Role Classification of Hosts within Enterprise Networks Based on Connection Patterns
Godfrey Tan, Massimiliano Poletto, John Guttag, Frans Kaashoek

TL;DR
This paper presents practical algorithms for classifying hosts into roles within enterprise networks based on connection patterns, aiding network management and security analysis.
Contribution
It introduces two algorithms that group hosts by connection behavior while handling changes in that behavior over time, and demonstrates their application in real enterprise networks.
Findings
Number of host groups can be two orders of magnitude smaller than total hosts.
Grouped hosts reflect the logical network structure accurately.
Algorithms are implemented in a commercial network monitoring product.
Abstract
Role classification involves grouping hosts into related roles. It exposes the logical structure of a network, simplifies network management tasks such as policy checking and network segmentation, and can be used to improve the accuracy of network monitoring and analysis algorithms such as intrusion detection. This paper defines the role classification problem and introduces two practical algorithms that group hosts based on observed connection patterns while dealing with changes in these patterns over time. The algorithms have been implemented in a commercial network monitoring and analysis product for enterprise networks. Results from grouping two enterprise networks show that the number of groups identified by our algorithms can be two orders of magnitude smaller than the number of hosts and that the way our algorithms group hosts highly reflects the logical structure of the networks.
Taxonomy
Topics: Network Traffic and Congestion Control · Network Security and Intrusion Detection · Network Packet Processing and Optimization
