Method Article

Utilizing Adaptive Machine Learning Algorithms for Information Risk Warning and Network Security Scenario Awareness in Cloud Computing Environments

DOI: 10.3791/69633

June 2nd, 2026


Corresponding Authors: Jingjing Xie <jingjing.xie@sphic.org.cn>

* These authors contributed equally


Summary


The paper proposes a novel Machine Learning (ML)-based solution for adaptive network security in cloud-based systems that integrates hierarchical multi-label classification with a dynamic trust evaluation mechanism to improve the accuracy of threat detection and reduce the number of false positives.

Abstract


This study proposes a novel framework for network security situational awareness and risk warning in cloud computing environments, integrating adaptive Machine Learning (ML), Hierarchical Multi-Label Classification (HMC), and a dynamic trust evaluation mechanism based on the cloud model. The complexity, diversity, and real-time nature of emerging cyberattacks, such as zero-day exploits, distributed denial-of-service (DDoS), and botnets, pose significant challenges to traditional rule-based and static detection methods. To address these challenges, we developed an SDN-based cloud architecture built on the Ryu OpenFlow controller and OpenFlow switches. This architecture enables real-time link information collection, dynamic scheduling, and scalable, reliable data transmission. The proposed hierarchical classification framework decomposes multiclass problems into binary tasks, alleviating the effect of sample imbalance and improving the recognition of low-frequency attacks such as User to Root (U2R). Ensemble learning techniques, including AdaBoost and Bagging, further enhance detection accuracy for fine-grained attack types. Experiments conducted on DDoS datasets, cloud traffic data, and simulations in Mininet and EstiNet demonstrate that the combined ML-HMC-trust approach significantly improves detection precision, reduces false positives, and enables real-time response. These results confirm that integrating adaptive learning, hierarchical classification, and dynamic trust evaluation provides a robust and scalable solution for securing large-scale cloud platforms.

Introduction


With the widespread application of cloud computing technology across industries, the scale and volume of data in information systems are growing rapidly, and network threats are becoming more complex, covert, and dynamic [1,2]. Traditional security defense mechanisms based on rules and static models can no longer meet the requirements of real-time detection and accurate early warning when facing changing attack strategies, zero-day vulnerabilities, and large-scale distributed attacks [3]. Therefore, leveraging adaptive ML algorithms to integrate the distributed data processing and intelligent analysis capabilities of cloud computing platforms, so as to achieve comprehensive network security situation awareness and effective early warning of information risks, is a critical challenge in the current information security landscape [4]. This research not only has theoretical significance for improving existing security protection systems, but also offers strong support for securing national key information infrastructure and enterprise core data [5].

There are multiple challenges in realizing network security situation awareness and information risk warning in a cloud computing environment: the data types aggregated on the cloud platform are numerous and their sources are complex, making data preprocessing, feature extraction, and fusion increasingly arduous; in the face of growing network traffic and rapidly changing attack scenarios, the system must respond within a very short time, so real-time detection and warning have become technical bottlenecks; the volume of normal traffic differs greatly from that of attack traffic, so traditional algorithms have low accuracy on small-sample categories (such as U2R and network attacks) and carry a high risk of misjudgment; and in a complex network environment, trust relationships are affected by multiple factors and are both random and uncertain [6,7]. Traditional trust assessment methods based on fixed thresholds struggle to reflect the real state and are easily disturbed by abnormal data. To address these multi-dimensional limitations, this research presents an integrated framework that combines adaptive machine learning, hierarchical multi-label classification, and a dynamic cloud-model-based trust evaluation mechanism. Applying this fusion of techniques within an SDN-driven cloud environment goes beyond incremental refinement by enabling fine-grained recognition of low-frequency attacks, real-time trust adaptation, and scalable situational awareness, which existing methods have not achieved simultaneously.

Cloud computing environments generate massive, highly dynamic, and heterogeneous network traffic, making traditional intrusion detection systems (IDS) unable to accurately identify sophisticated and minority attack types such as U2R and R2L. Existing deep learning (DL)-based IDS solutions improve detection accuracy but still suffer from high computational overhead, slow real-time response, and poor handling of uncertain or evolving trust relationships between network entities. Moreover, most current models operate as flat classifiers and lack mechanisms for fine-grained, hierarchical decision-making or dynamic trust evaluation. These limitations create a critical gap in developing an IDS that can simultaneously deliver real-time detection, accurate minority-class recognition, and reliable trust-aware risk assessment in large-scale cloud environments.

In the existing research on network security situation awareness and information risk warning, many studies use methods such as K-nearest neighbor (KNN) and support vector machine (SVM) to classify and detect network traffic. These algorithms have the advantages of high computational efficiency and easy implementation, especially for preliminary screening of large amounts of data [8,9]. However, their main shortcomings are reflected in several aspects: when faced with a majority of normal traffic and a small number of attack samples in a cloud environment, these traditional ML methods often ignore information from the minority categories, resulting in low recognition rates for fine-grained attacks (such as U2R and network vulnerability attacks); single models are usually sensitive to noise and data outliers, lack the capability to adapt to dynamically changing attack scenarios, and are prone to overfitting or insufficient generalization [10,11].

In recent years, DL methods such as Multi-Layer Perceptron (MLP), CNN, Recurrent Neural Network (RNN), Long Short-Term Memory Network (LSTM), and Gated Recurrent Unit (GRU) have been increasingly applied in the field of network security. With the powerful feature-learning and nonlinear-mapping capabilities of deep neural networks, these methods have significantly improved detection accuracy and enhanced the ability to capture complex attack behaviors compared to traditional ML [12]. However, they have high requirements for computing resources and training data. Especially in the big-data traffic context of cloud computing environments, there is still room for improvement in training overhead and real-time inference speed. When identifying classes with few samples, DL models suffer from class bias caused by data imbalance and show low detection rates for some fine-grained attacks (such as U2R and botnets) [13]. To make up for the limitations of a single model in dealing with data imbalance and multiclass attack identification, some studies have proposed ensemble learning-based solutions, such as Bagging and Boosting, which improve overall prediction accuracy by combining the decisions of multiple classifiers [14]. At the same time, the Hierarchical Multiclass Classification (HMC) architecture decomposes the multiclass classification problem into multiple binary classification sub-problems, thereby achieving more refined recognition of classes with fewer samples. However, ensemble models often face problems such as high computing resource usage and increased response time during deployment, especially in cloud computing real-time monitoring systems, where real-time requirements increase the pressure on system resources [15].

In response to the problem of dynamic trust relationship evaluation in the network, some studies have introduced cloud model theory, which constructs a trust affiliation cloud by describing the fuzziness and randomness of each entity's trust attributes, and then uses cloud droplets, entropy, hyper-entropy, and other indicators for quantitative evaluation [16]. When facing network trust data that is updated in real time, the update rate and computational efficiency of existing cloud model methods may struggle to meet the requirements of high-frequency dynamic warning; moreover, the model is highly sensitive to the evaluation data, and abnormal data or noise may significantly interfere with the overall trust evaluation, affecting subsequent risk warning decisions.

In view of the many shortcomings of current research in detection accuracy, real-time performance, data balance processing, and trust evaluation, this paper proposes a new defense system that comprehensively utilizes adaptive ML algorithms, hierarchical multiclass classification strategies, and cloud model trust evaluation for network security situation awareness and information risk warning in cloud computing environments [17].

One study [18] addresses real-time cybersecurity for intelligent ship networks by leveraging cloud computing technology. It proposes a multi-sensor node framework to examine data for malicious attacks and uses self-executing protection strategy nodes to intercept threats. Results demonstrate a virus intrusion detection and defense rate of 85-95% and a False Positive Rate of 2.56%, significantly outperforming other algorithms. However, the approach requires high computational resources and faces cloud infrastructure restrictions in practical deployment. Aslan et al. [19] provide an intelligent behavior-based malware detection system in a cloud computing environment. They produced a malware dataset across virtual machines and used selected features with learning-based and rule-based detection agents to classify malware and benign samples. Assessment on 10,000 program samples showed high performance with an improved detection rate and FPR. Nonetheless, the method had scalability issues with constantly changing malware variants and with large-scale, real-time cloud deployments.

Despite the significant contributions made by these studies, a more detailed comparison reveals that the majority of existing solutions fail to address the assumptions and requirements of real-time situation awareness or of a dynamic trust model in cloud-based environments. Conventional ML techniques assume fixed feature boundaries and fail under class imbalance and highly dynamic traffic [8,9,10]. DL models have excellent feature extraction abilities but consume high computational power, which makes inference slow and impractical for real-time monitoring [12,13]. Ensemble and HMC-based approaches are more accurate, but incur even more latency and resource usage, and are currently not deployed in large-scale clouds [14,15]. Meanwhile, cloud-model trust evaluation techniques capture uncertainty well but remain highly sensitive to noisy data and cannot update trust values efficiently under high-frequency attack streams [16,17,18,19]. Even recent cloud-based IDS frameworks lack robust, integrated support for both real-time detection and trust-aware decision-making [20,21]. These restrictions collectively highlight the necessity for an efficient, unified, and trust-enabled intrusion detection framework. This research overcomes these limitations by integrating adaptive ML, HMC, and cloud-model-based dynamic trust evaluation within an SDN-enabled cloud architecture, enabling real-time detection, improved minority-class accuracy, and uncertainty-aware risk assessment.

The innovations of this paper are mainly reflected in the following aspects. An efficient distributed network architecture based on the Ryu OpenFlow controller and OpenFlow switches is constructed to enable real-time collection and dynamic scheduling of link information, thereby greatly improving data transmission and processing efficiency.

In view of the difficulties posed by data imbalance and few-sample attack identification, a top-down HMC framework is designed, and integrated learning methods such as AdaBoost and Bagging are introduced to significantly improve the detection accuracy of fine-grained attack categories.

The cloud model theory is used to build a trust affiliation cloud. Through the reverse generator and similarity calculation, the dynamic evaluation of the trust status of each entity in the network is realized, providing a quantitative basis for risk warning and effectively suppressing the credit speculation caused by abnormal transactions at low or high prices.

Protocol


NOTE: This protocol describes how to construct a cloud-based network security situational awareness system and implement hierarchical classification with dynamic trust evaluation. Follow the steps below to design the cloud network topology, collect and annotate data flows, and deploy the hierarchical multiclass classification and trust assessment modules. Figure 1 illustrates the proposed SDN-cloud framework integrating adaptive ML, hierarchical classification, and trust evaluation for real-time attack detection.

1. Cloud network topology design

NOTE: Ensure administrative access to OpenStack, Ryu, and Mininet before proceeding.

  1. Deploy the system on an OpenStack-built cloud platform. Use virtualization technology to create multiple virtual hosts and configure a software-defined network (SDN) environment for unified resource management and isolated scheduling.
  2. Deploy and configure Ryu and Open vSwitch (OVS) to work with SDN control and traffic management.
  3. Construct a three-layer topology where the Ryu controller is the core and the OVS switches are the forwarding nodes, consisting of a control layer, a network forwarding layer, and a data service layer.
    1. Control layer configuration: Implement a centralized SDN controller with Ryu. Enable real-time network status monitoring by using the REST API of Ryu and connect it to the security detection module to respond quickly to abnormal traffic.
    2. Network forwarding layer configuration: Set up a number of OVS virtual switching nodes with virtual hosts and external gateways. Set flow table policies on OVS to enable dynamic path changes, traffic separation, and flow redirection when attack traffic is detected.
    3. Data service layer configuration: Configure several virtual hosts on the OpenStack platform. Create virtual machines acting as web, database, and file servers to generate realistic data traffic and support injected attack flows.
  4. Add multiple hop counts and alternative paths. Simulate heterogeneous network bandwidth and latency conditions using Mininet's link configuration options.
  5. Install Mininet to deploy and simulate the topology. Configure tenant isolation, subnet segmentation, and access control lists (ACLs) using the Mininet CLI.
  6. Verify the setup to ensure the topology facilitates real-time traffic capture and has direct integration with the detection module.
  7. Record the completed system architecture (Figure 2) and topology (Figure 3) with all the interconnections among the layers and the flow of information.

2. Data flow collection and annotation strategy

CAUTION: Make sure to comply with data privacy regulations (e.g., GDPR, local cybersecurity policies). Pre-anonymize user identifiers and IP addresses.

  1. Install small data collection agents on every virtual host and network node. Set up every agent to constantly examine network traffic, system logs, and user behavioral information.
  2. Install Kafka (v3.5) as a data queue and Apache Spark streaming (v3.4) to process stream data in real-time. Configure Kafka throughput to be 10,000 events/s or higher and Spark micro-batch interval to be 500 ms or less.
  3. Process the collected data sequentially as follows:
    1. Clean the data to eliminate duplicate records, incomplete records, and noise. Filter out invalid packets by checking protocol headers.
    2. Normalize numerical attributes to a standard range [0,1] using min-max normalization for consistent feature scaling.
    3. Extract important characteristics, including source/destination IPs, ports, protocol type, number of packets, number of bytes, forwarding delay, and measures of traffic variation.
  4. Feed the processed dataset into the AI-assisted detection module to train and validate.
  5. Establish a dual annotation system for accurate data labeling:
    1. Create an attack template library. Identify common attack patterns (e.g., port scanning, SYN flood, DoS, U2R) with rule-based pattern matching.
    2. Manually check ambiguous samples to maintain consistency in the labeling.
  6. Use established benchmark datasets such as CIC-IDS2017 and NSL-KDD for cross-validation. Align labels to maintain ≥90% inter-annotator consistency.
  7. Perform feature engineering to construct structured input vectors. Encode attack hierarchies based on multi-level category definitions.
  8. Split datasets into 80% training and 20% testing.

3. Hierarchical classification and trust assessment integrated architecture

  1. Construct an intelligent perception architecture integrating Hierarchical Multiclass Classification (HMC) and a dynamic trust assessment mechanism (Figure 4).
  2. Implement the HMC module following a "coarse-to-fine" strategy:
    1. Use lightweight connection features (e.g., frequency, port distribution, protocol type) to classify traffic into "normal" and "abnormal" categories.
    2. For "abnormal" traffic, perform second-level classification into attack categories such as DDoS, U2R, R2L, and Probe using mid-level statistical features such as packet interval and payload size.
    3. Identify fine-grained subtypes (e.g., TCP SYN Flood, SQL Injection, Brute Force Attack) by analyzing attack signatures and target attributes.
  3. Optimize the classification module.
    1. Apply AdaBoost and Bagging ensemble learning methods, building 5-8 weak classifiers at each hierarchy level (e.g., decision tree, logistic regression).
    2. Combine classifier outputs using weighted majority voting based on accuracy scores.
  4. Implement the dynamic trust evaluation module using cloud model theory:
    1. Continuously monitor host behavioral indicators, e.g., past stability, frequency of communication, and variation in access targets.
    2. Include model output credibility in the computation of trust. Estimate the actual trust score (0 to 1) with the help of expectation (Ex), entropy (En), and hyper-entropy (He) parameters.
  5. Configure the linkage feedback mechanism between HMC and trust modules.
    1. Auto-schedule systems based on trust values: isolate hosts with trust ≤ 0.3 and reduce privileges of hosts with trust 0.3-0.6.
    2. Re-train the classifier with data from hosts with trust ≥ 0.8 to improve detection of, and adaptability to, unknown attacks.
  6. Test zero-day response capability. Inject unlabeled malicious traffic and confirm that alerting and isolation are triggered within 10 min.

4. Calculation and implementation of the trust cloud model (Figure 5)

  1. Standard trust cloud generation:
    1. Divide trust values into n distinct levels (e.g., "Very Low," "Low," "Medium," "High," and "Very High").
    2. Calculate the expectation (Ex_k) for level k as the average of the trust evaluations of the entities in that level using Equation 1:
      $$Ex_k = \frac{1}{m}\sum_{i=1}^{m} T_{ik} \quad (1)$$
      where T_ik represents the individual trust values of the m entities classified under trust level L_k.
    3. Calculate the entropy (En_k) to quantify the fuzziness of the trust values within level L_k using Equation 2:
      Equation 2 (En_k as a function of Ex_k; the formula is not reproduced on this page)
      where α is a constant that controls the level of fuzziness.
    4. Compute the hyper-entropy (He_k) using Equation 3 to quantify the instability of the entropy over time:
      $$He_k = \beta \cdot En_k \quad (3)$$
      where β is a parameter that adjusts the level of uncertainty.
    5. Output the set of standard trust clouds C_1, C_2, ..., C_n corresponding to the n trust levels.
  2. Trust attribute cloud inverse generation:
    1. Normalize each input trust attribute A_i to the range [0,1] using Equation 4:
      $$A_r = \frac{A_i - A_{min}}{A_{max} - A_{min}} \quad (4)$$
    2. Apply statistical analysis (the reverse cloud generator) to estimate the cloud model parameters (Ex, En, He) for each normalized attribute A_i'.
    3. Generate the trust attribute cloud C_i for each attribute.
  3. Comprehensive trust evaluation:
    1. Calculate the digital characteristics of the composite trust cloud (Ex_com, En_com, He_com) by weighted synthesis (Equations 5-7):
      $$Ex_{com} = \sum_{i} w_i \cdot Ex_i \quad (5)$$
      $$En_{com} = \sum_{i} w_i \cdot En_i \quad (6)$$
      $$He_{com} = \sum_{i} w_i \cdot He_i \quad (7)$$
      where the weights satisfy $\sum_{i} w_i = 1$.
    2. Compute the similarity Sim(C_i, C_k) between the current trust cloud C_i and each standard cloud C_k using Equation 8:
      Equation 8 (definition of Sim(C_i, C_k); the formula is not reproduced on this page)
    3. Determine the final trust level L* as the level with the maximum similarity using Equation 9:
      $$L^* = \arg\max_{k} \, Sim(C_i, C_k) \quad (9)$$
  4. Dynamic trust update:
    1. Update the trust value to reflect its evolution over time using the time-decay (exponential smoothing) model in Equation 10:
      Equation 10 (exponential smoothing of the trust value; the formula is not reproduced on this page)
      where λ ∈ [0,1] controls the weighting of recent versus historical trust.
    2. Apply the trust penalty mechanism when specific deviations occur. Calculate the deviation (ΔA) and the penalty factor (P_penalty) using Equations 11 and 12:
      $$\Delta A = \lvert A_{fail} - A_{avg} \rvert \quad (11)$$
      $$P_{penalty} = \lambda \cdot \frac{\Delta A}{A_{avg}} \quad (12)$$
    3. Compute the updated trust value using Equation 13:
      $$T_{updated} = T_{current} - P_{penalty} \quad (13)$$
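The trust cloud computation of protocol section 4 and the trust-based scheduling of step 3.5, as an added Python example that is not the paper's code: it builds standard clouds from constructed per-level trust values, estimates attribute clouds with the reverse generator, synthesizes them (Equations 5-7), picks the level by maximum similarity (Equation 9), and applies the penalty update (Equations 11-13). Equations 2, 8 and 10 are not legible on the page, so the backward-generator entropy estimate, the Gaussian expectation-curve similarity, and the scheduling labels used here are assumptions, and all sample data is constructed.

```python
# Trust cloud evaluation of a cloud host (added example, not the paper's code).
# Constructed sample data throughout. Equations 1, 3, 4, 5-7, 9 and 11-13 follow
# protocol section 4; Equations 2, 8 and 10 are not legible on the page, so the
# forms used for them here are labelled assumptions.
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Cloud:
    ex: float  # expectation Ex
    en: float  # entropy En (fuzziness)
    he: float  # hyper-entropy He (instability of En)

def normalize(values, a_min, a_max):
    """Eq. 4: min-max normalise raw attribute values into [0, 1]."""
    if a_max <= a_min:
        raise ValueError("a_max must be greater than a_min")
    return [min(1.0, max(0.0, (v - a_min) / (a_max - a_min))) for v in values]

def backward_generator(samples):
    """Reverse cloud generator: (Ex, En, He) from observed cloud drops, using the
    usual estimators Ex = mean, En = sqrt(pi/2)*mean|x - Ex|, He = sqrt(|S^2 - En^2|)
    (assumption: the page names the generator but does not print these)."""
    m = len(samples)
    if m < 2:
        raise ValueError("need at least two samples")
    ex = sum(samples) / m  # also Eq. 1 when samples are one level's trust values
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in samples) / m
    s2 = sum((x - ex) ** 2 for x in samples) / (m - 1)  # sample variance S^2
    return Cloud(ex, en, math.sqrt(abs(s2 - en ** 2)))

def standard_clouds(level_samples, beta):
    """One standard cloud C_k per trust level: Ex_k by Eq. 1; En_k by the backward
    generator (Eq. 2 is not legible, assumption); He_k = beta * En_k by Eq. 3."""
    out = {}
    for level, samples in level_samples.items():
        c = backward_generator(samples)
        out[level] = Cloud(c.ex, c.en, beta * c.en)
    return out

def synthesize(clouds, weights):
    """Eq. 5-7: weighted synthesis of attribute clouds; weights must sum to 1."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return Cloud(sum(w * c.ex for w, c in zip(weights, clouds)),
                 sum(w * c.en for w, c in zip(weights, clouds)),
                 sum(w * c.he for w, c in zip(weights, clouds)))

def similarity(ci, ck):
    """Eq. 8 is not legible on the page; assumed form: Gaussian overlap of the two
    expectation curves (1.0 for identical clouds, decaying with |Ex_i - Ex_k|)."""
    spread = ci.en ** 2 + ck.en ** 2
    if spread == 0.0:
        return 1.0 if ci.ex == ck.ex else 0.0
    return math.exp(-((ci.ex - ck.ex) ** 2) / (2.0 * spread))

def trust_level(ci, standards):
    """Eq. 9: L* = argmax_k Sim(C_i, C_k)."""
    return max(standards, key=lambda k: similarity(ci, standards[k]))

def penalty(a_fail, a_avg, lam):
    """Eq. 11-12: deviation |A_fail - A_avg| scaled to a penalty factor."""
    return lam * abs(a_fail - a_avg) / a_avg

def apply_penalty(t_current, p):
    """Eq. 13: T_updated = T_current - P_penalty (floored at 0, an added safeguard)."""
    return max(0.0, t_current - p)

def schedule(trust):
    """Linkage rules of protocol step 3.5, thresholds as given on the page."""
    if trust <= 0.3:
        return "isolate"
    if trust <= 0.6:
        return "reduce privileges"
    return "eligible for retraining data" if trust >= 0.8 else "monitor"

# Constructed data: trust values of known entities per level, and one host's
# behavioural indicators over four sampling rounds on a raw 0..100 scale.
LEVEL_SAMPLES = {"Very Low": [0.05, 0.10, 0.15], "Low": [0.25, 0.30, 0.35],
                 "Medium": [0.45, 0.50, 0.55], "High": [0.65, 0.70, 0.75],
                 "Very High": [0.85, 0.90, 0.95]}
HOST_RAW = {"stability": [80, 90, 85, 95],
            "communication regularity": [60, 70, 65, 75],
            "access-target consistency": [50, 60, 55, 65]}
WEIGHTS = [0.5, 0.3, 0.2]

def evaluate_host(raw=HOST_RAW, weights=WEIGHTS, beta=0.1):
    """Normalise -> attribute clouds -> composite cloud -> trust level."""
    standards = standard_clouds(LEVEL_SAMPLES, beta)
    attr_clouds = [backward_generator(normalize(v, 0, 100)) for v in raw.values()]
    composite = synthesize(attr_clouds, weights)
    return composite, trust_level(composite, standards)

if __name__ == "__main__":
    comp, level = evaluate_host()
    print(f"composite Ex={comp.ex:.3f} En={comp.en:.3f} He={comp.he:.3f} -> {level}")
    t = apply_penalty(comp.ex, penalty(a_fail=0.2, a_avg=0.8, lam=0.5))
    print(f"after a failed interaction: trust={t:.3f} -> {schedule(t)}")
```

Because every standard cloud here has the same entropy, the similarity ranking reduces to nearest expectation; with real per-level data the entropies differ and a wide, fuzzy level can win over a closer but narrow one, which is the point of comparing whole clouds rather than point values.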

5. Experimental validation of attack detection performance

  1. Configure the experimental environment and prepare the dataset.
    1. Use a Windows 11 workstation equipped with Visual C++ tools for algorithm compilation and testing.
    2. Obtain the KDDCUP_10% dataset from verified sources and preprocess it following institutional data protection guidelines.
    3. Set algorithm parameters: time interval T = 10 s, sampling rounds h = 20, and data samples n = 1000.
    4. Split data into training (80%) and testing (20%) sets by means of stratified sampling.
  2. Validate binary classification performance.
    1. Conduct 5-fold cross-validation for reliability.
    2. Train and test eight classifiers: Decision Tree (DT), Naive Bayes (NB), Random Forest (RF), K-Nearest Neighbor (KNN), Adaptive Boosting (AdaBoost), Support Vector Machine (SVM), Bagging, and Gradient Boosting.
    3. Run 100 epochs per model and record precision, accuracy, recall, and F1-score.
  3. Validate multiclass classification performance.
    1. Train classifiers to detect DDoS, U2R, R2L, Probe, and normal traffic.
    2. Implement five DL architectures (MLP, CNN, GRU, RNN, and LSTM) using parameters specified in Table 1.
    3. Compare performance using precision-recall curves and confusion matrices for each class.
  4. Validate the HMC algorithm.
    1. Implement HMC with AdaBoost and Bagging as ensemble strategies.
    2. Decompose multiclass problems into binary sub-classifications through hierarchical logic.
    3. Compare results with baseline models for minority attack types (U2R, R2L).
  5. Implement attack simulation.
    1. Deploy the trained trust-detection model on the cloud testbed.
    2. Create UDP Flood and SYN Flood attacks using multi-virtual hosts to target assigned servers.
    3. Keep attack traffic around 30% of network throughput.
    4. Keep track of network statistics (transmission rate, session length, frequency of port access, abnormal connections).
    5. Measure detection error, false positives, and mean system response time.

Results


Experimental validation and performance analysis

Cloud-based validation

To test the efficiency and feasibility of the proposed algorithm, simulation tests were performed in a controlled network laboratory setting. The verification was conducted on the Windows operating system, and the core algorithm was coded in Visual C++ (VC).

For the experimental data, we chose the publicly available KDDCUP_10% dataset (http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html), which is commonly used in intrusion detection and network behavior modeling. The general experimental process closely follows the approach described previously [10] to ensure the comparability and credibility of the outcomes.

The major algorithm parameters were set to: Time interval T = 10 s; number of sampling rounds h = 20; data samples n = 1000.

The digital characteristics of the trust cloud model were calculated using these parameters. The cloud similarity algorithm was then used to identify the most similar trust cloud among the candidates, making it possible to classify and evaluate the network states.

Table 2 shows the values of the selected system sample and the outcomes of the network situation analysis. These confirm that the proposed cloud-based trust evaluation system can efficiently represent and encapsulate the dynamism and uncertainty of complex network settings.

The experiment confirms the possibility of implementing cloud models in conjunction with real-time trust assessment and provides a framework for further application in the adaptive security management system.

Attack verification

To perform a thorough verification of the proposed algorithm's performance in this experiment, it is necessary to evaluate the attack detection capabilities of binary classification, multi-classification, and HMC within a cloud computing environment. The experimental assessment is separated into three primary phases: the application of DDoS attack data for checking the functionality of the AI module, the evaluation of the functionality of various ML algorithms, and the analysis of the functionality of the DL models to forecast attacks.

Binary classification performance verification

In the first phase of the experiment, the DDoS attack dataset was used to verify the AI module, the main purpose of which was to test the prediction accuracy of the model in a cloud computing environment. We used a 5-fold cross-validation method, and the ratio of training data to test data was set to 8:2, that is, 80% of the data was utilized for training, and 20% was used for testing. In each experiment, a different test set was used to verify the model to ensure that each sample appeared as a test set once. The training process lasted for 5 epochs, and the average result was taken.

The dataset is categorized into two groups: normal and abnormal. To compare the performance of different classifiers, the following eight common ML classifiers were selected: decision tree (DT), random forest (RF), naive Bayes (NB), K-nearest neighbor (KNN), support vector machine with RBF kernel (SVM-RBF), linear support vector machine (L-SVM), and the Bagging and Boosting ensemble learning algorithms. The performance comparison results are shown in Figure 6. Through the performance comparison of these classifiers, their effectiveness in DDoS attack detection can be comprehensively evaluated [20,21].

Multi-classification performance verification

In the second phase of the experiment, the dataset was expanded to multi-classification problems, involving different types of network attacks, including DDoS, U2R (user-to-root attack), R2L (remote-to-local attack), normal data, etc. Multi-classification problems test the model's capability to identify and organize multiple attack types.

Five DL classifiers were used for validation, including MLP, CNN, RNN, long short-term memory (LSTM) network, and GRU network. The specific parameter settings of each model are presented in Table 1, Table 3, and Table 4. When performing multi-classification validation, the precision and recall of the model across multiple categories were evaluated in detail.

Verification of HMC's multi-classification performance

In the third stage, the HMC algorithm was used to compare the performance of all the above ML and DL models in multiclass classification tasks. The HMC algorithm significantly improves the accuracy of detecting fine-grained attacks (such as U2R, R2L, etc.) by decomposing complex multiclass problems into multiple binary classification sub-problems. The advantages of HMC were verified by enhancing attack detection accuracy compared with traditional classification methods.

Experimental results and analysis

Through the experiments in the above three stages, we obtained the performance indicators of each classifier and DL model under different attack types. Table 3 shows performance indicators such as accuracy, recall rate, F1 value, etc. in different classification methods. In the experiment, HMC showed high accuracy and robustness in the detection of multiclass attacks, especially when dealing with U2R and R2L attacks. Compared with traditional SVM and RF methods, HMC has achieved significant improvement.

Through these experimental results, we verified the effectiveness of the proposed AI module for attack detection in a cloud computing environment, and provided a reliable basis for subsequent model optimization and application deployment.

Experimental results indicate that among the ML models, Decision Tree (DT), Random Forest (RF), and ensemble methods (Bagging, Boosting) achieved superior performance, with F1-scores reaching 1.0. This validates their robustness and precision in distinguishing DDoS patterns from normal traffic. In contrast, the naive Bayes (NB) model performed poorly in abnormal packet prediction, with an F1 score of 0.62, indicating that the model has a certain risk of misclassification when facing complex attack types.

Figure 7 shows the performance of MLP, CNN, RNN, LSTM, and GRU. After optimizing the parameters, the binary F1 scores of the DL models were 0.93 and 0.98, respectively, indicating that the DL models effectively capture the deep data features, especially when processing time series data and complex pattern recognition, and they perform better than traditional ML models.

Comprehensive analysis shows that decision trees, ensemble learning methods, and neural network models all show excellent performance in detecting DDoS attacks, but in specific applications, the selection of a suitable model still needs to consider factors such as attack type, data volume, and computing resources. To further enhance the detection capability of the model, multiple models can be integrated in the future to achieve higher accuracy and a lower false alarm rate.

Figure 8 shows that the DL models outperform the traditional ML baselines, maintaining F1 values between 0.96 and 0.99, particularly on unbalanced datasets. In the fine-grained categories, however, prediction performance for the U2R class remains subpar, and the F1 score for the cyberattack class is only 0.49. Taken together, Figure 9 and Figure 10 indicate that recognition of the few-sample categories (U2R, cyberattacks, BFA, and botnets) still needs to be improved.

In the third stage, the same 13 single classifiers as before, now focused on the minority classes, were used as the comparison for HMC. According to the results, the AdaBoost-based HMC design outperforms Bagging. For the minority U2R class, AdaBoost-based HMC reaches an F1 score of 0.5 (the initial F1 is 0), whereas Bagging-based HMC reaches an F1 score of 0.67 (with 0.4 as the initial F1). For the network attack class, AdaBoost-based HMC obtained an F1 score of 0.88 (original F1 was 0.71), whereas Bagging-based HMC obtained an F1 score of 0.9 (original F1 was 0). These results show that ensemble learning strategies (such as AdaBoost and Bagging) significantly improve the predictive ability of the classifiers on minority classes.

Attack simulation case

To further verify the practicality and robustness of the proposed model in an actual network environment, this paper designed and implemented an attack simulation case and conducted a simulation experiment on the DDoS attack scenario. The simulation environment is built on a virtual cloud computing platform, using multiple virtual hosts to simulate the interaction between normal users and attackers. The simulation scenario includes a mixed network environment where normal business access and malicious traffic coexist.

In the experiment, the attacker launched UDP flood and SYN flood attacks against the target server from multiple source IPs, attempting to exhaust the target system's resources and degrade the availability of normal services. The system continuously collects network traffic information and derives the key feature parameters: transmission rate, session duration, port-access frequency, and the number of abnormal connections.

The proposed trust evaluation and attack detection model is implemented in the monitoring node to analyze and categorize traffic in real time. Through the trust cloud model and the multi-classification discrimination mechanism, the system identifies the attack in its early phases, tags the suspicious sources as low trust, and activates the response mechanism.

The simulation findings indicate that when the simulated attack traffic constitutes over 30% of the total traffic, the proposed system achieves 96% detection accuracy, a low false positive rate of 3%, and a response latency of less than 2 s under simulated DDoS conditions. This outcome confirms that the model has promising application opportunities for addressing distributed attacks and enhancing the security defense capabilities of the system.

Moreover, the experiment was extended to multi-round attacks and non-continuous attacks. The model maintained stable detection performance, indicating good generalization under complex and dynamic network conditions. The set of attack types will be extended in the future, including data injection and phishing attacks, to fully test the flexibility and scalability of the model against a variety of threats.

Table 5 reports the statistical significance of the performance improvements. It displays the results of paired t-tests comparing the baseline models with the proposed Adaptive ML-HMC-Trust framework on the main performance metrics: the mean and standard deviation values, t-values, p-values, and significance levels for accuracy, F1-score, minority-class detection, false-positive rate, and detection latency.

Cloud network setup; data flowchart; acquisition, preprocessing, HMC, trust evaluation, result analysis.
Figure 1: Methodology flow representation. Flowchart illustrating the proposed SDN-cloud framework integrating adaptive ML, hierarchical classification, and trust evaluation for real-time attack detection.

Cloud network architecture diagram; control, data planes, WAN connections; data centers, computers.
Figure 2: Cloud service architecture. The figure shows the general cloud service model applied in the research: the control layer, the data forwarding layer, and the service layer. The architecture consists of the Ryu OpenFlow controller, Open vSwitch nodes, and virtualized cloud hosts. All connections carry real-time data flow and link-status interactions.

Hierarchical network diagram, controller setup, demonstrating data flow and system structure.
Figure 3: Network topology model. The figure shows the three-layer virtual network topology built in the cloud environment. It comprises the host nodes, the switching layers, and the simulated link delays and bandwidth limits. The topology enables traffic separation, multi-path routing, and real-time attack flow redirection.

Neural network diagram for multi-layer cyber attack classification, showcasing dataset processing.
Figure 4: HMC-based security detection architecture. The figure shows the multiclass classification hierarchy combining ensemble learning, trust assessment, and multi-level threat detection. The blocks represent the classification phases, displaying the flow from coarse-grained to fine-grained attack detection.

Cloud service trust management diagram showing trust update, feedback, and registration processes.
Figure 5: Cloud model-based trust evaluation process. The figure represents the six steps of the trust assessment process: normal trust cloud generation, attribute extraction, attribute cloud formation, cloud similarity calculation, trust-level classification, and dynamic trust update.

Machine learning performance bar chart on DDoS-SDN dataset, F1-score comparison of classifiers.
Figure 6: Machine learning performance on DDoS dataset. The figure examines how eight classical ML models perform in a binary arrangement of normal vs. DDoS attack traffic. The metrics are recall, precision, F1-score, and overall accuracy. Error bars reflect variability across 5-fold cross-validation.

Deep learning classifiers performance bar chart in DDoS-SDN dataset; shows F1-Scores for MLP, CNN, RNN, LSTM, and GRU.
Figure 7: Deep learning model performance on DDoS dataset. The figure shows the binary classification performance of the MLP, CNN, RNN, LSTM, and GRU models. Measurements indicate model performance over a series of training cycles.

Machine learning performance comparison, HMC vs various classifiers; multiple line graphs, cybersecurity data.
Figure 8: HMC vs. single machine learning classifier performance. The figure compares hierarchical multi-classification with the traditional classifiers on minority attacks such as U2R and R2L. F1-scores are presented with error bars indicating the variation between repeated experiments.

Comparison of neural network models (MLP, CNN, RNN, LSTM, GRU) vs. HMC for cybersecurity threats.
Figure 9: HMC vs. deep learning classifier performance. The values indicate the enhancement of multiclass detection when HMC is applied on top of the DL models. Minority-class performance is highlighted and is significantly improved compared to the single DL models.

Network attack analysis diagram; time series flow charts for multiple attack hosts.
Figure 10: DDoS attack simulation results. The figure shows the real-time monitoring output of the attack simulation experiment: the traffic rate, the number of abnormal connections, the response time of the detection method, and the system classification output. The scale bars indicate time (in seconds) and traffic volume.

Model | Learning Rate | Batch Size | Epochs | Activation Function
MLP | 0.001 | 64 | 30 | ReLU
CNN | 0.0005 | 32 | 50 | LeakyReLU
RNN | 0.001 | 64 | 40 | Tanh
LSTM | 0.0001 | 128 | 60 | Sigmoid
GRU | 0.001 | 64 | 45 | ReLU

Table 1: Deep learning model parameter settings. This table contains the hyperparameters of deep learning experiments: the batch size, the learning rate, the number of epochs, and the architecture specifications.

Sample ID | Sampling Time (seconds) | Trust Degree Ex | Entropy En | Hyper-Entropy He | Similarity Score | Trust Level
1 | 10 | 0.75 | 0.65 | 0.8 | 0.85 | High
2 | 20 | 0.8 | 0.6 | 0.75 | 0.82 | High
3 | 30 | 0.68 | 0.7 | 0.85 | 0.8 | Medium
4 | 40 | 0.6 | 0.72 | 0.9 | 0.78 | Medium
5 | 50 | 0.5 | 0.8 | 0.95 | 0.7 | Low
6 | 60 | 0.45 | 0.85 | 0.96 | 0.65 | Low

Table 2: System sample values and network situation analysis. This table gives some of the sample values of the cloud environment, such as traffic statistics, trust values, and classification outputs.
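The six steps of Figure 5 and the Table 2 columns (Ex, En, He, similarity score, trust level), applied to a per-source traffic attribute of the kind the attack simulation collects, as an added example that is not the paper's own code. The backward cloud generator is the standard cloud-model estimator; the Bhattacharyya-based similarity, the level thresholds, and the exponential-smoothing trust update are assumptions, since the page does not give those formulas, and all sample windows are constructed.

```python
# Added example, not the paper's code: cloud-model trust evaluation following
# the six steps of Figure 5 and the Table 2 columns (Ex, En, He, similarity,
# trust level). Similarity measure, thresholds and update rule are assumptions.
import math
from statistics import mean, variance

def backward_cloud(samples):
    """Backward cloud generator (standard cloud-model estimator, no certainty
    degrees): Ex = mean, En from mean absolute deviation, He from the gap
    between sample variance and En^2. Needs at least two samples."""
    ex = mean(samples)
    en = math.sqrt(math.pi / 2) * mean(abs(x - ex) for x in samples)
    he = math.sqrt(abs(variance(samples) - en ** 2))
    return ex, en, he

def cloud_similarity(cloud_a, cloud_b):
    """Assumed similarity: Bhattacharyya coefficient between the expectation
    curves N(Ex, En^2) of the two clouds; 1.0 for identical clouds."""
    ex_a, en_a, _ = cloud_a
    ex_b, en_b, _ = cloud_b
    v = en_a ** 2 + en_b ** 2
    if v == 0:  # degenerate clouds built from constant samples
        return 1.0 if ex_a == ex_b else 0.0
    return math.sqrt(2 * en_a * en_b / v) * math.exp(-(ex_a - ex_b) ** 2 / (4 * v))

def trust_level(similarity):
    """Assumed thresholds, chosen so the Table 2 sample rows map to the same
    levels (0.85/0.82 High, 0.80/0.78 Medium, 0.70/0.65 Low)."""
    if similarity >= 0.82:
        return "High"
    if similarity >= 0.75:
        return "Medium"
    return "Low"

def update_trust(previous, similarity, alpha=0.3):
    """Assumed dynamic trust update: exponential smoothing, so one noisy
    window lowers trust gradually instead of flipping the level outright."""
    return (1 - alpha) * previous + alpha * similarity

# Constructed sample data: connection attempts per second seen from each
# source over ten one-second windows. BASELINE_WINDOW is the reference
# behaviour from which the normal trust cloud is generated.
BASELINE_WINDOW = [8, 10, 9, 11, 10, 12, 9, 10, 11, 10]
HOST_WINDOWS = {
    "host-normal": [9, 11, 10, 10, 12, 9, 10, 11, 8, 10],
    "host-elevated": [10, 12, 11, 13, 11, 12, 10, 12, 11, 12],
    "host-flood": [120, 150, 135, 160, 140, 155, 130, 145, 150, 135],
}

def evaluate_hosts(baseline, host_windows):
    """Normal cloud -> attribute cloud per source -> similarity -> trust level.
    Returns one Table 2-style row per source."""
    normal_cloud = backward_cloud(baseline)
    rows = {}
    for host, samples in host_windows.items():
        ex, en, he = backward_cloud(samples)
        sim = cloud_similarity(normal_cloud, (ex, en, he))
        rows[host] = {"Ex": ex, "En": en, "He": he,
                      "similarity": sim, "level": trust_level(sim)}
    return rows

def trust_trajectory(baseline, windows, initial=1.0, alpha=0.3):
    """Dynamic trust update across successive windows of one source."""
    normal_cloud = backward_cloud(baseline)
    trust, trajectory = initial, []
    for window in windows:
        sim = cloud_similarity(normal_cloud, backward_cloud(window))
        trust = update_trust(trust, sim, alpha)
        trajectory.append(round(trust, 3))
    return trajectory
```

Calling `evaluate_hosts(BASELINE_WINDOW, HOST_WINDOWS)` yields High, Medium and Low for the three constructed sources, and `trust_trajectory` over one normal window followed by three flood windows shows the trust value decaying from 1.0 to 0.343 rather than dropping to zero on the first suspicious window.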

Classifier | Accuracy | Precision | Recall | F1 Score
Decision Tree (DT) | 85.20% | 84.30% | 86.10% | 85.20%
Random Forest (RF) | 90.10% | 89.30% | 91.00% | 90.10%
Naive Bayes (NB) | 82.50% | 81.70% | 83.40% | 82.50%
K-Nearest Neighbors (KNN) | 87.40% | 86.80% | 88.10% | 87.40%
SVM-RBF | 88.90% | 88.10% | 89.50% | 88.80%
Linear SVM (L-SVM) | 87.80% | 87.20% | 88.50% | 87.80%
Bagging | 91.20% | 90.50% | 91.70% | 91.10%
Boosting | 92.30% | 91.90% | 92.60% | 92.20%

Table 3: Machine learning classifier performance comparison. The table presents the recall, precision, accuracy, and F1-scores for all ML models tested.

Model | Accuracy | Precision | Recall | F1 Score
MLP | 89.50% | 88.70% | 90.30% | 89.50%
CNN | 91.20% | 90.70% | 91.50% | 91.10%
RNN | 88.30% | 87.60% | 88.80% | 88.20%
LSTM | 92.10% | 91.80% | 92.40% | 92.10%
GRU | 91.80% | 91.40% | 92.10% | 91.70%

Table 4: Deep learning classifier performance comparison. This table presents performance metrics of MLP, CNN, RNN, LSTM, and GRU models on the basis of multiclass detection.

Performance Metric | Baseline Mean (SD) | Proposed Model Mean (SD) | t-value | p-value | Significance
Accuracy | 0.89 (0.04) | 0.96 (0.02) | 8.72 | <0.001 | Significant
F1-Score | 0.84 (0.05) | 0.94 (0.03) | 9.15 | <0.001 | Significant
Minority-Class Detection (U2R/R2L) | 0.52 (0.08) | 0.81 (0.06) | 10.44 | <0.001 | Significant
False-Positive Rate | 0.11 (0.03) | 0.04 (0.02) | -7.98 | <0.001 | Significant
Detection Latency (seconds) | 3.10 (0.41) | 1.82 (0.33) | -9.27 | <0.001 | Significant

Table 5: Statistical significance of performance improvements. This table displays the results of paired t-tests that compare baseline models with the proposed Adaptive ML-HMC-Trust framework in terms of the main performance metrics. The table consists of the mean and standard deviation values, t-values, p-values, and the significance levels of accuracy, F1-score, minority-class detection, false-positive rate, and detection latency.

Discussion

An effective deployment of this protocol relies on critical steps within the cloud-based architecture. Proper configuration of the Ryu OpenFlow controller, correct setup of the Open vSwitch flow rules, and robust formation of the multi-layer topology are essential to ensure full traffic capture. The selection of Ryu as the controller and Open vSwitch as the switching platform significantly strengthens the system's practical value; their lightweight, modular, and fully programmable characteristics make them well suited to real-time network monitoring, dynamic flow control, and scalable security management across cloud infrastructures. Similarly, the preprocessing pipeline (cleaning, normalization, and annotation) must be executed accurately to prevent bias during hierarchical classification, addressing the inherent complexities of cloud security analytics.

During deployment, several adjustments were necessary to ensure optimal performance. Ensemble models initially exhibited overfitting in minority classes, requiring tuning of weak-learner depth and voting weights, mirroring challenges found in anomaly detection. To mitigate trust value volatility caused by noisy traffic, the cloud model entropy and decay parameters were recalibrated. Furthermore, streaming bottlenecks in the Kafka-Spark pipelines were resolved by scaling up topic partitioning to support high-throughput cloud environments.

The experimental results from simulations in Mininet and EstiNet, as well as evaluations using real cloud traffic and DDoS datasets, demonstrate that the proposed ML-HMC-trust fusion approach provides clear improvements in detection precision, false-positive reduction, and real-time responsiveness. This confirms the effectiveness of aligning adaptive learning algorithms with a hierarchical classification model to decompose complex multiclass attack detection tasks. This approach offers significant advantages over conventional non-reactive and rule-based frameworks, which struggle with dynamic attack techniques and minority-category threats. Specifically, by combining HMC with AdaBoost and Bagging, the protocol achieves higher accuracy in fine-grained detection of rare attack classes like U2R and R2L, addressing the class imbalance limitations of single ML models. Additionally, the dynamic trust model enhances decision-making capabilities in uncertain situations.

Despite these advancements, the protocol is subject to certain limitations reported in related work. Machine learning techniques remain challenged by extreme data imbalance, particularly for U2R and R2L attacks [8]. Deep learning models, while powerful, demand substantial computational resources and may exhibit latency in real-time cloud scenarios [12,13]. Ensemble learning enhances generalization but increases resource consumption and inference time [14]. Similarly, cloud-model trust systems have shown vulnerability to noisy or dynamically evolving behavioral inputs, consistent with previous findings [16]. The proposed method features a modular design suitable for larger cloud and edge environments, enabling integration with federated learning, fog computing, and distributed IoT-cloud systems. While the current study focused on functional validation in moderate-scale scenarios, future research will extend to large-scale, highly distributed cloud environments and multi-controller SDN architectures to enhance fault tolerance. Planned extensions also include investigating reinforcement learning-based trust adaptation, zero-day detection capabilities, and deeper integration with threat intelligence feeds to counter emerging threats such as phishing and botnets. By unifying adaptive ML, HMC, and trust evaluation within an SDN ecosystem, this research provides a strategic pathway toward more intelligent, resilient, and proactive cloud defense systems.

Disclosures

The authors have nothing to disclose.

Acknowledgements

The authors express their gratitude to the Department of Information at the Shanghai Proton and Heavy Ion Center for providing the essential computing resources and research environment required for this study. We also extend our appreciation to our colleagues for their valuable technical insights during the system design and testing phases.

Materials

List of materials used in this article

Name | Company | Catalog Number | Comments
AdaBoost (Ensemble Learning Library) | Scikit-learn, Python | https://scikit-learn.org/stable/modules/generated/sklearn.ensemble.AdaBoostClassifier.html | Software
Bagging Classifier | Scikit-learn, Python | https://scikit-learn.org/stable/modules/generated/sklearn.ensemble.BaggingClassifier.html | Software
Cloud Model Trust Evaluation Code | Custom implementation | N/A | Algorithm/Software
Convolutional Neural Network (CNN) | TensorFlow / PyTorch | https://www.tensorflow.org/tutorials/images/cnn | Software
Deep Learning Frameworks (MLP, RNN, LSTM, GRU) | TensorFlow / PyTorch | | Software
EstiNet Network Simulator | EstiNet Technologies | https://sites.google.com/view/estinet-network-simulator | Software
Kafka (Data Streaming Platform) | Apache Foundation | https://kafka.apache.org/ | Software
KDD CUP 10% Dataset | UCI Machine Learning Repository | http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html | Dataset
Mininet Emulator | Mininet Project | Mininet 2.3.1 | Network emulation for SDN topology, bandwidth, and mixed attack simulation.
Open vSwitch (OVS) | Open vSwitch Org | OVS 3.2.2 | Virtual switch implementing flow-table control and attack traffic redirection.
OpenStack Cloud Platform | Open Infrastructure Foundation | https://www.openstack.org/ | Cloud Software
Python 3.x | Python Software Foundation | https://www.python.org/downloads/ | Programming Language
Ryu SDN Controller | NTT R&D | Ryu 4.34 | SDN controller for real-time network traffic capture and situation awareness.
Spark Streaming Framework | Apache Foundation | https://spark.apache.org/docs/latest/streaming-programming-guide.html | Software
Visual C++ (VC++) Compiler | Microsoft | https://visualstudio.microsoft.com/ | Software
Windows 11 Workstation | Microsoft | Windows 11 Pro 23H2 | OS used for model compilation, training, and testing.

References

  1. Xie, J. Application study on the reinforcement learning strategies in the network awareness risk perception and prevention. Int J Comput Intell Syst. 17 (1), 112 (2024).
  2. Wang, Y., Yang, X. Research on enhancing cloud computing network security using artificial intelligence algorithms. 2025 International Conference on Sensor-Cloud and Edge Computing System (SCECS), Zhuhai, China, 237-244 (2025).
  3. Chaowen, C. Research on computer network security situation awareness warning mechanism based on artificial intelligence. 2024 IEEE 4th International Conference on Electronic Technology, Communication and Information (ICETCI), Changchun, China, 748-753 (2024).
  4. Zhao, X. Network security situational awareness and early warning architecture based on big data. Int J Syst Assur Eng Manag. (2024).
  5. Akinbolaji, T. J. Advanced integration of artificial intelligence and machine learning for real-time threat detection in cloud computing environments. Iconic Res Eng J. 6 (10), 980-991 (2024).
  6. Emehin, O., Emeteveke, I., Adeyeye, O., Akanbi, I. Securing artificial intelligence in data analytics: strategies for mitigating risks in cloud computing environments. Int Res J Mod Eng Technol Sci. 6, 1978-1998 (2024).
  7. Shang, Y. Prevention and detection of DDoS attack in virtual cloud computing environment using naive Bayes algorithm of machine learning. Meas Sens. 31, 100991 (2024).
  8. Altowaijri, S. M., El Touati, Y. Securing cloud computing services with an intelligent preventive approach. Eng Technol Appl Sci Res. 14 (3), 13998-14005 (2024).
  9. Mamidi, S. The role of AI and machine learning in enhancing cloud security. J Artif Intell Gen Sci. 3 (1), 403-417 (2024).
  10. Zhang, C., Shan, G., Roh, B. H. Fair federated learning for multi-task 6G NWDAF network anomaly detection. IEEE Trans Intell Transp Syst. 26 (10), 17359-17370 (2025).
  11. Shyam Mohan, J. S., Thirunavukkarasu, M., Kumaran, N., Thamaraiselvi, D. learning with blockchain based cyber security threat intelligence and situational awareness system for intrusion alert prediction. Sustain Comput Inform Syst. 42, 100955 (2024).
  12. Akinade, A. O., Adepoju, P. A., Ige, A. B., Afolabi, A. I. Cloud security challenges and solutions: a review of current best practices. Int J Multidiscip Res Growth Eval. 6 (1), 26-35 (2025).
  13. Hasimi, L., Zavantis, D., Shakshuki, E., Yasar, A. Cloud computing security and deep learning: an ANN approach. Procedia Comput Sci. 231, 40-47 (2024).
  14. Barlybayev, A., Sharipbay, A., Shakhmetova, G., Zhumadillayeva, A. Development of a flexible information security risk model using machine learning methods and ontologies. Appl Sci. 14 (21), 9858 (2024).
  15. Wang, Y. Research on intelligent cybersecurity protection system in cloud computing environment. Innov Sci Technol. 3 (4), 71-78 (2024).
  16. Ali, T., Al-Khalidi, M., Al-Zaidi, R. Information security risk assessment methods in cloud computing: comprehensive review. J Comput Inf Syst. 66 (1), 123-150 (2026).
  17. Tahir, A. B. Advanced virtualized cyber security strategies for cloud and fog computing: a machine learning and encryption approach. Int J Comput Data Sci. 1 (1), 37-55 (2025).
  18. Guo, J., Guo, H. Real-time risk detection method and protection strategy for intelligent ship network security based on cloud computing. Symmetry. 15 (5), 988 (2023).
  19. Aslan, Ö., Ozkan-Okay, M., Gupta, D. Intelligent behavior-based malware detection system on cloud computing environment. IEEE Access. 9, 83252-83271 (2021).
  20. Mamidi, S. Enhancing cloud computing security through artificial intelligence-based architecture. J Artif Intell Gen Sci. 5 (1), 63-72 (2024).
  21. Omolola, H., et al. Enhancing cybersecurity through cloud computing solutions in the United States. Intell Inf Manag. 16 (4), 176-193 (2024).

Tags

Adaptive Machine Learning, Network Security, Cloud Computing, Risk Warning, Hierarchical Classification, Trust Evaluation, DDoS Detection, Ensemble Learning, SDN Architecture, Real Time Response