Sunteți pe pagina 1din 27


The word "Computer Virus" is introduced by mathematician Dr. Frederick Cohen, the "father" of computer virus, in 1984 and is defined as follows: "A virus is a program that is able to infect other programs by modifying them to include a possibly-evolved copy of itself. Computer viruses are harmful and have the following features. 1. Computer virus is an executable program which can attack the host program. 2. Computer virus can put a precise copy of itself or a possibly-evolved copy of itself in the other programs, namely the host programs by modifying the other programs, thereby infecting the host programs. 3. Computer virus can also modify the relative information or parts of the host program, and link the virus code and the host program together; thereby infecting the host program. Computer viruses destroy the computer materials and gravely affect the system performance. First, viruses occupy large quantities of computer materials, especially the CPU, which makes computer run slowly. Second, viruses access data illegally. They can access the secret or private data of the user, and even steal the business or government secret. Third, viruses unlawfully destroy or delete data stored in a computer. These data may be important user data or some system files. The illegal deletion of these user data may cause inestimable expense to users and the destroying of system files may cause the system break down. Since computer viruses harm seriously, the computer anti-virus technology has greatly developed. There are many useful anti-virus methods: the detection, removal viruses, immunity and prevention of virus. There into, the detection of virus is the simplest, but the most applied method which based on the detection of virus signature. It is widely used in the business antivirus soft. At present, the viruses spread widely through the high-speed network. It puts forward higher requirements to the performance of virus scan systems such as high throughput and

accuracy. In this paper, a virus scan system based on hardware-accelerated - the HVSS (HIFN/Hardware accelerated Virus Scan System) - is proposed to satisfy the high-speed network. This paper is organized as follows. Section 2 introduces the related work on computer viruses and antiviruses, indicates the ubiquitous shortcomings of current virus scan systems and gives our own solvents to these problems. Section 3 introduces the design and implementation of HVSS. The experimental results and performance analysis are given in Section 4, and Section 5 is a conclusion.

1.1. VIRUS
A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer. The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware. Malware includes computer viruses, worms, Trojans, most root kits, spyware, dishonest adware, crime ware, and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to a computer system's hosted data, functional performance or networking throughput, when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or go unnoticed.


In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.


Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.


Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer. Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can "piggy-back" on the virus scanner and in this way infect all files that are

scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful.

In computer science, concurrency is a property of systems in which several computations are executing simultaneously, and potentially interacting with each other. The computations may be executing on multiple cores in the same chip, preemptively time-shared threads on the same processor, or executed on physically separated processors. A number of mathematical models have been developed for general concurrent computation including Petri nets, process calculi, the synchronous model and the Actor model.

Real-time protection, on-access scanning, background guard, resident shield, auto protect, and other synonyms refer to the automatic protection provided by most antivirus, antispyware, and other antimalware programs, which is arguably their most important feature. This monitors computer systems for suspicious activity such as computer viruses, spyware, adware, and other malicious objects in 'real-time', in other words while data is coming into the computer, for example when inserting a CD, opening an email, or browsing the web or when a file already on the computer is opened or executed, in other words loaded into the computer's active memory. This means all data in files already on the computer is analyzed each time that the user attempts to access the files. This can prevent infection by not yet activated malware that entered the computer unrecognized before the antivirus received an update. Real-time protection and its synonyms are used in contrast to the expression "on-demand scan" or similar expressions that mean a user-activated scan of part or all of a computer.

3 steps to keep the computer free from viruses: 1. Keep Windows Critical updates current For Windows XP or Windows 2000, it is important to keep the Windows critical updates current. Some viruses attack Windows vulnerabilities. The updates protect against many flaws in the operating system. These updates and virus scans should be run in Safe Mode. 2. Have Antivirus software installed and run scans 3. Remove Ad software and Spyware from computer


In computing, hardware acceleration is the use of hardware to perform some function faster than is possible in software running on the general purpose CPU. Examples of hardware acceleration include blitting acceleration functionality in graphics processing units (GPUs) and instructions for complex operations in CPUs. Normally, processors are sequential, and instructions are executed one by one. Various techniques are used to improve performance; hardware acceleration is one of them. The main difference between hardware and software is concurrency, allowing hardware to be much faster than software. Hardware accelerators are designed for computationally intensive software code. Depending upon granularity, hardware acceleration can vary from a small functional unit to a large functional block like motion estimation in MPEG2. The hardware that performs the acceleration, when in a separate unit from the CPU, is referred to as a hardware accelerator, or often more specifically as graphics accelerator or floating-point accelerator, etc. Those terms, however, are older and have been replaced with less descriptive terms like video card or graphics card.

