Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 1 of 17
`
` 
`
` 
`
` 
`
` 
`
` 
`
` 
`
`Exhibit 1
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 2 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 2 of 17
`
`US008141154B2
`
`
`
`United States Patent
`(42)
`(10) Patent No.:
`US 8,141,154 B2
`Gruzmanetal.
`(45) Date of Patent:
`Mar. 20, 2012
`
`
`64) SYSTEM AND METHOD FOR INSPECTING
`DYNAMICALLY GENERATED EXECUTABLE
`CODE
`‘
`*
`"
`
`(75)
`
`6/2001 Albrecht0. 713/201
`2001/0005889 AL*
`
`8/2002 Sheymov ..
`ve T2624
`2002/0116635 Al
`7/2004 Cohen etal.
`..
`ws 726/24
`2004/0133796 Al
`
`8/2004 MeCorkendale et al... 713/156
`2004/0153644 Al
`713/190
`8/2004 SZOL veces
`2004/0158729 Al
`.
`a.
`
`§/2005 Khazan etal.
`726/23
`2005/0108562 Al
`Inventors: David Gruzman, Ramat Gan (IL),
`
`.
`7/2005 Van Brabant
`713/200
`2005/0149749 AL*
`Yuval Ben-Itzhak, Tel Aviv (IL)
`1/2006 Zamir ct al.
`726/22
`2006/0015940 Al
`...
`7/2006 Shethetal.
`726/22
`2006/0161981 Al
`Find
`(
`-
`Assi
`
`1/2007 Dubrovsky etal. ........... 726/22
`2007/0016948 Al
`(73) Assignee: Finjan, Inc. (IL)
`
`(*) Notice: Subject to any disclaimer, the term ofthis|* cited by examiner
`patent is extended or adjusted under 35
`:
`US.C. 154(b) by 0 days.
`Primary Examiner — Ponnoreay Pich
`(74) Attorney, Agent, or Firm — Dawn-Marie Bey; King &
`Spalding LLP
`
`(21) Appl. No.: 12/814,584
`
`ABSTRACT
`(57)
`A methodforprotecting a client computer from dynamically
`generated malicious content, including receivingat a gateway
`computer content being sentto a client computer for process-
`ing, the content including a call to an original function, and
`the call including an input, modifying the content at the
`gateway computer, including replacingthe call to the original
`function with a correspondingcall to a substitute function, the
`substitute function being operational to send the input to a
`security computer for inspection, transmitting the modified
`content from the gateway computer to the client computer,
`processing the modified contentat the client computer, trans-
`milling the inpul to the security compulerfor inspection when
`the substitute function is invoked, determining at the security
`computer whetherit is safe for the client computer to invoke
`the original function with the input, transmitting an indicator
`of whether it is safe for the client computer to invoke the
`original functionwith the input, from the security computerto
`the client computer, and invoking the original functionat the
`client computer with the input, only if the indicator received
`from the security computer indicates that such invocationis
`safe. A system and a computer-readable storage medium are
`also described and claimed.
`
`12 Claims, 5 Drawing Sheets
`
`(22)
`(65)
`
`Filed:
`
`Jun. 14, 2010
`Prior Publication Data
`US 2010/0251373 Al
`Sep. 30, 2010
`
`(51)
`
`Int. Cl.
`(2006.01)
`GO6F 11/00
`(82) US. CL ou... 726/22; 726/23; 726/24; 713/188
`(58) Field of Classification Search 0.0. None
`See application file for complete search history.
`
`References Cited
`U.S. PATENT DOCUMENTS
`sees 726/24
`10/1994 Rosenthal
`5,359,659
`10/1999
`fe
`» 726/23
`. 726/13 11/1999
`5,974,549
`
`5,983,348
`
`7/2000 °
`» 226224
`6,092,194
`. 726/23
`
`12/2000 Touboul
`6,167,520 A
`i
`Bi
`. 726/24
`8/200 Fi ow.
`6,272,641
`Bl
`8/2005 Bartleson et al.
`726/85
`6,934,857
`Bi
`TAL/L18
`11/2005 Touboul wo...
`6,965,968
`
`TAT/146
`4/2007 Souloglouet al.
