Synchronized Co-migration of Virtual Machines for IDS Offloading in Clouds Kenichi Kourai and Hisato Utsunomiya Kyushu Institute of Technology, Japan.

IDS in IaaS Clouds
 Users run their VMs in IaaS clouds
   The VMs are not always well maintained
   Intrusion detection systems (IDSes) are useful
 It is difficult for IaaS providers to force users to install IDSes
   They cannot install any software without the users' cooperation
[Figure: IaaS cloud, IDS, VM]

IDS Offloading
 Runs IDSes outside the target VM
   Prevents interference by intruders in the VM
   Uses VM introspection to monitor its internals
 Attractive to IaaS providers
   They can deploy IDSes without any cooperation from users
[Figure: IaaS cloud, IDS, VM]

VM Migration with IDS Offloading
 IaaS clouds migrate VMs for various purposes
   E.g., machine maintenance, load balancing, and consolidation
 Offloaded IDSes are not automatically moved with the migrated VMs
   They cannot continue to monitor their target VMs
[Figure: IDS, source host, destination host, VM]

VMCoupler
 Enables co-migration of offloaded IDSes and their target VM
   Offloaded IDSes run in a guard VM
   A guard VM is migrated together with its target VM
 IDSes can continue to monitor the target VM without any modification
[Figure: source host, destination host, target VM, IDS, guard VM]

Guard VM
 Allows IDSes to monitor only their target VM
 Accessing the memory of the VM
   Memory mapping with a hypervisor call
 Capturing the network packets from/to the VM
   Port mirroring at the virtual switch
 Reading the networked storage for the VM
[Figure: virtual switch, guard VM, target VM, hypervisor, IDS, map, port mirror]

Co-migration with Monitoring
 VMCoupler restores monitoring states
 Re-mapping the memory of the target VM
   The mapping state is transferred with the guard VM
 Re-configuring port mirroring at the virtual switch
 Doing nothing for networked storage
[Figure: target VM, IDS, guard VM, source host, destination host]

Synchronized Co-migration
 VMCoupler synchronizes the migration processes of both VMs
 A guard VM always monitors its target VM while the target VM is running
   The guard VM waits for the target VM to stop before stopping itself
   The target VM waits for the guard VM to restart before restarting itself
[Figure: timeline of guard VM and target VM: ready, stop, start, restart, migrated]
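The two handshakes on this slide, as an added simulation that is not VMCoupler's code: each VM is a thread running its own migration steps, a "target stopped" event gates the guard VM's stop, and a "guard restarted" event gates the target VM's restart. Host labels "src"/"dst" and the sleep delays are assumptions of the simulation, not values from the paper.

```python
"""Simulation of synchronized co-migration of a guard VM and its target VM.
Added example (not VMCoupler's code); hosts are labelled "src" and "dst"."""
import threading
import time


def co_migrate(target_stop_delay=0.01, guard_restart_delay=0.02):
    """Run one synchronized co-migration and return the ordered event log."""
    log, lock = [], threading.Lock()
    target_stopped = threading.Event()   # set by the target VM once it has stopped
    guard_restarted = threading.Event()  # set by the guard VM once it runs on dst

    def record(vm, event, host):
        with lock:
            log.append((vm, event, host))

    def target_vm():
        record("target", "ready", "src")   # pre-copy finished, still running on src
        time.sleep(target_stop_delay)      # assumed: remaining dirty-page rounds
        record("target", "stop", "src")
        target_stopped.set()               # handshake 1: guard VM may now stop
        guard_restarted.wait()             # handshake 2: wait for monitoring on dst
        record("target", "restart", "dst")

    def guard_vm():
        record("guard", "ready", "src")
        target_stopped.wait()              # keep monitoring until the target stops
        record("guard", "stop", "src")
        time.sleep(guard_restart_delay)    # assumed: transfer of final guard state
        record("guard", "restart", "dst")  # memory re-mapped, port mirror reconfigured
        guard_restarted.set()

    threads = [threading.Thread(target=f) for f in (target_vm, guard_vm)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return log


def monitored_whenever_running(log):
    """Invariant: the target VM never runs on a host where the guard VM is not running."""
    host = {"target": "src", "guard": "src"}   # both VMs start running on src
    for vm, event, where in log:
        if event == "stop":
            host[vm] = None
        elif event == "restart":
            host[vm] = where
        if host["target"] is not None and host["guard"] != host["target"]:
            return False
    return True
```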

Co-migration Time & Downtime
 The time for synchronized co-migration
   Increased only by 0.6 s at maximum
 Downtime of the target VM
   Increased by 162 ms at worst
[Figure: migration time, downtime]

Conclusion
 We proposed VMCoupler
   Offloaded IDSes run in a guard VM
   A guard VM is synchronously co-migrated with its target VM
 Future work
   Reducing downtime
     More synchronization between the two VMs
   Allowing one guard VM to monitor multiple target VMs
     How does VMCoupler migrate them?