Real User Monitoring statistics from end users via plugin or browser extension
US-2023385364-A1 · Nov 30, 2023 · US
US12088633B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12088633-B2 |
| Application number | US-202217586936-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 28, 2022 |
| Priority date | Sep 30, 2021 |
| Publication date | Sep 10, 2024 |
| Grant date | Sep 10, 2024 |
Official abstract text for this publication.
The present disclosure describes dynamic intrusion detection and prevention in computer networks. The method includes generation of clusters of network sites based on a plurality of parameters related to operational features and network threats associated with the network sites. Data models are trained upon the clusters developed through the clustering. The data models are executed to predict a threat frequency of each network threat for each cluster. A difference between the predicted threat frequency of each network threat and corresponding baseline frequencies is determined. Dynamic rulesets are configured, based on the difference between the predicted threat frequency of each network threat and the corresponding baseline frequencies, for each cluster by integrating rules applicable to prevent each network threat.
Opening claim text (preview).
We claim:
1. A method comprising: clustering, using a data clustering technique, a plurality of network sites into a plurality of clusters of network sites based on a plurality of parameters, wherein the plurality of parameters are related to operational features and a network threat associated with the plurality of network sites; training, using machine learning, one or more data models upon the plurality of clusters of network sites developed through the clustering, the training of the one or more data models being based on training data; executing, by a system comprising a hardware processor, the one or more data models to predict a threat frequency of the network threat for each cluster of the plurality of clusters of network sites; determining, by the system, a threat frequency difference between the predicted threat frequency of the network threat and a corresponding baseline frequency for each cluster of the plurality of clusters of network sites, wherein the determining produces a plurality of threat frequency differences for respective clusters of the plurality of clusters of network sites; and configuring, by the system, a corresponding dynamic ruleset for each corresponding cluster of the plurality of clusters of network sites by integrating, into the corresponding dynamic ruleset, rules applicable to prevent the network threat in the corresponding cluster, wherein a count of the rules integrated into the corresponding dynamic ruleset depends on a respective threat frequency difference of the plurality of threat frequency differences.
2. The method of claim 1, wherein the plurality of parameters include one or more of: a location score of a network segment, software stack embedding, a score based on bandwidth consumption by applications running across the network segment, a score based on a pattern of network traffic, a score based on a number of different types of network devices connected in the network segment, a score based on user diaspora, a score based on a reputation of the network segment, a score based on a network threat to the network segment, or a score based on network classification.
3. The method of claim 1, further comprising training the one or more data models based on the predicted threat frequency of the network threat.
4. The method of claim 1, wherein the configuring of the corresponding dynamic ruleset comprises adding a new rule to the corresponding dynamic ruleset based on the respective threat frequency difference.
5. The method of claim 4, wherein the configuring of the corresponding dynamic ruleset comprises removing an existing rule from the corresponding dynamic ruleset based on the respective threat frequency difference being less than the predefined threshold.
6. The method of claim 1, wherein the baseline frequency for a given cluster of the plurality of clusters of network sites includes a count of network attacks in the given cluster.
7. The method of claim 1, wherein each data model of the one or more data models is trained on a separate cluster of the plurality of clusters of network sites.
8. The method of claim 1, wherein the one or more data models when executed predict threat frequencies for respective network threats for each cluster of the plurality of clusters of network sites, and the method comprises: determining, by the system, threat frequency differences between the predicted threat frequencies for the respective network threats and corresponding baseline frequencies for each cluster of the plurality of clusters of network sites; and configuring, by the system, the corresponding dynamic ruleset for each corresponding cluster of the plurality of clusters of network sites using the determined threat frequency differences.
9. The method of claim 1, wherein the network threat comprises one or more of an intrusion into a network site, a denial of service attack, a man in the middle attack, a phishing attack, ransomware, a virus, or a worm.
10. A system comprising: a processor; a non-transitory storage medium storing instructions executable on the processor to: cluster, using a data clustering technique, a plurality of network sites into a plurality of clusters of network sites based on a plurality of parameters, wherein the plurality of parameters are related to operational features and a network threat associated with the plurality of network sites; train, using machine learning, one or more data models upon the plurality of clusters developed through the clustering, the training of the one or more data models being based on training data; execute the one or more data models to predict a threat frequency of the network threat for each cluster of the plurality of clusters of network sites; determine a threat frequency difference between the predicted threat frequency of the network threat and a corresponding baseline frequency for each cluster of the plurality of clusters of network sites, wherein the determining produces a plurality of threat frequency differences for respective clusters of the plurality of clusters of network sites; and configure a corresponding dynamic ruleset for each corresponding cluster of the plurality of clusters of network sites by integrating, into the corresponding dynamic ruleset, rules applicable to prevent the network threat in the corresponding cluster, wherein a count of the rules integrated into the corresponding dynamic ruleset depends on a respective threat frequency difference of the plurality of threat frequency differences.
11. The system of claim 10, wherein the plurality of parameters are collected by a virtual gateway serving devices operating in the plurality of network sites, and provided to the system over a network.
12. The system of claim 10, wherein the plurality of parameters include one or more of: a location score of a network segment, a score based on bandwidth consumption by applications running across the network segment, a score based on a pattern of network traffic, a score based on a number of different types of network devices connected in the network segment, a score based on a reputation of the network segment, or a score based on a network threat to the network segment.
13. The system of claim 10, wherein the configuring of the corresponding dynamic ruleset comprises removing an existing rule from the corresponding dynamic ruleset based on the respective threat frequency difference being less than a predefined threshold.
14. The system of claim 13, wherein the configuring of the corresponding dynamic ruleset comprises adding a new rule to the corresponding dynamic ruleset based on the respective threat frequency difference exceeding the predefined threshold.
15. The system of claim 14, wherein adding the new rule to the corresponding dynamic ruleset increases a scope of network threat detection in the corresponding cluster.
16. The system of claim 14, wherein removing the existing rule from the corresponding dynamic ruleset reduces a scope of network threat detection in the corresponding cluster.
17. The system of claim 10, wherein the plurality of parameters are captured along with their timestamps.
18. The system of claim 10, wherein the baseline frequency for a given cluster of the plurality of clusters of network sites includes a count of network attacks in the given cluster.
19. The system of claim 10, wherein the network threat comprises one or more of an intrusion into a network site, a denial of service attack, a man in the middle attack, a phishing attack, ransomware, a virus, or a worm.
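The claims above describe a pipeline (cluster sites on operational parameters, fit a model per cluster, predict next-period threat frequency, subtract a baseline, and size the cluster's ruleset by that difference) without fixing any particular clustering technique, model, or threshold. The following is an added illustration written for this page, not code from the patent or its assignee: it uses a tiny deterministic k-means, a least-squares trend line as the stand-in "data model", the mean historical attack count as the baseline (in the spirit of claims 6 and 18), and a constructed threshold of 2.0. All site names, parameter vectors, attack counts and rule names are constructed placeholders.

```python
"""Added example (not from the patent): a self-contained sketch of the claimed
pipeline. Sample data is constructed; names are placeholders."""
from math import ceil
from typing import Dict, List

# Constructed parameter vectors per site (claim-2-style scores on a 0..1 scale):
# [location score, bandwidth score, traffic-pattern score, device-variety score]
SITE_PARAMS: Dict[str, List[float]] = {
    "site-a": [0.9, 0.8, 0.7, 0.9],
    "site-b": [0.85, 0.75, 0.8, 0.8],
    "site-c": [0.1, 0.2, 0.15, 0.1],
    "site-d": [0.15, 0.1, 0.2, 0.2],
}

# Constructed per-site attack counts for one threat ("dos") over four periods.
SITE_HISTORY: Dict[str, List[int]] = {
    "site-a": [3, 4, 6, 9],
    "site-b": [2, 5, 7, 10],
    "site-c": [2, 2, 1, 2],
    "site-d": [1, 2, 1, 1],
}

# Hypothetical catalogue of rules that mitigate the "dos" threat, in priority order.
RULE_CATALOG = ["dos-syn-rate-limit", "dos-udp-flood", "dos-http-slowloris", "dos-amplification"]
THRESHOLD = 2.0   # predefined threshold on the frequency difference (constructed)
MIN_RULES = 1     # never strip a cluster below this many rules (design choice)


def _dist(a: List[float], b: List[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def cluster_sites(params: Dict[str, List[float]], k: int, iters: int = 20) -> Dict[str, int]:
    """k-means with deterministic farthest-point seeding; returns site -> cluster id."""
    names = sorted(params)
    centroids = [params[names[0]]]
    while len(centroids) < k:           # seed with the site farthest from existing centroids
        far = max(names, key=lambda n: min(_dist(params[n], c) for c in centroids))
        centroids.append(params[far])
    assign: Dict[str, int] = {}
    for _ in range(iters):
        new = {n: min(range(k), key=lambda c: _dist(params[n], centroids[c])) for n in names}
        if new == assign:               # converged
            break
        assign = new
        for c in range(k):
            members = [params[n] for n in names if assign[n] == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def cluster_series(assign: Dict[str, int], history: Dict[str, List[int]]) -> Dict[int, List[int]]:
    """Aggregate per-site attack counts into one per-period series per cluster."""
    out: Dict[int, List[int]] = {}
    for site, cid in assign.items():
        series = out.setdefault(cid, [0] * len(history[site]))
        for i, v in enumerate(history[site]):
            series[i] += v
    return out


def fit_predict(series: List[int]) -> float:
    """Per-cluster 'data model': least-squares line through the history,
    evaluated one period ahead (a stand-in for the patent's ML model)."""
    n = len(series)
    xs = list(range(n))
    mx, my = sum(xs) / n, sum(series) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, series))
    slope = sxy / sxx if sxx else 0.0
    return my + slope * (n - mx)        # line value at x = n (next period)


def baseline(series: List[int]) -> float:
    """Baseline frequency: mean observed attack count per period in the cluster."""
    return sum(series) / len(series)


def configure_ruleset(current: List[str], diff: float) -> List[str]:
    """Grow the ruleset when the prediction exceeds the baseline by more than
    THRESHOLD (rule count scales with the excess); otherwise drop one rule."""
    rules = list(current)
    if diff > THRESHOLD:
        want = ceil(diff / THRESHOLD)
        for r in RULE_CATALOG:
            if want <= 0:
                break
            if r not in rules:
                rules.append(r)
                want -= 1
    elif len(rules) > MIN_RULES:
        rules.pop()                     # drop the lowest-priority rule
    return rules


def run(params, history, current_rulesets, k=2):
    """Full pass: cluster, predict, diff against baseline, reconfigure per cluster."""
    assign = cluster_sites(params, k)
    result = {}
    for cid, series in cluster_series(assign, history).items():
        pred = fit_predict(series)
        diff = pred - baseline(series)
        result[cid] = {"sites": sorted(s for s in assign if assign[s] == cid),
                       "predicted": pred, "diff": diff,
                       "ruleset": configure_ruleset(current_rulesets.get(cid, []), diff)}
    return result


if __name__ == "__main__":
    start = {0: RULE_CATALOG[:2], 1: RULE_CATALOG[:2]}
    for cid, r in sorted(run(SITE_PARAMS, SITE_HISTORY, start).items()):
        print(cid, r)
```

With the constructed data, sites a and b form one cluster whose aggregated counts trend sharply upward (predicted 23 against a baseline of 11.5), so that cluster receives the remaining catalogue rules; sites c and d form a flat cluster (predicted 2.5 against a baseline of 3), so one rule is removed. A real deployment would replace the trend line with the trained model the claims describe, and should log every rule added or removed per cluster so that detection-scope changes (claims 15 and 16) remain auditable.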
Traffic logging, e.g. anomaly detection · CPC title
Vulnerability analysis · CPC title
Denial of Service · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title