Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 1 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 1 of 27
`
`
`
`
`
`EXHIBIT 4
`EXHIBIT 4
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 2 of 27
`cove roses. os.FANT
`
`US007613926B2
`
`US 7,613,926 B2
`(10) Patent No.:
`a2) United States Patent
`Ederyetal.
`(45) Date of Patent:
`*Nov. 3, 2009
`
`
`(75)
`
`(54) METHOD AND SYSTEM FOR PROTECTING
`A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES
`Inventors: Yigal Mordechai Edery, Pardesia (IL);
`Nimrod Itzhak Vered, Goosh Tel-Mond
`dL); David R. Kroll, San Jose, CA
`(US); Shlomo Touboul, Kefar-Haim (IL)
`(73) Assignee: Finjan Software, Ltd, Netanya (IL)
`(*) Notice:
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 659 days.
`inal dj
`Thi
`:
`bj
`1s patent 1s subject to a terminal
`dis-
`claimer.
`
`5,359,659 A
`
`10/1994 Rosenthal «0... 726/24
`
`(Continued)
`
`EP
`EP
`
`FOREIGN PATENT DOCUMENTS
`1091276
`4/2001
`1132796
`9/2001
`
`OTHER PUBLICATIONS
`
`Zhong,et al., “Security in the Large: is Java’s Sandbox Scalable?,”
`Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6,
`Oct. 1998.
`
`(Continued)
`Primary Examiner—Christopher A Revak
`(74) Attorney, Agent, or Firm—King & Spalding LLP
`(57)
`ABSTRACT
`
`(21) Appl. No.: 11/370,114
`(22)
`Filed:
`Mar.7, 2006
`(65)
`Prior Publication Data
`US 2006/0149968 Al
`Jul. 6, 2006
`Related U.S. Application Data
`Protection systems and methodsprovide for protecting one or
`(63) Continuation of application No. 09/861,229, filed on
`more personal computers (“PCs”) and/or other intermittently
`May17, 2001, now Pat. No. 7,058,822, and a continu-
`or persistently network accessible devices or processes from
`ation-in-part of application No. 09/539,667, filed on
`undesirable or otherwise malicious operations of Java™
`Mar.30, 2000, now Pat. No. 6,804,780, which is a
`applets, ActiveX™ controls, JavaScript™ scripts, Visual
`continuation of application No. 08/964,388,filed on
`Basic scripts, add-ins, downloaded/uploaded programs or
`Nov. 6, 1997, now Pat. No. 6,092,194,said application
`No. 09/861,229 is a continuation-in-part ofapplication—_other “Downloadables”or “mobile code” in whole or part. A
`oe°51,302,filed on Apr. 18, 2000, now Pat. No.
`protection engine embodimentprovides,within a server,fire-
`(60) Provisional application No. 60/205,591, filed on May
`Wall or other suitable “re-communicator,” for monitoring
`17, 2000.
`information received by the communicator, determining
`Int.Cl
`whether received information does or is likely to include
`(51)
`(2006.01)
`GO6F 2V4
`executable code, and if so, causes mobile protection code
`(2006.01)
`G06F 11/30
`(MPC)to be transferred to and rendered operable within a
`(2006.01)
`HOAL 9/00
`destination device ofthe received information, more suitably
`(2006.01)
`GO6F 15/16
`by forming a protection agent including the MPC,protection
`713/181: FIB/175: 713/176:
`50) US.CI
`policies and a detected-Downloadable. An MPC embodiment
`(52) ES reereeescece
`further provides, within a Downloadable-destination,for ini-
`>
`>
`796)94
`.
`tiating the Downloadable, enabling malicious Downloadable
`.
`.
`(58) Field ofClassification Search seseeeeesmeseeeeee None
`operation attempts to be received by the MPC, and causing
`See application
`file
`for complete search
`history.
`(predetermined) corresponding operations to be executed in
`(56)
`References Cited
`response to the attempts, more suitably in conjunction with
`protection policies.
`U.S. PATENT DOCUMENTS
`
`5,077,677 A
`
`12/1991 Murphyetal... 706/62
`
`30 Claims, 10 Drawing Sheets
`
`4401
`
`ben
`
`
`4108
`Determinepolicies in accordance with the
`access
`attampt
`
`
`Execute the policies (including causing an
`wm
`allowable response expects
`bythe Le
`Donwloadable to be retumed to the
`Downloadable)
`
`Start
`
`Install mabile protection code elements
`‘and poiicies within a destination davice
`
`eee
`initiating it ben
`
`Load the downloadble without ectually
`T¥
`1103
`{Form an acoass Interceptorfor intercepting
`downloadable destination device access
`attemptswithin the destination device
`
`Initiate the Downloadable within the
`
`ination devicedestinati
`
`1105
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 3 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 3 of 27
`
`US 7,613,926 B2
`
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`
`
`11/1994 Tajalli etal. oo. 726/23
`5,361,359 A
`5/1995 Hershey etal.
