1 / 10

VMCoupler: Synchronized Co-migration of Virtual Machines for IDS Offloading

This study presents VMCoupler for synchronized co-migration of VMs with offloaded IDS in IaaS clouds, enhancing security without user cooperation. The guard VM monitors the target VM during migration, reducing downtime significantly.

magnar
Télécharger la présentation

VMCoupler: Synchronized Co-migration of Virtual Machines for IDS Offloading

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Synchronized Co-migration of Virtual Machines for IDS Offloading in Clouds Kenichi Kourai and Hisato Utsunomiya Kyushu Institute of Technology, Japan

  2. IDS in IaaS Clouds VM VM VM IDS IaaS cloud • Users run their VMs in IaaS clouds • The VMs are not always well maintained • Intrusion detection systems (IDSes) are useful • Difficult for IaaS providers to enforce users to install IDSes • They cannot install any software without users' cooperation

  3. IDS Offloading VM IDS IaaS cloud • Runs IDSes in the outside of the target VM • Preventing interferences from intruders in the VM • Using VM introspection to monitor its internals • Attractive to IaaS providers • They can deploy IDSes without any cooperation of users

  4. VM Migration with IDS Offloading destination host source host VM IDS • IaaS clouds migrate VMs for various purposes • E.g., machine maintenance, load balancing, and consolidation • Offloaded IDSes are not automatically moved with migrated VMs • They cannot continue to monitor target VMs

  5. VMCoupler destination host source host target VM guard VM IDS • Enables co-migration of offloaded IDSes and their target VM • Offloaded IDSes run in a guard VM • A guard VM is migrated together with its target VM • IDSes can continue to monitor the target VM without any modification

  6. Guard VM IDS target VM guard VM map virtual switch hypervisor port mirror • Allows IDSes to monitor only their target VM • Accessing the memory of the VM • Memory mapping with a hypervisor call • Capturing the network packets from/to the VM • Port mirroring at the virtual switch • Reading the networked storage for the VM

  7. Co-migration with Monitoring destination host source host target VM guard VM IDS • VMCoupler restores monitoring states • Re-mapping the memory of the target VM • The mapping state is transferred with a guard VM • Re-configuring port mirroring at the virtual switch • Doing nothing for networked storage

  8. Synchronized Co-migration start stop restart ready guard VM migrated target VM start stop ready restart • VMCoupler synchronizes the migration processes of both VMs • A guard VM always monitors its target VM while the target VM is running • Waiting for target VM's stop before guard VM's • Waiting for guard VM's restart before target VM's

  9. Co-migration Time& Downtime migration time downtime • The time for synchronized co-migration • Increased only by 0.6s at maximum • Downtime of the target VM • Increased by 162 ms at worst

  10. Conclusion • We proposed VMCoupler • Offloaded IDSes are run in a guard VM • A guard VM is synchronously co-migrated with its target VM • Future work • Reducing downtime • More synchronization between two VMs • Allowing one guard VM to monitor multiple target VMs • How does VMCoupler migrate them?

More Related