A Stacking Ensemble Framework for Resource-Based Cyber Attack Detection in Cloud IaaS Forensic Environments

Authors

  • Ashraf Al-Ou’n Department of Computer Science, Faculty of Prince Al-Hussein Bin Abdallah II for Information Technology, Al Al-Bayt University, Mafraq, 25113, Jordan.
  • Mazen Alzyoud Department of Computer Science, Faculty of Prince Al-Hussein Bin Abdallah II for Information Technology, Al Al-Bayt University, Mafraq, 25113, Jordan.
  • Esraa Abu Elsoud Department of Cybersecurity and Cloud Computing, Faculty of Information Technology, Applied Science Private University, Amman, Jordan.
  • Suhaila Abuowaida Department of Data Science and Artificial Intelligence, Faculty of Prince Al-Hussein Bin Abdallah II for IT, Al Al-Bayt University, Mafraq, 25113, Jordan.
  • Ayoub Alsarhan Department of Data Science and Artificial Intelligence, Faculty of Information Technology, Al-Ahliyya Amman University, Amman, Jordan & Department of Information Technology, Faculty of Prince Al-Hussein Bin Abdallah II for Information Technology, The Hashemite University, Zarqa, Jordan.

DOI:

https://doi.org/10.56979/1101/2026/1379

Keywords:

Cloud forensics, Cyber Attacks, Ensemble, stacking

Abstract

Cloud computing has revolutionized how organizations implement their IT infrastructures; however, it also brings many new security challenges due to its distributed and dynamic nature, especially within Infrastructure as a Service (IaaS) environments. In these environments, cyber-attacks may originate from compromised virtual machines that use cloud resources, leaving forensic evidence in the form of system resource usage patterns (e.g., disk space, CPU time and memory). To address these challenges, this research develops and evaluates a stacking ensemble framework that uses resource utilization data (disk, CPU and memory) to identify anomalous activity in cloud environments. To create a large and representative dataset of normal operation, an OpenNebula private-cloud testbed using a KVM-based hypervisor was built, and attacks were simulated on it. Each resource category was evaluated individually using several ensemble classification techniques (voting and stacking) to determine which ensemble technique produced the best results. A dataset of 9,611 instances (44 features) was collected from the OpenNebula/KVM private cloud testbed under normal and simulated attack conditions. The proposed stacking ensemble with Logistic Regression as meta-learner outperformed all base learners, achieving 95.2% accuracy for disk features, 94.2% for CPU features, and 91.2% for memory features, with AUC-ROC scores of 96.2%, 95.2%, and 92.2% respectively. Statistical significance testing confirmed the performance improvements (p < 0.05). The results demonstrate that (1) classifier performance varies by resource type; (2) stacking significantly outperforms individual ensemble methods; and (3) resource-specific forensic analysis provides an adaptable detection framework for IaaS environments.
This research contributes a scalable, data-driven stacking ensemble approach for cloud forensic attack detection, integrating multi-resource analysis with advanced meta-learning to address critical gaps in IaaS threat detection.
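
The per-resource design described in the abstract can be sketched with scikit-learn as follows. This is an added example, not the authors' code: the data is synthetic and constructed here, and the column split into disk/CPU/memory groups and the three base learners are assumptions, since the abstract names only the Logistic Regression meta-learner and the 44-feature total.

```python
import numpy as np
from sklearn.ensemble import StackingClassifier
from sklearn.linear_model import LogisticRegression
from sklearn.metrics import accuracy_score, roc_auc_score
from sklearn.model_selection import train_test_split
from sklearn.naive_bayes import GaussianNB
from sklearn.neighbors import KNeighborsClassifier
from sklearn.tree import DecisionTreeClassifier

# Constructed column layout: the page gives 44 features but not their names
# or how many belong to each resource category.
GROUPS = {"disk": range(0, 16), "cpu": range(16, 30), "memory": range(30, 44)}

def make_constructed_data(n=600, seed=0):
    """Synthetic stand-in for the testbed data: label 1 = attack, 0 = normal."""
    rng = np.random.default_rng(seed)
    y = rng.integers(0, 2, size=n)
    X = rng.normal(size=(n, 44))
    for cols in GROUPS.values():
        # Attack rows shift the first three columns of every resource group.
        X[:, list(cols)[:3]] += 1.2 * y[:, None]
    return X, y

def build_stack():
    # Base learners are assumptions; only the meta-learner comes from the page.
    base = [("tree", DecisionTreeClassifier(max_depth=5, random_state=0)),
            ("knn", KNeighborsClassifier(n_neighbors=7)),
            ("nb", GaussianNB())]
    # cv=5: the meta-learner is trained on out-of-fold base predictions, so it
    # never sees predictions made on rows the base models were fitted on.
    return StackingClassifier(estimators=base,
                              final_estimator=LogisticRegression(), cv=5)

def evaluate_per_resource(X, y, seed=0):
    """Fit one stack per resource category; return {group: (accuracy, auc)}."""
    X_tr, X_te, y_tr, y_te = train_test_split(
        X, y, test_size=0.3, stratify=y, random_state=seed)
    results = {}
    for name, cols in GROUPS.items():
        idx = list(cols)
        model = build_stack().fit(X_tr[:, idx], y_tr)
        proba = model.predict_proba(X_te[:, idx])[:, 1]
        results[name] = (accuracy_score(y_te, model.predict(X_te[:, idx])),
                         roc_auc_score(y_te, proba))
    return results

if __name__ == "__main__":
    for group, (acc, auc) in evaluate_per_resource(*make_constructed_data()).items():
        print(f"{group}: accuracy={acc:.3f} auc={auc:.3f}")
```

The scores this prints describe the constructed data only and are not comparable to the figures reported in the abstract.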

Published

2026-06-01

How to Cite

Ashraf Al-Ou’n, Mazen Alzyoud, Esraa Abu Elsoud, Suhaila Abuowaida, & Ayoub Alsarhan. (2026). A Stacking Ensemble Framework for Resource-Based Cyber Attack Detection in Cloud IaaS Forensic Environments. Journal of Computing & Biomedical Informatics, 11(01). https://doi.org/10.56979/1101/2026/1379

Section

Articles