Malicious site detection for a cyber threat response system

US11716347B2 · US · B2

Patent metadata
Publication number: US-11716347-B2
Application number: US-202016941874-A
Country: US
Kind code: B2
Filing date: Jul 29, 2020
Priority date: Feb 20, 2018
Publication date: Aug 1, 2023
Grant date: Aug 1, 2023

Abstract

Official abstract text for this publication.

The cyber security appliance can have at least the following components. A phishing site detector that has a segmentation module to break up an image of a page of a site under analysis into multiple segments and then analyze each segment of the image to determine visually whether a key text-like feature exists in that segment. A signature creator creates a digital signature for each segment containing a particular key text-like feature. The digital signature for that segment is indicative of a visual appearance of the particular key text-like feature. Trained AI models compare digital signatures from a set of key text-like features detected in the image of that page under analysis to digital signatures of a set of key text-like features from known bad phishing sites in order to output a likelihood of maliciousness of the unknown site under analysis.
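
The pipeline in the abstract (fixed-size segments, one visual signature per segment, comparison against known-bad signatures) can be sketched as follows. This is an added example, not code from the patent or from the assignee: the average-hash signature, the 8x8 size, the Hamming-distance score standing in for the trained AI models, the 0.9 threshold and the category names are all assumptions, and the segments are constructed sample data.

```python
SIZE = 8  # assumed fixed rendered size; the page does not state one

def resize(seg, size=SIZE):
    """Nearest-neighbour resample of a 2-D grayscale segment to size x size."""
    h, w = len(seg), len(seg[0])
    return [[seg[r * h // size][c * w // size] for c in range(size)]
            for r in range(size)]

def signature(seg):
    """Average hash (assumed technique): one bit per pixel, set if above the mean."""
    px = [p for row in resize(seg) for p in row]
    mean = sum(px) / len(px)
    bits = 0
    for p in px:
        bits = (bits << 1) | (p > mean)
    return bits

def similarity(a, b):
    """1.0 for identical signatures, 0.0 when every bit differs."""
    return 1 - bin(a ^ b).count("1") / (SIZE * SIZE)

def score_page(features, library, threshold=0.9):
    """features: [(category, segment)]; library: {category: [signature]}.
    Returns the fraction of features whose best match within the same
    category reaches the threshold (a crude stand-in for a trained model)."""
    if not features:
        return 0.0
    hits = 0
    for category, seg in features:
        sig = signature(seg)
        best = max((similarity(sig, known) for known in library.get(category, [])),
                   default=0.0)
        hits += best >= threshold
    return hits / len(features)

# Constructed sample segments: a bright top-left block and four horizontal bands.
def block(n, hi=255, lo=0):
    return [[hi if r < n // 2 and c < n // 2 else lo for c in range(n)]
            for r in range(n)]

def stripes(n):
    return [[255 if (r * 4 // n) % 2 == 0 else 0 for _ in range(n)]
            for r in range(n)]

# Hypothetical library of known-bad signatures, keyed by assumed category names.
LIBRARY = {"logo": [signature(block(16))], "login_button": [signature(stripes(16))]}
LOOKALIKE = [("logo", block(32, hi=200, lo=30)), ("login_button", stripes(32))]
UNRELATED = [("logo", stripes(16)), ("login_button", block(16))]
```

Because each segment is normalised to a fixed size before hashing, the rescaled and recoloured lookalike scores 1.0, while the same shapes filed under the wrong categories score 0.0.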

First claim

Opening claim text (preview).

What is claimed is:

1. A cyber security appliance, comprising: one or more memory storage devices; one or more processors, coupled to the one or more memory storage devices, the one or more processors configured to cause: a phishing site detector having a segmentation module to break up an image of a page of a site under analysis into multiple segments, transform each segment of the multiple segments into a fixed rendered size, and analyze each transformed segment of the multiple segments of the image of the page to determine visually whether a key text-like feature exists in each transformed segment of the multiple segments; a signature creator to create a digital signature for each transformed segment containing a particular key text-like feature, wherein the digital signature for the transformed segment containing the particular key text-like feature is at least indicative of a visual appearance of the particular key text-like feature; a trained AI model to compare digital signatures from a first set of key text-like features detected in the image of the page from an unknown site under analysis to digital signatures of a second set of key text-like features from a plurality of known bad phishing sites to output a likelihood of maliciousness of the unknown site under analysis; wherein the segmentation module is configured to use a machine learning algorithm for breaking up and segmenting the image of the site under analysis, and wherein the machine learning algorithm is implemented in Neural Networks, where when any software instructions are implemented in the cyber security appliance, then the software instructions are stored in an executable form in the one or more memories and are configured to be executed by the one or more processors.

2. The cyber security appliance of claim 1, wherein the phishing site detector has a categorizing module to use a blended approach to analyze at least a first transformed segment of the multiple segments in the image determined to have a first key text-like feature via i) OCR text recognition and with ii) analysis of a literal visual representation from the image of that page under analysis to determine what does the first key text-like feature on the page visually look like, and then iii) use both of resulting text from the OCR text recognition and the visual appearance of the key text-like feature to determine a category that the first key text-like feature in the first transformed segment of the multiple segments of the image of the page under analysis belongs to, wherein the image of the page of the unknown site under analysis is a page that harvests log-in credentials for the unknown site.

3. The cyber security appliance of claim 1, wherein the trained AI model is trained to compare i) one or more key text-like features from the first set of key text-like features detected in the image under analysis in a particular category of features to ii) digital signatures in the same category for key text-like features from the second set of key text-like features from the known bad phishing sites stored in a library of digital signatures.

4. The cyber security appliance of claim 3, wherein the phishing site detector includes an autonomous response module configured to, upon a determination that enough key text-like features from the first set of key text-like features closely match digital signatures in the second set of key text-like features from known bad phishing sites, lock out a user's ability to access the unknown site under analysis, and generate a notice to the user that the unknown site is likely a malicious phishing site.

5. The cyber security appliance of claim 1, wherein the segmentation module is configured to detect the first set of key text-like features in the multiple segments of the image and determine coordinates around each key text-like feature.

6. The cyber security appliance of claim 5, wherein the machine learning algorithm implemented in the Neural Networks is configured to analyze the image to look for specific key features that appear text-like, including any of actual text and logos on the image of the page under analysis, by detecting gradients in color change in one or more areas and a ratio to a background color to establish a beginning and an end of each specific key feature that appears text-like, wherein these key text-like features will then have a bounding box formed around the coordinates of each key text-like feature.

7. The cyber security appliance of claim 6, wherein the phishing site detector includes a categorizing module to perform OCR text analysis on a first key text-like feature in the first set of key text-like features and an analysis of a literal visual representation on the first key text-like feature to determine the meaning the first key text-like feature is trying to convey to help catalog the first key text-like feature for a comparison, wherein each key text-like feature has its own bounding box.

8. The cyber security appliance of claim 1, wherein the trained AI model is configured to compare the digital signatures from the first set of key text-like features detected in the unknown site under analysis to the digital signatures of the second set of key text-like features of known bad phishing sites, wherein each key text-like feature is compared to another key text-like feature in that same category, to output the likelihood of maliciousness of the unknown site under analysis, wherein the page is a login page of the site under analysis.

9. The cyber security appliance of claim 1, wherein the trained AI model is configured to compare the digital signatures from the first set of key text-like features detected in the unknown site under analysis to the digital signatures of the second set of key text-like features of known bad phishing sites, wherein the phishing site detector includes has an access module that is configured to access, when an email under analysis is checked, a link in the email to capture the image of at least a login page associated with the unknown site accessed through the link.

10. The cyber security appliance of claim 9, wherein the access module is further configured to capture one or more screenshots of the page of the unknown site under analysis to create the image of at least the login page and feed the one or more screenshots to the segmentation module.

11. A method for a cyber security appliance, comprising: breaking up an image of a page of a site under analysis into multiple segments, transforming each segment of the multiple segments into a fixed rendered size, and analyzing each transformed segment of the multiple segments of the image of the page to determine visually whether a key text-like feature exists in each transformed segment of the multiple segments; creating a digital signature for each transformed segment containing a particular key text-like feature, wherein the digital signature for the transformed segment containing the particular key text-like feature is at least indicative of a visual appearance of the particular key text-like feature; comparing digital signatures from a first set of key text-like features detected in the image of that page of an unknown site under analysis to digital signatures of a second set of key text-like features from a plurality of known bad phishing sites to output a likelihood of maliciousness of the unknown site under analysis; wherein a machine learning algorithm is used for breaking up and segmenting the image of the unknown site under analysis, and wherein the machine learning algorithm is implemented in Neural Networks, where when any software instructions are implemented in the cyber security appliance, then the software instructions

Classifications

CPC titles:

  • service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12)
  • Access control lists [ACL]
  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  • Architectural arrangements, e.g. perimeter networks or demilitarized zones
  • comprising specially adapted graphical user interfaces [GUI]

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Darktrace Ltd, Darktrace Holdings Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/1441. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 1, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).