Nearline clustering and propagation of entity attributes in anti-abuse infrastructures
US-2019132352-A1 · May 2, 2019 · US
US10778689B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10778689-B2 |
| Application number | US-201816123521-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 6, 2018 |
| Priority date | Sep 6, 2018 |
| Publication date | Sep 15, 2020 |
| Grant date | Sep 15, 2020 |
Official abstract text for this publication.
Methods and systems of classifying suspicious users are described. A processor may determine whether a domain name, of an email address of a user that requested to access a network, is valid. The processor may classify the user as a suspicious user if the domain name is invalid. If the domain name is valid, the processor may determine a likelihood that the email address is a script-generated email address. The processor may classify the user as a suspicious user if the email address is likely to be a script-generated email address. If the email address is unlikely to be a script-generated email address, the processor may identify abnormal usage behavior exhibited by the user based on a reference model. The processor may classify the user as a suspicious user if abnormal usage behavior is identified, and may reject a subsequent request from the user to access the network.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method comprising: receiving, by a processor, a user profile of a user who requested to access a network, wherein the user profile comprises at least an email address of the user, the email address comprises a domain name; determining, by the processor, whether the domain name is valid; in response to determining that the domain name is invalid, classifying, by the processor, the user as a suspicious user; in response to determining that the domain name is valid: determining, by the processor, a likelihood that the email address is a script-generated email address, wherein the determining of the likelihood is based on a difference between the email address and a plurality of email addresses, the plurality of email addresses comprises the domain name, and the plurality of email addresses are associated with other users who have requested access to the network; in response to determining, based on the likelihood, that the email address is a script-generated email address, classifying, by the processor, the user as a suspicious user; in response to determining, based on the likelihood, that the email address is not a script-generated email address: comparing, by the processor, usage behavior of the user with a reference model, wherein the usage behavior indicates historical usage of the network by the user; determining, by the processor, whether there is a presence of abnormal usage behavior exhibited by the user on the network based on the comparison; in response to determining the presence of abnormal usage behavior exhibited by the user on the network, classifying, by the processor, the user as a suspicious user; and rejecting, by the processor, a subsequent request from the user to access the network.

2. The computer-implemented method of claim 1, further comprising in response to determining that there is no presence of abnormal usage behavior exhibited by the user on the network, permitting, by the processor, the subsequent request from the user to access the network.

3. The computer-implemented method of claim 1, wherein determining whether the domain name is valid comprises: sending, by the processor, a query for the domain name to a domain name system; in response to receiving a mail exchange record indicating a mapping of the domain name to a list of servers, determining, by the processor, that the domain name is valid; and in response to not receiving the mail exchange record indicating the mapping of the domain name to a list of servers, determining, by the processor, that the domain name is invalid.

4. The computer-implemented method of claim 1, wherein determining the likelihood that the email address is a script-generated email address comprises: determining, by the processor, a first mean of differences between the email address and the plurality of email addresses; determining, by the processor, a coefficient of variation of lengths of the plurality of email addresses; determining, by the processor, a second mean of a difference between the email address and a name of the user, and differences between the plurality of email addresses and names of corresponding users; determining, by the processor, a score based on the first mean, the coefficient of variation of lengths, and the second mean; comparing, by the processor, the score with a threshold; determining, by the processor, the likelihood that the email address is a script-generated email address based on the comparison of the score with the threshold.

5. The computer-implemented method of claim 1, wherein determining whether there is a presence of abnormal usage behavior comprises using a robust principal component analysis.

6. The computer-implemented method of claim 1, further comprising: determining, by the processor, a number of email addresses that comprises the domain name; comparing, by the processor, the determined number of email addresses with a threshold; and wherein determining the likelihood that the email address is a script-generated email address is performed in response to determining that the number of email addresses is greater than the threshold.

7. The computer-implemented method of claim 1, wherein the comparison of the usage behavior with the reference model is performed in response to detecting a presence of activities performed by the user on the network.

8. The computer-implemented method of claim 1, wherein the reference model is based on usage behavior exhibited by the other users who have requested access to the network.

9. The computer-implemented method of claim 1, wherein comparing the usage behavior with the reference model comprises comparing, by the processor, the usage behavior with historical usage behavior exhibited by suspicious users on the network.

10. A system comprising: a memory device configured to store a user setting of a user who requested to access a network, wherein the user setting comprises at least an email address and usage behavior of the user, the email address comprises a domain name, and the usage behavior indicates historical usage of the network by the user; a hardware processor configured to be in communication with the memory device, the hardware processor being configured to: determine whether the domain name is valid; in response to a determination that the domain name is invalid, classify the user as a suspicious user; in response to a determination that the domain name is valid: determine a likelihood that the email address is a script-generated email address, wherein the determination of the likelihood is based on a difference between the email address and a plurality of email addresses, the plurality of email addresses comprises the domain name, and the plurality of email addresses are associated with other users who have requested access to the network; in response to a determination, based on the likelihood, that the email address is a script-generated email address, classify the user as a suspicious user; in response to a determination, based on the likelihood, that the email address is not a script-generated email address: compare the usage behavior with a reference model; determine whether there is a presence of abnormal usage behavior exhibited by the user on the network based on the comparison; in response to the determination of the presence of abnormal usage behavior exhibited by the user on the network, classify the user as a suspicious user; and reject a subsequent request from the user to access the network.

11. The system of claim 10, wherein the hardware processor is further configured to, in response to determining that there is no presence of abnormal usage behavior exhibited by the user on the network, permit the subsequent request from the user to access the network.

12. The system of claim 10, wherein the hardware processor is further configured to: send a query for the domain name to a domain name system; in response to a receipt of a mail exchange record indicating a mapping of the domain name to a list of servers, determine that the domain name is valid; and in response to no receipt of the mail exchange record indicating the mapping of the domain name to a list of servers, determine that the domain name is invalid.

13. The system of claim 10, wherein the hardware processor is further configured to: determine a first mean of differences between the email address and the plurality of email addresses; determine a coefficient of variation of lengths of the plurality of email addresses; determine a second mean of a difference between the email address and a name of the user, and differences
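The scoring step of claim 4, gated by the peer-count precondition of claim 6, as an added worked example (not code from the patent or its assignee). The page does not name the difference measure, the way the three components are combined, or the threshold, so this uses Levenshtein distance, an equal-weight average, and a threshold of 0.6 as assumptions; the DNS MX check (claim 3) and the robust PCA behaviour step (claim 5) are not covered here.

```python
from statistics import mean, pstdev

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, assumed here as the claim's 'difference' measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def norm_diff(a: str, b: str) -> float:
    """Edit distance scaled to [0, 1] by the longer string's length."""
    return edit_distance(a, b) / (max(len(a), len(b)) or 1)

def local_part(email: str) -> str:
    return email.split("@", 1)[0].lower()

def squash(name: str) -> str:
    return name.lower().replace(" ", "")

def script_generated_score(email, name, peers, min_domain_count=5):
    """peers: (email, name) pairs of other users whose address shares the domain.
    Returns None when there are too few peers (the claim 6 precondition), else
    a dict with the three claim 4 components and the combined score."""
    if len(peers) < min_domain_count:
        return None
    me = local_part(email)
    peer_locals = [local_part(e) for e, _ in peers]
    # first mean: difference between this address and every peer address
    first_mean = mean(norm_diff(me, p) for p in peer_locals)
    # coefficient of variation of peer address lengths (uniform lengths -> 0)
    lengths = [len(p) for p in peer_locals]
    cv = pstdev(lengths) / mean(lengths)
    # second mean: address-vs-owner-name difference, pooled over user and peers
    name_diffs = [norm_diff(me, squash(name))]
    name_diffs += [norm_diff(local_part(e), squash(n)) for e, n in peers]
    second_mean = mean(name_diffs)
    # ASSUMED combination (the page gives none): addresses that look like their
    # peers, have uniform length and look nothing like their owners score high
    score = ((1 - first_mean) + (1 - min(cv, 1.0)) + second_mean) / 3
    return {"first_mean": first_mean, "cv": cv, "second_mean": second_mean, "score": score}

def is_script_generated(result, threshold=0.6):
    """Assumed threshold; claim 4 only says the score is compared with one."""
    return result is not None and result["score"] >= threshold
# Constructed sample data (not from the patent): a sequential batch vs organic signups
NAMES = ["Alice Brown", "Carl Diaz", "Eve Ford", "Gus Hale", "Ivy Jones"]
SCRIPT_PEERS = [(f"acc1002{i}@example.test", n) for i, n in enumerate(NAMES, 1)]
ORGANIC_PEERS = [(f"{l}@example.test", n) for l, n in
                 zip(["alice.brown", "carl.diaz", "eford", "gus_hale", "ivy.jones"], NAMES)]
```

With these inputs `acc10026@example.test` owned by "Kim Lee" scores well above the threshold against `SCRIPT_PEERS`, while `kim.lee@example.test` against `ORGANIC_PEERS` scores well below it.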
CPC classification titles:

- Entity profiles
- Traffic logging, e.g. anomaly detection
- the source of the received data
- Detection or countermeasures against botnets
- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)