GrAVity: A Massively Parallel Antivirus Engine

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2010)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6307)

Abstract

In the ongoing arms race against malware, antivirus software is at the forefront, as one of the most important defense tools in our arsenal. Antivirus software is flexible enough to be deployed anywhere from regular users' desktops to corporate e-mail proxies and file servers. Unfortunately, the signatures necessary to detect incoming malware number in the tens of thousands. To make matters worse, antivirus signatures are a lot longer than signatures in network intrusion detection systems. This leads to extremely high computation costs for matching suspicious data against those signatures.

In this paper, we present GrAVity, a massively parallel antivirus engine. Our engine utilizes the compute power of modern graphics processors, which contain hundreds of hardware microprocessors. We have modified ClamAV, the most popular open source antivirus software, to utilize our engine. Our prototype implementation has achieved end-to-end throughput in the order of 20 Gbits/s, 100 times the performance of the CPU-only ClamAV, while almost completely offloading the CPU, leaving it free to complete other tasks. Our micro-benchmarks have measured our engine to be able to sustain throughput in the order of 40 Gbits/s. The results suggest that modern graphics cards can be used effectively to perform heavy-duty anti-malware operations at speeds that cannot be matched by traditional CPU-based techniques.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vasiliadis, G., Ioannidis, S. (2010). GrAVity: A Massively Parallel Antivirus Engine. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_5

  • DOI: https://doi.org/10.1007/978-3-642-15512-3_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3

  • eBook Packages: Computer Science, Computer Science (R0)
