has been used in different areas such as prediction
and estimation of the power of a solar Stirling heat engine in a
smart grid (Sameti et al., 2017), in the field of environment
(Al-kasassbeh, 2013), in medical diagnosis (Cheh, 2013) and
others (Karayiannis, 2013).
5.2 Particle swarm optimisation (PSO)
PSO is one of the most popular metaheuristic optimisation
algorithms developed by James Kennedy and Russell
Eberhart in 1995. It is inspired by the behaviour of animal
societies which do not have an obvious leader, such as a
swarm of bees, a flock of birds, or a school of fish. Usually,
a group of animals that has no clear leader will discover the
location of food by random, following one of the individuals
(particles) of the swarm which has the nearest position
to the food source (potential solution) (Rini et al., 2011).
As one individual that happens upon a food source or
favourable conditions communicates that information to
other members of the swarm, the whole group repositions
and organises to take advantage of that food source or
conditions. This is an on-going process as each member of
the group relays information to the others to achieve the
current desired place for the entire swarm.
Particle swarm optimisation poses multi-agent parallel
search techniques which keep up a swarm of particles and
each particle represents a potential solution in the swarm.
All particles fly through a multi-dimensional search space
where every particle is modifying its position (X) according
to its personal experience (Pbest) and the overall experience
(Gbest) and the velocity (V). The experiences accelerated by
two random numbers generated between [0, 1], whereas the
present velocity is multiplied by an inertia factor w
changing between [w min, w max] (Li et al., 2012). Suppose
the initial population (swarm) size is N with dimension D is
symbolised as X={X1, X2, X3… XN}, each particle Xi (i= 1,
2, 3 …N) is given as Xi = {Xi.1, Xi.2, …, Xi.D}. In addition,
the velocity of the populations is symbolised as V = [V1, V2,
V3…..VN], and each particle has velocity Vi (i =1, 2, 3……N)
which is given as Vi= {Vi.1, Vi.2, …,Vi.D}. Here, the index i
changes from 1 to N, and the index j changes from 1 to D.
The velocity (Vi) and the position of particle (Xi) are
updated by the following equations (Alam, 2016):
1
, , 1 1 , ,
22 ,
kk kk
ij ij ij ij
kk
jij
VwVcrPbestX
cr Gbest X
(2)
11
, , ,
kkk
ij ij ij
X
XV
(3)
In equation (2), the ,
k
ij
P
best presents the personal best j-th
component of i-th member, whereas the k
j
Gbest represent
the j-th component of the best member of population up to
iteration k.
PSO has many advantages over other optimisation
methods. For example, PSO does not have complicated
evolutionary operators such as overlapping, crossover, or
mutation calculation, and does not need any gradient
information of the function to be optimised and uses only
primitive mathematical operators, and there are few
parameters to adjust compared to other optimisation methods.
Moreover, the PSO generally has a strong ability to find the
most optimistic result (Talukder, 2011).
5.3 Anomaly classifier based on training
MLP-NN using PSO
A neural network (NN) has been widely used thus far, and
it poses a good choice for categorising a network activity
because it is a particularly strong tool in multiple class
classification, especially when utilised in applications where
the formal examination would be extremely troublesome or
even impossible, for example, pattern recognition and non-
linear system identification. The NN can work with uncertain
and incomplete data. This implies that they can perceive
additional patterns not exhibited during the learning phase
(Devikrishna and Ramakrishna, 2013). However, the process
of finding a set of appropriate weights for feed forward NN is
not a trivial one. It is a dynamic process in that any change
of one weight requires adjustment of many others. Back
propagation is usually used to find the set of weights for
FNN, in spite of the fact that there is not widespread
satisfaction with the effectiveness of this method (Eberhart
and Kennedy, 1995).
