
Real-Time Polymorphic Aho-Corasick Automata for Heterogeneous Malicious Code Detection

  • Conference paper
International Joint Conference SOCO’13-CISIS’13-ICEUTE’13

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 239))

Abstract

We propose a new, heterogeneous approach to malicious code detection in intrusion detection systems, built on a hybrid implementation of the Aho-Corasick automaton commonly used in pattern-matching applications. We introduce and define the Aho-Corasick polymorphic automaton, a new type of automaton whose nodes and transitions can be changed in real time on suitable hardware, using an approach designed for heterogeneous hardware that scales easily to hybrid systems with multiple CPUs and GPUs. Using a set of recent virus signatures from the ClamAV database as a test-bed, we analyze the performance impact of several types of heuristics on the new automaton and discuss its feasibility and potential applications in real-time intelligent malicious code detection.



Author information


Correspondence to Ciprian Pungila.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Pungila, C., Negru, V. (2014). Real-Time Polymorphic Aho-Corasick Automata for Heterogeneous Malicious Code Detection. In: Herrero, Á., et al. International Joint Conference SOCO’13-CISIS’13-ICEUTE’13. Advances in Intelligent Systems and Computing, vol 239. Springer, Cham. https://doi.org/10.1007/978-3-319-01854-6_45


  • DOI: https://doi.org/10.1007/978-3-319-01854-6_45

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-01853-9

  • Online ISBN: 978-3-319-01854-6

  • eBook Packages: Engineering (R0)
