Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 1 of 31
`
` 
`
` 
`
` 
`
` 
`
` 
`
` 
`
`Exhibit 3
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 2 of 31
`Case S-ov05650,OoFEMTTT
`
`US007647633B2
`
`a2) United States Patent
`US 7,647,633 B2
`do) Patent No.:
`
`*Jan. 12, 2010(45) Date of Patent:
`Ederyet al.
`
`MALICIOUS MOBILE CODE RUNTIME
`MONITORING SYSTEM AND METHODS
`
`(56)
`
`References Cited
`U.S, PATENT DOCUMENTS
`
`5,077,677 A
`
`12/1991 Murphy et al. oo... 706/62
`
`(Continued)
`FOREIGN PATENT DOCUMENTS
`
`EP
`EP
`
`109 1276
`1132796
`
`4/2001
`9/2001
`
`OTHER PUBLICATIONS
`
`Zhong,et al., “Security in the Large: is Java’s Sandbox Scalable?,”
`Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6,
`Oct., 1998.
`
`(Continued)
`
`Primary Examiner—Christopher A Revak
`(74) Attorney, Agent, or Firm—King & Spalding LLP
`
`(57)
`
`ABSTRACT
`
`Protection systems and methodsprovidefor protecting one or
`more personal computers (““PCs’’) and/or other intermittently
`or persistently network accessible devices or processes from
`undesirable or otherwise malicious operations of Java™
`applets, ActiveX™ controls, JavaScript™ scripts, Visual
`Basic scripts, add-ins, downloaded/uploaded programs or
`other “Downloadables” or “mobile code” in whole or part. A
`protection engine embodimentprovides, within a server,fire-
`wall or other suitable “re-communicator,’ for monitoring
`information received by the communicator, determining
`whether received information does or is likely to include
`executable code, and if so, causes mobile protection code
`(MPC) to be transferred to and rendered operable within a
`destination device of the received information, more suitably
`by forming a protection agent including the MPC,protection
`policies and a detected-Downloadable. An MPC embodiment
`further provides, within a Downloadable-destination, for ini-
`tiating the Downloadable, enabling malicious Downloadable
`operation attempts to be received by the MPC,and causing
`(predetermined) corresponding operations to be executed in
`response to the attempts, more suitably in conjunction with
`protectionpolicies.
`
`(54)
`
`(75)
`
`Inventors: Yigal Mordechai Edery, Pardesia (IL);
`Nimrod Itzhak Vered, Goosh Tai-Mond
`(IL); David R. Kroll, San Jose, CA
`(US); Shlomo Touboul, Kefar-Haim(IL)
`
`(73)
`
`Assignee: Finjan Software, Ltd., Netanya (IL)
`
`(*)
`
`Notice:
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 917 days.
`
`This patent is subject to a terminal dis-
`claimer.
`
`(21)
`
`Appl. No.: 11/159,455
`
`(22)
`
`Filed:
`
`Jun. 22, 2005
`
`Prior Publication Data
`
`US 2006/0026677 Al
`
`Feb. 2, 2006
`
`Related U.S. Application Data
`
`Continuation of application No. 09/861,229, filed on
`May 17, 2001, nowPat. No. 7,058,822, and a continu-
`ation-in-part of application No. 09/551,302, filed on
`Apr. 18, 2000, now Pat. No. 6,480,962, and a continu-
`ation-in-part of application No. 09/539,667, filed on
`Mar. 30, 2000, now Pat. No. 6,804,780.
`
`Provisional application No. 60/205,591, filed on May
`17, 2000.
`
`Int. Cl.
`
`(2006.01)
`G06F21/24
`(2006.01)
`G06F 1130
`(2006.01)
`G06F 135/16
`UWS. C1.
`cececcecccccccceesteceeecessseeeseeseseecneceseanenee 726/22
`Field of Classitication Search ........0..00..0... None
`
`(65)
`
`(63)
`
`(60)
`
`(51)
`
`(52)
`(58)
`
`See application file for complete search history.
`
`41 Claims, 10 Drawing Sheets
`
`
`‘Security!
`' Authentication
`1
`Potides
`
`
`Daleetion Engine
`
`Inspection Param
`Not Executable
`(NXEQ}
`
`
`
` 340 341 342 343
`I
`‘\
`I
`
`
`
`[we[ro[>a]
`Transfer
`Engine
`
`
`
`User, policy, interfacing
`or other information
` Protected Package Engine
`
`
`
`FINJAN-JN 000954
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 3 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 3 of 31
`
`US 7,647,633 B2
`
`Page 2
`
`International Search Report for Application No. PCT/IB97/01626, 3
`pp., May 14, 1998 (mailing date).
