Description:Adaptive Machine Learning-Based Intrusion Detection System for Cloud Security with Real-Time Anomaly Detection and Behavior Profiling
2. PROBLEM STATEMENT:
Thus, the increased popularity of the cloud computing services leads to greater challenges and opportunities of providing protection to digital resources and sensitive data. The benefits of cloud platforms include scalability, flexibility, and cost savings; nevertheless, the organization using cloud platforms is exposed to security risks such as unauthorized access to cloud and cloud data breaches. Standard anti-virus, coast, firewalls, and other similar measures are ineffective in approaching cloud-based systems compared to the dynamic new models. This leads to the creation of several susceptibilities whereby it becomes extremely important to consider the possibilities of risk on the lookout.
One of the biggest concerns of cloud information security is intrusions and in cases of big data and fluctuating traffic flow. Another factor which exacerbates the issue is the new generation of cyberthreats like APTs and zero-day attacks which are made to avoid common tools and techniques of information security. These threats persist for long they remain unnoticed and in the meanwhile can bring in potential danger such as data loss, system tampering and loss of money.
One of the threats is the ability of users and related systems in the cloud to be profiled. Currently IDS can be rule based where they check for any intrusion based on previous rules or signatures that have already been known to the system or signature-based methods that detect signatures of known threats, but have a weak point for new threats, unknown threats and emerging threats. Also, cloud environments involve even a large number of users and devices from different levels of trust, and hence, the identification of an abnormal behaviour that reflects malicious activity would be even more challenging. If the behavior of users and processes is not precisely identified and controlled, the risks to cloud systems include unauthorized access and use, as well as data leakage.
To counter these issues the problem resides with the limitation of existing intrusion detection system that fails to detect unknown and emerging threats continually in real-time. There is needed an opportunity to analyze big amount of data, to change with new environments of cloud technologies and to decide reliable-identify the deviant or intrusions without additional programming or help from special service. The traditional IDS systems do not make use of the machine learning approach to the level that is necessary to handle the dynamic environment of cloud security threats.
The solution to this problem is known as an Adaptive Machine Learning-Based Intrusion Detection System for Cloud Security with Real-Time Anomaly Detection and Behavior Profiling that uses machine learning algorithms integrated with real-time monitoring to create a highly effective and efficient security solution. It should be able to learn and adapt to the new threat that are emerging, profiling of users and systems and discovery of such behaviors that may depict a threat – thus providing better security and the ability to detect threats that the common security measures may overlook.
In summary, the problem is:
• They are unable to prevent a new and complex attack from happening and they are thereby incapable of preventing security threats.
• Possible Limitations: Firstly, current systems may not be operating in real time that is, the threats are not detected and controlled promptly.
• Challenges: Several factors hold immense challenges due to flexibility and complexity when using cloud resources such as the openness, flexibility, and heterogeneity.
• Nonetheless, several current systems are unable to profile effective and ineffective behavioral patterns for normal user and systems, making systems open to insider threats and other positive deviant behaviors.
These problems can be addressed by an adaptive machine learning approach which will include features like real-time detection, continuous learning, and better identification of new as well as existing threats in cloud environment.

3. EXISTING SOLUTIONS
Since the threat landscape of cloud is rapidly growing, several intrusion detection systems (IDS) have been designed and implemented to control and observe the cloud environment to ensure that there is no intrusion. These solutions are of two types: signature-based solution and anomaly-based solution. However, these systems offer only basic security features and prove insufficient as far as the management of modern complex hosts, as well as dynamic clouds, constantly emerging threats, and real-time identification is concerned. Here are some of the measures that are adopted in an attempt to check Anticipated consequences of cloud security:

3.1 Signature-Based Intrusion Detection Systems (SIDS)
Finally, the signature-based IDS is considered as one of the prominent types of IDS. They operate through a mechanism that checks the data or even the traffic of the network with the database of attacks or patterns. The email or notification the system generates in case of a match is the next step. This method is very effective in identifying well-known attacks and since its is based on the signatures or patterns, it anticipates them.
Limitations:
• Nonetheless, signature-based IDS has problems to detect new and emerging threats since it relies on a list of signatures. This plays the tune that new threats that may be zero-day threats or threats that are unidentified will never be identified.
• Difficulty in Maintenance: Signatures form a database that may need constant update to suit the current operations, which can be expensive and time-consuming since it has to be done manually.
• Scalability Limitations: These systems are least suitable in cloud environments because of scalability; establishing large volumes of data and a large number of devices for signature updates and detection is not easy.

