Using Argus

Getting Argus

Argus Wiki








Argus has been mentioned in a large number of publications and presentations over the years. Maintaining a complete list is non- trivial, and the list below is the result of a simple search, primarily looking at the ACM Library, so the list is short. If you do not see a book, research paper, presentation, reference that you wrote, or you liked, please send us a pointer. Also, if you find that a link on this page is stale, please send us a note to



C Sanders, J Smith, Applied Network Security Monitoring: Collection, Detection, and Analysis, Waltham, MA, Syngress, 2014.
R. Bejtlich, The Practice of Network Security Monitoring: Understanding Incident Detection and Response, San Francisco: No Starch Press, 2013.
Wireless Networking in the Developing World 3rd Edition,, 2013.
S. Davidoff, J. Ham, Network Forensics: Tracking Hackers through Cyberspace, Prentice Hall, 1st Edition, 2012.
J. Vacca, Managing Information Secuirty, Syngress Publishing, 2010.
R. Marty, Applied Security Visualization, New York:Addison-Wesley Professional, Aug 2008.
A. Lockhart, Network Security Hacks 2nd Edition, O'Reilly Media, Inc., Sestaphol, CA, USA 2007.
J Babbin, et. al., Security Log Management: Identifying Patterns in the Chaos 2nd Edition, Syngress Publishing, Inc., Rockland, MA, USA 2006.
Flickenger R.; Belcher M.; Canessa E.; Zennaro M, How to Accelerate Your Internet: A practical Guide to Bandwidth Management and Optimisation Using Open Source Software Oxford: INASP/ICTP. ISBN: 0-9778093-1-5. 2006.
V Oppleman, O Friedrichs and B Watson, Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed), McGraw-Hill Osborne Media; 1 edition July 18, 2005.
R. Bejtlich, Extrusion Detection : Security Monitoring for Internal Intrusions, New York:Addison-Wesley, November 2005.
I. Ristic, Apache Security, O'Reilly Media Inc., Sebastopol, CA, USA, 2005.
R. Bejtlich, The Tao of Network Security Monitoring: Beyond Intrusion Detection , New York:Addison-Wesley, 2004.
D. Farmer, W. Venema, Forensic Discovery, New York:Addison-Wesley, 2004.
J. Nazario, Defense and Detection Strategies against Internet Worms, Boston:Artech House, 2004.
Eoghan Casey, Digital Evidence and Computer Crime 2nd Edition, Academic Press, Inc., Orlando, FL, 2004.

Research Articles (examples)