`.
`ws 726/22
`5,414,833 A
`1/1996 Guptaetal.
`.
`we 726/25
`5,485,409 A
`1/1996 Chess etal... 714/38
`5,485,575 A
`11/1996 Judson oo... eee 709/218
`5,572,643 A
`11/1996 Furtneyetal.
`.. 703/27
`5,579,509 A
`
`2/1997 Shwed .......
`.. 726/13
`5,606,668 A *
`
`w. 726/24
`..
`4/1997 Jietal.
`5,623,600 A *
`6/1997 Rubin wo. eee 705/51
`5,638,446 A
`10/1997 Kephart et al. oo... 706/12
`5,675,711 A
`11/1997 McManis .......
`. 713/167
`5,692,047 A
`
`11/1997 Holden et al. oe. 726/2
`5,692,124 A
`Q/L99B DOO weeceeseeessccesseeeseeeeee 726/2
`5,720,033 A
`3/1998 Changetal. .
`w+ 705/52
`5,724,425 A
`
`4/1998 Fiereset al.
`713/156
`5,740,248 A
`4/1998 Yellin etal. we. 717/134
`5,740,441 A
`6/1998 van Hoffet al.
`709/223
`5,761,421 A
`
`6/1998 Breslau etal.
`711/203
`5,765,205 A
`7/1998 Devarakonda etal.
`...... 713/165
`5,784,459 A
`.....
`. 709/224
`8/1998 Davis etal.
`5,796,952 A
`
`9/1998 Cohenetal. oe. 709/202
`5,805,829 A
`11/1998 Chenetal. we 726/24
`5,832,208 A
`.
`11/1998 Cutler etal.
`. TITATL
`5,832,274 A
`
`12/1998 Angelo et al.... 713/320
`5,850,559 A
`1/1999 Haymanetal. ..... 726/23
`5,859,966 A
`1/1999 Boebert et al.
`..
`. 709/249
`5,864,683 A
`
`3/1999 Yamamoto ........ cee 726/24
`5,881,151 A
`3/1999 Duvalletal. oe. 709/206
`5,884,033 A
`we» 726/22
`4/1999 Atkinson etal.
`5,892,904 A
`
`9/1999 Chenetal. we 714/38
`5,951,698 A
`9/1999 Walshetal. 0... 726/23
`5,956,481 A
`10/1999 Williams ....... 717/143
`5,963,742 A
`10/1999 Golan
`5,974,549 A
`11/1999 Apperson et al.
`5,978,484 A
`11/1999 Ji
`5,983,348 A
`11/1999 Freund wo... eee 726/4
`5,987,611 A
`7/2000 Grecsek wee eeeee 726/1
`6,088,801 A
`we» 726/22
`7/2000 Tso etal.
`..
`6,088,803 A
`
`7/2000 Touboul oo... 726/24
`6,092,194 A *
`6,154,844 A * 11/2000 Touboul etal... 726/24
`6,167,520 A
`12/2000 Touboul
`6,339,829 Bl
`1/2002 Beadle etal... 726/15
`6,425,058 Bl
`7/2002 Arimilli et al. wo. 711/134
`6,434,668 Bl
`8/2002 Arimilli et al.
`..
`. 711/128
`
`8/2002 Arimilli et al. oo... 711/128
`6,434,669 Bl
`6,480,962 BL* 11/2002 Touboul oo... 726/22
`we 726/23
`6,487,666 Bl
`11/2002 Shanklin et al.
`.
`
`.......... 711/114
`6,519,679 B2
`2/2003 Devireddy et al.
`6,598,033 B2
`7/2003 Rossetal. wc 706/46
`. 709/229
`6,732,179 BL*
`5/2004 Brown etal.
`.
`
`.. 713/181
`6,804,780 B1* 10/2004 Touboul
`.....
`
`6,901,519 BL*
`5/2005 Stewart etal.
`w. 726/24
`
`7/2005 Simonetal. .
`. 707/204
`6,917,953 B2
`ws 726/22
`..
`7,058,822 B2*
`6/2006 Edery etal.
`
`...
`. 713/188
`7,093,135 B1*
`8/2006 Radatti et al.
`
`4/2007 Gryaznovetal.
`. 713/188
`7,210,041 Bl
`7,343,604 B2
`3/2008 Grabarniket al.
`..
`. 719/313
`.. 726/22
`7,418,731 B2
`8/2008 Touboul
`........
`
`4/2004 Sanin oo...
`. 726/13
`2004/0073811 Al
`
`.
`. 709/230
`2004/0088425 Al
`5/2004 Rubinstein et al.
`.......
`we» 726/22
`2005/0172338 Al
`8/2005 Sandu etal.
