Received January 4, 2021, accepted January 12, 2021, date of publication January 25, 2021, date of current version

February 5, 2021.
Digital Object Identifier 10.1109/ACCESS.2021.3054129

Machine Learning for Cloud Security:

A Systematic Review
ALI BOU NASSIF 1 , MANAR ABU TALIB2 , QASSIM NASIR3 , HALAH ALBADANI 2,

AND FATIMA MOHAMAD DAKALBAB 2

1 Department of Computer Engineering, University of Sharjah, Sharjah, United Arab Emirates
2 Department of Computer Science, University of Sharjah, Sharjah, United Arab Emirates
3 Department of Electrical Engineering, University of Sharjah, Sharjah, United Arab Emirates

Corresponding author: Ali Bou Nassif ([email protected])

This work was supported by the OpenUAE Research and Development Group, University of Sharjah.

ABSTRACT The popularity and usage of Cloud computing is increasing rapidly. Several companies are
investing in this field either for their own use or to provide it as a service for others. One of the results of
Cloud development is the emergence of various security problems for both industry and consumer. One of
the ways to secure Cloud is by using Machine Learning (ML). ML techniques have been used in various ways
to prevent or detect attacks and security gaps on the Cloud. In this paper, we provide a Systematic Literature
Review (SLR) of ML and Cloud security methodologies and techniques. We analyzed 63 relevant studies
and the results of the SLR are categorized into three main research areas: (i) the different types of Cloud
security threats, (ii) ML techniques used, and (iii) the performance outcomes. We have defined 11 Cloud
security areas. Moreover, distributed denial-of-service (DDoS) and data privacy are the most common
Cloud security areas, with a 16% level of use and 14%respectively. On the other hand, we found 30 ML
techniques used, some used hybrid and others as standalone. The most popular ML used is SVM in both
hybrid and standalone models. Furthermore, 60% of the papers compared their models with other models to
prove the efficiency of their proposed model. Moreover, 13 different evaluation metrics were enumerated.
The most applied metric is true positive rate and least used is training time. Lastly, from 20 datasets found,
KDD and KDD CUP’99 are the most used among relevant studies.

INDEX TERMS Cloud security, machine learning, DDos, privacy, security.

I. INTRODUCTION Cloud infrastructure runs through standard Internet protocols

Cloud computing is a technological advance that offers the and uses virtualization techniques, it may be vulnerable to
facilities, platform and software of information technology attacks. Those attacks may come from traditional sources
as Internet services [1]. It is considered to be the conversion such as Address Resolution Protocol, IP spoofing, Denial
of a long-lasting dream called ‘‘Computing for Use’’ and it is of Service (DoS) etc., [8], [9]. They may also come from
being gradually embraced by organizations as private, public other sources. Zero-day attacks, for example, referred to as
or hybrid Clouds [2]–[4]. Its main objective is to let users use unknown attacks, are seen as a significant challenge in the
and pay for what they want, promising on-demand services cyber security domain [10]. Traditional techniques used for
for their software or infrastructure needs [5]–[7] detection and prevention are not efficient enough to handle
Although Cloud computing is seen as a significant and those attacks while also dealing with a large data flow.
positive IT infrastructure shift, much security work is still Machine Learning (ML) techniques are very helpful for
needed to minimize its deficiencies. Since a significant identifying attacks, whether traditional or zero-day attacks.
amount of personal and corporate information is placed in Machine learning includes a series of algorithms that can
the Cloud data centers, those Cloud security issues and vul- learn patterns from data and predict accordingly [11].
nerabilities need to be identified and prevented. Because ML combines computer science and statistics to enhance the
prediction [11]. ML comprises three main types of learn-
The associate editor coordinating the review of this manuscript and ing, supervised, unsupervised and semi-supervised [12], [13].
approving it for publication was Inês Domingues . Supervised machine learning depends on classified data that

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 9, 2021 20717
 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

are trained to build the classification model. Unsupervised tenancy, vulnerabilities in Internet protocol, unauthorized
learning algorithms enable training a model without guid- access to management interface, injection vulnerabilities, and
ance [11]. There are different algorithms for each, such vulnerabilities in browsers and APIs [26], [29]. Those vulner-
as Nearest Neighbor, Naïve Bayes, Decision Trees, Linear abilities pose consequent effects, such as allowing network
Regression, Support Vector Machines (SVM). . . etc. K-means attacks, giving access control to intruders, allowing unau-
clustering is an example of unsupervised algorithms. Deep thorized service access and disclosure of private data. All
Learning (DL) enables multi-layered computing models to of these vulnerabilities expose Cloud to threats, directly or
learn data depictions with various abstraction levels [14]. indirectly, such as with business. Some of these threats are
It has achieved significant improvements in multiple appli- (i) the changes to a business model which can hinder the
cations such as image analysis, speech recognition and text usage of Cloud computing services, (ii) abusive use of Cloud
recognition [15]. computing, (iii) insecure interfaces and API, (iv) malicious
The main objective of this study is to conduct a systematic insiders, (v) data loss and leakage, (vi) service hijacking,
review of the ML techniques used to solve, detect or prevent and (vii) unknown risk profile.
Cloud security issues and vulnerabilities. In order to protect the Cloud from those threats and prevent
Despite the large number of research studies conducted any damage, the attacks that can be launched need to be
on Cloud security using machine learning, to the best of our identified and understood. The attacks most often discussed
knowledge, there are very few Systematic Reviews on this in Cloud computing [23], [26], [29] are the following:
topic. For our study, research papers were carefully collected Denial of Service (DoS) attack: is an attempt to
and selected with regards to: (I) the ML techniques used for affect service availability for users. Distributed Denial of
Cloud security, (II) the security areas that ML techniques are Services (DDoS) is used to launch DoS using multiple
used for, and (III) the estimation and accuracy of the ML computers.
techniques used. Zombie attack: when an attacker floods the victim
The remainder of this study is divided into five sections: with requests from innocent hosts in the network. Such an
Section II provides the literature review. The methodology for assault interrupts Cloud’s anticipated behavior, influencing
conducting this review is described in Section III. The find- the accessibility of Cloud services.
ings and results are listed in Section IV. Section V addresses Phishing attack: is an attempt to manipulate and gain
the limitations of this review, while Section VI includes dis- personal information from innocent people by redirecting
cussion and suggestions for future work. them to a false link. At Cloud, an attacker may be hosting
a Cloud service to hide the accounts and services of other
II. LITERATURE REVIEW Cloud users via a phishing attack site.
A. CLOUD COMPUTING SECURITY Man-in-the Middle attack: where an attacker is able
In this section, we discuss the security and privacy issues that to access the communication path between two users.
currently exist in Cloud computing. Cloud computing itself is An intruder can access information interactions between data
a very broad field, because it transmits and hosts its facilities centers in the Cloud
on the Internet. It provides services to meet the needs of the There are other attacks such as Cloud malware injec-
clients and charges accordingly [21]. This makes the Cloud tion attack, breach of confidentiality, authentication attacks,
crucial as people start to depend on it and organizations can attacks on virtualization, etc.
now hire a Cloud service easily.
According to Khorshed et al. [1], gaps in Cloud computing B. ATTACK DETECTION FOR CLOUD COMPUTING USING
are defined as the trust issues between customers and Cloud MACHINE LEARNING TECHNIQUES
providers, where customers fear policies that are hidden from From the papers we have collected, we noticed that ML is
them. On the other hand, Cloud providers are afraid that used in many ways for Cloud attack detection. One of the
customers might take advantage and conduct attacks using main ways is traditional detection, where it detects and alerts
their Cloud services. The main determinants of the selection users when an attack happens. Another detection approach is
of a Cloud provider are the expectations of their organi- preventing the attack before it happens by checking the Cloud
zations and what facilities they will obtain from a specific security itself for any gaps or vulnerabilities.
provider. Vulnerabilities, according to Modi et al. [26], are Table 1 represents related work or surveys/reviews con-
defined as Cloud safety loopholes, which an opponent can ducted on cloud security issues or ML techniques used for
use to obtain access to the network and other infrastructure cloud security. It shows the paper title and year it was pub-
resources. A Cloud threat is a possible negative occurrence lished, describes what the paper discusses, and notes the
that can be malicious or incidental [26]. An attack involves a difference between our review and the paper.
Cloud resource damage activity, and a vulnerability exploita- The papers above include cloud security issues and some of
tion may influence the accessibility of Cloud computing and them include ML techniques. However, they either limit the
financial benefits [26]. research to one or two cloud security issues or do not include
Major vulnerabilities in Cloud computing that can pose ML techniques at all. Our research reviews cloud security that
serious threats are vulnerabilities in virtualization/multi uses ML techniques in their research up to the present date.

