2014 International Conference on Computational Science and Computational Intelligence

An Intelligent Intrusion Detection System for Cloud Computing (SIDSCC)

Saeed M. Alqahtani
School of Computer Science, ASAP Research Group, University of Nottingham, Nottingham, UK

Maqbool Al Balushi
Dept. of Networking and Information Security (NIS), Deputy of NIS, Ministry of Manpower, Muscat, Oman

Robert John
School of Computer Science, Head of ASAP Research Group, University of Nottingham, Nottingham, UK

Abstract—Cloud computing is a distributed architecture that has shared resources, software, and information. There exists a great number of implementations and research for Intrusion Detection Systems (IDS) in grid and cloud environments; however they are limited in addressing the requirements for an ideal intrusion detection system. Security issues in Cloud Computing (CC) have become a major concern to its users, availability being one of the key security issues. Distributed Denial of Service (DDoS) is one of these security issues that poses a great threat to the availability of the cloud services. The aim of this research is to evaluate the performance of IDS in CC when the DDoS attack is detected in a private cloud, named SaaSCloud. A model has been implemented on three virtual machines; SaaSCloud Model, DDoS attack Model, and IDSServer Model. Through this implementation, Service Intrusion Detection System in Cloud Computing (SIDSCC) will be proposed, investigated and evaluated.

Keywords-IDS; DDoS Attack; ICMP Flood; Cloud Computing; SaaSCloud; IDSServer; SIDSCC

I. INTRODUCTION

There has been a revolution in the IT world when considering the services and benefits provided by cloud computing. These benefits include its infrastructure, low maintenance costs, assurance of service availability, ease of access and scalability [1]. Vaquero et al. (2011) state that cloud computing has several layers in abstraction, which are (1) the system layer that includes the virtual machine abstraction server, (2) the layer of platform that includes the virtualization of the operating system of server and (3) a layer of application that includes the web applications [2]. The layer of hardware is not included, as it is not directly accessed by users [3].

There are three models in cloud computing, which are Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS) [4]. The model for SaaS enables worry free installation and running of software services from self-machines [5]. Currently there are large cloud service providers such as Salesforce.com, Google and Amazon where the application of service is on a pay per usage basis [6]. Although cloud computing has the support of the distributed paradigm, there are many threats to its security [7]. One of the biggest hurdles in the adoption of cloud computing by large organisations is the threat posed to its security [8]. There are high chances of induction into the data due to distributed nature of such systems. Today, it is noted that business organisations dismiss potentially theoretical threats that could occur through the use of Cloud Service Providers (CSP), however they emphasise practical fears and threats [9]. Such threats to security include integrity of data, the level of confidentiality and availability [10].

As this current research investigates the effectiveness of IDS in cloud computing through DDoS attack, the data, the application and the non-availability of services can be seen by the help of the DOS and the DDoS [11]. This research will highlight the importance of IDS whereby it relies on the host, the network and the use of specific kind of host machines.

There are several detection techniques, which are Host Based IDS (HIDS) and Network Based IDS (NIDS) [12]. HIDS technique monitors specific cost based IDS, which displays the specific type of host machines and the key network points on the monitor. The NIDS technique identifies key points in a network. There is another technique stated by Peng et al. (2009) called the distributed IDS (DIDS) [13], which is used for the host network. NIDS technique has been used because (1) it can be set up on a backbone network to monitor all traffic (2) it can be set up to monitor traffic for a particular server, switch, gateway, or router [14] and [15].

In this paper we firstly present a background of IDS and its approaches of its implementations. In section III we have proposed a system called SIDSCC and explained its general functionality. Moreover, a comparison of our system to other relevant researches in terms of modelling has been undertaken. In section IV we have conducted and discussed SIDSCC system, using SaaSCloud and IDSServer. In section V we have evaluated the SIDSCC system from several perspectives: CPU, memory load, available bandwidth, latency, and rate filter by destination. Finally, a summary in the conclusion section will be outlined while presenting results further discussing recommendations for future work.

978-1-4799-3010-4/14 $31.00 © 2014 IEEE
DOI 10.1109/CSCI.2014.108

II. BACKGROUND

Principally there is the production of alerts by IDS, which is based on the true alarms where there is an instance of intrusion; however, there is a case of false alarms in case of detection by the systems, as the issue of ID can be judged by the degree of the identity and the lesser number of false alarms [16]. Additionally, there can be the detection of intrusion patterns by the inspection of network packets through the use of signatures (pre-defined rules) and generation of alarms for system administrators [11].

In looking at these methods of detection techniques, Vaquero et al. (2011) state that there are two approaches being used by IDS known as Anomaly Detection (AD) and Signature Detection (SD). AD is the detection of anomalies that work on behaviour patterns and suspicious behaviour, whereas SD is misuse detection which uses signature-based detection systems that detect attacks by comparing the observed patterns of the network track with known attack signatures from a database wherein there is a set of defined rules against the different kinds of attacks by the use of port scanning [17]. Studies have discussed the distribution of the IDS to each of the nodes, so that the alert may take place if an attack happens on any node [2], [18].

Foster et al. (2008) have proposed a system named GCCIDS (Grid and Cloud Computing Intrusion Detection Systems) which was designed for covering the attacks for the host based systems that cannot monitor detection of intrusion. This method looks at the analysis of knowledge and behaviour for the detection of specific kinds of intrusion that take place [1]. However, this system cannot detect any new kinds of attack nor have the creation of a database that needs to be taken into the consideration while creating the IDS.

Overall, researchers have been trying to overcome the threats of security in cloud computing environment through the use of IDS [19], as well as, evaluating the performance of IDS through limited characteristics such as measuring CPU load and available bandwidth [19]. Therefore, there was a need to propose a service based on IDS in cloud computing that provides more benefits such as memory load, latency and the rate filter by destination and resources, overhead, payload, coverage, actual packets, availability, the volume and the speed alongside the time. A service named SIDSCC has been proposed which utilises these features. The SIDSCC system is used for the utilisation of the data through virtual machine monitors. The modification of the system cannot be breached as all the monitoring is also done outside of the system.

Several types of IDs cannot be handled by this system, such as the access of the account of users without the required kind of permission. In addition to that, any activity would be taken as an intrusion if it were perceived as an abnormal activity. All of these factors should be taken into the consideration before the implementation of IDS.

With regards to the attacks, there are many types that exist in cloud computing and intrusion detection. Bhadauria et al. (2011) discussed a number of issues regarding the privacy and security of the cloud [20]. DDoS is considered one of the most dangerous security threats [4], [21]. Wang et al. (2011) state that there are three common scenarios for implementing DDoS attack, which are through using SYN Flood, UDP Flood, and ICMP Flood [22]. Even though these types of attack have been around for a long time, they can still be very difficult to defend against [23]. The ICMP scenario has been chosen between three scenarios due to flooding of a network by the ICMP packets that consume all of the available bandwidth [4]. This can be by any type of packet where the attacker cannot use one computer to lead an attack in any of this fashion. This is due to the reason that a single system cannot lead to the creation of enough requests for blocking of the equipment of a network. Hence, it can be seen that the DDoS happens when the attacker uses a coordination of systems for flooding of the victim [4], [21].

III. HOW SIDSCC SYSTEM WORKS

A. Modelling The System

Table 1 shows the comparison of SIDSCC with the relevant published researches on integrating intrusion detection systems with cloud computing networks. As stated in the below table, the SIDSCC has enough advantages that the other cloud IDS solutions do not have. Both Yee's and Bosin's works are designed for client protection [17], [24]. However Bosin's work focuses on managing access to multiple IDS sensors by different vendors. Clients cannot change the options of any single IDS process but rather change to another IDS by another provider if the options are not suitable. On the other hand, Yee's works focus on protecting the web service in the cloud [24]. These web services are owned or used by cloud clients, but the protection is fixed and cannot be customised or accessed by the clients. Therefore, the service can be drawn as shown in Fig. 1.

Table I. COMPARISON OF SIDSCC TO OTHER RELEVANT RESEARCHES

According to the table above, SIDSCC service works on a virtual machine such as SaaSCloud. To start running this service, Snort was installed on Windows XP as an IDSServer. The IDSServer monitored the in-bound and out-bound traffic on SaaSCloud. If the administrator notices malicious activities, the system shows that the attacker has sent an ICMP flood to SaaSCloud. If the ICMP packets are
received, the SaaSCloud requests the IDSServer to detect the IPs so that the activity can be blocked. The admin in turn needs to send an alert to the SaaSCloud user while the IDSServer is analysing the console for intrusion databases. Then the admin will send the malicious IPs to CSP to deal with them.

Figure 1. Flowchart of How SIDSCC Service Works

B. An intelligent SIDSCC System Approach

Prior to the design of this approach there was a questionnaire undertaken that was based on the literature review and the information that had to be collected so that the aims of the project could be investigated. The questionnaire was to be answered by a sample group with some specialist knowledge, experience or interest in IDS in order to observe different opinions in cloud computing and IDS [25]. This was propagated through social networking websites such as LinkedIn, Facebook and Twitter. The time of responses taken was two weeks.

The types of questions used in the questionnaire were closed-ended questions so quantitative analysis could be collected. Thus allowing for answers defined as ’a series of statements all of which are related to a particular target which respondents are asked to indicate the extent to which they agree or disagree with by marking one of the responses’ ranging from 1 highest level of importance to 5 lowest level of importance [26]. Participants are asked 10 questions relating to the importance of the most advantages level in cloud computing. The focal point of the questionnaire was to:
• study the effectiveness of cloud computing.
• specify a proper service and type of cloud computing
• determine the main security issues
• measure the complicity of the most common attacks
• identify the scenario and proper way of detecting DDoS attack and its method to apply the IDS in cloud.
• specify the proper applications that should run on the system from the participants' point of view.

Overall, there were thirty-seven participants in this research. The responses were collected from six countries, which are UK, Germany, Syria, Saudi Arabia, Pakistan and Oman. Based on the results of the questionnaire, the artefact was developed (SIDSCC System) depending on the following scenario: In the setup (as shown in Fig. 2), malicious activities detection was performed by an IDSServer and administrator alerts occurred when a packet from the ICMP layer came through the network traffic. The network using the IDSServer had to be placed on an individual virtual machine so that it could work effectively. Windows 7 was used as a virtual machine so that SaaSCloud server could be created in it. To create a private cloud Web Page was deployed using Win-SQLServer and Apache using WampServer in order to run the server. The administrator monitored unusual traffic by EagleX, as it reported all the logs to the admin immediately. If there was an attacker attempting penetration of data or attempting to flood the network, the notification would not go to the user. It would be notified in an indirect manner by the help of a service provider. In the SIDSCC system, there was the presence of a great deal of traffic in the SaaSCloud, so they were not in a position to handle any large amounts of data.

Figure 2. Scenario of Artefact

This scenario emphasises monitoring the SaaSCloud for the DDoS attack. This relies on evaluation metrics of IDS: load and memory load, available bandwidth, latency and filter by destination and resources.

C. Artefact Development (SIDSCC System)

As mentioned earlier, the scenario of ICMP flood has been proposed due to the flooding of network when ICMP packets consume all the available bandwidth [21]. In this scenario, the SaaSCloud with a DDoS attack and IDSServer was investigated and evaluated where the IDSServer reacts to the attacks when they go to the SaaSCloud.

1) SaaSCloud
Firstly a PHP webpage was created in order for the attacker to implement and send the ICMP attack on it then the IDS could detect and alert the administrator. Apache was then used as a web server, which has been used because of its ease of use even though it is fairly limited in its functionality. However, it allows the system to operate on logs produced by different web servers, such as Apache and Microsoft Internet Information Services (IIS). The technique of Apache is a straightforward way of logging attempts at accessing vulnerable scripts or programs on a website. Lastly, the application of Microsoft SQL Server has been installed in order to create computer databases for the Microsoft Windows family of server operating systems and it provides an environment used to generate databases that can be accessed from workstations or via the internet.

2) IDSServer
In order to establish IDS server, Snort, as an open source for detecting malicious activities in cloud computing, works as an IDS Server. This has been configured and installed on Windows 7 (32-bit) operating system, and then, configured and installed its rules, which includes DDoS rules particularly ICMP flood, and deciphering alerts and tailoring to SaaSCloud. After that SIDSCC service used two virtual machines using BackTrack5 operating system in order to test the effectiveness of IDSServer to detect the ICMP attack.

IV. TESTING AND DISCUSSION

1) SIDSCC System Performance: Several unique requirements, according to the comparison of SIDSCC to other relevant researches, have been set prior to designing and implementing the SaaSCloud components of SIDSCC system. Fig. 3 shows that the SIDSCC system measures the performance of IDS in cloud computing, which is represented in percentage of alarms, response time, CPU load and traffic. The period of testing this service was over three days but was not continuous. During this period, it was noted that the line of alarm increased gradually and was detecting the ICMP packets that came into SaaSCloud. Moreover, SIDSCC service measured the amount of computational work that was performed. It is also noted that the load average represents the average of SIDSCC performance over the three days. There was a sharp increase in the second day, as the SIDSCC system was overwhelmed by the DDoS attack. The traffic was abnormal when sending ICMP packets to SaaSCloud while the response time was down; however it rose highly when the victim received the DDoS attack.

Figure 3. SIDSCC Performance

2) SaaSCloud Performance: Fig. 4 shows that SaaSCloud is affected by DDoS attack when the attacker started flooding the SaaSCloud network by several packets of ICMP. It should be noted from the latter part of the first day of this experiment that the alarm was increased dramatically and steady whereas the web page was not available as it was flooded by the ICMP attack. The IDSServer, in this scenario, is reacting to the ICMP attacks where, in this attack, the attacker sends intelligent ICMP packets over the SaaSCloud in specified time intervals in an intermittent manner with low period time while the SaaSCloud is down.

Figure 4. SaaSCloud Downtime

3) IDSServer Performance: As mentioned earlier, the IDSServer is utilised for detection of the malicious activities of the ICMP attack that comes into SaaSCloud. IDSServer has been designed to rely on the interactive start. This means that if the BackTrack user demands more than standard range, the IDSServer considers that the attacker is intentionally trying to perform the DDoS attack.

In this experiment as shown in Fig. 5, several ICMP packets have been sent over SaaSCloud network, and IDSServer informed the admin to block this specific IP, namely, when an attacker wanted to send ICMP packets with a suspect total length, IDSServer was activated and monitored the IP of the attacker. At this time, the performance of SaaSCloud was kept in certain variables because when the attacker sends another request at next time range, the amount of time for the new packet is added to the total time variable. Then the SIDSCC system compared this variable with the behavioural start; if it is higher, SaaSCloud users identify the attacker and then IDSServer will automatically block it.

Overall, the easiest way for defining the start of DDoS attack was to set the constant value for it. However, this was not an optimal solution owing to the probability of false detection when it was high. An important point is that this value should be chosen so that possibility of false-negative detection (legitimate users rather than the attacker) is reduced. In the SIDSCC system, the threshold determined as a dynamic variable was based on the network position and pressure of traffic automatically.
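The difference between a constant threshold and one that follows traffic pressure per destination can be seen in the following added example, which is not the authors' SIDSCC code. It counts ICMP packets per destination per second and compares a fixed limit with a limit derived from each destination's recent traffic; the addresses, packet rates, the median-times-factor rule and all function names are assumptions made for the illustration.

```python
"""Constant vs. per-destination dynamic ICMP rate thresholds (illustrative)."""
from collections import Counter, defaultdict, deque
from statistics import median

# Constructed addresses: QUIET stands in for the SaaSCloud web server,
# BUSY for a host that normally receives heavy ICMP monitoring traffic.
QUIET, BUSY = "10.0.0.10", "10.0.0.20"
FLOOD_SECONDS = range(20, 25)      # constructed: flood hits QUIET for 5 s
LAST_SECOND = 29


def sample_events():
    """Constructed ICMP echo-request records as (timestamp_seconds, dst)."""
    jitter = [0, 2, -2, 1, -1]
    events = []
    for sec in range(LAST_SECOND + 1):
        quiet_pps = 20 + jitter[sec % 5]
        if sec in FLOOD_SECONDS:
            quiet_pps += 600                     # flood aimed at the quiet host
        busy_pps = 900 + 20 * jitter[sec % 5]    # normal load, never attacked
        for dst, pps in ((QUIET, quiet_pps), (BUSY, busy_pps)):
            events.extend((sec + i / pps, dst) for i in range(pps))
    return events


def per_second_counts(events):
    """Bucket packets into 1-second windows, tracked by destination."""
    counts = defaultdict(Counter)
    for ts, dst in events:
        counts[dst][int(ts)] += 1
    return counts


def constant_alerts(counts, threshold):
    """Seconds in which a destination received more than `threshold` pps."""
    return {dst: sorted(sec for sec, n in per_sec.items() if n > threshold)
            for dst, per_sec in counts.items()}


class DynamicThreshold:
    """Limit = factor x median of recent non-alerting windows, with a floor."""

    def __init__(self, factor=3.0, floor=50, history=10, warmup=5):
        self.factor, self.floor, self.warmup = factor, floor, warmup
        self.recent = deque(maxlen=history)

    def limit(self):
        return max(self.floor, self.factor * median(self.recent))

    def observe(self, pps):
        """Return True when this window exceeds the current limit."""
        if len(self.recent) >= self.warmup and pps > self.limit():
            # Do not learn from alerting windows, otherwise a sustained
            # flood would raise its own baseline and silence the alert.
            return True
        self.recent.append(pps)
        return False


def dynamic_alerts(counts, last_second=LAST_SECOND):
    """Run one DynamicThreshold per destination over every 1 s window."""
    alerts = {}
    for dst, per_sec in counts.items():
        detector = DynamicThreshold()
        alerts[dst] = [sec for sec in range(last_second + 1)
                       if detector.observe(per_sec.get(sec, 0))]
    return alerts


if __name__ == "__main__":
    counts = per_second_counts(sample_events())
    for label, result in (("constant 100 pps", constant_alerts(counts, 100)),
                          ("constant 1000 pps", constant_alerts(counts, 1000)),
                          ("dynamic", dynamic_alerts(counts))):
        for dst, seconds in result.items():
            print(f"{label:18} {dst:10} alerting seconds: {len(seconds)}")
```

Windows seen during warm-up are learned without alerting, so the detector should be started on traffic known to be clean.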

Figure 5. IDSServer Performance

V. EVALUATION

The experiments that have been described in the previous sections were completed including sending the attacking traffic and the background traffic. The IDSServer was stopped at the end of each of the experiments and the data was analysed at a further point in time. Additionally, the machine that was hosting IDSServer was restarted after all the experiments to ensure the environment after each of the experiments was the same. Fig. 6 is a representation of the CPU load in complete relation with the speed traffic of the ICMP attacks that took place. In Fig. 7, there is an illustration of the results of memory load; the data for the experiment have been taken at a similar time to the time that the CPU load results have been seen. After this point, the results of the available bandwidth are also shown in Fig. 8, but Fig. 9 is a representation of the results related to the latency. Fig. 10 and Fig. 11 are representative of viewing the filter rate by the experiments at destination and they are filtered by the source experiment. If the results are seen of the attacking traffic ICMP packet with a value of 0 pps, it is representative of the background value crossing the IDS value [27] and [28].

A. CPU and Memory Load

There is reliance of CPU load on the rate of traffic that can be processed by SaaSCloud and IDSServer. The attack of ICMP was in need of fewer amounts of resources, as the value stays at 40-39% of the usage of CPU. In case of an ICMP, the sent packets were seen to be very small; thereby the processing time was very small for taking a decision towards these packets. After the rate of 6000 pps, it was seen to have been reached the load stays stable around 40%. The results of the ICMP highlight the fact that there may be an optimisation by IDSServer at the processing stage of the packets. Although the results have showcased an augmentation of the memory load, this is not significant because the augmentation is in range of 20 Mbytes. This may be due to the fact that the machine is running on a very limited kind of virtual machine, and there was no possibility of knowing the handling of memory by the system [27].

Figure 6. Evaluating CPU Load in SIDSCC System

Figure 7. Evaluating Memory Load on SIDSCC System

B. Available Bandwidth

The availability of the bandwidth was seen to be 8.05 Mbps, when the IDSServer was not seen as a part of the network. The available bandwidth was seen to be 7.86 Mbps, when it was seen as part of the network. It can be concluded that the experiment does not lead to any kind of bias in the test. Only if SaaSCloud is being crossed by the background traffic, the value is seen to be 2.47 Mbps. There is a result from the ICMP protocols, when the attacking traffic has reached a value of close to 15000 pps. In case of the available bandwidth being zero the value is seen to be 25000 pps. After this value, the rate of malicious traffic is seen to reach a value of 6000 pps; the bandwidth that is valuable can detect half the value, but in case of crossing of background traffic by the IDSServer.

Figure 8. Evaluating Available Bandwidth on SIDSCC System

C. Latency

There was a growth of latency along with the growth in background traffic. For the availability of bandwidth, there has been a conduction of the test without the use of IDSServer and the experiment for the evaluation of impact of the test on the overall results. If IDSServer was not there, the latency was seen to be 0.4105 ms and the rest of IDSServer is around 0.7435 ms. The aforementioned is conclusive of the fact that the experiment does not affect the results because of the relatively small impact it has on the experiment. The latency is seen to be 2.219 ms when there was crossing of background traffic by SaaSCloud. There was a multiplication of latency by two between each of the measures. If the rate of 6,000 pps is reached, the latency value for ICMP attack is seen in area of 23 ms and in case of attacking traffic on display value of 7,500 pps, the latency is seen to be in range of 71 ms. This is a highlight of the fact that IDS may have to process a certain degree of optimisation in case of latency becoming a very important factor.

D. Rate Filter by Destination

The experimental results are in direct correlation with the expected type of results. Along with the growth of detected packets, the growth of malicious packets is very important.
The detected packets number increase rapidly after the ratio of 5,000 attacking packets per second has been reached. After the value of 15,000 pps, the total amount of detected traffic was representative of 50% of the value.

Figure 9. Evaluating Latency on SIDSCC System

Figure 10. Evaluating Rate Filter By Destination on SIDSCC System

VI. CONCLUSION AND FUTURE WORK

SIDSCC service results illustrate that IDSServer possesses an effective mechanism against ICMP packets that come over SaaSCloud. It highlights the major vulnerabilities of SaaSCloud network, which is the rate of packets lost. When the SIDSCC system reaches 16%, 58%, or 54% CPU load depending on ICMP packets increases and then the IDSServer starts detecting the attack and alarms SaaSCloud user and IDSServer admin. There was a known alarm wherein the admin deals with this attack or allow the CSP to solve it. There was a connection where the attacking the traffic speed of 6000 pps which was the point of IDSServer. When the rate rises to this level, the IDSServer could not guarantee that the legitimate user will still have access to the services of the trusted SaaSCloud neither that no abnormal ICMP packets will arrive to its target. SIDSCC Service also provided an excellent reliability wherein it could detect ICMP attack within more than 10 hours without causing any problem in terms of impact metrics. It is very significant to note that the number of packets detected increase with the time of use. Overall, these results proved that the vulnerabilities of SaaSCloud and evaluation metrics design of SIDSCC service can be used to evaluate IDS in cloud computing. It can be said that the overall findings indicate that after implementation and collection of these results from the SIDSCC system, IDSServer can be used to protect the SaaSCloud, which will not be greater than 1Mbps. However, this system will not be a possible target to ICMP packets that will use attacking rates higher than 6000 pps. When this rate is overcome legitimate users might have to endure a DOS which will likely be the goal of the attacker. Having reviewed these findings, it can be claimed that the current study enhances our understanding of how IDSServer in practice can secure SaaSCloud against DDoS attacks. One possible implication is that ICMP attack should be configured on Snort properly and then linked to the IDScenter so that it can attack SaaSCloud and alarm the admin of IDSServer to detect and then blocked by CSP.

Having identified the limitations of this project, a more comprehensive study that employs a combination of quantitative and qualitative research methods as well as covering a wider technical area within DDoS attacks would be recommended, following the evolution metrics to SIDSCC system. Through observation the levels of IDS such as HIDS and NIDS and techniques of IDS such as SD and AD would be also greatly recommended followed by a comparison between each level and technique which would give the SIDSCC a technological and scientific value. As a result, future studies may consider implementing as many types of attacks as possible using labs of institutions where they should work alongside technicians. It is also recommended to engage with other interested parties in the project, not only educational institutions, but industries implementing such technologies.

REFERENCES

[1] I. Foster, Y. Zhao, I. Raicu, and S. Lu, “Cloud computing and grid computing 360-degree compared,” in Grid Computing Environments Workshop, 2008. GCE’08. IEEE, 2008, pp. 1–10.
[2] L. M. Vaquero, L. Rodero-Merino, and D. Morán, “Locking the sky: a survey on iaas cloud security,” Computing, vol. 91, no. 1, pp. 93–118, 2011.
[3] S. Roschke, F. Cheng, and C. Meinel, “Intrusion detection in the cloud,” in Dependable, Autonomic and Secure Computing, 2009. DASC’09. Eighth IEEE International Conference on. IEEE, 2009, pp. 729–734.
[4] P. Presseria. (2012) Cyber attacks statistics. hackmageddon, 2012a. [Online]. Available: http://hackmageddon.com/2013-cyber-attacks-statistics/
[5] B. Al-Duwairi and G. Manimaran, “Just-google: a search engine-based defense against botnet-based ddos attacks,” pp. 1–5, 2009.
[6] Amazon. (2009) Amazon virtual private cloud (amazon vpc). amazon web services. [Online]. Available: http://aws.amazon.com/vpc/
[7] J. O. Fitó and J. Guitart, “Initial thoughts on business-driven it management challenges in cloud computing providers,” in Integrated Network Management (IM), 2011 IFIP/IEEE International Symposium on. IEEE, 2011, pp. 1070–1073.
[8] G. Brunette and R. Mogull, “Security guidance for critical areas of focus in cloud computing v2. 1,” Cloud Security Alliance, Tech. Rep., 2009.
[9] S. Bates. (2010) Understanding risk management approaches in the cloud computing service model. security thought. [Online]. Available: http://shaynebates.blogspot.co.uk/2010/11/understanding-risk-management.html
[10] J. Brodkin, “Gartner: Seven cloud-computing security risks,” 2008.
[11] C.-C. Lo, C.-C. Huang, and J. Ku, “A cooperative intrusion detection system framework for cloud computing networks,” in Parallel Processing Workshops (ICPPW), 2010 39th International Conference on. IEEE, 2010, pp. 280–284.
[12] H. Kozushko, “Intrusion detection: host-based and network-based intrusion detection systems,” on September, vol. 11, 2003.
[13] J. Peng, X. Zhang, Z. Lei, B. Zhang, W. Zhang, and Q. Li, “Comparison of several cloud computing platforms,” in Information Science and Engineering (ISISE), 2009 Second International Symposium on. IEEE, 2009, pp. 23–27.
[14] R. Bace and P. Mell, “Nist special publication on intrusion detection systems,” DTIC Document, Tech. Rep., 2001.
[15] J. McHugh, A. Christie, and J. Allen, “Defending yourself: The role of intrusion detection systems,” Software, IEEE, vol. 17, no. 5, pp. 42–51, 2000.
[16] A. Bakshi and B. Yogesh, “Securing cloud from ddos attacks using intrusion detection system in virtual machine,” in Communication Software and Networks, 2010. ICCSN’10. Second International Conference on. IEEE, 2010, pp. 260–264.
[17] A. Bosin, N. Dessì, and B. Pes, “A service based approach to a new generation of intrusion detection systems,” in on Web Services, 2008. ECOWS’08. IEEE Sixth European Conference. IEEE, 2008, pp. 215–224.
[18] A. Weiss, “Computing in the clouds,” networker, vol. 11, no. 4, 2007.
[19] J. Nikolai, “Detecting unauthorized usage in a cloud using tenant,” in Network Security, 2010, UK. TechRepublic, 2012, pp. 7–10.
[20] R. Bhadauria, R. Chaki, N. Chaki, and S. Sanyal, “A survey on security issues in cloud computing,” arXiv preprint arXiv:1109.5388, 2011.
[21] P. Praolo. (2012) Cyber attacks timeline. hackmageddon, 2012b. [Online]. Available: http://hackmageddon.com/2012/08/20/august-2012-cyber-attacks-timeline-part-i/
[22] Q. Chen and Q.-n. Deng, “Cloud computing and its key techniques,” Journal of Computer Applications, vol. 29, no. 9, p. 2565, 2009.
[23] C. Douligeris and A. Mitrokotsa, “Ddos attacks and defense mechanisms: classification and state-of-the-art,” Computer Networks, vol. 44, no. 5, pp. 643–666, 2004.
[24] C. G. Yee, W. H. Shin, and G. Rao, “An adaptive intrusion detection and prevention (id/ip) framework for web services,” in Convergence Information Technology, 2007. International Conference on. IEEE, 2007, pp. 528–534.
[25] A. G. Tartakovsky. (2012) Selected research projects. california: University of southern california. 2012. [Online]. Available: http://cams.usc.edu/usr/facmemb/tartakov/resdetail.html
[26] Z. Dörnyei and T. Taguchi, Questionnaires in second language research: Construction, administration, and processing. Routledge, 2009.
[27] W. J. Buchanan, F. Flandrin, R. Macfarlane, and J. Graves, “A methodology to evaluate rate-based intrusion prevention system against distributed denial-of-service (ddos).” 2011.
[28] J. Sommers, V. Yegneswaran, and P. Barford, “Toward comprehensive traffic generation for online ids evaluation,” University of Wisconsin, Tech. Rep, 2005.
