`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 1 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`REDACTED VERSION OF DOCUMENT SOUGHTTO BE SEALED
`
`(cid:40)(cid:91)(cid:75)(cid:76)(cid:69)(cid:76)(cid:87)(cid:3)(cid:23)(cid:3)
`Exhibit 4
`(cid:11)(cid:53)(cid:72)(cid:71)(cid:68)(cid:70)(cid:87)(cid:72)(cid:71)(cid:12)(cid:3)
`(Redacted)
`
`(cid:3)
`
`(cid:3) (cid:3) (cid:3) (cid:3) (cid:3) (cid:3) (cid:3) (cid:3) (cid:3) (cid:3)
`
`(cid:3)
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 2 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 1
`
`·1· · · · · · ·THE UNITED STATES DISTRICT COURT
`
`·1· ·A P P E A R A N C E S
`
`
`June 21, 2018June 21, 2018
`
`1–41–4
`Page 3
`
`·2· · · · · · ·NORTHERN DISTRICT OF CALIFORNIA
`
`·2
`
`·3· · · · · · · · ·SAN FRANCISCO DIVISION
`
`·3· ·ON BEHALF OF PLAINTIFF AND THE WITNESS:
`
`·4· ·---------------------------X
`
`·4· · · · KRISTOPHER KASTENS, ESQ.
`
`·5· ·FINJAN, INC., a Delaware
`
`·5· · · · Kramer Levin Naftalis & Frankel LLP
`
`·6· ·Corporation,
`
`·7· · · · · · · Plaintiff,
`
`·6· · · · 990 Marsh Road
`
`·7· · · · Menlo Park, CA 94025
`
`·8· ·V.· · · · · · · · · · · · Case No. 3:17-cv-05659-WHA
`
`·8· · · · kkastens@kramerlevin.com
`
`·9· ·JUNIPER NETWORKS, INC., a
`
`·9· · · · 650.752.1715
`
`10· ·Delaware Corporation,
`
`11· · · · · · · Defendant.
`
`10
`
`11· ·ON BEHALF OF DEFENDANT:
`
`12· ·---------------------------X
`
`12· · · · REBECCA CARSON, ESQ.
`
`13· · · · · · · · Videotaped Deposition of
`
`13· · · · Irell & Manella LLP
`
`14· · · · · · · · · · ·DR. ERIC B. COLE
`
`14· · · · 840 Newport Center Drive, Suite 400
`
`15
`
`15· · · · Newport Beach, CA 92660-6324
`
`16· · · · · · · · ·Herndon, Virginia 20171
`
`16· · · · rcarson@irell.com
`
`17· · · · · · · · ·Thursday, June 21, 2018
`
`17· · · · 949.760.0991
`
`18· · · · · · · · · · · · 8:00 a.m.
`
`18
`
`19
`
`20
`
`21· ·Denise Dobner Vickery, RMR, CRR
`
`22· ·JOB NO. J2328299
`
`·1
`
`·2
`
`·3
`
`·4
`
`·5
`
`·6
`
`19· ·Also Present:
`
`20· · · · DANIEL HOLMSTOCK, Videographer
`
`21
`
`22
`
`
`
`June 21, 2018June 21, 2018
`
`·1· · · · · · · · · · ·C O N T E N T S
`
`·2
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`
`Page 2
`
`Page 4
`
`·3· ·EXAMINATION OF DR. ERIC B. COLE· · · · · · · · ·PAGE
`
`·4· ·BY MS. CARSON· · · · · · · · · · · · · · · · ·6, 271
`
`·5· ·AFTERNOON SESSION· · · · · · · · · · · · · · · · 187
`
`·6· ·BY MR. KASTENS· · · · · · · · · · · · · · · · · ·269
`
`·7· · · · · · · · · · · · · · · ·Thursday, June 21, 2018
`
`·7
`
`·8· · · · · · · · · · · · · · · ·8:00 a.m.
