Argus – Audit Record Generation and Utilization System

Last updated • 4 min readFrom Wikipedia, The Free Encyclopedia

Argus – the Audit Record Generation and Utilization System is the first implementation of network flow monitoring, and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years. [1] .

Contents

Network Flow Monitoring Timeline Network Flow Monitor Timeline.png
Network Flow Monitoring Timeline

The Argus Project is focused on developing all aspects of large scale network situational awareness and network audit trail establishment in support of Network Operations (NetOps), Performance, and Security Management. Motivated by the telco Call detail record (CDR), Argus attempts to generate network metadata that can be used to perform a large number of network management tasks. Argus is used by many universities, corporations and government entities including US DISA, DoD, DHS, FFRDCs, and GLORIAD, the NSF International network when it was operational. Argus is a Top 100 Internet Security Tool, and has been on the list for over 15 years (maybe longer). [2]

Argus is designed to be a real-time situational awareness system, and its data can be used to track, alarm and alert on wire-line network conditions at up to 400Gbps. The data is used to establish a comprehensive audit of all network traffic, as described in the Zero trust security model, which was initially described in the Red Book, US DoD NCSC-TG-005, [3] supplementing traditional Intrusion detection system (IDS) based network security. [4]

The audit trail has traditionally been used as historical network traffic measurement data for network forensics [5] and Network Behavior Anomaly Detection (NBAD). [6] Argus has been used extensively in cybersecurity, end-to-end performance analysis, software-defined networking (SDN) research. [7] , and recently a very large number of AI/ML research papers. Argus is used to develop network attack datasets, such as the UNSW-NB15 Dataset. [8] Argus has also been a topic in standards for Network Security and Network Management development, as early as RMON (1995) [9] and IPFIX (2001). [10] and more recently at ENISA.

Argus is composed of an advanced comprehensive network flow data generator, the Argus monitor, which processes packets (either capture files or live packet data) and generates detailed network traffic flow status reports of all the flows in the packet stream. Argus monitors all network traffic, data plane, control plane and management plane, not just Internet Protocol (IP) traffic. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission (data networks), and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as Layer 2 addresses, tunnel identifiers (MPLS, GRE, IPsec, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP detection), host flow control indications, etc... Argus has implemented a number of packet dynamics metrics specifically designed for cyber security. Argus detects human typing behavior in any flow, but of particular interest is key-stroke detection in encrypted SSH tunnels. [11] and Argus generates the Producer Consumer Ratio (PCR) which indicates whether a network entity is a data producer and/or consumer, [12] an important property when evaluating the potential for a node to be involved in an Advanced persistent threat (APT) mediated exfiltration.

Argus is an Open Source (GPL) project, owned and managed by QoSient, LLC, and has been ported to most operating systems and many exotic hardware accelerated platforms, such as Bivio, Pluribus, Arista, and Tilera. The software should be portable to many other environments with little or no modifications. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.

Supported platforms

Related Research Articles

In computing, traceroute and tracert are diagnostic command-line interface commands for displaying possible routes (paths) and transit delays of packets across an Internet Protocol (IP) network.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

tcpdump Data-network packet analyzer

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

Network utilities are software utilities designed to analyze and configure various aspects of computer networks. The majority of them originated on Unix systems, but several later ports to other operating systems exist.

An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The two primary categories of application firewalls are network-based and host-based.

NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination traffic, class of service, and the causes of congestion. A typical flow monitoring setup consists of three main components:

A dedicated hosting service, dedicated server, or managed hosting service is a type of Internet hosting in which the client leases an entire server not shared with anyone else. This is more flexible than shared hosting, as organizations have full control over the server(s), including choice of operating system, hardware, etc.

In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of packet capture, that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.

In computing, ioctl is a system call for device-specific input/output operations and other operations which cannot be expressed by regular file semantics. It takes a parameter specifying a request code; the effect of a call depends completely on the request code. Request codes are often device-specific. For instance, a CD-ROM device driver which can instruct a physical device to eject a disc would provide an ioctl request code to do so. Device-independent request codes are sometimes used to give userspace access to kernel functions which are only used by core system software or still under development.

