Many online algorithms exist for finding known-malicious byte patterns (virus signatures) in data, but they carry a considerable computational and memory cost. This project investigates whether exact-match substrings can be extracted from virus signatures, inserted into a hashtable, and searched by dedicated hardware as a first pass of the virus search, with the aim of making virus detection more efficient and dependable.
The pipeline has four stages:

1. Data processing: extract the `content` and `pcre` options from Snort's ruleset and build an exact-match sub-signature ruleset from them.
2. Hashtable insertion: insert the processed sub-signatures into a hashtable (we used libcuckoo), choosing the table size and improving its utilization according to the length of each substring and the gap between two substrings.
3. Aho-Corasick: data for which the stage 2 results are not conclusive enough is processed by the Aho-Corasick algorithm.
4. Dedicated algorithm: data for which the stage 3 results are still not conclusive enough is processed by a dedicated algorithm developed in the ACSL lab.
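The following is an added example, not the project's code, sketching stages 1 and 2 in Python: it parses `content` and `pcre` options from a constructed handful of Snort 3 rules, decodes `|hex|` sections and backslash escapes, carves fixed-length sub-signatures into a hashtable (a Python dict stands in for libcuckoo), and scans a constructed payload at a fixed stride, confirming every hashtable hit against the full pattern. The window length `W`, the stride `GAP`, the reading of "gap" as a scan stride, the conservative `pcre` literal extraction and the plain-search stand-in for stages 3 and 4 are all assumptions of this example, not the project's design; the sample rules, sids and payload are made up.

```python
"""Added example, not the project's code: exact-match sub-signatures carved from Snort
rules into a hashtable prefilter.  A dict stands in for libcuckoo and a plain search for
the README's later stages; the sample rules, sids and payload below are constructed."""
import re
from collections import defaultdict

W, GAP = 4, 3  # sub-signature length and scan stride in bytes: assumed, not the project's
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"admin path"; content:"GET /admin/"; sid:1000001;)
alert tcp any any -> any any (msg:"nop sled"; content:"|90 90 90 90 90 90|"; sid:1000002;)
alert tcp any any -> any 21 (msg:"ftp root"; content:"USER root",nocase; sid:1000003;)
alert tcp any any -> any 80 (msg:"cmd inject"; content:"cmd=|3B| id"; sid:1000004;)
alert tcp any any -> any 80 (msg:"pcre only"; pcre:"/login\.php\?user=admin[0-9]+/i"; sid:1000005;)
alert tcp any any -> any 80 (msg:"never fires"; content:"DELETE /"; sid:1000006;)
'''
PAYLOAD = (b"POST /x HTTP/1.1\r\n\r\ncmd=; id&user root&GET /admix/ " + b"\x90" * 8
           + b"GET /admin/login.php?user=ADMIN7 ok")

CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*((?:,[^;]*)?);(\s*nocase\s*;)?')
PCRE_RE = re.compile(r'pcre:\s*"/((?:[^/\\]|\\.)*)/([A-Za-z]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
PCRE_SPLIT = re.compile(r'\\.|\[(?:\\.|[^\]])*\]|.[?*]|[.^$?*+]')  # non-literal regex parts


def decode_content(s):
    """Snort content string -> bytes, handling |hex| sections and backslash escapes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "|":
            end = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:end])
            i = end
        else:
            if s[i] == "\\":  # \" \; \: \| \\ stand for the literal character
                i += 1
            out += s[i].encode("latin-1")
        i += 1
    return bytes(out)


def pcre_literals(pat, min_len):
    """Literal runs every match must contain.  Conservative: escapes, classes and
    quantifiers split the pattern (? and * also drop the atom before them, which may
    occur zero times); groups, alternation and {} repeats make it yield nothing."""
    if any(ch in pat for ch in "(|{"):
        return []
    return [p.encode("latin-1") for p in PCRE_SPLIT.split(pat) if len(p) >= min_len]


def extract_signatures(rules_text, min_len=W):
    """Stage 1: (sid, pattern bytes, nocase) for every content and pcre literal."""
    sigs = []
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if not sid or line.lstrip().startswith("#"):
            continue
        for pat, mods, trailing in CONTENT_RE.findall(line):
            sigs.append((int(sid.group(1)), decode_content(pat), "nocase" in mods + trailing))
        for pat, flags in PCRE_RE.findall(line):
            for lit in pcre_literals(pat, min_len):
                sigs.append((int(sid.group(1)), lit, "i" in flags))
    return sigs


def build_table(sigs, w=W, gap=GAP):
    """Stage 2: store each pattern's windows at offsets 0..gap-1, so a scan that hashes
    every gap-th position cannot miss a pattern of length >= w+gap-1; shorter are deferred."""
    table, deferred = defaultdict(list), []
    for sid, pat, nocase in sigs:
        if len(pat) < w + gap - 1:
            deferred.append((sid, pat, nocase))
            continue
        key_src = pat.lower() if nocase else pat  # nocase entries are keyed lowercased
        for off in range(gap):
            table[key_src[off:off + w]].append((sid, pat, off, nocase))
    return table, deferred


def scan(payload, table, deferred, w=W, gap=GAP):
    """Returns (matched sids, candidate lookups, confirmed candidates)."""
    hits, candidates, confirmed = set(), 0, 0
    for q in range(0, len(payload) - w + 1, gap):
        win = payload[q:q + w]
        for sid, pat, off, nocase in set(table.get(win, ())) | set(table.get(win.lower(), ())):
            candidates += 1  # hashtable hit: confirm against the whole pattern
            region = payload[q - off:q - off + len(pat)] if q >= off else b""
            if (region.lower() if nocase else region) == (pat.lower() if nocase else pat):
                confirmed += 1
                hits.add(sid)
    for sid, pat, nocase in deferred:  # stand-in for the later, slower stages
        if (pat.lower() if nocase else pat) in (payload.lower() if nocase else payload):
            hits.add(sid)
    return hits, candidates, confirmed


if __name__ == "__main__":
    table, deferred = build_table(extract_signatures(SAMPLE_RULES))
    print("hashtable keys:", len(table), "deferred sids:", [s for s, _, _ in deferred])
    print("hits, candidates, confirmed:", scan(PAYLOAD, table, deferred))
```

Storing every pattern at offsets 0 through `GAP-1` is what lets the scan hash the payload only every `GAP` bytes without missing a pattern of length at least `W+GAP-1`; patterns shorter than that are deferred, which mirrors the tiered shape of the pipeline above. The scan also returns the number of candidate lookups next to the confirmed matches: the difference between them (here from `GET /admix/` and from the key `user` shared by two rules) is the prefilter's false-positive load that the later stages must absorb.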
The project can be run using the automated script `run_project.sh`:

```sh
./run_project.sh {snort.rules}
```

where `snort.rules` is the path to the Snort rules file you wish to use. If it is not specified, the script uses `Auxillary/snort3-commuinty.rules`. After the run, a directory named `Data` is created containing the relevant files and statistics.
- This script was tested on WSL using the Ubuntu 20.04.6 distribution.
- Try running `dos2unix` on the script if it fails to run (typically because of CRLF line endings).
- Idan Baruch
- Itai Benyamin
- This project is under the supervision of Alon Rashelbach in the ACSL lab at the Technion.