Machine Learning and Deep Learning Based Intrusion Detection in Cloud Environment a Review

The document reviews the application of machine learning and deep learning techniques for intrusion detection systems (IDS) in cloud computing environments, highlighting their importance in addressing security challenges. It discusses various methodologies, including supervised and unsupervised learning approaches, and evaluates their effectiveness based on accuracy and performance. The study also identifies areas for further research to enhance intrusion detection capabilities and presents experimental findings indicating that deep learning techniques can achieve high detection accuracy.


Proceedings of the 5th International Conference on Smart Systems and Inventive Technology (ICSSIT 2023)

IEEE Xplore Part Number: CFP23P17-ART; ISBN: 978-1-6654-7467-2

Machine Learning and Deep Learning based Intrusion Detection in Cloud Environment: A Review
2023 5th International Conference on Smart Systems and Inventive Technology (ICSSIT) | 978-1-6654-7467-2/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICSSIT55814.2023.10060868

A. Vinolia, Research scholar, Department of Information Technology, Dr M.G.R Educational and Research Institute, Chennai, India. Email id: [email protected]

Dr N. Kanya, Professor, Department of Information Technology, Dr M.G.R Educational and Research Institute, Chennai, India. Email id: [email protected]

Dr V.N. Rajavarman, Professor, Department of Computer Science and Engineering, Dr M.G.R Educational and Research Institute, Chennai, India. Email id: [email protected]

Abstract—Due to its open and dispersed nature, cloud computing (CC) faces several security-related difficulties. As a result, it is weak and open to breaches that compromise the security, reliability, and integrity of cloud resources and provided services. The most widely utilized element of computer system security and compliance procedures that protects cloud environments from numerous threats and attacks is the intrusion detection system (IDS). The goal of this article is to study how deep learning (DL) and machine learning (ML) networks are used by various methodologies at various stages of the intrusion detection process to get improved outcomes. The goal of this work is to discuss the state of the art for detecting intrusions using a variety of techniques, including soft computing, data mining, and other approaches. The experimental findings demonstrate that unsupervised, deep learning-based techniques achieve superior accuracy of 99.95%.

Keywords— Cloud computing, Intrusion Detection System (IDS), Deep learning, Machine learning, Soft computing, Data mining.

I. INTRODUCTION

The current period offers networking technologies and the internet of things for daily use because computer technology is advancing worldwide [1]. As a result, networking infrastructures are used to store a large amount of personal data as well as commercial, military, and governmental information [2]. Since intellectual property may be easily kept online and copied from the internet, network security is one of the biggest difficulties facing internet applications. Firewalls, intrusion detection systems, and antivirus software are just a few of the various options for securing network settings [3]. Intrusion detection is one of them that is increasingly often used to protect networks and social networking systems.

The computer network's hardware and software components each have their vulnerabilities and dangers. Threats to hardware systems are immediately observable and solely affect the equipment; in contrast, attacks on software primarily damage data [4-5]. The ability to use online tools and hacking wizards has made it possible for someone with strong programming skills to become an excellent hacker. As a result, organizations report a yearly increase in the hacking problem. Software with many appealing features that might easily be the target of assaults is vulnerable to security flaws [6-7]. Hence security threats aim to compromise availability, confidentiality, and integrity. Applying approaches to intrusion detection-based network security will help network users safeguard their systems from invaders [8].

IDS are among the crucial components of the security infrastructure that can protect against many types of online attacks. In the security literature, various IDS schemes have been presented. In this context, two types of IDS schemes should be used to protect the environment: host IDS and network IDS strategies [9]. Additionally, deep packet inspection methods and flow-based approaches, which primarily scan the header data of packets, are subcategories of network-based IDS schemes [10]. Additionally, IDS techniques are split into two types based on their capacity to detect anomalies: signature detection and anomaly detection methods. Various classification approaches for intrusion detection are extensively discussed in this research. The key contributions of this paper are as follows:

• This study examines recent research on intrusion detection from 2019 to 2022 in a variety of disciplines.
• Demonstrating the design and capabilities of several deep learning and machine learning network types.
• The effectiveness of the IDS methods is analyzed based on the accuracy.
• Outlining the areas that need more research and attention to improve intrusion detection accuracy. This discussion covers potential future trends in the intrusion context.

The major purpose of this study is to provide a thorough examination of IDS in a cloud computing paradigm. This paper is structured as follows: Background information about IDS in cloud computing is offered in Section 2. The evaluation of cloud-based IDS is discussed in Section 3. Then, challenges and future directions are discussed in Section 4. The last section gives the conclusion, followed by the references cited throughout the paper.

TABLE I. ACRONYMS AND THEIR EXPLANATIONS

| Acronym | Explanation | Acronym | Explanation |
|---|---|---|---|
| CC | Cloud computing | H-IDS | the host-based intrusion detection system |
| IDS | Intrusion detection system | RBF-NN | Radial basis function neural network |
| SVM | Support vector machine | KNN | K-Nearest Neighbor |
| LR | Logistic regression | SGD | Stochastic Gradient Descent |
| DT | Decision tree | LKM | leader-based k-means clustering |
| NB | Naïve Bayes | FLS | Fuzzy logic system |
| ANN | Artificial neural network | WFCM | Weighted Fuzzy K-means clustering algorithm |
| AANN | Auto Associative Neural Network | DNN | Deep neural network |
| RNN | Recurrent neural network | DBF | deep blockchain framework (DBF) |
| Bi-LSTM | bidirectional long short-term memory | BPNN | Back Propagation Neural Network |
| RBM | Restricted Boltzmann Machines | GA | Genetic Algorithm |
| CNN | Convolutional Neural Network | GWO | Grey Wolf Optimization |

II. BACKGROUND

This section goes over the different DL networks and IDS datasets that the examined IDS methods have used.

A. Machine learning based Intrusion Detection

Supervised and semi-supervised machine learning algorithms are two categories. While an unsupervised learning algorithm gains knowledge from unlabeled examples, a supervised learning algorithm does so from labeled samples.

a) Supervised Learning

To improve the accuracy of seldom detectable attacks, Chkirbene et al. [11] developed a supervised machine learning system using the historical knowledge of network nodes and a specialized best effort iterative technique. A classifier that distinguishes between the examined assaults is created using a machine learning technique. Krishnaveni et al. [12] presented a hybrid approach (SVM, NB, logistic regression, and DT) for classifying whether network traffic behavior is normal or malicious.

According to Besharati et al. [13], a host-based IDS (H-IDS) should be used to safeguard virtual machines in a cloud context. Initially, logistic regression is used to identify the fundamental properties of every category, and then the findings are improved utilizing a regularization technique. The assaults are then categorized utilizing a combination of classifiers, including neural networks, decision trees, and linear discriminant analysis with the bagging technique for every category. In order to detect DDoS attacks, Velliangiri, S., Premalatha, J., et al. [14] introduced the RBF-NN detector and the Bat algorithm (BA), which automatically configures the RBF-NN. Some RBF-NN training techniques begin with a specified network architecture that is chosen either a priori or based on prior experiences.

Game theory was introduced by Pirozmand et al. [15] to identify a type of botnet attack that poses a severe danger to the financial industry and banking services. The suggested technique thoroughly analyses the attacker's infiltration mode and the behaviour of the IDS as a two-player game. According to the ideal feature subset, K-Nearest Neighbor (KNN) was recommended by Zhang et al. [16] for the categorization of network anomalies.

An efficient network-based intrusion detection model utilizing four classification approaches (Boosted tree, subspace discriminant, bagged tree, and RUS Booted) and a voting system was introduced by Singh, P. and Ranga, V. [17]. The voting method is integrated into the system to produce an aggregated prediction accuracy. Ibrahim, N. M., and A. Zainal [18] developed a distributed IDS that uses a parallel SGD with SVM (SGD-SVM) to do distributed detection and a binary segmentation change point detection technique to determine the optimal period to transfer malware data to remote IDS nodes.

Manickam, M. and Rajagopalan, S. P. developed an effective anomaly detection system for cloud computing [19]. In order to train profiles and detect intrusions, support vector machines are used. An ensemble support vector machine for intrusion detection was first introduced by Wei et al. [20]. Every bag has several interconnected data flows that can properly portray intrusion behavior, particularly persistent infiltration. The merits and demerits of the existing papers are shown in Table 2.

TABLE II. MERITS AND DEMERITS

| Year | Reference | Merits | Demerits |
|---|---|---|---|
| 2020 | Chkirbene et al. [11] | It displays resistance to irrelevant traits. | Its accuracy is impacted by the failure to account for feature interdependencies for categorization purposes. |
| 2021 | Krishnaveni et al. [12] | Outperforms a single classifier in performance. It also lessens the variance. | It demands more storage and requires complicated processing. |
| 2019 | Besharati et al. [13] | Outperforms a single classifier in performance. | Increased temporal complexity as a result of using several classifiers simultaneously. |
| 2019 | Velliangiri, S and Premalatha, J et al. [14] | Both the process of feature selection and the number of inputs needed are significantly reduced. | In particular, it is less effective at detecting known assaults than the method of supervised learning. |
| 2020 | Pirozmand et al. [15] | Can make the data less difficult. | It must be employed with other ML techniques to construct a security method because it is not an anomaly detection tool. |
| 2020 | Zhang et al. [16] | It is resistant to overfitting. | It is difficult to determine the ideal value of K and locate missing nodes. |
| 2021 | Singh, P., & Ranga, V. [17] | Used a variety of data sets, including real data, to evaluate the efficiency. | Only known attacks were able to be found. |
| 2020 | Ibrahim, N. M., & Zainal, A. [18] | The expense of a categorization error has been reduced. | Is more computationally intensive than Snort. |
| 2019 | Manickam, M., & Rajagopalan, S. P. [19] | It prevents single points of failure for IDS. | It was necessary to add host-based IDS to cover the full range of IDS solutions. |
| 2020 | Wei et al. [20] | Results from experiments are very clearly displayed. | There have been no specific types of attacks found. Viewed all assaults as anomalous. |
| 2020 | Shyla, S. I., & Sujatha, S. S. [21] | An excellent comparison of outcomes utilizing various methods. | Not used in a distributed environment. |
| 2020 | Jaber, A. N., & Rehman, S. U. [22] | It quickly and cheaply identified both internal and external assaults. | Despite many attacks being identified, the centralized infrastructure made it difficult to identify DDoS attacks. |
| 2019 | Samriya, J. K., & Kumar, N. [23] | Labeled data are not required for k-Means clustering. | In general, it is less efficient in detecting known assaults than the supervised learning method. |
| 2019 | Yadav, R. M [24] | Can make the data less complex. | To build a security framework, it needs to be integrated with other ML methods. |
| 2021 | Zhang et al. [25] | Almost no samples are needed for training. | DoS attacks are undetectable. |

b) Unsupervised Learning

A unique IDS built on the integration of a leader-based k-means clustering (LKM) and an ideal fuzzy logic system was suggested by Shyla, S. I., and Sujatha, S. S. [21]. The fuzzy logic system (FLS) makes the distinction between data that is normal and data that is abnormal. To improve the IDS accuracy in a cloud computing environment, Jaber, A. N. and Rehman, S. U. [22] designed an IDS that incorporates a fuzzy c means clustering (FCM) approach with a support vector machine (SVM). A hybrid technique combining SVM and FCM clustering was used to generate the hypervisor inspectors.

Samriya, J. K., and Kumar, N. [23] introduced fuzzy-based ANN for the effective clustering of anomalies, as opposed to fuzzy-based clustering which is further refined by employing the spider-monkey optimization technique. Thus, the suggested approach can more accurately and efficiently detect anomalies that lead to increased traffic in the cloud computing environment and better security than current methods. Yadav, R. M. [24] introduced the WFCM-AANN. The classifier correctly recognizes the virus. To boost the effectiveness of intrusion detection systems, Zhang et al. [25] introduced a sparse autoencoder. A DNN called AE uses unsupervised learning to extract features from unlabeled data.

B. Deep Learning based Intrusion Detection

Recently developed DL for feature selection, perception, and machine learning has emerged from machine learning systems. With the help of several subsequent layers, this algorithm implements its operations.

a) Supervised Learning

A hybrid categorization model known as "NK-RNN" that integrates the normalized K-means clustering approach with an RNN was created by Balamurugan. V and Saravanan. R et al. [26] and examines packets from users. To protect the consumer from attackers, they suggest a signature for cloud consumers when accessing data on the cloud. A deep blockchain framework (DBF) was presented by Alkadi et al. [27] to provide security-based distributed IDS and privacy-based blockchain with smart contracts in IoT networks. Then, long short-term bidirectional memory (Bi-LSTM) was used.

Sai SindhuTheja, R, and Shyam, G. K. [28] presented an effective assault detection system that uses the OCSA, which incorporates the CSA and OBL approach to handling such challenges. The two stages of the developed framework are feature selection using OCSA and categorization utilizing an RNN classifier.

Back Propagation Neural Network (BPNN) was introduced by Chiba et al. [29] using an Enhanced Genetic Algorithm (IGA). Through the use of Parallel Computing, which decreases computational time and converging phase while conserving interpretive ability, Genetic Algorithms (GA) are improved. Recurrent convolutional neural network (RCNN) was employed by Prabhakaran, V. and Kulandasamy, A. [30] to determine whether text data are intrusive or not. The non-intrusion text data was utilized for additional operations and encrypted utilizing a two-way encryption technique. They provide the ECC technique for enhancing the safety of non-intrusion data.

GWO and CNN are used in an ensemble data processing approach for network anomaly detection that was presented by Garg et al. [31]. Chiba et al. [32] suggested a hybrid optimization framework (IGASAA) based on an Improved Genetic Algorithm (IGA) and Simulated Annealing Algorithm (SAA) as a practical and efficient DNN-based anomalous network IDS. A DL-based IDS for DDoS attacks was introduced by Ferrag et al. [33] using three strategies: CNN, DNN, and RNN.

For DDoS attacks in a cloud setting, Kachavimath, A. V. and Narayan, D. G. [34] introduced long short-term memory (LSTM). Different patterns of sequences were acquired from the intercepted traffic for DDoS attack detection. Pu et al. [35] introduced an intrusion detection system design that combines the K-means algorithm and the CNN method. The data flow is first clustered using the K-means technique, and the aberrant data is isolated before being given to the convolution. The algorithm using neural networks evaluates the intrusion data flow.

ElSayed et al. [36] offer a new hybrid deep learning (DL) technique based on CNN to categorize flow traffic into normal or malicious classifications. To solve the issue of overfitting and increase the capabilities of NIDSs in detecting unobserved intrusion events, a novel regularizer approach, SD-Reg, has been deployed.

b) Unsupervised Learning

In order to create trained models for forecasting the status (attack or not) of suspected intrusions, Abusitta et al. [37] presented a stacked denoising autoencoder that allows for the exploitation of historically received feedback. The ability of DA to learn how to recreate IDS input from incomplete feedback is what gives it its potency. This enables us to make proactive judgements about suspicious incursions even in the absence of comprehensive IDS feedback. Mayuranathan et al. [38] introduced a DL-based classifier method utilizing RBM to identify the DDoS assault. Seven additional levels are added to the RBM's visible and hidden layers to increase the detection rate of DDoS attacks. Precise outcomes are obtained by tuning the parameters of the provided RBM models. The likelihood of the visible layer in the RBM approach was replaced with a Gaussian function.

Unsupervised DL techniques with semi-supervised learning were given by Zavrak and Iskefiyeli [39] to identify IDS and unusual network traffic from flow-based data. A NIDS based on the unsupervised learning method AE, which can learn without labeled data, was introduced by Choi et al. [40]. To determine a reconstruction loss threshold, they presented a heuristic method that depends on the proportion of anomalous data in the training data. Nguyen et al. [41] introduced GEE, a technique for identifying anomalies in network traffic. For dealing with detecting abnormalities, it uses a variational auto-encoder, an unsupervised deep-learning approach, and a gradient-based fingerprinting technique. Gowdhaman, V., and R. Dhanapal [42] presented a DNN based IDS. To discover intrusions, the cross-correlation technique is utilised to choose the finest characteristics from the database, and the chosen parameters are employed for DNN.
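
The reconstruction-loss threshold heuristic attributed above to Choi et al. [40] can be illustrated as follows. This is an added example, not code from the paper or from Choi et al.: a one-unit linear autoencoder (equivalent to a rank-1 PCA projection) stands in for the deep autoencoder, the threshold rule is an assumed reading of the heuristic (cut at the quantile matching the anomalous proportion), and the flow records and all function names are constructed for illustration.

```python
import math

def log_features(flow):
    """Map a (packets, bytes) flow record to log10-scaled features."""
    packets, nbytes = flow
    return [math.log10(packets), math.log10(nbytes)]

def fit(flows, iters=50):
    """Fit a one-unit linear autoencoder on unlabeled flows.

    Features are standardised, then the first principal axis is found by
    power iteration. Encoding projects onto the axis, decoding scales it.
    """
    x = [log_features(f) for f in flows]
    n, d = len(x), len(x[0])
    mean = [sum(r[j] for r in x) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in x) / n) or 1.0
           for j in range(d)]
    z = [[(r[j] - mean[j]) / std[j] for j in range(d)] for r in x]
    axis = [1.0] + [0.0] * (d - 1)
    for _ in range(iters):
        proj = [sum(a * b for a, b in zip(r, axis)) for r in z]
        v = [sum(p * r[j] for p, r in zip(proj, z)) for j in range(d)]
        norm = math.sqrt(sum(c * c for c in v))
        axis = [c / norm for c in v]
    return {"mean": mean, "std": std, "axis": axis}

def reconstruction_error(model, flow):
    """Squared distance between a standardised flow and decode(encode(flow))."""
    z = [(v - m) / s for v, m, s in
         zip(log_features(flow), model["mean"], model["std"])]
    code = sum(a * b for a, b in zip(z, model["axis"]))   # encoder output
    recon = [code * a for a in model["axis"]]             # decoder output
    return sum((a - b) ** 2 for a, b in zip(z, recon))

def threshold_from_contamination(errors, contamination):
    """Assumed form of the heuristic: if a fraction `contamination` of the
    training flows is anomalous, put the threshold just below that many of
    the worst-reconstructed training flows."""
    if not 0.0 <= contamination < 1.0:
        raise ValueError("contamination must be in [0, 1)")
    ranked = sorted(errors)
    k = min(round(contamination * len(ranked)), len(ranked) - 1)
    return ranked[len(ranked) - k - 1]

def train_detector(flows, contamination):
    """Return (model, threshold) learned from unlabeled training flows."""
    model = fit(flows)
    errors = [reconstruction_error(model, f) for f in flows]
    return model, threshold_from_contamination(errors, contamination)

def flag(model, threshold, flows):
    """Indices of flows whose reconstruction error exceeds the threshold."""
    return {i for i, f in enumerate(flows)
            if reconstruction_error(model, f) > threshold}

def constructed_training_flows():
    """Constructed sample: 95 benign flows (roughly 417-603 bytes per packet)
    followed by 5 scan-like flows (1-3 packets of about 50 bytes each).
    Returns (flows, indices_of_the_scan_like_flows)."""
    benign = []
    for i in range(95):
        packets = round(10 ** (0.5 + 2.5 * i / 94))
        per_packet = 10 ** (2.7 + 0.04 * (i % 5 - 2))
        benign.append((packets, round(packets * per_packet)))
    scans = [(1, 60), (1, 44), (2, 104), (2, 88), (3, 156)]
    return benign + scans, set(range(95, 100))

if __name__ == "__main__":
    flows, truth = constructed_training_flows()
    for c in (0.0, 0.05, 0.20):
        model, thr = train_detector(flows, c)
        hits = flag(model, thr, flows)
        print(f"contamination={c:.2f} threshold={thr:.4f} "
              f"flagged={len(hits)} true_pos={len(hits & truth)} "
              f"false_pos={len(hits - truth)}")
```

With the assumed proportion matching the real one (0.05), only the scan-like flows exceed the threshold; an overestimate such as 0.20 moves the threshold into the benign flows and produces false positives, and 0.0 flags nothing in the training set.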

TABLE II. MERITS AND DEMERITS (Continued)

| Year | Reference | Merits | Demerits |
|---|---|---|---|
| 2019 | Balamurugan, V., & Saravanan, R. [26] | The model simply needs to be run once to generate a sample. | Its training is challenging, and its outcomes are unpredictable. |
| 2020 | Alkadi et al. [27] | Suitable for extracting key features from unlabeled data with training. | In the event that the training dataset does not accurately reflect the testing dataset, the results might not be as expected. |
| 2021 | SaiSindhuTheja, R., & Shyam, G. K [28] | The capacity to recognize zero-day assaults. | Its training is challenging, and the outcomes are unpredictable. |
| 2019 | Chiba et al. [29] | The situations where sequential data processing is required are best suited. | Complicated and computationally intensive. |
| 2021 | Prabhakaran, V., & Kulandasamy, A. [30] | Perform better in situations with a lot of features and uncertainty. | Unknown assaults have not been discovered. There is only theoretical analysis done. |
| 2019 | Garg et al. [31] | It quickly and cheaply identified both internal and external assaults. | It has not evaluated its outcomes to those of other current strategies. |
| 2019 | Chiba et al. [32] | It has produced better outcomes. | There has not been a specific form of attack found. |
| 2021 | Ferrag et al. [33] | Network traffic was detected using two separate methods based on dynamic features. | Its training is challenging, and its outcomes are unpredictable. |
| 2021 | Kachavimath, A. V., & Narayan, D. G. [34] | DL classifiers are capable of improving the performance of the model. | Despite many attacks being identified, the centralized infrastructure made it difficult to identify DDoS attacks. |
| 2022 | Pu et al. [35] | It yields a greater results. | High computational complexity. |
| 2021 | ElSayed et al. [36] | Can make the data less complex. | Not used in a distributed environment. |
| 2019 | Abusitta et al. [37] | Feature extraction and dimensionality reduction have both been accomplished with the help of AEs. | Depending on how representative the training dataset is of the validation dataset, it might not yield the expected results. |
| 2021 | Mayuranathan et al. [38] | It is quicker to analyze and uses fewer system resources. | Large computational expenses required. |
| 2020 | Zavrak, S., & Iskefiyeli, M. [39] | Ideal for contexts where data must be processed in a sequential manner. | It has not been used in a real-world context. |
| 2019 | Choi et al. [40] | Appropriate for real-world situations. | It has not evaluated its outcomes to those of other current strategies. |
| 2020 | Nguyen, M.T., Kim, K. [41] | Classifiers help improve the performance of AEs models. | Requires a lot of calculation. |
| 2022 | Gowdhaman, V., & Dhanapal, R. [42] | Suitable for extracting key features from unlabeled data with training. | There has not been a specific form of attack found. |

III. DISCUSSION AND EVALUATION OF RESULTS

A. Discussions

The purpose of this subsection is to contrast the different strategies and methodologies used in IDS. The findings of this section may be helpful in indicating future study directions. This section contains the following details regarding these strategies:

• Simulation metrics were utilised to evaluate the investigated intrusion detection technologies.
• Platforms, languages, and simulation tools were required in order to validate the proposed IDS.
• Datasets utilised to examine and assess intrusion detection technologies based on DL.
• Techniques for extracting features were used.
• The total number of intrusion detection systems created using every DL approach.

Fig. 1. Number of DL approaches applied on evaluation metrics

Figure 1 depicts some of the assessment metrics used by DL based IDS algorithms, as well as the quantity of devices that used every element in tests to validate their findings. Metrics such as accuracy, precision, and recall are commonly utilized by the investigated intrusion detection techniques, as illustrated in this picture.

Fig. 2. Percentage of feature extraction approaches used in DL

Figure 2 depicts the proportion of various feature extraction approaches used in the DL based IDS approaches studied. As illustrated in the picture, the stated IDS schemes make extensive use of feature extraction approaches such as entropy and PCA.

Fig. 3. Percentage of tools used in investigated methods

Similarly, Figure 3 shows the proportion of tools used in the investigated methods to assess their effectiveness and highlight the benefits. It demonstrates that trials for the stated DL-based IDS techniques primarily used a TensorFlow simulator and Python. TensorFlow is a Google open-source software tool for operating systems such as Mac, iOS, Linux, Windows and Android.

B. Dataset description

This section contains information on the well-known datasets that the researcher used to evaluate the effectiveness of their suggested methodology. The following datasets are the most frequently used: KDD Cup 99, NSL-KDD, CSE-CIC-IDS2018, ISCXIDS2012, UNSW-NB15, CICIDS2017, and CIDDS. Figure 4 depicts the datasets used in the explored methods.

KDD Cup 99: The NSL-KDD dataset is an enhanced version of the KDD'99 datasets, which is frequently used for the IDS. There are five million records in this collection, and every record has 41 characteristics. The four assault classifications found in the NSL-KDD dataset are DoS assaults, R2L attacks, U2R attacks, and Probe attacks.

NSL-KDD: The researchers that published their findings in attempted to fix KDD-99's flaws by developing NSL-KDD. The emphasis in this more proportionate KDD-99 resampling is on occurrences of predicted to trained classifier on the basic KDD-99. The dataset still has issues, as their researchers acknowledge, such as the under-representation of minimal footprint attacks.

CSE-CIC-IDS2018: Canadian Institute for Cybersecurity (CIC) dataset on cyber defense on AWS. Worldwide security testing and malware prevention employ datasets from CIC and ISCX. The most recent dataset includes seven different attack scenarios, such as brute force, Heartbleed, botnet, DDoS, DoS, online attacks, and internal network infiltration.

ISCXIDS2012: ISCXIDS2012 is a dataset that was developed utilizing the profile idea and contains descriptions of intrusions as well as abstract models of distribution for lower-level network components, protocols, and applications. The profiles are used to simulate user behavior. For the purpose of creating a database in the required test bed, these profiles are used. Various scenarios for multi-stage assaults are employed to create the dataset's anomalous portion.

CICIDS2017: There are several entries for the security attack in this dataset that mimic actual traffic data. It generates natural benign traffic while profiling human behavior using the B-Profile technology. The behavior of 25 users for email protocols, HTTPS, HTTP, SSH, and FTP is built into this dataset. Additionally, it includes records for security threats like DDoS, Heartbleed, Web Attacks, Brute Force SSH, and Brute Force FTP.

UNSW-NB15: In order to construct the dataset's anomalous and normal network traffic traces, a programme known as IXIA Perfect Storm is employed, which is used to analyze NIDSs. The IXIA programme can replicate nine different sorts of security attacks and use newly updated attack data from a website that also offers information on security flaws.

CIDDS: For analyzing network anomaly intrusion detections, the CIDDS datasets are made available. They feature labeled flows utilizing OpenStack in a virtual environment. The dataset takes into account a modest environment that has several servers and clients. Additionally, using Python scripts, the dataset creates innocuous user behavior like online browsing. Each user completes their task according to a set schedule, and their attributes are described in a configuration file, which helps to ensure realistic user behavior. This dataset contains malicious traffic including port scans, brute force assaults, and DDoS attacks. Various dataset details are shown in Table 3 and Figure 4.

TABLE III. DATASET ANALYSIS

| Datasets | Year | Attack types | Attack |
|---|---|---|---|
| KDD Cup 99 | 1998 | 4 | U2R, DoS, R2L, Probe |
| CSE-CIC-IDS2018 | 2018 | 7 | Heart bleed, Botnet, Brute force, Infiltration, DDoS, Web, DoS |
| CICIDS2017 | 2017 | 14 | FTP-Patator, PortScan, Web Attack Sql Injection, BENIGN, DoS slow loris, Bot, DDoS, DoS GoldenEye, DoS Slow-httptest, Heartbleed, filtration, DoS Hulk, SSH-Patator |
| UNSW-NB15 | 2015 | 9 | DoS, Reconnaissance, shellcode, Fuzzers, Exploits, Generic, Port scans, Backdoors, worms |
| NSL-KDD | 2009 | 4 | DoS, R2L, Probe, U2R |

C. Comparison of the approaches

The following table provides a comparison of various ML and DL-based approaches. Table 4 shows that the majority of the recently proposed intrusion detection techniques use cloud-based technologies.

Fig. 4. Applied datasets

TABLE IV. COMPARISON OF ML AND DL APPROACHES BASED ON THE ACCURACY

| YEAR | REFERENCE | TYPES OF CATEGORIZATION | TECHNIQUES | DATASETS | ACCURACY (%) |
|---|---|---|---|---|---|
| 2020 | Chkirbene et al. [11] | Machine learning based supervised approach | weight optimization algorithm | UNSW dataset | 99.21 |
| 2021 | Krishnaveni et al. [12] | Machine learning based supervised approach | SVM, NB, LR, DT | Real-time Honeypot, Kyoto 2006, and NSL-KDD Dataset | 98.89 |
| 2019 | Besharati et al. [13] | Machine learning based supervised approach | logistic regression (LR) | NSL-KDD data set | 97.51 |
| 2019 | Velliangiri, S and Premalatha, J et al. [14] | Machine learning based supervised approach | Radial basis function neural network (RBF-NN) | NSL-KDD data set | 99.56 |
| 2020 | Pirozmand et al. [15] | Machine learning based supervised approach | Artificial Neural Networks | - | - |
| 2020 | Zhang et al. [16] | Machine learning based supervised approach | K-Nearest Neighbor (KNN) | NSL-KDD | 98.57 |
| 2021 | Singh, P., & Ranga, V. [17] | Machine learning based supervised approach | Boosted tree, bagged tree, subspace discriminant, and RUS Boosted | CICIDS 2017 and CloudSim | 97.24 |
| 2020 | Ibrahim, N. M., & Zainal, A. [18] | Machine learning based supervised approach | SGD-SVM | NSL-KDD | 99.6 |
| 2019 | Manickam, M., & Rajagopalan, S. P. [19] | ML based supervised approach | SVM | DARPA's KDD cup | - |
| 2020 | Wei et al. [20] | ML based supervised learning | SVM | Kyoto 2006+, KDD Cup 99 | - |
| 2020 | Shyla, S. I., & Sujatha, S. S. [21] | ML based unsupervised learning | LKM | NSL-KDD | - |
| 2020 | Jaber, A. N., & Rehman, S. U. [22] | Machine learning based unsupervised learning | fuzzy c means clustering (FCM)-SVM | NSL-KDD | 97.37 |
| 2019 | Samriya, J. K., & Kumar, N. [23] | Machine learning based unsupervised learning | Fuzzy based ANN | KDD99 dataset, NSL-KDD | - |
| 2019 | Yadav, R. M [24] | Machine learning based unsupervised learning | WFCM-AANN | - | - |
| 2021 | Zhang et al. [25] | Machine learning based unsupervised learning | sparse autoencoder | CICIDS2017 dataset | 91.83 |
| 2019 | Balamurugan, V., & Saravanan, R. [26] | Deep learning based supervised learning | K-means clustering algorithm with RNN | NSL-KDD | - |
| 2020 | Alkadi et al. [27] | Deep learning based supervised learning | Bi-LSTM | UNSW-NB15 and BoT-IoT data sets | 99.79 |
| 2021 | SaiSindhuTheja, R., & Shyam, G. K [28] | Deep learning based supervised learning | Recurrent Neural Network (RNN) | KDD cup 99 dataset | 94.12 |
| 2019 | Chiba et al. [29] | Deep learning based supervised learning | Back Propagation Neural Network (BPNN) | CloudSim simulator 4.0 and DARPA's KDD cup datasets | 99.16 |
| 2021 | Prabhakaran, V., & Kulandasamy, A. [30] | Deep learning based supervised learning | recurrent convolutional neural network (RCNN) | KDD CUP 99 data sets | 99.67 |
| 2019 | Garg et al. [31] | DL based supervised learning | GWO and CNN | DARPA'98 and KDD'99 | 98.42 |
| 2019 | Chiba et al. [32] | Deep learning based supervised learning | Deep Neural Network (DNN) | CICIDS2017, NSL-KDD | 99.93 |
| 2021 | Ferrag et al. [33] | Deep learning based supervised learning | CNN, DNN, RNN | CIC-DDoS2019 and TON_IoT data | 99.95 |
| 2021 | Kachavimath, A. V., & Narayan, D. G. [34] | DL based supervised learning | LSTM | DDoS attack | - |
| 2022 | Pu et al. [35] | DL based supervised learning | CNN & k-means | KDDCUP99 dataset | 98.41 |
| 2021 | ElSayed et al. [36] | DL based supervised learning | CNN | NSL-KDD | - |
| 2019 | Abusitta et al. [37] | Deep learning based unsupervised learning | stacked denoising autoencoder | real-life dataset | 95 |
| 2021 | Mayuranathan et al. [38] | Deep learning based unsupervised learning | Restricted Boltzmann Machines (RBM) | KDD'99 dataset | 99.92 |
| 2020 | Zavrak, S., & Iskefiyeli, M. [39] | Deep learning based unsupervised learning | Semi supervised learning | KDDCUP99 dataset | - |
| 2019 | Choi et al. [40] | Deep learning based unsupervised learning | Autoencoder | NSL-KDD | 91.70 |
| 2020 | Nguyen, M.T., Kim, K. [41] | Deep learning based unsupervised learning | Variational autoencoder | NSL-KDD dataset | 98.09 |
| 2022 | Gowdhaman, V., & Dhanapal, R. [42] | Deep learning based unsupervised learning | DNN | UNSW-NB15 | 98.64 |
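Table IV compares the surveyed approaches on accuracy alone. The following added example (not from the paper or any cited work; the confusion matrices and the names `BIASED`, `BALANCED`, `evaluate` and `rank` are constructed for illustration) shows how, on an imbalanced NSL-KDD-style test set, a detector biased toward the normal class can report the higher accuracy while missing most R2L and U2R attacks, which is why detection rate, FPR and per-class recall should be read alongside an accuracy figure.

```python
# Added example: both confusion matrices are constructed, not taken from any cited paper.
LABELS = ["Normal", "DoS", "Probe", "R2L", "U2R"]  # NSL-KDD style classes

# Rows = true class, columns = predicted class, both in LABELS order.
BIASED = [            # favours the dominating normal class
    [8990, 5, 5, 0, 0],
    [10, 690, 0, 0, 0],
    [20, 0, 180, 0, 0],
    [72, 0, 0, 8, 0],
    [19, 0, 0, 0, 1],
]
BALANCED = [          # more false alarms, far fewer missed rare attacks
    [8820, 60, 60, 40, 20],
    [10, 685, 5, 0, 0],
    [10, 5, 185, 0, 0],
    [12, 0, 0, 66, 2],
    [3, 0, 0, 2, 15],
]
MODELS = {"biased": BIASED, "balanced": BALANCED}


def evaluate(cm, labels=LABELS, normal="Normal"):
    """Return accuracy, FPR, detection rate and per-class recall for one matrix."""
    n = labels.index(normal)
    total = sum(sum(row) for row in cm)
    correct = sum(cm[i][i] for i in range(len(cm)))
    # Recall only for classes that actually occur in the test set.
    recall = {lab: cm[i][i] / sum(cm[i]) for i, lab in enumerate(labels) if sum(cm[i])}
    normal_total = sum(cm[n])
    attack_total = total - normal_total
    missed = sum(cm[i][n] for i in range(len(cm)) if i != n)  # attacks called normal
    return {
        "accuracy": correct / total,
        "fpr": (normal_total - cm[n][n]) / normal_total if normal_total else 0.0,
        "detection_rate": (attack_total - missed) / attack_total if attack_total else 0.0,
        "macro_recall": sum(recall.values()) / len(recall),
        "recall": recall,
    }


def rank(models, key):
    """Order model names from best to worst on one metric (higher is better)."""
    return sorted(models, key=lambda name: evaluate(models[name])[key], reverse=True)


if __name__ == "__main__":
    for name, cm in MODELS.items():
        r = evaluate(cm)
        print(f"{name:9s} acc={r['accuracy']:.4f} fpr={r['fpr']:.4f} "
              f"dr={r['detection_rate']:.3f} U2R={r['recall']['U2R']:.2f}")
    print("by accuracy:    ", rank(MODELS, "accuracy"))
    print("by macro recall:", rank(MODELS, "macro_recall"))
```

Ranking by accuracy puts the biased detector first, while ranking by macro recall reverses the order.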

From table 2 it is observed that the RBM, Deep Neural Network (DNN), RCNN and RBF-NN techniques provide the best results. They help to provide better classification accuracy. A comparison across the machine learning techniques reveals that the supervised RBF-NN achieves a greater accuracy of 99.56%. Similarly, a comparison across the deep learning techniques reveals that an unsupervised ensemble of CNN, DNN and RNN gains a greater accuracy of 99.95%.

IV. CHALLENGES AND FUTURE RESEARCH DIRECTIONS

Although the community conducting research in cyber security has created several intrusion detection methods and distributed frameworks capable of securing big networks, possible difficulties with cloud-specific issues still exist. As a result, one of the findings of this study is that it is very difficult to create an all-encompassing IDS that can provide high accuracy, scalability, resilience, and protection from all threats. The main problems and difficulties that researchers will likely encounter in the future are discussed below. Because cloud measures are still in their infancy, there is a huge amount of scope for future study in this field, notably in the area of intrusion detection utilizing ML and DL algorithms. Following are some issues and potential future research paths that emerge from cloud computing systems.

• A high-quality dataset connected to IoT IDS is crucial for testing and validating proposed NIDS. Such datasets should include a sizable amount of network traffic data with labels that describe both attack and regular behavior.
• Building an anomaly-based, live IDS for networks is quite difficult. This is because an IDS of this type would need to first understand regular behavior to detect anomalous or abnormal activities. The learning phase presupposes the absence of noise and attack traffic, which cannot be guaranteed. If these problems are not resolved, such an IDS can produce erroneous alerts.
• The majority of NIDS attempt to build a method that gets the profile of every potential pattern or behavior of regular traffic. This is particularly difficult, though, because these methods have a tendency to favor the dominating class, the normal class, leading to a large FPR.


• Computational complexity is increased at various phases of the design and implementation of NIDS, such as feature reduction and data preparation, training, and deployment, in particular for Machine Learning and Deep Learning based NIDS. Consequently, creating an effective NIDS with low computing demands is another difficulty and field for future research.
• For training a model on a big dataset, approaches and algorithms based on DL and ML are frequently used. This has made it easier to handle cyber-attacks effectively. However, there are significant issues that require the attention of researchers when using DL and ML systems for threat detection in clouds.

V. CONCLUSION

IDSs are designed to find attacks, so it's critical to choose the right data source based on the attack's characteristics. This article has provided a summary of IDS tactics used in cloud environments. A general overview of IDS is given first. In order to give new researchers an overview of state-of-the-art research, current trends, and field advancement, this study provides a thorough assessment of NIDS mechanisms based on ML and DL methodologies. DL techniques are a tremendous topic for research and are becoming more and more important. Deep learning models have better generalization and fitting capabilities than shallow machine learning models. Even if there are numerous ways to manage IDS in the cloud, machine learning-based systems still need a lot of attention. This study covers the most recent typical investigations to provide references for other researchers conducting in-depth studies before analyzing and fine-tuning the challenges and projected trends in the field.

REFERENCES

[1] M. M. Sakr, M. A. Tawfeeq and A. B. El-Sisi, “Network intrusion detection system based PSO-SVM for cloud computing,” International Journal of Computer Network and Information Security, vol. 10, no. 3, pp. 22, 2019.
[2] L. Karuppusamy, J. Ravi, M. Dabbu and S. Lakshmanan, “Chronological salp swarm algorithm based deep belief network for intrusion detection in cloud using fuzzy entropy,” International Journal of Numerical Modelling: Electronic Networks, Devices and Fields, vol. 35, no. 1, pp. 12-45, e2948, 2022.
[3] I. H. Abdulqadder, S. Zhou, D. Zou, I. T. Aziz and S. M. A. Akber, “Multi-layered intrusion detection and prevention in the SDN/NFV enabled cloud of 5G networks using AI-based defense mechanisms,” Computer Networks, vol. 179, no. 1, pp. 107364, 2020.
[4] W. Wang, X. Du, D. Shan, R. Qin and N. Wang, “Cloud intrusion detection method based on stacked contractive auto-encoder and support vector machine,” IEEE Transactions on Cloud Computing, vol. 1, no. 1, pp. 20-34, 2020.
[5] K. Venkatachalam, P. Prabu, B. S. Balaji, B. G. Kang, Y. Nam and M. Abouhawwash, “Cross-Layer Hidden Markov Analysis for Intrusion Detection,” CMC-Computers, Materials & Continua, vol. 70, no. 1, pp. 3685-3700, 2021.
[6] P. Ghosh, A. Karmakar, J. Sharma and S. Phadikar, “CS-PSO based intrusion detection system in cloud environment,” In Emerging Technologies in Data Mining and Information Security, vol. 1, no. 1, pp. 261-269, 2019.
[7] R. M. Yadav, “Effective analysis of malware detection in cloud computing,” Computers & Security, vol. 83, no. 1, pp. 14-21, 2019.
[8] S. A. Alghamdi, “Novel trust-aware intrusion detection and prevention system for 5G MANET–Cloud,” International Journal of Information, 2021.
[9] T. Nathiya and G. Suseendran, “An effective hybrid intrusion detection system for use in security monitoring in the virtual network layer of cloud computing technology,” In Data management, analytics and innovation, vol. 1, no. 1, pp. 483-497, 2019.
[10] J. Brugman, M. Khan, S. Kasera and M. Parvania, “Cloud based intrusion detection and prevention system for industrial control systems using software defined networking,” In 2019 Resilience Week (RWS), vol. 1, no. 1, pp. 98-104, IEEE, 2019.
[11] Z. Chkirbene, A. Erbad, R. Hamila, A. Gouissem, A. Mohamed and M. Hamdi, “Machine learning based cloud computing anomalies detection,” IEEE Network, vol. 34, no. 6, pp. 178-183, 2020.
[12] S. Krishnaveni, S. Sivamohan, S. S. Sridhar and S. Prabakaran, “Efficient feature selection and classification through ensemble method for network intrusion detection on cloud computing,” Cluster Computing, vol. 24, no. 3, pp. 1761-1779, 2021.
[13] E. Besharati, M. Naderan and E. Namjoo, “LR-HIDS: logistic regression host-based intrusion detection system for cloud environments,” Journal of Ambient Intelligence and Humanized Computing, vol. 10, no. 9, pp. 3669-3692, 2019.
[14] S. Velliangiri and J. Premalatha, “Intrusion detection of distributed denial of service attack in cloud,” Cluster Computing, vol. 22, no. 5, pp. 10615-10623, 2019.
[15] P. Pirozmand, M. A. Ghafary, S. Siadat and J. Ren, “Intrusion detection into cloud-fog-based iot networks using game theory,” Wireless Communications and Mobile Computing, vol. 1, no. 1, pp. 23-45, 2020.
[16] Z. Zhang, J. Wen, J. Zhang, X. Cai and L. Xie, “A many objective-based feature selection model for anomaly detection in cloud environment,” IEEE Access, vol. 8, no. 1, pp. 60218-60231, 2020.
[17] P. Singh and V. Ranga, “Attack and intrusion detection in cloud computing using an ensemble learning approach,” International Journal of Information Technology, vol. 13, no. 2, pp. 565-571, 2021.
[18] N. M. Ibrahim and A. Zainal, “A distributed intrusion detection scheme for cloud computing,” International Journal of Distributed Systems and Technologies (IJDST), vol. 11, no. 1, pp. 68-82, 2020.
[19] M. Manickam and S. P. Rajagopalan, “A hybrid multi-layer intrusion detection system in cloud,” Cluster Computing, vol. 22, no. 2, pp. 3961-3969, 2019.
[20] J. Wei, C. Long, J. Li and J. Zhao, “An intrusion detection algorithm based on bag representation with ensemble support vector machine in cloud computing,” Concurrency and Computation: Practice and Experience, vol. 32, no. 24, e5922, 2020.
[21] S. I. Shyla and S. S. Sujatha, “Cloud security: LKM and optimal fuzzy system for intrusion detection in cloud environment,” Journal of Intelligent Systems, vol. 29, no. 1, pp. 1626-1642.
[22] A. N. Jaber and S. U. Rehman, “FCM–SVM based intrusion detection system for cloud computing environment,” Cluster Computing, vol. 23, no. 4, pp. 3221-3231, 2020.
[23] J. K. Samriya and N. Kumar, “A novel intrusion detection system using hybrid clustering-optimization approach in cloud computing,” Materials Today: Proceedings, vol. 2, no. 1, pp. 23-54, 2020.
[24] R. M. Yadav, “Effective analysis of malware detection in cloud computing,” Computers & Security, vol. 83, no. 1, pp. 14-21, 2019.
[25] C. Zhang, Y. Chen, Y. Meng, F. Ruan, R. Chen, Y. Li and Y. Yang, “A novel framework design of network intrusion detection based on machine learning techniques,” Security and Communication Networks, vol. 2, no. 1, pp. 34-56, 2021.
[26] V. Balamurugan and R. Saravanan, “Enhanced intrusion detection and prevention system on cloud environment using hybrid classification and OTS generation,” Cluster Computing, vol. 22, no. 6, pp. 13027-13039, 2019.
[27] O. Alkadi, N. Moustafa, B. Turnbull and K. K. R. Choo, “A deep blockchain framework-enabled collaborative intrusion detection for protecting IoT and cloud networks,” IEEE Internet of Things Journal, vol. 8, no. 12, pp. 9463-9472, 2020.


[28] R. SaiSindhuTheja and G. K. Shyam, “An efficient metaheuristic algorithm based feature selection and recurrent neural network for DoS attack detection in cloud computing environment,” Applied Soft Computing, vol. 100, no. 1, pp. 106997, 2021.
[29] Z. Chiba, N. Abghour, K. Moussaid, A. El Omri and M. Rida, “New anomaly network intrusion detection system in cloud environment based on optimized back propagation neural network using improved genetic algorithm,” International Journal of Communication Networks and Information Security, vol. 11, no. 1, pp. 61-84, 2019.
[30] V. Prabhakaran and Kulandasamy, “Integration of recurrent convolutional neural network and optimal encryption scheme for intrusion detection with secure data storage in the cloud,” Computational Intelligence, vol. 37, no. 1, pp. 344-370, 2021.
[31] S. Garg, K. Kaur, N. Kumar, G. Kaddoum, A. Y. Zomaya and R. Ranjan, “A hybrid deep learning-based model for anomaly detection in cloud datacenter networks,” IEEE Transactions on Network and Service Management, vol. 16, no. 3, pp. 924-935, 2019.
[32] Z. Chiba, N. Abghour, K. Moussaid and M. Rida, “Intelligent approach to build a Deep Neural Network based IDS for cloud environment using combination of machine learning algorithms,” Computers & Security, vol. 86, no. 1, pp. 291-317, 2019.
[33] M. A. Ferrag, L. Shu, H. Djallel and K. K. R. Choo, “Deep learning-based intrusion detection for distributed denial of service attack in Agriculture 4.0,” Electronics, vol. 10, no. 11, pp. 1257, 2021.
[34] A. V. Kachavimath and D. G. Narayan, “A deep learning-based framework for distributed denial-of-service attacks detection in cloud environment,” In Advances in computing and network communications, vol. 1, no. 1, pp. 605-618, 2021.
[35] X. Pu, Y. Zhang and Q. Ruan, “Optimization of Intrusion Detection System Based on Improved Convolutional Neural Network Algorithm,” Mathematical Problems in Engineering, vol. 1, no. 1, pp. 23-56, 2022.
[36] M. S. ElSayed, N. A. Le-Khac, M. A. Albahar and A. Jurcut, “A novel hybrid model for intrusion detection systems in SDNs based on CNN and a new regularization technique,” Journal of Network and Computer Applications, vol. 191, no. 1, pp. 103160, 2021.
[37] A. Abusitta, M. Bellaiche, M. Dagenais and T. Halabi, “A deep learning approach for proactive multi-cloud cooperative intrusion detection system,” Future Generation Computer Systems, vol. 98, no. 1, pp. 308-318, 2019.
[38] M. Mayuranathan, M. Murugan and V. Dhanakoti, “Best features based intrusion detection system by RBM model for detecting DDoS in cloud environment,” Journal of Ambient Intelligence and Humanized Computing, vol. 12, no. 3, pp. 3609-3619, 2021.
[39] S. Zavrak and M. Iskefiyeli, “Anomaly-based intrusion detection from network flow features using variational autoencoder,” IEEE Access, vol. 8, no. 1, pp. 108346–108358, 2020.
[40] H. Choi, M. Kim, G. Lee and W. Kim, “Unsupervised learning approach for network intrusion detection system using autoencoders,” J. Supercomput, vol. 75, no. 1, pp. 5597–5621, 2019.
[41] M. T. Nguyen and K. Kim, “Genetic convolutional neural network for intrusion detection systems,” Future Generat. Comput. Syst., vol. 113, no. 1, pp. 418–427, 2020.
[42] V. Gowdhaman and R. Dhanapal, “An intrusion detection system for wireless sensor networks using deep neural network,” Soft Computing, vol. 26, no. 23, pp. 13059-13067, 2022.
