US Patent 11689548 Domain clustering for malicious campaign identification

A method for identification of malicious domains is provided. The method extracts a set of domain information from one or more input streams. The set of domain information includes a set of domains and a set of domain characteristics describing each domain. The method clusters the set of domains to generate a set of campaign clusters of related domains. The clusters are based on the set of domain characteristics. The method modifies the set of campaign clusters with a set of threat intelligence ratings to generate a set of enriched campaign clusters. A portion of the set of threat intelligence ratings correspond to one or more domains within the set of campaign clusters. The method determines a cluster designation for each campaign cluster of the set of enriched campaign clusters and distributes the cluster designations for each campaign cluster to one or more threat intelligence resource.