`
`·8· · · · · · · · · · ·E X H I B I T S
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comEsquireSolutions.com
`
`·9
`
`·9· · · · · · · · ·(Attached to Transcript)
`
`10· · · · Videotaped deposition of DR. ERIC B. COLE, held
`
`10· ·DEPOSITION EXHIBITS· · · · · · · · · · · · · · ·PAGE
`
`11· ·at the conference rooms of:
`
`11· ·Exhibit 1033· Declaration of Dr. Eric Cole in· · ·18
`
`12
`
`12· · · · Support of Plaintiff Finjan, Inc.'s Notice of
`
`13· · · · · · ·THE WESTIN WASHINGTON DULLES AIRPORT
`
`13· · · · Motion and Motion for Summary Judgment of
`
`14· · · · · · ·2520 Wasser Terrace
`
`14· · · · Infringement of Claim 10 of U.S. Patent No.
`
`15· · · · · · ·Herndon, VA 20171
`
`15· · · · 8,677,494
`
`16
`
`17
`
`16· ·Exhibit 1034· Sky ATP Analysis Pipeline· · · · · 151
`
`17· · · · JNPR-FNJN_29017_00552908
`
`18· · · · Pursuant to notice, before Denise Dobner
`
`18· ·Exhibit 1035· Exhibit 16:· Sky Advanced Threat· ·151
`
`19· ·Vickery, Certified Realtime Reporter, Registered
`
`19· · · · Prevention Architecture FINJAN-JN 044838
`
`20· ·Merit Reporter, and Notary Public in and for the
`
`20· ·Exhibit 1036· Exhibit 11:· Sky Advanced Threat· ·152
`
`21· ·Commonwealth of Virginia.
`
`21· · · · Prevention Guide FINJAN-JN 044759
`
`22
`
`22
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comYVer1fEsquireSolutions.comYVer1f
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 3 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 53
`·1· ·analysis where you're looking at the executable
`·2· ·program, that's not always a component.· So since
`·3· ·both of those would be under the area of scanning,
`·4· ·parsing is a component, but not necessarily a
`·5· ·requirement of the claim language because it's not
`·6· ·specifically listed in Claim 10.
`·7· ·BY MS. CARSON:
`·8· · · · · Q.· ·So it's your understanding under the
`·9· ·plain meaning of Claim 10 that a dynamic analyzer is
`10· ·also a scanner?
`11· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`12· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`13· · · · · · · · · · ·Yes, dynamic analysis scanner is a
`14· ·type of scanner.
`15· ·BY MS. CARSON:
`16· · · · · Q.· ·Does the scanner in Claim 10 require
`17· ·decompiling the code?
`18· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`19· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`20· · · · · · · · · · ·In Claim 10, I do not see the word
`21· ·"decompiling" or seeing that as a restrictive
`22· ·element of the claim language.
`
`
`June 21, 2018June 21, 2018
`
`53–5653–56
`Page 55
`
`·1· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·2· · · · · · · · · · ·THE WITNESS:· ·Once again, those
`·3· ·terms can have generic specific meaning.· So if
`·4· ·there's a specific reference, I would adjust, but --
`·5· ·but in general, decompiling is when you're going in
`·6· ·and reversing the code back to the original
`·7· ·language.· And decomposing is just breaking down the
`·8· ·current code at the components or pieces.
`·9· · · · · · · · · · ·But once again, these terms have a
`10· ·lot of meaning.· So depending on any specific
`11· ·context, the terms could be adjusted.
`12· ·BY MS. CARSON:
`13· · · · · Q.· ·When you were applying Claim 10 to
`14· ·Juniper's products, did you assume that the scanner
`15· ·required any decomposing of the code?
`16· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`17· · · · · · · · · · ·THE WITNESS:· ·When I applied
`18· ·Claim 10 or any claim in any case to a product, I'm
`19· ·looking at the specific claim language.· So I'm
`20· ·going through and looking at the exact claim
`21· ·language.
`22· · · · · · · · · · ·And once again, there is no
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`
`Page 54
`
`·1· ·BY MS. CARSON:
`·2· · · · · Q.· ·So when you were applying Claim 10 to
`·3· ·Juniper's product, it was not your understanding
`·4· ·that the term "scanner" required any decompiling of
`·5· ·the code; correct?
`·6· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·7· · · · · · · · · · ·THE WITNESS:· ·That could be a
`·8· ·component of scanning, but that wasn't a limiting
`·9· ·element in the claim language.
