2. Taxonomy of the Attacks on CC
The CC is defenseless against several attacks that pose serious security dangers. The threat of an attack is determined by the target of the adversary’s attack. The CC service availability can be disrupted partially or entirely for a short or long period.
2.1. Suffocative Attacks
Suffocative attacks are those that are bandwidth-based or involve volumetric attacks. This attack overloads the targeted system with garbage data to consume the bandwidth of the targeted network system, flooding the network and affecting system resources. Its magnitude is measured in bits per second (bps). Adversaries can launch this attack using UDP, ICMP flooding, or flooding the target with various spoofed packets.
2.2. Protocol Attacks
Protocol attacks consume real server resources and equipment used for networking communication, like load balancer (LB) devices or protection devices. The protocol attack is measured in packets per second (pps). It exploits the weaknesses of network protocols to increase the burden on the victim’s resources. Some examples of protocol attacks include a smurf attack, fragmented packet attack, SYN floods, and ping of death.
2.3. Economic Denial of Sustainability (EDoS)
A type of DDoS attack on CC that impacts the financial bottom line of victims is called an EDoS attack. It is a malicious attack specific to the CC that focuses on impacting the CSP’s OpEx more than the physical resources. It exploits the CC’s elastic or auto-scaling characteristic by attacking targeted services, especially on the application layer, forcing maximum consumption of CC resources until the services become inaccessible. Avoiding this situation requires the CSP to keep providing additional resources to fulfill the SLA for the CCC accessibility, which increases the cost for the CSP, resulting in EDoS.
Adversaries could trigger DDoS attacks on CC networks or resources using legitimate service requests to generate EDoS attacks. In other words, the basis of this financial damage came from DDoS attacks (the result of EDoS is DDoS attacks usually, and the opposite is also true) that exploited available resources to increase the bill. The bloated cost has to be borne by the CSP or passed along to their clients.
2.4. Permanent Denial-of-Service Attacks
Permanent denial-of-service (PDoS) or Phlashing is a fast-moving attack designed to disable the victim’s hardware and prohibit it from providing services. This type of cyber attack, a strain of DDoS attacks with more emphasis on the victim’s hardware, started to increase in frequency in 2017 as more occurrences involving this hardware-damaging attack were found. Furthermore, PDoS aims to cause perpetual harm to network equipment via programming, especially configurable network hardware, such as routers. Although PDoS attacks are rare, successful attacks are highly damaging to CC resources to the point of requiring the replacement or re-installation of equipment. Unlike DDoS attacks that disable a service temporarily, PDoS causes permanent hardware damage. It exploits the CC’s security flaws or misconfigurations in the remote administration function on the hardware management interface to alter the device’s firmware with a faulty version, damaging the device to the extent that requires fixing or even destroying essential system functions. All CC resources, such as LB, firewalls, VM, physical servers, storage units, and processors, are vulnerable to PDoS attacks. Moreover, since a PDoS attack focuses on the hardware, it requires far fewer resources than a DDoS attack. PDoS is more destructive and has been gaining popularity among adversaries. A CSP encountering a PDoS attack will incur business loss since services will be affected, and it could take a very long time to fix the fault. For instance, in 2009, the Federal Bureau of Investigation (FBI) raided DCs in Texas because of fraud against several organizations that worked out of the DCs. In another case, a significant information loss occurred to a CSP providing storage services in Magnolia after experiencing Omni drive failure, leading to its shutting down without notice in 2008.
A Help Net Security site ran a report on a universal serial bus (USB) device that disables a machine just by being put into the USB port. According to the report, the most recent PDoS USB attack works by injecting some electrical power through the machine with the help of a voltage transformer to release a flood of negative electricity into the USB port. An example of a PDoS USB device is PhlashDance, built by Rich Smith in his security lab in 2008 to exhibit the inner workings of a PDoS attack.
3. Taxonomy of DDoS Attacks on CC
DDoS attacks on CC have rapidly risen to the top of most cyber security threats lists. Attacks on CC could affect not only the CSP but also CC resources, including VMs and the networks. Nevertheless, whatever the motive of an adversary to carry out DDoS attacks, any deterioration in services offered to CCC decreases its value.
CERT experts (a variety of researchers) say most DDoS attacks against the CERT target the application layer. The vast majority of DDoS attacks use a tremendous number of requests of a standard communication protocol, making them hard to detect. Furthermore, they typically use well-known patterns to imitate legitimate traffic to throw off detection attempts. Therefore, standard network security strategies are not well suited to detect or prevent such attacks.
3.1. SYN Floods
An adversary executes SYN flood attacks on CC by sending SYN requests using a spoofed source IP address, forcing the VM to respond and allocate the necessary resources to handle the requests. The VM waits for an acknowledgment from the ‘sender’ that never arrives. The attacker’s continuous requests finally exhaust the VM of all its resources, such as memory and CPU. Consequently, the VM is forced to reject all subsequent user requests, including the legitimate ones.
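The half-open state described above can be watched for on the defending side. The following is an added example, not code from the paper: it tracks client SYNs that never receive the handshake's final ACK and raises an alert when a service exceeds a backlog limit. The event tuples, the timeout and the backlog limit are constructed assumptions.

```python
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits


class HalfOpenTracker:
    """Tracks client SYNs not yet followed by the handshake's final ACK."""

    def __init__(self, timeout_ms=3000):
        self.timeout_ms = timeout_ms
        self.pending = {}  # (src, sport, dst, dport) -> time the SYN was seen

    def observe(self, ts, src, sport, dst, dport, flags):
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            self.pending.setdefault(key, ts)   # server allocates state here
        elif flags & ACK:
            self.pending.pop(key, None)        # client completed the handshake

    def half_open(self, now):
        """Return a Counter {(dst, dport): count} of unexpired half-open entries."""
        expired = [k for k, seen in self.pending.items()
                   if now - seen > self.timeout_ms]
        for k in expired:                      # the server would have given up too
            del self.pending[k]
        return Counter((dst, dport) for (_, _, dst, dport) in self.pending)


def detect(events, backlog_limit, timeout_ms=3000):
    """Return the first (time, service, half_open_count) alert per service."""
    tracker = HalfOpenTracker(timeout_ms)
    alerts, alerted = [], set()
    for ts, src, sport, dst, dport, flags in events:
        tracker.observe(ts, src, sport, dst, dport, flags)
        for service, count in tracker.half_open(ts).items():
            if count > backlog_limit and service not in alerted:
                alerted.add(service)
                alerts.append((ts, service, count))
    return alerts


# Constructed client-to-server events: (time_ms, src, sport, dst, dport, flags).
# Two clients complete the handshake; eight spoofed sources send a SYN only.
SAMPLE_EVENTS = [
    (0, "198.51.100.10", 40001, "10.0.0.5", 80, SYN),
    (50, "198.51.100.10", 40001, "10.0.0.5", 80, ACK),
    (100, "198.51.100.11", 40002, "10.0.0.5", 80, SYN),
    (150, "198.51.100.11", 40002, "10.0.0.5", 80, ACK),
] + [
    (1000 + 10 * i, f"203.0.113.{i + 1}", 5000 + i, "10.0.0.5", 80, SYN)
    for i in range(8)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, backlog_limit=5):
        print("half-open backlog exceeded:", alert)
```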
3.2. UDP Floods
In this attack, the network bandwidth of CC is fully exhausted, although no user exists. An adversary injects a huge number of UDP packets into the network.
3.3. Ping of Death
A ping of death (PoD) attack involves an adversary using unusually large packets to cripple the CC’s VM or resources. The adversary changes the ping instruction by modifying the Fragment Offset field in the IP header to create a packet larger than the maximum permissible value for that field, which is 65,536 bytes. A ping packet with a size larger than the limit set by TCP/IP could overflow the buffer of the destination OS, affecting the victim’s computer connected to the CC networks and influencing the CC services linked to those networks. However, nowadays, all modern network equipment and OS ignore 65,535-byte IP packets that may cause a crash or slowdown of the OS, making today’s network and machines less susceptible to this attack.
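The check a receiver applies before reassembly can be shown on raw header bytes. The following is an added example, not code from the paper: it parses an IPv4 header and rejects any fragment whose offset plus length would push the reassembled datagram past 65,535 bytes, the largest value the 16-bit Total Length field can hold. The function names and the sample headers are constructed for illustration.

```python
import struct

MAX_DATAGRAM = 65535                    # largest 16-bit Total Length value
HDR = struct.Struct("!BBHHHBBH4s4s")    # fixed 20-byte IPv4 header


def build_header(total_length, offset_units, more_fragments):
    """Constructed test input: an ICMP/IPv4 header (checksum left at 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    return HDR.pack(0x45, 0, total_length, 0x1234, flags_frag, 64, 1, 0,
                    bytes([192, 0, 2, 1]), bytes([10, 0, 0, 5]))


def parse_fragment(header):
    """Extract the fields needed to place this fragment in the datagram."""
    if len(header) < HDR.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, _dst) = HDR.unpack(header[:HDR.size])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len:
        raise ValueError("malformed IPv4 header")
    return {
        "src": ".".join(str(b) for b in src),
        "ident": ident,
        "protocol": proto,
        "header_len": header_len,
        "offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
        "payload_len": total_len - header_len,
        "more_fragments": bool(flags_frag & 0x2000),
    }


def check_fragment(header):
    """Return (ok, size): size is the datagram length this fragment implies."""
    frag = parse_fragment(header)
    size = frag["header_len"] + frag["offset"] + frag["payload_len"]
    return size <= MAX_DATAGRAM, size


if __name__ == "__main__":
    samples = {
        "last fragment of a 4,028-byte ping": build_header(1068, 370, False),
        "fragment placed past the limit": build_header(1500, 8189, False),
    }
    for label, hdr in samples.items():
        ok, size = check_fragment(hdr)
        print(f"{label}: implied size {size}, {'accept' if ok else 'drop'}")
```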
3.4. ICMP Flood Attack
ICMP messages are used to locate hosts on a network, map network structure, and determine the OS in use. It can also be used as a vehicle for various DDoS attacks on CC. For example, an adversary could crash the targeted host with ICMP Echo Request (ping) packets by broadcasting them quickly without waiting for replies, similar to the UDP flood attack principle. The targeted VM’s resources would deplete rapidly, affecting the VM’s availability. All Internet protocols permit specific data packets. In this attack, the destination CC resources or VM receives more data packets than the protocol allows, forcing the TCP/IP stack to fragment all data packets on the sender side and assemble them on the receiving side. When large amounts of fragmented data must be reassembled, the destination system’s performance will suffer. In other words, adversaries flooded the victim machine by sending a huge number of ICMP echo requests. When the infected machine tries to respond, the maximum bandwidth used will be near the maximum amount. As a result, legitimate users could not connect to the CC network. When the CCC tries to send the reply, adversaries send an ICMP echo request packet. The bandwidth utilization will reach the maximum, and new users cannot connect to the network during this time. Furthermore, the adversary could leverage a compromised CC device as an intermediary to send ICMP echo requests to flood the local network, resulting in an insider attack.
3.5. HTTP Flood
The application layer is vital for CC since the CSPs deliver many essential services to their users using application layer protocols, such as HTTP. HTTP is the primary application layer protocol used by web servers. Since CC usually hosts many web application servers, a massive number of HTTP requests can easily overwhelm web services. An example of an application layer attack is an HTTP flood. In an HTTP flood, the attackers may send enormous volumes of malicious HTTP requests to the victims to exhaust the resources and services running in the cloud and cause an EDoS attack, which is explained in Section 5.1.
A client, via a web browser or terminal, “talks” to a VM or web application server by sending a POST or GET request. The client uses POST queries to access dynamic resources, while GET requests retrieve static information like images. The two main categories of HTTP flood attacks are HTTP-POST and HTTP-GET. Attackers could overwhelm a targeted site or VM with HTTP-GET requests using valid packets without reflection or spoofing. Because many requests are sent to the web application server, and the VM generates many more responses than the zombie army receives, this attack is achievable by small botnets.
In this situation, an attacker sends an HTTP-GET request to the target application to test its availability. If the attacker receives an acknowledgment from the target application, the attacker transmits new HTTP-GET requests successively without waiting for acknowledgments. Since the web application server does not filter HTTP-GET requests to check if they are legitimate or not, it will continue accepting and processing the requests.
4. Taxonomy of DDoS Attack Detection Approaches on CC
4.1. Signature-Based Detection
Signature-based, misuse-based, or rule-based approaches detect a DDoS attack if the incoming packets or traffic patterns match the predefined signatures or rules in its attack signatures database. The drawback of these approaches is they cannot detect zero-day attacks.
The authors in 
outlined the design of an offline signature-based network IDS that uses distributed processing and a Naive Bayesian classifier to detect DoS and DDoS attacks against HTTP servers. They or other researchers should do more work to build an inline IDS to identify attacks in real time. Because the current technique can only detect known attacks, more research is needed to detect new ones. The performance of the Naïve Bayesian classifier, having different classification methods, was evaluated on a testbed, achieving 97.82% classification accuracy for slow read attacks and 96.46% detection accuracy for normal behavior.
Anitha and Malliga attempted to solve the problem of HTTP and XML Denial of Service (HX-DoS) attacks using CLASSIE, a rule-based detection system, and the modulo marking approach, which prevents spoofing attacks. For decision and packets dropping on the victim side, the Reconstruct and Drop method is employed. It helps improve the detection and filtering of DDoS attacks while lowering the false-positive rate. These attacks can be quickly detected on the adversary side by utilizing a packet-based marking mechanism. It can be filtered using the discovered packets on the victim side by dropping the marked packets. As a result, the overhead of packet marking and the false-positive rate of DoS attacks are considerably decreased.
Wang et al. presented a dataset shift attack detection system based on a graphic model. The simulation findings suggest that their architecture can deal with the security difficulties posed by the new network paradigm effectively and efficiently. Additionally, the simulation result indicates that their attack detection system can effectively report numerous threats using real-world network traffic.
They proposed a new IPS service that uses signature-based devices, known as service-based intrusion prevention systems in CC (SIPSCC), to prevent SQL injections on CC websites (CCW). They used three VMs to test a model. Their implementation proposes, investigates, and evaluates SIPSCC from three perspectives: vulnerability detection, average time, and false positives. The suggested technique identifies and prevents key vulnerabilities in CCW.
Khatri and Khilari proposed an architecture that includes the implementation of Suricata IDS for securing virtualized servers on CC and the validation of the IDS in detecting DDoS attacks against virtualized environments, effectively protecting the CC from vulnerabilities.
Sangeetha et al. proposed combining a multi-threaded network IDS (NIDS) and host IDS (HIDS) to provide an efficient, quick, and secure HIDS. Cloud-IDS now captures packets from the network, analyses them, and sends reports to the CC Administrator based on the analysis. The K-Nearest neighbor and neural network (KNN-NN) hybrid classifier analyzes packets. Further, the NSL-KDD dataset is used for training and testing purposes. After receiving the notification from Cloud-IDS, the CSP will alert the user and keep a log list of the malicious IP addresses. This approach effectively manages huge data packets, analyses them, and generates reports while detecting anomalies and misuse.
The E-CARGO model is used to present a collaborative intrusion detection architecture. The components of an IDS are described by the common intrusion detection frame (CIDF). They also create and clearly outline the agent’s behaviors and their relationships. The experiments show that their proposed technique can detect slow-scanning and DDoS attacks, which validates their model. The authors planned to study combining cooperative computing with IDS to deal with real-world problems in future work.
4.2. Anomaly-Based Detection
Anomaly-based detection is based on a profiling program that will be created for the normal behavior of the network, which the anomaly-based detection system will use as a baseline. Deviation from this baseline will be treated as an anomaly or a possible intrusion. Anomaly-based detection approaches can trigger multiple false alarms due to the changing nature of network behavior or zombies and suspicious requests on the application layer if the detecting algorithm parameters are not properly tuned. Without any tuning to optimization, the classifier will not increase the detecting accuracy. If not, collecting the correct logs in a good way to choose the features well will not contribute to the best detection. The input to detection could be in the form of a vector, object, point, or observation named as single data instances or a combination of data instances. Several anomaly-based approaches are using DL and ML to detect HTTP flooding DDoS attacks.
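The baseline-and-deviation idea above, applied to the HTTP-GET flood of Section 3.5, is sketched below as an added example that is not taken from the paper or from any of the surveyed systems. It learns a per-client GET rate from a baseline log and flags clients that exceed the mean by k standard deviations. The log format (`epoch_seconds client_ip METHOD path status`), the 10-second window, the value of k and all log lines are constructed assumptions.

```python
import statistics
from collections import Counter

WINDOW = 10  # seconds per counting window (assumed)


def parse(line):
    """Split one line of the assumed format: epoch ip METHOD path status."""
    ts, ip, method, path, status = line.split()
    return int(ts), ip, method, path, int(status)


def get_counts(lines):
    """Count GET requests per (client, window start)."""
    counts = Counter()
    for line in lines:
        ts, ip, method, _path, _status = parse(line)
        if method == "GET":
            counts[(ip, ts - ts % WINDOW)] += 1
    return counts


def learn_threshold(baseline_lines, k=3.0):
    """Baseline profile: mean + k * stddev of GETs per client per window.

    Only windows in which a client was active contribute a sample.
    """
    samples = list(get_counts(baseline_lines).values())
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def detect(lines, threshold):
    """Return sorted (client, window_start, gets) entries above the baseline."""
    return sorted((ip, start, n)
                  for (ip, start), n in get_counts(lines).items()
                  if n > threshold)


def make_lines(window_start, ip, n, path="/index.html"):
    """Constructed sample data: n GET lines from one client in one window."""
    return [f"{window_start + i % WINDOW} {ip} GET {path} 200" for i in range(n)]


# Constructed baseline: three clients, six windows, 2 to 4 GETs per window.
BASELINE = [line
            for w in range(6)
            for ip, n in (("198.51.100.1", 2), ("198.51.100.2", 3),
                          ("198.51.100.3", 4))
            for line in make_lines(w * WINDOW, ip, n)]

# Constructed live window: normal clients, a small burst, and one client
# issuing 40 GETs in the same 10 seconds.
LIVE = (make_lines(1000, "198.51.100.1", 2)
        + make_lines(1000, "198.51.100.3", 5)
        + make_lines(1000, "203.0.113.9", 40)
        + ["1003 198.51.100.2 POST /login 200"])

if __name__ == "__main__":
    limit = learn_threshold(BASELINE)
    print(f"threshold: {limit:.2f} GETs per {WINDOW}s window")
    for hit in detect(LIVE, limit):
        print("anomalous client:", hit)
```

Raising k trades missed floods for fewer false alarms, which is the tuning problem the paragraph describes.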
Alqahtani and Gamble came up with a DDoS attack detection technique for the CC service and developed a four-layer algorithm to resolve the originating service for the attack. The levels are so structured that each level is suitable for detecting the attacks’ symptoms using local data. Their detection techniques achieved O(n²) time in the worst-case scenario. They also reported a link between DDoS attacks and unauthorized messages passed across services.
Abusitta et al. proposed a correlation mechanism by employing hypervisors to determine the predicted resource load of current compromised VMs based on specified metrics. The calculated resource load is then compared to the total resource load. The proposed approach collects system metrics to train the SVM classifier to distinguish between normal and malicious (i.e., DoS attack) VM activities. The results show that when utilizing the model to make resource adjustments, the detection accuracy hits 97.60%. Their findings also demonstrate that the accuracy of the revoking and granting adjustments was reduced by just 1.79 percent and 1.43 percent, respectively, under the effect of resource adjustments, which have minimal impact and may be ignored.
Choi et al. proposed a way to detect HTTP-GET flood DDoS attacks using MapReduce. This method ensures the target system’s availability for precise and reliable detection of HTTP-GET flood attacks. The experimental results show that the proposed approach outperforms Snort detection because its processing time decreases as congestion increases.
Chen et al. proposed a CC-based network monitoring and threat detection mechanism comprising monitoring agents, CC infrastructure, and operation center components. The proposed mechanism used Hadoop, Spark, and MapReduce to speed up data processing using separation and concurrent processing of data streams. Furthermore, they conducted a real-world experiment to evaluate the effectiveness of the developed network monitoring and threat detection and system performance to limit the risk of DoS attacks. The evaluation results reveal that the mechanism successfully detects and mitigates these attacks. Furthermore, the defensive system detects all published vulnerabilities and can identify unknown attacks.
Xiao et al. proposed a protocol-free detection (PFD) algorithm to detect ransom denial of service (RDoS) attacks against the CC regardless of the protocol utilized in the attack. PFD calculates the flow correlation coefficient (FCC) between flow pairs and issues a warning once suspicious flows have been identified. The simulation result indicates it is effective in detecting RDoS attacks and can help detect and isolate adversary flows.
Dhanapal and Nithyanadam used the OpenStack CC platform to implement their solution that detects, mitigates, and prevents low-rate HTTP DDoS attacks in the CC environment. The experiments yielded accurate findings in identifying attacks in the early phases.
The authors in 
studied the existing DDoS attack detection frameworks and their flaws, then proposed a CC testbed framework on top of an OpenStack platform for testing HTTP flood DDoS attack solutions. They also looked into numerous attack paths to the web server on the CC, internally and externally.
The authors present a novel approach to protecting mobile-based systems from DDoS attacks. The model is built on anomaly detection to defend the public/private CC against zero-day attacks. By preventing CC DDoS attacks, the availability of CC applications significantly improved, and users will receive high-quality services. Evaluations of the proposed model’s efficiency and performance were promising in safeguarding mobile-based CC systems against DDoS attacks. The focus is on detecting and protecting mobile-based systems from DDoS attacks
reported the approach’s complexity analysis, efficacy, and performance assessments, and the improved version is documented in 
Hazavehi and Rahmani proposed and developed a mechanism called TPANGND for detecting DDoS attacks based on anomalies. Their mechanism uses flow-based classifier (FBC) to group similar input patterns into several clusters to determine an attack. Unique scenarios exist where FBC cannot distinguish between benign and malicious traffic. The suspect traffic is recognized in this situation by looking at the correlation between the VM instance issued by the CSP at a specific timestamp and the suspicious source list. The experimental results show that the suggested technique has a higher detection rate than existing K-means, fuzzy c-means clustering, bat clustering, and Bartd methods. It can detect unknown threats with fewer false alarms.
Abbasi et al. proposed a new framework to detect various EDoS attacks by creating a profile that learns from and categorizes normal and abnormal activities. The more demanding resources are only allocated to VMs with a normal state in this framework, preventing the propagation of attacks and resource misuse in the CC.
Singh et al. proposed collaborative IDS (CIDS), a system that combines cascading decision trees (DTs) and SVM to increase detection accuracy. DT speeds up the learning process and divides the dataset into smaller subsets; SVM on each sub-dataset (e.g., KDD99, NSL KDD, and ITOC) reduces SVM learning time, overcomes over-fitting, and reduces the size of the DT, allowing faster detection.
Raja Sree and Mary Saira Bhanu proposed a method that scans log files to extract essential information related to HTTP flooding threats by grouping similar input patterns using fuzzy bat clustering and determining unusual behavior using deviating anomaly scores. They compared the findings with existing methodologies such as k-means clustering, fuzzy c-means clustering, bat clustering, and the Bartd method, showing the proposed method accurately diagnoses anomalies with low false alarms.
4.3. Hybrid Detection
A hybrid detection approach combines multiple detection approaches, including signature- and anomaly-based approaches. However, it has some drawbacks, such as a conflict between the two approaches, resulting in increased detection time. Therefore, the hybrid approach requires balancing options and complementary features for each approach to improve discovery and detection rates.
Several researchers have adopted this approach and have presented architecture and methods for performing intrusion detection utilizing hypervisor performance metrics using virtualization technology based on CC. Furthermore, it is demonstrated that suspicious activities can be profiled without detailed knowledge of the OS running within the VMs using VM performance metrics gathered from hypervisors, such as packets transmitted/received, block device read/write requests, and CPU utilization.
Patil et al. have designed an efficient security framework called Protocol Specific Multi-threaded Network IDS to detect DDoS attacks in a CC. It works by separating the incoming packets based on the protocol. These packets are sent in a queue for processing therein. The framework thread is responsible for handling each queue which also extracts the relevant features and applies protocol-specific classifiers for each packet in the queue. They used the KDD’99 dataset.
SaiSindhuTheja and Shyam proposed an efficient DoS attack detection system based on the oppositional crow search algorithm (OCSA), which combines the crow search algorithm (CSA) and the opposition-based learning (OBL) technique. The proposed method has two stages: feature selection with OCSA and classification with an RNN classifier. The OCSA method identifies the key features, then feeds into the RNN classifier. The RNN classifier is used to classify incoming data during the testing process. It ensures that standard data (saved in the CC) is isolated from compromised data. The results show that this strategy outperforms other conventional methods by 98.18%, 95.13%, 93.56%, and 94.12% in terms of Precision, Recall, F-Measure, and Accuracy, respectively, using the benchmark data set. In addition, the suggested approach surpasses existing efforts by 3% on average across all metrics.
Many existing ML algorithms, such as neural classifiers, can detect DDoS attacks. The researchers in 
discussed the findings of a survey on DDoS attacks in the CC environment. DDoS attacks are frequently categorized as bandwidth and resource consumption attacks. SYN Flood and Flash Crowd are prevalent DDoS attacks in a CC context. Nagaraja et al. also tested many ML algorithms to detect DDoS attacks; some are more accurate than others. The use of ML techniques resulted in a higher false-positive detection rate. According to their study, after examining several studies on network attack detection in the CC environment, the most extensively utilized technique to detect DDoS attacks in the CC is ANN, SVM, KNN, J48, feature rank, and feature selection.
4.4. Entropy-Based Detection
Entropy is the ratio of arbitrariness in the data. The entropy-based detection approach analyzes random data, the entropy, or the Shannon-Wiener index to evaluate uncertainty associated with the data. Maximum randomness in the data implies a maximum entropy value. For example, if the data only has one class, its entropy value will be lower. On the contrary, the data with numerous classes will have a higher entropy value. This way, the tested headers are broken down for port and IP, and their entropy is computed.
Entropy is usually used to calculate the randomness of IP source addresses or port numbers. A high entropy value indicates the traffic originates from various sources, which is the clue to detecting DDoS attacks. A threshold can be put in place to distinguish DDoS attack traffic from normal traffic. The administrator should be alerted of DDoS attacks if the entropy value exceeds the threshold. If the detection of DDoS attacks involves multiple levels, the procedure can be partitioned into three stages:
First stage: The client is permitted to go through the switch, and the detection calculation confirms that it is genuine.
Second stage: The entropy is calculated based on the data packet size and the client’s authentication.
Third stage: The entropy value is compared with the threshold to determine if it is a DDoS attack or not.
Once the location of any abnormality is discovered, an information message is sent to CSP owners to take necessary action. The authors in 
proposed an approach to detect HTTP flooding DDoS attacks in a CC using information-theoretic entropy (ITE) and ML to improve the false-positive rates. They are planning a real-world deployment of their approach for evaluation using several HTTP DDoS attack tools in the future.
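The entropy computation and threshold comparison described in this section can be made concrete. The following is an added example, not code from the paper or from the cited approaches: it computes the Shannon entropy of source addresses and source ports per time window and reports the windows whose source-address entropy exceeds a threshold. The window length, the 3-bit threshold and the packet records are constructed assumptions.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(-(c / total) * math.log2(c / total) for c in counts.values())


def entropy_by_window(packets, window_s):
    """Return [(window_start, src_ip_entropy, src_port_entropy), ...].

    packets: iterable of (time_s, src_ip, src_port) header fields.
    """
    buckets = defaultdict(list)
    for ts, src_ip, src_port in packets:
        buckets[ts - ts % window_s].append((src_ip, src_port))
    return [(start,
             shannon_entropy(ip for ip, _ in rows),
             shannon_entropy(port for _, port in rows))
            for start, rows in sorted(buckets.items())]


def detect(packets, window_s, threshold_bits):
    """Windows whose source-address entropy exceeds the threshold."""
    return [(start, h_ip)
            for start, h_ip, _h_port in entropy_by_window(packets, window_s)
            if h_ip > threshold_bits]


# Constructed sample traffic, three 10-second windows:
#   window 0:  8 packets from 2 sources  -> 1 bit
#   window 10: 8 packets from 4 sources  -> 2 bits
#   window 20: 64 packets, each from a different source -> 6 bits
SAMPLE_PACKETS = (
    [(i, f"198.51.100.{1 + i % 2}", 40000 + i) for i in range(8)]
    + [(10 + i, f"198.51.100.{1 + i % 4}", 41000 + i) for i in range(8)]
    + [(20 + i % 10, f"203.0.113.{i + 1}", 1024 + i) for i in range(64)]
)

if __name__ == "__main__":
    for start, h_ip, h_port in entropy_by_window(SAMPLE_PACKETS, 10):
        print(f"window {start:>3}: H(src ip)={h_ip:.2f}  H(src port)={h_port:.2f}")
    for start, h_ip in detect(SAMPLE_PACKETS, 10, threshold_bits=3.0):
        print(f"ALERT window {start}: source entropy {h_ip:.2f} bits")
```

The single-class case from the text corresponds to an entropy of 0 bits; a fixed threshold such as the one assumed here would in practice be derived from entropy values observed during normal traffic.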
The authors in 
developed an entropy-based detection technique for DDoS attacks, achieving a 90 percent accuracy without extra packet overhead, resulting in excellent QoS. In addition, they have used CCs to implement the same algorithm. Meanwhile, the authors in 
used a Gossip-based DDoS attacks detection apparatus for attack detection in a computer network by exchanging a stream of traffic-over-line.
The authors in 
used an improved entropy to detect the cause of overload and locate the source of the problem, but 
is similar in its approach to these authors. It appears that a reduction in traffic and improved response time could be feasible with the data simulated.
Girma et al. examined and compared various DDoS attack detection techniques against multiple parameters. After discussing their benefits and drawbacks, they proposed a hybrid statistical model that could significantly mitigate DDoS attacks, providing a better solution to current detection issues. The authors of 
looked at the standard EPA-HTTP (environmental protection agency-hypertext transfer protocol) dataset. They chose the input parameters for the classifier model to distinguish an attack from a regular profile.
4.5. Filtering Tree-Based Detection
A technique proposed in 
identifies flood attacks by analyzing network logs and keeping track of the connection states, such as the active IPs of incoming requests. It alters the window size (number of time slots) and measures the sliding window of dynamic entropy, which is dependent on traffic load. In a CC setting, traditional DDoS attacks on servers and network resources could morph into a new breed of attack called EDoS attacks, which target the CCC’s economic resources. The researchers have presented a unique mitigation strategy against EDoS threats, utilizing source checking, counting, and Turing Test. The simulation results suggest that their technology can mitigate CC EDoS attacks.
Researchers in 
proposed a CC defender system named cloud service queuing defender (CSQD) to detect and remediate XML vulnerabilities in online services. CSQD, a self-learner, employs a traceback solution to determine the source of the attack. Suppose an attack successfully shuts down the server; the CSQD system will detect the malicious requests and store them in its database to prevent similar attacks in the future. The authors presented a game-theoretic model and study that predicted widespread strategy adoption, reducing the risk of DNS amplification attacks. They have demonstrated the ability to implement their concept as a CC-based service to cut costs further and provide additional defenses for DNS servers.
A new solution dubbed an enhanced DDoS-mitigation system (Enhanced DDoS-MS) has been developed to combat EDoS attacks by leveraging firewall capabilities to control a verification process to protect the targeted system. Researchers used a simulated environment to assess their proposed system, showing the firewall successfully mitigates DDoS attacks by increasing users’ services in response time and server load under attack.
Fontaine et al. proposed a simplified CC security utilizing ML approaches to address the challenge of complex and platform-specific CC security architectures. It leads to a more general design that employs decision trees and neural networks as classifiers, trained using data gathered by CC apps. Iyengar et al. proposed a multilevel thrust filtration (MTF) mechanism as a solution against DDoS attacks in a CC environment. The mechanism authenticates incoming requests and detects various types of DDoS attacks at various levels at the early stage to prevent unnecessary traffic from reaching the DC.