3.2 Anomaly-Based Intrusion Detection Systems (AIDS)
Anomaly-based IDS, on the other hand, are based on a set system standard and when the system deviates from such standards then it is considered to be a threat. The original version of these systems operate as a type of anomaly detection, where instead of historical values, statistical models, heuristics, or machine learning techniques are used in order to pattern what is considered ‘normal’ traffic and users, in order to investigate anything that is not the norm.

Limitations:
• False Positives: This makes one of the primary issues of the anomaly based systems to have high numbers of false positives. The authors also pointed out that anomaly types as minor and legitimate changes in behavior like new user activity or change in traffic patterns can be described as threats hence setting off alarms and affecting operational contexts.
• Building a baseline: In general, it could be extremely challenging to establishing a baseline, in complex systems which are evitable in cloud environments, given the ever dynamically change that characterizes-user behavior and system configurations. Anomalous behavior can of course falls between normal behavior even within a cloud context, for example new traffic or new users of resources.
• Scalability Limitations: Despite their capability to learn and identify new threats, there is usually the need to retrain such systems in instances where the cloud environment changes such as adding new services or applications or changes in the users’ actions. Thus, in dynamic environments of cloud platforms, these frameworks can be less effective.

3.3 Hybrid Intrusion Detection Systems
To be more effective than the previous methods of IDS, the hybrid IDS incorporate elements of both the methods as explained below. These systems seek for well-known threats while the others try to identify previously unknown threats hence the use of anomaly detection. This kind of approach provides the advantage of using both a signature and an anomaly detection method where the system can detect normal activity and sign of any malicious activity.

Limitations:
• Higher Complexity and Resource Requirement: Overlapping technology boundaries in Hybrid systems may cause higher level of complexity and higher levels of computations and resources consumed in the probability and risk detecting systems.
• Issues to Real-time performance: Crites continually working on both the sphere of signature data and the spherical of anomaly data prevent real time detection that is important for quick identification of threats.
• Scalability and Efficiency: Like any other system, hybrid IDS can likewise have the drawback of scalability The issue become worse especially when working on cloud computing environments where data traffic is large and many. High speed processing of large volumes of information, in many cases, cannot be per fromed with the help of traditional hybrid models.

3.4 Machine Learning-Based Intrusion Detection Systems
The popularity of Machine Learning based IDS is rising day-by-day because it has the advantage of learning through data and do not needs manual interventional. These systems are based or differentiate a network traffic or system behavior by deploying an algorithm including a decision tree, a neural network or an SVM. In the long run, the performance increases to higher accuracy since the system gains knowledge from tagged data.

Limitations:
• Yet, as with any other machine learning models, the adversary depends heavily on vast training data for its proper functioning. At times, it is always a challenge to get the appropriate or rich data that can be used for training in a cloud environment where data is dynamic most of the time.
• Interpretability: One of the issues which are associated with some of the models, especially a segment of the machine learning model such as deep learning model is the interpretability of the model. This is disadvantageous with regard to the goal of providing information as to why a particular behavior was classified as anomalous or malicious, which affects the credibility of the system.
• Overfit and Underfit: It is also possible for the machine learning models to either over-fitting the training data to the extent that it cannot identify new threats or underfitting in the process of ignoring some of the complexities in the training data.

3.5 Cloud-Native Security Solutions
AWS, Microsoft Azure and Google Cloud are some of the common cloud computing service providers who have their own security products on their own platforms. Such services include firewalls, controls with access to certain sections, and security threats’ detection systems. There are also various machine learning based features for anomaly detection offered by some platforms for security enhancement.

Limitations:
• Vendor Lock-in: These solutions are mainly developed for use in a particular cloud vendor and might not be suitable when the business organization is using services from various cloud vendors.
• Lack of Flexibility: Although these solutions are part of the cloud platform, flexibility is not easily achieved for individual solution installation based on an organization’s security needs . It may result in prevention or improper monitoring of threats for complex or different configurations in cloud settings.
• Lack of Control over Security: Cloud service has provided the organization with security and this implies that the organization has left all their security needs in the hands of the provider which may not meet the organization’s standards.