`International Search Report for Application No. PCT/IL05/00915, 4
`pp., March 3, 2006.
`Written Opinion for Application NO. PCT/IL05/00915, 5 pp., Mar. 3,
`2006 (mailing date).
`International Search Report for Application No. PCT/IB01/01138,
`44 pp., Sep. 20, 2002 (mailing date).
`International Preliminary Examination Report for Application No.
`PCT/IBO1/01138, 2 pp., dated Dec. 19, 2002.
`Gerzic, Amer, “Write Your Own Regular Expression Parser,’ Nov.
`17, 2003, 18 pp.,.
`Power, James, “Lexical Analysis,” 4 pp., May 14, 2006, Retrieved
`from the Internet:.
`Sitaker, Kragen “Rapid Genetic Evolution of Regular Expression”
`[online], Zhe MialArchive, Apr. 24, 2004 (retrieved on Dec. 7, 2004),
`5 pp...
`“Lexical Analysis: DFA Minimization & Wrap Up”[online], Fall,
`2004 [retrieved on Mar. 2, 2005], 8 pp.,.
`“Minimization of DFA”[online], [retrieved on Dec. 7, 2004], 7 pp.,
`Retrieved. from the Internet:
`“Algorithm: NFS -> DFA”[online], Copyright 1999-2001 [retrieved
`on Dec. 7, 2004], 4 pp...
`“CS 3813: Introduction to Formal Languages and Automata - State
`Minimization and Other Algorithms for Finite Automata,” [retrieved
`on May11, 2003], 38 pp.
`Watson, Bruce W., “Constructing Minimal Acyclic Deterministic
`Finite Automata,”[retrieved on Mar. 20, 2005], 38 pp.
`Chang, Chia-Hsiang. “From Regular Expression to DFA’s Using
`Compressed NFA’s,” Oct., 1992, 243 pp.
`“Products,” Articles published on the Internet, “Revilutionary Secu-
`rity for a New Computing Paradigm”regarding SurfinGate™, 7 pp.
`no date provided.
`“Release Notes for the Microsoft, ActiveX Development Kit,” Aug.
`13, 1996, activex.adsp.or.jp/inctsdk/readme.txt, pp. 1-10.
`Doyle et al., “Microsoft Press Computer Dictionary,” Microsoft
`Press, 2d Edition, pp. 137-138, 1993.
`Finjan Software Ltd., “Powerful PC Security for the New World of
`Java! and Downloadables, SurfinShield!™” Article published on
`the Internet by Finjan Software Ltd., 2 pp. 1996.
`Finjan Sofrtware Ltd., “Finjan Announces as Personal Java™
`Firewall for Web Browsers - The SurfinShield™1.6 (formerly known
`as SurfinBoard),” Press Release of Finjan Releses SurfinShield 1.6,
`pp., Oct. 21, 1996.
`Finjan Software Ltd., “Finjan Announces Major Power Boost and
`New features for SurfinShield™ 2.0,” Las Vegas Convention Center/
`Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Indus-
`try’s Fist JAVA Security Product for the World Wide Web,” Article
`published on the Internet by Finjan Software Ltd., Ip., Jul. 29, 1996.
`Tinjan Software Ltd., “Java Security: Issues & Solutions,” Article
`published on the Internet by I'injan Software Ltd., 8 pp. 1996.
`Finjan Software Ltd., Company Profile, “Finjan - Safe Surfing, the
`Java Security Solutions Provider,’ Article published on the Internet
`by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`“IBM AntiVirus User’s Guide, Version 2.4,”, International Business
`Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Khare, R., “Microsoft Authenticode Analyzed” [online], Jul. 22,
`1996[retrieved on Jun. 25, 2003], 2 pp.
`LaDue,M., Online Business Consultant: Java Security: Whose Busi-
`nessis It?, Article published on the Internet, Home PagePress,Inc.,
`4 pp., 1996.
`Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certification,’ PC
`Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
`Moritz, R., “Why We Shouldn’t Fear Java,” Java Report, pp. 51-56,
`Teb., 1997.
`Microsoft, “Microsoft ActiveX Software DevelopmentKit”[online],
`Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6.
`Microsoft® Authenticode ‘lechnology, “Ensuring Accountability
`and Authenticity for Software Components on the Internet,”
`
`FINJAN-JN 000955
`
`U.S. PATENT DOCUMENTS
`
`10/1994 Rosenthal.....
`.. 726/24
`5,359,659 A
`
`11/1994 Tajalli et al.
`...
`... 726/23
`5,361,359 A
`
`5/1995 Hershey etal.
`...
`... 726/22
`5,414,833 A
`1/1996 Guptaet al.
`...
`. 726/25
`5,485,409 A
`
`1/1996 Chessetal. .......
