Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 1 of 13
`1 of 13
`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page
`
`EXHIBIT 3
`EXHIBIT 3
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 2 of 13
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a hash value for that dropped file).
`
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`
`
`
`
`
`
`SRX Gateways meet the recited claim language they provide a system for
`generating a Downloadable ID to identify a Downloadable.
`
`SRX Gateways (either alone or in combination with Sky ATP or ATP Appliance)
`meet the recited claim language because SRX Gateways are systems which
`generates a Downloadable ID by creating malware attack profiles which include a
`hash to identify a Downloadable such as malware. The analysis includes
`
`13
`
`Claim 9
`
`9a. A system for generating a
`Downloadable ID to identify
`a Downloadable, comprising:
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 3 of 13
`
`scanning the Downloadables which include references to software components
`required to be executed by the Downloadable (e.g., suspicious web page content
`containing HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or
`other blended web malware). SRX Gateways uses the Downloadable ID to
`perform a hash lookup to Sky ATP or the ATP Appliance. Alternatively, SRX
`Gateways in combination with Sky ATP or ATP Appliance meets the claim
`language because SRX Gateways generate a Downloadable ID and then uses Sky
`ATP or ATP Appliance to generate a Downloadable ID for components of the
`Downloadable, and then generate a combined Downloadable ID for the
`Downloadable and the related components.
`
`As shown below, the SRX Gateway includes both hardware and software
`components that perform the step of receiving a Downloadable.
`
`
`Juniper Networks Sky Advanced Threat Prevention.pdf at page 4.
`
`The SRX Gateway is a system which obtains a Downloadable then generates a
`profile that includes generating a Downloadable ID (e.g., the SHA-256 hash) to
`identify a Downloadable and send it to Sky ATP or ATP appliance to determine
`whether it is malicious and to return a risk score or verdict.
`
`
`
`
`14
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 4 of 13
`
`9b. a communications engine
`for obtaining a Downloadable
`that includes one or more
`references to software
`components required to be
`executed by the
`Downloadable; and
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/information-products/topic-collections/sky-atp-open-apis.html (showing a
`SHA-256 generated for the downloadable to indentify the downloadable).
`
`SRX Gateways meets the recited claim language because they provide a
`communications engine for obtaining a Downloadable that includes one or more
`references to software components required to be executed by the Downloadable.
`
`SRX Gateways (either alone or in combination with Sky ATP or ATP Appliance)
`meet the recited claim language because SRX is a system which includes a
`communications engine (e.g., network interface and corresponding proxy
`software) which obtains suspicious traffic flows for analysis that include
`Downloadables such as web page content and/or email attachments. These
`Downloadables include references to software components required to be
`executed by the Downloadable (e.g., suspicious web page content containing
`HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or other blended
`web malware).
`
`Downloadables that includes one or more references to software components
`required to be executed by the Downloadable include a web page that includes
`references to JavaScript, visual basic script, ActiveX, injected iframes; and a PDF
`that includes references to JavaScript, swf files or other executables. Typically,
`Juniper characterizes them as drive-by-downloads or droppers as such
`Downloadables are usually programmed to take advantage of a browser,
`application, or OS that is out of date and has a security flaw. The initial
`downloaded code is often small enough that it wouldn’t be noticed, since its job is
`often simply to contact another computer where it can pull down the rest of the
`code on to the computer. In particular, such software components are usually
`programmed to be downloaded and run in the background in a manner that is
`invisible to the user - and without the user taking any conscious actions as just the
`act of viewing a web-page that harbors this malicious code is typically enough for
`the download and execution to occur.
`
`SRX Gateways include a communications engine (e.g., network interface and
`corresponding proxy software) to obtain Downloadables for scanning. SRX
`
`15
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 5 of 13
`
`Gateways can Downloadables that may include malware embedded in images,
`JavaScript, text and Flash files. As shown below, SRX Gateways obtain and
`conducts analysis on Downloadables such as Executable files (e.g., “.bin, .com,
`.dat, .exe, .msi, .msm, .mst”), PDF files, Java (e.g., “.class, .ear, .jar, .war”), MS
`Office file types, Flash and Silverlight applications, Script files, and installer files
`through an application program interface.
`
`
`
`
`
`
`(showing SRX intercepting downloadables and sending them to Sky ATP)
`see also https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-profile-overview.html.
`
`SRX Gateways include a communications engine (e.g., network interface and
`corresponding proxy software) to obtain Downloadables for analysis as shown
`above via its connections to the Internet, endpoints, and to Sky ATP or ATP
`Appliance.
`
`In infringement scenarios involving SRX Gateways with Sky ATP, Sky ATP
`performs behavioral analysis such as potential dropper infection for
`Downloadables. Potential dropper infections “Drop PE” (e.g., references to
`software components required to be executed by the Downloadable).
`
`
`16
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 6 of 13
`
`
`As shown below, SRX Gateways include a cache lookup of a file and its
`components using a hash value to prevent rescanning of known files and their
`components.
`
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/concept/sky-atp-malware-analyze.html
`
`In infringement scenarios involving SRX Gateways with the ATP Appliance, the
`ATP Appliance performs behavioral analysis such as potential dropper infection
`for Downloadables. Potential dropper infections are references to software
`components required to be executed by the Downloadable. As shown below, the
`ATP Appliance uses behavior inspection and dynamic detection to find dropper
`files and to perform hashing functions on them.
`
`17
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 7 of 13
`
`
`
`
`
`Cyphort Datasheet
`
`As shown below, ATP Appliance will obtain Downloadables, as well as
`components required to execute the Downloadables.
`
`Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.