318 A. Rawashdeh, M. Alkasassbeh and M. Al-Hawawreh
To improve the performance of ANN as an intrusion
detection system, we used the PSO to find the appropriate
set of weights for feed forward neural network. The process
is divided into two phases, namely the training phase and
testing phase. In the training phase, we used part of data as
training set to calculate the fitness function (NN error rate)
for each particle (solution). After that, based on the error
rate, the personal best and global best are calculated. As
long as the criterion is not met, the positions and the velocity
of particles are updated, and each time a new generation of
particles is introduced. Finally, when the conditions are
satisfied, a NN model with global best parameters (i.e.
weights and bias) is ready to use in testing phase. The basic
summary of training NN using PSO algorithm is presented as
follows:
Input: Inputs data I, Target data T, Network with neuron
in hidden layer net (n), Population size pop, Acceleration
coefficient (c1, c2), max_iteration, Pbest, Gbest.
Tolerance tolerance_value.
Output: Training Neural Network net (n)
1. Begin
2. Generate the initial solutions (particles) randomly
3. Evaluate each particle based on fitness function
(Neural network error rate)
4. While (iteration < max_iteration & tolerance >
tolerance_value)
5. Find the Pbest for each particle based on the
minimum error rate.
6. Find the Gbest = min (Pbest).
7. For i = 1 to pop
8. For j = 1 to D
9. // modify particle velocity and positions
10.
, , 1 1 , , 2 2
ij ij ij ij
VwVcrPbestX cr
,
j
ij
Gbest X
11. , , ,
ij ij ij
X
XV
12. End for
13. End for
14. Calculate the tolerance
15. Increase iteration_number.
16. End while
17. Configure the Neural Network net (n) based on
Gbest values.
18. End algorithm
6 Dataset generation
In cloud computing, behavioural-based approaches suffer
from the unavailability of datasets, where most previous
research used KDD CUP 99 and NSL-KDD datasets to
evaluate their approaches. These datasets suffer from the
fact they are not a good representative for the virtual cloud
environment, in addition, they are quite obsolete as there is
a massive change in the behaviour of traffic over the years
and the same datasets cannot be used to validate new DDoS
detection system in the virtual cloud environment. As well
the simulated dataset which generated by Alkasassbeh et al.
(2016 ) is new DDoS dataset, however, it does not represent
the cloud environment. So, to handle this issue and on-going
development in DDoS attack, it is necessary create a
new dataset that reflects the nature of the virtual cloud
environment to test and evaluate the intrusion detection
approach based soft computing.
6.1 Architectural framework
The whole architecture which is included in generating the
final dataset is presented in Figure 4. As it can be seen,
when the virtual environment test bed experiment is
performed, the TCPDUMP files (i.e. PCAP files) are
generated by using the TCPDUMP tool. After that, the
collected traffic is pre-processed and the features are
extracted by TShark tool and statistical processes. Finally,
we randomly choose the final number of records for each
label which are collected in CSV file.
Figure 4 Dataset generation framework
6.2 Testbed environment
The experiment was conducted on a computer with
configuration of Intel ® Core ™ i7-6500U CPU of 2.50
GHz processor speed and 8.00GB (RAM) with Windows 10
64bit operating system. Using Oracle Virtual Box -5.1.0-
108711-win, we created four virtual machines as shown in
Figure 5. Each VM has Linux-Debian (32 bit) installed as
the operating system. To generate normal traffic, we used
iMacros scripts to robotise online activities via web-based
applications. Thus, the VM2, VM3, VM4 exchange the
traffic with VM1 (i.e. Main server). They browse the site,
fill the forms in the beef website with random time between
events to verify normal situation. Furthermore, to generate
more UDP traffic, we requested querying the DNS for
resource using a command like nslookup and dig. At the
same time, to capture the normal traffic, we installed
TCPDUMP tool in the VM1.
