Statistical Network Traffic Analysis

In parallel with the IDS packet inspection, the Security Team also performs an automatic statistical analysis of all traffic flows into and out of CERN networks. This analysis makes it possible to identify compromised or infected PCs by their communication behavior: such PCs usually connect to a variety of other devices in order to, for example, perform network scans, spread their infection, or attack them. For forensic purposes, all these flows are stored for one year and purged afterwards. Access is restricted to the CERN Computer Security Team only.
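
The following is an added example, not CERN's own tooling, of how a host that connects to an unusually large number of other devices can be picked out of flow records. The page does not say which statistics are used; the flow tuple layout, the median/MAD score, the thresholds and the sample addresses (documentation ranges) are all assumptions made for this sketch.

```python
"""Fan-out outlier detection over flow records (illustrative, assumed method)."""
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed sample flows as (src_ip, dst_ip, dst_port) tuples."""
    flows = []
    # Ordinary hosts: each talks to between 2 and 5 distinct services.
    for host in range(1, 9):
        for peer in range(1, host % 4 + 3):
            flows.append((f"192.0.2.{host}", f"198.51.100.{peer}", 443))
    # One host contacting 120 distinct peers on one port (scan-like pattern).
    for peer in range(1, 121):
        flows.append(("192.0.2.50", f"203.0.113.{peer}", 445))
    return flows


def fan_out(flows):
    """Count the distinct destinations each source contacted."""
    peers = defaultdict(set)
    for src, dst, _port in flows:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def flag_outliers(counts, z_threshold=3.5, min_peers=20):
    """Return {src: score} for sources whose fan-out is a high outlier.

    The score is the modified z-score 0.6745 * (x - median) / MAD, which a
    single extreme host cannot distort the way it distorts mean and stddev.
    Both thresholds are assumed values to be tuned per network.
    """
    if not counts:
        return {}
    values = list(counts.values())
    med = median(values)
    # Floor the MAD at 1 so a uniform population does not divide by zero.
    mad = max(median([abs(v - med) for v in values]), 1.0)
    flagged = {}
    for src, n in counts.items():
        score = 0.6745 * (n - med) / mad
        # Only the high side matters: quiet hosts are not of interest here.
        if n >= min_peers and score > z_threshold:
            flagged[src] = round(score, 1)
    return flagged


if __name__ == "__main__":
    for src, score in flag_outliers(fan_out(build_sample_flows())).items():
        print(f"{src}: fan-out score {score}")
```

In practice the counts would be computed per time window, and known high fan-out systems such as DNS resolvers or monitoring hosts would be handled separately before scoring.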