Utilizing adaptive machine learning algorithms for information risk warning and network security scenario awareness in cloud computing environments

Jiahao Luo 1,a, Jingjing Xie 1,b*

1 Department of Information, Shanghai Proton and Heavy Ion Center, Shanghai Key Laboratory of Radiation Oncology, Shanghai Engineering Research Center of Proton and Heavy Ion Radiation Therapy, Shanghai 201321, China

a jiahao.luo@sphic.org.cn

b jingjing.xie@sphic.org.cn

Abstract: This study presents a method for network security situation awareness and information risk warning tailored to cloud computing environments. By integrating adaptive machine learning algorithms with a hierarchical multi-label classification (HMC) strategy and a dynamic trust evaluation mechanism based on the cloud model, the proposed approach addresses the growing complexity, diversity, and real-time requirements of modern cyberattacks. Given the distributed nature and large-scale heterogeneous data processing of cloud platforms, conventional rule-based or static detection methods are increasingly inadequate for identifying threats such as zero-day exploits, distributed denial-of-service (DDoS) attacks, and botnets with high precision and timeliness. To overcome these limitations, this work first establishes an efficient cloud-based network architecture built on the Ryu OpenFlow controller and OpenFlow switches, enabling real-time collection of link information and dynamic scheduling, thereby ensuring robust data transmission and system scalability. For threat detection, a top-down hierarchical classification framework is proposed to mitigate sample imbalance and the low recognition rate of minority classes. Ensemble learning techniques such as AdaBoost and Bagging are employed to decompose the multiclass problem into several binary classification tasks, significantly improving the detection accuracy of fine-grained attack types such as User to Root (U2R). Experiments conducted on DDoS datasets, cloud traffic data, and simulations on the Mininet and EstiNet platforms demonstrate, through five-fold cross-validation and multi-model comparisons, that the proposed approach improves detection accuracy, reduces false positives, and enables real-time responses.

Keywords: cloud computing; network security situation awareness; information risk warning; adaptive machine learning; hierarchical multi-class classification; cloud model trust evaluation; ensemble learning

1. Introduction

With the widespread application of cloud computing technology across industries, the scale of information systems and the volume of their data are growing rapidly, and network threats are becoming more complex, covert and dynamic[1,2]. Traditional security defense mechanisms based on rules and static models can no longer meet the requirements of real-time detection and accurate early warning in the face of changing attack strategies, zero-day vulnerabilities and large-scale distributed attacks[3]. How to use adaptive machine learning algorithms, together with the distributed data processing and intelligent analysis capabilities of a cloud computing platform, to achieve comprehensive perception of the network security situation and effective early warning of information risks has therefore become a key open problem in information security[4]. This research is of theoretical significance for improving existing security protection systems and also provides support for securing national critical information infrastructure and core enterprise data[5].

Realizing network security situation awareness and information risk warning in a cloud computing environment faces several challenges. The data aggregated on a cloud platform are of many types and come from many sources, which makes preprocessing, feature extraction and fusion increasingly arduous. Network traffic keeps growing and attack scenarios change rapidly, so the system must respond within a very short time, and real-time detection and warning have become a technical bottleneck. Normal traffic vastly outnumbers attack traffic, so traditional algorithms have low accuracy on small-sample categories (such as U2R) and a high risk of misjudgment. Finally, in a complex network environment trust relationships are affected by many factors and are both random and uncertain[6,7]; traditional trust assessment methods based on fixed thresholds struggle to reflect the real state and are easily disturbed by abnormal data.

In the existing research on network security situation awareness and information risk warning, many studies use methods such as decision trees, random forests, naive Bayes, K-nearest neighbors (KNN) and support vector machines (SVM) to classify and detect network traffic. These algorithms are computationally efficient and easy to implement, especially for preliminary screening of large amounts of data[8,9]. Their main shortcomings are twofold: when faced with a large majority of normal traffic and few attack samples in a cloud environment, these traditional machine learning methods tend to ignore the minority categories, resulting in low recognition rates for fine-grained attacks (such as U2R or network vulnerability attacks); and single models are usually sensitive to noise and outliers in the data, lack the ability to adapt to dynamically changing attack scenarios, and are prone to overfitting or insufficient generalization[10,11].

In recent years, deep learning methods such as the multi-layer perceptron (MLP), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory network (LSTM) and gated recurrent unit (GRU) have gradually been applied to network security. With the feature learning and nonlinear mapping capabilities of deep neural networks, these methods have significantly improved detection accuracy and capture complex attack behaviors better than traditional machine learning[12]. However, they demand substantial computing resources and training data. In the context of big-data traffic in cloud computing environments in particular, training overhead and real-time inference speed still leave room for improvement. When identifying classes with few samples, deep learning models may also have low detection rates for some fine-grained attacks (such as U2R or botnets) because class imbalance biases the model[13]. To make up for the limitations of a single model in dealing with data imbalance and multi-class attack identification, some studies have proposed ensemble learning solutions such as Bagging and Boosting, which improve overall prediction accuracy by combining the decisions of multiple classifiers[14]. At the same time, the Hierarchical Multi-class Classification (HMC) architecture decomposes the multi-class problem into multiple binary sub-problems, achieving more refined recognition of classes with fewer samples. However, ensemble models often consume more computing resources and increase response time when deployed, and in real-time cloud monitoring systems the real-time requirement puts further pressure on system resources[15].

To address the dynamic evaluation of trust relationships in a network, some studies have introduced cloud model theory, which constructs a trust membership cloud by describing the fuzziness and randomness of each entity's trust attributes and then quantifies trust using cloud drops, entropy, hyper-entropy and related indicators[16]. When faced with trust data that are updated in real time, the update rate and computational efficiency of existing cloud model methods may fail to meet the requirements of high-frequency dynamic warning; the model is also highly sensitive to the evaluation data, so abnormal data or noise can significantly interfere with the overall trust evaluation and affect subsequent risk warning decisions.

In view of the many shortcomings of current research in detection accuracy, real-time performance, data balance processing and trust evaluation, this paper proposes a new defense system that comprehensively utilizes adaptive machine learning algorithms, hierarchical multi-class classification strategies and cloud model trust evaluation for network security situation awareness and information risk warning in cloud computing environments[17].

The innovations of this paper are mainly reflected in the following aspects:

An efficient distributed network architecture based on the Ryu OpenFlow controller and OpenFlow switches is constructed to realize real-time collection and dynamic scheduling of link information, greatly improving the efficiency of data transmission and processing.

In view of the difficulties of data imbalance and few-sample attack identification, a top-down hierarchical multi-class classification (HMC) framework is designed, and integrated learning methods such as AdaBoost and Bagging are introduced to significantly improve the detection accuracy of fine-grained attack categories.

Cloud model theory is used to build a trust membership cloud. Through the inverse (backward) cloud generator and cloud similarity calculation, the trust status of each entity in the network is evaluated dynamically, providing a quantitative basis for risk warning and effectively suppressing the trust inflation caused by abnormal transactions at unusually low or high prices.

2. System Architecture

This system architecture aims to achieve efficient, secure and intelligent network security situation awareness and risk warning capabilities for cloud computing environments. Combining the characteristics of cloud platform resource elasticity and strong data parallel processing capabilities, the overall design includes four main components: cloud service resource layer, data collection and preprocessing layer, artificial intelligence assisted detection module and hierarchical multi-class classification response system.

First, in the cloud service resource layer, the system is deployed on a cloud platform built on OpenStack, using virtualization technology to build multiple virtual hosts and a software-defined network (SDN) environment, realizing unified management and isolated scheduling of resources. This layer also integrates the Ryu OpenFlow controller and Open vSwitch for flexible configuration of network policies, traffic scheduling and attack-flow redirection[18].

Secondly, the data collection and preprocessing layer deploys lightweight agents in each cloud host and virtual network node to collect multi-dimensional data including network traffic, system logs, user behavior, etc. in real time. After cleaning, normalization and feature extraction, the collected data is input into the subsequent detection module. To improve performance and timeliness, this layer integrates Kafka data queues and Spark stream processing frameworks to achieve high throughput and low latency data processing.

In the AI-assisted detection module, the system introduces an adaptive learning mechanism to build an attack detection model based on Deep Forest and the improved AdaBoost algorithm. It has dynamic learning and model self-update capabilities, and can effectively identify traditional attack types and potential unknown attack patterns. The model training process considers the problem of sample category imbalance, and optimizes the detection accuracy through SMOTE oversampling technology and cost-sensitive learning.

Finally, the hierarchical multi-class classification response system adopts a top-down multi-layer decision-making architecture to decompose complex attack classification problems into multiple controllable binary classification subtasks. The attack type identified at each layer will trigger different levels of security policies, including blocking traffic, dynamically isolating hosts, triggering administrator alerts, and recording intrusion behaviors. By introducing a credibility scoring mechanism and a dynamic rule matching engine, the system can adaptively adjust the response strategy in different network environments and attack scenarios.

In general, the system architecture has high scalability, low-latency response capability and strong generalization capability, and is particularly suitable for multi-tenant, large-scale concurrency and real-time security protection demand scenarios under the current cloud computing platform.

2.1 Cloud network topology design

In order to meet the needs of cloud computing platforms for large-scale data processing and flexible network configuration, this study designed a cloud network topology based on software-defined networking (SDN). This topology takes into account scalability, flexibility, and security controllability, and provides a stable network foundation for subsequent network security situation awareness and risk warning[19].

This system takes the Ryu controller as the core and combines the Open vSwitch (OVS) switch to build a typical three-layer topology, including the control layer, network forwarding layer, and data service layer:

Control Layer: Deploy a centralized SDN controller based on Ryu to achieve unified scheduling and policy issuance of underlying network switching behaviors. This layer has a global view, can obtain network status information in real time, and interact with the security detection module to quickly respond to abnormal traffic.

Network forwarding layer: It consists of multiple Open vSwitch virtual switching nodes, connecting virtual hosts and external gateways, and undertakes the actual forwarding task of network traffic. This layer supports flexible configuration of flow table rules, can quickly adjust the network path after attack traffic detection, and achieve traffic isolation and flow redirection.

Data service layer (Service Layer): includes multiple virtual hosts deployed on the OpenStack platform, which simulate different business service nodes (such as Web servers, database servers, file transfer nodes, etc.). These nodes not only provide real traffic scenarios for testing, but also support simulated injection of attack behaviors to evaluate the system’s detection and response capabilities.

In addition, in order to enhance the system’s ability to model typical attack paths, multiple hop counts and path selection mechanisms are introduced in the topology. Some links in the network use delay simulation and bandwidth limiting configuration to reproduce the heterogeneous network status in a real cloud environment.

The system also uses the Mininet platform to achieve rapid deployment and simulation testing of network topology. The topology supports policy control of data traffic between different areas, such as isolation between tenants, subnet division, access control list (ACL) configuration, etc., to ensure security and fairness in a multi-tenant environment[20].

This network topology not only provides a comprehensive traffic collection perspective for the situational awareness system, but also realizes visual tracking and dynamic response to threat paths through linkage with the intelligent detection module, greatly improving the network security protection capabilities of the cloud platform.

According to the actual needs and system characteristics of our institution, we designed the cloud service system architecture shown in Figure 1. The design follows the principle of separating the control plane from the data plane. In each subnet, the switch feeds the link status back to its corresponding controller in real time. When it encounters an unknown data flow, the switch actively requests the corresponding forwarding rules from the controller before completing the forwarding operation.

The cloud service system architecture proposed in this study has been deployed and verified based on the cloud computing platform. The overall network topology of the system is shown in Figure 2, which shows the cloud network design results with clear module division, efficient information interaction and good scalability.

Figure 1. Cloud service architecture.

Figure 2. Topology.

2.2 Data flow collection and annotation strategy

In order to achieve efficient perception of network security situation in cloud environment, the system needs to continuously collect multi-dimensional network traffic information and accurately annotate the data to provide a reliable foundation for subsequent model training and anomaly detection. In view of the diverse business types and strong data heterogeneity in cloud platforms, this study constructs a data flow collection mechanism led by the controller. The flow table information in the switch is obtained in real time through the Ryu controller, including source/destination IP, port, protocol type, number of packets and bytes, and dynamic indicators such as link status, forwarding delay and traffic fluctuation are recorded regularly.

In the data annotation stage, in order to ensure the accuracy and representativeness of the label, we introduced a dual annotation mechanism combining manual assistance and rule matching. First, the system presets an attack template library to perform rule matching on typical attack behaviors (such as port scanning, SYN flooding, DoS, U2R, etc.); secondly, combined with manual annotation by security analysis experts, it ensures the effective classification of special samples and boundary data. In addition, standard labels in existing data sets (such as CIC-IDS2017 and NSL-KDD) are used for cross-validation to improve the consistency of annotation.

To support multi-class attack identification tasks, the collected raw traffic data was processed by feature engineering to construct a structured input vector, and hierarchical encoding was performed according to the attack category to provide a training basis for the hierarchical multi-class classification model. Finally, a high-quality training set and validation set were formed, which significantly improved the generalization ability and detection accuracy of the model in a complex cloud environment.
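The controller-led collection and rule-template annotation described above can be illustrated with the following added example, which is not code from the paper. It aggregates constructed flow-table statistics (shaped like the per-entry fields a Ryu flow-stats reply carries: match fields, packet and byte counts) into a per-source feature vector and matches it against two attack templates. The field names, the polling window and the thresholds are assumptions chosen for the illustration, and the flow table is constructed inline rather than captured from a switch.

```python
"""Controller-side feature extraction and rule-template labelling (added example).

Constructed flow-table statistics, shaped like the per-entry fields of a Ryu
OFPFlowStatsReply, are aggregated per source host into a feature vector and
matched against two attack templates.  Thresholds are illustrative assumptions.
"""
from collections import defaultdict

WINDOW_SEC = 10.0   # assumed polling interval of the flow-stats request

def constructed_flow_stats():
    """Synthetic flow table: one benign client, one port scanner, one SYN flooder."""
    flows = []
    # benign client: a few long-lived HTTP(S) flows carrying real payload
    for dport, pkts in ((443, 180), (443, 95), (80, 40)):
        flows.append(dict(src="10.0.0.11", dst="10.0.0.100", dport=dport,
                          proto=6, packets=pkts, bytes=pkts * 900))
    # vertical port scan: one packet to each of 40 ports on a single target
    for dport in range(1, 41):
        flows.append(dict(src="10.0.0.23", dst="10.0.0.100", dport=dport,
                          proto=6, packets=1, bytes=60))
    # single-source SYN flood: 200 one-packet flows at the same service
    for _ in range(200):
        flows.append(dict(src="10.0.0.42", dst="10.0.0.100", dport=80,
                          proto=6, packets=1, bytes=60))
    return flows

def features_per_source(flows, window=WINDOW_SEC):
    """Aggregate flow entries into the per-host feature vector used for labelling."""
    by_src = defaultdict(list)
    for fl in flows:
        by_src[fl["src"]].append(fl)
    feats = {}
    for src, fls in by_src.items():
        pkts = sum(f["packets"] for f in fls)
        feats[src] = {
            "n_flows": len(fls),
            "flow_rate": len(fls) / window,                     # new flows per second
            "distinct_dports": len({f["dport"] for f in fls}),
            "distinct_dsts": len({f["dst"] for f in fls}),
            "bytes_per_pkt": sum(f["bytes"] for f in fls) / pkts,
            "tiny_flow_ratio": sum(f["packets"] <= 2 for f in fls) / len(fls),
        }
    return feats

def rule_label(fv):
    """Attack-template matching; anything unmatched is left for manual review."""
    if fv["distinct_dports"] >= 20 and fv["tiny_flow_ratio"] >= 0.8:
        return "port_scan"
    if fv["flow_rate"] >= 10 and fv["distinct_dports"] <= 2 and fv["bytes_per_pkt"] <= 80:
        return "syn_flood"
    if fv["tiny_flow_ratio"] <= 0.2 and fv["flow_rate"] < 1:
        return "normal"
    return "unlabelled"

def label_window(flows=None):
    """Return {src: (feature_vector, provisional_label)} for one polling window."""
    feats = features_per_source(flows if flows is not None else constructed_flow_stats())
    return {src: (fv, rule_label(fv)) for src, fv in feats.items()}

if __name__ == "__main__":
    for src, (fv, label) in label_window().items():
        print(f"{src:10} {label:11} flows={fv['n_flows']:3} "
              f"ports={fv['distinct_dports']:2} B/pkt={fv['bytes_per_pkt']:.0f}")
```

The "unlabelled" outcome is deliberate: samples that match no template are the boundary cases the paper hands to analysts, and they should never be silently labelled normal.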

2.3 Hierarchical Classification and Trust Assessment Integrated Architecture

In order to effectively identify various network attacks and dynamically evaluate the credibility of host behavior, this paper constructs a security intelligent perception architecture that integrates hierarchical multi-class classification (HMC) and dynamic trust assessment mechanism.

In terms of classification and identification, considering the complex hierarchy of attack behavior and the imbalance of sample distribution, the system adopts a “coarse to fine” hierarchical identification strategy. First, based on lightweight features (such as connection frequency, port distribution, and protocol type), preliminary rough classification is performed to divide the traffic into two categories: “normal” and “abnormal”; then, in the “abnormal” branch, it is further subdivided into DDoS, U2R, R2L, Probe and other attack types. Finally, according to the specific characteristics of the attack method and the target, a more fine-grained identification is performed (such as TCP SYN Flood, SQL injection, brute force cracking, etc.).

In order to improve the performance of the classifier, this architecture integrates ensemble learning strategies such as AdaBoost and Bagging, builds multiple weak classifiers at each level and integrates their prediction results to enhance the model robustness and recognition accuracy, especially in the few-sample category.
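As an added example (not the paper's code), the following implements the coarse-to-fine decomposition just described: each internal node of the label tree owns one binary classifier per child, and the minority class gets class-balanced weights inside its own binary task. The node learner is a small discrete AdaBoost over decision stumps written from scratch; the feature names, the label tree and the training records are constructed assumptions, and the tiny data set is only large enough to show why a single stump loses U2R behind normal traffic while a few boosted rounds recover it.

```python
"""Top-down hierarchical multi-class classification (HMC) over flow features.

Each internal node owns one one-vs-rest AdaBoost-of-stumps classifier per
child, so a flat 5-way problem becomes a few binary tasks with class-balanced
weights, which is what keeps a minority class such as U2R visible.
"""
import math

# Feature columns of a constructed, already-normalised flow record (assumed):
# (conn_rate, distinct_ports, syn_ratio, root_shell)
LABEL_TREE = {(): ["normal", "abnormal"], ("abnormal",): ["ddos", "probe", "u2r"]}

def path_of(label):
    """Fine label -> coarse-to-fine path, e.g. 'u2r' -> ('abnormal', 'u2r')."""
    return (label,) if label == "normal" else ("abnormal", label)

class Stump:
    """Single-feature rule h(x) = sign * (+1 if x[f] >= thr else -1)."""
    def fit(self, X, y, w):
        best = None
        for f in range(len(X[0])):
            for thr in sorted({row[f] for row in X}):
                for sign in (1, -1):
                    err = sum(wi for row, yi, wi in zip(X, y, w)
                              if sign * (1 if row[f] >= thr else -1) != yi)
                    if best is None or err < best[0]:
                        best = (err, f, thr, sign)
        self.err, self.f, self.thr, self.sign = best
        return self

    def predict(self, row):
        return self.sign * (1 if row[self.f] >= self.thr else -1)

class AdaBoost:
    """Discrete AdaBoost over stumps; margin() is the signed weighted vote."""
    def __init__(self, rounds=3):
        self.rounds, self.learners = rounds, []

    def fit(self, X, y, w):
        w = list(w)
        for _ in range(self.rounds):
            h = Stump().fit(X, y, w)
            err = min(max(h.err, 1e-10), 1 - 1e-10)
            alpha = 0.5 * math.log((1 - err) / err)
            self.learners.append((alpha, h))
            if err <= 1e-10:          # perfectly separated: nothing left to boost
                break
            w = [wi * math.exp(-alpha * yi * h.predict(row)) for row, yi, wi in zip(X, y, w)]
            total = sum(w)
            w = [wi / total for wi in w]
        return self

    def margin(self, row):
        return sum(alpha * h.predict(row) for alpha, h in self.learners)

class HierarchicalClassifier:
    def __init__(self, rounds=3):
        self.rounds, self.nodes = rounds, {}

    def fit(self, X, labels):
        paths = [path_of(l) for l in labels]
        for node, children in LABEL_TREE.items():
            d = len(node)
            idx = [i for i, p in enumerate(paths) if p[:d] == node]   # samples routed here
            Xn = [X[i] for i in idx]
            self.nodes[node] = {}
            for child in children:
                y = [1 if paths[i][d] == child else -1 for i in idx]
                pos, neg = y.count(1), y.count(-1)
                # class-balanced weights: positives and negatives each sum to 0.5
                w = [0.5 / pos if yi == 1 else 0.5 / neg for yi in y]
                self.nodes[node][child] = AdaBoost(self.rounds).fit(Xn, y, w)
        return self

    def predict(self, row):
        """Walk the tree top-down, taking the child with the largest margin."""
        node = ()
        while node in self.nodes:
            scores = self.nodes[node]
            node += (max(scores, key=lambda c: scores[c].margin(row)),)
        return node

# Constructed training records: 8 normal, 4 DDoS, 3 probe and only 2 U2R.
TRAIN = [
    ((0.05, 0.02, 0.30, 0.0), "normal"), ((0.08, 0.04, 0.28, 0.0), "normal"),
    ((0.12, 0.03, 0.33, 0.0), "normal"), ((0.10, 0.06, 0.31, 0.0), "normal"),
    ((0.07, 0.05, 0.29, 0.0), "normal"), ((0.15, 0.08, 0.35, 0.0), "normal"),
    ((0.09, 0.02, 0.27, 0.0), "normal"), ((0.11, 0.07, 0.32, 0.0), "normal"),
    ((0.95, 0.03, 0.97, 0.0), "ddos"), ((0.90, 0.05, 0.95, 0.0), "ddos"),
    ((0.88, 0.04, 0.93, 0.0), "ddos"), ((0.97, 0.06, 0.98, 0.0), "ddos"),
    ((0.40, 0.92, 0.60, 0.0), "probe"), ((0.35, 0.88, 0.55, 0.0), "probe"),
    ((0.45, 0.95, 0.62, 0.0), "probe"),
    ((0.10, 0.04, 0.30, 1.0), "u2r"), ((0.12, 0.05, 0.31, 1.0), "u2r"),
]

def train_demo():
    return HierarchicalClassifier().fit([r for r, _ in TRAIN], [l for _, l in TRAIN])

if __name__ == "__main__":
    clf = train_demo()
    for row in [(0.11, 0.04, 0.30, 1.0), (0.93, 0.04, 0.96, 0.0), (0.06, 0.03, 0.29, 0.0)]:
        print(row, "->", clf.predict(row))
```

The U2R records overlap normal traffic on every feature except root_shell, so the first stump at the root sends them to "normal"; the reweighting after that round is what makes the third stump pick root_shell and flip the decision, which is the mechanism the paper relies on for few-sample classes.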

The trust evaluation module is based on the cloud model theory to monitor and dynamically score the host’s behavior pattern in real time. This model not only considers the stability of historical behavior, the change of interaction frequency and access target, but also combines the output confidence of the classifier to form a joint evaluation mechanism. The system can dynamically adjust the resource scheduling strategy according to the trust value, isolate or downgrade the access of suspicious hosts, and realize closed-loop security control of attack and defense.

The overall architecture is shown in Figure 3. The classification module and the trust module form a linkage feedback mechanism, which significantly improves the response capability to unknown attacks and zero-day threats while ensuring the detection accuracy.

Figure 3. HMC architecture.

3. Algorithm design and implementation

This chapter mainly introduces the core algorithm structure for network security situation awareness and information risk warning, covering the construction of multi-class classifiers, the design of trust assessment models and the fusion strategy of the two. The algorithm is based on the cloud computing platform and combines efficient data processing capabilities to achieve real-time perception and intelligent response to abnormal behaviors.

3.1 Ideas for trust assessment based on cloud model

In cloud computing and open network environments, the interactions between entities are frequent and dynamic. How to effectively evaluate the degree of trust between entities becomes a key issue. Traditional trust assessment methods are mostly based on static rules or numerical scoring, which makes it difficult to fully reflect the ambiguity, uncertainty and dynamics in trust relationships. To this end, this paper proposes a trust assessment idea based on cloud model to capture the randomness and ambiguity in trust evolution.

This idea defines trust membership in the form of a "trust cloud", represents the trust of an entity's behavior as a random variable with a stable trend, and models trust membership through the three cloud model parameters "expected value (Ex)", "entropy (En)" and "hyper-entropy (He)". The entire trust assessment process is divided into six core steps, as shown in Figure 4:

First, the trust levels are preliminarily divided, for example into "high trust", "medium trust" and "low trust", and a standard trust cloud is constructed for each level as the reference model for subsequent evaluations.

Second, trust-related information is extracted from the interacting entities, such as interaction frequency, success rate, historical evaluations and evaluator credibility, and the raw data are normalized and standardized so that the inputs are consistent.

Third, an attribute cloud is constructed for each trust attribute (such as response time, service quality and behavioral consistency) to reflect the influence of that attribute on the overall trust and its uncertainty.

Fourth, the attribute clouds are merged by weighted synthesis into a comprehensive trust cloud that represents the overall trust status of the target entity at the current moment.

Fifth, the cloud similarity between the entity's comprehensive trust cloud and each standard trust cloud is calculated to determine its trust level, and the security response strategy is chosen accordingly.

Sixth, historical trust records are merged with the current evaluation result using time-decay weighting to form the final dynamic trust value, which continuously updates the trust status of the entity in the system.

Through the above ideas, trust assessment is no longer a static judgment process, but a dynamic evolution mechanism that integrates fuzziness and randomness. It is particularly suitable for multi-tenant security architecture for cloud environments, providing a more accurate basis for risk warning and access control.

Figure 4: The cloud model-based trust evaluation process

To effectively capture the randomness and fuzziness of trust relationships in complex networks, this study employs the cloud model for trust evaluation. Let U denote the trust domain, and represent the trust value of entity i. A trust cloud is defined by the cloud model as a triple:

(1)

where Ex is the expectation, representing the average trust level; En is the entropy, measuring the fuzziness of the trust value; and He is the hyper-entropy, describing the stability of the entropy, i.e. the uncertainty of the uncertainty.

Step 1: Standard Trust Cloud Construction

The trust levels are divided into n categories, each associated with a standard cloud model.

Step 2: Attribute Collection and Normalization

Assume that each entity has m trust-related attributes, with raw values. Normalize the attribute values as:

(2)

Step 3: Trust Attribute Cloud Generation

Each normalized attribute​ is used to generate an attribute-level trust cloud:

(3)

where α is a tunable fuzziness factor and β adjusts the level of uncertainty.

Step 4: Integrated Trust Cloud Synthesis

The overall trust cloud for entity i is computed using a weighted aggregation of attribute clouds:

(4)

with the weights representing the relative importance of the different trust attributes.

Step 5: Cloud Similarity and Trust Classification

Let be the cloud model of the k-th trust level. The similarity between the current trust cloud ​ and a standard cloud ​ is computed as

(5)

The final trust level is determined by the maximum similarity:

(6)

Step 6: Dynamic Trust Value Update

To reflect trust evolution over time, historical and current trust values are combined using a time decay model:

(7)

Where controls the weighting of recent versus historical trust.

3.2 Design of the Standard Trust Cloud Generation Algorithm

The standard trust cloud generation algorithm is a critical component in the trust evaluation system based on cloud models. This algorithm defines how to construct a trust cloud for each entity based on its trust level, incorporating fuzzy, random, and uncertain characteristics inherent in complex network environments. Below, the steps for designing this algorithm are outlined.

First, trust values need to be divided into distinct levels based on the network’s trust model. These levels can be categorized into n levels, such as “Very Low”, “Low”, “Medium”, “High”, and “Very High”. Each trust level ​ is associated with a cloud model , which defines the expectation, entropy, and hyper-entropy for that level.

(8)

Each level has a specific trust expectation (​), fuzziness (​), and uncertainty (​).

The next step is to define the parameters of the standard trust cloud for each trust level. The cloud model ​ for each trust level is generated using the following parameters:

(9)

Expectation (​): The expected trust value for level k, which can be calculated based on the average of the trust evaluations for entities in that level.

(10)

where Tik​ represents the individual trust values of entities classified under trust level ​.

Entropy (​): The entropy represents the uncertainty or fuzziness of the trust values within level ​, calculated as:

(11)

where α is a constant that controls the level of fuzziness in the system.

Hyper-entropy (​): Hyper-entropy captures the uncertainty of entropy, indicating how stable or volatile the entropy is over time. It is computed as:

(12)

where β is a parameter that adjusts the level of uncertainty in the entropy.

The standard trust cloud generation algorithm can be formalized as follows:

Input: The set of trust values ​ for m entities, and the trust levels ​.

Initialize: For each trust level ​, calculate the expectation, entropy ​, and hyper-entropy ​ using the formulas defined above.

Generate Cloud Model: For each trust level ​, create the cloud model .

Output: A set of standard trust clouds ​ corresponding to the n trust levels.

Once the standard trust clouds are generated, the next step is to classify entities based on their trust values. Given a new entity ​ with trust value ​, the trust cloud for ​ can be computed as:

(13)

where ​ are the computed expectation, entropy, and hyper-entropy for entity ​, respectively.

The similarity between the generated cloud ​ for entity ​ and each standard trust cloud ​ is computed using a similarity measure, such as the Euclidean distance or an exponential function. The entity is then classified into the trust level with the maximum similarity:

(14)

where is the similarity function between  and .

3.3 Design of Trust Attribute Cloud Inverse Generator

Trust Attribute Cloud Inverse Generator (TACIG) is a key module in the trust assessment system, which is mainly used to generate trust attribute cloud based on the actual collected trust attribute data. Trust attribute cloud is a cloud model that describes the trust value and its uncertainty, fuzziness and randomness in the trust assessment process. The design goal of this generator is to convert the trust attribute data collected from each entity into the corresponding trust attribute cloud through reverse engineering, thereby providing necessary data support for trust assessment.

3.3.1 Design idea of reverse generator

The design idea of the inverse generator of the trust attribute cloud is to model the trust attribute data so that it reflects the ambiguity and uncertainty contained in the actual trust level. The goal is to generate the corresponding cloud model by fine-grained modeling of each trust attribute, so that the trust attribute cloud dynamically reflects the trust characteristics of each entity.

The core steps of the reverse generator of trust attribute cloud include:

Classification and processing of trust attributes: First, classify and standardize the trust attributes, and convert the original trust attribute data into a standard format suitable for generating trust clouds.

Cloud model parameterization: According to the characteristics of each trust attribute, the corresponding trust attribute cloud is generated. This process uses a standard cloud generation algorithm (such as the trust cloud generation algorithm described above) to determine the expectation, entropy and hyper-entropy parameters of the trust attribute cloud.

Inverse calculation: Through the inverse (backward) cloud generation method, the original trust attribute data are mapped into the trust cloud space to obtain the three main parameters of the trust attribute cloud (expected value, entropy and hyper-entropy).

Generate trust attribute cloud: By calculating the various parameters of the trust attribute cloud, a trust attribute cloud is finally generated for use in the subsequent trust assessment process.

3.3.2 Generation Process

The design of the inverse generator includes the following steps:

  1. Input: A set of trust attributes for each entity, where each attribute is a normalized value such as transaction success rate, user rating, or contract fulfillment.
  2. Standardization of Trust Data: All input data are normalized to the interval [0,1] to ensure consistency across different attributes:

(15)

  3. Inverse Parameter Calculation: For each normalized attribute, statistical analysis of the observed value distribution is used to estimate the corresponding cloud model parameters (Ex, En, He):

(16)

  4. Attribute Cloud Generation: With these parameters, the trust attribute cloud is generated for each attribute.
  5. Aggregation of Attribute Clouds: All attribute clouds are aggregated using a weighted fusion strategy:

(17)

where the weight assigned to each attribute reflects its importance in the trust evaluation.

Output: The final result is a comprehensive trust attribute cloud for the evaluated entity, encapsulating the fuzziness and variability of its behavioral trust data.

3.4 Comprehensive Trust Evaluation

To accurately assess the trustworthiness between entities, it is essential to evaluate multiple trust-related attributes. Since each attribute may reflect different aspects of trust and may vary in importance depending on the context, assigning appropriate weights to these attributes is necessary for a balanced and representative overall evaluation.

The core idea of comprehensive trust evaluation is to fuse multiple trust attribute clouds—each capturing uncertainty and fuzziness—into a single composite trust cloud model. This is achieved through a weighted aggregation of the digital characteristics (Ex, En, He) of each trust attribute cloud, according to their respective importance weights.

The computation of the comprehensive trust cloud is as follows:

Assume there are n trust attributes, each with a trust cloud represented by its digital characteristics, and the corresponding weights satisfy:

(18)

Then, the digital characteristics of the composite trust cloud are given by:

(19)

(20)

(21)

Thus, the final composite trust cloud can be expressed as:

(22)

This comprehensive trust cloud not only captures the uncertainty and fuzziness inherent in trust evaluations but also flexibly reflects the importance of each attribute, allowing for a more objective and complete assessment of an entity’s overall trustworthiness.
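The two procedures above (the inverse generator of Section 3.3.2 and the weighted fusion of Section 3.4) can be run end to end on a small set of attribute observations. The following is an added example, not code from the paper; because equations (16) through (21) are not reproduced on the page, it assumes the textbook backward normal cloud generator (Ex from the sample mean, En from the first absolute central moment, He from the residual variance) for equation (16), and a linear weighted synthesis of Ex, En and He for equations (19) to (21). The attribute samples and weights are constructed for illustration.

```python
import math
import random

# Constructed sample data: normalized trust attribute observations in [0, 1]
# for one entity (transaction success rate, user rating, contract fulfilment).
# The values and weights are made up for illustration, not taken from the paper.
ATTRIBUTES = {
    "success_rate": [0.92, 0.95, 0.90, 0.97, 0.93, 0.91, 0.94, 0.96],
    "user_rating":  [0.80, 0.60, 0.90, 0.70, 0.85, 0.75, 0.65, 0.95],
    "fulfilment":   [0.99, 0.98, 1.00, 0.97, 0.99, 0.98, 1.00, 0.99],
}
WEIGHTS = {"success_rate": 0.5, "user_rating": 0.2, "fulfilment": 0.3}


def normalize(values, lo, hi):
    """Min-max scale raw observations onto [0, 1] (standardization step)."""
    if hi <= lo:
        raise ValueError("hi must exceed lo")
    return [min(1.0, max(0.0, (v - lo) / (hi - lo))) for v in values]


def backward_cloud(samples):
    """Backward (inverse) normal cloud generator without certainty degrees.
    Assumed stand-in for equation (16): estimates (Ex, En, He) from droplets."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    ex = sum(samples) / n
    # En from the first absolute central moment of a normal distribution
    en = math.sqrt(math.pi / 2.0) * sum(abs(x - ex) for x in samples) / n
    var = sum((x - ex) ** 2 for x in samples) / (n - 1)
    he = math.sqrt(abs(var - en ** 2))
    return ex, en, he


def composite_cloud(clouds, weights):
    """Weighted fusion of attribute clouds into one composite trust cloud.
    Assumed linear weighted synthesis of Ex, En and He; weights must sum to 1
    as required by equation (18)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    ex = sum(weights[k] * clouds[k][0] for k in clouds)
    en = sum(weights[k] * clouds[k][1] for k in clouds)
    he = sum(weights[k] * clouds[k][2] for k in clouds)
    return ex, en, he


def forward_cloud(ex, en, he, count, seed=0):
    """Forward normal cloud generator: produce `count` droplets (x, mu) from
    (Ex, En, He). Useful to re-sample or plot a trust cloud; seeded so that
    runs are reproducible."""
    rng = random.Random(seed)
    drops = []
    for _ in range(count):
        en_prime = abs(rng.gauss(en, he)) or 1e-12  # avoid a zero divisor
        x = rng.gauss(ex, en_prime)
        mu = math.exp(-((x - ex) ** 2) / (2.0 * en_prime ** 2))
        drops.append((x, mu))
    return drops


def evaluate_entity(attributes=ATTRIBUTES, weights=WEIGHTS):
    """Generate one trust cloud per attribute, then the composite trust cloud."""
    clouds = {name: backward_cloud(vals) for name, vals in attributes.items()}
    return clouds, composite_cloud(clouds, weights)


if __name__ == "__main__":
    per_attr, composite = evaluate_entity()
    for name, (ex, en, he) in per_attr.items():
        print(f"{name:13s} Ex={ex:.4f} En={en:.4f} He={he:.4f}")
    print("composite    Ex=%.4f En=%.4f He=%.4f" % composite)
```

The composite expectation is dominated by the heavily weighted success rate, while the composite entropy carries the spread of the noisy user ratings; the weights therefore decide how much an unstable attribute blurs the overall trust cloud.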

3.5 Special attribute evaluation

In trust evaluation, some attributes cannot be mapped to trust effectively or reasonably by ordinary linear mapping or weighted averaging, because of their sensitivity or nonlinear characteristics. For example, in e-commerce transactions, "commodity price" is usually regarded as one of the factors affecting user trust, but a higher price does not imply a higher trust value, so a simple monotonic (positive) mapping is clearly biased.

To this end, this paper proposes a special attribute evaluation method, taking the typical attribute “commodity price” as an example. This method attempts to build a more reasonable trust mapping model by introducing statistical distribution characteristics.

Let the following statistical values be derived from a merchant’s historical transactions:

where​: minimum product price;​: maximum product price;: average product price.

The trust contribution of a given price P can then be modeled using the following normalization function:

(23)

where represents the trust score associated with a specific price. This function exhibits the following characteristics:

  1. The trust score reaches its maximum when the price is close to the average;
  2. Excessively low or high prices receive lower trust scores;
  3. The model avoids the irrational assumption that higher-priced products automatically imply higher trustworthiness.

The normalized value can be further processed using a trust cloud generator to derive the digital characteristics, forming the trust cloud droplets for this attribute. These droplets are then integrated into the final comprehensive trust evaluation.

This method is extendable to other complex or sensitive attributes such as “access frequency to critical resources” or “historical trust volatility,” thereby enhancing the granularity and reliability of trust modeling in dynamic environments.
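As an added illustration of the special attribute mapping above (example code, not the paper's own; equation (23) is not reproduced on the page, so the function below assumes a piecewise-linear form that is 1 at the historical average, falls to 0 at the historical minimum and maximum, and is 0 outside that range, which satisfies the three characteristics listed). The price and access-frequency histories are constructed; the same function is applied to both to show the extension to other sensitive attributes.

```python
# Constructed merchant history of product prices and, for the extension to
# other attributes, a constructed history of access counts to a critical
# resource. Neither is taken from the paper.
PRICE_HISTORY = [80, 95, 100, 105, 120, 100]
ACCESS_HISTORY = [2, 3, 4, 3, 3]


def value_stats(history):
    """Minimum, maximum and mean of an attribute's history (the three
    statistics the text derives from a merchant's past transactions)."""
    if not history:
        raise ValueError("history must not be empty")
    return min(history), max(history), sum(history) / len(history)


def special_attribute_trust(value, vmin, vmax, vavg):
    """Assumed stand-in for equation (23): trust contribution of `value`.
    Peaks at 1.0 when value == vavg, decreases linearly towards 0 at vmin and
    vmax, and is 0 for values outside the historical range, so neither very
    low nor very high values are rewarded."""
    if not (vmin <= vavg <= vmax):
        raise ValueError("need vmin <= vavg <= vmax")
    if value < vmin or value > vmax:
        return 0.0
    if value <= vavg:
        span = vavg - vmin
        return 1.0 if span == 0 else (value - vmin) / span
    span = vmax - vavg
    return 1.0 if span == 0 else (vmax - value) / span


def score_values(history, values):
    """Map each candidate value to its trust score using the history's stats."""
    vmin, vmax, vavg = value_stats(history)
    return {v: special_attribute_trust(v, vmin, vmax, vavg) for v in values}


if __name__ == "__main__":
    print("price   :", score_values(PRICE_HISTORY, [80, 90, 100, 110, 120, 200]))
    print("accesses:", score_values(ACCESS_HISTORY, [2, 3, 3.5, 4, 10]))
```

The resulting scores are the normalized values the text feeds into the trust cloud generator; a price far above the merchant's own history (here 200) contributes nothing rather than being rewarded, and a burst of accesses to a critical resource beyond the historical maximum is treated the same way.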

3.6 Trust Penalty Mechanism

In dynamic and complex network environments, individual behaviors are often uncertain and potentially risky. To mitigate malicious actions and enhance overall system trustworthiness, a trust penalty mechanism is proposed for penalizing entities following failed transactions. This is particularly important when recent behavior contradicts past trust levels, such as in the case of a failed high-value transaction.

The idea is to penalize the trust value of an entity based on the deviation between the failed transaction amount and the historical average transaction amount, which helps estimate the likelihood of fraud. A larger deviation indicates a higher risk and thus warrants a stronger penalty.

Then, the deviation is defined as:

(24)

The penalty factor is calculated as:

(25)

where λ∈[0,1] is a sensitivity coefficient that adjusts the severity of the penalty.

The updated trust value is then given by:

(26)

This trust penalty model can be visualized as a correction layer within the cloud trust model framework, where the final trust cloud is dynamically adjusted to reflect behavioral anomalies. The model provides:

  • Stronger penalties for failed transactions with significantly large deviations,
  • Mild penalties for minor deviations, assuming occasional errors,
  • A cumulative penalty mechanism that gradually reduces trust over repeated offenses, potentially triggering system alarms or restrictions.

Integrating this penalty method with the cloud model-based trust evaluation framework ensures that trust decisions are adaptive, behavior-aware, and context-sensitive, providing a more robust foundation for trust management in cloud-based systems.
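The penalty mechanism of this section, as an added example that is not the paper's code. Equations (24) to (26) are not reproduced on the page, so the deviation is assumed to be the relative difference between the failed amount and the historical average, the penalty factor an exponential saturation 1 - exp(-λ·d) in [0, 1), and the update a multiplicative reduction of the trust value; the ledger class, its alarm threshold and the transaction amounts are constructed for illustration.

```python
import math


def deviation(failed_amount, avg_amount):
    """Assumed form of eq. (24): relative deviation of the failed transaction
    amount from the entity's historical average amount."""
    if avg_amount <= 0:
        raise ValueError("average amount must be positive")
    return abs(failed_amount - avg_amount) / avg_amount


def penalty_factor(dev, lam):
    """Assumed form of eq. (25): fraction of trust removed. It grows with the
    deviation, saturates below 1, and lam in [0, 1] sets the severity."""
    if not 0.0 <= lam <= 1.0:
        raise ValueError("lam must lie in [0, 1]")
    return 1.0 - math.exp(-lam * dev)


def apply_penalty(trust, dev, lam):
    """Assumed form of eq. (26): multiplicative trust reduction."""
    return trust * (1.0 - penalty_factor(dev, lam))


class TrustLedger:
    """Correction layer on top of the cloud-model trust value: tracks an
    entity's successful transaction amounts, penalizes failed ones, and raises
    an alarm once cumulative penalties push trust below a threshold."""

    def __init__(self, trust, lam=0.5, alarm_threshold=0.3):
        self.trust = trust
        self.lam = lam
        self.threshold = alarm_threshold
        self.amounts = []      # successful transaction amounts
        self.offenses = 0
        self.alarmed = False

    def record_success(self, amount):
        self.amounts.append(amount)

    def average(self):
        if not self.amounts:
            raise ValueError("no transaction history yet")
        return sum(self.amounts) / len(self.amounts)

    def record_failure(self, amount):
        """Penalize a failed transaction; repeated offenses compound because
        each penalty multiplies the already reduced trust value."""
        dev = deviation(amount, self.average())
        self.trust = apply_penalty(self.trust, dev, self.lam)
        self.offenses += 1
        if self.trust < self.threshold:
            self.alarmed = True
        return self.trust


if __name__ == "__main__":
    ledger = TrustLedger(trust=0.9)
    for amt in (100, 100, 100):
        ledger.record_success(amt)
    print("minor failure :", round(ledger.record_failure(110), 4))
    print("large failure :", round(ledger.record_failure(300), 4))
    print("repeat offense:", round(ledger.record_failure(300), 4), "alarm:", ledger.alarmed)
```

A failure close to the historical average (deviation 0.1) removes only about 5% of trust, a failure at three times the average removes about 63% with λ = 0.5, and a second such failure drives the value below the alarm threshold, which is the cumulative behaviour the bullet list describes.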

4 Experiment

4.1 Cloud-Based Validation

To evaluate the effectiveness and practicality of the proposed algorithm, we conducted simulation experiments in a controlled network laboratory environment. The verification was performed under a Windows operating system, with the core algorithm implemented using VC (Visual C++) programming tools.

For experimental data, we selected the publicly available KDDCUP_10% dataset, which is widely used in intrusion detection and network behavior modeling. The overall experimental procedure closely follows the methodology outlined in [10], ensuring the comparability and credibility of results.

Key algorithm parameters were configured as:

  • Time interval T = 10 seconds;
  • Number of sampling rounds h = 20;
  • Data samples n = 1000.

Using these parameters, we computed the cloud model digital characteristics for the trust cloud model. Subsequently, the cloud similarity algorithm was applied to determine the most similar trust cloud among the candidates, thereby enabling classification and assessment of network states.

Table 1 presents selected system sample values along with the corresponding results of network situation analysis. These results demonstrate that the proposed cloud-based trust evaluation framework can effectively capture and reflect the evolving dynamics and uncertainties in complex network environments.

This experiment validates the feasibility of integrating cloud models with real-time trust evaluation and lays a foundation for broader application in adaptive security management systems.
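The classification step described above (matching an observed trust cloud against candidate clouds and taking the most similar one as the network state) as an added example; this is not the paper's code and the cloud similarity algorithm it used is not given on the page, so the similarity here is assumed to be the overlap ratio of the two clouds' expectation curves on [0, 1]. The candidate clouds for the High, Medium and Low states are constructed values, not calibrated ones.

```python
import math

# Constructed candidate trust clouds (Ex, En, He) for each network state.
# Illustrative values only, not the paper's calibrated clouds.
CANDIDATES = {
    "High":   (0.80, 0.10, 0.02),
    "Medium": (0.60, 0.12, 0.03),
    "Low":    (0.40, 0.15, 0.04),
}


def expectation_curve(ex, en, x):
    """Expectation curve of a normal cloud: the membership a droplet at x
    would have if the entropy took exactly its expected value En."""
    if en <= 0:
        return 1.0 if x == ex else 0.0
    return math.exp(-((x - ex) ** 2) / (2.0 * en ** 2))


def cloud_similarity(c1, c2, lo=0.0, hi=1.0, steps=1000):
    """Assumed similarity measure: overlap ratio of the two expectation curves,
    integral(min(y1, y2)) / integral(max(y1, y2)) on [lo, hi]. Only Ex and En
    shape the expectation curve; He widens the droplet band but does not move
    it, so it does not enter this measure."""
    ex1, en1, _ = c1
    ex2, en2, _ = c2
    step = (hi - lo) / steps
    inter = union = 0.0
    for i in range(steps + 1):
        x = lo + i * step
        y1 = expectation_curve(ex1, en1, x)
        y2 = expectation_curve(ex2, en2, x)
        inter += min(y1, y2) * step
        union += max(y1, y2) * step
    return inter / union if union > 0 else 0.0


def rank_states(observed, candidates=CANDIDATES):
    """Score every candidate trust cloud against the observed one, best first."""
    scores = {name: cloud_similarity(observed, c) for name, c in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def classify_state(observed, candidates=CANDIDATES, min_similarity=0.3):
    """Return the most similar state, or 'Unknown' when nothing is close
    enough, so an observation unlike every candidate is surfaced instead of
    being forced into the nearest bin."""
    best, score = rank_states(observed, candidates)[0]
    return best if score >= min_similarity else "Unknown"


if __name__ == "__main__":
    # Constructed observed clouds, e.g. computed from one sampling window.
    for obs in [(0.72, 0.11, 0.02), (0.58, 0.12, 0.03), (0.35, 0.20, 0.05), (0.05, 0.01, 0.0)]:
        print(obs, "->", classify_state(obs), rank_states(obs))
```

The minimum-similarity threshold is a practical safeguard: a trust cloud that matches none of the candidates is usually a sign that the candidate set was calibrated on different traffic, and reporting it as Unknown is more useful to an operator than a confident but meaningless High/Medium/Low label.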

Table 1: System Sample Values and Network Situation Analysis Results

Sample ID | Sampling Time (seconds) | Trust Degree Ex | Entropy En | Hyper-Entropy He | Similarity Score | Trust Level
1         | 10                      | 0.75            | 0.65       | 0.80             | 0.85             | High
2         | 20                      | 0.80            | 0.60       | 0.75             | 0.82             | High
3         | 30                      | 0.68            | 0.70       | 0.85             | 0.80             | Medium
4         | 40                      | 0.60            | 0.72       | 0.90             | 0.78             | Medium
5         | 50                      | 0.50            | 0.80       | 0.95             | 0.70             | Low
6         | 60                      | 0.45            | 0.85       | 0.96             | 0.65             | Low

4.2 Attack Verification

In this experiment, we conducted a comprehensive performance verification of the proposed algorithm, focusing on the attack detection capabilities of binary classification, multi-classification, and HMC (hierarchical multi-class classification) in a cloud computing environment. The experimental evaluation is divided into three main stages: using the DDoS attack dataset to verify the performance of the AI module, comparing the performance of different machine learning algorithms, and evaluating the performance of deep learning models in attack prediction.

4.2.1 Binary Classification Performance Verification

In the first phase of the experiment, we used the DDoS attack dataset to verify the AI module; the main purpose was to test the prediction accuracy of the model in a cloud computing environment. We used 5-fold cross-validation with a training-to-test ratio of 8:2, that is, 80% of the data was used for training and 20% for testing. In each fold a different test set was used, so that every sample appeared in a test set exactly once. Training ran for 5 epochs, and the average result was taken.

The dataset is divided into two categories: normal and abnormal. To compare the performance of different classifiers, we selected the following eight common machine learning classifiers: decision tree (DT), random forest (RF), naive Bayes (NB), K-nearest neighbor (KNN), support vector machine with RBF kernel (SVM-RBF), linear support vector machine (L-SVM), and the Bagging and Boosting ensemble learning algorithms. The performance comparison results are shown in Figure 5. Comparing these classifiers gives a comprehensive evaluation of their performance in DDoS attack detection [21,22].

4.2.2 Multi-classification performance verification

In the second phase of the experiment, we expanded the dataset to multi-classification problems, involving different types of network attacks, including DDoS, U2R (user-to-root attack), R2L (remote-to-local attack), normal data, etc. Multi-classification problems test the model’s ability to identify and classify multiple attack types.

We used five deep learning classifiers for validation: multi-layer perceptron (MLP), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM) network, and gated recurrent unit (GRU) network. The specific parameter settings of each model are shown in Tables 2, 3 and 4. During multi-classification validation, the precision and recall of each model across the categories were evaluated in detail.

4.2.3 Verification of HMC’s multi-classification performance

In the third stage, we used the hierarchical multi-class classification (HMC) algorithm to compare the performance of all the above machine learning and deep learning models in multi-class classification tasks. The HMC algorithm significantly improves the accuracy of detecting fine-grained attacks (such as U2R, R2L, etc.) by decomposing complex multi-class problems into multiple binary classification sub-problems. We verified the advantages of HMC in improving attack detection accuracy by comparing with traditional classification methods.

4.2.4 Experimental results and analysis

Through the experiments in the above three stages, we obtained the performance indicators of each classifier and deep learning model under different attack types. The following tables list the accuracy, precision, recall and F1 score of the different classification methods. In the experiments, HMC showed high accuracy and robustness in detecting multi-class attacks, especially U2R and R2L. Compared with the traditional SVM and RF methods, HMC achieved a significant improvement.

Through these experimental results, we are able to verify the effectiveness of the proposed AI module for attack detection in a cloud computing environment, and provide a reliable basis for subsequent model optimization and application deployment.
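To make the per-class indicators reported in this section concrete, the following added example (not the paper's code) builds a minimal top-down hierarchical classifier in the spirit of Section 3 (root: normal vs attack; attack: DDoS vs host-based; host-based: U2R vs R2L) and computes accuracy, per-class precision/recall/F1 and macro F1 for it against a flat baseline that never predicts the minority class. The deciders at each node are hand-written threshold rules standing in for trained AdaBoost/Bagging binary classifiers, and the seven feature records with their labels are constructed; they are not from the KDDCUP or DDoS datasets.

```python
# Constructed records: (features, true label). Feature names and thresholds
# are illustrative stand-ins for learned binary classifiers, not the paper's.
RECORDS = [
    ({"pkt_rate": 50,   "root_shell": 0, "failed_logins": 0}, "normal"),
    ({"pkt_rate": 80,   "root_shell": 0, "failed_logins": 1}, "normal"),
    ({"pkt_rate": 9000, "root_shell": 0, "failed_logins": 0}, "DDoS"),
    ({"pkt_rate": 7000, "root_shell": 0, "failed_logins": 0}, "DDoS"),
    ({"pkt_rate": 40,   "root_shell": 0, "failed_logins": 8}, "R2L"),
    ({"pkt_rate": 60,   "root_shell": 1, "failed_logins": 0}, "U2R"),
    ({"pkt_rate": 70,   "root_shell": 0, "failed_logins": 2}, "U2R"),  # hard case
]
CLASSES = ["normal", "DDoS", "R2L", "U2R"]

# Top-down decomposition: each node is a binary decider plus its two children;
# a name that is not a node is a leaf class label.
STAGES = {
    "root":   (lambda r: r["pkt_rate"] > 1000 or r["root_shell"] == 1 or r["failed_logins"] >= 5,
               "attack", "normal"),
    "attack": (lambda r: r["pkt_rate"] > 1000, "DDoS", "host"),
    "host":   (lambda r: r["root_shell"] == 1, "U2R", "R2L"),
}


def hierarchical_predict(record, stages=STAGES):
    """Walk the decision tree from the root until a leaf label is reached."""
    node = "root"
    while node in stages:
        decider, yes_node, no_node = stages[node]
        node = yes_node if decider(record) else no_node
    return node


def per_class_metrics(y_true, y_pred, classes):
    """Precision, recall, F1 and support for every class (0.0 when undefined,
    which is exactly what happens to a minority class that is never predicted)."""
    out = {}
    for c in classes:
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == c and p == c)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != c and p == c)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == c and p != c)
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
        out[c] = {"precision": prec, "recall": rec, "f1": f1, "support": tp + fn}
    return out


def evaluate(y_true, y_pred, classes=CLASSES):
    """Overall accuracy, per-class metrics and macro-averaged F1."""
    acc = sum(1 for t, p in zip(y_true, y_pred) if t == p) / len(y_true)
    metrics = per_class_metrics(y_true, y_pred, classes)
    macro_f1 = sum(m["f1"] for m in metrics.values()) / len(classes)
    return acc, metrics, macro_f1


def hmc_predictions(records=RECORDS):
    return [hierarchical_predict(r) for r, _ in records]


# Constructed flat baseline: a classifier that never emits the U2R label.
FLAT_PRED = ["normal", "normal", "DDoS", "DDoS", "R2L", "R2L", "normal"]

if __name__ == "__main__":
    y_true = [label for _, label in RECORDS]
    for name, pred in (("flat", FLAT_PRED), ("hmc", hmc_predictions())):
        acc, metrics, macro = evaluate(y_true, pred)
        print(f"{name}: accuracy={acc:.3f} macroF1={macro:.3f} U2R F1={metrics['U2R']['f1']:.3f}")
```

The flat baseline still reaches an accuracy above 70% while its U2R F1 is exactly 0, which is the situation the text describes for fine-grained minority classes; only the per-class and macro-averaged figures expose it, so those are the numbers to watch when comparing HMC variants.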

Table 2: Performance Comparison of Machine Learning Classifiers

Classifier                 | Accuracy | Precision | Recall | F1 Score
Decision Tree (DT)         | 85.2%    | 84.3%     | 86.1%  | 85.2%
Random Forest (RF)         | 90.1%    | 89.3%     | 91.0%  | 90.1%
Naive Bayes (NB)           | 82.5%    | 81.7%     | 83.4%  | 82.5%
K-Nearest Neighbors (KNN)  | 87.4%    | 86.8%     | 88.1%  | 87.4%
SVM-RBF                    | 88.9%    | 88.1%     | 89.5%  | 88.8%
Linear SVM (L-SVM)         | 87.8%    | 87.2%     | 88.5%  | 87.8%
Bagging                    | 91.2%    | 90.5%     | 91.7%  | 91.1%
Boosting                   | 92.3%    | 91.9%     | 92.6%  | 92.2%

Table 3: Performance Comparison of Deep Learning Classifiers

Model | Accuracy | Precision | Recall | F1 Score
MLP   | 89.5%    | 88.7%     | 90.3%  | 89.5%
CNN   | 91.2%    | 90.7%     | 91.5%  | 91.1%
RNN   | 88.3%    | 87.6%     | 88.8%  | 88.2%
LSTM  | 92.1%    | 91.8%     | 92.4%  | 92.1%
GRU   | 91.8%    | 91.4%     | 92.1%  | 91.7%

Table 4: Deep Learning Model Parameter Settings

Model | Learning Rate | Batch Size | Epochs | Activation Function
MLP   | 0.001         | 64         | 30     | ReLU
CNN   | 0.0005        | 32         | 50     | LeakyReLU
RNN   | 0.001         | 64         | 40     | Tanh
LSTM  | 0.0001        | 128        | 60     | Sigmoid
GRU   | 0.001         | 64         | 45     | ReLU

Figure 5 shows the machine learning performance on the DDoS-Cloud Computing dataset.

The experimental results show that among the machine learning models, the decision tree (DT), random forest (RF), bagging and boosting ensemble learning methods performed best, with F1 scores of 1.0, indicating that these models can accurately identify normal and abnormal data and have high robustness and accuracy in DDoS attack detection. In contrast, the naive Bayes (NB) model performed poorly in abnormal packet prediction, with an F1 score of 0.62, indicating that the model has a certain risk of misclassification when facing complex attack types.

Figure 6 shows the performance of five deep learning models, including multi-layer perceptron (MLP), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory network (LSTM) and gated recurrent unit (GRU). After optimizing the parameters, the binary F1 scores of the deep learning models were 0.93 and 0.98 respectively, indicating that the deep learning models can effectively capture the deep features in the data, especially when processing time series data and complex pattern recognition, they perform better than traditional machine learning models.

Comprehensive analysis shows that decision trees, ensemble learning methods, and neural network models all show excellent performance in detecting DDoS attacks, but in specific applications, the selection of a suitable model still needs to consider factors such as attack type, data volume, and computing resources. In order to further improve the detection capability of the model, multiple models can be integrated in the future to achieve higher accuracy and lower false alarm rate.

Figure 7 shows the deep learning performance on the DDoS-Cloud Computing dataset.

Figure 8 illustrates that deep learning generally outperforms the machine learning models (F1 values of 0.96-0.99) on the unbalanced dataset. However, prediction performance on the fine-grained U2R class is still subpar, and the F1 score for the cyberattack class is just 0.49. Taken together, Figures 8 and 9 show that the recognition performance on the sparsely sampled categories (including U2R, cyberattacks, BFA, and botnets) has to be improved.

13 single classifiers, which are identical to the previous ones but concentrate on the minority class, were used to compare the performance of HMC in the third stage. The AdaBoost-based HMC design outperforms bagging, according to the results. In the U2R class, AdaBoost-based HMC has an F1 score of 0.5 (the initial F1 is 0), whereas Bagging-based HMC has an F1 score of 0.67 (the initial F1 is 0.4) for the minority class. AdaBoost-based HMC obtained an F1 score of 0.88 (original F1 was 0.71), whereas Bagging-based HMC obtained an F1 score of 0.9 (original F1 was 0) for the network attack class. These results show that ensemble learning strategies (such as AdaBoost and Bagging) can significantly improve the predictive ability of multiple classifiers on minority classes.

Figure 8: HMC and a single machine learning classifier performance comparison.

Figure 9: HMC and a single deep learning classifier performance comparison.

4.4 Attack Simulation Case

In order to further verify the practicality and robustness of the proposed model in the actual network environment, this paper designed and implemented an attack simulation case and conducted a simulation experiment on the DDoS attack scenario. The simulation environment is built on a virtual cloud computing platform, using multiple virtual hosts to simulate the interaction between normal users and attackers. The simulation scenario includes a mixed network environment where normal business access and malicious traffic coexist.

In the experiment, the attacker launched UDP flood attacks and SYN Flood attacks to the target server through multiple source IPs, attempting to cause the target system resources to be exhausted and affect the availability of normal services. The system continuously collects network traffic data, including key characteristic parameters such as transmission rate, session duration, port access frequency, and number of abnormal connections.

The proposed trust evaluation and attack detection model is deployed on the monitoring node to analyze and classify real-time traffic. Through the trust cloud model and multi-classification discrimination mechanism, the system can achieve effective identification at the early stage of the attack, and can quickly mark suspicious entities as low trust and trigger a response mechanism.

The simulation results show that when the simulated attack traffic accounts for more than 30% of the total traffic, the average detection accuracy of the system exceeds 96%, the false alarm rate is kept within 3%, and the response delay is less than 2 seconds. This result verifies that the model has good application prospects for dealing with distributed attacks and improving the security defense capabilities of the system (see Fig. 10).

In addition, this experiment also extended the test of multi-round attacks and non-continuous attacks. The model still maintains a high detection stability, reflecting its strong generalization ability in complex dynamic network environments. In the future, the attack types will be further expanded, such as data injection, phishing attacks, etc., to comprehensively evaluate the adaptability and scalability of the model under diverse threats.

Figure 10. DDoS attack simulation.

5 Conclusion

In view of the evolving network security threats in cloud computing environments, this paper proposes a network security situation awareness and information risk warning method based on adaptive machine learning, aiming to make up for the shortcomings of traditional static detection mechanisms in dealing with large-scale and diversified attacks. The research work mainly covers three aspects: system architecture design, a hierarchical multi-class classification strategy, and dynamic trust evaluation based on the cloud model. This study uses the Ryu OpenFlow controller and OpenFlows switches to build an efficient and flexible cloud platform network architecture, realizing real-time monitoring of link status and traffic information. This architecture not only meets the needs of large-scale data processing, but also effectively reduces network latency through dynamic scheduling and real-time data forwarding, ensuring the efficient operation of the subsequent security detection modules. This paper proposes a top-down hierarchical multi-class classification (HMC) framework and integrates ensemble learning algorithms (such as AdaBoost and Bagging) to refine the complex multi-class detection problem into multiple binary classification problems. Across different attack types and abnormal traffic scenarios, compared with traditional machine learning and deep learning methods, the proposed scheme significantly improves the F1 score, the false alarm rate and the real-time response capability.

References

  • Xie, J. (2024). Application study on the reinforcement learning strategies in the network awareness risk perception and prevention. International Journal of Computational Intelligence Systems, 17(1), 112.
  • Wang, Y., & Yang, X. (2025). Research on enhancing cloud computing network security using artificial intelligence algorithms. arXiv preprint arXiv:2502.17801.
  • Chaowen, C. (2024, May). Research on computer network security situation awareness warning mechanism based on artificial intelligence. In 2024 IEEE 4th International Conference on Electronic Technology, Communication and Information (ICETCI) (pp. 748-753). IEEE.
  • Zhao, X. (2024). Network security situational awareness and early warning architecture based on big data. International Journal of System Assurance Engineering and Management, 1-17.
  • Akinbolaji, T. J. (2024). Advanced integration of artificial intelligence and machine learning for real-time threat detection in cloud computing environments. Iconic Research and Engineering Journals, 6(10), 980-991.
  • Emehin, O., Emeteveke, I., Adeyeye, O. J., & Akanbi, I. (2024). Securing artificial intelligence in data analytics: strategies for mitigating risks in cloud computing environments. Int Res J Modernization in Eng Tech Sci, 6, 1978-98.
  • Shang, Y. (2024). Prevention and detection of DDOS attack in virtual cloud computing environment using Naive Bayes algorithm of machine learning. Measurement: Sensors, 31, 100991.
  • Altowaijri, S. M., & El Touati, Y. (2024). Securing Cloud Computing Services with an Intelligent Preventive Approach. Engineering, Technology & Applied Science Research, 14(3), 13998-14005.
  • Mamidi, S. R. (2024). The Role of AI and Machine Learning in Enhancing Cloud Security. Journal of Artificial Intelligence General Science (JAIGS), ISSN: 3006-4023, 3(1), 403-417.
  • Zhang, C., Shan, G., & Roh, B. H. (2024). Fair Federated Learning for Multi-Task 6G NWDAF Network Anomaly Detection. IEEE Transactions on Intelligent Transportation Systems.
  • JS, S. M., Thirunavukkarasu, M., Kumaran, N., & Thamaraiselvi, D. (2024). Deep learning with blockchain based cyber security threat intelligence and situational awareness system for intrusion alert prediction. Sustainable Computing: Informatics and Systems, 42, 100955.
  • Akinade, A. O., Adepoju, P. A., Ige, A. B., & Afolabi, A. I. (2025). Cloud security challenges and solutions: A review of current best practices. Int J Multidiscip Res Growth Eval, 6(1), 26-35.
  • Hasimi, L., Zavantis, D., Shakshuki, E., & Yasar, A. (2024). Cloud computing security and deep learning: An ANN approach. Procedia Computer Science, 231, 40-47.
  • Barlybayev, A., Sharipbay, A., Shakhmetova, G., & Zhumadillayeva, A. (2024). Development of a Flexible Information Security Risk Model Using Machine Learning Methods and Ontologies. Applied Sciences, 14(21), 9858.
  • Wang, Y. (2024). Research on Intelligent Cybersecurity Protection System in Cloud Computing Environment. Innovation in Science and Technology, 3(4), 71-78.
  • Ali, T., Al-Khalidi, M., & Al-Zaidi, R. (2024). Information security risk assessment methods in cloud computing: Comprehensive review. Journal of Computer Information Systems, 1-28.
  • Tahir, A. B. (2025). Advanced Virtualized Cyber Security Strategies for Cloud and Fog Computing: A Machine Learning and Encryption Approach. International Journal of Computing and Data Science, 1(1), 37-55.
  • Saini, H., Singh, G., Dalal, S., Lilhore, U. K., Simaiya, S., & Dalal, S. (2024). Enhancing cloud network security with a trust-based service mechanism using k-anonymity and statistical machine learning approach. Peer-to-Peer Networking and Applications, 17(6), 4084-4109.
  • Lin, Y. (2024). Enhanced Detection of Anomalous Network Behavior in Cloud-Driven Big Data Systems Using Deep Learning Models. Journal of Theory and Practice of Engineering Science, 4(08), 1-11.
  • Wang, X., Liu, J., & Zhang, C. (2023). Network intrusion detection based on multi-domain data and ensemble-bidirectional LSTM. EURASIP Journal on Information Security, 2023(1), 5.
  • Mamidi, S. R. (2024). Enhancing cloud computing security through artificial intelligence-based architecture. Journal of Artificial Intelligence General Science (JAIGS), ISSN: 3006-4023, 5(1), 63-72.
  • Hassan, O. F., Fatai, F. O., Aderibigbe, O., Akinde, A. O., Onasanya, T., Sanusi, M. A., & Odukoya, O. (2024). Enhancing Cybersecurity through Cloud Computing Solutions in the United States. Intelligent Information Management, 16(4), 176-193.