`
`DECLARATION OF AVIEL D. RUBIN
`
`I, Aviel D. Rubin, declare as follows:
`
I. INTRODUCTION
`
`1.
`
`I have been retained as an independent expert in this lawsuit by the law firm of
`
`Irell & Manella LLP on behalf of Juniper Networks, Inc. (“Juniper”).
`
`2.
`
`I submit this Declaration in support of Juniper’s Motion (the “Motion”) for
`
Summary Judgment Regarding Claim 9 of U.S. Patent No. 6,804,780 (“the ’780 Patent”)
`
`against Finjan, Inc. (“Finjan”). I previously submitted a declaration regarding Claim 1 of the ’780
`
`Patent, which I incorporate herein by reference in full, including all exhibits and references thereto.
`
`See Dkt. 95-10.
`
`3.
`
`I understand that Finjan has accused Juniper of infringing Claims 1 and 9 of the
`
`’780 Patent (Dkt. 171 ¶ 67), but this declaration is directed specifically to Claim 9. As discussed
`
`below, it is my opinion that the accused Juniper products do not infringe Claim 9.
`
`4.
`
`In addition to opinions outlined in this declaration, I may also provide testimony
`
`(1) in rebuttal to Finjan’s positions, including opinions of its experts and materials they discuss or
`
`rely upon, (2) based on any Orders from the Court, (3) based on documents, contentions, or other
`
`discovery that Finjan or others have not yet produced or were produced too late to be considered
`
`before my report was due, and/or (4) based on witness testimony which has not been given or was
`
`given too late to be considered before my declaration was due. I reserve the right to supplement or
`
`amend my opinions as further documentation and information is received.
`
II. BACKGROUND AND QUALIFICATIONS
`
`5.
`
`I am being paid at my customary rate of $775 per hour for time spent on this case.
`
`I am also being reimbursed for reasonable and customary expenses. My compensation is not
`
`dependent in any way on the results of the lawsuit or the substance of my testimony.
`
`6.
`
`I provided an overview of my background and qualifications in my previous
`
`declaration, which I incorporate herein by reference. See Dkt. 95-10 at ¶¶ 6-17. Additional details
`
`of my education and employment history, professional service, patents, publications, and other
`
`10637011
`
`- 1 -
`
`DECL. OF AVIEL D. RUBIN ISO
`JUNIPER’S MOTION FOR SUMMARY JUDGMENT
`(Case No. 3:17-cv-05659-WHA)
`
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`
`Case 3:17-cv-05659-WHA Document 370-5 Filed 02/14/19 Page 2 of 31
`
`
`
`testimony are set forth in my current curriculum vitae, which can be found here:
`
`http://avirubin.com/Avi_Rubins_home_page/Vita.html.
`
`III. MATERIALS CONSIDERED
`
`7.
`
`I have considered information from various sources in forming my opinions.
`
`Besides drawing from over two decades of experience in the computer industry, I also have
`
`reviewed the following documents: (a) the ’780 patent; (b) the file history (including IPRs);
`
`(c) Finjan’s Infringement Contentions and cited materials; (d) the parties’ summary judgment
`
filings regarding Claim 1 of the ’780 Patent (including all declarations and exhibits) as well as the
`
`Court’s related Order; (e) the deposition transcripts of various Juniper engineers and Finjan’s
`
`expert; and (f) the other documents and references cited herein (not limited to the excerpts
`
`submitted with Juniper’s Motion). I have also reviewed the Declaration of Frank Jas (“Jas”), and
`
`I previously spoke with Raju Manthena and Yuly Tenorio about the accused products when
`
`preparing the declaration I submitted regarding Claim 1.
`
IV. LEGAL STANDARDS
`
`8.
`
`I have been advised that patent claims are reviewed from the point of view of a
`
`hypothetical person of ordinary skill in the art (“POSITA”) at the time of the filing of the patent.
`
`9.
`
`In my opinion, a POSITA for the ’780 patent would be a person with a Bachelor’s
`
`degree in computer science or related academic fields and three to four years of additional
`
`experience in the field of computer security or equivalent work experience. More education can
`
`substitute for work experience, and vice versa (e.g., a PhD without work experience outside of the
`
`university setting). In arriving at my opinions in this declaration, I have considered the issues from
`
`the perspective of a POSITA. This level of skill is approximate and my opinion would not change
`
`if a somewhat lower or higher level of skill were adopted; in particular, I note that Finjan’s expert
`
`Dr. Michael Mitzenmacher previously opined regarding a similar but slightly different level of
`
`ordinary skill (Dkt. 129-1 at ¶ 13), and my opinion would not change if Dr. Mitzenmacher’s level
`
`of ordinary skill were adopted.
`
`
`10.
`
`I am informed that patent infringement under 35 U.S.C. § 271(a) consists of
`
`making, using, offering to sell, or selling a patented invention within the United States, or
`
`importing a patented invention into the United States, without authorization.
`
`11.
`
`I further understand that determining whether there is infringement of a patent
`
`includes two steps. First, each asserted claim must be construed to determine its proper scope and
`
`meaning to a POSITA. Second, the construed claims are compared with the accused product or
`
`service to determine whether every limitation of the claims is found. Unless every limitation is
`
`present in the accused product or process, there is no infringement.
`
`12. With respect to construing claims, I understand that claim construction is an issue
`
`of law that the Court decides by interpreting claim terms as they would have been understood by
`
`a POSITA at the time of the invention. Under this standard, I understand that courts consider the
`
`specification, the prosecution history, and any extrinsic evidence regarding how a POSITA would
`
`interpret the claims in view of the intrinsic record. For purposes of my analysis in this case, I have
`
`interpreted the claims under this standard. I understand that a different standard, referred to as the
`
`broadest reasonable interpretation (“BRI”), has been applied in other forums, such as in an IPR
`
`proceeding. My opinions regarding the terms below may differ under the BRI standard.
`
`13.
`
`I also understand that if literal infringement cannot be established because one or
`
`more elements are not literally present in an accused product or process, a product or process may
`
`nevertheless be found to infringe under the doctrine of equivalents (“DOE”). For infringement
`
`under DOE, I understand that each accused product or process must contain an element at least
`
`equivalent to each and every limitation of the asserted claim. I also understand that one may, but
`
`is not required to, use the “function-way-result” test to determine equivalence. Under the function-
`
`way-result test, I understand that an inquiry is made into whether the accused product or service
`
performs substantially the same function in substantially the same way to achieve substantially

the same result as the claim element.
`
`
V. STATE OF THE ART
`
`14.
`
A “hashing function” is a mathematical operation that has been well known since

at least the 1970s. See, e.g., Ex. 17 at, e.g., 507-08.¹ At its most generic level, a hashing
`
`function is a mathematical operation used to deterministically map an input to an output of a given
`
`size, known as a “hash.” Typically, hashing functions are designed to minimize “collisions,”
`
`meaning that each input ideally hashes to a unique output. Additionally, in computer security
`
`applications, hash functions are generally expected to be non-invertible, meaning that it is
`
`computationally impractical to determine an input given only the corresponding hash. One
`
`corollary of this non-invertible property is that minor changes to an input produce drastically
`
`different hashes.
`
`15.
`
Several hashing functions were well known by the 1990s, including the
`
`MD5 and SHA1 hashing functions. See, e.g., U.S. Patent No. 5,638,446 (filed Aug. 28, 1995) at
`
`4:59-61 (“a one-way hash function known in the art as MD-5 (Rivest, R., ‘The md5 message digest
`
`algorithm’, RFC 1321 (April 1992)”); U.S. Patent No. 5,815,709 (filed Apr. 23, 1996) at 7:39-40
`
`(“Secure hashing algorithms such as the NISTA SHA . . . ”). Another common hashing function
`
`is SHA256, developed by the U.S. National Security Agency, just like SHA1.
`
`16.
`
`All of these hashing functions were generally designed to perform the same
`
`function as described above. The table below shows the MD5 Hash result for the words “Example”
`
`and “example,” which produce entirely different hashes even though the change in the input is
`
`relatively minor:
`
Input      MD5 Hash
Example    0a52730597fb4ffa01fc117d9e71e3a9
example    1a79a4d60de6718e8e5b326e338ae533
`
`The table below illustrates that, even though different hashing functions may have similar
`
`functions and properties, their results can differ dramatically. I have compared the hash of the same
`
`input—the word “Example”—to two different hashing functions, the MD5 and SHA256:
`
`
`1 Citations to “Ex. __” refer to the Exhibits attached to the Declaration of Rebecca Carson.
`
`
Hashing Function    Hash of “Example”
MD5                 0a52730597fb4ffa01fc117d9e71e3a9
SHA256              d029f87e3d80f8fd9b1be67c7426b4cc1ff47b4a9d0a8461c826a59d8c5eb6cd
`
`17.
`
`The table below shows the MD5 hash of the terms “Te,” “st,” and “Test”:
`
Input    MD5 Hash
Te       2408730ad248ad4e4aa36fb14f5e0631
st       627fcdb6cc9a5e16d657ca6cdef0a6bb
Test     0cbc6611f5540bd0809a388dc95a615b
`
`
`As illustrated by this table, the hashes for “Te” and “st” cannot be combined to recreate the hash
`
`of “Test”—i.e., the hash of the combination of the component inputs (“Test”) is different from the
`
`hashes of the components themselves (“Te” and “st”), and one cannot determine the hash of the
`
`combination by simply combining the hashes of the components.
`
`18.
`
`The useful properties of hashing functions led to their routine use in a number of
`
`different ways in computer science and security, including data integrity, authentication, and data
`
`fingerprinting (e.g., antivirus checks). With respect to authentication, for example, publication of
`
`a file’s hash allowed a user who downloaded the file to independently confirm that the file was
`
`downloaded correctly. If the hash of the file as calculated by the user did not match the published
`
`hash, then there had obviously been some error or other issue in transmission. See, e.g., U.S. Patent
`
`No. 5,638,446 at Abstract (teaching a process of using hashes wherein “If these two hash’s match,
`
`then the user is assured that the file did originate with the author and is uncorrupted”).
`
`19.
`
`In light of the authentication use case described above, the benefit of using a hash
`
`as a file’s ID was well-known before the earliest claimed priority date of the ’780 patent. In fact,
`
`the benefits of using a hash as a file’s ID were so well-known that hash identifiers were proposed
`
`as a candidate Uniform Resource Name as the Internet was being developed. See Ex. 16 at 5-6.
`
`20.
`
`Using a hash ID for “fingerprinting” was also well-known, particularly with respect
`
to antivirus analyzers that would typically compare a file’s unique hash (hence “fingerprint”) to a
`
`list of hashes for known malware. See, e.g., U.S. Patent No. 5,685,875 (filed Oct. 21, 1994) at
`
`
`1:46-49 (“well-known method of detecting viruses calculates so-called ‘fingerprints’ of files
`
`containing executable programs. Such tests as . . . hash functions[] . . . .”).
`
`21.
`
`In time, however, some challenges arose with respect to relying on hashes for files.
`
`In particular, developers began distributing files in pieces rather than as complete, self-contained
`
`packages because, for example, the files were too big to be sent as one complete package. As a
`
`further example, a file might rely on certain common software components that the user would be
`
presumed to already have, so the developer could conserve space and bandwidth by simply
`
`identifying the necessary components by reference. As discussed below, the ’780 Patent applies to
`
`precisely such a scenario.
`
`22.
`
`Also relevant to the ’780 patent (discussed further below) is the concept of
`
“fetching,”² which is a fundamental computing concept. In the context of the ’780 Patent, fetching
`
`is used to retrieve the software components identified by references in a Downloadable. See, e.g.,
`
`’780 Patent, 4:56-63 (“The ID generator [] preferably prefetches all components embodied in or
`
`identified by the code for Downloadable ID generation. For example . . . the ID generator 315 may
`
`retrieve all components listed in the INF file for an ActiveX™ control to compute a Downloadable
`
ID.”).³ Information retrieval is one of the key underpinnings of the Internet, for example, and has
`
`been a routine part of networked computer operation for decades. See, e.g., U.S. Patent No.
`
`5,694,546 (filed May 31, 1994) at 6:16-17 (teaching one method of “enabling information fetch
`
`operations to be easily executed by novice users”). By the time of the filing of the ’780 patent,
`
`executable software programs commonly included references to other software components, such
`
`as classes from the Java class library, that are required for execution but may not have been
`
`included in the code of the software program itself and thus needed to be fetched.
`
`23.
`
`The concept of hashing files together with fetched software components to generate
`
`a file ID was also known in the art. For example, “Location-Independent Naming for Virtual
`
`
2 “Fetching” as discussed herein and in the context of the ’780 Patent is a distinct usage
`from “fetching” instructions from memory to be executed at the processor level, a term used by
`those in the processor arts like Intel. See, e.g., U.S. Patent No. 6,079,014 (assigned to Intel
`Corporation) at 1:24-26 (“processor usually fetches an instruction stream from a memory, and
`executes each instruction in the instruction stream”).
`
`3 Unless indicated otherwise, all emphasis in this Declaration is added.
`
`
`Distributed Software Repositories” by Shirley Browne et al. (1995) (Dkt. 96-19, “Browne”) in
`
`view of, for example, U.S. Patent No. 5,835,777 (“Staelin”) taught a “Location Independent File
`
`Name” (LIFN) for the files in its system, where the LIFN comprised an MD5 hash of the file’s
`
`contents. See, e.g., Browne at 181-83. A POSITA would have understood that new files could also
`
`have incorporated publicly available software components that were intended to be reused, so in
`
`creating a complete software package, the prior art taught fetching those referenced software
`
`components and then calculating the MD5 to determine the LIFN for the complete package. See
`
`Browne at 179-184; Staelin at, e.g., columns 2-5.
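
Added illustration (not part of the declaration, the references it cites, or any party's code): a Python sketch of the points made in ¶¶ 17 and 23, that finished digests of pieces cannot be combined into the digest of the whole, and that fetching referenced components before hashing yields one ID for the complete package whichever components were shipped with it. `COMPONENT_STORE`, `fetch_from_store`, `package_id` and the length-prefixed framing are assumptions made for this example.

```python
import hashlib

# Constructed sample data (hypothetical names): the place a fetcher would
# retrieve referenced-but-missing components from.
COMPONENT_STORE = {
    "util.Logger": b"class Logger { void log(String m) {} }",
    "net.Socket": b"class Socket { void connect(String h) {} }",
}


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data; MD5 by default to match the tables in paragraphs 16-17."""
    return hashlib.new(algo, data).hexdigest()


def streamed_digest(parts, algo: str = "md5") -> str:
    """Hash pieces as they arrive; equals the digest of their concatenation."""
    h = hashlib.new(algo)
    for part in parts:
        h.update(part)
    return h.hexdigest()


def fetch_from_store(name: str) -> bytes:
    """Stand-in for retrieving a referenced component (assumption)."""
    try:
        return COMPONENT_STORE[name]
    except KeyError:
        raise LookupError(f"unresolved reference: {name}") from None


def _frame(h, label: bytes, body: bytes) -> None:
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") cannot
    # serialize to the same byte stream.
    for field in (label, body):
        h.update(len(field).to_bytes(8, "big"))
        h.update(field)


def package_id(main: bytes, included: dict, references,
               fetch=fetch_from_store, algo: str = "md5") -> str:
    """One hash over the main code plus every referenced component.

    Components shipped in `included` are used as delivered; referenced
    components that are missing are fetched first. Sorting by name makes
    the result independent of delivery order.
    """
    h = hashlib.new(algo)
    _frame(h, b"main", main)
    for name in sorted(set(references)):
        body = included[name] if name in included else fetch(name)
        _frame(h, name.encode(), body)
    return h.hexdigest()


if __name__ == "__main__":
    # Digests of the pieces versus the digest of the whole.
    for word in (b"Te", b"st", b"Test"):
        print(word.decode(), digest(word))
    print("streamed Te+st:", streamed_digest([b"Te", b"st"]))

    # Same package delivered three ways (constructed input).
    main = b"class Applet { Logger l; Socket s; }"
    refs = ["util.Logger", "net.Socket"]
    everything = dict(COMPONENT_STORE)
    only_logger = {"util.Logger": COMPONENT_STORE["util.Logger"]}
    for label, shipped in (("all shipped", everything),
                           ("one shipped", only_logger),
                           ("none shipped", {})):
        print(label, package_id(main, shipped, refs))
```

The ID matches across deliveries only when a shipped component is byte-identical to the one that would have been fetched; pass `algo="sha256"` to use the other function the declaration mentions.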
`
VI. BRIEF OVERVIEW OF THE ’780 PATENT
`
`24.
`
`The ’780 patent, entitled “System and Method for Protecting a Computer and a
`
`Network from Hostile Downloadables,” issued on October 12, 2004 from U.S. Patent Application
`
`No. 09/539,667 (“the ’667 application”), which was filed on March 30, 2000.
`
`25.
`
`Claim 9 of the ’780 patent is directed to a system for generating an ID for a
`
`“Downloadable,” which the patent defines as “an executable application program, which is
`
`downloaded from a source computer and run on the destination computer.” ’780 Patent, 1:50-53.
`
`The patent explains that a Downloadable is typically requested by running a process, such as a
`
`web browser, and provides several examples of Downloadables, specifically Java applets,
`
`JavaScript, ActiveX controls, and Visual Basic Script. ’780 Patent, 1:55-2:6.
`
`26. While the ’780 Patent is part of a larger patent family that generally relates to a
`
`system for protecting computers from suspicious Downloadables, the claims of the ’780 patent are
`
directed to a very narrow part of that system—i.e., generating a unique ID for Downloadables. This
`
`is a simple concept that is not limited to the field of computer security applications.
`
`VII. PROSECUTION HISTORY
`
`27.
`
`The ’780 patent was prosecuted as the ’667 application. The Examiner rejected the
`
`claims in two rounds of office actions. In a non-final rejection, the Examiner found certain claims
`
`anticipated by U.S. Patent No. 5,978,484 (“Apperson”) (Dkt. 152-2 at 1) and the remaining claims
`
`were rendered obvious by Apperson in view of “Microsoft Authenticode Analyzed” (“Khare”).
`
`
`28.
`
`The applicant amended the independent claims to add the requirement that the
`
`Downloadable “includes one or more references to software components required by the
`
`Downloadable.” Dkt. 96-6 at 2. In attempting to distinguish the amended claims from Apperson
`
`and Khare, the applicant stated (Ex. 2 at 6):
`
`The present invention concerns generation of an ID for mobile code
`downloaded to a client computer, referred to as a Downloadable.
`Specifically, the present invention fetches software components
`required by the Downloadable, and performs a hashing function on
`the Downloadable together with its fetched components (original
`specification I page 3, lines II 14; page 15, lines 21- 24; page 19,
`line 21- page 20, line 6; FIG. 8). Thus, for a Java applet, the present
`invention fetches Java classes identified by the applet bytecode, and
`generates the Downloadable ID from the applet and the fetched Java
`classes; and for an ActiveX™ control, the present invention fetches
`components listed in its .INF file, and generates a Downloadable ID
`from the ActiveX™ control and the fetched components (original
`specification I page 9, lines 15 -18).
`
`An advantage of the present invention is that it produces the same
`ID for a Downloadable, regardless of which software components
are included with the Downloadable and which software
`components are only referenced (original specification I page 9,
`lines 18- 20; page 20, lines 5 and 6). The same Downloadable may
`be delivered with some required software components included and
`others missing, and in each case the generated Downloadable ID
`will be the same. Thus the same Downloadable is recognized
`through many equivalent guises.
`
`29.
`
`The Examiner issued a final rejection finding all claims obvious in view of the same
`
`two references. Thereafter, the applicant amended the claims further to require that the software
`
`components are required “to be executed” by the Downloadable. Dkt. 96-6 at 5.
`
`30.
`
`The Examiner also entered an Examiner’s Amendment to require the use of a
`
`“hashing” function rather than any type of function that could be used to generate an identifier.
`
`Dkt. 96-6 at 8.
`
`VIII. CLAIM CONSTRUCTION
`
A. Downloadable
`
`31.
`
`I understand that Finjan has taken the position that “Downloadable” should be
`
`construed as “an executable application program downloaded from a source computer and run on
`
`
`the destination computer,” and that Juniper does not dispute this construction. See Dkt. 129 at 2. I
`
`have applied this construction in my analysis.
`
B. “Performing a hashing function . . .”

32.
`
`I understand that, in the context of Claim 1, the Court construed the term
`
`“performing a hashing function on the Downloadable and the fetched software components to
`
`generate a Downloadable ID” as “performing a hashing function on the Downloadable together
`
`with its fetched software components to generate a single hash value that identifies the contents of
`
`both the Downloadable and the fetched components.” Dkt. 180 at 10. The Court clarified that this
`
`construction requires that “the hashing function must operate across both the Downloadable and
`
`fetched components melded together,” which, in turn, “necessarily means that ‘Downloadable ID’
`
`entails one hash on the Downloadable and fetched components, not a collection of separate
`
`hashes.” Id. at 9 (emphasis in original). This same claim term also appears in Claim 9, and I have
`
`applied the Court’s construction in my analysis.
`
C. “fetching at least one software component . . .”

33.
`
`A POSITA would understand this term to mean “retrieving at least one software
`
`component that is referenced but not included in the content of the Downloadable” in view of the
`
`specification and prosecution history.
`
`34.
`
`In the past, Finjan has taken the position that “fetch” in the context of the claims
`
`means to “retrieve.” See, e.g., Finjan, Inc. v. Bitdefender Inc., Case No. 4:17-cv-04790-HSG, Dkt.
`
`76 at 11 (N.D. Cal. May 4, 2018). This meaning is consistent with the specification, which appears
`
`to use the terms interchangeably. See ’780 Patent, 4:56-63 (“[T]he ID generator 315 may retrieve
`
`all components listed in the INF file for an ActiveX™ control to compute a Downloadable ID.”).
`
`It is also consistent with the way that a POSITA would have understood the term in the context of
`
`the claim.
`
`35. With regard to the rest of the term, Finjan described the “software components” as
`
`follows during prosecution: “[t]he same Downloadable may be delivered with some required
`
`software components included and others missing.” Ex. 2 at 6; see also id. (“An advantage of the
`
`present invention is that it produces the same ID for a Downloadable, regardless of which software
`
`
`components are included with the Downloadable and which software components are only
`
`referenced.”). Finjan also stated during prosecution that one of the benefits of the invention was
`
`that “the Downloadable ID may be used to recognize the ‘same’ Downloadable regardless of how
`
`the Downloadable is subdivided and/or downloaded.” Ex. 2 at 11. Based on these statements, a
`
`POSITA would understand that the software components to be fetched refer to pieces of the
`
Downloadable that were not included (i.e., “missing”) in the content of the Downloadable.⁴
`
`36.
`
`The specification supports this interpretation, in that it teaches the inclusion of the
`
`fetched software components within the Downloadable itself prior to hashing. See, e.g., Fig. 8
`
`(“Include Fetched Components in The Downloadable”). A POSITA would understand that one
`
`would only “include” components “in” the code if they were part of the same file, not disparate
`
`files. The specification therefore makes clear that the software components to be fetched are the
`
`missing components that are “referenced” but not included in the content of the Downloadable.
`
`37.
`
`I understand that Finjan has previously argued that one can “fetch” software
`
`components already included within the content of the Downloadable. As support, Finjan has
`
`pointed to the portion of the specification that states that the ID generator “may prefetch all classes
`
`embodied in or identified by the Java™ applet bytecode.” ’780 Patent, 4:59-60. Finjan’s attempt
`
`to equate “embodied in” with “included” / “embedded” / “internal to” is unsupported, as the
`
`specification elsewhere uses the term “embodied” to refer to things that are not included within
`
`the Downloadable itself. For example, the ’780 Patent teaches first checking the “URL embodied
`
`in the incoming Downloadable” and only afterwards “decompos[ing] the Downloadable”; the
`
`URL could not be internal to the Downloadable because the Downloadable’s contents have not yet
`
`been decomposed to even know what an internal URL would be. See, e.g., ’780 Patent at 8:25-38.
`
`Additionally, “embodied” is not a standard term that a POSITA would use to refer to components
`
`embedded within a Downloadable. In view of the specification and prosecution history, a POSITA
`
`would not understand the specification’s use of the term “embodied” to suggest that one could
`
`
`4 This analysis is in the context of the ’780 Patent. In computer science, a POSITA would
`understand that one could “fetch” specific instructions for execution, but that interpretation of
`“fetch” is irrelevant in the context of the ’780 Patent.
`
`
`“fetch” software components embedded within the original Downloadable, including because it
`
`would make no sense to “prefetch” something that was already included within the Downloadable.
`
`38.
`
`In the event that the Court determines that the specification’s reference to software
`
`components “embodied in” a Downloadable means something distinct from those that are
`
`“identified” by reference, I note that the language of Claim 9 is expressly limited to the
`
`embodiment where an ID generator fetches software components “identified by the one or more
`
`references,” not references that are “embodied in” the Downloadable. Therefore, if “embodied in”
`
`captures situations different from when components are only “identified,” then it is my opinion
`
`that such an embodiment was not claimed in Claim 9.
`
`39.
`
`I further note that Finjan’s interpretation of the “fetching” limitation as including
`
`situations where components are somehow fetched from within the file would essentially make the
`
`“fetching” limitation superfluous. Given the relevant context, it does not make sense to “fetch” a
`
`software component that is already included within the Downloadable.
`
`40. Moreover, if the contents of the software components that were being fetched were
`
`already included within the Downloadable, then any “fetching” would not change the content of
`
`the Downloadable, so the hashing function would produce the very same hash ID as it would have
`
`produced without any alleged “fetching.”
`
`IX. OVERVIEW OF THE ACCUSED PRODUCTS
`
`41.
`
`The SRX is a secure router that can be used for security (i.e., firewall) (S), routing
`
`(R) and switching (X). Dkt. 338 (Trial Tr. Vol. 4) at 666:19-667:3. The SRX can act as a network
`
`gateway, which is like a gatekeeper located between a customer and the public Internet to protect
`
`users within the customer’s network from the malicious parts of the Internet. When used as a
`
`firewall, the SRX will, among other things, look at certain data in the information being sent over
`
`the Internet, such as the IP address from which it is being sent, and block data coming from
`
`prohibited IP addresses.
`
`42.
`
`Sky ATP is a cloud-based service that is sold as an add-on to the SRX. Only a small
`
`percentage of Juniper’s SRX customers configured their device to interface with Sky ATP before
`
`the ’780 Patent expired in November 2017. Dkt. 125-8 at ¶¶ 5-6.
`
`
`43.
`
`The following diagram illustrates at a high level the configuration of the system
`
`when a Juniper customer configures its SRX to work with Sky ATP:
`
`
`See Dkt. 96-13 at 2. In Step 1, a client requests a file from a Web server, and such request is
`
`
`
forwarded from the SRX to the appropriate Web server. In Step 2, the Web server returns the
`
`requested file, which is intercepted by the SRX. In Step 3, the SRX submits the file to Sky ATP
`
`for analysis.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` In Step 4, Sky
`
`ATP returns a Threat Level verdict (discussed further below). In Step 5, the SRX compares the
`
`verdict returned by Sky ATP with the user-defined security policy; if the verdict is within the range
`
`set by the customer, the file is forwarded to the user by the SRX (as illustrated above); otherwise,
`
`if the verdict exceeds the threshold set by the user-defined policy, the file is blocked.
`
`44.
`
`The path described above assumes Sky ATP has analyzed the file before and has
`
`already determined a Threat Level verdict for the file. If the file has not previously been analyzed,
`
`then an indication that no verdict for the file exists is returned to the SRX, which then releases the
`
`file to the client. Sky ATP then undertakes its analysis pipeline (described below) to generate a
`
`verdict for the file that will be applied the next time a client attempts to download the same file.
`
`45.
`
`The Threat Level verdict generated by Sky ATP is calculated by Sky ATP’s Verdict
`
`Engine, which accepts as an input the results of various different analysis engines.
`
`
`46.
`
The first⁵ analysis engine in the pipeline is a conventional antivirus check that
`
`compares the hash of the file to a list of hashes of known malicious files. The next analysis
`
`engine is “static” analysis, which means analysis of the file without actually executing the code.
`
`
`
`
`
`
`
` Other types of files may be subject to an additional
`
step of “dynamic” analysis, which means that the code is actually executed⁶ in a safe, simulated
`
`environment known as a “sandbox” that tracks the results to determine what the file actually
`
`does. See, e.g., Dkt. 96-13 at 3. Each step of the analysis returns results that are fed into the
`
`Verdict Engine, which calculates a Threat Level verdict assessing risk on a scale of 0 to 10. See
`
`id. at 4.
`
`47.
`
`Juniper’s own source code does not itself perform much of the analysis that is fed
`
`into the Verdict Engine. Instead, Sky ATP uses a series of “adapters” that serve as interfaces to
`
`allow the files to be processed by third-party engines. For example, Sky ATP uses an antivirus
`
`“adapter” to send the hash of files to OPSWAT’s Metadefender’s antivirus product. Dkt. 95-8 ¶ 6.
`
`One benefit of the use of this “adapter” interface architecture is that third party vendors can be
`
`substituted without materially disrupting operation. For example, Sky ATP used to use third party
`
`VirusTotal’s antivirus check prior to Metadefender, and the use of an “adapter” meant that Sky
`
`ATP could leverage prior work in collecting required information and formatting information in
`
quickly swapping third party vendors. See Dkt. 95-8 ¶ 6. Similarly, Sky ATP uses a “Deception”⁷
`
`
`5 The analysis steps do not necessarily proceed in the illustrative order described herein,
`and the actual order of analysis is determined by Sky ATP’s Pipeline Manager.
`
`6 Running a potentially malicious file in a sandbox is sometimes called “detonati