`
`............ 707/3
`2006/0031207 Al
`2/2006 Bjarnestam et al.
`OTHER PUBLICATIONS
`
`............ 705/54
`
`Rubin,et al., “Mobile Code Security,” JEEE Internet, pp. 30-34, Dec.
`1998 Schmid, et al. “Protecting Data From Malicious Software,”
`Proceedings ofthe 18Annual Computer SecurityApplications Con-
`ference, pp. 1-10, 2002.
`Corradi, et al., “A Flexible Access Control Service for Java Mobile
`Code,” IEEE, pp. 356-365, 2000.
`
`International Search Report for Application No. PCT/IB97/01626, 3
`pp., May 14, 1998 (mailing date).
`International Search Report for Application No. PCT/IL05/00915, 4
`pp., dated Mar. 3, 2006.
`Written Opinion for Application no. PCT/IL05/00915, 5 pp., dated
`Mar. 3, 2006 (mailing date).
`International Search Report for Application No. PCT/IB01/01138, 4
`pp., Sep. 20, 2002 (mailing date).
`International Preliminary Examination Report for Application No.
`PCT/IBO1/01138, 2 pp., dated Dec. 19, 2002.
`Gerzic, Amer, “Write Your Own Regular Expression Parser,’ Nov.
`17, 2003, 18 pp.
`Power, James, “Lexical Analysis,” 4 pp., May 14, 2006.
`Sitaker, Kragen, “Rapid Genetic Evolution of Regular Expressions”
`[online], The MialArchive, Apr. 24, 2004 (retrieved on Dec. 7, 2004),
`5 pp.
`“Lexical Analysis: DFA Minimization & Wrap Up”[online], Fall,
`2004 [retrieved on Mar. 2, 2005], 8 pp.
`“Minimization of DFA”[online], [retrieved on Dec. 7, 2004], 7 pp.
`“Algorithm: NFS -> DFA”[online], Copyright 1999-2001 [retrieved.
`on Dec. 7, 2004], 4 pp.
`“CS 3813: Introduction to Formal Languages and Automata—State
`Minimization and Other Algorithmsfor Finite Automata,”3 pp., May
`11, 2003.
`Watson, Bruce W., “Constructing Minimal Acyclic Deterministic
`Finite Automata,” [retrieved on Mar. 20, 2005], 38 pp.
`Chang, Chia-Hsiang, “From Regular Expressions to DFA’s Using
`Compressed NFA’s,” Oct. 1992, 243 pp.
`“Products,” Articles published on the Internet, “Revolutionary Secu-
`rity for a New Computing Paradigm”regarding SurfinGate™,7 pp.
`“Release Notes for the Microsoft ActiveX Development Kit,’ Aug.
`13, 1996, pp. 1-10.
`Doyle, et al., “Microsoft Press Computer Dictionary,’ Microsoft
`Press, 2d Edition, pp. 137-138, 1993.
`Finjan Software Ltd., “Powerful PC Security for the New World of
`Java™ and Downloadables, Surfin Shield™,” Article published on
`the Internet by Finjan Software Ltd., 2 pp. 1996.
`Finjan Sofrtware Ltd., “Finjan Announcesa Personal Java™Firewall
`for Web Browsers—the SurfinShield™ 1.6 (formerly known as
`SurfinBoard),” Press Release of Finjan Releases SurfinShield 1.6, 2
`pp., Oct. 21, 1996.
`Finjan Software Ltd., “Finjan Announces Major Power Boost and.
`NewFeatures for SurfinShield™ 2.0,” Las Vegas Convention Center/
`Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Indus-
`try’s First JAVA Security Product for the World Wide Web,” Article
`publishedonthe Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
`Finjan Software Ltd., “Java Security: Issues & Solutions,” Article
`published on the Internet by Finjan Software Ltd., 8 pp. 1996.
`Finjan Software Ltd., CompanyProfile, “Finjan—Safe Surfing, The
`Java Security Solutions Provider,” Article published on the Internet
`by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`“IBM AntiVirus User’s Guide, Version 2.4,”, International Business
`Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Khare, R., “Microsoft Authenticode Analyzed” [online], Jul. 22,
`1996 [retrieved on Jun. 25, 2003], 2 pp.
`LaDue, M., Online Business Consultant: Java Security: Whose Busi-
`nessis It?, Article published on the Internet, Home PagePress,Inc.,
`4 pp., 1996.
`Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certification,” PC
`Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
`Moritz, R., “Why We Shouldn’t Fear Java,” Java Report, pp. 51-56,
`Feb. 1997.
`“Microsoft ActiveX Software Development Kit”
`Microsoft,
`[Online], Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6.
`Microsoft® Authenticode Technology, “Ensuring Accountability
`and Authenticity for Software Components on the Internet,”
`Microsoft Corporation, Oct. 1996,
`including Abstract, Contents,
`Introduction, and pp. 1-10.
