ARGUS + ML

Argus is used by US National Laboratories and Universities world-wide as a data source for Machine Learning enabled network anomaly detection.

ARGUS Sensor

The Argus project is all about generating the best network flow data from anywhere in the enterprise; core, enterprise edge, border edges, workgroup edge, integrated into switches, SDNs, clouds, wireless APs, and endpoints.

ARGUS Clients

Argus-clients develops the libraries, methods, tools, routines, programs and analytics that process network flow data.

ARGUS + Analytics

The rich data that Argus generates has been used to develop analytics for network security, performance and operations management.

ARGUS Detections

Argus data have a rich feature set that can enable a powerful set of Cyber Security detections. The unique approach of the Argus network data system can support a large number of real-time as well as historical retrospective detections.

Putting the N in EDR

Moving network detection into the endpoint is the next wave in network awareness.  Argus is ready.

Latest News

  • Mon Jun 24 10:34:35 EDT 2024

    Argus V 5.0 release

    We've released Argus 5.0, which is available on GitHub.  Argus 5.0 is a major release of the network sensor and the client programs, involving over 2000 commits and over 900 contributions to the core software.  Argus 5.0 is now the main branch for both the sensor and the client programs.  To revert to argus-3.x, check out one of the tags.

    The key changes are modifications to the argus data structure to handle 128-bit UUID and IPv6 addresses as ARGUS_MONITOR_IDs, performance enhancements for endpoint deployment, and a large number of bug fixes.

    Argus-clients 3.0 programs cannot read Argus 5.0 data, but the Argus 5.0 clients are backward and forward compatible in that they can all read and write 3.x data.

  • Wed Mar 19 11:42:17 EDT 2024

    Argus Endpoint Project

    We have started the Argus Endpoint project on the GitHub site.  This project is designed to promote the use of argus on enterprise endpoints, generating network visibility data that can be used in the Advanced Zero Trust Visibility and Analytics Pillars.

    The endpoint needs a network detection capability that has a very small footprint, uses minimal resources, and is zero-configuration capable.  We'll work on these concepts in this project.

  • Wed Feb 03 16:53:41 EDT 2024

    Private Passive DNS Project

    We have started the Private Passive DNS project on the GitHub site.  This project is designed to use the new control-plane full-content capture capability of argus v5.0 to develop a complete accounting of the use of DNS by enterprise endpoints, to address issues in the Advanced Zero Trust Visibility and Analytics Pillars.

    The Private Passive DNS project introduces radns.1, which extracts DNS information from argus v5.0 flow data and tracks the DNS servers, their clients, the names requested and the complete DNS responses observed.  With this data, you can detect when rogue DNS servers are in use, and what DNS data they serve.

    Get involved !!!

  • Mon Jan 29 09:13:51 EDT 2024

    Argus 5.0 Release Candidate on GitHub

    We've uploaded the next generation of argus, v 5.0.0, as a branch on GitHub.  This represents the transition of the commercial argus software to open source.

    To use it, simply check out the v5.0.0 branch:

    % git checkout v5.0.0

  • Sat Mar 26 11:52:43 EDT 2022

    Argus Reads Zeek !!!

    We've added Zeek conn log conversion to argus binary flow data in the new minor release of the argus client programs.  Zeek conversion is done using new functionality in raconvert.1, and we've introduced a new configuration file, raconvert.zeek.conf, in the support/Config directory.

    Converting Zeek conn logs to argus binary records enables the use of Zeek data in the entire Argus framework.  While Zeek isn't a network audit system, it is a great NDR system.  Processing this data with argus should be really interesting.

  • Mon Mar 14 09:33:21 EST 2022

    Moving to GitHub

    We've moved the development of argus and argus-clients to GitHub !!! Find the official open source argus distribution at openargus/argus and the client programs at openargus/clients.

  • Tue Mar 1 11:50:57 EST 2022

    Emerging from Pandemic

    COVID-19 really took a toll on Argus development, but we're back !!!  We have new software to support Machine Learning, which was developed with Sandia and Purdue University throughout 2021.  We'll be releasing the Python library we developed in Mar/April.  Please Stay Tuned !!!

  • Fri Sep 4 10:12:43 EST 2020

    New Test Version of Argus - 3.0.8.3

    We've uploaded the next release candidate for argus and its client programs, 3.0.8.3, which are available in the argus.dev directory.  Lots of bug fixes, with key client features including JSON printing and better SQL support.  This release is designed to support the ML development we're doing, so please take a look and comment on the mailing list.

  • Wed Jul 7 13:00:00 EST 2020

    CERIAS Summer Security Seminar Series: Predictive Analytics with Argus

    The CERIAS at Purdue University Summer Security Seminar Series will host a presentation by Carter Bullard on Network Predictive Analytics using Argus.  This will highlight the work we've done at DHS developing large-scale network awareness for an enterprise SOC.

  • Tue Apr 7 13:17:21 EST 2020

    Argus ENISA Introduction to Network Forensics

    The European Union Agency for Cybersecurity (ENISA) has published Introduction to Network Forensics, Final, Version 1.1, August 2019.  This is an excellent document, and it refers to the use of Argus quite a bit.  Do take a look if you haven't seen it.

Welcome to Argus

Argus is the first network flow system, developed by Carter Bullard in the early 1980s at Georgia Tech, and adapted for cyber security incident response at the first Computer Emergency Response Team (CERT) in Carnegie Mellon's Software Engineering Institute in the late 1980s.  Since then, network flow technology has become a critical part of modern networking and cyber security, and Argus has been an active part of that evolution.

Argus is network audit technology, providing a network activity audit engine for all network traffic, not just IP.  It was modeled after the Public Switched Telephone Network (PSTN) Call Detail Record (CDR), and is designed to account for all network activity in a way that can support all types of network management functions, including security management.  Audit is a fundamental NIST security control.

The Argus Project is an open source project focused on proof-of-concept demonstrations of all aspects of large-scale network awareness derived from network flow data.  Argus attempts to be the "bleeding edge" of network flow technology, processing packets really fast, either on the wire or in captures, into the richest network flow data available.  The Argus system attempts to address a large number of the issues of network flow data processing: scale, performance, applicability, privacy and utility.

Even though Argus is a proof-of-concept project, it has been used operationally in the US Govt, US DoD, DHS, DOE, large corporations and university networks worldwide.  It is widely used in network research, supporting diverse projects in network performance analysis, situational awareness, cyber security, machine learning and even Software Defined Network (SDN) chip design, just to name a few.

The Argus architecture is designed to support small and very large scale network auditing.  The real-time data provides a lot of information, which can be stored in files for processing later, or the client programs can be pieced together to provide real-time network data streams for simple network awareness, large-scale distributed visibility, even active cyber defense.

If you are interested in using argus, grab the code and dive in.  If you would like to participate in the development of Argus, sign up to the mailing lists, grab the code and start playing with what we have, so you can see where you can contribute. 

Getting Argus

The latest version of argus and its client programs, v5.0.0, and the current development version, v5.1.0, are available on the openargus GitHub site.

https://github.com/openargus

To get copies of the source code, use git.

% git clone https://github.com/openargus/argus
% git clone https://github.com/openargus/clients

We have moved all the 3.x legacy source code into the GitHub repositories, so you can check out prior versions from the same repos.

Argus packages for Linux distros are maintained by a diverse group of teams and individuals; as a result, Argus is available for RedHat, Debian, Suse, and Ubuntu using the native software management tools.  For Ubuntu, just as an example:

% sudo apt install argus-server
% sudo apt install argus-clients

Argus has been ported to over 20 operating systems over the years, and there is a chance that the source code will compile on your system, as long as you use gcc, flex and bison.


Working with Argus

Argus is an open source project released under the GPLv2 License.  We do want everyone to use Argus, so if the GPL is not to your liking, please contact us for other available licensing options.

Argus is a network audit system.  It is composed of 2 packages:

  1. A packet processing network flow sensor, argus, that generates Argus flow data.
  2. A collection of argus data processing programs, called argus-clients.

which can be coupled to build high performance data flow pipelines that can process network data in real-time, or uncoupled to support large data science analytics, such as statistical analysis and machine learning.  The records can be processed to generate simple reports, such as billing or resource utilization reports on an endpoint basis.  Argus performance metrics can be used to report on degradation of network function or verification of SLAs.  The ability to label network flow data with geospatial information enables reports to be oriented around country, state, and AS number.

Many organizations store Argus records for up to 2 years, to support forensics investigations when a break-in is suspected, to establish baselines of expected activity, AI/ML training, operations troubleshooting, network usage accounting, or to generate compliance reports (to name a few).

The Argus Project is divided into a number of efforts:

  1. Data generation
  2. Transport, collection
  3. Storage, databases
  4. Analytics
  5. Metadata enhancements (classification).

People contribute to the project through opinions, testing, bug-fixes, modifications to existing programs and library routines, contributions of whole programs, suggestions on architectural approaches, as well as coding style, and marketing, so there are lots of ways to contribute.

A key element is the argus data generated by the sensor.  Argus data can be considered a superset of all the various flow data technologies in use today: NetFlow, Jflow, Qflow, Kflow, IPFIX, and the historical flow-tools.  Its models, formats, and attributes are designed to support network operations, performance and cyber security, answering questions regarding historical, current and future network activity and use.  The data has over 175 attributes covering network identification, services, resource utilization, and packet dynamics, and can be extended with metadata and content labeling.  The rich feature set has been used in over 900 academic papers and dozens of PhD and Masters theses investigating divergent topics ranging from machine learning and analytics for cyber security to SD-WAN chip architecture and design.

The argus sensor has been ported to over 24 platforms, including all popular OSs, and embedded in a number of systems, with support for real-time OSs such as pSOS and VxWorks, as well as modern SDN switches, clouds, VMs and wireless access points.  Keeping argus current has always been a focus of the Argus Project and is a part of the project that can always use some help.

The argus-clients effort focuses on the large number of data processing tasks including, but not limited to, data distribution, collection, filtering, aggregation, binning, minimization, privacy, metadata enhancement, geolocation, net-spatial location, compression, anonymization, graphing, databases, analytics, storage, and error correction.  With so much to do, you can imagine that this is a space that can use a lot of help.

Using Argus

The best way to get started using argus is to get the argus sensor and client software (see Getting Argus above) and play around with analyzing a few packet streams, to see how it basically works.

Then, depending on your network awareness needs, you may want to use real-time argus tools such as ratop.1 to watch the behavior and performance of individual flows, or store argus data for forensic analysis in case you get broken into, or establish a data lake for AI/ML development and training.
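As an added example of the "analyze a few packet streams" step above (this script is not part of the Argus project; the capture path, output path and the installed-tool check are assumptions), the following shell function runs the sensor over a saved pcap and then reads the resulting records with the ra and racluster client programs: first the full flow table, then only DNS flows via a filter, then an aggregated view of who talked to whom. It needs the argus, ra and racluster binaries from the packages described under Getting Argus.

```shell
#!/bin/sh
# Added example, not code from the Argus project: the basic sensor-to-client
# pipeline for a packet capture. Assumes argus, ra and racluster are installed;
# the capture and output paths are supplied by the caller.

# Fields printed for each flow record: start time, duration, protocol,
# source address/port, direction, destination address/port, packet and byte
# counts, and the flow state summary.
RA_FIELDS="stime dur proto saddr sport dir daddr dport pkts bytes state"

# Report which Argus programs are missing. Returns 0 when all are present.
argus_tools_present() {
    missing=""
    for tool in argus ra racluster; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] || { echo "missing Argus programs:$missing" >&2; return 1; }
}

# argus_flow_report <capture.pcap> <output.argus>
# Generates Argus flow records from a packet capture and prints three views.
# Return codes: 0 = done, 1 = Argus programs not installed, 2 = unreadable input.
argus_flow_report() {
    pcap="$1"
    out="$2"
    [ -n "$pcap" ] && [ -r "$pcap" ] || { echo "cannot read capture: $pcap" >&2; return 2; }
    argus_tools_present || return 1

    # 1. Sensor pass: read packets from the capture (-r) and write Argus
    #    binary flow records (-w) instead of listening on a live interface.
    argus -r "$pcap" -w "$out"

    # 2. Print every flow as a table. -n disables host/service name lookups
    #    so addresses and ports stay numeric; -L0 prints the column header once.
    ra -n -L0 -r "$out" -s $RA_FIELDS

    # 3. Filter (tcpdump-style expression after a lone "-") to look only at
    #    DNS flows, the kind of records the Private Passive DNS work builds on.
    ra -n -L0 -r "$out" -s $RA_FIELDS - udp and port 53

    # 4. Aggregate flows by source, destination, protocol and destination port,
    #    a typical first step before storing records or deriving ML features.
    racluster -n -L0 -r "$out" -m saddr daddr proto dport -s $RA_FIELDS
}

# Run only when a capture path is given on the command line, e.g.
#   sh argus_flow_report.sh sample.pcap sample.argus
if [ "$#" -ge 1 ]; then
    argus_flow_report "$1" "${2:-${1%.pcap}.argus}"
fi
```

The input check runs before the tool check, so a bad capture path is reported as return code 2 whether or not Argus is installed; the aggregated view from racluster is usually the one worth keeping long term, since it is much smaller than the raw flow table while preserving the endpoint-to-endpoint picture.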