Generalized aho-corasick algorithm for signature based anti-virus applications

Tsern-Huei Lee

doi:10.1109/ICCCN.2007.4317914

Generalized aho-corasick algorithm for signature based anti-virus applications

Tsern-Huei Lee^*

^*Corresponding author for this work

National Chiao Tung University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

19 Scopus citations

Abstract

Because of its accuracy, signature matching is considered an important technique in anti-virus/worm applications. Among some famous pattern matching algorithms, the Aho-Corasick (AC) algorithm can match multiple patterns simultaneously and guarantee deterministic performance under all circumstances and thus is widely adopted in various systems, especially when worst-case performance such as wire speed requirement is a design factor. However, the AC algorithm was developed only for strings while virus/worm signatures could be specified by simple regular expressions. In this paper, we generalize the AC algorithm to systematically construct a finite state pattern matching machine which can indicate the ending position in a finite input string for the first occurrence of virus/worm signatures that are specified by strings or simple regular expressions. The regular expressions studied in this paper may contain the following operators: * (match any number of symbols), ? (match any symbol), and {min, max} (match minimum of min, maximum of max symbols), which are defined in ClamAV, a popular open source anti-virus/worm software module, for signature specification.

Original language	English
Title of host publication	Proceedings of 16th International Conference on Computer Communications and Networks 2007, ICCCN 2007
Pages	792-797
Number of pages	6
DOIs	https://doi.org/10.1109/ICCCN.2007.4317914
State	Published - 1 Dec 2007
Event	16th International Conference on Computer Communications and Networks 2007, ICCCN 2007 - Honolulu, HI, United States Duration: 13 Aug 2007 → 16 Aug 2007

Publication series

Name	Proceedings - International Conference on Computer Communications and Networks, ICCCN
ISSN (Print)	1095-2055

Conference

Conference	16th International Conference on Computer Communications and Networks 2007, ICCCN 2007
Country	United States
City	Honolulu, HI,
Period	13/08/07 → 16/08/07

Access to Document

10.1109/ICCCN.2007.4317914

Link to publication in Scopus

Fingerprint Dive into the research topics of 'Generalized aho-corasick algorithm for signature based anti-virus applications'. Together they form a unique fingerprint.

Cite this

Lee, T-H. (2007). Generalized aho-corasick algorithm for signature based anti-virus applications. In Proceedings of 16th International Conference on Computer Communications and Networks 2007, ICCCN 2007 (pp. 792-797). [4317914] (Proceedings - International Conference on Computer Communications and Networks, ICCCN). https://doi.org/10.1109/ICCCN.2007.4317914

@inproceedings{e9686a1b58c5460e9471e49b3818998d,

title = "Generalized aho-corasick algorithm for signature based anti-virus applications",

abstract = "Because of its accuracy, signature matching is considered an important technique in anti-virus/worm applications. Among some famous pattern matching algorithms, the Aho-Corasick (AC) algorithm can match multiple patterns simultaneously and guarantee deterministic performance under all circumstances and thus is widely adopted in various systems, especially when worst-case performance such as wire speed requirement is a design factor. However, the AC algorithm was developed only for strings while virus/worm signatures could be specified by simple regular expressions. In this paper, we generalize the AC algorithm to systematically construct a finite state pattern matching machine which can indicate the ending position in a finite input string for the first occurrence of virus/worm signatures that are specified by strings or simple regular expressions. The regular expressions studied in this paper may contain the following operators: * (match any number of symbols), ? (match any symbol), and {min, max} (match minimum of min, maximum of max symbols), which are defined in ClamAV, a popular open source anti-virus/worm software module, for signature specification.",

author = "Tsern-Huei Lee",

year = "2007",

month = dec,

day = "1",

doi = "10.1109/ICCCN.2007.4317914",

language = "English",

isbn = "9781424412518",

series = "Proceedings - International Conference on Computer Communications and Networks, ICCCN",

pages = "792--797",

booktitle = "Proceedings of 16th International Conference on Computer Communications and Networks 2007, ICCCN 2007",

note = "null ; Conference date: 13-08-2007 Through 16-08-2007",

}

Lee, T-H 2007, Generalized aho-corasick algorithm for signature based anti-virus applications. in Proceedings of 16th International Conference on Computer Communications and Networks 2007, ICCCN 2007., 4317914, Proceedings - International Conference on Computer Communications and Networks, ICCCN, pp. 792-797, 16th International Conference on Computer Communications and Networks 2007, ICCCN 2007, Honolulu, HI, United States, 13/08/07. https://doi.org/10.1109/ICCCN.2007.4317914

Generalized aho-corasick algorithm for signature based anti-virus applications. / Lee, Tsern-Huei.

Proceedings of 16th International Conference on Computer Communications and Networks 2007, ICCCN 2007. 2007. p. 792-797 4317914 (Proceedings - International Conference on Computer Communications and Networks, ICCCN).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Generalized aho-corasick algorithm for signature based anti-virus applications

AU - Lee, Tsern-Huei

PY - 2007/12/1

Y1 - 2007/12/1

N2 - Because of its accuracy, signature matching is considered an important technique in anti-virus/worm applications. Among some famous pattern matching algorithms, the Aho-Corasick (AC) algorithm can match multiple patterns simultaneously and guarantee deterministic performance under all circumstances and thus is widely adopted in various systems, especially when worst-case performance such as wire speed requirement is a design factor. However, the AC algorithm was developed only for strings while virus/worm signatures could be specified by simple regular expressions. In this paper, we generalize the AC algorithm to systematically construct a finite state pattern matching machine which can indicate the ending position in a finite input string for the first occurrence of virus/worm signatures that are specified by strings or simple regular expressions. The regular expressions studied in this paper may contain the following operators: * (match any number of symbols), ? (match any symbol), and {min, max} (match minimum of min, maximum of max symbols), which are defined in ClamAV, a popular open source anti-virus/worm software module, for signature specification.

AB - Because of its accuracy, signature matching is considered an important technique in anti-virus/worm applications. Among some famous pattern matching algorithms, the Aho-Corasick (AC) algorithm can match multiple patterns simultaneously and guarantee deterministic performance under all circumstances and thus is widely adopted in various systems, especially when worst-case performance such as wire speed requirement is a design factor. However, the AC algorithm was developed only for strings while virus/worm signatures could be specified by simple regular expressions. In this paper, we generalize the AC algorithm to systematically construct a finite state pattern matching machine which can indicate the ending position in a finite input string for the first occurrence of virus/worm signatures that are specified by strings or simple regular expressions. The regular expressions studied in this paper may contain the following operators: * (match any number of symbols), ? (match any symbol), and {min, max} (match minimum of min, maximum of max symbols), which are defined in ClamAV, a popular open source anti-virus/worm software module, for signature specification.

UR - http://www.scopus.com/inward/record.url?scp=40949162082&partnerID=8YFLogxK

U2 - 10.1109/ICCCN.2007.4317914

DO - 10.1109/ICCCN.2007.4317914

M3 - Conference contribution

AN - SCOPUS:40949162082

SN - 9781424412518

T3 - Proceedings - International Conference on Computer Communications and Networks, ICCCN

SP - 792

EP - 797

BT - Proceedings of 16th International Conference on Computer Communications and Networks 2007, ICCCN 2007

Y2 - 13 August 2007 through 16 August 2007

ER -