Co-migration of Virtual Machines with Synchronization for IDS Offloading

Since Infrastructure-as-a-Service (IaaS) clouds contain many vulnerable virtual machines (VMs), intrusion detection systems (IDSes) should be run for all the VMs. IDS offloading is promising for this purpose because it allows IaaS providers to run IDSes outside of VMs without any cooperation of the users. However, offloaded IDSes cannot continue to monitor their target VM when the VM is migrated to another host. In this paper, we propose VMCoupler for enabling co-migration of offloaded IDSes and their target VM. Our approach is running offloaded IDSes in a special VM called a guard VM, which can monitor the internals of a target VM using VM introspection. VMCoupler can migrate a guard VM together with its target VM and restore the state of VM introspection at the destination. The migration processes of these two VMs are synchronized so that a target VM does not run without being monitored. We have confirmed that the overhead of monitoring and co-migration was small.