An anomaly-based approach for DDoS attack detection in cloud environment 319
Figure 5 Environment testbed
The attack traffic was generated by launching attacks from
two virtual machines VM2, VM3 using hping3 tool. We
executed two scenarios for two types of attacks: TCP SYN,
and UDP Flood attack. At the same time, VM4 generated
background traffic in both scenarios. Since the spoofed IP
address can be blocked in the virtual cloud environment, in
TCP SYN attack scenario our concern was to initiate the
DDoS attacks with a real IP address. In this situation, the
attacker can send many TCP SYN packets to the victim
machine. However, the attacker’s operating system must not
respond to the SYN-ACKs, because any ACKs, RSTs, or
ICMP message allows the listener to move the Transmission
Control Block (TCB) out of SYN-RECIVED (Bogdanoski
et al., 2013). So, to prevent the operating system on the
attacker’s side from responding to the SYN-ACK, the
attacker can set some firewall table, and this is what we did
in our experiments through Linux iptables.
iptables – I OUTPUT 1-d 10.0.2.4-p tcp – tcp-flags
RST – j Drop
In UDP flood attack scenario, the virtual machines send UDP
packets of small size (here is the default size in the hping3
attacker tool is 60 bytes) to the specific port (i.e. port 80) to
saturate the victim machine very quickly, and as a result the
victim is crashed and the service to the legitimate users is
blocked.
6.3 Data pre-processing and feature extraction
After capturing the normal and attack traffic using
TCPDUMP tool, TShark tool has been used to filter and
analyse traffic then extract features. 20,000 records have
been chosen for each label to create a final dataset. A
detailed list of extracted features is given in Table 1.
Table 1 List of extracted features
Number Feature name Feature description
1 pro
Protocol type (TCP, UDP)
2 Serv
Service (http, domain, ftp,
etc.)
3 totalpkt
Total number of packets
4 Totalbyt
Total number of bytes
5 pktStoD
Number of packet from
source to destination
6 bytStoD
Number of bytes from source
to destination
7 pktDtoS
Number of packets from
destination to source
8 bytDtoS
Number of bytes from
destination to source
9 Relstime
Start time of connection
10 Duration
Duration of connection
11 bpsStoD
Average bit per second from
source to destination
12 bpsDtoS
Average bit per second from
destination to source
13 Avgpktsize
Average packet size
320 A. Rawashdeh, M. Alkasassbeh and M. Al-Hawawreh
7 Experimental results
The environment of MATLAB R 2014a is used for the
implementation and evolution of the classifier algorithm. Here,
the proposed dataset is used for experiment. This dataset has
60,000 connections, 20,000 of which are normal connections,
20,000 UDP flood attack connections, and 20,000 TCP SYN
flood attack connections. The proposed hypervisor-based
intrusion detection approach uses ANN with PSO design.
To configure the anomaly classifier, the PSO is used to
train the ANN and choose the optimal weights and bias.
In our experiment, the anomaly classifier is trained with
40,000 connections and tested with 20,000 connections; the
distribution of testing data is depicted in Table 2.
Table 2 Distribution of testing data
Type of attacks Number of samples
Normal 6633
UDP Flood 6629
TCP SYN 6739
7.1 Performance analysis
This paper compares the anomaly classifier with Back
Propagation Neural Network (BPNN) based model. For our
implementations of FNN, we chose the structure of NN which
is mentioned in Table 3. On the other hand, the parameters of
PSO play a vital role in its effectiveness (Carlisle and Dozier,
2001). Some of these parameter values have a large impact on
the efficiency while the other parameters do not have any
effect. The basic PSO parameters are swarm size (i.e. number
of particles), acceleration coefficients, number of iterations, and
velocity components. From a number of empirical studies
(Engelbrecht, 2007; Talukder, 2011), it has been shown
that most of the PSO implementations use swarm size interval
[20, 60], acceleration constants should be 12
2cc
, number
of iterations [500, 10,000], initial velocity is 10% of position.
The parameter values which were used in the experiment are
displayed in Table 4.