Given all the solutions that have been presented, there is no perfect system that has been designed to address the issues of RiD in cloud computing systems. Another issue is that signature-based system is not able to identify new threats, anomaly-based system is too prone to false positives and has low baseline accuracy, while machine learning-based systems may require large amount of training data and in addition, they could be uninterpretable. Further, most solutions been developed are either tied to a particular platform or poorly adaptive to the virtual attributes of cloud architectures.

Malware detection in the current systems is inadequate in terms of flexibility, real-time identification, anddd scalability to meet the increased and diverse security threats arising in organizations using the clouds. Hence the proposal for the Adaptive Machine Learning-Based Intrusion Detection System for Cloud Security that will address these disadvantages due to its ability to detect the anomalies in correct and immediate way, carry out continuous profiling of behaviour and most of all, the ability to learn on its own in a scalable and efficient manner.
PREAMBLE
The AMLS-Cloud is a complex solution, which is proposed to meet the constantly evolving threats and challenges of cloud computing security, as described in the next section. Over the recent past, the development of cloud infrastructures within organizations has led to the need to protect the data and to prevent people who are not supposed to have access to some information or data to have it. The suggested system incorporates techniques of ML with some of the most sophisticated techniques in anomaly detection to ensure a real-time protection against modern and emerging threats.

This is one that is capable of real-time, passive observation of the cloud environment traffic, system logs and users’ activities comparing their behavior with known patterns of normal behavior. It also differentiates this kind of system from conventional IDS that depend on the databases of known signatures or rules of detection where this system it has capabilities to learn making it good at identifying new tricks as well as old ones. It is also capable of adapting to the new configurations in the cloud for example when new users, devices or services enter the network or when there is the addition of other facilities such as cabs, etc without necessarily having to it beprogrammed.

One of the greatest strengths of this system is the ability to constantly monitor and create real-time behavior patterns of both the users and different systems operating on the cloud system. By creating the baseline of the normal user or system behavior, the system will be also able to detect possible signs of the attack or violation. If, for instance, VIA’s network has access to another set of destinations not commonly used frequently or if the normal user logins appear sudden and erratic, or data transfer activities are occurring in atypical patterns, then such must be seen as anomalies. For that reason, it has adaptive learning ability that means it will be relevant as long as the users’ behaviors and locating clouds are changing gradually.

The ability to get these two functionalities working in parallel in real-time is useful for detecting elaborate tactics that include insider threats, APTs, and zero-day attacks. This greatly minimizes the chances of such threats to go unnoticed, which is a plus to cloud service providers and their clientele. Also, the system scale ability which means the system will be able to work effectively with large volume and complexity of data in large cloud based application right from small applications to the large scale cloud based enterprise organizations.

Moreover, it is the best solution because; it is not invasive and the least that requires input from my team. As it integrates with current cloud architecture, it does not create any overhead to the processes or an applications, thereby ensuring that security of the cloud services does not hinder the regular running of processes. It enables business to have a high level of security, can give high performance and have good looks.

This IDS is effective due to the use of technology unlike traditional security solutions that make it useful in protecting data and cloud applications from new threats through the use of real time threat detection, ability to learn while in operation as well as the capability to profile various users in a similar manner. Since machine learning can process big data, recognize trends, and operate based on more information, such change is a way to ensure the system’s relevance in a cloud computing context..

6. METHODOLOGY
AMLS4CS-RABP consists of following steps in order to make it capable of giving accurate intrusion detection in real-time while considering the dynamicity of cloud computing environments: This system uses supervised and unsupervised learning, behaviors patterns, and anomaly detection techniques to be used in identifying, analyzing, and responding to threats that affects cloud-based systems. This article seeks to present details of the method that has been adopted in the undertaking of this task, indicating the various phases as well as the part and parcels of the system that are involved in performing their functions.

1. Data Collection
The first stage of the method requires data collection from different sources within the aspect of cloud infrastructure. This data can include:
• Network Traffic: This refers to information that is transmitted across and through the cloud networks, such as requests and responses, as well as all the other activities done on the cloud.
• System Logs: Logs created by various software which subscribe to cloud computing technology such as login records, system activity records.
• User Activity: Information on events of activity that occurs on the user’s side including login timings, usage dynamics of the resources, etc.
• Cloud Infrastructure Data: This kind of data refers to the details of the cloud structure provision including new resources to accounts and gadgets.
This information is used as the basis of performing anomaly detection as well as behavior profiling of individuals.