`B2
`7,203,934
`
`» 726/23
`10/2007 Bertman etal.
`.
`7,287,279 B2
`» 726/24
`12/2007 Ben-Itzhak ..
`7,313,822 B2
`
`TAT/A7A
`6/2010 Badenell
`..
`7,739,682 BI*
`seve 726/24
`.....
`7,836,504 B2* 11/2010 Rayetal.
`
`AAAA
`
`(56)
`
`a
`a
`4
`=
`3S
`4
`4
`a
`z
`3
`a
`2
`5a
`5
`INDICATOR TO CLIENT
`)
`a
`
`
`a COMPUTEROFSAFE INPUT 2
`MODIFIEDCONTENT,
`g
`MODIFIED INPUT
`38
`g
`
`
`
`
`
`
`
`
`2
`;
`5
`&
`Zz
`g
`;
`4
`
`425
`
`INPUT, CLIENT ID
`
`
`
`3
`mn
`5 z
`25
`a3
`G
`
`3
`:
`&
`3
`2
`g
`a
`
`ORIGINAL INCOMING
`CONTENT
`420
`
`g
`3
`=
`a
`2
`a
`g
`
`
`
`
`
`GATEWAY COMPUTER
`
`405
`
`410-4
`
`FINJAN-JN 002025
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 3 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 3 of 17
`
`U.S. Patent
`
`Mar. 20, 2012
`
`Sheet 1 of 5
`
`US 8,141,154 B2
`
`CONTENT PROCESSOR
`
`
`
`ORIGINALINCOMING
`
`
`
`
`
`ORIGINALINCOMING
`
`CONTENT
`
`120
`
`105
`
`CONTENT PROCESSOR
`
`GATEWAY TRANSMITTER
`
`CONTENT INSPECTOR
`
`GATEWAY RECEIVER
`
`
`
`ORIGINALCONTENT
`
`
`
`
`
`
`ORIGINALINCOMING
`CONTENT
`
`FIG.1(PRIORART)
`
`FINJAN-JN 002026
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 4 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 4 of 17
`
`U.S. Patent
`
`Mar. 20, 2012
`
`Sheet 2 of 5
`
`US 8,141,154 B2
`
`
`
`
`
`
`
`
`INRUT, CLIENT IDBf :gggarennennnnnatpe
`
`perenne|7 SECURITY RECEIVER
`
`
`
` —|
`
`2
`B
`
`MODIFIED INPUT
`INDICATOR TO CLIENT
`COMPUTER OF SAFE INFUT
`
`___
`
`SECURITYCOMPUTER:
`
`
` DATABASEOFCLIENT
`
`SECURITYPOLICIES
` INPUT INSPECTOR
`
`INPUTMODIFIER
`
`
`SECURITY TRANSMITTER
`
`
`
`
`
`
`
`ORIGINALINCOMING
`
`
`
` CONTENT
`
`FIG.2
`
`FINJAN-JN 002027
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 5 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 5 of 17
`
`U.S. Patent
`
`Mar.20, 2012
`
`Sheet 3 of 5
`
`US 8,141,154 B2
`
`RECEIVE CONTENT FROM
`NETWORK INTENDEO FOR CLIENT
`COMPUTER
`
`OF FUNCTION CALLS 306
`
`SCAN CONTENT FOR PRESENCE
`
`RECEIVE CONTENT FROM
`GATEWAY COMPUTER
`
`FROM CLIENT COMPUTER
`
`j~— SECURITY COMPUTER —>|
`
`RECEIVE INPUT AND CLIENTID
`
`
`240
`324
`
`CONTINUE TO PROtESS
`SCAN INPUT FOR PRESENCE OF
`
`
`CONTENT
`FUNCTION CALLS
`
`aaa
`
`NO
`
`FUNCTION CALLS FOUND
`IN CONTENT?
`
`312
`YES
`REPLACE ORIGINAL FUNCTION
`
`
`CALLS IN CONTENT WITH
`SUBSTITUTE FUNCTION CALLS
`316
`
`TRANSMIT CONTENT TO CLIENT
`
`
`FOR PROCESSING
`
`320
`
`
`
`NO
`
`YES
`
`WITH MODIFIED INPUT
`
`388
`
`392
`
`360
`
`COMPARE CONTENT SECURITY
`PROFILE WITH CLIENT SECURITY
`POLICY
`
`
`NO/”
`
`SAFE FOR CLIENT TO INVOKE
`ORIGINAL FUNCTION WITH
`INPUT?
