The document describes the NICE model for preventing vulnerable virtual machines from DDoS attacks in the cloud. The NICE model uses a network-based intrusion detection system agent in each cloud server to monitor traffic between virtual machines. It profiles virtual machines to gather configuration details and detects attacks by constructing scenario attack graphs. When attacks are detected, the network controller can reconfigure the virtual network to mitigate the attacks.