2. Data Preprocessing
Thus, when the raw data is obtained, it is preprocessed. This is important in aiding in cleaning the data and make it into a good format that will be easy for Analysis. The preprocessing tasks include:
• Data Normalization: Making sure that the data collected from different source such as network, system and user is in a similar range. For example, the process of standardizing the traffic to be as equal as possible throughout the periods.
• Data Preprocessing: Elimination of the records that may be misleading or prevent the detection of the desired result.
• Data Cleansing: This will involve eliminating noise data which could likely cause a false alarm in the respective detection of an anomaly.

3. Feature Extraction
The next step is feature extraction whereby important features to be used in the classification process are selected from the preprocessed data. Attributes are the certain characteristics of the data that define potential frightening characteristics or signs of an attack. These can include:
• Traffic Volumes: It was defined as the total volume of traffic that transits between the users and the cloud repositories.
• Login Frequency: The frequency and location of user login attempts. In the context of cloud services, the former refers to the specific services and resources used by users on a regular basis.
• Cloud deviations: The metric characterizes the fact of increased usage of resources in comparisons with their average consumption, for instance, increased CPU or memory usage may signal about malicious activity. This is aimed at ascertaining geographical location(s) that is/are not characteristic of employees trying to access a specific account.
This makes it easier for machine learning algorithms to analyze all these features and determine their suitability for creating an efficient mobile application.

4. Behavior Profiling and Baseline Creation
In this phase the system first creates the users and systems normal behavior pattern to be monitored. The baseline refers to everyday usage of an environment that can be pertaining to the individual users, device or the whole system within the cloud environment. This is done using:
• Statistical Models: A baseline is then established as a simple predictive model based on the past data of each user/system. This may involve for instance the normal access times, the amount of data traffic which traverses the system on a normal day and the typical loading of the systems.
• Analysis Techniques: There are further analytical approaches like clustering or classification that are used to categorize entities having a behavioral pattern and distinguish a normal user behavior from an unauthorized or malicious one in case of cloud environment.
The baseline is always updated as new data comes, and this means that the current system is able to follow the changing behavior as it gets recorded.

5. Real-Time Anomaly Detection
The heart of the system is to detect anomalous behavior in animal populations on the farm in real-time. After defining the baseline behavior, the system starts permanently analyzing newly arrived elementary data (e.g., network traffic, users’ activities) and comparing them to the baseline. When the incoming data go beyond the baseline for an extended period, it is above or below that expected range then such a data is termed as an outlier. There are the following steps in the anomaly detection process:
• Then, the real-time data feed into the training models for the machine learning that has identified the baseline pattern. This data has to first be compressed and filtered after which classification techniques like the decision trees, support vector machines, or even the neural networks can be used to classify the set data as either normal or anomalous.
• Anomaly Scouting: The new read data item is assigned an anomaly value which is the difference from a normal value. This implies that it is easier to predict the occurrence of malicious or abnormal activity since the scores above have high chances of being associated with it.
• Thresholding: if value of the anomaly score surpasses some predetermined value, the system sends an alert and notifies the user that it is probably experiencing the signs of security violation.

6. Threat Classification
After identifying an anomaly the incidence potential is determined depending on the characteristics of the detected anomaly. This step is critical in the identification of the difference between normal fluctuations (normal processes such as the updates and maintenance, user behavior) and normal and abnormal events (for instance, a break in or intrusion into the system or data leakage).
• Machine Learning Classification: Through the use of supervised learning, the system came up with classifications of the anomalous events into possibilities, for example, “insider threat,” “external attack”, or “suspicious activity.”
• Prediction: It also encompasses the context factors such as time of the day; roles of the user to cut down on false positives as well as improve the accuracy of classification.

7. Real-Time Response and Mitigation
If the threat is fully identified and categorized, it is possible to respond to the threat in real-time to eliminate risks. Responses can include:
• Suspension of Access: If there is any intrusion or possible threat to violate certain elements of the cloud computing, the system can suspend or lock the problematic user or even the cloud segment in question.
• Alert Generation: The alert for security administrators contains information about the threat and its type of threat as well as the action to be taken.
• Mitigation Actions: Upon analyzing the threats identified by the system, mitigation actions can be taken to enhance detection as well as the response to a future threat.

8. Continuous Learning and Model Update
Another favorable aspect of a teaching system under consideration is an ability to learn. Moreover, the given system has provisions that adapt machine learning models to the real data and feedback from the field to improve the system as new attacks unfold and as the user behavior changes. This process includes:
• Updating of models: The system updates its models using new data to enhance the training since new threats are produced frequently.
• model fine-tuning: depending on the assessment of the threat and its reaction recognition, the system refines detection models, aiming at the better accuracy, fewer false alarms, new cloud profile configurations, and end-users’ behaviors.

