Hash-AV: fast virus signature scanning by cache-resident filters

International Journal of Security and Networks

Volumn 2, Issue 1-2, 2007, Pages 50-59

  Erdogan, Ozgun ^a   Cao, Pei ^a  

^a Stanford University   (United States)

Author keywords

high performance; prototype; virus scanning algorithm

Indexed keywords

EID: 74049111426     PISSN: 17478405     EISSN: 17478413     Source Type: Journal    
DOI: 10.1504/ijsn.2007.012824     Document Type: Article

References (31)

1. Aho, A.V. and Corasick, M.J. (1975) ‘Efficient string matching: an aid to bibliographic search’, Communications of the ACM, Vol. 18, No. 6, pp.333–340.
2. Boyer, R.S. and Moore, J.S. (1977) ‘A fast string searching algorithm’, Communications of the ACM, Vol. 20, No. 10.
3. Broder, A. and Mitzenmacher, M. (2002). ‘Network applications of bloom filters: a survey’, Allerton 2002, Available at: http://www.eecs.harvard.edu/ichaelm/NEWWORK/papers.
4. Cisco (2004) ‘Network-based application recognition and distributed network-based application recognition’, Available at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm.
5. Clementi, A. (2005) ‘Anti-virus comparative’, Available at: http://www.av-comparatives.org/index.html? http://www.av-comparatives.org/seiten/comparatives.html.
6. Dharmapurikar, S., Krishnamurthy, T.S.P. and Lockwood, J. (2003) ‘Deep packet inspection using parallel bloom filters’, Proceedings of the 11th Symposium on High Performance Internconnects.
7. Dounin, M. (2004) ‘Clamav developer forum’, Available at: http://sourceforge.net/mailarchive/forum.php?forum=clamav-devel.
8. Erdogan, O. and Cao, P. (2005) ‘Hash-av: fast virus signature scanning by cache-resident filters’, Available at: http://crypto.stanford.edu/˜co/hash-av/.
9. Gardner, J.S. (2001) ‘Pc motherboard technology’, Available at: http://www.extremetech.com/article2/0,1558,1148755,00.asp.
10. GmbH, H.D. (2004) ‘Dazuko’, Available at: http://www.dazuko.org.
11. GNU (1991) ‘hashlib.c – functions to manage and access hash tables for bash’, Available at: http://www.opensource.apple.com/darwinsource/10.3/bash-29/bash/hashlib.c.
12. Inc., W. (2004) ‘Watchguard announces gateway antivirus for e-mail for the firebox x security appliance’, Available at: http://www.watchguard.com/press/releases/wg294.asp.
13. Kephart, J.O. and Arnold, W.C. (1994) ‘Automatic extraction of computer virus signatures’, Proceedings of the Fourth Virus Bulletin International Conference, pp.178–184.
14. Kojm, T. (2004) ‘Clamav’, Available at: http://www.clamav.net.
15. Fan, L., Cao, J.A.P. and Broder, A. (1998) ‘Summary cache: a scalable wide-area web cache sharing protocol’, Proceedings of the 1998 ACM SIGCOMM Conference.
16. Leitold, F. and Csotai, J. (1992) ‘Virus searching and killing language’, Proceedings of the 2nd Virus Bulletin International Conference, pp.159–172.
17. Lonardi, S. (2004) ‘Pattern matching pointers’, Available at: http://www.cs.ucr.edu/stelo/pattern.html.
18. Microsoft (2004) ‘What you should know about download.ject’, Available at: http://www.microsoft.com/security/incident/download_ject.mspx.
19. Miretskiy, Y. Das, C.P.W.A. and Zadok, E. (2004) ‘Avfs: an on-access anti-virus file system’, Proceedings of the 13th USENIX Security Symposium.
20. Noll, L.C. (2004) ‘Fowler/noll/vo (fnv) hash’, Available at: http://www.isthe.com/chongo/tech/comp/fnv/.
21. Roesch, M. (2004) ‘Snort: Network intrusion detection system’, Available at: http://www.snort.org.
22. Scalabium (2004) ‘Elf hash algorithm’, Available at: http://www.scalabium.com/faq/dct0136.htm.
23. Seward, J. (2004) ‘Cachegrind: A cache miss profiler’, Available at: http://developer.kde.org/˜sewardj/docs-2.0.0/cg_main.html.
24. Skulason, F. (2004) ‘The evolution of polymorphic viruses’, Available at: http://vx.netlux.org/lib/static/vdat/polyevol.htm.
25. Szor, P. (2004) The Art of Computer Virus Research and Defense, Symantec Press.
26. Tuck, N., Sherwood, B.C.T. and Varghese, G. (2004) ‘Deterministic memory-efficient string matching algorithms for intrusion detection’, Proceedings of the 2004 IEEE Infocom Conference.
27. Yigit, O. (1990) ‘sdbm – substitute dbm’, Available at: http://search.cpan.org/src/NWCLARK/perl-5.8.4/ext/SDBM _File/sdbm.
28. Yigit, O. (2004) ‘Hash functions’, Available at: http://www.cs. yorku.ca/oz/hash.html.
29. Last year’s episode of Download.Ject web site infection (Microsoft, 2004) clearly highlights the importance of scanning viruses at Web proxy gateways.
30. A Bloom filter is a bit array holding results of multiple hash functions on a set of strings. A string can be queried against the filter; the filter generates false positives but never false negatives. Bloom filters are used wherever a compact representation of a set is needed (Broder and Mitzenmacher, 2002).
31. Clam-AV chooses to hash three-byte chunks so that the shift table fits in the CPU cache. It has been suggested that Clam-AV’s choice of three-byte chunks is not optimal and ten-byte chunks should be used. However, we experimented with Clam-AV hashing ten-byte chunks (by setting the parameter BM_MIN_LENGTH to 10), and found that the throughput was reduced by 60%. Thus, in our experiments we use the default Clam-AV settings.