Case 3:17-cv-05659-WHA Document 230-6 Filed 11/12/18 Page 1 of 6
`Case 3:17-cv-05659-WHA Document 230-6 Filed 11/12/18 Page 1 of 6
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 4
`EXHIBIT 4
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 230-6 Filed 11/12/18 Page 2 of 6
`
`Sky Advanced Threat Prevention Administration
`Guide
`
`Modified: 2017-09-08
`
`Copyright © 2017, Juniper Networks, Inc.
`
`

`

`Case 3:17-cv-05659-WHA Document 230-6 Filed 11/12/18 Page 3 of 6
`
`Chapter 1: Sky Advanced Threat Prevention Overview
`
`Figure 5: Example Sky ATP Pipeline Approach for Analyzing Malware
`
`Cache Lookup
`
`Antivirus Scan
`
`Each analysis technique creates a verdict number, which is combined to create a final
`verdict number between 1 and 10. A verdict number is a score or threat level. The higher
`the number, the higher the malware threat. The SRX Series device compares this verdict
`number to the policy settings and either permits or denies the session. If the session is
`denied, a reset packet is sent to the client and the packets are dropped from the server.
`
`When a file is analyzed, a file hash is generated, and the results of the analysis are stored
`in a database. When a file is uploaded to the Sky ATP cloud, the first step is to check
`whether this file has been looked at before. If it has, the stored verdict is returned to the
`SRX Series device and there is no need to re-analyze the file. In addition to files scanned
`by Sky ATP, information about common malware files is also stored to provide faster
`response.
`
`Cache lookup is performed in real time. All other techniques are done offline. This means
`that if the cache lookup does not return a verdict, the file is sent to the client system while
`the Sky ATP cloud continues to examine the file using the remaining pipeline techniques.
`If a later analysis returns a malware verdict, then the file and host are flagged.
`
`The advantage of antivirus software is its protection against a large number of potential
`threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of
`antivirus software is that it is always behind the malware. The virus comes first and the
`patch to the virus comes second. Antivirus is better at defending familiar threats and
`known malware than zero-day threats.
`
`Sky ATP utilizes multiple antivirus software packages, not just one, to analyze a file. The
`results are then fed into the machine learning algorithm to overcome false positives and
`false negatives.
`
`Copyright © 2017, Juniper Networks, Inc.
`
`9
`
`

`

`Case 3:17-cv-05659-WHA Document 230-6 Filed 11/12/18 Page 4 of 6
`
`Sky Advanced Threat Prevention Administration Guide
`
`Static Analysis
`
`Dynamic Analysis
`
`Static analysis examines files without actually running them. Basic static analysis is
`straightforward and fast, typically around 30 seconds. The following are examples of
`areas static analysis inspects:
`
`• Metadata information—Name of the file, the vendor or creator of this file, and the
`original data the file was compiled on.
`
`• Categories of instructions used—Is the file modifying the Windows registry? Is it touching
`disk I/O APIs?.
`
`• File entropy—How random is the file? A common technique for malware is to encrypt
`portions of the code and then decrypt it during runtime. A lot of encryption is a strong
`indication a this file is malware.
`
`The output of the static analysis is fed into the machine learning algorithm to improve
`the verdict accuracy.
`
`The majority of the time spent inspecting a file is in dynamic analysis. With dynamic
`analysis, often called sandboxing, a file is studied as it is executed in a secure environment.
`During this analysis, an operating system environment is set up, typically in a virtual
`machine, and tools are started to monitor all activity. The file is uploaded to this
`environment and is allowed to run for several minutes. Once the allotted time has passed,
`the record of activity is downloaded and passed to the machine learning algorithm to
`generate a verdict.
`
`Sophisticated malware can detect a sandbox environment due to its lack of human
`interaction, such as mouse movement. Sky ATP uses a number of deception techniques
`to trick the malware into determining this is a real user environment. For example, Sky
`ATP can:
`
`• Generate a realistic pattern of user interaction such as mouse movement, simulating
`keystrokes, and installing and launching common software packages.
`
`• Create fake high-value targets in the client, such as stored credentials, user files, and
`a realistic network with Internet access.
`
`• Create vulnerable areas in the operating system.
`
`Deception techniques by themselves greatly boost the detection rate while reducing
`false positives. They also boosts the detection rate of the sandbox the file is running in
`because they get the malware to perform more activity. The more the file runs the more
`data is obtained to detect whether it is malware.
`
`Machine Learning Algorithm
`
`Sky ATP uses its own proprietary implementation of machine learning to assist in analysis.
`Machine learning recognizes patterns and correlates information for improved file analysis.
`The machine learning algorithm is programmed with features from thousands of malware
`
`10
`
`Copyright © 2017, Juniper Networks, Inc.
`
`

