Exhibit 12

Case 3:17-cv-05659-WHA Document 111-11 Filed 06/15/18 Page 2 of 24

United States Patent (19)
Touboul

(11) Patent Number: 6,092,194
(45) Date of Patent: *Jul. 18, 2000

(54) SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

(75) Inventor: Shlomo Touboul, Kefar-Haim, Israel

(73) Assignee: Finjan Software, Ltd., Netanya, Israel

(*) Notice: This patent issued on a continued prosecution application filed under 37 CFR 1.53(d), and is subject to the twenty year patent term provisions of 35 U.S.C. 154(a)(2).

(21) Appl. No.: 08/964,388

(22) Filed: Nov. 6, 1997

Related U.S. Application Data

(60) Provisional application No. 60/030,639, Nov. 8, 1996.

(51) Int. Cl.7 ........................ H04L 1/00
(52) U.S. Cl. .......................... 713/200
(58) Field of Search .................. 395/187.01, 186; 713/200, 201, 202; 714/38, 704; 709/229

(56) References Cited

U.S. PATENT DOCUMENTS

5,077,677   12/1991   Murphy et al. .................. 395/10
5,361,359   11/1994   Tajalli et al. ................. 395/700
5,485,409    1/1996   [name illegible] et al. ........ 395/186
5,485,575    1/1996   Chess et al. ................... 395/183.14
5,572,643   11/1996   Judson ......................... 395/793
5,623,600    4/1997   Ji et al. ...................... 395/187.01
5,638,446    6/1997   Rubin .......................... 380/25
5,692,047   11/1997   McManis ........................ 380/4
5,692,124   11/1997   Holden et al. .................. 395/187.01
5,720,033    2/1998   Deo ............................ 395/186
5,724,425    3/1998   Chang et al. ................... 380/25
5,740,248    4/1998   Fieres et al. .................. 380/25
5,761,421    6/1998   van Hoff et al. ................ 395/200.53
[one entry illegible in the scan]
5,796,952    8/1998   Davis et al. ................... 395/200.54
5,805,829    9/1998   Cohen et al. ................... 395/200.32
5,832,208   11/1998   Chen et al. .................... 395/187.01
5,850,559   12/1998   Angelo et al. .................. 395/750.03
5,864,683    1/1999   Boebert et al. ................. 395/200.79
5,892,904    4/1999   Atkinson et al. ................ 395/187.01

OTHER PUBLICATIONS

Web page: http://ielihs.com:80/cgi-bin/iel cgi?se...2ehts%26ViewTemplate%3ddocvie%5fb%2ehts, Okamoto, E. et al., "ID-Based Authentication System For Computer Virus Detection", IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.

(List continued on next page.)

Primary Examiner: Robert W. Beausoleil, Jr.
Assistant Examiner: Christopher Revak
Attorney, Agent, or Firm: Graham & James LLP

(57) ABSTRACT

A system protects a computer from suspicious Downloadables. The system comprises a security policy, an interface for receiving a Downloadable, and a comparator, coupled to the interface, for applying the security policy to the Downloadable to determine if the security policy has been violated. The Downloadable may include a Java™ applet, an ActiveX™ control, a JavaScript™ script, or a Visual Basic script. The security policy may include a default security policy to be applied regardless of the client to whom the Downloadable is addressed, or a specific security policy to be applied based on the client or the group to which the client belongs. The system uses an ID generator to compute a Downloadable ID identifying the Downloadable, preferably, by fetching all components of the Downloadable and performing a hashing function on the Downloadable including the fetched components. Further, the security policy may indicate several tests to perform, including (1) a comparison with known hostile and non-hostile Downloadables; (2) a comparison with Downloadables to be blocked or allowed per administrative override; (3) a comparison of the Downloadable security profile data against access control lists; (4) a comparison of a certificate embodied in the Downloadable against trusted certificates; and (5) a comparison of the URL from which the Downloadable originated against trusted and untrusted URLs. Based on these tests, a logical engine can determine whether to allow or block the Downloadable.

68 Claims, 10 Drawing Sheets

Front-page figure: flowchart excerpt (see FIG. 6C). Recoverable step labels: Receive Results from First Comparator, ACL Comparator, Certificate Comparator and URL Comparator; Compare Results with Security Policies; Pass Downloadable; Stop Downloadable; Send Substitute Downloadable to Inform The User; Record Findings.

OTHER PUBLICATIONS (continued)

"Finjan Announces a Personal Java™ Firewall For Web Browsers, the SurfinShield™ 1.6", Press Release of Finjan Releases SurfinShield, Oct. 21, 1996, 2 pages.
"Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product For the World Wide Web", Article published on the Internet by Finjan Software, Ltd., Jul. 29, 1996, 1 page.
"Powerful PC Security for the New World of Java™ and Downloadables, SurfinShield™", Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
"Company Profile Finjan-Safe Surfing, The Java Security Solutions Provider", Article published on the Internet by Finjan Software Ltd., Oct. 31, 1996, 3 pages.
"Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0", Las Vegas Convention Center/Pavillion 5 P5551, Nov. 18, 1996, 3 pages.
"Java Security: Issues & Solutions", Article published on the Internet by Finjan Software Ltd., 1996, 8 pages.
"Products", Article published on the Internet, 7 pages.
Mark LaDue, "Online Business Consultant", Article published on the Internet, Home Page, Inc. 1996, 4 pages.
Jim K. Omura, "Novel Applications of Cryptography in Digital Communications", IEEE Communications Magazine, p. 27, May 1990.
Norvin Leach et al., "IE 3.0 applets will earn certification", PC Week, v13, n29, p1(2), Jul. 1996.
Microsoft Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet", Microsoft Corporation, Oct. 1996.
Frequently Asked Questions About Authenticode, Microsoft Corporation, Feb. 1997.

Sheet 1 of 10, FIG. 1: block diagram of network system 100. Labelled blocks: External Computer Network (105), Internal Network Security System, Internal Computer Network, Security Management Console (120).

Sheet 2 of 10, FIG. 2: block diagram of the internal network security system (labels are rotated in the scan and not recoverable).

Sheet 3 of 10, FIG. 3: block diagram of the security program and the security database (labels are rotated in the scan; recoverable labels: Policy Finder, Generator, Comparator, Code Scanner, URL Comparator, ACL, Security Policies, Code, Received Downloadable, User ID, Record Keeping Engine, Event).

Sheet 4 of 10, FIG. 4: Security Policies 305, comprising Policy Selectors, Access Control Lists, Trusted Certificate Lists, URL Rule Bases, and Lists of Downloadables to Allow or Block per Administrative Override.

Sheet 5 of 10, FIG. 5: Security Management Console 120, connected to/from the Internal Computer Network via channel 135. Labelled blocks: Security Policy Editor, Event Log Analysis Engine (510), User Notification Engine (515).

Sheet 6 of 10, FIG. 6A: flowchart of method 600. Steps recoverable from the scan: 602 Receive Downloadable; 604 Generate Downloadable ID; 606 Find Security Policy; 608 Downloadable allowed?; Downloadable blocked?; ACL Comparison required? (if yes: Previously decomposed? If no, Decompose Downloadable into DSP data; then Compare DSP with ACL); TCL Comparison required? (if yes: Scan Certificate; Compare Certificate With TCL); URL Comparison required? (if yes: Compare URL); Send results to Logical Engine; End.

Sheet 7 of 10, FIG. 6B (details of step 606): Security policy defined for User ID and Downloadable? If yes, fetch the policy for User ID and Downloadable; if no, fetch the generic security policy for User ID.

Sheet 8 of 10, FIG. 6C: Receive Results from First Comparator, ACL Comparator, Certificate Comparator and URL Comparator; Compare Results with Security Policies; Security Policies Confirm Pass? If yes, Pass Downloadable; if no, Stop Downloadable, Send Substitute Downloadable to Inform The User, Record Findings.

Sheet 9 of 10, FIG. 7 (details of the FIG. 6A decomposition step): Disassemble the Machine Code; Resolve a Respective Command in The Code; Is The Resolved Command Suspect? If yes, Decode and Register The Command and The Command Parameters as DSP Data; continue with the next command until none remain; End.

Sheet 10 of 10, FIG. 8, method 800 for generating a Downloadable ID: Start; 810 Receive a Downloadable; 820 Fetch Downloadable Components; 830 Include Fetched Components in The Downloadable; 840 Perform a Hashing Function on the Downloadable to Generate a Downloadable ID; 850 Store the Downloadable ID.

SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

INCORPORATION BY REFERENCE TO RELATED APPLICATION

This application hereby incorporates by reference related U.S. patent application Ser. No. 08/790,097, entitled "System and Method for Protecting a Client from Hostile Downloadables," filed on Jan. 29, 1997, by inventor Shlomo Touboul.

PRIORITY REFERENCE TO PROVISIONAL APPLICATION

This application claims benefit of and hereby incorporates by reference provisional application Ser. No. 60/030,639, entitled "System and Method for Protecting a Computer from Hostile Downloadables," filed on Nov. 8, 1996, by inventor Shlomo Touboul.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and method for protecting a computer and a network from hostile Downloadables.

2. Description of the Background Art

The Internet is currently a collection of over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as "viruses."

Accordingly, programmers continue to design computer and computer network security systems for blocking these viruses from attacking both individual and network computers. For the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to or configured as Downloadable application programs, commonly referred to as "Downloadables." A Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer. A Downloadable is typically requested by an ongoing process such as by an Internet browser or web engine. Examples of Downloadables include Java™ applets designed for use in the Java™ distributing environment developed by Sun Microsystems, Inc., JavaScript scripts also developed by Sun Microsystems, Inc., ActiveX™ controls designed for use in the ActiveX™ distributing environment developed by the Microsoft Corporation, and Visual Basic also developed by the Microsoft Corporation. Therefore, a system and method are needed to protect a network from hostile Downloadables.

SUMMARY OF THE INVENTION

The present invention provides a system for protecting a network from suspicious Downloadables. The system comprises a security policy, an interface for receiving a Downloadable, and a comparator, coupled to the interface, for applying the security policy to the Downloadable to determine if the security policy has been violated. The Downloadable may include a Java™ applet, an ActiveX™ control, a JavaScript™ script, or a Visual Basic script. The security policy may include a default security policy to be applied regardless of the client to whom the Downloadable is addressed, a specific security policy to be applied based on the client or the group to which the client belongs, or a specific policy to be applied based on the client/group and on the particular Downloadable received. The system uses an ID generator to compute a Downloadable ID identifying the Downloadable, preferably, by fetching all components of the Downloadable and performing a hashing function on the Downloadable including the fetched components.

Further, the security policy may indicate several tests to perform, including (1) a comparison with known hostile and non-hostile Downloadables; (2) a comparison with Downloadables to be blocked or allowed per administrative override; (3) a comparison of the Downloadable security profile data against access control lists; (4) a comparison of a certificate embodied in the Downloadable against trusted certificates; and (5) a comparison of the URL from which the Downloadable originated against trusted and untrusted URLs. Based on these tests, a logical engine can determine whether to allow or block the Downloadable.

The present invention further provides a method for protecting a computer from suspicious Downloadables. The method comprises the steps of receiving a Downloadable, comparing the Downloadable against a security policy to determine if the security policy has been violated, and discarding the Downloadable if the security policy has been violated.

It will be appreciated that the system and method of the present invention may provide computer protection from known hostile Downloadables. The system and method of the present invention may identify Downloadables that perform operations deemed suspicious. The system and method of the present invention may examine the Downloadable code to determine whether the code contains any suspicious operations, and thus may allow or block the Downloadable accordingly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network system, in accordance with the present invention;
FIG. 2 is a block diagram illustrating details of the internal network security system of FIG. 1;
FIG. 3 is a block diagram illustrating details of the security program and the security database of FIG. 2;
FIG. 4 is a block diagram illustrating details of the security policies of FIG. 3;
FIG. 5 is a block diagram illustrating details of the security management console of FIG. 1;
FIG. 6A is a flowchart illustrating a method of examining for suspicious Downloadables, in accordance with the present invention;
FIG. 6B is a flowchart illustrating details of the step for finding the appropriate security policy of FIG. 6A;
FIG. 6C is a flowchart illustrating a method for determining whether an incoming Downloadable is to be deemed suspicious;
FIG. 7 is a flowchart illustrating details of the FIG. 6 step of decomposing a Downloadable; and
FIG. 8 is a flowchart illustrating a method 800 for generating a Downloadable ID for identifying a Downloadable.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a network system 100, in accordance with the present invention. The network
system 100 includes an external computer network 105, such as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a communications channel 125 to an internal network security system 110. The network system 100 further includes an internal computer network 115, such as a corporate Local Area Network (LAN), coupled via a communications channel 130 to the internal network security system 110 and coupled via a communications channel 135 to a security management console 120. The internal network security system 110 examines Downloadables received from external computer network 105, and prevents Downloadables deemed suspicious from reaching the internal computer network 115. It will be further appreciated that a Downloadable is deemed suspicious if it performs or may perform any undesirable operation, or if it threatens or may threaten the integrity of an internal computer network 115 component. It is to be understood that the term "suspicious" includes hostile, potentially hostile, undesirable, potentially undesirable, etc. Security management console 120 enables viewing, modification and configuration of the internal network security system 110.

FIG. 2 is a block diagram illustrating details of the internal network security system 110, which includes a Central Processing Unit (CPU) 205, such as an Intel Pentium® microprocessor or a Motorola PowerPC® microprocessor, coupled to a signal bus 220. The internal network security system 110 further includes an external communications interface 210 coupled between the communications channel 125 and the signal bus 220 for receiving Downloadables from external computer network 105, and an internal communications interface 225 coupled between the signal bus 220 and the communications channel 130 for forwarding Downloadables not deemed suspicious to the internal computer network 115. The external communications interface 210 and the internal communications interface 225 may be functional components of an integral communications interface (not shown) for both receiving Downloadables from the external computer network 105 and forwarding Downloadables to the internal computer network 115.

Internal network security system 110 further includes Input/Output (I/O) interfaces 215 (such as a keyboard, mouse and Cathode Ray Tube (CRT) display), a data storage device 230 such as a magnetic disk, and a Random-Access Memory (RAM) 235, each coupled to the signal bus 220. The data storage device 230 stores a security database 240, which includes security information for determining whether a received Downloadable is to be deemed suspicious. The data storage device 230 further stores a users list 260 identifying the users within the internal computer network 115 who may receive Downloadables, and an event log 245 which includes determination results for each Downloadable examined and runtime indications of the internal network security system 110. An operating system 250 controls processing by CPU 205, and is typically stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution. A security program 255 controls examination of incoming Downloadables, and also may be stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution by CPU 205.

FIG. 3 is a block diagram illustrating details of the security program 255 and the security database 240. The security program 255 includes an ID generator 315, a policy finder 317 coupled to the ID generator 315, and a first comparator 320 coupled to the policy finder 317. The first comparator 320 is coupled to a logical engine 333 via four separate paths, namely, via Path 1, via Path 2, via Path 3 and via Path 4. Path 1 includes a direct connection from the first comparator 320 to the logical engine 333. Path 2 includes a code scanner 325 coupled to the first comparator 320, and an Access Control List (ACL) comparator 330 coupling the code scanner 325 to the logical engine 333. Path 3 includes a certificate scanner 340 coupled to the first comparator 320, and a certificate comparator 345 coupling the certificate scanner 340 to the logical engine 333. Path 4 includes a Uniform Resource Locator (URL) comparator 350 coupling the first comparator 320 to the logical engine 333. A record-keeping engine 335 is coupled between the logical engine 333 and the event log 245.

The security program 255 operates in conjunction with the security database 240, which includes security policies 305, known Downloadables 307, known certificates 309 and Downloadable Security Profile (DSP) data 310 corresponding to the known Downloadables 307. Security policies 305 include policies specific to particular users 260 and default (or generic) policies for determining whether to allow or block an incoming Downloadable. These security policies 305 may identify specific Downloadables to block, specific Downloadables to allow, or necessary criteria for allowing an unknown Downloadable. Referring to FIG. 4, security policies 305 include policy selectors 405, access control lists 410, trusted certificate lists 415, URL rule bases 420, and lists 425 of Downloadables to allow or to block per administrative override.

Known Downloadables 307 include lists of Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, of Downloadables which OEMs know to be non-hostile, and of Downloadables previously received by this security program 255. DSP data 310 includes the list of all potentially hostile or suspicious computer operations that may be attempted by each known Downloadable 307, and may also include the respective arguments of these operations. An identified argument of an operation is referred to as "resolved." An unidentified argument is referred to as "unresolved." DSP data 310 is described below with reference to the code scanner 325.

The ID generator 315 receives a Downloadable (including the URL from which it came and the userID of the intended recipient) from the external computer network 105 via the external communications interface 210, and generates a Downloadable ID for identifying each Downloadable. The Downloadable ID preferably includes a digital hash of the complete Downloadable code. The ID generator 315 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation. For example, the ID generator 315 may prefetch all classes embodied in or identified by the Java™ applet bytecode to generate the Downloadable ID. Similarly, the ID generator 315 may retrieve all components listed in the INF file for an ActiveX™ control to compute a Downloadable ID. Accordingly, the Downloadable ID for the Downloadable will be the same each time the ID generator 315 receives the same Downloadable. The ID generator 315 adds the generated Downloadable ID to the list of known Downloadables 307 (if it is not already listed). The ID generator 315 then forwards the Downloadable and Downloadable ID to the policy finder 317.

The policy finder 317 uses the userID of the intended user and the Downloadable ID to select the specific security policy 305 that shall be applied on the received Downloadable. If there is a specific policy 305 that was defined for the user (or for one of its super groups) and the Downloadable, then the policy is selected. Otherwise the generic policy 305
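The Downloadable ID generation described for the ID generator 315 (and method 800 of FIG. 8), as an added example that is not the patent's own code: all components embodied in or identified by the code are prefetched transitively, folded into the Downloadable, and hashed so that the same Downloadable always yields the same ID. The component catalogue, the "uses <name>" reference syntax, the sample applet and the choice of SHA-256 as the hashing function are assumptions made for the demonstration.

```python
"""Downloadable ID generation in the style of the ID generator 315 / FIG. 8.

Added example, not the patent's code. The component catalogue, the
"uses <name>" reference syntax and the sample applet are constructed for
the demonstration; a real gateway would walk Java class references or an
ActiveX INF file as the specification describes.
"""
import hashlib
import re

# Constructed stand-in for the external source the components are fetched
# from: component name -> component bytes. A real ID generator would fetch
# these over the network.
COMPONENT_CATALOGUE = {
    "Helper.class": b"class Helper { uses Net.class }",
    "Net.class": b"class Net { socket.connect() }",
    "Ui.class": b"class Ui { draw() }",
}

# A reference to another component, in the constructed syntax.
REFERENCE_RE = re.compile(rb"uses (\S+\.class)")


def fetch_components(code, fetch):
    """Prefetch every component embodied in or identified by the code,
    following references transitively. Returns {name: bytes}; `fetch`
    maps a component name to its bytes (or raises KeyError)."""
    fetched = {}
    pending = [m.group(1).decode() for m in REFERENCE_RE.finditer(code)]
    while pending:
        name = pending.pop()
        if name in fetched:
            continue
        body = fetch(name)
        fetched[name] = body
        pending.extend(m.group(1).decode() for m in REFERENCE_RE.finditer(body))
    return fetched


def generate_downloadable_id(code, fetch=COMPONENT_CATALOGUE.__getitem__):
    """Hash the complete Downloadable, i.e. the main code plus all prefetched
    components, so that the same Downloadable always yields the same ID.

    Components are hashed in sorted name order and every field is length
    prefixed, so the ID does not depend on fetch order and two different
    (name, body) sets cannot collide by plain concatenation."""
    components = fetch_components(code, fetch)
    h = hashlib.sha256()

    def add(field):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)

    add(code)
    for name in sorted(components):
        add(name.encode())
        add(components[name])
    return h.hexdigest()


class KnownDownloadables:
    """The list of known Downloadables 307: IDs seen so far. `register`
    reports whether the ID was new, which is what lets the code scanner reuse
    already computed DSP data for a repeat of the same Downloadable."""

    def __init__(self):
        self._ids = set()

    def register(self, downloadable_id):
        """Add the ID if not already listed; return True if it was new."""
        if downloadable_id in self._ids:
            return False
        self._ids.add(downloadable_id)
        return True


# Constructed sample applet: references Helper.class, which in turn references
# Net.class, so both are prefetched and folded into the ID.
SAMPLE_APPLET = b"class Applet { uses Helper.class; uses Ui.class }"
```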
that was defined for the user (or for one of its super groups) is selected. The policy finder 317 then sends the policy to the first comparator 320.

The first comparator 320 receives the Downloadable, the Downloadable ID and the security policy 305 from the policy finder 317. The first comparator 320 examines the security policy 305 to determine which steps are needed for allowing the Downloadable. For example, the security policy 305 may indicate that, in order to allow this Downloadable, it must pass all four paths, Path 1, Path 2, Path 3 and Path 4. Alternatively, the security policy 305 may indicate that to allow the Downloadable, it must pass only one of the paths. The first comparator 320 responds by forwarding the proper information to the paths identified by the security policy 305.

Path 1

In path 1, the first comparator 320 checks the policy selector 405 of the security policy 305 that was received from the policy finder 317. If the policy selector 405 is either "Allowed" or "Blocked," then the first comparator 320 forwards this result directly to the logical engine 333. Otherwise, the first comparator 320 invokes the comparisons in path 2 and/or path 3 and/or path 4 based on the contents of policy selector 405. It will be appreciated that the first comparator 320 itself compares the Downloadable ID against the lists of Downloadables to allow or block per administrative override 425. That is, the system security administrator can define specific Downloadables as "Allowed" or "Blocked."

Alternatively, the logical engine 333 may receive the results of each of the paths and based on the policy selector 405 may institute the final determination whether to allow or block the Downloadable. The first comparator 320 informs the logical engine 333 of the results of its comparison.

Path 2

In path 2, the first comparator 320 delivers the Downloadable, the Downloadable ID and the security policy 305 to the code scanner 325. If the DSP data 310 of the received Downloadable is known, the code scanner 325 retrieves and forwards the information to the ACL comparator 330. Otherwise, the code scanner 325 resolves the DSP data 310. That is, the code scanner 325 uses conventional parsing techniques to decompose the code (including all prefetched components) of the Downloadable into the DSP data 310. DSP data 310 includes the list of all potentially hostile or suspicious computer operations that may be attempted by a specific Downloadable 307, and may also include the respective arguments of these operations. For example, DSP data 310 may include a READ from a specific file, a SEND to an unresolved host, etc. The code scanner 325 may generate the DSP data 310 as a list of all operations in the Downloadable code which could ever be deemed potentially hostile and a list of all files to be accessed by the Downloadable code. It will be appreciated that the code scanner 325 may search the code for any pattern which is undesirable or suggests that the code was written by a hacker.

An Example List of Operations Deemed Potentially Hostile

File operations: READ a file, WRITE a file;
Network operations: LISTEN on a socket, CONNECT to a socket, SEND data, RECEIVE data, VIEW INTRANET;
Registry operations: READ a registry item, WRITE a registry item;
Operating system operations: EXIT WINDOWS, EXIT BROWSER, START PROCESS/THREAD, KILL PROCESS/THREAD, CHANGE PROCESS/THREAD PRIORITY, DYNAMICALLY LOAD A CLASS/LIBRARY, etc.; and
Resource usage thresholds: memory, CPU, graphics, etc.

In the preferred embodiment, the code scanner 325 performs a full-content inspection. However, for improved speed but reduced security, the code scanner 325 may examine only a portion of the Downloadable such as the Downloadable header. The code scanner 325 then stores the DSP data into DSP data 310 (corresponding to its Downloadable ID), and sends the Downloadable and the DSP data to the ACL comparator 330 for comparison with the security policy 305.

The ACL comparator 330 receives the Downloadable, the corresponding DSP data and the security policy 305 from the code scanner 325, and compares the DSP data against the security policy 305. That is, the ACL comparator 330 compares the DSP data of the received Downloadable against the access control lists 410 in the received security policy 305. The access control list 410 contains criteria indicating whether to pass or fail the Downloadable. For example, an access control list may indicate that the Downloadable fails if the DSP data includes a WRITE command to a system file. The ACL comparator 330 sends its results to the logical engine 333.
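The Path 2 pipeline described above, as an added example that is not part of the patent: a code scanner that walks a disassembly, resolves each command and registers suspect commands with their parameters as DSP data (the loop of FIG. 7), followed by an ACL comparator that fails the Downloadable on criteria such as the page's "WRITE to a system file" and "SEND to an unresolved host". It generalises the single ACL example in the text to a small rule list; the disassembly format, the API-name table, the system-path prefixes and the sample access control list are constructed for the demonstration.

```python
"""Path 2: code scanner 325 producing DSP data, then ACL comparator 330
checking the DSP data against an access control list 410.

Added example, not the patent's code. The instruction format, the API name
table, the system-path prefixes and the sample ACL are constructed.
"""
from dataclasses import dataclass
import re

UNRESOLVED = "<unresolved>"


@dataclass(frozen=True)
class DspEntry:
    """One potentially hostile operation found in the Downloadable code."""
    operation: str   # e.g. "WRITE_FILE", "SEND"
    argument: str    # identified argument, or UNRESOLVED when not statically known

    @property
    def resolved(self):
        return self.argument != UNRESOLVED


# Constructed table: API name seen in a CALL operand -> DSP operation name,
# following the specification's list of operations deemed potentially hostile.
SUSPECT_CALLS = {
    "ReadFile": "READ_FILE",
    "WriteFile": "WRITE_FILE",
    "listen": "LISTEN",
    "connect": "CONNECT",
    "send": "SEND",
    "recv": "RECEIVE",
    "RegSetValue": "WRITE_REGISTRY",
    "ExitWindows": "EXIT_WINDOWS",
    "CreateProcess": "START_PROCESS",
    "LoadLibrary": "LOAD_LIBRARY",
}

LITERAL_RE = re.compile(r'^"(.*)"$')


def scan_code(disassembly):
    """Code scanner: walk the (constructed) disassembly, resolve each CALL and
    register suspect commands with their parameters as DSP data (cf. FIG. 7).
    A PUSH of a string literal is taken as the parameter of the next CALL; a
    PUSH of a register means the parameter is unresolved."""
    dsp = []
    last_arg = UNRESOLVED
    for line in disassembly.strip().splitlines():
        mnemonic, _, operand = line.strip().partition(" ")
        if mnemonic == "PUSH":
            m = LITERAL_RE.match(operand)
            last_arg = m.group(1) if m else UNRESOLVED
        elif mnemonic == "CALL":
            op = SUSPECT_CALLS.get(operand)
            if op is not None:
                dsp.append(DspEntry(op, last_arg))
            last_arg = UNRESOLVED   # the call consumes its parameters
    return dsp


# Constructed notion of "system file" for the ACL rule below.
SYSTEM_FILE_PREFIXES = ("C:\\WINDOWS\\", "/etc/", "/usr/")


def is_system_file(entry):
    return entry.argument.upper().startswith(tuple(p.upper() for p in SYSTEM_FILE_PREFIXES))


# Constructed access control list 410: (operation, predicate, reason).
# The Downloadable fails if any DSP entry matches any rule.
ACCESS_CONTROL_LIST = [
    ("WRITE_FILE", is_system_file, "WRITE to a system file"),
    ("WRITE_FILE", lambda e: not e.resolved, "WRITE to an unresolved file"),
    ("SEND", lambda e: not e.resolved, "SEND to an unresolved host"),
    ("EXIT_WINDOWS", lambda e: True, "EXIT WINDOWS"),
    ("START_PROCESS", lambda e: True, "START PROCESS/THREAD"),
]


def acl_compare(dsp, acl=ACCESS_CONTROL_LIST):
    """ACL comparator: return (passed, reasons) for the logical engine."""
    reasons = [reason for entry in dsp
               for op, pred, reason in acl
               if entry.operation == op and pred(entry)]
    return (not reasons, reasons)


# Constructed disassembly samples. In the hostile one the host passed to send
# lives in a register, so the scanner cannot resolve it.
SAMPLE_HOSTILE = r"""
PUSH "C:\WINDOWS\SYSTEM32\drivers\etc\hosts"
CALL WriteFile
PUSH EAX
CALL send
CALL ExitWindows
"""

SAMPLE_BENIGN = r"""
PUSH "C:\Users\guest\report.txt"
CALL ReadFile
PUSH "updates.example.test"
CALL connect
"""
```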
Path 3

In path 3, the certificate scanner 340 determines whether the received Downloadable was signed by a certificate authority, such as VeriSign, Inc., and scans for a certificate embodied in the Downloadable. The certificate scanner 340 forwards the found certificate to the certificate comparator 345. The certificate comparator 345 retrieves known certificates 309 that were deemed trustworthy by the security administrator and compares the found certificate with the known certificates 309 to determine whether the Downloadable was signed by a trusted certificate. The certificate comparator 345 sends the results to the logical engine 333.

Path 4

In path 4, the URL comparator 350 examines the URL identifying the source of the Downloadable against URLs stored in the URL rule base 420 to determine whether the Downloadable comes from a trusted source. Based on the security policy 305, the URL comparator 350 may deem the Downloadable suspicious if the Downloadable comes from an untrustworthy source or if the Downloadable did not come from a trusted source. For example, if the Downloadable comes from a known hacker, then the Downloadable may be deemed suspicious and presumed hostile. The URL comparator 350 sends its results to the logical engine 333.

The logical engine 333 examines the results of each of the paths and the policy selector 405 in the security policy 305 to determine whether to allow or block the Downloadable. The policy selector 405 includes a logical expression of the results received from each of the paths. For example, the logical engine 333 may block a Downloadable if it fails any one of the paths, i.e., if the Downloadable is known hostile (Path 1), if the Downloadable may request suspicious operations (Path 2), if the Downloadable was not signed by a trusted certificate authority (Path 3), or if the Downloadable came from an untrustworthy source (Path 4). The logical engine 333 may apply other logical expressions according to the policy selector 405 embodied in the security policy 305. If the policy selector 405 indicates that the Downloadable may pass, then the logical engine 333 passes the Downloadable to its intended recipient. Otherwise, if the policy selector 405 indicates that the Downloadable should be blocked, then the logical engine 333 forwards a non-hostile Downloadable to the intended recipient to inform the user
that internal network security system 110 discarded the original Downloadable. Further, the logical engine 333 forwards a status report to the record-keeping engine 335, which stores the reports in event log 245 in the data storage device 230 for subsequent review, for example, by the MIS director.
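The policy finder 317 and logical engine 333 behaviour described above, as an added example that is not the patent's code: policy lookup prefers a policy defined for the user (or one of its super groups) and this Downloadable, then falls back to the generic policy for the user or its super groups; the policy selector is then evaluated as a logical expression over the path results, with "Allowed"/"Blocked" short-circuiting as in Path 1. The group hierarchy, the policy table, the selector vocabulary (ALLOWED, BLOCKED, ALL, ANY), the fail-closed handling of a missing policy or path result, and the status-report shape are constructed assumptions.

```python
"""Policy finder 317 and logical engine 333: choose the security policy for a
(user, Downloadable ID) pair, then combine the path results under the policy
selector 405 and produce the status report for the record-keeping engine.

Added example, not the patent's code. The group hierarchy, policy table,
selector vocabulary and report shape are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class SecurityPolicy:
    selector: str                                  # "ALLOWED", "BLOCKED", "ALL" or "ANY"
    required_paths: frozenset = frozenset({1, 2, 3, 4})  # paths the selector ranges over
    name: str = ""


# Constructed group hierarchy: user -> super groups, most specific first.
GROUPS = {
    "alice": ["finance", "staff"],
    "bob": ["staff"],
}

# Constructed policy store keyed by (principal, downloadable_id);
# downloadable_id None marks the generic policy for that principal.
POLICIES = {
    ("finance", "dl-report-viewer"): SecurityPolicy("ALLOWED", name="finance override"),
    ("staff", "dl-known-bad"): SecurityPolicy("BLOCKED", name="admin block"),
    ("alice", None): SecurityPolicy("ALL", name="alice generic"),
    ("staff", None): SecurityPolicy("ANY", frozenset({3, 4}), name="staff generic"),
}


def find_policy(user, downloadable_id, policies=POLICIES, groups=GROUPS):
    """Prefer a policy defined for the user (or one of its super groups) and
    this Downloadable; otherwise fall back to the generic policy for the user
    (or one of its super groups). Returns None when nothing is defined."""
    principals = [user] + groups.get(user, [])
    for dl in (downloadable_id, None):
        for principal in principals:
            policy = policies.get((principal, dl))
            if policy is not None:
                return policy
    return None


def logical_engine(policy, path_results):
    """Decide "allow" or "block". `path_results` maps path number -> bool
    (True = the path passed). ALLOWED/BLOCKED selectors are the Path 1
    administrative override and are decided without consulting other paths.
    A required path with no result is treated as failed (fail closed)."""
    if policy.selector == "ALLOWED":
        return "allow"
    if policy.selector == "BLOCKED":
        return "block"
    results = [path_results.get(p, False) for p in sorted(policy.required_paths)]
    if policy.selector == "ALL":
        return "allow" if all(results) else "block"
    if policy.selector == "ANY":
        return "allow" if any(results) else "block"
    raise ValueError(f"unknown policy selector {policy.selector!r}")


def examine(user, downloadable_id, path_results, policies=POLICIES, groups=GROUPS):
    """Run policy lookup and the decision, and build the status report that the
    logical engine forwards to the record-keeping engine for the event log."""
    policy = find_policy(user, downloadable_id, policies, groups)
    if policy is None:
        decision = "block"   # assumption: no policy defined means fail closed
    else:
        decision = logical_engine(policy, path_results)
    return {
        "user": user,
        "downloadable_id": downloadable_id,
        "policy": policy.name if policy else None,
        "paths": dict(sorted(path_results.items())),
        "decision": decision,
    }
```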
FIG. 5 is a block diagram illustrating details of the security management console 120, which includes a security policy editor 505 coupled to the communications channel 135, an event log analysis engine 510 coupled between communications channel 135 and a user notification engine 515, and a Downloadable database review engine 520 coupled to the communications channel 135. The security management console 120 further includes computer components similar to the computer components illustrated in FIG. 2.

The security policy editor 505 uses an I/O interface similar to I/O interfa