A tenant-aware deep learning-based intrusion detection system for detecting DDoS attacks in multi-tenant SaaS networks

Software-as-a-Service (SaaS) platforms are a crucial aspect of cloud computing and are increasingly vulnerable to Distributed Denial of Service (DDoS) attacks, primarily due to their underlying multi-tenant architecture. Conventional intrusion detection systems cannot generalize effectively across tenants, resulting in high levels of false positives and limited adaptability. We have addressed this risk by designing a tenant-aware deep learning-based intrusion detection system for multi-tenant SaaS environments. Our hybrid model employs Capsule Networks to extract spatial features and Long Short-Term Memory (LSTM) networks to recognize temporal patterns. Our innovative contribution is a new tenant embedding system that incorporates tenant-specific behavioral context into the model, enabling the system to capture variations in benign behaviors within the context of evolving attack traffic. Experimental evaluations on CICIDS2017, CICDDoS2019, and CSE-CIC-IDS2018 datasets demonstrated that our proposed model achieved higher accuracy, precision, and generalization across tenants. Furthermore, various ablation test is done to validate our model. However, the zero-shot ablation study shows reduced effectiveness on unseen tenants. This demonstrates the importance of tenant embeddings and motivating future research on adaptive mechanisms. We also integrated SHAP-based interpretability analysis to improve the transparency of the system and provide insights into feature importance. Our work takes initial steps toward developing practical and explainable IDS solutions for adaptive, multi-tenant SaaS environments.