`

`Case 3:17-cv-05659-WHA Document 230-6 Filed 11/12/18 Page 5 of 6
`
`Chapter 1: Sky Advanced Threat Prevention Overview
`
`samples and thousands of goodware samples. It learns what malware looks like, and is
`regularly re-programmed to get smarter as threats evolve.
`
`Threat Levels
`
`Sky ATP assigns a number between 0-10 to indicate the threat level of files scanned for
`malware and the threat level for infected hosts. See Table 4 on page 11.
`
`Table 4: Threat Level Definitions
`
`Threat Level
`
`Definition
`
`0
`
`1 - 3
`
`4 - 6
`
`7 -10
`
`Clean; no action is required.
`
`Low threat level.
`
`Medium threat level.
`
`High threat level.
`
`For more information on threat levels, see the Sky ATP Web UI online help.
`
`Juniper Networks Sky Advanced Threat Prevention on page 3
`
`Dashboard Overview
`
`• •
`
`Related
`Documentation
`
`• Sky Advanced Threat Prevention License Types
`
`Sky Advanced Threat Prevention License Types
`
`Sky ATP has three service levels:
`
`• Free—The free model solution is available on all supported SRX Series devices (see
`the Supported Platforms Guide) and for customers that have a valid support contract,
`but only scans executable file types (see “Sky Advanced Threat Prevention Profile
`Overview” on page 77). Based on this result, the SRX Series device can allow the traffic
`or perform inline blocking.
`
`• Basic—Includes executable scanning and adds filtering using the following threat feed
`types: Command and Control, GeoIP, Custom Filtering, and Threat Intel feeds. Threat
`Intel feeds use APIs that allow you to injects feeds into Sky ATP.
`
`• Premium—Includes all features provided in the Free and Basic-Threat Feeds licenses,
`but provides deeper analysis. All file types are examined using several analysis
`techniques to give better coverage. Full reporting provides details about the threats
`found on your network.
`
`NOTE: You do not need to download any additional software to run Sky ATP.
`
`Table 5 on page 12 shows a comparison between the free model and the premium model.
`
`Copyright © 2017, Juniper Networks, Inc.
`
`11
`
`

`

`Case 3:17-cv-05659-WHA Document 230-6 Filed 11/12/18 Page 6 of 6
`
`CHAPTER 2
`
`Installing Sky Advanced Threat Prevention
`
`• Sky Advanced Threat Prevention Installation Overview on page 15
`
`• Managing the Sky Advanced Threat Prevention License on page 15
`
`• Registering a Sky Advanced Threat Prevention Account on page 19
`
`• Downloading and Running the Sky Advanced Threat Prevention Script on page 23
`
`Sky Advanced Threat Prevention Installation Overview
`
`Although Sky ATP is a free add-on to an SRX Series device, you must still enable it prior
`to using it. To enable Sky ATP, perform the following tasks:
`
`1. (Optional) Obtain a Sky ATP premium license. See Obtaining the Sky Advanced Threat
`Prevention License.
`
`2. Register an account on the Sky ATP cloud Web portal. See “Registering a Sky Advanced
`Threat Prevention Account” on page 19.
`
`3. Download and run the Sky ATP script on your SRX Series device. See “Downloading
`and Running the Sky Advanced Threat Prevention Script” on page 23.
`
`The following sections describe these steps in more detail.
`
`Managing the Sky Advanced Threat Prevention License
`
`This topic describes how to install the Sky ATP premium license onto your SRX Series
`devices and vSRX deployments. You do not need to install the Sky ATP free license as
`these are included your base software. Note that the free license has a limited feature
`set (see “Sky Advanced Threat Prevention License Types” on page 11 and “Sky Advanced
`Threat Prevention File Limitations” on page 13).
`
`When installing the license key, you must use the license that is specific your device type.
`For example, the Sky ATP premium license available for the SRX Series device cannot
`be used on vSRX deployments.
`
`• Obtaining the Premium License Key on page 16
`
`• License Management and SRX Series Devices on page 16
`
`Copyright © 2017, Juniper Networks, Inc.
`
`15
`
`