Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 1 of 10
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 1 of 10
`
`EXHIBIT 4
`EXHIBIT 4
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 1 of 10
`
`EXHIBIT 4
`EXHIBIT 4
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 2 of 10
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-filescan-overview.html (showing a SHA256
`and MD5 hash of a downloadable).
`
`Claim 9
`
`9a. A system for generating a
`Downloadable ID to identify
`a Downloadable, comprising:
`
`See
`https://www.juniper.net/documentation/en_US/junos/topics/reference/command-
`summary/security-file-checksum-sha1.html (showing a SHA-1 hash of a
`downloadable).
`
`
`
`
`
`Sky ATP meets the recited claim language they provide a system for generating a
`Downloadable ID to identify a Downloadable.
`
`Sky ATP meet the recited claim language because Sky ATP is a system which
`generates a Downloadable ID by creating malware attack profiles which include a
`hash to identify a Downloadable such as malware. The analysis includes
`scanning the Downloadables which include references to software components
`required to be executed by the Downloadable (e.g., suspicious web page content
`containing HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or
`other blended web malware).
`
`Sky ATP is a system which obtains a Downloadable then generates a profile that
`includes generating a Downloadable ID (e.g., the SHA-256 hash) to identify a
`Downloadable and whether it is malicious and to create a risk score or verdict.
`
`
`
`9
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 3 of 10
`
`
`
`9b. a communications engine
`for obtaining a Downloadable
`that includes one or more
`references to software
`components required to be
`executed by the
`Downloadable; and
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/information-products/topic-collections/sky-atp-open-apis.html (showing a
`SHA-256 generated for the downloadable to indentify the downloadable).
`
`Sky ATP meets the recited claim language because they provide a
`communications engine for obtaining a Downloadable that includes one or more
`references to software components required to be executed by the Downloadable.
`
`Sky ATP meet the recited claim language because Sky ATP is a system which
`includes a communications engine (e.g., network interface and corresponding
`proxy software) which obtains suspicious traffic flows for analysis that include
`Downloadables such as web page content and/or email attachments. These
`Downloadables include references to software components required to be
`executed by the Downloadable (e.g., suspicious web page content containing
`HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or other blended
`web malware).
`
`Downloadables that includes one or more references to software components
`required to be executed by the Downloadable include a web page that includes
`references to JavaScript, visual basic script, ActiveX, injected iframes; and a PDF
`that includes references to JavaScript, swf files or other executables. Typically,
`Juniper characterizes them as drive-by-downloads or droppers as such
`
`10
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 4 of 10
`
`Downloadables are usually programmed to take advantage of a browser,
`application, or OS that is out of date and has a security flaw. The initial
`downloaded code is often small enough that it wouldn’t be noticed, since its job is
`often simply to contact another computer where it can pull down the rest of the
`code on to the computer. In particular, such software components are usually
`programmed to be downloaded and run in the background in a manner that is
`invisible to the user - and without the user taking any conscious actions as just the
`act of viewing a web-page that harbors this malicious code is typically enough for
`the download and execution to occur.
`
`Sky ATP include a communications engine (e.g., network interface and
`corresponding proxy software) to obtain Downloadables for scanning. Sky ATP
`scans Downloadables that may include malware embedded in images, JavaScript,
`text and Flash files. As shown below, Sky ATP obtains and conducts analysis on
`Downloadables such as Executable files (e.g., “.bin, .com, .dat, .exe, .msi, .msm,
`.mst”), PDF files, Java (e.g., “.class, .ear, .jar, .war”), MS Office file types, Flash
`and Silverlight applications, Script files, and installer files through an application
`program interface.
`
`
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-profile-overview.html.
`
`11
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 5 of 10
`
`
`
`Sky ATP includes a communications engine (e.g., network interface and
`corresponding proxy software) to obtain Downloadables for analysis. As shown
`below, Sky ATP performs behavioral analysis such as potential dropper infection
`for Downloadables. Potential dropper infections “Drop PE” (e.g., references to
`software components required to be executed by the Downloadable).
`
`
`As shown below, Sky ATP a cache lookup of a file and its components using a
`hash value to prevent rescanning of known files and their components.
