Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, that facilitate resource and space efficient analysis of large scale datasets. Methods include obtaining activity data for objects in a dataset. For each data item in the dataset, a hashed parameter having a binary representation is generated using an identifier for the object. A register is identified from among a set of registers based on the hashed parameter. A determination is made that the hashed parameter for the object contributes to an aggregation amount that specifies a number of occurrences of the object in the dataset. Based on this determination, an aggregation amount stored in the register is updated. Based on aggregation amounts stored in the set of registers, a reporting output is generated that provides an aggregate distribution of the objects in the dataset based on the activity data for the objects.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, that facilitate resource and space efficient analysis of large scale datasets. Methods include obtaining activity data for objects in a dataset. For each data item the dataset, a hashed parameter having a binary representation is generated using an identifier for the object. A register is identified from in a set of registers based on the hashed parameter. A determination is made that the hashed, parameter for the object contributes to an aggregation amount that specifies a number of occurrences of the object in the dataset Based on this determination, an aggregation amount stored in the register is updated. Based on aggregation amounts stored in the set of registers, a reporting output is generated that provides an aggregate distribution of the objects in the dataset based on the activity data for the objects.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for an object grouping system that obtains data for multiple sketches that are each stored using a set of registers and are a sampling of objects in a dataset. Each object in the dataset is a member of a digital audience. For each sketch, the system uses an identifier for a first object to generate a hashed parameter. The system determines whether the hashed parameter contributes to describing demographic attributes of the sampling of objects. The system stores demographic attributes of the first object at a register in the set when it determines that the hashed parameter contributes to describing the demographic attributes. The system generates an output that indicates a number of objects in the digital audience that were reached by content directed at the digital audience and demographic attributes for the number of objects.

Abstract: A computer-implemented method for managing network security may include identifying a set of trusted Internet domains, identifying traffic information that indicates Internet traffic volume for each trusted Internet domain in the set of trusted Internet domains, and analyzing the traffic information to select, from the set of trusted Internet domains, a subset of trusted Internet domains that each have higher Internet traffic volume than one or more other trusted Internet domains in the set of trusted Internet domains. The method may also include including the selected subset of trusted Internet domains in an Internet domain whitelist. The method may further include configuring a network gateway system to perform a less intensive scan on Internet traffic that originates from an Internet domain identified in the Internet domain whitelist than on traffic that originates from other Internet domains. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for assessing Internet addresses may include (1) identifying an Internet Protocol address, (2) identifying a plurality of files downloaded from the Internet Protocol address, (3) generating an aggregation of security assessments that relates to the Internet Protocol address and that may be based at least in part on a security assessment of each of the plurality of files, (4) determining a trustworthiness of the Internet Protocol address based at least in part on the aggregation of security assessments and (5) facilitating a security action based at least in part on the trustworthiness of the Internet Protocol address. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for trust propagation of signed files across devices may include identifying a signed file on a device, calculating, on the device, a hash based at least in part on the signed file, querying, with the hash, a server which has verified that the signed file is trustworthy based on a digital signature of the signed file having been verified by an additional device capable of verifying digital signatures, receiving on the device, in response to querying the server, a trust indicator indicating that the digital signature of the signed file has been verified and trusting the signed file on the device, based on the trust indicator indicating that the digital signature of the signed file has been verified. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for assessing Internet addresses may include (1) identifying an Internet Protocol address, (2) identifying a plurality of files downloaded from the Internet Protocol address, (3) generating an aggregation of security assessments that relates to the Internet Protocol address and that may be based at least in part on a security assessment of each of the plurality of files, (4) determining a trustworthiness of the Internet Protocol address based at least in part on the aggregation of security assessments and (5) facilitating a security action based at least in part on the trustworthiness of the Internet Protocol address. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A plurality of classifiers is identified. A set of test cases is selected based on time. The set of test cases are grouped into a plurality of datasets based on time where each of the plurality of datasets is associated with a corresponding interval of time. Each of the plurality of classifiers is applied to each of the plurality of datasets to generate classifications for test cases in each of the plurality of datasets. For each of the plurality of classifiers, a classification performance score is determined for each of the plurality of datasets based on the classifications generated for the test cases of each dataset. A classifier is selected from among the plurality of classifiers for production based on the classification performance scores of each of the plurality of classifiers across the plurality of datasets.

Abstract: A computer-implemented method for preventing chronic false positives may include (1) whitelisting a file based on a challenge notification that challenges a classification of the file as insecure, (2) obtaining attribute information about the file, (3) identifying, by analyzing the attribute information, a primitive that identifies a source of origin for the file, (4) determining, based on an analysis of files that originate from the source of origin, that the source of origin identified by the primitive is trustworthy, and (5) adjusting, based on the determination that the source of origin identified by the primitive is trustworthy, a security policy associated with the primitive to prevent future false positives for other files that originate from the source of origin. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A client sends a file information request to a security server, where the file information request identifies a URL from which the client is attempting to download a file. Upon receiving the request, the security server determines the stability information of the identified URL and provides the requested file information for the file provided by the URL. The security server determines the stability information of a URL by analyzing the file identifiers and URLs identified in downloaded file reports received from multiple clients. The determination of the stability information of a URL may be based on a variety of factors, such as stability of a URL over time, a textual analysis of the URL, and the set of files provided by the URL. A user of the client can review the file information and decide whether to expend the resources to download the file.