20718 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 1. Literature review: Survey papers that discussed similar topics as our paper and the difference between our work and their work.

Our systematic review differs from those described above study differs in several aspects from the related work listed
as we present a comprehensive cloud security research study in Table 1, such as:
with machine learning techniques. Moreover, to the best of 1. Review machine learning techniques, the types of
our knowledge there is no systematic literature review that the models and whether the model is hybrid or
covers the same areas our review provides. Adding more, our standalone.

VOLUME 9, 2021 20719

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

2. Precision comparison of the advantages and disadvan- • Springer Online

tages of each technique. • Scopus
3. A comprehensive cloud security analysis of the issues • IEEE Xplore
in this area. In this review, 63 publications were used, based on our
4. Present the highest precision values in terms of security inclusion / exclusion criteria; 24 of them are Journal papers
area. and 36 are conference papers.
5. It covers the very recent period from 2004 to 2019.
C. STUDY SELECTION
III. METHODOLOGY We originally obtained 230 search studies based on the
In this review, we conducted a systematic review based specific search conditions. The authors carried out further
on Kitchenham’s and Charters’ methodology [30]. Their filtration to guarantee that only appropriate documents were
methodologies divide the process into several phases, and included in this review as shown in Table 2.
each phase includes several stages. These phases are plan-
ning, conducting and finally reporting. TABLE 2. Inclusion and exclusion criteria.
The following sections illustrate the review protocol that
this paper followed.

A. RESEARCH QUESTIONS
This SLR aims to summarize and clarify the Machine Learn-
ing (ML) techniques and implementations that were used in
Cloud security from 2004 to 2019 inclusive. Towards this end,
the following three research questions (RQs) are raised:
RQ1: Which Cloud security areas are addressed by this
review?
RQ1 addresses the Cloud security areas that are explored
in the collected papers, including the categories, number of
studies and whether they are conference papers or journal
papers.
RQ2: Which machine learning algorithms are used in D. QUALITY ASSESSMENT RULES (QARs)
Cloud computing security? The last stage in identifying the final list of articles included
RQ2 addresses machine learning model type, analysis type in this review was the application of quality assessment rules.
and features used in the collected papers. This RQs analyzes We developed six QARs to determine the quality and rele-
the common features among the studies. vancy of the articles to our research, where each QAR is worth
RQ3: What is the overall estimation and accuracy of 1 mark out of 10. Each QAR score is assigned as follows:
machine learning models? ‘‘fully answered’’ = 1, ‘‘above average’’ = 0.75, ‘‘aver-
RQ3 focuses in four aspects of estimation accuracy found age’’ = 0.5, ‘‘below average’’ = 0.25, ‘‘not answered’’ = 0.
on the papers that mention them: the accuracy metric, accu- The total value of all 6 QARs is the overall score of each
racy value, data set of construction, and model validation paper. A rating of less than 3 implies that this review has not
methods. It compares these aspects with the other papers. included the document. The following QARs were used:
1. Are the objectives of the study clearly stated in the
B. SEARCH STRATEGY article?
This section of the paper presents on the following: 2. Is the paper well-structured?
The main search terms from the research question are 3. Does the article provide appropriate background infor-
identified. mation?
New terms have been defined to substitute for main terms 4. Is the specific area of Cloud security clearly defined?
To make search results more relevant, Boolean logic is 5. Are machine learning techniques explained in enough
added in the form of search operators. (AND, OR, quotations, detail?
parentheses) 6. Are the outcomes and conclusions of the experiment
We used search terms that are related to Cloud Secu- clearly reported?
rity and Machine learning, such as ‘‘Cloud security’’ AND Accordingly, we got 63 relevant papers with a quality score
‘‘(Machine learning’’ OR ‘‘ML’’). higher than or equal to 3. The quality scores of these studies
Survey resources are presented in the Appendix B.
In the search for the necessary research papers, the follow-
ing digital libraries were used: E. DATA EXTRACTION STRATEGY
• Google Scholar This step aims to provide a semi-structured response to the
• ACM Digital Library research questions for each article. The following data is

20720 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

obtained from every article: paper number, paper title, pub- TABLE 4. Papers that discusses anomaly detection security aspect in
cloud.
lication year, publication type, domain, RQ1, RQ2 and RQ3.
It should be noted that not all articles addressed all research
questions.

F. SYNTHESIS OF EXTRACTED DATA

In order to synthesize the data derived from the selected
papers, we use different methods to extract evidence to
address the RQs. This explains in detail the synthesis
procedure we adopted:
• RQ1 and RQ2: narrative synthesis method is used to
tabulate extracted information according to RQ1 and
RQ2.
• RQ3: for quantitative data extraction, we use binary
outcomes to calculate the results of RQ3.
One of the top Cloud security area discussed in our sample
IV. RESULTS AND DISCUSSION of papers is data privacy. Security and privacy are the biggest
For each RQ, the outcomes of this SLR will be provided and challenges for both clients and Cloud service providers, since
addressed in the following subsections. Appendix A shows many confidential and sensitive data are stored in the Cloud
all papers collected with their IDs and titles. that can be of value to an attacker [31].
Murakami et al. [32] propose a system that encrypts a
A. RQ1: CLOUD SECURITY AREAS secret message that is embedded into an image file by using
From the 63 papers we have collected, we deduce that a dynamically generated morphing image based steganogra-
11 Cloud security issues are addressed and researched. These phy technique. This method ensures the security of the data
are: anomaly detection, attack detection, confidentiality of because human beings cannot perceive the image hiding the
data, data privacy, DoS, DDoS, intrusion detection (ID), message internally.
malware, privacy preservation, security and vulnerability Another paper that is about encrypting Cloud data is by
detection. Wang et al. [33]. However, this paper uses another approach
Table 3 shows the number of research papers in each cloud where users encrypt their data using their own key and store
security area and the frequency of the area, as well as the the data in the Cloud so that they can securely access and
percentage. retrieve them without compromising data privacy. They pro-
pose two efficient schemes, Vitamin+ and Vitamin∗ .
TABLE 3. Cloud security area found from collected research papers. Eskandari et al. [34] focus on the data privacy of geoloca-
tion that is stored and processed in the Cloud. In some specific
compliance situations, knowing and managing the physical
place of information for storing and handling reasons could
be crucial for organizations using Cloud. Therefore, VLOC (a
Verifier for physical LOCation of a virtual machine) a geolo-
cation approach that is able to verify the physical location of
a VM and notify the user if the location is unauthorized—
comes into play. Moreover, it does not rely on a network
of fixed landmarks. The experimental results indicate that
VLOC is accurate enough to be used in practice.
According to Bondada and Bhanu [35], data breach is the
biggest problem in the Cloud, and an insider attack is the
Detection of anomalies involves finding patterns in data worst threat. Hence, they propose an approach using a hot
that do not correspond to anticipated behavior. Anomaly based user profiling technique that analyzes user keystrokes
detection is important because data anomalies are essential to provide authentication to the user. In the case of an abnor-
and often critical information that can be acted on in a broad mality in the behavior, an alarm will be raised and the current
range of applications. We found a total of 6 papers that session in VM will be locked.
cover anomaly detection. However, we noticed that 3 of these The rest of the papers are summarized in Table 5. One
papers cover anomaly detection in user behavior. As shown of the top Cloud security area discussed in our sample of
in Table 4, the first three papers discuss frameworks or papers is data privacy. Security and privacy are the biggest
systems involving anomalies detection in the Cloud. Even challenges for both clients and Cloud service providers, since
though A4-A5 involve research on anomalies, they focused many confidential and sensitive data are stored in the Cloud
on behavior anomalies. that can be of value to an attacker [31].

