GrAVity: a massively parallel antivirus engine

Authors:
Giorgos Vasiliadis;Sotiris Ioannidis
Affiliations:
Institute of Computer Science, Foundation for Research and Technology-Hellas, Heraklion, Crete, Greece;Institute of Computer Science, Foundation for Research and Technology-Hellas, Heraklion, Crete, Greece
Venue:
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Year:
2010

Citing 24
Cited 4

A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Protocol Wrappers for Layered Network Packet Processing in Reconfigurable Hardware

IEEE Micro
Implementation of a Content-Scanning Module for an Internet Firewall

FCCM '03 Proceedings of the 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Time and area efficient pattern matching on FPGAs

FPGA '04 Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays
Pre-Decoded CAMs for Efficient and High-Speed NIDS Pattern Matching

FCCM '04 Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Gigabit Rate Packet Pattern-Matching Using TCAM

ICNP '04 Proceedings of the 12th IEEE International Conference on Network Protocols
Fast Regular Expression Matching Using FPGAs

FCCM '01 Proceedings of the the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Avfs: an on-access anti-virus file system

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
A platform-based SoC design and implementation of scalable automaton matching for deep packet inspection

Journal of Systems Architecture: the EUROMICRO Journal
Hash-AV: fast virus signature scanning by cache-resident filters

International Journal of Security and Networks
Exact multi-pattern string matching on the cell/b.e. processor

Proceedings of the 5th conference on Computing frontiers
Scalable multigigabit pattern matching for packet inspection

IEEE Transactions on Very Large Scale Integration (VLSI) Systems
A GPU-Based Multiple-Pattern Matching Algorithm for Network Intrusion Detection Systems

AINAW '08 Proceedings of the 22nd International Conference on Advanced Information Networking and Applications - Workshops
Gnort: High Performance Network Intrusion Detection Using Graphics Processors

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Deep Packet Inspection using Parallel Bloom Filters

IEEE Micro
PERG-Rx: a hardware pattern-matching engine supporting limited regular expressions

Proceedings of the ACM/SIGDA international symposium on Field programmable gate arrays
A Hybrid Parallel Signature Matching Model for Network Security Applications Using SIMD GPU

APPT '09 Proceedings of the 8th International Symposium on Advanced Parallel Processing Technologies
DFA-based and SIMD NFA-based regular expression matching on cell BE for fast network traffic filtering

Proceedings of the 2nd international conference on Security of information and networks
Hardware-Software Codesign for High-Speed Signature-based Virus Scanning

IEEE Micro
Regular Expression Matching on Graphics Hardware for Intrusion Detection

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Efficient pattern matching on GPUs for intrusion detection systems

Proceedings of the 7th ACM international conference on Computing frontiers
SplitScreen: enabling efficient, distributed malware detection

NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
SafeCard: a gigabit IPS on the network card

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Experiences with string matching on the fermi architecture

ARCS'11 Proceedings of the 24th international conference on Architecture of computing systems
A highly-efficient memory-compression approach for GPU-Accelerated virus signature matching

ISC'12 Proceedings of the 15th international conference on Information Security
Review: Intrusion detection system: A comprehensive review

Journal of Network and Computer Applications
The impact of the antivirus on the digital evidence

International Journal of Electronic Security and Digital Forensics

Quantified Score

Hi-index	0.00

Visualization

Abstract

In the ongoing arms race against malware, antivirus software is at the forefront, as one of the most important defense tools in our arsenal. Antivirus software is flexible enough to be deployed from regular users desktops, to corporate e-mail proxies and file servers. Unfortunately, the signatures necessary to detect incoming malware number in the tens of thousands. To make matters worse, antivirus signatures are a lot longer than signatures in network intrusion detection systems. This leads to extremely high computation costs necessary to perform matching of suspicious data against those signatures. In this paper, we present GrAVity, a massively parallel antivirus engine. Our engine utilized the compute power of modern graphics processors, that contain hundreds of hardware microprocessors. We have modified ClamAV, the most popular open source antivirus software, to utilize our engine. Our prototype implementation has achieved end-toend throughput in the order of 20 Gbits/s, 100 times the performance of the CPU-only ClamAV, while almost completely offloading the CPU, leaving it free to complete other tasks. Our micro-benchmarks have measured our engine to be able to sustain throughput in the order of 40 Gbits/s. The results suggest that modern graphics cards can be used effectively to perform heavy-duty anti-malware operations at speeds that cannot be matched by traditional CPU based techniques.