`Microsoft Corporation, Web Page Article “Frequently Asked Ques-
`tions About Authenticode,” last updated Feb. 17, 1997, printed Dec.
`23, 1998, pp. 1-13.
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 4 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 4 of 27
`
`US 7,613,926 B2
`Page 3
`
`Okamoto, E., et al., “ID-Based Authentication System for Computer
`Virus Detection,” JEEE/IEE Electronic Library online, Electronics
`Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract
`and pp. 1169-1170.
`Omura, J. K., “Novel Applications of Cryptography in Digital Com-
`munications,” JEEE Communications Magazine, pp. 21-29, May
`1990.
`
`Schmitt, D.A., “.EXEfiles, OS-2 style,” PC Tech Journal, vol. 6, No.
`11, p. 76(13), Nov. 1988.
`Zhang, X. N., “Secure Code Distribution,” JEEEJEE Electronic
`Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
`D. Grune,et al., “Parsing Techniques: A Practical Guide,” John Wiley
`& Sons, Inc., New York, New York, USA,pp. 1-326, 2000.
`
`* cited by examiner
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 5 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 5 of 27
`
`U.S. Patent
`
`Nov. 3, 2009
`
`Sheet 1 of 10
`
`US 7,613,926 B2
`
`100
`
`
`
`Redundancy Support
`
`Subsystem-1
`(Sandbox Protected)
`
`Subsystem-N
`(Unprotected)
`
`Subsystem-M
`(Protected)
`
`107
`
`
`
`
`
`
`
`
`ResourceServer-1
`
`Resource-1
`
`102
`
`121
`
`051
`
`106
`
`Extemal
`Network
`
`(Internet)
`ResourceServer-N
` 131
`
`
`103
`
`Resource-M
`Resource-N
`
`132
`
`104a
`
`141b
`
`FIG.la
`
`140a
`
`104b
`
`144
`
`440b
`
`143
`
`maeerceeens
`
`
`
`\. MPC, D
`4
`
`145
`
`
`
`Device-n
`
`
`146
`
`Client
`
`145
`
`146
`
`FIG. 1b
`
`FIG. Ic
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 6 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 6 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 2 of 10
`
`US 7,613,926 B2
`
`JapeoyWINIpsy]adeI0}S
`
`
`woskgsuneiodg
`
`swesso1gWO
`ALOWIDJA]BULTIOAA,
`
`
`(s)9oraaqnding
`cOM|os
`(s)estao0q
`SuOeoTuNUItoT)
`
`oeCO?
`
`767
`
`607
`
`807
`
`L0¢
`
`JOBJIOIUT
`
`T0Z
`
`907
`
`SOc
`
`
`
`a[qQepeoyJamdwog
`
`
`
`UINIPsy]282101
`
`
`
`a]qQupesyJoynduros
`
`v0z
`
`£07
`
`Indu]
`
`NS
`
`007
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 7 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 7 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 3 of 10
`
`US 7,613,926 B2
`
`P9AI9993]
`
`UOLBULIOJU]
`
`/ajqeynoaxg-uON)
`
`
`
`(oyuyayquinosxy
`
`EAN4
`
`ZOE10¢
`
`ajqeynoexy
`
`JONTee
`
`>00£
`
`UONO9JOld
`
`
`
`(3d)eulbug
`
`¢Ol
`
`
`
`
`

`

`
`
`
`psxy|vopeuuort[uedDe]BunquysaysUEIL
`pax[roseRea
`
`JO}UOYYreungaulbuyeuibuy
`-vepeed|gJoya]9qapo4LUuoneojuayiny|
`
`boat!80b"
`uoNse}aqMit|77~T7Loeeeveeeeeeeeeeeeececeneeeeeeeeeeeeda.
`
`—-WTrTWt[welesuonoedsul|ionWVLey2bSrareinoaeal
`
`
`
`
`L8rcarcoreulbuy
`
`
`
`
`
`UOTEULIOJUIJYIO103OBERPAPA
`
`
`
`eulbuyaBeyoegpapajo!
