Cloud environments require stronger security because of the exponential growth of information, policies, services, resources, applications and users. Flooding attacks such as SYN flood, UDP flood, HTTP flood and FIN-WAIT pose a dangerous threat to Web servers, DNS servers, Mail servers, VoIP servers and similar services. These flooding attacks exhaust the limited capacity of the server resources, so that legitimate users are unable to access the resources of the server. Existing detection techniques used in firewalls, IPS, IDS and similar products fail to identify illegitimate traffic because of its self-similarity to legitimate traffic, and they suffer from low detection accuracy and high false alarm rates. Hence an automatic, self-intelligent mechanism is needed to identify the attacks that reduce the performance of the server. An Intrusion Detection System (IDS) is an updatable, extensible and flexible security component that is essential for protecting resources from illegitimate traffic and users in a cloud environment. This paper deals with the existing computational techniques available for IDS in the cloud and their merits and demerits. The contents of this study provide useful insights into the current IDS literature and are also a good source for anyone interested in the application of IDSs.
Security has become more challenging in the cloud environment over the past years because of the exponential growth of information, policies, services and resources. The confidentiality, integrity and availability of resources and networks must be protected against the different types of vulnerabilities that occur in the cloud in order to create and maintain a secure environment for users. Traditional security approaches such as firewalls, access control and encryption models have failed to protect computer systems and networks from sophisticated attacks and malware [2]. An Intrusion Detection System (IDS) is the appropriate and essential component that automatically detects various kinds of intrusions or unwanted traffic against computer systems by monitoring and analyzing the behavior of users, computer systems or networks. An IDS must also manage a huge amount of assessment data, such as network access traffic and administrative control data for data and applications, whenever a new attack appears, and cope with increased network throughput and speed without degradation of its detection rate.
Present-day IDSs have failed to detect the new sophisticated attacks and malware that take place in the cloud. Basically, an IDS collects the data to be examined, eliminates unnecessary information from the collected data, preprocesses it, and then makes a decision by monitoring the behavior of the data and analyzing whether any activity violates the security rules. Once the IDS identifies that an unusual activity has happened, it either discards the examined data or alerts the security administrator. Detection models are used to find the patterns of intrusive behavior in the audit data, and performance depends on how the detection models are constructed. Detection models are constructed with artificial neural networks, fuzzy sets, artificial immune systems, swarm intelligence and soft computing.
The cloud is a distributed and open resource environment, which makes more attacks on its resources and services possible. It suffers from various attacks such as IP spoofing, ARP spoofing, Routing Information Protocol attacks, DNS poisoning, flooding, Denial of Service (DoS) and others. Commonly, a cloud attack affects the availability of the service to authorized users. The rest of the paper is organized as follows: Section 1 discusses the general detection schemes and types applicable to the cloud environment. Existing detection models for clouds are discussed briefly in Section 2. Section 3 presents the performance evaluation of IDSs. Section 4 gives the conclusion, followed by the references.
The efficiency of an IDS depends on the techniques used in the design of its detection model for recognizing and analyzing the status of patterns with speed and correctness. The various techniques used in IDSs are described briefly below.
Signature detection is the process of recognizing a string or pattern in the examined data and comparing it with the known attack patterns or threats available in a database. It is the simplest and an effective method for detecting known attacks, but it is ineffective against unknown attacks and variants of known attacks [15]. It is time consuming, and it is hard to keep the patterns up to date. In the cloud, a signature-based intrusion detection system can be situated either at the front end of the cloud to detect external intrusions or at the back end to detect external and internal intrusions. A signature pattern contains header and option elements such as source address, destination address, ports, payload and metadata that are used to determine whether the traffic is legitimate. Some existing work on signature-based detection for the cloud is discussed in Section 2.
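As an added illustration of the pattern matching just described (not code from this paper or from any work it cites), the following Python example matches packet records against signatures built from the header and option fields listed above: protocol, addresses, ports, payload content and flag metadata. The `Packet` and `Signature` types, the signature database and the traffic sample are all constructed for this example; the last packet shows the limitation noted in the text, a URL-encoded variant of a known pattern that the exact-match rule does not recognize.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Packet:
    """One captured packet, reduced to the header/option fields a signature inspects (constructed)."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    meta: dict = field(default_factory=dict)   # e.g. {"flags": "S"} for a TCP SYN

@dataclass
class Signature:
    """A rule from the signature database; every field left at its default matches anything."""
    sid: int
    msg: str
    proto: str = "any"
    src: str = "any"                  # "any", a single host, or a CIDR block
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None   # byte string that must occur in the payload
    flags: Optional[str] = None       # exact TCP flag string expected in meta["flags"]

def _addr_match(rule: str, addr: str) -> bool:
    if rule == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)

def matches(sig: Signature, pkt: Packet) -> bool:
    """True when every field the signature constrains agrees with the packet.
    Cheap header comparisons run first, so the payload search only happens when they pass."""
    if sig.proto != "any" and sig.proto != pkt.proto:
        return False
    if not _addr_match(sig.src, pkt.src) or not _addr_match(sig.dst, pkt.dst):
        return False
    if sig.sport is not None and sig.sport != pkt.sport:
        return False
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    if sig.flags is not None and pkt.meta.get("flags") != sig.flags:
        return False
    if sig.content is not None and sig.content not in pkt.payload:
        return False
    return True

def scan(packets: List[Packet], signatures: List[Signature]) -> List[Tuple[int, str, str]]:
    """Return one (sid, msg, src) alert for every (packet, signature) pair that matches."""
    return [(sig.sid, sig.msg, pkt.src)
            for pkt in packets for sig in signatures if matches(sig, pkt)]

# Constructed signature database (hypothetical rules, not taken from any real ruleset).
SIGNATURES = [
    Signature(1000001, "HTTP request containing a directory traversal sequence",
              proto="tcp", dport=80, content=b"../"),
    Signature(1000002, "TCP SYN to the DNS server from the untrusted block",
              proto="tcp", src="198.51.100.0/24", dst="10.0.0.53", dport=53, flags="S"),
    Signature(1000003, "SNMP request carrying the default community string",
              proto="udp", dport=161, content=b"public"),
]

# Constructed traffic sample: the first two packets match, the last two do not.
SAMPLE = [
    Packet("tcp", "203.0.113.5", "10.0.0.10", 40000, 80, b"GET /../../etc/passwd HTTP/1.1\r\n", {"flags": "PA"}),
    Packet("tcp", "198.51.100.7", "10.0.0.53", 51000, 53, b"", {"flags": "S"}),
    Packet("tcp", "10.0.0.20", "10.0.0.10", 41000, 80, b"GET /index.html HTTP/1.1\r\n", {"flags": "PA"}),
    Packet("udp", "10.0.0.30", "10.0.0.10", 42000, 161, b"\x30\x26\x02\x01\x00\x04\x06mgmt42", {}),
]

# The limitation the text notes: an encoded variant of a known pattern slips past the exact match.
VARIANT = Packet("tcp", "203.0.113.5", "10.0.0.10", 40001, 80,
                 b"GET /..%2f..%2fetc/passwd HTTP/1.1\r\n", {"flags": "PA"})

if __name__ == "__main__":
    for alert in scan(SAMPLE + [VARIANT], SIGNATURES):
        print(alert)
```

Running the block prints the two alerts and nothing for the variant. The usual remedy is to decode and normalize the payload before matching, which adds exactly the per-packet work that makes signature matching time consuming and explains why the pattern database has to be kept current.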
Anomaly detection recognizes patterns that do not match the well-known normal behaviors derived from monitoring regular activities, network connections, hosts or users over a period of time [16]. Statistical tests are then applied to the observed behavior to determine whether it is legitimate. An anomaly-based IDS compares normal profiles with observed events to recognize significant attacks. It has the advantage of detecting attacks that have not been seen previously. The key to using this approach efficiently is to generate rules in such a way that the false alarm rate is lowered for unknown as well as known attacks. Some existing work on anomaly detection for the cloud is discussed in Section 2. Anomaly detection techniques can be used in the cloud to detect unknown attacks at different levels. In the cloud, a large number of events (at the network, application or system level) occur, which makes it difficult to monitor or control intrusions using anomaly detection. Many detection techniques such as Artificial Neural Networks, fuzzy logic, association rule mining, Support Vector Machines and Genetic Algorithms can be used to improve the detection accuracy and efficiency of an anomaly-based IDS. This kind of detection is less dependent on the operating system and is effective at detecting new and unforeseen vulnerabilities in the cloud. However, it takes some time to trigger alerts and is unavailable while the behavior profile is being rebuilt.
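The profile-plus-statistical-test loop described above, as an added example that is not taken from this paper or from [16]: a profile learns the mean and standard deviation of a few per-host features from observations assumed to be normal, and a new observation is flagged when any feature lies more than a chosen number of standard deviations from the profile. The feature names, the baseline minutes and the scored observations are constructed; the `min_samples` rule models the period during which the profile is being built or rebuilt and no verdict can be given.

```python
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Per-host features summarised once a minute (constructed for this example).
FEATURES = ("conn_per_min", "syn_ratio", "distinct_dst_ports")

class AnomalyProfile:
    """Mean and standard deviation of each feature, learned from observations believed to be normal."""

    def __init__(self, min_samples: int = 10):
        self.min_samples = min_samples
        self.samples: List[Dict[str, float]] = []
        self.mean: Optional[Dict[str, float]] = None
        self.std: Optional[Dict[str, float]] = None

    def learn(self, obs: Dict[str, float]) -> None:
        """Add one normal observation; the profile becomes usable once min_samples have been seen."""
        self.samples.append(obs)
        if len(self.samples) >= self.min_samples:
            self.mean = {f: mean(s[f] for s in self.samples) for f in FEATURES}
            self.std = {f: pstdev(s[f] for s in self.samples) for f in FEATURES}

    @property
    def ready(self) -> bool:
        return self.mean is not None

    def zscores(self, obs: Dict[str, float]) -> Optional[Dict[str, float]]:
        """Statistical test: how many standard deviations each feature lies from the profile."""
        if not self.ready:
            return None
        out = {}
        for f in FEATURES:
            sd = self.std[f] if self.std[f] > 0 else 1e-9   # guard against a constant baseline feature
            out[f] = abs(obs[f] - self.mean[f]) / sd
        return out

def build_profile(normal: List[Dict[str, float]], min_samples: int = 10) -> AnomalyProfile:
    profile = AnomalyProfile(min_samples)
    for obs in normal:
        profile.learn(obs)
    return profile

def classify(profile: AnomalyProfile, obs: Dict[str, float],
             threshold: float = 3.0) -> Tuple[str, Optional[str]]:
    """Return ("normal" | "anomalous", worst feature), or ("unknown", None) while the profile is
    still being (re)built, which is the period in which this kind of detector cannot raise alerts."""
    zs = profile.zscores(obs)
    if zs is None:
        return "unknown", None
    worst = max(zs, key=zs.get)
    return ("anomalous" if zs[worst] > threshold else "normal"), worst

# Twelve minutes of constructed normal traffic for one host.
NORMAL = [
    {"conn_per_min": c, "syn_ratio": s, "distinct_dst_ports": p}
    for c, s, p in [(40, 0.05, 3), (45, 0.06, 4), (38, 0.04, 3), (42, 0.05, 3),
                    (50, 0.07, 5), (44, 0.05, 4), (41, 0.04, 3), (47, 0.06, 4),
                    (39, 0.05, 3), (43, 0.05, 4), (46, 0.06, 4), (42, 0.04, 3)]
]

# Constructed observations to score: a quiet minute, a SYN flood and a port sweep.
QUIET = {"conn_per_min": 44, "syn_ratio": 0.05, "distinct_dst_ports": 4}
SYN_FLOOD = {"conn_per_min": 900, "syn_ratio": 0.95, "distinct_dst_ports": 1}
PORT_SWEEP = {"conn_per_min": 60, "syn_ratio": 0.50, "distinct_dst_ports": 120}

if __name__ == "__main__":
    profile = build_profile(NORMAL)
    for name, obs in (("quiet", QUIET), ("syn flood", SYN_FLOOD), ("port sweep", PORT_SWEEP)):
        print(name, classify(profile, obs))
```

The threshold is the false-alarm knob the text refers to: lowering it catches subtler deviations at the price of more alerts on legitimate bursts. The `unknown` verdict makes the blind spot during profile rebuilding explicit instead of silently reporting everything as normal.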
An Artificial Neural Network (ANN) is an adaptive system consisting of an interconnected group of artificial neurons that processes information using a connectionist approach to computation. It has three types of parameters: (i) the interconnection pattern between the different layers of neurons, (ii) the learning process for updating the weights of the interconnections, and (iii) the activation function that converts a neuron's weighted input into its output activation. The objective of using ANNs for intrusion detection is to be able to generalize from data and classify it as normal or intrusive. Various types of ANNs are used in IDSs, such as Back Propagation neural nets, Multi-layer Feed-Forward networks and Multi-layer Perceptrons [17]. Network features such as protocol ID, source port, destination port, source IP address, destination IP address, ICMP type, ICMP code, raw data length and raw data are used for the analysis, but the intrusion detection accuracy obtained from them is very low. An ANN-based IDS is an efficient solution for unstructured network data. The intrusion detection accuracy of an ANN-based approach depends on the number of hidden layers and on the training phase of the ANN. An ANN requires more training samples as well as more time to detect intrusions effectively. Some existing work on ANNs for the cloud is discussed in Section 2.
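To make the three kinds of ANN parameters concrete, here is an added example (not code from this paper or from [17]) of a minimal multi-layer perceptron written without any numerical library: the fully connected input-hidden-output layout is the interconnection pattern, per-sample gradient descent is the learning process, and the logistic function is the activation function. The three scaled features and the eight labelled windows are constructed, and the network size, learning rate and epoch count are assumptions chosen for this toy data.

```python
import math
import random
from typing import List, Sequence, Tuple

def sigmoid(x: float) -> float:
    """Activation function: squashes a neuron's weighted input into (0, 1)."""
    return 1.0 / (1.0 + math.exp(-x))

class TinyMLP:
    """Fully connected input -> hidden -> output network (the interconnection pattern),
    trained by per-sample gradient descent (the learning process)."""

    def __init__(self, n_in: int, n_hidden: int, seed: int = 1):
        rng = random.Random(seed)   # fixed seed so the run is repeatable
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x: Sequence[float]) -> Tuple[List[float], float]:
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        output = sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)
        return hidden, output

    def train(self, data: Sequence[Tuple[Sequence[float], int]],
              epochs: int = 2000, lr: float = 0.5) -> None:
        for _ in range(epochs):
            for x, target in data:
                hidden, output = self.forward(x)
                d_out = output - target          # dL/dz for cross-entropy loss with a sigmoid output
                # hidden-layer error, computed with the output weights before they are updated
                d_hidden = [d_out * w * h * (1.0 - h) for w, h in zip(self.w2, hidden)]
                for j, h in enumerate(hidden):
                    self.w2[j] -= lr * d_out * h
                self.b2 -= lr * d_out
                for j, dj in enumerate(d_hidden):
                    for i, xi in enumerate(x):
                        self.w1[j][i] -= lr * dj * xi
                    self.b1[j] -= lr * dj

    def predict(self, x: Sequence[float]) -> int:
        """1 = intrusive, 0 = normal."""
        return 1 if self.forward(x)[1] >= 0.5 else 0

# Constructed per-window features, each scaled to [0, 1]:
# (share of SYN-only segments, connection rate, mean payload size). Label 1 = SYN flood window.
TRAINING = [
    ([0.05, 0.10, 0.60], 0), ([0.08, 0.20, 0.70], 0), ([0.04, 0.15, 0.50], 0), ([0.10, 0.25, 0.65], 0),
    ([0.90, 0.95, 0.05], 1), ([0.85, 0.90, 0.10], 1), ([0.95, 0.80, 0.02], 1), ([0.80, 0.85, 0.08], 1),
]

def train_flood_classifier() -> TinyMLP:
    net = TinyMLP(n_in=3, n_hidden=4)
    net.train(TRAINING)
    return net

def accuracy(net: TinyMLP, data: Sequence[Tuple[Sequence[float], int]]) -> float:
    return sum(net.predict(x) == t for x, t in data) / len(data)

if __name__ == "__main__":
    net = train_flood_classifier()
    print("training accuracy:", accuracy(net, TRAINING))
    print("unseen flood window ->", net.predict([0.88, 0.92, 0.04]))
    print("unseen quiet window ->", net.predict([0.06, 0.12, 0.55]))
```

Even this tiny network needs thousands of passes over eight samples, which is the training cost the text mentions; the number of hidden units and the amount of labelled data both have to grow for real traffic, and a class that is rare in the training set is exactly where such a network generalizes poorly.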
To reduce the training time of an ANN, fuzzy logic and association rules can be used for fast detection of known attacks, unknown attacks or variants of known attacks in the cloud. Fuzzy logic permits rough values and assumptions as well as incomplete or uncertain data, as opposed to relying only on crisp data. IDS researchers have introduced fuzzy IDSs for network intrusions such as SYN and UDP floods, Ping of Death, e-mail bombs, FTP/Telnet password guessing and port scanning. Some existing fuzzy-based IDSs are discussed in Section 3 of this paper.
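An added example of the fuzzy reasoning described above, not taken from this paper or from any fuzzy IDS it cites: two crisp measurements, the SYN rate and the share of half-open connections, are mapped to linguistic terms through trapezoidal membership functions and combined by a small rule base whose output is a graded flood score rather than a yes/no verdict. The membership breakpoints, the rules and the decision thresholds are constructed for illustration.

```python
from typing import Dict, Tuple

def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Membership degree: rises over [a, b], is 1 on [b, c], falls over [c, d];
    a == b or c == d gives a shoulder that stays at 1 out to the edge."""
    if x < a or x > d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)

def fuzzify_syn_rate(syn_per_s: float) -> Dict[str, float]:
    """Constructed membership functions for the number of SYN segments seen per second."""
    return {
        "low": trapezoid(syn_per_s, 0, 0, 100, 300),
        "medium": trapezoid(syn_per_s, 200, 500, 500, 800),
        "high": trapezoid(syn_per_s, 600, 1000, float("inf"), float("inf")),
    }

def fuzzify_half_open(ratio: float) -> Dict[str, float]:
    """Membership of the share of connections stuck half-open (handshake never completed)."""
    return {
        "low": trapezoid(ratio, 0, 0, 0.2, 0.5),
        "high": trapezoid(ratio, 0.3, 0.7, 1.0, 1.0),
    }

# Rule base: (syn_rate term, half_open term, constant consequent). AND is min, and the output is
# the firing-strength-weighted average of the consequents (Sugeno style), so verdicts are graded.
RULES = [
    ("high", "high", 1.0),     # flood: many SYNs and most never complete the handshake
    ("high", "low", 0.5),      # flash crowd: many SYNs but handshakes do complete
    ("medium", "high", 0.6),
    ("medium", "low", 0.2),
    ("low", None, 0.0),        # low rate is normal whatever the half-open share
]

def fuzzy_flood_score(syn_per_s: float, half_open_ratio: float) -> float:
    rate = fuzzify_syn_rate(syn_per_s)
    half = fuzzify_half_open(half_open_ratio)
    weighted, total = 0.0, 0.0
    for rate_term, half_term, consequent in RULES:
        strength = rate[rate_term] if half_term is None else min(rate[rate_term], half[half_term])
        weighted += strength * consequent
        total += strength
    return weighted / total if total > 0 else 0.0

def classify_flood(syn_per_s: float, half_open_ratio: float) -> Tuple[str, float]:
    """Map the graded score onto the three verdicts an operator would act on."""
    score = fuzzy_flood_score(syn_per_s, half_open_ratio)
    if score >= 0.7:
        label = "attack"
    elif score >= 0.4:
        label = "suspicious"
    else:
        label = "normal"
    return label, round(score, 3)

if __name__ == "__main__":
    for args in ((50, 0.1), (1500, 0.9), (1500, 0.1), (650, 0.6)):
        print(args, classify_flood(*args))
```

The (650, 0.6) case sits between rule regions and receives a score of 0.68, i.e. "suspicious": this is the tolerance for rough and uncertain input that the text credits to fuzzy logic, where a crisp threshold would have to pick one side. The rule base needs no training phase; its cost is the expert effort of choosing the membership breakpoints.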
A genetic algorithm gives an optimum solution for a problem that requires a genetic representation of the solution domain and a fitness function to evaluate it. Genetic algorithms are used to select network features that can then be used in other techniques to optimize results and improve the accuracy of an IDS [20]. In a cloud environment, selecting optimal parameters such as Duration, Protocol, Source_port, Destination_port, Source_IP, Destination_IP and Attack_name for intrusion detection will increase the accuracy of the underlying IDS. For that purpose, a Genetic Algorithm (GA) based IDS can be used in the cloud. Dhanalakshmi et al. [21] suggested a method that detects misuse and anomalies by combining fuzzy and genetic algorithms: fuzzy logic is used to include quantitative parameters in intrusion detection, whereas the genetic algorithm is used to find the best-fit parameters of the introduced numerical fuzzy function. Some existing genetic algorithm based IDSs are discussed in Section 2 of this paper.
Application-level IDSs have been developed based on an accounting model that uses cookies. Cookies by themselves offer low security; hence many authors have proposed integrity verification to raise the security level of cookies. To detect duplicate requests, researchers have suggested keeping a request history to verify the status of each request, but maintaining information about the requests on the server side is very complicated and becomes an overhead. Hence a new idea has been proposed that verifies the integrity of cookies instead of keeping a request history on the server side. The client has the opportunity to modify the cookie because it is held on the client side; to avoid this, a secure cookie scheme is proposed, with a new standard cookie format intended to prevent any modification by the client. Existing proposals for application-based IDSs have been tested with fewer than 1000 requests; hence the scalability of these IDSs is questionable.
Irfan Gul et al. [1] proposed a multi-threaded NIDS model for a distributed cloud environment to handle a large volume of network, control and application data while reducing packet loss. The system consists of three modules: a capture and queuing module, an analysis/processing module and a reporting module. The capture module collects in-bound and out-bound data packets and sends them to a shared queue for analysis. The analysis module checks the packets in the shared queue against pre-defined rules and a signature base. If a violation is found in a packet, the report module informs a third-party monitoring and advisory service, which then forwards the report to the cloud providers. In this work, multiple threads are used to analyze the status of the packets concurrently. The advantages of the model are that a high volume of data can be handled by a single-node IDS and that memory consumption and packet loss are reduced. This IDS cannot identify new attackers because it is based on a signature base.
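The capture/queue, analysis and report pipeline of the model above, as an added example in Python that is not the authors' code: a capture routine fills a bounded shared queue, several analysis threads drain it concurrently against a small rule base, and a report function aggregates the matches for the external monitoring service. The rule base and the traffic are constructed; the bounded queue is an assumption chosen to show the design point that packets wait rather than being dropped when analysis lags behind capture.

```python
import queue
import threading
from collections import Counter
from typing import Dict, List, Tuple

SENTINEL = None   # placed on the queue by the capture module once the packet source is exhausted

# Constructed signature base: (sid, destination port, byte pattern the payload must contain).
RULES = [
    (1, 80, b"/etc/passwd"),
    (2, 25, b"VRFY "),
]

def capture(packets, q: "queue.Queue") -> None:
    """Capture/queuing module: pushes every in-bound and out-bound packet record onto the shared
    queue. The queue is bounded, so when analysis falls behind this thread blocks instead of dropping."""
    for pkt in packets:
        q.put(pkt)
    q.put(SENTINEL)

def analysis_worker(q: "queue.Queue", rules, alerts: List[Tuple[int, str]],
                    lock: threading.Lock) -> None:
    """Analysis/processing module: one of several identical threads matching packets against rules."""
    while True:
        pkt = q.get()
        if pkt is SENTINEL:
            q.put(SENTINEL)   # hand the stop marker on to the remaining workers
            return
        for sid, dport, pattern in rules:
            if pkt["dport"] == dport and pattern in pkt["payload"]:
                with lock:
                    alerts.append((sid, pkt["src"]))

def report(alerts: List[Tuple[int, str]]) -> Dict[Tuple[int, str], int]:
    """Reporting module: aggregate matches per (rule, source) for the external monitoring service."""
    return dict(Counter(alerts))

def run_nids(packets, rules=RULES, n_workers: int = 4,
             queue_size: int = 64) -> Dict[Tuple[int, str], int]:
    q: "queue.Queue" = queue.Queue(maxsize=queue_size)
    alerts: List[Tuple[int, str]] = []
    lock = threading.Lock()
    workers = [threading.Thread(target=analysis_worker, args=(q, rules, alerts, lock))
               for _ in range(n_workers)]
    for w in workers:
        w.start()
    capture(packets, q)       # runs on the calling thread while the workers drain the queue
    for w in workers:
        w.join()
    return report(alerts)

def constructed_traffic(n_benign: int = 500):
    """Constructed capture: benign web requests with a few rule-triggering packets mixed in."""
    pkts = [{"src": f"10.0.{i % 8}.{i % 200 + 1}", "dport": 80,
             "payload": b"GET /index.html HTTP/1.1\r\n"} for i in range(n_benign)]
    pkts.insert(37, {"src": "203.0.113.9", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"})
    pkts.insert(150, {"src": "203.0.113.9", "dport": 80, "payload": b"GET /cgi/../etc/passwd HTTP/1.1\r\n"})
    pkts.insert(301, {"src": "203.0.113.9", "dport": 80, "payload": b"GET /../etc/passwd HTTP/1.0\r\n"})
    pkts.insert(410, {"src": "198.51.100.4", "dport": 25, "payload": b"VRFY root\r\n"})
    pkts.insert(480, {"src": "198.51.100.4", "dport": 25, "payload": b"VRFY admin\r\n"})
    return pkts

if __name__ == "__main__":
    for key, count in sorted(run_nids(constructed_traffic()).items()):
        print(key, count)
```

Because the workers share one alert list under a lock and the summary is a count per (rule, source) pair, the result is the same whichever thread matched which packet. For CPU-bound matching in CPython, worker processes rather than threads would be needed to gain real parallelism; the queue-and-workers structure stays the same.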
It is difficult to detect a user's profile in a cloud environment. The cloud service provider provides a username and password to the user for accessing the services available in the cloud, but sometimes even an authorized user misuses the available cloud resources and services. To resolve this problem, an agent-based IDS was proposed [3] that tracks the activities of the user based on signature patterns. This model has many limitations, such as no interoperability between the various agents in the system; hence conflicts can occur in the decision-making process of the IDS.
Generally, an IDS examines the traffic from each Virtual Machine (VM) and generates alert logs for the security administrator. A cloud computing system is used by a large number of users and therefore generates a huge amount of logs, which is very difficult for security administrators to analyze. To solve this problem, a multi-level IDS with log management [4] was proposed that applies a strong security policy to all traffic and binds users to different security groups according to their degree of anomaly. An AAA (Authentication, Authorization and Accounting) module checks the user's authentication and latest anomaly level and assigns the appropriate IDS to the inbound traffic.
Yizhang Guan et al. [5] proposed a qualitative analysis framework for the construction of an intrusion detection system in E-government, since it is a more reasonable strategy to organize the system before implementation. The behavior of the cloud must change when an attack happens. The features of the cloud can be extracted as random variables whose value ranges are bounded for a given cloud: when the cloud is not under attack, the random variables stay within a bounded interval, and when attacks occur, their values fall outside these intervals.
Service-based or subscription-based intrusion detection [6] was proposed, which receives requests from cloud users and translates them into a standardized signature database that can then be deployed and utilized as the Cloud Intrusion Detection Service (CIDS). This idea may be fully capable of handling cloud variations. It consists of three layers: the User layer, the System layer and the Database layer. The User layer defines the subscription and protection requirements and converts them into actual IDS runtime configurations. The System layer acts as the driver for the IDS service; it understands the alerting mechanism and signature syntax and provides an API. The Database layer tracks the subscribers' settings and enables fast access to them for any later updates, either to the cloud segment or to the subscription details.
Roschke et al. [7] proposed an intrusion detection framework based on VM-based IDSs. In their work they developed a general framework for intrusion detection consisting of separate IDS sensors for each virtual host; the sensors can come from different vendors. To enable the collection and correlation of alerts from the different IDS implementations, an Event Gatherer acts as a medium that standardizes the output of the different sensors and realizes the logical communication. The cloud user has access to both the applications and the IDS sensors: users can access the sensors, configure them, modify rule sets and modify detection thresholds. Additionally, users can review the alerts generated when attacks targeting their virtual hosts or services are spotted. The framework also includes an IDS Management module that is responsible for orchestrating the message passing and alert transfer between the different IDS sensors and the main storage unit, whether that is a file system, a network database or a shared folder. Separating the IDS from the protected hosts in this way is of great advantage, but the approach is criticized for its large consumption of computing resources, since every virtual application, platform or host needs a separate VM-based IDS.
Sudhir N. Dhage et al. [8] proposed an architecture capable of detecting intrusions and safeguarding a distributed cloud computing environment from possible security breaches. Each user deploys a separate instance of the IDS and uses a separate controller to manage the instances. This architecture can combine signature-based and learning-based approaches and is available to individual users.
Bakshi, A. et al. [9] suggest a virtualization strategy for preventing Denial of Service attacks in the cloud. Once the cloud identifies an abnormal spike in inbound traffic, the targeted applications can be immediately transferred to virtual machines hosted in another data center. This approach consumes more computation within the cloud environment.
The CIDS framework [1] was proposed to support end users accessing powerful services and applications through the Internet on the cloud. It reduces the impact of attacks by giving timely notifications about intrusions, thereby providing secure and reliable services in the cloud. The architecture provides multiple elementary detectors that exchange knowledge among themselves periodically.
The authors of [10] proposed a global view of the monitored cloud network, which is required for accurate detection of intrusions in the cloud. The proposed mechanism monitors the message exchange between nodes and the actions occurring in each node. Audited data is sent to the IDS service core, which analyzes the performance using AI to detect any deviations from normal traffic. The analyzer uses a profile history database to determine the distance between typical user performance and the suspected performance and reports this to the IDS service.
This framework [10] reduces the impact of Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks in the cloud environment. In this system each IDS has a cooperative agent that computes and determines whether to accept the alerts sent from other IDSs. In this way the IDSs can avoid the same type of attack happening again. The system adds only a little computation effort compared with a pure Snort-based IDS but protects the system from a single point of failure. This model enables the identification of malicious activities from different points of the network and overcomes the deficiency of classical intrusion detection.
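The cooperative agent's accept-or-reject decision, as an added example that is not code from [10]: each IDS node keeps its own trust score per peer and a tally of the distinct peers that reported the same (attack, source) pair, acts on an alert only when a quorum is reached, and adjusts trust after local verification. The peer names, initial trust, quorum, trust deltas and the whole exchange in `scenario()` are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

class CooperativeAgent:
    """The cooperative agent attached to one IDS node. It decides on its own whether to accept
    alerts received from peer IDSs, so no central correlator is needed (no single point of failure)."""

    def __init__(self, node_id: str, peers, quorum: int, min_trust: float = 0.25):
        self.node_id = node_id
        self.peers: Set[str] = set(peers)
        self.quorum = quorum             # distinct reporters needed before an alert is acted on
        self.min_trust = min_trust
        self.trust: Dict[str, float] = {p: 0.5 for p in self.peers}
        self.reporters: Dict[Tuple[str, str], Set[str]] = defaultdict(set)   # (attack, src) -> nodes
        self.blocked: Set[str] = set()

    def receive(self, sender: str, alert: Dict[str, str]) -> str:
        """Accept an alert only from a known, sufficiently trusted peer, and act on it only once a
        quorum of distinct peers has reported the same (attack, source) pair."""
        if sender not in self.peers:
            return "rejected-unknown-peer"
        if self.trust[sender] < self.min_trust:
            return "rejected-low-trust"
        key = (alert["attack"], alert["src"])
        self.reporters[key].add(sender)
        if len(self.reporters[key]) >= self.quorum:
            self.blocked.add(alert["src"])
            return "accepted"
        return "pending"

    def feedback(self, alert: Dict[str, str], confirmed: bool) -> None:
        """After local verification, raise or lower trust in every peer that reported the alert."""
        key = (alert["attack"], alert["src"])
        delta = 0.1 if confirmed else -0.2
        for peer in self.reporters[key]:
            self.trust[peer] = max(0.0, min(1.0, self.trust[peer] + delta))
        if not confirmed:
            self.reporters.pop(key, None)   # constructed policy: unconfirmed votes do not accumulate

def scenario() -> Tuple[CooperativeAgent, List[str]]:
    """Constructed exchange among four IDS nodes; returns node A and its decisions in order."""
    a = CooperativeAgent("A", peers=["B", "C", "D"], quorum=2)
    flood = {"attack": "syn-flood", "src": "203.0.113.77"}
    bogus = {"attack": "syn-flood", "src": "10.0.0.5"}
    decisions = [
        a.receive("B", flood),          # first report: pending
        a.receive("C", flood),          # second distinct peer: quorum met, source blocked
        a.receive("Z", flood),          # not a known peer
        a.receive("D", bogus),          # a single peer cannot force a block on its own
    ]
    a.feedback(bogus, confirmed=False)   # local check finds nothing: D's trust 0.5 -> 0.3
    decisions.append(a.receive("D", bogus))   # still above the trust floor: pending
    a.feedback(bogus, confirmed=False)        # unconfirmed again: D's trust 0.3 -> 0.1
    decisions.append(a.receive("D", bogus))   # now rejected outright
    return a, decisions

if __name__ == "__main__":
    agent, decisions = scenario()
    print(decisions)
    print("blocked:", agent.blocked, "trust:", agent.trust)
```

Because every node runs this logic independently, a compromised or faulty peer can neither block traffic on its own (the quorum) nor keep having its false alerts accepted (trust decay), and the loss of any one node stops nothing else; that is the single-point-of-failure property the text claims for the cooperative design.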
A new method was proposed by Sanjay Ram [13] to build a mutual and reliable computing environment by integrating the trusted computing platform with the cloud. A cloud involves a large number of entities such as users, services and resources from different sources. The Trusted Platform Module (TPM) is logically independent hardware that can be used to verify the identity of users accessing the cloud. It contains a private master key that can provide protection for all information in the cloud, and it provides the trust root for all users accessing the services and resources in the cloud. A role-based access model was used to identify the permission level of each user in the cloud. The proposed mutual IDS adds only a little computation effort compared with a pure Snort-based IDS, but the probability of the IDS surviving a denial-of-service attack is improved.
Generally, IDSs are designed to handle specific types of attacks, and it is obvious that no single technique can guarantee protection against future attacks. Hence there is a need for an integrated scheme that can provide robust protection against the complete spectrum of threats. There is a great need for technology that enables the network and its hosts to defend themselves with some level of intelligence, in order to accurately identify and block malicious traffic and activities. Based on this, the authors of [14] proposed an effective and efficient model that combines IDS and IPS in a single mechanism by integrating two techniques, Anomaly Detection (AD) and Signature Detection (SD), which work in cooperation to detect a wide range of attacks and stop them through the capability of the IPS.
The authors of [18] introduced an intrusion detection software component based on text mining techniques that learns the characteristics of both normal and malicious user behavior from the log entries generated by the web server. The concept is applied directly to the application layer instead of the network layer. The novelty of this approach is the use of text mining methods, and particularly text categorization, to detect misuse of the web application in its access control aspects.
ANN-based IDSs still lack detection stability and detection precision for low-frequency attacks. Hence Gang Wang et al. [19] proposed a new approach called FC-ANN to achieve a higher detection rate, a lower false positive rate and stronger stability. In this method, a fuzzy clustering technique is used to generate different training subsets, on which different ANN models are trained to form different base models; to eliminate the errors of the individual ANNs, a fuzzy aggregation module is proposed that learns again by combining the results of the different ANNs and predicts an accurate decision.
This work is based on a novel combination of behavior-based and knowledge-based mechanisms in an intrusion detection system [22]. The behavior-based approach facilitates improved detection, whereas the knowledge-based approach supports the detection scheme with its definitive rule base. The integrated functionality of these approaches has been improved to lower the false positives. The approach sends an alert to each cluster when detecting false alarms from any malicious nodes.
The authors of [23] proposed a cookie-based accounting model to detect duplicate request attacks at the server. Cookies provide low security, but this accounting model increases the security level of the cookie through integrity verification. Every client sends its request and receives the response through the entry and exit points respectively. When a client request enters the server, the integrity of the request history is verified by the hash value verifier, and the request history is analyzed by the hash value verifier and the history analyzer. If the request is legitimate, it is processed by the client request processor, and the response is prepared and sent to the request history generator. If the request is the first from that client, a request history is generated; otherwise the existing request history is updated. In addition, a hash value is generated and stored in the hash value database for subsequent history verification. In this model the cookie may be vulnerable during key updates and with respect to confidentiality; this may be considered in our future work.
Application-layer denial of service attacks [25] work by sending numerous Web Service Definition Language (WSDL) requests, where each request carries multiple signature blocks and deeply nested XML in the message. Hence preventing these application-layer DoS attacks is very important in order to save memory and CPU cycles and to protect critical infrastructure. In the OTP-based model [26], for every new cookie or for each update of an old one, a new random key is created, the cookie information is encrypted with it, and the older keys are removed. Whenever the server creates or updates a cookie, it creates a new random key to encrypt the information, and the random key is stored in place of the older one in the database, together with additional details such as the session time and the index string that identifies the database entry. Whenever the server receives a cookie, it decrypts the cookie using the key stored in the database and allows the client request to be processed if the cookie is valid. At the end, the updated cookie is again encrypted with a new key and embedded within the response.
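The cookie integrity verification and request history of the accounting model discussed above and in [23], together with the per-update random key of the OTP-based model [26], as one added example in Python that is not the cited authors' code: the cookie carries a session index and a request sequence number under an HMAC, the server stores one random key per session with its expiry, and that key is replaced on each update so that a superseded cookie no longer verifies. The example uses a MAC for integrity where [26] encrypts the cookie contents; the field layout, the `rotate_every` interval and the `edit_seq` helper used to exercise the integrity check are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional, Tuple

class CookieServer:
    """Server side of a constructed accounting-cookie scheme. The cookie carries a session index and
    a request sequence number (the request history) under an HMAC; the server keeps one key per
    session and replaces it with a fresh random key every `rotate_every` requests (every request by
    default), so an older cookie version can no longer be verified once it has been superseded."""

    def __init__(self, session_ttl: float = 600.0, rotate_every: int = 1,
                 now: Callable[[], float] = time.time):
        self.db = {}                 # index -> {"key": bytes, "seq": int, "expires": float}
        self.ttl = session_ttl
        self.rotate_every = rotate_every
        self.now = now               # injectable clock so expiry can be exercised deterministically

    @staticmethod
    def _mac(key: bytes, index: str, seq: int) -> str:
        return hmac.new(key, f"{index}:{seq}".encode(), hashlib.sha256).hexdigest()

    def _issue(self, index: str, seq: int, fresh_key: bool) -> str:
        entry = self.db.get(index)
        key = secrets.token_bytes(32) if fresh_key or entry is None else entry["key"]
        self.db[index] = {"key": key, "seq": seq, "expires": self.now() + self.ttl}   # old key is gone
        return base64.urlsafe_b64encode(f"{index}:{seq}:{self._mac(key, index, seq)}".encode()).decode()

    def new_session(self) -> str:
        return self._issue(secrets.token_hex(8), 0, fresh_key=True)

    def handle_request(self, cookie: str) -> Tuple[str, Optional[str]]:
        """Verify the presented cookie; on success return ("ok", the next cookie version)."""
        try:
            index, seq_text, mac = base64.urlsafe_b64decode(cookie.encode()).decode().split(":")
            seq = int(seq_text)
        except (ValueError, UnicodeDecodeError):
            return "rejected-malformed", None
        entry = self.db.get(index)
        if entry is None:
            return "rejected-unknown-session", None
        if self.now() > entry["expires"]:
            del self.db[index]
            return "rejected-expired", None
        if not hmac.compare_digest(mac, self._mac(entry["key"], index, seq)):
            return "rejected-integrity", None      # tampered, or signed under a key already replaced
        if seq != entry["seq"]:
            return "rejected-duplicate", None      # valid signature but stale history: a replay
        next_seq = seq + 1
        return "ok", self._issue(index, next_seq, fresh_key=(next_seq % self.rotate_every == 0))

def edit_seq(cookie: str, new_seq: int) -> str:
    """Constructed test helper: rewrite the seq field without the key, as a client editing its own
    cookie could; the server's integrity check is expected to reject the result."""
    index, _, mac = base64.urlsafe_b64decode(cookie.encode()).decode().split(":")
    return base64.urlsafe_b64encode(f"{index}:{new_seq}:{mac}".encode()).decode()

if __name__ == "__main__":
    srv = CookieServer()
    c0 = srv.new_session()
    status, c1 = srv.handle_request(c0)
    print("first request:", status)
    print("replay of superseded cookie:", srv.handle_request(c0)[0])
    print("client-edited cookie:", srv.handle_request(edit_seq(c1, 99))[0])
```

With the default of a new key per request, a replayed cookie fails the integrity check because its key no longer exists; with `rotate_every` greater than one, the sequence check catches a replay within the key's lifetime instead, which is the request-history rule of [23]. The server-side table is what the text calls the overhead of keeping history, reduced here to one key, one counter and one expiry per session.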
Alfantookh et al. [24] introduced a new neural network based intelligent IDS to detect duplicate request attacks in a web service environment. As in [23], a client history accounting model was proposed to detect and prevent duplicate request attacks in the web service environment. This model efficiently accounts for the request history and serves the client with less computational time, and it also prevents replay and modification attacks on the request history.
This survey paper presents the computational techniques, such as artificial neural networks, fuzzy systems, evolutionary computation methods, artificial immune systems, swarm intelligence and application-level accounting models, that are used in intrusion detection systems. Cloud computing is a large-scale computing infrastructure that is available on demand to fulfil customized user requirements. However, as with any other emerging paradigm, security underpins the extensive adoption of clouds. In addition to the contemporary security issues, clouds present novel security challenges that require dedicated efforts for their solution. An important aspect of intrusion detection is the ability to adapt to constantly changing environments. Current IDSs are not flexible enough to cope with behavioral changes while keeping their detection accuracy. Hence a new IDS will be proposed at the application level that is easy to maintain, extensible and portable in the cloud.