The Secure Migration of a Virtual Machine Introspection Intrusion Detection System

Ferrol Aderholdt and Stephen L. Scott


Cloud Computing, Network Security


This paper presents a method to perform a live migration of a virtual machine introspection (VMI) intrusion detection system (IDS) from one physical node to another along with its associated virtual machine (VM). This is extremely important as more attention is given to VMI IDSes in both Enterprise and Cloud Computing environments, where live migration is utilized for load balancing and fault tolerance. Current VMI IDS systems neglect the live migration capabilities of VMs, restricting the monitored VM to a specific node. Our work investigates potential methodologies for performing this task so that VMI IDSes become feasible within practical computing environments. We have designed a methodology to accomplish this goal and extended the VMI IDS known as the virtual system-level lightweight integrity monitor (vSLIM) in order to validate our work. We have evaluated this design using man-in-the-middle attacks that modify the VM during transit in order to verify the correctness of our design, and found less than 3% overhead when compared to the cost of migrating a VM without a VMI IDS. Likewise, this migration has little impact on the performance of co-located VMs.