`
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/concept/sky-atp-malware-analyze.html
`
`Sky ATP meets the recited claim language because they provide an ID generator
`coupled to the communications engine that fetches at least one software
`component identified by the one or more references, and for performing a hashing
`function on the Downloadable and the fetched software components to generate a
`Downloadable ID.
`
`
`9c. an ID generator coupled to
`the communications engine
`that fetches at least one
`software component
`identified by the one or more
`references, and for
`
`12
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 6 of 10
`
`performing a hashing function
`on the Downloadable and the
`fetched software components
`to generate a Downloadable
`ID.
`
`Sky ATP meet the recited claim language because Sky ATP is a system that
`includes an ID generator (e.g., software coupled to the communications engine)
`that performs multi-protocol capture of HTML, JavaScript, files and EXEs and
`then performs a hash of the Downloadable and fetched software components. Sky
`ATP create a dynamically generated signature and/or a malware attack profile for
`the Downloadable by performing a hashing function using SHA-256, MD5,
`and/or SHA-1 on Downloadables (e.g., HTML, JavaScript and other web-based
`files/executables), thereby performing a hashing function on the Downloadable
`together with the fetched software components to generate a Downloadable ID.
`
`As shown below, Sky ATP includes an ID generator which analyzes a
`Downloadable (e.g., PDF) and fetches software components identified by the one
`or more references (e.g., “Drop PE”) within to determine whether it is suspicious
`or not.
`
`
`
`Sky ATP includes an ID generator (e.g., component coupled to the
`communications engine) which fetch software components identified by the one
`or more references (e.g., dropped files). Dropped files are captured by Sky ATP
`during sandboxing analysis as well as identified during static analysis. As shown
`below, static analysis will break down code and look for suspicious code and/or
`operations that include dropping files. Sky ATP includes components which fetch
`software components identified by the one or more references. SHA-256 hashes
`are generated together for the parent (dropper) and target (dropped) files.
`
`
`
`13
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 7 of 10
`
`
`Sky ATP obtains a Downloadable then generates a profile that includes
`generating a Downloadable ID (e.g., the SHA-256 hash) to identify a
`Downloadable. As shown below, the profile is then stored in Juniper’s cloud for
`further identification of Downloadables, including whether it is malicious and to
`create a risk score.
`
`
`
`
`
`
`14
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 8 of 10
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/information-products/topic-collections/sky-atp-open-apis.html
`
`Sky ATP obtains a Downloadable then generates a Downloadable ID (e.g., the
`SHA-256, SHA-1, and/or MD5 hashes) to identify a Downloadable (e.g., the exe
`file) together with the fetched software components using hashes for both the file
`and the “parent” file.
`
`
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-filescan-overview.html (showing a SHA256
`and MD5 hash of a downloadable).
`
`
`
`15
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 9 of 10
`
`
`
`
`See
`https://www.juniper.net/documentation/en_US/junos/topics/reference/command-
`summary/security-file-checksum-sha1.html (showing a SHA-1 hash of a
`downloadable).
`
`As described below, Sky ATP will detonate downloadable files using dynamic
`analysis, which requires fetching referenced components.
`
`
`
`16
`
`
`
`Case 3:17-cv-05659-WHA Document 371-8 Filed 02/14/19 Page 10 of 10
`
`
`Juniper Sky Advanced Threat Prevention .pdf at page 2.
`
`To the extent Juniper argues that Sky ATP do not literally satisfy this element,
`Juniper meets this element under the doctrine of equivalents.
`
`Sky ATP perform the same function as this claim element because they receive
`downloaded content, such as HTML or JavaScript, that have referenced
`components that are also downloaded by Sky ATP, and create an identity for
`downloaded content. This is the same function as this element because this an
`identification of a downloaded content, including referenced components that are
`downloaded. Sky ATP perform this function in the same way as this claim
`element because they download components that are used to create an identity for
`downloaded content such as HTML or JavaScript. Sky ATP perform this element
`the same way because the identity created can be used to identify downloaded
`content that reference multiple components that are used by the downloaded
`content. Sky ATP achieve the same result as this claim element because they
`have components that result in the creation of an identification in downloaded
`content, such as HTML or JavaScript, and downloads multiple components
`referenced. This is the same result as this claim element because Sky ATP use
`this identity to identify the downloaded content and its referenced components for
`security decisions.
`
`
`17
`
`
`
`
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
