Authors: Ozgun Erdogan, Pei Cao
Addresses: Department of Computer Science, Stanford University, Stanford, CA 94305, USA. ' Department of Computer Science, Stanford University, Stanford, CA 94305, USA
Abstract: Fast virus scanning is becoming increasingly important in today|s internet. While Moore|s law continues to double CPU cycle speed, virus scanning applications fail to ride on the performance wave due to their frequent random memory accesses. This paper proposes Hash-AV, a virus scanning |booster| technique that aims to take advantage of improvements in CPU performance. Using a set of hash functions and a Bloom filter array that fits in CPU second-level (L2) caches, Hash-AV determines the majority of |no-match| cases without accesses to main memory. Experiments show that Hash-AV improves the performance of the open-source virus scanner Clam-AV by a factor of 2–10. The key to Hash-AV|s success lies in a set of |bad but cheap| hash functions that are used as initial hashes. The speed of Hash-AV makes it well suited for |on-access| virus scanning, providing greater protections to the user. Through intercepting system calls and wrapping glibc libraries, we have implemented an |on-access| version for Hash-AV+Clam-AV. The on-access scanner can examine input data at a throughput of over 200 Mb/s, making it suitable for network-based virus scanning.
Keywords: virus scanning algorithms; high performance; prototype; virus signature scanning; cache-resident filters; internet; security.
International Journal of Security and Networks, 2007 Vol.2 No.1/2, pp.50 - 59
Published online: 16 Mar 2007 *Full-text access for editors Access for subscribers Purchase this article Comment on this article