Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 1 of 13

EXHIBIT 7

Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 2 of 13

(12) United States Patent
Touboul

(10) Patent No.: US 7,418,731 B2
(45) Date of Patent: Aug. 26, 2008

(54) METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

(75) Inventor: Shlomo Touboul, Kefar-Haim (IL)

(73) Assignee: Finjan Software, Ltd., Netanya (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 537 days.

(21) Appl. No.: 10/838,889

(22) Filed: May 3, 2004

(65) Prior Publication Data
US 2005/0005107 A1, Jan. 6, 2005

Related U.S. Application Data
(63) Continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

(51) Int. Cl.
G06F 21/00 (2006.01)
G06F 15/16 (2006.01)
(52) U.S. Cl. ........ 726/22
(58) Field of Classification Search ........ None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,077,677 A   12/1991   Murphy et al.
5,359,659 A   10/1994   Rosenthal
5,361,359 A   11/1994   Tajalli et al.
5,485,409 A   1/1996    Gupta et al.
5,485,575 A   1/1996    Chess et al.
5,572,643 A   11/1996   Judson
5,579,509 A   11/1996   Furtney et al.
5,606,668 A   2/1997    Shwed
5,623,600 A   4/1997    Ji et al.
5,638,446 A   6/1997    Rubin
5,692,047 A   11/1997   McManis
5,692,124 A   11/1997   Holden et al.
5,720,033 A   2/1998    Deo
5,724,425 A   3/1998    Chang et al.
5,740,248 A   4/1998    Fieres et al.
5,761,421 A   6/1998    van Hoff et al.
5,765,205 A   6/1998    Breslau et al.
(Continued)

FOREIGN PATENT DOCUMENTS
EP   1091276 A1   4/2001
(Continued)

OTHER PUBLICATIONS
U.S. Appl. No. 10/838,889, filed Oct. 26, 1999, Golan, G.
(Continued)

Primary Examiner—Christopher A Revak
(74) Attorney, Agent, or Firm—Perkins Coie LLP

(57) ABSTRACT

A computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for client computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers. A method and a computer-readable storage medium are also described and claimed.

22 Claims, 3 Drawing Sheets

[Front-page drawing (FIG. 1): gateway computer 110 with a security profile cache holding the security profile for web page P (keyed ID-P) and security policies for user groups 1, 2 and 3 (keyed ID-1, ID-2, ID-3), and a web cache mapping URIs and IDs to web page P and web objects O1 to O4. The remaining drawing labels are not legible in this scan.]


Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 3 of 13

US 7,418,731 B2
Page 2

U.S. PATENT DOCUMENTS
5,784,459 A    7/1998    Devarakonda et al.
5,796,952 A    8/1998    Davis et al.
5,805,829 A    9/1998    Cohen et al.
5,832,208 A    11/1998   Chen et al.
5,832,274 A    11/1998   Cutler et al.
5,850,559 A    12/1998   Angelo et al.
5,859,966 A    1/1999    Hayman et al.
5,864,683 A    1/1999    Boebert et al.
5,892,904 A    4/1999    Atkinson et al.
5,951,698 A    9/1999    Chen et al.
5,956,481 A    9/1999    Walsh et al.
5,974,549 A    10/1999   Golan
5,978,484 A    11/1999   Apperson et al.
5,983,348 A    11/1999   Ji
6,092,194 A    7/2000    Touboul
6,154,844 A    11/2000   Touboul
6,167,520 A    12/2000   Touboul
6,339,829 B1   1/2002    Beadle et al.
6,480,962 B1   11/2002   Touboul
6,804,780 B1   10/2004   Touboul
6,917,953 B2*  7/2005    Simon et al. ........ 707/204

FOREIGN PATENT DOCUMENTS
EP   1132796 A1   9/2001

OTHER PUBLICATIONS
http://www.codeguru.com/Cpp/Cpp/cpp_mfc/parsing/article.php/c4093/.
http://www.cs.may.ie/~jpower/Courses/compilers/notes/lexical.pdf.
http://www.mail-archive.com/kragen-tol@canonical.org/msg00097.html.
http://www.owlnet.rice.edu/~comp412/Lectures/L06LexWrapup4.pdf.
http://www.cs.odu.edu/~toida/nerzic/390teched/regular/fa/min-fa.html.
http://rw4.cs.uni-sb.de/~ganimal/GANIFA/page16_e.htm.
http://www.cs.msstate.edu/~hansen/classes/3813fall01/slides/06Minimize.pdf.
http://www.win.tue.nl/~watson/2R870/downloads/madfa_algs.pdf.
http://www.cs.nyu.edu/web/Research/Theses/chang__chia-hsiang.pdf.
"Products" Article published on the Internet, "Revolutionary Security for A New Computing Paradigm" regarding SurfinGate™, 7 pages.
"Release Notes for the Microsoft ActiveX Development Kit", Aug. 13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
Doyle et al., "Microsoft Press Computer Dictionary" 1993, Microsoft Press, 2nd Edition, pp. 137-138.
Finjan Software Ltd., "Powerful PC Security for the New World of Java™ and Downloadables, Surfin Shield™" Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
Finjan Software Ltd., "Finjan Announces a Personal Java™ Firewall For Web Browsers—the SurfinShield™ 1.6 (formerly known as SurfinBoard)", Press Release of Finjan Releases SurfinShield 1.6, Oct. 21, 1996, 2 pages.
Finjan Software Ltd., "Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0" Las Vegas Convention Center/Pavilion 5 P5551, Nov. 18, 1996, 3 pages.
Finjan Software Ltd., "Finjan Software Releases SurfinBoard, Industry's First Java Security Product For the World Wide Web", Article published on the Internet by Finjan Software Ltd., Jul. 29, 1996, 1 page.
Finjan Software Ltd., "Java Security: Issues & Solutions" Article published on the Internet by Finjan Software Ltd., 1996, 8 pages.
Finjan Software Ltd., Company Profile "Finjan—Safe Surfing, The Java Security Solutions Provider" Article published on the Internet by Oct. 31, 1996, 3 pages.
IBM AntiVirus User's Guide Version 2.4, International Business Machines Corporation, Nov. 15, 1995, p. 6-7.
Khare, R. "Microsoft Authenticode Analyzed" Jul. 22, 1996, xent.com/FoRK-archive/summer96/0338.html, p. 1-2.
LaDue, M., "Online Business Consultant: Java Security: Whose Business Is It?" Article published on the Internet, Home Page Press, Inc. 1996, 4 pages.
Leach, Norvin et al., "IE 3.0 Applets Will Earn Certification", PC Week, vol. 13, No. 29, Jul. 22, 1996, 2 pages.
Moritz, R., "Why We Shouldn't Fear Java" Java Report, Feb. 1997, pp. 51-56.
Microsoft—"Microsoft ActiveX Software Development Kit" Aug. 12, 1996, activex.adsp.or.jp/inetsdk/help/overview.htm, pp. 1-6.
Microsoft Corporation, Web Page Article "Frequently Asked Questions About Authenticode", last updated Feb. 17, 1997, Printed Dec. 23, 1998. URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Microsoft® Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet", Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction and pp. 1-10.
Okamoto, E. et al., "ID-Based Authentication System For Computer Virus Detection", IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170. URL: http://iel.ihs.com:80/cgi-bin/iel__cgi?se...2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
Omura, J. K., "Novel Applications of Cryptography in Digital Communications", IEEE Communications Magazine, May 1990; pp. 21-29.
Schmitt, D.A., ".EXE files, OS-2 style" PC Tech Journal, v6, n11, p. 76 (13).
Zhang, X.N., "Secure Code Distribution", IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, Jun. 1997, pp. 76-79.

* cited by examiner

Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 4 of 13

U.S. Patent   Aug. 26, 2008   Sheet 1 of 3   US 7,418,731 B2

[FIG. 1 drawing sheet: simplified block diagram of the network gateway, showing gateway computer 110 with its code scanner, the security profile cache (security profile for web page P; security policies for user groups 1, 2 and 3) and the web cache (web page P and web objects O1 to O4). The rotated drawing labels are not legible in this scan.]

Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 5 of 13

U.S. Patent   Aug. 26, 2008   Sheet 2 of 3   US 7,418,731 B2

[FIG. 2 drawing sheet: simplified flowchart for operation of the network gateway, from the client computer's request for a web page, through the gateway's checks of the web cache and security profile cache, scanning of potentially malicious web objects, and comparison of the security profile with the client's security policy. The rotated drawing labels are not legible in this scan.]

Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 6 of 13

U.S. Patent   Aug. 26, 2008   Sheet 3 of 3   US 7,418,731 B2

[FIG. 3 drawing sheet: simplified block diagram of a network gateway that controls outgoing traffic from client computers to recipient groups, with a security policy stored per recipient group. The rotated drawing labels are not legible in this scan.]

Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 7 of 13

US 7,418,731 B2

METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

CROSS REFERENCES TO RELATED APPLICATIONS

This application is a continuation-in-part of assignee's application U.S. Ser. No. 09/539,667 (now U.S. Pat. No. 6,804,780), filed on Mar. 30, 2000, and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, which is a continuation of U.S. Ser. No. 08/964,388 (now U.S. Pat. No. 6,092,194), filed on Nov. 6, 1997 and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES.

FIELD OF THE INVENTION

The present invention relates to computer security and network gateways.

BACKGROUND OF THE INVENTION

A network gateway computer conventionally serves as a proxy between a group of inter-connected computers, referred to as an intranet, such as a corporate intranet or customers of an Internet service provider, and the myriads of server computers on the Internet. The gateway computer is networked with the intranet computers in such a way that outgoing requests and responses from the intranet computers to the Internet, and incoming requests and responses from the Internet to the intranet computers are routed through the gateway computer.

Typically, a request is issued as an HTTP protocol request that includes a URI for a file, such as an HTML page, a JPEG image or a PDF document, residing on one or more server computers on the Internet. Similarly, a response is typically an HTTP response including a requested file, sent back to a client in response to a request.

Network gateways are generally connected to an intranet with high-speed lines, so that the bandwidth between the intranet computers and the gateway computer is much higher than the bandwidth between the gateway computer and the rest of the Internet.

Two important functions of computer gateways are (i) to restrict outsiders from unauthorized access to a computer intranet, and (ii) to protect the intranet computers from software containing computer viruses and from spam. Computer gateways may contain conventional firewall software that restricts outside communication with the intranet, anti-virus software that identifies computer viruses residing within files retrieved from the Internet, and anti-spam software that filters out unwanted content.

SUMMARY OF THE INVENTION

The present invention provides a method and system for improving performance of gateway computers. Specifically, the present invention mitigates network latency caused by processing time at a gateway computer.

Current gateway systems cause latency because clients do not access websites directly, and because current gateway systems apply security protocols to protect intranet members. Accordingly, systems and methods for reducing network access latency without compromising network safety are needed.

There is thus provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy

Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 8 of 13

defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is additionally provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a file cache for storing files, a security profile cache for storing security profiles for files, the security profiles being lists of computer commands that the files are programmed to perform, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning outgoing files from an intranet to the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a security policy cache for storing security policies for recipient computers within the Internet, the security policies including a list of restrictions for files that are transmitted to recipient computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 9 of 13

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:
FIG. 1 is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention;
FIG. 2 is a simplified flowchart for operation of a network gateway, in accordance with a preferred embodiment of the present invention; and
FIG. 3 is a simplified block diagram for a network gateway that controls outgoing traffic, in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The present invention provides a system and method for optimizing performance of network gateways that perform security-based functions.

Reference is now made to FIG. 1, which is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention. Shown in FIG. 1 is a network gateway computer 110, which serves as a proxy between an intranet of clients and servers, and the Internet. Specifically in FIG. 1, gateway computer 110 intervenes between requests for web pages originating from an intranet 120 of clients 123, 125 and 127, and responses originating from Internet servers 133, 135 and 137.

Typically, web pages include text, executable scripts and one or more links to web objects that must be retrieved in order to completely render the web page. Such web objects include inter alia images, sounds, multimedia presentations, video clips and also active code that runs on the client computer. Executable scripts and active code components are a security concern, since they may contain computer viruses that maliciously harm client computers. In fact, most viruses today are transmitted as active web objects or as e-mail attachments.

Preferably, gateway computer 110 includes a code scanner 140, for scanning incoming web pages and web objects in order to detect the presence of malicious executable scripts or active code. Preferably when gateway 110 receives a web page, it also retrieves the web objects referenced by the web page, and scanner 140 scans the web page and the web objects that may be malicious. For example, a web page, P, requested by a client computer, may contain references to web objects O1, O2, O3 and O4. Generally, the web page, P, and the web objects it references, O1, O2, O3 and O4, are stored as files within the Internet.

When the web page, P, first arrives at gateway computer 110, gateway computer 110 preferably retrieves objects O1, O2, O3 and O4. Gateway computer 110 then decides which of web page P and objects O1, O2, O3 and O4 may potentially be malicious, and scanner 140 scans each of the potentially malicious files. Determination of which files may be potentially malicious may be based on numerous criteria—for example, multimedia objects such as images and video clips may be deemed safe, whereas Visual Basic scripts and Java applets may be deemed potentially malicious.

In accordance with a preferred embodiment of the present invention, scanner 140 analyzes each file it scans to determine the nature of computer operations that the file is programmed to perform, and derives a security profile therefor, summarizing potentially malicious computer operations. Thus scanner 140 may determine inter alia that a file is programmed to access a computer file system, or a computer operating system, or open a network socket.

Table I below indicates a typical scan analysis, in accordance with a preferred embodiment of the present invention. As can be seen from Table I, web page P and web objects O1 and O4 are deemed potentially malicious. Web objects O2 and O3 are deemed safe. The security profile for web page P includes security profiles for JavaScript within page P, and for web objects O1 and O4 referenced by page P. Web objects O2 and O3 are not scanned, since they are deemed to be safe.

TABLE I
Security Profile for Web Page P

File                               Potentially   Security Profile
                                   Malicious?    File System Commands            Operating System Commands     Network Commands
Web Page P                         Yes           None                            None                          Issue HTTP request
  (references objects O1, O2,
  O3 and O4; includes JavaScript)
Web Object O1 (Java applet)        Yes           Open file F1; Write file F2;    Open registry; Edit registry  None
                                                 Delete file F1
Web Object O2 (Still image)        No
Web Object O3 (Audio clip)         No
Web Object O4 (ActiveX Control)    Yes           Open file F1; Copy file F1      None                          Open socket; FTP send

In accordance with a preferred embodiment of the present invention, web page security profiles are stored in a security profile cache 150, and the web page and the web objects that the page references are stored in a web cache 160. Security profile cache 150 preferably includes a table as indicated in Table II.

TABLE II
Structure of Security Profile Cache 150

Web Content ID    Web Content Security Profile

`Case 3:17-cv-05659-WHA Document 171-7 Filed 07/27/18 Page 10 of 13
`Case 3:17-cv-05659-WHA Document171-7 Filed 07/27/18 Page 10 of 13
`
`US 7,418,731 B2
`
`TABLEIII
`
`Structure ofWeb Content Cache 160
`
`Web Content URI
`
`Web Content ID
`
`Web Content
`
`8
`7
`A CLIENT DURING RUNTIME FROM HOSTILE DOWN-
`Webcontent ID is preferably a has ID that serves as a key for
`LOADABLES, USS. Pat. No. 6,480,962 entitled SYSTEM
`Table IJ. Similarly, web content cache 160 preferably
`AND METHODFOR PROTECTING A CLIENT DURING
`includesatable as indicated in Table II].
`RUNTIME FROM HOSTILE DOWNLOADABLES. USS.
`Pat. No. 6,804,780 entitled SYSTEM AND METHOD FOR
`PROTECTING A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES, USS. Pat. No. 6,965,968
`entitled POLICY-BASED CACHING, and U:S. Pat. No.
`7,058,822 entitled MALICIOUS MOBILE CODE RUNT-
`IME MONITORING SYSTEM AND METHODS.
`
`10
`
`Web content URI serves as a key for Table III, and Web
`Content ID is a foreign key that can be used to join Table I
`with Table III.
`
`Tt may be appreciatedthat the same web page or web object
`may be stored at multiple locations and, as such, multiple
`URIs maycorrespondto the same web content. In a preferred
`embodimentof the present invention, web cache 160 is man-
`aged so as to avoid caching duplicate web content. Use of a
`hash ID for web pages and web objects serves to identify web
`content duplicates, and to determine if web content on the
`Internet has changedsince it was earlier cached within web
`content cache 160. In case web content has changed, then
`preferably the more recent web content is cached instead of
`the older web content, and the newer web content is scanned
`by code scanner 140, in order to update its security profile
`within security profile cache 150.
`Preferably, when a client computer requests a web page,P,
`from a server computer, the request is first transmitted to
`gateway computer 110, which checks whetheror not the web
`page is already resident within web cache 160. If not, then
`computer gateway forwards the request to the server com-
`puter, which in turn sends the requested web page, P, to
`gateway computer 110 within a response. Requests and
`responses are typically formatted according to the HTTP
`protocol. Upon receipt of the requested web page, gateway
`computer 110 (4) fetches the web objects referenced by page
`P, such as web objects O1, 02, O3 and O4 hereinabove; (11)
`determines which files to scan; (iii) determines security pro-
`files for the scannedfiles; (tv) caches the security profiles for
`web pageP in security profile cache 150; and (v) caches web
`page P and web objects O1, 02, O03 and O4 in web cache 160
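The two-table layout (Table II keyed by a hash content ID, Table III keyed by URI with the content ID as a foreign key), the hash-based deduplication and change detection, and the five-step request flow above can be illustrated together in one small model. The following Python is an added example, not code from the patent or from Finjan; it assumes SHA-256 as the hash ID (the text does not name a hash function), a `src="..."` attribute scan as the reference extractor, a skip-images rule for step (ii), and a placeholder scanner that merely records which active-content markers appear, standing in for code scanner 140. All sample pages and URIs are constructed.

```python
"""Gateway caches 150 and 160 modelled as two hash-keyed tables plus the request flow.

Added illustration, not the patent's or Finjan's code. SHA-256, the src="..."
reference extractor, the skip-images scan rule and the marker-recording scanner
are constructed assumptions standing in for details the text leaves open.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for code scanner 140's own analysis and for step (ii).
ACTIVE_CONTENT_MARKERS = (b"<script", b"<object", b"<applet", b"<embed")
SKIP_SCAN_SUFFIXES = (".png", ".jpg", ".gif")
SRC_RE = re.compile(rb'src="([^"]+)"')            # simplified reference extractor
UNSCANNED = {"scanned": False, "active_content": [], "needs_review": False}


def content_id(data: bytes) -> str:
    """Hash ID: key of Table II and the foreign key stored beside each URI in Table III."""
    return hashlib.sha256(data).hexdigest()


def placeholder_scanner(data: bytes) -> dict:
    """Stand-in for code scanner 140: records which active-content markers appear."""
    found = sorted(m.decode() for m in ACTIVE_CONTENT_MARKERS if m in data.lower())
    return {"scanned": True, "active_content": found, "needs_review": bool(found)}


def should_scan(uri: str) -> bool:
    """Step (ii): decide which fetched files go to the scanner (constructed rule)."""
    return not uri.lower().endswith(SKIP_SCAN_SUFFIXES)


def referenced_objects(page: bytes) -> List[str]:
    """Web objects a page references (src attributes, in document order)."""
    return [m.decode() for m in SRC_RE.findall(page)]


@dataclass
class Gateway:
    fetch: Callable[[str], bytes]                      # origin fetch, supplied by the caller
    scan: Callable[[bytes], dict] = placeholder_scanner
    profile_cache: Dict[str, dict] = field(default_factory=dict)   # Table II: content ID -> profile
    web_cache: Dict[str, str] = field(default_factory=dict)        # Table III: URI -> content ID
    content_store: Dict[str, bytes] = field(default_factory=dict)  # Table III: one copy per content ID
    origin_fetches: int = 0

    def _fetch_and_cache(self, uri: str) -> str:
        """Fetch one URI, deduplicate by hash, scan new content, retire replaced content."""
        data = self.fetch(uri)
        self.origin_fetches += 1
        cid = content_id(data)
        old = self.web_cache.get(uri)
        if cid not in self.content_store:
            # New or changed content: keep a single copy and give it a fresh profile.
            self.content_store[cid] = data
            self.profile_cache[cid] = self.scan(data) if should_scan(uri) else dict(UNSCANNED)
        self.web_cache[uri] = cid
        if old is not None and old != cid and old not in self.web_cache.values():
            # No URI maps to the older content any more: drop it and its profile.
            del self.content_store[old]
            del self.profile_cache[old]
        return cid

    def request(self, uri: str) -> Tuple[bytes, dict]:
        """Client request for page P: serve from cache, else fetch, scan and cache
        the page together with the web objects it references."""
        if uri not in self.web_cache:
            cid = self._fetch_and_cache(uri)                              # page P
            for obj_uri in referenced_objects(self.content_store[cid]):  # step (i)
                if obj_uri not in self.web_cache:
                    self._fetch_and_cache(obj_uri)                        # steps (ii)-(v)
        cid = self.web_cache[uri]
        return self.content_store[cid], self.profile_cache[cid]

    def profiles_for_page(self, uri: str) -> Dict[str, dict]:
        """Join Table III with Table II: profiles for page P and its referenced objects."""
        page, _ = self.request(uri)
        return {u: self.profile_cache[self.web_cache[u]]
                for u in [uri] + referenced_objects(page) if u in self.web_cache}

    def refresh(self, uri: str) -> bool:
        """Re-fetch a URI; True if the hash shows the content changed (and was rescanned)."""
        old = self.web_cache.get(uri)
        return self._fetch_and_cache(uri) != old


# Constructed origin content; "mirror/logo.png" carries the same bytes as "logo.png".
PNG_V1 = b"\x89PNG constructed image bytes v1"
ORIGIN = {
    "http://example.test/index.html":
        b'<html><img src="http://example.test/logo.png"><script>document.title = "demo";</script></html>',
    "http://example.test/page2.html": b'<html><img src="http://example.test/mirror/logo.png"></html>',
    "http://example.test/logo.png": PNG_V1,
    "http://example.test/mirror/logo.png": PNG_V1,
}


def demo() -> dict:
    origin = dict(ORIGIN)
    gw = Gateway(fetch=lambda u: origin[u])
    _, index_profile = gw.request("http://example.test/index.html")
    after_first = gw.origin_fetches                # page plus its logo
    gw.request("http://example.test/index.html")   # now served from web cache 160
    after_repeat = gw.origin_fetches
    gw.request("http://example.test/page2.html")   # mirror logo deduplicated by hash ID
    copies = len(gw.content_store)
    origin["http://example.test/logo.png"] = b"\x89PNG constructed image bytes v2"
    logo_changed = gw.refresh("http://example.test/logo.png")
    mirror_changed = gw.refresh("http://example.test/mirror/logo.png")
    return {"index_profile": index_profile, "fetches_after_first": after_first,
            "fetches_after_repeat": after_repeat, "stored_copies": copies,
            "logo_changed": logo_changed, "mirror_changed": mirror_changed,
            "copies_after_refresh": len(gw.content_store),
            "page_profiles": gw.profiles_for_page("http://example.test/index.html")}


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through exercises each point of the text: the second request for `index.html` causes no origin fetch, the mirrored logo is stored once because its hash ID matches, a changed logo is detected by its new hash and cached in place of the old bytes, and `profiles_for_page` performs the Table III to Table II join for a page and the objects it references.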
