This work addresses the challenge of dynamically evolving host connectivity patterns in enterprise networks by proposing two efficient clustering algorithms that group hosts into roles based on their connection behaviors. Accurate host role classification facilitates the revelation of logical network structure and simplifies policy management and network segmentation. The proposed approach significantly reduces the number of groups—by two orders of magnitude compared to the total number of hosts—while faithfully preserving the underlying logical topology of real-world networks. The algorithms have been integrated into a commercial network monitoring product and validated for both effectiveness and practicality in two large-scale enterprise environments.

Role classification involves grouping hosts into related roles. It exposes the logical structure of a network, simplifies network management tasks such as policy checking and network segmentation, and can be used to improve the accuracy of network monitoring and analysis algorithms such as intrusion detection. This paper defines the role classification problem and introduces two practical algorithms that group hosts based on observed connection patterns while dealing with changes in these patterns over time. The algorithms have been implemented in a commercial network monitoring and analysis product for enterprise networks. Results from grouping two enterprise networks show that the number of groups identified by our algorithms can be two orders of magnitude smaller than the number of hosts and that the way our algorithms group hosts highly reflects the logical structure of the networks.