Table 3 Neural network parameters
Feedforward neural network parameters
Number of layers 3 (input, one hidden
layer, output)
Number of neurons in
input layer 13 attributes
Number of neurons in
hidden layer 8
Number of neurons in
output layer 3
Maximum iteration 1000
Activation function Sigmoid
Table 4 PSO parameters in our experiments
Particle swarm optimisation parameters
Swarm size 25
Acceleration coefficient (c1,c2) c1=2, c2=2
Inertia weight (w) [0.1, 0.5]
Boundary of population [–1.5, 1.5]
Maximum number of iterations 500
Initial velocity 10% of positions
The performance of the anomaly classifier can be evaluated
as follows:
True Positive (TP): The number of positive records that
are correctly classified.
True Negative (TN): The number of negative records
that are correctly classified.
False Negative (FN): The number of records that are
incorrectly identified as a negative, although they are in
fact positive.
False Positive (FP): The number of records that are
incorrectly identified as a positive, although they are in
fact negative.
Figure 6 Detection rate for NN and NN with PSO
UDPFlood Normal TCPSYN
NN 99.96% 94.94% 94.94%
NN+PSO 99.99% 99.99% 100%
94%
95%
96%
97%
98%
99%
100%
Accuracy
An anomaly-based approach for DDoS attack detection in cloud environment 321
However, herein the performance of PSO with ANN based
model is compared with BPNN based model in terms of
detection accuracy, and the error rate. The performances of two
models are compared by using detection accuracy value which
is presented in Figure 6. From Figure 6 it is observed that the
UDP flood attack, TCP SYN Flood attack, and normal traffic
have approximately the same values under PSO with ANN
based model, where UDP Flood attack and Normal traffic have
99.99% and 100% for TCP SYN attack while for BPNN based
model the UDP flood attack achieves 99.96% and 94.94% for
TCP SYN attack and normal traffic.
Figure 7 shows the performance comparison for two
models using error rate value. From Figure 7 it is evident
that PSO with ANN based model has the minimum false
alarm rate when compared to BPNN based model.
From performance analysis using detection accuracy and
error rate, it can be shown that the PSO with ANN-based model
can detect the abnormal activities with high accuracy and
minimum false alarms. However, these factors are not sufficient
for evaluating the performance with minimum number of
instances. Hence, other factors such as precision, recall,
specificity, and f-measure which do not rely on the size of the
input samples can be used. These performance measures can be
calculated using the following equations (Mikolajczyk and
Schmid, 2005):
TP
Precision TP FP
(4)
TP
Recall TP FN
(5)
TN
Specificity TN FP
(6)
2* *
precision Recall
FScore precision Recall
(7)
Figure 8 shows the performance comparison of PSO with
ANN based model and BPNN based model using precision,
recall, specificity, and F-measure for UDP flood attack. From
the results herein, it is evident that the PSO with ANN based
model has the highest performance metrics values. In Figures 9
and 10, it is shown that the PSO with ANN based model is
the best for normal and TCP SYN attack detection with
highest performance metrics. As found in most of previous
related works, the KDD Cup 99 dataset was used to evaluate
the cloud IDSs. This dataset has many drawbacks that limit
using it nowadays; first, it has a numerous number of
redundant records in the training set, and this affects the result
of detection and biases to the most frequent records. Second,
there are multiple missing records that are considered a key
operator in changing the nature of the data (Moustafa and
Slay, 2015). Lastly, it is outdated and is not considered
appropriate for the virtual cloud environment. As a result,
using KDD Cup 99 dataset leads to lack of precise results
when deploying the IDSs in real environment.