This invention discusses the detailed architecture of this system, which comprises a number of steps to protect cloud computing environments through Application of Machine Learning in Intrusion Detection Systems. The functionality guarantees the ability to detect pertinent threats in environments within and around clouds as well as protect from both traditional and new-age threats. Self-improving features make the system have a long-term sustainability to accommodate for new methods of hacks and scams.

Figure 1. Methodology of the Adaptive Machine Learning-Based Intrusion Detection System.

7. Result (Include tables, Graphs and etc..)
The Result section of the patent describes the outcomes and performance metrics of the proposed Adaptive Machine Learning-Based Intrusion Detection System for Cloud Security with Real-Time Anomaly Detection and Behavior Profiling. This section also include information of types of cyber threats that the system will be able to identify, its capacity, versatility, and contribution to cloud security. It is usually presented in terms of performance indices, graphical illustrations, tabular form and with other IDS to justify the effectiveness of the proposed system.
In other words, in order to show that the proposed IDS based on adaptive machine learning works effectively, the outcomes of the detection rate, false positives, and speed of the new IDS may be compared to other known IDS types, for example, signature-based IDS and anomaly-based IDS. This is how the results may best be formatted in tables and graphs as follows.

Table 1: Performance Comparison with Traditional IDS
Metric Signature-Based IDS Anomaly-Based IDS Proposed System
True Positive Rate 85% 90% 95%
False Positive Rate 5% 10% 3%
Precision 83% 88% 94%
Recall 82% 87% 92%
F1-Score 82.50% 88% 93%
Accuracy 90% 88% 96%
Processing Speed Medium Slow Fast

Figure 2. Performance Comparison.

Table 1 and figure 2 highlights some of the main parameters for evaluation of Signature-Based IDS, Anomaly-Based IDS and Proposed System. On True Positive Rate analysis, it can be seen that Proposed System capture[s] the highest intrusion detect rate at 95% compared to Signature-Based IDS which [is] at 85% and Anomaly Based IDS at 90%. Looking at this particular aspect, the Proposed System has a 3% False Positive Rate which is better than that of Anomaly-Based IDS which was at 10% and is a equal to that of the Signature-Based IDS which was also at 5%. The Performance Evaluation of the Proposed System shows that the values of the Precision and Recall are higher at 94% and 92% respectively as opposed to Signature-Based IDS and Anomaly-Based IDS which has 83% and 82% for Signature-Based IDS while 88% and 87% for Anomaly-Based IDS respectively. The F1-Score of the proposed System is 93% which is better than the two other IDS’s; Signature-Based IDS – 82.5% & Anomaly-Based IDS – 88%. The new system of Proposed System is scores 96%, whereas IDS with signature based and IDS with anomaly based has scores 90% and 88% only. Last but not the least, concerning the aspect of Processing Speed, the Proposed System takes shortest time for the processing of every packet of data as it provides the shortest Mean Time between detection of Anomalous Traffic and the True Positive while the Anomaly-Based IDS and the Signature-Based IDS have relatively longer time to process and detect an anomalous traffic consecutively. According to the above analysis, it conveys that the Proposed System excels in threat detection by producing higher precision, accuracy, and efficiency.

Table 2: Real-Time Detection Latency
Cloud Environment Signature-Based IDS Anomaly-Based IDS Proposed System
Small Cloud (1000 users) 200 ms 350 ms 150 ms
Medium Cloud (5000 users) 400 ms 550 ms 250 ms
Large Cloud (10,000 users) 600 ms 900 ms 400 ms

Figure 3. Realtime Detection Latency.

Table 2 and figure 3 compares the real-time detection latency across different cloud environments (Small, Medium, and Large Cloud) for Signature-Based IDS, Anomaly-Based IDS, and the Proposed System. Based on the Usability metrics, the Proposed System has the least latency of only 150 for Small Cloud with 1000 users, and surpasses both the latency of Signature-Based IDS which is 200 and Anomaly-Based IDS with latency of 350. In the Medium Cloud with 5000 users, thus the Proposed System has small latency of 250ms, whereas Signature-Based IDS has 400ms and Anomaly-Based IDS has 550ms. This means that the Proposed System in the Large Cloud environment suffices the user requirements with a low latency level at 400 ms contrary to the high latencies of 600 ms realized by Signature-Based IDS and 900 ms of Anomaly-Based IDS. This shows that Proposed System takes much less time in terms of real time detection as compared to Actual System in large cloud environments which again proves that the Proposed System is more competent and efficient than the Actual System when cloud size increases.