`YES
`
`8
`
`6
`
`
`INVOKE SUBSTITUTE FUNCTION
`FuNerionsatis FOUND
`ws
`348
`TRANSMIT INPLIT AND CLIENT 1D
`REPLACE ORIGINAL FUNCTION
`
`INSPECTION
`
`TO SECURITY COMPUTER FOR
`CALLS IN INPUT WITH
`SUBSTITUTE FUNCTION CALLS
`
`
` 352
`
`RECEIVE SAFETY INDICATOR AND
`
`
`SCAN INPUT TO DETERMINE
`
`MODIFIED INPUT FROM SECURITY
`
`
`SECURITY PROFILE
`
`COMPUTER
`
`
`RETRIEVE SECURITY POLICY FOR
`
`CLIENT COMPUTER
`
`
`
`
`SET INDICATOR©TRUE
`
`
`
`
`SET INDICATOR = FALSE
`
`
`
`
`TRANSMIT INDICATOR AND
`MODIFIED INPUT TO CUENT
`GOMPUTER
`
`FIG. 3
`
`37
`
`Z
`
`are
`
`380
`
`FINJAN-JN 002028
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 6 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 6 of 17
`
`U.S. Patent
`
`Mar. 20, 2012
`
`Sheet 4 of 5
`
`US 8,141,154 B2
`
`CONTENT PROCESSOR
`
`445
`
`CLIENT RECEIVER
`
`CeeTREEEGEGeceRET
`
`CLIENTCOMPUTER
`
`
`
`iCOMPUTEROFSAFEINPUT
`
`INDICATORTOCLIENT
` 440
`
`ODIFIEDCONTENT,MODIFIED
`
`INPUT,CLIENTID
`INPUT
`FIG.4
`¢ 7]
`
`DATABASEOFSECURITYPOLICIES
`
` GATEWAY TRANSMITTER
`
`MODIFIER _ GATEWAYCOMPUTER
` CONTENTINPUT
`
`& i
`
`Re
`
`$4 i i
`
`‘
`
`»
`
`
`
`.
`
`425
`
`
`
`
`
`GATEWAY RECEIVER
`
`Oo
`405
`Zz
`Bt=
`SG
`22
`Z3\|
`ox
`oO
`
`a
`*
`
`FINJAN-JN 002029
`
`

`

`
`
`
`
`REPLACE ORIGINAL FUNCTION
`
`
`CALLS YATH SUBSTITUTE
`FUNCTION CALLS
`
`TRANSMIT CONTENT TO CLIENT
`FOR PROCESSING
`
`RECEIVE INPUT AND CLIENT ID
`
`
`FROM CUENT COMPUTER
`
`
`
`
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 7 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 7 of 17
`
`U.S. Patent
`
`Mar.20, 2012
`
`Sheet 5 of 5
`
`US 8,141,154 B2
`
`j— GATEWAYCOMPUTER —|
`
`}— CLIENT COMPUTER —|
`
`RECEIVE CONTENT FROM
`
`
`NETWORK INTENDED FOR CLIENT
`COMPUTER
`
`
`
`SCAN CONTENTHNPUT FOR
`
`} PRESENCE OF FUNCTION CALLS
`
`
`
`RECEIVE GONTENT FROM
`
`CONTINUE TO PROCESS
`
`GATEWAY COMPUTER
`GGNTENT B30)
`INVOKE SUBSTITUTE FUNCTION
`INSPECTION
`
`TRANSMIT INPUT AND OLIENT ID
`TO GATEWAY COMPLITER FOR
`
`
`SCAN INPUT TO DETERMINE
`
`
`SECURITY PROFILE
`
`g_7
`RETRIEVE SECURITY POLICY FOR
`
`CLIENT COMPUTER
`
`COMPARE GONTENT SECURITY
`RECEIVE SAFETY ININCATOR
`
`
`PROFILE WITH CLIENT SECURITY
`
`FROM GATEWAY COMPUTER
`
`POLICY
`
`
`SAFE FOR CUENT TO INVOKE
`INDICATOR = TRUE?