The term computer virus was introduced by Cohen in 1984, according to the recommendation of his advisor, Professor Leonard Adleman, who picked the name from science fiction novels. The most important feature of the computer virus is self-replicating. The idea of self-replicating systems that model self-replication structures has been around since the Hungarian-American, John von Neumann, suggested it in 1948. Von Neumann proposed the idea of self-replicating and gave a model to describe nature's self-reproduction with the idea of selfbuilding automata. A few years later, Stanislaw Ulam suggested to Von Neumann to use the processes of cellular automation to describe this model. Instead of using "machine parts," states of cells were introduced. Neumann's model mathematically proved the possibility of selfreproducing structures: Regular, non-living parts (molecules) could be combined to create selfreproducing structures and potentially living organisms. In 1968, Second International Multisymposium on Computer and Computational Sciences Codd simplified Neumann's model using cells that had eight states in 5-cell environments. Such simplification is the base for "selfreplicating loops developed by artificial life researchers, such as Christopher G. Langton, in 1979. Such replication loops eliminate the complexity of universal machine from the system and to focus on the needs of replication. A computer virus is executable programs that can self reproduce and infect its host programs. People did not recognize the damage of computer caused by early viruses, until the 1988, the famous Morris worm event (although speak seriously, worm is not virus). From then on, especially with the development of network, the technology of computer virus puts up some new features. 1. General-service computer viruses: They are the viruses that can infect different kinds of operating systems. 2. The new viruses live in new operating systems: As the new operating systems occurred, the new viruses were produced to infect them.

3. Aiming at the network: As the network developed, some viruses were generated to attack the network, so as to access the network materials illegally, to acquire the accounts and passwords of other people, and even to attack the network bank systems or the nations important departments. 4. The tools to generate viruses automatically: The occurrence of the tools to generate viruses automatically makes the production of viruses. There occurs large quantity of viruses. The wide spread of viruses makes the technology of anti-viruses to attract peoples attention. A lot of technologies of anti-virus are recently proposed. There are four classes of antivirus technologies, the detection of virus, the removing of virus, the immunity of virus and the prevention of virus. There into, the virus detection is the most important technology in the virus resistance. Everyone knows that the viruses are some executable programs. Before resisting them, they should be identified. There are two kinds of situations. First, if the computer has not been infected by viruses, when it downloads data from network or other devices, the data can be scanned first to avoid downloading the viruses. Second, if the computer has already been infected, the computer can be scanned for viruses, and then delete them. Therefore, whether or not, people should as soon as possible to kill viruses. The most widely used virus detection technologies include the character code, the check sum, the action monitor, and the infecting experiment. The character code is the simplest method with lowest spending in virus detection. The steps are as follows. Step 1: Gather the samples of viruses. Step 2: Pick up the character code in the virus samples. Step 3: Add the character code in the virus database. Step 4: Scan the file for the character codes stored in the virus database. Step 5: If a character code is found in the file, that means the file is infected. HVSS uses the method of character code because it has the following advantages. 1. Detect quickly and accurately.

2. Can identify the name of viruses. 3. Has a low false alert rate. 4. The detection result is to help to remove the viruses. The method of character code also has the following typical shortages especially under current high speed network environment. 1. Cannot detect the unknown viruses. 2. As the number of viruses becomes larger, a big virus database needs to be maintained. Scanning the big database waste time and the virus scan will affect the bandwidth of networks seriously. Aiming at fixing these shortages of character code, we propose our own solvents in HVSS. HVSS has the following features. 1. HVSS is hardware supported. An accelerator card of HIFN -YUQUAN - is used for virus scan. YUQUAN adopts Pattern Match algorithm which provides an accurate and fast virus scan. 2. HVSS uses an effective protocol. The hpmd communication protocol is specially designed to provide effective communication between the client and the virus scan server. 3. HVSS supports multiple clients. Multiple clients can connect to the virus scan server at the same time. It enhances the ability of concurrent processing and increases the throughput of the server. 4. HVSS has the well-designed software. The software is of clear structure and complete function. The synchronization mechanism is well designed to satisfy the max concurrency.