Figure 7 Error rate for NN and NN with PSO
UDPFlood Normal TCPSYN
NN 0.04% 5.06% 5.06%
NN+PSO 0.01 0.01 0
0%
1%
2%
3%
4%
5%
6%
Error
Figure 8 Performance metrics for UDP flood attack
Precision RecallSpecifictyF‐measure
NN 99.91% 99.98% 99.95% 99.95%
NN+PSO 100% 99.97% 100% 99.98%
99.4%
99.5%
99.6%
99.7%
99.8%
99.9%
100.0%
322 A. Rawashdeh, M. Alkasassbeh and M. Al-Hawawreh
Figure 9 Performance metrics for normal
Precision Recall Specificty F‐measure
NN 99.98% 84.76% 99.99% 91.74%
NN+PSO 99.97% 100% 99.99% 99.99%
82%
85%
88%
91%
94%
97%
100%
Figure 10 Performance metrics for TCP SYN flood attack
Precision Recall Specificty F‐measure
NN 87.02% 100.00% 92.42% 93.06%
NN+PSO 100.00% 100% 100.00% 100.00%
82%
84%
86%
88%
90%
92%
94%
96%
98%
100%
Hence, to ensure the efficiency of cloud intrusion detection
approaches, we must use a good quality dataset that not only
gives an efficient result in the offline system but also
provides potential effectiveness when it is deployed in the
real environment. Herein, the hypervisor-intrusion detection
approach based on PSO with ANN is trained and tested
using a new data that is collected during the communication
between virtual machines. This data reflects the virtual
cloud environment nature and handles the insider DDoS
problem.
8 Conclusion
The characteristics of cloud computing, being distributed,
utilising virtualisation, being multi-tenant and relying on the
internet to provide services, inherently make network
security a major obstacle. Insider denial of service attack is
a primary challenge for any cloud operational environment
because it can deactivate the service completely, and result
in financial losses for organisations. Therefore, to protect
the virtual environment of the cloud from DDoS activities,
organisations need more than just traditional defence
mechanisms such as firewalls that check the incoming
packets at the boundary of the network, but do nothing
about insider attacks.
In this research work, we proposed an anomaly intrusion
detection system in the hypervisor layer to discourage
the DDoS activities between virtual machines. The proposed
system is implemented by the evolutionary neural
network for classification of the traffic that is exchanged
between virtual machines. The evolutionary neural network
integrates the particle swarm optimisation to choose the
optimal weights for the neural network in order to achieve a
high level of accuracy in the classification and detection
process. Our aim is to ensure the feasibility of the proposed
model in detecting DDoS attacks in virtual cloud. Usually,
there is no currently available dataset for testing and
validating the cloud intrusion detection system thus, in this
research work, a new cloud dataset that contains two types
of DDoS attacks, namely, TCP-SYN and UDP has been
generated.
It can be concluded that our work focused on creating
IDS-based on soft computing techniques, in particular, PSO
with a feed forward neural network for detecting insider
DDoS in the virtual cloud. The proposed IDS has been used
to monitor, detect and classify the traffic exchange between
virtual machines. In addition, it has been trained and tested
with a new generated dataset to identify and handle the
An anomaly-based approach for DDoS attack detection in cloud environment 323
insider DDoS attack problem in the virtual cloud environment.
The experimental results demonstrated that the proposed IDS
based on ANN with PSO outperformed the ANN-based
model in all performance metrics. Most importantly, it
showed superior performance in term of detection rate and
least error rate.
Owing to the unavailability of datasets compiled for the
cloud environment, this study conducted the IDS on a
dataset that was generated by this research work. This
dataset is limited to only two types of DDoS attacks: UDP
flood and TCP SYN. Future research can be conducted with
new types of attack such as EDoS attack and other
variations of DDoS. On the other hand, our dataset only
handles the traffic that exchanges between VMs, so the
traffic that comes from an outside host machine could be
studied in future work. In addition, the proposed IDS in this
research work is based on soft computing techniques, a
possible future research is to adopt an alternative algorithm
and attempt to achieve low computation time and high
recognition rate.
References
Ahmed, I. (2016) ‘Enhancement of network attack classification
using particle swarm optimization and multi-layer
perceptron’, International Journal of Computer Application,
Vol. 137, No. 12, pp.18–22.
Akramifard, H., Mohammad, L., Balafar, M. and Davtalab, R.
(2015) ‘Intrusion-detection in the cloud environment using
multi-level fuzzy neural network’, Proceedings of the
International Conference on Security and Management
(SAM), The Steering Committee of The World Congress in
Computer Science, Computer Engineering and Applied
Computing (WorldComp).
