Introduction

CIDS is a scalable and elastic solution built on a P2P architecture with no central coordinator, which lets it distribute the IDS processing load across several locations in the cloud. CIDS isolates user tasks from the cloud by executing them inside a virtual machine that is monitored by a VM monitor (VMM). This protects CIDS components from threats that gain control of a task inside the VM and could otherwise modify CIDS. As a result, CIDS has moderate attack resistibility.

How CIDS increases attack coverage

  • CIDS integrates knowledge-based and behavior-based detection techniques.
  • It collects events and audit records from the VMs so that the detector and correlator components can analyze them.

Each node also includes an audit system with three functions:

  • First, it monitors messages exchanged among nodes to deduce the behavior of the cloud users.
  • Second, it monitors the middleware logging system and collects logs from the node middleware.
  • Third, it collects events and logs from the VM system through the VMM.

Using the audit system, and by giving every node access to both the knowledge and behavior databases so that audit data can be shared or exchanged, CIDS can cover host-based, masquerading and distributed attacks. Furthermore, CIDS provides a parser and summarizer component that parses and summarizes the very large number of alerts fired by the NIDS component running on a physical or virtual switch inside the cloud virtual network.
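To make the role of the parser and summarizer component concrete, the following is an added example written for this page; it is not code from the CIDS project. It parses one-line NIDS alerts in a constructed format (loosely modelled on the one-line "fast" alert style many NIDS engines emit; the exact layout, the signature IDs and the addresses are all assumptions) and collapses a burst of alerts into one summary row per (signature, source, destination), which is the kind of reduction a correlator needs before it can compare NIDS output with the audit data collected from the VMM and the middleware logs.

```python
"""Added example: a small NIDS alert parser and summarizer in the spirit of
the CIDS parser/summarizer component. Illustrative code written for this
page, not the CIDS project's own implementation.

Assumed (constructed) alert line format:
  <timestamp> [**] [gid:sid:rev] <message> [**] {PROTO} src:sport -> dst:dport
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: str
    msg: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_alert(line):
    """Return an Alert for a well-formed line, or None for anything else.
    Malformed input is counted by the caller rather than raising, so one
    corrupt line from a switch sensor cannot stall the whole summarizer."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["sid"], m["msg"], m["proto"],
                 m["src"], m["dst"], int(m["dport"]))


def summarize(lines):
    """Group raw alerts by (signature, source, destination) and emit one
    summary per group with a hit count, first/last timestamps and the set
    of destination ports seen. Returns (summaries, dropped_line_count),
    summaries sorted by descending count so the noisiest source comes first."""
    groups = defaultdict(list)
    dropped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            dropped += 1
            continue
        groups[(alert.sid, alert.src, alert.dst)].append(alert)

    summaries = []
    for (sid, src, dst), alerts in groups.items():
        summaries.append({
            "sid": sid,
            "msg": alerts[0].msg,
            "src": src,
            "dst": dst,
            "count": len(alerts),
            "first": alerts[0].ts,
            "last": alerts[-1].ts,
            "ports": sorted({a.dport for a in alerts}),
        })
    summaries.sort(key=lambda s: s["count"], reverse=True)
    return summaries, dropped


# Constructed sample input: four alerts from one scanner against one VM,
# one unrelated alert, and one truncated line a sensor might emit.
SAMPLE_ALERTS = [
    "03/14-10:00:01.000001 [**] [1:100001:1] CONSTRUCTED SCAN probe [**] {TCP} 10.0.0.5:41000 -> 10.0.1.20:22",
    "03/14-10:00:01.000400 [**] [1:100001:1] CONSTRUCTED SCAN probe [**] {TCP} 10.0.0.5:41001 -> 10.0.1.20:22",
    "03/14-10:00:02.000002 [**] [1:100001:1] CONSTRUCTED SCAN probe [**] {TCP} 10.0.0.5:41002 -> 10.0.1.20:23",
    "03/14-10:00:02.000900 [**] [1:100001:1] CONSTRUCTED SCAN probe [**] {TCP} 10.0.0.5:41003 -> 10.0.1.20:80",
    "03/14-10:00:05.000003 [**] [1:100002:1] CONSTRUCTED POLICY unexpected DNS [**] {UDP} 10.0.1.20:5353 -> 10.0.9.9:53",
    "03/14-10:00:06.0000 [**] [1:100003:1] CONSTRUCTED truncated line",
]

if __name__ == "__main__":
    summaries, dropped = summarize(SAMPLE_ALERTS)
    for s in summaries:
        print(f"{s['count']:>3}x {s['sid']} {s['src']} -> {s['dst']} "
              f"ports={s['ports']} ({s['first']} .. {s['last']}) {s['msg']}")
    print(f"dropped malformed lines: {dropped}")
```

The grouping key deliberately excludes the source port and timestamp, so the four probes become a single row whose port list shows the spread of the activity; a correlator can then match that row against the VMM events for 10.0.1.20 rather than against four separate alerts.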