An Efficient Heterogeneous Approach to Building Compressed Automata for Malware Signature Matching

  • Ciprian Pungila
  • Viorel Negru
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 299)


We are presenting an innovative, deterministic approach to constructing highly compressed automata commonly used in malware signature scanning. Our implementation allows building a very efficient (storage-wise) approach for automata, with particular focus on the Aho-Corasick and Commentz-Walter algorithms, using a heterogeneous architecture that not only performs faster, but also supports much larger automata. Experimental results have shown that the memory required for the construction process of our approach is two times lower than in the classic CPU-only approach, while the overall construction time for the automata is improved by at least 50% on average in our experiments.


compressed automata efficient storage heterogeneous construction Aho-Corasick Commentz-Walter GPU processing 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    NVIDIA, NVIDIA CUDA Compute Unified Device Architecture Programming Guide, version 4.1.,
  2. 2.
  3. 3.
    Vasiliadis, G.: GPU-assisted malware. In: 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)Google Scholar
  4. 4.
    Stewin, P., Bystrov, I.: Understanding DMA Malware. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 21–41. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Ladakis, E., Koromilas, L., Vasiliadis, G., Polychronakis, M., Ioannidis, S.: You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger. In: 6th European Workshop on System Security (EuroSec) (2013)Google Scholar
  6. 6.
    Herrero, A., Zurutuza, U., Corchado, E.: A Neural-Visualization IDS for Honeynet Data. Int. J. Neural Syst. 22(2) (2012)Google Scholar
  7. 7.
    Herrero, A., Navarro, M., Corchado, E., Julián, V.: RT-MOVICAB-IDS: Addressing real-time intrusion detection. Future Generation Comp. Syst. 29(1), 250–261 (2013)CrossRefGoogle Scholar
  8. 8.
    Aho, A., Corasick, M.: Efficient string matching: An Aid to bibliographic search. Communications of the ACM 18(6), 333–340 (1975)CrossRefMATHMathSciNetGoogle Scholar
  9. 9.
    Pungila, C., Negru, V.: Towards Building Efficient Malware Detection Engines Using Hybrid CPU/GPU-Accelerated Approaches. In: Ruiz-Martinez, A., Marin-Lopez, R., Pereniguez-Garcia, F. (eds.) Architectures and Protocols for Secure Information Technology Infrastructures, pp. 237–264. IGI Global, Hershey (2014)Google Scholar
  10. 10.
    Commentz-Walter, B.: A string matching algorithm fast on the average. In: Maurer, H.A. (ed.) Automata, Languages and Programming. LNCS, vol. 71, pp. 118–132. Springer, Heidelberg (1979)CrossRefGoogle Scholar
  11. 11.
    Wu, S., Manber, U.: A fast algorithm for multi-pattern searching. Technical Report TR-94-17, 1–11 (2004)Google Scholar
  12. 12.
    Boyer, R.S., Moore, J.S.: A fast string searching algorithm. Communications of the ACM 20, 762–772 (1977)CrossRefMATHGoogle Scholar
  13. 13.
    Pungila, C., Negru, V.: A Highly-Efficient Memory-Compression Approach for GPU-Accelerated Virus Signature Matching. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 354–369. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  14. 14.
    Clam AntiVirus,
  15. 15.
    Pungila, C., Negru, V.: Real-Time Polymorphic Aho-Corasick Automata for Heterogeneous Malicious Code Detection. In: Herrero, A., Baruque, B., Klett, F., Abraham, A., Snasel, V., de Carvalho, A.C.P.L.F., Bringas, P.G., Zelinka, I., Quintian, H., Corchado, E. (eds.) International Joint Conference SOCO’13-CISIS’13-ICEUTE’13. AISC, vol. 239, pp. 439–448. Springer, Heidelberg (2014)Google Scholar
  16. 16.
    Pungila, C., Reja, M., Negru, V.: Efficient parallel automata construction for hybrid resource-impelled data-matching. Future Generation Computer Systems (2013) ISSN 0167-739XGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Faculty of Mathematics and Informatics, Computer Science DepartmentWest University of TimisoaraTimisoaraRomania

Personalised recommendations