`... 714/38
`5,485,575 A
`11/1996 Judson 0... eee
`eeseeeee 709/218
`5,572,643 A
`11/1996 Furtneyetal.
`... 703/27
`5,579,509 A
`
`
`.. 726/13
`2/1997
`5,606,668 A *
`4/1997 Jietal.
`... 726/24
`5,623,600 A *
`i
`6/1997
`705/51
`5,638,446 A
`
`10/1997 Kephart et al.
`....
`... 706/12
`5,675,711 A
`
`11/1997 McManis ...............000-5 713/167
`5,692,047 A
`11/1997 Holdenetal.
`« 7126/2
`5,692,124 A
`
`.seeescesccccsccescenseseeeee 726/2
`ZQ/1998 Deo
`5,720,033 A
`3/1998 Chang etal. oe 705/52
`5,724,425 A
`4/1998 Fiereset al.
`. 713/156
`5,740,248 A
`.
`4/1998 Yellin et al.
`. 717/134
`5,740,441 A
`6/1998 van Hoffetal.
`. 709/223
`5,761,421 A
`....
`6/1998 Breslau etal.
`. 711/203
`5,765,205 A
`7/1998 Devarakondaetal.
`. 713/165
`5,784,459 A
`. 709/224
`8/1998 Davis etal.
`....
`5,796,952 A
`
`. 709/202
`9/1998 Cohenet al.
`5,805,829 A
`11/1998 Chen etal.
`. 726/24
`5,832,208 A
`11/1998 Cutler et al.
`. TATA
`5,832,274 A
`.....
`12/1998 Angelo etal.
`we 713/320
`5,850,559 A
`1/1999 Hayman etal... 726/23
`5,859,966 A
`.
`. 709/249
`1/1999 Boebert et al.
`5,864,683 A
`
`3/1999 Yamamolo.......
`726/24
`5,881,151 A
`
`.........
`.. 709/206
`3/1999 Duvalletal.
`5,884,033 A
`4/1999 Atkinsonet al.
`. 726/22
`5,892,904 A
`
`9/1999 Chenetal. ........
`... 714/38
`5,951,698 A
`
`9/1999 Walsh etal. wee 726/23
`5,956,481 A
`10/1999 Williams .
`. 717/143
`5,963,742 A
`
`5,974,549 A * 10/1999 Golan
`726/23
`
`11/1999 Apperson etal.
`....
`.. 705/54
`5,978,484 A
`5,983,348 A * 11/1999 Ji wo.
`726/13
`
`5,987,611 A
`11/1999 Freund.
`....
`726/4
`
`7/2000 Grecsek ........
`6,088,801 A
`726/1
`. 726/22
`6,088,803 A
`7/20
`Tso et al.
`.
`
`6,092,194 A *
`7/20!
`Touboul
`..
`726/24
`6,154,844 A *
`11/20
`Toubouletal.
`. 726/24
`
`6,167,520 A *
`12/20
`Touboul
`.....
`726/23
`6,339,829 Bl
`1/20
`Beadle etal.
`726/15
`6,425,058 Bl
`7/20
`Arimilli et al.
`711/134
`6,434,668 Bl
`8/20)
`Arimilli et al.
`711/128
`6,434,669 Bl
`8/20)
`Arimilli et al
`711/128
`
`Touboul
`.......
`6,480,962 B1* 11/20
`
`...
`6,487,666 Bl
`11/20
`Shanklin et al.
`
`...
`6,519,679 B2
`2/20
`Devireddyet al.
`6,598,033 B2
`7/2003 Rossetal.
`.....
`
`
`6,732,179 B1*
`5/20!
`Brownetal. ......
`6,804,780 B1* 10/20
`Touboul
`
`6,917,953 B2
`7/20
`Simonet al.
`
`7,058,822 B2*
`6/20!
`Edery etal. .......
`
`7,210,041 Bl
`4/20
`Gryaznovetal. ....
`7,343,604 B2
`3/20
`Graharnik et. al
`
`7,418,731 B2
`8/20
`Touboul
`2004/0073811 Al
`4/20
`Sanin ...........0.
`
`2004/0088425 Al
`§/20
`Rubinstein et al.
` veeeee 726/22
`2005/0172338 Al
`8/20
`Sanduet al.
`2006/0031207 Al
`2/20
`Bjarnestamet al. «2.0.0.0... 7107/3
`
`
`
`
`
`..
`
`..
`.
`.
`
`
`
`000022222
`
`23
`
`44567884456
`
`OTHER PUBLICATIONS
`
`Rubin,et al., “Mobile Code Security,’ ZEEEInternet, pp. 30-34, Dec.,
`1998.
