Patents by Inventor Dmitri Alperovitch

Dmitri Alperovitch has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20150326614
    Abstract: Techniques for social sharing security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group.
    Type: Application
    Filed: July 6, 2015
    Publication date: November 12, 2015
    Inventors: Dmitri Alperovitch, George Robert Kurtz, David Frederick Diehl, Sven Krasser, Adam S. Meyers
  • Patent number: 9122877
    Abstract: A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.
    Type: Grant
    Filed: March 21, 2011
    Date of Patent: September 1, 2015
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Sven Krasser
  • Publication number: 20150244679
    Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
    Type: Application
    Filed: May 12, 2015
    Publication date: August 27, 2015
    Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
  • Patent number: 9106680
    Abstract: A method is provided in one example embodiment that includes generating a fingerprint based on properties extracted from data packets received over a network connection and requesting a reputation value based on the fingerprint. A policy action may be taken on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. The method may additionally include displaying information about protocols based on protocol fingerprints, and more particularly, based on fingerprints of unrecognized protocols. In yet other embodiments, the reputation value may also be based on network addresses associated with the network connection.
    Type: Grant
    Filed: June 27, 2011
    Date of Patent: August 11, 2015
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Zheng Bu, David Frederick Diehl, Sven Krasser
  • Patent number: 9043903
    Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
    Type: Grant
    Filed: June 8, 2012
    Date of Patent: May 26, 2015
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
  • Patent number: 9009321
    Abstract: Methods and systems for assigning reputation to communications entities include collecting communications data from distributed agents, aggregating the communications data, analyzing the communications data and identifying relationships between communications entities based upon the communications data.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: April 14, 2015
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Tomo Foote-Lennox, Jeremy Gould, Paula Greve, Alejandro Manuel Hernandez, Paul Judge, Sven Krasser, Tim Lange, Phyllis Adele Schneck, Martin Stecher, Yuchun Tang, Aarjav Jyotindra Neeta Trivedi, Lamar Lorenzo Willis, Weilai Yang, Jonathan Alexander Zdziarski
  • Publication number: 20150040218
    Abstract: Methods and systems for operation upon one or more data processors for detecting image spam by detecting an image and analyzing the content of the image to determine whether the incoming communication comprises an unwanted communication.
    Type: Application
    Filed: June 16, 2014
    Publication date: February 5, 2015
    Inventors: Dmitri Alperovitch, Nick Black, Jeremy Gould, Paul Judge, Sven Krasser, Phyllis Adele Schneck, Yuchun Tang, Aarjav Jyotindra Neeta Trivedi, Lamar Lorenzo Willis, Weilai Yang, Jonathan Alexander Zdziarski
  • Publication number: 20140366144
    Abstract: Methods and systems for assigning reputation to communications entities include collecting communications data from distributed agents, aggregating the communications data, analyzing the communications data and identifying relationships between communications entities based upon the communications data.
    Type: Application
    Filed: June 16, 2014
    Publication date: December 11, 2014
    Inventors: Dmitri Alperovitch, Tomo Foote-Lennox, Jeremy Gould, Paula Greve, Alejandro Manuel Hernandez, Paul Judge, Sven Krasser, Tim Lange, Phyllis Adele Schneck, Martin Stecher, Yuchun Tang, Aarjav Jyotindra Neeta Trivedi, Lamar Lorenzo Willis, Weilai Yang, Jonathan Alexander Zdziarski
  • Publication number: 20140250524
    Abstract: Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
    Type: Application
    Filed: March 4, 2013
    Publication date: September 4, 2014
    Applicant: CROWDSTRIKE, INC.
    Inventors: Adam S. Meyers, Dmitri Alperovitch, George Robert Kurtz, David F. Diehl, Sven Krasser
  • Patent number: 8775619
    Abstract: A distributed proxy server system is operable to receive a request for Internet data from a user, obtain the user's identity, store at least one cookie on the user's web browser identifying the user, and filter undesired content before forwarding requested Internet data to the user. A master cookie is associated with the proxy server including user identity information, and an injected domain cookie is associated with the domain of the requested Internet data including user identity information.
    Type: Grant
    Filed: January 10, 2011
    Date of Patent: July 8, 2014
    Assignee: McAfee, Inc.
    Inventors: Sven Krasser, Dmitri Alperovitch, Martin Stecher, Peter Borgolte
  • Patent number: 8763114
    Abstract: Methods and systems for operation upon one or more data processors for detecting image spam by detecting an image and analyzing the content of the image to determine whether the incoming communication comprises an unwanted communication.
