GrAVity: A Massively Parallel Antivirus Engine

  • Giorgos Vasiliadis
  • Sotiris Ioannidis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)


In the ongoing arms race against malware, antivirus software is at the forefront, as one of the most important defense tools in our arsenal. Antivirus software is flexible enough to be deployed from regular users desktops, to corporate e-mail proxies and file servers. Unfortunately, the signatures necessary to detect incoming malware number in the tens of thousands. To make matters worse, antivirus signatures are a lot longer than signatures in network intrusion detection systems. This leads to extremely high computation costs necessary to perform matching of suspicious data against those signatures.

In this paper, we present GrAVity, a massively parallel antivirus engine. Our engine utilized the compute power of modern graphics processors, that contain hundreds of hardware microprocessors. We have modified ClamAV, the most popular open source antivirus software, to utilize our engine. Our prototype implementation has achieved end-to-end throughput in the order of 20 Gbits/s, 100 times the performance of the CPU-only ClamAV, while almost completely offloading the CPU, leaving it free to complete other tasks. Our micro-benchmarks have measured our engine to be able to sustain throughput in the order of 40 Gbits/s. The results suggest that modern graphics cards can be used effectively to perform heavy-duty anti-malware operations at speeds that cannot be matched by traditional CPU based techniques.


Thread Block Direct Memory Access Texture Memory Pattern Match Algorithm Virus Signature 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aho, A.V., Corasick, M.J.: Efficient String Matching: an Aid to Bibliographic Search. Communications of the ACM 18(6), 333–340 (1975)zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Baker, Z.K., Prasanna, V.K.: Time and area efficient pattern matching on FPGAs. In: Proceedings of the 2004 ACM/SIGDA 12th International Symposium on Field Programmable Gate Arrays (FPGA 2004), pp. 223–232. ACM, New York (2004)CrossRefGoogle Scholar
  3. 3.
    Boyer, R.S., Moore, J.S.: A fast string searching algorithm. Communications of the Association for Computing Machinery 20(10), 762–772 (1977)Google Scholar
  4. 4.
    Braun, F., Lockwood, J., Waldvogel, M.: Protocol wrappers for layered network packet processing in reconfigurable hardware. IEEE Micro 22(1), 66–74 (2002)CrossRefGoogle Scholar
  5. 5.
    Cha, S.K., Moraru, I., Jang, J., Truelove, J., Brumley, D., Andersen, D.G.: SplitScreen: Enabling efficient, distributed malware detection. In: Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI), San Jose, CA (April 2010)Google Scholar
  6. 6.
    Clark, C.R., Lee, W., Schimmel, D.E., Contis, D., Kon, M., Thomas, A.: A Hardware Platform for Network Intrusion Detection and Prevention. In: Crowley, P., Franklin, M.A., Hadimioglu, H., Onufryk, P.Z. (eds.) Network Processor Design: Issues and Practices, vol. 3, pp. 99–118. Morgan Kaufmann, San Francisco (2005)CrossRefGoogle Scholar
  7. 7.
    de Bruijn, W., Slowinska, A., van Reeuwijk, K., Hruby, T., Xu, L., Bos, H.: SafeCard: a Gigabit IPS on the network card. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 311–330. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Dharmapurikar, S., Krishnamurthy, P., Sproull, T.S., Lockwood, J.W.: Deep packet inspection using parallel bloom filters. IEEE Micro 24(1), 52–61 (2004)CrossRefGoogle Scholar
  9. 9.
    Erdogan, O., Cao, P.: Hash-AV: Fast virus signature scanning by cache-resident filters. International Journal of Security and Networks 2(1/2), 50–59 (2007)CrossRefGoogle Scholar
  10. 10.
    Ho, J.T.L., Lemieux, G.G.: PERG-Rx: a hardware pattern-matching engine supporting limited regular expressions. In: FPGA 2009: Proceeding of the ACM/SIGDA International Symposium on Field Programmable Gate Arrays, pp. 257–260. ACM, New York (2009)CrossRefGoogle Scholar
  11. 11.
    Huang, N.-F., Hung, H.-W., Lai, S.-H., Chu, Y.-M., Tsai, W.-Y.: A gpu-based multiple-pattern matching algorithm for network intrusion detection systems. In: 22nd International Conference on Advanced Information Networking and Applications - Workshops, AINAW 2008, pp. 62–67 (25-28, 2008)Google Scholar
  12. 12.
    Kojm, T.: Clamav,
  13. 13.
