Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 1 of 14

EXHIBIT 8

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 2 of 14

United States Patent Application Publication
(10) Pub. No.: US 2005/0005107 A1
Touboul
(43) Pub. Date: Jan. 6, 2005

US 20050005107A1

(54) METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

(76) Inventor: Shlomo Touboul, Kefar-Haim (IL)

Correspondence Address:
SQUIRE, SANDERS & DEMPSEY L.L.P.
600 HANSEN WAY
PALO ALTO, CA 94304-1043 (US)

(21) Appl. No.: 10/838,889

(22) Filed: May 3, 2004

Related U.S. Application Data

(63) Continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

Publication Classification

(51) Int. Cl.: G06F 7/00
(52) U.S. Cl.: 713/165

(57) ABSTRACT

A computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for client computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers. A method and a computer-readable storage medium are also described and claimed.

[FIG. 1, front-page drawing: a gateway with code scanner 140; security profile cache 150 holding a security profile for web page P and a security profile for web page R; web cache 160 holding rows of URI, ID and content for web page P and web objects O1, O2, O3 and O4; security policy cache 170 holding security policies for user group 1, user group 2 and user group 3; the Internet and a server. Remaining labels are not legible in the scan.]

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 3 of 14

Patent Application Publication  Jan. 6, 2005  Sheet 1 of 3  US 2005/0005107 A1

[FIG. 1 drawing sheet: the text in the scan is rotated and not legible; the labels recoverable from the front-page copy of this figure are security profile cache, web page P, web objects, security policy and user groups.]

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 4 of 14

Patent Application Publication  Jan. 6, 2005  Sheet 2 of 3  US 2005/0005107 A1

[FIG. 2 drawing sheet: a flowchart with columns for client computer, gateway computer and server computer, starting from a client request; the step labels in the scan are rotated and not legible.]

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 5 of 14

Patent Application Publication  Jan. 6, 2005  Sheet 3 of 3  US 2005/0005107 A1

[FIG. 3 drawing sheet: clients, security policies, recipients and recipient groups; the remaining labels in the scan are rotated and not legible.]

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 6 of 14

US 2005/0005107 A1
Jan. 6, 2005

METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

CROSS REFERENCES TO RELATED APPLICATIONS

[0001] This application is a continuation-in-part of assignee's pending U.S. patent application Ser. No. 09/539,667, filed on Mar. 30, 2000, and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, which is a continuation of U.S. patent application Ser. No. 08/964,388 (now U.S. Pat. No. 6,092,194), filed on Nov. 6, 1997 and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES.

FIELD OF THE INVENTION

[0002] The present invention relates to computer security and network gateways.

BACKGROUND OF THE INVENTION

[0003] A network gateway computer conventionally serves as a proxy between a group of inter-connected computers, referred to as an intranet, such as a corporate intranet or customers of an Internet service provider, and the myriads of server computers on the Internet. The gateway computer is networked with the intranet computers in such a way that outgoing requests and responses from the intranet computers to the Internet, and incoming requests and responses from the Internet to the intranet computers are routed through the gateway computer.

[0004] Typically, a request is issued as an HTTP protocol request that includes a URI for a file, such as an HTML page, a JPEG image or a PDF document, residing on one or more server computers on the Internet. Similarly, a response is typically an HTTP response including a requested file, sent back to a client in response to a request.

[0005] Network gateways are generally connected to an intranet with high-speed lines, so that the bandwidth between the intranet computers and the gateway computer is much higher than the bandwidth between the gateway computer and the rest of the Internet.

[0006] Two important functions of computer gateways are (i) to restrict outsiders from unauthorized access to a computer intranet, and (ii) to protect the intranet computers from software containing computer viruses and from spam. Computer gateways may contain conventional firewall software that restricts outside communication with the intranet, anti-virus software that identifies computer viruses residing within files retrieved from the Internet, and anti-spam software that filters out unwanted content.

[0007] Current gateway systems cause latency because clients do not access websites directly, and because current gateway systems apply security protocols to protect intranet members. Accordingly, systems and methods for reducing network access latency without compromising network safety are needed.

SUMMARY OF THE INVENTION

[0008] The present invention provides a method and system for improving performance of gateway computers. Specifically, the present invention mitigates network latency caused by processing time at a gateway computer.

[0009] There is thus provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

[0010] There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

[0011] There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

[0012] There is moreover provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 7 of 14

US 2005/0005107 A1
Jan. 6, 2005

a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

[0013] There is additionally provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

[0014] There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

[0015] There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

[0016] There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a file cache for storing files, a security profile cache for storing security profiles for files, the security profiles being lists of computer commands that the files are programmed to perform, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

[0017] There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

[0018] There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

[0019] There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning outgoing files from an intranet to the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a security policy cache for storing security policies for recipient computers within the Internet, the security policies including a list of restrictions for files that are transmitted to recipient computers.

[0020] There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 8 of 14

US 2005/0005107 A1
Jan. 6, 2005

[0021] There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

BRIEF DESCRIPTION OF THE DRAWINGS

[0022] The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

[0023] FIG. 1 is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention;

[0024] FIG. 2 is a simplified flowchart for operation of a network gateway, in accordance with a preferred embodiment of the present invention; and

[0025] FIG. 3 is a simplified block diagram for a network gateway that controls outgoing traffic, in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

[0026] The present invention provides a system and method for optimizing performance of network gateways that perform security-based functions.

[0027] Reference is now made to FIG. 1, which is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention. Shown in FIG. 1 is a network gateway computer 110, which serves as a proxy between an intranet of clients and servers, and the Internet. Specifically in FIG. 1, gateway computer 110 intervenes between requests for web pages originating from an intranet 120 of clients 123, 125 and 127, and responses originating from Internet servers 133, 135 and 137.

[0028] Typically, web pages include text, executable scripts and one or more links to web objects that must be retrieved in order to completely render the web page. Such web objects include inter alia images, sounds, multimedia presentations, video clips and also active code that runs on the client computer. Executable scripts and active code components are a security concern, since they may contain computer viruses that maliciously harm client computers. In fact, most viruses today are transmitted as active web objects or as e-mail attachments.

[0029] Preferably, gateway computer 110 includes a code scanner 140, for scanning incoming web pages and web objects in order to detect the presence of malicious executable scripts or active code. Preferably when gateway 110 receives a web page, it also retrieves the web objects referenced by the web page, and scanner 140 scans the web page and the web objects that may be malicious. For example, a web page, P, requested by a client computer, may contain references to web objects O1, O2, O3 and O4. Generally, the web page, P, and the web objects it references, O1, O2, O3 and O4, are stored as files within the Internet.

[0030] When the web page, P, first arrives at gateway computer 110, gateway computer 110 preferably retrieves objects O1, O2, O3 and O4. Gateway computer 110 then decides which of web page P and objects O1, O2, O3 and O4 may potentially be malicious, and scanner 140 scans each of the potentially malicious files. Determination of which files may be potentially malicious may be based on numerous criteria—for example, multimedia objects such as images and video clips may be deemed safe, whereas Visual Basic scripts and Java applets may be deemed potentially malicious.

[0031] In accordance with a preferred embodiment of the present invention, scanner 140 analyzes each file it scans to determine the nature of computer operations that the file is programmed to perform, and derives a security profile therefor, summarizing potentially malicious computer operations. Thus scanner 140 may determine inter alia that a file is programmed to access a computer file system, or a computer operating system, or open a network socket.

[0032] Table I below indicates a typical scan analysis, in accordance with a preferred embodiment of the present invention. As can be seen from Table I, web page P and web objects O1 and O4 are deemed potentially malicious. Web objects O2 and O3 are deemed safe. The security profile for web page P includes security profiles for JavaScript within page P, and for web objects O1 and O4 referenced by page P. Web objects O2 and O3 are not scanned, since they are deemed to be safe.

TABLE I

Security Profile for Web Page P

| File | Potentially Malicious? | Security Profile: File System Commands | Security Profile: Operating System Commands | Security Profile: Network Commands |
|---|---|---|---|---|
| Web Page P (references objects O1, O2, O3 and O4; includes JavaScript) | Yes | None | None | Issue HTTP request |
| Web Object O1 | Yes | Open file F1 | Open registry | None |

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 9 of 14

US 2005/0005107 A1
Jan. 6, 2005

TABLE I-continued

Security Profile for Web Page P

| File | Potentially Malicious? | Security Profile: File System Commands | Security Profile: Operating System Commands | Security Profile: Network Commands |
|---|---|---|---|---|
| Web Object O1 (continued: Java applet) | | Write file F2; Delete file F1 | Edit registry | |
| Web Object O2 (still image) | No | | | |
| Web Object O3 (audio clip) | No | | | |
| Web Object O4 (ActiveX control) | Yes | Open file F1; Copy file F1 | None | Open socket; FTP send |

[0033] In accordance with a preferred embodiment of the present invention, web page security profiles are stored in a security profile cache 150, and the web page and the web objects that the page references are stored in a web cache 160. Security profile cache 150 preferably includes a table as indicated in Table II.

TABLE II

Structure of Security Profile Cache 150

| Web Content ID | Web Content Security Profile |
|---|---|

[0034] Web content ID is preferably a hash ID that serves as a key for Table II. Similarly, web content cache 160 preferably includes a table as indicated in Table III.

TABLE III

Structure of Web Content Cache 160

| Web Content URI | Web Content ID | Web Content |
|---|---|---|

[0035] Web content URI serves as a key for Table III, and Web Content ID is a foreign key that can be used to join Table II with Table III.

[0036] It may be appreciated that the same web page or web object may be stored at multiple locations and, as such, multiple URIs may correspond to the same web content. In a preferred embodiment of the present invention, web cache 160 is managed so as to avoid caching duplicate web content. Use of a hash ID for web pages and web objects serves to identify web content duplicates, and to determine if web content on the Internet has changed since it was earlier cached within web content cache 160. In case web content has changed, then preferably the more recent web content is cached instead of the older web content, and the newer web content is scanned by code scanner 140, in order to update its security profile within security profile cache 150.

[0037] Preferably, when a client computer requests a web page, P, from a server computer, the request is first transmitted to gateway computer 110, which checks whether or not the web page is already resident within web cache 160. If not, then computer gateway forwards the request to the server computer, which in turn sends the requested web page, P, to gateway computer 110 within a response. Requests and responses are typically formatted according to the HTTP protocol. Upon receipt of the requested web page, gateway computer 110 (i) fetches the web objects referenced by page P, such as web objects O1, O2, O3 and O4 hereinabove; (ii) determines which files to scan; (iii) determines security profiles for the scanned files; (iv) caches the security profiles for web page P in security profile cache 150; and (v) caches web page P and web objects O1, O2, O3 and O4 in web cache 160.

[0038] After gateway computer 110 has stored web page P in web cache 160, and has stored its corresponding security profile in security profile cache 150, it determines whether or not to send web page P to the client computer that requested it. If web page P may perform malicious operations to the client computer, then gateway computer 110 may not transmit web page P.

[0039] The decision whether or not to transmit web page P to the requesting client computer is preferably based on a security policy for the client computer. A security policy indicates suspicious operations that are to be blocked from a client computer. Thus by comparing the operations within a security profile for a web page, P, vis a vis the operations listed within a security policy that are to be blocked, a determination can be made whether or not to transmit web page P to a client computer. Preferably, security policies are stored within a security policy cache 170 on gateway computer 110.

[0040] Use of security profiles and security policies is described in applicant's U.S. Pat. No. 6,092,194 entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, U.S. Pat. No. 6,154,844 entitled SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE, U.S. Pat. No. 6,167,520 entitled SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES, and U.S. Pat. No. 6,480,962 entitled SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES.

[0041] It may be appreciated that the various caches within gateway computer 110—security profile cache 150, web cache 160 and security policy cache 170—must be managed in order to be kept current as files on the Internet

Case 3:17-cv-05659-WHA Document 349-9 Filed 01/04/19 Page 10 of 14

US 2005/0005107 A1
Jan. 6, 2005

are replaced with newer versions, and in order to appropriately purge items from cache when cache memory is full and new items arrive for storage. Typically, web cache 160 is the cache that fills up, since web objects such as applets and multimedia files tend to be very large. In accordance with a preferred embodiment of the present invention, caches 150 and 160 are synchronized, so that when a file is purged from web cache 160, its corresponding security profile is purged from cache 170.

[0042] Methodologies for keeping caches 150 and 160 current include inter alia:

[0043] replacing cached files regularly on a periodic basis, such as every 24 hours, and re-scanning them to derive updated security profiles;

[0044] replacing files based on expiration dates and times included within the file headers, and re-scanning them to derive updated security profiles; and

[0045] checking the Internet to determine whether cached files are current whenever they are requested by an intranet computer.

[0046] Methodologies for purging files when cache 160 is full include inter alia:

[0047] purging the oldest files;

[0048] purging the least accessed files; and

[0049] purging the files that have not been accessed for the longest time; i.e., least recently used (LRU).

[0050] It may be appreciated that although web content is purged from cache 160 in order to free up memory, the security profile of the purged content need not be purged from security profile cache 150. In such a case, if the purged web content is subsequently re-cached and has not changed, then code scanner 140 need not re-scan the content. Preferably, the web content ID is used to determine if web content re-entering

a group of client computers and the Internet. Thus at step 210 a network gateway computer receives the client request.

[0054] At step 215 the gateway computer determines whether or not the requested web page is already resident within its web cache. Preferably, the web cache is indexed by URI, so that the gateway computer can readily determine whether or not the requested web page is available. If the requested web page is already available in the web cache, processing continues at step 255. Otherwise, at step 220 the gateway computer retrieves the requested web page from the Internet, using the web page's URI to determine its location. At step 225 the client computer receives the requested web page from the gateway computer, and at step 230 the client computer identifies the web objects referenced within the web page it receives and requests them from the gateway computer.

[0055] Typically, web objects are referenced by individual URIs. Thus web objects O1, O2, O3 and O4 above typically each have their own URIs, say, URI1, URI2, URI3 and URI4. At step 235 the gateway computer retrieves the referenced web objects from the Internet, using their individual URIs to determine their locations. It may be appreciated that although the requested web page is not available in the web cache at step 215, it is possible that one or more of the web objects it references are nevertheless available in cache. As such, the gateway computer may not be required to retrieve all of the referenced web objects at step 235.

[0056] At step 240 the gateway computer determines which of the web page and its referenced web objects are deemed potentially malicious, and scans those files that are so deemed. In accordance with a preferred embodiment of the present invention, the scans operate to identify computer commands that a file is programmed to carry out, and record potentially malicious commands in a list that serves as a security profile. Typically, the list includes commands that operate on a computer file system or operating system, and commands that perform network operations such as opening of a network socket or transmission of data.
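The caches of Tables II and III, the profile-versus-policy comparison of [0039] and the purge behaviour of [0049] and [0050], as an added Python model that is not code from the application or its assignee. The command vocabulary of the "active code", the URIs, the user groups, the sample content and the scanner itself are constructed stand-ins for this example.

```python
"""Added model of the caching secure gateway described in the application.

Not code from the application: the command vocabulary, URIs, client groups,
sample content and the pattern-matching scanner are constructed for this example.
"""
from collections import OrderedDict
import hashlib

# Command categories matching the columns of Table I (constructed vocabulary).
COMMANDS = {
    "open_file": "file_system", "write_file": "file_system",
    "delete_file": "file_system", "copy_file": "file_system",
    "open_registry": "operating_system", "edit_registry": "operating_system",
    "http_request": "network", "open_socket": "network", "ftp_send": "network",
}
# Content kinds deemed potentially malicious ([0030]); other kinds are never scanned.
SCANNED_KINDS = {"html", "java_applet", "activex"}


def scan(body):
    """Derive a security profile, {category: sorted commands}, from a file ([0031])."""
    profile = {}
    for line in body.splitlines():
        words = line.split()
        if words and words[0] in COMMANDS:
            profile.setdefault(COMMANDS[words[0]], set()).add(" ".join(words))
    return {category: sorted(ops) for category, ops in profile.items()}


def content_id(body):
    """Hash ID that keys the security profile cache (Table II, [0034])."""
    return hashlib.sha256(body.encode()).hexdigest()


class Gateway:
    def __init__(self, origin, policies, web_cache_size=4):
        self.origin = origin            # stand-in for the Internet: uri -> (kind, body)
        self.web_cache = OrderedDict()  # Table III: uri -> (content_id, kind, body), LRU order
        self.profile_cache = {}         # Table II: content_id -> security profile
        self.policy_cache = policies    # cache 170: client group -> blocked commands
        self.web_cache_size = web_cache_size
        self.scans = 0                  # scanner invocations, to show the effect of [0050]

    def _fetch(self, uri):
        """Return (content_id, kind, body) from the web cache or the origin ([0037])."""
        if uri in self.web_cache:                      # step 215: cache hit
            self.web_cache.move_to_end(uri)
            return self.web_cache[uri]
        kind, body = self.origin[uri]                  # steps 220/235: retrieve from the Internet
        cid = content_id(body)
        if kind in SCANNED_KINDS and cid not in self.profile_cache:
            self.scans += 1                            # step 240: scan only content not seen before
            self.profile_cache[cid] = scan(body)
        if len(self.web_cache) >= self.web_cache_size:
            self.web_cache.popitem(last=False)         # [0049]: purge the least recently used file;
        self.web_cache[uri] = (cid, kind, body)        # its profile stays in the profile cache ([0050])
        return self.web_cache[uri]

    def profile_for_page(self, uri):
        """Profile of a page combined with those of the objects it references ([0032])."""
        cid, _kind, body = self._fetch(uri)
        refs = [line.split(None, 1)[1] for line in body.splitlines() if line.startswith("ref ")]
        member_ids = [cid] + [self._fetch(ref)[0] for ref in refs]
        combined = {}
        for member in member_ids:
            for category, ops in self.profile_cache.get(member, {}).items():
                combined.setdefault(category, set()).update(ops)
        return {category: sorted(ops) for category, ops in combined.items()}

    def request(self, group, uri):
        """Compare the page's profile with the group's policy ([0039]): (verdict, violations)."""
        profile = self.profile_for_page(uri)
        blocked = self.policy_cache[group]
        violations = sorted(op for ops in profile.values() for op in ops if op.split()[0] in blocked)
        return ("blocked" if violations else "allowed", violations)


# Constructed sample content mirroring Table I: page P references objects O1 to O4.
ORIGIN = {
    "http://example.test/P.html": ("html",
        "ref http://example.test/O1.class\nref http://example.test/O2.jpg\n"
        "ref http://example.test/O3.wav\nref http://example.test/O4.ocx\n"
        "http_request http://example.test/api\n"),
    "http://example.test/O1.class": ("java_applet",
        "open_file F1\nwrite_file F2\ndelete_file F1\nopen_registry\nedit_registry\n"),
    "http://example.test/O2.jpg": ("image", "<still image bytes>"),
    "http://example.test/O3.wav": ("audio", "<audio clip bytes>"),
    "http://example.test/O4.ocx": ("activex", "open_file F1\ncopy_file F1\nopen_socket\nftp_send\n"),
}
# Constructed policies: the commands each user group's security policy blocks ([0039]).
POLICIES = {"group1": {"open_socket", "ftp_send", "edit_registry"}, "group2": set()}


def build_demo_gateway():
    """Gateway whose 4-slot web cache is smaller than the 5 files that make up page P."""
    return Gateway(ORIGIN, POLICIES, web_cache_size=4)


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.request("group1", "http://example.test/P.html"))  # blocked: edit_registry, ftp_send, open_socket
    print(gw.request("group2", "http://example.test/P.html"))  # allowed
    print("scanner invocations:", gw.scans)                    # 3: P, O1 and O4 scanned once each
```

Because the web cache holds four files while page P and its objects are five, the LRU purge evicts files between the two requests, yet the second request triggers no re-scan: the evicted content returns with the same hash ID and its profile is still in the profile cache.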
