research-article

Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud

Authors:

Todd MummertAuthors Info & Claims

ACM SIGMETRICS Performance Evaluation Review, Volume 42, Issue 1

Pages 249 - 261

https://doi.org/10.1145/2637364.2592009

Published: 16 June 2014 Publication History

Abstract

The dramatic proliferation of virtual machines (VMs) in datacenters and the highly-dynamic and transient nature of VM provisioning has revolutionized datacenter operations. However, the management of these environments is still carried out using re-purposed versions of traditional agents, originally developed for managing physical systems, or most recently via newer virtualization-aware alternatives that require guest cooperation and accessibility. We show that these existing approaches are a poor match for monitoring and managing (virtual) systems in the cloud due to their dependence on guest cooperation and operational health, and their growing lifecycle management overheads in the cloud.

In this work, we first present Near Field Monitoring (NFM), our non-intrusive, out-of-band cloud monitoring and analytics approach that is designed based on cloud operation principles and to address the limitations of existing techniques. NFM decouples system execution from monitoring and analytics functions by pushing monitoring out of the targets systems' scope. By leveraging and extending VM introspection techniques, our framework provides simple, standard interfaces to monitor running systems in the cloud that require no guest cooperation or modification, and have minimal effect on guest execution. By decoupling monitoring and analytics from target system context, NFM provides ``always-on'' monitoring, even when the target system is unresponsive. NFM also works ``out-of-the-box'' for any cloud instance as it eliminates any need for installing and maintaining agents or hooks in the monitored systems. We describe the end-to-end implementation of our framework with two real-system prototypes based on two virtualization platforms. We discuss the new cloud analytics opportunities enabled by our decoupled execution, monitoring and analytics architecture. We present four applications that are built on top of our framework and show their use for across-time and across-system analytics.

References

[1]

Adam Boileau. Hit by a Bus: Physical Access Attacks with Firewire. RuxCon 2006. http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf.

[2]

Amazon. CloudWatch. http://aws.amazon.com/cloudwatch/.

[3]

Amazon. Summary of the October 22,2012 AWS Service Event in the US-East Region. https://aws.amazon.com/message/680342/.

[4]

Anthony Desnos. Draugr - Live memory forensics on Linux. http://code.google.com/p/draugr/.

[5]

M. Auty, A. Case, M. Cohen, B. Dolan-Gavitt, M. H. Ligh, J. Levy, and A. Walters. Volatility - An advanced memory forensics framework. http://code.google.com/p/volatility.

[6]

S. Bahram, X. Jiang, Z. Wang, M. Grace, J. Li, D. Srinivasan, J. Rhee, and D. Xu. DKSM: Subverting Virtual Machine Introspection for Fun and Profit. In SRDS, pages 82--91, 2010.

Digital Library

[7]

P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In SOSP, pages 164--177, 2003.

Digital Library

[8]

Bryan Payne. Vmitools - An introduction to LibVMI. http://code.google.com/p/vmitools/wiki/LibVMIIntroduction.

[9]

B. D. Carrier and J. Grand. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, 1(1):50--60, 2004.

Digital Library

[10]

A. Case, L. Marziale, and G. G. RichardIII. Dynamic recreation of kernel data structures for live forensics. Digital Investigation, 7, Supplement(0):S32--S40, 2010.

Digital Library

[11]

ClamAV. Clam AntiVirus. http://www.clamav.net.

[12]

C. Colohan. The Scariest Outage Ever. Carnegie Mellon University SDI/ISTC Seminar Series, 2012.

[13]

David Anderson. White Paper: Red Hat Crash Utility. http://people.redhat.com/anderson/crash_whitepaper/.

[14]

Dell Quest/VKernel. Foglight for Virtualization. http://www. quest.com/foglight-for-virtualization-enterprise-edition/.

[15]

B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee. Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. In IEEE Security and Privacy '11, pages 297--312.

Digital Library

[16]

B. Dolan-Gavitt, B. Payne, and W. Lee. Leveraging forensic tools for virtual machine introspection. Technical Report GT-CS-11-05, Georgia Institute of Technology, 2011.

[17]

Emilien Girault. Volatilitux- Memory forensics framework to help analyzing Linux physical memory dumps. http://code.google.com/p/volatilitux/.

[18]

M. F. Linux Rootkit Implementation. http://average-coder.blogspot.com/2011/12/linux-rootkit.html, 2011.

[19]

Y. Fu and Z. Lin. Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection. In IEEE Security&Privacy'12.

Digital Library

[20]

T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS, pages 191--206, 2003.

[21]

B. Hay and K. Nance. Forensics examination of volatile system data using virtual introspection. SIGOPS Oper. Syst. Rev., 42(3):74--82, 2008.

Digital Library

[22]

O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel. Ensuring operating system kernel integrity with OSck. In ASPLOS, pages 279--290, 2011.

Digital Library

[23]

Hypertection. Hypervisor-Based Antivirus. hypertection.com.

[24]

Jack of all Clouds. Recounting EC2 One Year Later. www.jackofallclouds.com/2010/12/recounting-ec2/.

