Case 3:17-cv-05659-WHA Document 183-3 Filed 08/21/18 Page 1 of 35

Exhibit 3

U.S. PATENT APPLICATION

SERIAL NUMBER: 60/030,639 (PROVISIONAL)
FILING DATE: 11/08/96
APPLICANT: SHLOMO TOUBOUL, KEFAR HAIM, ISRAEL
CONTINUING DATA: VERIFIED
FOREIGN/PCT APPLICATIONS: VERIFIED
STATE OR COUNTRY: ILX
SHEETS DRAWING: 7
FILING FEE RECEIVED: $150.00
ATTORNEY DOCKET NO.: D-558

REC'D 26 FEB 1998, WIPO, PCT

EPPA HITE
CARR DEFILIPPO & FERRELL
SUITE 200
2225 EAST BAYSHORE ROAD
PALO ALTO CA 94303

TITLE: SYSTEM AND METHOD FOR PROTECTING A COMPUTER FROM HOSTILE DOWNLOADABLES

This is to certify that annexed hereto is a true copy from the records of the United States Patent and Trademark Office of the application which is identified above.

Date: JAN 27
Certifying Officer
COMMISSIONER OF PATENTS AND TRADEMARKS

PATENT APPLICATION SERIAL NO. 60/030639

U.S. DEPARTMENT OF COMMERCE
PATENT AND TRADEMARK OFFICE
FEE RECORD SHEET

PTO-1556 (5/87)

Patent and Trademark Office, U.S. DEPARTMENT OF COMMERCE
PROVISIONAL APPLICATION FOR PATENT COVER SHEET

This is a request for filing a PROVISIONAL APPLICATION FOR PATENT under 37 CFR 1.53(b)(2).

Docket No.: D-558

INVENTOR(s)/APPLICANT(s)
LAST NAME: Touboul
FIRST NAME: Shlomo
RESIDENCE (CITY AND EITHER STATE OR FOREIGN COUNTRY): Kefar Haim, Israel

TITLE OF INVENTION (280 characters max)
System and Method for Protecting a Computer from Hostile Downloadables

CORRESPONDENCE ADDRESS
Eppa Hite
Carr, DeFilippo & Ferrell LLP
2225 East Bayshore Road, Suite 200
Palo Alto
STATE: California
ZIP CODE: 94303
COUNTRY: U.S.A.
Tel.: (415) 812-3423
Fax: (415) 312-3444

ENCLOSED APPLICATION PARTS (check all that apply)
[X] Specification, Number of Pages [23]
[X] Drawing(s), Number of Sheets [7]
[ ] Small Entity Statement
[X] Other (specify): 9 page "Appendix"

METHOD OF PAYMENT OF FILING FEES FOR THIS PROVISIONAL APPLICATION FOR PATENT
[X] A check or money order is enclosed to cover the filing fees.
[ ] The Commissioner is hereby authorized to charge the filing fees and credit Deposit Account No. 06-0600.
[X] The Commissioner is hereby authorized to charge payment of the following fees associated with this communication or credit any overpayment to Deposit Account No. 06-0600. A duplicate copy of this sheet is attached.
Filing Fee Amount ($): $150.00

The invention was made by an agency of the United States Government or under a contract with an agency of the United States Government.
[X] No.
[ ] Yes, the name of the U.S. Government agency and the Government contract number are: ______

Respectfully submitted,
Shlomo Touboul

Eppa Hite, Reg. No. 30,266
Carr, DeFilippo & Ferrell LLP
2225 East Bayshore Road, Suite 200
Palo Alto, CA 94303

Send To:
Box Provisional Application
Assistant Commissioner for Patents
Washington, D.C. 20231

Additional inventors are being named on separately numbered sheets attached hereto.

SYSTEM AND METHOD FOR PROTECTING A COMPUTER FROM HOSTILE DOWNLOADABLES

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly to a system and method for protecting computers from hostile Downloadables.

2. Description of the Background Art

The Internet is a collection of currently over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as "viruses."

Accordingly, programmers continue to design computer security systems for blocking these viruses from attacking both individual and network computers. On the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to Downloadable application programs, commonly referred to as "applets" or "Downloadables." A Downloadable is an executable application program which is automatically downloaded from a source computer and run on the destination computer. Examples of Downloadables include applets designed for use in the Java™ distributing environment produced by Sun Microsystems or for use in the Active X distributing environment produced by Microsoft Corporation. Therefore, a system and method are needed to protect computers from viruses attached to these Downloadables.

SUMMARY OF THE INVENTION

The present invention provides a system for protecting a computer from hostile Downloadables. The system comprises an interface for receiving a Downloadable, a first memory portion storing security policies and a second memory portion storing known hostile Downloadables. The system further comprises a first comparator, coupled to the interface and to the first memory portion, for discarding the received Downloadable when it matches one of the known hostile Downloadables. The system further comprises a second comparator, coupled to the first comparator and to the second memory portion, for discarding the received Downloadable if it violates one of security policies.

The present invention further provides a method for protecting a computer from hostile Downloadables. The method comprises the steps of receiving a Downloadable, discarding the received Downloadable when the received Downloadable matches a predetermined hostile Downloadable, obtaining Downloadable security profile data on the received Downloadable when the Downloadable does not match a predetermined hostile Downloadable and discarding the received Downloadable when the Downloadable security profile data violates a predetermined security policy.

The system and method of the present invention provide computer protection from potentially hostile computer viruses which have been attached to Downloadables. The system and method of the present invention advantageously identifies both known hostile Downloadables and identifies potentially hostile commands by decomposing unknown Downloadables.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network system in accordance with the present invention;

FIG. 2 is a block diagram illustrating the internal network security system of FIG. 1;

FIG. 3 is a block diagram illustrating the security program of FIG. 2;

FIG. 4 is a flow chart illustrating an example security policy of FIG. 2;

FIG. 5 is a block diagram illustrating the security management console of FIG. 1;

FIG. 6 is a flowchart illustrating a method for protecting an internal computer network from hostile Downloadables; and

FIG. 7 is a flowchart illustrating the FIG. 6 method for decomposing a Downloadable.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a network system 100 in accordance with the present invention. Network system 100 includes an external computer network 105, such as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a signal bus 125 to an internal network security system 110. Network system 100 further includes an internal computer network 115, such as a corporate Local Area Network (LAN), coupled via a signal bus 130 to internal network computer system 110 and coupled via a signal bus 135 to a security management console 120.

Internal network security system 110 examines Downloadables received from external computer network 105, and prevents all recognizably-hostile Downloadables from reaching internal computer network 115. A Downloadable is hostile if it threatens the integrity of an internal computer network 115 component. Security management console 120 enables modification of internal network security system 110.

FIG. 2 is a block diagram of an internal network security system 110 which includes a Central Processing Unit (CPU) 205, such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor, coupled to a signal bus 220. Internal network security system 110 further includes an external communications interface 210 coupled between signal bus 125 and signal bus 220 for receiving the Downloadables from external computer network 105, and an internal communications interface 225 coupled between signal bus 220 and signal bus 130 for forwarding non-hostile Downloadables to internal computer network 115. Alternatively, external communications interface 210 and internal communications interface 225 may be functional components of an integral communications interface (not shown) for both receiving Downloadables from external computer network 105 and forwarding non-hostile Downloadables to internal computer network 115.

Internal network security system 110 further includes Input/Output (I/O) interfaces 215 such as a keyboard, mouse and Cathode Ray Tube (CRT) display, a data storage device 230 such as Read Only Memory (ROM) or magnetic disk, and a Random-Access Memory (RAM) 235, each being coupled to signal bus 220. Data storage device 230 stores a security database 240 which includes security policies and Downloadable data for determining whether a received Downloadable is hostile, and stores an events log 245 which includes the determination results for each Downloadable. An operating system 250 controls processing by CPU 205, and is typically stored in data storage device 230 and loaded into RAM 235 for execution. A security program 255 controls operations of internal network security system 110, and also may be stored in data storage device 230 and loaded into RAM 235 for execution by CPU 205.

FIG. 3 is a block diagram illustrating details of security program 255. Security program 255 includes an ID generator 315, a first comparator 320 coupled to ID generator 315, a code scanner coupled to first comparator 320, a second comparator 330 coupled to code scanner 325 and to first comparator 320, and a record-keeping engine 335 coupled to first comparator 320 and to second comparator 330.

Security program 255 operates in conjunction with security database 240 and events log 245. Security database 240 stores security policies 305 in a first data storage device 230 portion, known Downloadables 307 in a second data storage device 230 portion and Downloadable Security Profiles (DSPs) data corresponding to the known Downloadables 310 in a third data storage device 230 portion. Security policies 305 include a list of computer operations which are deemed to be potentially hostile to the integrity of internal computer network 115. Potentially hostile operations may include READ/WRITE operations on a system configuration file, READ/WRITE operations on a document containing trade secrets, or any other operation that a user deems potentially hostile. Known Downloadables 307 may include Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, Downloadables which OEMs know to be non-hostile, Downloadables which second comparator 330 (described below) has previously determined to be hostile, and Downloadables which second comparator 330 (described below) has previously determined to be non-hostile. DSP data 310 includes the fundamental computer operations included in each known Downloadable 307, and may include READs, WRITEs, file management operations, system management operations, memory management operations and CPU allocation operations.

ID generator 315 receives Downloadables from external computer network 105 via external communications interface 210, and generates a digital signature for each Downloadable. A digital signature may include a Downloadable identification number, the Downloadable type, the Downloadable source and the Downloadable destination.

First comparator 320 receives and bit-wise compares the Downloadables from ID generator 315 with known Downloadables 307 stored in security database 240. If first comparator 320 determines a received Downloadable is identical to a known hostile Downloadable 307, then first comparator 320 discards the received Downloadable, and forwards a non-hostile Downloadable to the intended destination to inform the user that internal network security system 110 discarded the Downloadable. If first comparator 320 determines that the received Downloadable is identical to a known non-hostile Downloadable 307, then first comparator 320 forwards the received Downloadable and the corresponding DSP data 310 to second comparator 330. If first comparator 320 determines that the received Downloadable does not match a known Downloadable (i.e., an "unknown Downloadable") then first comparator 320 forwards the received Downloadable to code scanner 325 (described below). In any case, first comparator 320 then sends a status report to record-keeping engine 335 (described below).

Code scanner 325 receives unknown Downloadables from first comparator 320 and uses conventional parsing techniques to decompose the byte code of the unknown Downloadable into DSP data. Code scanner 325 then sends the Downloadable and the corresponding DSP data to second comparator 330.

Second comparator 330 receives the Downloadable and the corresponding DSP data either from code scanner 325 or from first comparator 320, and compares the DSP data against security policies 305 stored in security database 305. If, from the DSP data, second comparator 330 determines that the Downloadable includes a hostile operation, then second comparator 330 prevents the Downloadable from passing to internal computer network 115. Similarly to first comparator 320, second comparator 330 forwards a non-hostile Downloadable to the intended destination to inform the user that internal network security system 110 discarded the Downloadable. If second comparator 330 determines that the received Downloadable does not violate any security policy 305, then second comparator 330 forwards the received non-hostile Downloadable to internal computer network 115. Further, if second comparator 330 received the non-hostile Downloadable from code scanner 325, then the non-hostile Downloadable is stored in known Downloadables 307 and its corresponding DSP data is stored in DSP data 310. In any case, second comparator 330 sends a status report to record-keeping engine 335 (described below).

Record-keeping engine 335 receives status reports from first comparator 320 and from second comparator 330, and stores the reports in events log 245 in data storage device 230.

FIG. 4 is a block diagram illustrating an example security policy 305.

FIG. 5 is a block diagram illustrating details of security management console 120, which includes a security policy generator 505 coupled to signal bus 135, an event log analysis engine 510 coupled to signal bus 135, a user notification engine 515 coupled to event log analysis engine 510 and a Downloadable database review engine 520 coupled to signal bus 135. Security management console 120 further includes computer components similar to the computer components illustrated in FIG. 2.

Security policy generator 505 uses an I/O interface similar to I/O interface 215 for enabling user modification of security policies 305. Further, security policy generator 505 enables the user to provide multiple security levels, i.e., enables the storage of multiple sets of security policies 305 (wherein second comparator 330 can use only a particular set of security policies 305 based on the destination of a received Downloadable). For example, security policies 305 may enable a corporate manager to receive selected Downloadables but may prevent the corporate manager's secretary from receiving those Downloadables.

Event log analysis engine 510 examines the status reports stored in events log 245 of data storage device 230. Event log analysis engine 510 determines if notification of the user (e.g., the security system manager) is warranted. For example, event log analysis engine 510 may warrant user notification whenever ten (10) hostile Downloadables have been discarded by internal network security system 110 within a thirty (30) minute period, thereby flagging a possible security threat. Accordingly, event log analysis engine 510 instructs user notification engine 515 to inform the user. For example, user notification engine 515 may send an e-mail via internal communications interface 220 or via external communications interface 210 to the user, or may display a message on the user's display device (not shown).

Downloadable database review engine 520 enables a user (e.g., a network security manager) to examine and modify known Downloadables 307 and DSP data 310. Thus, if for example a user learns of new hostile Downloadables, the user can add them to known Downloadables 307 and the corresponding DSP data to DSP data 310. Similarly, the user can add new non-hostile Downloadables to known Downloadables 307 and corresponding DSP data to DSP data 310.

`Case 3:17-cv-05659-WHA Document 183-3 Filed 08/21/18 Page 18 of 35
`
`. . -·
`
`•
`
`•·· . ·-· . . .
`
`--~-- ·---------~~~~·---... .__, ........... _-... --..
`
`. . . r-y"'•
`
`m-··
`
`. . .· .
`
`·' '• ~
`
`I • ... :
`
`PATENT
`
`FIG. 6 is a flowchart illustrating a method 600 for ;>rotecting an
`
`internal computer network 115 from hostile Downloadables.
`
`Method 600 begins with step 605 by ID generator 3 ~5 receiving a
`
`5
`
`Downloadable.
`
`{D generator 315 in step 610 generates a signature
`
`representing the received Downloadable.
`
`First comparator 320 in
`
`step 615 compares the received Downloadable with known
`
`Downloadables 307 previously-stored in security database 240.
`
`If
`
`first comparator 320 in step 620 determines that the received
`
`10
`
`Downloadable is the same as a known hostile Dowrloadable 307,
`
`then first comparator 320 in step 625 discards the received
`
`Downloadable and in step 630 forwards a substitute non-hosf:.:
`
`Downloadable to the intended destination to inform the user. First
`
`comparator 320 in step 635 instructs record-keeping engine 335 to
`
`15
`
`record the findings, i.e., a status report, in events log 245. Method
`
`600 then ends.
`
`If first comparator 320 in step 620 did not recognize the
`
`received Downloadable as a hostile Downloadable 307, then first
`
`comparator 320 in step 640 determines whl!ther the received
`
`·--
`
`.--
`
`, __
`
`•-
`
`•
`
`•
`
`.... ·-....:.
`
`20
`
`Downloadable is a known non-hostile Downloadable 307.
`
`If so, then
`
`first comparator 320 in step 645 retrievl!s the DSP data 310
`
`corresponding to the known non-hostile Downloadable and jumps to
`
`-14-
`
`I
`·--~
`
`·--- ···- - ._ --. -..·.:::: · - --- ....__ _:.~ ....~-----=-:..~~•L-.........:-:.~~=r-=::;.;:-.,._,_-... -L---------- --~----~------------~
`._ ______ . -· -- 4.-- ... ---
`... --- -----·-:..-.··~-.....
`-•-----•- ---~ --•.- ····· ···- ...
`. . ··
`. ·
`...
`. . . ..
`
`-·· .. -.. • •
`
`. ·- .
`
`•• ••• • •--- ~·
`
`•
`
`

`

`Case 3:17-cv-05659-WHA Document 183-3 Filed 08/21/18 Page 19 of 35
`
`... -..
`
`. ----------· ----- ·-----··· ..... -··---· ..... ---- -···· .
`
`·--
`
`..
`. •'
`~.
`::. ·. ~~: ~
`••• i
`
`'"•
`
`step 655. Otherwise, first comparator 320 forwards the received
`
`Downloadable to code scanner 325, which in step 650 decomposes
`
`the received Downloadable into DSP data and then jumps to step
`
`PATENT
`
`655.
`
`5
`
`In step 655, second comparator "330 compares the DSP data,
`
`either retrieved by first comparator 320 from security database 240
`
`or generated by code scanner 325, with security policies 310 stored
`
`in security database 240.
`
`If second comparator 330 in step 660
`
`determines that the DSP data violates a security policy 310, then
`
`10
`
`second comparator 330 proceeds to step 625. Otherwise, second
`
`comparator 330 in step 665 passes the received Downloadable to
`
`imemal computer network 115 as a non-hostile Downloadable, and
`
`proceeds to step 635.
`
`15
`
`FIG. 7 is a flowchart illustrating details of method 650 for
`
`decomposing a Downloadable. Method 650 begins in step 705 with
`
`code scanner 325 disassembling the machine code of the
`
`Do.vnloadable. Code scanner 325 in step 710 resolves a respective
`
`command in the machine code. Code scanner 325 in step 715
`
`20
`
`determines whether the resolved command is a suspect command .
`
`Examples of suspect commands include a memory allocation
`
`command, a loop command such as "goto", "while", "if", "then" or the
`
`like.
`
`If not, then code scanner 325 returns to step 710.
`
`Otherwise, code scanner 325 in step 720 decodes and registers
`
`the command and the command parameters as DSP data. Code
`
`scanner 325 in step 720 registers commands and command
`
`parameters into a format based on command class (e.g., file system
`
`class, network system class, memory system class and CPU system
`
`class). Code scanner 325 in step 725 determines whether the
`
`machine code includes another command.
`
`If so, then code scanner
`
`325 returns to step 710. Otherwise, method 650 ends.
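
The flow of steps 640-665 and of method 650, as an added Python illustration that is not part of the application. The command names, the text listing standing in for machine code, the SHA-256 lookup key, the policy format and the "violation"/"pass" result labels are all assumptions; only the step numbers and the four command classes come from the text.

```python
import hashlib

# Constructed suspect-command table (command name -> command class); the
# names are assumptions, only the four classes come from the text.
SUSPECT = {
    "file_write": "file system", "file_delete": "file system",
    "socket_connect": "network system",
    "mem_alloc": "memory system",
    "goto": "CPU system", "while": "CPU system",
}

# Constructed Downloadable: a text listing stands in for machine code.
SAMPLE = (b"load r1\nmem_alloc 4096\nfile_write /etc/hosts\n"
          b"add r1 r2\nsocket_connect 203.0.113.5 80\n")

def fingerprint(raw):
    """Assumed lookup key for the security database (not from the text)."""
    return hashlib.sha256(raw).hexdigest()

def disassemble(raw):
    """Step 705 stand-in: split the listing into (command, parameters)."""
    for line in raw.decode().splitlines():
        if line.strip():
            name, *params = line.split()
            yield name, params

def decompose(raw):
    """Method 650: register suspect commands and parameters by class."""
    dsp = {}
    for name, params in disassemble(raw):      # steps 710 and 725
        cls = SUSPECT.get(name)                # step 715
        if cls is not None:                    # step 720
            dsp.setdefault(cls, []).append((name, params))
    return dsp

def violates(dsp, policy):
    """Steps 655/660: policy maps a class to the commands it forbids."""
    return any(name in policy.get(cls, ())
               for cls, entries in dsp.items() for name, _ in entries)

def inspect(raw, known_dsp, policy):
    """Steps 640-665: reuse stored DSP data if known, otherwise scan."""
    dsp = known_dsp.get(fingerprint(raw))      # steps 640/645
    if dsp is None:
        dsp = decompose(raw)                   # step 650
    return ("violation" if violates(dsp, policy) else "pass"), dsp
```

Stored DSP data for a known Downloadable is still compared against the policy in force, so the same known Downloadable can pass under one policy and be a violation under another.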
`