Domain classification

1 . A method for domain classification, the method comprising: sorting, by a processor, a set of sample domains into leaves based on syntactical features of the domains, wherein each sample domain belongs to a family of domains; identifying, for each leaf, a regular expression for each family with at least one domain in the leaf; determining, for each leaf, at least one lobe with a set of domains in the leaf that matches the regular expression for a first family with at least one domain in the leaf, and that does not match the regular expression for the other families with at least one domain in the leaf; and creating, by the processor, a classifier for the domains in each lobe by using the set of domains from each family in the lobe as training classes for machine learning. 2 . The method of claim 1 wherein the syntactical features are defined by a 4-tuple of a top level domain, a length of a first private domain, a length of a prefix and a total number of levels below the top level domain. 3 . The method of claim 1 wherein the regular expression codify domains within a leaf that are from a particular family 4 . The method of claim 1 further comprising: receiving, by the processor, an unclassified domain; determining, by the processor, the leaf that matches the unclassified domain; determining, by the processor, the lobe that matches the unclassified domain; and applying, by the processor, the classifier for the determined lobe to the unclassified domain. 5 . The method of claim 1 further comprising: calculating, by the processor, a probability that an unclassified domain belongs to a family of domains. 6 . The method of claim 1 wherein at least one family is designated as one of a malicious family or a benign family. 7 . The method of claim 1 wherein at least one domain is classified as being benign. 8 . The method of claim 1 further comprising: determining a union and an intersection of the regular expressions. 9 . The method of claim 1 wherein at least one domain is classified as having been generated by a known domain generation algorithm. 10 . A system for domain classification comprising: a value determiner to determine a value for each domain in a set of sample domains based on syntactical features of the domains; a leaf creator to create at least one leaf of domains, wherein each domain in the leaf has a same value; a regex identifier to identify, for each leaf, a regular expression for each family containing at least one domain in the leaf; a lobe determiner to determine, for each leaf, at least one lobe of possible combinations of the regular expressions and a complement of regular expressions for families compatible with at least one domain in the leaf; and a classifier creator to create a classifier for the domains in each set in each lobe by using the set of domains from each family in the lobe as training classes for machine learning. 11 . The system of claim 10 wherein each family has a set of possible values and each leaf consists of domains with values are possible for the families in the leaf. 12 . The system of claim 10 wherein the syntactical features are defined by a 4-tuple of a top level domain, a length of a first private domain, a length of a prefix and a total number of levels below the top level domain. 13 . A non-transitory machine-readable storage medium comprising instructions executable by a processor of a computing device for application launch state determination, the machine-readable storage medium comprising instructions to: sort a set of domains into leaves based on syntactical features of the domains; identify each family of domains in each leaf, wherein at least one family defines a set of domain generating algorithms; identify a regular expression for each family; determine, for each leaf, a lobe of possible combinations of the regular expressions and a complement of the regular expressions for families compatible with at least one domain in the leaf; and create a classifier for the domains in each lobe by using the set of domains from each family in the lobe as training classes for machine learning. 14 . The non-transitory machine-readable storage medium of claim 12 , wherein the syntactical features are defined by a 4-tuple of a top level domain, a length of a first private domain, a length of a prefix and a total number of levels below the top level domain. 15 . The non-transitory machine-readable storage medium of claim 12 further comprising instructions to: receive a test domain; determine the lobe that matches the test domain; and apply the classifier for the determined lobe to the test domain.