Argus – the Audit Record Generation and Utilization System is the first implementation of network flow monitoring, and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years.[1] http://resources.sei.cmu.edu/asset_files/Presentation/2014_017_001_90132.pdf.
The Argus Project is focused on developing all aspects of large scale network situational awareness and network audit trail establishment in support of Network Operations (NetOps), Performance, and Security Management. Motivated by the telco Call detail record (CDR), Argus attempts to generate network metadata that can be used to perform a large number of network management tasks. Argus is used by many universities, corporations and government entities including US DISA, DoD, DHS, FFRDCs, and GLORIAD, the NSF International network when it was operational. Argus is a Top 100 Internet Security Tool, and has been on the list for over 15 years (maybe longer).[2]
Argus is designed to be a real-time situational awareness system, and its data can be used to track, alarm and alert on wire-line network conditions at up to 400Gbps. The data is used to establish a comprehensive audit of all network traffic, as described in the Zero trust security model, which was initially described in the Red Book, US DoD NCSC-TG-005,[3] supplementing traditional Intrusion detection system (IDS) based network security.[4]
The audit trail has traditionally been used as historical network traffic measurement data for network forensics[5] and Network Behavior Anomaly Detection (NBAD).[6] Argus has been used extensively in cybersecurity, end-to-end performance analysis, software-defined networking (SDN) research.[7], and recently a very large number of AI/ML research papers. Argus is used to develop network attack datasets, such as the UNSW-NB15 Dataset.[8] Argus has also been a topic in standards for Network Security and Network Management development, as early as RMON (1995) [9] and IPFIX (2001).[10] and more recently at ENISA.
Argus is composed of an advanced comprehensive network flow data generator, the Argus monitor, which processes packets (either capture files or live packet data) and generates detailed network traffic flow status reports of all the flows in the packet stream. Argus monitors all network traffic, data plane, control plane and management plane, not just Internet Protocol (IP) traffic. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission (data networks), and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as Layer 2 addresses, tunnel identifiers (MPLS, GRE, IPsec, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP detection), host flow control indications, etc... Argus has implemented a number of packet dynamics metrics specifically designed for cyber security. Argus detects human typing behavior in any flow, but of particular interest is key-stroke detection in encrypted SSH tunnels.[11] and Argus generates the Producer Consumer Ratio (PCR) which indicates whether a network entity is a data producer and/or consumer,[12] an important property when evaluating the potential for a node to be involved in an Advanced persistent threat (APT) mediated exfiltration.
Argus is an Open Source (GPL) project, owned and managed by QoSient, LLC, and has been ported to most operating systems and many exotic hardware accelerated platforms, such as Bivio, Pluribus, Arista, and Tilera. The software should be portable to many other environments with little or no modifications. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.