1 Introduction

Cloud networks give users a convenient way to access applications, services and resources over the Internet. With an internet connection and a computer, an end user can access applications and request the services and resources they need from anywhere through the cloud. This model has led organisations to shift their focus from the day-to-day running of their own information technology (IT) services to a pay-as-you-go, on-demand business. Such a business model has recently proved beneficial and popular. Cloud network models can be broadly categorised as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), and each can be deployed in the end user environment as a public, private or hybrid cloud. Google, Amazon and other major software service providers have joined the cloud bandwagon and have become extremely popular after successfully setting up their cloud services [1].

With such advances in cloud networks, the likelihood of threats is also rising. Reports and news suggest that malicious activities such as data loss and hacking in cloud networks are increasing day by day. Availability of cloud services and the privacy of users are of prime importance when providers such as Amazon and Google set up their services. Absence or unavailability of cloud services can have many causes, but the major ones are failure of a cloud network service component and attacks such as Denial of Service (DoS) aimed at the cloud network servers. Data loss and privacy are not the only reasons to counter such DoS attacks effectively. A DoS attack is an organised network attack carried out with the aim of disrupting an organisation's service operations by denying its end users access to them; it renders the network services of an organisation inaccessible to its users. As technology advances, the tools used to carry out such attacks are updated as well, so defenders must keep up with advanced defence techniques and with the recent models used to capture such attacks. A DoS attack is orchestrated through one or more weak systems, usually compromised and controlled by an attacker, which repeatedly send malicious requests at a target and thereby exhaust the target's resources. If executed successfully, such an attack leads to the unavailability of cloud resources. According to the report in [2], the cloud platform has been one of the most attacked platforms in recent years.

Data mining techniques can be used effectively to detect such attacks in the cloud. Classification techniques have been applied to identify malicious activity in fields such as web security and intrusion detection systems [3]. Common data-mining-based intrusion detection methods classify network traffic as either permissible or malign. The detection methods follow a set of signature patterns, anomaly patterns, or a combination of both (hybrid). Signature-based intrusion detection methods use a set of derived rules or patterns describing malicious network traffic. These are stored in a knowledge base against which real-time network traffic is compared, thereby classifying the traffic as permissible or malign. One prerequisite for such a method is that the knowledge base must be kept up to date to counter new malign packets. A signature-based classifier produces a high false negative rate when traffic carrying unknown attack signatures is fed to it; this is the major drawback of signature-based intrusion detection. Classifiers learn from a set of pre-labelled data instances in order to assign a given test instance to one of the pre-labelled classes. Classifiers have two phases, namely the training phase and the testing phase. In the training phase, the classifier learns from the given pre-labelled data, and in the testing phase it assigns each test instance to one of the classes. In security settings the output classes are commonly legitimate and malign.

In this paper, a new security system called the Intelligent Rule based Classification System (IRCS) for detecting DoS attacks in cloud networks is proposed. The proposed model uses the knowledge of known patterns present in the knowledge base to make an initial decision, which is then validated using rules provided by a domain expert. The domain expert validates the decisions using his experience in problem solving on intrusions and the rules declared in the knowledge base, thereby finalising the classification results and the decision on attacks. For this purpose, two new algorithms, namely the Feature Selection Algorithm using Scoring and Ranking (FSASR) and the Rule based Classification Algorithm for detecting DoS Attacks (RCADA), are proposed in this paper to build the intelligent rule based classification system and thereby enhance the security of communication in cloud networks. Based on the simulation experiments conducted in this work, the proposed model using these feature selection and classification algorithms is shown to detect 98.5% of DoS attacks in cloud networks. Moreover, the proposed model is more secure than existing security models for cloud networks, since it reduces the false positive rate by increasing the classification accuracy using the rules present in the rule base and by validating the results with a domain expert.

Common forms of DoS attacks include User Datagram Protocol (UDP) flood, SYN flood, Ping of Death, Slowloris, HTTP attack and Internet Control Message Protocol (ICMP) flood. This work concentrates on protocol-based DoS attacks, which target or use specific protocols in order to succeed. Detecting them requires careful observation and study of the different DoS attack tools deployed in a real-time cloud network environment where both legitimate and malign packets flow through the network. TCP and UDP are the protocols most used to establish basic or advanced network communication between two or more nodes, as both support the exchange of data. Almost all web applications require either TCP or UDP over IP to establish network communication and exchange data, which is why attackers mostly target and manipulate these two protocols. This paper therefore concentrates on DoS attacks carried out through TCP and UDP.

The rest of the paper is organised as follows: Sect. 2 provides a literature survey of related work. Section 3 describes the proposed system in detail. Section 4 presents the experimental details of this work together with the results and related discussion. Finally, Sect. 5 concludes the paper and suggests some future work.

2 Literature survey

There are many works on cloud networks which provide schemes for performance improvement and security in the cloud [2, 4,5,6]. Moreover, the significant increase in the number of users and organisations moving to cloud networks makes it harder to detect DoS attacks. In this section, we survey the work of authors who have previously used data mining approaches to counter DoS attacks. Intrusion detection systems [7, 8] are the major technique used in a cloud network environment to protect the privacy of end users and to secure the data that resides in the cloud. Choi et al. [9] proposed an approach that uses the MapReduce model to mitigate DoS attacks effectively. Their work targeted application-layer Hypertext Transfer Protocol (HTTP) DoS attacks. Snort is a sniffing tool that inspects network traffic in real time to detect suspicious activity; their approach performed better than Snort, with shorter processing time, and also identified new attack patterns. Pradeepthi et al. [10] proposed a rule based classifier for detecting DoS attacks on cloud networks, implementing a cloud setup and carrying out tests with DoS attack tools.

Many authors have used soft computing techniques for solving network problems, and these techniques can be applied to cloud networks to provide security and optimal communication [11,12,13]. Gupta et al. [14] proposed a rule based intrusion detection and prevention system. It uses both a Bayesian approach and data analysis with an unsupervised learning algorithm to detect malign traffic, thereby safeguarding the cloud network against attacks such as Transmission Control Protocol (TCP) SYN flooding. Khorshed et al. [1] built a cloud network environment in which a typical DoS attack scenario was recreated; the incoming traffic was analysed using a Support Vector Machine (SVM) classifier, which reported malign patterns. Santhosh Kumar et al. [15] proposed a hop-by-hop authentication mechanism which proved effective against DoS attacks in wireless networks. Wayne Jansen [16] surveyed the numerous client-side and server-side protection mechanisms against malign network patterns and DoS attacks proposed so far by various authors. Many authors have used the features available in a cloud network setup, such as statistical modelling (Yu et al. [17]) and dynamic resource allocation (Girma et al. [18]), to counter network attacks effectively. Arshad et al. [19] studied the level of intrusion in a cloud network environment and its severity. Many researchers have secured communication by providing secure and intelligent routing algorithms based on soft computing techniques [20,21,22,23,24].

Machine learning methodologies have been used to predict the severity of attacks. Ganapathy et al. [3] studied and surveyed the various classification methodologies used in intrusion detection systems. Sindhu et al. [25] used a decision tree based intrusion detection system that employed a wrapper approach. Chonka et al. [26] proposed a methodology which uses a cloud traceback technique to trace the source of a DoS attack; the authors employed a back-propagation neural network to detect and filter such attacks. Wu et al. [27] proposed a decision tree based method to detect DoS attacks at the network layer. Their methodology uses a pattern matching technique to classify traffic that resembles a DoS attack. They studied various attack patterns and defined a threshold line as the peak traffic rate under normal circumstances; if the network traffic rises above this pre-defined threshold, the traffic is classified as malign. In spite of all these works in the literature, the existing systems are not able to detect DoS attacks with high accuracy. Hence, new algorithms are proposed in this paper to enhance the detection accuracy by applying rules.

3 Proposed work

In this section, a detailed explanation of the proposed work is given. It covers the system architecture and the proposed algorithms for feature selection and classification, namely the feature selection algorithm using scoring and ranking (FSASR) and the rule based classification algorithm for detecting DoS attacks (RCADA).

3.1 System architecture

The architecture of the intelligent rule based classifier is shown in Fig. 1.

Fig. 1 Architecture of intelligent rule based classification system (IRCS)

In the proposed architecture, the attack simulator module uses tools such as Low Orbit Ion Cannon (LOIC), XOIC, Pyloris, Ping Flood and SynGUI. The experimental setup is discussed in detail in Sect. 4. A real cloud setup was established, and performance metrics for processor usage, memory usage and network bandwidth usage were monitored over a period of time. The values of these metrics change when the cloud network setup comes under attack from the traffic generated by the tools listed above. The metric values were observed and recorded using the tcpdump, Process Explorer and IPTraf tools. The observed metrics (features) were analysed for their importance and a score was assigned to each feature in order to find the top metrics that impact the cloud network. The metrics with higher scores were used to form the rules of the rule base. When a request arrives, it is sent to IRCS, where the traffic is analysed and cross-checked against the rules stored in the rule base for the presence of attack patterns; the domain expert is consulted during classification. If the request matches any attack pattern, it is discarded and not serviced by the decision manager. Whenever IRCS detects a signature pattern, the process is terminated, thereby preserving the cloud network resources for servicing genuine users. Thus the proposed system effectively thwarts malicious network activity.

3.2 Feature selection algorithm using scoring and ranking

In general, feature selection is carried out to analyse the numerous available features and to identify the top features, those with the largest influence on the classification output, while features with only a minor or negligible effect on the classification output are set aside. It also reduces the size of the feature set by removing redundant and noisy features that might otherwise reduce the performance of a classifier. As discussed, performance metrics reflecting processor usage, memory usage and network bandwidth usage were observed. The features observed during the parameter aggregation phase are given in Table 1.

Table 1 List of observed features with description

We formalize the feature selection problem as follows. Given is a feature set \( F = \{f_1, f_2, f_3, \ldots, f_n\} \) consisting of n features, where each feature is a vector of n values given by \( f_i = (v_{i1}, v_{i2}, \ldots, v_{in}) \), and each feature has a value associated with it, \( f_i = V_i \). Certain features in F might add noise to the classification results rather than help to achieve better classification. To find the top features that give the best classification accuracy, a ranking algorithm can be used. For this kind of problem, applying a ranking algorithm \( R(F, P) \), where P denotes priority, yields the list of features \( F = [f_1, f_2, \ldots, f_n] \) ordered by decreasing priority. The factor used to calculate the priority of each feature, \( \mathrm{Priority}(f_i),\ i = 1 \ldots n \), depends on the kind of ranking algorithm used. The algorithm used to rank the features by their scores or importance is given below.

When some existing feature selection methods such as Information Gain were applied, it was observed that features important to an attack case were missed when the features were ranked by priority: at times the priority of a feature \( f_i \) was not given the importance we would expect. Hence, features were ranked according to their practical importance by adding weights while evaluating a feature \( f_i \). For example, consider the scenario discussed at the beginning of the proposed work. The feature Valid_user determines whether the request sent by the user is genuine by checking for his registration information in the cloud network. If the user is not registered, the request can be immediately flagged as suspicious. Hence, in the experiments, features such as Valid_user and CPU_Usage would have been assigned more weight than the rest of the features.

After ranking all 21 features using the above algorithm, the best 'n' features had to be selected, where 'n' is fixed by the domain expert. Although most of the observed features describe the dataset well enough, a few were redundant and were not considered while forming rules. We follow this method because the output obtained using a highly ranked feature set is much more reliable, and with a larger number of highly ranked features the accuracy of the classification algorithm also increases. We have used Fisher's discriminant criterion for selecting the top 'n' features from the prioritised feature set \( F_p \), where \( n \le |F_p| \). We define the problem as follows: select 'n' of the 'm' available features with the aim of achieving maximum class separation. Consider a particular feature, for example "CPU_Usage". Under different simulated attack scenarios, the value of the feature varies as given in Table 2.

Table 2 Sample feature subset before normalization

After normalization, the feature subset looks like the values given in Table 3.

Table 3 Sample feature subset after normalization

Thus the within class scatter matrix for a feature can be calculated as shown in Eq. (1).

$$ F_{w} = \sum_{i=1}^{n} P(f_i) $$
(1)

The mean of a feature set and the total mean for multiple feature-set is calculated as shown in Eq. (2).

$$ \mu = \sum_{i=1}^{n} \frac{x_i}{n} \quad \text{and} \quad \mu_{g} = \sum_{i=1}^{n} P(f_i)\,\mu_{i} $$
(2)

The between class scatter matrix for multi-class feature set can be given as Eq. (3).

$$ F_{b} = \sum_{i=1}^{n} P(f_i)\,(\mu_{i} - \mu_{g})(\mu_{i} - \mu_{g})^{T} $$
(3)

Thus, the feature covariance with respect to the total mean can be calculated as in Eq. (4).

$$ F_{c} = F_{w} + F_{b} $$
(4)

Finally, Fisher’s discriminant criterion can be given as shown in Eq. (5).

$$ FC = \frac{\operatorname{trace}(F_{w})}{\operatorname{trace}(F_{b})} \quad \text{or} \quad \operatorname{trace}\left\{ F_{w}^{-1} F_{b} \right\} $$
(5)

Using Fisher's criterion, features that possess good class-wise separability are automatically selected for the rule base. This is useful when different attack instances need to be classified using a smaller number of highly ranked features.
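As an added illustration, not code from the paper, the following Python ranks a constructed three-feature, three-class sample by the Fisher criterion of Eq. (5) in its trace(F_w^{-1} F_b) form, applied feature by feature after min-max normalisation as in Table 3, and then selects the top 'n' features, optionally with the expert weights of Sect. 3.2. The feature names, the sample values and the weights are assumptions; the within-class scatter is computed as the prior-weighted class variance, the standard definition that Eq. (1) abbreviates to its prior term.

```python
"""Feature scoring and ranking with Fisher's criterion (added example).

Assumptions (not from the paper): feature names, sample rows and weights
are constructed; within-class scatter is the prior-weighted class variance.
"""
from collections import defaultdict

# Constructed sample: (attack class, {feature: raw observed value}).
SAMPLE_ROWS = [
    ("LOIC",   {"CPU_Usage": 92.0, "Mem_Used": 7100.0, "IO_Reads": 410.0}),
    ("LOIC",   {"CPU_Usage": 88.0, "Mem_Used": 6900.0, "IO_Reads": 390.0}),
    ("XOIC",   {"CPU_Usage": 45.0, "Mem_Used": 7600.0, "IO_Reads": 400.0}),
    ("XOIC",   {"CPU_Usage": 48.0, "Mem_Used": 7400.0, "IO_Reads": 405.0}),
    ("SynGUI", {"CPU_Usage": 70.0, "Mem_Used": 3100.0, "IO_Reads": 900.0}),
    ("SynGUI", {"CPU_Usage": 74.0, "Mem_Used": 3000.0, "IO_Reads": 880.0}),
]


def normalize(rows):
    """Min-max normalise every feature to [0, 1] (the Table 3 step)."""
    names = list(rows[0][1].keys())
    lo = {f: min(r[1][f] for r in rows) for f in names}
    hi = {f: max(r[1][f] for r in rows) for f in names}
    out = []
    for cls, feats in rows:
        scaled = {f: (feats[f] - lo[f]) / (hi[f] - lo[f]) if hi[f] > lo[f] else 0.0
                  for f in names}
        out.append((cls, scaled))
    return out


def fisher_score(rows, feature):
    """One-dimensional Fisher criterion F_b / F_w for a single feature."""
    by_class = defaultdict(list)
    for cls, feats in rows:
        by_class[cls].append(feats[feature])
    total = len(rows)
    prior = {c: len(v) / total for c, v in by_class.items()}        # P(c)
    mean = {c: sum(v) / len(v) for c, v in by_class.items()}        # mu_c
    mu_g = sum(prior[c] * mean[c] for c in by_class)                 # Eq. (2)
    # Between-class scatter, Eq. (3) in scalar form.
    f_b = sum(prior[c] * (mean[c] - mu_g) ** 2 for c in by_class)
    # Within-class scatter: prior-weighted class variance (assumption).
    f_w = sum(prior[c] * sum((x - mean[c]) ** 2 for x in by_class[c]) / len(by_class[c])
              for c in by_class)
    return f_b / f_w if f_w > 0 else float("inf")


def rank_features(rows, weights=None):
    """Features ordered by decreasing score; weights model expert emphasis."""
    weights = weights or {}
    rows = normalize(rows)
    names = list(rows[0][1].keys())
    scored = {f: fisher_score(rows, f) * weights.get(f, 1.0) for f in names}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def select_top(rows, n, weights=None):
    """The best n features of the ranked set (n fixed by the domain expert)."""
    return [f for f, _ in rank_features(rows, weights)[:n]]


if __name__ == "__main__":
    for feature, score in rank_features(SAMPLE_ROWS):
        print(f"{feature:10s} {score:10.2f}")
    print("top 2:", select_top(SAMPLE_ROWS, 2))
```

On the constructed sample IO_Reads separates the three classes best, followed by Mem_Used; an expert weight on CPU_Usage large enough to outweigh that difference moves it to the top, which is how the weighting in Sect. 3.2 overrides a purely statistical ranking.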

3.3 Rule based classification algorithm for detecting DoS attacks

Using the feature selection algorithm discussed above, rules were formed based upon the priority of the different attack instances that were observed. The rules formulated for the rule base are listed below. They are generic if–then rules which describe a set of conditions and the outcome that follows when all of them are met, in the form:

$$ \left\{ \text{if rule } r_1 \text{ is condition-1, if rule } r_2 \text{ is condition-2} \ldots \text{ if rule } r_n \text{ is condition-}n \text{ then class is } C_1 \right\} $$

where r1, r2, …, rn are the observed parameter values and C1 is the attack class the pattern belongs to. Additionally, the following rules are used in this paper for effective detection of DoS attacks.

Proposed Rule I:
  if IO_Reads > IO_Reads (avg) and
  if IO_Read-bytes > IO_Read-bytes (avg) and
  if TCP_W_time > TCP_W_time (avg) and
  if P_Network > P_Network (avg) and
  if P_System > P_System (avg),
  then declare pattern as DoSIM attack.

Proposed Rule II:
  if IO_Reads > IO_Reads (avg) and
  if IO_Read-bytes > IO_Read-bytes (avg) and
  if CPU_Usage > CPU_Usage (avg) and
  if CPU_Load5 > CPU_Load5 (avg) and
  if CPU_Load10 > CPU_Load10 (avg),
  then declare pattern as SynGUI attack.

Proposed Rule III:
  if P_Handles > P_Handles (avg) and
  if P_Threads > P_Threads (avg) and
  if TCP_W_time > TCP_W_time (avg) and
  if Mem_Used > Mem_Used (avg) and
  if Mem_Buffd > Mem_Buffd (avg),
  then declare pattern as XOIC attack.

Proposed Rule IV:
  if TCP_W_time > TCP_W_time (avg) and
  if Mem_Used > Mem_Used (avg) and
  if Mem_Buffd > Mem_Buffd (avg) and
  if Mem_Free < Mem_Free (avg) and
  if P_Network > P_Network (avg) and
  if CPU_Usage > CPU_Usage (avg) and
  if CPU_Load5 > CPU_Load5 (avg) and
  if CPU_Load10 > CPU_Load10 (avg),
  then declare pattern as LOIC attack.

Proposed Rule V:
  if TCP_W_time > TCP_W_time (avg) and
  if CPU_Usage > CPU_Usage (avg) and
  if CPU_Load5 > CPU_Load5 (avg) and
  if CPU_Load10 > CPU_Load10 (avg) and
  if IO_Reads > IO_Reads (avg) and
  if IO_Read-bytes > IO_Read-bytes (avg) and
  if P_Handles > P_Handles (avg) and
  if P_Threads > P_Threads (avg),
  then declare pattern as Pyloris attack.

The average values of the different observed parameters are calculated as given in Eq. (6), shown here for CPU_Usage.

$$ CPU\_Usage\,(avg) = \frac{CPU\_Usage_1 + CPU\_Usage_2 + \cdots + CPU\_Usage_n}{n} $$
(6)

where ‘n’ is the number of instances of the selected feature.

In general, classification algorithms do not consider a domain expert's knowledge while solving a problem. In the proposed methodology, we have formulated the Intelligent Rule based Classification System for better accuracy instead of relying upon generic classification algorithms for decision making. It is well known that a domain expert's knowledge improves the results obtained in classification tasks. The detailed steps of the proposed algorithm, namely the Rule based Classification algorithm for detecting DoS attacks, are given below:

As explained previously, the proposed system considers a scenario in which only a user who has registered with the cloud network setup can use the cloud network resources. Hence, each request received in the cloud network traffic is first checked for its authenticity, and only traffic originating from a valid user is allowed. Once the request is accepted, it is analysed with respect to the change in the observed parameters, and the observed values are compared against the rules in the rule base. If the pattern matches any rule formulated in the rule base, the request is flagged as malicious; otherwise it is flagged as legitimate. The decision manager then takes the necessary action: in the simplest case, it allows the network traffic if it is legitimate and rejects it if it is found to be malicious.
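The rule base of Rules I–V, the averages of Eq. (6) and the request flow just described (authenticity check, rule matching, decision manager), put together as an added Python example that is not the paper's own implementation. The feature names are those used in the rules; the baseline observation window, the registered-user list and the request metrics are constructed for illustration, and each request is compared against the averages of that baseline window.

```python
"""Rule base and decision flow of Sect. 3.3 (added example, not the paper's code).

Assumptions: feature names come from Rules I-V; the baseline window,
registered users and request metrics below are constructed.
"""

# Rules I-V: (attack class, {feature: comparison}). ">" means the observed
# value must exceed the feature's baseline average, "<" that it must fall
# below it. All conditions of a rule must hold (conjunction).
RULE_BASE = [
    ("DoSIM", {"IO_Reads": ">", "IO_Read-bytes": ">", "TCP_W_time": ">",
               "P_Network": ">", "P_System": ">"}),
    ("SynGUI", {"IO_Reads": ">", "IO_Read-bytes": ">", "CPU_Usage": ">",
                "CPU_Load5": ">", "CPU_Load10": ">"}),
    ("XOIC", {"P_Handles": ">", "P_Threads": ">", "TCP_W_time": ">",
              "Mem_Used": ">", "Mem_Buffd": ">"}),
    ("LOIC", {"TCP_W_time": ">", "Mem_Used": ">", "Mem_Buffd": ">", "Mem_Free": "<",
              "P_Network": ">", "CPU_Usage": ">", "CPU_Load5": ">", "CPU_Load10": ">"}),
    ("Pyloris", {"TCP_W_time": ">", "CPU_Usage": ">", "CPU_Load5": ">", "CPU_Load10": ">",
                 "IO_Reads": ">", "IO_Read-bytes": ">", "P_Handles": ">", "P_Threads": ">"}),
]
FEATURES = sorted({f for _, conds in RULE_BASE for f in conds})

# Constructed "normal" values; the baseline window is three observations
# scaled around them, so the Eq. (6) averages come out equal to _BASE.
_BASE = {"IO_Reads": 100.0, "IO_Read-bytes": 4096.0, "TCP_W_time": 0.5,
         "P_Network": 20.0, "P_System": 60.0, "CPU_Usage": 30.0, "CPU_Load5": 0.8,
         "CPU_Load10": 0.7, "P_Handles": 300.0, "P_Threads": 40.0, "Mem_Used": 2048.0,
         "Mem_Buffd": 256.0, "Mem_Free": 6144.0}
BASELINE = [{f: v * scale for f, v in _BASE.items()} for scale in (0.9, 1.0, 1.1)]


def feature_averages(baseline):
    """Eq. (6): per-feature mean over the n baseline observations."""
    n = len(baseline)
    return {f: sum(obs[f] for obs in baseline) / n for f in FEATURES}


def matching_rules(observation, averages):
    """Attack classes whose rule is fully satisfied by the observation."""
    hits = []
    for attack, conds in RULE_BASE:
        satisfied = all(
            observation[f] > averages[f] if op == ">" else observation[f] < averages[f]
            for f, op in conds.items())
        if satisfied:
            hits.append(attack)
    return hits


def classify_request(request, averages, registered_users):
    """IRCS flow: authenticity check, rule matching, then the decision."""
    if request["user"] not in registered_users:
        return ("reject", "unregistered user")
    hits = matching_rules(request["metrics"], averages)
    if hits:
        return ("reject", "matches " + ", ".join(hits))
    return ("allow", "legitimate")


def make_metrics(elevated=(), lowered=()):
    """Constructed observation: listed features pushed above/below baseline."""
    metrics = {f: v * 0.95 for f, v in _BASE.items()}
    for f in elevated:
        metrics[f] = _BASE[f] * 3.0
    for f in lowered:
        metrics[f] = _BASE[f] * 0.5
    return metrics


if __name__ == "__main__":
    avg = feature_averages(BASELINE)
    users = {"alice"}
    syn = make_metrics(elevated=["IO_Reads", "IO_Read-bytes", "CPU_Usage",
                                 "CPU_Load5", "CPU_Load10"])
    print(classify_request({"user": "alice", "metrics": make_metrics()}, avg, users))
    print(classify_request({"user": "alice", "metrics": syn}, avg, users))
    print(classify_request({"user": "mallory", "metrics": make_metrics()}, avg, users))
```

Because every rule is a conjunction over the features the paper lists, an observation that elevates only the SynGUI features fires Rule II alone, while the LOIC profile (with Mem_Free below average) fires Rule IV alone; the averages are taken over a baseline window recorded under normal load, so a window that already contains attack traffic would raise the averages and let attacks slip through.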

4 Results and discussions

4.1 Cloud network environment

In this section, we illustrate the environment used to carry out the different DoS experiments for study and analysis. The cloud network setup was not deployed and tested in a real environment because of security and legal issues. For this work we instead cloned a physical network virtually and connected it to a real network. An overview of the setup is given diagrammatically in Fig. 2.

Fig. 2 Experimental setup

The setup runs on:

  a. a Dell server (Dell PowerEdge M620)
  b. Oracle VirtualBox software
  c. virtual routers connecting different virtual nodes and virtual subnets

The configuration of the experimental cloud network setup is given in Table 6.

Table 6 System configuration

Genuine traffic was collected from the real physical network environment. The virtual cloud network environment was set up to conduct the attack experiments using different DoS tools and to study the impact of the attacks on the server (victim). It also minimises the probability of test packets flooding out into the regular environment. Third-party dataset providers such as DARPA and KDD CUP [28] do not update their datasets with the latest DoS attack scenarios; hence, for research purposes, we decided to generate our own dataset. Various parameters such as processor usage, memory usage and network bandwidth usage were observed to form the initial training dataset, and further analysis in this work was based entirely on it. Our main objective in setting up a virtual cloud network environment was to carry out DoS attacks at varying frequencies (higher and lower). The virtual environment was set up with Oracle VirtualBox software in order to mimic a physical network.

The setup consisted of cloned switches, routers, servers and networks. The virtual nodes comprised Linux and Windows systems placed on different virtual subnets. The virtual environment consists of three machines. The first is a Windows Server 2012 machine with VirtualBox installed, used to create multiple virtual nodes that launch the DoS attacks. The second is a Linux system which houses the proposed IRCS. The third is a Windows 7 system which acts as the server.

4.2 Evaluation and results

We created five different instances of attack classes, namely Pyloris, LOIC, XOIC, SynGUI and DoSIM attacks, for testing the proposed classifier. The dataset was prepared so that a total of approximately 5000 attack instances were collected. These were split into datasets of 100, 500, 1000, 2000 and 5000 instances respectively: dataset 'A' has 100 instances covering all the above attack types, dataset 'B' has 500 instances, and so on. To measure the accuracy of the proposed classifier, we have used the standard detection measures Recall, Precision and F-Measure, defined in Eqs. (7), (8) and (9).

$$ \text{Recall Rate} = \frac{\text{True Positive}}{\text{True Positive} + \text{False Negative}} \times 100 $$
(7)
$$ \text{Precision} = \frac{\text{True Positive}}{\text{True Positive} + \text{False Positive}} \times 100 $$
(8)
$$ \text{F-Measure} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} $$
(9)

where True Positive denotes attack instances rightly identified as attacks, False Positive denotes genuine requests or traffic wrongly interpreted as an attack, True Negative denotes genuine requests or traffic flagged as genuine, and False Negative denotes malign requests or attack traffic wrongly classified as genuine. Recall is also known as the True Positive Rate: the proportion of malign requests or traffic that is indeed admitted as malign. Precision is the proportion of true positives among all instances flagged as attacks, that is, true positives and false positives combined. The measures discussed above are summarised in the confusion matrix of Table 7.

Table 7 Confusion matrix

False positive rate is an important measure in other security and classification tasks as well, such as phishing webpage detection, medical data mining and intrusion detection. A lower false positive rate translates to better classifier performance. The graph comparing the false positive rate for the different dataset combinations is given in Fig. 3.

Fig. 3 False positive rates of the proposed classifier with different dataset sizes

During the experiments, we measured the number of packets arriving per second in the virtual cloud network. The TCP and UDP packet arrival rates with an increasing number of attackers are summarised in Table 8. The table shows how the number of TCP and UDP packets sent rises quickly as the number of attackers increases; the number of attackers clearly influences the number of malign packets sent over the network. We used the IPTraf tool to count the total number of TCP and UDP packets sent automatically.

Table 8 TCP packet arrival rate

The Recall, Precision and F-Measure values obtained for the different dataset sizes are given in Table 9.

Table 9 Recall, Precision and F-Measure values obtained

The average Recall, Precision and F-Measure values obtained in the experiments are given in Table 10.

Table 10 Average Recall, Precision and F-Measure values

We calculated the accuracy of the proposed classifier and then compared it with similar literature works. Accuracy can be defined as Eq. (10).

$$ {\text{Accuracy }} = \left\{ {\frac{{\left( {{\text{True Positive}} + {\text{True Negative}}} \right)}}{{\left( {{\text{True Positive}} + {\text{True Negative}} + {\text{False Positive}} + {\text{False Negative}}} \right)}}} \right\}*100 $$
(10)
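The confusion-matrix measures of Eqs. (7)–(10) and the false positive rate plotted in Fig. 3, computed over a constructed set of (actual, predicted) labels as an added Python example (not the paper's evaluation code). Any of the paper's five attack classes counts as malign and the label Legit as genuine when the binary confusion matrix of Table 7 is built; the sample results and the Legit label are assumptions.

```python
"""Detection measures of Eqs. (7)-(10) over labelled results (added example).

Assumptions: the (actual, predicted) pairs are constructed; "Legit" is the
genuine class and every attack class counts as malign in Table 7 terms.
"""
from collections import Counter

ATTACKS = {"Pyloris", "LOIC", "XOIC", "SynGUI", "DoSIM"}

# Constructed classifier output: (actual label, label assigned by IRCS).
SAMPLE_RESULTS = [
    ("LOIC", "LOIC"), ("LOIC", "LOIC"), ("XOIC", "XOIC"), ("SynGUI", "Legit"),
    ("Pyloris", "Pyloris"), ("DoSIM", "DoSIM"), ("Legit", "Legit"),
    ("Legit", "Legit"), ("Legit", "XOIC"), ("Legit", "Legit"),
]


def confusion_counts(results):
    """Binary confusion matrix of Table 7: attack (malign) vs genuine."""
    counts = Counter()
    for actual, predicted in results:
        is_attack, flagged = actual in ATTACKS, predicted in ATTACKS
        if is_attack and flagged:
            counts["TP"] += 1          # attack rightly identified as attack
        elif is_attack:
            counts["FN"] += 1          # attack wrongly classified as genuine
        elif flagged:
            counts["FP"] += 1          # genuine wrongly interpreted as attack
        else:
            counts["TN"] += 1          # genuine flagged as genuine
    return counts


def detection_metrics(results):
    """Recall, Precision, F-Measure, Accuracy (percent) and false positive rate."""
    c = confusion_counts(results)
    tp, fp, fn, tn = c["TP"], c["FP"], c["FN"], c["TN"]
    recall = tp / (tp + fn) * 100 if tp + fn else 0.0                 # Eq. (7)
    precision = tp / (tp + fp) * 100 if tp + fp else 0.0              # Eq. (8)
    f_measure = (2 * precision * recall / (precision + recall)
                 if precision + recall else 0.0)                      # Eq. (9)
    accuracy = (tp + tn) / (tp + tn + fp + fn) * 100                  # Eq. (10)
    fpr = fp / (fp + tn) * 100 if fp + tn else 0.0                    # Fig. 3 measure
    return {"recall": recall, "precision": precision, "f_measure": f_measure,
            "accuracy": accuracy, "fpr": fpr}


def per_class_confusion(results):
    """Multi-class view: how instances of each actual class were labelled."""
    table = {}
    for actual, predicted in results:
        table.setdefault(actual, Counter())[predicted] += 1
    return table


if __name__ == "__main__":
    for name, value in detection_metrics(SAMPLE_RESULTS).items():
        print(f"{name:10s} {value:6.2f}")
    for actual, row in per_class_confusion(SAMPLE_RESULTS).items():
        print(actual, dict(row))
```

The per-class table is worth keeping beside the binary measures: an attack labelled with the wrong attack class still counts as a true positive in Table 7 terms, so it is invisible in recall and accuracy but shows up there.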

The accuracy rate obtained by the classifier for the different datasets is given in Table 11. The classifier performs better when it can learn from a larger number of attack instances: the accuracy of the proposed IRCS increases with the size of the dataset.

Table 11 Accuracy rate of IRCS for different datasets

The accuracy rate obtained by the proposed classifier, together with the accuracy rates achieved by previous works in the literature [29], is shown in Table 12 and Fig. 4.

Table 12 Comparison of IRCS with existing works

Fig. 4 Accuracy analysis achieved without feature selection for classification algorithms

Figure 4 shows the accuracy analysis achieved without feature selection for various classification algorithms namely Naïve Bayes, Decision Tree Algorithm (C4.5), Multilayer Perceptron from Artificial Neural Networks (ANN), Support Vector Machine (SVM) and IRCS.

From Fig. 4, it is observed that the accuracy of the proposed system IRCS is high compared to the existing works, namely Naïve Bayes, C4.5, ANN and SVM. This is achieved through the use of rules and the effective application of the expert's opinions in IRCS.

Figure 5 shows the accuracy analysis achieved with feature selection for various classification algorithms namely Naïve Bayes, C4.5, ANN, SVM and the proposed IRCS.

Fig. 5 Accuracy rates achieved with feature selection for classification algorithms

From Fig. 5, it is observed that the accuracy of the proposed system IRCS is high compared to the existing works, namely Naïve Bayes, C4.5, ANN and SVM. This is achieved through the use of rules, the effective application of the expert's opinions and the feature selection methods in IRCS.

5 Conclusion and future works

The cloud network model for data storage and communication has been adopted by various organisations and industries. Organisational data is thereby exposed to a large volume of attacks specifically targeting cloud network resources. Therefore, an intelligent security system is proposed in this paper which uses newly proposed feature selection and classification techniques for effective detection of DoS attacks. Moreover, the proposed model uses the expert's advice for making final decisions on security, and hence the proposed system achieved an accuracy of 98.5% in the detection of attacks. The experimental results obtained in this work showed that the knowledge provided by a domain expert increases the efficiency of the proposed classifier compared with the commonly used classification algorithms. The major advantages of the proposed model are the reduction in the false positive rate and the increase in security. Future work in this direction could use temporal constraints to capture the dynamic nature of attacks; moreover, fuzzy rules could be used to handle uncertainty and make more accurate decisions.