`
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 8 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 8 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 4 of 10
`
`US 7,613,926 B2
`
`LOF
`
`oo em mem em ese n nn poate enter nore reen
`
`
`
`<delvoeonuayjny1Ayunaag
`
`/Roljogcr
`
`TT7Jezsjeuy|cor
`
`LOP
`
`abeioys
`
`
`
`
`
`Surovysayur‘Aotod‘1esc)
`
`(OAXN)
`
`rerenWY
`
`EVEChELPEOpe
`
`ewes ee eet eee seesaw atesweere
`
`00P
`
`
`
`bOM
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 9 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 9 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 5 of 10
`
`US 7,613,926 B2
`
`
`
`SUBJQWBIEYWEYEd
`
`
`
`sigjaweied485f}
`
`
`
`SJOVOWeIEJe1OUaL)
`
`
`
`SIOJOWEIEYSOBLA}U]
`
`
`
`s1aaWeledwaysksSc09
`
`
`
`
`
`SI9JBWELdBPODsIqeIndexyb09
`
`
`
`SIDJOWUEIEAlajqeinoaxy
`
`LOS
`
`Fyeq
`
`A9YD}O4
`
`SOP
`
`Jayury
`
`paysp-jsod
`
`Josseso.d
`
`
`
`89°)S°DOM
`
`(osseidwu09)BEr9
`
`99°DLA
`
`qer9
`
`i/23su|
`
`ne
`1.“0dOdWVoax|10d|remy
`ae[Ble
`ee
`je|
`
`Lec
`6S
`
`
`ess-019938q
`w————/1
`“Serg
`
`soyesaUds)aulbug
`
`queByoo,JeysueslOL
`
` icouayed\!|Joweieq|!sel—Aeuia_|
`
`40}0939q
`
`zy|!
`
`----wyaqog1------—
`
`soVeyuy
`
`yoyap-aid)
`
`(Giossao0d
`
`
`
`edA|aly
`
`Joyoayag
`
`vOSLor
`
`jouyyuoy|
`
`—_—-'4
`
`BupuryOL
`
`eulsug
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 10 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 10 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 6 of 10
`
`US 7,613,926 B2
`
`700
`Ny
`
`340
`
`\y
`Protection|
`Agent }———
`
`i
`
`701
`
`Memory Space-N
`
`
`
`Destination
`» Resources
`
`MCInitiator
`(JVM)
`
`Sandbox Engine
`
`704
`
`703
`
`Memory Space-P2
`
`
`
`
`805
`
`
`806
`
`807
`
`801
`
`802
`
`803
`
`804
`
`
`
`
`MPC De-Installer
`
`FIG. 7b
`
`FIG. 8
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 11 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 11 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 7 of 10
`
`US 7,613,926 B2
`
`6D1
`
`Le
`
`+é6
`
`£6aiqepeojumog-enuajodasne5
`
`BOG|ttteerstrececrececssengrtetetectte_eoeeed
`RLGreneefee
`
`
`2-4Kaanyepwauinojena
`UOeUysep-UONeWWOJUI
`OU}O}PAlBAI]EpOQO}
`
`
`616aliqow0)dseuooyuebeuojsejod@WWO4
`
`
`
`£06paaioideGuiaeyuonewJojulaAlecay
`
`
`
`106(JaAias°6'a)JOJETIUNLULOD-24JOPUOW
`
`
`paJaaliap9q0}JUsHeuoRIajOudOyjasneD
`
`aiqepequmog-jejuayod‘poouoyoajoid
`
`
`
`@poogigeinoaxesapnjaulajqepeojumoq
`Kue+(ajqepeo|um0G-pay2a}ep2BMou)
`
`
`-jenuajoday}JOuJaYMaUIa}eq
`UOReURSeg-UOHeWOJU!By}0}
`(,21qepeojumog-jenuajod,2)
`
`uojeisdo
`
`
`
`UCHeUYSSPUOHBULOJU!
`
`=©Pauluueyapun
`
`S16
`
`oné9p09
`
`sapnjau|
`
`say
`
`
`
`sa1oyjoduoloe}od
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 12 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 12 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 8 of 10
`
`US 7,613,926 B2
`
`
`
`
`
`
`
`‘6'a)JuabeuoHoay}oide@WO}0}UOWEUUOYUI
`
`
`
`
`
`(pulyypyue‘pudsessald1jod‘JssyOdW
`
`d0T‘Old
`
`
`
`VOl‘Old
`
`LOL
`
`
`
`
`
`UNO)pueSiajauBJedUOI|Oa}OldBASW}OY
`
`616
`
`LOOL
`
`
`
`
`
`-|enuUa}Oday}JOUJOUMBUIWIE}9q
`
`sigjoweled
`
`ELOLWo}puesidjoeJeduo!Oaj}O1dSASjOY
`
`
`au}0}BuipsoooesaloijoduoNoa}old
`
`
`
`
`SootS]UJUODSII}AU}VaYJEYMSUIW9}EQ
`
`
`suiayedapooJouoHeUOyU!AeuIgepnjour
`
`
`
`
`
`QU}0}Buipsov0eapoUOIDS}OUdajIqouW
`
`sigjowesed
`
`
`
`ajqeynoexeuesazeolpule|qepeo|umMoq
`
`adf}ary
`
`£16
`
`
`
`-panlaoespuesaioijoduonosjoid
`
`SOOL
`
`SLOL‘apouOHoayOJdayIqowWay}ajdnog
`
`
`
`au}JEU)BJedIPU!EOOLPueLOOLSde}S41
`
`
`
`Ajay]G10ajqepeo|uMoq-jeljua}od
`
`
`
`
`
`‘@pooajqe}noexsSepnjoul
`
`
`
`eajqepeojumog-jenuajodau}Jap|suod
`
`aiqepeojumMog-peyosjap
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 13 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 13 of 27
`
`U.S. Patent
`
`Nov. 3, 2009
`
`Sheet 9 of 10
`
`US 7,613,926 B2
`
`Install mobile protection code elements