Serguei A. Mokhov, Michael J. Assels, Joey Paquet, and Mourad Debbabi. 2014. Toward Automated MAC Spoofer Investigations. In Proceedings of the 2014 International C* Conference on Computer Science & Software Engineering (C3S2E '14). ACM, New York, NY, USA, , Article 27 , 6 pages. DOI=10.1145/2641483.2641540
S. García, M. Grill, J. Stiborek, and A. Zunino. 2014. An empirical comparison of botnet detection methods. Comput. Secur. 45 (September 2014), 100-123. DOI=10.1016/j.cose.2014.05.011
N. Hoque, Monowar H. Bhuyan, R. C. Baishya, D. K. Bhattacharyya, and J. K. Kalita. 2014. Review: Network attacks: Taxonomy, tools and systems. J. Netw. Comput. Appl. 40 (April 2014), 307-324. DOI=10.1016/j.jnca.2013.08.001
Serguei A. Mokhov, Michael J. Assels, Joey Paquet, and Mourad Debbabi. 2014. Toward Automated MAC Spoofer Investigations. In Proceedings of the 2014 International C* Conference on Computer Science & Software Engineering (C3S2E '14). ACM, New York, NY, USA, , Article 27 , 6 pages. DOI=10.1145/2641483.2641540
Mansour Alsaleh, Abdullah Alqahtani, Abdulrahman Alarifi, and AbdulMalik Al-Salman. 2013. Visualizing PHPIDS log files for better understanding of web server attacks. In Proceedings of the Tenth Workshop on Visualization for Cyber Security (VizSec '13), John Goodall, Kwan-Liu Ma, Sophie Engle, and Fabian Fischer (Eds.). ACM, New York, NY, USA, 1-8. DOI=10.1145/2517957.2517958
Amit Kumar Tyagi and Sadique Nayeem. Article: Detecting HTTP Botnet using Artificial Immune System (AIS). International Journal of Applied Information Systems 2(6):34-37, May 2012. Published by Foundation of Computer Science, New York, USA.
P. Celeda, P. Velan, M. Rabek, R. Hofstede, and A. Pras, Large-scale geolocation for NetFlow. Proceedings of IM. 2013, 1015-1020.
Nichole Boscia. 2012. Flow Analysis Tool Whitepaper.
Yeonhee Lee and Youngseok Lee. 2012. Toward scalable internet traffic measurement and analysis with Hadoop. SIGCOMM Comput. Commun. Rev. 43, 1 (January 2012), 5-13. DOI=10.1145/2427036.2427038
Rodrigo M. P. Silva and Ronaldo M. Salles. 2012. Methodology for detection and restraint of p2p applications in the network. In Proceedings of the 12th international conference on Computational Science and Its Applications - Volume Part IV (ICCSA'12), Beniamino Murgante, Osvaldo Gervasi, Sanjay Misra, Nadia Nedjah, and Ana C. Rocha (Eds.), Vol. Part IV. Springer-Verlag, Berlin, Heidelberg, 326-339. DOI=10.1007/978-3-642-31128-4_24
Michael J. Assels, Dana Echtner, Michael Spanner, Serguei A. Mokhov, François Carrière, and Manny Taveroff. 2011. Multifaceted faculty network design and management: practice and experience. In Proceedings of The Fourth International C* Conference on Computer Science and Software Engineering (C3S2E '11). ACM, New York, NY, USA, 151-155. DOI=10.1145/1992896.1992916
Saptarshi Guha, Paul Kidwell, Asgrith Barthur, William S Cleveland, John Gerth, and Carter Bullard. 2011. SSH Keystroke Packet Detection, ICS-2011—Monterey, California, Jan 9-11.
Robin Berthier, Michel Cukier, Matti Hiltunen, Dave Kormann, Gregg Vesonder, and Dan Sheleheda. 2010. Nfsight: netflow-based network awareness tool. In Proceedings of the 24th international conference on Large installation system administration (LISA'10). USENIX Association, Berkeley, CA, USA, 1-8.
Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf, Rabiah Bt Ahmad, Mazdak Zamani, Saman Shojae Chaeikar. 2010. A Proposed Framework for P2P Botnet Detection. IACSIT International Journal of Engineering and Technology, Vol.2, No.2, April 2010 ISSN: 1793-8236.
Emmanuel S. Pilli, R. C. Joshi, and Rajdeep Niyogi. 2010. Network forensic frameworks: Survey and research challenges. Digit. Investig. 7, 1-2 (October 2010), 14-27. DOI=10.1016/j.diin.2010.02.003
Christopher M. Inacio and Brian Trammell. 2010. YAF: yet another flowmeter. In Proceedings of the 24th international conference on Large installation system administration (LISA'10). USENIX Association, Berkeley, CA, USA, 1-16.
2010. Proceedings of the Seventh International Symposium on Visualization for Cyber Security. ACM, New York, NY, USA.
Lin Quan and John Heidemann. 2010. On the characteristics and reasons of long-lived internet flows. In Proceedings of the 10th Annual Conference on Internet Measurement (IMC '10). ACM, New York, NY, USA, 444-450. [doi=10.1145/1879141.1879198]
Mohammed Sqalli, Raed AlShaikh, and Ezzat Ahmed. 2010. A distributed honeynet at KFUPM: a case study. In Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection (RAID'10), Somesh Jha, Robin Sommer, and Christian Kreibich (Eds.). Springer-Verlag, Berlin, Heidelberg, 486-487.
