Hardware Accelerator to Detect Multi-Segment Virus Patterns

Research output: Journal Publications and Reviews (RGC: 21, 22, 62), publication in refereed journal, peer-reviewed

5 Scopus Citations

Author(s): Wang, Xing; Or, Nga Lam; Lu, Ziyan; Pao, Derek

Detail(s)

Original language: English
Pages (from-to): 2443-2460
Journal / Publication: Computer Journal
Volume: 58
Issue number: 10
Publication status: Published - 1 Oct 2015

Abstract

The multi-segment pattern is a common virus structure, and there are 2229 multi-segment patterns in the ClamAV virus database version 54. We observe that (i) the pattern set contains over 100 nondistinctive short segments, e.g. 2 bytes of zero; (ii) some of the 2-byte segments can appear many times in one or more patterns; (iii) some patterns contain a large number of 2-byte segments; (iv) many short segments are substrings/suffixes of other longer segments; and (v) adjacent segments may contain overlapping bytes. These properties pose great difficulties for conventional detection methods. Instead of viewing the virus signature as a byte sequence, we regard the pattern as a sequence of tokens, where each token corresponds to a segment. We transform the input byte stream into a token stream, and the detection engine then processes the token stream to determine whether any virus signature is present. Our detection method for the 2229 multi-segment patterns can be implemented on a field programmable gate array (FPGA) using 290 KB of on-chip memory. The device can operate at 170 MHz and process 1 byte per cycle. The processing architecture is memory based, so when the pattern set is updated the FPGA need not be reconfigured.
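The abstract's two-stage idea (convert the byte stream into a token stream, then match each signature as an ordered token sequence) can be shown in software. The following is an added illustration, not code from the paper or from ClamAV: the patterns, segment table and sample buffer are constructed for the example, segments are written ClamAV-style as hex joined by `*` (an unbounded gap), and the matcher requires consecutive segments not to overlap in the input, so property (v) of the abstract is deliberately not modelled. The tokenizer is a naive scan rather than the paper's FPGA engine.

```python
"""Token-based detection of multi-segment patterns (added example).

A pattern such as "4d5a*0000*0000*e8" is a list of segments separated by
unbounded gaps.  Stage 1 turns the input into (token_id, start, end) tuples,
one per occurrence of any known segment; stage 2 checks each pattern as an
ordered token sequence.  Everything below is constructed sample data.
"""
from typing import Dict, List, Tuple

Token = Tuple[int, int, int]  # (token_id, start_offset, end_offset)

# Constructed signatures: a repeated 2-byte zero segment (properties i-iii),
# a short segment that is a suffix of a longer one (property iv), and a
# signature whose first segment never appears in the sample.
PATTERNS: Dict[str, str] = {
    "sample.a": "4d5a*0000*0000*e8",
    "sample.b": "cafebabe*babe",
    "sample.c": "deadbeef*0000",
}

# Constructed input buffer (hypothetical, not a real file).
SAMPLE: bytes = bytes.fromhex("4d5a90000001" "0000e8ff" "cafebabe00babe")


def parse_patterns(patterns: Dict[str, str]) -> Tuple[Dict[str, List[int]], List[bytes]]:
    """Split each hex pattern on '*' and map every distinct segment to one token id.

    A nondistinctive segment such as "0000" that recurs across or within patterns
    becomes a single shared token, so the segment table does not grow with the
    number of times the segment is used.
    """
    segment_ids: Dict[bytes, int] = {}
    compiled: Dict[str, List[int]] = {}
    for name, hexpat in patterns.items():
        tokens: List[int] = []
        for hexseg in hexpat.split("*"):
            seg = bytes.fromhex(hexseg)
            if seg not in segment_ids:
                segment_ids[seg] = len(segment_ids)
            tokens.append(segment_ids[seg])
        compiled[name] = tokens
    segments = [seg for seg, _ in sorted(segment_ids.items(), key=lambda kv: kv[1])]
    return compiled, segments


def tokenize(data: bytes, segments: List[bytes]) -> List[Token]:
    """Emit every occurrence of every segment as a token, ordered by offset.

    Occurrences may overlap: a 2-byte segment that is a suffix of a longer
    segment is reported alongside it, and the matcher decides which to use.
    """
    stream: List[Token] = []
    for offset in range(len(data)):
        for tid, seg in enumerate(segments):
            if data.startswith(seg, offset):
                stream.append((tid, offset, offset + len(seg)))
    return stream


def match_pattern(stream: List[Token], tokens: List[int]) -> bool:
    """True if the pattern's tokens occur in order with non-overlapping extents.

    Greedy leftmost selection is sufficient because every gap is unbounded:
    taking the earliest usable occurrence of each segment never excludes a
    match that a later occurrence would have allowed.
    """
    cursor = 0  # next segment must start at or after this offset
    for wanted in tokens:
        hit = next((t for t in stream if t[0] == wanted and t[1] >= cursor), None)
        if hit is None:
            return False
        cursor = hit[2]
    return True


def scan(data: bytes, patterns: Dict[str, str]) -> List[str]:
    """Return the names of all patterns found in data."""
    compiled, segments = parse_patterns(patterns)
    stream = tokenize(data, segments)
    return [name for name, toks in compiled.items() if match_pattern(stream, toks)]


if __name__ == "__main__":
    print(scan(SAMPLE, PATTERNS))  # ['sample.a', 'sample.b']
```

Note how `sample.b` matches only because a second `babe` occurs after the `cafebabe` segment ends; the `babe` token that the tokenizer also reports inside `cafebabe` is rejected by the non-overlap rule. A hardware engine would replace the naive per-offset scan with a memory-resident segment table, which is what lets the paper's design take a new pattern set without reconfiguring the FPGA.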

Research Area(s)

  • hardware detection engine
  • memory-based architecture
  • regular expression matching
  • string matching
  • virus detection

Citation Format(s)

Hardware Accelerator to Detect Multi-Segment Virus Patterns. / Wang, Xing; Or, Nga Lam; Lu, Ziyan; Pao, Derek.

In: Computer Journal, Vol. 58, No. 10, 01.10.2015, p. 2443-2460.