Anthony Penta

Classifiers may be used to analyze a valid certificate received from an unverified entity in an attempt to establish a secure connection with the unverified entity. The classifiers may determine a probability that the certificate is being used improperly by an unauthorized third party. An action may be taken based on the probability, such as allowing the unverified entity to establish a secure connection, blocking the unverified entity from establishing a secure connection, etc. The classifiers… Show more

Classifiers may be used to analyze a valid certificate received from an unverified entity in an attempt to establish a secure connection with the unverified entity. The classifiers may determine a probability that the certificate is being used improperly by an unauthorized third party. An action may be taken based on the probability, such as allowing the unverified entity to establish a secure connection, blocking the unverified entity from establishing a secure connection, etc. The classifiers may be trained by employing machine learning techniques on a collection of valid, authorized certificates. Additionally, or alternatively, received certificates may be sampled for further analysis based on the probability and/or predefined sampling percentages. Show less

Many applications and services provide security for computing devices. In an example, a security service, such as an antivirus service, may scan a computer to identify 'infected' files that have viruses, malware, malicious code, etc. The security service may identify, isolate, and/or remove such files. The security service may also disseminate information regarding such files in an effort to protect other computing devices from such files.

Proxy networks enable a source to send traffic to one or more targets through a set of nodes operating as proxies. However, proxy networks are typically nonselective (often by design), and do not enable a source to specify properties of the nodes selected as proxies to send traffic to the target. Presented herein are proxy network techniques that enable sources to specify node properties in a target request, and that utilize a set of node managers for respective subsets of nodes. For a target… Show more

Proxy networks enable a source to send traffic to one or more targets through a set of nodes operating as proxies. However, proxy networks are typically nonselective (often by design), and do not enable a source to specify properties of the nodes selected as proxies to send traffic to the target. Presented herein are proxy network techniques that enable sources to specify node properties in a target request, and that utilize a set of node managers for respective subsets of nodes. For a target request specifying selected node properties, the node managers may select as proxies nodes having the node properties specified in the target request. Additionally, the techniques presented herein promote the flexibility of the proxy network (e.g., adding groups of nodes, expanding the variety of nodes and node properties, and sending various forms of traffic using any protocol to various topics on behalf of many and various sources). Show less

In many information security scenarios, a certificate issued by a certificate authority may be presented to a client in order to assert a trust level of a certificated item, such as a message or a web page. However, due to a decentralized structure and incomplete coordination among certificate authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult to determine, particularly for an individual client. Presented herein are… Show more

In many information security scenarios, a certificate issued by a certificate authority may be presented to a client in order to assert a trust level of a certificated item, such as a message or a web page. However, due to a decentralized structure and incomplete coordination among certificate authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult to determine, particularly for an individual client. Presented herein are techniques for advising clients of the reputations of respective certificate authorities by evaluating the certificates issued by such certificate authorities, such as the number and types of domains certified by the certificate; the number and pattern of certificates issued for the domain; and the certification techniques used to issue the certificates. Such evaluation enables a determination of a certificate authority trust level that may be distributed to the clients in a certificate authority trust set. Show less

Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g.… Show more

Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g., web content, files, databases, IP addresses, services, and users) accessed by an application. Remote resource accesses may be reported to a reputation service, which may identify reputations of remote resources, and application reputations of applications that utilize such remote resources. These application reputations may be used to adjust the application policies of the applications executed by devices and servers. These techniques thereby achieve rapid detection and mitigation of newly identified malware through application telemetry in a predominantly automated manner. Show less

In one embodiment, an intelligent detection system 102 may determine if a network target 108 is an adversarial site based on comparing responses to different network sources. The intelligent detection system 102 may select a test apparent network source 110 and a control apparent network source 112 from a network source pool 106. The intelligent detection system 102 may receive the test response responding to a test request from the test apparent network source 110 to a network target 108. The… Show more

