Skip to Main Content
It is a trend to offload signature matching to a hardware engine for high-speed network content security applications. Most existing research works claim the achieved high throughput of the hardware engine only, but it is also significant to study the reasons behind the gap between the throughput of an integrated system and that of the hardware engine alone. We examine this issue by offloading virus scanning in ClamAV to a hardware engine BFAST*. Although the ideal throughput is 8.79 Gbps in the hardware simulation, the bus clock and launching scanning in each batch of data degrade the throughput to 3.01 Gbps, even if the DMA were infinitely fast and the data is already in the DMA buffer. The DMA speed in our platform is also a bottleneck, further degrading the throughput to 912.7 Mbps. The overall throughput of the system is only 151 Mbps, due to copying data from the user space into the DMA buffer. Transferring data from the user space into BFAST* takes about 90% of the total time. From the observations, we can tell how large the performance can be improved in each execution stage, if a solution is devised, e.g., a faster DMA or kernel-level scanning.