
Can AI Agents Identify What Your Security Operations Center Overlooks?

A new research project called NetMoniAI demonstrates how AI agents could transform network monitoring and security. Developed by a team at Texas Tech University, the framework integrates distributed monitoring at the edge with AI-driven analysis at the centre. Although still in the research stage, it provides Chief Information Security Officers (CISOs) with insights into the potential of agentic AI systems in enterprise environments. The project is open source, allowing the community to test and build upon its findings.

The system features a central controller architecture with a layered design for detection and correlation. Lightweight agents operate on individual machines, monitoring local network traffic for anomalies and relaying their findings. These agents utilise language models to classify events and generate human-readable summaries. The central controller aggregates reports from the agents, identifying patterns across the network. This dual-layer approach enables local agents to act independently while providing a comprehensive view of the network's status.

Early results from the project indicate promising speed and scalability. The team conducted tests on a small physical testbed, where the system successfully detected anomalies and classified traffic within approximately five seconds. Additionally, simulations involving up to 50 nodes were performed, including scenarios with denial of service and reconnaissance attacks. In these tests, local agents identified unusual traffic, and the controller correlated these observations to confirm coordinated threats. For CISOs, the key takeaway is that the design effectively managed both small-scale and larger scenarios without significant delays. The system also offered interpretability through a dashboard and chatbot, which explained its findings.

Hybrid monitoring, as proposed by NetMoniAI, could revolutionise Security Operations Centre (SOC) operations by merging the strengths of packet-level inspection and flow-based monitoring. This approach may reduce redundant alerts and highlight distributed attacks that traditional siloed monitoring often misses. Corey Nachreiner, CISO at WatchGuard, noted that many real-world attacks begin locally but can expand to affect broader enterprise networks, underscoring the potential impact of an AI-based hybrid system.
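To make the two-layer idea concrete, here is an added illustration (not NetMoniAI's own code) of the edge-agent and central-controller split: each local agent classifies per-source behaviour from the flow summaries it sees on its own host, and the controller correlates reports that name the same source and classification across distinct nodes, collapsing duplicate local alerts into one coordinated finding. The flow tuples, host names, thresholds and the two classification labels are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow summaries as a local agent might see them on its own host:
# (src_ip, dst_port, syn_count). Values are made up for this example.
NODE_FLOWS = {
    "host-a": [("10.0.0.9", 22, 3), ("10.0.0.9", 80, 2), ("10.0.0.9", 443, 1),
               ("10.0.0.9", 3389, 1), ("10.0.0.9", 8080, 1), ("10.0.0.9", 5900, 1),
               ("10.0.0.21", 443, 40)],
    "host-b": [("10.0.0.9", 22, 2), ("10.0.0.9", 25, 1), ("10.0.0.9", 80, 1),
               ("10.0.0.9", 110, 1), ("10.0.0.9", 143, 1), ("10.0.0.9", 445, 1)],
    "host-c": [("10.0.0.33", 80, 900)],
}


@dataclass(frozen=True)
class Report:
    node: str   # host whose agent produced the report
    src: str    # source address the agent flagged
    kind: str   # local classification label (hypothetical: "recon" or "dos")


def local_agent(node, flows, port_threshold=5, syn_threshold=500):
    """Edge layer: classify each source from what this one host observed."""
    ports = defaultdict(set)
    syns = defaultdict(int)
    for src, dst_port, syn_count in flows:
        ports[src].add(dst_port)
        syns[src] += syn_count
    reports = []
    for src in ports:
        if len(ports[src]) >= port_threshold:   # many distinct ports from one source
            reports.append(Report(node, src, "recon"))
        if syns[src] >= syn_threshold:          # SYN volume from one source
            reports.append(Report(node, src, "dos"))
    return reports


def central_controller(reports, min_nodes=2):
    """Central layer: merge reports naming the same (src, kind) on >= min_nodes hosts."""
    seen = defaultdict(set)
    for r in reports:
        seen[(r.src, r.kind)].add(r.node)
    return {key: sorted(nodes) for key, nodes in seen.items() if len(nodes) >= min_nodes}


def run(node_flows=NODE_FLOWS):
    """Run every local agent, then correlate; returns (local reports, coordinated findings)."""
    reports = [r for node, flows in node_flows.items() for r in local_agent(node, flows)]
    return reports, central_controller(reports)
```

Running it yields three local reports, and the controller merges the two recon reports for 10.0.0.9 into a single cross-host finding while the single-host DoS report stays visible at the edge layer only.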

Categories: AI-Driven Network Monitoring, Distributed Security Architecture, Hybrid Threat Detection 

Tags: NetMoniAI, Network Monitoring, AI Agents, Distributed Monitoring, Anomalies, Central Controller, Hybrid Monitoring, SOC Operations, Interpretability, Open Source 