In one embodiment, an intelligent detection system 102 may determine if a network target 108 is an adversarial site based on comparing responses to different network sources. The intelligent detection system 102 may select a test apparent network source 110 and a control apparent network source 112 from a network source pool 106. The intelligent detection system 102 may receive the test response responding to a test request from the test apparent network source 110 to a network target 108. The intelligent detection system 102 may receive the control response responding to a control request from the control apparent network source 112 to the network target 108. The intelligent detection system 102 may execute a comparison of the test response to the control response. Show less

Described is a technology by which phishing-related data sources are processed into aggregated data and a given site evaluated the aggregated data using a predictive model to automatically determine whether the given site is likely to be a phishing site. The predictive model may be built using machine learning based on training data, e.g., including known phishing sites and/or known non-phishing sites. To determine whether an object corresponding to a site is likely a phishing-related object… Show more

Described is a technology by which phishing-related data sources are processed into aggregated data and a given site evaluated the aggregated data using a predictive model to automatically determine whether the given site is likely to be a phishing site. The predictive model may be built using machine learning based on training data, e.g., including known phishing sites and/or known non-phishing sites. To determine whether an object corresponding to a site is likely a phishing-related object are described, various criteria are evaluated, including one or more features of the object when evaluated. The determination is output in some way, e.g., made available to a reputation service, used to block access to a site or warn a user before allowing access, and/or used to assist a hand grader in being more efficient in evaluating sites. Show less

One or more techniques and/or systems are provided for internet connectivity protection. In particular, reputational information assigned to infrastructure components (e.g., IP addresses, name servers, domains, etc.) may be leveraged to determine whether an infrastructure component associated with a user navigating to content of a URL is malicious or safe. For example, infrastructure component data associated with a web browser navigating to a website of a URL may be collected and sent to a… Show more

One or more techniques and/or systems are provided for internet connectivity protection. In particular, reputational information assigned to infrastructure components (e.g., IP addresses, name servers, domains, etc.) may be leveraged to determine whether an infrastructure component associated with a user navigating to content of a URL is malicious or safe. For example, infrastructure component data associated with a web browser navigating to a website of a URL may be collected and sent to a reputation server. The reputation server may return reputation information associated with the infrastructure component data (e.g., an IP address may be known as malicious even though the URL may not yet have a reputation). In this way, the user may be provided with notifications, such as warnings, when various unsafe conditions arise, such as interacting with an infrastructure component with a bad reputation, a resolved IP address not matching the URL, etc. Show less

Identification of email forwarders is described. In an implementation, a method includes using heuristics to identify email forwarders for use in a reputation system for locating spammers. In another implementation, a method includes determining a likelihood that a particular Internet Protocol (IP) address corresponds to an email forwarder and processing email originating from the particular IP address based on the determined likelihood. In a further implementation, a method includes collecting… Show more

Identification of email forwarders is described. In an implementation, a method includes using heuristics to identify email forwarders for use in a reputation system for locating spammers. In another implementation, a method includes determining a likelihood that a particular Internet Protocol (IP) address corresponds to an email forwarder and processing email originating from the particular IP address based on the determined likelihood. In a further implementation, a method includes collecting heuristic data that describes characteristics of emails sent from one or more Internet Protocol (IP) addresses and constructing a model from the heuristic data for identifying whether at least one of the IP address is an email forwarder. In yet a further implementation, a method includes identifying that a particular Internet Protocol (IP) address likely corresponds to an email forwarder and processing email from the particular IP address based on an implied sender of the email. Show less

Phishing detection, prevention, and notification is described. In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives… Show more

Phishing detection, prevention, and notification is described. In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties. Show less

Disclosed are systems and methods that facilitate spam detection and prevention at least in part by building or training filters using advanced IP address and/or URL features in connection with machine learning techniques. A variety of advanced IP address related features can be generated from performing a reverse IP lookup. Similarly, many different advanced URL based features can be created from analyzing at least a portion of any one URL detected in a message.