VOLUME 9, 2021 20721

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

Murakami et al. [32] propose a system that encrypts a TABLE 6. Papers that discusses ID in cloud.
secret message that is embedded into an image file by using
a dynamically generated morphing image based steganogra-
phy technique. This method ensures the security of the data
because human beings cannot perceive the image hiding the
message internally.
Another paper that is about encrypting Cloud data is by
Wang et al. [33]. However, this paper uses another approach
where users encrypt their data using their own key and store
the data in the Cloud so that they can securely access and
retrieve them without compromising data privacy. They pro-
pose two efficient schemes, Vitamin+ and Vitamin∗ .
Eskandari et al. [34] focus on the data privacy of geoloca-
tion that is stored and processed in the Cloud. In some specific
compliance situations, knowing and managing the physical
place of information for storing and handling reasons could
be crucial for organizations using Cloud. Therefore, VLOC
(a Verifier for physical LOCation of a virtual machine)—
a geolocation approach that is able to verify the physical
location of a VM and notify the user if the location is
unauthorized—comes into play. Moreover, it does not rely
on a network of fixed landmarks. The experimental results
indicate that VLOC is accurate enough to be used in practice. given before the data is secured. Different public and private
According to Bondada and Bhanu [35], data breach is keys are needed to provide encryption and decryption [36].
the biggest problem in the Cloud, and an insider attack is Through privacy, we can safely and securely maintain and
the worst threat. Hence, they propose an approach using a communicate information in any channel. six papers cover
hot based user profiling technique that analyzes user key privacy preservation.
strokes to provide authentication to the user. In the case of According to Hesamifard et al. [37], ML algorithms based
an abnormality in the behavior, an alarm will be raised and on deep neural networks are the mainstream in current AI
the current session in VM will be locked. research. However, training the models requires access to raw
The rest of the papers are summarized in Table 5. data that are often privacy sensitive and might create privacy
risks. Hence, they provide a solution that enables parties to
TABLE 5. Papers that discusses data privacy in cloud.
use the service without revealing their sensitive data to other
parties. This is done by applying neural network algorithms
to encrypted data.
A similar problem is presented by Yuan and Yu [38] How-
ever it focuses on back-propagation neural network learning
privacy preserving. In order to enhance the precision of the
learning outcome, multiple parties can cooperate on the union
of their corresponding information sets by undertaking joint
back-propagation neural network learning. Yet none of these
parties wants to disclose their private data to others, so Yuan
solves this problem by having parties encrypt their data pri-
vately and upload them to the Cloud. This enables the Cloud
The fundamental function of IDSs, which calls for elevated to execute the operations pertaining to the learning algorithms
accuracy, low false alarm rates and effectiveness to predict without knowing the original private data.
alarms based on positive or true alarms when intrusion occurs Ma et al. [39] propose a novel privacy preservation deep
and false positive or false alarms in the event of a failure [8]. learning model, named PDLM, to solve privacy issues around
Those can be used to defend the systems from different kind collected data used for deep learning training. The PDLM
of attacks [11] Intrusion, which implies access to the scheme applies deep learning over the data owners’ encrypted data
by force or without consent from anyone, is the biggest threat under multiple keys and uploads the encrypted data to service
to the Internet [11]. Nine of the selected papers take up providers. Service providers and the Cloud platform train the
intrusion detection for Cloud security as seen in Table 6. They model based on the multi-key encrypted data with a privacy
propose or develop techniques and systems to secure Cloud. preservation calculation toolkit.
Privacy plays a main role in the management of many Even though the Wang model [40] is discussed in data
security services. Low tier encryption and decryption are privacy Cloud security, it also covers privacy preserving for

20722 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

online learning. EXPLORER framework offers an additional Earning-Based Secure Information Classification, which
tool for privacy preservation where it provides a high-level classifies information in a way that avoids leaking data that
guarantee for protecting sensitive encrypted information that can be harmful to the institution or its customers. Using
is exchanged between the server and the client. decision tree techniques, the model predicts the potential risks
Table 7 summarizes the rest of the papers in privacy preser- of the data that is shared between institutions, along with
vation area. reducing the chances of privacy leakage.
TABLE 7. Papers that discusses privacy preservation in cloud. To secure password authentication, Omri et al. [46] uses
handwritten recognition to secure access to data in the cloud
on mobile phones. According to their research, biometrics
provides better security than traditional authentication meth-
ods. Their framework is composed of pre-processing, feature
extraction, classification and authentication process.
The issue of the security of medical image analysis over
cloud computing is addressed by Marwan et al. [47]. They
Denial of service attacks (DoS) prevent access to the net- propose a method that alleviates security and privacy con-
work and other resources by lawful customers. Distributed cerns when preforming image analysis using cloud comput-
denial of service (DDoS) is a type of DoS attack, in which ing. Their cloud framework is designed to not reveal hidden
the attacker uses a bunch of remotely controlled comput- medical data to cloud providers. In addition, it secures data
ers for the attack instead of a single machine [41]. A total processing in the cloud environment. The remaining papers
of 13 papers cover this type of security, 3 of them focus on are listed in Table 10.
Dos and the rest on DDos. Although Khorshed et al. [1] presents a survey of gaps
He et al. [41] propose a detection system for DoS attack that slow down cloud adoption at the beginning of the
to prevent attacks on the source side in the Cloud. The paper research, they still propose a solution for attack detection.
analyzes in their framework the statistical features of different Their ‘‘Proactive Attack Detection’’ model is able to detect
kinds of attacks including flooding attacks, spoofing attacks an attack when it starts or during the attack. It also alerts the
and brute-force attacks. Those 3 attacks are the most prevalent customer if the Cloud provider tries to hide attack informa-
DDoS attacks. tion. Testing several popular ML techniques, they found SVM
To protect virtual machine (VM) against Dos attacks in to be the most efficient for their model.
a Cloud environment, Kumar et al. [5] propose a platform Wu et al. [48] on the other hand, propose and analyze
named Eucalyptus. This platform is an intrusion detection attacks in CMS, CyberManufacturing system, which is con-
system that is designed to detect DoS attacks on VMs in the sidered as a blueprint for future manufacturing systems. CMS
Cloud by any external or internal machine in the Internet. has multiple layers, therefore attacks on CMS is enlarged by
According to Chonka et al. [42], two of the major threats the additional layers and Internet connections. As a solution
to Cloud computing are HTTP Denial of Service and XML of detecting malicious attacks, they use ML methods on
Denial of Service. For this, SOTA model (Service-Oriented CMS environment for security and in 3D printers and CNC
Traceback Architectural) is updated to a Cloud model to pro- machines, providing experimental results in the end. The
tect Cloud computing from X_DoS?H-DoS attacks. It traces remaining papers are listed in Table 11.
back to find the source of these attacks and detects them Graepel et al. [49] demonstrate a way to implement con-
though a back propagation neutral network, called Cloud fidentiality of ML training and test data. According to their
Protector. research, encrypting the data before uploading it to the cloud
SDN controller, software defined network, manages the is one way to preserve confidentiality. However, this may
whole system yet is vulnerable to any DDoS attack that will limit the utility of the data. Therefore, the homomorphic
cause paralysis of the entire network. XGBoost [43], extreme Encryption scheme makes it possible to provide confiden-
gradient boosting, is a detection method in SDN based Cloud tiality, by applying polynomial approximations to known ML
that is proven to have a higher accuracy and lower false algorithms.
positive rate than other algorithms. A new system is developed by Vijayakumar and Arun [50]
Modi et al. [44] propose a structure that integrates a that assesses the vulnerabilities on the applications before and
network intrusion detection system (NIDS) into the Cloud after deploying them into the Cloud. The system assesses the
infrastructure to detect and prevent DoS arracks and other online vulnerabilities at regular intervals and checks to see if
malicious activities at the network layer. This is done by there is any change in the structure of the code or the code
monitoring network traffic while sustaining performance and itself in the application.
service quality. The remaining papers are shown in Table 9.
Security is researched in 5 of the selected papers. The B. RQ2: MACHINE LEARNING ALGORITHMS
research of Gai et al. [45] shows concern about privacy Machine learning offers a highly responsive and automated
information leakage among financial service institutions and security solution, and it is used since it solves security prob-
customers. They propose the SEB-SIC model, Supervised lems and handle data in a more effective way. Instead of

VOLUME 9, 2021 20723

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 8. ML models used in each research paper collected.

TABLE 9. Papers that discusses DDoS in cloud. TABLE 11. Papers that discusses attack detection on cloud.

We identified ML algorithms that had been applied by

researchers in Cloud security areas. The list of these algo-
rithms is shown in Table 8.
Out of the 30 ML techniques used, SVM is the most
common.
LS-SVM, One-class SVM and Linear SVM are part of
SVM technique. LS-SVM and One-class SVM have been
used as standalone models. Table 12 shows the hybrid models
used for SVM and other techniques.

TABLE 12. Papers that used hybrid models.

TABLE 10. Papers that discusses security attacks in cloud.

Random Forest was used 8 times in total. Research paper

focusing only on detecting confidential data trends, ML solu- A43 uses C4.5 algorithm, which is part of Random Forest.
tions should use a comprehensive approach to protecting Four papers (A2, A13, A40, A59) used it as a standalone
organizational information across all cloud applications of an model, while 3 out of 6 papers used KNN as a stan-
organization. ML focuses on advancing computer programs dalone model. CKNN is part of KNN that is proposed by
which can find the right rate for their own learning [51]. A52 research and is a standalone model. It is a lightweight

20724 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

method used to detect DDoS attacks. Decision Tree is used

as a standalone method in A26, A44, A51 and A53 research
papers.
Ten models from Table 8 are DL models. DL uses the
backpropagation algorithm to discover complex structures
in large information sets [14]. Neural networks (NN) have
been developed as an important classification tool [52]. Those
models are ANN, DNN, Back Propagation NN, PDLM and
KNN.
According to Table 8, SVM is also the most used technique
in the hybrid models. All hybrid models were found to use
two techniques except A49, which combines 3 techniques to
provide efficient detection speed and mechanism. FIGURE 1. Performance metrics used in collected papers.
To choose the right ML technique or to prove that it is
effective and accurate, some papers compare their models
to other ML. Almost 60% of the papers collected use the
comparison method. Some compare with multiple types of
ML, others with only one ML that is the most relevant to their
model.
Appendix table D present each research paper ID along to
the ML technique applied and the advantages and disadvan-
tages of that technique.