`and policies within a destination device
`
`Load the downloadble without actually
`initiating it
`
`1101
`
`1102
`
`
`
`y
`
`1103
`
`
`Form an accessinterceptorfor intercepting
`downloadable destination device access
`
`
`attempts within the destination device
`
`Initiate the Downloadable within the
`destination device
`
`1705
`
`
`
`
`
`
`
`
`
`
`Malicious
`access No
`
`Yes
`
`Determine policies in accordancewith the
`access atiempt
`
`
`
`Execute the policies (including causing an
`allowable response expected by the
`Donwloadable to be returnedto the
`Downloadable)
`
`1109
`
`1111
`
`FIG.11
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 14 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 14 of 27
`
`U.S. Patent
`
`Nov.3, 2009
`
`Sheet 10 of 10
`
`US 7,613,926 B2
`
`eTOI
`
`
`
`apoouaoajoid
`
`
`
`q7t“OW
`
`
`
`LZAaijod@auluajep0}satoljodpasojsAand
`
`
`
`a1qepeo|umogau30}Bulpuodsa.ioo
`
`
`
`Jsenbessaooe
`
`Id'¥Palyy|powau}BIA
`
`
`
`
`
`Luziysanba,ssao0eaiqepeo|umog&snle9ay
`
`Loz
`
`
`
`SIQepeo|uUMOGOu)|/2}SU]
`
`
`
`£0ZLHEAIPO}Idsigepeojumogay;AyIpoy)
`
`
`
`
`
`alIGoWay}0}s}senbasssaooesnololew
`
`corr
`
`60TT
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 15 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 15 of 27
`
`US 7,613,926 B2
`
`1
`METHOD AND SYSTEM FOR PROTECTING
`A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES
`
`PRIORITY REFERENCE TO RELATED
`APPLICATIONS
`
`This application is a continuation of assignee’s application
`Ser. No. 09/861 ,229, filed on May 17, 2001, now U.S. Pat. No.
`7,058,822, entitled “Malicious Mobile Code Runtime Moni-
`toring System And Methods”, which is hereby incorporated
`by reference. U.S. application Ser. No. 09/861,229 claims
`benefit of provisional application Ser. No. 60/205,591,
`entitled “Computer Network Malicious Code Run-time
`Monitoring,” filed on May 17, 2000 by inventors Nimrod
`Itzhak Vered, et al., which is hereby incorporated by refer-
`ence. U.S. application Ser. No. 09/861,229 is also a Continu-
`ation-In-Part of U.S. patent application Ser. No. 09/539,667,
`entitled “System and Method for Protecting a Computer and
`a Network From Hostile Downloadables”filed on Mar. 30,
`2000 by inventor Shlomo Touboul, now USS. Pat. No. 6,804,
`780, and hereby incorporated by reference, which is a con-
`tinuation of assignee’s patent application U.S. Ser. No.
`08/964,388, filed on Nov. 6, 1997, now U.S. Pat. No. 6,092,
`194, also entitled “System and Methodfor Protecting a Com-
`puter and a Network from Hostile Downloadables” and
`hereby incorporated by reference. U.S. Ser. No. 09/861,229 is
`also a Continuation-In-Part of U.S. patent application Ser.
`No. 09/551,302, entitled “System and Methodfor Protecting
`a Client During Runtime From Hostile Downloadables”, filed
`on Apr. 18, 2000 by inventor Shlomo Touboul, now U.S. Pat.
`No. 6,480,962, which is hereby incorporated by reference.
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`This invention relates generally to computer networks, and
`moreparticularly provides a system and methodsfor protect-
`ing network-connectable devices from undesirable down-
`loadable operation.
`2. Description of the Background Art
`Advancesin networking technology continue to impact an
`increasing number and diversity of users. The Internet, for
`example, already provides to expert, intermediate and even
`novice users the informational, product and service resources
`of over 100,000 interconnected networks owned by govern-
`ments, universities, nonprofit groups, companies, etc. Unfor-
`tunately, particularly the Internet and other public networks
`have also become a major source of potentially system-fatal
`or otherwise damaging computer code commonlyreferred to
`as “viruses.”
`
`Efforts to forestall viruses from attacking networked com-
`puters have thus far met with only limited success at best.
