throbber
Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 1 of 29
`

`

`

`

`

`

`
`Exhibit 14
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 2 of 29
`
`USO08079086B1
`
`(12) United States Patent
`Edery et al.
`
`(10) Patent No.:
`(45) Date of Patent:
`
`US 8,079,086 B1
`*Dec. 13, 2011
`
`(54) MALICIOUS MOBILE CODE RUNTIME
`MONITORING SYSTEMAND METHODS
`(75) Inventors: Yigal Mordechai Edery, Pardesia (IL);
`Nimrod Itzhak Vered, Goosh Tel-Mond
`(IL); David R Kroll, San Jose, CA (US);
`Shlomo Touboul, Kefar-Haim (IL)
`(73) Assignee: Finjan, Inc., San Jose, CA (US)
`(*) Notice:
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 0 days.
`This patent is Subject to a terminal dis
`claimer.
`(21) Appl. No.: 12/471.942
`(22) Filed:
`May 26, 2009
`Related U.S. Application Data
`(63) Continuation of application No. 1 1/370,114, filed on
`Mar. 7, 2006, now Pat. No. 7,613,926, which is a
`continuation of application No. 09/861.229, filed on
`May 17, 2001, now Pat. No. 7,058,822, which is a
`continuation-in-part of application No. 09/539,667,
`filed on Mar. 30, 2000, now Pat. No. 6,804,780, which
`is a continuation of application No. 08/964.388, filed
`on Nov. 6, 1997, now Pat. No. 6,092,194, said
`application No. 09/861.229 is a continuation-in-part of
`application No. 09/551.302, filed on Apr. 18, 2000,
`now Pat. No. 6,480,962.
`(60) Provisional application No. 60/205,591, filed on May
`17, 2000.
`(51) Int. Cl.
`
`(2006.01)
`(2006.01)
`G06F II/30
`(2006.01)
`G06F 15/16
`(2006.01)
`H04L 9M32
`(52) U.S. Cl. ........................... 726/24; 713/175; 713/176
`(58) Field of Classification Search ........................ None
`See application file for complete search history.
`References Cited
`
`(56)
`
`U.S. PATENT DOCUMENTS
`5,077,677 A 12/1991 Murphy et al. ................. TO6/62
`5,359,659 A 10, 1994 Rosenthal ....................... T26/24
`
`5,361,359 A 11/1994 Tajalliet al. .................... T26/23
`(Continued)
`
`EP
`EP
`
`FOREIGN PATENT DOCUMENTS
`109 1276
`4/2001
`1132796
`9, 2001
`
`OTHER PUBLICATIONS
`Zhong, et al., “Security in the Large: is Java's Sandbox Scalable?”
`Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6,
`Oct. 1998.
`
`(Continued)
`Primary Examiner — Christopher Revak
`(74) Attorney, Agent, or Firm —Dawn-Marie Bey; King &
`Spalding LLP
`ABSTRACT
`(57)
`Protection systems and methods provide for protecting one or
`more personal computers (“PCs”) and/or other intermittently
`or persistently network accessible devices or processes from
`undesirable or otherwise malicious operations of Java TN
`applets, ActiveXTM controls, JavaScriptTM scripts, Visual
`Basic scripts, add-ins, downloaded/uploaded programs or
`other “Downloadables' or “mobile code' in whole or part. A
`protection engine embodiment provides, within a server, fire
`wall or other suitable “recommunicator.” for monitoring
`information received by the communicator, determining
`whether received information does or is likely to include
`executable code, and if so, causes mobile protection code
`(MPC) to be transferred to and rendered operable within a
`destination device of the received information, more suitably
`by forming a protection agent including the MPC, protection
`policies and a detected-Downloadable. An MPC embodiment
`further provides, within a Downloadable-destination, for ini
`tiating the Downloadable, enabling malicious Downloadable
`operation attempts to be received by the MPC, and causing
`(predetermined) corresponding operations to be executed in
`response to the attempts, more Suitably in conjunction with
`protection policies.