C. RQ3: ESTIMATION AND ACCURACY

For this section, we assembled all of the Estimations of
accuracy that we found from the collected papers. We focused
on four aspects: the accuracy metric, accuracy value, data set
of construction, and model validation methods.
Thirty-six papers showed performance metrics in their
research. After collecting the metrics they used, we ended up
with more than 30 metrics. For this reason, we will include
only the metrics that are used more than once. From the
13 metrics that we got; True Positive Rate is the most used
among them. It is also known as sensitivity, recall or detection
rate. TPR is the value of normal data correctly predicted or
classified. 16 papers use Accuracy for performance evalu- FIGURE 2. Data sets used in collected papers.
ation as it shows the efficiency of their ML model. False
Positive Rate is used by 12 papers, where a value of normal
data incorrectly predicted or classified. Precision is how often
a model correctly predicts a positive result. 6 papers used True papers in each dataset were used for evaluation. Following
Negative Rate, also known as specificity, to get the value of them is the NSL KDD ’99 dataset and Real datasets, which
normal data that are predicted as normal. Following this in is used in 3 papers. CADIA and UNSW are used in 2 papers
frequency of use is False Alarm Rate, which is used in 5 each. The rest of the datasets are only used once.
studies. This is followed by Detection value and Specificity,
which are both used in 4 studies. The mean of recall and D. CRITICAL ANALYSIS
precision is F-measure, also known as F-score or F-value. In this section, we present the analysis we established after
False Negative Rate is used only twice to calculate the data answering the research questions, along with the open 3 chal-
that were falsely predicted. Figure 1 shows the performance lenges and future works of some papers. Table 14 shows the
metrics overall summary of the research papers that showed the high-
Data sets are essential for arriving at an evaluation of est accuracy according to their security aspect. For example,
the model and play an essential part in getting the best paper A58 covered attack detection in cloud security and the
result. Thus, we conducted a review of the data sources that model they presented had an accuracy of 96.67% which is
were used in the relevant articles, ending up with a total considered to be the highest among other collected research
of 36 datasets. Figure 2 represent the datasets that were used, articles that covered the same security aspect. Appendix table
along with their frequency. As shown, KDD and KDD CUP C summarizes the performance metrics used in the papers
’99 are the most used among the datasets, where 4 research collected that mentioned their research results.

VOLUME 9, 2021 20725

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 13. Summary of open challenges in collected papers.

FIGURE 3. Risk levels in terms impact and the risk likelihood.

TABLE 15. Future work similarity in collected papers.

TABLE 14. Highest accuracy values in collected research papers

according to the security aspect.

• Low Risk
◦ Cloud processes and/or stores public data
◦ Cloud is easily recoverable and reproducible
◦ Cloud provides an informational / non-critical ser-
vice
• Moderate Risk
◦ Cloud processes and/or stores non-public or
internal-use data
◦ Cloud is internally trusted by other networked sys-
tems
◦ Cloud provides a normal or important service
• High Risk
◦ Cloud processes and/or stores confidential or
restricted data
In accordance with policy IT-19, Institutional Data Access, ◦ Cloud is highly trusted by UI networked systems
Business Owners (as defined in IT-16, Roles and Responsi- ◦ Cloud provides a critical or campus-wide service
bilities for Information Security Policy) classify systems into Risk Analysis must take into consideration the sensitivity
one of three risk categories: of data processed, as well as the likelihood and impact of

20726 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 16. Appendix A: Referenced papers used in this research study.

VOLUME 9, 2021 20727

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 17. Appendix B: QAR and the score of the collected papers. TABLE 18. Appendix C: Performance metrics used in collected papers.

potential threat events. These probabilities into risk levels and

an overall system risk level.
Although there are many threat events related to a system,
they can be generally organized into three main categories:
• Loss of Confidentiality:
◦ The system and its data are compromised
◦ The system and its data are released publicly
◦ The system and its data erroneously publish data on
public

20728 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 18. (Continued.) Appendix C: Performance metrics used in • Loss of Integrity:

collected papers.
◦ The system and its data cannot be trusted
◦ The system and its data are not complete or incor-
rect
• Loss of Availability:
◦ The system and its data no longer exist
◦ The system and its data no longer respond to valid
queries
◦ The system and its data cannot be retrieved by an
authorized user (e.g. DDOS)
Risk levels are calculated as the product of the likelihood
and impact of a potential threat event / threat event category.
The risk level for each threat event category is then calculated.
The overall risk level for the system is equal to the highest risk
level for any risk event. Figure 3 shows the risk levels.
As discussed in many papers, there are many challenges
to be addressed. In two papers, the need of more data that
are properly trained is a challenge to them. Some papers find
it a challenge to enhance and the ML algorithm, or that the
ML contains a performance overhead such as paper A4. Paper
A53 states that accuracy detection might degrade against
some heavy attacks, while paper A32 states that the consider-
ation of new features would naturally invoke a computational
trade off. Furthermore, according to Table 13 we classified
the open challenges into several fields machine learning, data,
security, DDoS attack, and performance. There are 5 papers
that discuss the open challenge of training the ML classifier or
enhance the model. As for the data aspect, there are 4 papers
that found challenge in the lack of data available due the
privacy concern of data sharing.
For future work, we noticed that most papers will further
evaluate their research work by adding more tests or combin-
ing different ML. Other papers state for their future work is
to improve their proposed work by adding more features or
enable it to detect more types of attacks. Table 15 shows the
similarity of future work of the collected papers. We found
that 11 papers want to work on trying other ML classifiers
or using hybrid methods. As well as 10 papers want to focus
on enhancing their proposed model from several aspects, and
other papers want to conduct more experiments in different
datasets.
Furthermore, we collected the type of cloud security prob-
lems as reported in the papers. We found that almost 51%
of the problems are considered as classification problems,
7% are clustering, and 5% are regression. Some papers
used more than one type in same research. Please note that
machine learning techniques are very powerful to tackle such
problems.
As for the future work of our study, we plan to look for
more security threats in cloud that can be solved through
ML techniques. Moreover, we will explore more of ML
techniques and which achieve the highest results in almost
all security aspects in cloud. Furthermore, we will look into
a wider aspect of the applications of Cloud security such as
Cyber Physical Systems (IoTs) and SDNs.

VOLUME 9, 2021 20729

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 19. Appendix D: ML techniques used in collected papers with their pros and cons.

20730 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

TABLE 19. (Continued.) Appendix D: ML techniques used in collected papers with their pros and cons.

V. LIMITATIONS OF THIS REVIEW preservation, security, vulnerability detection, confiden-

This work is restricted to journal and conference papers tiality of data, data privacy, DDoS, DoS, and intrusion
related to ML in Cloud security. By applying our detection (ID). DDoS and data privacy are analyzed
search approach strategy, we excluded a large number of the most, with a 16% frequency of usage and 14%
non-relevant research papers. The papers we selected fully respectively.
match our research objective, hence the small number of • RQ2 counted 30 ML techniques used, some used as
papers collected. In addition, we applied quality assessment hybrid and others as standalone. The most popular ML
criteria to select articles that provide synthesized results. used is SVM in both hybrid and standalone models. 60%
of the papers compared their models with other ML
VI. CONCLUSION models to get the best evaluation to either prove their
We carried out a systematic literature review to analyze ML accuracy or to further improve their model.
techniques used in Cloud security. The review investigated • RQ3 enumerated 13 different evaluation metrics;
relevant studies that answered 3 RQs; Cloud security area, TPR, Accuracy, FPR Precision, TNR, FAR, Detec-
type of ML techniques used, and the accuracy estimation of tion, F-measure, FNR and Training time. The most
the ML model. Overall, we obtained 60 research papers after used metric was TPR, and the least used was Train-
applying our selection criteria. Our conclusions are summa- ing time, respectively. Furthermore, datasets have
rized as follows: been used to evaluate models’ performance. From the
• RQ1 findings are the 11 Cloud security areas iden- 20 datasets found, KDD and KDD CUP ’99 are the most
tified; anomaly detection, attack detection, privacy used.

