In view of overload, nonsupport of multi-computer conjunction analysis and maintenance of huge rule database in traditional Intrusion Detection System (IDS), a new kind of cloud architecture IDS with Incremental Support Vector Machine (ISVM) algorithm based on KKT condition and hyper-sphere, namely KS-ISVM was proposed. The network data captured by client were preprocessed and sent to the cloud as samples. The KS-ISVM was used to analyze these samples in cloud. According to the KKT condition, the samples that violated the KKT condition were selected as useful samples, and the others that met the KKT condition were removed. In addition, in order to ensure that the removed samples were redundant, they were screened again by hyper-sphere, after that, the samples which met the hyper-sphere rule were regarded as useful samples, while the others were deleted. Finally, the SVM was trained and updated by merging those selected useful samples. Contrast experiments with SVM, Batch-SVM and Incremental SVM based on KKT (K-ISVM) were carried out on KDDCUP 99. The results show that KS-ISVM has good performance in prediction and selection of samples, its accuracy can reach 90.3%, but the accuracy of SVM, Batch-SVM and K-ISVM are all below 89%. Through analyzing the parallel KS-ISVM processes, the analyzing time of the single process is 6351 s, while that of 16 processes is 146 s, which proves that the multi-process techniques is effiective, and it can meet the efficiency and accuracy requirements of IDS in cloud computing environment.