Case 3:17-cv-05659-WHA Document 110-5 Filed 06/15/18 Page 1 of 27
Exhibit 4

(12) United States Patent
Edery et al.
(10) Patent No.: US 7,613,926 B2
(45) Date of Patent: *Nov. 3, 2009

(54) METHOD AND SYSTEM FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES
(75) Inventors: Yigal Mordechai Edery, Pardesia (IL); Nimrod Itzhak Vered, Goosh Tel-Mond (IL); David R. Kroll, San Jose, CA (US); Shlomo Touboul, Kefar-Haim (IL)
(73) Assignee: Finjan Software, Ltd, Netanya (IL)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 659 days. This patent is subject to a terminal disclaimer.
(21) Appl. No.: 11/370,114
(22) Filed: Mar. 7, 2006
(65) Prior Publication Data: US 2006/0149968 A1, Jul. 6, 2006

Related U.S. Application Data
(63) Continuation of application No. 09/861,229, filed on May 17, 2001, now Pat. No. 7,058,822, and a continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194, said application No. 09/861,229 is a continuation-in-part of application No. 09/551,302, filed on Apr. 18, 2000, now Pat. No.
(60) Provisional application No. 60/205,591, filed on May 17, 2000.

(51) Int. Cl.
G06F 2V4 (2006.01)
G06F 11/30 (2006.01)
H04L 9/00 (2006.01)
G06F 15/16 (2006.01)
(52) U.S. Cl.: 713/181; 713/175; 713/176; 726/24
(58) Field of Classification Search: None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,077,677 A  12/1991  Murphy et al.  706/62
5,359,659 A  10/1994  Rosenthal  726/24
(Continued)

FOREIGN PATENT DOCUMENTS
EP 1091276  4/2001
EP 1132796  9/2001

OTHER PUBLICATIONS
Zhong, et al., “Security in the Large: is Java’s Sandbox Scalable?,” Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6, Oct. 1998.
(Continued)

Primary Examiner—Christopher A Revak
(74) Attorney, Agent, or Firm—King & Spalding LLP

(57) ABSTRACT

Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable “re-communicator,” for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts, more suitably in conjunction with protection policies.

30 Claims, 10 Drawing Sheets

[Front-page drawing: flowchart. Start; Install mobile protection code elements and policies within a destination device; Load the downloadable without actually initiating it; Form an access interceptor for intercepting downloadable destination device access attempts within the destination device; Initiate the Downloadable within the destination device; Determine policies in accordance with the access attempt; Execute the policies]

FINJAN-JN 000618

U.S. PATENT DOCUMENTS

5,361,359 A  11/1994  Tajalli et al.  726/23
5,414,833 A  5/1995  Hershey et al.  726/22
5,485,409 A  1/1996  Gupta et al.  726/25
5,485,575 A  1/1996  Chess et al.  714/38
5,572,643 A  11/1996  Judson  709/218
5,579,509 A  11/1996  Furtney et al.  703/27
5,606,668 A *  2/1997  Shwed  726/13
5,623,600 A *  4/1997  726/24
5,638,446 A  6/1997  Rubin  705/51
5,675,711 A  10/1997  Kephart et al.  706/12
5,692,047 A  11/1997  McManis  713/167
5,692,124 A  11/1997  Holden et al.
5,720,033 A  2/1998  Deo
5,724,425 A  3/1998  Chang et al.  705/52
5,740,248 A  4/1998  Fieres et al.  713/156
5,740,441 A  4/1998  Yellin et al.  717/134
5,761,421 A  6/1998  van Hoff et al.  709/223
5,765,205 A  6/1998  Breslau et al.  711/203
5,784,459 A  7/1998  Devarakonda et al.  713/165
5,796,952 A  8/1998  Davis et al.  709/224
5,805,829 A  9/1998  Cohen et al.  709/202
5,832,208 A  11/1998  Chen et al.  726/24
5,832,274 A  11/1998  Cutler et al.
5,850,559 A  12/1998  Angelo et al.  713/320
5,859,966 A  1/1999  Hayman et al.  726/23
5,864,683 A  1/1999  Boebert et al.  709/249
5,881,151 A  3/1999  Yamamoto  726/24
5,884,033 A  3/1999  Duvall et al.  709/206
5,892,904 A  4/1999  Atkinson et al.  726/22
5,951,698 A  9/1999  Chen et al.  714/38
5,956,481 A  9/1999  Walsh et al.  726/23
5,963,742 A  10/1999  Williams  717/143
5,974,549 A  10/1999  Golan
5,978,484 A  11/1999  Apperson et al.  705/54
5,983,348 A  11/1999  Ji
5,987,611 A  11/1999  Freund  726/4
6,088,801 A  7/2000  Grecsek  726/1
6,088,803 A  7/2000  Tso et al.  726/22
6,092,194 A *  7/2000  Touboul  726/24
6,154,844 A *  11/2000  Touboul et al.  726/24
6,167,520 A  12/2000  Touboul
6,339,829 B1  1/2002  Beadle et al.  726/15
6,425,058 B1  7/2002  Arimilli et al.  711/134
6,434,668 B1  8/2002  Arimilli et al.  711/128
6,434,669 B1  8/2002  Arimilli et al.  711/128
6,480,962 B1 *  11/2002  Touboul  726/22
6,487,666 B1  11/2002  Shanklin et al.  726/23
6,519,679 B2  2/2003  Devireddy et al.  711/114
6,598,033 B2  7/2003  Ross et al.  706/46
6,732,179 B1 *  5/2004  Brown et al.  709/229
6,804,780 B1 *  10/2004  Touboul  713/181
6,901,519 B1 *  5/2005  Stewart et al.  726/24
6,917,953 B2  7/2005  Simon et al.  707/204
7,058,822 B2 *  6/2006  Edery et al.  726/22
7,093,135 B1 *  8/2006  Radatti et al.  713/188
7,210,041 B1  4/2007  Gryaznov et al.  713/188
7,343,604 B2  3/2008  Grabarnik et al.  719/313
7,418,731 B2  8/2008  Touboul  726/22
2004/0073811 A1  4/2004  Sanin  726/13
2004/0088425 A1  5/2004  Rubinstein et al.  709/230
2005/0172338 A1  8/2005  Sandu et al.  726/22
2006/0031207 A1  2/2006  Bjarnestam et al.  707/3

OTHER PUBLICATIONS

Rubin, et al., “Mobile Code Security,” IEEE Internet, pp. 30-34, Dec. 1998.
Schmid, et al., “Protecting Data From Malicious Software,” Proceedings of the 18th Annual Computer Security Applications Conference, pp. 1-10, 2002.
Corradi, et al., “A Flexible Access Control Service for Java Mobile Code,” IEEE, pp. 356-365, 2000.
International Search Report for Application No. PCT/IB97/01626, 3 pp., May 14, 1998 (mailing date).
International Search Report for Application No. PCT/IL05/00915, 4 pp., dated Mar. 3, 2006.
Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated Mar. 3, 2006 (mailing date).
International Search Report for Application No. PCT/IB01/01138, 4 pp., Sep. 20, 2002 (mailing date).
International Preliminary Examination Report for Application No. PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
Gerzic, Amer, “Write Your Own Regular Expression Parser,” Nov. 17, 2003, 18 pp.
Power, James, “Lexical Analysis,” 4 pp., May 14, 2006.
Sitaker, Kragen, “Rapid Genetic Evolution of Regular Expressions” [online], The Mail Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004), 5 pp.
“Lexical Analysis: DFA Minimization & Wrap Up” [online], Fall, 2004 [retrieved on Mar. 2, 2005], 8 pp.
“Minimization of DFA” [online], [retrieved on Dec. 7, 2004], 7 pp.
“Algorithm: NFS -> DFA” [online], Copyright 1999-2001 [retrieved on Dec. 7, 2004], 4 pp.
“CS 3813: Introduction to Formal Languages and Automata—State Minimization and Other Algorithms for Finite Automata,” 3 pp., May 11, 2003.
Watson, Bruce W., “Constructing Minimal Acyclic Deterministic Finite Automata,” [retrieved on Mar. 20, 2005], 38 pp.
Chang, Chia-Hsiang, “From Regular Expressions to DFA’s Using Compressed NFA’s,” Oct. 1992, 243 pp.
“Products,” Articles published on the Internet, “Revolutionary Security for a New Computing Paradigm” regarding SurfinGate™, 7 pp.
“Release Notes for the Microsoft ActiveX Development Kit,” Aug. 13, 1996, pp. 1-10.
Doyle, et al., “Microsoft Press Computer Dictionary,” Microsoft Press, 2d Edition, pp. 137-138, 1993.
Finjan Software Ltd., “Powerful PC Security for the New World of Java™ and Downloadables, Surfin Shield™,” Article published on the Internet by Finjan Software Ltd., 2 pp. 1996.
Finjan Software Ltd., “Finjan Announces a Personal Java™ Firewall for Web Browsers—the SurfinShield™ 1.6 (formerly known as SurfinBoard),” Press Release of Finjan Releases SurfinShield 1.6, 2 pp., Oct. 21, 1996.
Finjan Software Ltd., “Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0,” Las Vegas Convention Center/Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Industry’s First JAVA Security Product for the World Wide Web,” Article published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
Finjan Software Ltd., “Java Security: Issues & Solutions,” Article published on the Internet by Finjan Software Ltd., 8 pp. 1996.
Finjan Software Ltd., Company Profile, “Finjan—Safe Surfing, The Java Security Solutions Provider,” Article published on the Internet by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
“IBM AntiVirus User’s Guide, Version 2.4,” International Business Machines Corporation, pp. 6-7, Nov. 15, 1995.
Khare, R., “Microsoft Authenticode Analyzed” [online], Jul. 22, 1996 [retrieved on Jun. 25, 2003], 2 pp.
LaDue, M., Online Business Consultant: Java Security: Whose Business is It?, Article published on the Internet, Home Page Press, Inc., 4 pp., 1996.
Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certification,” PC Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
Moritz, R., “Why We Shouldn’t Fear Java,” Java Report, pp. 51-56, Feb. 1997.
Microsoft, “Microsoft ActiveX Software Development Kit” [Online], Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6.
Microsoft® Authenticode Technology, “Ensuring Accountability and Authenticity for Software Components on the Internet,” Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction, and pp. 1-10.
Microsoft Corporation, Web Page Article “Frequently Asked Questions About Authenticode,” last updated Feb. 17, 1997, printed Dec. 23, 1998, pp. 1-13.
Okamoto, E., et al., “ID-Based Authentication System for Computer Virus Detection,” IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.
Omura, J. K., “Novel Applications of Cryptography in Digital Communications,” IEEE Communications Magazine, pp. 21-29, May 1990.
Schmitt, D.A., “.EXE files, OS-2 style,” PC Tech Journal, vol. 6, No. 11, p. 76(13), Nov. 1988.
Zhang, X. N., “Secure Code Distribution,” IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
D. Grune, et al., “Parsing Techniques: A Practical Guide,” John Wiley & Sons, Inc., New York, New York, USA, pp. 1-326, 2000.

* cited by examiner

[Drawing sheet 1 of 10: FIG. 1a, FIG. 1b, FIG. 1c. Labels: Redundancy Support; Subsystem-1 (Sandbox Protected); Subsystem-N (Unprotected); Subsystem-M (Protected); Resource-1; External Network (Internet); Resource Server-1; Resource Server-N; Resource-M; Resource-N; MPC; Device-n.]

[Drawing sheets 2 to 5 of 10: figures.]

[Drawing sheet 6 of 10: FIG. 7a, FIG. 7b, FIG. 8. Labels: Protection; Memory Space-N; Sandbox Engine; MC Initiator (JVM); Memory Space-P2.]

[Drawing sheets 7 and 8 of 10: figures.]

[Drawing sheet 9 of 10: FIG. 11, flowchart. Steps: Install mobile protection code elements and policies within a destination device; Load the downloadable without actually initiating it; Form an access interceptor for intercepting downloadable destination device access attempts within the destination device; Initiate the Downloadable within the destination device; decision: Malicious access (Yes / No); Determine policies in accordance with the access attempt; Execute the policies (including causing an allowable response expected by the Downloadable to be returned to the Downloadable). Reference numerals shown: 1102, 1103, 1104, 1105, 1109, 1111.]

[Drawing sheet 10 of 10: figures.]

METHOD AND SYSTEM FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

PRIORITY REFERENCE TO RELATED APPLICATIONS

This application is a continuation of assignee’s application Ser. No. 09/861,229, filed on May 17, 2001, now U.S. Pat. No. 7,058,822, entitled “Malicious Mobile Code Runtime Monitoring System And Methods”, which is hereby incorporated by reference. U.S. application Ser. No. 09/861,229 claims benefit of provisional application Ser. No. 60/205,591, entitled “Computer Network Malicious Code Run-time Monitoring,” filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al., which is hereby incorporated by reference. U.S. application Ser. No. 09/861,229 is also a Continuation-In-Part of U.S. patent application Ser. No. 09/539,667, entitled “System and Method for Protecting a Computer and a Network From Hostile Downloadables” filed on Mar. 30, 2000 by inventor Shlomo Touboul, now U.S. Pat. No. 6,804,780, and hereby incorporated by reference, which is a continuation of assignee’s patent application U.S. Ser. No. 08/964,388, filed on Nov. 6, 1997, now U.S. Pat. No. 6,092,194, also entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables” and hereby incorporated by reference. U.S. Ser. No. 09/861,229 is also a Continuation-In-Part of U.S. patent application Ser. No. 09/551,302, entitled “System and Method for Protecting a Client During Runtime From Hostile Downloadables”, filed on Apr. 18, 2000 by inventor Shlomo Touboul, now U.S. Pat. No. 6,480,962, which is hereby incorporated by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.

2. Description of the Background Art

Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as “viruses.”

Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears—and so on. Of course, damage has already typically been incurred.

To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Pat. No. 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including “Java applets or ActiveX controls”, and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Pat. No. 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. Pat. No. 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.

Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.

SUMMARY OF THE INVENTION
`
The present invention provides protection systems and methods capable of protecting a personal computer (“PC”) or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other “malicious” operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software “components”, such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.
In one aspect, embodiments of the invention provide for determining, within one or more network “servers” (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a “Downloadable”). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client-based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.
A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily one or more “servers” or “re-communicators”). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.
`
A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code (“MPC”) for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective “sandbox”. The MPC/policies can further include a communicator for enabling further MPC/policy information or “modules” to be utilized and/or for event logging or other purposes.
A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.
`
A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The determining can further provide multiple tests for detecting, alone or together, whether the downloadable information includes executable code.
`
A further method according to an embodiment of the invention includes forming a sandboxed package that includes mobile protection code (“MPC”), protection policies, and a received, detected-Downloadable, and causing the sandboxed package to be communicated to and installed by a receiving device or process (“user device”) for responding to one or more malicious operation attempts by the detected-Downloadable from within the user device. The MPC/policies can further include a base “module” and a “communicator” for enabling further up/downloading of one or more further “modules” or other information (e.g. events, user/user device information, etc.).
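
The gateway-side methods in the two paragraphs above (several tests for executable code, then a sandboxed package of MPC, policies and the detected Downloadable), as an added Python sketch that is not code from the patent or from the assignee. The particular tests (magic bytes, file suffix, script-tag pattern, zip unpacking), the limits, and every name such as `detect` and `SandboxedPackage` are assumptions chosen for illustration.

```python
"""Gateway-side sketch (added illustration, not the patent's own code)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Assumed signature table: leading bytes of a few executable formats.
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"\xca\xfe\xba\xbe": "java-class"}
SCRIPT_RE = re.compile(rb"<\s*(script|object|applet)\b", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".dll", ".class", ".jar", ".js", ".vbs")
MAX_DEPTH = 3              # assumed nested-archive limit
MAX_MEMBER = 1_000_000     # bytes; larger archive members are not unpacked


def check_magic(data, name):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return "magic:" + kind
    return None


def check_suffix(data, name):
    lowered = name.lower()
    if lowered.endswith(EXEC_SUFFIXES):
        return "suffix:" + lowered.rsplit(".", 1)[-1]
    return None


def check_script(data, name):
    return "pattern:script" if SCRIPT_RE.search(data) else None


def check_archive(data, name, depth):
    """Unpack zip containers so code cannot hide inside an inert-looking wrapper."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    if depth >= MAX_DEPTH:
        return "archive:too-deep"                       # fail closed
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    return "archive:oversized-member"   # fail closed
                inner = detect(zf.read(info), info.filename, depth + 1)
                if inner:
                    return "archive:%s:%s" % (info.filename, inner[0])
    except zipfile.BadZipFile:
        return "archive:malformed"                      # fail closed
    return None


def detect(data, name, depth=0):
    """Run every test; any hit marks the content as a Downloadable."""
    hits = [check(data, name) for check in (check_magic, check_suffix, check_script)]
    hits.append(check_archive(data, name, depth))
    return [h for h in hits if h]


@dataclass
class SandboxedPackage:
    mpc: bytes            # mobile protection code, opaque to the gateway
    policies: dict        # protection policies for the destination
    downloadable: bytes   # the detected Downloadable, unmodified
    name: str
    reasons: list = field(default_factory=list)


def recommunicate(data, name, mpc, policies):
    """Pass inert content through; wrap a detected Downloadable in a package."""
    reasons = detect(data, name)
    if not reasons:
        return data
    return SandboxedPackage(mpc, policies, data, name, reasons)


def build_samples():
    """Constructed inputs: plain text, an HTML page with a script, a zip holding a class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("A.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    return {
        "note.txt": b"meeting moved to 3pm",
        "page.html": b"<html><SCRIPT src='x.js'></script></html>",
        "bundle.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        out = recommunicate(blob, fname, mpc=b"<mpc>", policies={"file_write": "deny"})
        print(fname, "->", out.reasons if isinstance(out, SandboxedPackage) else "passed through")
```

The Downloadable bytes are carried unchanged inside the package; only the wrapping differs between inert and executable content.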
`
`Another method according to an embodiment of the invention
`includes installing, within a user device, received mobile
`protection code (“MPC”) and protection policies in conjunction
`with the user device receiving a downloadable application
`program, component or other Downloadable(s). The
`method also includes determining, by the MPC, a resource
`access attempt by the Downloadable, and initiating, by the
`MPC, one or more predetermined operations corresponding
`to the attempt. (Predetermined operations can, for example,
`comprise initiating user, administrator, client, network or protection
`system determinable operations, including but not
`limited to modifying the Downloadable operation, extricating
`the Downloadable, notifying a user/another, maintaining a
`local/remote log, causing one or more MPCs/policies to be
`downloaded, etc.)
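A minimal sketch of the flow summarized above, added here as an illustration and not taken from the patent or from any product implementing it: a gateway applies several executable-content tests, wraps a detected-Downloadable together with MPC and policies, and the client-side MPC maps each resource access attempt to a predetermined operation. The byte signatures, resource names, action names and the default-block choice are all assumptions.

```python
import json
from dataclasses import dataclass

# Constructed signatures for the "multiple tests" step (assumptions, not from the patent).
EXEC_HEADERS = (b"MZ", b"\x7fELF", b"\xca\xfe\xba\xbe")
SCRIPT_MARKERS = (b"<script", b"javascript:", b"#!/")

def has_exec_header(data):
    """Test 1: content starts with a known executable file header."""
    return data.startswith(EXEC_HEADERS)

def has_script_marker(data):
    """Test 2: script content placed inside apparently inert data."""
    head = data[:4096].lower()
    return any(marker in head for marker in SCRIPT_MARKERS)

def includes_executable(data, tests=(has_exec_header, has_script_marker)):
    """Any single positive test marks the content as a detected-Downloadable."""
    return any(test(data) for test in tests)

@dataclass
class SandboxedPackage:
    mpc: str             # identifier of the mobile protection code to install
    policies: dict       # resource name -> predetermined operation
    downloadable: bytes  # the Downloadable itself, left unmodified

def gateway(data, policies, mpc="mpc-base-module"):
    """Server side: wrap only content determined to include executable code."""
    if includes_executable(data):
        return SandboxedPackage(mpc, dict(policies), data)
    return data  # inert content is forwarded unchanged

class MPC:
    """Client side: mediates resource access attempts by the Downloadable."""
    def __init__(self, package):
        self.policies = package.policies
        self.log = []  # local log of every attempt and the operation chosen

    def on_access(self, resource, detail):
        # Resources the policy does not list are blocked (assumed default).
        action = self.policies.get(resource, "block")
        self.log.append(json.dumps(
            {"resource": resource, "detail": detail, "action": action}))
        return action  # caller lets the call proceed only on "allow"
```
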
`
`Advantageously, systems and methods according to
`embodiments of the invention enable potentially damaging,
`undesirable or otherwise malicious operations by even
`unknown mobile code to be detected, prevented, modified
`and/or otherwise protected against without modifying the
`mobile code. Such protection is further enabled in a manner
`that is capable of minimizing server and client resource
`requirements, does not require pre-installation of security
`code within a Downloadable-destination, and provides for
`client specific or generic and readily updateable security measures
`to be flexibly and efficiently implemented. Embodiments
`further provide for thwarting efforts to bypass security
`measures (e.g. by “hiding” undesirable operation causing
`information within apparently inert or otherwise “friendly”
`downloadable information) and/or dividing or combining
`security measures for even greater flexibility and/or efficiency.
`
`Embodiments also provide for determining protection
`policies that can be downloaded and/or ascertained from
`other security information (e.g. browser settings, administrative
`policies, user input, uploaded information, etc.). Different
`actions in response to different Downloadable operations,
`clients, users and/or other criteria are also enabled, and
`embodiments provide for implementing other security measures,
`such as verifying a downloadable source, certification,
`authentication, etc. Appropriate action can also be accomplished
`automatically (e.g. programmatically) and/or in conjunction
`with alerting one or more users/administrators, utilizing
`user input, etc. Embodiments further enable desirable
`Downloadable operations to remain substantially unaffected,
`among other aspects.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1a is a block diagram illustrating a network system in
`accordance with an embodiment of the pr
