In the VERCA research project, an intelligent CIDS with a high detection rate of known and unknown attacks and parallelisation options is to be developed that meets current requirements for effective protection against complex attacks (such as DDoS and APT) on IT and network infrastructures. In particular, the following core problems must be investigated for this purpose:

• Developing approaches to detect modern highly distributed attacks, combining anomaly-based and signature-based models in the form of a hybrid approach.
• Determination of an effective dynamic communication architecture of the CIDS (centralised, hierarchical, fully distributed or combinations thereof, possibly based on distributed peer-to-peer algorithms).
• Development of efficient distribution and correlation mechanisms so that exchanged alert information from different IT infrastructures leads to more effective local anomaly detection and thus distributed attack scenarios can be detected at an early stage through a global view (granularity of information, global monitoring)
• Collective exchange of security-critical information and resolution of occurring model conflicts between system components (including signature matching and majority voting)
• Categorisation of occurring alarms and derivation of suitable preventive measures to protect against recurring attacks
• Securing the overall system against external and internal compromise attempts: as an IT system, a CIDS itself must be hardened against attacks (Resilient CIDS), so that concepts for global security solutions such as confidentiality and integrity of exchanged information, but also access control mechanisms and system availability must be investigated and solution approaches developed and implemented
• Development of new methods for preserving local and global data protection policies when exchanging sensitive data for the overall system
• Development of a visualisation concept with isolated views for the involved parties
• Further development of suitable network management and monitoring solutions (cf. SDN/NFV, streaming telemetry) for early detection and containment of anomalies in network traffic and support of proactive defence procedures
• Shifting the detection and correlation mechanisms towards a programmable control/date plane of the network used (cf. In-Network Attack Detection, In-band Telemetry)
• Close interlocking of CIDS components with network and cloud infrastructure platforms as a basis for dynamic and adaptive detection of distributed attacks and reduction of the false positive rate through the inclusion of management, discovery and logging data of the monitored infrastructure.
• Inclusion of machine learning methods for the evaluation of fine-granular and high-resolution management and streaming logging data (cf. Cognitive Management, Network Automation).
• Prototypical implementation of a scalable CIDS for massively distributed IT infrastructures.