    Type: Grant
    Filed: January 24, 2007
    Date of Patent: June 24, 2014
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Nick Black, Jeremy Gould, Paul Judge, Sven Krasser, Phyllis Adele Schneck, Yuchun Tang, Aarjav Jyotindra Neeta Trivedi, Lamar Lorenzo Willis, Weilai Yang, Jonathan Alexander Zdziarski
  • Patent number: 8762537
    Abstract: Methods and systems for assigning reputation to communications entities include collecting communications data from distributed agents, aggregating the communications data, analyzing the communications data and identifying relationships between communications entities based upon the communications data.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: June 24, 2014
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Tomo Foote-Lennox, Jeremy Gould, Paula Greve, Alejandro Manuel Hernandez, Paul Judge, Sven Krasser, Tim Lange, Phyllis Adele Schneck, Martin Stecher, Yuchun Tang, Aarjav Jyotindra Neeta Trivedi, Lamar Lorenzo Willis, Weilai Yang, Jonathan Alexander Zdziarski
  • Patent number: 8719352
    Abstract: A system derives a reputation for a plurality of network addresses, the reputation of each network address determined by analyzing a plurality of high-level email features related to one or more emails originating from the network address. The plurality of high-level email features include domain registration analysis, hashed term frequency indexing, persistent communication, address age, correlation analysis, zombie detection, and hash vault matching.
    Type: Grant
    Filed: January 29, 2010
    Date of Patent: May 6, 2014
    Assignee: McAfee, Inc.
    Inventors: Sven Krasser, Dmitri Alperovitch, Yuchun Tang, Yuanchen He, Jonathan Zdziarski, Mark Gilbert
  • Publication number: 20140109226
    Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
    Type: Application
    Filed: December 24, 2013
    Publication date: April 17, 2014
    Applicant: CrowdStrike, Inc.
    Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
  • Patent number: 8635690
    Abstract: Methods and systems for processing electronic communications based upon reputation. Reputation of an entity associated with the electronic communication can be generated. The communication can be placed in a queue based upon the reputation. The queued communication can be processed based upon updated information about the entity.
    Type: Grant
    Filed: January 25, 2008
    Date of Patent: January 21, 2014
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Sven Krasser
  • Publication number: 20140007190
    Abstract: Techniques for social sharing security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group.
    Type: Application
    Filed: June 29, 2012
    Publication date: January 2, 2014
    Applicant: CROWDSTRIKE, INC.
    Inventors: Dmitri Alperovitch, George Robert Kurtz, David F. Diehl, Sven Krasser, Adam S. Meyers
  • Patent number: 8621559
    Abstract: Methods and systems for managing data communications are described. The method includes receiving a data communication; analyzing the data communication to determine a particular type of sender or recipient activity associated with the data communication based at least in part on an application of a plurality of tests to the data communication; assigning a total risk level to the data communication based at least in part on one or more risks associated with the particular type of sender or recipient activity and a tolerance for each of the one or more risks; comparing the total risk level assigned to the data communication with a maximum total acceptable level of risk; and allowing the data communication to be delivered to a recipient in response to the comparison indicating that the total risk level assigned to the data communication does not exceed the maximum total acceptable level of risk.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: December 31, 2013
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Paula Greve, Sven Krasser, Tomo Foote-Lennox
  • Patent number: 8621638
    Abstract: Methods and systems for operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication based upon a plurality of criteria are analyzed, and a reputation score associated with the messaging entity is biased based upon the analysis of the identified plurality of biasing characteristics related to the messaging entity associated with the communication.
    Type: Grant
    Filed: May 16, 2011
    Date of Patent: December 31, 2013
    Assignee: McAfee, Inc.
    Inventors: Paul Judge, Matt Moyer, Guru Rajan, Dmitri Alperovitch
  • Publication number: 20130333040
    Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
    Type: Application
    Filed: June 8, 2012
    Publication date: December 12, 2013
    Applicant: CROWDSTRIKE, INC.
    Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
  • Patent number: 8606910
    Abstract: Methods, systems and apparatus, including computer programs encoded on a computer storage medium, for receiving, at a global server system, from each of a plurality of local network devices, network data specifying network communication activity at the local network device, wherein the plurality of local network devices collectively provide backbone communications facilities for multiple networks; aggregating, at the global server system, the network data from each of the local network devices; analyzing, at the global server system, the aggregated network data to identify network activities; generating, at the global server system, update data based on the analysis of the aggregated network data, the update data including instructions for the local network devices for processing network communications to or from the local network devices; and transmitting from the global server system the update data to the local network devices.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: December 10, 2013
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Sven Krasser, Phyllis Adele Schneck, Jonathan Torrez