GrAVity

A massively parallel antivirus engine

Giorgos Vasiliadis, Sotiris Ioannidis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

41 Citations (Scopus)

Abstract

In the ongoing arms race against malware, antivirus software is at the forefront, as one of the most important defense tools in our arsenal. Antivirus software is flexible enough to be deployed from regular users' desktops, to corporate e-mail proxies and file servers. Unfortunately, the signatures necessary to detect incoming malware number in the tens of thousands. To make matters worse, antivirus signatures are a lot longer than signatures in network intrusion detection systems. This leads to extremely high computation costs necessary to perform matching of suspicious data against those signatures. In this paper, we present GrAVity, a massively parallel antivirus engine. Our engine utilized the compute power of modern graphics processors, that contain hundreds of hardware microprocessors. We have modified ClamAV, the most popular open source antivirus software, to utilize our engine. Our prototype implementation has achieved end-to-end throughput in the order of 20 Gbits/s, 100 times the performance of the CPU-only ClamAV, while almost completely offloading the CPU, leaving it free to complete other tasks. Our micro-benchmarks have measured our engine to be able to sustain throughput in the order of 40 Gbits/s. The results suggest that modern graphics cards can be used effectively to perform heavy-duty anti-malware operations at speeds that cannot be matched by traditional CPU-based techniques.

Original language: English
Title of host publication: Recent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings
Pages: 79-96
Number of pages: 18
Volume: 6307 LNCS
DOIs: https://doi.org/10.1007/978-3-642-15512-3_5
Publication status: Published - 2010
Externally published: Yes
Event: 13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010 - Ottawa, ON
Duration: 15 Sep 2010 to 17 Sep 2010

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6307 LNCS
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010
City: Ottawa, ON
Period: 15/9/10 to 17/9/10

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Vasiliadis, G., & Ioannidis, S. (2010). GrAVity: A massively parallel antivirus engine. In Recent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings (Vol. 6307 LNCS, pp. 79-96). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6307 LNCS). https://doi.org/10.1007/978-3-642-15512-3_5

@inproceedings{7ca58d0c51ec41028c071e9c65cdefd7,
title = "GrAVity: A massively parallel antivirus engine",
author = "Giorgos Vasiliadis and Sotiris Ioannidis",
year = "2010",
doi = "10.1007/978-3-642-15512-3_5",
language = "English",
isbn = "3642155111",
volume = "6307 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "79--96",
booktitle = "Recent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings",

}

TY - GEN

T1 - GrAVity

T2 - A massively parallel antivirus engine

AU - Vasiliadis, Giorgos

AU - Ioannidis, Sotiris

PY - 2010

Y1 - 2010

UR - http://www.scopus.com/inward/record.url?scp=78249247403&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78249247403&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-15512-3_5

DO - 10.1007/978-3-642-15512-3_5

M3 - Conference contribution

SN - 3642155111

SN - 9783642155116

VL - 6307 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 79

EP - 96

BT - Recent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings

ER -