HVSS is designed for high-speed networks. The YUQUAN accelerator card is used in HVSS for virus scanning. YUQUAN is a Chinese manufacturing company that produces hardware components like PCI cards, NIC cards etc. YUQUAN card provides hardware acceleration for virus scanning. YUQUAN card uses the efficiently HIFN pattern match (HPM) algorithm, designed by a software company called HIFN.HIFN usually develop network security solutions. HPM can scan virus quickly. In this section, the system architecture, the hpmd communication protocol and the system implementation will be explained in detail.


The system architecture is shown in Figure 3.1. When a client downloads data from a server through a proxy, the proxy will intercept the data, divide it into data blocks and send them to a virus scan server for scanning. After receiving the corresponding data block, the virus scan server sends the data to the task queue of YUQUAN for the virus scan. With help of YUQUAN card the scan is performed and the scan result is sent back and when the scan result is returned from YUQUAN, the virus scan server will send the scan result to the proxy. For each scanned data block, there are three kinds of scan results; Normal, Virus or Error. After checking the scan result only the normal data block will be sent from the proxy to the client. The Data blocks for which the scan result is Error or Virus is immediately deleted from the Proxy. Thus if Virus is identified in one of the data blocks of a file, the subsequent data blocks are immediately deleted. The detailed flow will be introduced in the subsequent sections.

Fig.3.1 Architecture of HVSS YUQUAN is an accelerator card which is installed in the PCIE interface of the virus scan server directly. It operates as a flow-through or a look-aside security processor to allow a modular upgrade to security appliances. Virus scanning in a big database takes heavy load to the host CPU. YUQUAN is believed to have the following advantages: 1. A potentially larger pattern match speed per thread (about 250M) makes YUQUAN more competitive to other existing solutions. 2. It has a flow-through path for specified applications. 3. There are eight pattern match engines in YUQUAN. Each engine handles one scan thread. They are incorporated to achieve a 1Gbps performance. 4. It contains a bandwidth control.

In addition, a host can also send the local files to the virus scan server for scanning. It has a compact pattern match engine allows YUQUAN to contain larger amount of rules


The hpmd (HIFN Pattern Match Detection) communication protocol is designed to provide effective communication between the proxy and the virus scan sever. It defines the message format and manner of the interaction ways between them.


Data sent from the proxy to the virus scan server should be encapsulated as the following message format in Figure 3.2. The message contains two parts; the eight-byte message header and the data that need to be scanned. The message header contains a 16-bit flag, a 16-bit file ID and a 32-bit data length.

Fig.3.2 Message format from proxy to virus scan server. Message Header: 8 bytes

Fig.3.3 Flag format of request.

Flag: 16-bits Bit 0 : This bit should be set to 0 for request packet.

Bit 1~13 : reserved Bit 14~15: block flag 0 0 - the middle data block in file 0 1 - the first data block in file 1 0 - the last data block in file 1 1 - the full file File ID: 16-bits integer, file identification. A file can be divided into blocks and sent to the server for virus scan. The File ID is used to identify which file the block belongs to. Data Length: 32-bits integer, indicate the length of data need to be scanned, it is the length of message data, not includes the length of the message header. Message Data: Message data is a character sequence. It is the data block sent from the proxy to the server for a virus scan, and the length of the data is indicated by the "Data Length" parameter in the message header.


The response coming from the virus scan server should be formatted as the following message format in Figure 3.4. The message contains two parts, the 8-byte message header and the data responded from server. The message header contains a 16-bit flag, a 16-bit file ID and a 32-bit data length. The request message and the response message are of the compatible formats.

