Case 3:17-cv-05659-WHA Document 371-9 Filed 02/14/19 Page 1 of 8

EXHIBIT 5

Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching a component and creating a hash value for that dropped file).

Claim 9

9a. A system for generating a Downloadable ID to identify a Downloadable, comprising:

Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).

ATP Appliance meets the recited claim language because they provide a system for generating a Downloadable ID to identify a Downloadable.

ATP Appliance meets the recited claim language because ATP Appliance is a system which generates a Downloadable ID by creating malware attack profiles which include a hash to identify a Downloadable such as malware. The analysis includes scanning the Downloadables which include references to software components required to be executed by the Downloadable (e.g., suspicious web page content containing HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or other blended web malware).

ATP Appliance is a system which obtains a Downloadable then generates a profile that includes generating a Downloadable ID (e.g., the SHA-256 hash) to identify a Downloadable and to determine whether it is malicious and to return a risk score or verdict.

Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching a component and creating a Downloadable ID for that dropped file).

Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).

9b. a communications engine for obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable; and

ATP Appliance meets the recited claim language because they provide a communications engine for obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable.

ATP Appliance meets the recited claim language because ATP Appliance is a system which includes a communications engine (e.g., network interface and corresponding proxy software) which obtains suspicious traffic flows for analysis that include Downloadables such as web page content and/or email attachments. These Downloadables include references to software components required to be executed by the Downloadable (e.g., suspicious web page content containing HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or other blended web malware).

Downloadables that include one or more references to software components required to be executed by the Downloadable include a web page that includes references to JavaScript, visual basic script, ActiveX, injected iframes; and a PDF that includes references to JavaScript, swf files or other executables. Typically, Juniper characterizes them as drive-by-downloads or droppers as such Downloadables are usually programmed to take advantage of a browser, application, or OS that is out of date and has a security flaw. The initial downloaded code is often small enough that it wouldn’t be noticed, since its job is often simply to contact another computer where it can pull down the rest of the code on to the computer. In particular, such software components are usually programmed to be downloaded and run in the background in a manner that is invisible to the user - and without the user taking any conscious actions as just the act of viewing a web-page that harbors this malicious code is typically enough for the download and execution to occur.

ATP Appliance includes a communications engine (e.g., network interface and corresponding proxy software) to obtain Downloadables for scanning. ATP appliance scans Downloadables that may include malware embedded in images, JavaScript, text and Flash files. As shown below, ATP Appliance obtains and conducts analysis on Downloadables such as Executable files (e.g., “.bin, .com, .dat, .exe, .msi, .msm, .mst”), PDF files, Java (e.g., “.class, .ear, .jar, .war”), MS Office file types, Flash and Silverlight applications, Script files, and installer files through an application program interface.

The ATP Appliance performs behavioral analysis such as potential dropper infection for Downloadables. Potential dropper infections are references to software components required to be executed by the Downloadable. As shown below, the ATP Appliance uses behavior inspection and dynamic detection to find dropper files and to perform hashing functions on them.

Cyphort Datasheet

As shown below, ATP Appliance will obtain Downloadables, as well as components required to execute the Downloadables.

Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.

Cyphort WP Security 2.0

9c. an ID generator coupled to the communications engine that fetches at least one software component identified by the one or more references, and for performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID.

Cyphort WP Drive by Downloads (describing how the ATP appliances captures dropper files and performs “static analysis, behavior analysis and reputation analysis to identify if it is a malware.”).

ATP Appliance meets the recited claim language because they provide an ID generator coupled to the communications engine that fetches at least one software component identified by the one or more references, and for performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID.

ATP Appliance meets the recited claim language because ATP Appliance is a system that includes an ID generator (e.g., software coupled to the communications engine) that performs multi-protocol capture of HTML, JavaScript, files and EXEs and then performs a hash of the Downloadable and fetched software components. ATP Appliance creates a dynamically generated signature and/or a malware attack profile for the Downloadable by performing a hashing function using SHA-256, MD5, and/or SHA-1 on Downloadables (e.g., HTML, JavaScript and other web-based files/executables), thereby performing a hashing function on the Downloadable together with the fetched software components to generate a Downloadable ID.

ATP Appliance obtains a Downloadable then generates a profile that includes generating a Downloadable ID (e.g., the SHA-256 hash) to identify a Downloadable. As shown below, the profile is then stored in Juniper’s cloud for further identification of Downloadables, including whether it is malicious and to create a risk score.

The ATP Appliance performs behavioral analysis such as potential dropper infection for Downloadables. Potential dropper infections are references to software components required to be executed by the Downloadable. As shown below, the ATP Appliance uses behavior inspection and dynamic detection to find dropper files and to perform hashing functions on them. The ID generator is the software running on a system that generates the hash value of the component and the dropped file.

Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching a component and creating a Downloadable ID for that dropped file).

Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).

As shown below, ATP Appliance will obtain Downloadables, as well as components required to execute the Downloadables.

Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.

To the extent Juniper argues that ATP Appliances do not literally satisfy this element, Juniper meets this element under the doctrine of equivalents. ATP Appliances perform the same function as this claim element because they receive downloaded content, such as HTML or JavaScript, that have referenced components that are also downloaded by ATP Appliances, and create an identity for downloaded content. This is the same function as this element because this is an identification of a downloaded content, including referenced components that are downloaded. ATP Appliances perform this function in the same way as this claim element because they download components that are used to create an identity for downloaded content such as HTML or JavaScript. ATP Appliances perform this element the same way because the identity created can be used to identify downloaded content that reference multiple components that are used by the downloaded content. ATP Appliances achieve the same result as this claim element because they have components that result in the creation of an identification in downloaded content, such as HTML or JavaScript, and downloads multiple components referenced. This is the same result as this claim element because ATP Appliances use this identity to identify the downloaded content and its referenced components for security decisions.