`Case 3:17-cv-05659-WHA Document 371-2 Filed 02/14/19 Page 1 of 2
`
`DECLARATION OF FRANK JAS
`
`I, Frank Jas, declare as follows:
`
`1.
`
`I have personal knowledgeofthe facts set forth in this declaration, and I could and
`
`would testify competently thereto if called upon to do so.
`
`A
`
`I am a Distinguished Engineer with Juniper Networks, Inc. (“Juniper”). Prior to
`
`working at Juniper, I was Chief Technology Officer with Cyphort Inc. (“Cyphort”). Cyphort was
`
`acquired by Juniper in September 2017 and the Cyphort product catalog was rebranded in March
`
`2018 to Juniper Advanced Threat Protection Appliance (collectively, “ATP Appliance”). During
`my time with Juniper and Cyphort, I have been responsible for the development ofvarious different
`
`components of the ATP Appliance, and I understand how the ATP Appliance operates.
`
`3.
`
`The ATP Applianceis a passive device that connects to a network to observetraffic.
`
`To dothis, the ATP Appliancesets up “collectors” at various points in the network either virtually
`
`or physically (such as a gateway or switch). The ATP Appliance does not interrupt or block
`
`networktraffic, but instead analyzes copies files have been sent to it while those files continue on
`to their destination.
`|
`
`4,
`
`During collection, the ATP Appliance performs MD5, SHA], and SHA256 hashes
`
`on the copiedfiles as they are received to perform a hash look up. The ATP Appliance does not
`
`inspect the file to identify whether there are any referenced software components contained in it.
`
`Nordoesit fetch or retrieve any components that are referenced in the file before the file is hashed.
`
`The ATP Appliance also does not wait to receive anything that is referenced in the file before it
`
`processesthefile. If the ATP Appliance wereto separately receive a file’s referenced components
`
`(because, for example, the end user clicked on them orinitiated a separate request for them), it
`
`would treat them as a separate file sample. Thus, ATP Appliance hashes thefile by itself and not
`
`together with any otherfile or component. Nowhere in ATP Appliance is there any function that
`
`hashesthe contents ofa file together with the contents of any otherfiles.
`
`5.
`
`After a file is copied and hashed at the collection point, the copied file is sent to
`
`ATP Appliance’s pipeline analysis, which includes, among other things: (1) static analysis, and
`
`(2) dynamic analysis.
`
`DECL. OF FRANK JAS ISO
`JUNIPER’S MOTION FOR SUMMARY JUDGMENT
`
`«| =
`
`Case No, 3:17-cv-05659-WHA
`
`
`
`Case 3:17-cv-05659-WHA Document 371-2 Filed 02/14/19 Page 2 of 2
`Case 3:17-cv-05659-WHA Document 371-2 Filed 02/14/19 Page 2 of 2
`
`6.
`
`As part of static analysis, ATP Appliance uses rules and signatures to identify
`
`known threats and malware. During static analysis, ATP Appliance does not identify a file’s
`
`referenced software components; nor doesit fetch any referenced components.
`
`In addition, the
`
`static analysis engine does not perform any hashing functions.
`
`7.
`
`Aspart of dynamic analysis, a file is executed in a sandbox environment for ATP
`
`Appliance to observe its behavior. During this analysis, the file is unaltered.
`
`If the file being
`
`analyzed is programmedto doso,it is allowed to obtain componentsreferencedin thefile as part
`
`of its execution, although ATP Applianceitself does not fetch or retrieve those components.
`
`In
`
`the eventthat a file obtains any referenced software components during execution in the sandbox,
`
`those software components are not hashed. The dynamic analysis engine does not perform any
`
`hashing functions.
`
`8.
`
`I understand that Finjan cites to a documenttitled Vandelay-ThreatAssessment-
`
`2015 in its infringement contentions to support an allegation that ATP Appliance fetches and
`
`generates the hash value for dropped files that are detected during dynamic analysis. ATP
`
`Appliance has no such functionality. The Vandelay-ThreatAssesment-2015 document does not
`
`describe the functionality of ATP Appliance. Rather, this document is an exemplary report that
`
`the Threat Research team at Cyphort would manually assemble to describe threat detections at
`
`customer deployments. !
`
`H/
`
`.
`Executed this
`
`.
`S
`;
`i Ahk
`day of February, 2019,at MA wire
`
`vi
`
`] declare under penalty of perjury under the laws of the United States of America that the
`
`foregoing is true and correct.
`
`Frank Jas
`
`'«Vandelay Industries”is actually a reference to a fictional company in the sitcom Seinfeld
`where George Costanza pretends to have interviewed at “Vandelay Industries”as a latex salesman.
`DECL. OF FRANK JAS ISO
`JUNIPER’S MOTION FOR SUMMARY JUDGMENT
`Case No. 3:17-cv-05659-WHA
`
`7 2 -
`
`
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
