Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 1 of 14
`
`Exhibit 3
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 2 of 14
`
`Juniper’s ATP Appliance
`6,804,780
`The statements and documents cited below are based on information available to Finjan, Inc. at the time this chart
`was created. Finjan reserves its right to supplement this chart as additional information becomes known to it.
`
`For purposes of this chart, “ATP Appliance” includes at least the following models that are used individually, or in
`combination and identified in Exhibit A. Based on public information, ATP Appliances all operate identically with
`respect to the identified claims and only vary based on software specifications and/or deployment options. ATP
`Appliances perform the infringing procedures on their own or as a distributed system in combination with Juniper
`Sky Advanced Threat Prevention (“Sky ATP”)1, as will be described in greater detail herein. Based on public
`information, ATP Appliances all operate identically with respect to the identified claims and only vary based on
`software specifications and/or deployment options.
`
`As identified and described element by element below, the one or more of the ATP Appliance specifically listed
`above infringe at least claims 1and 9 of the ’780 Patent.
`
`Claim 1
`1a. A computer-based method
`for generating a
`Downloadable ID to identify
`a Downloadable, comprising:
`
`ATP Appliance meet the recited claim language because it provides a computer-
`based method for generating a Downloadable ID to identify a Downloadable.
`
`As used herein, and throughout these contentions, Downloadable is “an executable
`application program, which is downloaded from a source computer and run on the
`destination computer.”
`
`ATP Appliance meet the recited claim language because ATP Appliance
`generates a Downloadable ID by creating malware attack profiles which include a
`hash to identify a Downloadable, such as malware. The analysis includes
`scanning the Downloadables which include references to software components
`required to be executed by the Downloadable (e.g., suspicious web page content
`containing HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or
`other blended web malware).
`
`ATP Appliance obtains a Downloadable then generates a Downloadable ID (e.g.,
`a SHA-256 or a MD5 hash) to identify a Downloadable and to determine whether
`it is malicious and to return a risk score or verdict.
`
`
`1 “Sky ATP” includes all components and services described in Exhibit A.
`
`1
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 3 of 14
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a Downloadable ID for that dropped file).
`
`
`
`
`1b. obtaining a Downloadable
`that includes one or more
`references to software
`components required to be
`executed by the
`Downloadable;
`
`
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`ATP Appliance meets the recited claim language because it obtains a
`Downloadable that includes one or more references to software components
`required to be executed by the Downloadable.
`
`ATP Appliance meets the recited claim language because ATP Appliance obtains
`suspicious traffic flows for analysis through an application program interface, and
`the content in these traffic flows include Downloadables such as web page and/or
`email attachments. These Downloadables include references to software
`components required to be executed by the Downloadable (e.g. suspicious web
`page content containing HTML, PDFs, JavaScript, drive-by downloads,
`obfuscated code, or other blended web malware).
`
`2
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 4 of 14
`
`Downloadables that includes one or more references to software components
`required to be executed by the Downloadable include a web page that includes
`references to JavaScript, visual basic script, ActiveX, injected iframes; and a PDF
`that includes references to JavaScript, swf files or other executables. Typically,
`Juniper characterizes them as drive-by-downloads or droppers as such
`Downloadables are usually programmed to take advantage of a browser,
`application, or OS that is out of date and has a security flaw. The initial
`downloaded code is often small enough that it wouldn’t be noticed, since its job is
`often simply to contact another computer where it can pull down the rest of the
`code on to the computer. In particular, such software components are usually
`programmed to be downloaded and run in the background in a manner that is
`invisible to the user and without the user taking any conscious actions as just the
`act of viewing a web-page that harbors this malicious code is typically enough for
`the download and execution to occur.
`
`ATP Appliance obtains and scans Downloadables that may include malware
`embedded in images, JavaScript, text and Flash files. As shown below, ATP
`appliance obtains and conducts analysis on Downloadables such as Executable
`files (e.g., “.bin, .com, .dat, .exe, .msi, .msm, .mst”), PDF files, Java (e.g., “.class,
`.ear, .jar, .war”), MS Office file types, Flash and Silverlight applications, Script
`files, and installer files through an application program interface.
`
`The ATP Appliance performs behavioral analysis such as potential dropper
`infection for Downloadables. Potential dropper infections are references to
`software components required to be executed by the Downloadable. As shown
`below, the ATP appliance uses behavior inspection and dynamic detection to find
`dropper files and to perform hashing functions on them.
`
`
`Cyphort Datasheet
`
`As shown below, ATP Appliance will obtain Downloadables, as well as
`components required to execute the Downloadables.
`
`
`
`3
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 5 of 14
`
`Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.
`
`
`Cyphort WP Security 2.0
`
`
`
`
`
`
`
`Cyphort WP Drive by Downloads (describing how the ATP appliances captures
`dropper files and perofrms “static analysis, behavior analysis and reputaiton
`analysis to identify if it is a malware.”).
`
`ATP Appliance meet the recited claim language because it fetches at least one
`software component identified by the one or more references.