`Schmid,et al. “Protecting Data From Malicious Software,” Proceed-
`ing ofthe 18Annual Computer Security Applications Conference,
`pp. 1-10, 2002.
`Corradi, et al., ““A Flexible Access Control Service for Java Mobile
`Code,” IEEE, pp. 356-365, 2000.
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 4 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 4 of 31
`
`US 7,647,633 B2
`Page 3
`
`including Abstract, Contents,
`
`Microsoft Corporation, Oct., 1996,
`Introduction, and pp. 1-10.
`Microsoft Corporation, Web Page Article “Frequently Asked Ques-
`tions About Authenticode,”last updated Feb. 17, 1997, printed Dec.
`23, 1998.
`Okamoto, E., et al., “ID-Based Authentication System for Computer
`Virus Detection,” IEEE/IEE Electronic Library online, Electronics
`Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract
`and pp. 1169-1170.
`
`Omura, J. K., “Novel Applications of Cryptography in Digital Com-
`munications,” JEEE Communications Magazine, pp. 21-29, May,
`1990
`Schmitt, D.A., “.EXEfiles, OS-2 style,’ PC Tech Journal , vol.6, No.
`11, p. 76(13), Nov., 1988.
`Zhang, X. N., “Secure Code Distribution,’ IEEE/IEE Electronic
`Library online, Computer,vol. 30, Issue 6, pp. 76-79, Jun., 1997.
`D. Grune, et al., “Parsing Techniques: A Practical Guide,” John
`Wiley & Sons, Inc., New York, New York, USA,pp. 1-326, 2000.
`
`* cited by examiner
`
`FINJAN-JN 000956
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 5 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 5 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 1 of 10
`
`US 7,647,633 B2
`
`100
`
`Redundancy Support
`
`107
`
`102
`
`
`Resource-1
`
`
`External
`Network
`
`(Intemet)
`
`
`ResourceServer-N 131
`
` Subsystem-M
`132
`
`
`Subsystem-1
`(Sandbox Protected)
`
`Subsystem-N
`(Unprotected)
`
`(Protected)
`
`105
`
`106
`
`ResourceServer-1
`
`124
`
`103
`
`FIG.la
`
`
`
`104a
`
`104b
`
`
`
`Protection Engine
`(PE)
`
`145a
`
`_— 145
`
`
`
`N 142a
`
`146
`
`Client
`
`
`
`FIG. 1b
`
`FIG.1c
`
`FINJAN-JN 000957
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 6 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 6 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 2 of 10
`
`US 7,647,633 B2
`
`907
`
`S07
`
`
`
`a1qepeayJomnduwo07
`
`
`
`UMIPs|A[932.10}
`
`v07
`
`
`
`a[qepesyJoyndwoy
`
`JopeayUMIpsy]93%10}5
`
`
`
`(s)eotaagindjng
`
`€6Z
`
`
`
`wia3skgsuneiodg
`
`AIOWDJSUDYIOM,
`
`607
`
`807
`
`¢OW
`
`o8ei01590RJID}U]
`
`(s)eotaagjnduy
`suolestunww0Z
`T0¢|ommen|707
`
`£07
`
`LOZ
`
`NS
`
`007
`
`FINJAN-JN 000958
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 7 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 7 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 3 of 10
`
`US 7,647,633 B2
`
`paalaooy
`
`UOTJBULIOJUT
`
`/a|qeynsex7y-uoN)
`
`
`
`(ojuyatqeynsexq
`
`COL
`
`JeMeul4
`
`UOHI9}Ol¢| Toe
`
`OcE
`
`
`
`(4d)auibuZ
`
`tOW
`
`FINJAN-JN 000959
`
`aiqeinoaxy
`
`JON
`
`Tee
`
`00¢
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 8 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 8 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 4 of 10
`
`US 7,647,633 B2
`
`|sapoijoga)voneonuayjny|purses
`LevcSLL|7||||
`
`Vie
`
`|ar7sozAjeuy\-sepeey-uonesnuauanyit
`AaN0dcc
`
`EveCreLeOve (D3XN)
`
`
`
`31QeyNISxXIJON
`
`eeeLLJ
`
`ow00r
`
`
`
`
`
`sulseyisqul‘Aorpod‘1asy)
`
`03x
`
`UONPULUOJU|
`
`JoyuOW
`
`uaAdl|0q
`
`“U8OdW
`
`
`
`JOJBsaUedyusby
`
`Buryury
`
`eulbug
`
`JOjSUBI)
`
`eul6ug
`
`
`
`UOTLBULOJUIJ3yJO10
`
`
`
`abeyorypayajoldg
`
`bOI oujbuy
`
`FINJAN-JN 000960
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 9 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 9 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 5 of 10
`
`US 7,647,633 B2
`
`SINSWEILY4a1\QeynNoExy
`
`
`
`
`
`SIBJAWEI2gEPODaiqeinoaxy409
`
`
`
`siqjewBeYgwaned
`
`
`
`suayaweedJasy)
`
`
`
`SUBJOWIEJEYJEJBUaS
`
`siajeweedwajskS209
`
`LOS
`
`eeq
`
`J9uD}04
`
`CITTTwewog|
`
`sayeyuy
`
`pajep-ad)
`
`(sossacoid
`
`adh4alts
`
`40}99)2q
`
`
`
`SJSJAWEIEYGOELAIUISa!ihe
`
`SOSbs|10109;8q_
`NyyPedS—..|I|
`
`Areurg
`
`~o_oLjoyuoD|
`
`ber
`
`SOP
`
`Nm
`
`¢
`
`Josseocida.yoojap-jsod
`eui6ugGuu]
`
`(sossaidui09)
`
`‘Bley[einerg
`
`499°DIA
`
`89°Old$‘DOL
`
`t
`
`
`
`Joye19UageulBug
`
`quaByo1Jaysues)OF
`
`Buyyuryof
`
`auiBug
`
`FINJAN-JN 000961
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 10 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 10 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 6 of 10
`
`US 7,647,633 B2
`
`700
`Ny
`
`Protection
`been uatercnstseemeee?