`ORIGINAL FUNCTION WITH
`
`INPUT?
`58S
`YES
`YES
`
`INVOKE ORIGINAL FUNCTION
`WITH INPUT
`
`SET INDICATOR = TRUE
`
`
`
`
`
`SET INDICATOR = FALSE
`
`
`TRANSMIT INDICATOR TO CLIENT
`COMPUTER
`
`wiDcy
`
`FIG. 5
`
`FINJAN-JN 002030
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 8 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 8 of 17
`
`US 8,141,154 B2
`
`1
`SYSTEM AND METHOD FOR INSPECTING
`DYNAMICALLY GENERATED EXECUTABLE
`CODE
`
`FIELD OF THE INVENTION
`
`The present invention relates to computer security, and
`moreparticularly to protection against malicious code suchas
`computer viruses.
`BACKGROUNDOF THE INVENTION
`
`Computerviruses have been rampant for over two decades
`now. Computer viruses generally come in the formof execut-
`able code that performs adverse operations, such as modify-
`ing a computer's operating systemorfile system, damaging a
`computer’s hardware or hardware interfaces, or automati-
`cally transmitting data from one computerto another. Gener-
`ally, computer viruses are generated by hackers willfully, in
`order to exploit computer vulnerabilities. However, viruses
`can also arise by accident due to bugs in software applica-
`tions.
`Originally computer viruses were transmitted as execut-
`able code inserted into files. As each new virus was discov-
`ered, a signature of the virus was collected by anti-virus
`companies and used from then on to detect the virus and
`protect computers against it. Users began routinely scanning
`their file systems using anti-virus software, which regularly
`updated its signature database as each new virus was discov-
`ered.
`Such anti-virus protection is referred to as “reactive”, since
`it can only protect in reaction to viruses that have already been
`discovered.
`With the adventofthe Internet and the ability to run execut-
`able code such as scripts within Internet browsers, a new type
`ofvirus formed; namely, a virus thal enters a computer over
`the Internet and not through the computer’s file system. Such
`Internet viruses can be embedded within web pages and other
`web content, and begin executing within an Internet browser
`as soon as they enter a computer. Routine file scans are not
`able to detect suchviruses, and as a result more sophisticated
`anti-virus tools had to be developed.
`Two generic types of anti-virus applications that are cur-
`rently available to protect against such Internet virusesare (i)
`gatewaysecurity applications, and (ii) desktop security appli-
`cations. Gateway security applications shield web content
`before the content is delivered to its intended destination
`computer. Gateway security applications scan web content,
`and block the content from reaching the destination computer
`if the content is deemed by the security application to be
`potentially malicious. In distinction, desktop security appli-
`cationsshield against web content after the content reachesits
`intended destination computer.
`Moreover, in addition to reactive anti-virus applications,
`that are hased on databases of known virus signatures,
`recently “proactive” antivirus applications have been devel-
`oped. Proactive anti-virus protection uses a methodology
`knownas “beliavioral analysis” to analyze computer content
`for the presence ofviruses. Behavior analysis is used to auto-
`matically scan and parse executable content, in order to detect
`which computer operations the content may perform. As
`such, behavioral analysis can block viruses that have not been
`previously detected and which do not have a signature on
`record, hence the name “proactive”.
`Assignee’s U.S. Pat. No. 6,092,194 entitled SYSTEM
`AND METHOD FOR PROTECTING A COMPUTER AND
`ANETWORK FROM HOSTILE DOWNLOADABLES,the
`
`30
`
`2
`contents of which are hereby incorporated by reference,
`describes gateway level behavioral analysis. Such behavioral
`analysis scans and parses content received at a gateway and
`generates a security profile for the content. A security profile
`is a general list or delineation of suspicious, or potentially
`imalicious, operations that executable content may perform.
`The derived security profile is then compared witha security
`policy for the computer being protected,
`to determine
`whether or not the content’s security profile violates the com-
`puter’s security policy. A security policy is a general set of
`simple or complex rules, that may be applied logically in
`series or in parallel, which determine whetheror not a specific
`operation is permitted or forbidden to be performed by the
`content on the computer being protected. Security policies are
`generally configurable, and set by an administrator of the
`computerthat is being protected.