`
`42 Claims, 10 Drawing Sheets
`
`Receive information swings protected
`informatter isstirator
`a "potential-owcastle'
`
`
`
`
`
`
`
`Y
`
`D
`CO.-----
`sternine whether the potential
`dowrfoadsteicides executable cade
`
`rtcudas
`cess
`
`s
`
`Nis
`
`Forms protection agent expresp to mobiles
`protection code, potential-downloadable
`now a detected-dowritesdaafe - any
`protection policias
`
`cause the protection agent to be deliversti
`to the infortatio-testsir
`
`cause potential-downloadsible
`keelWered to the
`inforatici-destination
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 3 of 29
`
`US 8,079,086 B1
`Page 2
`
`U.S. PATENT DOCUMENTS
`5,414,833 A
`5/1995 Hershey et al. ................. 726/22
`5,485.409 A
`1/1996 Gupta et al.
`T26,25
`5,485,575 A
`1/1996 Chess et al. .
`... 714,38
`5,572,643 A 11, 1996 Judson ........
`709,218
`5,579,509 A 1 1/1996 Furtney et al.
`703/27
`5,606,668 A
`2f1997 Shwed .....
`T26, 13
`5,623,600 A
`4/1997 Ji et al. .
`... 726/24
`5,638,446 A
`6, 1997 Rubin ......
`705/51
`5,675,711 A 10/1997 Kephart et al.
`... 706/12
`5,692,047 A 11/1997 McManis ....
`713, 167
`5,692,124 A 11/1997 Holden et al. .................... 726/2
`5,720,033. A
`2f1998 Deo ............
`726/2
`5,724.425. A
`3/1998 Chang et al. .................... 705/52
`5,740,248 A
`4, 1998 Fieres et al. .................. T13,156
`5,740,441 A
`4, 1998 Yellin et al. ....
`717,134
`5,761,421 A
`6, 1998 van Hoffet al.
`709,223
`5,765,205 A
`6, 1998 Breslau et al. .....
`711,203
`5,784,459 A
`7, 1998 Devarakonda et al.
`713,165
`5,796,952 A
`8, 1998 Davis et al. ........
`709,224
`5,805,829 A
`9, 1998 Cohen et al.
`709f2O2
`5,832,208 A 11/1998 Chen et al. ..
`... 726/24
`5,832,274 A 11, 1998 Cutler et al. .................. 717/171
`5,850,559 A 12/1998 Angelo et al. ................ T13,320
`5,859,966 A
`1/1999 Hayman et al.
`T26/23
`5,864,683 A
`1/1999 Boebert et al. .
`709/249
`5,881,151 A
`3, 1999 Yamamoto ..
`... 726/24
`5,884,033. A
`3, 1999 Duvallet al. ..
`709/206
`5,892,904 A
`4/1999 Atkinson et al.
`T26/22
`5,951,698 A
`9, 1999 Chen et al. .....
`... 714,38
`5,956.481 A
`9, 1999 Walsh et al.
`T26/23
`5,963,742 A 10, 1999 Williams ...................... T17,143
`5,974,549 A 10, 1999 Golan ............................. T26/23
`705/54
`5,978.484 A 11/1999 Apperson et al.
`... 76/13
`5,983,348
`11/1999 Ji ................
`A
`... 726,4
`5,987,611
`11/1999 Freund .....
`A
`726, 1
`6,088,801
`7/2000 Grecsek ...
`A
`6,088,803
`7/2000 TSO et al. .
`T26/22
`A
`*
`6,092,194
`7, 2000 Touboul ......
`... 726/24
`A
`6,154,844
`11/2000 Toubouletal
`... 726/24
`A
`6,167,520
`12/2000 Touboul ......
`T26/23
`A
`6,339,829 B1
`1/2002 Beadle et al.
`T26, 15
`6.425,058 B1
`7/2002 Arimilli et al.
`711 (134
`6,434,668 B1
`8, 2002 Arimilli et al.
`711,128
`6,434,669 B1
`8/2002 Arimilli et al. ............... T11 128
`6,480,962 B1 * 1 1/2002 Touboul .......................... 726/22
`6,487,666 B1
`1 1/2002 Shanklin et al. ...
`T26/23
`6,519,679 B2
`2/2003 Devireddy et al.
`711 114
`6,598,033 B2
`7/2003 ROSS et al. .....
`... 706/46
`6,732,179 B1
`5, 2004 Brown et al.