`
`
`Cyphort WP Security 2.0
`
`
`18
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 8 of 13
`
`9c. an ID generator coupled to
`the communications engine
`that fetches at least one
`software component
`identified by the one or more
`references, and for
`performing a hashing function
`on the Downloadable and the
`fetched software components
`to generate a Downloadable
`ID.
`
`
`Cyphort WP Drive by Downloads (describing how the ATP appliances captures
`dropper files and perofrms “static analysis, behavior analysis and reputaiton
`analysis to identify if it is a malware.”).
`
`SRX Gateways meet the recited claim language because they provide an ID
`generator coupled to the communications engine that fetches at least one software
`component identified by the one or more references, and for performing a hashing
`function on the Downloadable and the fetched software components to generate a
`Downloadable ID.
`
`SRX Gateways (either alone or in combination with Sky ATP or ATP Appliance)
`meet the recited claim language because SRX Gateways are systems that include
`an ID generator (e.g., software coupled to the communications engine) that
`performs multi-protocol capture of HTML, JavaScript, files and EXEs and then
`performs a hash of the Downloadable and fetched software components. SRX
`Gateways create a dynamically generated signature and/or a malware attack
`profile for the Downloadable by performing a hashing function using SHA-256,
`MD5, and/or SHA-1 on Downloadables (e.g., HTML, JavaScript and other web-
`based files/executables), thereby performing a hashing function on the
`Downloadable together with the fetched software components to generate a
`Downloadable ID.
`
`As shown below, SRX Gateways include an ID generator which analyzes a
`Downloadable (e.g., PDF) and fetches software components identified by the one
`or more references (e.g., a dropped file) within to determine whether it is
`suspicious or not.
`
`19
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 9 of 13
`
`
`
`See
`https://www.juniper.net/documentation/en_US/junos/topics/reference/command-
`summary/security-file-checksum-sha-256.html (showing that the SRX performs
`SHA256, MD5, and SHA1 hashing functions (e.g., the ID generator)).
`
`In the infringement scenario with SRX Gateways in combination with Sky ATP,
`Sky ATP obtains a Downloadable then generates a Downloadable ID (e.g., the
`SHA-256, SHA-1, and/or MD5 hashes) to identify a Downloadable (e.g., the exe
`file) together with the fetched software components using hashes for both the file
`and the “parent” file. The ID generator is the software running on a system that
`generates the hash value of the component and the dropped file.
`
`
`
`
`
`
`In the infringement scenario with SRX Gateways in combination with Sky ATP,
`Sky ATP includes an ID generator (e.g., component coupled to the
`communications engine) which fetch software components identified by the one
`or more references (e.g., dropped files). Dropped files are captured by Sky ATP
`during sandboxing analysis as well as identified during static analysis. As shown
`below, static analysis will break down code and look for suspicious code and/or
`operations that include dropping files. SRX includes components which fetch
`software components identified by the one or more references. SHA-256 hashes
`are generated together for the parent (dropper) and target (dropped) files.
`
`20
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 10 of 13
`
`
`
`
`SRX Gateways obtain a Downloadable then generates a profile that includes
`generating a Downloadable ID (e.g., the SHA-256 hash) to identify a
`Downloadable. As shown below, the profile is then stored in Juniper’s cloud for
`further identification of Downloadables, including whether it is malicious and to
`create a risk score.
`
`In the infringement scenario with SRX Gateways in combination with Sky ATP,
`Sky ATP obtains a Downloadable then generates a Downloadable ID (e.g., the
`SHA-256, SHA-1, and/or MD5 hashes) to identify a Downloadable (e.g., the exe
`file) together with the fetched software components using hashes for both the file
`and the “parent” file.
`
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-filescan-overview.html (showing a SHA256
`and MD5 hash of a downloadable).
`
`As described below, Sky ATP will detonate downloadable files using dynamic
`analysis, which requires fetching referenced components.
`
`
`
`21
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 11 of 13
`
`Juniper Sky Advanced Threat Prevention .pdf at page 2.
`
`In infringement scenarios involving SRX Gateways with the ATP Appliance, the
`ATP Appliance performs behavioral analysis such as potential dropper infection
`for Downloadables. Potential dropper infections are references to software
`components required to be executed by the Downloadable. As shown below, the
`ATP Appliance uses behavior inspection and dynamic detection to find dropper
`files and to perform hashing functions on them. The ID generator is the software
`running on a system that generates the hash value of the component and the
`dropped file.
`
`22
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 12 of 13
`
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a Downloadable ID for that dropped file).
`
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`As shown below, ATP Appliance will obtain Downloadables, as well as
`components required to execute the Downloadables.
`
`
`
`23
`
`

`

`Case 3:17-cv-05659-WHA Document 371-7 Filed 02/14/19 Page 13 of 13
`
`Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.
`
`To the extent Juniper argues that SRX Gateways do not literally satisfy this
`element, Juniper meets this element under the doctrine of equivalents.
`
`SRX Gateways perform the same function as this claim element because they
`receive downloaded content, such as HTML or JavaScript, that have referenced
`components that are also downloaded by SRX Gateway, and create an identity for
`downloaded content. This is the same function as this element because this an
`identification of a downloaded content, including referenced components that are
`downloaded.
`
`SRX Gateways perform this function in the same way as this claim element
`because they download components that are used to create an identity for
`downloaded content such as HTML or JavaScript. SRX Gateways perform this
`element the same way because the identity created can be used to identify
`downloaded content that reference multiple components that are used by the
`downloaded content.
`
`SRX Gateways achieve the same result as this claim element because they have
`components that result in the creation of an identification in downloaded content,
`such as HTML or JavaScript, and downloads multiple components referenced.
`This is the same result as this claim element because SRX Gateways use this
`identity to identify the downloaded content and its referenced components for
`security decisions.
`
`
`24
`
`
`
`