`Assignee’s U.S. Pat. No. 6,167,520 entitled SYSTEM
`AND METHOD FOR PROTECTINGA CLIENT DURING
`RUNTIME FROM HOSTILE DOWNLOADABLES,the
`contents of which are hereby incorporated by reference,
`describes desktop level behavioral analysis. Desktop level
`behavioral analysis is generally implemented during run-
`time, while a computer’s web browser is processing web
`content received over the Internet. As the content is being
`5 processed, desktop security applications monitor calls made
`to critical systems of the computer, such as the operating
`system, the file system and the network system. Desktop
`security applications use hooks to intercept calls made to
`operating system functions, and allow or block the calls as
`appropriate, based on the computer's security policy.
`Each of the various anti-virus technologies, gateway vs.
`desktop, reactive vs. proactive, has its pros and cons. Reactive
`anti-virus protection is computationally simple and fast; pro-
`active virus protection is computationally intensive and
`slower. Reactive anti-virus protection cannot protect against
`new “first-time” viruses, and cannot protect a user if his
`signature file is out ofdate; proactive anti-virus protection can
`protect against new “first-time” viruses and do not require
`regular downloading of updated signature files. Gateway
`level protection keeps computer viruses at a greater distance
`froma local network ofcomputers; desktop level protectionis
`more accurate. Desktop level protection is generally available
`in the consumer market for hackers to obtain, and is suscep-
`tible to reverse engineering; gateway level protection is not
`generally available to hackers.
`Reference is now made to FIG. 1, which is a simplified
`block diagram of prior art systems for blocking malicious
`content, as described hereinabove. The topmost system
`shownin FIG. 1 illustrates a gateway level security applica-
`tion. The middle system shownin T'IG. 1 illustrates a desktop
`level security application, and the bottom system shown in
`FIG.1 illustrates a combined gateway+desktop level security
`application.
`The topmost system shown in FIG. 1 includes a gateway
`weor
`Ss computer 105 that receives content from the Internet, the
`content intended for delivery to a client computer 110. Gate-
`way computer 105 receives the content over a communication
`channel 120, and gateway computer communicates withcli-
`ent computer 110 over a communication channel 125. Gate-
`way computer 105 includes a gateway receiver 135 and a
`gateway transmitter 140. Client computer 110 includes a
`client receiver 145. Client computer generally also has a
`client transmitter, which is not shown.
`Client computer 110 includes a content processor 170,
`5 suchas aconventional web browser, which processes Internet
`content and renders it for interactive viewing on a display
`monitor. Such Internet content may be in the formofexecut-
`
`AD
`
`45
`
`FINJAN-JN 002031
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 9 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 9 of 17
`
`US 8,141,154 B2
`
`3
`able code, JavaScript, VBScript, Java applets, ActiveX con-
`trols, which are supported by web browsers.
`Gateway computer 105 includes a content inspector 174
`which may be reactive or proactive, or a combination of
`reactive and proactive. Incoming content is analyzed bycon-
`tent inspector 174 before being transmitted to client computer
`110. If incoming content is deemed to be malicious, then
`gateway computer 105 preferably prevents the content from
`reaching client computer 110. Alternatively, gateway com-
`puter 105 may modify the content so as to render it harmless,
`and subsequently transmit the modified contentto client com-
`puter 110.
`Content inspector 174 can be used. to inspect incoming
`content, on its way to client computer 110 as its destination,
`and also to inspect outgoing content, being sent from client
`computer 110 asits origin.
`The middle system shown in FIG. 1 includes a gateway
`computer 105 and a client computer 110, the client computer
`110 including a content inspector 176. Contentinspector 176
`may be a conventional Signature-based. anti-virus applica-
`tion, or a run-time behavioral based application that monitors
`run-time calls invoked by content processor 170 to operating
`system, file system and network system functions.
`The bottom system shownin FIG. 1 includes botha content
`inspector 174 at gateway computer 105, and a content inspec-
`tor 176 at client computer 110. Such a system can support
`conventional gateway level protection, desktop level protec-
`tion, reactive anti-virus protection and proactive anti-virus
`protection.
