As cloud computing services expand from general-purpose use to mission-critical systems such as strategic military, financial, and governmental information systems, the need for improved methods to ensure the stability and security of cloud data and services is increasingly emphasized. Various approaches have been developed to improve the security and stability of cloud infrastructure. In particular, continuous inspection of the memory of Virtual Machine (VM) instances in the cloud platform has been an important factor in identifying the causes of security incidents related to zero-day vulnerabilities and critical system faults in cloud infrastructure. However, despite numerous studies in the field of continuous memory inspection, it is difficult to find a practical solution that is deployable in commercial-off-the-shelf cloud platforms. For instance, continuous memory snapshots generally cause various problems such as more frequent VM downtime, user-obstructive latency for memory snapshots, VM performance degradation, and massive data generation. To alleviate these limitations, we propose Cloud-BlackBox, which enables the recording of the memory of VM swarms running on cloud platforms that require a very high level of stability and security, and facilitates flexible, large-scale analysis of the recorded memory. A VM swarm refers to an environment in which multiple VMs are run in parallel. The proposed Cloud-BlackBox method provides the following benefits. First, by clustering VM swarm kernel memory, the amount of computation required to capture memory snapshots and the size of the generated snapshot images are minimized. Further, we propose a mechanism to merge kernel memory by rapidly identifying the homogeneity of the memory layout through analysis of the underlying base image and introspection of the running VM. The application of the proposed mechanism reduced storage by a factor of 12.85. Second, a cognitive-scale bitmap was designed to track changes in the memory of VM swarms. The cognitive-scale bitmap is a mechanism that dynamically manages the tracking of memory change information by recognizing the memory usage patterns of component VMs. With the designed cognitive-scale bitmap, the time required to collect a memory snapshot was reduced by a factor of more than 14.85, and the VM input/output (I/O) performance degradation was reduced by 50%. Third, a synchronized accessible memory interchange (SAMI) mechanism is proposed to facilitate agile, in-depth analysis of large-scale memory resources. Because Cloud-BlackBox tracks and records memory change information, the recorded memory must first be restored to a raw form that analysis tools can read. The SAMI mechanism assists the analyst in ensuring consistent memory restoration performance when arbitrarily selecting recorded memory. Furthermore, SAMI is useful for reducing the scope of analysis without memory restoration, simply by analyzing recorded metadata. Consequently, the revised schemes inside Cloud-BlackBox have several applications in various fields, such as advanced detection of malicious activities, service error recovery, malware analysis, and antivirus functions. In addition, the proposed approach has been implemented on a campus-wide cloud computing service called SysCore-Cloud.