Alam, M. (2016) ‘Codes in MATLAB for training artificial neural
network using particle swarm optimization’, Research Gate,
pp.1–16. http://dx.doi.org/10.13140/RG.2.1.2579.3524.
Alam, M. (2016) ‘Particle Swarm Optimization: Algorithm and its
code in Matlab’, DOI: 10.13140/RG.2.1.4985.3206.
Al-kasassbeh, M. (2013) ‘Predicting of surface ozone using
artificial neural networks and support vector machines’,
International Journal of Advanced Science and Technology,
Vol. 55.
Alkasassbeh, M., Al-Naymat, G., Hassanat, A. and Almseidin, M.
(2016) ‘Detecting distributed denial of service attacks using
data mining techniques’, International Journal of Advanced
Computer Science & Applications, Vol. 7, No. 1, pp.436–445 .
Alsafi, H., Abduallah, W. and Pathan, K. (2012) ‘IDPS: an
integrated intrusion handling model for cloud computing
environment’, International Journal of Computing &
Information Technology, Vol. 4, pp.1–16.
Bhat, H., Patra, S. and Jena, D. (2013) ‘Machine learning approach
for intrusion detection on cloud virtual machines’, International
Journal of Application or Innovation in Engineering &
Management, Vol. 2, No. 6, pp.56–66.
Bogdanoski, M., Shuminoski, T. and Risteski, A. (2013) ‘Analysis
of the SYN flood DoS attack’, International Journal of
Computer Network and Information Security, pp.1–11. DOI:
10.5815/ijcnis.2013.08.01
Carlisle, A. and Dozier, G. (2001) ‘An Off-The-Shelf PSO’,
Workshop Particle Swarm Optimization, Indianapolis.
Cheh, J.J., Weinberg, R.S. and Yook, K.C. (2013) ‘Artificial
neural networks in medical diagnosis’, Journal of Applied
Business Research, Vol. 15, No. 4, pp.33–46.
Cilimkovic, M. (2015) Neural Networks and Back Propagation
Algorithm, Institute of Technology Blanchardstown,
Blanchardstown Road, North Dublin.
Deshpande, P., Sharma, C, and Peddouj, K. (2014) ‘HIDS: a host
based intrusion detection system for cloud computing
environment’, International Journal of System Assurance
Engineering and Management, pp.1–10. https://doi.org/
10.1007/s13198-014-0277-7
Devikrishna, S. and Ramakrishna, B. (2013) ‘An artificial neural
network based intrusion detection system and classification of
attacks’, International Journal of Engineering Research and
Applications, Vol. 3, No. 4, pp.1959–1964.
Eberhart, R. and Kennedy, J. (1995) ‘A new optimizer using particle
swarm theory’, Proceedings of the 6th International
Symposium on Micro Machine and Human Science, pp.39–43.
Engelbrecht, A. (2007) Computational Intelligence: An Introduction,
John Wiley and Sons.
Ganeshkumar, P. and Pandeeswari, N. (2015) ‘Adaptive neuro-
fuzzy-based anomaly detection system in cloud’, International
Journal of Fuzzy Systems, Vol. 18, No. 3, pp.1–12.
Ghosh, P., Debnath, C., Metia, D. and Dutta, R. (2014) ‘An
efficient hybrid multilevel intrusion detection system in cloud
environment’, IOSR Journal of Computer Engineering,
Vol. 16, No. 4, pp.16–26.
Ghosh, T.K., Das, S., Barman, S. and Goswami, R. (2017) ‘Job
scheduling in computational grid based on an improved
cuckoo search method’, International Journal of Computer
Applications in Technology, Vol. 55, No. 22, pp.138–146.
Hwang, K., Kulkarni, S. and Hu, Y. (2009) ‘Cloud security with
virtualized defense and reputation-based trust management’,
Eighth IEEE International Conference on Dependable,
Autonomic and Secure Computing, pp.717–722.