Fig.3.4 Message format from virus scan server to proxy. Message Header: 8 bytes

Fig.3.5 Flag format of response. Flag: 16-bits Bit 0: This bit should be set to 1 for response packet. Bit 1~9: reserved Bit 10: unexpected errors when 1 is set Bit 11: viruses found when 1 is set Bit12~15: reserved File ID: 16-bits integer, file identification. After a block is scanned, the server will send the result to the proxy; and the File ID is used to indicate which file the block belongs to. Data Length: 32-bits integer, indicate the length of data responded from server, it is the length of Attribute Data, not including the length of message header.

Fig.3.6 Attribute data format.

Fig.3.7 Attribute format.

Attribute Data: Attribute data is the response sent from the server to the proxy as the result of scan, which includes one or more attributes, the length of attribute data is indicated by the "Data Length" parameter in the message header. Type : 8-bits, Indicate the scan result

Length: 8-bits integer; the length of the attribute value Value : a character sequence; the length of the "value" is indicated by the "length" field Attribute field:  Type: 0 - The scanned block in the file is normal, the scanned block length will be returned as the value. Length: 4 - The value of the block length will occupy 4-bytes. Value: The block length has been scanned

 Type: 1 - Viruses are found in the block. The virus name will be returned as the value. Length: The string length of the virus name Value: The virus name  Type:2 - There are errors during the virus scan, the error bitmap will be returned as value Length: 4 - The value of the error bitmap will occupy 4 bytes. Value: The error bitmap


To make the virus scan server work, a function module hpmd should be run on the server to communicate with the proxy and call the functions of YUQUAN. The processing of hpmd communication protocol is as follows. 1. When the proxy gets a file from ftp server, it will divide the file into blocks according to the block size, encapsulate these blocks in the stated message format and send them to hpmd. For the message sent from the proxy to hpmd, the bit 0 of flag field should be set to 0. If the file size is bigger than the block size, the file will be separated into blocks. For the first block, middle block and last block in the file, bit 14~15 of flag should be set to "0 1", "0 0" and "1 0" respectively. If the file size is less than or equal to the block size, the file does not to be separated. The block will be a full file and bit 14~15 of flag will be set to "1 1". File ID field should be set correctly. It can be used to identify the file that the block belongs to. The Data Length field is the length of the block to be scanned. Data field is not a pointer to the block. It is the block of data itself. The block of data should fill in the data field completely. 2. The hpmd on the virus scan server will receive the messages from proxy and send them to the simulation software or YUQUAN for a virus scan. Hpmd can process multiple requests from the proxy and support multiple clients. If viruses are found in the block, or errors occur during the operation, the subsequent blocks in the same file (according to File ID) need not to be scanned,

the blocks in the same file will be deleted and a corresponding response will be encapsulated in the stated message format which will be sent to the proxy. If the block is normal, the subsequent blocks in the same file will be sent for a virus scan until all the blocks in the file are scanned or abnormity (virus or error) occurred. For the message sent from hpmd to proxy, the bit 0 of the flag field should be set to 1. For the virus block, the bit 11 will be set to 1. For the error block, the bit 10 will be set to 1. For the normal block, the bit 10~11 will be "0 0". That the bit 10~11 is "1 1" should not occur. 3. When the proxy receives the response from hpmd, it will check the response type. If the response is virus found or if an error occurred, the proxy will not send the block to the user and it deletes all the blocks with the same File ID to the block (since virus has been found or error occurs, the remain blocks of the file need not to be scanned). If the response is normal, the proxy will send the block to the user and deletes the block only. The hpmd communication protocol has the following advantages. 1. It saves the disk space: First, the virus scan server does not need to keep the data block for a long time. After a data block is sent to YUQUAN for a scan, the data block can be deleted. Second, when the proxy receives the scan result, if a virus or an error occurs, all the data blocks belong to the same file will be deleted. If it is normal, the data block will be sent to the client. The proxy does not need to keep the block anymore. 2. Suitable for high-speed networks: Hpmd is designed to support multiple clients. It is a single process multiple threads function module. So hpmd is of great parallelism. Experimental results show that two hpmds will enhance the throughput of the virus scan greatly. 3. It is easy to realize: Hpmd communication protocol is easy to realize. First, the message format is simple. Second, there are many open source codes can be used such as the frox.