VOLUME 9, 2021 20731

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

Our study also found very few surveys based on ML tech- [8] B. Xu, S. Chen, H. Zhang, and T. Wu, ‘‘Incremental k-NN SVM method in
niques in Cloud security form, with no usage of their feature intrusion detection,’’ in Proc. 8th IEEE Int. Conf. Softw. Eng. Service Sci.
(ICSESS), Nov. 2017, pp. 712–717, doi: 10.1109/ICSESS.2017.8343013.
selection/extraction strategy. Therefore, we recommend more [9] R. Moreno-Vozmediano, R. S. Montero, E. Huedo, and I. M. Llorente,
thorough research and more empirical experiments to address ‘‘Efficient resource provisioning for elastic cloud services based on
the need for ML in Cloud security. In addition, research machine learning techniques,’’ J. Cloud Comput., vol. 8, no. 1, p. 5,
Dec. 2019, doi: 10.1186/s13677-019-0128-9.
papers should present their results using multiple evaluation [10] A. AlEroud and G. Karabatis, ‘‘A contextual anomaly detection approach
metrics when considering imbalanced datasets. to discover zero-day attacks,’’ in Proc. Int. Conf. Cyber Secur., Dec. 2012,
Moreover, we noticed that little work has been done using pp. 40–45, doi: 10.1109/CyberSecurity.2012.12.
[11] N. Chand, P. Mishra, C. R. Krishna, E. S. Pilli, and M. C. Govil, ‘‘A
deep learning techniques in cloud security. We encourage comparative analysis of SVM and its stacking with other classifica-
researchers to take advantage of the deep learning in this tion algorithm for intrusion detection,’’ in Proc. Int. Conf. Adv. Com-
regard. put., Commun., Autom. (ICACCA) (Spring), Apr. 2016, pp. ‘1–6, doi:
10.1109/ICACCA.2016.7578859.
Another important observation is that most of the datasets
[12] J. Arshad, P. Townend, and J. Xu, ‘‘A novel intrusion severity analy-
used are relatively old such as KDD. Researchers are encour- sis approach for clouds,’’ Future Gener. Comput. Syst., vol. 29, no. 1,
aged to use recent datasets such as CICIDS2017, CSE-CIC- pp. 416–428, Jan. 2013, doi: 10.1016/j.future.2011.08.009.
IDS2018 and Kyoto 2006+ for intrusion detection. [13] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, ‘‘A survey
of deep learning-based network anomaly detection,’’ Cluster Comput.,
vol. 22, pp. 949–961, Sep. 2017, doi: 10.1007/s10586-017-1117-8.
APPENDIX [14] Y. LeCun, Y. Bengio, and G. Hinton, ‘‘Deep learning,’’ Nature, vol. 521,
no. 7553, pp. 436–444, May 2015, doi: 10.1038/nature14539.
See Tables 16–19.
[15] Q. Zhang, L. T. Yang, Z. Chen, and P. Li, ‘‘A survey on deep learn-
ing for big data,’’ Inf. Fusion, vol. 42, pp. 146–157, Jul. 2018, doi:
ACKNOWLEDGMENT 10.1016/j.inffus.2017.10.006.
[16] H. Tabrizchi and M. Kuchaki Rafsanjani, ‘‘A survey on security chal-
The authors would like to thank the University of Sharjah and lenges in cloud computing: Issues, threats, and solutions,’’ J. Supercomput.,
OpenUAE Research and Development Group for funding this vol. 76, no. 12, pp. 9493–9532, Dec. 2020, doi: 10.1007/s11227-020-
research study. They also grateful to our research assistants 03213-1.
[17] L. Alhenaki, A. Alwatban, B. Alamri, and N. Alarifi, ‘‘A survey on the
who helped in collecting, summarizing, and analyzing the security of cloud computing,’’ in Proc. 2nd Int. Conf. Comput. Appl. Inf.
research articles for this SLR study. Secur. (ICCAIS), May 2019, pp. 1–7, doi: 10.1109/CAIS.2019.8769497.
[18] R. Kumar and R. Goyal, ‘‘On cloud security requirements, threats, vul-
nerabilities and countermeasures: A survey,’’ Comput. Sci. Rev., vol. 33,
AVAILABILITY OF DATA AND MATERIALS pp. 1–48, Aug. 2019, doi: 10.1016/j.cosrev.2019.05.002.
The data extracted in this research is tabulated in the [19] L. B. Bhajantri and T. Mujawar, ‘‘A survey of cloud computing secu-
Appendix rity challenges, issues and their countermeasures,’’ in Proc. 3rd Int.
Conf. I-SMAC (IoT Social, Mobile, Anal. Cloud) (I-SMAC), Dec. 2019,
pp. 376–380, doi: 10.1109/I-SMAC47947.2019.9032545.
COMPETING INTERESTS [20] K. V. Uma and E. S. Blessie, ‘‘Survey on Android malware detection
and protection using data mining algorithms,’’ in Proc. 2nd Int. Conf. I-
The authors declare that they have no competing interests SMAC (IoT Social, Mobile, Anal. Cloud) (I-SMAC)I-SMAC (IoT Social,
Mobile, Anal. Cloud) (I-SMAC), 2nd Int. Conf., Aug. 2018, pp. 209–212,
REFERENCES doi: 10.1109/I-SMAC.2018.8653720.
[21] D. Dave, N. Meruliya, T. D. Gajjar, G. T. Ghoda, D. H. Parekh, and
[1] M. T. Khorshed, A. B. M. S. Ali, and S. A. Wasimi, ‘‘Trust issues R. Sridaran, ‘‘Cloud security issues and challenges,’’ in Advances in Intel-
that create threats for cyber attacks in cloud computing,’’ in Proc. IEEE ligent Systems and Computing, vol. 654. New York, NY, USA: Springer,
17th Int. Conf. Parallel Distrib. Syst., Dec. 2011, pp. 900–905, doi: 2018, pp. 499–514, doi: 10.1007/978-981-10-6620-7_48.
10.1109/ICPADS.2011.156. [22] I. Avdagic and K. Hajdarevic, ‘‘Survey on machine learning algorithms as
[2] A. P. Achilleos, K. Kritikos, A. Rossini, G. M. Kapitsaki, J. Domaschka, cloud service for CIDPS,’’ in Proc. 25th Telecommun. Forum (TELFOR),
M. Orzechowski, D. Seybold, F. Griesinger, N. Nikolov, D. Romero, Nov. 2017, pp. 1–4, doi: 10.1109/TELFOR.2017.8249467.
and G. A. Papadopoulos, ‘‘The cloud application modelling and execu- [23] G. Nenvani and H. Gupta, ‘‘A survey on attack detection on cloud using
tion language,’’ J. Cloud Comput., vol. 8, no. 1, p. 20, Dec. 2019, doi: supervised learning techniques,’’ in Proc. Symp. Colossal Data Anal. Netw.
10.1186/s13677-019-0138-7. (CDAN), Mar. 2016, pp. 1–5, doi: 10.1109/CDAN.2016.7570872.
[3] P. Kumar and P. J. A. Alphonse, ‘‘Attribute based encryption in cloud com- [24] B. Nelson and T. Olovsson, ‘‘Security and privacy for big data: A sys-
puting: A survey, gap analysis, and future directions,’’ J. Netw. Comput. tematic literature review,’’ in Proc. IEEE Int. Conf. Big Data (Big Data),
Appl., vol. 108, pp. 37–52, Apr. 2018, doi: 10.1016/j.jnca.2018.02.009. Dec. 2016, pp. 3693–3702, doi: 10.1109/BigData.2016.7841037.
[4] T. Halabi and M. Bellaiche, ‘‘Towards quantification and evaluation of [25] S. G. Kene and D. P. Theng, ‘‘A review on intrusion detection tech-
security of cloud service providers,’’ J. Inf. Secur. Appl., vol. 33, pp. 55–65, niques for cloud computing and security challenges,’’ in Proc. 2nd Int.
Apr. 2017, doi: 10.1016/j.jisa.2017.01.007. Conf. Electron. Commun. Syst. (ICECS), Feb. 2015, pp. 227–232, doi:
[5] R. Kumar, S. P. Lal, and A. Sharma, ‘‘Detecting denial of service 10.1109/ECS.2015.7124898.
attacks in the cloud,’’ in Proc. IEEE 14th Int. Conf. Dependable, [26] C. Modi, D. Patel, B. Borisaniya, A. Patel, and M. Rajarajan, ‘‘A survey
Autonomic Secure Comput., 14th Int. Conf. Pervas. Intell. Comput., on security issues and solutions at different layers of cloud computing,’’
2nd Int. Conf. Big Data Intell. Comput. Cyber Sci. Technol. Congr. J. Supercomput., vol. 63, pp. 561–592, Oct. 2013, doi: 10.1007/s11227-
(DASC/PiCom/DataCom/CyberSciTech), Aug. 2016, doi: 10.1109/DASC- 012-0831-5.
PICom-DataCom-CyberSciTec.2016.70. [27] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan, ‘‘A
[6] T. Halabi and M. Bellaiche, ‘‘A broker-based framework for standardiza- survey of intrusion detection techniques in cloud,’’ J. Netw. Comput. Appl.,
tion and management of cloud security-SLAs,’’ Comput. Secur., vol. 75, vol. 36, no. 1, pp. 42–57, 2013, doi: 10.1016/j.jnca.2012.05.003.
pp. 59–71, Jun. 2018, doi: 10.1016/j.cose.2018.01.019. [28] A. Patel, M. Taghavi, K. Bakhtiyari, and J. C. Júnior, ‘‘An intrusion detec-
[7] M. R. Chinnaiah and N. Niranjan, ‘‘Fault tolerant software systems using tion and prevention system in cloud computing: A systematic review,’’
software configurations for cloud computing,’’ J. Cloud Comput., vol. 7, J. Netw. Comput. Appl., vol. 36, no. 1, pp. 25–41, Jan. 2013, doi:
p. 3, Jan. 2018, doi: 10.1186/s13677-018-0104-9. 10.1016/j.jnca.2012.08.007.