`
`702
`701
`
` 340
`
`Memory Space-N
`
`
`
`
`,
`
`MC initiator
`(JVI)
`
`
`
`FIG. 7a
`
`341
`
`
`
`
`803
`
`
`&D4
`
`
`805
`806
`
`
`
`
`804
`
`802
`
`
`
`807
`
`FINJAN-JN 000962
`
`FIG.8
`
`Resource Access Analyzer
`
`Policy Enforcer
`MPC De-Instalier
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 11 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 11 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 7 of 10
`
`US 7,647,633 B2
`
`
`
`901
`
` Monitor re-communicator (e.g. server)
`operation
`
`
`Receive information having a protected
`information destination
`
`(a "potential-Downloadable")
`
`903
`
`
`Code ?
`
`Includes
`
`
`
` 919
`
`
`
`o17
`
`Cause potential-Downloadable
`to be delivered to the
`information-destination
`
`Form a protection agent corresp to mobile
`protection code, potential-Downloadable
`(now a detected-Downloadable) + any
`protection policies
`
`
`
`Causethe protection agent to be delivered
`to the information-Destination
`
`921
`
`FIG. 9
`
`FINJAN-JN 000963
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 12 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 12 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 8 of 10
`
`US 7,647,633 B2
`
`G00‘Dl
`
`VOSl
`
`
`
`24}0}Burpioo0eapoouoNOaj}OJNdajiqow
`
`
`
`
`
`LLOL
`
`
`
`
`
`WO}pueSiajaUeJedUONDe}O/dSASSY
`
`616
`
`+001
`
`slajowesed
`
`si9}ouesed
`
`ELOL
`
`WHO}puesiajeweJedUONoa}O1daASLUyOY
`
`
`
`
`
`ayy03Bulpso00esajoljoduolj99}01d
`
`
`e001$}U9JUODjyOU)JOYJOUMBUIWIA}EG
`
`
`
`SuJa}edapooJouoHewoju!Aieuigapnjoul
`
`
`
`-[Equajoday)JauyaUMaulLJa}eq
`
`
`
`
`
`
`
`
`
`91Ge)NdexeUesa}eolpulajqepeo|uMOG
`
`
`
`adh}ayy
`
`SOL
`
`
`
`
`
`‘apooUON}Da}OIdayIqoWWau}ajdnoy
`
`
`
`
`
`“PaAlaza/puesainijoduoNsejod
`
`
`
`
`
`
`
`
`
`SU}JEU)BJEIIPU!EOOLPueLOOLSdajs4|
`
`
`
`
`
`
`
`(Plu)fyPue‘puodassaloiiod‘}s4yOd
`
`‘B'a)yuaBeuonsajoidewo}0}UoneWOjUL
`
`
`
`2aiqepeojumog-jenuajodauyvapisuoo
`
`SOOL
`
`
`
`
`
`Ayay!|sowajqepeo|umoq-jeljuaj}od
`
`
`
`
`
`‘apooaiqeynoexesepnjoul
`
`a|qepeojumoqg-pe}sajap
`
`€16
`
`FINJAN-JN 000964
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 13 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 13 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 9 of 10
`
`US 7,647,633 B2
`
`Install mobile protection code elements
`and policies within a destination device
`
`Load the downloadble without actually
`initiating it
`
`1101
`
`1102
`
`
`
`Form an accessinterceptor for intercepting
`downloadable destination device access
`attempts within the destination device
`
`1103
`
`Initiate the Downloadable within the
`destination device
`
`1105
`
`
`Malicious
`access
`
`
`
`
`Yes
`
`;
`——
`-
`Determinepolicies in accordance with the
`access attempt
`
`
`
`Execute the policies (including causing an
`allowable response expected by the
`Donwloadable to be returned to the
`
`Downloadable)
`
`1109
`
`1111
`
`End
`
`FIG. 11
`
`FINJAN-JN 000965
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 14 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 14 of 31
`
`U.S. Patent
`
`Jan. 12, 2010
`
`Sheet 10 of 10
`
`US 7,647,633 B2
`
`1103
`
`e
`
`
`
`
`Install the Downloadable
`
`Modify the Downloadable APIto divert
`malicious access requests to the mobile
`protection code
`
`1201
`
`1203
`
`1109
`
`FIG. 12a
`
`
`
`Receive a Downloadable access request
`via the modified AP|
`
`1211
`
`Query stored policies to determine a policy
`corresponding to the Downloadable
`access request
`
`1213
`
`
`
`
`FIG. 12b
`
`FINJAN-JN 000966
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 15 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 15 of 31
`
`US 7,647,633 B2
`
`1
`MALICIOUS MOBILE CODE RUNTIME
`MONITORING SYSTEM AND METHODS
`
`PRIORITY REFERENCE TO RELATED
