Case 3:17-cv-05659-WHA Document 350-2 Filed 01/10/19 Page 1 of 3
`
`Exhibit 2
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 350-2 Filed 01/10/19 Page 2 of 3
`111111
`1111111111111111111111111111111111111111111111111111111111111
`US006804 780B 1
`
`(12) United States Patent
`Touboul
`
`(10) Patent No.:
`(45) Date of Patent:
`
`US 6,804, 780 Bl
`*Oct. 12, 2004
`
`(54) SYSTEM AND METHOD FOR PROTECTING
`A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES
`
`(75)
`
`Inventor: Shlomo Touboul, Kefar-haim (IL)
`
`(73) Assignee: Finjan Software, Ltd., Netanya (IL)
`
`( *) Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 0 days.
`
`This patent is subject to a terminal dis(cid:173)
`claimer.
`
`(21) Appl. No.: 09/539,667
`
`(22) Filed:
`
`Mar. 30, 2000
`
`Related U.S. Application Data
`
`( 63) Continuation of application No. 08/964,388, filed on Nov. 6,
`1997, now Pat. No. 6,092,194.
`(60) Provisional application No. 60/030,639, filed on Nov. 8,
`1996.
`
`Int. Cl? ............................ H04L 9/00; G06F 11/30
`(51)
`(52) U.S. Cl. ....................... 713/181; 713/201; 713/176;
`717/178
`(58) Field of Search ................................. 713/200, 201,
`713/176, 181; 709/223, 225, 227, 229;
`717/168-178
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`5,077,677 A
`5,359,659 A
`5,361,359 A
`5,485,409 A
`5,485,575 A
`
`12/1991 Murphy et a!.
`10/1994 Rosenthal
`11/1994 Tajalli et a!.
`1!1996 Gupta et a!.
`1!1996 Chess et a!.
`
`. . . . . . . . . . . . . . . 703/27
`
`5,572,643 A
`5,579,509 A
`5,606,668 A
`5,623,600 A
`5,638,446 A
`5,692,047 A
`5,692,124 A
`5,720,033 A
`5,724,425 A
`5,740,248 A
`5,761,421 A
`
`11/1996 Judson
`* 11/1996 Furtney et a!.
`2/1997 Shwed
`4/1997 Ji et a!.
`6/1997 Rubin
`11/1997 McManis
`11/1997 Holden et a!.
`2/1998 Deo
`3/1998 Chang eta!.
`4/1998 Fieres et a!.
`6/1998 van Hoff et a!.
`
`(List continued on next page.)
`
`FOREIGN PATENT DOCUMENTS
`1091276 A1 * 4/2001
`1132796 A1 * 9/2001
`
`............. G06F/1!00
`............. G06F/1!00
`
`EP
`EP
`
`OTHER PUBLICATIONS
`
`Khare, "Microsoft Authenticode Analyzed" Jul. 22, 1996,
`xent.com/FoRK-archive/summer96/0338.html, p. 1-2. *
`
`(List continued on next page.)
`
`Primary Examiner-Ayaz Sheikh
`Assistant Examiner-Christopher Revak
`(74) Attorney, Agent, or Firm-Squire,
`Dempsey, L.L.P.
`
`(57)
`
`ABSTRACT
`
`Sanders &
`
`A computer-based method for generating a Downloadable
`ID to identify a Downloadable, including obtaining a Down(cid:173)
`loadable that includes one or more references to software
`components required by the Downloadable, fetching at least
`one software component identified by the one or more
`references, and performing a function on the Downloadable
`and the fetched software components to generate a Down(cid:173)
`loadable ID. A system and a computer-readable storage
`medium are also described and claimed.
`
`18 Claims, 10 Drawing Sheets
`
`800
`
`~
`
`

`

`Case 3:17-cv-05659-WHA Document 350-2 Filed 01/10/19 Page 3 of 3
`
`US 6,804,780 Bl
`
`5
`
`9
`FIG. 6B is a flowchart illustrating details of step 606 of
`FIG. 6A (referred to herein as method 606). Method 606
`begins with the policy finder 317 in step 650 determining
`whether security policies 305 include a specific security
`policy corresponding to the useriD and the Downloadable.
`If so, then the policy finder 317 in step 654 fetches the
`corresponding specific policy 305. If not, then the policy
`finder 317 in step 652 fetches the default or generic security
`policy 305 corresponding to the useriD. Method 606 then
`ends.
