Network infrastructure detection
US-11770388-B1 · Sep 26, 2023 · US
US2023147714A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2023147714-A1 |
| Application number | US-202117541923-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 3, 2021 |
| Priority date | Nov 5, 2021 |
| Publication date | May 11, 2023 |
| Grant date | — |
Official abstract text for this publication.
Described embodiments provide systems and methods for generating a network space to perform mitigation actions on a plurality of users. At least one server may determine a plurality of users of one or more levels of riskiness in a network environment, and network locations of the users. Using a plurality of clustering features, the at least one server may generate a network space comprising a cluster of network locations corresponding to a subset of the users of at least a defined level of riskiness. The at least one server may perform a mitigation action on the subset of users corresponding to the generated network space.
Opening claim text (preview).
We claim:

1. A method comprising: determining, by at least one server, a plurality of users of one or more levels of riskiness in a network environment, and network locations of the users; generating, by the at least one server using a plurality of clustering features, a network space comprising a cluster of network locations corresponding to a subset of the users of at least a defined level of riskiness; and performing, by the at least one server, a mitigation action on the subset of users corresponding to the generated network space.
2. The method of claim 1, comprising limiting, by the at least one server, a size of a contiguous address space that forms the network space.
3. The method of claim 1, comprising generating, by the at least one server, a plurality of network spaces corresponding to subsets of users of different levels of riskiness.
4. The method of claim 1, wherein the plurality of clustering features includes at least one of: analytics data, external threat data, user activity data, network metadata, risk scores of the users, or network performance data.
5. The method of claim 4, wherein the network metadata includes information of at least one of: a private network, a public network, an internet service provider, reputation or location, associated with at least one of the users.
6. The method of claim 5, wherein the information of the location includes at least one of: a country, a city, a region, a longitude, a latitude, a geographic indicator, a network address, a subnet identifier, or an internet protocol address.
7. The method of claim 1, wherein performing the mitigation action comprises at least one of: analyzing a threat associated with the subset of users, applying at least one policy to the subset of users, performing an audit on the subset of users, logging off subset of users, or recording sessions of subset of users.
8. The method of claim 1, comprising correlating, by the at least one server, information from at least some of the plurality of clustering features.
9. The method of claim 1, wherein when at least some of the users are in public network space, the plurality of clustering features includes information on geographic location.
10. A system comprising: at least one processor configured to: determine a plurality of users of one or more levels of riskiness in a network environment, and network locations of the users; generate, using a plurality of clustering features, a network space comprising a cluster of network locations corresponding to a subset of the users of at least a defined level of riskiness; and perform a mitigation action on the subset of users corresponding to the generated network space.
11. The system of claim 10, wherein the at least one processor is configured to limit a size of a contiguous address space that forms the network space.
12. The system of claim 10, wherein the at least one processor is configured to generate a plurality of network spaces corresponding to subsets of users of different levels of riskiness.
13. The system of claim 10, wherein the plurality of clustering features includes at least one of: analytics data, external threat data, user activity data, network metadata, risk scores of the users, or network performance data.
14. The system of claim 13, wherein the network metadata includes information on at least one of: a private network, a public network, an internet service provider, reputation or location, associated with at least one of the users.
15. The system of claim 14, wherein the information of the location includes at least one of: a country, a city, a region, a longitude, a latitude, a geographic indicator, a network address, a subnet identifier, or an internet protocol address.
16. The system of claim 1, wherein the mitigation action includes at least one of: analyzing a threat associated with the subset of users, applying at least one policy to the subset of users, performing an audit on the subset of users, logging off subset of users, or recording sessions of subset of users.
17. The system of claim 1, wherein the at least one processor is configured to correlate information from at least some of the plurality of clustering features.
18. The system of claim 1, wherein when at least some of the users are in public network space, the plurality of clustering features includes information on geographic location.
19. A non-transitory computer readable medium storing program instructions for causing at least one processor to: determine a plurality of users of one or more levels of riskiness in a network environment, and network locations of the users; generate, using a plurality of clustering features, a network space comprising a cluster of network locations corresponding to a subset of the users of at least a defined level of riskiness; and perform a mitigation action on the subset of users corresponding to the generated network space.
20. The non-transitory computer readable medium of claim 19, wherein the plurality of clustering features includes at least one of: analytics data, external threat data, user activity data, network metadata, risk scores of the users, or network performance data.
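One way to read claims 1, 2 and 7 in code, as an added example that is not taken from the patent or its applicant: high-risk users' IPv4 addresses are grouped into network spaces no wider than a fixed prefix, and each user in a space is mapped to a mitigation action. The patent does not specify a clustering algorithm; the prefix bucketing, the 0-100 risk score, the `/24` size limit, the function names and the sample data are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (user, source IP, risk score 0-100); not from the patent.
SAMPLE_USERS = [
    ("alice", "203.0.113.10", 85), ("bob", "203.0.113.77", 90),
    ("carol", "203.0.113.200", 20), ("dave", "198.51.100.5", 95),
    ("erin", "198.51.100.130", 40), ("frank", "192.0.2.9", 88),
    ("grace", "192.0.2.14", 75), ("heidi", "192.0.2.200", 10),
]

def build_network_spaces(users, risk_threshold=70, widest_prefix=24, min_members=2):
    """Cluster addresses of users at or above risk_threshold into network
    spaces, each no larger than a /widest_prefix block (the size limit)."""
    buckets = defaultdict(list)
    for name, ip, risk in users:
        if risk < risk_threshold:
            continue
        addr = ipaddress.IPv4Address(ip)
        # Bucket key: the enclosing block of the maximum allowed size.
        block = ipaddress.ip_network(f"{addr}/{widest_prefix}", strict=False)
        buckets[block].append((name, int(addr)))

    spaces = {}
    for members in buckets.values():
        if len(members) < min_members:
            continue  # a lone risky address is not treated as a cluster here
        lo = min(a for _, a in members)
        hi = max(a for _, a in members)
        # Tightest covering prefix: drop the low bits on which lo and hi differ.
        prefixlen = 32 - (lo ^ hi).bit_length()
        space = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(lo)}/{prefixlen}", strict=False)
        spaces[str(space)] = sorted(n for n, _ in members)
    return spaces

def plan_mitigation(spaces, action="record_session"):
    """Map every user in a generated network space to one mitigation action."""
    return {user: action for members in spaces.values() for user in members}

if __name__ == "__main__":
    spaces = build_network_spaces(SAMPLE_USERS)
    print(spaces)
    print(plan_mitigation(spaces))
```

Calling `build_network_spaces` again with a different `risk_threshold` yields a second set of spaces for another risk level, in the sense of claim 3.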
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title
involving event detection and direct action · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title