Abstract: A computer-implemented method for providing supply-chain trust networks may include (1) identifying a computational partnership between a primary computing entity and a partnered computing entity, wherein the primary computing entity and the partnered computing entity are under separate control and the partnered computing entity handles at least one computing resource to be used by the primary computing entity, (2) receiving, from a computing environment controlled by the partnered computing entity and with permission from the partnered computing entity, security data that comprises information about at least one security characteristic of the computing environment, (3) analyzing the security data to make a security determination about the computing environment controlled by the partnered computing entity, and (4) providing, in response to identifying the computational partnership, the security determination about the computing environment to the primary computing entity.

Abstract: A computer-implemented method for detecting malware may include (1) identifying a behavioral trace of a program, the behavioral trace including a sequence of runtime behaviors exhibited by the program, (2) dividing the behavioral trace to identify a plurality of n-grams within the behavioral trace, each runtime behavior within the sequence of runtime behaviors corresponding to an n-gram token, (3) analyzing the plurality of n-grams to generate a feature vector of the behavioral trace, and (4) classifying the program based at least in part on the feature vector of the behavioral trace to determine whether the program is malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for improving the classification accuracy of trustworthiness classifiers may include (1) identifying a set of training data that is available for training trustworthiness classifiers used to classify computing resources as clean or malicious, (2) selecting, based at least in part on a characteristic of a specific organization, a subset of training data from the set of training data that is available for training trustworthiness classifiers, (3) training a trustworthiness classifier for the specific organization using the subset of training data selected based at least in part on the characteristic of the specific organization, and then (4) applying the trustworthiness classifier to at least one computing resource encountered by the specific organization to classify the computing resource as clean or malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for handling fraudulent uses of brands may include (1) enabling a subscriber of a brand-protection service to select an action to perform when a fraudulent use of a brand is detected in Internet traffic that is transmitted via any of a plurality of Internet-traffic chokepoints that are managed by the brand-protection service, (2) monitoring, at each of the plurality of Internet-traffic chokepoints, Internet traffic for fraudulent uses of brands, (3) detecting, while monitoring the Internet traffic, the fraudulent use of the brand, and (4) performing the action in response to detecting the fraudulent use of the brand. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Computer-implemented methods and systems for creating or updating approved-file and trusted-domain databases and verifying the legitimacy of files are disclosed. A method for creating or updating an approved-file database may include intercepting a first file, identifying a source domain associated with the first file, identifying a trusted-domain database, determining whether a database record for the source domain associated with the first file exists within the trusted-domain database, creating a hash value for the first file if a database record for the source domain associated with the first file exists within the trusted-domain database, and storing the hash value for the first file in an approved-file database. Methods and systems for verifying the legitimacy of a file and for creating or updating a trusted-domain database are also disclosed.

Abstract: A computer-implemented method for assessing Internet addresses may include (1) identifying an Internet Protocol address, (2) identifying a plurality of files downloaded from the Internet Protocol address, (3) generating an aggregation of security assessments that relates to the Internet Protocol address and that may be based at least in part on a security assessment of each of the plurality of files, (4) determining a trustworthiness of the Internet Protocol address based at least in part on the aggregation of security assessments and (5) facilitating a security action based at least in part on the trustworthiness of the Internet Protocol address. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for handling fraudulent uses of brands may include (1) enabling a subscriber of a brand-protection service to select an action to perform when a fraudulent use of a brand is detected in Internet traffic that is transmitted via any of a plurality of Internet-traffic chokepoints that are managed by the brand-protection service, (2) monitoring, at each of the plurality of Internet-traffic chokepoints, Internet traffic for fraudulent uses of brands, (3) detecting, while monitoring the Internet traffic, the fraudulent use of the brand, and (4) performing the action in response to detecting the fraudulent use of the brand. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for assessing Internet addresses may include (1) identifying an Internet Protocol address, (2) identifying a plurality of files downloaded from the Internet Protocol address, (3) generating an aggregation of security assessments that relates to the Internet Protocol address and that may be based at least in part on a security assessment of each of the plurality of files, (4) determining a trustworthiness of the Internet Protocol address based at least in part on the aggregation of security assessments and (5) facilitating a security action based at least in part on the trustworthiness of the Internet Protocol address. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method to determine a reputation of at least one telephone number associated with an unclassified source. A first device is monitored for an incoming contact originating from at least one unclassified source. When an incoming contact is detected, at least one attribute of the incoming contact is computed at the first device. The at least one attribute of the incoming contact is transmitted to a second device. A representation of the telephone number associated with the at least one unclassified source of the incoming contact is transmitted to the second device. The reputation of the telephone number is computed at the second device using the at least one attribute.