`FIG. 6C is a flowchart illustrating details of a method 655
`for determining whether to allow or to block the incoming
`Downloadable. Method 655 begins with the logical engine
`333 in step 660 receiving the results from the first compara-
`tor 320, from the ACL comparator 330, from the certificate 15
`comparator 345 and from the URL comparator 350. The
`logical engine 333 in step 662 compares the results with the
`policy selector 405 embodied in the security policy 305, and
`in step 664 determines whether the policy selector 405
`confirms the pass. For example, the policy selector 405 may 20
`indicate that the logical engine 333 pass the Downloadable
`if it passes one of the tests of Path 1, Path 2, Path 3 and Path
`4. If the policy selector 405 indicates that the Downloadable
`should pass, then the logical engine 333 in step 666 passes
`the Downloadable to the intended recipient. In step 668, the 25
`logical engine 333 sends the results to the record-keeping
`engine 335, which in turn stores the results in the event log
`245 for future review. Method 655 then ends. Otherwise, if
`the policy selector 405 in step 664 indicates that the Down(cid:173)
`loadable should not pass, then the logical engine 333 in step 30
`670 stops the Downloadable and in step 672 sends a non(cid:173)
`hostile substitute Downloadable to inform the user that the
`incoming Downloadable has been blocked. Method 655 then
`jumps to step 668.
`FIG. 7 is a flowchart illustrating details of step 628 of 35
`FIG. 6A(referred to herein as method 628) for decomposing
`a Downloadable into DSP data 310. Method 628 begins in
`step 705 with the code scanner 325 disassembling the
`machine code of the Downloadable. The code scanner 325
`in step 710 resolves a respective command in the machine
`code, and in step 715 determines whether the resolved
`command is suspicious (e.g., whether the command is one of
`the operations identified in the list described above with
`reference to FIG. 3). If not, then the code scanner 325 in step
`725 determines whether it has completed decomposition of 45
`the Downloadable, i.e., whether all operations in the Down(cid:173)
`loadable code have been resolved. If so, then method 628
`ends. Otherwise, method 628 returns to step 710.
`Otherwise, if the code scanner 325 in step 71 determines
`that the resolved command is suspect, then the code scanner 50
`325 in step 720 decodes and registers the suspicious com(cid:173)
`mand and its command parameters as DSP data 310. The
`code scanner 325 in step 720 registers the commands and
`command parameters into a format based on command class
`(e.g., file operations, network operations, registry 55
`operations, operating system operations, resource usage
`thresholds). Method 628 then jumps to step 725.
`FIG. 8 is a flowchart illustrating a method 800 for
`generating a Downloadable ID for identifying a Download(cid:173)
`able. Method 800 begins with the ID generator 315 in step 60
`810 receiving a Downloadable from the external computer
`network 105. The ID generator 315 in step 820 may fetch
`some or all components referenced in the Downloadable
`code, and in step 830 includes the fetched components in the
`Downloadable code. The ID generator 315 in step 840 65
`performs a hashing function on at least a portion of the
`Downloadable code to generate a Downloadable ID. The ID
`
`10
`generator 315 in step 850 stores the generated Download(cid:173)
`able ID in the security database 240 as a reference to the
`DSP data 310. Accordingly, the Downloadable ID will be the
`same for the identical Downloadable each time it is encoun-
`tered.
`The foregoing description of the preferred embodiments
`of the invention is by way of example only, and other
`variations of the above-described embodiments and methods
`are provided by the present invention. For example,
`10 although the invention has been described in a system for
`protecting an internal computer network, the invention can
`be embodied in a system for protecting an individual com(cid:173)
`puter. Components of this invention may be implemented
`using a programmed general purpose digital computer, using
`application specific integrated circuits, or using a network of
`interconnected conventional components and circuits. The
`embodiments described herein have been presented for
`purposes of illustration and are not intended to be exhaustive
`or limiting. Many variations and modifications are possible
`in light of the foregoing teaching. The system is limited only
`by the following claims.
`What is claimed is:
`1. A computer-based method for generating a Download(cid:173)
`able ID to identify a Downloadable, comprising:
`obtaining a Downloadable that includes one or more
`references to software components required to be
`executed by the Downloadable;
`fetching at least one software component identified by the
`one or more references; and
`performing a hashing function on the Downloadable and
`the fetched software components to generate a Down(cid:173)
`loadable ID.
`2. The method of claim 1, wherein the Downloadable
`includes an applet.
`3. The method of claim 1, wherein the
`includes an active software control.
`4. The method of claim 1, wherein the
`includes a plugin.
`5. The method of claim 1, wherein the Downloadable
`40 includes HTML code.
`6. The method of claim 1, wherein the Downloadable
`includes an application program.
`7. The method of claim 1, wherein said fetching includes
`fetching a first software component referenced by the Down(cid:173)
`loadable.
`8. The method of claim 1, wherein said fetching includes
`fetching all software components referenced by the Down(cid:173)
`loadable.
`9. A system for generating a Downloadable ID to identify
`a Downloadable, comprising:
`a communications engine for obtaining a Downloadable
`that includes one or more references to software com(cid:173)
`ponents required to be executed by the Downloadable;
`and
`an ID generator coupled to the communications engine
`that fetches at least one software component identified
`by the one or more references, and for performing a
`hashing function on the Downloadable and the fetched
`software components to generate a Downloadable ID.
`10. The system of claim 9, wherein the Downloadable
`includes an applet.
`11. The system of claim 9, wherein the Downloadable
`includes an active software control.
`12. The system of claim 9, wherein the Downloadable
`includes a plugin.
`13. The system of claim 9, wherein the Downloadable
`includes HTML code.
`
`Downloadable
`
`Downloadable
`
`