`709,229
`6,804,780 B1 * 10/2004 Touboul ......
`713, 181
`6,917,953 B2
`7/2005 Simon et al.
`707,204
`7,058,822 B2 * 6/2006 Edery et al. .
`T26/22
`7,143,444 B2 11/2006 Porras et al. .................... T26/30
`7,210,041 B1
`4/2007 Gryaznov et al. ............. T13, 188
`7,308.648 B1
`12/2007 Buchthal et al. ...
`715,234
`7,343,604 B2
`3/2008 Grabarnik et al. .
`719, 313
`7,418,731 B2
`8, 2008 Touboul .........
`T26/22
`7,613,926 B2 * 1 1/2009 Edery et al. .
`713, 181
`7,647,633 B2 *
`1/2010 Edery et al. .
`T26/22
`2003, OO14662 A1
`1/2003 Gupta et al.
`T26/23
`2003/0101358 A1
`5/2003 Porras et al. ...................... T26/4
`2004f0073811 A1
`4/2004 Sanin .............................. T26.13
`2004/0088425 A1
`5/2004 Rubinstein et al. ........... TO9/230
`2005/0050338 A1
`3/2005 Liang et al. ...
`713,188
`2005/0172338 A1
`8, 2005 Sandu et al. ...
`T26/22
`2006/0031207 A1
`2/2006 Bjarnestam et al. .............. 707/3
`2006,004.8224 A1
`3/2006 Duncan et al. ..
`T26/22
`2008/0066160 A1
`3/2008 Becker et al. ..................... T26/4
`2010.0195909 A1
`8/2010 Wasson et al. ................ 382, 176
`
`
`
`OTHER PUBLICATIONS
`Rubin, et al., “Mobile Code Security.” IEEE Internet, pp. 30-34, Dec.
`1998.
`Schmid, et al. "Protecting Data From Malicious Software.” Proceed
`ing of the 18' Annual Computer Security Applications Conference,
`pp. 1-10, 2002.
`
`Corradi, et al., “A Flexible Access Control Service for Java Mobile
`Code.” IEEE, pp. 356-365, 2000.
`International Search Report for Application No. PCT/IB97/01626, 3
`pp., May 14, 1998 (mailing date).
`International Search Report for Application No. PCT/IL05/00915, 4
`pp., dated Mar. 3, 2006.
`Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated
`Mar. 3, 2006 (mailing date).
`International Search Report for Application No. PCT/IB01/01138, 4
`pp., Sep. 20, 2002 (mailing date).
`International Preliminary Examination Report for Application No.
`PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
`Gerzic, Amer, “Write Your Own Regular Expression Parser.” Nov.
`17, 2003, 18 pp.
`Power, James, “Lexical Analysis,” 4 pp., May 14, 2006.
`Sitaker, Kragen, “Rapid Genetic Evolution of Regular Expressions'
`online). The Mial Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004),
`5 pp.
`“Lexical Analysis: DFA Minimization & Wrap Up' online). Fall,
`2004 retrieved on Mar. 2, 2005, 8 pp.
`“Minimization of DFA' online), retrieved on Dec. 7, 2004), 7 pp.
`“Algorithm: NFS -> DFA' online), Copyright 1999-2001 retrieved
`on Dec. 7, 2004), 4 pp.
`“CS 3813: Introduction to Formal Languages and Automata—State
`Minimization and Other Algorithms for Finite Automata.”3 pp., May
`11, 2003.
`Watson, Bruce W. “Constructing Minimal Acyclic Deterministic
`Finite Automata.” retrieved on Mar. 20, 2005), 38 pp.
`Chang, Chia-Hsiang, “From Regular Expressions to DFA's Using
`Compressed NFA’s.” Oct. 1992, 243 pp.
`“Products.” Articles published on the Internet, “Revolutionary Secu
`rity for a New Computing Paradigm' regarding SurfinGate M.7 pp.
`“Release Notes for the Microsoft ActiveX Development Kit,” Aug.
`13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
`Doyle, et al., “Microsoft Press Computer Dictionary.” Microsoft
`Press, 2d Edition, pp. 137-138, 1993.
`Finjan Software Ltd., “Powerful PC Security for the New World of
`JavaTM and Downloadables, Surfin ShieldTM.” Article published on
`the Internet by Finjan Software Ltd., 2 pp. 1996.
