Ml based domain risk scoring and its applications to advanced url filtering

What is claimed is: 1 . A system, comprising: one or more processors configured to: identify a subset of higher risk websites based on using a classifier, wherein the higher risk websites are at risk for potential malware injection or modification; and in response to identifying the subset of higher risk websites, perform an active measure based at least in part on the identified subset of higher risk websites; and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions. 2 . The system of claim 1 , wherein the classifier is a machine learning model. 3 . The system of claim 2 , wherein the machine learning model comprises a random forest machine learning model. 4 . The system of claim 1 , wherein performing the active measure in response to determining that a candidate domain is comprised in the subset of higher risk websites comprises: applying a security policy based on a classification of the candidate domain as being a higher risk website. 5 . The system of claim 4 , wherein applying the security policy comprises: handling network traffic to/from the candidate domain based at least in part on (i) a classification that the candidate domain is a higher risk website, and (ii) the security policy. 6 . The system of claim 1 , wherein the active measure comprises storing a set of classifications for the subset of higher risk website in a domain classification database. 7 . The system of claim 6 , wherein the domain classification database is used to detect higher risk website and in response to detection of the higher risk website, enforcing a security policy for handling traffic to or from the higher risk website. 8 . The system of claim 6 , wherein the one or more processors are further configured to: obtain a candidate sample to be classified; infer a classification for the candidate sample based at least in part on querying the domain classification database; and perform an action based at least in part on the classification for the candidate sample. 9 . The system of claim 1 , wherein the subset of higher risk websites comprises one or more subdomains and one or more registered domains. 10 . The system of claim 1 , wherein the classifier is used to provide real-time analysis of a risk level for a candidate domain associated with a URL. 11 . The system of claim 10 , wherein the classifier used to provide real-time analysis is a lightweight inline machine learning model. 12 . The system of claim 11 , wherein the lightweight inline machine learning model is trained using a fewer number of features than an offline machine learning model that provides offline detection or classification of websites. 13 . The system of claim 1 , wherein the subset of higher risk websites are periodically crawled at a more frequent rate than websites classified as benign or low or medium risk. 14 . The system of claim 1 , wherein the one or more processors are further configured to: in response to classifying a candidate website as a higher risk website, causing the candidate website to be crawled; and causing the candidate website to be analyzed for malware based at least in part on results of crawling the candidate website. 15 . The system of claim 1 , wherein the classifier comprises a rentable domain classifier and a non-rentable domain classifier. 16 . The system of claim 15 , wherein the rentable domain classifier is used to classify a candidate website in response to determining that a corresponding domain is a rentable domain. 17 . The system of claim 15 , wherein the non-rentable domain classifier is used to classify a candidate website in response to determining that a corresponding domain is a non-rentable domain. 18 . The system of claim 15 , wherein the rentable domain classifier and the non-rentable domain classifiers comprise machine learning models that are trained using different sets of features. 19 . The system of claim 1 , wherein the classifier is configured to predict whether a candidate domain is likely to become malicious within a predetermined period of time. 20 . The system of claim 19 , wherein the classifier assigns a risk score based on a likelihood that the candidate domain will become malicious within the predetermined period of time. 21 . The system of claim 20 , wherein the risk score is based at least in part on a machine learning-based computation that incorporates information from multiple data sources. 22 . The system of claim 1 , wherein the classifier comprises one or more of (i) an inline rentable domain classifier, (ii) an offline rentable domain classifier, (iii) an inline non-rentable domain classifier, and (iv) an offline non-rentable domain classifier. 23 . The system of claim 1 , wherein the classifier is an offline classifier that performs classifications offline that is asynchronous to an interception of network traffic. 24 . The system of claim 1 , wherein the classifier is an inline classifier that generates classifications contemporaneous with an interception and handling of network traffic. 25 . The system of claim 24 , wherein the inline classifier generates the classifications in less than 100 ms. 26 . The system of claim 1 , wherein the one or more processors are further configured to: obtain a predicted classification for a candidate website from the classifier; perform a post-filtering to be performed with respect to the predicted classification to determine whether the predicted classification is a false positive classification; and determining a classification for the candidate website based at least in part on a result of post-filtering the predicted classification. 27 . A method, comprising: identifying a subset of higher risk websites, wherein the higher risk websites are at risk for potential malware injection or modification; and in response to identifying the subset of higher risk websites, performing an active measure based at least in part on the identified subset of higher risk websites. 28 . A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: identifying a subset of higher risk websites, wherein the higher risk websites are at risk for potential malware injection or modification; and in response to identifying the subset of higher risk websites, performing an active measure based at least in part on the identified subset of higher risk websites. 29 . A system, comprising: one or more processors configured to: collect a set of features for a set of training sample websites, the set of training sample websites comprising a subset of benign or low risk domains, and a subset of high risk domains; and perform a machine learning process to generate a domain classifier based at least in part on the set of features for the set of training sample websites; deploy the domain classifier in a system to perform detection of malicious domains; and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions. 30 . The system of claim 29 , wherein the set of features are generated based at least in part one or more of crawled website content, lexical data, registration historical risk scores, pDNS data, an