Jama, A.M. and Khalifa, O. (2016) ‘Review of SIP based DoS
attacks’, International Journal of Computer Applications
Technology and Research, Vol. 5, No. 12, pp.775–781.
Karayiannis, N. and Venetsanopoulos, A.N. (2013) Artificial Neural
Networks: Learning Algorithms, Performance Evaluation, and
Applications, Springer Science & Business Media.
Kazemi, S., Aghazarian, V. and Hedayati, A. (2015) ‘Improving
hypervisor-based intrusion detection in IaaS cloud for
securing virtual machine’, International Journal of
Computing and Technology, Vol. 2, No. 9, pp.334–340.
Kene, S. and Theng, D. (2015) ‘A review on intrusion detection
techniques for cloud computing and security challenges’,
IEEE International Conference on Electronics and
Communication Systems (ICECS), pp.227–232.
Kumar, U. and Gohil, B. (2015) ‘A survey on intrusion detection
systems for cloud computing environment’, International
Journal of Computer Applications, Vol. 109, No. 1, pp.6–15.
Li, C., Yang, S. and Nguyen, T. (2012) ‘A self-learning particle
swarm optimizer for global optimization problems’, IEEE
Transactions on Systems, Man, and Cybernetics, Part B
(Cybernetics), Vol. 42, No. 3, pp.627–646.
Li, Z., Sun, W. and Wang, L. (2012) ‘A neural network based
distributed intrusion detection system on cloud platform’,
IEEE International Conference on Cloud Computing and
Intelligence Systems, Vol. 1, pp.75–79.
Lindemann, J. (2015) ‘Towards abuse detection and prevention in
IaaS towards cloud computing’, 10th International Conference
on Availability, Reliability and Security, pp.211–217.
324 A. Rawashdeh, M. Alkasassbeh and M. Al-Hawawreh
Lo, C., Huang, C. and Ku, J. (2010) ‘A cooperative intrusion detection
system framework for cloud computing networks’, International
Conference on Parallel Processing Workshops, pp.280–284.
Lonea, M., Popescu, E. and Tianfield, H. (2013) ‘Detecting DDoS
attacks in cloud computing environment’, International
Journal of Computers Communications & Control, Vol. 8,
No. 1, pp.70–78.
Lui, F., Tong, J., Mao, J., Bohn, R., Messina, J. and Badge, L.
(2011) NIST Cloud Computing Reference Architecture, NIST
Special Publication 500-292.
Lui, F., Tong, J., Mao, J., Bohn, R., Messina, J. and Badger, L.
(2011) Recommendations of the National Institute of
Standards and Technology (cloud computing program).
Manavi, S., Mohammadalian, S., Udzir, N. and Abdullah, A. (2012)
‘Hierarchical secure virtualization model for cloud’, Cyber
Security, Cyber Warfare and Digital Forensic (CyberSec), 2012
International Conference on (IEEE), pp.219–224.
Mikolajczyk, K. and Schmid, C. (2005) ‘A performance
evaluation of local descriptors’, IEEE Transactions on
Pattern Analysis and Machine Intelligence, Vol. 27, No. 10,
pp.1615–1630.
Minsky, M. and Papert, S. (1969) Perceptrons, MIT Press,
Cambridge.
Modi, C., Patel, D. and Borisanya, B. (2012) ‘A novel framework
for intrusion-detection in cloud’, Proceedings of the Fifth
International Conference on Security of Information and
Networks, pp.67–74.
Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A. and
Rajarajan, M. (2013) ‘A survey of intrusion detection
techniques in cloud’, Journal of Network and Computer
Applications, Vol. 36, No. 1, pp.42–57.
Moorthy, M. and Rajeswari, M. (2014) ‘Virtual host based
intrusion detection system for cloud’, International Journal
of Engineering and Technology, Vol. 5, No. 6, pp.5023–5029.
Moustafa, N. and Slay, J. (2015) ‘UNSW-NB15: a comprehensive
data set for network intrusion detection system’, 2015 Military
Communications and Information Systems Conference.
