The recent emergence of cloud computing technology has drastically altered the way we perceive computing infrastructure, software delivery and development models. This massive leap from mainframe computers to highly scalable, dynamically configurable and heterogeneous cloud technology has turned computing and data centres into an innovative technology. This rapid transition towards the cloud has triggered security concerns about this delivery model. The two security challenges addressed in this paper are (i) Dynamic Large Scale System, where most cloud defence systems provide cloud-provider-oriented security in which the defence components are placed at the entrance of the cloud without considering the scalability of the cloud and the heterogeneity of the applications that run on the platform; and (ii) Detection Rate vs. Performance, where there is an inverse relationship between detection rate and performance. However, although the underlying technology is changing, security experts are not amending their approach to tackling the security challenges of cloud computing. This is because they do not consider the above challenges when building their cloud defence systems. They treat cloud computing security issues as if they arose in traditional network environments with homogeneous applications that are not easily scalable. To solve this problem, we introduced a lightweight, hierarchical, highly dynamic intrusion detection system architecture that is better suited to cloud computing environments. Our model uses application layer detection mechanisms to detect intrusions at different levels of the cloud computing hierarchy. We identified a number of rules that need to be checked in the application layer protocol to detect the possibility of attacks on the application server. The rules are not checked at particular nodes in the cloud; instead, our system decides where to check them based on the current load and the attacks detected at the node and at the child nodes of the architecture.
This solves the scalability issue of cloud computing architecture, because the intrusion detection load will be distributed across the cloud, eliminating single points of contention and failure. Our solution also addresses the heterogeneity challenge, because servers (virtual machines (VMs)) running different applications can apply different detection approaches. We employed randomised approaches to improve the detection performance of our system, for instance by selecting a subset of the rules to detect attacks; this addresses the detection rate vs. performance challenge. To justify the efficiency of our system, we present preliminary results comparing detection rate with system performance. It is worth noting that, although this paper concentrates on Denial of Service and Distributed Denial of Service attacks, our model can be extended to other types of attacks as well.
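
The load-aware, randomised placement of rule checks described above can be sketched as follows; this is an added example, not code from the paper. The rule names, the node names, the `budget` policy and the choice to let the leaf VM pick up every unclaimed rule are all assumptions made for illustration.

```python
import random
from dataclasses import dataclass

# Constructed rule names for an HTTP service; the abstract does not list its rules.
RULES = ["header_too_large", "incomplete_headers", "request_rate",
         "body_below_min_rate", "repeated_identical_uri", "bad_method"]

@dataclass
class Node:
    name: str
    load: float              # current utilisation: 0.0 idle, 1.0 saturated
    recent_attacks: int = 0  # detections at this node or its child nodes

def budget(node, n_rules):
    """Number of rules the node can afford to check (assumed policy)."""
    if node.recent_attacks > 0:
        return n_rules       # attacks seen here: check all pending rules
    return int((1.0 - node.load) * n_rules)

def place_rules(path, rules, rng):
    """Walk the hierarchy from cloud entrance to VM. Each node claims a
    random subset of the still-unclaimed rules, sized by its budget; the
    last node (the VM) takes the remainder, so each rule runs once."""
    pending = list(rules)
    placement = {}
    for i, node in enumerate(path):
        is_leaf = i == len(path) - 1
        k = len(pending) if is_leaf else min(budget(node, len(rules)),
                                             len(pending))
        chosen = rng.sample(pending, k)
        placement[node.name] = sorted(chosen)
        pending = [r for r in pending if r not in chosen]
    return placement

def demo(gateway_attacks=0, seed=7):
    # Constructed three-level path: a busy entrance, a half-loaded
    # cluster node and a lightly loaded VM.
    path = [Node("gateway", 0.95, gateway_attacks),
            Node("cluster-a", 0.50),
            Node("vm-17", 0.20)]
    return place_rules(path, RULES, random.Random(seed))

if __name__ == "__main__":
    for name, rules in demo().items():
        print(f"{name:10s} {rules}")
```

With the busy gateway the checks move down to the cluster node and the VM, so the cloud entrance is not a single point of contention; calling `demo(gateway_attacks=1)` pulls every check back up to the gateway.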