NetMoniAI: An Agentic AI Framework for Network Security & Monitoring

📝 Paper Summary

Agentic AI Network Security Distributed Systems

NetMoniAI integrates autonomous node-level micro-agents for local packet analysis with a central LLM-powered controller for system-wide threat correlation and strategic response.

Core Problem

Traditional network monitoring struggles to balance detailed packet-level visibility with scalability; centralized systems are slow to adapt, while flow-based methods miss fine-grained threats.

Why it matters:

Packet-level analysis is accurate but computationally infeasible at scale, while flow-based monitoring is scalable but lacks precision.
Static rule engines and centralized log analysis generate high false positives and require frequent manual updates, failing against distributed or novel attacks.
Current ML approaches often rely on heavy synchronization or lack the autonomy to make decisions at the edge.

Concrete Example: In a distributed DDoS attack, individual nodes might see slightly elevated traffic that doesn't trigger local thresholds. Without coordination, the attack goes unnoticed until the network collapses. NetMoniAI's central controller correlates these minor local anomalies to identify the broader coordinated pattern.

Key Novelty

Hybrid Agentic Framework for Network Security

Deploys lightweight micro-agents on edge nodes that autonomously switch from monitoring metrics to capturing/analyzing packets using local models or LLMs.
Uses a Central Controller that doesn't micromanage but aggregates semantic reports from agents to detect cross-node patterns (like distributed scanning) and suggest global policies.

Architecture

The NetMoniAI architecture including the Node-Level Agent structure and the Central Controller loop.

Evaluation Highlights

Achieved detection latencies under 5 seconds for local anomalies in a degraded network environment (1Mbps, 600ms delay).
Successfully identified coordinated multi-source TCP flood attacks in an 8-node NS-3 simulation by correlating distributed agent reports.
Demonstrated robust operation under 'Very Bad Network' conditions (600ms latency), maintaining real-time dashboard updates and threat classification.

Breakthrough Assessment

7/10

Solid application of agentic AI to network security, effectively balancing edge autonomy with central reasoning. Strong practical validation, though the novelty lies more in the architectural integration than new fundamental AI algorithms.

⚙️ Technical Details

Problem Definition

Setting: Real-time distributed network monitoring and anomaly detection across edge nodes

Inputs: Raw network packets, system performance metrics (latency, jitter), and inter-agent semantic reports

Outputs: Structured threat alerts (JSON), natural language summaries, and mitigation policy recommendations

Pipeline Flow

Service Layer (Data Acquisition)
Agent Layer (Local Decision Making)
Model Layer (Semantic Inference)
Central Controller (Global Correlation)

System Modules

Packet Capture Module (Service Layer)

Captures raw traffic using tshark when performance thresholds are breached

Model or implementation: tshark

Feature Extraction Module (Service Layer)

Parses raw packets into structured CSV format

Model or implementation: scapy

Security Analysis Module

Performs semantic inference to detect threats in packet data

Model or implementation: GPT-O3 or local BERT

Central Controller

Aggregates node reports, correlates cross-node events, and manages system-wide state

Model or implementation: FastAPI service with Pandas aggregation and LLM reasoning

Novel Architectural Elements

Two-tier agentic design: Autonomous edge agents for immediate local action coupled with a central 'advisory' controller that correlates but doesn't micromanage.
Hybrid monitoring trigger: Agents continuously monitor lightweight metrics (latency/jitter) and only trigger heavy packet capture/LLM analysis upon threshold breaches.

Modeling

Base Model: GPT-O3 (via API) or BERT (local execution)

Training Method: Inference-only pipeline using pre-trained models (LLMs/BERT)

Compute: Edge nodes run lightweight Python services; Central Controller requires sufficient throughput for aggregation. Tested on Ubuntu 22.04 with 1Mbps bandwidth constraints.

Comparison to Prior Work

vs. Quantized Autoencoders: NetMoniAI adds semantic reasoning and natural language explanations via LLMs, rather than just numerical anomaly scores.
vs. Graph Neural Networks: NetMoniAI combines packet-level detail with flow-level correlation, whereas GNNs typically rely solely on flow summaries.
vs. Standard Federated Learning: NetMoniAI agents are autonomous decision-makers that can act independently, not just model update contributors.
+ 1 more
vs. Traditional SIEM [not cited in paper]: NetMoniAI uses active agentic probing and LLM reasoning rather than static rule-based log correlation.

Limitations

Reliance on external LLM APIs (GPT-O3) introduces latency and privacy concerns for sensitive packet data.
The degraded network test was limited to a specific profile (1Mbps, 600ms delay), which may not cover all edge scenarios.
Scalability testing was performed in simulation (NS-3) with 50 nodes, not on a physical large-scale cluster.

Reproducibility

Code: https://github.com/pzambare3/NetMoniAI

Code is publicly available at https://github.com/pzambare3/NetMoniAI. The paper specifies versions for core libraries (Python 3.10, FastAPI 0.95, Scapy 2.5.0, etc.). It uses proprietary models (GPT-O3, Gemini Pro) which may affect exact reproducibility of reasoning outputs.

📊 Experiments & Results

Evaluation Setup

Hybrid evaluation using a physical Linux micro-testbed for responsiveness and NS-3 simulation for scalability.

Benchmarks:

Local Micro-Testbed (Real-time degradation and anomaly detection) [New]
NS-3 Simulation (Multi-node distributed attack detection (DDoS, Port Scanning)) [New]

Metrics:

Detection Latency
Responsiveness under network degradation
Accuracy of threat classification
Statistical methodology: Not explicitly reported in the paper

Key Results

Benchmark	Metric	Baseline	This Paper	Δ
Performance on Local Micro-Testbed under degraded network conditions (1Mbps bandwidth, 600ms delay).
Local Micro-Testbed	Latency	Not reported in the paper	5 seconds	-
Performance in NS-3 Simulation (8-node topology, TCP flood attack).
NS-3 Simulation	Identification Accuracy	Not reported in the paper	Accurate identification	-

Experiment Figures

Dashboard views during the local testbed experiment showing latency anomalies and LLM summaries.

NS-3 simulation results visualizing traffic flows during a DDoS attack.

Main Takeaways

The system maintains responsiveness (<5s detection) even under severe network constraints (600ms delay), validating the edge-heavy processing model.
The central controller successfully correlates distributed events (e.g., distinguishing attacker vs. victim nodes) without needing raw packet data from every node.
LLM integration allows for human-readable summaries and policy recommendations, bridging the gap between raw packet analysis and operator decision-making.

📚 Prerequisite Knowledge

Prerequisites

Network protocols (TCP/UDP, packet structures)
Basic understanding of Large Language Models (LLMs) and prompting
Distributed system architectures

Key Terms

tshark: A terminal-based network protocol analyzer (part of Wireshark) used to capture and display packet data

scapy: A Python program that enables the user to send, sniff, dissect, and forge network packets

NS-3: A discrete-event network simulator for Internet systems, used primarily for research and educational use

FastAPI: A modern, fast (high-performance) web framework for building APIs with Python

Pydantic: Data validation and settings management using Python type annotations

promiscuous mode: A network card mode that allows a controller to intercept and read all network traffic that arrives at the controller, not just traffic addressed to it

LLM: Large Language Model—a type of AI model trained on vast amounts of text to understand and generate human language