The Argus open source sensor has integrated analytics that are designed to reveal specific indicators of behavior that can only be detected in the Argus sensor itself. These features can be used to detect very sophisticated network based attack strategies.
Argus has, within its packet dynamics engine, a machine learning based detection model that identifies potential keystrokes in encrypted network streams. Based on a 2010 collaboration between Purdue University, Stanford University and the Argus Project (QoSient), we implemented an integrated analytic designed to detect this behavior in SSH traffic, and then extended it to any TCP based communication.
Having the count of potential keystrokes is a great start to recognizing any form of remote access terminals (RATs) in any traffic.
One of the first integrated behavioral detections implemented in Argus was to monitor IP fragments, to see if there were reassembly bugs and performance problems in IP stacks. At the CERT, we researched the potential for IP fragments to present a problem to firewalls, and the result was an integrated detection feature that fires when Argus sees fragment overlap, where an IP fragment writes over the contents of a previous packet. This type of behavior is a direct indication of packet protocol manipulation, and is still today a very serious (nation state level) indication of intrusion.
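The following is an added example, not code from the Argus project, of the check described above: it keeps per-datagram reassembly state keyed on (source, destination, IP identification) and reports any fragment whose byte range covers data already received, distinguishing a byte-identical retransmission from a fragment that rewrites earlier content. The `Fragment` records are constructed here; a sensor would fill them from the IP header (the fragment offset field is stored in 8-byte units and must be multiplied before use) and the fragment payload.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: a minimal fragment-overlap detector. Records are constructed;
# a real sensor would fill them from the IP header and the fragment payload.

@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int          # IP identification field, shared by all fragments of one datagram
    offset: int         # byte offset of this payload within the original datagram
    payload: bytes

@dataclass
class OverlapAlert:
    key: Tuple[str, str, int]
    offset: int
    overlap: int        # bytes of this fragment that cover data already received
    rewritten: int      # of those, bytes whose content differs from what was seen before

class FragmentTracker:
    """Keeps per-datagram reassembly state and reports any fragment that overlaps
    data already received for the same (src, dst, ip_id)."""

    def __init__(self) -> None:
        # key -> {byte position: byte value}; a real sensor would bound this
        # by timing out datagrams that never complete
        self._seen: Dict[Tuple[str, str, int], Dict[int, int]] = {}
        self.alerts: List[OverlapAlert] = []

    def observe(self, frag: Fragment) -> Optional[OverlapAlert]:
        key = (frag.src, frag.dst, frag.ip_id)
        seen = self._seen.setdefault(key, {})
        overlap = rewritten = 0
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if pos in seen:
                overlap += 1
                if seen[pos] != byte:
                    rewritten += 1
            # Which copy an end host keeps differs between IP stacks; the detector
            # only records that an overlap happened and whether the bytes changed.
            seen[pos] = byte
        if overlap == 0:
            return None
        alert = OverlapAlert(key, frag.offset, overlap, rewritten)
        self.alerts.append(alert)
        return alert

    def complete(self, key: Tuple[str, str, int]) -> None:
        """Drop state once the datagram is reassembled or times out."""
        self._seen.pop(key, None)

def demo() -> List[OverlapAlert]:
    """Runs constructed traffic: one clean datagram, one with a rewriting overlap,
    one with an identical retransmission."""
    t = FragmentTracker()
    t.observe(Fragment("10.0.0.1", "10.0.0.2", 1, 0, b"A" * 16))
    t.observe(Fragment("10.0.0.1", "10.0.0.2", 1, 16, b"B" * 16))
    t.observe(Fragment("10.0.0.1", "10.0.0.2", 2, 0, b"C" * 16))
    t.observe(Fragment("10.0.0.1", "10.0.0.2", 2, 8, b"D" * 16))   # rewrites bytes 8-15
    t.observe(Fragment("10.0.0.1", "10.0.0.2", 3, 0, b"E" * 8))
    t.observe(Fragment("10.0.0.1", "10.0.0.2", 3, 0, b"E" * 8))    # same bytes again
    return t.alerts

if __name__ == "__main__":
    for a in demo():
        print(a)
```

The `rewritten` count is what separates a benign duplicate from the overwrite the text describes: an identical retransmission produces an overlap with zero rewritten bytes, while a fragment that changes previously received content produces a non-zero count and deserves an alert of its own.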
The Argus open source distribution has client programs that can match flow data against 3rd party intelligence data, like Emerging Threats and Firehol. Simple programs like rafilteraddr.1 can read the lists of IP addresses from these intelligence sources and test flow records against very large lists of IP addresses, either in real-time, or against stored data for a retrospective detection. While these tools are rather simple, they can be integrated into more complex processes that create very sophisticated detection schemes.
Argus has a specific 6-tuple flow model for DNS traffic, which enables Argus flow data to capture the complete DNS transaction. Collect all of the DNS transactions off the wire, and you have a great opportunity to do a number of cyber detections. As an example, with this data and programs like radns.1, you can detect whether entities in your network look up names from 3rd party intelligence lists, in either real-time or historically.
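Here is an added example, written for this page and not taken from the Argus client programs, that covers both of the matching tasks just described: testing flow records against a large IP address list (what rafilteraddr.1 does) and testing DNS query names against a name list (what radns.1 supports). The CIDR list is bucketed by prefix length so a lookup costs one set membership test per distinct prefix length regardless of list size, and name matching treats a query as a hit when it equals a listed name or sits beneath it. The flow and DNS records are constructed dictionaries with field names borrowed from ra output (`saddr`, `daddr`, `qname`); the intelligence entries use documentation address ranges and reserved names.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

class AddressList:
    """IPv4 CIDR list bucketed by prefix length: a lookup does one set test per
    distinct prefix length, so list size barely affects per-record cost."""

    def __init__(self, cidrs: Iterable[str]) -> None:
        self._nets: Dict[int, Set[int]] = {}
        for line in cidrs:
            line = line.split("#", 1)[0].strip()      # intel feeds often carry comments
            if not line:
                continue
            net = ipaddress.ip_network(line, strict=False)
            if net.version != 4:
                continue                               # IPv4 only in this example
            self._nets.setdefault(net.prefixlen, set()).add(int(net.network_address))
        self._lengths = sorted(self._nets, reverse=True)  # longest prefix first

    def match(self, addr: str) -> Optional[str]:
        ip = ipaddress.ip_address(addr)
        if ip.version != 4:
            return None
        a = int(ip)
        for plen in self._lengths:
            masked = a & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
            if masked in self._nets[plen]:
                return f"{ipaddress.IPv4Address(masked)}/{plen}"
        return None

class DomainList:
    """Name list; a query name matches if it equals a listed name or sits beneath it."""

    def __init__(self, names: Iterable[str]) -> None:
        self._names = {n.strip().lower().rstrip(".") for n in names if n.strip()}

    def match(self, qname: str) -> Optional[str]:
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._names:
                return candidate
        return None

def filter_flows(flows: Iterable[Dict], intel: AddressList) -> List[Tuple[Dict, str, str]]:
    """Return (flow, field, matched prefix) for flows whose saddr or daddr is listed."""
    hits = []
    for flow in flows:
        for field in ("saddr", "daddr"):
            m = intel.match(flow[field])
            if m:
                hits.append((flow, field, m))
                break
    return hits

def filter_dns(records: Iterable[Dict], intel: DomainList) -> List[Tuple[Dict, str]]:
    """Return (record, matched name) for DNS transactions whose query name is listed."""
    return [(r, m) for r in records if (m := intel.match(r["qname"]))]

# Constructed sample data using documentation address ranges and reserved names.
INTEL_CIDRS = ["203.0.113.0/24  # constructed feed entry", "198.51.100.7", "192.0.2.0/25"]
INTEL_NAMES = ["bad.example", "c2.invalid"]
FLOWS = [
    {"saddr": "10.1.1.5", "daddr": "203.0.113.50", "dport": 443},
    {"saddr": "10.1.1.6", "daddr": "192.0.2.200", "dport": 80},
    {"saddr": "198.51.100.7", "daddr": "10.1.1.9", "dport": 22},
]
DNS = [
    {"saddr": "10.1.1.5", "qname": "www.bad.example."},
    {"saddr": "10.1.1.6", "qname": "notbad.example"},
    {"saddr": "10.1.1.7", "qname": "c2.invalid"},
]

if __name__ == "__main__":
    for flow, field, m in filter_flows(FLOWS, AddressList(INTEL_CIDRS)):
        print(f"flow hit: {field}={flow[field]} in {m}")
    for rec, m in filter_dns(DNS, DomainList(INTEL_NAMES)):
        print(f"dns hit: {rec['saddr']} looked up {rec['qname']} ({m})")
```

The same two classes serve real-time and retrospective use alike: feed them records as they arrive from the sensor, or replay stored flow and DNS data through them when a new list is published.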
The open source project currently has prototype programs to do the basics, and the data enables development of the most sophisticated of detections.
The key to behavioral anomaly detection is to have a concise method of defining normal behavior, and a simple means of comparing behaviors over time. Argus is all about network summarization. The sensor generates summarizations of packets and their contents, and the client tools provide summarizations of flow data records through aggregation. When you use the tools to generate hourly, daily, weekly, monthly, annual or lifetime summarizations, you are beginning to walk down the path toward effective behavioral anomaly detection.
Argus has been used at a number of US Gov't and University sites to develop persistent behavioral baselines of network activity. Tracking simple metrics, such as the total number of bytes, the total ingress packets, or the number of hosts that an endpoint talks to in a day, can enable a large family of new anomaly detections.
The open source code provides the basic data and methods needed to develop any number of complex behavioral baselines, and to generate simple statistical indicators of change.
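As an added example of the "simple statistical indicator of change" this section describes (written for this page, not part of the Argus distribution), the block below takes daily per-host summaries of the kind the client tools produce through aggregation, keeps a rolling window of history per host and metric, and scores each new day as a z-score against that window before adding it. The `DaySummary` records and their values are constructed; in practice they would come from an aggregation over stored Argus data.

```python
import statistics
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Tuple

class DaySummary(NamedTuple):
    day: str
    host: str
    total_bytes: int     # all bytes the host sent and received that day
    peers: int           # distinct remote hosts it talked to

class Indicator(NamedTuple):
    day: str
    host: str
    metric: str
    value: float
    baseline_mean: float
    zscore: float

METRICS = ("total_bytes", "peers")

class Baseline:
    """Rolling per-host baseline: each new daily summary is scored against the
    previous window_days of history before being added to it."""

    def __init__(self, window_days: int = 14, min_days: int = 7, threshold: float = 3.0) -> None:
        self.min_days = min_days
        self.threshold = threshold
        self._hist: Dict[Tuple[str, str], Deque[float]] = defaultdict(lambda: deque(maxlen=window_days))

    def update(self, s: DaySummary) -> List[Indicator]:
        found = []
        for metric in METRICS:
            value = float(getattr(s, metric))
            hist = self._hist[(s.host, metric)]
            if len(hist) >= self.min_days:            # score only once history is meaningful
                mean = statistics.fmean(hist)
                sd = statistics.pstdev(hist)
                # A flat history gives sd == 0; floor it so small wobbles are not "anomalies"
                sd = max(sd, 0.05 * mean, 1.0)
                z = (value - mean) / sd
                if abs(z) >= self.threshold:
                    found.append(Indicator(s.day, s.host, metric, value, mean, z))
            # An anomalous day still enters history here; leave it out for a stricter baseline
            hist.append(value)
        return found

def run(summaries: List[DaySummary]) -> List[Indicator]:
    """Score summaries in day order and return every indicator raised."""
    b = Baseline()
    out: List[Indicator] = []
    for s in summaries:
        out.extend(b.update(s))
    return out

# Constructed daily summaries for one host: ten ordinary days, then one with a
# five-fold jump in bytes and a tripling of peer count.
SAMPLE = [DaySummary(f"2024-01-{d:02d}", "10.0.0.5", 1_000_000 + 20_000 * (d % 3), 20 + (d % 2))
          for d in range(1, 11)]
SAMPLE.append(DaySummary("2024-01-11", "10.0.0.5", 5_000_000, 60))

if __name__ == "__main__":
    for ind in run(SAMPLE):
        print(f"{ind.day} {ind.host} {ind.metric}={ind.value:.0f} "
              f"baseline={ind.baseline_mean:.0f} z={ind.zscore:.1f}")
```

Two design choices matter more than the arithmetic: a day is scored before it joins the window, so it cannot mask itself, and the standard deviation is floored so that a host with a perfectly steady history does not raise an indicator on a trivial change. The same structure extends to hourly or weekly summaries by changing what one `DaySummary` represents.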
Argus data contains a large number of the network traffic features that IDS systems use to generate security alarms and alerts. This lets Argus client programs match on addresses, protocols and ports to detect many of the same events an IDS would.
A modern IDS uses Deep Packet Inspection to look for patterns in network traffic payloads. Argus can be configured to capture selective payloads of every flow, and with a well chosen user data capture configuration, you capture enough payload data to satisfy most IDS packet content inspection requirements. We call this "shallow packet inspection".
Using these techniques, Argus can provide a full featured IDS capability, much like a Snort IDS capability, against historical Argus data. The current open source has many of these capabilities integrated into the client programs. rafilteraddr.1 can match against large numbers of IP addresses and perform regular expression matching on payload contents, and it can pipe its output into the ralabel.1 client program, which matches against large numbers of flow specifications (n-tuple matches) and labels the flows with specific indicators.
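The block below is an added example, not the rafilteraddr.1 or ralabel.1 code, of the pipeline just described as shallow packet inspection: regular expressions run over the short head of captured user data in each direction of a flow, n-tuple rules on protocol and destination port attach port labels, and a final pass flags a content hit that appears without the port it is normally seen on. Field names follow ra output (`proto`, `dport`, `suser`, `duser`); the signatures, port rules, and flow records are all constructed, and the rule syntax is not ralabel's.

```python
import re
from typing import Dict, List, Tuple

# Constructed content signatures applied to the captured user data (the first
# bytes of payload Argus keeps per flow direction when configured to capture
# it). Because only the head of the stream is available, patterns are anchored
# to what appears at the start of a connection.
SIGNATURES = [
    ("http-request", re.compile(rb"^(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n")),
    ("ssh-banner", re.compile(rb"^SSH-2\.0-")),
    ("cleartext-basic-auth", re.compile(rb"\r\nAuthorization: Basic ", re.IGNORECASE)),
]

# Constructed n-tuple rules keyed on (proto, dport), the kind of flow
# specification a labeling step would match on.
PORT_LABELS: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "ssh-port",
    ("tcp", 80): "http-port",
    ("tcp", 443): "https-port",
    ("udp", 53): "dns-port",
}

# Content label -> port label it is normally seen with; a content hit without
# the matching port label is worth a second look.
EXPECTED_PORT = {"ssh-banner": "ssh-port", "http-request": "http-port"}

def label_flow(flow: Dict) -> List[str]:
    """Return the labels that apply to one flow record (fields follow ra's
    names: proto, dport, and suser/duser for the captured user data)."""
    labels: List[str] = []
    port_label = PORT_LABELS.get((flow["proto"], flow["dport"]))
    if port_label:
        labels.append(port_label)
    for label, rx in SIGNATURES:
        if any(rx.search(flow.get(side, b"")) for side in ("suser", "duser")):
            labels.append(label)
    for content, port in EXPECTED_PORT.items():
        if content in labels and port not in labels:
            labels.append(f"mismatch:{content}")
    return labels

# Constructed flow records with a short head of user data in each direction.
FLOWS = [
    {"proto": "tcp", "dport": 22,
     "suser": b"SSH-2.0-OpenSSH_9.6\r\n", "duser": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"proto": "tcp", "dport": 443,
     "suser": b"SSH-2.0-OpenSSH_9.6\r\n", "duser": b"SSH-2.0-dropbear\r\n"},
    {"proto": "tcp", "dport": 80,
     "suser": b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
              b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n",
     "duser": b"HTTP/1.1 200 OK\r\n"},
]

def label_all(flows: List[Dict]) -> List[List[str]]:
    """Label every record in a batch of stored flows."""
    return [label_flow(f) for f in flows]

if __name__ == "__main__":
    for flow, labels in zip(FLOWS, label_all(FLOWS)):
        print(flow["proto"], flow["dport"], ",".join(labels))
```

Because the sensor keeps only the opening bytes of each direction, signatures that depend on content deep in a stream will not fire; the approach works best for protocol banners, request lines and headers, which is also where a port/protocol mismatch or a cleartext credential shows up. Running `label_all` over stored records is the retrospective use the text describes: a new signature is just another entry in `SIGNATURES`.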
When new signatures are discovered, if you have a good set of historical Argus data and a good grasp of the argus client program strategy, you can look back to see if your enterprise has seen most new attack techniques.