Synchronized Co-migration of Virtual Machines for IDS Offloading in Clouds
Kenichi Kourai and Hisato Utsunomiya, Kyushu Institute of Technology, Japan
IDS in IaaS Clouds
[Figure: several VMs and an IDS inside an IaaS cloud]
• Users run their VMs in IaaS clouds
• The VMs are not always well maintained
• Intrusion detection systems (IDSes) are useful
• It is difficult for IaaS providers to force users to install IDSes
  • They cannot install any software without the users' cooperation
IDS Offloading
[Figure: the IDS runs outside the VM, within the IaaS cloud]
• Runs IDSes outside the target VM
  • Prevents interference from intruders in the VM
  • Uses VM introspection to monitor the VM's internals
• Attractive to IaaS providers
  • They can deploy IDSes without any cooperation from users
VM Migration with IDS Offloading
[Figure: VM migrated from source host to destination host; the IDS stays on the source host]
• IaaS clouds migrate VMs for various purposes
  • E.g., machine maintenance, load balancing, and consolidation
• Offloaded IDSes are not automatically moved with migrated VMs
  • They cannot continue to monitor their target VMs
VMCoupler
[Figure: target VM and guard VM (running the IDS) migrated together from source host to destination host]
• Enables co-migration of offloaded IDSes and their target VM
  • Offloaded IDSes run in a guard VM
  • A guard VM is migrated together with its target VM
• IDSes can continue to monitor the target VM without any modification
Guard VM
[Figure: guard VM (IDS) and target VM on one hypervisor; memory map between them; port mirror at the virtual switch]
• Allows IDSes to monitor only their target VM
  • Accessing the memory of the VM
    • Memory mapping with a hypervisor call
  • Capturing the network packets from/to the VM
    • Port mirroring at the virtual switch
  • Reading the networked storage for the VM
Co-migration with Monitoring
[Figure: target VM and guard VM (IDS) migrated from source host to destination host]
• VMCoupler restores monitoring states
  • Re-mapping the memory of the target VM
    • The mapping state is transferred with the guard VM
  • Re-configuring port mirroring at the virtual switch
  • Doing nothing for networked storage
Synchronized Co-migration
[Figure: migration timelines of the guard VM and the target VM, each passing through start, stop, restart, ready; "migrated" marks the switch to the destination host]
• VMCoupler synchronizes the migration processes of both VMs
• A guard VM always monitors its target VM while the target VM is running
  • Waiting for the target VM's stop before the guard VM's
  • Waiting for the guard VM's restart before the target VM's
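The two waiting rules above can be checked against the monitoring invariant with a small model. This is an added example, not VMCoupler's code: it interleaves the two migration processes (each modelled as the slide's start, stop, restart, ready phases, with the guard VM assumed to run ahead of the target VM when unsynchronized) and reports every point at which the target VM runs unmonitored.

```python
# Constructed model of VMCoupler's synchronized co-migration (not the authors' code).
PHASES = ["start", "stop", "restart", "ready"]

def blocked(vm, phase, trace, synchronized):
    """The two synchronization rules from the slide; nothing blocks when unsynchronized."""
    if not synchronized:
        return False
    if vm == "guard" and phase == "stop":          # rule 1: wait for the target VM's stop
        return ("target", "stop") not in trace
    if vm == "target" and phase == "restart":      # rule 2: wait for the guard VM's restart
        return ("guard", "restart") not in trace
    return False

def co_migrate(synchronized=True):
    """Round-robin the two migrations; the guard VM (small, fast) tries each phase first.
    Returns the interleaved trace as (vm, phase) tuples."""
    pending = {"guard": list(PHASES), "target": list(PHASES)}
    trace = []
    while any(pending.values()):
        progressed = False
        for vm in ("guard", "target"):
            if pending[vm] and not blocked(vm, pending[vm][0], trace, synchronized):
                trace.append((vm, pending[vm].pop(0)))
                progressed = True
        if not progressed:
            raise RuntimeError("deadlock: both migrations are waiting on each other")
    return trace

def unmonitored_points(trace):
    """Indices in the trace at which the target VM is running but the guard VM is not
    monitoring it (memory unmapped, port mirroring not yet re-configured)."""
    target_running, guard_monitoring = True, True   # both VMs run before migration starts
    violations = []
    for i, (vm, phase) in enumerate(trace):
        if vm == "target" and phase in ("stop", "restart"):
            target_running = phase == "restart"
        if vm == "guard" and phase in ("stop", "restart"):
            guard_monitoring = phase == "restart"
        if target_running and not guard_monitoring:
            violations.append(i)
    return violations

if __name__ == "__main__":
    for sync in (False, True):
        trace = co_migrate(sync)
        print("synchronized" if sync else "unsynchronized", trace,
              "unmonitored at", unmonitored_points(trace))
```

In the unsynchronized run the guard VM stops while the target VM is still running (its third event), which is exactly the gap the two waiting rules close.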
Co-migration Time & Downtime
[Figure: bar charts of migration time and downtime]
• The time for synchronized co-migration
  • Increased only by 0.6 s at maximum
• Downtime of the target VM
  • Increased by 162 ms at worst
Conclusion
• We proposed VMCoupler
  • Offloaded IDSes are run in a guard VM
  • A guard VM is synchronously co-migrated with its target VM
• Future work
  • Reducing downtime
    • More synchronization between the two VMs
  • Allowing one guard VM to monitor multiple target VMs
    • How does VMCoupler migrate them?