In order to improve the current performance bottlenecks facing IPS, false positive, false negative and attack speed issue etc, this paper presents a distributed “analysis and testing+centralized control+upgrade services” Architecture for Network Intrusion Detection and Prevention System. Analysis and testing can be achieved mainly through protocol identification and analysis, protocol anomaly detection, traffic anomaly detection and response methods. Centralized control is primarily used for intrusion detection and prevention monitoring and control system operation and system configuration. Upgrade Service is responsible for regular upgrades attack signature updates to make sure that the system provides the most cutting-edge security. Compatible with other security products, this system forms the depth of defense, to protect businesses and organizations to maximize network security.