Low-latency identification of network-device properties

What is claimed is: 1. A method comprising: analyzing, by a machine-learning model, a first network communication with a first set of inputs; inferring, by the machine-learning model and based on the analyzing, that a first device that is a party to the first network communication exhibits a device property; extracting, from the machine-learning model, a first set of significant inputs that had a significant impact on the inferring; and creating, using the first set of inputs, a rule for identifying the device property, wherein the rule establishes a condition that, when present in a network communication, implies that a party to that network communication exhibits the device property. 2. The method of claim 1 , wherein the extracting comprises: identifying, for each input in the first set of inputs, an input weight; ranking the input weights of the first set of inputs; and selecting the first set of significant inputs based on the ranking. 3. The method of claim 2 , further comprising: analyzing, by the machine-learning model, a second network communication with a second set of inputs; and inferring, by the machine-learning model and based on the analyzing, that a second device that is a party to the second network communication exhibits the device property; wherein the extracting further comprises: identifying, for each input in the second set of inputs, an input weight; and combining the input weights of the first set of inputs and the second set of inputs. 4. The method of claim 1 , wherein the machine-learning model is an attention-based model. 5. The method of claim 1 , wherein the rule is an if-then statement. 6. The method of claim 1 , further comprising: applying the rule to a real-time network communication; detecting the condition in the real-time network communication; inferring, based on the detecting, that a second device that is party to the real-time network communication exhibits the device property; and blocking, based on the identifying, the real-time network communication. 7. The method of claim 1 , wherein the first set of significant inputs comprises a domain name. 8. A system comprising: a processor; and a memory in communication with the processor, the memory containing program instructions that, when executed by the processor, are configured to cause the processor to perform a method, the method comprising: analyzing, by a machine-learning model, a first set of network communications with a first set of inputs; inferring, by the machine-learning model and based on the analyzing, that each device is a set of devices exhibits a device property, wherein each device is a party to a network communication in the first set of network communications; extracting, from the machine-learning model, a first set of significant inputs that had a significant impact on the inferring; and creating, using the first set of inputs, a rule for identifying the device property, wherein the rule establishes a condition that, when present in a set of real-time network communications, implies that a party to that set of real-time network communications exhibits the device property. 9. The system of claim 8 , wherein the machine-learning model is an attention-based model, and wherein the extracting comprises: identifying, for a particular device in the set of devices, a list of attention weights that express the importance of each particular input in the first set of inputs for the inferring for that particular device; combining, for a particular input for the particular device, the attention weight in the list with the attention weights of corresponding inputs in the set of inputs for the other devices in the set of devices, resulting in a combined weight for that input that corresponds to all devices in the set of devices; comparing the combined weight with other combined weights for other inputs in the set of inputs; determining, based on the comparing, that the particular input is a significant input; and adding the particular input to the first set of significant inputs. 10. The system of claim 9 , wherein the particular input for the particular device is a DNS name that the device queried, and wherein the corresponding inputs for the other devices in the set of devices are the DNS name that those other devices queried. 11. The system of claim 10 , wherein the rule comprises inferring that a network device exhibits the device property if the network device queries the DNS name. 12. The system of claim 8 , wherein the rule comprises inferring that a network device exhibits the device property if the network device queries the DNS name and a second DNS name. 13. The system of claim 8 , wherein the first set of significant inputs comprises a particular sequence of bytes in a real-time network communication. 14. The system of claim 8 , wherein the first set of significant inputs comprises a DNS name, and the condition comprises querying the DNS name at least a threshold number of times over a particular time period. 15. A computer program product, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to: analyze, by a machine-learning model, a first set of network communications with a first set of inputs; infer, by the machine-learning model and based on the analyzing, that each device is a set of devices exhibits a device property, wherein each device is a party to a network communication in the first set of network communications; extract, from the machine-learning model, a first set of significant inputs that had a significant impact on the inferring; and create, using the first set of inputs, a rule for identifying the device property, wherein the rule establishes a condition that, when present in a set of real-time network communications, implies that a party to that set of real-time network communications exhibits the device property. 16. The computer program product of claim 15 , wherein the machine-learning model is an attention-based model, and wherein the extracting comprises: identifying, for a particular device in the set of devices, a list of attention weights that express the importance of each particular input in the first set of inputs for the inferring for that particular device; and combining, for a particular input for the particular device, the attention weight in the list with the attention weights of corresponding inputs in the set of inputs for the other devices in the set of devices, resulting in a combined weight for that input that corresponds to all devices in the set of devices. 17. The computer program product of claim 16 , wherein the particular input for the particular device is a DNS name that the device queried, and wherein the corresponding inputs for the other devices in the set of devices are the DNS name that those other devices queried. 18. The computer program product of claim 15 , wherein the rule comprises inferring that a network device exhibits the device property if the network device queries the DNS name. 19. The computer program of claim 15 , wherein the rule comprises inferring that a network device exhibits the device property if the network device queries the DNS name and a second DNS name. 20. The computer program of claim 15 , wherein the first set of significant inputs comprises a DNS name, and the condition comprises querying the DNS name at least a threshold number of times over a