
JOURNAL OF NETWORKS, VOL. 7, NO. 9, SEPTEMBER 2012

Multi-core Processors based Network Intrusion Detection Method
Ziqian Wan
Department of Computer science, Sichuan University, Chengdu, China
Email: wan.ziqian@gmail.com

Gang Liang and Tao Li
Department of Computer science, Sichuan University, Chengdu, China.
Email: lianggang@cs.scu.edu.cn, litao@scu.edu.cn

Abstract: It is becoming increasingly hard to build an intrusion detection system (IDS) because of higher traffic throughput and the rising sophistication of attacks. Scale will be an important issue to address in the intrusion detection area. For hardware, tomorrow's performance gains will come from multi-core architectures in which a number of CPUs execute concurrently. In this work we take advantage of the full power of multi-core processors for intrusion detection. We present an intrusion detection system based on the Snort open-source IDS that exploits the computational power of the MIPS multi-core architecture to offload the costly pattern matching operations from the CPU, and thus increases the system's processing throughput. A preliminary experiment demonstrates the potential of this system. The experimental results indicate that this method can be used effectively to speed up intrusion detection systems.
Index Terms: Multi-core, intrusion detection system, network security, pattern matching

I. INTRODUCTION
Network intrusion detection system requirements have been steadily increasing over the past few years. Organizations need security systems that are flexible and adaptable in order to fight the increasing threats from virus attacks, software vulnerabilities and other malicious code, in addition to internal attacks [13].
Most network security architectures, such as firewalls and intrusion detection systems, detect attacks on the system by monitoring both the incoming and outgoing network packets [21]. Many intrusion detection systems compare network packets against a rule set. Rules usually have a filter specification based on the header fields of a network packet. If a packet matches one or more rules in the rule set, the system sends an alert message and logs the event to the log files.
Signature matching takes about 75 percent of the total CPU processing time in a modern NIDS [2], because the string matching algorithms must match every byte of each packet against a large set of strings drawn from all rules in the rule set. Take the open-source IDS Snort [18] as an example: it has more than 10000 strings that need to be matched for each packet, and memory is also needed to store the rules. Signature matching slows down the processing rate and reduces the IDS system's throughput.

Corresponding author: Gang Liang, lianggang@cs.scu.edu.cn. Manuscript received September 23, 2011.
2012 ACADEMY PUBLISHER
doi:10.4304/jnw.7.9.1327-1333

Much research has been done to improve packet-processing throughput [4, 7, 8, 11, 17, 25, 23]. Special hardware devices such as ASICs, network processors and GPUs have been used to deal with many packets concurrently. They are very efficient and perform well, but they are too complex to modify and program. Moreover, some of them are usually tied to one specific implementation.
Multi-core processing is widely used in modern network applications. MIPS is one of the most scalable, highest-performance, and lowest-power solutions for intelligent networking applications, which range from 100Mbps to 10Gbps full duplex. In this paper, we explore how MIPS multi-core is used to speed up the processing throughput of an intrusion detection system. We have implemented a prototype intrusion detection system that effectively utilizes multi-core for pattern matching operations in real time.
The paper is organized as follows: In the remainder of the Introduction we give an overview of the MIPS multi-core architecture that we used for this research. In Section 2 we briefly present a survey of related work. Sections 3 and 4 present our prototype architecture and the implementation details respectively. In Section 5 we evaluate and analyze our implementation. Finally, in Section 6 we present some conclusions.
A. Overview of the MIPS multi-core Architecture
We briefly describe the architecture of the CAVIUM Networks OCTEON MIPS multi-core processor in this section. There are up to 16 MIPS cores integrated onto each OCTEON MIPS processor, and each core supports a superset of the industry-standard MIPS 64 and MIPS 32 ISA. The cache hierarchy and memory sub-system are optimized for multi-core programming and provide efficient data sharing and minimal access latencies.
The MIPS multi-core system is one solution for intelligent networking applications. These software-compatible processors, with one to sixteen MIPS cores on a single chip, integrate next-generation networking I/O combined with the most advanced security, storage, and application hardware acceleration, providing unprecedented throughput and programmability for the Layer 2 to Layer 7 processing requirements of intelligent networks. DFA hardware is used in the MIPS system to speed up pattern matching. The DFA engines are dedicated pattern matching hardware and are much more efficient than a normal processor at string matching. The OCTEON architecture uses application-specific hardware acceleration and high-performance multi-core processor architecture techniques to speed up the processing rate. This combination can offer a high-performance and efficient solution for packet, content, and security processing. It also has well-defined algorithms and application-specific processing functions that are accelerated and automated through configurable hardware. Compared to alternative architectures, which rely on software implementations of these functions, the OCTEON architecture provides much higher efficiency, low power consumption and minimized development complexity. Highly configurable hardware automation is used for scheduling packet-processing work among all MIPS cores. This intelligent hardware can maximize the parallelism of processing among all the MIPS cores, and it ensures that both the required ordering and atomic sequences are maintained without explicit software locking.
II. RELATED WORK
An intrusion detection system (IDS) is a software application or device that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection is primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDS for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDS have become a necessary addition to the security infrastructure of nearly every organization.
There are two kinds of IDS detection: signature-based detection and anomaly-based detection. A signature is a pattern that corresponds to a known attack or type of attack. Signature-based detection is the process of comparing signatures against observed events to identify possible attacks. Signature-based detection is very effective at detecting known attacks but largely ineffective at detecting previously unknown attacks, attacks disguised by the use of evasion techniques, and many variants of known attacks. For example, if an attacker modified the malware in the previous example to use a filename of example.exe, a signature looking for example.exe would not match it.
Anomaly-based detection is the process of comparing definitions of normal activity against observed events to identify significant deviations. An IDS using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time. The major benefit of anomaly-based detection methods is that they can be very effective at detecting previously unknown attacks.
Most signature-based intrusion detection systems use regular expressions and finite automata [3, 16] to match patterns. Coit [9] combined Aho-Corasick keyword matching with the skipping feature of the Boyer-Moore algorithm [6] to improve the performance of Snort. Fisk gave a new algorithm called set-wise Boyer-Moore-Horspool [12], which is faster than Boyer-Moore. Tuck [21] proposed an optimized Aho-Corasick algorithm using path compression. Snort has used Aho-Corasick for exact-match pattern detection since version 2.6.
Many IDS use special hardware to speed up the inspection processing. Sidhu used a regular expression matching architecture for FPGAs [20], Baker implemented time- and area-efficient pattern matching on FPGAs [4], and Attig proposed a framework for packet header processing in reconfigurable network systems [3]. On-chip memory [4, 11] is used in several approaches to reduce the amount of memory, but as the number of characters to be searched increases, the consumption grows linearly. Some use network processors [5, 8, 10] to speed up throughput. Work based on computer clusters has also been proposed to offload the workload of a single computer processor [15, 19, 22, 24]. However, the cost is still high because of other costs such as a cluster management system. Some work offloads packet matching to a GPU [14]. However, the GPU programming was complicated, since the 6800GT did not support a general programming model for GPUs. The system encodes Snort rules and packets to textures and performs the string searching using the KMP algorithm on the 16 fragment shaders in parallel. However, it does not achieve any speed-up under normal-load conditions.
Snort is an open source network-based intrusion detection system. It can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. It can perform protocol analysis, content matching, and content searching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes, and stealth port scans. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user. The program then performs a specific action based on what has been identified.
Snort is useful when it is not cost efficient to deploy commercial IDS sensors. Modern commercial intrusion detection systems cost thousands of dollars at minimum, and tens or even hundreds of thousands in extreme cases. Snort is available under the GNU General Public License [GNU89] and is free for use in any environment, making the employment of Snort as a network security system more of a network management and coordination issue than one of affordability. It is a libpcap-based packet sniffer and logger that can be used as a lightweight network intrusion detection system (NIDS). It features rules-based logging to perform content pattern matching and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has real-time alerting capability, with alerts being sent to syslog, Server Message Block (SMB) WinPopup messages, or a separate alert file. Snort is configured using command line switches and optional Berkeley Packet Filter commands. The detection engine is programmed using a simple language that describes per-packet tests and actions. Ease of use simplifies and expedites the development of new exploit detection rules.
From version 2.6 onwards, Snort performs exact-match pattern detection using only flavors of Aho-Corasick. A variety of implementations are available, differentiated by the type of finite automaton they use. The best performance is achieved by the full deterministic finite automaton (DFA) version, at the cost of high memory utilization.
Regular expressions are also used in Snort rules for pattern matching. They provide flexibility in specifying the context of every match. The use of logical operators is very useful for specifying the context for matching a relevant pattern. Regular expressions can be matched efficiently by compiling the expressions into state machines, in a similar way to some fixed-string pattern matching algorithms.
III. OVERVIEW OF THE ARCHITECTURE
Though they both relate to network security, an intrusion detection system differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. Figure 1 shows our IDS system's deployment. Our system is between the firewall and the Internet. If the network contains a demilitarized zone (DMZ), our IDS may be placed in that zone as well.
The overall architecture of our system, shown in Figure 2, is based on the Snort IDS. We can separate the architecture of our system into three different tasks: the transfer of the packets to the MIPS cores, the pattern matching processing on the DFA hardware, and finally the transfer of the results back to the MIPS cores.

Figure 1: Overall architecture of IDS

A. Get Packet from the Network Interface
Packets are transferred from the network interface to the IDS system before they can be processed. Because of the overhead associated with the data transfer operation, we copy packets to the system memory in batches instead of transferring each packet separately.
Each packet captured from the network interface is put into a special data structure called work, and a new work head is added to each packet. The tag bits in the work head are used for multi-core based packet identification. The work units are decoded and processed before they are transferred to the DFA engines. Snort organizes the content signatures in groups based on the source and destination port numbers of each rule. A separate detection engine is used to search for the patterns of each rule group. There are more than 200 rule groups in Snort version 2.6, which has 7179 rules.
A buffer is used to temporarily store each group's packets. A packet is copied to the corresponding buffer once it has been classified into a specific group. All packets in a buffer are transferred to the DFA hardware when the buffer becomes full. The packets in the buffer are also transferred after a fixed time even if the buffer is not full.

Figure 2: Overall architecture of our system

B. Packets Processing in the System
The Snort rules are stored on the flash card before the system runs, and each rule is compiled into a state change graph during the initialization phase. The graphs are read into memory when the IDS system starts. In the searching phase, all the state change graphs reside in system memory, organized in different rule groups.
The DFA engines, which are used for pattern matching and regular expression acceleration, are part of the OCTEON architecture. MIPS cores manage these engines by submitting instructions with a pointer to the packet data located in L2 cache or memory and a pointer to the rules stored in the DDR2 memory. These acceleration engines walk through the rules and perform pattern matching on the relevant packet data in parallel. In addition, the RLDRAM2 memory serves as low-latency memory for generic MIPS software usage. There are MIPS instructions for accessing the RLDRAM2 memory.
Once the packets have been transferred to the DFA engines, we use the state machine to perform the pattern matching operation. It iterates through all the bytes of the input stream and moves the current state to the next correct state using the state change graph set constructed in the initialization phase.
C. Transfer the Detect Result to the System
When a DFA engine matches a pattern inside a work unit, it reports the result by appending it to a queue that has been previously allocated in the shared memory. Each report includes the ID of the rule that was matched and the index inside the packet where it was found. One MIPS core is used to get the reports from the queue and put them on the system's display.
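The matching path described in subsections A to C, as an added example that is not code from the paper, from Snort or from the OCTEON SDK: each rule group is compiled into an Aho-Corasick full DFA, a work unit is scanned with one table lookup per byte, and every hit is queued as (work unit, rule ID, index). The rule IDs, content strings, ports and payloads are constructed, the reported index is assumed to be the start offset of the match, and the DFA runs in software rather than on the hardware engines.

```python
from collections import deque

ALPHABET = 256  # a full DFA has one transition per byte value in every state

# Constructed rule groups keyed by destination port. The rule IDs and content
# strings are made up for this example; they are not real Snort SIDs.
RULE_GROUPS = {
    80: {9001: b"cmd.exe", 9002: b".exe", 9003: b"/etc/passwd"},
    21: {9101: b"USER root"},
}


def build_dfa(rules):
    """Compile {rule_id: pattern} into an Aho-Corasick full DFA.

    Returns (goto, out): goto[state][byte] is the next state and out[state]
    lists (rule_id, pattern_length) for every pattern ending in that state.
    """
    goto, out = [[-1] * ALPHABET], [[]]
    for rule_id, pattern in rules.items():      # 1. build the keyword trie
        state = 0
        for byte in pattern:
            if goto[state][byte] == -1:
                goto.append([-1] * ALPHABET)
                out.append([])
                goto[state][byte] = len(goto) - 1
            state = goto[state][byte]
        out[state].append((rule_id, len(pattern)))
    fail = [0] * len(goto)
    queue = deque()
    for byte in range(ALPHABET):                # 2. root: missing edges loop back
        if goto[0][byte] == -1:
            goto[0][byte] = 0
        else:
            queue.append(goto[0][byte])
    while queue:                                # 3. breadth-first fill of all edges
        state = queue.popleft()
        out[state] = out[state] + out[fail[state]]   # inherit suffix matches
        for byte in range(ALPHABET):
            nxt = goto[state][byte]
            if nxt == -1:
                goto[state][byte] = goto[fail[state]][byte]
            else:
                fail[nxt] = goto[fail[state]][byte]
                queue.append(nxt)
    return goto, out


def scan(dfa, payload):
    """Walk the DFA over every payload byte; return [(rule_id, start_index)]."""
    goto, out = dfa
    state, reports = 0, []
    for i, byte in enumerate(payload):
        state = goto[state][byte]               # one table lookup per byte
        for rule_id, length in out[state]:
            reports.append((rule_id, i - length + 1))
    return reports


def inspect_units(dfas, work_units):
    """Route (unit_id, dst_port, payload) work units to their group's DFA and
    return the report queue as [(unit_id, rule_id, start_index)]."""
    report_queue = deque()
    for unit_id, dst_port, payload in work_units:
        dfa = dfas.get(dst_port)
        if dfa is None:
            continue                            # no rule group for this port
        for rule_id, index in scan(dfa, payload):
            report_queue.append((unit_id, rule_id, index))
    return list(report_queue)


def table_entries(dfa):
    """Transition-table size: the memory cost of the full-DFA variant."""
    return len(dfa[0]) * ALPHABET


DFAS = {port: build_dfa(rules) for port, rules in RULE_GROUPS.items()}

# Constructed work units: (unit_id, destination port, payload).
WORK_UNITS = [
    (1, 80, b"GET /download/cmd.exe HTTP/1.0"),
    (2, 80, b"GET /index.html HTTP/1.0"),
    (3, 21, b"USER root\r\n"),
    (4, 80, b"POST /login USER root"),   # port-21 rule is not in group 80
    (5, 80, b"GET /etc/etc/passwd"),     # match found via a failure transition
]

if __name__ == "__main__":
    for report in inspect_units(DFAS, WORK_UNITS):
        print("unit %d matched rule %d at index %d" % report)
    print("group 80 table entries:", table_entries(DFAS[80]))
```

Work unit 1 produces two reports at the same end position because `.exe` is a suffix of `cmd.exe`, and the three short patterns of group 80 already need 23 states of 256 entries each, which illustrates the memory cost of the full-DFA variant.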
IV. BUILDING THE INTRUSION DETECTION SYSTEM
We have implemented the Snort system on the OCTEON 16 multi-core architecture. More than 7000 rules are used in our Snort-based multi-core system. The Snort IDS is divided into four parts in our system: the decode part, the preprocess part, the pattern match part and the out report part. We use the MIPS cores to process the decode, preprocess and out report parts, while the DFA engines are used for the pattern match part.
The PCRE library is used in Snort for regular expression matching. It uses a DFA for regular expression matching. PCRE provides a rich syntax for creating descriptive expressions, as well as extra modifiers that can enrich the behavior of the whole expression, like case-insensitive and multi-line matching. Moreover, Snort introduces its own modifiers based on internal information such as the position of the last pattern match or the decoded URI. These modifiers are very useful when an expression should be matched in relation to the end of the previous match.
A DFA can be efficiently implemented in software, because every possible input letter leads to at most one new state. We compile every rule in the Snort rule set into a state-changing graph, which is used in the searching phase to match the contents of a packet. Then we put all the graphs on the DFA hardware to speed up the processing throughput.
Our IDS system runs as follows. First, network packets captured from the network interface are put into work units and transferred to the work queue. Then, the MIPS cores decode and preprocess the work units, which are taken from the work queue. Next, the work units are divided into different groups by their source and destination address, and each unit group has a related buffer to store the work units. Then, the DFA engines process work units from the different group buffers, and the out reports are put into the out queue at the same time. Finally, the MIPS core gets the out reports from the output buffer, which has been allocated in the shared memory, and sends them to the system's display.
The Snort rules are stored in the flash memory before the system starts. The state change graphs used for each group are stored in the system's shared memory after they are created in the initialization phase. The system doesn't support dynamic modification of the state graphs. Thus, we must first change the rules in the flash memory and then rebuild the state change graphs by restarting the system.
There are four parts in a Snort detection system: packet decoder, preprocessor, detection engine and event output module.
The packet decoder takes packets from different types of network interfaces and prepares the packets to be preprocessed or to be sent to the detection engine. The interfaces may be Ethernet or SLIP. Our system gets the network packets from the Ethernet interface.
Preprocessors are components or plug-ins that can be used with Snort to arrange or change data packets before the detection engine does some operation to find out if the packet is being used by an intruder. Some preprocessors also perform detection by finding anomalies in packet headers and generating alerts. Preprocessors are very important for any IDS to prepare data packets to be analyzed against rules in the detection engine. Preprocessors are also used for packet defragmentation. When a big data chunk is transferred to a host, the packet is usually fragmented. Preprocessors in Snort can defragment packets, re-assemble TCP streams and so on.
The detection engine is the most important part of an intrusion detection system. Its responsibility is to detect whether any intrusion activity resides in a packet. The detection engine uses Snort rules for this purpose. The rules are read into internal data structures or chains where they are matched against all packets. If a packet matches any rule, the appropriate action is triggered; otherwise the packet is passed. Appropriate actions may be logging the packet or generating alerts. The detection engine stops further processing of a packet when a rule is matched. Depending upon the rule, the detection engine takes appropriate action by logging the packet or generating an alert. This means that if a packet matches criteria defined in multiple rules, only the first rule is applied to the packet without looking for other matches.
Event output modules can do different operations depending on how you want to save the output generated by the logging and alerting system of Snort. They can log the activity or generate an alert. Logs are stored in simple text files, tcpdump-style files or some other form. Basically, these modules control the type of output generated by the logging and alerting system.
We denote the workload of the four parts by $T_1$, $T_2$, $T_3$ and $T_4$. The processing rate of a MIPS core is $V$, and the processing rate of the DFA engines is $V_{dfa}$. If we use a MIPS core instead of the DFA engines to do the pattern matching, the processing time $T$ for a group of work units is defined as:
$$T = \frac{T_1 + T_2 + T_3 + T_4}{V}$$
However, the DFA engines are much faster than the MIPS core at pattern matching. The processing time $T_{dfa}$ for a group of work units using the DFA engines is defined as:
$$T_{dfa} = \frac{T_1}{V} + \frac{T_2}{V} + \frac{T_3}{V_{dfa}} + \frac{T_4}{V} + t$$
where $t$ is the time used to move packets from the group buffers to the DFA engines. Because all hardware uses the same shared memory, $t$ is a very small value. To estimate the advantage of using the DFA engines, we use the time difference between the two methods to analyze their performance. It is defined as:
$$T - T_{dfa} = \frac{T_3}{V} - \frac{T_3}{V_{dfa}} - t$$
where $T_3$ is the workload of pattern matching, which takes about 75% of the total CPU processing time of a modern IDS.
The DFA engine is special hardware designed in the OCTEON MIPS system for pattern matching, and it has high performance in pattern matching. Thus, we can see from Figure 3 that a system using the DFA engines processes much faster than a system without them, because of the large $V_{dfa}$ value and the small $t$ value.
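Carrying the model one step further (an added derivation, not part of the original paper; $W$ is a symbol introduced here for the total workload): let $W = T_1 + T_2 + T_3 + T_4$ and take the 75% figure as $T_3 = 0.75\,W$. Then
$$\frac{T}{T_{dfa}} = \frac{W/V}{0.25\,W/V + 0.75\,W/V_{dfa} + t} = \frac{1}{0.25 + 0.75\,\frac{V}{V_{dfa}} + \frac{tV}{W}}$$
As $V_{dfa} \to \infty$ and $t \to 0$ the ratio approaches $1/0.25 = 4$, so under this model offloading pattern matching alone speeds up a group of work units by at most a factor of four; the decode, preprocess and output work left on the MIPS cores sets the bound. Offloading pays off only when $T - T_{dfa} > 0$, that is, when $t < T_3\left(\frac{1}{V} - \frac{1}{V_{dfa}}\right)$.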
V. EVALUATION
In this section, we explore the performance of our implementation. First, we look at different packet sizes and how they affect overall performance. We then examine how the hardware performs in a realistic scenario. In our experiments we used the OCTEON CN38xx multi-core processor to build our IDS, which contains 16 MIPS processors organized in one multiprocessor, operating with 2GB of memory. We use network packets as small as 64 bytes and as large as 2048 bytes to test the throughput of the system.

Figure 3: The time difference for pattern matching

We can see from Figure 4 that the system can process more than 8Gbps of data when the packet size is 64 bytes. The throughput of the system is more than 10 Gbps when the average packet size is larger than 128 bytes.

Figure 4: Measured processing Performance for different size packets

To measure the system's connection establishment ability, we examine it with different numbers of cores. Figure 5 shows that a single core can process more than 90 thousand connections, while the system can process more than 1200 thousand TCP connections when 14 cores are used.

Figure 5: Measured TCP Performance

VI. SUMMARY
We have introduced an intrusion detection system that utilizes the MIPS multi-core structure to offload pattern-matching computation. We have implemented this structure on the OCTEON MIPS multi-core platform. Our system was able to achieve a maximum throughput of 8 Gbit/s using small 64-byte packets. Moreover, the system's throughput is more than 10 Gbit/s if the packet size is larger than 128 bytes.
VII. ACKNOWLEDGMENTS
We did this work at Network and Information Security Lab, Sichuan University. We would like to thank Qian Wang, Juanxi Yao and Zhongqiu Han for their valuable comments on this paper. The Chinese national science fund number 0873246 and 605731130 supported this work.
REFERENCES
[1] Aho, A., Corasick, M., 1975. Efficient string matching: an aid to bibliographic search. Communications of the ACM 18 (6), 333-340.
[2] Antonatos, S., Anagnostakis, K., Markatos, E., 2004. Generating realistic workloads for network intrusion detection systems. ACM SIGSOFT Software Engineering Notes 29 (1), 207-215.
[3] Attig, M., Lockwood, J., 2005. A framework for rule processing in reconfigurable network systems. In: Proceedings of the 13th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'05). IEEE, pp. 225-234.
[4] Baker, Z., Prasanna, V., 2004. Time and area efficient pattern matching on FPGAs. In: Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays. ACM, pp. 223-232.
[5] Bos, H., Huang, K., 2006. Towards software-based signature detection for intrusion prevention on the network card. In: Recent Advances in Intrusion Detection. Springer, pp. 102-123.
[6] Boyer, R., Moore, J., 1977. A fast string-searching algorithm. Communications of the ACM 20 (10), 762-772.
[7] Chen, N, and shen, 2011, System intrusion detection method based on classifier selection, Computer Engineering and Design, pp. 1280-1283.
[8] Clark, C., Lee, W., Schimmel, D., Contis, D., Koné, M., Thomas, A., 2004. A hardware platform for network intrusion detection and prevention. Network Processor Design: Issues and Practices 3, 99-118.
[9] Coit, C., Staniford, S., McAlerney, J., 2002. Towards faster string matching for intrusion detection or exceeding the speed of snort. In: DARPA Information Survivability Conference & Exposition II, 2001. DISCEX'01. Proceedings. Vol. 1. IEEE, pp. 367-373.
[10] De Bruijn, W., Slowinska, A., Van Reeuwijk, K., Hruby, T., Xu, L., Bos, H., 2006. Safecard: a gigabit ips on the network card. In: Recent Advances in Intrusion Detection. Springer, pp. 311-330.
[11] Dharmapurikar, S., Lockwood, J., 2008. Fast and scalable pattern matching for content filtering. In: Architecture for networking and communications systems, 2005. ANCS 2005. Symposium on. IEEE, pp. 183-192.
[12] Fisk, M., Varghese, G., NM., L. A. N. L., 2002. Applying fast string matching to intrusion detection. Citeseer.
[13] Garuba, M., Liu, C., Fraites, D., 2008. Intrusion techniques: Comparative study of network intrusion detection systems. In: Information Technology: New Generations, 2008. ITNG 2008. Fifth International Conference on. IEEE, pp. 592-598.
[14] Jacob, N., Brodley, C., 2006. Offloading IDS Computation to the GPU. In: Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual. IEEE, pp. 371-380.
[15] Kruegel, C., Valeur, F., Vigna, G., Kemmerer, R., 2005. Stateful intrusion detection for high-speed networks. In: Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on. IEEE, pp. 285-293.

[16] Paxson, V., 1999. Bro: a system for detecting network intruders in real time. Computer Networks 31 (23-24), 2435-2463.
[17] Paxson, V., Sommer, R., Weaver, N., 2008. An architecture for exploiting multi-core processors to parallelize network intrusion prevention. In: Sarnoff Symposium, 2007 IEEE. IEEE, pp. 1-7.
[18] Roesch, M., et al., 1999. Snort-lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX conference on System administration. Seattle, Washington, pp. 229-238.
[19] Schaelicke, L., Wheeler, K., Freeland, C., 2005. SPANIDS: a scalable network intrusion detection loadbalancer. In: Proceedings of the 2nd Conference on Computing Frontiers. ACM, pp. 315-322.
[20] Sidhu, R., Prasanna, V., 2005. Fast regular expression matching using FPGAs. In: Field-Programmable Custom Computing Machines, 2001. FCCM'01. The 9th Annual IEEE Symposium on. IEEE, pp. 227-238.
[21] Tavallaee, M. and Cybernetics, 2010, Toward credible evaluation of anomaly-based intrusion-detection methods, Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions on, pp. 516-524.
[22] Vallentin, M., Sommer, R., Lee, J., Leres, C., Paxson, V., Tierney, B., 2007. The NIDS cluster: Scalable, stateful network intrusion detection on commodity hardware. In: Recent Advances in Intrusion Detection. Springer, pp. 107-126.
[23] Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E., Ioannidis, S., 2008. Gnort: High performance network intrusion detection using graphics processors. In: Recent Advances in Intrusion Detection. Springer, pp. 116-134.
[24] Ganapathy, S. and Jaisankar, 2011, An Intelligent Intrusion Detection System Using Outlier Detection and Multiclass SVM, International Journal on Recent Trends in Engineering & Technology.
[25] Yu, F., Katz, R., Lakshman, T., 2005. Gigabit rate packet pattern-matching using TCAM. In: Network Protocols, 2004. ICNP 2004. Proceedings of the 12th IEEE International Conference on. IEEE, pp. 174-183.
Ziqian Wan is from Sichuan University, where he received a B.Sc in Computer Science in 2007. Following his graduation, he worked in the network and information security lab, Department of Computer, Sichuan University, China. Ziqian Wan joined the working group on Applied Security and Privacy (WASP) at UC Santa Cruz, which is a research division embedded within the well-established Storage Systems Research Center, in 2010. His research is about computer security and digital forensics.
Gang Liang has been a teacher and member of the network and information security lab in Sichuan University since fall of 2007. His research interests include computer security, network intrusion protection, computer immunity system, and computer security.
Tao Li is a professor in the department of computer science, Sichuan University, China. He is in charge of the network and information security lab in Sichuan University. His research interests include network security, computer security, and data disaster recovery and data storage.