These results indicate that the current work is far superior to the existing systems in respect of TPR, precision, and accuracy, and rivals the existing systems with reference to FPR and processing speed. It is evident that the F1-score also gives better overall performance, and that means that the system can detect relevant items as well as avoid raising too many false alarms.

It keeps low latency in real-time detection as compared to the other existing methods in the various cloud sizes and stands out better with the increase in cloud size. This proves that the system can also be well adapted and well performed in huge cloud platforms.

8. DISCUSSION
The use of machine learning for the new cloud security system to detect real-time intrusions and adjust to the user’s behavioral patterns has several benefits compared to traditional approaches to intrusion detection. In this regard, the proposed system is more accurate, adaptive and scalable in identifying the anomalous activity in cloud environment with the help of machine learning and real-time anomaly detection. As illustrated in the previous section, the system performs well in identifying known and unknown threats,with low susceptibility to false positive, and rapid speed, even as the cloud resources grow.

• Superior Detection Accuracy: The performance comparison shows that the proposed system has better performance as compared to the other system such as S-BID and A-BID in different measure such as TPR, Precision, Recall, and Accuracy. A traditional pattern detection system offers a high capability in identifying known attacks but lacks when it comes to the new one or the changing ones. That is why such a system is effective in detecting hitherto unknown threats using the historical data and can learn in real-time in cloud environments, including dynamic and unpredictable changes. This makes the system be on standby for not only known threats but also for new APTs or the zero-day attacks.
• Minimization of False Positives: Some of the other advantages that can be accrue from the current invention include; The proposed system also has minimal chances of giving false alarms. From the results it is clear that False Positive Rate in proposed system is much less (3% approximately) to that of Signature Based IDS (5%) and Anomaly Based IDS (approx 10%). False positivism, as aforementioned, means that an alarm will be raised when there is no genuine violation actually taking place; this interferences with the normal running of activities while pointing resources at unreal threats, which must be looked into. It is worth noting that enhanced instance of machine learning and behavior profiling makes it easier for the proposed system to differentiate between legitimate and suspicious user activities, hence averted by minimizing false alarm incidences while achieving maximum threat seçenek.
• Real-Time Performance and Scalability: The real-time detection latency and system response time of the proposed system is good. As illustrated in the latency charts, it calibrates over the conventional approaches to showing better results for the proposed system in all the three deployed cloud models: Small Cloud, Medium Cloud, Large Cloud. It has low latency even with the explosion of more cloud resource instances, and as such, is very scalable. This is extremely important for the cloud platforms as the size of data and number of users, and resources in the cloud can increase dramatically. This means that, from the aspect of the detection latency, the ability of the system to quickly identify threats is an awesome factor that helps in preventing damages as much as possible.
• Adaptability to Evolving Cloud Environments: Cloud security thus faces multiple problems where one of the most striking is the dynamic nature of both the cloud environment and threats. Indeed, It is expected that construction of different cloud structures are dynamic since users, applications, and services are created or transformed periodically. Typically, with such changes in computers networks, traditional intrusion detection systems are unable to deal with them since they need to be updated or reconfigured. The proposed system, however, is going to be smart system, this means that the system will learn from new behaviors and data on their own without the help of the DM. This self-learning capability means that the system is sustainable in its operation as the cloud changes to improve its efficiency since it does not require frequent updates and reprogramming.
• Improved Processing Speed: Besides the high accuracy and flexibility, the proposed system also achieves higher processing times of system activities than the Signature-Based IDS and Anomaly-Based IDS. This is a desirable trait because cloud environments have huge throughput and high-speed information processing of high accuracy is an essential requirement. Due to the effectiveness of the proposed system in large-scale cloud environments, the implementation of the system can be more realistic in large-scale enterprises and service providers who want to protect their cloud architectures in a more complex network environment without affecting the efficiency.