20732 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

[29] M. T. Khorshed, A. B. M. S. Ali, and S. A. Wasimi, ‘‘A survey on [49] T. Graepel, K. Lauter, and M. Naehrig, ‘‘ML confidential: Machine learn-
gaps, threat remediation challenges and some thoughts for proactive attack ing on encrypted data,’’ in Lecture Notes in Computer Science (Includ-
detection in cloud computing,’’ Future Gener. Comput. Syst., vol. 28, no. 6, ing Subseries Lecture Notes in Artificial Intelligence and Lecture Notes
pp. 833–851, Jun. 2012, doi: 10.1016/j.future.2012.01.006. in Bioinformatics), (Lecture Notes in Computer Science), vol. 7839.
[30] B. Kitchenham and S. Charters, ‘‘Guidelines for performing systematic New York, NY, USA: Springer, Jul. 2013, pp. 1–21, doi: 10.1007/978-3-
literature reviews in software engineering,’’ Engineering, vol. 45, no. 4, 642-37682-5_1.
p. 1051, 2007, doi: 10.1145/1134285.1134500. [50] K. Vijayakumar and C. Arun, ‘‘Continuous security assessment of
[31] D. Mittal, D. Kaur, and A. Aggarwal, ‘‘Secure data mining in cloud based applications using distributed hashing algorithm in SDLC,’’
cloud using homomorphic encryption,’’ in Proc. IEEE Int. Conf. Cluster Comput., vol. 22, no. S5, pp. 10789–10800, Sep. 2019, doi:
Cloud Comput. Emerg. Markets (CCEM), Oct. 2014, pp. 1–7, doi: 10.1007/s10586-017-1176-x.
10.1109/CCEM.2014.7015496. [51] U. A. Butt, M. Mehmood, S. B. H. Shah, R. Amin, M. W. Shaukat,
[32] K. Murakami, R. Hanyu, Q. Zhao, and Y. Kaneda, ‘‘Improvement of S. M. Raza, D. Y. Suh, and M. J. Piran, ‘‘A review of machine learning algo-
security in cloud systems based on steganography,’’ in Proc. Int. Joint rithms for cloud computing security,’’ Electronics, vol. 9, no. 9, p. 1379,
Conf. Awareness Sci. Technol. Ubi-Media Comput. (iCAST UMEDIA ), Aug. 2020, doi: 10.3390/electronics9091379.
Nov. 2013, pp. 503–508, doi: 10.1109/ICAwST.2013.6765492. [52] G. P. Zhang, ‘‘Neural networks for classification: A survey,’’ ACS
[33] B. Wang, M. Li, S. S. M. Chow, and H. Li, ‘‘Computing encrypted cloud Appl. Mater. Interfaces, vol. 10, no. 12, pp. 10513–10519, 2018, doi:
data efficiently under multiple keys,’’ in Proc. IEEE Conf. Commun. Netw. 10.1021/acsami.7b16653.
Secur. (CNS), Oct. 2013, pp. 504–513, doi: 10.1109/CNS.2013.6682768. [53] N. Pandeeswari and G. Kumar, ‘‘Anomaly detection system in cloud envi-
[34] M. Eskandari, A. S. De Oliveira, and B. Crispo, ‘‘VLOC: An approach ronment using fuzzy clustering based ANN,’’ Mobile Netw. Appl., vol. 21,
to verify the physical location of a virtual machine in cloud,’’ in Proc. no. 3, pp. 494–505, Jun. 2016, doi: 10.1007/s11036-015-0644-x.
IEEE 6th Int. Conf. Cloud Comput. Technol. Sci., Dec. 2014, pp. 86–94, [54] T. Salman, D. Bhamare, A. Erbad, R. Jain, and M. Samaka, ‘‘Machine
doi: 10.1109/CloudCom.2014.47. learning for anomaly detection and categorization in multi-cloud envi-
[35] M. B. Bondada and S. M. S. Bhanu, ‘‘Analyzing user behavior using ronments,’’ in Proc. IEEE 4th Int. Conf. Cyber Secur. Cloud Comput.
keystroke dynamics to protect cloud from malicious insiders,’’ in Proc. (CSCloud), Jun. 2017, pp. 97–103, doi: 10.1109/CSCloud.2017.15.
IEEE Int. Conf. Cloud Comput. Emerg. Markets (CCEM), Oct. 2014, [55] T. Shon and J. Moon, ‘‘A hybrid machine learning approach to network
pp. 1–8, doi: 10.1109/CCEM.2014.7015481. anomaly detection,’’ Inf. Sci., vol. 177, no. 18, pp. 3799–3821, Sep. 2007,
[36] A. Nagaraja, N. Mangathayaru, and N. Rajashekar, ‘‘Privacy preserving doi: 10.1016/j.ins.2007.03.025.
and data security—A survey,’’ in Proc. Int. Conf. Eng. MIS (ICEMIS), [56] C.-Y. Chiu, C.-T. Yeh, and Y.-J. Lee, ‘‘Frequent pattern based user behavior
Sep. 2016, pp. 1–6, doi: 10.1109/ICEMIS.2016.7745350. anomaly detection for cloud system,’’ in Proc. Conf. Technol. Appl. Artif.
[37] E. Hesamifard, H. Takabi, M. Ghasemi, and C. Jones, ‘‘Privacy-preserving Intell., Dec. 2013, pp. 61–66, doi: 10.1109/TAAI.2013.25.
machine learning in cloud,’’ in Proc. Cloud Comput. Secur. Workshop,
[57] T. Kim, Y. Choi, S. Han, J. Yoon Chung, J. Hyun, J. Li, and J. W. Hong,
2017, pp. 39–43, doi: 10.1145/3140649.3140655.
‘‘Monitoring and detecting abnormal behavior in mobile cloud infras-
[38] J. Yuan and S. Yu, ‘‘Privacy preserving back-propagation neural net-
tructure,’’ in Proc. IEEE Netw. Operations Manage. Symp., Apr. 2012,
work learning made practical with cloud computing,’’ IEEE Trans.
pp. 1303–1310, doi: 10.1109/NOMS.2012.6212067.
Parallel Distrib. Syst., vol. 25, no. 1, pp. 212–221, Jan. 2014, doi:
[58] M. S. Sarma, Y. Srinivas, M. Abhiram, L. Ullala, M. S. Prasanthi, and
10.1109/TPDS.2013.18.
J. R. Rao, ‘‘Insider threat detection with face recognition and KNN user
[39] X. Ma, J. Ma, H. Li, Q. Jiang, and S. Gao, ‘‘PDLM: Privacy-preserving