`
`
`1c. fetching at least one
`software component
`identified by the one or more
`
`4
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 6 of 14
`
`references; and
`
`ATP Appliance meet the recited claim language because ATP Appliance perform
`analysis on malware containing multiple software components and capture traffic
`containing malware for analysis, including suspicious web page content
`containing HTML, scripts, applets, ActiveX and drive-by downloads. As part of
`this analysis, ATP Appliance includes components which fetch the software
`components identified in references in the Downloadable such as potential
`dropper infections, dropped files, multiple infected files, and object streams
`within PDF’s.
`
`The ATP Appliance performs behavioral analysis such as potential dropper
`infection for Downloadables. Potential dropper infections are references to
`software components required to be executed by the Downloadable. As shown
`below, the ATP Appliance uses behavior inspection and dynamic detection to find
`dropper files and to perform hashing functions on them.
`
`
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a Downloadable ID for that dropped file).
`
`
`5
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 7 of 14
`
`
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`To the extent Juniper argues that ATP Appliances do not literally satisfy this
`element, Juniper meets this element under the doctrine of equivalents. ATP
`Appliances perform the same function as this claim element because they receive
`downloaded content, such as HTML or JavaScript, that have referenced
`components that are also downloaded by ATP Appliances, and create an identity
`for downloaded content. This is the same function as this element because this an
`identification of a downloaded content, including referenced components that are
`downloaded. ATP Appliances perform this function in the same way as this claim
`element because they download components that are used to create an identity for
`downloaded content such as HTML or JavaScript. ATP Appliances perform this
`element the same way because the identity created can be used to identify
`downloaded content that reference multiple components that are used by the
`downloaded content. ATP Appliances achieve the same result as this claim
`element because they have components that result in the creation of an
`identification in downloaded content, such as HTML or JavaScript, and
`downloads multiple components referenced. This is the same result as this claim
`element because ATP Appliances use this identity to identify the downloaded
`content and its referenced components for security decisions.
`
`ATP Appliance meet the recited claim language because they perform a hashing
`function on the Downloadable and the fetched software components to generate a
`Downloadable ID.
`
`ATP Appliance meet the recited claim language because ATP Appliance include
`components which create a dynamically generated signature and/or a malware
`attack profile for the Downloadable by performing a hashing function using
`SHA256, MD5, and/or SHA-1 on Downloadables (e.g., HTML, JavaScript,
`and/or email) together with other web-based files/executables fetched (e.g.,
`potential dropper infections, multiple infected files, and object streams within
`PDF’s).
`
`The ATP Appliance performs MD5, SHA-1, and SHA256 hashes on
`Downloadables.
`
`6
`
`1d. performing a hashing
`function on the Downloadable
`and the fetched software
`components to generate a
`Downloadable ID.
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 8 of 14
`
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a hash value for that dropped file).
`
`
`Claim 9
`
`9a. A system for generating a
`Downloadable ID to identify
`a Downloadable, comprising:
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`
`
`
`
`ATP Appliance meets the recited claim language they provide a system for
`generating a Downloadable ID to identify a Downloadable.
`
`ATP Appliance meet the recited claim language because ATP Appliance is a
`system which generates a Downloadable ID by creating malware attack profiles
`which include a hash to identify a Downloadable such as malware. The analysis
`includes scanning the Downloadables which include references to software
`
`7
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 9 of 14
`
`components required to be executed by the Downloadable (e.g., suspicious web
`page content containing HTML, PDFs, JavaScript, drive-by downloads,
`obfuscated code, or other blended web malware).
`
`ATP Appliance is a system which obtains a Downloadable then generates a
`profile that includes generating a Downloadable ID (e.g., the SHA-256 hash) to
`identify a Downloadable and to determine whether it is malicious and to return a
`risk score or verdict.
`
`
`
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a Downloadable ID for that dropped file).
`
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`
`
`
`8
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 10 of 14
`
`9b. a communications engine
`for obtaining a Downloadable
`that includes one or more
`references to software
`components required to be
`executed by the
`Downloadable; and
`
`ATP Appliance meets the recited claim language because they provide a
`communications engine for obtaining a Downloadable that includes one or more
`references to software components required to be executed by the Downloadable.
`
`ATP Appliance meet the recited claim language because ATP Appliance is a
`system which includes a communications engine (e.g., network interface and
`corresponding proxy software) which obtains suspicious traffic flows for analysis
`that include Downloadables such as web page content and/or email attachments.
`These Downloadables include references to software components required to be
`executed by the Downloadable (e.g., suspicious web page content containing
`HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or other blended
`web malware).
