Network security with server name indication
US-2023328102-A1 · Oct 12, 2023 · US
US12184694B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12184694-B2 |
| Application number | US-202117531063-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 19, 2021 |
| Priority date | Jul 16, 2019 |
| Publication date | Dec 31, 2024 |
| Grant date | Dec 31, 2024 |
Official abstract text for this publication.
In one embodiment, a device obtains one or more packets of a traffic session in a network. The device determines, for a particular packet of the one or more packets that match a filter, a fingerprint for the particular packet. The device identifies a plurality of traffic sessions whose packets match the fingerprint, wherein each of the plurality of traffic sessions is associated with at least one process. The device updates a process with the traffic session by applying a classifier to the plurality of traffic sessions.
Opening claim text (preview).
What is claimed is:

1. A method comprising: obtaining, at a device, one or more packets of a traffic session in a network comprising at least one QUIC packet; determining, by the device and for a particular packet of the one or more packets that matches a filter, a fingerprint for the particular packet; identifying, by the device, a plurality of traffic sessions whose packets match the fingerprint, wherein each of the plurality of traffic sessions is associated with at least one process; and associating, by the device, a process with the traffic session by applying a classifier to the plurality of traffic sessions.
2. The method as in claim 1, further comprising: enhancing, by the device, the classifier with a host model.
3. The method as in claim 2, wherein the host model is associated with a host device of the network that sent the one or more packets.
4. The method as in claim 2, wherein the host model is modeled based on previous traffic sessions of a host device.
5. The method as in claim 1, wherein the one or more packets comprise additional QUIC packets, Datagram Transport Layer Security packets, HTTP, or SSH packets.
6. The method as in claim 1, wherein the plurality of traffic sessions is according to a plurality of different communications protocols.
7. The method as in claim 1, wherein the plurality of traffic sessions is according to a single communication protocol.
8. The method as in claim 1, further comprising: determining, by the device, that the process associated with the traffic session comprises malware or represents a security threat.
9. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store program instructions that are executable by the processor, the program instructions when executed configured to: obtain one or more packets of a traffic session in the network comprising at least one QUIC packet; determine, for a particular packet of the one or more packets that matches a filter, a fingerprint for the particular packet; identify a plurality of traffic sessions whose packets match the fingerprint, wherein each of the plurality of traffic sessions is associated with at least one process; and associate a process with the traffic session by applying a classifier to the plurality of traffic sessions.
10. The apparatus as in claim 9, wherein the program instructions when executed are further configured to: enhance the classifier with a host model.
11. The apparatus as in claim 10, wherein the host model is associated with a host device of the network that sent the one or more packets.
12. The apparatus as in claim 10, wherein the host model is modeled based on previous traffic sessions of a host device.
13. The apparatus as in claim 9, wherein the one or more packets comprise additional QUIC packets, Datagram Transport Layer Security packets, HTTP, or SSH packets.
14. The apparatus as in claim 9, wherein the plurality of traffic sessions whose packets match the fingerprint are according to a plurality of different communications protocols.
15. The apparatus as in claim 9, wherein the plurality of traffic sessions whose packets match the fingerprint are according to a single communication protocol.
16. A tangible, non-transitory, computer-readable medium that stores program instructions that cause a device in a network to execute a procedure comprising: obtaining, at the device, one or more packets of a traffic session in the network comprising at least one QUIC packet; determining, for a particular packet of the one or more packets that matches a filter, a fingerprint for the particular packet; identifying a plurality of traffic sessions whose packets match the fingerprint, wherein each of the plurality of traffic sessions is associated with at least one process; and associating a process with the traffic session by applying a classifier to the plurality of traffic sessions.
17. The tangible, non-transitory, computer-readable medium as in claim 16, wherein the procedure further comprises: enhancing the classifier with a host model.
18. The tangible, non-transitory, computer-readable medium as in claim 17, wherein the host model is associated with a host device of the network that sent the one or more packets.
19. The tangible, non-transitory, computer-readable medium as in claim 17, wherein the host model is modeled based on previous traffic sessions of a host device.
20. The tangible, non-transitory, computer-readable medium as in claim 16, wherein the one or more packets comprise additional QUIC packets, Datagram Transport Layer Security packets, HTTP, or SSH packets.
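To show how the claimed steps fit together, here is an added toy example in Python (not the patent's or the assignee's code): each packet passing the filter gets a fingerprint, past sessions sharing that fingerprint are looked up, and a classifier over their known process labels, reweighted by a per-host model as in claims 2 to 4, assigns a process to the new session. The fingerprint fields, the majority-vote classifier, the host-prior weighting and every host, name and label are constructed assumptions; the patent specifies none of them.

```python
from collections import Counter, defaultdict
from typing import NamedTuple, Optional
FILTER = {"quic", "dtls", "http", "ssh"}  # packet kinds the claims enumerate

class Packet(NamedTuple):
    proto: str                          # "quic", "dtls", "http", "ssh", ...
    dst_port: int
    quic_version: Optional[int] = None  # 1 for QUIC v1; None for non-QUIC packets
    sni: Optional[str] = None           # server name from the ClientHello, if visible

class Session(NamedTuple):
    host: str                           # local host that sent the packets
    packets: tuple
    process: Optional[str] = None       # process label, known for training sessions

def fingerprint(pkt):
    """Assumed fingerprint fields (the patent does not fix them)."""
    return (pkt.proto, pkt.dst_port, pkt.quic_version, pkt.sni)

def index_sessions(sessions):
    """Map each fingerprint to the labelled sessions containing a matching packet."""
    idx = defaultdict(list)
    for s in sessions:
        for fp in {fingerprint(p) for p in s.packets if p.proto in FILTER}:
            idx[fp].append(s)
    return idx

def host_model(sessions):
    """Per-host prior: how often each process appeared in that host's past sessions."""
    model = defaultdict(Counter)
    for s in sessions:
        if s.process:
            model[s.host][s.process] += 1
    return model

def associate_process(session, idx, hosts):
    """Majority vote over matching sessions, reweighted by the sending host's prior."""
    votes = Counter(s.process for p in session.packets if p.proto in FILTER
                    for s in idx.get(fingerprint(p), []) if s.process)
    if not votes:
        return None  # nothing passed the filter or matched a known fingerprint
    prior = hosts.get(session.host, Counter())
    total = sum(prior.values()) or 1
    return max(votes, key=lambda proc: votes[proc] * (1 + prior[proc] / total))

# Constructed training data: past sessions whose process is already known per host.
TRAINING = [
    Session("10.0.0.5", (Packet("quic", 443, 1, "video.example"),), "browser"),
    Session("10.0.0.5", (Packet("http", 80),), "browser"),
    Session("10.0.0.7", (Packet("quic", 443, 1, "video.example"),), "media-player"),
    Session("10.0.0.7", (Packet("ssh", 22),), "ssh-client"),
]
INDEX, HOSTS = index_sessions(TRAINING), host_model(TRAINING)
```

With this data the same QUIC fingerprint resolves to "browser" for 10.0.0.5 and to "media-player" for 10.0.0.7, which is the tie the host model is there to break; packets outside the filter or with an unseen fingerprint yield no association.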
Supervised learning · CPC title
Weakly supervised learning, e.g. semi-supervised or self-supervised learning · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title
Traffic logging, e.g. anomaly detection · CPC title