`Finjan Sofrtware Ltd., “Finjan Announces a Personal JavaTM Firewall
`for Web Browsers the SurfinShieldTM 1.6 (formerly known as
`SurfinBoard).” Press Release of Finjan Releases SurfinShield 1.6, 2
`pp., Oct. 21, 1996.
`Finjan Software Ltd., “Finjan Announces Major Power Boost and
`New Features for SurfinShieldTM 2.0.” Las Vegas Convention Center?
`Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Indus
`try's First JAVA Security Product for the World WideWeb.” Article
`published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
`Finjan Software Ltd., “Java Security: Issues & Solutions.” Article
`published on the Internet by Finjan Software Ltd., 8 pp. 1996.
`Finjan Software Ltd., Company Profile, “Finjan Safe Surfing. The
`Java Security Solutions Provider.” Article published on the Internet
`by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`“IBM AntiVirus User's Guide, Version 2.4.”. International Business
`Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Khare, R., “Microsoft Authenticode Analyzed” online), Jul. 22.
`1996 retrieved on Jun. 25, 2003), 2 pp.
`LaDue, M. Online Business Consultant: Java Security: Whose Busi
`ness is It?. Article published on the Internet, Home Page Press, Inc.,
`4 pp., 1996.
`Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certification.” PC
`Week, vol. 13, No. 29, 2 pp., Jul 22, 1996.
`Moritz, R., “Why We Shouldn't Fear Java.” Java Report, pp. 51-56,
`Feb. 1997.
`Microsoft, “Microsoft ActiveX Software Development Kit' online).
`Aug. 12, 1996 retrieved on Jun. 25, 2003), pp. 1-6.
`Microsoft(R) Authenticode Technology, "Ensuring Accountability
`and Authenticity for Software Components on the Internet.”
`Microsoft Corporation, Oct. 1996, including Abstract, Contents,
`Introduction, and pp. 1-10.
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 4 of 29
`
`US 8,079,086 B1
`Page 3
`
`Microsoft Corporation, Web Page Article “Frequently Asked Ques
`tions About Authenticode.” last updated Feb. 17, 1997, printed Dec.
`23, 1998, pp. 1-13.
`Okamoto, E., et al., “ID-Based Authentication System for Computer
`Virus Detection.” IEEE/IEEElectronic Library online, Electronics
`Letters, vol. 26, Issue 15, ISSN 0013-5 194, Jul. 19, 1990, Abstract
`and pp. 1169-1170.
`Omura, J. K., “Novel Applications of Cryptography in Digital Com
`munications.” IEEE Communications Magaine, pp. 21-29, May
`1990.
`
`Schmitt, D.A., “.EXE files, OS-2 style.” PC Tech Journal, vol. 6, No.
`11, p. 76(13), Nov. 1988.
`Zhang, X. N. “Secure Code Distribution.” IEEE/IEE Electronic
`Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
`D. Grune, et al., “Parsing Techniques: A Practical Guide.” John Wiley
`& Sons, Inc., New York, New York, USA, pp. 1-326, 2000.
`Power, James, “Notes on Formal Language Theory and Parsing.”
`National University of Ireland, pp. 1-40, 1999.
`* cited by examiner
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 5 of 29
`
`U.S. Patent
`
`Dec. 13, 2011
`
`Sheet 1 of 10
`
`US 8,079,086 B1
`
`100
`
`107
`
`
`
`Redundancy Support
`Subsystem-1
`(Sandbox Protected)
`
`105
`
`
`
`
`
`106
`
`
`
`
`
`External
`Network
`(Internet)
`
`Subsystem-N
`(Unprotected)
`
`
`
`Subsystem-M
`(Protected)
`
`F.G. 1 a
`
`ResourceServer-1
`
`Resource-1
`
`ResourceServer-N
`
`102
`
`121
`
`103
`
`131
`132
`
`104a
`
`
`
`104b.
`
`
`
`Corporate Server
`141b T 143
`Firewal 1
`
`---------es
`
`142)
`
`
`
`
`
`
`
`
`
`User
`Device-n
`
`User
`Device
`
`FG 1b.
