US2016337389A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016337389-A1 |
| Application number | US-201514844379-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 3, 2015 |
| Priority date | May 13, 2015 |
| Publication date | Nov 17, 2016 |
| Grant date | — |
Abstract
Data is collected from a database arrangement about behavior of observed entities, wherein the collected data includes one or more features associated with the observed entities. A probabilistic model is determined that correlates the one or more features with malicious and/or benign behavior of the observed entities. Data is collected from the database arrangement for unobserved entities that have at least one common feature with at least one of the observed entities. One of the unobserved entities is determined to be a malicious entity based on the at least one common feature and the probabilistic model. Network policies are applied to packets sent from the malicious entity.
Claims
What is claimed is:

1. A method comprising: collecting data from a database arrangement about behavior of observed entities operating in a network, wherein the collected data includes one or more features associated with the observed entities; generating a probabilistic model that correlates the one or more features with malicious and/or benign behavior of the observed entities; collecting data from the database arrangement for unobserved entities that have at least one common feature with at least one of the observed entities; determining that one of the unobserved entities is a malicious entity based on the at least one common feature and the probabilistic model; and applying network policies to packets sent from the malicious entity.
2. The method of claim 1, further comprising determining a numerical value indicating a level of confidence that the one of the unobserved entities is malicious.
3. The method of claim 2, further comprising determining a numerical threshold for the probabilistic model such that a deviation of the numerical value from the numerical threshold is indicative that the one of the unobserved entities is malicious.
4. The method of claim 3, further comprising determining an acceptable false positive rate at which the probabilistic model will falsely identify benign entities as malicious entities, and setting the numerical threshold to a value to achieve the acceptable false positive rate.
5. The method of claim 1, wherein collecting data from the database arrangement for unobserved entities comprises collecting data from a database of social networking data.
6. The method of claim 1, wherein collecting data from the database arrangement for unobserved entities comprises collecting data from a WHOIS database.
7. The method of claim 1, wherein the database arrangement comprises a first database and a second database.
8. The method of claim 1, wherein applying network policies to the packets comprises blocking network packets sent by the malicious entity.
9. An apparatus, comprising: a network interface; and a processor, wherein the processor is configured to: collect data from a database arrangement about behavior of observed entities operating in a network, wherein the collected data includes one or more features associated with the observed entities; generate a probabilistic model that correlates the one or more features with malicious and/or benign behavior of the observed entities; collect data from the database arrangement for unobserved entities that have at least one common feature with at least one of the observed entities; determine that one of the unobserved entities is a malicious entity based on the at least one common feature and the probabilistic model; and apply, via the network interface, network policies to packets sent from the malicious entity.
10. The apparatus of claim 9, wherein the processor is configured to determine a numerical value indicating a level of confidence that the one of the unobserved entities is malicious.
11. The apparatus of claim 10, wherein the processor is configured to determine a numerical threshold for the probabilistic model such that a deviation of the numerical value from the numerical threshold is indicative that the one of the unobserved entities is malicious.
12. The apparatus of claim 11, wherein the processor is configured to determine an acceptable false positive rate at which the probabilistic model will falsely identify benign entities as malicious entities, and set the numerical threshold to a value to achieve the acceptable false positive rate.
13. The apparatus of claim 9, wherein the processor is configured to collect data from the database arrangement for unobserved entities by collecting data from a database of social networking data.
14. The apparatus of claim 9, wherein the processor is configured to collect data from the database arrangement for unobserved entities by collecting data from a WHOIS database.
16. The apparatus of claim 9, wherein the processor is configured to apply network policies to the packets by blocking network packets sent by the malicious entity.
17. A tangible, non-transitory computer readable medium encoded with instructions, wherein the instructions, when executed by a processor, cause the processor to: collect data from a database arrangement about behavior of observed entities operating in a network, wherein the collected data includes one or more features associated with the observed entities; generate a probabilistic model that correlates the one or more features with malicious and/or benign behavior of the observed entities; collect data from the database arrangement for unobserved entities that have at least one common feature with at least one of the observed entities; determine that one of the unobserved entities is a malicious entity based on the at least one common feature and the probabilistic model; and apply, via a network interface, network policies to packets sent from the malicious entity.
18. The computer readable media of claim 17, further comprising instructions that cause the processor to determine a numerical value indicating a level of confidence that the one of the unobserved entities is malicious.
19. The computer readable media of claim 18, further comprising instructions that cause the processor to determine a numerical threshold for the probabilistic model such that a deviation of the numerical value from the numerical threshold is indicative that the one of the unobserved entities is malicious.
20. The computer readable media of claim 19, further comprising instructions that cause the processor to determine an acceptable false positive rate at which the probabilistic model will falsely identify benign entities as malicious entities, and set the numerical threshold to a value to achieve the acceptable false positive rate.
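The abstract and claims 1 through 8 describe one procedure: learn how features of observed entities correlate with malicious or benign behavior, score unobserved entities that share at least one of those features, set the decision threshold from an acceptable false positive rate, and turn the decision into a packet policy. The following Python is an added example of that procedure and is not code from the patent or its assignee. The patent says only "probabilistic model"; the naive-Bayes-style log-likelihood-ratio model with add-one smoothing is this example's choice. All entity names, the feature namespaces (`registrar:`, `asn:`, `ns:` standing in for WHOIS-derived attributes) and the labels are constructed sample data.

```python
"""Feature-based scoring of unobserved network entities (added example).

Model, feature namespaces and all sample data below are constructed
assumptions; the patent itself specifies only a 'probabilistic model'.
"""
import math
from collections import Counter

# Constructed training data: observed entities with known behavior.
OBSERVED = [
    ("malicious", {"registrar:R-Cheap", "asn:AS64501", "ns:ns1.bulk-dns.test"}),
    ("malicious", {"registrar:R-Cheap", "asn:AS64501", "ns:ns2.bulk-dns.test"}),
    ("malicious", {"registrar:R-Cheap", "asn:AS64502", "ns:ns1.bulk-dns.test"}),
    ("benign",    {"registrar:R-Corp",  "asn:AS64510", "ns:ns1.corp-dns.test"}),
    ("benign",    {"registrar:R-Corp",  "asn:AS64511", "ns:ns1.corp-dns.test"}),
    ("benign",    {"registrar:R-Cheap", "asn:AS64510", "ns:ns1.corp-dns.test"}),
    ("benign",    {"registrar:R-Corp",  "asn:AS64501", "ns:ns2.corp-dns.test"}),
]

# Constructed unobserved entities: no behavior history of their own.
UNOBSERVED = {
    "host-u1": {"registrar:R-Cheap", "asn:AS64501", "ns:ns3.bulk-dns.test"},
    "host-u2": {"registrar:R-Corp",  "asn:AS64520", "ns:ns1.corp-dns.test"},
    "host-u3": {"registrar:R-Other", "asn:AS64530", "ns:ns9.other.test"},
}


class FeatureModel:
    """Naive-Bayes style model: every feature seen in training carries a
    log-likelihood ratio (malicious vs. benign), smoothed so an unseen
    class/feature pair never yields an infinite score. Features that never
    appeared in training contribute nothing."""

    def __init__(self, observed):
        mal = [f for label, f in observed if label == "malicious"]
        ben = [f for label, f in observed if label == "benign"]
        self.n_mal, self.n_ben = len(mal), len(ben)
        mal_count = Counter(f for feats in mal for f in feats)
        ben_count = Counter(f for feats in ben for f in feats)
        self.vocab = set(mal_count) | set(ben_count)
        # Add-one smoothing on per-class feature presence.
        self.llr = {
            f: math.log((mal_count[f] + 1) / (self.n_mal + 2))
            - math.log((ben_count[f] + 1) / (self.n_ben + 2))
            for f in self.vocab
        }
        self.prior = math.log(self.n_mal / self.n_ben)  # log prior odds
        self.threshold = None  # log-odds, set by calibrate()

    def shares_feature(self, features):
        """Claim 1 precondition: at least one feature in common."""
        return bool(self.vocab & set(features))

    def log_odds(self, features):
        return self.prior + sum(self.llr[f] for f in features if f in self.llr)

    def confidence(self, features):
        """Probability-scale confidence that the entity is malicious (claim 2)."""
        return 1.0 / (1.0 + math.exp(-self.log_odds(features)))

    def calibrate(self, observed, acceptable_fpr):
        """Set the threshold so that at most acceptable_fpr of the benign
        training entities score above it (claims 3 and 4)."""
        benign_scores = sorted(
            (self.log_odds(f) for label, f in observed if label == "benign"),
            reverse=True)
        allowed = int(acceptable_fpr * len(benign_scores))  # tolerated FPs
        if allowed >= len(benign_scores):
            self.threshold = -math.inf
        else:
            # Decisions use a strict '>' so exactly `allowed` benign scores
            # (fewer, if tied) land above the threshold.
            self.threshold = benign_scores[allowed]
        return self.threshold

    def training_fpr(self, observed):
        benign = [f for label, f in observed if label == "benign"]
        flagged = sum(1 for f in benign if self.log_odds(f) > self.threshold)
        return flagged / len(benign)


def decide_policies(model, unobserved):
    """Map each unobserved entity to a packet policy (claim 8). Entities
    with no common feature are not scored at all."""
    policies = {}
    for name, feats in unobserved.items():
        if not model.shares_feature(feats):
            policies[name] = "unscored"
        elif model.log_odds(feats) > model.threshold:
            policies[name] = "block"
        else:
            policies[name] = "allow"
    return policies


def run(acceptable_fpr=0.25):
    model = FeatureModel(OBSERVED)
    model.calibrate(OBSERVED, acceptable_fpr)
    return model, decide_policies(model, UNOBSERVED)


if __name__ == "__main__":
    model, policies = run()
    print(f"threshold (log-odds) = {model.threshold:.3f}, "
          f"training FPR = {model.training_fpr(OBSERVED):.2f}")
    for name, feats in UNOBSERVED.items():
        print(f"{name}: confidence={model.confidence(feats):.3f} -> {policies[name]}")
```

Two points worth noting. The threshold is derived from the benign training distribution, so lowering the acceptable false positive rate moves it up and trades recall for precision; `run(0.0)` flags no benign training entity while still blocking `host-u1`. And an entity with no feature in common with any observed entity (`host-u3`) is deliberately left unscored rather than forced through the model, which is what the "at least one common feature" condition in claim 1 requires.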
Business processes related to social networking or social networking services · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Physics · mapped topic