Abstract: A computer-implemented method for detecting malicious files may include determining that a file on a client system may be subject to a security assessment, generating an initial fingerprint of the file, the generation of the initial fingerprint excluding at least part of the file, sending the initial fingerprint to a server and receiving a response from the server including an indication that the initial fingerprint matches at least one known malicious file but that the file from which the initial fingerprint was generated may not match the malicious file, generating an additional hash of the file on the client system based at least in part on the part of the file excluded in the generation of the initial fingerprint, sending the additional hash to the server, and receiving a response indicating that the file on the client system is malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Reputations of objects are determined by a reputation system using reports from clients identifying the objects. Confidence metrics for the clients are generated using information determined from the reports. Confidence metrics indicate the amounts of confidence in the veracity of the reports. Reputation scores of objects are calculated using the reports from the clients and the confidence metrics for the clients. Confidence metrics and reputation scores are stored in correlation with identifiers for the objects. An object's reputation score is provided to a client in response to a request.

Abstract: Reputations of objects are determined by a reputation system using reports from clients identifying the objects. Confidence metrics for the clients are generated using information determined from the reports. Confidence metrics indicate the amounts of confidence in the veracity of the reports. Reputation scores of objects are calculated using the reports from the clients and the confidence metrics for the clients. Confidence metrics and reputation scores are stored in correlation with identifiers for the objects. An object's reputation score is provided to a client in response to a request.

Abstract: A computer-implemented method for neutralizing file-format-specific exploits contained within electronic communications may include (1) identifying an electronic communication, (2) identifying at least one file contained within the electronic communication, and then (3) neutralizing any file-format-specific exploits contained within the file. In one example, neutralizing any file-format-specific exploits contained within the file may include applying at least one file-format-conversion operation to the file. Additionally or alternatively, neutralizing any file-format-specific exploits contained within the file may include constructing a sterile version of the file that selectively omits at least a portion of any exploitable content contained within the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.

Abstract: Trojanized apps for mobile environments are identified. Multiple apps for a specific mobile environment are obtained from one or more external sources. Code and digital signers are extracted from the apps and stored. For each given specific one of the obtained apps, the code of the specific app is compared to the code of other obtained apps, to determine whether the specific app 1) contains at least a predetermined threshold amount of code in common with one of the other apps, and 2) contains additional code not contained therein. If so, the digital signer of the specific app is compared to the digital signer of the other app. If it is also the case that the digital signer of the specific app is not the same as the digital signer of the other app, the specific app is identified as being trojanized.

Abstract: Methods, apparati, and computer-readable media for updating proxy executable code. An apparatus embodiment of the present invention comprises generic universal proxy executable code that can be instantiated multiple times, with each instance being driven by a different set of files comprising a protocol specification file and a proxy activity code file, to control protocol decomposition and proxy functions, respectively. In a method embodiment of the present invention, a protocol specification is created or updated; proxy activity code, separate from the protocol specification, is created or updated; and the proxy executable code is executed using the protocol specification and the proxy activity code.

Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.

Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.

Abstract: Trojanized apps for mobile environments are identified. Multiple apps for a specific mobile environment are obtained from one or more external sources. Code and digital signers are extracted from the apps and stored. For each given specific one of the obtained apps, the code of the specific app is compared to the code of other obtained apps, to determine whether the specific app 1) contains at least a predetermined threshold amount of code in common with one of the other apps, and 2) contains additional code not contained therein. If so, the digital signer of the specific app is compared to the digital signer of the other app. If it is also the case that the digital signer of the specific app is not the same as the digital signer of the other app, the specific app is identified as being trojanized.

Abstract: An incoming network traffic manager circumstantially blocks incoming network traffic (103) containing code (107). The incoming network traffic manager (101) monitors (201) incoming network traffic (103) addressed to a target computer (105). The network traffic manager (101) detects (203) incoming network traffic (103) containing code (107). The network manager (101) blocks (205) incoming traffic (103) containing code (107) from reaching the target computer (105), responsive to circumstances being such that it is undesirable to allow incoming traffic (103) containing code (107) to reach the target computer (105).