Pavel Minarik, Jan Vykopal, and Vojtech Krmicek. 2009. Improving Host Profiling with Bidirectional Flows. In Proceedings of the 2009 International Conference on Computational Science and Engineering - Volume 03 (CSE '09), Vol. 3. IEEE Computer Society, Washington, DC, USA, 231-237. [doi=10.1109/CSE.2009.23]
Cristian Morariu, Peter Racz, and Burkhard Stiller. 2009. Design and Implementation of a Distributed Platform for Sharing IP Flow Records. In Proceedings of the 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management: Integrated Management of Systems, Services, Processes and People in IT (DSOM '09), Claudio Bartolini and Luciano Paschoal Gaspary (Eds.). Springer-Verlag, Berlin, Heidelberg, 1-14. [doi=10.1007/978-3-642-04989-7_1]
H. Okamura, T. Dohi, K. S. Trivedi, Markovian Arrival Process Parameter Estimation With Group Data, IEEE/ACM Transactions on Networking (TON) Vol 17, Issue 4, p.1326-1339, August , 2009, Piscataway, NJ, USA [doi>10.1109/TNET.2008.2008750]
T. Yen, X. Huang, F. Monrose, M. Reiter, Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications, Detection of Intrusions and Malware, and Vulnerability Assessment 6th International Conference, DIMVA 2009, Como, Italy, July 9-10, 2009. Proceedings [doi>10.1007/978-3-642-02918-9]
S. Lin, Z. Gao, K. Xu, Web 2.0 traffic measurement: analysis on online map applications, Proceedings of the 18th international workshop on Network and operating systems support for digital audio and video, p.7-12, June 03 - 05, 2009, Williamsburg, VA, USA [doi>10.1145/1542245.1542248]
S. Tricaud, P. Saadé, Applied Parallel Coordinates for Logs and Network Traffic Attack Analysis, European Institute for Computer Anti-Virus Research (EICAR) 18th Annual Conference, May 11 - 12, 2009, Berlin, Germany [pdf]
G. Louthan, B. Deetz, M. Walker, J. Hale, Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, Session: Track 8, Article No. 67, Apr 13 - 15, 2009, Oak Ridge, Tennessee, USA [doi>10.1145/1558607.1558684]
G. Vandenberghe, Network Traffic Exploration Application: A Tool to Assess, Visualize, and Analyze Network Security Events, Proceedings of the 5th International Workshop on Visualization for Computer Security, VizSec 2008, p. 181-196, September 15, 2008, Cambridge, MA, USA [doi>10.1007/978-3-540-85933-8_18]
Rodrigo Werlinger , Kirstie Hawkey , Kasia Muldner , Pooya Jaferian , Konstantin Beznosov, The challenges of using an intrusion detection system: is it worth the effort?, Proceedings of the 4th symposium on Usable privacy and security, July 23-25, 2008, Pittsburgh, Pennsylvania [doi>10.1145/1408664.1408679]
Guofei Gu , Roberto Perdisci , Junjie Zhang , Wenke Lee, BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection, Proceedings of the 17th conference on Security symposium, p.139-154, July 28-August 01, 2008, San Jose, CA
T-F Yen and M. K. Reiter, Traffic aggregation for malware detection, In Detection of Intrusions and Malware, and Vulnerability Assessment, 5th International Conference, DIMVA 2008 (Lecture Notes in Computer Science 5137), pages 207-227, July 10-11 2008, Paris, France [doi:10.1007/978-3-540-70542-0_11]
Mansour Alsaleh, David Barrera, and P. C. van Oorschot. 2008. Improving Security Visualization with Exposure Map Filtering. In Proceedings of the 2008 Annual Computer Security Applications Conference (ACSAC '08). IEEE Computer Society, Washington, DC, USA, 205-214. DOI=10.1109/ACSAC.2008.16
G. Nychis, V. Sekar, D Andersen, H Kim, H Zhang, An empirical evaluation of entropy-based traffic anomaly detection, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, p 151-156, October 20-22, 2008, Vouliagmeni, Greece
Kiran Lakkaraju , Adam Slagell, Evaluating the utility of anonymized network traces for intrusion detection, Proceedings of the 4th international conference on Security and privacy in communication networks, September 22-25, 2008, Istanbul, Turkey [doi>10.1145/1460877.1460899]
L. Merkle, Automated Network Forensics, Proceedings of the 2008 GECCO Conference Companion on Genetic and Evolutionary Computation, p.1929-1932, 2008, Atlanta, GA, USA.
M. Ekmanis, V Novikovs, A Rusko, Unauthorized Network Services Detection by Flow Analysis, Electronics and Electrical Engineering. – Kaunas: Technologija, No. 5(85), p.49-56, 2008.
J. Naous, D. Ericson, A. Covington, G Appenzeller, N. McKeown, Implementing an OpenFlow switch on the NetFPGA platform, Symposium On Architecture For Networking And Communications Systems, p.1-9, 2008, San Jose, CA
Doantam Phan, John Gerth, Marcia Lee, Andreas Paepcke, and Terry Winograd, Visual Analysis of Network Flow Data with Timelines and Event Plots, VizSEC 2007: Proceedings of the Workshop on Visualization for Computer Security, 2007 [doi>10.1007/978-3-540-78243-8_6]