classification,’’ in Proc. IEEE Int. Conf. Cloud Comput. Emerg. Markets
deep learning model on cloud with multiple keys,’’ IEEE Trans. Services
(CCEM), Nov. 2017, pp. 39–44, doi: 10.1109/CCEM.2017.16.
Comput., early access, Sep. 5, 2018, doi: 10.1109/TSC.2018.2868750.
[59] F. A. Narudin, A. Feizollah, N. B. Anuar, and A. Gani, ‘‘Evaluation of
[40] S. Wang, X. Jiang, Y. Wu, L. Cui, S. Cheng, and L. Ohno-Machado,
machine learning classifiers for mobile malware detection,’’ Soft Comput.,
‘‘EXpectation propagation logistic regression (EXPLORER): Distributed
vol. 20, no. 1, pp. 343–357, Jan. 2016, doi: 10.1007/s00500-014-1511-6.
privacy-preserving online model learning,’’ J. Biomed. Informat., vol. 46,
no. 3, pp. 480–496, Jun. 2013, doi: 10.1016/j.jbi.2013.03.008. [60] B. Amos, H. Turner, and J. White, ‘‘Applying machine learning classifiers
[41] Z. He, T. Zhang, and R. B. Lee, ‘‘Machine learning based DDoS attack to dynamic Android malware detection at scale,’’ in Proc. 9th Int. Wireless
detection from source side in cloud,’’ in Proc. IEEE 4th Int. Conf. Commun. Mobile Comput. Conf. (IWCMC), Jul. 2013, pp. 1666–1671, doi:
Cyber Secur. Cloud Comput. (CSCloud), Jun. 2017, pp. 114–120, doi: 10.1109/IWCMC.2013.6583806.
10.1109/CSCloud.2017.58. [61] Y. Ye, T. Li, S. Zhu, W. Zhuang, E. Tas, U. Gupta, and
[42] A. Chonka, Y. Xiang, W. Zhou, and A. Bonti, ‘‘Cloud security defence M. Abdulhayoglu, ‘‘Combining file content and file relations for
to protect cloud computing against HTTP-DoS and XML-DoS attacks,’’ cloud based malware detection,’’ in Proc. 17th ACM SIGKDD Int.
J. Netw. Comput. Appl., vol. 34, no. 4, pp. 1097–1107, 2011, doi: Conf. Knowl. Discovery Data Mining (KDD), 2011, pp. 222–230, doi:
10.1016/j.jnca.2010.06.004. 10.1145/2020408.2020448.
[43] Z. Chen, F. Jiang, Y. Cheng, X. Gu, W. Liu, and J. Peng, ‘‘XGBoost [62] P. Shamsolmoali and M. Zareapoor, ‘‘Statistical-based filtering system
classifier for DDoS attack detection and analysis in SDN-based cloud,’’ against DDOS attacks in cloud computing,’’ in Proc. Int. Conf. Adv.
in Proc. IEEE Int. Conf. Big Data Smart Comput. (BigComp), Jan. 2018, Comput., Commun. Informat. (ICACCI), Sep. 2014, pp. 1234–1239, doi:
pp. 251–256, doi: 10.1109/BigComp.2018.00044. 10.1109/ICACCI.2014.6968282.
[44] C. Modi, D. Patel, B. Borisanya, A. Patel, and M. Rajarajan, ‘‘A novel [63] P. Mishra, E. S. Pilli, V. Varadharajant, and U. Tupakula, ‘‘NvClou-
framework for intrusion detection in cloud,’’ in Proc. 5th Int. Conf. Secur. dIDS: A security architecture to detect intrusions at network and
Inf. Netw. (SIN), 2012, pp. 67–74, doi: 10.1145/2388576.2388585. virtualization layer in cloud environment,’’ in Proc. Int. Conf. Adv.
[45] K. Gai, M. Qiu, and S. A. Elnagdy, ‘‘Security-aware information classifi- Comput., Commun. Informat. (ICACCI), Sep. 2016, pp. 56–62, doi:
cations using supervised learning for cloud-based cyber risk management 10.1109/ICACCI.2016.7732025.
in financial big data,’’ in Proc. IEEE IEEE 2nd Int. Conf. Big Data Secur. [64] B. Gulmezoglu, T. Eisenbarth, and B. Sunar, ‘‘Cache-based applica-
Cloud (BigDataSecurity) Int. Conf. High Perform. Smart Comput. (HPSC), tion detection in the cloud using machine learning,’’ in Proc. ACM
IEEE Int. Conf. Intell. Data Secur. (IDS), Apr. 2016, pp. 197–202, doi: Asia Conf. Comput. Commun. Secur., Apr. 2017, pp. 288–300, doi:
10.1109/BigDataSecurity-HPSC-IDS.2016.66. 10.1145/3052973.3053036.
[46] F. Omri, S. Foufou, R. Hamila, and M. Jarraya, ‘‘Cloud-based mobile sys- [65] G. Loukas, T. Vuong, R. Heartfield, G. Sakellari, Y. Yoon, and D. Gan,
tem for biometrics authentication,’’ in Proc. 13th Int. Conf. ITS Telecom- ‘‘Cloud-based cyber-physical intrusion detection for vehicles using deep
mun. (ITST), Nov. 2013, pp. 325–330, doi: 10.1109/ITST.2013.6685567. learning,’’ IEEE Access, vol. 6, pp. 3491–3508, 2017.
[47] M. Marwan, A. Kartit, and H. Ouahmane, ‘‘Security enhancement in [66] A. Rukavitsyn, K. Borisenko, and A. Shorov, ‘‘Self-learning method for
healthcare cloud using machine learning,’’ Procedia Comput. Sci., vol. 127, DDoS detection model in cloud computing,’’ in Proc. IEEE Conf. Rus-
pp. 388–397, 2018, doi: 10.1016/j.procs.2018.01.136. sian Young Researchers Electr. Electron. Eng. (EIConRus), Feb. 2017,
[48] M. Wu, Z. Song, and Y. B. Moon, ‘‘Detecting cyber-physical attacks in pp. 544–547, doi: 10.1109/EIConRus.2017.7910612.
CyberManufacturing systems with machine learning methods,’’ J. Intell. [67] Q. Zhang, L. T. Yang, and Z. Chen, ‘‘Privacy preserving deep computation
Manuf., vol. 30, no. 3, pp. 1111–1123, Mar. 2019, doi: 10.1007/s10845- model on cloud for big data feature learning,’’ IEEE Trans. Comput.,
017-1315-5. vol. 65, no. 5, pp. 1351–1362, May 2016, doi: 10.1109/TC.2015.2470255.

