Classifying locator generation kits

1 . A method for classifying malicious locators accessible through a network, the method comprising: receiving, through an interface to a non-transitory computer-readable medium, at least one locator that comprises the location of a malicious network-accessible resource; extracting at least one feature associated with the at least one locator; assigning membership probabilities to the at least one locator based on the extracted at least one feature, wherein the membership probabilities each represent a probability the at least one locator belongs to a particular family of kits; and labeling the at least one locator as being generated by a kit with which the locator has the highest membership probability. 2 . The method of claim 1 , wherein the at least one locator is a uniform resource locator (URL). 3 . The method of claim 1 , wherein labeling the at least one locator as being generated by the kit includes labeling the at least one locator as being generated by a specific URL-generation kit. 4 . The method of claim 1 , further comprising: accessing a plurality of training locators that each comprise the location of a malicious network-accessible resource; extracting at least one feature associated with each of the plurality of training locators; labeling each of the plurality of training locators as being generated by a specific source based on the extracted features; providing the extracted features and the source label for each of the plurality of locators to a classification module to train the classification module. 5 . The method of claim 4 , wherein the label assigned to each of the plurality of training locators is based on a highest membership probability for each of the plurality of training locators. 6 . The method of claim 1 , wherein the at least one feature includes one or more of locator string length, character frequency distribution, domain levels, number of directories, number of words, number of words from a predetermined list of words, number of vowels, and number of consonants in the locator. 7 . The method of claim 1 , further comprising producing weights for each of the at least one feature to assist in determining the kit that generated the at least one locator. 8 . The method of claim 1 , further comprising issuing a message indicating the kit that was labeled as generating the at least one locator. 9 . The method of claim 1 , further comprising classifying the at least one locator as malicious or non-malicious. 10 . A system for classifying malicious locators accessible through a network, the system comprising: an interface to a non-transitory computer-readable medium configured to access at least one locator that comprises the location of a malicious network-accessible resource; a network interface; and a processor in communication with the medium interface and the network interface, the processor configured to: extract at least one feature associated with the at least one locator; assign membership probabilities to the at least one locator based on the extracted at least one feature, wherein the membership probabilities each represent a probability the at least one locator belongs to a particular family of kits; and label the at least one locator as being generated by a kit with which the locator has the highest membership probability. 11 . The system of claim 10 , wherein the at least one locator is a uniform resource locator (URL). 12 . The system of claim 10 , wherein the processor is configured to label the at least one locator as being generated by a specific URL-generation kit. 13 . The system of claim 10 , wherein the processor is configured to: access a plurality of training locators that each comprise the location of a malicious network-accessible resource; extract at least one feature associated with each of the plurality of training locators; label each of the plurality of training locators as being generated by a specific source based on the extracted features; provide the extracted features and the source label for each of the plurality of locators to a classification module to train the classification module. 14 . The system of claim 13 , wherein the label assigned to each of the plurality of training locators is based on a highest membership probability for each of the plurality of locators. 15 . The system of claim 10 , wherein the at least one feature includes one or more of locator string length, character frequency distribution, domain levels, number of directories, number of words, number of words from a predetermined list of words, number of vowels, and number of consonants in the locator. 16 . The system of claim 10 , wherein the processor is configured to produce weights for each of the at least one feature to assist in determining the kit that generated the at least one locator. 17 . The system of claim 10 , wherein the processor is configured to issue a message indicating the kit that was labeled as generating the at least one locator. 18 . The system of claim 10 , wherein the processor is configured to classify the at least one locator as malicious or non-malicious. 19 . The system of claim 13 , wherein the processor is configured to assign weights to each of the extracted at least one feature associated with each of the plurality of training locators. 20 . A non-transitory computer readable medium containing computer-executable instructions for performing a method for classifying malicious locators accessible through a network, the medium comprising: computer-executable instructions for receiving, through an interface to a non-transitory computer-readable medium, at least one locator that comprises the location of a malicious network-accessible resource; computer-executable instructions for extracting at least one feature associated with the at least one locator; computer-executable instructions for assigning membership probabilities to the at least one locator based on the extracted at least one feature, wherein the membership probabilities each represent a probability the at least one locator belongs to a particular family of kits; and computer-executable instructions for labeling the at least one locator as being generated by a kit with which the locator has the highest membership probability.