Adaptive Intrusion Detection in Cloud Environments Using Change Point Analysis and Unsupervised Feature Monitoring


Abdulaziz Aldribi

Abstract

Securing virtualized infrastructures is a critical challenge in cloud computing because of dynamic resource allocation and increasingly sophisticated cyberattacks. Traditional intrusion detection systems (IDS) often fall short of cloud-specific requirements such as scalability, elasticity, and diverse attack vectors. This work introduces CloudIDS, an intrusion detection system tailored to cloud environments. CloudIDS applies Principal Component Analysis (PCA) to extract key features from network traffic and then applies Change Point Models (CPMs) built on the Mann-Whitney and Cramér-von Mises statistics to detect abrupt shifts in network behavior that indicate attacks.


Two Riemannian sliding-window algorithms, chunking and rolling, enable the detection of stable and transient patterns in virtual machine (VM) traffic. Experiments on the ISOT-CID dataset, which covers several attack types (scanning, dictionary attacks, reconnaissance, and denial-of-service), show that CloudIDS achieves high detection accuracy with lower detection delay than conventional methods. Parameter tuning, in particular of the in-control average run length (ARL0) and the startup length, reveals a trade-off between detection delay and false-positive rate. An ablation study further confirms the contribution of PCA feature extraction and Riemannian windowing to the reported performance.
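As an added worked example (not the paper's code and not derived from the ISOT-CID release), the following Python sketches the detection core described in the two paragraphs above: a Mann-Whitney change point statistic evaluated over every split of a sliding window, 'rolling' and 'chunking' window modes, and a Monte Carlo estimate of ARL0 for a given alarm threshold. It makes several assumptions the abstract does not settle: the input is a single constructed connections-per-second feature standing in for the PCA output; 'rolling' is read as testing the latest W observations at every step and 'chunking' as testing disjoint blocks of W observations; the Cramér-von Mises variant and the Riemannian treatment of the windows are not implemented; and the threshold is a constant calibrated by simulation rather than the per-step threshold sequence a full CPM implementation would use. All identifiers (RankChangePointMonitor, detect_flood, estimate_arl0 and the rest) are hypothetical names chosen for this example.

```python
# Added example (not the paper's code): rank-based streaming change point
# monitor in the CPM style, with 'rolling' and 'chunking' windows and a
# Monte Carlo ARL0 estimate. Names, parameters and data are assumptions.
from __future__ import annotations

import math
import random
from collections import deque


def _average_ranks(values: list[float]) -> list[float]:
    """1-based ranks; tied values share the average of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for t in range(i, j + 1):  # positions i..j hold ranks i+1..j+1
            ranks[order[t]] = (i + j + 2) / 2.0
        i = j + 1
    return ranks


def max_mann_whitney_z(values: list[float], min_side: int) -> tuple[float, int]:
    """Largest |standardised Mann-Whitney U| over all splits leaving at least
    min_side points per side; returns (|z|, k), the first k points being the
    'before' sample. The tie correction of the variance is omitted."""
    n, ranks = len(values), _average_ranks(values)
    best_z, best_k, rank_sum_before = 0.0, 0, 0.0
    for k in range(1, n):
        rank_sum_before += ranks[k - 1]
        m = n - k
        if k < min_side or m < min_side:
            continue
        u = rank_sum_before - k * (k + 1) / 2.0
        z = abs(u - k * m / 2.0) / math.sqrt(k * m * (n + 1) / 12.0)
        if z > best_z:
            best_z, best_k = z, k
    return best_z, best_k


class RankChangePointMonitor:
    """'rolling' tests the latest `window` points at every step after `startup`
    points; 'chunking' tests each disjoint block of `window` points once, when
    it fills (this reading of the two modes is an assumption). Alarms flush."""

    def __init__(self, threshold: float, window: int = 60, startup: int = 20,
                 min_side: int = 5, mode: str = "rolling") -> None:
        if mode not in ("rolling", "chunking"):
            raise ValueError(f"unknown mode {mode!r}")
        self.threshold, self.window, self.startup = threshold, window, startup
        self.min_side, self.mode = min_side, mode
        self.buf: deque[float] = deque(maxlen=window)

    def update(self, x: float) -> tuple[bool, float]:
        """Feed one observation; return (alarm, statistic for this step)."""
        self.buf.append(x)
        n = len(self.buf)
        if n < self.startup or (self.mode == "chunking" and n < self.window):
            return False, 0.0
        z, _ = max_mann_whitney_z(list(self.buf), self.min_side)
        alarm = z > self.threshold
        if alarm or self.mode == "chunking":
            self.buf.clear()  # restart monitoring, as a CPM does after an alarm
        return alarm, z


def first_alarm(series: list[float], monitor: RankChangePointMonitor) -> int | None:
    """0-based index of the first observation that raises an alarm, else None."""
    for i, x in enumerate(series):
        if monitor.update(x)[0]:
            return i
    return None


def estimate_arl0(threshold: float, trials: int = 25, horizon: int = 300,
                  seed: int = 7, **monitor_kw) -> float:
    """Monte Carlo ARL0: mean steps to the first false alarm on in-control
    N(0,1) noise, censored at `horizon`. A higher threshold raises ARL0 at the
    cost of detection delay, the trade-off the abstract describes."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        stream = [rng.gauss(0.0, 1.0) for _ in range(horizon)]
        hit = first_alarm(stream, RankChangePointMonitor(threshold, **monitor_kw))
        total += horizon if hit is None else hit + 1
    return total / trials


# Constructed feature (not ISOT-CID data): connections/sec for one VM, 40 s of
# normal traffic followed by a 20 s connection flood, standing in for the
# paper's PCA-derived feature.
_rng = random.Random(1)
ATTACK_START = 40
CONNECTIONS_PER_SEC = ([20 + _rng.gauss(0.0, 2.0) for _ in range(ATTACK_START)]
                       + [120 + _rng.gauss(0.0, 10.0) for _ in range(20)])


def detect_flood(mode: str, threshold: float, window: int = 60) -> int | None:
    """Run one monitor over the constructed series; return the alarm index."""
    mon = RankChangePointMonitor(threshold, window, startup=20, min_side=5, mode=mode)
    return first_alarm(CONNECTIONS_PER_SEC, mon)
```

On the constructed series, the rolling monitor at threshold 5 raises its alarm within about ten observations of the flood onset at t = 40, whereas a 30-observation chunk whose boundary straddles the onset never crosses the same threshold: the second block mixes 10 normal with 20 attack observations, and for n = 30 the statistic cannot exceed roughly 4.67 even under perfect separation. The same chunking monitor with a 60-observation block alarms at t = 59, once the block fills. Raising the threshold lengthens the estimated ARL0 and delays detection, which is the parameter trade-off the abstract refers to.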


CloudIDS presents a flexible, adaptive solution for intrusion detection in cloud environments. Future work will focus on integrating real-time monitoring, reinforcement learning-based adaptation, and contextual metadata to further improve detection accuracy.
