Case 3:17-cv-05659-WHA Document 347-2 Filed 12/21/18 Page 1 of 13

EXHIBIT 1
(12) United States Patent
(10) Patent No.: US 7,418,731 B2
Touboul
(45) Date of Patent: Aug. 26, 2008

(54) METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

(75) Inventor: Shlomo Touboul, Kefar-Haim (IL)

(73) Assignee: Finjan Software, Ltd., Netanya (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 537 days.

(21) Appl. No.: 10/838,889

(22) Filed: May 3, 2004

(65) Prior Publication Data
US 2005/0005107 A1, Jan. 6, 2005

Related U.S. Application Data
(63) Continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

(51) Int. Cl.
G06F 21/00 (2006.01)
G06F 15/16 (2006.01)
(52) U.S. Cl. ..... 726/22
(58) Field of Classification Search ..... None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,077,677 A   12/1991   Murphy et al.
5,359,659 A   10/1994   Rosenthal
5,361,359 A   11/1994   Tajalli et al.
5,485,409 A    1/1996   Gupta et al.
5,485,575 A    1/1996   Chess et al.
5,572,643 A   11/1996   Judson
5,579,509 A   11/1996   Furtney et al.
5,606,668 A    2/1997   Shwed
5,623,600 A    4/1997   Ji et al.
5,638,446 A    6/1997   Rubin
5,692,047 A   11/1997   McManis
5,692,124 A   11/1997   Holden et al.
5,720,033 A    2/1998   Deo
5,724,425 A    3/1998   Chang et al.
5,740,248 A    4/1998   Fieres et al.
5,761,421 A    6/1998   van Hoff et al.
5,765,205 A    6/1998   Breslau et al.

FOREIGN PATENT DOCUMENTS
EP   1091276 A1   4/2001

OTHER PUBLICATIONS
U.S. Appl. No. 10/838,889, filed Oct. 26, 1999, Golan, G.

Primary Examiner: Christopher A Revak
(74) Attorney, Agent, or Firm: Perkins Coie LLP

(57) ABSTRACT

A computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for client computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers. A method and a computer-readable storage medium are also described and claimed.

22 Claims, 3 Drawing Sheets

[Front-page drawing (FIG. 1): network gateway with a security policy cache (security policies for user groups 1, 2 and 3, each keyed by an ID), a web cache (URL, ID and content for web page P and web objects O1 through O4) and a security profile cache (security profile for web page P).]

FINJAN-JN 340143
U.S. PATENT DOCUMENTS (continued)
5,784,459 A    7/1998   Devarakonda et al.
5,796,952 A    8/1998   Davis et al.
5,805,829 A    9/1998   Cohen et al.
5,832,208 A   11/1998   Chen et al.
5,832,274 A   11/1998   Cutler et al.
5,850,559 A   12/1998   Angelo et al.
5,859,966 A    1/1999   Hayman et al.
5,864,683 A    1/1999   Boebert et al.
5,892,904 A    4/1999   Atkinson et al.
5,951,698 A    9/1999   Chen et al.
5,956,481 A    9/1999   Walsh et al.
5,974,549 A   10/1999   Golan
5,978,484 A   11/1999   Apperson et al.
5,983,348 A   11/1999   Ji
6,092,194 A    7/2000   Touboul
6,154,844 A   11/2000   Touboul
6,167,520 A   12/2000   Touboul
6,339,829 B1   1/2002   Beadle et al.
6,480,962 B1  11/2002   Touboul
6,804,780 B1  10/2004   Touboul
6,917,953 B2*  7/2005   Simon et al. ..... 707/204

FOREIGN PATENT DOCUMENTS (continued)
EP   1132796 A1   9/2001

OTHER PUBLICATIONS (continued)
http://www.codeguru.com/Cpp/Cpp/cpp_mfc/parsing/article.php/c4093/.
http://www.cs.may.ie/~jpower/Courses/compilers/notes/lexical.pdf.
http://www.mail-archive.com/kragen-tol@canonical.org/msg00097.html.
http://www.owlnet.rice.edu/~comp412/Lectures/L06LexWrapup4.pdf.
http://www.cs.odu.edu/~toida/nerzic/390teched/regular/fa/min-fa.html.
http://rw4.cs.uni-sb.de/~ganimal/GANIFA/page16_e.htm.
http://www.cs.msstate.edu/~hansen/classes/3813fall01/slides/06Minimize.pdf.
http://www.win.tue.nl/~watson/2R870/downloads/madfa_algs.pdf.
http://www.cs.nyu.edu/web/Research/Theses/chang_chia-hsiang.pdf.
"Products" Article published on the Internet, "Revolutionary Security for A New Computing Paradigm" regarding SurfinGate™, 7 pages.
"Release Notes for the Microsoft ActiveX Development Kit", Aug. 13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
Doyle et al., "Microsoft Press Computer Dictionary", 1993, Microsoft Press, 2nd Edition, pp. 137-138.
Finjan Software Ltd., "Powerful PC Security for the New World of Java™ and Downloadables, SurfinShield™", Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
Finjan Software Ltd., "Finjan Announces a Personal Java™ Firewall For Web Browsers—the SurfinShield™ 1.6 (formerly known as SurfinBoard)", Press Release of Finjan Releases SurfinShield 1.6, Oct. 21, 1996, 2 pages.
Finjan Software Ltd., "Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0", Las Vegas Convention Center/Pavilion 5 P5551, Nov. 18, 1996, 3 pages.
Finjan Software Ltd., "Finjan Software Releases SurfinBoard, Industry's First Java Security Product For the World Wide Web", Article published on the Internet by Finjan Software Ltd., Jul. 29, 1996, 1 page.
Finjan Software Ltd., "Java Security: Issues & Solutions", Article published on the Internet by Finjan Software Ltd., 1996, 8 pages.
Finjan Software Ltd., Company Profile "Finjan—Safe Surfing, The Java Security Solutions Provider", Article published on the Internet by Oct. 31, 1996, 3 pages.
IBM AntiVirus User's Guide Version 2.4, International Business Machines Corporation, Nov. 15, 1995, pp. 6-7.
Khare, R., "Microsoft Authenticode Analyzed", Jul. 22, 1996, xent.com/FoRK-archive/summer96/0338.html, pp. 1-2.
LaDue, M., "Online Business Consultant: Java Security: Whose Business Is It?", Article published on the Internet, Home Page Press, Inc., 1996, 4 pages.
Leach, Norvin et al., "IE 3.0 Applets Will Earn Certification", PC Week, vol. 13, No. 29, Jul. 22, 1996, 2 pages.
Moritz, R., "Why We Shouldn't Fear Java", Java Report, Feb. 1997, pp. 51-56.
Microsoft, "Microsoft ActiveX Software Development Kit", Aug. 12, 1996, activex.adsp.or.jp/inetsdk/help/overview.htm, pp. 1-6.
Microsoft Corporation, Web Page Article "Frequently Asked Questions About Authenticode", last updated Feb. 17, 1997, Printed Dec. 23, 1998. URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Microsoft® Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet", Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction and pp. 1-10.
Okamoto, E. et al., "ID-Based Authentication System For Computer Virus Detection", IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170. URL: http://iel.ihs.com:80/cgi-bin/iel_cgi?se...2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
Omura, J. K., "Novel Applications of Cryptography in Digital Communications", IEEE Communications Magazine, May 1990, pp. 21-29.
Schmitt, D.A., ".EXE files, OS-2 style", PC Tech Journal, v6, n11, p. 76 (13).
Zhang, X.N., "Secure Code Distribution", IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, Jun. 1997, pp. 76-79.

* cited by examiner
U.S. Patent   Aug. 26, 2008   Sheet 1 of 3   US 7,418,731 B2

[FIG. 1: simplified block diagram of the network gateway (gateway computer 110). Labels legible in the drawing: client computers; a security policy cache holding a security policy for each of user groups 1, 2 and 3; a web cache holding web page P and web objects O1 through O4, each keyed by URL and ID; a security profile cache holding the security profile for web page P; server computers.]
U.S. Patent   Aug. 26, 2008   Sheet 2 of 3   US 7,418,731 B2

[FIG. 2: simplified flowchart for operation of the network gateway. Step labels legible in the drawing include: client computer requests web page from server computer; gateway computer, acting as proxy, receives client request; is requested web page available in web cache?; gateway computer requests web page from server computer; gateway computer receives web page from server computer; gateway computer requests web objects referenced within web page; scan items deemed potentially malicious; store web page and associated web objects in web cache; store security profile for web page in security profile cache; retrieve security profile for web page from security profile cache; retrieve security policy for client computer from security policy cache; compare security profile with security policy; block web page, or take alternative actions as prescribed by security policy. The step numerals (205 through 280) are not legible in this scan.]
U.S. Patent   Aug. 26, 2008   Sheet 3 of 3   US 7,418,731 B2

[FIG. 3: simplified block diagram of a network gateway that controls outgoing traffic. Labels legible in the drawing: client computers; a security policy cache holding a security policy for each recipient group (recipient groups 1 through 3); recipient computers.]
METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

CROSS REFERENCES TO RELATED APPLICATIONS

This application is a continuation-in-part of assignee's application U.S. Ser. No. 09/539,667 (now U.S. Pat. No. 6,804,780), filed on Mar. 30, 2000, and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, which is a continuation of U.S. Ser. No. 08/964,388 (now U.S. Pat. No. 6,092,194), filed on Nov. 6, 1997 and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES.

FIELD OF THE INVENTION

The present invention relates to computer security and network gateways.

BACKGROUND OF THE INVENTION

A network gateway computer conventionally serves as a proxy between a group of inter-connected computers, referred to as an intranet, such as a corporate intranet or customers of an Internet service provider, and the myriads of server computers on the Internet. The gateway computer is networked with the intranet computers in such a way that outgoing requests and responses from the intranet computers to the Internet, and incoming requests and responses from the Internet to the intranet computers are routed through the gateway computer.

Typically, a request is issued as an HTTP protocol request that includes a URI for a file, such as an HTML page, a JPEG image or a PDF document, residing on one or more server computers on the Internet. Similarly, a response is typically an HTTP response including a requested file, sent back to a client in response to a request.

Network gateways are generally connected to an intranet with high-speed lines, so that the bandwidth between the intranet computers and the gateway computer is much higher than the bandwidth between the gateway computer and the rest of the Internet.

Two important functions of computer gateways are (i) to restrict outsiders from unauthorized access to a computer intranet, and (ii) to protect the intranet computers from software containing computer viruses and from spam. Computer gateways may contain conventional firewall software that restricts outside communication with the intranet, anti-virus software that identifies computer viruses residing within files retrieved from the Internet, and anti-spam software that filters out unwanted content.

Current gateway systems cause latency because clients do not access websites directly, and because current gateway systems apply security protocols to protect intranet members. Accordingly, systems and methods for reducing network access latency without compromising network safety are needed.

SUMMARY OF THE INVENTION

The present invention provides a method and system for improving performance of gateway computers. Specifically, the present invention mitigates network latency caused by processing time at a gateway computer.

There is thus provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy
defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is additionally provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a file cache for storing files, a security profile cache for storing security profiles for files, the security profiles being lists of computer commands that the files are programmed to perform, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning outgoing files from an intranet to the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a security policy cache for storing security policies for recipient computers within the Internet, the security policies including a list of restrictions for files that are transmitted to recipient computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.
BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:
FIG. 1 is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention;
FIG. 2 is a simplified flowchart for operation of a network gateway, in accordance with a preferred embodiment of the present invention; and
FIG. 3 is a simplified block diagram for a network gateway that controls outgoing traffic, in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The present invention provides a system and method for optimizing performance of network gateways that perform security-based functions.

Reference is now made to FIG. 1, which is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention. Shown in FIG. 1 is a network gateway computer 110, which serves as a proxy between an intranet of clients and servers, and the Internet. Specifically in FIG. 1, gateway computer 110 intervenes between requests for web pages originating from an intranet 120 of clients 123, 125 and 127, and responses originating from Internet servers 133, 135 and 137.

Typically, web pages include text, executable scripts and one or more links to web objects that must be retrieved in order to completely render the web page. Such web objects include inter alia images, sounds, multimedia presentations, video clips and also active code that runs on the client computer. Executable scripts and active code components are a security concern, since they may contain computer viruses that maliciously harm client computers. In fact, most viruses today are transmitted as active web objects or as e-mail attachments.

Preferably, gateway computer 110 includes a code scanner 140, for scanning incoming web pages and web objects in order to detect the presence of malicious executable scripts or active code. Preferably when gateway 110 receives a web page, it also retrieves the web objects referenced by the web page, and scanner 140 scans the web page and the web objects that may be malicious. For example, a web page, P, requested by a client computer, may contain references to web objects O1, O2, O3 and O4. Generally, the web page, P, and the web objects it references, O1, O2, O3 and O4, are stored as files within the Internet.

When the web page, P, first arrives at gateway computer 110, gateway computer 110 preferably retrieves objects O1, O2, O3 and O4. Gateway computer 110 then decides which of web page P and objects O1, O2, O3 and O4 may potentially be malicious, and scanner 140 scans each of the potentially malicious files. Determination of which files may be potentially malicious may be based on numerous criteria—for example, multimedia objects such as images and video clips may be deemed safe, whereas Visual Basic scripts and Java applets may be deemed potentially malicious.

In accordance with a preferred embodiment of the present invention, scanner 140 analyzes each file it scans to determine the nature of computer operations that the file is programmed to perform, and derives a security profile therefor, summarizing potentially malicious computer operations. Thus scanner 140 may determine inter alia that a file is programmed to access a computer file system, or a computer operating system, or open a network socket.

Table I below indicates a typical scan analysis, in accordance with a preferred embodiment of the present invention. As can be seen from Table I, web page P and web objects O1 and O4 are deemed potentially malicious. Web objects O2 and O3 are deemed safe. The security profile for web page P includes security profiles for JavaScript within page P, and for web objects O1 and O4 referenced by page P. Web objects O2 and O3 are not scanned, since they are deemed to be safe.

TABLE I
Security Profile for Web Page P

Security Profile                                                        | Potentially Malicious? | File System Commands                        | Operating System Commands    | Network Commands
Web Page P (references objects O1, O2, O3 and O4; includes JavaScript) | Yes                    | None                                        | None                         | Issue HTTP request
Web Object O1 (Java applet)                                             | Yes                    | Open file F1; Write file F2; Delete file F1 | Open registry; Edit registry | None
Web Object O2 (Still image)                                             | No                     |                                             |                              |
Web Object O3 (Audio clip)                                              | No                     |                                             |                              |
Web Object O4 (ActiveX Control)                                         | Yes                    | Open file F1; Copy file F1                  | None                         | Open socket; FTP send

In accordance with a preferred embodiment of the present invention, web page security profiles are stored in a security profile cache 150, and the web page and the web objects that the page references are stored in a web cache 160. Security profile cache 150 preferably includes a table as indicated in Table II.

TABLE II
Structure of Security Profile Cache 150

Web Content ID | Web Content Security Profile
It may be appreciated that the various caches within gateway computer 110, security profile cache 150, web cache 160 and security policy cache 170, must be managed in order to be kept current as files on the Internet are replaced with newer versions, and in order to appropriately purge items from cache when cache memory is full and new items arrive for storage. Typically, web cache 160 is the cache that fills up, since web objects such as applets and multimedia files tend to be very large. In accordance with a preferred embodiment of the present invention, caches 150 and 160 are synchronized, so that when a file is purged from web cache 160, its corresponding security profile is purged from cache 150.

Methodologies for keeping caches 150 and 160 current include inter alia:

Case 3:17-cv-05659-WHA Document 347-2 Filed 12/21/18 Page 10 of 13

US 7,418,731 B2

Web content ID is preferably a hash ID that serves as a key for Table II. Similarly, web content cache 160 preferably includes a table as indicated in Table III.

TABLE III

Structure of Web Content Cache 160

Web Content URI        Web Content ID        Web Content

Web content URI serves as a key for Table III, and Web Content ID is a foreign key that can be used to join Table II with Table III.

It may be appreciated that the same web page or web object may be stored at multiple locations and, as such, multiple URIs may correspond to the same web content. In a preferred embodiment of the present invention, web cache 160 is managed so as to avoid caching duplicate web content. Use of a hash ID for web pages and web objects serves to identify web content duplicates, and to determine if web content on the Internet has changed since it was earlier cached within web content cache 160. In case web content has changed, then preferably the more recent web content is cached instead of the older web content, and the newer web content is scanned

replacing cached files regularly on a periodic basis, suc

A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES, U.S. Pat. No. 6,480,962 entitled SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES, U.S. Pat. No. 6,804,780 entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, U.S. Pat. No. 6,965,968 entitled POLICY-BASED CACHING, and U.S. Pat. No. 7,058,822 entitled MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS.
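The two cache tables (Table II keyed by a content hash ID, Table III keyed by URI with the hash ID as a foreign key), the duplicate and change detection that the hash ID enables, and the synchronized purging of caches 150 and 160 described earlier, worked through as an added Python example. This is illustrative code written for this page, not the patent's or Finjan's implementation. It assumes SHA-256 as the hash ID (the description does not fix a hash function), a constructed stand-in for code scanner 140, LRU eviction by byte size for the web cache, and reference counting so that a profile shared by several URIs is purged only when the last URI referencing it leaves web cache 160.

```python
"""Gateway cache modelled on Tables II and III: a security profile cache keyed
by a content hash ID (Table II) and a web content cache keyed by URI that
carries the hash ID as a foreign key (Table III).

Added example, not the patent's own code.  Assumptions: SHA-256 as the hash
ID, a constructed stand-in for code scanner 140, LRU eviction by byte size,
and reference counting for the synchronized purge of caches 150 and 160."""
import hashlib
from collections import OrderedDict


def content_id(content: bytes) -> str:
    """Hash ID: key of Table II and foreign key of Table III (assumed SHA-256)."""
    return hashlib.sha256(content).hexdigest()


def scan(content: bytes) -> dict:
    """Constructed stand-in for code scanner 140: derives a security profile
    recording which kinds of active content the object carries."""
    text = content.decode("utf-8", errors="replace").lower()
    return {
        "has_script": "<script" in text,
        "has_applet": "<applet" in text or "<object" in text,
        "size": len(content),
    }


class GatewayCache:
    def __init__(self, capacity_bytes: int):
        self.capacity_bytes = capacity_bytes
        self.used_bytes = 0
        self.profiles = {}        # Table II: content ID -> security profile
        self.web = OrderedDict()  # Table III: URI -> (content ID, content), LRU order
        self.scans = 0            # number of times the scanner actually ran

    def _refcount(self, cid: str) -> int:
        """How many cached URIs currently share this content ID."""
        return sum(1 for c, _ in self.web.values() if c == cid)

    def purge(self, uri: str) -> None:
        """Remove a URI from web cache 160 and, in step with it, its security
        profile from cache 150 once no other cached URI shares the content."""
        cid, content = self.web.pop(uri)
        self.used_bytes -= len(content)
        if self._refcount(cid) == 0:
            self.profiles.pop(cid, None)

    def fetch(self, uri: str, content: bytes) -> dict:
        """Cache the content retrieved for `uri` and return its security profile.
        Identical content seen under another URI is not rescanned; content that
        changed at a known URI replaces the old entry and is rescanned."""
        cid = content_id(content)
        if uri in self.web:
            if self.web[uri][0] == cid:        # unchanged: just refresh LRU position
                self.web.move_to_end(uri)
                return self.profiles[cid]
            self.purge(uri)                    # changed: drop the stale entry
        if len(content) > self.capacity_bytes:
            self.scans += 1
            return scan(content)               # too large to cache; scan only
        while self.web and self.used_bytes + len(content) > self.capacity_bytes:
            self.purge(next(iter(self.web)))   # evict least recently used
        if cid not in self.profiles:           # duplicate content reuses its profile
            self.profiles[cid] = scan(content)
            self.scans += 1
        self.web[uri] = (cid, content)
        self.used_bytes += len(content)
        return self.profiles[cid]

    def join(self) -> list:
        """Join Table III with Table II on the content ID foreign key."""
        return [(uri, cid, self.profiles[cid]) for uri, (cid, _) in self.web.items()]
```

The reference count in `purge` is what makes de-duplication and synchronized purging compatible: because several URIs may map to one content ID, removing the profile the moment any one of those URIs is evicted would leave the remaining entries without a profile, which is exactly the inconsistency the synchronization is meant to prevent.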