[25]

X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction. In CCS '07, pages 128--138.

Digital Library

[26]

A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori. KVM: the Linux Virtual Machine Monitor. In OLS '07: The 2007 Ottawa Linux Symposium, pages 225--230, 2007.

[27]

I. Kollar. Forensic RAM dump image analyser. Master's Thesis, Charles University in Prague, 2010. hysteria.sk/~niekt0/fmem/doc/foriana.pdf.

[28]

Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang. SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures. In NDSS, 2011.

[29]

L. Litty and D. Lie. Patch auditing in infrastructure as a service clouds. In VEE '11.

Digital Library

[30]

Mariusz Burdach. Digital forensics of the physical memory. 2005. http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf.

[31]

N. Mavroyanopoulos and S. Schumann. Mhash. http://mhash.sourceforge.net.

[32]

Maximillian Dornseif. 0wned by an iPod. PacSec Applied Security Conference 2004. http://md.hudora.de/presentations/firewire/PacSec2004.pdf.

[33]

D. Mosberger and T. Jin. httperf - a tool for measuring web server performance. SIGMETRICS Perform. Eval. Rev., 26(3):31--37, 1998.

Digital Library

[34]

Nirsoft. Windows Vista Kernel Structures. http://www.nirsoft.net/kernel_struct/vista/.

[35]

OpenBenchmarking/Phoronix. x264 Test Profile. http://openbenchmarking.org/test/pts/x264-1.7.0.

[36]

Opscode. Chef. http://www.opscode.com/chef/.

[37]

Y. Padioleau, J. L. Lawall, and G. Muller. Understanding collateral evolution in linux device drivers. In EuroSys'06.

Digital Library

[38]

B. Payne, M. de Carbone, and W. Lee. Secure and Flexible Monitoring of Virtual Machines. In Twenty-Third Annual Computer Security Applications Conference, pages 385--397, 2007.

[39]

PHD Virtual. Virtual Monitoring http://www.phdvirtual.com/.

[40]

A. Ranadive, A. Gavrilovska, and K. Schwan. Ibmon: monitoring vmm-bypass capable infiniband devices using memory introspection. In HPCVirt, pages 25--32, 2009.

Digital Library

[41]

Reflex. vWatch Monitoring. http://www.reflexsystems.com/Products/vWatch.

[42]

Russell Coker. Bonnie++ http://www.coker.com.au/bonnie++/.

[43]

A. Srivastava and J. Giffin. Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections. In RAID, pages 39--58, 2008.

Digital Library

[44]

S. Thomas, K. Sherly, and S. Dija. Extraction of memory forensic artifacts from windows 7 ram image. In IEEE ICT '13, pages 937--942, April 2013.

[45]

VMware. vCenter Operations Management Suite. http://www.vmware.com/products/vcenter-operations-management/.

[46]

VMware. VIX API Documentation. http://www.vmware.com/support/developer/vix-api/.

[47]

VMware. VMCI Overview. http://pubs.vmware.com/vmci-sdk/.

[48]

VMware. VMWare Tools. http://kb.vmware.com/kb/340.

[49]

VMware. vShield Endpoint. http://www.vmware.com/products/vsphere/features-endpoint.

[50]

VMWare Inc. VMWare VMSafe security technology. http://www.vmware.com/company/news/releases/vmsafe_vmworld.html.

[51]

S. Vogl. A bottom-up Approach to VMI-based Kernel-level Rootkit Detection. PhD Thesis, Technische Unversitat Munchen., 2010.

[52]

C. A. Waldspurger. Memory resource management in VMware ESX server. SIGOPS Oper. Syst. Rev., 36(SI):181--194, 2002.

Digital Library

Cited By

Xiong MLi YGu LPan SZeng DLi P(2020)Reinforcement Learning Empowered IDPS for Vehicular Networks in Edge ComputingIEEE Network10.1109/MNET.011.190032134:3(57-63)Online publication date: May-2020
https://doi.org/10.1109/MNET.011.1900321
Borisaniya BPatel D(2019)Towards virtual machine introspection based security framework for cloudSādhanā10.1007/s12046-018-1016-644:2Online publication date: 25-Jan-2019
https://doi.org/10.1007/s12046-018-1016-6
Wang CChen XJia WLi BQiu HZhao SCui HSeshan SBanerjee S(2018)PloverProceedings of the 15th USENIX Conference on Networked Systems Design and Implementation10.5555/3307441.3307483(483-499)Online publication date: 9-Apr-2018
https://dl.acm.org/doi/10.5555/3307441.3307483
Show More Cited By

Index Terms

Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud
1. Social and professional topics
  1. Professional topics
    1. Management of computing and information systems
      1. System management
        Centralization / decentralization
2. Software and its engineering
  1. Software organization and properties
    1. Software system structures
      1. Distributed systems organizing principles

Recommendations

Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud
SIGMETRICS '14: The 2014 ACM international conference on Measurement and modeling of computer systems