`10· ·BY MS. CARSON:
`11· · · · · Q.· ·What's the difference between
`12· ·decomposing and decompiling?
`13· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`14· ·Outside the scope.
`15· · · · · · · · · · ·THE WITNESS:· ·Are you asking
`16· ·generically, or is there a specific portion of my
`17· ·report you're referring to?
`18· ·BY MS. CARSON:
`19· · · · · Q.· ·I'm just asking generically as one of
`20· ·skill in the art whether you have an understanding
`21· ·of the difference between decomposing and
`22· ·decompiling in the context of this technology.
`
`
`
`June 21, 2018June 21, 2018
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comEsquireSolutions.com
`
`Page 56
`·1· ·decompiling or decomposing in Claim 10.· So that was
`·2· ·not a specific term I was looking at for
`·3· ·infringement.· I was looking at the exact language
`·4· ·of the claim.
`·5· ·BY MS. CARSON:
`·6· · · · · Q.· ·And the term "scanner" as one of skill
`·7· ·in the art doesn't necessitate any decomposing,
`·8· ·decompiling, or parsing; is that fair?
`·9· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`10· · · · · · · · · · ·THE WITNESS:· ·It could absolutely
`11· ·be a key component of it, but it's not a restrictive
`12· ·element of the claim language.
`13· ·BY MS. CARSON:
`14· · · · · Q.· ·You mentioned that there's different
`15· ·types of scanners.
`16· · · · · · · ·Do you remember that?
`17· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`18· · · · · · · · · · ·THE WITNESS:· ·Not specifically,
`19· ·but there are different types of scanners.· So I
`20· ·won't -- I won't debate that -- that comment.
`21· ·BY MS. CARSON:
`22· · · · · Q.· ·Could you provide me some examples of
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comYVer1fEsquireSolutions.comYVer1f
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 4 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 57
`·1· ·different types of scanners that you're aware of?
`·2· · · · · A.· ·(Reviews document).
`·3· · · · · · · ·So two -- two general types are static
`·4· ·analysis scanner and dynamic analysis scanning.
`·5· · · · · Q.· ·Can you think of any others?
`·6· · · · · A.· ·(Pause).· And there's also like
`·7· ·antivirus scanning, signature scanning.· There's a
`·8· ·lot of different types of scanning.
`·9· · · · · Q.· ·Okay.· So recognizing that this might
`10· ·not be an exhaustive list, the examples we've talked
`11· ·about today are static, dynamic, antivirus, and
`12· ·signature scanning.
`13· · · · · · · ·Is the '494 patent -- strike that.
`14· · · · · · · ·Is Claim 10 of the '494 patent limited
`15· ·to any particular type of scanning within those
`16· ·examples that we just discussed?
`17· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`18· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`19· · · · · · · · · · ·Once again, I always go back to
`20· ·the claim language.· So if you look at 10(b), "a
`21· ·Downloadable scanner coupled with said receiver, for
`22· ·deriving security profile data for the
`
`
`June 21, 2018June 21, 2018
`
`57–6057–60
`Page 59
`·1· ·10(b), "a Downloadable scanner."· So I don't see any
`·2· ·restrictions in the claim language on a specific
`·3· ·type or other limiting details on the type of
`·4· ·scanner.
`·5· ·BY MS. CARSON:
`·6· · · · · Q.· ·Now, static scanners, did they exist
`·7· ·prior to the '494 patent?
`·8· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·9· · · · · · · · · · ·THE WITNESS:· ·Once again, I'd
`10· ·have to go back and do research on specific dates.
`11· ·BY MS. CARSON:
`12· · · · · Q.· ·Do you know if dynamic scanners existed
`13· ·prior to the '494 patent?
`14· · · · · A.· ·Once again, I'd have to go back and --
`15· ·and do some research and check the dates.
`16· · · · · Q.· ·Do you know if antivirus scanners
`17· ·existed prior to the '494 patent?
`18· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`19· · · · · · · · · · ·THE WITNESS:· ·Once again, I'd
`20· ·have to go back and -- and research to give you
`21· ·specific -- specific dates and information.
`22· ·BY MS. CARSON:
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`
`Page 58
`
`·1· ·Downloadable."