Christoforos Kachris, Chidamber Kulkarni, Configurable Transactional Memory, Field-Programmable Custom Computing Machines, 2007. FCCM 2007. 15th Annual IEEE Symposium on, Page(s):65 - 72, April 2007 Napa, Ca, USA. [doi>10.1109/FCCM.2007.41]
David Botta , Rodrigo Werlinger , André Gagné , Konstantin Beznosov , Lee Iverson , Sidney Fels , Brian Fisher, Towards understanding IT security professionals and their tools, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania [doi>10.1145/1280680.1280693]
H. Okamura, Y. Kamahara, T. Dohi, Estimating Markov-modulated compound Poisson processes, Proceedings of the 2nd international conference on Performance evaluation methodologies and tools, Article 28, October 22-27, 2007, Nantes, France.
M. Masuya, t Yamanoue, S. Kubota, An experience of monitoring university network security using a commercial service and DIY monitoring, Proceedings of the 34th annual ACM SIGUCCS conference on User services, p.225-230, November 5-8, 2006, Edmonton, Alberta, Canada [doi>10.1145/1181216.1181267]
A. Ferro, I Delgado, A Munoz, F Liberal, An analytical model for loss estimation in network traffic analysis systems, Journal of Computer and System Sciences, Vol. 72, Issue 7, November 2006 [doi>10.1016/j.jcss.2005.12.004]
L. Xiao, J. Gerth, P. Hanrahan, Enhancing Visual Analysis of Network Traffic Using a Knowledge Representation, Visual Analytics Science And Technology, 2006 IEEE Symposium On, p 107-114, Oct 31 - Nov 2, 2006, Baltimore, MD, USA [doi>10.1109/VAST.2006.261436]
Javier Verdú , Jorge Garcí , Mario Nemirovsky , Mateo Valero, Architectural impact of stateful networking applications, Proceedings of the 2005 ACM symposium on Architecture for networking and communications systems, October 26-28, 2005, Princeton, NJ, USA [doi>10.1145/1095890.1095893]
William Yurcik, Visualizing NetFlows for security at line speed: the SIFT tool suite, Proceedings of the 19th conference on Large Installation System Administration Conference, p.16-16, December 04-09, 2005, San Diego, CA
Kiran Lakkaraju , William Yurcik , Adam J. Lee, NVisionIP: netflow visualizations of system state for security situational awareness, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA [doi>10.1145/1029208.1029219]
Dogu Arifler , Gustavo de Veciana , Brian L. Evans, A factor analytic approach to inferring congestion sharing based on flow level measurements, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.67-79, February 2007 [doi>10.1109/TNET.2006.890103]
Thorsten Voss, Klaus-Peter Kossakowski, "Detecting New Patterns of Attacks - Results and Applications of Large Scale Sensoring Networks.," IT-Incidents Management & IT-Forensics - IMF 2006, Conference Proceedings, October, 18th-19th, 2006, Stuttgart.
Sun-Myung Hwang, "P2P Protocol Analysis and Blocking Algorithm", Computational Science and Its Applications – ICCSA 2005 Lecture Notes in Computer Science Volume 3481, 2005, pp 21-30
Javier Verdu, Mario Nemirovsky, Jorge Garcia, and Mateo Valero, "Workload Characterization of Stateful Networking Applications", In Procs. of the 6th International Symposium on High Performance Computing (ISHPC-VI), Higashikasugano, Nara City, Japan, September 2005.
Nick Duffield, "Sampling for Passive Internet Measurement: A Review", Statistical Science, vol. 19, no. 3 472-498, 2004, doi:10.1214/088342304000000206.
Kevin Chen, Jennifer Tu, Alex Vandiver, "Analyzing Network Traffic from a Class B Darknet",, Dec 2004.
Frederic Raynal, Yann Berthier, Philippe Biondi, Danielle Kaminsky, "Honeypot Forensics Part I: Analyzing the Network," IEEE Security and Privacy, vol. 2, no. 4, pp. 72-78, July 2004, doi:10.1109/MSP.2004.47
Nick Duffield, Carsten Lund, and Mikkel Thorup. 2002. Properties and prediction of flow statistics from sampled packet streams. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment (IMW '02). ACM, New York, NY, USA, 159-171. DOI=10.1145/637201.637225
Nick Duffield , Carsten Lund , Mikkel Thorup, Charging from sampled network usage, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA [doi>10.1145/505202.505232]
Steve Romig. 2000. The OSU Flow-tools Package and CISCO NetFlow Logs. In Proceedings of the 14th USENIX conference on System administration (LISA '00). USENIX Association, Berkeley, CA, USA, 291-304.
Marcus J. Ranum, Kent Landfield, Mike Stolarchuk, Mark Sienkiewicz, Andrew Lambeth, and Eric Wall. 1997. Implementing a Generalized Tool for Network Monitoring: ("Best Paper" Award!). In Proceedings of the 11th USENIX conference on System administration (LISA '97). USENIX Association, Berkeley, CA, USA, 1-8.