`
`Downloadables that includes one or more references to software components
`required to be executed by the Downloadable include a web page that includes
`references to JavaScript, visual basic script, ActiveX, injected iframes; and a PDF
`that includes references to JavaScript, swf files or other executables. Typically,
`Juniper characterizes them as drive-by-downloads or droppers as such
`Downloadables are usually programmed to take advantage of a browser,
`application, or OS that is out of date and has a security flaw. The initial
`downloaded code is often small enough that it wouldn’t be noticed, since its job is
`often simply to contact another computer where it can pull down the rest of the
`code on to the computer. In particular, such software components are usually
`programmed to be downloaded and run in the background in a manner that is
`invisible to the user - and without the user taking any conscious actions as just the
`act of viewing a web-page that harbors this malicious code is typically enough for
`the download and execution to occur.
`
`ATP Appliance includes a communications engine (e.g., network interface and
`corresponding proxy software) to obtain Downloadables for scanning. ATP
`appliance scans Downloadables that may include malware embedded in images,
`JavaScript, text and Flash files. As shown below, ATP Appliance obtains and
`conducts analysis on Downloadables such as Executable files (e.g., “.bin, .com,
`.dat, .exe, .msi, .msm, .mst”), PDF files, Java (e.g., “.class, .ear, .jar, .war”), MS
`Office file types, Flash and Silverlight applications, Script files, and installer files
`through an application program interface.
`
`The ATP Appliance performs behavioral analysis such as potential dropper
`infection for Downloadables. Potential dropper infections are references to
`software components required to be executed by the Downloadable. As shown
`below, the ATP Appliance uses behavior inspection and dynamic detection to find
`dropper files and to perform hashing functions on them.
`
`9
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 11 of 14
`
`
`
`
`
`Cyphort Datasheet
`
`As shown below, ATP Appliance will obtain Downloadables, as well as
`components required to execute the Downloadables.
`
`Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.
`
`
`Cyphort WP Security 2.0
`
`
`10
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 12 of 14
`
`9c. an ID generator coupled to
`the communications engine
`that fetches at least one
`software component
`identified by the one or more
`references, and for
`performing a hashing function
`on the Downloadable and the
`fetched software components
`to generate a Downloadable
`ID.
`
`
`Cyphort WP Drive by Downloads (describing how the ATP appliances captures
`dropper files and perofrms “static analysis, behavior analysis and reputaiton
`analysis to identify if it is a malware.”).
`
`ATP Appliance meets the recited claim language because they provide an ID
`generator coupled to the communications engine that fetches at least one software
`component identified by the one or more references, and for performing a hashing
`function on the Downloadable and the fetched software components to generate a
`Downloadable ID.
`
`ATP Appliance meet the recited claim language because ATP Appliance is a
`system that includes an ID generator (e.g., software coupled to the
`communications engine) that performs multi-protocol capture of HTML,
`JavaScript, files and EXEs and then performs a hash of the Downloadable and
`fetched software components. ATP Appliance create a dynamically generated
`signature and/or a malware attack profile for the Downloadable by performing a
`hashing function using SHA-256, MD5, and/or SHA-1 on Downloadables (e.g.,
`HTML, JavaScript and other web-based files/executables), thereby performing a
`hashing function on the Downloadable together with the fetched software
`components to generate a Downloadable ID.
`
`ATP Appliance obtains a Downloadable then generates a profile that includes
`generating a Downloadable ID (e.g., the SHA-256 hash) to identify a
`Downloadable. As shown below, the profile is then stored in Juniper’s cloud for
`further identification of Downloadables, including whether it is malicious and to
`create a risk score.
`
`The ATP Appliance performs behavioral analysis such as potential dropper
`infection for Downloadables. Potential dropper infections are references to
`software components required to be executed by the Downloadable. As shown
`below, the ATP Appliance uses behavior inspection and dynamic detection to find
`dropper files and to perform hashing functions on them. The ID generator is the
`software running on a system that generates the hash value of the component and
`the dropped file.
`
`11
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 13 of 14
`
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a Downloadable ID for that dropped file).
`
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`As shown below, ATP Appliance will obtain Downloadables, as well as
`components required to execute the Downloadables.
`
`
`
`12
`
`

`

`Case 3:17-cv-05659-WHA Document 350-3 Filed 01/10/19 Page 14 of 14
`
`Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.
`
`To the extent Juniper argues that ATP Appliances do not literally satisfy this
`element, Juniper meets this element under the doctrine of equivalents. ATP
`Appliances perform the same function as this claim element because they receive
`downloaded content, such as HTML or JavaScript, that have referenced
`components that are also downloaded by ATP Appliances, and create an identity
`for downloaded content. This is the same function as this element because this an
`identification of a downloaded content, including referenced components that are
`downloaded. ATP Appliances perform this function in the same way as this claim
`element because they download components that are used to create an identity for
`downloaded content such as HTML or JavaScript. ATP Appliances perform this
`element the same way because the identity created can be used to identify
`downloaded content that reference multiple components that are used by the
`downloaded content. ATP Appliances achieve the same result as this claim
`element because they have components that result in the creation of an
`identification in downloaded content, such as HTML or JavaScript, and
`downloads multiple components referenced. This is the same result as this claim
`element because ATP Appliances use this identity to identify the downloaded
`content and its referenced components for security decisions.
`
`
`
`
`13
`
`