9. CONCLUSION
The two broad areas of cloud security, real-time anomaly detection and behavior profiling with the proposed new adaptive machine learning-based IDS reveal a promising approach containing enhancement over the traditional mediums in form of IDS in terms of performance and adaptability. This system employs the most recent machine learning libraries and real-time values analysis and behavior assessment to provide efficient and effective security for cloud platforms. In this way, by utilizing historical data, as well as the possibility to update the model and learn from new data online, the system is capable of accurately predicting new as well as already known threats with a minimum of false positives, and also to respond in a reasonable amount of time despite the extent of the cloud infrastructure.

The results shown in the paper prove that the presented system is more efficient than Signature-Based IDS and Anomaly-Based IDS in such criteria as True Positive Rate, Precision, Recall, F1-Score, and Accuracy. In addition, the real-time detection latency and response time of the system are much better than those of the traditional systems making the system to be highly efficient for large and dynamic cloud environment. There is no doubt that this systems’ flexibility and versatility recommend it to organisations, which implement their applications and data in the cloud environment, and fight against different kinds of growing cyber threats.

All in all, the adaptive machine learning-based intrusion detection system proposed in this paper is a powerful and efficient method that possesses high speed, high accuracy, and self-adaptation to protect cloud computing systems. This is due to the feature that allows the program to learn from the new data, avoid false alarms and detect new threats in real time which makes it secure our future. With the extension of cloud environments and types it also supplies an essential toolkit for sustaining secure cloud environments as well as key principles for creating proper knowledge about imperious information targets, to allow organizations to establish proper secure, solid, and tenacious cloud settings.
, Claims:. CLAIMS
1. Features of an adaptive-machine learning System: An intrusion detection system (IDS) for cloud security involves the following elements:
• A gathering of data acquisition tool which is used for network traffic, system log data, behavior data and cloud infrastructure data.
• An essential module in the data pre-processing layer to correct the sort of noises observed in the acquired data.
• A feature extraction module that incorporates techniques of analyzing the behavioral data and extracting the all important features for defining the behavior of the user.
• A behavior profiling module that generates predefined behavior standards of users as well as systems from past usage patterns.
• Anomaly score risking-based module that involves analyzing of received real-time data against baseline data profiles.
• A threat classification module that categorizes the identified threats into threat classes for instance; “suspicious threat,” “malicious threat,” or “benign threat”.
• A response segment that involves avenues of automatically triggering a notification generation system, blacklisting/blocking users or resources and more as the threats are identified.
• Training that occurs in a cycle where behavior profiles, as well as detection models, are modified according to incoming flow of information.
2. The system of any one of the previous claims, the real-time anomaly detection module uses machine learning algorithms including but not limited to decision trees, support vector machines or deep learning models that categorize data as normal or anomalous data.
3. The continuous learning module of the system of the claim 1 is that the system instantaneously modifies its detection models and behavior profiles without requiring user interaction, making it possible for the system to change according to changes in users or how the cloud operates in the long run.
4. According to the first aspect of the invention, the feature extraction module comprises extracting features related to network traffic load, user log-in time, usage, access frequency, and geographical location of user’s activity.
5. The system as provided in claim 1 includes real-time alarms that to the security administrators about any threat identified by the system and the details of type of threat and possible actions to take to counteract the threat identified.
6. The system of claim 1 incorporates the behavior profiling module that helps to create individual and device models for particular users and cloud setup with the opportunity to modify these models as people and cloud arrangements change over time.
7. The system in accordance with any of the preceding claims, where the systems capabilities include low detection latency, resulting in nearly instant threat detection and control, even in the large cloud environments encompassing thousands of users and resources.
8. In the detection of the mentioned anomalies, the response module may perform automatic actions like the locking of unauthorized access, seclusion of the compromised cloud resources, and release of the access revocation instructions.
9. A method for detecting intrusions in a cloud environment with the use of the adaptive machine learning based intrusion detection system as set out in Claim 1, consisting of:
• Acquiring service- and time-specific information about the user interactions, network activity, or system logs.
• Cleaning the collected data and converting the data into a form that is easy for analysis.
• The development of user and system behavior profile from the data required to build the identification model.
• Using the recognized baseline profiles about a subject or object as a reference point to determine which new data incoming in the system are unusual.
• Identifying the categorisation of the recognized anomalies based on set criteria or with the help of machine learning algorithms.
• Carrying out of real-time responses involving the issuing of an alert and taking action on the detected anomalies.
10. A tangible computer product in which instructions for performing the steps of data acquisition, data preprocessing, feature extraction, anomaly detection, threat categorization, and the execution of response in the adaptive machine learning-based intrusion detection system for the provision of cloud security are contained.