1. Synchronized Co-migration of Virtual Machines for IDS Offloading in Clouds Kenichi Kourai and Hisato Utsunomiya Kyushu Institute of Technology, Japan

2. IDS in IaaS Clouds  Users run their VMs in IaaS clouds  The VMs are not always well maintained  Intrusion detection systems (IDSes) are useful  Difficult for IaaS providers to enforce users to install IDSes  They cannot install any software without users' cooperation IaaS cloud IDS VM

3. IDS Offloading  Runs IDSes in the outside of the target VM  Preventing interferences from intruders in the VM  Using VM introspection to monitor its internals  Attractive to IaaS providers  They can deploy IDSes without any cooperation of users IaaS cloud IDS VM

4. VM Migration with IDS Offloading  IaaS clouds migrate VMs for various purposes  E.g., machine maintenance, load balancing, and consolidation  Offloaded IDSes are not automatically moved with migrated VMs  They cannot continue to monitor target VMs IDS source host destination host VM

5. VMCoupler  Enables co-migration of offloaded IDSes and their target VM  Offloaded IDSes run in a guard VM  A guard VM is migrated together with its target VM  IDSes can continue to monitor the target VM without any modification source host destination host target VM IDS guard VM

6. Guard VM  Allows IDSes to monitor only their target VM  Accessing the memory of the VM  Memory mapping with a hypervisor call  Capturing the network packets from/to the VM  Port mirroring at the virtual switch  Reading the networked storage for the VM virtual switch guard VM target VM hypervisor IDS map port mirror

7. Co-migration with Monitoring  VMCoupler restores monitoring states  Re-mapping the memory of the target VM  The mapping state is transferred with a guard VM  Re-configuring port mirroring at the virtual switch  Doing nothing for networked storage target VM IDS guard VM source host destination host

8. Synchronized Co-migration  VMCoupler synchronizes the migration processes of both VMs  A guard VM always monitors its target VM while the target VM is running  Waiting for target VM's stop before guard VM's  Waiting for guard VM's restart before target VM's guard VM target VM ready stopstart stop restart ready start migrated

9. Co-migration Time & Downtime  The time for synchronized co-migration  Increased only by 0.6s at maximum  Downtime of the target VM  Increased by 162 ms at worst migration time downtime

10. Conclusion  We proposed VMCoupler  Offloaded IDSes are run in a guard VM  A guard VM is synchronously co-migrated with its target VM  Future work  Reducing downtime  More synchronization between two VMs  Allowing one guard VM to monitor multiple target VMs  How does VMCoupler migrate them?