Learning device and learning discrimination system
US-2018039822-A1 · Feb 8, 2018 · US
US11501120B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-11501120-B1 |
| Application number | US-202016796843-A |
| Country | US |
| Kind code | B1 |
| Filing date | Feb 20, 2020 |
| Priority date | Sep 30, 2016 |
| Publication date | Nov 15, 2022 |
| Grant date | Nov 15, 2022 |
Official abstract text for this publication.
An artifact is received and features are extracted therefrom to form a feature vector. Thereafter, a determination is made to alter a malware processing workflow based on a distance of one or more features in the feature vector relative to one or more indicator centroids, each indicator centroid specifying a threshold distance to trigger an action. Based on such a determination, the malware processing workflow is altered.
Opening claim text (preview).
The invention claimed is:

1. A computer-implemented method comprising: receiving an artifact; extracting features from the artifact to form a feature vector; determining to alter a malware processing workflow based on a distance of one or more features in the feature vector relative to one or more indicator centroids, each indicator centroid specifying a threshold distance to trigger an action; and altering, based on the determining, the malware processing workflow from a first machine learning-based classification workflow to a second machine learning-based classification workflow.
2. The method of claim 1 further comprising: inputting, as part of either of the first machine-learning based classification workflow or the second machine-learning based classification workflow, the feature vector into at least one machine learning model trained to generate a score that characterizes whether the artifact comprises malicious code.
3. The method of claim 2 further comprising: preventing the artifact from being executed or from continuing to execute when the at least one machine learning model indicates that the artifact comprises malicious code.
4. The method of claim 1, wherein the altering comprises: transmitting, as part of the second machine-learning based classification workflow, the feature vector to a remote computing system based on an action specified by an indicator centroid, the remote computing system providing a classification of the artifact based on the transmitted feature vector.
5. The method of claim 4, wherein the remote computing system provides the classification by executing at least one machine learning model.
6. The method of claim 1, wherein the altering comprises: transmitting, as part of the second machine-learning based classification workflow, the artifact to a remote computing system based on an action specified by an indicator centroid, the remote computing system providing a classification of the artifact based on the transmitted feature vector.
7. The method of claim 6, wherein the remote computing system provides the classification by executing at least one machine learning model.
8. The method of claim 1, wherein the altering comprises: providing a notification based on an action specified by a corresponding indicator centroid.
9. The method of claim 8, wherein the providing the notification comprises at least one of: causing the notification to be displayed in an electronic visual display, storing the notification in physical persistence, loading the notification in memory, transmitting the notification to a remote computing device.
10. The method of claim 2, wherein the altering comprises: altering the score generated by the at least one machine learning model based on an action specified by a corresponding indicator centroid.
11. A system comprising: at least one data processor; and memory storing instructions which, when executed by the at least one data processor, result in operations comprising: receiving an artifact; extracting features from the artifact to form a feature vector; determining to alter a malware processing workflow based on a distance of one or more features in the feature vector relative to one or more indicator centroids, each indicator centroid specifying a threshold distance to trigger an action; and altering, based on the determining, the malware processing workflow from a first machine learning-based classification workflow to a second machine learning-based classification workflow.
12. The system of claim 11, wherein the operations further comprise: inputting, as part of either of the first machine-learning based classification workflow or the second machine-learning based classification workflow, the feature vector into at least one machine learning model trained to generate a score that characterizes whether the artifact comprises malicious code.
13. The system of claim 12, wherein the operations further comprise: preventing the artifact from being executed or from continuing to execute when the at least one machine learning model indicates that the artifact comprises malicious code.
14. The system of claim 11, wherein the altering comprises: transmitting, as part of the second machine-learning based classification workflow, the feature vector to a remote computing system based on an action specified by an indicator centroid, the remote computing system providing a classification of the artifact based on the transmitted feature vector.
15. The system of claim 14, wherein the remote computing system provides the classification by executing at least one machine learning model.
16. The system of claim 11, wherein the altering comprises: transmitting, as part of the second machine-learning based classification workflow, the artifact to a remote computing system based on an action specified by an indicator centroid, the remote computing system providing a classification of the artifact based on the transmitted feature vector.
17. The system of claim 16, wherein the remote computing system provides the classification by executing at least one machine learning model.
18. The system of claim 11, wherein the altering comprises: providing a notification based on an action specified by a corresponding indicator centroid, the notification comprising at least one of: causing the notification to be displayed in an electronic visual display, storing the notification in physical persistence, loading the notification in memory, or transmitting the notification to a remote computing device.
19. The system of claim 12, wherein the altering comprises: altering the score generated by the at least one machine learning model based on an action specified by a corresponding indicator centroid.
20. A non-transitory computer program product comprising instructions which, when executed by at least one computing device, result in operations comprising: receiving an artifact; extracting features from the artifact to form a feature vector; determining to alter a malware processing workflow based on a distance of one or more features in the feature vector relative to one or more indicator centroids, each indicator centroid specifying a threshold distance to trigger an action; and altering, based on the determining, the malware processing workflow from a first machine learning-based classification workflow to a second machine learning-based classification workflow.
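The routing step described in the abstract and claims, sketched as an added example that is not taken from the patent. The Euclidean metric, the "distance at or below threshold triggers" rule, the action labels, the `score_delta` field, the toy model and the three sample features are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Hypothetical labels for the actions the claims list (claims 4, 6, 8, 10).
SEND_VECTOR, SEND_ARTIFACT, NOTIFY, ADJUST_SCORE = (
    "send_vector_remote", "send_artifact_remote", "notify", "adjust_score")

@dataclass(frozen=True)
class IndicatorCentroid:
    name: str
    coords: dict              # feature index -> centroid value (subset of features)
    threshold: float          # assumed rule: trigger when distance <= threshold
    action: str
    score_delta: float = 0.0  # assumed: only used by ADJUST_SCORE

def distance(vector, centroid):
    """Euclidean distance over only the features the centroid names."""
    return math.sqrt(sum((vector[i] - c) ** 2 for i, c in centroid.coords.items()))

def triggered(vector, centroids):
    """Centroids whose threshold the vector falls within, nearest first."""
    hits = sorted(((distance(vector, c), c) for c in centroids), key=lambda h: h[0])
    return [c for d, c in hits if d <= c.threshold]

def local_model(vector):
    """Stand-in for the first workflow's ML model: a fixed toy score in [0, 1]."""
    return max(0.0, min(1.0, 0.1 * vector[0] + 0.5 * vector[2]))

def process(vector, centroids, model=local_model):
    """Decide the workflow for one feature vector and apply score adjustments."""
    hits = triggered(vector, centroids)
    result = {"workflow": "second" if hits else "first",
              "score": model(vector),
              "actions": [c.action for c in hits],
              "matched": [c.name for c in hits]}
    for c in hits:
        if c.action == ADJUST_SCORE:
            result["score"] = max(0.0, min(1.0, result["score"] + c.score_delta))
    return result

# Constructed sample data; vector layout is [entropy, section_count, packed_flag].
CENTROIDS = [
    IndicatorCentroid("packed-high-entropy", {0: 7.8, 2: 1.0}, 0.5, SEND_VECTOR),
    IndicatorCentroid("known-benign-installer", {0: 6.0, 1: 5.0}, 1.0,
                      ADJUST_SCORE, -0.3),
]
```

A vector that falls within no centroid's threshold stays on the first workflow and keeps the local model's score unchanged.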
Distances to cluster centroids · CPC title
Combinations of networks · CPC title
Learning methods · CPC title
Analysis of geometric attributes · CPC title
File meta data generation · CPC title