The dramatic proliferation of virtual machines (VMs) in datacenters and the highly-dynamic and transient nature of VM provisioning has revolutionized datacenter operations. However, the management of these environments is still carried out using re-...
Agentless Cloud-Wide Streaming of Guest File System Updates
IC2E '14: Proceedings of the 2014 IEEE International Conference on Cloud Engineering

We propose a non-intrusive approach for monitoring virtual machines (VMs) in the cloud. At the core of this approach is a mechanism for selective real-time monitoring of guest file updates within VM instances. This mechanism is agentless, requiring no ...
Enabling Instantaneous Relocation of Virtual Machines with a Lightweight VMM Extension
CCGRID '10: Proceedings of the 2010 10th IEEE/ACM International Conference on Cluster, Cloud and Grid Computing

We are developing an efficient resource management system with aggressive virtual machine (VM) relocation among physical nodes in a data center. Existing live migration technology, however, requires a long time to change the execution host of a VM, it ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGMETRICS Performance Evaluation Review

ACM SIGMETRICS Performance Evaluation Review Volume 42, Issue 1

Performance evaluation review

June 2014

569 pages

ISSN:0163-5999

DOI:10.1145/2637364

Editors:
Derek Eager
University of Saskatchewan
,
Carey Williamson
University of Calgary

Issue’s Table of Contents

SIGMETRICS '14: The 2014 ACM international conference on Measurement and modeling of computer systems
June 2014
614 pages
ISBN:9781450327893
DOI:10.1145/2591971
General Chairs:
Sujay Sanghavi
The University of Texas at Austin
,
Sanjay Shakkottai
The University of Texas at Austin
,
Program Chairs:
Marc Lelarge
INRIA, France
,
Bianca Schroeder
University of Toronto

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 June 2014

Published in SIGMETRICS Volume 42, Issue 1

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

32
Total Citations
View Citations
506
Total Downloads

Downloads (Last 12 months)11
Downloads (Last 6 weeks)2

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Xiong MLi YGu LPan SZeng DLi P(2020)Reinforcement Learning Empowered IDPS for Vehicular Networks in Edge ComputingIEEE Network10.1109/MNET.011.190032134:3(57-63)Online publication date: May-2020
https://doi.org/10.1109/MNET.011.1900321
Borisaniya BPatel D(2019)Towards virtual machine introspection based security framework for cloudSādhanā10.1007/s12046-018-1016-644:2Online publication date: 25-Jan-2019
https://doi.org/10.1007/s12046-018-1016-6
Wang CChen XJia WLi BQiu HZhao SCui HSeshan SBanerjee S(2018)PloverProceedings of the 15th USENIX Conference on Networked Systems Design and Implementation10.5555/3307441.3307483(483-499)Online publication date: 9-Apr-2018
https://dl.acm.org/doi/10.5555/3307441.3307483
Nadgowda SIsci CBal M(2018)DéjàVuProceedings of the 19th International Middleware Conference Industry10.1145/3284028.3284031(17-24)Online publication date: 10-Dec-2018
https://dl.acm.org/doi/10.1145/3284028.3284031
Taherizadeh SStankovski V(2017)Quality of Service Assurance for Internet of Things Time-Critical Cloud Applications: Experience with the Switch and Entice Projects2017 6th IIAI International Congress on Advanced Applied Informatics (IIAI-AAI)10.1109/IIAI-AAI.2017.209(289-294)Online publication date: Jul-2017
https://doi.org/10.1109/IIAI-AAI.2017.209
Abderrahim MOuzzif MGuillouard KFrancois JLebre A(2017)A Holistic Monitoring Service for Fog/Edge Infrastructures: A Foresight Study2017 IEEE 5th International Conference on Future Internet of Things and Cloud (FiCloud)10.1109/FiCloud.2017.30(337-344)Online publication date: Aug-2017
https://doi.org/10.1109/FiCloud.2017.30
Qiang WXu GDai WZou DJin H(2017)CloudVMI: A Cloud-Oriented Writable Virtual Machine IntrospectionIEEE Access10.1109/ACCESS.2017.27583565(21962-21976)Online publication date: 2017
https://doi.org/10.1109/ACCESS.2017.2758356
Jafarian JNiakanlahiji AAl-Shaer EDuan QLiu PWang C(2016)Multi-dimensional Host Identity Anonymization for Defeating Skilled AttackersProceedings of the 2016 ACM Workshop on Moving Target Defense10.1145/2995272.2995278(47-58)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2995272.2995278
Ren JLiu LZhang DZhang QBa H(2016)Tenants Attested Trusted Cloud Service2016 IEEE 9th International Conference on Cloud Computing (CLOUD)10.1109/CLOUD.2016.0085(600-607)Online publication date: Jun-2016
https://doi.org/10.1109/CLOUD.2016.0085
Wang HZhang GWang DDeng J(2022)KubeRM: a distributed rule-based security management system in cloud native environmentInternational Conference on Cloud Computing, Internet of Things, and Computer Applications (CICA 2022)10.1117/12.2642849(128)Online publication date: 28-Jul-2022
https://doi.org/10.1117/12.2642849
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents