Computer Security: transparent monitoring for your protection

Computer security can be handled in one of two ways: in secrecy, behind a black curtain; or out in the open, subject to scrutiny and with full transparency. We believe that the latter is the only right way for CERN, and have always put that belief into practice. In keeping with this spirit, here is a reminder of how we monitor (your) CERN activities in order to guarantee timely responses to computer security incidents.


We monitor all network traffic coming into and going out of CERN. Automatic tools look for suspicious patterns like connections to known malicious IP addresses, web pages or domains. They check for malicious files being downloaded and make statistical analyses of connections in order to identify unusual behaviour. The automatic analysis of the logs from the CERN Domain Name Servers complements this and provides a redundant means of detection.

We also constantly scan the CERN office network and keep an inventory of the individual network services running on each device: web servers, SSH clients, etc. The antivirus software installed on centrally-managed Windows computers provides our virus experts with alerts in the event of malicious or suspicious activity being discovered. For similar purposes, all e-mails into or out of CERN are automatically scanned by the Microsoft spam filters. Statistical tools identify mail accounts that send spam – it is only in very rare cases that people manage to send more than 3000 legitimate e-mails a day…

We monitor your logins, whether they are using SSH or the CERN Single Sign-On portal (  If the origin of the login is unusual in our eyes (and bear with us if it is not unusual for you!), we automatically notify you and ask you to check. We also automatically inspect all activities on our central computing clusters, including commands and parameters typed, network traffic and connections, manipulations to the kernel or installed software, etc. Finally, we monitor external feeds which, depending on their nature, report on compromised or vulnerable webpages, publish stolen password files, etc. Google Alerts helps us with that, too.

Most of these data sources are fed into a single analysis framework. Our new analysis infrastructure will be able to cope with the automatic live analysis of about one terabyte of data every day. If your account/webpage/device appears to be compromised or negatively affected, you will get an automatic notification. Let’s hope that you never do! For later use (e.g. for forensics purposes), all this data is stored for one year and then purged. Access is restricted to the CERN Computer Security Team only.

However, rest assured that the Computer Security Team has no right to “just” look at your activities for fun. Our accesses are governed by the CERN Computing Rules (OC5). Direct access to your mailbox or to your private files stored on CERN’s file systems is strongly regulated by the CERN Data Protection Policy (in draft) and its subsidiary policy and requires official authorisation by the Director-General. Any violation is considered to be professional misconduct and will result in dismissal.

For further information, questions or help, check our website or contact us at

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report

Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team