Journal Article

Hardware Accelerator to Detect Multi-Segment Virus Patterns

Xing Wang, Nga Lam Or, Ziyan Lu and Derek Pao

in The Computer Journal

Published on behalf of British Computer Society

Volume 58, issue 10, pages 2443-2460
Published in print October 2015 | ISSN: 0010-4620
Published online August 2014 | e-ISSN: 1460-2067 | DOI: https://dx.doi.org/10.1093/comjnl/bxu079
Hardware Accelerator to Detect Multi-Segment Virus Patterns

Show Summary Details

Preview

Multi-segment pattern is a common virus structure, and there are 2229 multi-segment patterns in the ClamAV virus database version 54. We observe that (i) the pattern set contains over 100 nondistinctive short segments, e.g. 2 bytes of zero; (ii) some of the 2-byte segments can appear many times in one or more patterns; (iii) some patterns contain a large number of 2-byte segments; (iv) many short segments are substrings/suffixes of other longer segments; and (v) adjacent segments may contain overlapping bytes. The aforementioned properties pose great difficulties to the conventional detection methods. Instead of viewing the virus signature as a byte sequence, we regard the pattern to be composed of a sequence of tokens, where each token corresponds to a segment. We transform the input byte stream into a token stream. The detection engine will then process the token stream to determine if any virus signatures can be found. Our detection method for the 2229 multi-segment patterns can be implemented on a field programmable gate array (FPGA) using 290 KB on-chip memory. The device can operate at 170 MHz and it can process 1 byte per cycle. The processing architecture is memory based. When the pattern set is updated, the FPGA need not be reconfigured.

Keywords: virus detection; string matching; regular expression matching; hardware detection engine; memory-based architecture

Journal Article.  0 words. 

Subjects: Computer Science

Full text: subscription required

How to subscribe Recommend to my Librarian

Users without a subscription are not able to see the full content. Please, subscribe or login to access all content. subscribe or purchase to access all content.