
Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis - PowerPoint PPT Presentation



  1. GrAVity: A Massively Parallel Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID’10, 15 September 2010

  2. Overview • Increase the processing throughput of virus scanning applications, using the Graphics Processing Unit (GPU)

  3. Outline • Introduction • Architecture • Performance evaluation • Conclusions

  4. Motivation • Antivirus software runs on e-mail servers, gateway proxies and user desktops – Requires significant computational resources • Graphics cards – Easy to program – Powerful and ubiquitous • Why not use GPUs to speed up virus scanning operations?

  5. CPU vs GPU • The GPU is specialized for compute-intensive, highly parallel computation – More transistors are devoted to data processing rather than data caching and flow control

  6. Anti-Virus Databases • Contain thousands of signatures • ClamAV contains more than 60K signatures, with length varying from 4 to 392 bytes – Significantly longer than NIDS signatures [Figure labels: > 80%, > 90%]

  7. Virus Scanning in ClamAV [Diagram: Files, Filtering Module, Verification Module] • ClamAV uses a small part of each signature for a first-pass filtering • Every potential match is processed by the verification module

  8. Virus Scanning in ClamAV [Diagram: Files, Filtering Module, Verification Module] • Usually, the majority of data do not contain any virus → Only a small number of file segments pass to the verification module

  9. Our Approach: GPU Offloading [Diagram: Files, Filtering Module, Verification Module]

  10. GRAVITY DESIGN

  11. Basic Design • Three-stage pipeline [Diagram: Files, GPU, Verification Module]

  12. Files Journey (1/5) • File scanning example • File contents are buffered back-to-back [Diagram: Files, GPU, Verification Module]

  13. Files Journey (2/5) • File scanning example [Diagram: Files, Verification Module; label: 1. File contents]

  14. Files Journey (3/5) • File scanning example • GPU filters out clean segments [Diagram: Files, Verification Module; label: 1. File contents]

  15. Files Journey (4/5) • File scanning example [Diagram: Files, GPU, Verification Module; labels: 1. File contents, 2. Matched offsets]

  16. Files Journey (5/5) • File scanning example • Verify matches and report [Diagram: Files, GPU, Verification Module, Full Virus Signatures; labels: 1. File contents, 2. Matched offsets]

  17. GPU IMPLEMENTATION

  18. Prefix Filtering • Take the first n bytes from each signature – e.g. Worm.SQL.Slammer.A:0:*:4e65742d576f726d2e57696e33322e536c616d6d65725554 • Compile all n-byte sub-signatures into a single Scanning Trie • The Scanning Trie can quickly filter clean data segments in linear time.

  19. Scanning Trie • GrAVity: Variable trie height • 4 patterns (avg) per 14-char prefix

  20. Virus Scanning on the GPU • Each thread operates on different data – May overlap for spanning patterns, but … – … no communication/synchronization costs. – Highly scalable (millions of threads can run in parallel)

  21. Memory Management Optimizations • Exploit texture cache, to achieve better reading throughput [Diagram labels: 4 cycles, Cache, DRAM, 700 cycles] • Cache misses are hidden by running a large number of threads in parallel [Diagram labels: cache miss, thread switch]

  22. PERFORMANCE EVALUATION

  23. GrAVity vs ClamAV [Plot annotations: 12x, 100x] → Up to 20 Gbps end-to-end performance

  24. Execution Time Breakdown • CPU time accounts for 20% of the total execution time, with a prefix length equal to 14 • Increasing the prefix length results in fewer matches

  25. Raw Computational Throughput • With 8M threads, the GPU achieves 42 Gbit/s throughput

  26. Scaling factor • Fast evolution

  27. Conclusions • Virus scanning on the GPU is practical and fast! • Over 20 Gbit/s throughput – Suitable for network-based virus scanning • Future work includes – Adapt memory-efficient algorithms (XFA, D²FA) – Multiple GPUs

  28. GrAVity: A Massively Parallel Antivirus Engine • Thank you! • Giorgos Vasiliadis, gvasil@ics.forth.gr • Sotiris Ioannidis, sotiris@ics.forth.gr
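
The two-stage flow from the Prefix Filtering, Scanning Trie and Files Journey slides, sketched as an added example; it is not code from the presentation, GrAVity or ClamAV. It assumes plain byte-string signatures without wildcards, uses constructed signature names and a constructed sample buffer (only the Slammer hex string comes from the slide), and a sequential loop stands in for the per-offset GPU threads.

```python
# Added example: prefix-filter trie (stage 1) followed by full verification
# (stage 2). Signatures are assumed to be plain byte strings (no wildcards);
# the "Constructed.*" entries and SAMPLE are made up for illustration.
PREFIX_LEN = 14  # prefix length used in the slides' evaluation

SIGNATURES = {
    "Worm.SQL.Slammer.A": bytes.fromhex(
        "4e65742d576f726d2e57696e33322e536c616d6d65725554"),
    "Constructed.Test.A": b"EXAMPLE-PREFIX-ONE-full-signature-A",
    "Constructed.Test.B": b"EXAMPLE-PREFIX-ONE-full-signature-B",
}
# Constructed buffer: one full signature plus a truncated Slammer fragment.
SAMPLE = (b"clean bytes " + SIGNATURES["Constructed.Test.B"] + b" more "
          + SIGNATURES["Worm.SQL.Slammer.A"][:20] + b" tail")

def build_trie(signatures, n=PREFIX_LEN):
    """Compile the first n bytes of every signature into one trie."""
    root = {}
    for name, sig in signatures.items():
        node = root
        for byte in sig[:n]:
            node = node.setdefault(byte, {})
        # The None key marks the end of a prefix; short signatures end early,
        # which gives the variable trie height mentioned on the slides.
        node.setdefault(None, []).append(name)
    return root

def filter_offsets(data, trie, n=PREFIX_LEN):
    """Stage 1: test every offset independently, as one GPU thread would."""
    hits = []
    for start in range(len(data)):
        node = trie
        for byte in data[start:start + n]:
            node = node.get(byte)
            if node is None:
                break  # clean segment: no signature prefix starts here
            if None in node:
                hits.append((start, node[None]))
    return hits

def verify(data, hits, signatures):
    """Stage 2: compare the full signature at each reported offset."""
    return [(off, name) for off, names in hits for name in names
            if data.startswith(signatures[name], off)]

def scan(data, signatures=SIGNATURES):
    hits = filter_offsets(data, build_trie(signatures))
    return hits, verify(data, hits, signatures)
```

On `SAMPLE`, stage 1 reports two offsets (one shared by both constructed signatures, one for the truncated Slammer fragment), and stage 2 confirms only `Constructed.Test.B`, which shows why prefix hits are candidates rather than detections.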
