Enhancing Cloud Security Through Virtual Machine Co-Migration for IDS Offloading


Explore the innovative approach of synchronized co-migration of virtual machines for offloading Intrusion Detection Systems (IDS) in Cloud environments. This method allows IaaS providers to deploy IDS without user cooperation, enabling better monitoring and security in the cloud.





Presentation Transcript


  1. Synchronized Co-migration of Virtual Machines for IDS Offloading in Clouds
     Kenichi Kourai and Hisato Utsunomiya
     Kyushu Institute of Technology, Japan

  2. IDS in IaaS Clouds
     - Users run their VMs in IaaS clouds
       - The VMs are not always well maintained
     - Intrusion detection systems (IDSes) are useful
     - Difficult for IaaS providers to force users to install IDSes
       - They cannot install any software without users' cooperation
     [Figure: VMs in an IaaS cloud, with an IDS running inside one VM]

  3. IDS Offloading
     - Runs IDSes outside the target VM
       - Prevents interference from intruders in the VM
       - Uses VM introspection to monitor its internals
     - Attractive to IaaS providers
       - They can deploy IDSes without any cooperation from users
     [Figure: IDS running outside the VM in an IaaS cloud]

  4. VM Migration with IDS Offloading
     - IaaS clouds migrate VMs for various purposes
       - E.g., machine maintenance, load balancing, and consolidation
     - Offloaded IDSes are not automatically moved with migrated VMs
       - They cannot continue to monitor target VMs
     [Figure: VM migrated from source host to destination host; IDS left on source host]

  5. VMCoupler
     - Enables co-migration of offloaded IDSes and their target VM
       - Offloaded IDSes run in a guard VM
       - A guard VM is migrated together with its target VM
     - IDSes can continue to monitor the target VM without any modification
     [Figure: target VM and guard VM (with IDS) migrated from source host to destination host]

  6. Guard VM
     - Allows IDSes to monitor only their target VM
       - Accessing the memory of the VM
         - Memory mapping with a hypervisor call
       - Capturing the network packets from/to the VM
         - Port mirroring at the virtual switch
       - Reading the networked storage for the VM
     [Figure: guard VM with IDS mapping target VM memory via the hypervisor; port mirror at the virtual switch]

  7. Co-migration with Monitoring
     - VMCoupler restores monitoring states
       - Re-mapping the memory of the target VM
         - The mapping state is transferred with a guard VM
       - Re-configuring port mirroring at the virtual switch
       - Doing nothing for networked storage
     [Figure: guard VM (with IDS) and target VM on destination host after migration from source host]

  8. Synchronized Co-migration
     - VMCoupler synchronizes the migration processes of both VMs
       - A guard VM always monitors its target VM while the target VM is running
       - Waiting for the target VM's stop before the guard VM's stop
       - Waiting for the guard VM's restart before the target VM's start
     [Figure: timeline of guard VM and target VM migration (start, stop, ready, restart, migrated)]
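The ordering rules on slides 6 to 8 can be checked with a small simulation. The following is an added example and not the authors' VMCoupler code: it models a target VM and its guard VM as two simplified live migrations (precopy, stop, transfer, restart), lets a scheduler enforce the two synchronization rules, models the guard VM's monitoring state as two flags (memory mapping, port mirroring) that are dropped at its stop and restored at its restart, and reports every step after which the target VM ran without being monitored. The phase names, the schedule format and the flags are constructed simplifications.

```python
"""Simulation of VMCoupler-style synchronized co-migration.

Added example, not the authors' code: a target VM and its guard VM each
run a simplified live migration (precopy, stop, transfer, restart), and a
scheduler enforces the two ordering rules from slide 8.  The guard VM's
monitoring state (memory mapping, port mirroring) is modelled by two
flags that are dropped at its stop and restored at its restart (slide 7).
Phase names and the schedule format are constructed simplifications.
"""

from dataclasses import dataclass
from typing import List, Tuple

# Simplified live-migration phases of one VM, in execution order.
PHASES = ("precopy", "stop", "transfer", "restart")

Step = Tuple[str, str]  # (vm name, phase executed)


@dataclass
class VM:
    name: str
    phase_idx: int = 0     # index of the next phase to execute
    running: bool = True   # target: executing; guard: its IDSes are running
    mapped: bool = True    # guard only: target memory mapped via a hypervisor call
    mirror: bool = True    # guard only: port mirroring configured at the virtual switch

    def next_phase(self):
        return PHASES[self.phase_idx] if self.phase_idx < len(PHASES) else None

    def done(self, phase: str) -> bool:
        """True once `phase` has been executed by this VM."""
        return self.phase_idx > PHASES.index(phase)

    @property
    def monitoring(self) -> bool:
        """A guard VM monitors only while it runs with its state restored."""
        return self.running and self.mapped and self.mirror


def allowed(vm: VM, target: VM, guard: VM, synchronized: bool) -> bool:
    """The two synchronization rules; everything is allowed when not synchronized."""
    if not synchronized:
        return True
    phase = vm.next_phase()
    if vm is guard and phase == "stop":
        return target.done("stop")       # wait for the target VM's stop before the guard's
    if vm is target and phase == "restart":
        return guard.done("restart")     # wait for the guard VM's restart before the target's start
    return True


def execute(vm: VM, guard: VM, trace: List[Step]) -> None:
    """Run the VM's next phase and update its run/monitoring flags."""
    phase = vm.next_phase()
    if phase == "stop":
        vm.running = False
        if vm is guard:                    # mapping/mirroring are no longer active on the source host;
            vm.mapped = vm.mirror = False  # the mapping state is transferred with the guard VM
    elif phase == "restart":
        vm.running = True
        if vm is guard:                    # VMCoupler re-maps memory and re-configures port mirroring
            vm.mapped = vm.mirror = True
    vm.phase_idx += 1
    trace.append((vm.name, phase))


def co_migrate(schedule: List[str], synchronized: bool = True):
    """Drive both migrations from `schedule`, a list of "target"/"guard" tokens
    naming which VM attempts its next phase.  Under synchronization a blocked
    step is re-queued so the other VM makes progress first.  Returns the
    executed trace and the steps after which the target VM ran unmonitored."""
    target, guard = VM("target"), VM("guard")
    vms = {"target": target, "guard": guard}
    queue, trace, violations, deferred = list(schedule), [], [], 0
    while queue:
        name = queue.pop(0)
        vm = vms[name]
        if vm.next_phase() is None:        # this VM has finished migrating
            continue
        if not allowed(vm, target, guard, synchronized):
            queue.append(name)
            deferred += 1
            if deferred > len(queue):      # only blocked tokens remain: the schedule lacks the other VM's steps
                raise RuntimeError(f"{name} is blocked and the schedule cannot make progress")
            continue
        deferred = 0
        execute(vm, guard, trace)
        if target.running and not guard.monitoring:   # the invariant VMCoupler maintains
            violations.append(trace[-1])
    return trace, violations


if __name__ == "__main__":
    for sync in (True, False):
        trace, bad = co_migrate(["target", "guard"] * 4, synchronized=sync)
        print("synchronized" if sync else "unsynchronized", trace)
        print("  target ran unmonitored after:", bad)
```

With a round-robin schedule and synchronization on, the target VM's restart is deferred until the guard VM has restarted and restored its mapping and mirroring, so the violation list is empty; with synchronization off, the same schedule restarts the target VM first and the checker reports that step. A guard-first schedule without synchronization shows the other failure mode, where the guard VM stops while the target VM is still running.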

  9. Co-migration Time & Downtime
     - The time for synchronized co-migration
       - Increased only by 0.6 s at maximum
     - Downtime of the target VM
       - Increased by 162 ms at worst
     [Figure: two plots, migration time and downtime, time (sec) vs. size of a guard VM (MB, 0 to 1024), sync vs. no sync]

  10. Conclusion
     - We proposed VMCoupler
       - Offloaded IDSes are run in a guard VM
       - A guard VM is synchronously co-migrated with its target VM
     - Future work
       - Reducing downtime
         - More synchronization between two VMs
       - Allowing one guard VM to monitor multiple target VMs
         - How does VMCoupler migrate them?