Muthurajkumar, S., Ganapathy, S., Vijayalakshmi, M. and Kannan, A.
(2015) ‘An effective intrusion detection on cloud virtual
machines using hybrid feature selection and multiclass classifier’,
Australian Journal of Basic and Applied Sciences, pp.38–41.
Muthurajkumar, S., Kulothungan, K., Vijayalakshmi, M.,
Jaisankar, N. and Kannan, A. (2013) ‘A rough set based
feature selection algorithm for effective intrusion detection in
cloud model’, International Conference on Advances in
Communication, Network, and Computing, pp.8–13.
Nadiammai, G. and Hemalatha, M. (2013) ‘Effective approach toward
intrusion detection system using data mining techniques’,
Egyptian Informatics Journal, Vol. 15, No. 1, pp.37–50.
Patel, J. and Panchal, K. (2015) ‘Effective intrusion detection
system using data mining techniques’, Journal of Emerging
Technologies and Innovative Research, Vol. 2, No. 6,
pp.1869–1878.
Patel, K. and Srivastava, R. (2013) ‘Classification of cloud data
using Bayesian classification’, International Journal of
Science and Research, Vol. 2, No. 6.
Potteti, S. and Parati, N. (2015) ‘Hybrid intrusion detection
architecture for cloud environment’, International Journal
of Engineering and Computer Science, Vol. 4, No. 5,
pp.12146–12151.
Priya, N. and Vasantha, S. (2014) ‘Heuristic based hybrid network
intrusion detection system: a novel approach’, Asian Journal
of Information Technology, Vol. 13, No. 12, pp.733–738.
Radwan, T., Azer, M.A. and Abdelbaki, N. (2017) ‘Cloud
computing security: challenges and future trends’,
International Journal of Computer Applications in
Technology, Vol. 55, No. 2, pp.158–172.
Raja, S. and Ramaiah, S. (2016) ‘An efficient fuzzy-based hybrid
system to cloud intrusion’, International Journal of Fuzzy
Systems, Vol. 19, No. 1, pp.62–77.
Rini, D.P., Shamsuddin, S.M. and Yuhaniz, S.S. (2011) ‘Particle
swarm optimization: technique, system and challenges’,
International Journal of Computer Applications, Vol. 14, No. 1,
pp.19–27.
Sameti, M., Jokar, M.A. and Astaraei, F.R. (2017) ‘Prediction of
solar Stirling power generation in smart grid by GA-ANN
model’, International Journal of Computer Applications in
Technology, Vol. 55, No. 2, pp.147–157.
Svozil, D., KvasniEka, V. and Pospichal, J. (1997) ‘Introduction to
multi-layer feed-forward neural networks’, Chemometrics and
Intelligent Laboratory Systems, Vol. 39, No. 1, pp.43–62.
Talukder, S. (2011) Mathematical Modelling and Applications of
Particle Swarm Optimization, Doctoral dissertation, Blekinge
Institute of Technology.
Vanathi, R. and Gunasekaran, S. (2012) ‘Comparison of network
intrusion detection in cloud computing environment’,
International Conference on Computer Communication and
Informatics (ICCCI), pp.1–6.
Vieira, K., Schulter, A., Westphall, C. and Westphall, C. (2010)
‘Intrusion detection techniques in grid and cloud computing
environment’, IT Professional, IEEE Computer Society,
Vol. 12, No. 4, pp.38–43.
Zarrabi, A. and Zarrabi, A. (2012) ‘Internet intrusion detection
system service in a cloud’, International Journal of Computer
Science Issues, Vol. 9, No. 5, pp.308–315.
Zhang, J-R., Zhang, J., Lok, T-M. and Lyu, M. (2007) ‘A hybrid
particle swarm optimization–back-propagation algorithm for
feedforward neural network training’, Applied Mathematics
and Computation, Vol. 185, No. 2, pp.1026–1037.