`Typically, a virus protection program designedto identify and
`removeor protect against the initiating of known viruses is
`installed on a network firewall or individually networked
`computer. The program is then inevitably surmounted by
`some new virus that often causes damage to one or more
`computers. The damageis then assessed and,if isolated, the
`new virus is analyzed. A corresponding newvirus protection
`program (or update thereof) is then developed andinstalled to
`combatthe newvirus, and the new program operates success-
`fully until yet another new virus appears—and so on. Of
`course, damagehasalready typically been incurred.
`To make matters worse, certain classes of viruses are not
`well recognized or understood,let alone protected against. It
`is observedbythis inventor, for example, that Downloadable
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`2
`information comprising program code can include distribut-
`able components(e.g. Java™ applets and JavaScript scripts,
`ActiveX™controls, Visual Basic, add-ins and/or others). It
`can also include, for example, application programs, Trojan
`horses, multiple compressed programs such as zip or meta
`files, among others. U.S. Pat. No. 5,983,348 to Shuang, how-
`ever, teaches a protection system for protecting against only
`distributable components including “Java applets or ActiveX
`controls”, and further does so using resource intensive and
`high bandwidth static Downloadable content and operational
`analysis, and modification of the Downloadable component;
`Shuang further fails to detect or protect against additional
`program code included within a tested Downloadable. U.S.
`Pat. No. 5,974,549 to Golan teaches a protection system that
`further focuses only on protecting against ActiveX controls
`and not other distributable components,
`let alone other
`Downloadable types. U.S. Pat. No. 6,167,520 to Touboul
`enables more accurate protection than Shuang or Golan, but
`lacks the greater flexibility and efficiency taught herein, as do
`Shuang and Golan.
`Accordingly, there remains a need for efficient, accurate
`and flexible protection of computers and other network con-
`nectable devices from malicious Downloadables.
`
`SUMMARY OF THE INVENTION
`
`The present invention provides protection systems and
`methods capable of Protecting a personal computer (“PC”) or
`other persistently or even intermittently network accessible
`devices or processes from harmful, undesirable, suspicious or
`other “malicious” operations that might otherwise be effec-
`tuated by remotely operable code. While enabling the capa-
`bilities ofprior systems, the present invention is not nearly so
`limited, resource intensive orinflexible, and yet enables more
`reliable protection. For example, remotely operable code that
`is protectable against can include downloadable application
`programs, Trojan horses and program code groupings, as well
`as
`software
`“components”,
`such as
`Java™ applets,
`ActiveX™controls, JavaScript™/Visual Basic scripts, add-
`ins, etc., among others. Protection can also be provided in a
`distributed interactively, automatically or mixed configurable
`manner using protected client, server or other parameters,
`redirection, local/remote logging,etc., and other server/client
`based protection measures can also be separately and/or
`interoperably utilized, among other examples.
`In one aspect, embodiments of the invention provide for
`determining, within one or more network “servers”(e.g. fire-
`walls, resources, gateways, email relays or other devices/
`processes that are capable of receiving-and-transferring a
`Downloadable) whether
`received information includes
`executable code (and is a “Downloadable”). Embodiments
`also provide for delivering static, configurable and/or exten-
`sible remotely operable protection policies to a Download-
`able-destination, more typically as a sandboxed package
`including the mobile protection code, downloadable policies
`and one or more received Downloadables. Further client-
`
`based or remote protection code/policies can also be utilized
`in a distributed manner. Embodiments also provide for caus-
`ing the mobile protection codeto be executed within a Down-
`loadable-destination in a mannerthat enables various Down-
`loadable operations to be detected, intercepted or further
`responded to via protection operations. Additional server/
`information-destination device security or other protection is
`also enabled, amongstill further aspects.
`A protection engine according to an embodimentof the
`invention is operable within one or more network servers,
`firewalls or other network connectable information re-com-
`
`

`

`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 16 of 27
`Case 3:17-cv-05659-WHA Document 1-4 Filed 09/29/17 Page 16 of 27
`
`US 7,613,926 B2
`
`3
`municating devices (as are referred to herein summarily one
`or more “servers” or “re-communicators”’). The protection
`engine includes an information monitor for monitoring infor-
`mation receivedbythe server, and a code detection engine for
`determining whether the received information includes
`executable code. The protection engine also includes a pack-
`aging engine for causing a sandboxed package, typically
`including mobile protection code and downloadable protec-
`tion policies to be sent to a Downloadable-destination in
`conjunction with the received information, if the received
`information is determined to be a Downloadable.