    Kulishov, F.: DFA-based and SIMD NFA-based regular expression matching on Cell BE for fast network traffic filtering. In: SIN 2009: Proceedings of the 2nd International Conference on Security of Information and Networks, pp. 123–127. ACM, New York (2009)CrossRefGoogle Scholar
  14. 14.
    Lin, Y.-D., Lin, P.-C., Lai, Y.-C., Liu, T.-Y.: Hardware-Software Codesign for High-Speed Signature-based Virus Scanning. IEEE Micro 29(5), 56–65 (2009)CrossRefGoogle Scholar
  15. 15.
    Lin, Y.-D., Tseng, K.-K., Lee, T.-H., Lin, Y.-N., Hung, C.-C., Lai, Y.-C.: A platform-based SoC design and implementation of scalable automaton matching for deep packet inspection. J. Syst. Archit. 53(12), 937–950 (2007)CrossRefGoogle Scholar
  16. 16.
    Miretskiy, Y., Das, A., Wright, C.P., Zadok, E.: Avfs: An On-Access Anti-Virus File System. In: Proceedings of the 13th USENIX Security Symposium, p. 6. USENIX Association, Berkeley (2004)Google Scholar
  17. 17.
    Moscola, J., Lockwood, J., Loui, R., Pachos, M.: Implementation of a Content-Scanning Module for an Internet Firewall. In: Proceedings of IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Napa, CA, USA, pp. 31–38 (April 2003)Google Scholar
  18. 18.
    NVIDIA. NVIDIA CUDA Compute Unified Device Architecture Programming Guide, version 3.0,
  19. 19.
    Scarpazza, D.P., Villa, O., Petrini, F.: Exact multi-pattern string matching on the cell/b.e. processor. In: CF 2008: Proceedings of the 2008 Conference on Computing Frontiers, pp. 33–42. ACM, New York (2008)CrossRefGoogle Scholar
  20. 20.
    Sidhu, R., Prasanna, V.: Fast regular expression matching using FPGAs. In: IEEE Symposium on Field-Programmable Custom Computing Machines, FCCM 2001 (2001)Google Scholar
  21. 21.
    Smith, R., Goyal, N., Ormont, J., Sankaralingam, K., Estan, C.: Evaluating GPUs for Network Packet Signature Matching. In: Proceedings of the International Symposium on Performance Analysis of Systems and Software (2009)Google Scholar
  22. 22.
    Song, T., Zhang, W., Wang, D., Xue, Y.: A Memory Efficient Multiple Pattern Matching Architecture for Network Security. In: INFOCOM 2008. The 27th Conference on Computer Communications, pp. 166–170. IEEE, Los Alamitos (13-18, 2008)CrossRefGoogle Scholar
  23. 23.
    Sourdis, I., Pnevmatikatos, D.: Pre-decoded CAMs for efficient and high-speed NIDS pattern matching. In: FCCM 2004: Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, Washington, DC, USA, pp. 258–267. IEEE Computer Society, Los Alamitos (2004)CrossRefGoogle Scholar
  24. 24.
    Sourdis, I., Pnevmatikatos, D.N., Vassiliadis, S.: Scalable multigigabit pattern matching for packet inspection. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 16(2), 156–166 (2008)CrossRefGoogle Scholar
  25. 25.
    Tumeo, A., Villa, O., Sciuto, D.: Efficient pattern matching on GPUs for intrusion detection systems. In: CF 2010: Proceedings of the 7th ACM International Conference on Computing Frontiers, pp. 87–88. ACM, New York (2010)CrossRefGoogle Scholar
  26. 26.
    Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E.P., Ioannidis, S.: Gnort: High Performance Network Intrusion Detection Using Graphics Processors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 116–134. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  27. 27.
    Vasiliadis, G., Polychronakis, M., Antonatos, S., Markatos, E.P., Ioannidis, S.: Regular Expression Matching on Graphics Hardware for Intrusion Detection. In: Proceedings of 12th International Symposium on Recent Advances in Intrusion Detection (RAID) (2009)Google Scholar
  28. 28.
    Wu, C., Yin, J., Cai, Z., Zhu, E., Chen, J.: A Hybrid Parallel Signature Matching Model for Network Security Applications Using SIMD GPU. In: Dou, Y., Gruber, R., Joller, J.M. (eds.) APPT 2009. LNCS, vol. 5737, pp. 191–204. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  29. 29.
    Yu, F., Katz, R.H., Lakshman, T.V.: Gigabit Rate Packet Pattern-Matching Using TCAM. In: Proceedings of the 12th IEEE International Conference on Network Protocols (ICNP 2004), Washington, DC, USA, pp. 174–183. IEEE Computer Society, Los Alamitos (October 2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Giorgos Vasiliadis
    • 1
  • Sotiris Ioannidis
    • 1
  1. 1.Institute of Computer ScienceFoundation for Research and Technology – HellasHeraklion, CreteGreece

Personalised recommendations