Evidence Detection in Cloud Forensics: Classifying Cyber-Attacks in IaaS Environments using machine learning

Introduction: Cloud computing is considered a remarkable paradigm shift in Information Technology (IT), offering scalable and virtualized resources to end users at a low cost in terms of infrastructure and maintenance. These resources offer an exceptional degree of flexibility and adhere to established standards, formats, and networking protocols while being managed by several management entities. However, the existence of flaws and vulnerabilities in underlying technology and outdated protocols opens the door for malicious network attacks. Methods: This study addresses these vulnerabilities by introducing a method for classifying attacks in Infrastructure as a Service (IaaS) cloud environments, utilizing machine learning methodologies within a digital forensics framework. Various machine learning algorithms are employed to automatically identify and categorize cyber-attacks based on metrics related to process performance. The dataset is divided into three distinct categories—CPU usage, memory usage, and disk usage—to assess each category’s impact on the detection of attacks within cloud computing systems. Results: Decision Tree and Neural Network models are recommended for analyzing disk-related features due to their superior performance in detecting attacks with an accuracy of 90% and 87.9%, respectively. Neural Network is deemed more suitable for identifying CPU behavior, achieving an accuracy of 86.2%. For memory-related features, K-Nearest Neighbor (KNN) demonstrates the best False Negative Rate (FNR) value of 1.8%. Discussion: Our study highlights the significance of customizing the selection of classifiers based on the specific system feature and the intended focus of detection. By tailoring machine learning models to particular system features, the detection of malicious activities in IaaS cloud environments can be enhanced, offering practical insights into effective attack classification.