Network-based Intrusion Detection

In parallel with the statistical analysis of network traffic, the Security Team also runs the "Zeek" Intrusion Detection System (IDS). Zeek performs in-depth packet inspection, comparing packet contents against hundreds of thousands of different patterns (so-called "rules") that are managed through CERN's internal MISP instance.

These patterns stem from hundreds of affiliated computer security teams, CERTs and CSIRTs worldwide, supplemented with CERN's own proprietary patterns. They are targeted at finding malicious behaviour and infected or compromised devices, as well as certain policy violations (as defined in the subsidiary rules to CERN's Computing Rules).
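To make the matching step concrete, here is an added illustration that is not CERN's or Zeek's own code. It parses a small, constructed indicator feed written in the tab-separated layout used by Zeek's Intel framework (a `#fields` header followed by `indicator`, `indicator_type`, `meta.source`, `meta.desc` columns) and checks constructed `dns.log` and `conn.log` style records against it. The indicator values, feed names and log records are placeholders; the feed format and the `Intel::DOMAIN` / `Intel::ADDR` type names follow Zeek's documented conventions but are reproduced here from memory, so treat them as assumptions rather than a specification.

```python
"""Match Zeek-style log records against a threat-intel indicator set.

Added example, not CERN's or Zeek's code. Zeek's Intel framework performs this
kind of matching inside the sensor; this script mirrors the idea in plain
Python so the logic can be read and tested offline.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed intel feed in the Intel framework's tab-separated file layout.
# The indicators below are placeholders (RFC 2606 / RFC 5737 values), not IoCs.
INTEL_FEED = """#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc
bad.example\tIntel::DOMAIN\tmisp-feed-1\tconstructed C2 domain
203.0.113.7\tIntel::ADDR\tmisp-feed-2\tconstructed scanner address
"""

# Constructed Zeek log records, reduced to the fields the matcher needs.
DNS_LOG = [
    {"ts": "1700000000.1", "id.orig_h": "10.0.0.5", "query": "www.example.org"},
    {"ts": "1700000001.2", "id.orig_h": "10.0.0.9", "query": "cdn.bad.example"},
]
CONN_LOG = [
    {"ts": "1700000002.3", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.2"},
    {"ts": "1700000003.4", "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.7"},
]


@dataclass(frozen=True)
class Hit:
    """One indicator match: which internal host, which indicator, which feed."""
    ts: str
    orig_h: str
    indicator: str
    indicator_type: str
    source: str


def parse_intel(feed: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse an intel file into {indicator_type: {indicator: (source, desc)}}.

    Indicators are lower-cased so DNS names compare case-insensitively.
    """
    by_type: Dict[str, Dict[str, Tuple[str, str]]] = {}
    fields = None
    for line in feed.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # other metadata lines (e.g. #separator)
            continue
        if fields is None:
            raise ValueError("intel feed has no #fields header")
        rec = dict(zip(fields, line.split("\t")))
        by_type.setdefault(rec["indicator_type"], {})[rec["indicator"].lower()] = (
            rec["meta.source"], rec.get("meta.desc", ""))
    return by_type


def domain_candidates(name: str) -> Iterator[str]:
    """Yield the queried name and each parent domain (but not the bare TLD),
    so that a subdomain of a listed domain still produces a hit."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_dns(records: List[dict], intel: Dict[str, Dict[str, Tuple[str, str]]]) -> List[Hit]:
    """Check dns.log queries against Intel::DOMAIN indicators."""
    domains = intel.get("Intel::DOMAIN", {})
    hits = []
    for r in records:
        for cand in domain_candidates(r["query"]):
            if cand in domains:
                hits.append(Hit(r["ts"], r["id.orig_h"], cand, "Intel::DOMAIN", domains[cand][0]))
                break                     # one hit per record is enough
    return hits


def match_conn(records: List[dict], intel: Dict[str, Dict[str, Tuple[str, str]]]) -> List[Hit]:
    """Check conn.log responder addresses against Intel::ADDR indicators."""
    addrs = intel.get("Intel::ADDR", {})
    hits = []
    for r in records:
        ip = r["id.resp_h"]
        if ip in addrs:
            hits.append(Hit(r["ts"], r["id.orig_h"], ip, "Intel::ADDR", addrs[ip][0]))
    return hits


def run() -> List[Hit]:
    """Parse the constructed feed and match both constructed logs against it."""
    intel = parse_intel(INTEL_FEED)
    return match_dns(DNS_LOG, intel) + match_conn(CONN_LOG, intel)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The indicators are loaded into per-type hash maps, so each log record costs a handful of dictionary lookups regardless of how many indicators are loaded; that is what makes a feed of hundreds of thousands of patterns workable in line with live traffic. The parent-domain walk is the one place where a single record triggers more than one lookup, and it deliberately stops short of the bare top-level label so a feed entry can never match every query.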