Argus



Chris Geib
Robert Goldman
Steve Harp
Walt Heimerdinger
Vic Thomas


Honeywell Technology Center, Minneapolis

Argus
An Architecture for Cooperating Intrusion Detection and Mitigation Applications

This is the webpage for the Argus project. Argus is an architecture to detect and manage computer network intrusions. Argus is being developed under the DARPA Strategic Intrusion Assessment program (SIA) (DARPA BAA99-10). The significant features of this system include:

  • A "blackboard" architecture that acts as a repository of data shared by different applications, and a router of information among applications. A blackboard offers a means for disparate applications to work together without having to know much about each other.
  • An intrusion reference model (IRM) that describes the structure of the system being protected, security rules and alert levels in force for the system, operational behaviors of the system, types of intrusions to be protected against, etc.
  • An evidence aggregator for combining the evidence provided by multiple detectors. This component is based on qualitative probability theory which allows for maximum flexibility in dynamic domains while still producing globally reasonable conclusions about the possibility of intrusion.
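The blackboard and evidence-aggregator roles described above can be illustrated with a small simulation. The following is an added example written for this page, not code from the Argus project: two hypothetical detectors (a port-scan counter over flow records and a failed-login counter over an authentication log) post evidence to a shared blackboard without referencing each other, and an aggregator subscribed to the "evidence" topic assigns a per-host alert level. The aggregation rule used here (counting how many independent detectors implicate a host) is a deliberately simple stand-in and is not the qualitative probability calculus that Argus uses; the sample flows and log entries are constructed.

```python
from collections import defaultdict

# Constructed sample inputs (not from the Argus project or its test network).
FLOWS = [  # (src, dst, dst_port)
    ("10.0.0.5", "10.0.0.20", 22), ("10.0.0.5", "10.0.0.20", 23),
    ("10.0.0.5", "10.0.0.20", 25), ("10.0.0.5", "10.0.0.20", 80),
    ("10.0.0.5", "10.0.0.20", 443),
    ("10.0.0.7", "10.0.0.20", 80),
]
AUTH_LOG = [  # (src, outcome)
    ("10.0.0.5", "fail"), ("10.0.0.5", "fail"), ("10.0.0.5", "fail"), ("10.0.0.5", "fail"),
    ("10.0.0.9", "fail"), ("10.0.0.9", "fail"), ("10.0.0.9", "fail"), ("10.0.0.9", "fail"),
    ("10.0.0.7", "ok"),
]


class Blackboard:
    """Shared repository plus router: facts are stored per topic and every
    subscriber of that topic is notified when a fact is posted."""

    def __init__(self):
        self.facts = defaultdict(list)
        self.subscribers = defaultdict(list)

    def subscribe(self, topic, callback):
        self.subscribers[topic].append(callback)

    def post(self, topic, fact):
        self.facts[topic].append(fact)
        for callback in self.subscribers[topic]:
            callback(fact)


def port_scan_detector(bb, flows, threshold=4):
    """Hypothetical detector: a source touching >= threshold distinct ports on
    one destination is reported as evidence of scanning."""
    ports = defaultdict(set)
    for src, dst, port in flows:
        ports[(src, dst)].add(port)
    for (src, dst), seen in ports.items():
        if len(seen) >= threshold:
            bb.post("evidence", {"detector": "portscan", "host": src,
                                 "detail": f"{len(seen)} ports on {dst}"})


def brute_force_detector(bb, auth_log, threshold=3):
    """Hypothetical detector: >= threshold failed logins from one source."""
    fails = defaultdict(int)
    for src, outcome in auth_log:
        if outcome == "fail":
            fails[src] += 1
    for src, n in fails.items():
        if n >= threshold:
            bb.post("evidence", {"detector": "bruteforce", "host": src,
                                 "detail": f"{n} failed logins"})


class Aggregator:
    """Combines evidence from all detectors via the blackboard. The level
    assignment here is an assumed simplification: the more independent
    detectors implicate a host, the higher its level."""

    LEVELS = {0: "none", 1: "suspicious", 2: "likely-intrusion"}

    def __init__(self, bb):
        self.detectors_by_host = defaultdict(set)
        bb.subscribe("evidence", self.on_evidence)

    def on_evidence(self, fact):
        self.detectors_by_host[fact["host"]].add(fact["detector"])

    def alert_level(self, host):
        n = len(self.detectors_by_host.get(host, set()))
        return self.LEVELS[min(n, 2)]

    def report(self):
        return {host: self.alert_level(host) for host in self.detectors_by_host}


def run_demo(flows=FLOWS, auth_log=AUTH_LOG):
    """Wire detectors and aggregator together through the blackboard only."""
    bb = Blackboard()
    aggregator = Aggregator(bb)
    port_scan_detector(bb, flows)
    brute_force_detector(bb, auth_log)
    return aggregator.report()


if __name__ == "__main__":
    for host, level in run_demo().items():
        print(f"{host}: {level}")
```

Neither detector imports or calls the other; each only needs the blackboard's `post` interface, and the aggregator only needs `subscribe`, which is the decoupling the blackboard provides. Adding a third detector means posting to the same topic, with no change to the aggregator.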
  • Status Reports
    • DARPA "Quad Chart"
      (PowerPoint | HTML)
    • 1999 Kickoff Slides
      (PowerPoint | HTML)
      Selected slides from the July 1999 DARPA Strategic Intrusion Assessment kickoff meeting.
    • December 1999 Status Slides
      (PowerPoint | HTML)
      Selected slides from the December 1999 DARPA Strategic Intrusion Assessment Principal Investigator Meeting.
    • 2000 Status Slides
      (PowerPoint | HTML)
      Selected slides from the July 2000 DARPA Information Assurance Joint Principal Investigator Meeting.
  • Products
    • Documentation of the Network Entity Relationship Database (NERD)
      (Word | HTML)
      The Network Entity Relationship Database (NERD) is intended to provide a common model of a network and the hosts it contains, suitable for configuration and interoperability of intrusion detection systems and related security software. The NERD is part of a larger Intrusion Reference Model (IRM), which contains additional information about security goals and attack plans. This document is a preliminary (and incomplete) draft of the schema, intended for comment.
    • Browsable IRM/NERD Schema
      (HTML)
      An intrusion reference model schema (containing the network entity schema) sufficient to represent the Lincoln Labs test network.


Copyright (c) August 2000, Honeywell International, Inc.