Systems and Methods for Scheduling Analysis of Network Content for Malware
US-2015180886-A1 · Jun 25, 2015 · US
US9825976B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9825976-B1 |
| Application number | US-201514871830-A |
| Country | US |
| Kind code | B1 |
| Filing date | Sep 30, 2015 |
| Priority date | Sep 30, 2015 |
| Publication date | Nov 21, 2017 |
| Grant date | Nov 21, 2017 |
Official abstract text for this publication.
A non-transitory computer readable storage medium having stored thereon instructions executable by a processor to perform operations including: responsive to determining that a correlation between a representation of a first portion of received network traffic and a representation of a known exploit kit results in a score above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation of the known exploit kit; and responsive to determining that the score is below the first prescribed score value and above a second prescribed score value, (i) analyzing the representation of the first portion of the received network traffic, and (ii) processing, within a virtual machine, a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.
Opening claim text (preview).
What is claimed is:

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including: responsive to determining that a correlation between a representation of the first portion of received network traffic and a representation of a known exploit kit results in a level of similarity above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation of the known exploit kit; and responsive to determining that the level of similarity resulting from the correlation between the representation of the first portion of the received network traffic and the representation of the known exploit kit is below the first prescribed score value and above a second prescribed score value, (i) analyzing, by an expert system logic executed by the one or more processors, the representation of the first portion of the received network traffic, and (ii) processing, within a virtual machine, at least a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.
2. The computer readable storage medium of claim 1 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: correlating, by a correlation logic executed by the one or more processors, the representation of the first portion of the received network traffic with the representation of the known exploit kit.
3. The computer readable storage medium of claim 2 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: prior to the correlating, removing one or more hardcoded parameters from the representation of the first portion of the received network traffic, wherein the representation of the first portion of the received network traffic is an Abstract Syntax Tree (AST).
4. The computer readable storage medium of claim 1 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: generating a score representing a level of confidence that processing the representation of the first portion of received network traffic results in malicious, anomalous or unwanted behavior.
5. The computer readable storage medium of claim 4 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: responsive to determining the score is above a third threshold, configuring the virtual machine in accordance with a context of the score.
6. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the representation of the first portion of received network traffic.
7. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes an analysis for a presence of one or more of a shell code pattern, a No-Operation (NOOP) sled or a function call known to be vulnerable.
8. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes an n-gram analysis on a name of a file that is included in the received network traffic.
9. The computer readable storage medium of claim 1, wherein the first portion of the received network traffic includes less than an entirety of a representation of the received network traffic.
10. The computer readable storage medium of claim 1, wherein processing in the virtual machine includes performance of one or more simulated human interactions.
11. An apparatus for exploit kit detection and classification, the apparatus comprising: one or more processors; a storage device communicatively coupled to the one or more processors; a correlation logic for (i) correlating an abstract syntax tree (AST) representation of network traffic to one or more ASTs representing known exploit kits and (ii) determining whether a level of similarity exists (a) above a first threshold or (b) below the first threshold and above a second threshold; an AST analysis logic for applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic when the level of similarity is below the first threshold and above the second threshold; a dynamic analysis logic including one or more virtual machines for processing the AST representation of the network traffic, and a score determination logic for determining a score indicating a likelihood of the network including an exploit kit, wherein the score is based on one or more of the analysis of the AST analysis logic or the processing of the AST representation of the network traffic in the one or more virtual machines.
12. The apparatus of claim 11 further comprising: an AST generating and filtering logic for extracting JavaScript from the received network traffic, generating the AST representation of the network traffic from the extracted JavaScript and filtering the AST representation of the network traffic.
13. The apparatus of claim 12, wherein the filtering includes removing one or more hardcoded parameters from the AST representation of the network traffic.
14. The apparatus of claim 11 further comprising: a classification logic for classifying the AST representation of the network traffic into an exploit kit family when the level of similarity is above the first threshold.
15. The apparatus of claim 11, wherein responsive to determining the score is above a third threshold, configuring the virtual machine in accordance with a context of the score.
16. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the representation of the first portion of received network traffic.
17. A method for exploit kit detection comprising: correlating an abstract syntax tree (AST) representation of network traffic to an AST representation of a known exploit kit; responsive to determining a first level of similarity exists below a first threshold and above a second threshold, applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic; and processing the AST representation of the network traffic in a virtual machine to determine a likelihood that the network traffic includes an exploit kit, wherein the determination of the likelihood is based on results of one or more of (i) the application of at least one of the heuristic algorithm, the probabilistic algorithm or the machine learning algorithm, or (ii) the processing in the virtual machine.
18. The method of claim 17 further comprising: responsive to determining that a second level of similarity exists above a first threshold, classifying the AST representation of the network traffic into an exploit kit family corresponding to the AST representation of the known exploit kit.
19. The method of claim 17 further comprising: responsive to determining the application at least one of the heuristic algorithm, the probabilistic algorithm or the machine lea
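The two-threshold routing of claim 1, combined with the hardcoded-parameter filtering of claims 3 and 13, as an added worked example; this is not the patent's or any assignee's code. The tokenizer, the Jaccard trigram score standing in for the unspecified correlation measure, the family samples and the threshold values are all assumptions, and the expert-system and virtual-machine stages that follow a "deep_analysis" decision are outside the example.

```python
"""Two-threshold exploit-kit triage on normalized JS token shapes (added example)."""
import re

# Tokenizer for a small JavaScript-like subset: strings, numbers, names, punctuation.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\d+(?:\.\d+)?|[A-Za-z_$][\w$]*|[^\s\w]')
_KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "for",
             "while", "new", "this", "typeof", "true", "false", "null"}

def normalize(js):
    """Filter hardcoded parameters (claims 3 and 13): literals and identifier
    names become placeholders, so only the code's structural shape remains."""
    out = []
    for tok in _TOKEN.findall(js):
        if tok[0] in "\"'":
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok in _KEYWORDS or not re.match(r"[A-Za-z_$]", tok):
            out.append(tok)  # keywords and punctuation are structure, keep them
        else:
            out.append("ID")
    return out

def trigrams(tokens):
    return {tuple(tokens[i:i + 3]) for i in range(len(tokens) - 2)}

def similarity(a, b):
    """Jaccard overlap of structural trigrams, in [0, 1]; an assumed stand-in
    for the correlation score the claims leave unspecified."""
    ta, tb = trigrams(a), trigrams(b)
    return len(ta & tb) / len(ta | tb) if (ta or tb) else 0.0

# Constructed family samples: placeholders, not code from any real exploit kit.
KNOWN_KITS = {
    "FamilyA": 'var x = "abc"; var y = decode(x); run(y, 1);',
    "FamilyB": "function f(e) { return e * 2; }",
}

def triage(js, known=KNOWN_KITS, high=0.9, low=0.4):
    """Route as in claim 1: above `high` -> classify into the family; between
    `low` and `high` -> expert-system analysis plus VM processing; else pass.
    Returns (decision, best_family, score); thresholds are assumed values."""
    shape = normalize(js)
    scored = [(k, similarity(shape, normalize(v))) for k, v in known.items()]
    family, best = max(scored, key=lambda kv: kv[1])
    if best > high:
        return ("classify", family, best)
    if best > low:
        return ("deep_analysis", family, best)
    return ("pass", None, best)
```

A sample with the same structure as FamilyA but different literals and names scores 1.0 and is classified outright; a sample sharing only the first half of that structure lands between the thresholds and is routed to the deeper analysis.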
CPC classification titles:
- Event detection, e.g. attack signature detection
- Traffic logging, e.g. anomaly detection
- involving event detection and direct action

Mapped topic: Physics