**2.3.3 Central control module**

The central control module is the core of the whole system: it coordinates the other modules and provides centralized management. It sits at the centre of the system and connects to the intrusion prevention module and the log record module. Its main functions include:

Customized policy: the central control module can establish corresponding policies based on the intrusion detection and prevention logs.

Log management: the central control module can analyze, in real time, the intrusion prevention logs and firewall logs saved on the log server and provide corresponding statistical information.

System management: the central control module manages the various intrusion prevention nodes from the console, including dynamic management of intrusion detection rules and firewall rules, management of the log server, network traffic statistics and load balancing.

**2.3.4 Communication module**

This module is an important component for secure and reliable communication among the various modules of DXIPS. It mainly covers the communication among the central control module, the intrusion prevention module and the log record module.

To achieve interoperation among the modules, a general communication protocol is needed, which also simplifies the management of DXIPS. For example, if the central control module wants to disable the intrusion prevention function of a certain node, the console sends a control message to that node, and the node returns an acknowledgement message after it has shut down prevention normally.

The general communication protocol is an application-layer protocol: it is built on the standard TCP/IP protocol suite with a further layer of encapsulation.

Fig. 4. Customized protocol unit

60 Security Enhanced Applications for Information Systems

There are three ways for the log server to collect the intrusion detection log of Snort\_inline and the firewall log of Netfilter configured by IPtables:

**All the nodes of the intrusion prevention module interact directly with the log server**

Log records are output directly to the log database, using the Snort\_inline output plugin and the LOG target of IPtables. The drawback of this approach is higher system overhead, since the intrusion prevention module has to perform log operations in addition to intrusion detection and prevention. It also reduces the extensibility of the whole system, because log recording is implemented in duplicate on every node.

**The log server accesses the logs saved on every intrusion prevention node at regular intervals**

Although this approach reduces the overhead of the intrusion prevention module, it compromises the real-time performance of the whole system. The log server does not receive log information promptly, so the central control module is unable to monitor the protected network in real time.

**Apply a specialized log collection daemon**

These daemons are responsible for receiving and dispatching the logs of the various intrusion prevention nodes and saving them to the log server in a distributed network environment. Compared with the preceding approaches, this one shortens handling time, reduces system overhead and provides better extensibility.
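The daemon approach in code, as an added example written for this page rather than taken from DXIPS: a collection daemon receives raw Snort\_inline alert-fast lines and Netfilter LOG-target kernel-log lines from several nodes, normalises them into one record type and dispatches them to a store standing in for the log server. The two line formats are the standard Snort `alert_fast` output and the iptables `LOG` target output as syslog records it; the record schema, the in-memory store, the `LogCollectorDaemon` and `parse_line` names and the sample lines are all assumptions constructed for the example. Lines that match neither format are kept in a rejected list rather than dropped, so a malformed or tampered line stays visible to the operator.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LogRecord:
    """One normalised event, whichever node and log source it came from (assumed schema)."""
    node: str                  # intrusion prevention node that produced the line
    source: str                # "snort_inline" or "netfilter"
    timestamp: str
    event: str                 # Snort signature id (gid:sid:rev) or iptables --log-prefix
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


# Snort alert_fast output line, e.g.
# 03/21-14:02:11.123456  [**] [1:2003:8] ET SCAN ... [**] [Classification: ...] [Priority: 2] {TCP} 10.0.0.5:54321 -> 192.168.1.10:22
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Netfilter LOG target line as syslog records it from the kernel (prefix set with --log-prefix), e.g.
# Mar 21 14:02:12 ips-node1 kernel: [12345.678901] IPT-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 ... PROTO=TCP SPT=54321 DPT=22 ...
IPT_LOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?(?P<prefix>[A-Za-z0-9_-]+):\s+(?P<kv>IN=.*)$"
)


def parse_line(node: str, line: str) -> Optional[LogRecord]:
    """Normalise one raw line from a node; None when it matches neither format."""
    m = SNORT_FAST.match(line)
    if m:
        return LogRecord(node, "snort_inline", m["ts"], m["sid"], m["proto"], m["src"], m["dst"],
                         int(m["sport"]) if m["sport"] else None,
                         int(m["dport"]) if m["dport"] else None)
    m = IPT_LOG.match(line)
    if m:
        # KEY=VALUE tokens; bare flags such as DF or SYN carry no "=" and are skipped
        kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        if not all(k in kv for k in ("SRC", "DST", "PROTO")):
            return None
        return LogRecord(node, "netfilter", m["ts"], m["prefix"], kv["PROTO"], kv["SRC"], kv["DST"],
                         int(kv["SPT"]) if "SPT" in kv else None,
                         int(kv["DPT"]) if "DPT" in kv else None)
    return None


class LogCollectorDaemon:
    """Receives raw lines from the nodes and dispatches normalised records to a store that
    stands in for the log server (a dict here; a database table in a real deployment)."""

    def __init__(self) -> None:
        self.store: Dict[str, List[LogRecord]] = defaultdict(list)
        self.rejected: List[Tuple[str, str]] = []   # kept for review, never dropped silently

    def receive(self, node: str, line: str) -> bool:
        rec = parse_line(node, line)
        if rec is None:
            self.rejected.append((node, line))
            return False
        self.store[node].append(rec)
        return True

    def stats(self) -> Dict[str, Dict[str, int]]:
        """Per-node counts by source: the kind of summary the central control module reports."""
        out: Dict[str, Dict[str, int]] = {}
        for node, recs in self.store.items():
            counts: Dict[str, int] = defaultdict(int)
            for r in recs:
                counts[r.source] += 1
            out[node] = dict(counts)
        return out


# Constructed sample lines for this example (not captured from a real deployment)
SAMPLE_LINES = [
    ("ips-node1", "03/21-14:02:11.123456  [**] [1:2003:8] ET SCAN Potential SSH Scan [**] "
                  "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:54321 -> 192.168.1.10:22"),
    ("ips-node1", "Mar 21 14:02:12 ips-node1 kernel: [12345.678901] IPT-DROP: IN=eth0 OUT= "
                  "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TOS=0x00 "
                  "PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"),
    ("ips-node2", "03/21-14:02:13.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
                  "[Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.20"),
    ("ips-node2", "Mar 21 14:02:14 ips-node2 kernel: random text that is not a log line"),
]


def run_sample() -> LogCollectorDaemon:
    daemon = LogCollectorDaemon()
    for node, line in SAMPLE_LINES:
        daemon.receive(node, line)
    return daemon
```

Calling `run_sample().stats()` on the constructed lines yields one Snort and one Netfilter record for `ips-node1`, one Snort record for `ips-node2`, and the non-log line from `ips-node2` in `rejected`. In a real daemon `receive` would be fed from a socket per node and `store` would be a database write, but the normalisation step is the part that lets the central control module report across both log sources at once.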

The customized protocol header is composed of version, type and total length. The type field specifies the kind of message, such as control message, log message or acknowledgement message, according to its function; at the same time, the type field determines the format of the data.


Fig. 5. Format of customized protocol header

The format of the payload field varies according to the type field. The format of a sample log message is as follows:


Fig. 6. Format of payload field of a sample log message

The customized communication protocol provides better extensibility for new functions to be added later or for new communication needs. It also supports encryption for secure and reliable communication.
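As an added example (not code from the DXIPS paper), the framing and the console/node control exchange described in this section in Python. The page names the header fields but not their widths or codes, so the 1-byte version, 1-byte type, 2-byte total length, the type and command codes, the log payload layout, the 4 KiB frame limit and all function and class names are assumptions made for the example. The decoder checks the version and the declared length before trusting them, and the stream splitter refuses a length outside the header-to-limit range, so a peer cannot make the reader wait for, or buffer, an arbitrary amount of data.

```python
import socket
import struct
from typing import List, Tuple

# Assumed header layout: version (1 byte) | type (1 byte) | total length of header+payload
# (2 bytes, network byte order). The page names the fields; the widths are an assumption.
HEADER = struct.Struct("!BBH")
VERSION = 1
MAX_FRAME = 4096          # assumed upper bound on one frame; limits what a peer can make us buffer

# Assumed type codes for the three message kinds the page names
MSG_CONTROL, MSG_LOG, MSG_ACK = 1, 2, 3
# Assumed control commands and acknowledgement statuses
CMD_DISABLE_PREVENTION, CMD_ENABLE_PREVENTION = 1, 2
ACK_OK, ACK_ERROR = 0, 1

# Assumed payload layouts, one per type (the page says the payload format follows the type field)
CONTROL = struct.Struct("!BH")       # command, target node id
ACK = struct.Struct("!HB")           # node id, status
LOG = struct.Struct("!HI4s4sI")      # node id, unix time, src ip, dst ip, signature id


def encode(msg_type: int, payload: bytes) -> bytes:
    total = HEADER.size + len(payload)
    if total > MAX_FRAME:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(VERSION, msg_type, total) + payload


def decode(frame: bytes) -> Tuple[int, bytes]:
    """Validate one complete frame and return (type, payload); raise on anything inconsistent."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    version, msg_type, total = HEADER.unpack_from(frame)
    if version != VERSION:
        raise ValueError(f"unsupported protocol version {version}")
    if total != len(frame) or total > MAX_FRAME:
        raise ValueError("total length does not match frame")
    if msg_type not in (MSG_CONTROL, MSG_LOG, MSG_ACK):
        raise ValueError(f"unknown message type {msg_type}")
    return msg_type, frame[HEADER.size:]


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Cut complete frames off a TCP byte stream and return (frames, leftover bytes).
    A declared length below the header size or above MAX_FRAME is rejected outright
    rather than waited on, so a bogus length cannot wedge or bloat the reader."""
    frames: List[bytes] = []
    while len(buf) >= HEADER.size:
        _, _, total = HEADER.unpack_from(buf)
        if total < HEADER.size or total > MAX_FRAME:
            raise ValueError("invalid total length in stream")
        if len(buf) < total:
            break                      # rest of this frame has not arrived yet
        frames.append(buf[:total])
        buf = buf[total:]
    return frames, buf


def encode_log(node_id: int, unix_time: int, src_ip: str, dst_ip: str, sig_id: int) -> bytes:
    payload = LOG.pack(node_id, unix_time, socket.inet_aton(src_ip), socket.inet_aton(dst_ip), sig_id)
    return encode(MSG_LOG, payload)


def decode_log(payload: bytes) -> Tuple[int, int, str, str, int]:
    node_id, unix_time, src, dst, sig_id = LOG.unpack(payload)
    return node_id, unix_time, socket.inet_ntoa(src), socket.inet_ntoa(dst), sig_id


class PreventionNode:
    """Stand-in for the control handler of one intrusion prevention node."""

    def __init__(self, node_id: int) -> None:
        self.node_id = node_id
        self.prevention_enabled = True

    def handle(self, frame: bytes) -> bytes:
        msg_type, payload = decode(frame)
        if msg_type != MSG_CONTROL or len(payload) != CONTROL.size:
            return encode(MSG_ACK, ACK.pack(self.node_id, ACK_ERROR))
        command, target = CONTROL.unpack(payload)
        if target != self.node_id:      # never act on a message meant for another node
            return encode(MSG_ACK, ACK.pack(self.node_id, ACK_ERROR))
        if command == CMD_DISABLE_PREVENTION:
            self.prevention_enabled = False   # the node quits prevention normally, then acknowledges
        elif command == CMD_ENABLE_PREVENTION:
            self.prevention_enabled = True
        else:
            return encode(MSG_ACK, ACK.pack(self.node_id, ACK_ERROR))
        return encode(MSG_ACK, ACK.pack(self.node_id, ACK_OK))


def console_disable(node: PreventionNode) -> int:
    """The exchange from the text: the console sends a control message, the node answers with an ack."""
    request = encode(MSG_CONTROL, CONTROL.pack(CMD_DISABLE_PREVENTION, node.node_id))
    msg_type, payload = decode(node.handle(request))
    if msg_type != MSG_ACK or len(payload) != ACK.size:
        raise ValueError("node did not acknowledge")
    _, status = ACK.unpack(payload)
    return status
```

`console_disable(PreventionNode(7))` returns `ACK_OK` and leaves the node with prevention switched off; a control message addressed to a different node id is answered with `ACK_ERROR` and changes nothing. One caveat worth stating: a control message that disables prevention is exactly what an attacker on the management network would want to send, and as written any host that can reach the node's control port can send one. The page says the protocol supports encryption; in practice that exchange also needs authentication of the console (for example a MAC over each frame under a shared key, or TLS with mutual certificates), which this example leaves out.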
