In　cloud　networks,　edging　network　virtualization　technology　is　widely　adopted　to　protect　tenants　with　isolated　networks　mainly　from　threats　inside　the　cloud.　However,　since　tenants　completely　rely　on　cloud　service　provider＇s　service　interface　to　be　aware　of　their　current　network　policy,　malicious　admin　alone　or　with　concluded　tenants　is/are　fully　capable　of　acquiring　any　target　tenant　network　data　by　attacking　corresponding　policies　stored　and　enforced　on　the　edging　end　hosts　without　tenants　knowing.　Therefore,　this　paper　presents　cloud　insider　attack　detector　and　locator　(CIADL)　on　multi-tenant　network　isolation　for　OpenStack.　We　propose　an　insider　attack　threat　model　with　attack　category.　A　layered　state　model　based　constructing　and　attack　detection　methods　are　also　proposed,　enabling　efficient　policy　confliction　detection　between　expected　policy　on　central　node　and　enforcing　policy　on　end　hosts.　Along　with　a　threat　locating　method　with　fine　granularity　of　device　policy　rules　for　recovery　purpose.　We　implements　the　proof　of　concept　system　of　CIADL,　and　the　experiments　and　analysis　show　our　method　can　cover　all　attack　types　defined　in　threat　model　with　low　overheads,　and　scales　well　with　network　and　policy　size　and　attack　number　increase.　Compared　to　existing　work　model　with　VM-VM　state,　CIADL　state　model　with　NET-NET　state　gets　about　8.5%　and　92.3%　improvement　on　construction　and　verification　time　costs　with　most　hostile　environment　(AP　=　80%)　and　largest　policy　scale　(PS　=　4000),　which　suggests　CIADL　is　both　efficient　and　scalable.