`
`FIG. 1c
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 6 of 29
`
`U.S. Patent
`
`US 8,079,086 B1
`
`
`
`
`
`
`
`Z0Z
`
`•
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 7 of 29
`
`U.S. Patent
`
`US 8,079,086 B1
`
`
`
`00$
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 8 of 29
`
`U.S. Patent
`
`Dec. 13, 2011
`
`Sheet 4 of 10
`
`US 8,079,086 B1
`
`DEIX
`
`– – – – – – ]
`
`| |
`
`
`
`
`
`
`
`
`
`
`
`No. cael
`
`907
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 9 of 29
`
`U.S. Patent
`
`Dec. 13, 2011
`
`Sheet 5 of 10
`
`US 8,079,086 B1
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`| 09
`
`– – – – – ]
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 10 of 29
`
`U.S. Patent
`
`Dec. 13, 2011
`
`Sheet 6 of 10
`
`US 8,079,086 B1
`
`701
`
`702
`
`as as a sewer apa was a sea
`
`Memory Space-N
`
`
`
`
`
`MC initiator
`(JVM)
`
`
`
`
`
`
`
`Sandbox Engine
`
`FG. 7a
`
`341
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`801
`802
`803
`804.
`805
`806
`807
`
`FG. 8
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 11 of 29
`
`U.S. Patent
`
`Dec. 13, 2011
`
`Sheet 7 of 10
`
`US 8,079,086 B1
`
`
`
`ººº !!!!!!!!!!!!!
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 12 of 29
`
`U.S. Patent
`
`Dec. 13, 2011
`
`Sheet 8 of 10
`
`US 8,079,086 B1
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`100\,
`
`
`
`VOI "?INH
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 13 of 29
`
`U.S. Patent
`
`Dec. 13, 2011
`
`Sheet 9 of 10
`
`US 8,079,086 B1
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Install mobile protection code elements
`and policies within a destination device
`
`1101
`
`toad the downloadble without actually
`initiating it
`
`V
`Form an access interceptor for intercepting
`downloadable destination device access
`attempts within the destination device
`
`1102
`
`1103
`
`Initiate the DOwnloadable within the
`destination device
`
`1105
`
`
`
`Malicious
`aCCeSS
`
`No
`
`Yes
`Determine policies in accordance with the
`access attempt
`
`Execute the policies (including causing an
`allowable response expected by the
`DOnWloadable to be returned to the
`Downloadable)
`
`1109
`
`1111
`
`F.G. 11
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 14 of 29
`
`U.S. Patent
`
`US 8,079,086 B1
`
`
`
`CIZI “?IH
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 15 of 29
`
`US 8,079,086 B1
`
`1.
`MALICIOUS MOBILE CODE RUNTIME
`MONITORING SYSTEMAND METHODS
`
`PRIORITY REFERENCE TO RELATED
`APPLICATIONS
`
`This application is a continuation of assignee's application
`Ser. No. 1 1/370,114, filed Mar. 7, 2006, now U.S. Pat. No.
`7,613,926, entitled “Method and System for Protecting a
`Computer and a Network from Hostile Downloadables.”
`which is a continuation of Ser. No. 09/861.229, filed on May
`17, 2001, now U.S. Pat. No. 7,058,822, entitled “Malicious
`Mobile CodeRuntime Monitoring System And Methods', all
`of which are hereby incorporated by reference. U.S. applica
`tion Ser. No. 09/861.229 claims benefit of provisional appli
`cation Ser. No. 60/205,591, entitled “Computer Network
`Malicious Code Run-time Monitoring.” filed on May 17,
`2000 by inventors Nimrod Itzhak Vered, et al., which is
`hereby incorporated by reference. U.S. application Ser. No.
`09/861.229 is also a Continuation-In-Part of U.S. patent
`application Ser. No. 09/539,667, entitled “System and
`Method for Protecting a Computer and a Network From Hos
`tile Downloadables' filed on Mar. 30, 2000 by inventor
`Shlomo Touboul, now U.S. Pat. No. 6,804,780, and hereby
`incorporated by reference, which is a continuation of assign
`ee's U.S. patent application Ser. No. 08/964,388, filed on
`Nov. 6, 1997, now U.S. Pat. No. 6,092,194, also entitled
`“System and Method for Protecting a Computer and a Net
`work from Hostile Downloadables' and hereby incorporated
`by reference. U.S. Ser. No. 09/861.229 is also a Continuation
`In-Part of U.S. patent application Ser. No. 09/551.302,
`entitled “System and Method for Protecting a Client During
`Runtime From Hostile Downloadables', filed on Apr. 18,
`2000 by inventor Shlomo Touboul, now U.S. Pat. No. 6,480,
`962, which is hereby incorporated by reference.
