Detecting malware via scanning for dynamically generated function pointers in memory
US-10628586-B1 · Apr 21, 2020 · US
US11451561B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11451561-B2 |
| Application number | US-201816131146-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 14, 2018 |
| Priority date | Sep 14, 2018 |
| Publication date | Sep 20, 2022 |
| Grant date | Sep 20, 2022 |
Official abstract text for this publication.
In one embodiment, a device obtains execution records regarding executions of a plurality of binaries. The execution records comprise command line arguments used during the execution. The device determines measures of similarity between the executions of the binaries based on their command line arguments. The device clusters the executions into clusters based on the determined measures of similarity. The device flags the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, by a device, execution records regarding executions of a plurality of binaries from one or more monitoring agents that capture the execution records, the one or more monitoring agents being executed by one or more clients at which the binaries are executed, wherein the execution records comprise command line arguments used during the executions of the plurality of binaries; determining, by the device, measures of similarity between the executions of the binaries based on their command line arguments; clustering, by the device, the executions into clusters based on the determined measures of similarity; and flagging, by the device, the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware that uses the same command line arguments as at least a portion of the flagged command line arguments.
2. The method as in claim 1, further comprising: providing, by the device and via a network, data regarding the indicator of compromise to a monitoring agent executed by a client, wherein the monitoring agent uses the indicator of compromise to detect malware on the client.
3. The method as in claim 1, wherein determining the measures of similarity between the executions of the binaries comprises: assigning term frequency-inverse document frequency scores to the command line arguments.
4. The method as in claim 1, wherein clustering, by the device, the executions into clusters based on the determined measures of similarity comprises: applying parallel label propagation to the command line arguments, to perform graph clustering on the command line arguments.
5. The method as in claim 1, wherein flagging the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware comprises: filtering out at least one of the clusters based on the filtered cluster being associated with a benign binary or a binary with high prevalence of execution by a set of clients.
6. The method as in claim 1, wherein flagging the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware comprises: selecting the particular cluster for the flagging, based on the number of unique binaries associated with the particular cluster.
7. The method as in claim 1, wherein flagging the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware comprises: selecting the particular cluster for the flagging, based on the particular cluster being associated with a high-risk malware.
8. The method as in claim 1, further comprising: preventing, by the device, use of the indicator of compromise for detection of malware, when the indicator of compromise triggers a threshold amount of binaries to be deemed as malware.
9. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: receive execution records regarding executions of a plurality of binaries from one or more monitoring agents that capture the execution records, the one or more monitoring agents being executed by one or more clients at which the binaries are executed, wherein the execution records comprise command line arguments used during the executions of the plurality of binaries; determine measures of similarity between the executions of the binaries based on their command line arguments used by the plurality of binaries during execution; cluster the executions into clusters based on the determined measures of similarity; and flag the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware that uses the same command line arguments as at least a portion of the flagged command line arguments.
10. The apparatus as in claim 9, wherein the process when executed is further configured to: provide, via a network, data regarding the indicator of compromise to a monitoring agent executed by a client, wherein the monitoring agent uses the indicator of compromise to detect malware on the client.
11. The apparatus as in claim 9, wherein the apparatus determines the measures of similarity between the executions of the binaries by: assigning term frequency-inverse document frequency scores to the command line arguments.
12. The apparatus as in claim 9, wherein the apparatus clusters the executions into clusters based on the determined measures of similarity by: applying parallel label propagation to the command line arguments, to perform graph clustering on the command line arguments.
13. The apparatus as in claim 9, wherein the apparatus flags the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware by: filtering out at least one of the clusters based on the filtered cluster being associated with a benign binary or a binary with high prevalence of execution by a set of clients.
14. The apparatus as in claim 9, wherein the apparatus flags the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware by: selecting the particular cluster for the flagging, based on the number of unique binaries associated with the particular cluster.
15. The apparatus as in claim 9, wherein the apparatus flags the command line arguments for a particular one of the clusters as an indicator of compromise for a type of malware comprises: selecting the particular cluster for the flagging, based on the particular cluster being associated with a high-risk malware.
16. The apparatus as in claim 9, wherein the process when executed is further configured to: prevent use of the indicator of compromise for detection of malware, when the indicator of compromise triggers a threshold amount of binaries to be deemed as malware.
17. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device to execute a process comprising: receiving, by the device, execution records regarding executions of a plurality of binaries from one or more monitoring agents that capture the execution records, the one or more monitoring agents being executed by one or more clients at which the binaries are executed, wherein the execution records comprise command line arguments used during the executions of the plurality of binaries; determining, by the device, measures of similarity between the executions of the binaries based on their command line arguments; clustering, by the device, the executions into clusters based on the determined measures of similarity; and flagging, by the device, the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware that uses the same command line arguments as at least a portion of the flagged command line arguments.
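A worked illustration of the pipeline in claims 3 to 8, added here and not code from the patent or its assignee: TF-IDF scores over the command-line arguments of each execution, label-propagation clustering over the resulting similarity graph, then flagging the arguments shared by a cluster that contains known malware, skipping clusters that hold a high-prevalence binary and withholding an IoC that would match too many distinct binaries. The execution records, the thresholds and the sequential (rather than parallel) label update are assumptions.

```python
import math
from collections import Counter
# Constructed execution records: (binary id, client id, command line, known malware?)
RECORDS = [
    ("bin_a", "c1", "a.exe -enc base64blob -w hidden -nop", True),
    ("bin_b", "c2", "b.exe -nop -w hidden -enc otherblob", False),
    ("bin_c", "c3", "c.exe -nop -w hidden -enc third", False),
    ("bin_d", "c1", "notepad.exe /A readme.txt", False),
    ("bin_d", "c2", "notepad.exe /A notes.txt", False),
    ("bin_d", "c3", "notepad.exe /A todo.txt", False),
    ("bin_e", "c4", "updater.exe --check --quiet", False),
]

def tfidf(records):
    # One unit-length, smoothed TF-IDF vector per execution (claim 3); program name dropped.
    docs = [Counter(c.split()[1:]) for _, _, c, _ in records]
    df, n = Counter(t for d in docs for t in d), len(docs)
    raw = [{t: c * (1 + math.log((1 + n) / (1 + df[t]))) for t, c in d.items()} for d in docs]
    return [{t: w / math.sqrt(sum(x * x for x in v.values())) for t, w in v.items()} for v in raw]

def label_propagation(vecs, min_sim=0.3, max_iter=20):
    # Graph clustering (claim 4): an edge joins executions with cosine >= min_sim.
    # Assumption: sequential label updates (the claim says parallel), ties to the smallest label.
    n, labels = len(vecs), list(range(len(vecs)))
    sims = [[sum(w * vecs[j].get(t, 0.0) for t, w in vecs[i].items()) for j in range(n)] for i in range(n)]
    nbrs = [{j: sims[i][j] for j in range(n) if j != i and sims[i][j] >= min_sim} for i in range(n)]
    for _ in range(max_iter):
        old = labels[:]
        for i in range(n):
            votes = sum((Counter({labels[j]: w}) for j, w in nbrs[i].items()), Counter())
            if votes:
                labels[i] = min(votes, key=lambda l: (-votes[l], l))
        if labels == old:
            break
    return [[i for i in range(n) if labels[i] == l] for l in sorted(set(labels))]

def flag_iocs(records, clusters, max_clients=3, max_hits=5):
    # Claims 5-8: skip clusters holding a binary seen on >= max_clients clients, flag those
    # holding known malware, and withhold an IoC that matches > max_hits distinct binaries.
    clients = {b: {c for bb, c, _, _ in records if bb == b} for b, _, _, _ in records}
    iocs = []
    for members in clusters:
        if (any(len(clients[records[i][0]]) >= max_clients for i in members)
                or not any(records[i][3] for i in members)):
            continue
        shared = set.intersection(*(set(records[i][2].split()[1:]) for i in members))
        hits = {b for b, _, cl, _ in records if shared and shared <= set(cl.split()[1:])}
        if shared and len(hits) <= max_hits:
            iocs.append(sorted(shared))
    return iocs
```

With the constructed records, the three hidden-window executions cluster and yield one IoC, the notepad cluster is dropped as high-prevalence, and lowering max_hits to 2 withholds the IoC as too broad.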
CPC classification titles:

- Event detection, e.g. attack signature detection
- Traffic logging, e.g. anomaly detection
- Clustering or classification
- Query processing