Amid the rapid growth in the number of Internet users, cybercrime is becoming one of the most challenging problems for system and application designers to deal with. The cybercrime threat is reflected in the increased number of cases and methods used by criminals. Systems based on cloud computing are natural targets due to their complexity (greater room for security weaknesses) and increasing popularity. Cloud computing is a modern technology that enables users to share resources in a virtual storage and computing environment. A cloud system is based on multiple physical servers. It provides a universal environment with a (large) number of Virtual Machines (VMs) that is available to many users accessing the system via the Internet. This form of access makes cloud systems weaker than physical networks. In order to prevent or minimize the number of attacks, and in turn to secure data storage, any malicious behaviour, such as undesirable external interventions, should be rapidly identified and, if possible, halted. In this paper, we focus on the discovery of malicious behaviour by determining unwanted symptoms rather than by directly targeting particular malicious behaviours of the system. The main contribution of this paper consists of several new mechanisms for monitoring Virtual Machines, together with further experimental work targeting efficient ways of visiting VMs in order to discover malicious symptoms. We want to find the fastest and the best set of weights for visiting VMs.