`·2· · · · · · · · · · ·There's no restrictions or
`·3· ·specific caveats on the words in the claim.
`·4· ·BY MS. CARSON:
`·5· · · · · Q.· ·So just by way of example, if you had a
`·6· ·signature scanner, so long as it met all of the
`·7· ·other requirements of the claim, it could satisfy
`·8· ·the scanner element; is that fair?
`·9· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`10· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`11· · · · · · · · · · ·Once again, I'm not an attorney,
`12· ·but my understanding is, if a product meets all the
`13· ·elements of the claim language, then it infringes
`14· ·that claim element.· So -- so, yes, if there was a
`15· ·product that met every single element of Claim 10,
`16· ·then it would infringe.
`17· ·BY MS. CARSON:
`18· · · · · Q.· ·And that's without regard to what
`19· ·particular type of scanner it is?
`20· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`21· · · · · · · · · · ·THE WITNESS:· ·Once again, it's
`22· ·always driven by the claim language.· So looking at
`
`Page 60
`
`
`
`June 21, 2018June 21, 2018
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comEsquireSolutions.com
`
`·1· · · · · Q.· ·What about signature scanners?· Did
`·2· ·they exist before the '494 patent?
`·3· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·4· · · · · · · · · · ·THE WITNESS:· ·Once again, the
`·5· ·same answer.· If you're giving questions on specific
`·6· ·dates when specific things occurred, I would have to
`·7· ·go back and check and verify.
`·8· ·BY MS. CARSON:
`·9· · · · · Q.· ·When did you get out of school?
`10· · · · · A.· ·The reason I'm laughing, I always
`11· ·believe in improving education.· So if you ask for a
`12· ·specific degree, but I still go back to school. I
`13· ·still take classes.· So I don't believe you should
`14· ·ever get out of school, so...· (laugh).
`15· · · · · Q.· ·What -- what kind of degree do you
`16· ·have?
`17· · · · · A.· ·I have a bachelor's and master's in
`18· ·computer science and a doctorate in computer science
`19· ·with an emphasis in cybersecurity.
`20· · · · · Q.· ·Okay.· When did you receive your
`21· ·doctorate?
`22· · · · · A.· ·I would have to check my CV.· I think
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comYVer1fEsquireSolutions.comYVer1f
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 5 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 65
`·1· ·Finjan invention, they did invent the whole element
`·2· ·of receiving an incoming Downloadable, a scanner
`·3· ·coupled with deriving a security profile with
`·4· ·suspicious operations, and storing in the database
`·5· ·manager.
`·6· ·BY MS. CARSON:
`·7· · · · · Q.· ·Is Claim 10 limited to something
`·8· ·occurring on a network gateway as opposed to an end
`·9· ·user computer?
`10· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`11· · · · · · · · · · ·THE WITNESS:· ·Sorry.· I missed
`12· ·the one word.
`13· ·BY MS. CARSON:
`14· · · · · Q.· ·Is Claim 10 limited to something
`15· ·occurring on a network gateway as opposed to an end
`16· ·user computer?
`17· · · · · A.· ·(Reviews document).
`18· · · · · · · ·It absolutely includes a gateway
`19· ·computer, but is not limited to just a gateway
`20· ·computer.
`21· · · · · Q.· ·So could it be implemented on an end
`22· ·user's computer?
`
`
`June 21, 2018June 21, 2018
`
`65–6865–68
`Page 67
`
`·1· ·(Laugh).
`·2· · · · · A.· ·Okay.
`·3· · · · · Q.· ·Claim 10 doesn't require any specific
`·4· ·type of hardware.· The scanning code could be
`·5· ·implemented on -- on any type of computer?
`·6· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·7· · · · · · · · · · ·THE WITNESS:· ·All right.· So the
`·8· ·claim is a system for managing a Downloadable.· So
`·9· ·there needs to be a system for doing that, but
`10· ·there's nothing in the claim language that restricts
`11· ·or specifies certain types of hardware that it can
`12· ·only run on.
`13· ·BY MS. CARSON:
`14· · · · · Q.· ·You mentioned earlier that a dynamic
`15· ·analysis engine is one example of a scanner;
`16· ·correct?