`Asthe hacker vs. anti-virus protection battle continues to
`wage, a newer type of virus has sprung forward; namely,
`dynamically generated viruses. These viruses are themselves
`generated only at run-time, thus thwarting conventional reac-
`tive analysis and conventional gateway level proactive behav-
`ioral analysis. These viruses take advantage of features of
`dynamic HTML generation, such as executable code or
`scripts that are embedded within HTMLpages, to generate
`themselves onthe fly at runtime.
`For example, consider the following portion of a standard
`HTMLpage:
`
`
`<!IDOCTYPE HTML PUBLIC “-/W3C/DTD HTML 4.9
`Transitional//EN?>
`<HTML>
`<SCRIPT LANGUAGE="JavaScript’>
`document.write(“<h1>text that is generated at run-time</hl>"};
`</SCRIPT>
`<BODY>
`</BODY>
`SHTML>
`
`The text within the <SCRIPT> tags is JavaScript, and
`includes a call to the standard function document.write( ),
`which generates dynamic HTML... In the example above, the
`function document.write( ) is used to generate HTML header
`text, with a text string that is gencrated at run-time.Ifthe text
`string, generated at run-time is of the form
`<SCRIPT>malicious JavaScript</SCRIPT>
`then the document.write( ) function will insert malicious
`JavaScript into the HTML page that is currently being ren-
`dered by a web browser. In turn, when the web browser
`processes the inserted text, it will perform malicious opera-
`tions to the client computer.
`Such dynamically generated malicious code cannot be
`detected by conventional reactive content inspection and con-
`ventional gateway level behavioral analysis content inspec-
`
`ws
`
`10
`
`is
`
`20
`
`30
`
`35
`
`4)
`
`60
`
`4
`tion, since the malicious JavaScript is not present in the con-
`tent prior to run-time. A content inspector will only detect the
`presence ofa call to Document.write( ) with input text that is
`yet unknown. If such a content inspector were to blockall
`calls to Document.write() indiscriminately, then many harm-
`less scripts will be blocked, since most of the time calls to
`Document.write( ) are made for dynamic display purposes
`only.
`USS. Pat. Nos. 5,983,348 and 6,272,641, both to Ji, describe
`reactive client level content inspection, that modifies down-
`loaded executable code within a desktop level anti-virus
`application. However, such inspection can only protect
`against static malicious content, and cannot protect against
`dynamically generated malicious content.
`Desktop level run-time behavioral analysis has a chance of
`shielding a client computer against dynamically generated
`malicious code, since such codewill ultimately make a call to
`an operating system function. However, desktop anti-virus
`protection has a disadvantage ofbeing widely available to the
`hacker community, whichis always eager to find vulnerabili-
`ties. In addition, desktop anti-virus protection has a disadvan-
`tage ofrequiring installation ofclient software.
`As such, there is a need for a new form of behavioral
`analysis, which can shield computers from dynamically gen-
`erated malicious code without running on the computeritself
`that is being shielded.
`
`SUMMARY OF THE DESCRIPTION
`
`The present invention concerns systems and methods for
`implementing new behavioral analysis technology. The new
`behavioral analysis technology affords protection against
`dynamically generated malicious code, in addition to conven-
`tional computer viruses that are statically generated.
`The present invention operates through a security com-
`puter that is preferably remote froma client computer that is
`being shielded while processing network content. During
`run-time, while processing the network content, but before
`the client computer invokes a function call that may poten-
`tially dynamically generate malicious code, the client com-
`puter passes the input to the functionto the security computer
`for inspection, and suspends processing the network content
`pending a reply back fromthe security computer. Since the
`input to the functionis being passed at run-time,it has already
`been dynamically generated and is thus readily inspected by
`a content inspector. Referring to the example above, were the
`input to be passed to the security computerprior to run-time,
`it would take the form of indeterminate text; whereas the
`input passed during run-time takes the determinate form
`<SCRIPT>malicious JavaScript</SCRIPT>,
`which can readily be inspected. Uponreceipt ofa reply from
`the security computer, the client computer resumes process-
`ing the network content, and knows whether to by-pass the
`function call invocation.