`
`10
`
`15
`
`25
`
`30
`
`35
`
`BACKGROUND OF THE INVENTION
`
`40
`
`45
`
`50
`
`1. Field of the Invention
`This invention relates generally to computer networks, and
`more particularly provides a system and methods for protect
`ing network-connectable devices from undesirable down
`loadable operation.
`2. Description of the Background Art
`Advances in networking technology continue to impact an
`increasing number and diversity of users. The Internet, for
`example, already provides to expert, intermediate and even
`novice users the informational, product and service resources
`of over 100,000 interconnected networks owned by govern
`ments, universities, nonprofit groups, companies, etc. Unfor
`tunately, particularly the Internet and other public networks
`have also become a major source of potentially system-fatal
`or otherwise damaging computer code commonly referred to
`as “viruses.”
`Efforts to forestall viruses from attacking networked com
`55
`puters have thus far met with only limited success at best.
`Typically, a virus protection program designed to identify and
`remove or protect against the initiating of known viruses is
`installed on a network firewall or individually networked
`computer. The program is then inevitably surmounted by
`Some new virus that often causes damage to one or more
`computers. The damage is then assessed and, if isolated, the
`new virus is analyzed. A corresponding new virus protection
`program (or update thereof) is then developed and installed to
`combat the new virus, and the new program operates Success
`65
`fully until yet another new virus appears—and so on. Of
`course, damage has already typically been incurred.
`
`60
`
`2
`To make matters worse, certain classes of viruses are not
`well recognized or understood, let alone protected against. It
`is observed by this inventor, for example, that Downloadable
`information comprising program code can include distribut
`able components (e.g. JavaTM applets and JavaScript scripts,
`ActiveXTM controls, Visual Basic, add-ins and/or others). It
`can also include, for example, application programs, Trojan
`horses, multiple compressed programs such as Zip or meta
`files, among others. U.S. Pat. No. 5,983,348 to Shuang, how
`ever, teaches a protection system for protecting against only
`distributable components including “Java applets or ActiveX
`controls, and further does so using resource intensive and
`high bandwidth static Downloadable content and operational
`analysis, and modification of the Downloadable component;
`Shuang further fails to detect or protect against additional
`program code included within a tested Downloadable. U.S.
`Pat. No. 5,974,549 to Golan teaches a protection system that
`further focuses only on protecting against ActiveX controls
`and not other distributable components, let alone other
`Downloadable types. U.S. Pat. No. 6,167,520 to Touboul
`enables more accurate protection than Shuang or Golan, but
`lacks the greater flexibility and efficiency taught herein, as do
`Shuang and Golan.
`Accordingly, there remains a need for efficient, accurate
`and flexible protection of computers and other network con
`nectable devices from malicious Downloadables.
`
`SUMMARY OF THE INVENTION
`
`The present invention provides protection systems and
`methods capable of protecting a personal computer (“PC”) or
`other persistently or even intermittently network accessible
`devices or processes from harmful, undesirable, Suspicious or
`other “malicious' operations that might otherwise be effec
`tuated by remotely operable code. While enabling the capa
`bilities of prior systems, the present invention is not nearly so
`limited, resource intensive or inflexible, and yet enables more
`reliable protection. For example, remotely operable code that
`is protectable against can include downloadable application
`programs, Trojan horses and program code groupings, as well
`as software “components, such as JavaTM applets,
`ActiveXTM controls, JavaScriptTM/Visual Basic scripts, add
`ins, etc., among others. Protection can also be provided in a
`distributed interactively, automatically or mixed configurable
`manner using protected client, server or other parameters,
`redirection, local/remote logging, etc., and other server/client
`based protection measures can also be separately and/or
`interoperably utilized, among other examples.