`17· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`18· · · · · · · · · · ·THE WITNESS:· ·That is one
`19· ·example.
`20· ·BY MS. CARSON:
`21· · · · · Q.· ·Are all dynamic analysis engines
`22· ·scanners?
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`
`Page 66
`·1· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·2· · · · · · · · · · ·THE WITNESS:· ·There is nothing in
`·3· ·the claim language that limits it from being only on
`·4· ·a gateway.· So it could also be on an end user
`·5· ·computer.
`·6· ·BY MS. CARSON:
`·7· · · · · Q.· ·When you first -- when I first asked
`·8· ·you for your understanding of what a scanner is, you
`·9· ·said something along the lines of a piece of code
`10· ·that scans or looks for certain things.
`11· · · · · · · ·Is -- does the term "scanner" limit the
`12· ·hardware in any way?
`13· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`14· · · · · · · · · · ·THE WITNESS:· ·Once again, in the
`15· ·claim language, there's nothing that specifies
`16· ·hardware or software.
`17· ·BY MS. CARSON:
`18· · · · · Q.· ·So Claim 10 doesn't even require, at
`19· ·least for the term "scanner," any type of hardware?
`20· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`21· ·BY MS. CARSON:
`22· · · · · Q.· ·Strike that.· That was a bad question.
`
`
`
`June 21, 2018June 21, 2018
`
`Page 68
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comEsquireSolutions.com
`
`·1· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·2· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`·3· · · · · · · · · · ·Can you potentially rephrase that?
`·4· ·I'm having trouble understanding the question.
`·5· ·BY MS. CARSON:
`·6· · · · · Q.· ·I'm just trying to figure out if any
`·7· ·dynamic analysis engine would be a scanner or
`·8· ·whether there could be a dynamic analysis engine
`·9· ·that would not qualify as a scanner.
`10· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`11· · · · · · · · · · ·THE WITNESS:· ·I guess I'm
`12· ·struggling with the -- the word "engine."· So -- so
`13· ·if you have an engine or component that does dynamic
`14· ·analysis of code, i.e. scanning the code, then that
`15· ·would be a dynamic analysis scanner.
`16· ·BY MS. CARSON:
`17· · · · · Q.· ·So let me rephrase.
`18· · · · · · · ·Would any code that does dynamic
`19· ·analysis be considered a scanner?
`20· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`21· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`22· · · · · · · · · · ·In specific light of Claim 10, if
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comYVer1fEsquireSolutions.comYVer1f
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 6 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 69
`·1· ·there was a piece of code that was doing dynamic
`·2· ·analysis and it was going in and deriving a security
`·3· ·profile for that, then that would absolutely fit the
`·4· ·criteria for Claim 10.
`·5· ·BY MS. CARSON:
`·6· · · · · Q.· ·Does dynamic analysis disassemble the
`·7· ·code?
`·8· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·9· · · · · · · · · · ·THE WITNESS:· ·There's a lot of
`10· ·different types of dynamic analysis.· So one method
`11· ·could potentially.· Typically it's associated with
`12· ·sandboxing where you're actually running the
`13· ·executable and looking at and observing the
`14· ·behavioral patterns.
`15· ·BY MS. CARSON:
`16· · · · · Q.· ·And when you do sandboxing, do you
`17· ·disassemble the code?
`18· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`19· · · · · · · · · · ·THE WITNESS:· ·It would depend on
`20· ·the type of sandboxing what's specifically done.· It
`21· ·could potentially.· Typically it would just run the
`22· ·executable, but it's not limited to just doing that.
`
`
`June 21, 2018June 21, 2018
`
`69–7269–72
`Page 71
`·1· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`·2· · · · · · · · · · ·Not offhand.
`·3· ·BY MS. CARSON:
`·4· · · · · Q.· ·Are you aware of any specific products
`·5· ·that do dynamic analysis that decompose the code?
`·6· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·7· · · · · · · · · · ·THE WITNESS:· ·Once again, I work
`·8· ·on a lot of products.· So nothing -- not -- not
`·9· ·offhand.· I'd have to go back and -- and check and
`10· ·look at the list.