VOLUME 9, 2021 20733

 A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

[68] O. A. Kwabena, Z. Qin, Z. Qin, and T. Zhuang, ‘‘MSCryptoNet: [87] M. T. Sandikkaya, Y. Yaslan, and C. D. Özdemir, ‘‘DeMETER in clouds:
Multi-scheme privacy-preserving deep learning in cloud Detection of malicious external thread execution in runtime with machine
computing,’’ IEEE Access, vol. 7, pp. 29344–29354, 2019, doi: learning in PaaS clouds,’’ Cluster Comput., vol. 23, no. 4, pp. 2565–2578,
10.1109/ACCESS.2019.2901219. Dec. 2020, doi: 10.1007/s10586-019-03027-8.
[69] M. R. Watson, N.-U.-H. Shirazi, A. K. Marnerides, A. Mauthe, and [88] A. Abusitta, M. Bellaiche, M. Dagenais, and T. Halabi, ‘‘A deep learning
D. Hutchison, ‘‘Malware detection in cloud computing infrastructures,’’ approach for proactive multi-cloud cooperative intrusion detection sys-
IEEE Trans. Dependable Secure Comput., vol. 13, no. 2, pp. 192–205, tem,’’ Future Gener. Comput. Syst., vol. 98, pp. 308–318, Sep. 2019, doi:
Mar. 2016, doi: 10.1109/TDSC.2015.2457918. 10.1016/j.future.2019.03.043.
[70] Q. Lu, Y. Xiong, X. Gong, and W. Huang, ‘‘Secure collaborative out- [89] M. A. Zardari, L. T. Jung, and N. Zakaria, ‘‘K-NN classifier for data
sourced data mining with multi-owner in cloud computing,’’ in Proc. confidentiality in cloud computing,’’ in Proc. Int. Conf. Comput. Inf. Sci.
IEEE 11th Int. Conf. Trust, Secur. Privacy Comput. Commun., Jun. 2012, (ICCOINS), Jun. 2014, pp. 1–6, doi: 10.1109/ICCOINS.2014.6868432.
pp. 100–108, doi: 10.1109/TrustCom.2012.251. [90] A. Inani, C. Verma, and S. Jain, ‘‘A machine learning algorithm TsF
[71] H. Zhao, M. Xu, N. Zheng, J. Yao, and Q. Hou, ‘‘Malicious executa- K-NN based on automated data classification for securing mobile cloud
bles classification based on behavioral factor analysis,’’ in Proc. Int. computing model,’’ in Proc. IEEE 4th Int. Conf. Comput. Commun. Syst.
Conf. e-Educ., e-Bus., e-Manage. e-Learn., Jan. 2010, pp. 502–506, doi: (ICCCS), Feb. 2019, pp. 9–13, doi: 10.1109/CCOMS.2019.8821756.
10.1109/IC4E.2010.78. [91] T. Ayodele and D. Adeegbe, ‘‘Cloud based emails boundaries and vulner-
[72] P. Wang and Y.-S. Wang, ‘‘Malware behavioural detection and vac- abilities,’’ in Proc. Sci. Inf. Conf., Oct. 2013, pp. 912–914.
cine development by using a support vector model classifier,’’ J. Com-
put. Syst. Sci., vol. 81, no. 6, pp. 1012–1026, Sep. 2015, doi:
10.1016/j.jcss.2014.12.014.
[73] N. Sengupta, ‘‘Designing encryption and IDS for cloud security,’’ in Proc.
2nd Int. Conf. Internet things, Data Cloud Comput., Mar. 2017, pp. 1–5,
doi: 10.1145/3018896.3018954.
[74] Z. Li, W. Sun, and L. Wang, ‘‘A neural network based distributed
intrusion detection system on cloud platform,’’ in Proc. IEEE 2nd
Int. Conf. Cloud Comput. Intell. Syst., Oct./Nov. 2012, pp. 75–79, doi:
10.1109/CCIS.2012.6664371.
[75] Y. Zhu, Z. Huang, and T. Takagi, ‘‘Secure and controllable k-NN query
over encrypted cloud data with key confidentiality,’’ J. Parallel Distrib.
Comput., vol. 89, pp. 1–12, Mar. 2016, doi: 10.1016/j.jpdc.2015.11.004. ALI BOU NASSIF received the master’s degree in
[76] A. Sahi, D. Lai, Y. Li, and M. Diykh, ‘‘An efficient DDoS TCP flood attack computer science and the Ph.D. degree in electri-
detection and prevention system in a cloud environment,’’ IEEE Access, cal and computer engineering from Western Uni-
vol. 5, pp. 6036–6048, 2017, doi: 10.1109/ACCESS.2017.2688460. versity, London, ON, Canada, in 2009 and 2012,
[77] P. Mishra, E. S. Pilli, V. Varadharajan, and U. Tupakula, ‘‘Efficient respectively. He is currently the Assistant Dean of
approaches for intrusion detection in cloud environment,’’ in Proc. Int. Graduate Studies with the University of Sharjah,
Conf. Comput., Commun. Autom. (ICCCA), Apr. 2016, pp. 1211–1216, United Arab Emirates. He is also an Associate Pro-
doi: 10.1109/CCAA.2016.7813926. fessor with the Department of Computer Engineer-
[78] X. Li, Y. Zhu, and J. Wang, ‘‘Secure naïve Bayesian classification over ing, as well as an Adjunct Research Professor with
encrypted data in cloud,’’ in Lecture Notes in Computer Science (Including Western University. His research interests include
Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in the applications of statistical and artificial intelligence models in differ-
Bioinformatics). New York, NY, USA: Springer, 2016, pp. 130–150, doi: ent areas, such as software engineering, electrical engineering, e-learning,
10.1007/978-3-319-47422-9_8. security, networking, signal processing, and social media. He has published
[79] K. Borisenko, A. Smirnov, E. Novikova, and A. Shorov, ‘‘DDoS attacks
more than 65 refereed conference and journal papers. He is a Registered
detection in cloud computing using data mining techniques,’’ in Lecture
Professional Engineer (P.Eng) in Ontario, as well as a member of IEEE
Notes in Computer Science (Including Subseries Lecture Notes in Artificial
Intelligence and Lecture Notes in Bioinformatics), vol. 9728. New York,
Computer Society.
NY, USA: Springer, 2016, pp. 197–211, doi: 10.1007/978-3-319-41561-
1_15.
[80] P. Xiao, W. Qu, H. Qi, and Z. Li, ‘‘Detecting DDoS attacks against data
center with correlation analysis,’’ Comput. Commun., vol. 67, pp. 66–74,
Aug. 2015, doi: 10.1016/j.comcom.2015.06.012.
[81] A. Saied, R. E. Overill, and T. Radzik, ‘‘Detection of known and unknown
DDoS attacks using artificial neural networks,’’ Neurocomputing, vol. 172,
pp. 385–393, Jan. 2016, doi: 10.1016/j.neucom.2015.04.101.
[82] Z. Chkirbene, A. Erbad, and R. Hamila, ‘‘A combined decision for secure
cloud computing based on machine learning and past information,’’ in
Proc. IEEE Wireless Commun. Netw. Conf. (WCNC), Apr. 2019, pp. 1–6,
doi: 10.1109/WCNC.2019.8885566. MANAR ABU TALIB is currently teaching with
[83] V. Sharma, V. Verma, and A. Sharma, ‘‘Detection of DDoS attacks using the University of Sharjah, United Arab Emirates.
machine learning in cloud computing,’’ in Proc. Int. Conf. Adv. Inform. Her research interests include software engineer-
Comput. Res., vol. 1076, 2019, pp. 260–273, doi: 10.1007/978-981-15- ing with substantial experience and knowledge
0111-1_24. in conducting research in software measurement,
[84] H. Abbasi, N. Ezzati-Jivan, M. Bellaiche, C. Talhi, and M. R. Dagenais, software quality, software testing, ISO 27001 for
‘‘Machine learning-based EDoS attack detection technique using execu-
information security, and open source software.
tion trace analysis,’’ J. Hardw. Syst. Secur., vol. 3, no. 2, pp. 164–176,
She is also working on ISO standards for measur-
Jun. 2019, doi: 10.1007/s41635-018-0061-2.
ing the functional size of software and has been
[85] H. Kim, J. Kim, Y. Kim, I. Kim, and K. J. Kim, ‘‘Design of network
threat detection and classification based on machine learning on cloud involved in developing the Arabic version of ISO
computing,’’ Cluster Comput., vol. 22, no. S1, pp. 2341–2350, Jan. 2019, 19761 (COSMIC-FFP measurement method). She published more than
doi: 10.1007/s10586-018-1841-8. 50 refereed conferences, journals, manuals, and technical reports. She is also
[86] P. Mishra, K. Khurana, S. Gupta, and M. K. Sharma, ‘‘VMAnalyzer: the ArabWIC VP of Chapters in Arab Women in Computing Association
Malware semantic analysis using integrated CNN and bi-directional LSTM (ArabWIC), the Google Women Tech Maker Lead, a Co-Coordinator of
for detecting VM-level attacks in cloud,’’ in Proc. 12th Int. Conf. Contemp. OpenUAE Research and Development Group, and the International Collabo-
Comput. (IC3), Aug. 2019, pp. 1–6, doi: 10.1109/IC3.2019.8844877. rator to Software Engineering Research Laboratory, Montreal, ON, Canada.

20734 VOLUME 9, 2021

A. B. Nassif et al.: ML for Cloud Security: A Systematic Review

QASSIM NASIR has been an Associate Professor FATIMA MOHAMAD DAKALBAB received the
with the University of Sharjah, since 2009, and the bachelor’s degree in information technology mul-
Chairman of scientific publishing unit. His current timedia with a 3.92/4 GPA. She is currently pur-
research interests include telecommunication and suing the M.Sc. degree in computer science from
network security, such as in CPS and the IoT. the University of Sharjah, United Arab Emirates.
He also conducts research in drone and GPS jam- She is also working as a Graduate Research Assis-
ming as well. He is also a Co-Coordinator with tant with the OpenUAE Research and Develop-
the OpenUAE Research Group which focuses on ment Group, University of Sharjah. Her research
blockchain performance and security, and the use interests include inter-blockchain communication,
of artificial intelligence in security applications. the Internet of things (IoT), and machine learn-
Prior to joining the University of Sharjah. He was working with Nortel Net- ing in anomaly detection and conducting systematic literature reviews.
works, Canada, as a Senior System Designer with the Network Management Moreover, she has also been a member of the Sharjah Google Developer
Group for OC-192 SONET. He was a Visiting Professor with the Helsinki Group (GDG) and the Arab Women in Computing Association (ArabWIC),
University of Technology, Finland, from the summers of 2002 to 2009, and since 2016. In addition to being an Events and Workshops Co-Coordinator
the GIPSA Laboratory, Grenoble France to work on a Joint research project in the student chapter in UAE for Association for Computing Machinery
on MAC protocol and MIMO and Sensor Networks and MIMO research (ACM).
projects. He has published more than 90 refereed conferences, journals, book
chapter, and technical reports.

HALAH ALBADANI is currently a Research

Assistant with the University of Sharjah, United
Arab Emirates. She is majoring in Informa-
tion Technology Multimedia. She is also work-
ing as a Research Assistant with the OpenUAE
Research and Development Group. Her research
interests include the Internet of Vehicles (IoV)
and Artificial Intelligence (AI). She has also been
a member with the Sharjah Google Developer
Group (GDG) and Arab Women in Computing
Association (ArabWIC), since 2016.

VOLUME 9, 2021 20735