Pre-filtering detection of an injected script on a webpage accessed by a computing device
US-11303670-B1 · Apr 12, 2022 · US
US11770388B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-11770388-B1 |
| Application number | US-201916707639-A |
| Country | US |
| Kind code | B1 |
| Filing date | Dec 9, 2019 |
| Priority date | Dec 9, 2019 |
| Publication date | Sep 26, 2023 |
| Grant date | Sep 26, 2023 |
Official abstract text for this publication.
Network infrastructure can be automatically detected. A network sensor detects a new network message. A source-address of the new network message is extracted. A plurality of addresses are assembled based on the source-address. These are recursed, using each of the unique similar-addresses as current addresses. Metadata is assembled for each of the addresses in the plurality of addresses. For each particular address in the plurality of addresses, a risk-label is assigned out of a plurality of possible risk-labels, by weighing a plurality of factors; and performing a network security action with the risk-label.
Opening claim text (preview).
What is claimed is:
1. A method for automatic detection of network infrastructure, the method comprising: receiving, by a network sensor, a new network message, wherein the new network message comprises deserialized event data; determining whether the new network message is potentially malicious based on the presence of an indicator-of-compromise (IoC), wherein the determining comprises: decorating the deserialized event data by adding, to the deserialized event data, at least one of a timestamp, geo-location data, threat intelligence data, and a connection-identifier; retrieving a set of IoC rules for detecting one or more IoCs in the decorated event data; applying the set of IoC rules to the decorated event data; and identifying the decorated event data as including one or more IoCs based on application of the set of IoC rules and further decorating the deserialized event data with corresponding IoC information; and in response to determining that the new network message is potentially malicious, assigning a risk-label to the new network message based on associations with information from other network messages, wherein the identifying comprises: extracting, from the decorated event data, a source-address of the new network message; assembling a plurality of unique similar-addresses based on the source-address comprising: identifying one or more source-metadata values associated with the source-address; searching a group of previous network messages for matching network messages to the new network message, based on the matching network messages having metadata of at least a threshold similarity to at least one of the source-metadata values with the source-address; and adding the matching network messages to the plurality of unique similar-addresses; generating metadata to associate with the source-address for the new message, wherein the metadata is generated by recursively assembling related metadata from each of the plurality of unique-similar addresses; assigning, using a plurality of factors, risk-labels to the source-address of the new network message and the plurality of unique similar-addresses based, at least in part, on the metadata associated with the source-address recursively assembled from the related metadata for the plurality of unique-similar addresses, wherein the risk-labels are selected from among a plurality of possible risk-labels, wherein the plurality of possible risk-labels include a safe-label indicating no unsafe behavior was found associated with the address and a tainted-label indicating the address was found to be associated with network architecture identified as malicious; and performing one or more network security actions based on the risk-labels.
2. The method of claim 1, wherein the metadata includes at least one of the group consisting of domain-name, nameserver, and registrant-email.
3. The method of claim 2, wherein the metadata includes each of domain-name, nameserver, and registrant-email.
4. The method of claim 1, wherein the plurality of factors includes a factor comprising a comparison between a number of domains associated with a registrant email of each of the plurality of unique similar-addresses being greater than a first threshold value, wherein the number of domains being less than the first threshold value indicates a likelihood of unsafe behavior.
5. The method of claim 1, wherein the plurality of factors includes a factor comprising a determination that a registrant email of at least one of the plurality of unique similar-addresses was previously identified as tainted.
6. The method of claim 1, wherein the plurality of factors includes a factor comprising a comparison, for each of the plurality of unique-similar addresses, between 1) a number of domains registered with an organization owning the unique-similar address and 2) a number of domains registered by the unique-similar address, wherein an exact match between 1) and 2) indicates a likelihood of unsafe behavior being associated with the unique-similar address.
7. The method of claim 1, wherein the plurality of factors includes a factor comprising a comparison between a number of domains registered with an organization owning each of the plurality of unique-similar addresses and a second threshold value, wherein the number of domains being less than the second threshold value indicates a likelihood of unsafe behavior being associated with the unique-similar address.
8. The method of claim 1, wherein the plurality of factors includes a factor comprising a comparison between a number of websites hosted on a server that hosts a resource addressed by each of the plurality of unique-similar addresses and a third threshold value, wherein the number of websites hosted being less than the third threshold value indicates a likelihood of unsafe behavior being associated with the unique-similar address.
9. A system comprising: one or more hardware processors; and non-transitory computer memory tangibly containing instructions that, when executed by the processor, cause the processor to perform operations comprising: receiving, by a network sensor, a new network message, wherein the new network message comprises deserialized event data; determining whether the new network message is potentially malicious based on the presence of an indicator-of-compromise (IoC), wherein the determining comprises: decorating the deserialized event data by adding, to the deserialized event data, at least one of a timestamp, geo-location data, threat intelligence data, and a connection-identifier; retrieving a set of IoC rules for detecting one or more IoCs in the decorated event data; applying the set of IoC rules to the decorated event data; and identifying the decorated event data as including one or more IoCs based on application of the set of IoC rules and further decorating the deserialized event data with corresponding IoC information; and in response to determining that the new network message is potentially malicious, assigning a risk-label to the new network message based on associations with information from other network messages, wherein the identifying comprises: extracting, from the decorated event data, a source-address of the new network message; assembling a plurality of unique similar-addresses based on the source-address comprising: identifying one or more source-metadata values associated with the source-address; searching a group of previous network messages for matching network messages to the new network message, based on the matching network messages having metadata of at least a threshold similarity to at least one of the source-metadata values with the source-address; and adding the matching network messages to the plurality of unique similar-addresses; generating metadata to associate with the source-address for the new message, wherein the metadata is generated by recursively assembling related metadata from each of the plurality of unique-similar addresses; assigning, using a plurality of factors, risk-labels to the source-address of the new network message and the plurality of unique similar-addresses based, at least in part, on the metadata associated with the source-address recursively assembled from the related metadata for the plurality of unique-similar addresses, wherein the risk-labels are selected from among a plurality of possible risk-labels, wherein the plurality of possible risk-labels include a safe-label indicating no unsafe behavior was found associated with the address and a tainted-label indicating the address was found to be associated with network architecture identified as malicious; and performing one or more network security actions based on the risk-labels.
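The pivot-and-label procedure of claims 1 and 4 through 8, as an added toy example (not code from the patent or its assignee): it starts from a message already flagged by the IoC step, recursively collects similar-addresses that share any registration metadata value with the source, and applies the five claimed factors. The metadata, thresholds, "at least one exact match" similarity rule and "two or more factors means tainted" weighing rule are all constructed assumptions, since the claims leave those values unspecified.

```python
# Added example: toy pivot-and-label pipeline modelled on claims 1-8 above.
# Metadata, thresholds and the weighing rule are constructed assumptions.
from typing import Dict, List, Set

# Constructed WHOIS/hosting metadata keyed by source-address (RFC 5737 test ranges).
META: Dict[str, dict] = {
    "198.51.100.7": {"domain": "shop-login.example", "ns": "ns1.cheaphost.test",
                     "email": "reg@mail.test", "org_domains": 1, "reg_domains": 1, "hosted": 1},
    "198.51.100.9": {"domain": "pay-verify.example", "ns": "ns1.cheaphost.test",
                     "email": "reg@mail.test", "org_domains": 1, "reg_domains": 1, "hosted": 2},
    "203.0.113.25": {"domain": "bigcdn.example", "ns": "ns1.bigcdn.example",
                     "email": "hostmaster@bigcdn.example", "org_domains": 5000,
                     "reg_domains": 120, "hosted": 900},
}
PIVOT_KEYS = ("domain", "ns", "email")  # claims 2-3: domain-name, nameserver, registrant-email
THRESHOLDS = {"reg_domains": 3, "org_domains": 10, "hosted": 5}  # constructed 1st/2nd/3rd thresholds

def similar_addresses(source: str, history: List[str]) -> Set[str]:
    """Claim 1: recursively collect prior addresses sharing a pivot value with the source
    (similarity threshold here = at least one exact metadata match; an assumption)."""
    seen, todo = set(), [source]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        vals = {META[cur][k] for k in PIVOT_KEYS}
        # Each newly matched address becomes a current address and is pivoted on in turn.
        todo.extend(a for a in history
                    if a not in seen and vals & {META[a][k] for k in PIVOT_KEYS})
    seen.discard(source)
    return seen

def unsafe_factors(addr: str, tainted_emails: Set[str]) -> List[str]:
    """Claims 4-8: names of the factors that indicate a likelihood of unsafe behaviour."""
    m, hits = META[addr], []
    if m["reg_domains"] < THRESHOLDS["reg_domains"]: hits.append("few-registrant-domains")
    if m["email"] in tainted_emails: hits.append("tainted-registrant-email")
    if m["org_domains"] == m["reg_domains"]: hits.append("org-equals-registrant")
    if m["org_domains"] < THRESHOLDS["org_domains"]: hits.append("few-org-domains")
    if m["hosted"] < THRESHOLDS["hosted"]: hits.append("few-hosted-sites")
    return hits

def risk_labels(source: str, history: List[str],
                tainted_emails: Set[str] = frozenset()) -> Dict[str, str]:
    """Label the source and its similar-addresses 'tainted' when two or more factors hit,
    otherwise 'safe' (the weighing rule is an assumption; the claims do not fix one)."""
    group = {source} | similar_addresses(source, history)
    return {a: ("tainted" if len(unsafe_factors(a, tainted_emails)) >= 2 else "safe")
            for a in sorted(group)}
```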
Event detection, e.g. attack signature detection · CPC title
Routing based on the source address · CPC title
Domain name generation or assignment · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks · CPC title