
Can AI agents identify threats that your Security Operations Center overlooks?

A new research project called NetMoniAI demonstrates how AI agents could transform network monitoring and security. Developed by a team at Texas Tech University, the framework integrates distributed monitoring at the edge with AI-driven analysis at the centre. Although still in the research stage, it provides Chief Information Security Officers (CISOs) with insights into the potential of agentic AI systems in enterprise environments. The project is open source, allowing the community to test and build upon its findings.

The system features a central controller architecture with a layered design for detection and correlation. Lightweight agents operate on individual machines, monitoring local network traffic for anomalies and relaying their findings. These agents utilise language models to classify events and generate human-readable summaries. The central controller aggregates reports from the agents, identifying patterns across the network. This design enables local agents to act independently while providing a comprehensive view of the network’s status.

Early results from the project indicate promising speed and scalability. The team conducted tests on a small physical testbed, where the system successfully detected anomalies and classified traffic within approximately five seconds. Additionally, simulations involving up to 50 nodes were performed, including scenarios with denial of service and reconnaissance attacks. In these tests, local agents identified unusual traffic, and the controller correlated these observations to confirm coordinated threats. For CISOs, the key takeaway is that the design effectively managed both small-scale and larger scenarios without significant delays. It also provided interpretability through a dashboard and chatbot, which explained the system’s observations.

Hybrid monitoring, as proposed by NetMoniAI, could revolutionise Security Operations Centre (SOC) operations by merging the strengths of packet-level inspection and flow-based monitoring. This approach could reduce redundant alerts and highlight distributed attacks that traditional siloed monitoring often misses. Corey Nachreiner, CISO at WatchGuard, noted that many real-world attacks begin locally, affecting a single server or workstation, before expanding to broader enterprise networks. An AI-based hybrid system could significantly enhance detection and response capabilities in such scenarios.
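To make the controller-side correlation step concrete, here is an added illustration (not NetMoniAI's own code) of how a central controller can confirm a coordinated threat from per-node agent reports: the report format, the `correlate` function, the time window and the sample addresses are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class AgentReport:
    """One anomaly report relayed by an edge agent (hypothetical format)."""
    node: str      # host running the agent
    ts: float      # seconds since epoch when the agent flagged the event
    src: str       # source address the agent associated with the event
    label: str     # agent's local classification: "recon", "dos" or "benign"
    summary: str   # the agent's human-readable explanation

def correlate(reports, window=30.0, min_nodes=2):
    """Confirm a coordinated threat when >= min_nodes distinct nodes report the
    same (label, src) within `window` seconds of each other. Single-node
    reports stay local anomalies and are not returned."""
    by_key = defaultdict(list)
    for r in reports:
        if r.label != "benign":
            by_key[(r.label, r.src)].append(r)
    confirmed = []
    for (label, src), rs in by_key.items():
        rs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(rs)):
            # advance the window start until every report in it is within `window`
            while rs[end].ts - rs[start].ts > window:
                start += 1
            nodes = {r.node for r in rs[start:end + 1]}
            if len(nodes) >= min_nodes:
                confirmed.append({"label": label, "src": src,
                                  "nodes": sorted(nodes),
                                  "first_seen": rs[start].ts,
                                  "last_seen": rs[end].ts})
                break   # one finding per (label, src) is enough
    return confirmed

# Constructed sample reports; addresses are from the documentation ranges
SAMPLE = [
    AgentReport("web01", 100.0, "198.51.100.7", "recon", "SYN probes to 40 ports"),
    AgentReport("db01", 112.0, "198.51.100.7", "recon", "SYN probes to 25 ports"),
    AgentReport("web02", 121.0, "198.51.100.7", "recon", "SYN probes to 38 ports"),
    AgentReport("web01", 500.0, "203.0.113.9", "dos", "12k SYN/s from one source"),
    AgentReport("db01", 505.0, "10.0.0.5", "benign", "scheduled backup transfer"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"{f['label']} from {f['src']} confirmed on {f['nodes']}")
```

The reconnaissance reports are confirmed because three agents saw the same source within the window, while the single-node denial of service report is left to the local agent, which is the distinction between siloed and correlated monitoring the article describes.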
