Argus – Audit Record Generation and Utilization System

Argus – the Audit Record Generation and Utilization System is the first implementation of network flow monitoring, and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years.^[1] [1].

Network Flow Monitoring Timeline

The Argus Project is focused on developing all aspects of large scale network situational awareness and network audit trail establishment in support of Network Operations (NetOps), Performance and Security Management. Motivated by the telco Call detail record (CDR), Argus attempts to generate network metadata that can be used to perform a large number of network management tasks. Argus is used by many universities, corporations and government entities including US DISA, DoD, DHS, FFRDCs, GLORIAD and is a Top 100 Internet Security Tool.^[2] Argus is designed to be a real-time situational awareness system, and its data can be used to track, alarm and alert on wire-line network conditions. The data can also be used to establish a comprehensive audit of all network traffic, as described in the Red Book, US DoD NCSC-TG-005,^[3] supplementing traditional Intrusion detection system (IDS) based network security.^[4] The audit trail is traditionally used as historical network traffic measurement data for network forensics^[5] and Network Behavior Anomaly Detection (NBAD).^[6] Argus has been used extensively in cybersecurity, end-to-end performance analysis, and more recently, software-defined networking (SDN) research.^[7] Argus has also been a topic in network management standards development. RMON (1995) ^[8] and IPFIX (2001).^[9]

Argus is composed of an advanced comprehensive network flow data generator, the Argus monitor, which processes packets (either capture files or live packet data) and generates detailed network traffic flow status reports of all the flows in the packet stream. Argus monitors all network traffic, data plane, control plane and management plane, not just Internet Protocol (IP) traffic. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission (data networks), and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as Layer 2 addresses, tunnel identifiers (MPLS, GRE, IPsec, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP detection), host flow control indications, etc... Argus has implemented a number of packet dynamics metrics specifically designed for cyber security. Argus detects human typing behavior in any flow, but of particular interest is key-stroke detection in encrypted SSH tunnels.^[10] and Argus generates the Producer Consumer Ratio (PCR) which indicates whether a network entity is a data producer and/or consumer,^[11] an important property when evaluating the potential for a node to be involved in an Advanced persistent threat (APT) mediated exfiltration.

Argus is an Open Source (GPL) project, owned and managed by QoSient, LLC, and has been ported to most operating systems and many hardware accelerated platforms, such as Bivio, Pluribus, Arista, and Tilera. The software should be portable to many other environments with little or no modifications. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.

Supported platforms

• Linux: Unix operating system running the Linux kernel
• Solaris: Unix operating system developed by Sun Microsystems
• BSD: Unix operating system family (FreeBSD, NetBSD, OpenBSD)
• OS X: Unix operating system developed by Apple Inc.
• IRIX: Unix operating system developed by Silicon Graphics
• AIX, Unix operating system developed by IBM
• Windows, (under Cygwin) operating system developed by Microsoft
• OpenWrt: Unix operation system running the Linux kernel on embedded devices

References

1. "Openargus - Publications".
2. "Home". sectools.org.
3. National Computer Security Center (31 July 1987). "Trusted Network Interpretation (NCSC-TG-005)". Computer Security Resource Center.
4. Bejtlich, Richard (2008). The Tao of network security monitoring: beyond intrusion detection (Nachdr. ed.). Boston Munich: Addison-Wesley. ISBN 978-0321246776.
5. Pilli, Emmanuel S.; Joshi, R. C.; Niyogi, Rajdeep (2010). "Network forensic frameworks: Survey and research challenges". Digit. Investig. 7 (1–2): 14–27. doi:10.1016/j.diin.2010.02.003.
6. G. Nychis, V. Sekar, D Andersen, H Kim, H Zhang, An empirical evaluation of entropy-based traffic anomaly detection, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, pp 151–156, October 20–22, 2008, Vouliagmeni, Greece
7. J. Naous, D. Ericson, A. Covington, G Appenzeller, N. McKeown, Implementing an OpenFlow switch on the NetFPGA platform, Symposium On Architecture For Networking And Communications Systems, pp. 1–9, 2008, San Jose, CA
8. ftp://ietf.org/ietf/rmonmib/rmonmib-minutes-94dec.txt
9. "Argus-2.0.1".
10. Saptarshi Guha, Paul Kidwell, Asgrith Barthur, William S Cleveland, John Gerth, and Carter Bullard. 2011. SSH Keystroke Packet Detection, ICS-2011—Monterey, California, Jan 9–11.
11. Bullard, Carter; Gerth, John (2014-01-13). PCR - A New Flow Metric (PDF). FloCon 2014. Charleston, South Carolina, United States.

External links

• Argus website