`
`A sandboxed package according to an embodimentof the
`invention is receivable by and operable with a remote Down-
`loadable-destination. The
`sandboxed package includes
`mobile protection code (“MPC”) for causing one or more
`predetermined malicious operations or operation combina-
`tions of a Downloadable to be monitored or otherwise inter-
`cepted. The sandboxed packagealso includesprotection poli-
`cies
`(operable alone or
`in conjunction with further
`Downloadable-destination stored or received policies/MPCs)
`for causing one or more predetermined operationsto be per-
`formed if one or more undesirable operations of the Down-
`loadable is/are intercepted. The sandboxed package can also
`include a corresponding Downloadable and can provide for
`initiating the Downloadable in a protective “sandbox”. The
`MPC/policies can further
`include a communicator
`for
`enabling further MPC/policy information or “modules”to be
`utilized and/or for event logging or other purposes.
`A sandboxprotection system according to an embodiment
`ofthe invention comprises an installer for enabling a received
`MPCto be executed within a Downloadable-destination (de-
`vice/process) and further causing a Downloadable applica-
`tion program, distributable component or other received
`downloadable code to be received and installed within the
`Downloadable-destination. The protection system also
`includes a diverter for monitoring one or more operation
`attempts of the Downloadable, an operation analyzer for
`determining one or more responses to the attempts, and a
`security enforcer for effectuating responses to the monitored
`operations. The protection system can further include one or
`more security policies according to which one or more pro-
`tection system elements are operable automatically (e.g. pro-
`grammatically) or in conjunction with user intervention(e.g.
`as enabled by the security enforcer). The security policies can
`also be configurable/extensible in accordance with further
`downloadable and/or Downloadable-destination informa-
`tion.
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`A method according to an embodiment of the invention
`includes receiving downloadable information, determining
`whether the downloadable information includes executable
`
`50
`
`code, and causing a mobile protection code and security
`policies to be communicated to a network client in conjunc-
`tion with security policies and the downloadable information
`if the downloadable information is determined to include
`executable code. The determining can further provide mul-
`tiple tests for detecting, alone or together, whether the down-
`loadable information includes executable code.
`
`A further method according to an embodiment of the
`invention includes
`forming a sandboxed package that
`includes mobile protection code (“MPC”), protection poli-
`cies, anda received, detected-Downloadable, and causing the
`sandboxed package to be communicatedto and installed by a
`receiving device or process (“user device’’) for responding to
`one or more malicious operation attempts by the detected-
`Downloadable from within the user device. The MPC/poli-
`cies can further include a base “module”and a “communica-
`
`4
`tor” for enabling further up/downloading of one or more
`further “modules”or other information (e.g. events, user/user
`device information, etc.).
`Another method according to an embodimentofthe inven-
`tion includesinstalling, within a user device, received mobile
`protection code (“MPC”) and protection policies in conjunc-
`tion with the user device receiving a downloadable applica-
`tion program, component or other Downloadable(s). The
`method also includes determining, by the MPC, a resource
`access attempt by the Downloadable, and initiating, by the
`MPC,one or more predetermined operations corresponding
`to the attempt. (Predetermined operations can, for example,
`comprise initiating user, administrator, client, networkor pro-
`tection system determinable operations, including but not
`limited to modifying the Downloadable operation,extricating
`the Downloadable, notifying a user/another, maintaining a
`local/remote log, causing one or more MPCs/policies to be
`downloaded, etc.)
`systems and methods according to
`Advantageously,
`embodiments of the invention enable potentially damaging,
`undesirable or otherwise malicious operations by even
`unknown mobile code to be detected, prevented, modified
`and/or otherwise protected against without modifying the
`mobile code. Such protection is further enabled in a manner
`that is capable of minimizing server and client resource
`requirements, does not require pre-installation of security
`code within a Downloadable-destination, and provides for
`client specific or generic and readily updateable security mea-
`sures to be flexibly and efficiently implemented. Embodi-
`ments further provide for thwarting efforts to bypass security
`measures (e.g. by “hiding” undesirable operation causing
`information within apparently inert or otherwise “friendly”
`downloadable information) and/or dividing or combining
`security measures for even greater flexibility and/or effi-
`ciency.
`Embodiments also provide for determining protection
`policies that can be downloaded and/or ascertained from
`other security information(e.g. browsersettings, administra-
`tive policies, user input, uploaded information,etc.). Differ-
`ent actions in responseto different Downloadable operations,
`clients, users and/or other criteria are also enabled, and
`embodiments provide for implementing other security mea-
`sures, such as verifying a downloadable source, certification,
`authentication, etc. Appropriate action can also be accom-
`plished automatically (e.g. programmatically) and/or in con-
`junction with alerting one or more users/administrators, uti-
`lizing user input, etc. Embodiments further enable desirable
`Downloadable operations to remain substantially unaffected,
`amongother aspects.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`55
`
`60
`
`65
`
`FIG.1a is a block diagramillustrating a network system in
`accordance with an embodimentof the present invention;
`FIG. 16 is a block diagram illustrating a network