Published by Jewel Carroll. Modified over 8 years ago.
1
Synchronized Co-migration of Virtual Machines for IDS Offloading in Clouds
Kenichi Kourai and Hisato Utsunomiya
Kyushu Institute of Technology, Japan
2
IDS in IaaS Clouds
- Users run their VMs in IaaS clouds
  - The VMs are not always well maintained
  - Intrusion detection systems (IDSes) are useful
- It is difficult for IaaS providers to force users to install IDSes
  - Providers cannot install any software without users' cooperation
(Figure labels: IaaS cloud, IDS, VM)
3
IDS Offloading
- Runs IDSes outside the target VM
  - Prevents interference from intruders in the VM
  - Uses VM introspection to monitor its internals
- Attractive to IaaS providers
  - They can deploy IDSes without any cooperation from users
(Figure labels: IaaS cloud, IDS, VM)
4
VM Migration with IDS Offloading
- IaaS clouds migrate VMs for various purposes
  - E.g., machine maintenance, load balancing, and consolidation
- Offloaded IDSes are not automatically moved with migrated VMs
  - They cannot continue to monitor target VMs
(Figure labels: IDS, source host, destination host, VM)
5
VMCoupler
- Enables co-migration of offloaded IDSes and their target VM
  - Offloaded IDSes run in a guard VM
  - A guard VM is migrated together with its target VM
  - IDSes can continue to monitor the target VM without any modification
(Figure labels: source host, destination host, target VM, IDS, guard VM)
6
Guard VM
- Allows IDSes to monitor only their target VM
  - Accessing the memory of the VM
    - Memory mapping with a hypervisor call
  - Capturing the network packets from/to the VM
    - Port mirroring at the virtual switch
  - Reading the networked storage for the VM
(Figure labels: virtual switch, guard VM, target VM, hypervisor, IDS, map, port mirror)
7
Co-migration with Monitoring
- VMCoupler restores monitoring states
  - Re-mapping the memory of the target VM
    - The mapping state is transferred with a guard VM
  - Re-configuring port mirroring at the virtual switch
  - Doing nothing for networked storage
(Figure labels: target VM, IDS, guard VM, source host, destination host)
8
Synchronized Co-migration
- VMCoupler synchronizes the migration processes of both VMs
  - A guard VM always monitors its target VM while the target VM is running
    - Waiting for target VM's stop before guard VM's
    - Waiting for guard VM's restart before target VM's
(Figure: migration timeline of the guard VM and the target VM; labels: ready, stop, start, restart, migrated)
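The two waits above can be modelled as two migration threads coordinated by two events. This is an added example, not VMCoupler's code: the class, the function names, the sleep used as a stand-in for pre-copy, and the `synchronized` switch (which drops both waits to show the resulting monitoring gap) are all assumptions made for illustration.

```python
import threading
import time

class CoMigration:
    def __init__(self, synchronized=True):
        self.synchronized = synchronized
        self.lock = threading.Lock()
        self.running = {"target": True, "guard": True}
        self.trace = []  # (event, target_running, guard_running) after each event
        self.target_stopped = threading.Event()
        self.guard_restarted = threading.Event()

    def _set(self, vm, state, event):
        with self.lock:
            self.running[vm] = state
            self.trace.append((event, self.running["target"], self.running["guard"]))

    def migrate_target(self, precopy):
        time.sleep(precopy)  # stand-in for pre-copy while the VM keeps running
        self._set("target", False, "target stop")
        self.target_stopped.set()
        if self.synchronized:
            self.guard_restarted.wait()  # wait for guard VM's restart
        self._set("target", True, "target restart")

    def migrate_guard(self, precopy):
        time.sleep(precopy)
        if self.synchronized:
            self.target_stopped.wait()  # wait for target VM's stop
        self._set("guard", False, "guard stop")
        # destination side would re-map memory and re-configure port mirroring here
        self._set("guard", True, "guard restart")
        self.guard_restarted.set()

def co_migrate(target_precopy, guard_precopy, synchronized=True):
    m = CoMigration(synchronized)
    threads = [threading.Thread(target=m.migrate_target, args=(target_precopy,)),
               threading.Thread(target=m.migrate_guard, args=(guard_precopy,))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return m.trace

def monitoring_gap(trace):
    """True if the target VM was ever running while the guard VM was stopped."""
    return any(target and not guard for _, target, guard in trace)
```

With both waits in place the event order is fixed regardless of which VM finishes pre-copy first; without them, a guard VM that is ready early stops while its target is still running.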
9
Co-migration Time & Downtime
- The time for synchronized co-migration
  - Increased only by 0.6s at maximum
- Downtime of the target VM
  - Increased by 162 ms at worst
(Figure panels: migration time, downtime)
10
Conclusion
- We proposed VMCoupler
  - Offloaded IDSes are run in a guard VM
  - A guard VM is synchronously co-migrated with its target VM
- Future work
  - Reducing downtime
    - More synchronization between two VMs
  - Allowing one guard VM to monitor multiple target VMs
    - How does VMCoupler migrate them?