`11· ·BY MS. CARSON:
`12· · · · · Q.· ·Are you aware of any specific products
`13· ·that do dynamic analysis that decompile the code?
`14· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`15· · · · · · · · · · ·THE WITNESS:· ·Once again, not
`16· ·offhand.· I would have to go back and check.
`17· ·BY MS. CARSON:
`18· · · · · Q.· ·In performing your infringement
`19· ·analysis, what was your understanding of the meaning
`20· ·of "list of suspicious operations"?
`21· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`22· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`
`Page 70
`
`·1· ·BY MS. CARSON:
`·2· · · · · Q.· ·Does dynamic analysis typically use
`·3· ·parsing techniques?
`·4· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·5· · · · · · · · · · ·THE WITNESS:· ·Typically parsing
`·6· ·is associated more with static analysis.· Once
`·7· ·again, I'd have to look at specific examples.· It
`·8· ·could potentially parse also with dynamic, but
`·9· ·usually when you're talking about parsing, you more
`10· ·often see that on the static analysis side.
`11· ·BY MS. CARSON:
`12· · · · · Q.· ·Does dynamic analysis typically
`13· ·decompose the code?
`14· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`15· · · · · · · · · · ·THE WITNESS:· ·Once again, it
`16· ·could.· It's not limited to that.· There's many
`17· ·different ways of doing dynamic analysis.
`18· ·BY MS. CARSON:
`19· · · · · Q.· ·Are you aware of any specific products
`20· ·that do dynamic analysis that use parsing
`21· ·techniques?
`22· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`
`
`
`June 21, 2018June 21, 2018
`
`Page 72
`·1· · · · · · · · · · ·Those are operations that could be
`·2· ·suspicious of potentially causing harm on the
`·3· ·system.
`·4· ·BY MS. CARSON:
`·5· · · · · Q.· ·When you were performing your
`·6· ·infringement analysis, did you assume that the list
`·7· ·had to include all operations that could ever be
`·8· ·deemed potentially hostile?
`·9· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`10· · · · · · · · · · ·THE WITNESS:· ·Sorry.· Could you
`11· ·repeat the question again?
`12· ·BY MS. CARSON:
`13· · · · · Q.· ·When you were performing your
`14· ·infringement analysis, did you assume that the list
`15· ·had to include all operations that could ever be
`16· ·deemed potentially hostile?
`17· · · · · A.· ·In doing my analysis, I'm always
`18· ·focused on the claim language.· So the claim
`19· ·language essentially says a security profile that
`20· ·includes a list of suspicious computer operations.
`21· · · · · · · ·Your question I think was covering all
`22· ·comprehensive, and that is not language in the -- in
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comEsquireSolutions.com
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comYVer1fEsquireSolutions.comYVer1f
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 7 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 73
`
`
`June 21, 2018June 21, 2018
`
`73–7673–76
`Page 75
`·1· ·either restate or rephrase?· I guess I'm not sure
`·2· ·what you're asking.
`·3· ·BY MS. CARSON:
`·4· · · · · Q.· ·Would you agree that there is no
`·5· ·settled understanding as to what constitutes a
`·6· ·suspicious computer operation?
`·7· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·8· · · · · · · · · · ·THE WITNESS:· ·In some of the
`·9· ·suspicious operations listed here, reading and
`10· ·writing files, sending data, I think POSITA would
`11· ·definitely see those as suspicious.
`12· · · · · · · · · · ·There could be degrees of
`13· ·suspicious and maybe a comprehensive list of every
`14· ·suspicious operation might not be available, but I
`15· ·believe that if you ask a computer security
`16· ·professional or someone skilled in the art whether
`17· ·these activities could be suspicious, I believe they
`18· ·would all agree.
`19· ·BY MS. CARSON:
`20· · · · · Q.· ·So it's your understanding that all
`21· ·computer security professionals would agree that
`22· ·reading a file is suspicious?
`
`·1· ·the claim.· So I'm looking solely at the claim
`·2· ·language and making sure it meets all elements of
`·3· ·that claim language.
`·4· · · · · Q.· ·You looked at the claim language in
`·5· ·light of the prosecution history; correct?
`·6· · · · · A.· ·Correct.
