Cloud security is one of the most important issues and has attracted a lot of research and development effort in the past few years. In particular, attackers can explore vulnerabilities of a cloud system and compromise virtual machines to deploy further large-scale Distributed Denial-of-Service (DDoS) attacks. DDoS attacks usually involve early-stage actions such as multi-step exploitation, low-frequency vulnerability scanning, and compromising identified vulnerable virtual machines as zombies, and finally DDoS attacks through the compromised zombies. Within the cloud system, especially in Infrastructure-as-a-Service (IaaS) clouds, the detection of zombie exploration attacks is extremely difficult. This is because cloud users may install vulnerable applications on their virtual machines. To prevent vulnerable virtual machines from being compromised in the cloud, we propose a multi-phase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE, which is built on attack-graph-based analytical models and reconfigurable virtual-network-based countermeasures. The proposed framework leverages OpenFlow network programming APIs to build a monitor and control plane over distributed programmable virtual switches in order to significantly improve attack detection and mitigate attack consequences. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.

NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems