
Full Version: Vikesh Panwar

project maker

Detecting Computer Viruses using GPUs


Abstract

Anti-virus software is the main defense mechanism against malware, which is becoming more common
and advanced. A significant part of the virus scanning process is dedicated to scanning a given file against
a set of virus signatures. As it is important that the overall scanning process be as fast as possible, efforts
must be made to minimize the time spent in signature matching. Recently, graphics processing units have
increased in popularity in high performance computation, due to their inherently parallel architecture.
One of their possible applications is performing matching of multiple signatures in parallel. In this
work, we present details on the implemented multiple string searching algorithm based on deterministic
finite automata which runs on a graphics processing unit. Due to space concerns inherent to DFAs,
our algorithm only scans for a substring of each signature, thereby serving as a high-speed pre-filtering
mechanism. Multiple optimizations were implemented in order to increase its performance. In our
experiments with sets of test files, the implemented solution was found to have a speedup of around 28
when compared to the pattern matching portion of ClamAV, an open-source anti-virus engine. On other
sets of test files with different characteristics the solution does not have such a good performance, but
future work is described to improve it in these situations.



Introduction

As technology gets more advanced, malware writers are using a whole new set of techniques to build
malware that is more efficient and harder to detect. Malware is also becoming more prevalent in the
web: for instance, anti-virus companies can receive malware samples at a rate of about one sample
every 5 seconds. Due to this emergence, both IT professionals and regular users alike are facing various
challenges when it comes to protection. An example of an effort to increase the defenses against viruses
is the cooperation between anti-virus companies to detect a new variation of a virus (or a new virus
itself): samples of recent viruses are placed into a shared repository to which the anti-virus companies
have access. Yet, there is still a given time window (from the time where the virus first appears to the
time where an anti-virus company updates their product) in which users are vulnerable.
Anti-virus products try to minimize the chance of infection of a machine, employing various techniques
to do so. For instance, they might take a sample and analyze its behavior at run time, in order to
check if the sample does anything that it is not supposed to. However, this run-time analysis should
not be the first thing to do to a newly arrived sample, as it is very time consuming. The first step in
identifying a virus is usually done by scanning a file, and matching its body to a set of rules or patterns,
called signatures. Each signature can correspond to a different virus or strain of one, and if it occurs in
the body of a file, then we know that the file is malicious.
As stated above, viruses are becoming more and more common on the web, and due to this, signature
sets can only increase in size. Scanning for all of them on a single file can be a process which is very
time-consuming, and if the search was to be done in a naive manner (repeatedly comparing the text
characters against all of the signatures), the process would surely not be completed in an acceptable time
frame. In anti-virus products, this process has to be especially fast: if it is too slow, the anti-virus
application becomes the bottleneck of the system, which can cause a significant decrease in the overall
system performance.
Anti-virus product

Conclusions

We started by presenting the problem that we set out to solve, along with background on it.
We gave an introduction to general purpose computing on GPUs, and showed how they can be utilized
to achieve high performance. We then presented related work in the area, which served as a basis for
our own.
Details were shown for our system, an O(n) algorithm running on two GPUs which pre-processes files
in a high-speed manner in order to detect if possible virus signatures are present in them. It differs from
other related work using ClamAV as it is capable of scanning a high quantity of files in parallel.
The system was found to have a good speed-up in the case that it was designed for: an e-mail gateway
with a large number of files with limited sizes. A number of optimizations were implemented in order to
achieve this performance, which was not possible with a first implementation.
Our solution did not perform so well in some cases, and it is open to targeted attacks. Future work
was then proposed to mitigate some of these issues and further improve the solution’s performance.
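
The DFA pre-filter described in the abstract and conclusions, as an added example that is not code from the original work: an Aho-Corasick automaton flattened into a DFA and run on the CPU rather than a GPU, matching only a short substring of each signature and then confirming candidates against the full signature. The signature bytes and names, `FRAG_LEN`, and the choice of the leading bytes as the substring are assumptions made for illustration.

```python
from collections import deque

FRAG_LEN = 4  # assumed length of the per-signature substring kept in the DFA
SIGNATURES = [  # constructed sample signatures, not real malware patterns
    ("Demo.A", b"\xde\xad\xbe\xef\x13\x37\x42\x99"),
    ("Demo.B", b"XYZZY-PAYLOAD-01"),
]

def build_dfa(fragments):
    """Aho-Corasick automaton flattened to a DFA: one table lookup per byte."""
    goto, out = [[-1] * 256], [set()]
    for idx, frag in enumerate(fragments):      # 1. trie of all fragments
        s = 0
        for b in frag:
            if goto[s][b] < 0:
                goto.append([-1] * 256)
                out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(idx)
    fail, queue = [0] * len(goto), deque([0])
    while queue:                                # 2. BFS fills every missing edge
        s = queue.popleft()
        out[s] |= out[fail[s]]                  # inherit matches ending at a suffix
        for b in range(256):
            t = goto[s][b]
            fallback = goto[fail[s]][b] if s else 0
            if t < 0:
                goto[s][b] = fallback           # no edge: behave like the suffix state
            else:
                fail[t] = fallback
                queue.append(t)
    return goto, out

DFA = build_dfa([sig[:FRAG_LEN] for _, sig in SIGNATURES])

def prefilter(data, dfa=DFA):
    """Single O(n) pass; returns indices of signatures whose fragment occurs."""
    goto, out = dfa
    s, hits = 0, set()
    for b in data:
        s = goto[s][b]
        hits |= out[s]
    return hits

def scan(data):  # -> (names flagged by the pre-filter, names confirmed in full)
    flagged = sorted(prefilter(data))
    confirmed = [SIGNATURES[i][0] for i in flagged if SIGNATURES[i][1] in data]
    return [SIGNATURES[i][0] for i in flagged], confirmed
```

Because only a substring is in the automaton, a file can be flagged without containing the full signature, which is why the flagged set is re-checked before a verdict is given.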