`·7· · · · · Q.· ·And so your understanding in view of
`·8· ·the claim language and the prosecution history is
`·9· ·that there's no requirement that the list includes
`10· ·all operations that could ever be deemed potentially
`11· ·hostile --
`12· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`13· ·BY MS. CARSON:
`14· · · · · Q.· ·-- correct?
`15· · · · · A.· ·My understanding is it does not have to
`16· ·be a complete comprehensive list of every possible
`17· ·operation that could ever be deemed suspicious.
`18· · · · · Q.· ·Now, in paragraph 16, you -- of your
`19· ·declaration, you list some examples of suspicious
`20· ·operations.
`21· · · · · · · ·Can you think of any others that are
`22· ·not included there?
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`
`Page 74
`·1· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·2· · · · · · · · · · ·THE WITNESS:· ·(Reviews document).
`·3· · · · · · · · · · ·Some other suspicious operations
`·4· ·could be modifying a file, executing a file,
`·5· ·modifying other files on the system.
`·6· ·BY MS. CARSON:
`·7· · · · · Q.· ·What makes a computer operation
`·8· ·suspicious?
`·9· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`10· · · · · · · · · · ·THE WITNESS:· ·What makes it
`11· ·suspicious is that it has the potential or could be
`12· ·tied to potentially malicious activity.
`13· ·BY MS. CARSON:
`14· · · · · Q.· ·What does it mean for a computer
`15· ·operation to be "potentially malicious"?
`16· · · · · A.· ·That means it could potentially cause
`17· ·harm or cause damage.
`18· · · · · Q.· ·Would you agree that there is no a
`19· ·priori understanding of what constitutes a
`20· ·suspicious computer operation?
`21· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`22· · · · · · · · · · ·THE WITNESS:· ·Sorry.· Can you
`
`Page 76
`
`
`
`June 21, 2018June 21, 2018
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comEsquireSolutions.com
`
`·1· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·2· · · · · · · · · · ·THE WITNESS:· ·If they do -- if
`·3· ·they are a true POSITA that understands how a
`·4· ·malicious code works and operates, that component is
`·5· ·suspicious.· Now, they might debate the level of
`·6· ·suspicious, but having the ability to read and write
`·7· ·could have -- could be suspicious, depending on what
`·8· ·other components and what other functions are around
`·9· ·it.
`10· ·BY MS. CARSON:
`11· · · · · Q.· ·But just on its own, reading a file,
`12· ·security professionals could disagree about whether
`13· ·just reading a file on its own is suspicious or not;
`14· ·is that true?
`15· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`16· · · · · · · · · · ·THE WITNESS:· ·I've worked in this
`17· ·field for 30 years and found that security
`18· ·professionals can disagree on just about anything.
`19· ·So I would not conclusively say that -- that you
`20· ·couldn't find somebody out there that would disagree
`21· ·on a given topic or subject.
`22· ·BY MS. CARSON:
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comYVer1fEsquireSolutions.comYVer1f
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 8 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 77
`
`·1· · · · · Q.· ·Including whether reading files is
`·2· ·suspicious?
`·3· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·4· · · · · · · · · · ·THE WITNESS:· ·Once again, in my
`·5· ·expert opinion in 30 years of working in malicious
`·6· ·code, that is clearly a suspicious operation, but
`·7· ·I'm not going to debate whether you could find
`·8· ·somebody out there that maybe looks at things
`·9· ·differently or less experience that could
`10· ·potentially disagree.
`11· ·BY MS. CARSON:
`12· · · · · Q.· ·How about sending data or just sending
`13· ·in general?· Is sending always suspicious?
`14· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`15· · · · · · · · · · ·THE WITNESS:· ·Once again, if
`16· ·you're looking at it at the light of how adversaries
`17· ·work, how malicious code operates and functions on
`18· ·the system, then those are absolutely suspicious
`19· ·because those are methods that have been used by
`20· ·adversaries and malicious activity to cause harm and
`21· ·cause damage.
`22· ·BY MS. CARSON:
`
`
`June 21, 2018June 21, 2018
`
`77–8077–80
`Page 79
`
`·1· · · · · Q.· ·You said at least as of now, you're
`·2· ·aware of different lists out there; is that right?