Figure 3.1 showed the basic architecture of HVSS. The implementation of HVSS contains two aspects: the hardware and the software. In the hardware aspect, it includes a proxy and a virus scan server equipped with YUQUAN. In the software aspect, it is mainly the implementation of hpmd communication protocol which includes the communication modules on both sides: the proxy and the virus scan server. At present, HVSS have only realized the function of the virus scan for the ftp. In future HVSS will be extended to support more protocols, such as http, telnet and so on. For the virus scan of ftp, an improved open source codes frox works on the proxy. Frox is a transparent ftp proxy which is released under the GPL. It optionally supports caching, either through an external http cache such as Squid or by maintaining a cache locally; and/or running a virus scanner, on downloaded files. It is written with security in mind. An hpmd module works on the virus scan server. It is a software module developed independently. The hpmd communication protocol is realized between the frox and the hpmd. The processing of the protocol is as shown above. There is something that needs to be noted during the implementation. First, the action of hpmd: 1. When the response of a block has been sent from hpmd to frox, the block does not need to be stored in the server, it will be deleted. 2. When a virus and an error occur at the same time, the virus has the higher priority and the response message of the block should be marked as virus. 3. The response message can include multiple attributes. These attributes should be of the same type. It occurs in the situation where multiple viruses are found in one block. Each virus is in accordance with an attribute.

4. When a virus or an error occur during the processing of a block, the subsequent blocks in the same file will not be scanned and all the blocks with the same File ID on the hpmd will be deleted. Second, the action of frox: 1. Frox will divide file into blocks according the default block size. These blocks will be identified according to the File ID. 2. After frox receives the response message from hpmd, it will do corresponding process according to the flag of message. If the scan result of the block is virus or error, frox will not send the block to the user, and will delete all the blocks with the same File ID as the scanned block. If the block is normal, frox will send the block to the user and will delete the block from buffer.


HVSS can support all kinds of protocols. Here, HVSS is being tested with ftp protocol for which it is easy to get the open source ftp proxy (the frox) easily. The test environment is as follows: The ftp server is the AMD Athlon 64 Processor, 1.8GHz CPU, 512KB Cache and 512MB Memory. The frox gateway is Intel Pentium D CPU 2.8GHz, 2MB Cache, 2GB Memory. IXIA1600T is a special device to test the throughput of HVSS. Ixia 1600T is a 16-slot Traffic generator/performance analyzer. It has multiple Gigabit port and can generate a large throughput of data packets. Ixia test systems deliver the industry's most comprehensive solutions for the performance, functional, and conformance testing of networks and applications. The experiment is as follows: IXIA is configured as ftp client, and downloads a total of 1000MB different size of files from one or more ftp servers through ftp proxy (the frox). IXIA can simulate multi ftp clients and test the throughput flow through the enabled port. The four kinds of situations are compared below: 1. Ixia with a single frox and hpmd disabled network configuration 2. Ixia with single frox and hpmd enabled network configuration 3. Ixia with two froxes and hpmd disabled network configuration 4. Ixia with two froxes and hpmd enabled network configuration


Fig. 4.1 Ixia with single frox, hpmd disabled network configuration

Table4.1. Results for single frox, with Virus scan disabled File size(Bytes) 4MB 1MB 256KB 64KB 15M(Clean) 15M(virus at begin) 15M(virus at middle) 15M(virus at end) Throughput(Mbps) 424 384 184 200 424 424 424 424


Fig.4.2 Ixia with single frox, hpmd enabled network configuration

Table4.2. Results for single frox, with Virus scan enabled File size(Bytes) 4MB 1MB 256KB 64KB 15M(Clean) 15M(virus at begin) 15M(virus at middle) 15M(virus at end) Throughput(Mbps) 408 384 176 184 408 416 408 408