Abstract: A computer-implemented method for treating locally created files as trustworthy may include identifying at least one file created on a computing system protected by a security system that determines whether files encountered by the computing system are trustworthy. The method may also include identifying a software application used to create the file on the computing system. The method may further include determining that the software application used to create the file on the computing system comprises a reputable software application used to create trustworthy files within a user community comprising users of computing systems protected by the security system. In addition, the method may include establishing a trustworthiness exception that causes the security system to treat the file as trustworthy on the computing system that created the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method and apparatus for automatically excluding false positives from detection as malware is described. In one embodiments, a method for using one or more processors to provide false positive reduction for heuristic-based malware detection of a plurality of files in memory includes accessing global first appearance information associated with a plurality of files, accessing global malware information comprising heuristics and an emergence date associated with each malware group of a plurality of malware groups, comparing the global malware information with the global first appearance information to identify at least one false positive amongst the plurality of files and preventing detection of the at least one false positive as malware.

Abstract: A parsing module identifies a framed page within a web page received from a network. The parsing module further identifies information regarding the frame such as the framed page's uniform resource locator. A lookup module accesses a memory module to determine if the identified information regarding the frame is included in a protection list stored in the memory module. A notification module notifies a client's user that the framing web page is fraudulent if the identified information regarding the frame is included in the protection list. Alternatively, the parsing module is adapted to identify a security tag within the framed page indicating that the framed page is not permitted to be displayed within a frame. If the framed page includes a security tag, the notification module notifies the client's user that the framing web page is fraudulent.

Abstract: A parsing module receives a web page from a network. The parsing module identifies a frame embedded within the intercepted web page. The parsing module identifies information regarding the embedded frame. A collection module collects the identified information regarding the embedded frame and maintains such information in an exclusion list stored in a memory module. A lookup module intercepts a web page from the network before the web page reaches the client. The lookup module identifies information regarding this web page and accesses the memory module to determine if the identified information is included in the exclusion list. If the identified information regarding the web page is not included in the exclusion list, a modification module modifies the web page such that the web page will not be loaded on the client within a frame.

Abstract: A method for using acquisitional contexts to prevent false-positive malware classifications. The method may include (1) receiving, from at least one client-side computing device within a community of users, contextual information associated with a file, (2) determining, based at least in part on the contextual information received from the client-side computing device, a reputation rating for the file, and (3) providing the reputation rating for the file to at least one additional client-side computing device within the community in order to prevent the additional client-side computing device from falsely classifying the file as untrustworthy due to acquiring an additional instance of the file via a context that is insufficient to determine that the additional instance of the file is trustworthy. Various other methods and systems are also disclosed.

Abstract: A method for detecting malware may include 1) receiving a request to determine whether a connection from a client device to a server is being blocked, 2) attempting to connect to the server from a kernel mode of the client device, 3) determining that the client device successfully connected to the server from the kernel mode, 4) attempting to connect to the server from a user mode of the client device, 5) determining that the client device did not successfully connect to the server from the user mode, 6) determining, based on the client device successfully connecting to the server from the kernel mode and failing to connect to the server from the user mode, that malware is blocking the connection from the client device to the server, and 7) in response to determining that the malware is blocking the connection, performing at least one security action.

Abstract: Known legitimate applications are analyzed to establish a list of trusted user-agent strings used by the applications to download content from a network. Traffic interception modules connected to the network examine traffic exchanged between clients and servers on the network, recognize traffic associated with downloads of content from the network, and create content download descriptions describing the downloads. The content download descriptions are analyzed to identify content downloads using the trusted user-agent strings. Identifiers of the content downloaded using the trusted user-agent strings are added to a white list of legitimate content. Access to the white list is provided to clients and the clients use the white list to identify legitimate content.

Abstract: A plurality of queuing components each monitor an incoming email stream, and identify incoming email messages with suspicious attachments. Each queuing component generates signatures of the suspicious attachments, and submits periodic reports to a correlation component. The reports list signatures and receipt times for suspicious attachments received since a last submitted report. The queuing component queues the suspicious attachments for a specified hold time, and further processes queued attachments based upon information concerning attachment acceleration rates received from the correlation component. The correlation component receives reports from the plurality of queuing components, and uses information in the submitted reports to maintain a system wide receipt history for each suspicious attachment.

Abstract: A method and apparatus for preventing leakage of sensitive information from a computer is described. The method includes identifying data entered into the computer system as sensitive data, tainting the sensitive data with at least one taint bit to form a tainted data, tracking the tainted data within the computer system and identifying at least one condition that compromises the security of the tainted data. The system is a computer system including taint analysis software for identifying data entered into the computer system as sensitive data, tainting the sensitive data with at least one taint bit to form a tainted data, tracking the tainted data within the computer system and identifying at least one condition that compromises the security of the tainted data.

Abstract: An executable program including packed code is launched in an API-monitored environment, such as a sandboxed environment, in which each call to an API issued by the executable program is intercepted. A packer API profile list including one or more packer API profiles identifying associated sets of one or more APIs utilized by an associated known packer to unpack packed code is accessed. The executable program is allowed to run so long as the executable program issues calls to APIs within an API set of a packer API profile in the packer API profile list. When the executable program issues a call to an API not within an API set of a packer API profile in said packer API profile list, the packed code is assumed to be unpacked in memory as a memory image. The memory image is evaluated, e.g., scanned, for malicious code, and upon detection of malicious code, protective action is taken.