Cloud Infrastructures Protection Technique Based on Virtual Machines Live Migration

Jan Fesl (1), Vineet Gokhale (1), Marie Doležalová (1), Jiří Cehák (1), Jan Janeček (2)

1. Institute of Applied Informatics, Faculty of Science, University of South Bohemia, CZECH REPUBLIC, České Budějovice, Branišovská 31a, email: {jfesl,vgokhale,dolezm01,jcehak}@prf.jcu.cz
2. Department of Computer Systems, Faculty of Information Technology, Czech Technical University in Prague, CZECH REPUBLIC, Prague, Thákurova 6, email: janecek@fit.cvut.cz

ACIT 2018, June 1-3, 2018, Ceske Budejovice, Czech Republic

Abstract: Cloud computing and virtualization are very popular research areas of the last years. The rising number of running virtual machines brings new opportunities for malware and intrusion tools. Nowadays there exist various ways to detect potential attack activities. Our paper evaluates such techniques and provides an efficient solution for linking anomaly detectors with hypervisors. This solution provides a way to eliminate the problems without having to shut down the running virtual machines.

Keywords: IDS, IPS, hypervisor, cloud, security, live migration, virtual machine.

I. INTRODUCTION

Distributed virtualization infrastructures (DVI) are the engines of powerful data centres, which form the executive part of cloud environments. The typical virtualization architecture, depicted in figure 1, consists of the management node (MN), virtualization nodes (VN), data storage (DS) and interconnection networks (IN). Virtual machines (VM) run on the virtualization nodes, which contain the hypervisors. The hypervisor is the abstraction layer between the physical and the virtual hardware. There are several virtualization principles; their detailed description can be found in [1]. Nowadays, the most power-efficient hypervisors are based on direct cooperation with the hardware using a dedicated instruction set.

Fig. 1. Typical environment of the distributed virtualization infrastructure.

DVI = {MN, VN, DS, IN} (1)

The virtual machines can be moved between all infrastructure nodes during runtime. The motion of the virtual machines is made possible by the live migration technique; details can be found in [2]. The virtual machines have some limitations, such as the allowed number of CPUs, the size of operating memory, the size of the virtual hard drive or the maximal network throughput. All of these parameters are managed by the hypervisor. The virtual machine lives in its own world and shares its resources with other virtual machines. The level on which physical and virtual computers are the same is the network level, because both types communicate with the outer world via the same packets. Virtual computers contain the same operating systems as physical ones, therefore they can suffer from the same security issues. The virtual machines on the same virtualization node are interconnected by virtual networks. The virtual networks can bridge some virtual machines with others or fully separate the network traffic between them.

II. SYSTEMS FOR INTRUSION DETECTION AND PREVENTION

Infected virtual machines can be the sources of network attacks. From the point of view of the OSI network model, the attack types can be divided into L2 and L3 groups. The first group targets the computers and devices placed in local segments; the second group can affect all local and remote devices connected to the computer network.

In the data center environment, the greatest problem for the administrator is that it is not possible to permanently apply strict firewall rules, such as limiting the TELNET, SSH, RDP etc. services, because the users require to install and use various network services. The data centers also cannot require a paid antivirus/antimalware protection or firewall from the user. The only acceptable solution is to suppress the potential issue, but not to drop all other services.

Traditional firewalls are highly efficient, but strictly static, and are therefore not very well suited for data centers. The more efficient way is to use more intelligent intrusion detection (IDS) and intrusion prevention (IPS) systems. Intrusion detection systems are an essential component of protecting computer systems and networks. The main aim of an IDS is to detect computer attacks and provide the proper response. An IDS is defined as the technique used to detect and respond to intrusion activities from a malicious host or network. There are mainly two categories of IDSs, network based and host based. The IDS is the key to detecting and possibly preventing malicious activities. In the case that an issue has been discovered, the administrator is informed by a message. Such systems have a long tradition, but were primarily proposed for common computer networks. The basic structure of such a system is depicted in figure 2.

Fig. 2. Main components of the IDS system, which could be used as a data center protection system.

A really comprehensive overview of this topic, including descriptions of the algorithms, is given in [2], and further material in [3]. The basic detection techniques used in IDSs are as follows.

Signature matching

This technique identifies attacks by matching network packet contents against specific attack signatures. These signatures are created using already identified and well-described attack samples, which is time consuming and can take from a couple of hours up to several days, which gives attackers plenty of time for their criminal activities. The biggest weakness of this solution is that it detects only known attacks, which can be further limited by smart evasion techniques used by malware. With the growing proportion of encrypted traffic, the use of self-modifying malware, and other evasion techniques, the use of a detection technique tailored to catch a predefined, known set of attacks is becoming irrelevant.

Anomaly-based detection

This concept tries to decrease the human work (e.g. manual creation of signatures) by building a statistical model of normal behavior and detecting all deviations from it. This enables the detection of new, previously unknown attacks, provided that their statistical behavior differs from that of the normal traffic. While anomaly-based methods are attractive conceptually, they have not been widely adopted. This is because they typically suffer from a comparatively higher false alarm rate (not every anomaly is related to an attack), rendering them useless in practice, since a network operator can analyze only a few incidents per day [3]. That is why signature based IDSs are still widely used, even though they are able neither to detect new types of attack nor to find anomalous behavior of the network users.

In the literature [4], five types of IDS systems are known which can be used in cloud computing.

Host based intrusion detection system (HIDS)

Such a system is an intrusion detection system that monitors and analyzes the information collected from a specific host machine. A HIDS running on a virtualization node detects intrusions for the virtual machine by collecting information. The HIDS observes modifications of the host kernel, the host file system and the behavior of programs. Upon detection of a deviation from expected behavior, it reports the existence of an attack. The efficiency of a HIDS depends on the system characteristics chosen for monitoring. Each HIDS detects intrusions for the machine on which it is placed. With respect to cloud computing, a HIDS can be placed on a host machine, a VM or the hypervisor to detect intrusive behavior through monitoring and analyzing log files, security access control policies and user login information.

Network based intrusion detection system (NIDS)

This is an intrusion detection system that tries to detect malicious activity such as DoS attacks, port scans or even attempts to break into computers by monitoring the network traffic. The information collected from the network is compared with known attacks for intrusion detection. A NIDS has a stronger mechanism for detecting network intruders by comparing the current behavior with already observed behavior in real time. A NIDS mostly monitors the IP and transport layer headers of individual packets and detects intrusion activity. NIDS uses signature based and anomaly based intrusion detection techniques. A NIDS has very limited visibility inside the host machines. If the network traffic is encrypted, there is really no effective way for the NIDS to decrypt the traffic for analysis. A NIDS can be deployed on an edge node interacting with the external network. However, it has several limitations. It cannot help when it comes to an attack within a virtual network that runs entirely inside the hypervisor. In a cloud environment, the NIDS must be installed by the service provider.

Distributed intrusion detection system (DIDS)

This system consists of many IDSs over a large network, which communicate with each other or with a central server that enables network monitoring. The intrusion detection components collect the system information and convert it into a standardized form to be passed to the central analyzer. The central analyzer is a machine that aggregates information from multiple IDSs and analyzes it. A combination of anomaly and signature based detection approaches is used for the analysis. A DIDS can be used for detecting known and unknown attacks, since it takes advantage of both the NIDS and the HIDS, which complement each other. In a cloud environment, a DIDS can be placed on the virtualization nodes.

Hypervisor based intrusion detection system (HIDS)

The proposal of such a system is still more on the theoretical surface than in some real implementation. From the real world, the Hyper-V hypervisor [5] contains an L3 firewall, which can be used for blocking some attacks. The principle is depicted in figure 3. The greatest trouble is its implementation, which can cause a rapid decrease in virtualization technology performance.

Fig. 3. Hypervisor based IDS, integration with the operating system.

Virtual machine introspection (VMI) based IDS

VMI is the main idea behind out-of-box intrusion detection. VMI is a technique of inspecting VM state by moving the inspection module outside of the VM. The software running inside the guest system is analyzed externally to detect any intrusion. One advantage of this technique is that malware detection continues to work unaffected even in the presence of an intrusion. This capability is missing in HIDS and NIDS. In the case of a compromise, a HIDS starts reporting falsely, while a NIDS has limited visibility. More information can be found in [6], [7] and [8].

III. PROTECTION TECHNIQUE BASED ON VIRTUAL MACHINES LIVE MIGRATION

The basic idea behind this technique is as follows. The virtualization infrastructure with an active IDS can be divided into three smaller, elastic, independent groups {A, B, C}, which differ by the level of network traffic filtering. Group A contains virtualization nodes with VMs with no traffic filtering. Group B contains virtualization nodes which are L3 protected against some outgoing L3 attacks, e.g. SSH, TELNET or SMTP. The type of the suppressed traffic for a concrete VM is strictly evaluated by the IPS. Group C is called "Quarantine" and has the traffic of all its virtual machines strictly separated and filtered at L2. Specific outgoing L3 traffic is filtered as well; depending on the IPS decision, this can be most of the outgoing L3 traffic. The users who manage VMs in group C can connect to them via a specific terminal service. The IDS directly cooperates with the hypervisors of all virtualization nodes. If the IDS detects some issue, it gives a command to the specific hypervisor, which migrates the affected VM to a virtualization node that is a member of another, more secured group. Before the migration of the VM, all restrictions proposed by the IPS are activated on the destination node. Live migration thus serves for the isolation of potentially malicious and healthy virtual machines. The principle is depicted in figure 4 and is further summarized in the following 5-step algorithm.

Fig. 4. Live migration protection technique principle.

The 5-step protection algorithm (managed by the IDS)

V is the set of newly detected, potentially affected virtual machines. R is the set of recommendations, which means the new running groups for the VMs contained in V; e.g. if a VM runs in A but has a security issue, then the IDS recommends moving this VM from A to B, R({VM, A→B}).

1. Detect all possibly problematic running VMs and store them in V and their recommendations in R.
2. For all VMs in V find the destination nodes (DN) for their migrations according to the R values.
3. Apply all L2/L3 protection rules on the DN for all VMs in V.
4. Give the command for live migration of all VMs in V to all involved hypervisors.
5. Send a message to all administrators of the affected VMs stating which VMs were migrated.

The algorithm can be further generalized for positive reevaluation, which means that if some issue on a VM disappears, the VM can be migrated back to a less strict group.

IV. CONCLUSION

We proposed a new technique which is able to help with the protection of distributed virtualization network infrastructures. Its deployment depends on the election of the proper IPS element. The greatest benefit of such a solution lies in the runtime protection without suppressing more services than necessary. The solution requires for its deployment a hypervisor type which is able to migrate the VMs during runtime. The presented technique is suitable for all L2 or L3 network attack types.

REFERENCES

[1] J. Fesl, "Virtual distributed systems and their application", dissertation thesis, Czech Technical University in Prague, 2017, pp. 10-27
[2] J. Fesl et al., "Live Migration of Virtual Distributed Computing Systems", International Journal of Innovative Computing, Information and Control (IJICIC), Vol. 11, Issue 3, 2015
[3] J. Grill, "Combining network anomaly detectors", dissertation thesis, Czech Technical University in Prague, 2016, pp. 3-17
[4] F. Alruwaili, T. Gulliver, "CCIPS: A Cooperative Intrusion Detection and Prevention Framework for Cloud Services", International Journal of Latest Trends in Computing, Vol. 4, Issue 4, 2014
[5] A. Lownds et al., "Windows Server 2012 Hyper-V Installation and Configuration Guide"
[6] A. Riaz et al., "Intrusion Detection Systems in Cloud Computing: A Contemporary Review of Techniques and Solutions", Journal of Information Science and Engineering, Issue 4, 2016
[7] T. Hwang, Y. Shin, K. Son, H. Park, "Design of a Hypervisor-based Rootkit Detection Method for Virtualized Systems in Cloud Computing Environments", AASRI Winter International Conference on Engineering and Technology, 2013
[8] Y. Tayyebi, D. Bhilare, "Cloud security through Intrusion Detection System (IDS): Review of Existing Solutions", International Journal of Emerging Trends & Technology in Computer Science (IJETTCS), Vol. 4, Issue 6, 2015
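The 5-step protection algorithm of Section III, carried out as a planner over a constructed inventory of nodes in groups A, B and C; this is an added example, not code from the paper or its authors. Step 1 (detection) is represented by the set R handed in as input; the first-fit destination choice, the rule names, the port numbers and the inventory are assumptions, and the positive reevaluation (moving a VM back to a less strict group) is included as the paper's generalization suggests.

```python
"""Planner for the 5-step live-migration protection algorithm (Section III).
Assumed, not from the paper: first-fit destination choice and the rule vocabulary."""
GROUP_ORDER = {"A": 0, "B": 1, "C": 2}  # A: no filtering, B: L3 filtered, C: quarantine

def l2l3_rules(dst_group, blocked_ports):
    """Step 3: rules to activate on the destination node for one VM."""
    rules = [f"deny-out tcp/{p}" for p in blocked_ports]   # outgoing L3 services chosen by the IPS
    if dst_group == "C":   # quarantine: L2 separation, admins reach the VM via a terminal service
        rules = ["l2-isolate", "allow-in terminal-service"] + rules
    return rules

def choose_destination(dst_group, vm, nodes):
    """Step 2: first node of the target group, other than the current one, with room for the VM."""
    for name, node in nodes.items():
        if node["group"] == dst_group and name != vm["node"] and node["free_mb"] >= vm["mem_mb"]:
            return name
    return None

def plan_migrations(vms, nodes, recs):
    """Steps 2-5 for the VMs in V; recs is R as (vm, src_group, dst_group, blocked_ports)."""
    actions = []
    for vm_name, src, dst, ports in recs:
        vm = vms[vm_name]
        dn = choose_destination(dst, vm, nodes)
        if dn is None:                       # no room in the target group: report, do not move
            actions.append(("no-capacity", vm_name, dst))
            continue
        nodes[dn]["free_mb"] -= vm["mem_mb"]
        for rule in l2l3_rules(dst, ports):  # restrictions are active on DN before the VM arrives
            actions.append(("apply-rule", dn, vm_name, rule))
        actions.append(("live-migrate", vm_name, vm["node"], dn))
        direction = "tighten" if GROUP_ORDER[dst] > GROUP_ORDER[src] else "relax"
        actions.append(("notify", vm["admin"], f"{vm_name}: {src}->{dst} ({direction})"))
        vm["node"] = dn
    return actions

def demo():
    """Constructed inventory and findings (not from the paper), incl. one positive reevaluation."""
    nodes = {"vn1": {"group": "A", "free_mb": 8192}, "vn2": {"group": "B", "free_mb": 4096},
             "vn3": {"group": "C", "free_mb": 2048}}
    vms = {"web1": {"node": "vn1", "mem_mb": 2048, "admin": "alice"},
           "db1": {"node": "vn1", "mem_mb": 2048, "admin": "bob"},
           "old1": {"node": "vn3", "mem_mb": 1024, "admin": "carol"}}
    recs = [("web1", "A", "B", (22, 23)),  # outgoing SSH/TELNET activity: A -> B
            ("db1", "A", "C", (22, 25)),   # quarantine: A -> C
            ("old1", "C", "B", ())]        # issue disappeared: move back C -> B
    return plan_migrations(vms, nodes, recs)
```

The returned action list is ordered so that every rule for a VM is applied on its destination node before that VM's migration command, mirroring steps 3 and 4 of the algorithm.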