Argus – Audit Record Generation and Utilization System

Argus – the Audit Record Generation and Utilization System is the first implementation of network flow monitoring, and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years.[1] [1].

Network Flow Monitoring Timeline

The Argus Project is focused on developing all aspects of large scale network situational awareness and network audit trail establishment in support of Network Operations (NetOps), Performance, and Security Management. Motivated by the telco Call detail record (CDR), Argus attempts to generate network metadata that can be used to perform a large number of network management tasks. Argus is used by many universities, corporations and government entities including US DISA, DoD, DHS, FFRDCs, and GLORIAD, the NSF International network when it was operational. Argus is a Top 100 Internet Security Tool, and has been on the list for over 15 years (maybe longer).[2]

Argus is designed to be a real-time situational awareness system, and its data can be used to track, alarm and alert on wire-line network conditions at up to 400Gbit/s. The data is used to establish a comprehensive audit of all network traffic, as described in the Zero trust security model, which was initially described in the Red Book, US DoD NCSC-TG-005,[3] supplementing traditional Intrusion detection system (IDS) based network security.[4]

The audit trail has traditionally been used as historical network traffic measurement data for network forensics[5] and Network Behavior Anomaly Detection (NBAD).[6] Argus has been used extensively in cybersecurity, end-to-end performance analysis, software-defined networking (SDN) research,[7] and recently a very large number of AI/ML research papers. Argus is used to develop network attack datasets, such as the UNSW-NB15 Dataset.[8] Argus has also been a topic in standards for Network Security and Network Management development, as early as RMON (1995) [9] and IPFIX (2001).[10] and more recently at ENISA.

Argus is composed of an advanced comprehensive network flow data generator, the Argus monitor, which processes packets (either capture files or live packet data) and generates detailed network traffic flow status reports of all the flows in the packet stream. Argus monitors all network traffic, data plane, control plane and management plane, not just Internet Protocol (IP) traffic. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission (data networks), and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as Layer 2 addresses, tunnel identifiers (MPLS, GRE, IPsec, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP detection), host flow control indications, etc... Argus has implemented a number of packet dynamics metrics specifically designed for cyber security. Argus detects human typing behavior in any flow, but of particular interest is key-stroke detection in encrypted SSH tunnels.[11] and Argus generates the Producer Consumer Ratio (PCR) which indicates whether a network entity is a data producer and/or consumer,[12] an important property when evaluating the potential for a node to be involved in an Advanced persistent threat (APT) mediated exfiltration.

Argus is an Open Source (GPL) project, owned and managed by QoSient, LLC, and has been ported to most operating systems and many exotic hardware accelerated platforms, such as Bivio, Pluribus, Arista, and Tilera. The software should be portable to many other environments with little or no modifications. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.

Supported platforms

edit

References

edit
  1. ^ "Openargus - Publications".
  2. ^ "Home". sectools.org.
  3. ^ National Computer Security Center (31 July 1987). "Trusted Network Interpretation (NCSC-TG-005)". Computer Security Resource Center.
  4. ^ Bejtlich, Richard (2008). The Tao of network security monitoring: beyond intrusion detection (Nachdr. ed.). Boston Munich: Addison-Wesley. ISBN 978-0321246776.
  5. ^ Pilli, Emmanuel S.; Joshi, R. C.; Niyogi, Rajdeep (2010). "Network forensic frameworks: Survey and research challenges". Digit. Investig. 7 (1–2): 14–27. doi:10.1016/j.diin.2010.02.003.
  6. ^ G. Nychis, V. Sekar, D Andersen, H Kim, H Zhang, An empirical evaluation of entropy-based traffic anomaly detection, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, pp 151–156, October 20–22, 2008, Vouliagmeni, Greece
  7. ^ J. Naous, D. Ericson, A. Covington, G Appenzeller, N. McKeown, Implementing an OpenFlow switch on the NetFPGA platform, Symposium On Architecture For Networking And Communications Systems, pp. 1–9, 2008, San Jose, CA
  8. ^ "The UNSW-NB15 Dataset | UNSW Research".
  9. ^ ftp://ietf.org/ietf/rmonmib/rmonmib-minutes-94dec.txt
  10. ^ "Argus-2.0.1".
  11. ^ Saptarshi Guha, Paul Kidwell, Asgrith Barthur, William S Cleveland, John Gerth, and Carter Bullard. 2011. SSH Keystroke Packet Detection, ICS-2011—Monterey, California, Jan 9–11.
  12. ^ Bullard, Carter; Gerth, John (2014-01-13). PCR - A New Flow Metric (PDF). FloCon 2014. Charleston, South Carolina, United States.
edit