Systems and methods for detecting security threats

US10003606B2 · US · B2

Patent metadata
Publication number: US-10003606-B2
Application number: US-201615084522-A
Country: US
Kind code: B2
Filing date: Mar 30, 2016
Priority date: Mar 30, 2016
Publication date: Jun 19, 2018
Grant date: Jun 19, 2018

Abstract

Official abstract text for this publication.

The disclosed computer-implemented method for detecting security threats may include (1) detecting, by a software security program, a security incident at a client device such that the software security program generates a signature report to identify the security incident, (2) querying an association database with the signature report to deduce another signature report that a different software security program would have predictably generated at the client device, the different software security program having been unavailable at the client device at a time of detecting the security incident, and (3) performing at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database. Various other methods, systems, and computer-readable media are also disclosed.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method for detecting security threats, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: detecting, by a software security product, a security incident at a client device such that the software security product generates a signature report to identify the security incident; querying an association database with the signature report to deduce another signature report that a different software security product would have predictably generated at the client device, the different software security product having been unavailable at the client device at a time of detecting the security incident; and performing at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database, wherein: the protective action comprises: revising a security incident report to include information about the other signature report as a phantom event to provide context for the security incident; and prompting a user to perform an action that is tailored to the other signature report, the action comprising at least one of: updating an antivirus signature set; executing an inoculation script; enabling a security setting; and disabling a hardware, virtual, and/or network computing resource; and the other signature report satisfies a statistical threshold of correlation with the signature report that was actually generated.

2. The computer-implemented method of claim 1, wherein the association database is constructed according to an association rule mining algorithm.

3. The computer-implemented method of claim 2, wherein the association rule mining algorithm identifies a group of at least two signature reports that occur together beyond a threshold frequency.

4. The computer-implemented method of claim 1, wherein deducing the other signature report comprises deducing at least two signature reports.

5. The computer-implemented method of claim 4, further comprising filtering at least one signature report of the at least two signature reports based on a determination that the at least one signature report indicates a security compromise.

6. The computer-implemented method of claim 5, wherein the determination that the at least one signature report indicates a security compromise comprises a determination that the signature report is associated disproportionately with security compromise situations according to a statistical measurement.

7. The computer-implemented method of claim 5, wherein the determination that the at least one signature report indicates a security compromise comprises a determination that an automated measurement of confidence in the signature report indicating a security compromise satisfies a confidence threshold.

8. The computer-implemented method of claim 1, wherein deducing the other signature report comprises inferring an attribute of the security incident.

9. The computer-implemented method of claim 8, wherein the attribute comprises at least one of: a file identifier for a file that caused the security incident; a uniform resource locator for a web location that caused the security incident; and an Internet Protocol address for a web location that caused the security incident.

10. The computer-implemented method of claim 8, further comprising: measuring a degree of confidence that the inferring of the attribute is correct; and determining that the measured degree of confidence satisfies a confidence threshold.

11. A system for detecting security threats, the system comprising: a detection module, stored in memory, that detects, as part of a software security product, a security incident at a client device such that the software security product generates a signature report to identify the security incident; a querying module, stored in memory, that queries an association database with the signature report to deduce another signature report that a different software security product would have predictably generated at the client device, the different software security product having been unavailable at the client device at a time of detecting the security incident; a performance module, stored in memory, that performs at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database; and at least one physical processor configured to execute the detection module, the querying module, and the performance module, wherein: the protective action comprises: revising a security incident report to include information about the other signature report as a phantom event to provide context for the security incident; and prompting a user to perform an action that is tailored to the other signature report, the action comprising at least one of: updating an antivirus signature set; executing an inoculation script; enabling a security setting; and disabling a hardware, virtual, and/or network computing resource; and the other signature report satisfies a statistical threshold of correlation with the signature report that was actually generated.

12. The system of claim 11, wherein the association database is constructed according to an association rule mining algorithm.

13. The system of claim 12, wherein the association rule mining algorithm identifies a group of at least two signature reports that occur together beyond a threshold frequency.

14. The system of claim 11, wherein the querying module deduces the other signature report by deducing at least two signature reports.

15. The system of claim 14, wherein the querying module filters at least one signature report of the at least two signature reports based on a determination that the at least one signature report indicates a security compromise.

16. The system of claim 15, wherein the determination that the at least one signature report indicates a security compromise comprises a determination that the signature report is associated disproportionately with security compromise situations according to a statistical measurement.

17. The system of claim 15, wherein the determination that the at least one signature report indicates a security compromise comprises a determination that an automated measurement of confidence in the signature report indicating a security compromise satisfies a confidence threshold.

18. The system of claim 11, wherein the querying module deduces the other signature report by inferring an attribute of the security incident.

19. The system of claim 18, wherein the attribute comprises at least one of: a file identifier for a file that caused the security incident; a uniform resource locator for a web location that caused the security incident; and an Internet Protocol address for a web location that caused the security incident.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to: detect, by a software security product, a security incident at a client device such that the software security product generates a signature report to identify the security incident; query an association database with the signature report to deduce another signature report that a different soft
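The claims above describe the mechanism only in legal terms: an association database built by association rule mining over signature reports that co-occur beyond a threshold frequency (claims 2, 3), queried with the report that actually fired to deduce the "phantom" report a product absent from the device would have produced (claim 1), with a compromise-association measurement attached to each deduced report (claims 5, 6) and a tailored remediation prompt. The following Python is an added, self-contained illustration of that pipeline, not code from the patent or from Symantec. It uses pairwise support/confidence rules (the simplest form of association rule mining), constructed training telemetry labelled as such, a hypothetical `ACTION_FOR_PRODUCT` mapping from product prefix to one of the remediation types the claim lists, and a lift-style ratio as the "statistical measurement" of disproportionate association with compromise. Signature names, product prefixes and thresholds are all assumptions.

```python
from collections import Counter
from itertools import permutations

# Constructed training telemetry (not real product data): each record is the set
# of signature reports one incident produced on a device that ran ALL products,
# plus whether that incident was later confirmed as a compromise.
TRAINING = [
    ({"AV:Trojan.Dropper", "IPS:Beacon.Outbound", "FW:Unsolicited.Inbound"}, True),
    ({"AV:Trojan.Dropper", "IPS:Beacon.Outbound"}, True),
    ({"AV:Trojan.Dropper", "IPS:Beacon.Outbound", "IPS:ExploitKit.Landing"}, True),
    ({"AV:Trojan.Dropper", "IPS:ExploitKit.Landing"}, False),
    ({"AV:PUA.Toolbar", "FW:Unsolicited.Inbound"}, False),
    ({"AV:PUA.Toolbar"}, False),
    ({"AV:Trojan.Dropper", "IPS:Beacon.Outbound", "FW:Unsolicited.Inbound"}, True),
    ({"AV:Trojan.Dropper", "IPS:ExploitKit.Landing"}, False),
]

# Hypothetical mapping from the product prefix of a phantom signature to the kind
# of remediation the claim lists; a real product would carry this per signature.
ACTION_FOR_PRODUCT = {
    "IPS": "enable a security setting (turn on intrusion prevention)",
    "FW": "disable a network computing resource (block the affected inbound port)",
    "AV": "update the antivirus signature set",
}


def product_of(sig):
    """Signature names are assumed to be '<PRODUCT>:<name>'."""
    return sig.split(":", 1)[0]


def mine_rules(records, min_support, min_confidence):
    """Pairwise association rule mining. For every ordered pair (a -> b) of
    signatures from different products: support = P(a and b), confidence = P(b | a).
    Pairs below either threshold are dropped. Returns {a: [(b, confidence, support)]}
    sorted by descending confidence; this dict plays the role of the association database."""
    n = len(records)
    single, pair = Counter(), Counter()
    for sigs, _ in records:
        single.update(sigs)
        pair.update(permutations(sorted(sigs), 2))  # both orders of each co-occurring pair
    rules = {}
    for (a, b), together in pair.items():
        if product_of(a) == product_of(b):
            continue  # only cross-product rules can stand in for a missing product
        support = together / n
        confidence = together / single[a]
        if support >= min_support and confidence >= min_confidence:
            rules.setdefault(a, []).append((b, round(confidence, 3), round(support, 3)))
    for a in rules:
        rules[a].sort(key=lambda r: -r[1])
    return rules


def compromise_lift(records, sig):
    """Statistical measurement of how disproportionately `sig` co-occurs with
    confirmed compromises: P(compromise | sig) / P(compromise). Above 1.0 means
    the signature is over-represented in compromise situations."""
    base_rate = sum(1 for _, compromised in records if compromised) / len(records)
    with_sig = [compromised for sigs, compromised in records if sig in sigs]
    return round((sum(with_sig) / len(with_sig)) / base_rate, 3)


def deduce_phantom_events(rules, observed_sig, installed_products, records):
    """Query the association database with the signature that actually fired and
    return the reports that products ABSENT from the device would predictably
    have generated, each with its correlation figures and a tailored action."""
    phantoms = []
    for other, confidence, support in rules.get(observed_sig, []):
        if product_of(other) in installed_products:
            continue  # that product is present; it would have reported for itself
        phantoms.append({
            "signature": other,
            "confidence": confidence,
            "support": support,
            "compromise_lift": compromise_lift(records, other),
            "suggested_action": ACTION_FOR_PRODUCT[product_of(other)],
        })
    return phantoms


def revise_incident_report(report, rules, installed_products, records):
    """The protective action from claim 1: add the deduced reports to the
    incident report as phantom events so an analyst sees the missing context."""
    revised = dict(report)
    revised["phantom_events"] = deduce_phantom_events(
        rules, report["signature"], installed_products, records)
    return revised


if __name__ == "__main__":
    db = mine_rules(TRAINING, min_support=0.2, min_confidence=0.5)
    # A device running only the AV product reports a dropper; what would IPS/FW have said?
    incident = {"device": "host-17", "signature": "AV:Trojan.Dropper"}
    print(revise_incident_report(incident, db, installed_products={"AV"}, records=TRAINING))
```

With the constructed telemetry, `AV:Trojan.Dropper` yields two phantom IPS events: `IPS:Beacon.Outbound` (confidence 0.667, lift 2.0, so strongly tied to confirmed compromises) and `IPS:ExploitKit.Landing` (confidence 0.5, lift 0.667, so not disproportionately associated with compromise); the firewall signature is excluded because its confidence (0.333) falls below the threshold, and nothing is deduced for a device that already runs IPS. The lift figure is what an analyst would use to rank or filter the phantom events as claims 5 and 6 describe.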

Assignees

Symantec Corp

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection

  • Event-based monitoring

  • Event detection, e.g. attack signature detection

  • involving event detection and direct action

  • File system administration, e.g. details of archiving or snapshots (error detection or correction of the data by redundancy in operations G06F11/14)

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10003606B2 cover?
The disclosed computer-implemented method for detecting security threats may include (1) detecting, by a software security program, a security incident at a client device such that the software security program generates a signature report to identify the security incident, (2) querying an association database with the signature report to deduce another signature report that a different softwar…
Who is the assignee on this patent?
Symantec Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jun 19, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 9 related publications on this page (citations in our corpus or others sharing the same primary CPC).