`APPLICATIONS
`
`This application is a continuation of and incorporates by
`reference patent application Ser. No. 09/861,229, filed May
`17, 2001 now U.S. Pat. No. 7,058,822, which claims benefit
`of reference provisional application Ser. No. 60/205,591
`entitled “Computer Network Malicious Code Runtime Moni-
`toring,” filed on May 17, 2000 byinventors Nimrod Itzhak
`Vered, et al. This application also incorporates by reference
`the provisional application Ser. No. 60/205,591. This appli-
`cation is also a Continuation-In-Part of and hereby incorpo-
`rates by reference patent application Ser. No. 09/539,667,
`now USS. Pat. No. 6,804,780, entitled “System and Method
`for Protecting a Computer and a Network from Hostile
`Downloadables”filed on Mar. 30, 2000 by inventor Shlomo
`Touboul. This application is also a Continuation-In-Part of
`and hereby incorporates by reference patent application Ser.
`No. 09/551,302, now U.S. Pat. No. 6,480,962,entitled “Sys-
`tem and Method for Protecting a Client During Runtime
`From Hostile Downloadables”, filed on Apr. 18, 2000 by
`inventor Shlomo Touboul.
`
`BACKGROUNDOF THE INVENTION
`
`1. Field of the Invention
`
`This invention relates generally to computer networks, and
`more particularly provides a system and methodsfor protect-
`ing network-connectable devices from undesirable down-
`loadable operation.
`2. Description of the Background Art
`Advances in networking technology continue to impact an
`increasing numberand diversity of users. The Internet, for
`example, already provides to expert, intermediate and even
`novice users the informational, product and service resources
`of over 100,000 interconnected networks owned by govern-
`ments, universities, nonprofit groups, companies, etc. Unfor-
`tunately, particularly the Internet and other public networks
`have also become a major source of potentially system-fatal
`or otherwise damaging computer code commonly referred to
`as “viruses.”
`
`20
`
`25
`
`40
`
`45
`
`Efforts to forestall viruses from attacking networked com-
`puters have thus far met with only limited success at best.
`Typically, a virus protection program designedto identify and
`remove or protect against the initiating of known viruses is
`installed on a network firewall or individually networked
`computer. The program is then inevitably surmounted by
`some new virus that often causes damage to one or more
`computers. The damageis then assessed and, if isolated, the
`new virus is analyzed. A corresponding new virus protection
`program (or update thereof) is then developed andinstalled to
`combatthe new virus, and the new program operates success-
`fully until yet another new virus appears—and so on. Of
`course, damagehas alreadytypically been incurred.
`To make matters worse, certain classes of viruses are not
`well recognized or understood, let alone protected against. It
`is observed by this inventor, for example, that Downloadable
`information comprising program code can include distribut-
`able components (e.g. Java™applets and JavaScriptscripts,
`ActiveX™controls, Visual Basic, add-ins and/or others). It
`can also include, for example, application programs, Trojan
`horses, multiple compressed programs such as zip or meta
`files, among others. U.S. Pat. No. 5,983,348 to Shuang, how-
`ever, teaches a protection system for protecting against only
`
`60
`
`65
`
`2
`distributable components including “Java applets or ActiveX
`controls”, and further does so using resource intensive and
`high bandwidth static Downloadable content and operational
`analysis, and modification of the Downloadable component;
`Shuang further fails to detect or protect against additional
`program code included within a tested Downloadable. U.S.