Dissertations and Theses

Intensional Cyberforensics, Thesis, Serguei A. Mokhov, Mar 2014.
A comparative study of in-band and out-of-band VoIP protocols in layer 3 and layer 2.5 environments, Thesis, George Pallis, Jan 2011.
Visualization of Network Traffic to Detect Malicious Network Activity, Thesis, Zhihua Jin, June 2008.
Supporting the Visualization and Forensic Analysis of Network Events, Disseration, Doantham Phan, December 2007.
Keeping Track of Network Flows: An Inexpensive and Fexible Solution, Thesis, Alexander Fedyukin, November 2005.
Using Netflows for slow portscan detection, Thesis, Bjarte Malmedal, 2005.

Web Articles - Blogs

Know Your Tools: use Picviz to find attacks Sebastien Tricaud, Victor Amaducci, The Honeynet Project, Nov 2009
WHEN {PUFFY} MEETS ^REDDEVIL^ (C.S. Lee's Security Blog)
After an Exploit: mitigation and remediation
Security Incident Management Essentials (
Michael Cloppert: Computer Forensic Hero SANS Computer Forensics, Mar 2009
Detecting Botnets Grzegorz Landecki, Linux Journal, Jan 2009
Mass-Mailing Worms: Prevention, Detection and Response Richard Gadsden, SANS Institute, 2009
Nmap facts with parallel coordinates Sebastien Tricaud, Dec 2008
iX Magazine Security Special with DAVIX (December 2008)
Building SElinux policy for Argus Jan-Frode Myklebust, Oct 2008.
Expanding Response: Deeper Analysis for Incident Handlers Russ McRee, SANS Institute, Oct 2008 Network Security (April 2008)
argus - Auditing Network Activity - Performance & Status Monitoring (Jan 2008)
Flowtime - Create a Timeline for Packet Flow (Jan 2008)
Argus - Auditing network activity Russ McRee, ISSA Journal, Nov 2007
Practical Botnet Detection (April 2007)
Keeping an eye on the network with Argus Ralf Spenneberg, Linux Magazine, Feb 2007
Network Security Monitoring: Beyound Intrusion Detection (2006)
Network Defense Applications using IP Sinkholes (2006)
Argus 3.0 on FreeBSD (Aug 2006)
Survey of Network Performance Monitoring Tools (2006)
Network Flow Analysis (2006)
Using archived argus flow records to secure and troublehshoot your network (July 2005)
Defending Networks with Intrustion Detection Systems (June 2004).


Argus Metadata Tutorial FloCon 2014 (2014)
Argus Past Present and Future Flocon (2014)
Argus PCR Presentation FloCon (2014)
GLORIAD Argus Presenation FloCon (2014)
Argus Multi-Source Correlation FloCon (2013)
Argus Tutorial FloCon 2012 (2012)
Argus Packet Dynamics Implementation 2012 (2012)
Argus Tutorial FloCon 2011 (2011)
Argus Milcom Presentation (2010)
Argus ICCS Presentation (2010)
Network Flow Data Fusion - GeoSpatial and NetSpatial Data Enhancement (2010)
Using Argus to Analyze Network Flows (2009)
Using Argus and Postgres to Analyze Network Flows for Security(2009)
Flow Based Control Plane Situational Awareness (2009)
Network Monitoring with Argus, NetFlow, and Other Tools (2009)
Network Forensics (2007 APRICOT '07)
NAF: The NetSA Aggregated Flow Tool Suite (2006 LISA '06)
Network Flows and Security (Black Hat Briefings 2005)
Distributed QoS Monitoring - High Performance Network Assurance (FloCon 2005)
A Network of IDS-Sensors for Attack-Statistics (2004 PRESECURE Consulting GmbH)
More Netflow Tools: For Performance and Security (2004 LISA XVIII)
Using Argus Audit Trails to Enhance IDS Analysis (2003)
Implementing Network Security Monitoring with Open Source Tools (2003)
Argus Presentation to IPFIX WG (2001)
Reference to IETF RMON Argus-1.3 Presentation (1994)