Network security policy configuration based on predetermined command groups
Abstract:
A network security system monitors, during a time period, data traffic transmitted between devices in a network to identify a plurality of commands transmitted between the devices. The network security system determines, from the plurality of commands, a first set of commands that were transmitted between a first device and a second device in the network. The network security system determines that the first set of commands includes a threshold number of commands from a first predetermined command group of a plurality of predetermined command groups. Each predetermined command group includes a listing of commands. The network security system generates a first policy based on the first predetermined command group.
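The flow in the abstract, sketched as an added example (not code from the patent). The command names, group names, device names, threshold value and policy format are all constructed, and "threshold number of commands" is assumed to mean distinct commands from one group seen between a device pair.

```python
from collections import defaultdict

# Constructed command groups (assumption: names are illustrative, not from the patent).
COMMAND_GROUPS = {
    "read_only": {"read_coils", "read_holding_registers", "read_input_registers"},
    "write": {"write_single_coil", "write_single_register", "write_multiple_registers"},
    "diagnostic": {"read_device_id", "report_server_id"},
}

def commands_by_pair(traffic):
    """Collect the set of commands seen between each (source, destination) pair."""
    seen = defaultdict(set)
    for src, dst, command in traffic:
        seen[(src, dst)].add(command)
    return seen

def generate_policies(traffic, groups=COMMAND_GROUPS, threshold=2):
    """Return allow policies for every pair/group that meets the threshold.

    Assumption: the threshold counts distinct commands from one group
    observed between the pair during the monitoring period.
    """
    policies = []
    for (src, dst), observed in sorted(commands_by_pair(traffic).items()):
        for name, members in sorted(groups.items()):
            if len(observed & members) >= threshold:
                # Assumption: the policy allows the whole group, not only
                # the commands that were actually observed.
                policies.append({"src": src, "dst": dst, "group": name,
                                 "allow": sorted(members)})
    return policies

# Constructed sample of monitored traffic: (source, destination, command).
SAMPLE_TRAFFIC = [
    ("hmi-1", "plc-1", "read_coils"),
    ("hmi-1", "plc-1", "read_holding_registers"),
    ("hmi-1", "plc-1", "read_coils"),
    ("hmi-1", "plc-1", "write_single_coil"),
    ("eng-ws", "plc-1", "write_single_register"),
    ("eng-ws", "plc-1", "write_multiple_registers"),
    ("eng-ws", "plc-1", "read_device_id"),
]

if __name__ == "__main__":
    for policy in generate_policies(SAMPLE_TRAFFIC):
        print(policy)
```

With the sample traffic, the single write from hmi-1 and the single diagnostic command from eng-ws fall below the threshold, so neither pair receives a policy for those groups.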