A Highly-Efficient Memory-Compression Approach for GPU-Accelerated Virus Signature Matching

  • Ciprian Pungila
  • Viorel Negru
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)


We are proposing an approach for implementing highly compressed Aho-Corasick and Commentz-Walter automatons for performing GPU-accelerated virus scanning, suitable for implementation in real-world software and hardware systems. We are performing experiments using the set of virus signatures from ClamAV and a CUDA-based graphics card, showing how memory consumption can be improved dramatically (along with run-time performance), both in the pre-processing stage and at run-time. Our approach also ensures maximum bandwidth for the data transfer required in the pre-processing stage, between the host and the device memory, making it ideal for implementation in real-time virus scanners. Finally, we show how using this model and an efficient combination of the two automata can result in much lower memory requirements in real-world implementations.


gpu gpu-accelerated cuda commentz-walter aho-corasick wu-manber memory efficient virus scan malicious code detection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aho, A., Corasick, M.: Efficient string matching: An Aid to blbiographic search. CACM 18(6), 333–340 (1975)MathSciNetzbMATHGoogle Scholar
  2. 2.
    Boyer, R.S., Moore, J.S.: A fast string searching algorithm. Communications of the ACM 20, 762–772 (1977)zbMATHCrossRefGoogle Scholar
  3. 3.
    Commentz-Walter, B.: A String Matching Algorithm Fast on the Average. In: Maurer, H.A. (ed.) ICALP 1979. LNCS, vol. 71, pp. 118–132. Springer, Heidelberg (1979)CrossRefGoogle Scholar
  4. 4.
    Wu, S., Manber, U.: A fast algorithm for multi-pattern searching. Technical Report TR-94-17, University of Arizona (1994)Google Scholar
  5. 5.
    Clam AntiVirus,
  6. 6.
    Vasiliadis, G., Ioannidis, S.: GrAVity: A Massively Parallel Antivirus Engine. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 79–96. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    NVIDIA: NVIDIA CUDA Compute Unified Device Architecture Programming Guide, version 4.1,
  8. 8.
    Lee, T.H.: Generalized Aho-Corasick Algorithm for Signature Based Anti-Virus Applications. In: Proceedings of 16th International Conference on Computer Communications and Networks, ICCN (2007)Google Scholar
  9. 9.
    Pungila, C.: A Bray-Curtis Weighted Automaton for Detecting Malicious Code Through System-Call Analysis. In: 11th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC, pp. 392–400 (2009)Google Scholar
  10. 10.
    Erdogan, O.: Hash-AV: fast virus signature scanning by cache-resident filters. International Journal of Security and Networks 2(1/2) (2007)Google Scholar
  11. 11.
    Lin, P.C., Lin, Y.D., Lai, Y.C.: A Hybrid Algorithm of Backward Hashing and Automaton Tracking for Virus Scanning. IEEE Transactions on Computers 60(4), 594–601 (2011)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Cha, S.K., Moraru, I., Jang, J., Truelove, J., Brumley, D., Andersen, D.G.: Split Screen: Enabling Efficient, Distributed Malware Detection. In: Proc. 7th USENIX NSDI (2010)Google Scholar
  13. 13.
    Miretskiy, Y., Das, A., Wright, C.P., Zadok, E.: Avfs: An On-Access Anti-Virus File System. In: Proceedings of the 13th USENIX Security Symposium (2004)Google Scholar
  14. 14.
    Tuck, N., Sherwood, T., Calder, B., Varghese, G.: Deterministic memory-efficient string matching algorithms for intrusion detection. In: 23rd Annual Joint Conference of the IEEE Computer and Communications Societies, INFOCOM, vol. 4, pp. 2628–2639 (2004)Google Scholar
  15. 15.
  16. 16.
    Zha, X., Sahni, S.: Highly Compressed Aho-Corasick Automata For Efficient Intrusion Detection. In: IEEE Symposium on Computers and Communications, ISCC, pp. 298–303 (2008)Google Scholar
  17. 17.
    Vasiliadis, G., Polychronakis, M., Ioannidis, S.: MIDeA: A Multi-Parallel Intrusion Detection Architecture. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS, pp. 297–308 (2011)Google Scholar
  18. 18.
    Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E.P., Ioannidis, S.: Gnort: High Performance Network Intrusion Detection Using Graphics Processors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 116–134. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  19. 19.
    Liu, C.H., Chien, L.S., Chang, S.C., Hon, W.K.: PFAC Library: GPU-based string matching algorithm. In: PU Technology Conference, GTC (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Ciprian Pungila
    • 1
  • Viorel Negru
    • 1
  1. 1.West University of TimisoaraTimisoaraRomania

Personalised recommendations