Fig. 4.3 Ixia with two froxes, hpmd disabled network configuration Table4.3. Results for two froxes, with Virus scan disabled File size(Bytes) 4MB 1MB 256KB 64KB 15M(Clean) 15M(virus at begin) 15M(virus at middle) 15M(virus at end) Throughput(Mbps) 920 816 440 424 920 920 920 920


Fig.4.4 Ixia with two froxes, hpmd enabled network configuration Table4.4 Results for two froxes, with Virus scan enabled File size(Bytes) 4MB 1MB 256KB 64KB 15M(Clean) 15M(virus at begin) 15M(virus at middle) 15M(virus at end) Throughput(Mbps) 792 704 392 376 776 864 824 776

The results with hpmd disabled reflect the real throughput of our network testing environment. It can be seen from Figure 4.3 and Table 4.3 that, the proposed network is near to Gbps and can be used as a high-speed network environment

Fig. 4.5 The throughput comparison of these four kinds of situations Figure 4.5 shows the throughput comparisons of these four kinds of situations. From these figures, we can draw the following conclusions: 1. When downloading files from ftp servers, the virus scan does not have obviously effect on the throughput of ftp. Comparing the curves with virus scan enabled and disabled, it can be found that when virus scan is enabled, the throughput of ftp does not have obviously reduction. It proves that the virus scan is fast enough to work on the high-speed network. It can reach nearly 900Mbps when two froxes are used. 2. When doubling the number of the frox, the throughput of ftp is almost doubled. First, it proves that HVSS has good expansibility. Second, the virus scan is fast with hardware accelerated. 3. The throughput of large files is higher than small files. The reason is that, when download a total of 1000MB of data, there are more small files than large files. The small files will waste more transfer time. Of course, the file size cannot be infinite. There is a balance point. Experiments show that the performance is higher with a file size between 1MB and 15MB. According to the testing results, HVSS does not affect the bandwidth of the high-speed network, and it has good expansibility. It can support the virus scan for more ftp servers at the same time

HVSS is designed for the high-speed network. In order to work on a high-speed network, HVSS uses an accelerator card to accelerate the virus scan. In the meantime, a special protocol is designed to provide effective communication between the proxy and the virus scan server. The protocol is easy to realize and has a lower error rate and makes HVSS work swimmingly. Experimental results show that HVSS does not have obviously effect on the bandwidth of a highspeed network and has good expansibility. It can provide virus scan for multiple ftp servers at the same time. Though only tested with ftp protocol, HVSS is designed to support multiple protocols from the beginning. It can be used to scan data encapsulated in other protocols with little modification. HVSS will be improved further in immediate future.


Table 4.1 Results for single frox, with Virus scan disabled Table 4.2 Results for single frox, with Virus scan enabled Table 4.3 Results for two froxes, with Virus scan disabled Table 4.4 Results for two froxes, with Virus scan enabled Fig 3.1 System architecture Fig 3.2 Request message format Fig 3.3 Flag format Fig 3.4 Response message format Fig 3.5 Flag format Fig 3.6 Attribute data format Fig 3.7 Attribute format Fig 4.1 Ixia with single frox, hpmd disabled network configuration Fig 4.2 Ixia with single frox, hpmd enabled network configuration Fig 4.3 Ixia with two froxes, hpmd disabled network configuration Fig 4.4 Ixia with two froxes, hpmd enabled network configuration Fig 4.5 Performance graph 20 21 22 23 10 11 11 13 13 14 14 20 21 22 23 24

1. H. T. Zhang, The technology of computer virus and anti-virus, Publisher: Tsinghua University Publishing Company, 2nd edition, December, 1996. 2. P. Szor, The art of computer virus research and defense, Publisher: Addison Wesley Professional, February 03, 2005. 3. F. B. Cohen, A Short Course on Computer Viruses, Wiley Professional Computing, New York, 2nd edition, 1994, ISBN: 0471007684. 4. IEEE paper, Virus scan system based on hardware acceleration By, Baojun Zhang, Jiebing Wang and Xuezeng Pan 5. V. V. Bontchev, Methodology of computer anti-virus research, University of Hamburg Dissertation, 1998. 6. J. V. Neumann, The general and logical theory of automata, Hixon Symposium, 1948. 7. 8.