Hash-AV: fast virus signature scanning by cache-resident filters
Authors: Ozgün Erdogan, P. Cao
Venue: GLOBECOM '05. IEEE Global Telecommunications Conference, 2005.
Publication date: 2007-03-01
DOI: https://doi.org/10.1504/IJSN.2007.012824
Fast virus scanning is becoming increasingly important in today's Internet. While Moore's law continues to double CPU cycle speed, virus scanning applications fail to ride on the performance wave due to their frequent random memory accesses. This paper proposes Hash-AV, a virus scanning "booster" technique that aims to take advantage of improvements in CPU performance. Using a set of hash functions and a Bloom filter array that fits in CPU second-level (L2) caches, Hash-AV determines the majority of "no-match" cases without accesses to main memory. Experiments show that Hash-AV improves the performance of the open-source virus scanner Clam-AV by a factor of 2.5 to 10. The key to Hash-AV's success lies in a set of "bad but cheap" hash functions that are used as initial hashes. The speed of Hash-AV makes it well suited for "on-access" virus scanning, providing greater protections to the user. Through intercepting system calls and wrapping glibc libraries, we have implemented an "on-access" version for Hash-AV+Clam-AV. The on-access scanner can examine input data at a throughput of over 200 Mb/s, making it suitable for network-based virus scanning.
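The filter-then-verify flow the abstract describes, as an added C example that is not the paper's or Clam-AV's code: a small Bloom filter is probed with a cheap hash first, a better hash only when the first bit is set, and an exact matcher only when both bits are set. The window length, filter size, both hash functions, the sample signatures and the verify() stand-in for the full scanner are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define WIN 4                   /* bytes hashed per window (assumed value) */
#define FILTER_BITS (1u << 16)  /* 8 KiB bit array, small enough to stay in cache */
static uint8_t filter[FILTER_BITS / 8];

/* Constructed sample signatures, not real malware patterns. */
static const char *sigs[] = { "EVIL-SIG-ONE", "X5O!-TEST-SIG" };
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* "Bad but cheap" first hash: shifts and XORs only. */
static uint32_t h_cheap(const uint8_t *p) {
    uint32_t h = p[0] ^ ((uint32_t)p[1] << 4) ^ ((uint32_t)p[2] << 8) ^ ((uint32_t)p[3] << 12);
    return h & (FILTER_BITS - 1);
}
/* Better-mixing second hash (FNV-1a), computed only if the first bit is set. */
static uint32_t h_good(const uint8_t *p) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < WIN; i++) h = (h ^ p[i]) * 16777619u;
    return (h ^ (h >> 16)) & (FILTER_BITS - 1);
}
static void set_bit(uint32_t b) { filter[b >> 3] |= (uint8_t)(1u << (b & 7)); }
static int get_bit(uint32_t b) { return (filter[b >> 3] >> (b & 7)) & 1; }

/* Insert the first WIN bytes of every signature under both hashes. */
void build_filter(void) {
    memset(filter, 0, sizeof filter);
    for (size_t i = 0; i < NSIGS; i++) {
        set_bit(h_cheap((const uint8_t *)sigs[i]));
        set_bit(h_good((const uint8_t *)sigs[i]));
    }
}
/* Exact comparison, standing in for the full scanner's matcher. */
static int verify(const uint8_t *p, size_t left) {
    for (size_t i = 0; i < NSIGS; i++) {
        size_t n = strlen(sigs[i]);
        if (n <= left && memcmp(p, sigs[i], n) == 0) return 1;
    }
    return 0;
}
/* Returns confirmed matches; *escalated counts windows the filter could not rule out. */
size_t scan(const uint8_t *buf, size_t len, size_t *escalated) {
    size_t hits = 0; *escalated = 0;
    for (size_t i = 0; i + WIN <= len; i++) {
        if (!get_bit(h_cheap(buf + i)) || !get_bit(h_good(buf + i))) continue;
        (*escalated)++;               /* rare path: hand off to the exact matcher */
        hits += (size_t)verify(buf + i, len - i);
    }
    return hits;
}
```

Call build_filter() once, then scan() per buffer; a window that shares only a signature's first bytes is escalated by the filter and then rejected by the exact comparison.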