`In one aspect, embodiments of the invention provide for
`determining, within one or more network "servers' (e.g. fire
`walls, resources, gateways, email relays or other devices/
`processes that are capable of receiving-and-transferring a
`Downloadable) whether received information includes
`executable code (and is a “Downloadable'). Embodiments
`also provide for delivering static, configurable and/or exten
`sible remotely operable protection policies to a Download
`able-destination, more typically as a sandboxed package
`including the mobile protection code, downloadable policies
`and one or more received Downloadables. Further client
`based or remote protection code/policies can also be utilized
`in a distributed manner. Embodiments also provide for caus
`ing the mobile protection code to be executed within a Down
`loadable-destination in a manner that enables various Down
`loadable operations to be detected, intercepted or further
`responded to via protection operations. Additional server/
`information-destination device security or other protection is
`also enabled, among still further aspects.
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 16 of 29
`
`3
`A protection engine according to an embodiment of the
`invention is operable within one or more network servers,
`firewalls or other network connectable information re-com
`municating devices (as are referred to herein Summarily one
`or more “servers' or “re-communicators'). The protection
`engine includes an information monitor for monitoring infor
`mation received by the server, and a code detection engine for
`determining whether the received information includes
`executable code. The protection engine also includes a pack
`aging engine for causing a sandboxed package, typically
`including mobile protection code and downloadable protec
`tion policies to be sent to a Downloadable-destination in
`conjunction with the received information, if the received
`information is determined to be a Downloadable.
`A sandboxed package according to an embodiment of the
`15
`invention is receivable by and operable with a remote Down
`loadable-destination. The sandboxed package includes
`mobile protection code (“MPC) for causing one or more
`predetermined malicious operations or operation combina
`tions of a Downloadable to be monitored or otherwise inter
`cepted. The sandboxed package also includes protection poli
`cies (operable alone or in conjunction with further
`Downloadable-destination stored or received policies/MPCs)
`for causing one or more predetermined operations to be per
`formed if one or more undesirable operations of the Down
`25
`loadable is/are intercepted. The sandboxed package can also
`include a corresponding Downloadable and can provide for
`initiating the Downloadable in a protective “sandbox”. The
`MPC/policies can further include a communicator for
`enabling further MPC/policy information or “modules' to be
`utilized and/or for event logging or other purposes.
`A sandbox protection system according to an embodiment
`of the invention comprises an installer for enabling a received
`MPC to be executed within a Downloadable-destination (de
`vice/process) and further causing a Downloadable applica
`tion program, distributable component or other received
`downloadable code to be received and installed within the
`Downloadable-destination. The protection system also
`includes a diverter for monitoring one or more operation
`attempts of the Downloadable, an operation analyzer for
`determining one or more responses to the attempts, and a
`security enforcer for effectuating responses to the monitored
`operations. The protection system can further include one or
`more security policies according to which one or more pro
`tection system elements are operable automatically (e.g. pro
`grammatically) or in conjunction with user intervention (e.g.
`as enabled by the security enforcer). The security policies can
`also be configurable/extensible in accordance with further
`downloadable and/or Downloadable-destination informa
`tion.
`A method according to an embodiment of the invention
`includes receiving downloadable information, determining
`whether the downloadable information includes executable
`code, and causing a mobile protection code and security
`policies to be communicated to a network client in conjunc
`tion with security policies and the downloadable information
`if the downloadable information is determined to include
`executable code. The determining can further provide mul
`tiple tests for detecting, alone or together, whether the down
`loadable information includes executable code.
`A further method according to an embodiment of the
`invention includes forming a sandboxed package that
`includes mobile protection code (“MPC), protection poli
`cies, and a received, detected-Downloadable, and causing the
`sandboxed package to be communicated to and installed by a
`receiving device or process (“user device’) for responding to
`one or more malicious operation attempts by the detected
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`US 8,079,086 B1
`
`5
`
`10
`
`4
`Downloadable from within the user device. The MPC/poli
`cies can further include a base “module” and a “communica
`tor' for enabling further up/downloading of one or more
`further “modules' or other information (e.g. events, user/user
`device information, etc.).
