Cloud computing is popular nowadays due to its storage and data access services. Security and privacy are prime concerns as network threats increase. Cloud computing offers organizations and enterprises a scalable, flexible, and cost-effective infrastructure to store data on the Web. An anomaly-based IDS implementation protects the integrity of the data in a database by identifying and quarantining records when something appears to have changed unexpectedly. Machine learning based clustering and classification methods are used in anomaly-based IDS for attack classification and scalability in advanced networking environments. Machine learning is a fast, efficient, and adaptable approach to developing intrusion detection models that can deal with emerging threats, i.e., known and unknown attacks (including zero-day attacks). This paper proposes an efficient hybrid clustering and classification model for implementing an anomaly-based IDS that classifies traffic as normal (no intrusion), DoS, Probe, U2R, or R2L using threshold-based functions; the results are tested with two different threshold values (e), 0.01 and 0.5. The experiments have been performed on two test datasets, namely NSL-KDD and KDDcup99. Detection rate, false alarm rate, and accuracy have been used to study the performance of the proposed methodology. After applying the proposed approach, K-means with random forest has been shown, at the two threshold values, to achieve a better classification accuracy, detection rate, and false alarm rate of 99.85%, 99.78% and 0.09% on the NSL-KDD dataset and 98.27%, 98.12% and 2.08% respectively on the KDDcup99 dataset.
Cloud network-based Intrusion Detection Systems (IDS) use anomaly-based methods to secure cloud-based applications. In a cloud network, there are many types of attacks on service applications, such as state and protocol attacks, volumetric Denial-of-Service (DoS) attacks, and encrypted or malicious input attacks. Injecting intrusions or threats into the system's network compromises its security and confidentiality. A common defense against attacks is an Intrusion Detection System (IDS), which detects suspicious activities and intrusions before any damage is done. For example, an IDS is used in cloud infrastructure as an early-warning system against intrusion and its consequences. IDS in cloud infrastructures present challenges such as false positives and the high cost of deploying large IDS systems. There are two common types of IDS, network-based and host-based, which detect and respond to intrusions. Anomaly detection techniques have the ability to identify previously unseen forms of attack. The lack of automatic tuning and the prevalence of false positives are two major issues. In order to detect attacks in large-scale, distributed multi-cloud environments, a number of complicated rules must be configured.
Clustering and classification methods are highly recommended for use in intrusion detection. In the last few years, there has been significant development of clustering and classification techniques that can automatically detect new attacks without human intervention. This is why it makes sense to use machine learning to create IDSs that can detect previously unseen threats. The effectiveness of these systems is highly reliant on accurate model tuning and a method for monitoring how attacks are evolving over time. The NSL-KDD dataset provides the labeled data for clustering and classification that can be incorporated into an IDS to enable the automated discovery of previously unseen threats; its traffic classes are Denial of Service (DoS), R2L (Remote to Local), U2R (User to Root), Probe, and normal. The primary contribution of this study is to build an intrusion detection system utilizing hybrid clustering and classification approaches, tested with two alternative threshold values and evaluated on two benchmark datasets, to handle anomaly detection problems in a distributed cloud computing environment.
From the empirical results and analyses, it can be concluded that the proposed model is efficient enough in detecting various attack types in a cloud environment. The NSL-KDD and KDD99 IDS benchmark datasets were used in an experiment to evaluate the GMM and K-Means clustering methods in conjunction with the RF classifier. The goal of this research is to confirm and find malicious attacks on the cloud network in real time. This will help keep the network stable and safe even though these attacks happen often. In developing an effective IDS with a low false alarm rate, our proposed model reports results at scaled threshold points from 0.5 to 0.01: where the threshold is set to 0.5, K-Means clustering with an RF classifier achieves a detection rate of 99.78% and a false alarm rate of 0.9%. With the threshold set at 0.01 on test data, the detection rate was 98–99% with a 14–15% false alarm rate. Similarly, GMM with an RF classifier achieves a DR of 99.7% on training data with a FAR of 0.5%; with the threshold set at 0.01 for the test data, this method has a DR of 94.33% and a FAR of 14.12%. KDDcup99 has also been evaluated using the same model. Furthermore, this paper implemented a supervised hybrid classifier method for identifying and categorizing individual attacks; the results demonstrated that the random forest classifier performed best for identifying and labeling DoS attacks and normal traffic with high accuracy, low FAR, high DR, and high AUC. Future research will be conducted on more refined methods of modeling network traffic and attack behavior that best represent the parameters of individual attacks.
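The following is an added example, not the paper's own code, showing how the detection rate, false alarm rate and accuracy reported above are computed over the five NSL-KDD classes and how the threshold e shifts the DR/FAR trade-off. The paper does not give the exact form of its threshold-based function, so the rule used here (report the classifier's attack label only when the clustering stage's anomaly score exceeds e, otherwise report normal) and the ten scored records are assumptions constructed for illustration.

```python
CLASSES = ("normal", "DoS", "Probe", "U2R", "R2L")

def ids_metrics(y_true, y_pred):
    """DR, FAR and accuracy as used for IDS evaluation.
    DR  = attack records reported as any attack class / all attack records
    FAR = normal records reported as an attack / all normal records
    accuracy = records whose exact class label was predicted / all records
    """
    tp = fn = fp = tn = correct = 0
    for t, p in zip(y_true, y_pred):
        correct += int(t == p)
        if t != "normal":          # true attack: detected if not labelled normal
            if p != "normal":
                tp += 1
            else:
                fn += 1
        else:                      # true normal: any attack label is a false alarm
            if p != "normal":
                fp += 1
            else:
                tn += 1
    dr = tp / (tp + fn) if tp + fn else 0.0
    far = fp / (fp + tn) if fp + tn else 0.0
    return {"DR": dr, "FAR": far, "accuracy": correct / len(y_true)}

def threshold_decision(score, rf_label, e):
    """Assumed threshold-based function: only records whose anomaly score from
    the clustering stage exceeds e keep the random forest's attack label."""
    return rf_label if score > e else "normal"

def evaluate_at(e, records):
    """Apply the threshold to (true_class, anomaly_score, rf_label) records."""
    y_true = [r[0] for r in records]
    y_pred = [threshold_decision(score, lbl, e) for _, score, lbl in records]
    return ids_metrics(y_true, y_pred)

# Constructed sample records: (true class, anomaly score, RF label).
SAMPLE = [
    ("normal", 0.020, "DoS"),   ("normal", 0.005, "normal"),
    ("normal", 0.300, "Probe"), ("normal", 0.008, "normal"),
    ("DoS",    0.950, "DoS"),   ("DoS",    0.800, "DoS"),
    ("Probe",  0.600, "Probe"), ("U2R",    0.200, "U2R"),
    ("R2L",    0.700, "R2L"),   ("R2L",    0.550, "Probe"),
]

if __name__ == "__main__":
    for e in (0.5, 0.01):   # the two threshold values the paper tests
        print(e, evaluate_at(e, SAMPLE))
```

Lowering e from 0.5 to 0.01 flags the low-scoring U2R record (raising DR) but also two normal records (raising FAR), the same direction of change the paper reports between its two thresholds.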