`To enable the client computerto pass functioninputs to the
`security computer and suspend processing ofcontent pending
`replics from the security computer, the present invention
`operates by replacing original function calls with substitute
`function calls within the content, at a gateway computer, prior
`to the content being received at the client computer.
`The present invention also provides protection against
`arbitrarily many recursive levels of dynamic generation of
`malicious code, whereby such code is generated via a series
`of successive function calls, one within the next.
`By operating through the mediumof a security computer,
`the present invention overcomesthe disadvantages ofdesktop
`anti-virus applications, which are available to the hacker
`
`FINJAN-JN 002032
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 10 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 10 of 17
`
`US 8,141,154 B2
`
`5
`community for exploit. Security applications embodying the
`present invention are concealed securely within managed
`computers.
`There is thus provided in accordance with a preferred
`embodimentofthe present invention a method for protecting
`aclient computer from dynamically generated malicious con-
`tent, including receiving at a gateway computer content being
`sent to aclient computer for processing, the content including
`a call to an original function,and the call including an input,
`modifying the content at the gateway computer, including
`replacing the call to the original function with a correspond-
`ing call to a substitute function,the substitute function being
`operational to send the input to a security computer for
`inspection, transmitting the modified content from the gate-
`way computerto the client computer, processing the modified
`content at the client computer, transmitting the input to the
`security computer for inspection whenthe substitute function
`is invoked, determining at the security computer whetherit is
`safe for the client computer to invoke the original function
`with the input, transmitting an indicator of whetherit is safe
`for the client computer to invoke the original function with the
`input, from the security computerto the client computer, and
`invoking the original functionat the client computer with the
`input, only if the indicator received from the security com-
`puterindicates that such invocation is safe.
`There is further provided in accordance with a preferred
`embodiment ofthe present invention a system for protecting
`aclient computer from dynamically generated malicious con-
`tent,
`including a gateway computer, including a gateway
`receiver for receiving content being sent to a client computer
`for processing, the content including a call to an original
`function, and the call including an input, a content modifier
`for modifying the received content byreplacingthe call to the
`original function with a corresponding call to a substitute
`function, the substitute function being operational to send the
`inpul to a security computer for inspection, and 4 gateway
`transmitter for transmitting the modified content from the
`gateway computer to the client computer, a security com-
`puter, including a security receiver for receiving the input
`from the client computer, an input inspector for determining
`whetherit is safe for the client computer to invoke the original
`function with the input, and a security transmitter for trans-
`mitting an indicator ofthe determining to the client computer,
`and a client computer communicating with the gateway com-
`puter and with the security computer,
`including a client
`receiver for receiving the modified content from the gateway
`computer, and for receiving the indicator from the security
`computer, a content processor for processing the modified
`content, and for invoking the original function onlyif the
`indicator indicates that such invocation is safe; and a client
`transmitter for transmitting the input to the security computer
`for inspection, when the substitute function is invoked.
`There is yet further provided in accordance with a preferred
`embodiment of the present invention a computer-readable
`storage mediumstoring program codefor causing at least one
`computing device to receive content including a call to an
`original function, and the call including an input, replace the
`call to the original function with a corresponding call to a
`substitute function, the substitute function being operational
`to send the input for inspection, thereby generating modified
`content, process the modified content, transmit the input for
`inspection, when the substitute function is invoked while
`processing the modified content, and suspend processing of
`the modified content, determine whetherit is safe to invoke
`the original function with the input, transmit an indicator of
`whether it is safe for a computer to invoke the original func-
`tion with the input, and resume processing of the modified
`
`ws
`
`10
`
`15
`
`20
`
`30
`
`4)
`
`45
`
`wo
`
`60
`
`6
`contentafter receiving the indicator, and invoke the original
`function with the input only ifthe indicator indicates that such
`invocation is safe.
`There is additionally provided in accordance with a pre-
`ferred embodiment of the present invention a method for
`protecting a client computer from dynamically generated
`malicious content, including receiving content being sent to a
`client computer for processing, the content including a call to
`an original function, and the call including an input, modify-
`ing the content, including replacing the call to the original
`function with a correspondingcall to a substitute function,the
`substitute function being operational to send the input to a
`security computerfor inspection, and transmitting the modi-
`fied content to the client computer for processing.
