Abstract
We propose a new, heterogeneous approach to malicious code detection in intrusion detection systems, based on a hybrid implementation of the Aho-Corasick automaton widely used in pattern-matching applications. We introduce and define the Aho-Corasick polymorphic automaton, a new type of automaton that can change its nodes and transitions in real time on suitable hardware, using an approach designed for heterogeneous hardware that scales readily to hybrid heterogeneous systems with multiple CPUs and GPUs. Using a set of recent virus signatures from the ClamAV database as a test-bed, we analyze the performance impact of several types of heuristics on the new automaton and discuss its feasibility and potential applications in real-time intelligent malicious code detection.
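The abstract rests on the classic Aho-Corasick construction and on the observation that a signature set which changes at run time must be reflected in the automaton's nodes and transitions. The following is an added illustration, not the paper's polymorphic automaton and not ClamAV code: a baseline Aho-Corasick matcher over byte signatures that also supports inserting and removing a signature after the automaton is built. It makes visible what the paper's real-time variant has to avoid, namely that in the baseline every change forces a full recomputation of failure links and output sets. The signatures and the scanned buffer are constructed sample data, not real ClamAV signatures.

```python
"""Baseline Aho-Corasick multi-pattern matcher with pattern insertion and
removal after the automaton has been built.

Added illustration only: this is not the paper's polymorphic automaton and
not ClamAV code. It shows the structure the paper starts from (a trie plus
failure links, Aho & Corasick 1975) and the cost a run-time-modifiable
variant has to avoid: every insertion or removal below forces a full
recomputation of failure links and output sets.
"""
from collections import deque


class AhoCorasick:
    def __init__(self):
        self.goto = [{}]       # goto[node][byte] -> child node; node 0 is the root
        self.fail = [0]        # failure link per node
        self.out = [set()]     # pattern ids reported when the scan reaches node
        self.patterns = []     # pattern bytes by id; None once removed
        self.built = False

    def add(self, pattern):
        """Insert a pattern into the trie; failure links become stale."""
        node = 0
        for b in pattern:
            child = self.goto[node].get(b)
            if child is None:
                child = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
                self.goto[node][b] = child
            node = child
        self.patterns.append(pattern)
        self.built = False
        return len(self.patterns) - 1

    def remove(self, pid):
        """Lazy removal: the trie keeps its nodes, only the output disappears."""
        self.patterns[pid] = None
        self.built = False

    def build(self):
        """Recompute failure links and output sets from scratch (BFS order)."""
        self.out = [set() for _ in self.goto]
        for pid, p in enumerate(self.patterns):
            if p is None:
                continue
            node = 0
            for b in p:
                node = self.goto[node][b]
            self.out[node].add(pid)
        self.fail = [0] * len(self.goto)
        queue = deque(self.goto[0].values())   # root's children keep fail = 0
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                # longest proper suffix of the child's path that is also a path
                self.fail[child] = self.goto[f].get(b, 0)
                # a match ending here also ends every pattern matched via fail
                self.out[child] |= self.out[self.fail[child]]
                queue.append(child)
        self.built = True

    def scan(self, data):
        """Return (offset, pattern_id) for every signature occurrence in data."""
        if not self.built:
            self.build()
        node, hits = 0, []
        for i, b in enumerate(data):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for pid in sorted(self.out[node]):
                hits.append((i - len(self.patterns[pid]) + 1, pid))
        return hits


# Constructed sample signatures and buffer (hypothetical, not ClamAV data).
SIGNATURES = [b"\x90\x90\x90\x90\xcc", b"/bin/sh\x00"]
SAMPLE = b"\x00MZ" + b"\x90" * 6 + b"\xcc" + b"/bin/sh\x00\x90\x90"


def demo():
    """Build, scan, then change the signature set at run time and rescan."""
    ac = AhoCorasick()
    for sig in SIGNATURES:
        ac.add(sig)
    first = ac.scan(SAMPLE)            # [(5, 0), (10, 1)]
    ac.add(b"sh\x00\x90")              # overlaps the tail of signature 1
    second = ac.scan(SAMPLE)           # [(5, 0), (10, 1), (15, 2)]
    ac.remove(0)
    third = ac.scan(SAMPLE)            # [(10, 1), (15, 2)]
    return first, second, third


if __name__ == "__main__":
    for hits in demo():
        print(hits)
```

The third signature is found only through a failure transition out of the node that terminates `/bin/sh\x00`, which is why adding it cannot be done by appending trie nodes alone: the failure links of the already-built nodes change too. That rebuild is what the example pays on every `add` or `remove`, and what a GPU-resident automaton would have to do without stalling the scan.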
References
Aho, A., Corasick, M.: Efficient string matching: An aid to bibliographic search. CACM 18(6), 333–340 (1975)
Cha, S.K., Moraru, I., Jang, J., Truelove, J., Brumley, D., Andersen, D.G.: Split Screen: Enabling Efficient, Distributed Malware Detection. In: Proc. 7th USENIX NSDI (2010)
Lee, T.H.: Generalized Aho-Corasick Algorithm for Signature Based Anti-Virus Applications. In: Proceedings of the 16th International Conference on Computer Communications and Networks, ICCCN (2007)
Snort, http://www.snort.org/
Paxson, V.: Bro: A system for detecting network intruders in real-time. Computer Networks 31, 2435–2463 (1999)
Pungila, C.: A Bray-Curtis Weighted Automaton for Detecting Malicious Code Through System-Call Analysis. In: 11th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pp. 392–400 (2009)
Arshad, J., Townend, P., Xu, J.: A novel intrusion severity analysis approach for Clouds. Future Generation Computer Systems (2011), doi:10.1016/j.future.2011.08.009
Corchado, E., Herrero, A.: Neural visualization of network traffic data for intrusion detection. Applied Soft Computing 11(2), 2042–2056 (2011)
Panda, M., Abraham, A., Patra, M.R.: Hybrid Intelligent Approach for Network Intrusion Detection. Procedia Engineering 30, 1–9 (2012), doi:10.1016/j.proeng.2012.01.827
Wang, Z., Xu, G., Li, H., Zhang, M.: A Fast and Accurate Method for Approximate String Search. In: Proceedings of the 49th Annual Meeting of the Association for Computational Linguistics: Human Language Technologies, vol. 1, pp. 52–61 (2011)
Pungila, C.: Improved file-carving through data-parallel pattern matching for data forensics. In: 7th IEEE International Symposium on Applied Computational Intelligence and Informatics (SACI), pp. 197–202 (2012)
Pungila, C.: Hybrid Compression of the Aho-Corasick Automaton for Static Analysis in Intrusion Detection Systems. In: Herrero, Á., Snášel, V., Abraham, A., Zelinka, I., Baruque, B., Quintián, H., Calvo, J.L., Sedano, J., Corchado, E. (eds.) Int. Joint Conf. CISIS’12-ICEUTE’12-SOCO’12. AISC, vol. 189, pp. 77–86. Springer, Heidelberg (2013)
Pungila, C., Negru, V.: A Highly-Efficient Memory-Compression Approach for GPU-Accelerated Virus Signature Matching. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 354–369. Springer, Heidelberg (2012)
Lee, V.W., Kim, C., Chhugani, J., Deisher, M., Kim, D., Nguyen, A.D., Satish, N., Smelyanskiy, M., Chennupaty, S., Hammarlund, P., Singhal, R., Dubey, P.: Debunking the 100X GPU vs. CPU myth: an evaluation of throughput computing on CPU and GPU. In: Proceedings of the 37th Annual International Symposium on Computer Architecture (ISCA 2010), pp. 451–460. ACM, New York (2010), doi:10.1145/1815961.1816021
Clam AntiVirus, http://www.clamav.net
Hamming, R.W.: Error detecting and error correcting codes. Bell System Technical Journal 29(2), 147–160 (1950)
Needleman, S.B., Wunsch, C.D.: A general method applicable to the search for similarities in the amino acid sequence of two proteins. J. Mol. Biol. 47, 443–453 (1970)
Bray-Curtis dissimilarity, http://www.code10.info/index.php?view=article&id=46
© 2014 Springer International Publishing Switzerland
Pungila, C., Negru, V. (2014). Real-Time Polymorphic Aho-Corasick Automata for Heterogeneous Malicious Code Detection. In: Herrero, Á., et al. International Joint Conference SOCO’13-CISIS’13-ICEUTE’13. Advances in Intelligent Systems and Computing, vol 239. Springer, Cham. https://doi.org/10.1007/978-3-319-01854-6_45
DOI: https://doi.org/10.1007/978-3-319-01854-6_45
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-01853-9
Online ISBN: 978-3-319-01854-6