Netlink is a socket family used for inter-process communication (IPC) between both the kernel and userspace processes, and between different userspace processes, in a way similar to the Unix domain sockets available on certain Unix-like operating systems, including its original incarnation as a Linux kernel interface, as well as in the form of a later implementation on FreeBSD. Similarly to the Unix domain sockets, and unlike INET sockets, Netlink communication cannot traverse host boundaries. However, while the Unix domain sockets use the file system namespace, Netlink sockets are usually addressed by process identifiers (PIDs).

OSSEC (Open Source HIDS SECurity) is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. OSSEC has a log analysis engine that is able to correlate and analyze logs from multiple devices and formats.

The Berkeley Packet Filter is a network tap and packet filter which permits computer network packets to be captured and filtered at the operating system level. It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received, and allows a userspace process to supply a filter program that specifies which packets it wants to receive. For example, a tcpdump process may want to receive only packets that initiate a TCP connection. BPF returns only packets that pass the filter that the process supplies. This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance. The filter program is in the form of instructions for a virtual machine, which are interpreted, or compiled into machine code by a just-in-time (JIT) mechanism and executed, in the kernel.

<span class="mw-page-title-main">OpenBSD</span> Operating system

OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. The OpenBSD project emphasizes portability, standardization, correctness, proactive security, and integrated cryptography.

<span class="mw-page-title-main">Junos OS</span> Real-time operating system (RTOS) software

Junos OS is a FreeBSD-based network operating system used in Juniper Networks routing, switching and security devices.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

Tiger is a security software for Unix-like computer operating systems. It can be used both as a security audit tool and a host-based intrusion detection system and supports multiple UNIX platforms. Tiger is free under the GPL license and unlike other tools, it needs only of POSIX tools, and is written entirely in shell language.

ngrep Packet analyser

ngrep is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.

The OpenBSD Cryptographic Framework (OCF) is a service virtualization layer for the uniform management of cryptographic hardware by an operating system. It is part of the OpenBSD Project, having been included in the operating system since OpenBSD 2.8. Like other OpenBSD projects such as OpenSSH, it has been ported to other systems based on Berkeley Unix such as FreeBSD and NetBSD, and to Solaris and Linux. One of the Linux ports is supported by Intel for use with its proprietary cryptographic software and hardware to provide hardware-accelerated SSL encryption for the open source Apache HTTP Server.

The following outline is provided as an overview of and topical guide to computer security:

References

  1. "Openargus - Publications".
  2. "Home". sectools.org.
  3. National Computer Security Center (31 July 1987). "Trusted Network Interpretation (NCSC-TG-005)". Computer Security Resource Center.
  4. Bejtlich, Richard (2008). The Tao of network security monitoring: beyond intrusion detection (Nachdr. ed.). Boston Munich: Addison-Wesley. ISBN   978-0321246776.
  5. Pilli, Emmanuel S.; Joshi, R. C.; Niyogi, Rajdeep (2010). "Network forensic frameworks: Survey and research challenges". Digit. Investig. 7 (1–2): 14–27. doi:10.1016/j.diin.2010.02.003.
  6. G. Nychis, V. Sekar, D Andersen, H Kim, H Zhang, An empirical evaluation of entropy-based traffic anomaly detection, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, pp 151–156, October 20–22, 2008, Vouliagmeni, Greece
  7. J. Naous, D. Ericson, A. Covington, G Appenzeller, N. McKeown, Implementing an OpenFlow switch on the NetFPGA platform, Symposium On Architecture For Networking And Communications Systems, pp. 1–9, 2008, San Jose, CA
  8. "The UNSW-NB15 Dataset | UNSW Research".
  9. ftp://ietf.org/ietf/rmonmib/rmonmib-minutes-94dec.txt
  10. "Argus-2.0.1".
  11. Saptarshi Guha, Paul Kidwell, Asgrith Barthur, William S Cleveland, John Gerth, and Carter Bullard. 2011. SSH Keystroke Packet Detection, ICS-2011—Monterey, California, Jan 9–11.
  12. Bullard, Carter; Gerth, John (2014-01-13). PCR - A New Flow Metric (PDF). FloCon 2014. Charleston, South Carolina, United States.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.