`There is moreover provided in accordance witha preferred
`embodimentofthe present invention a system for protecting
`a client computer from dynamically generated malicious con-
`tent, including a receiver for receiving content being sent to a
`client computer for processing, the contentincluding a call to
`an original function, and the call including an input, a content
`modifier for modifying the received content by replacing the
`call to the original function with a corresponding call to a
`substitute function, the substitute function being operational
`to send the input to a security computer for inspection, and a
`transmitter for transmitting the modified content to the client
`computer.
`There is further provided in accordance with a preferred
`embodiment of the present invention a computer-readable
`storage mediumstoring program code for causing a comput-
`ing device to receive content including a call to an original
`function, and the call including an input, and replacethe call
`to the original function with a correspondingcall to a substi-
`tute fiction, the substitute fimctionbeing operationalto send
`the input for inspection.
`There is yet furtherprovidedin accordance with a preferred
`embodiment of the presen! invention a method for protecting
`a client computer from dynamically generated malicious con-
`tent, including receiving content being sent to a client com-
`puter for processing, the contentincluding acall to an original
`function, and the call including an input, modifying the con-
`tent, including replacing thecall to the original function with
`a corresponding call to a substitute function, the substitute
`function being operational to send the input for inspection,
`transmitting the modified content to the client computer for
`processing, receiving the input from the client computer,
`determining whether it is safe for the client computer to
`invokethe original function with the input, and transmitting
`to the client computeran indicator ofwhetherit is safe for the
`client computer to invoke the original function with the input.
`There is additionally provided in accordance with a pre-
`ferred embodiment of the present invention a system for
`protecting a client computer from dynamically generated
`malicious content, including a receiver (i) for receiving con-
`tent being senttoa client computerfor processing, the content
`including a call to an original function, andthe call including
`an input, and (ii) for receiving the input from the client com-
`puter, a content modifier for modifying the reccived content
`by replacing the call to the orginal function with a corre-
`sponding call to a substitute function, the substitute function
`being operational to send the input for inspection, an input
`inspector for determining whether it is safe for the client
`computerto invoke the original function withthe input, and a
`transmitter (@) for transmitting the modified content to the
`client computer, and (ii) for transmitting an indicator of the
`determining to the client computer.
`There is moreover provided in accordance with a preferred
`embodiment of the present invention a computer-readable
`
`FINJAN-JN 002033
`
`

`

`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 11 of 17
`Case 3:17-cv-05659-WHA Document 369-3 Filed 02/14/19 Page 11 of 17
`
`US 8,141,154 B2
`
`8
`SECURITY POLICY—aset ofone or more rulesthat deter-
`mine whether or not a requested operation is permitted. A
`security policy may be explicitly configurable by a computer
`system administraior, or may be implicitly determined by
`application defaults.
`SECURITY PROFILE—intormation describing one or more
`suspicious operations performed by executable software.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`ws
`
`10
`
`is
`
`7
`storage mediumstoring program code for causing a comput-
`ing device to receive content including a call to an original
`function, and the call including an input, replace the call to the
`original function with a corresponding call to a substitute
`function, the substitute function being operational to send the
`input for inspection, and determine whetherit is safe for a
`computer to invoke the original function with the input.
`There is further provided in accordance with a preferred
`embodimentofthe present invention a method for protecting
`a coniputer from dynamically generated malicious content,
`The present invention will be more fully understood and
`including processing content received over a network, the
`appreciated fromthe following detailed description, taken in
`content including a call to a first function, and the call includ-
`conjunction with the drawings in which:
`ing an input, transmitting the input to a security computer for
`FIG.1 isa simplified block diagram ofprior art systems for
`inspection, when the first function is invoked, receiving from
`blocking malicious content;
`the security computer an indicator of whether it is safe to
`FIG. 2 is a simplified block diagram of a systemfor pro-
`invoke a second function with the input, and invoking the
`tecting a computer from dynamically generated malicious
`second function with the input, only ifthe indicator indicates
`that such invocationis safe.
`executable code, in accordance witha preferred embodiment
`of the present invention;
`There is yet further provided in accordance withapreferred
`FIG.3 is a simplified flowchart of a method forprotecting
`emb