Publication:

RustiFlow: Bridging the Gap Between Security Research and Practice using eBPF-based Network Flow Extraction

 
cris.virtual.orcid: 0000-0003-2618-3311
cris.virtual.orcid: 0000-0003-4824-1199
cris.virtual.orcid: 0000-0003-0575-5894
cris.virtual.orcid: 0000-0002-1781-900X
cris.virtual.orcid: 0000-0001-5086-6361
dc.contributor.author: Verkerken, Miel
dc.contributor.author: Callewaert, Matisse
dc.contributor.author: D'hooge, Laurens
dc.contributor.author: Wauters, Tim
dc.contributor.author: Volckaert, Bruno
dc.contributor.author: De Turck, Filip
dc.date.accessioned: 2026-06-10T10:26:10Z
dc.date.available: 2026-06-10T10:26:10Z
dc.date.createdwos: 2025-11-25
dc.date.issued: 2025
dc.description.abstract: Large organizations generate billions of network flows daily, creating a high-velocity data challenge for modern security monitoring and threat detection. Researchers frequently develop custom flow extraction tools tailored for AI-driven security analyses, but these solutions often lack the performance, scalability, and interoperability required for real-world use. At the same time, existing production-ready flow extractors lack flexibility and customization, limiting their application for advanced security research. To bridge this gap, we introduce RustiFlow, an open-source, eBPF-based network flow feature extractor developed in Rust. Designed for both research and operational deployments, RustiFlow delivers high throughput, real-time processing, and modular feature extraction, ensuring adaptability across diverse security applications. Our performance evaluation demonstrates that RustiFlow outperforms established extractors such as NFStream, nProbe, and CICFlowMeter, offering the fastest offline PCAP processing and zero packet loss while monitoring a multi-gigabit interface under load, all with minimal resource overhead. Real-world case studies in a university data center and a network security testbed validate RustiFlow's reliability, efficiency, and practical applicability. During a 24-hour test in a data center, RustiFlow processed over 1 billion packets and 5.8 TB of traffic with zero packet loss, while maintaining stable resource usage. In an adversarial security scenario, it operated with negligible resource consumption, demonstrating its efficiency for constrained environments. RustiFlow has the potential to become an essential tool for AI-based network security analysis, empowering future research and closing the gap between research and practice.
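The abstract describes RustiFlow as a bidirectional network flow feature extractor. The Rust program below is an added example, not RustiFlow's own code (RustiFlow's actual feature set, eBPF capture path and timeout policy are not described on this page). It shows the user-space bookkeeping every such extractor performs: parse raw Ethernet/IPv4/TCP frames, map both directions of a connection onto one canonical flow key, accumulate per-direction packet, byte and flag counts, and export the flow on FIN/RST or after an idle timeout. The feature names, the FIN/RST termination rule, the idle timeout and the frames produced by `build_frame` are assumptions for illustration; the frames are constructed test data, not captured traffic.

```rust
// Added example (not RustiFlow's own code): core bookkeeping of a bidirectional
// flow feature extractor. Feature set, timeout rule and test frames are assumptions.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, Default, PartialEq, Eq, Hash, PartialOrd, Ord)]
pub struct Endpoint { pub ip: [u8; 4], pub port: u16 }

/// Canonical bidirectional key: the smaller endpoint is stored first, so
/// A->B and B->A packets hash to the same flow record.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct FlowKey { pub a: Endpoint, pub b: Endpoint, pub proto: u8 }

/// A small feature vector; production extractors add IAT, size and window stats.
#[derive(Clone, Debug, Default)]
pub struct FlowStats {
    pub initiator: Endpoint, // endpoint that sent the first packet ("forward" side)
    pub first_ts_us: u64, pub last_ts_us: u64,
    pub fwd_pkts: u32, pub bwd_pkts: u32,
    pub fwd_bytes: u64, pub bwd_bytes: u64, // TCP payload bytes per direction
    pub syn: u32, pub fin: u32, pub rst: u32,
}
impl FlowStats { pub fn duration_us(&self) -> u64 { self.last_ts_us - self.first_ts_us } }

#[derive(Clone, Copy, Debug)]
pub struct Parsed { pub key: FlowKey, pub src: Endpoint, pub payload_len: u64, pub flags: u8 }

/// Parse Ethernet + IPv4 + TCP headers, honouring IHL and TCP data offset.
/// Returns None for non-IPv4, non-TCP or truncated frames instead of panicking.
pub fn parse_tcp_frame(frame: &[u8]) -> Option<Parsed> {
    if frame.len() < 54 || u16::from_be_bytes([frame[12], frame[13]]) != 0x0800 { return None; }
    let ip = &frame[14..];
    let ihl = ((ip[0] & 0x0f) as usize) * 4;
    let total_len = u16::from_be_bytes([ip[2], ip[3]]) as usize;
    if ip[0] >> 4 != 4 || ihl < 20 || ip[9] != 6 || total_len < ihl + 20 || ip.len() < total_len {
        return None;
    }
    let tcp = &ip[ihl..total_len];
    let data_off = ((tcp[12] >> 4) as usize) * 4;
    if data_off < 20 || tcp.len() < data_off { return None; }
    let src = Endpoint { ip: [ip[12], ip[13], ip[14], ip[15]], port: u16::from_be_bytes([tcp[0], tcp[1]]) };
    let dst = Endpoint { ip: [ip[16], ip[17], ip[18], ip[19]], port: u16::from_be_bytes([tcp[2], tcp[3]]) };
    let (a, b) = if src <= dst { (src, dst) } else { (dst, src) };
    Some(Parsed { key: FlowKey { a, b, proto: 6 }, src, payload_len: (tcp.len() - data_off) as u64, flags: tcp[13] })
}

#[derive(Default)]
pub struct FlowTable {
    active: HashMap<FlowKey, FlowStats>,
    pub finished: Vec<(FlowKey, FlowStats)>, // flows ready for feature export
}

impl FlowTable {
    /// Account one frame captured at `ts_us`; returns false if it is not IPv4/TCP.
    pub fn ingest(&mut self, frame: &[u8], ts_us: u64) -> bool {
        let p = match parse_tcp_frame(frame) { Some(p) => p, None => return false };
        let st = self.active.entry(p.key).or_insert_with(|| FlowStats {
            initiator: p.src, first_ts_us: ts_us, last_ts_us: ts_us, ..Default::default()
        });
        st.last_ts_us = ts_us;
        if p.src == st.initiator { st.fwd_pkts += 1; st.fwd_bytes += p.payload_len; }
        else { st.bwd_pkts += 1; st.bwd_bytes += p.payload_len; }
        if p.flags & 0x02 != 0 { st.syn += 1; }
        if p.flags & 0x01 != 0 { st.fin += 1; }
        if p.flags & 0x04 != 0 { st.rst += 1; }
        // FIN or RST ends the flow (CICFlowMeter-style termination rule, assumed here).
        if p.flags & 0x05 != 0 {
            if let Some(done) = self.active.remove(&p.key) { self.finished.push((p.key, done)); }
        }
        true
    }

    /// Export flows idle longer than `idle_timeout_us`; without this, connections
    /// that never send FIN keep the table growing without bound.
    pub fn expire_idle(&mut self, now_us: u64, idle_timeout_us: u64) -> usize {
        let stale: Vec<FlowKey> = self.active.iter()
            .filter(|(_, s)| now_us.saturating_sub(s.last_ts_us) > idle_timeout_us)
            .map(|(k, _)| *k).collect();
        for k in &stale {
            if let Some(s) = self.active.remove(k) { self.finished.push((*k, s)); }
        }
        stale.len()
    }

    pub fn active_len(&self) -> usize { self.active.len() }
}

/// Constructed test frame: Ethernet/IPv4/TCP without options or checksums.
pub fn build_frame(src: Endpoint, dst: Endpoint, flags: u8, payload_len: usize) -> Vec<u8> {
    let mut f = vec![0u8; 54 + payload_len];
    f[12] = 0x08; // EtherType 0x0800 = IPv4
    let ip = &mut f[14..];
    ip[0] = 0x45; // version 4, IHL 5
    ip[2..4].copy_from_slice(&((40 + payload_len) as u16).to_be_bytes());
    ip[8] = 64; ip[9] = 6; // TTL, protocol TCP
    ip[12..16].copy_from_slice(&src.ip);
    ip[16..20].copy_from_slice(&dst.ip);
    let tcp = &mut ip[20..];
    tcp[0..2].copy_from_slice(&src.port.to_be_bytes());
    tcp[2..4].copy_from_slice(&dst.port.to_be_bytes());
    tcp[12] = 0x50; // data offset 5 words
    tcp[13] = flags;
    f
}
```

Feeding a SYN, SYN-ACK, two PSH-ACK data segments (100 B client to server, 500 B back) and a FIN-ACK through `ingest` yields one finished flow with 3 forward and 2 backward packets, 100/500 payload bytes, two SYN flags and one FIN. In an eBPF design such as the one the abstract describes, the parsing and key construction would move into the kernel program and user space would only aggregate and export; the table-bounding concern in `expire_idle` applies either way, and a production extractor also needs an active timeout so that long-lived flows are flushed periodically.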
dc.description.wosFundingText: This work is supported by the Belgian Chancellery of the Prime Minister (Grant: AIDE-BOSA).
dc.identifier.doi: 10.1109/eurospw67616.2025.00030
dc.identifier.isbn: 979-8-3315-9547-0
dc.identifier.issn: 2768-0649
dc.identifier.uri: https://imec-publications.be/handle/20.500.12860/59656
dc.language.iso: eng
dc.publisher: IEEE COMPUTER SOC
dc.source.beginpage: 203
dc.source.conference: IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
dc.source.conferencedate: 2025-06-30
dc.source.conferencelocation: Venice
dc.source.endpage: 216
dc.source.journal: 2025 IEEE EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY WORKSHOPS, EUROS&PW
dc.source.numberofpages: 14
dc.title: RustiFlow: Bridging the Gap Between Security Research and Practice using eBPF-based Network Flow Extraction
dc.type: Proceedings paper
dspace.entity.type: Publication