`Another method according to an embodiment of the inven
`tion includes installing, within a user device, received mobile
`protection code (“MPC) and protection policies in conjunc
`tion with the user device receiving a downloadable applica
`tion program, component or other Downloadable(s). The
`method also includes determining, by the MPC, a resource
`access attempt by the Downloadable, and initiating, by the
`MPC, one or more predetermined operations corresponding
`to the attempt. (Predetermined operations can, for example,
`comprise initiating user, administrator, client, network or pro
`tection system determinable operations, including but not
`limited to modifying the Downloadable operation, extricating
`the Downloadable, notifying a user/another, maintaining a
`local/remote log, causing one or more MPCs/policies to be
`downloaded, etc.)
`Advantageously, systems and methods according to
`embodiments of the invention enable potentially damaging,
`undesirable or otherwise malicious operations by even
`unknown mobile code to be detected, prevented, modified
`and/or otherwise protected against without modifying the
`mobile code. Such protection is further enabled in a manner
`that is capable of minimizing server and client resource
`requirements, does not require pre-installation of security
`code within a Downloadable-destination, and provides for
`client specific or generic and readily updateable security mea
`sures to be flexibly and efficiently implemented. Embodi
`ments further provide for thwarting efforts to bypass security
`measures (e.g. by “hiding undesirable operation causing
`information within apparently inert or otherwise “friendly'
`downloadable information) and/or dividing or combining
`security measures for even greater flexibility and/or effi
`ciency.
`Embodiments also provide for determining protection
`policies that can be downloaded and/or ascertained from
`other security information (e.g. browser settings, administra
`tive policies, user input, uploaded information, etc.). Differ
`ent actions in response to different Downloadable operations,
`clients, users and/or other criteria are also enabled, and
`embodiments provide for implementing other security mea
`Sures, such as verifying a downloadable source, certification,
`authentication, etc. Appropriate action can also be accom
`plished automatically (e.g. programmatically) and/or in con
`junction with alerting one or more users/administrators, ulti
`lizing user input, etc. Embodiments further enable desirable
`Downloadable operations to remain substantially unaffected,
`among other aspects.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG.1a is a block diagram illustrating a network system in
`accordance with an embodiment of the present invention;
`FIG. 1b is a block diagram illustrating a network sub
`system example in accordance with an embodiment of the
`invention;
`FIG. 1c is a block diagram illustrating a further network
`Subsystem example in accordance with an embodiment of the
`invention;
`FIG. 2 is a block diagram illustrating a computer system in
`accordance with an embodiment of the invention;
`FIG. 3 is a flow diagram broadly illustrating a protection
`system host according to ru an embodiment of the invention;
`
`

`

`Case 3:17-cv-05659-WHA Document 111-13 Filed 06/15/18 Page 17 of 29
`
`US 8,079,086 B1
`
`5
`FIG. 4 is a block diagram illustrating a protection engine
`according to an embodiment of the invention;
`FIG. 5 is a block diagram illustrating a content inspection
`engine according to an embodiment of the invention;
`FIG. 6a is a block diagram illustrating protection engine
`parameters according to an embodiment of the invention;
`FIG. 6b is a flow diagram illustrating a linking engine use
`in conjunction with ordinary, compressed and distributable
`sandbox package utilization, according to an embodiment of
`the invention;
`FIG. 7a is a flow diagram illustrating a sandbox protection
`system operating within a destination system, according to an
`embodiment of the invention;
`FIG.7b is a block diagram illustrating memory allocation
`usable in conjunction with the protection system of FIG. 7a,
`according to an embodiment of the invention;
`FIG. 8 is a block diagram illustrating a mobile protection
`code according to an embodiment of the invention;
`FIG. 9 is a flowchart illustrating a protection method
`according to an embodiment of the invention;
`FIG.10a is a flowchart illustrating method for determining
`if a potential-Downloadable includes or is likely to include
`executable code, according to an embodiment of the inven
`tion;
`FIG. 10b is a flowchart illustrating a method for forming a
`protection agent, according to an embodiment of the inven
`tion;
`FIG. 11 is a flowchart illustrating a method for protecting a
`Downloadable destination according to an embodiment of the
`invention;
`FIG.12a is a flowchart illustrating a method for forming a
`Downloadable access interceptor according to an embodi
`ment of the invention; and

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket