Case 3:17-cv-05659-WHA Document 1-7 Filed 09/29/17 Page 1 of 34

EXHIBIT 7

US007975305B2

(12) United States Patent
Rubin et al.

(10) Patent No.: US 7,975,305 B2
(45) Date of Patent: Jul. 5, 2011

(54) METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS

(75) Inventors: Moshe Rubin, Jerusalem (IL); Moshe Matitya, Jerusalem (IL); Artem Melnick, Beit Shemesh (IL); Shlomo Touboul, Kefar-Haim (IL); Alexander Yermakov, Beit Shemesh (IL); Amit Shaked, Tel Aviv (IL)

(73) Assignee: Finjan, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1016 days.

(21) Appl. No.: 11/009,437

(22) Filed: Dec. 9, 2004

(65) Prior Publication Data: US 2005/0240999 A1, Oct. 27, 2005

Related U.S. Application Data

(63) Continuation-in-part of application No. 10/930,884, filed on Aug. 30, 2004, which is a continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

(51) Int. Cl.: G06F 11/00 (2006.01); G06F 21/00 (2006.01)
(52) U.S. Cl.: 726/25; 726/22; 713/153
(58) Field of Classification Search: None. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,077,677 A     12/1991  Murphy et al.       706/62
5,359,659 A     10/1994  Rosenthal
5,361,359 A     11/1994  Tajalli et al.
5,414,833 A *    5/1995  Hershey et al.
5,485,409 A      1/1996  Gupta et al.        726/25
(Continued)

FOREIGN PATENT DOCUMENTS

EP  1091276  4/2001
(Continued)

OTHER PUBLICATIONS

D. Grune, et al., Parsing Techniques: A Practical Guide, 2000, John Wiley & Sons, Inc., New York, NY, USA, pp. 1-326.*
(Continued)

Primary Examiner: Emmanuel L Moise
Assistant Examiner: Jeffery Williams
(74) Attorney, Agent, or Firm: Dawn-Marie Bey; King & Spalding LLP

(57) ABSTRACT

A security system for scanning content within a computer, including a network interface, housed within a computer, for receiving content from the Internet on its destination to an Internet application running on the computer, a database of rules corresponding to computer exploits, stored within the computer, a rule-based content scanner that communicates with said database of rules, for scanning content to recognize the presence of potential exploits therewithin, a network traffic probe, operatively coupled to the network interface and to the rule-based content scanner, for selectively diverting content from its intended destination to the rule-based content scanner, and a rule update manager that communicates with said database of rules, for updating said database of rules periodically to incorporate new rules that are made available. A method and a computer readable storage medium are also described and claimed.

25 Claims, 14 Drawing Sheets


`

U.S. PATENT DOCUMENTS (continued)

5,485,575 A      1/1996  Chess et al.         714/38
5,572,643 A     11/1996  Judson               709/218
5,579,509 A     11/1996  Furtney et al.       703/27
5,606,668 A      2/1997  Shwed                726/13
5,623,600 A      4/1997  Ji et al.            726/24
5,638,446 A      6/1997  Rubin                705/51
5,675,711 A *   10/1997  Kephart et al.       706/12
5,692,047 A     11/1997  McManis              713/167
5,692,124 A     11/1997  Holden et al.        726/2
5,720,033 A      2/1998  Deo                  726/2
5,724,425 A      3/1998  Chang et al.         705/52
5,740,248 A      4/1998  Fieres et al.        713/156
5,740,441 A *    4/1998  Yellin et al.        717/134
5,761,421 A      6/1998  van Hoff et al.      709/223
5,765,205 A      6/1998  Breslau et al.       711/203
5,784,459 A      7/1998  Devarakonda et al.   713/165
5,796,952 A      8/1998  Davis et al.         709/224
5,805,829 A      9/1998  Cohen et al.         709/202
5,832,208 A     11/1998  Chen et al.          726/24
5,832,274 A     11/1998  Cutler et al.
5,850,559 A     12/1998  Angelo et al.        713/320
5,859,966 A      1/1999  Hayman et al.        726/23
5,864,683 A      1/1999  Boebert et al.       709/249
5,881,151 A *    3/1999  Yamamoto             726/24
5,884,033 A *    3/1999  Duvall et al.        709/206
5,892,904 A      4/1999  Atkinson et al.      726/22
5,951,698 A      9/1999  Chen et al.          714/38
5,956,481 A      9/1999  Walsh et al.         726/23
5,963,742 A *   10/1999  Williams             717/143
5,974,549 A     10/1999  Golan                726/23
5,978,484 A     11/1999  Apperson et al.      705/54
5,983,348 A *   11/1999  Ji                   726/13
5,987,611 A *   11/1999  Freund               726/4
6,088,801 A *    7/2000  Grecsek              726/1
6,088,803 A *    7/2000  Tso et al.           726/22
6,092,194 A      7/2000  Touboul              726/24
6,154,844 A     11/2000  Touboul et al.       726/24
6,167,520 A     12/2000  Touboul              726/23
6,339,829 B1     1/2002  Beadle et al.        726/15
6,425,058 B1     7/2002  Arimilli et al.      711/134
6,434,668 B1     8/2002  Arimilli et al.      711/128
6,434,669 B1     8/2002  Arimilli et al.      711/128
6,480,962 B1    11/2002  Touboul              726/22
6,487,666 B1    11/2002  Shanklin et al.      726/23
6,519,679 B2     2/2003  Devireddy et al.     711/114
6,598,033 B2 *   7/2003  Ross et al.          706/46
6,732,179 B1     5/2004  Brown et al.         709/229
6,804,780 B1    10/2004  Touboul              713/181
6,917,953 B2     7/2005  Simon et al.         707/204
7,058,822 B2     6/2006  Edery et al.         726/22
7,143,444 B2    11/2006  Porras et al.        726/30
7,210,041 B1 *   4/2007  Gryaznov et al.      713/188
7,308,648 B1    12/2007  Buchthal et al.      715/234
7,343,604 B2     3/2008  Grabarnik et al.     719/313
7,418,731 B2     8/2008  Touboul              726/22
2002/0059157 A1 *   5/2002  Spooner et al.     706/45
2002/0066024 A1 *   5/2002  Schmall et al.     713/200
2002/0073330 A1 *   6/2002  Chandnani et al.   713/200
2003/0014662 A1     1/2003  Gupta et al.       726/23
2003/0101358 A1     5/2003  Porras et al.      726/4
2004/0073811 A1 *   4/2004  Sanin              713/201
2004/0088425 A1 *   5/2004  Rubinstein et al.  709/230
2005/0050338 A1     3/2005  Liang et al.       713/188
2005/0172338 A1     8/2005  Sandu et al.       726/22
2006/0031207 A1     2/2006  Bjarnestam et al.  707/3
2006/0048224 A1     3/2006  Duncan et al.      726/22
2008/0066160 A1     3/2008  Becker et al.      726/4
2010/0195909 A1 *   8/2010  Wasson et al.      382/176

FOREIGN PATENT DOCUMENTS (continued)

EP  1132796  9/2001

OTHER PUBLICATIONS (continued)

International Search Report for Application No. PCT/IL05/00915, 4 pp., dated Mar. 3, 2006.
Zhong, et al., "Security in the Large: is Java's Sandbox Scalable?," Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6, Oct. 1998.
Rubin, et al., "Mobile Code Security," IEEE Internet, pp. 30-34, Dec. 1998.
Schmid, et al., "Protecting Data From Malicious Software," Proceedings of the 18th Annual Computer Security Applications Conference, pp. 1-10, 2002.
Corradi, et al., "A Flexible Access Control Service for Java Mobile Code," IEEE, pp. 356-365, 2000.
International Search Report for Application No. PCT/IB97/01626, 3 pp., May 14, 1998 (mailing date).
Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated Mar. 3, 2006 (mailing date).
International Search Report for Application No. PCT/IB01/01138, 4 pp., Sep. 20, 2002 (mailing date).
International Preliminary Examination Report for Application No. PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
Gerzic, Amer, "Write Your Own Regular Expression Parser," Nov. 17, 2003, 18 pp., Retrieved from the Internet: http://www.codeguru.com/Cpp/Cpp/cpp_mfc/parsing/article.php/c4093/.
Power, James, "Lexical Analysis," 4 pp., May 14, 2006, Retrieved from the Internet: http://www.cs.may.ie/~jpower/Courses/compilers/notes/lexical.pdf.
Sitaker, Kragen, "Rapid Genetic Evolution of Regular Expressions" [online], The Mail Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004), 5 pp., Retrieved from the Internet: http://www.mail-archive.com/kragen-tol@canonical.org/msg00097.html.
"Lexical Analysis: DFA Minimization & Wrap Up" [online], Fall 2004 [retrieved on Mar. 2, 2005], 8 pp., Retrieved from the Internet: http://www.owlnet.rice.edu/~comp412/Lectures/L06LexWrapup4.pdf.
"Minimization of DFA" [online], [retrieved on Dec. 7, 2004], 7 pp., Retrieved from the Internet: http://www.cs.odu.edu/~toida/nerzic/390teched/regular/fa/min-fa.html.
"Algorithm: NFA -> DFA" [online], Copyright 1999-2001 [retrieved on Dec. 7, 2004], 4 pp., Retrieved from the Internet: http://rw4.cs.uni-sb.de/~ganimal/GANIFA/page16_e.htm.
"CS 3813: Introduction to Formal Languages and Automata: State Minimization and Other Algorithms for Finite Automata," 3 pp., May 11, 2003, Retrieved from the Internet: http://www.cs.msstate.edu/~hansen/classes/3813fall01/slides/06Minimize.pdf.
Watson, Bruce W., "Constructing Minimal Acyclic Deterministic Finite Automata," [retrieved on Mar. 20, 2005], 38 pp., Retrieved from the Internet: http://www.win.tue.nl/~watson/2R870/downloads/madfa_algs.pdf.
Chang, Chia-Hsiang, "From Regular Expressions to DFA's Using Compressed NFA's," Oct. 1992, 243 pp., http://www.cs.nyu.edu/web/Research/Theses/chang_chia-hsiang.pdf.
"Products," Articles published on the Internet, "Revolutionary Security for a New Computing Paradigm" regarding SurfinGate(TM), 7 pp.
"Release Notes for the Microsoft ActiveX Development Kit," Aug. 13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
Doyle, et al., "Microsoft Press Computer Dictionary," Microsoft Press, 2d Edition, pp. 137-138, 1993.
Finjan Software Ltd., "Powerful PC Security for the New World of Java(TM) and Downloadables, SurfinShield(TM)," Article published on the Internet by Finjan Software Ltd., 2 pp., 1996.
Finjan Software Ltd., "Finjan Announces a Personal Java(TM) Firewall for Web Browsers: the SurfinShield(TM) 1.6 (formerly known as SurfinBoard)," Press Release of Finjan Releases SurfinShield 1.6, 2 pp., Oct. 21, 1996.
Finjan Software Ltd., "Finjan Announces Major Power Boost and New Features for SurfinShield(TM) 2.0," Las Vegas Convention Center/Pavilion 5 P5551, 3 pp., Nov. 18, 1996.
Finjan Software Ltd., "Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product for the World Wide Web," Article published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
Finjan Software Ltd., "Java Security: Issues & Solutions," Article published on the Internet by Finjan Software Ltd., 8 pp., 1996.
Finjan Software Ltd., Company Profile, "Finjan: Safe Surfing, The Java Security Solutions Provider," Article published on the Internet by Finjan Software Ltd., 3 pp., Oct. 31, 1996.

"IBM AntiVirus User's Guide, Version 2.4," International Business Machines Corporation, pp. 6-7, Nov. 15, 1995.
Khare, R., "Microsoft Authenticode Analyzed" [online], Jul. 22, 1996 [retrieved on Jun. 25, 2003], 2 pp., Retrieved from the Internet: http://www.xent.com/FoRK-archive/summer96/0338.html.
LaDue, M., Online Business Consultant: Java Security: Whose Business is It?, Article published on the Internet, Home Page Press, Inc., 4 pp., 1996.
Leach, Norvin, et al., "IE 3.0 Applets Will Earn Certification," PC Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
Moritz, R., "Why We Shouldn't Fear Java," Java Report, pp. 51-56, Feb. 1997.
Microsoft, "Microsoft ActiveX Software Development Kit" [online], Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6, Retrieved from the Internet: activex.adsp.or.jp/inetsdk/help/overview.htm.
Microsoft Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet," Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction, and pp. 1-10.
Microsoft Corporation, Web Page Article "Frequently Asked Questions About Authenticode," last updated Feb. 17, 1997, printed Dec. 23, 1998, URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Okamoto, E., et al., "ID-Based Authentication System for Computer Virus Detection," IEEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170, URL: http://iel.ihs.com:80/cgi-bin/iel_cgi?se...2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
Omura, J. K., "Novel Applications of Cryptography in Digital Communications," IEEE Communications Magazine, pp. 21-29, May 1990.
Schmitt, D.A., ".EXE files, OS-2 style," PC Tech Journal, vol. 6, No. 11, p. 76(13), Nov. 1988.
Zhang, X. N., "Secure Code Distribution," IEEE Electronic Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
Power, James, "Notes on Formal Language Theory and Parsing," National University of Ireland, pp. 1-40, 1999.

* cited by examiner

DRAWING SHEETS (14 sheets; only the legible labels of each figure are kept here)

Sheet 1 of 14, FIG. 1: GATEWAY, NETWORK.
Sheet 2 of 14, FIG. 2: SUB-SCANNER 200, BYTE SOURCE, PARSER RULES, PARSE TREE.
Sheet 3 of 14, FIG. 3: finite state machine for detecting tokens (rotated labels; the legible one reads "punctuation").
Sheet 4 of 14, FIG. 4A-1: non-deterministic finite automaton (labels not legible).
Sheet 5 of 14, FIG. 4A-2: continuation of the NFA, with an "epsilon" transition.
Sheet 6 of 14: deterministic finite automaton equivalent to FIG. 4A (FIG. 4B per the Brief Description of the Drawings; labels not legible).
Sheet 7 of 14: finite state machine for a pattern, with a state labelled NUMBER (FIG. 5 per the Brief Description of the Drawings).
Sheet 8 of 14, FIG. 6, parser flowchart: call tokenizer to retrieve next token; add token to parse tree; is there a pattern match with a parser rule? If so, and the rule does not have a NONODE attribute, perform the action associated with the matched parser rule: create a new node, called [rule-name], and place the matching nodes under the new node. Unless the rule has a NOANALYZE attribute, call analyzer to determine if a potential exploit is present. If the analyzer finds a match with an analyzer rule, perform the action associated with the matched analyzer rule: record analyzer rule at current node, as level 0, then propagate analyzer rule upward through node parents, as successively increasing level.
Sheet 9 of 14, FIG. 7: labels not legible.
Sheet 10 of 14, FIG. 8: BUILDER, ARB SCANNER FACTORY, SCANNER REPOSITORY; ARB SCANNER (JAVASCRIPT), ARB SCANNER (URI) and a further ARB SCANNER, each with its own TOKENIZER and PARSER.
Sheet 11 of 14, FIG. 9: NETWORK INTERFACE receiving Internet traffic to desktop over TCP/IP (HTTP, HTTPS, FTP, SMTP, POP3, etc.); CONTENT BLOCKER; RULES MANAGER; EXPLOIT RULES DATABASE; RULES UPDATE to desktop; output to browser, mail client and other Internet applications.
Sheet 12 of 14, FIG. 10: RULES UPDATE SERVER and RULES COMPILER; inputs NEW EXPLOIT DESCRIPTION, NEW RULE, UPDATED RULE; Internet traffic to desktop over TCP/IP (HTTP, HTTPS, FTP, SMTP, POP3, etc.); rules update to desktop.
Sheet 13 of 14, FIG. 11: several ARB SCANNER and LOCAL SECURITY PROFILE CACHE pairs connected to a CENTRAL SECURITY PROFILE CACHE.
Sheet 14 of 14, FIG. 12: ARB SCANNER producing a SECURITY PROFILE, SANDBOX SCANNER producing a MODIFIED SECURITY PROFILE, LOCAL SECURITY PROFILE CACHE.

METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS

CROSS REFERENCES TO RELATED APPLICATIONS

This application is a continuation-in-part of assignee's pending application U.S. Ser. No. 10/930,884, filed on Aug. 30, 2004, entitled "Method and System for Adaptive Rule-Based Content Scanners," which is a continuation-in-part of assignee's application U.S. Ser. No. 09/539,667, filed on Mar. 30, 2000, now U.S. Pat. No. 6,804,780, entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables," which is a continuation of assignee's patent application U.S. Ser. No. 08/964,388, filed on 6 Nov. 1997, now U.S. Pat. No. 6,092,194, also entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables."

FIELD OF THE INVENTION

The present invention relates to network security, and in particular to scanning of mobile content for exploits.

BACKGROUND OF THE INVENTION

Conventional anti-virus software scans a computer file system by searching for byte patterns, referred to as signatures, that are present within known viruses. If a virus signature is discovered within a file, the file is designated as infected.

Content that enters a computer from the Internet poses additional security threats, as such content executes upon entry into a client computer, without being saved into the computer's file system. Content such as JavaScript and VBScript is executed by an Internet browser, as soon as the content is received within a web page.

Conventional network security software also scans such mobile content by searching for heuristic virus signatures. However, in order to be as protective as possible, virus signatures for mobile content tend to be over-conservative, which results in significant over-blocking of content. Over-blocking refers to false positives; i.e., in addition to blocking of malicious content, prior art technologies also block a significant amount of content that is not malicious.

Another drawback with prior art network security software is that it is unable to recognize combined attacks, in which an exploit is split among different content streams. Yet another drawback is that prior art network security software is unable to scan content containers, such as URI within JavaScript.

All of the above drawbacks with conventional network security software are due to an inability to diagnose mobile code. Diagnosis is a daunting task, since it entails understanding incoming byte source code. The same malicious exploit can be encoded in an endless variety of ways, so it is not sufficient to look for specific signatures. Nevertheless, in order to accurately block malicious code with minimal over-blocking, a thorough diagnosis is required.

SUMMARY OF THE DESCRIPTION

The present invention enables behavioral analysis of content. As distinct from prior art approaches that search for byte patterns, the approach of the present invention is to analyze incoming content in terms of its programmatic behavior. Behavioral analysis is an automated process that parses and diagnoses a software program, to determine if such program can carry out an exploit.

The present invention provides a method and system for scanning content that includes mobile code, to produce a diagnostic analysis of potential exploits within the content. The present invention is preferably used within a network gateway or proxy, to protect an intranet against viruses and other malicious mobile code.

The content scanners of the present invention are referred to as adaptive rule-based (ARB) scanners. An ARB scanner is able to adapt itself dynamically to scan a specific type of content, such as inter alia JavaScript, VBScript, URI, URL and HTML. ARB scanners differ from prior art scanners that are hard-coded for one particular type of content. In distinction, ARB scanners are data-driven, and can be enabled to scan any specific type of content by providing appropriate rule files, without the need to modify source code. Rule files are text files that describe lexical characteristics of a particular language. Rule files for a language describe character encodings, sequences of characters that form lexical constructs of the language, referred to as tokens, patterns of tokens that form syntactical constructs of program code, referred to as parsing rules, and patterns of tokens that correspond to potential exploits, referred to as analyzer rules. Rules files thus serve as adaptors, to adapt an ARB content scanner to a specific type of content.

The present invention also utilizes a novel description language for efficiently describing exploits. This description language enables an engineer to describe exploits as logical combinations of patterns of tokens.

Thus it may be appreciated that the present invention is able to diagnose incoming content for malicious behavior. As such, the present invention achieves very accurate blocking of content, with minimal over-blocking as compared with prior art scanning technologies.

There is thus provided in accordance with a preferred embodiment of the present invention a security system for scanning content within a computer, including a network interface, housed within a computer, for receiving content from the Internet on its destination to an Internet application running on the computer, a database of rules corresponding to computer exploits, stored within the computer, a rule-based content scanner that communicates with said database of rules, for scanning content to recognize the presence of potential exploits therewithin, a network traffic probe, operatively coupled to the network interface and to the rule-based content scanner, for selectively diverting content from its intended destination to the rule-based content scanner, and a rule update manager that communicates with said database of rules, for updating said database of rules periodically to incorporate new rules that are made available.

There is moreover provided in accordance with a preferred embodiment of the present invention a method for scanning content within a computer, including receiving content from the Internet on its destination to an Internet application, selectively diverting the received content from its intended destination, scanning the selectively diverted content to recognize potential exploits therewithin, based on a database of rules corresponding to computer exploits, and updating the database of rules periodically to incorporate new rules that are made available.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving content from the Internet on its destination to an Internet application, selectively diverting
`

`

`Case 3:17-cv-05659-WHA Document 1-7 Filed 09/29/17 Page 20 of 34
`Case 3:17-cv-05659-WHA Document 1-7 Filed 09/29/17 Page 20 of 34
`
`US 7,975,305 B2
`
`3
`4
`under general operational conditions, without executing the
`the received content from its intended destination, scanning
`the selectively diverted contentto recognize potential exploits
`content, and derives a security profile for the content that
`therewithin, based on a database of rules corresponding to
`identifies conditionally malicious code therein, which is
`computer exploits, and updating the database of rules peri-
`malicious or non-malicious depending upon values of opera-
`odically to incorporate new rules that are made available.
`tional data, and a second scanner, connectedin series with the
`There is yet further provided in accordance withapreferred
`first scanner, that analyzes the content under specific opera-
`embodimentof the present invention, a method for network
`tional conditions corresponding to specific values of the
`security, including scanning content received over a computer
`operational data, by executing the content, and modifies the
`network for potential malicious code, the intended destina-
`security profile for the contentif the conditionally malicious
`tion of the content being a software application, including
`code identified in the security profile is found to be malicious
`deriving a hash value for the received content, querying a
`for the specific values of the operational data.
`local security cache for the presence of the hash value, the
`There is yet further provided in accordance with a preferred
`local security cache storing hash values for content and cor-
`embodimentof the present invention a method for network
`responding security profiles, whereby security profiles iden-
`security, including analyzing incoming content under general
`tify potentially malicious code within content, and if the
`operational conditions, without executing the content, deriv-
`querying is affirmative, then retrieving a security policy for
`ing a security profile for the contentthat identifies condition-
`the content from the local security cache,else if the querying
`ally malicious code therein, which is malicious or non-mali-
`is not affirmative, then deriving a security profile for the
`cious depending upon values of operational data, if the
`received content, storing the hash value and the derived secu-
`security profile identifies conditionally malicious code within
`rity policy in the local security cache, and transmitting the
`the content, then further analyzing the content underspecific
`hash value andthe security policy to a central security cache,
`and periodically updating the local security cache with hash
`operational conditions correspondingto specific values ofthe
`values and corresponding security profiles from the central
`operational data, by executing the content, and modifying the
`security cache.
`security profile for the contentif the conditionally malicious
`There is additionally provided in accordance with a pre-
`code identified in the security profile is found to be malicious
`ferred embodimentof the present invention a network secu-
`for the specific values ofthe operationaldata, so asto identify
`rity system including a plurality of inter-connected comput-
`the conditionally malicious code as being malicious.
`ers within a network, each of the plurality of computers
`There is yet further provided in accordance with a preferred
`including a local security cache that stores hash values for
`embodiment of the present invention a computer-readable
`content and corresponding contentsecurity profiles, whereby
`storage medium storing program code for causing a computer
`security profiles identify potentially malicious code within
`to perform the steps of analyzing incoming content under
`content, a scanner that communicates bi-directionally with
`general operational conditions, without executing the con-
`the local security cache, for (1) examining incoming content
`tent, deriving a security profile for the content that identifies
`and deriving a hash valuetherefor, the intended destination of
`conditionally malicious code therein, which is malicious or
`the content being a software application; (11) querying the
`non-malicious depending upon values of operationaldata, if
`local security cache for the presence of the derived hash
`the security profile identifies conditionally malicious code
`value; and (ili) examining incoming content and deriving a
`within the content, then further analyzing the content under
`security profile therefor, and a central security cache storing
`specific operational conditions corresponding to specific val-
`hash values for content and corresponding content security
`ues of the operational data, by executing the content, and
`profiles, to which hash values and corresponding security
`modifying the security profile for the content ifthe condition-
`profiles are received from the plurality of inter-connected
`ally malicious code identified in the security profile is found
`computers, and from which updated hash values andcorre-
`to be maliciousfor the specific values of the operational data,
`sponding security profiles are transmitted to the plurality of
`so as to identify the conditionally malicious code as being
`malicious.
`local security caches.
There is moreover provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of scanning content received over a computer network for potential malicious code, the intended destination of the content being a software application, including deriving a hash value for the received content, querying a local security cache for the presence of the hash value, the local security cache storing hash values for content and corresponding security profiles, whereby security profiles identify potentially malicious code within content, and if the querying is affirmative, then retrieving a security policy for the content from the local security cache, else if the querying is not affirmative, then deriving a security profile for the received content, storing the hash value and the derived security policy in the local security cache, and transmitting the hash value and the security policy to a central security cache, and periodically updating the local security cache with hash values and corresponding security profiles from the central security cache.
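The cache protocol described above (lookup of a content hash in a local cache, derivation of a security profile on a miss, reporting of the new pair to a central cache, and periodic pull of updates from it) as working code. This is an added example, not code from the patent or from Finjan: the page leaves the scanner and the security profile abstract, so here the profile is the set of patterns a stand-in keyword scanner matched, SHA-256 is assumed as the hash (the page names none), and every name such as LocalSecurityCache, CentralSecurityCache and SUSPICIOUS_PATTERNS is the example's own.

```python
import hashlib
from typing import Dict, Set, Tuple

# A security profile is left abstract on the page; this example represents it
# as the set of potentially malicious patterns the (stand-in) scanner found.
SecurityProfile = Set[str]

# Hypothetical rule list standing in for the scanner's rule base (constructed).
SUSPICIOUS_PATTERNS = ("eval(", "document.write(", "ActiveXObject(")


def derive_hash(content: bytes) -> str:
    """Hash the received content. SHA-256 is an assumption; the page names no hash."""
    return hashlib.sha256(content).hexdigest()


def derive_security_profile(content: bytes) -> SecurityProfile:
    """The expensive step the cache exists to avoid: analyse the content.
    Stand-in keyword scan; a real scanner would tokenize and parse the content."""
    text = content.decode("utf-8", errors="replace")
    return {pattern for pattern in SUSPICIOUS_PATTERNS if pattern in text}


class CentralSecurityCache:
    """Receives (hash, profile) pairs from every node and serves them back."""

    def __init__(self) -> None:
        self.entries: Dict[str, SecurityProfile] = {}

    def submit(self, content_hash: str, profile: SecurityProfile) -> None:
        self.entries[content_hash] = set(profile)

    def snapshot(self) -> Dict[str, SecurityProfile]:
        return {h: set(p) for h, p in self.entries.items()}


class LocalSecurityCache:
    """Per-node cache implementing the lookup / derive / report / update steps."""

    def __init__(self, central: CentralSecurityCache) -> None:
        self.central = central
        self.entries: Dict[str, SecurityProfile] = {}
        self.derivations = 0  # how many times the expensive scan actually ran

    def scan(self, content: bytes) -> Tuple[SecurityProfile, bool]:
        """Return (profile, cache_hit). On a hit the stored profile is returned
        unchanged; on a miss the content is analysed, stored and reported."""
        content_hash = derive_hash(content)
        cached = self.entries.get(content_hash)
        if cached is not None:
            return set(cached), True
        profile = derive_security_profile(content)
        self.derivations += 1
        self.entries[content_hash] = set(profile)
        self.central.submit(content_hash, profile)
        return set(profile), False

    def update_from_central(self) -> int:
        """Periodic update: pull entries this node does not hold yet."""
        added = 0
        for content_hash, profile in self.central.snapshot().items():
            if content_hash not in self.entries:
                self.entries[content_hash] = profile
                added += 1
        return added


def demo() -> dict:
    """Two nodes sharing one central cache; the content is a constructed sample."""
    central = CentralSecurityCache()
    node_a = LocalSecurityCache(central)
    node_b = LocalSecurityCache(central)
    script = b"<script>eval(unescape('%61%6c%65%72%74'))</script>"  # constructed
    profile_a, hit_a = node_a.scan(script)        # miss: derived and reported
    _, hit_a_again = node_a.scan(script)          # hit: no second derivation
    pulled = node_b.update_from_central()         # node B learns the entry
    profile_b, hit_b = node_b.scan(script)        # hit without ever scanning
    _, hit_variant = node_b.scan(script + b"\n")  # one byte changed: a miss
    return {
        "profile": sorted(profile_a),
        "first_hit": hit_a,
        "second_hit": hit_a_again,
        "pulled": pulled,
        "node_b_hit": hit_b,
        "node_b_profile_matches": profile_b == profile_a,
        "variant_hit": hit_variant,
        "derivations": (node_a.derivations, node_b.derivations),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of the scheme show up in demo(): a node that pulled an entry from the central cache never runs the scanner for that content, and the key is the exact bytes, so a one-byte variant of already-classified content is a miss and is scanned afresh. The second point is also the scheme's limit: caching saves work only for byte-identical content, and the central cache becomes a trust anchor, since a wrong profile submitted by one node, or an entry altered in transit, is pulled by every other node on the next update; the sync channel and the stored pairs therefore need integrity protection that the page does not describe.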
There is further provided in accordance with a preferred embodiment of the present invention a network security system including a first scanner that analyzes incoming content

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

FIG. 1 is a simplified block diagram of an overall gateway security system that uses an adaptive rule-based (ARB) content scanner, in accordance with a preferred embodiment of the present invention;

FIG. 2 is a simplified block diagram of an adaptive rule-based content scanner system, in accordance with a preferred embodiment of the present invention;

FIG. 3 is an illustration of a simple finite state machine for detecting tokens “a” and “ab”, used in accordance with a preferred embodiment of the present invention;

FIG. 4A is an example of a non-deterministic finite automaton (NFA) for matching a pattern of tokens;

FIG. 4B is an example of a deterministic finite automaton (DFA) which is equivalent to the NFA of FIG. 4A;

FIG. 5 is an illustration of a simple finite state machine for a pattern, used in accordance with a preferred embodiment of the present invention;

Case 3:17-cv-05659-WHA Document 1-7 Filed 09/29/17 Page 21 of 34

US 7,975,305 B2

FIG. 6 is a simplified flowchart of operation of a parser for a specific content language within an ARB content scanner, in accordance with a preferred embodiment
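FIG. 3 is described above only as a finite state machine for detecting the tokens “a” and “ab”. As an added illustration, not the patent's own code, the following builds such a machine from a list of literal tokens (a trie-shaped DFA: one state per prefix, accepting states tagged with the token they complete) and runs it with longest-match, which is what makes “ab” win over “a” when both start at the same position. It generalizes beyond the figure's two tokens to any list of literal tokens, and backtracking to the last accepting state handles a longer candidate that fails partway. The function names, and the inputs and extra tokens used in the examples, are this example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Transition table: state -> (character -> next state). State 0 is the start.
Transitions = Dict[int, Dict[str, int]]


def build_token_dfa(tokens: List[str]) -> Tuple[Transitions, Dict[int, str]]:
    """Build a trie-shaped DFA recognising the given literal tokens.
    accepting[state] is the token completed on reaching that state."""
    transitions: Transitions = {0: {}}
    accepting: Dict[int, str] = {}
    for token in tokens:
        state = 0
        for ch in token:
            nxt = transitions[state].get(ch)
            if nxt is None:                 # allocate a fresh state for a new prefix
                nxt = len(transitions)
                transitions[state][ch] = nxt
                transitions[nxt] = {}
            state = nxt
        accepting[state] = token
    return transitions, accepting


def tokenize(text: str, tokens: List[str]) -> List[Tuple[str, str]]:
    """Scan text with longest-match. Returns (kind, lexeme) pairs where kind is
    'TOKEN' for a recognised token and 'UNKNOWN' for a single unmatched character."""
    transitions, accepting = build_token_dfa(tokens)
    out: List[Tuple[str, str]] = []
    i = 0
    while i < len(text):
        state = 0
        j = i
        last_accept: Optional[int] = None   # end offset of the longest token seen so far
        # Follow transitions as far as the input allows, remembering accepting points.
        while j < len(text) and text[j] in transitions[state]:
            state = transitions[state][text[j]]
            j += 1
            if state in accepting:
                last_accept = j
        if last_accept is None:
            out.append(("UNKNOWN", text[i]))   # no token starts here; consume one char
            i += 1
        else:
            out.append(("TOKEN", text[i:last_accept]))  # back up to the last accept
            i = last_accept
    return out


if __name__ == "__main__":
    # The figure's machine: tokens "a" and "ab" (input strings are constructed).
    print(tokenize("aab", ["a", "ab"]))   # "a" then the longer "ab"
    print(tokenize("abd", ["a", "abc"]))  # "abc" fails at 'd', so back up to "a"
```

The longest-match rule matters for a content scanner because a pattern over tokens is only as reliable as the tokenization beneath it: without the backtrack to the last accepting state, the input “abd” against the tokens “a” and “abc” would lose the leading “a” entirely.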