`Pat. No. 5,974,549 to Golan teachesa protection system that
`further focuses only on protecting against ActiveX controls
`and not other distributable components,
`let alone other
`Downloadable types. U.S. Pat. No. 6,167,520 to Touboul
`enables more accurate protection than Shuang or Golan, but
`lacksthegreater flexibility and efficiency taught herein, as do
`Shuang and Golan.
`Accordingly, there remains a need for efficient, accurate
`and flexible protection of computers and other network con-
`nectable devices from malicious Downloadables.
`
`SUMMARYOF THE INVENTION
`
`The present invention provides protection systems and
`methods capable ofprotecting a personal computer (“PC”) or
`other persistently or even intermittently network accessible
`devicesor processes from harmful, undesirable, suspicious or
`other “malicious” operations that might otherwise be effec-
`tuated by remotely operable code. While enabling the capa-
`bilities ofprior systems, the present invention is not nearly so
`limited, resource intensiveor inflexible, and yet enables more
`reliable protection. For example, remotely operable code that
`is protectable against can include downloadable application
`programs, Trojan horses and program code groupings, as well
`as
`software
`“components”,
`such as Java!
`applets,
`ActiveX™controls, JavaScript™/Visual Basic scripts, add-
`ins, etc., among others. Protection can also be provided in a
`distributed interactively, automatically or mixed configurable
`manner using protected client, server or other parameters,
`redirection, local/remote logging, etc., and other server/client
`based protection measures can also be separately and/or
`interoperably utilized, among other examples.
`In one aspect, embodiments of the invention provide for
`determining, within one or more network “servers”(e.g. fire-
`walls, resources, gateways, email relays or other devices/
`processes that are capable of receiving-and-transferring a
`Downloadable) whether
`received information includes
`execulable code (and is a “Downloadable”). Embodiments
`also provide for delivering static, configurable and/or exten-
`sible remotely operable protection policies to a Download-
`able-destination, more typically as a sandboxed package
`including the mobile protection code, downloadable policies
`and one or more received Downloadables. Further client-
`
`based or remote protection code/policics can also be utilized
`in a distributed manner. Embodiments also provide for caus-
`ing the mobile protection code to be executed within a Down-
`loadable-destination in a mannerthat enables various Down-
`loadable operations to be detected, intercepted or further
`responded to via protection operations. Additional server/
`information-destination device security or other protection is
`also enabled, amongstill further aspects.
`A protection engine according to an embodiment of the
`invention is operable within one or more network servers,
`firewalls or other network connectable information re-com-
`municating devices (as are referred to herein summarily one
`or more “servers” or “re-communicators”). The protection
`engine includes an information monitor for monitoring infor-
`mation received by theserver, and a code detection engine for
`determining whether the received information includes
`executable code. The protection engine also includes a pack-
`aging engine for causing a sandboxed package, typically
`
`FINJAN-JN 000967
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 16 of 31
`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 16 of 31
`
`US 7,647,633 B2
`
`3
`including mobile protection code and downloadable protec-
`tion policies to be sent to a Downloadable-destination in
`conjunction with the received information, if the received
`information is determined to be a Downloadable.
`
`A sandboxed package according to an embodimentof the
`inventionis receivable by and operable with a remote Down-
`loadable-destination. The
`sandboxed package includes
`mobile protection code (“MPC”) for causing one or more
`predetermined malicious operations or operation combina-
`tions of a Downloadable to be monitored or otherwise inter-
`cepted. The sandboxed packagealso includesprotection poli-
`cies
`(operable
`alone or
`in conjunction with further
`Downloadable-destination stored or received policies/MPCs)
`for causing one or more predetermined operations to be per-
`formed if one or more undesirable operations of the Down-
`loadable is/are intercepted. The sandboxed package can also
`include a corresponding Downloadable and can provide for
`initiating the Downloadable in a protective “sandbox”. The
`MPC’/policies can further
`include a communicator
`for
`enabling further MPC/policy information or “modules”to be
`utilized and/or for event logging or other purposes.
`A sandbox protection system according to an embodiment
`ofthe invention comprises an installer for enabling a received
`MPCto be executed within a Downloadable-destination (de-
`vice/process) and further causing a Downloadable applica-
`tion program, distributable component or other received
`downloadable code to be received and installed within the
`
`Downloadable-destination. The protection system also
`includes a diverter for monitoring one or more operation
`attempts of the Downloadable, an operation analyzer for
`determining one or more responses to the attempts, and a
`security enforcer for effectuating responses to the monitored
`operations. The protection system can further include one or
`more security policies according to which one or more pro-
`tection system elements are operable automatically (e.g. pro-
`grammatically) or in conjunction with user intervention (e.g.
