Fighting malware and spam

How to achieve 10Gbps performance for integrated anti-virus and anti-spam network-based security systems

Jon Curnyn Detica

A growing trend within the anti-virus (AV) and anti-spam (AS) world is the use of specialist hardware that can accelerate certain functions that, up until now, have been performed in software. The main application for this hardware is not client PCs - where the processor is more than capable of supporting the AV and AS needs of a single user - but rather networks, like those found in large Internet service providers, where the number of users may scale into the millions and the volume of data to be scanned can be several gigabytes every second.

The first generation hardware approaches have relied on doing simple tasks, such as pattern matching, in silicon, leaving the software still to do heuristics and more complex content processing. As a result, although the performance bar has been raised, there is still a significant way to go to meet the demands of a truly real-time network-based AV and AS system.

This paper presents the latest advances in integrated anti-virus, anti-spam and IDS systems that can operate on 10Gbps networks in real-time at very low latency. I will explain how a silicon-based content processing engine can perform heuristics, message digests and other complex analysis techniques (as well as pattern matching and data unpacking) in hardware without impacting detection accuracy or the flexibility of adding new detection methods. I will also detail how the content processing engine techniques combine to form a truly integrated defense mechanism against blended virus, worm and spam attacks, including the use of information learnt from monitoring network traffic flows.