`·3· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·4· ·BY MS. CARSON:
`·5· · · · · Q.· ·Of potentially suspicious operations?
`·6· · · · · A.· ·Yes, there's various lists and a lot of
`·7· ·analysis that has been done.
`·8· · · · · Q.· ·Do the various lists that are out there
`·9· ·all have the same identical operations on them?
`10· · · · · A.· ·There are different lists.· So -- so
`11· ·they would have different things listed on them.
`12· · · · · Q.· ·Do you have any specific lists in mind
`13· ·when you use that as an example?
`14· · · · · A.· ·Based on the cases I've worked on and
`15· ·my experience, I do have lists I've generated that
`16· ·do have the items referenced in the examples I gave
`17· ·listed as suspicious operations.
`18· · · · · Q.· ·Are you aware of any lists other than
`19· ·the ones that you generated?
`20· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`21· · · · · · · · · · ·THE WITNESS:· ·I do a lot of
`22· ·research.· Not specifically, but I know in going
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`
`Page 78
`
`·1· · · · · Q.· ·Is there an industry list or an
`·2· ·industry standard of suspicious computer operations?
`·3· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·4· · · · · · · · · · ·THE WITNESS:· ·I do not believe
`·5· ·there is one set comprehensive list, but there are
`·6· ·different lists out there of in working on different
`·7· ·cases that different security professionals have
`·8· ·deemed suspicious.
`·9· · · · · · · · · · ·There's also various lists known
`10· ·as IOCs, or indicators of compromise, that would
`11· ·also be suspicious activity.· And once again, things
`12· ·like reading and writing and sending data over
`13· ·networks are often appearing on those lists.
`14· ·BY MS. CARSON:
`15· · · · · Q.· ·Do you know if at the time of the '494
`16· ·invention whether there was any industry standard
`17· ·list of suspicious computer operations?
`18· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`19· · · · · · · · · · ·THE WITNESS:· ·Once again, with
`20· ·anything with dates or things like that, I would
`21· ·have to go back and check.
`22· ·BY MS. CARSON:
`
`
`
`June 21, 2018June 21, 2018
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comEsquireSolutions.com
`
`Page 80
`·1· ·through -- and I'm always validating my research and
`·2· ·my teaching and my slides -- that those are on many
`·3· ·of the lists.
`·4· ·BY MS. CARSON:
`·5· · · · · Q.· ·If we took the lists that you have
`·6· ·generated in the past and compared them, would there
`·7· ·be differences between the lists?
`·8· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·9· · · · · · · · · · ·THE WITNESS:· ·I haven't
`10· ·specifically done that, but it wouldn't surprise me
`11· ·if there were some difference.· There's always
`12· ·different ways of looking at problems.· There would
`13· ·be definite commonalities.· Might be a few
`14· ·differences.
`15· ·BY MS. CARSON:
`16· · · · · Q.· ·Are you aware of any generally accepted
`17· ·list of suspicious computer operations that's used
`18· ·by security professionals?
`19· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`20· · · · · · · · · · ·THE WITNESS:· ·Once again, there's
`21· ·a lot of professionals that put out the information,
`22· ·but from my understanding, there's not an industry
`
`
`800.211.DEPO (3376)800.211.DEPO (3376)
`
`EsquireSolutions.comYVer1fEsquireSolutions.comYVer1f
`
`
`
`Case 3:17-cv-05659-WHA Document 126-8 Filed 06/28/18 Page 9 of 19
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`DR. ERIC B. COLEDR. ERIC B. COLE
`
`FINJAN, INC. V JUNIPER NETWORKS, INCFINJAN, INC. V JUNIPER NETWORKS, INC
`Page 81
`
`·1· ·standard.
`·2· ·BY MS. CARSON:
`·3· · · · · Q.· ·Would you agree that an operation like
`·4· ·read a file could be suspicious in some context and
`·5· ·not suspicious in other context?
`·6· · · · · · · · · · ·MR. KASTENS:· Objection.· Form.
`·7· · · · · · · · · · ·THE WITNESS:· ·I would probably
`·8· ·state it a little differently.· That reading or
`·9· ·writing a file would be suspicious, but there would
`10· ·be some