`as enabled bythe security enforcer). The security policies can
`also be configurable/extensible in accordance with further
`downloadable and/or Downloadable-destination informa-
`tion.
`A method according to an embodiment of the invention
`includes receiving downloadable information, determining
`whether the downloadable information includes executable
`
`code, and causing a mobile protection code and security
`policies to be communicated to a network client in conjunc-
`tion with security policies and the downloadable information
`if the downloadable information is determined to include
`executable code. The determining can further provide mul-
`tiple tests for detecting, alone or together, whether the down-
`loadable information includes executable code.
`
`A further method according to an embodiment of the
`invention includes
`forming a
`sandboxed package that
`includes mobile protection code (“MPC”), protection poli-
`cies, and a received, detected-Downloadable, and causing the
`sandhoxed package to be communicated to and installed by a
`receiving device or process (“user device”) for responding to
`one or more malicious operation attempts by the detected-
`Downloadable from within the user device. The MPC/poli-
`cies can further include a base “module”and a “communica-
`
`tor” for enabling further up/downloading of one or more
`further “modules”or other information (e.g. events, user/user
`device information,etc.).
`Another method according to an embodimentofthe inven-
`tion includesinstalling, within a user device, received mobile
`protection code (“MPC”) and protection policies in conjunc-
`tion with the user device receiving a downloadable applica-
`tion program, component or other Downloadable(s). The
`
`4
`method also includes determining, by the MPC, a resource
`access attempt by the Downloadable, andinitiating, by the
`MPC,one or more predetermined operations corresponding
`to the attempt. (Predetermined operations can, for example,
`comprise initiating user, administrator, client, network orpro-
`tection system determinable operations, including but not
`limited to modifying the Downloadableoperation,extricating
`the Downloadable, notifying a user/another, maintaining a
`local/remote log, causing one or more MPCs/policies to be
`downloaded, etc.)
`systems and methods according to
`Advantageously,
`embodiments of the invention enable potentially damaging,
`undesirable or otherwise malicious operations by even
`unknown mobile code to be detected, prevented, modified
`and/or otherwise protected against without modifying the
`mobile code. Such protection is further enabled in a manner
`that is capable of minimizing server and client resource
`requirements, does not require pre-installation of security
`code within a Downloadable-destination, and provides for
`client specific or generic and readily updateable security mea-
`sures to be flexibly and efficiently implemented. Embodi-
`ments further provide for thwarting efforts to bypass security
`measures (e.g. by “hiding” undesirable operation causing
`information within apparently inert or otherwise “friendly”
`downloadable information) and/or dividing or combining
`security measures for even greater flexibility and/or effi-
`ciency.
`Embodiments also provide for determining protection
`policies that can be downloaded and/or ascertained from
`other security information(e.g. browser settings, administra-
`tive policies, user input, uploaded information,etc.). Differ-
`ent actions in responseto different Downloadable operations,
`clients, users and/or other criteria are also enabled, and
`embodiments provide for implementing other security mcea-
`sures, such as verifying a downloadable source,certification,
`authentication, etc. Appropriate action can also be accom-
`plished automatically (e.g. programmatically) and/or in con-
`junction with alerting one or more users/administrators, uti-
`lizing user input, etc. Embodiments further enable desirable
`Downloadable operations to remain substantially unaffected,
`amongother aspects.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG.1a is a block diagram illustrating a network systemin
`accordance with an embodimentof the present invention;
`FIG. 16 is a block diagram illustrating a network sub-
`system example in accordance with an embodiment of the
`invention;
`FIG. 1c is a block diagram illustrating a further network
`subsystem example in accordance with an embodimentofthe
`invention;
`FIG.2 is a block diagramillustrating a computer systemin
`accordance with an embodimentofthe invention;
`FIG.3 is a flow diagram broadly illustrating a protection
`system host according to an embodimentofthe invention;
`FIG.4 is a block diagram illustrating a protection engine
`according to an embodimentofthe invention;
`FIG. 5 is a block diagram illustrating a content inspection
`engine according to an embodimentofthe invention;
`FIG.6a is a block diagram illustrating protection engine
`parameters according to an embodimentofthe invention;
`FIG.66 is a flow diagram illustrating a linking engine use
`in conjunction with ordinary, compressed and distributable
`sandbox package utilization, according to an embodiment of
`the invention;
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`FINJAN-JN 000968
`
`

`

`Case 3:17-cv-05659-WHA Document 111-3 Filed 06/15/18 Page 17 of 31
`Case 3:17-cv-05659-WHA Document 1