Argus – Audit Record Generation And Utilization System
Argus, the Audit Record Generation and Utilization System, is the first implementation of network flow monitoring and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years.

The Argus Project is focused on developing all aspects of large scale network situational awareness and network audit trail establishment in support of Network Operations (NetOps), Performance and Security Management. Motivated by the telco call detail record (CDR), Argus attempts to generate network metadata that can be used to perform a large number of network management tasks. Argus is used by many universities, corporations and government entities, including US DISA, DoD, DHS, FFRDCs and GLORIAD, and is a Top 100 Internet Security Tool. Argus is designed to be a real-time situational awareness system, and its data can be used to track, alarm and alert on wire-line network conditions. The data can also be used to establish a comprehensive audit of all network traffic, as described in the Red Book, US DoD NCSC-TG-005, supplementing traditional intrusion detection system (IDS) based network security. The audit trail is traditionally used as historical network traffic measurement data for network forensics and Network Behavior Anomaly Detection (NBAD). Argus has been used extensively in cybersecurity, end-to-end performance analysis and, more recently, software-defined networking (SDN) research. Argus has also been a topic in network management standards development: RMON (1995) and IPFIX (2001).

Argus is composed of an advanced comprehensive network flow data generator, the Argus monitor, which processes packets (either capture files or live packet data) and generates detailed network traffic flow status reports of all the flows in the packet stream. Argus monitors all network traffic, data plane, control plane and management plane, not just Internet Protocol (IP) traffic. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, goodput, loss, jitter, retransmission and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as Layer 2 addresses, tunnel identifiers (MPLS, GRE, IPsec, etc.), protocol ids, SAPs, hop-count, options, L4 transport identification (RTP detection), host flow control indications, etc.

Argus has implemented a number of packet dynamics metrics specifically designed for cyber security. Argus detects human typing behavior in any flow, but of particular interest is key-stroke detection in encrypted SSH tunnels. Argus also generates the Producer Consumer Ratio (PCR), which indicates whether a network entity is a data producer and/or consumer (https://qosient.com/argus/presentations/Argus.FloCon.2014.PCR.Presentation.pdf), an important property when evaluating the potential for a node to be involved in an advanced persistent threat (APT) mediated exfiltration.

Argus is an Open Source (GPL) project, owned and managed by QoSient, LLC, and has been ported to most operating systems and many hardware accelerated platforms, such as Bivio, Pluribus, Arista and Tilera. The software should be portable to many other environments with little or no modification. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.
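As an added example (this is not Argus's own code), the following Python sketch shows the two ideas from the paragraphs above in miniature: reducing a packet stream to bidirectional flow status records that carry duration, rate and load, and then computing the Producer Consumer Ratio per host from those records. The PCR formula used here (bytes sent minus bytes received, divided by their sum, giving -1 for a pure consumer and +1 for a pure producer) follows the FloCon 2014 presentation cited above. The packet records, the addresses, the 10.0.0.0/8 "internal" range and the 0.5 review threshold are constructed assumptions, and field names such as sbytes and dbytes are chosen to resemble Argus client output but are not taken from it.

```python
"""Flow aggregation and Producer Consumer Ratio (PCR) over constructed packets.

Added illustration, not Argus code. All packet data below is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet summaries:
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, bytes_on_wire)
PACKETS = [
    (0.00, "10.0.0.5", 51000, "203.0.113.7", 443, "tcp", 120),
    (0.05, "203.0.113.7", 443, "10.0.0.5", 51000, "tcp", 1400),
    (0.10, "203.0.113.7", 443, "10.0.0.5", 51000, "tcp", 1400),
    (0.15, "10.0.0.5", 51000, "203.0.113.7", 443, "tcp", 80),
    (1.00, "10.0.0.9", 52000, "198.51.100.20", 443, "tcp", 1460),
    (1.02, "10.0.0.9", 52000, "198.51.100.20", 443, "tcp", 1460),
    (1.04, "10.0.0.9", 52000, "198.51.100.20", 443, "tcp", 1460),
    (1.06, "198.51.100.20", 443, "10.0.0.9", 52000, "tcp", 66),
    (2.00, "10.0.0.5", 51001, "203.0.113.7", 443, "tcp", 1000),
    (2.50, "203.0.113.7", 443, "10.0.0.5", 51001, "tcp", 1000),
]


@dataclass
class Flow:
    """One bidirectional flow status record (field names modelled loosely
    on Argus client output; they are assumptions, not Argus's schema)."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str
    start: float
    last: float
    spkts: int = 0   # packets from initiator (src) to responder (dst)
    dpkts: int = 0   # packets from responder back to initiator
    sbytes: int = 0
    dbytes: int = 0

    @property
    def dur(self) -> float:
        return self.last - self.start

    @property
    def rate(self) -> float:
        """Packets per second over the flow's lifetime (0 for one-packet flows)."""
        return (self.spkts + self.dpkts) / self.dur if self.dur > 0 else 0.0

    @property
    def load(self) -> float:
        """Bits per second over the flow's lifetime (0 for one-packet flows)."""
        return (self.sbytes + self.dbytes) * 8 / self.dur if self.dur > 0 else 0.0


def aggregate(packets):
    """Data reduction step: fold packets into flows keyed by 5-tuple.

    The first packet seen for a 5-tuple defines the initiator (src) side;
    packets matching the reversed tuple are counted as the responder side.
    """
    flows = {}
    for ts, sip, sp, dip, dp, proto, nbytes in packets:
        fwd = (sip, sp, dip, dp, proto)
        rev = (dip, dp, sip, sp, proto)
        if fwd in flows:
            f = flows[fwd]
            f.spkts += 1
            f.sbytes += nbytes
        elif rev in flows:
            f = flows[rev]
            f.dpkts += 1
            f.dbytes += nbytes
        else:
            f = Flow(sip, sp, dip, dp, proto, ts, ts, 1, 0, nbytes, 0)
            flows[fwd] = f
        f.last = max(f.last, ts)
    return list(flows.values())


def pcr(sent: int, received: int) -> float:
    """Producer Consumer Ratio: +1 pure producer, -1 pure consumer, 0 balanced."""
    total = sent + received
    return (sent - received) / total if total else 0.0


def host_pcr(flows):
    """Per-host PCR from flow records, attributing bytes to each endpoint."""
    sent, recv = defaultdict(int), defaultdict(int)
    for f in flows:
        sent[f.saddr] += f.sbytes
        recv[f.saddr] += f.dbytes
        sent[f.daddr] += f.dbytes
        recv[f.daddr] += f.sbytes
    return {h: pcr(sent[h], recv[h]) for h in sent}


def flag_producers(flows, internal_cidr: str, threshold: float):
    """Triage helper: internal hosts acting as strong data producers.

    Internal endpoints are normally consumers of external services, so a
    high PCR is a prompt for review, not a verdict. Range and threshold are
    constructed assumptions.
    """
    net = ipaddress.ip_network(internal_cidr)
    return sorted(h for h, r in host_pcr(flows).items()
                  if ipaddress.ip_address(h) in net and r >= threshold)


if __name__ == "__main__":
    recs = aggregate(PACKETS)
    for f in recs:
        print(f"{f.saddr}:{f.sport} -> {f.daddr}:{f.dport} dur={f.dur:.2f}s "
              f"rate={f.rate:.1f}pps load={f.load:.0f}bps "
              f"sbytes={f.sbytes} dbytes={f.dbytes}")
    for host, r in sorted(host_pcr(recs).items()):
        print(f"{host:15} PCR={r:+.2f}")
    print("review:", flag_producers(recs, "10.0.0.0/8", 0.5))
```

In practice you would feed `host_pcr` from exported flow records rather than re-aggregating packets yourself; the aggregation step is included only to show the packets-to-flows reduction that makes long-term auditing affordable. A PCR near +1 for an internal host is one signal among several (volume, destination, time of day, duration) that an analyst would combine before escalating.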


Supported platforms

* Linux: Unix operating system running the Linux kernel
* Solaris: Unix operating system developed by Sun Microsystems
* BSD: Unix operating system family (FreeBSD, NetBSD, OpenBSD)
* OS X: Unix operating system developed by Apple Inc.
* IRIX: Unix operating system developed by Silicon Graphics
* AIX: Unix operating system developed by IBM
* Windows (under Cygwin): operating system developed by Microsoft
* OpenWrt: Unix operating system running the Linux kernel on embedded devices


External links


Argus website