The document proposes NICE, a network intrusion detection and countermeasure selection framework for virtual network systems. NICE uses attack graph models to detect multi-step attacks. It deploys lightweight agents on cloud servers to capture traffic and analyze vulnerabilities. Suspicious VMs are put in an inspection state, where deep packet inspection and virtual network changes are applied to detect attacks without interrupting services. NICE uses software switching and programmable networking to dynamically configure intrusion detection and isolate compromised VMs. Evaluations show NICE efficiently detects attacks while minimizing overhead on cloud resources.
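The following added example (not code from the NICE paper or its authors) sketches the idea of correlating agent alerts against an attack graph so that a single matching alert moves a VM into inspection and an alert that extends a known multi-step path triggers isolation. The VM names, weakness labels, state names, and the `isolate_at` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed attack graph: an edge means "exploiting src enables an attempt on dst".
# Nodes are (vm, weakness) pairs; all names are hypothetical.
ATTACK_GRAPH = {
    ("web-vm", "exposed-admin-ui"): [("app-vm", "weak-service-auth")],
    ("app-vm", "weak-service-auth"): [("db-vm", "unpatched-db")],
    ("db-vm", "unpatched-db"): [],
}

# Constructed alert stream in arrival order, as lightweight agents might report it.
SAMPLE_ALERTS = [
    ("web-vm", "exposed-admin-ui"),
    ("mail-vm", "port-scan"),          # not modelled in the graph: ignored
    ("app-vm", "weak-service-auth"),   # continues the path started on web-vm
]

def chain_depth(graph, alerted, node, seen=frozenset()):
    """Length of the longest chain of already-alerted steps ending at node.

    `seen` guards against cycles, which real attack graphs can contain.
    """
    preds = [p for p, succs in graph.items()
             if node in succs and p in alerted and p not in seen]
    return 1 + max((chain_depth(graph, alerted, p, seen | {node}) for p in preds),
                   default=0)

def correlate(graph, alerts, isolate_at=2):
    """Return {vm: state} after replaying alerts against the attack graph.

    Assumed policy: an isolated matching alert marks the VM "inspection";
    an alert that completes a chain of `isolate_at` or more steps marks the VM
    at the head of the chain "isolated", cutting the path before the next step.
    """
    alerted, state = set(), defaultdict(lambda: "normal")
    for vm, weakness in alerts:
        node = (vm, weakness)
        if node not in graph:
            continue  # alert does not map to any modelled attack step
        alerted.add(node)
        if chain_depth(graph, alerted, node) >= isolate_at:
            state[vm] = "isolated"
        elif state[vm] == "normal":
            state[vm] = "inspection"
    return dict(state)

if __name__ == "__main__":
    print(correlate(ATTACK_GRAPH, SAMPLE_ALERTS))
```
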