Real-Time Polymorphic Aho-Corasick Automata for Heterogeneous Malicious Code Detection

Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 239)


We are proposing a new, heterogeneous approach to performing malicious code detection in intrusion detection systems using an innovative hybrid implementation of the Aho-Corasick automaton, commonly used in pattern-matching applications. We are introducing and defining the Aho-Corasick polymorphic automaton, a new type of automaton which can change its nodes and transitions in real-time on adequate hardware, using an approach we designed for heterogeneous hardware and which easily scales to hybrid heterogeneous systems with multiple CPUs and GPUs. Using as a test-bed a set of the latest virus signatures from the ClamAV database, we analyze the performance impact of several different types of heuristics on the new type of automata and discuss its feasibility and potential applications in real-time intelligent malicious code detection.


aho-corasick intelligent malicious code detection heterogeneous hardware parallel algorithm 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aho, A., Corasick, M.: Efficient string matching: An Aid to blbiographic search. CACM 18(6), 333–340 (1975)MathSciNetMATHCrossRefGoogle Scholar
  2. 2.
    Cha, S.K., Moraru, I., Jang, J., Truelove, J., Brumley, D., Andersen, D.G.: Split Screen: Enabling Efficient, Distributed Malware Detection. In: Proc. 7th USENIX NSDI (2010)Google Scholar
  3. 3.
    Lee, T.H.: Generalized Aho-Corasick Algorithm for Signature Based Anti-Virus Applications. In: Proceedings of 16th International Conference on Computer Communications and Networks, ICCN (2007)Google Scholar
  4. 4.
  5. 5.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. Computer Networks 31, 2435–2463 (1999)CrossRefGoogle Scholar
  6. 6.
    Pungila, C.: A Bray-Curtis Weighted Automaton for Detecting Malicious Code Through System-Call Analysis. In: 11th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pp. 392–400 (2009)Google Scholar
  7. 7.
    Arshad, J., Townend, P., Xu, J.: A novel intrusion severity analysis approach for Clouds. Future Generation Computer Systems (2011), doi:10.1016/j.future.2011.08.009Google Scholar
  8. 8.
    Corchado, E., Herrero, A.: Neural visualization of network traffic data for intrusion detection. Applied Soft Computing 11(2), 2042–2056 (2011)CrossRefGoogle Scholar
  9. 9.
    Panda, M., Abraham, A., Patra, M.R.: Hybrid Intelligent Approach for Network Intrusion Detection. Procedia Engineering 30, 1–9 (2012), doi:10.1016/j.proeng.2012.01.827CrossRefGoogle Scholar
  10. 10.
    Wang, Z., Xu, G., Li, H., Zhang, M.: A Fast and Accurate Method for Approximate String Searc. In: Proceedings of the 49th Annual Meeting of the Association for Computational Linguistics: Human Language Technologies, vol. 1, pp. 52–61 (2011)Google Scholar
  11. 11.
    Pungila, C.: Improved file-carving through data-parallel pattern matching for data forensics. In: 7th IEEE International Symposium on Applied Computational Intelligence and Informatics (SACI), pp. 197–202 (2012)Google Scholar
  12. 12.
    Pungila, C.: Hybrid Compression of the Aho-Corasick Automaton for Static Analysis in Intrusion Detection Systems. In: Herrero, Á., Snášel, V., Abraham, A., Zelinka, I., Baruque, B., Quintián, H., Calvo, J.L., Sedano, J., Corchado, E. (eds.) Int. Joint Conf. CISIS’12-ICEUTE’12-SOCO’12. AISC, vol. 189, pp. 77–86. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  13. 13.
    Pungila, C., Negru, V.: A Highly-Efficient Memory-Compression Approach for GPU-Accelerated Virus Signature Matching. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 354–369. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  14. 14.
    Lee, V.W., Kim, C., Chhugani, J., Deisher, M., Kim, D. Nguyen, A.D., Satish, N., Smelyanskiy, M., Chennupaty, S., Hammarlund, P., Singhal, R., Dubey, P.: Debunking the 100X GPU vs. CPU myth: an evaluation of throughput computing on CPU and GPU. In: Proceedings of the 37th Annual International Symposium on Computer Architecture (ISCA 2010), pp. 451–460. ACM, New York,, doi:10.1145/1815961.1816021
  15. 15.
    Clam AntiVirus,
  16. 16.
    Hamming, R.W.: Error detecting and error correcting codes. Bell System Technical Journal 29(2), 147–160 (1950)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Needleman, S.B., Wunsch, C.D.: A general method applicable to the search for similarities in the amino acid sequence of two proteins. J. Mol. Biol. 47, 443–453 (1970)CrossRefGoogle Scholar
  18. 18.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.West University of TimisoaraTimisRomania

Personalised recommendations