Case 3:17-cv-05659-WHA Document 391-3 Filed 03/14/19 Page 1 of 19
EXHIBIT 1

Juniper’s SRX Gateways
8,141,154

The statements and documents cited below are based on information available to Finjan at the time this chart was created. Finjan reserves its right to supplement this chart as additional information becomes known to it.

For purposes of this chart, “SRX Gateways” include at least the following appliance models listed in Exhibit A. For purposes of this chart, “SRX Gateways” are SRX Series Services Gateway appliances, either alone, or when used in conjunction with other products or services as a system. For example, SRX Gateways perform the infringing procedures in combination with Juniper Sky Advanced Threat Prevention (“Sky ATP”)[1] or the Advanced Threat Prevention Appliance (“ATP Appliance”)[2] as an integrated distributed system, as will be described in greater detail herein. Based on public information, SRX Gateways all operate identically with respect to the identified claims and only vary based on software specifications and/or deployment options.

As identified and described element by element below, one or more of the SRX Gateways infringe at least claim 1 of the ‘154 Patent.

Claim 1

1a. A system for protecting a computer from dynamically generated malicious content, comprising: a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe;

SRX Gateways meet the recited claim language because they provide a system with a content processor for processing content received over a network, the content including a call to a first function, and the call including an input, and for invoking a second function with the input, only if a security computer indicates that such invocation is safe.

SRX Gateways meet the recited claim language because they protect computers from dynamically generated malicious content delivered through the web, email, and lateral threats (e.g. Drive-by-download; Zero-day Vulnerabilities that serve ransomware; backdoors by exploiting Browser and Adobe vulnerabilities; Web attack toolkits utilizing JavaScript; URL Malware propagating through websites and email; and Trojans that connect to URLs to download potentially malicious files) using behavior based technologies for processing content received over a network; with the content including a call to a first function (such as script function call, actions in PDF files, iFrames, as discussed in more detail below) and the call including an input (such as obfuscated content, the arguments of the JavaScript function or the PDF action, and can include a URL, URI, or IP address of a compromised website); and for invoking a second function (such as script function call, actions in PDF files, iFrames, as discussed in more detail below) with the input only if a security computer of Sky ATP or an ATP Appliance indicates that such invocation is safe.

The figure below shows that SRX Gateways protect one or more client computers because they process received content that is received over a network that was sent to that are protected by the SRX Gateways.

[1] Sky ATP includes the components and services in Exhibit A.
[2] ATP Appliance includes the appliance models listed in Exhibit A.

[Figure; source: SRX Series Services Gateways for the Branch.pdf]

Examples of the first functions are JavaScript and iframes that can be embedded in HTTP communications and are used to obfuscate or hide redirects to download malicious code/shellcode/payloads from a compromised webpage, such as “drive-by downloads.” Examples of first functions in the form of JavaScript functions include eval, unescape and document.write functions. For example, eval functions such as eval(base64_decode…) and eval(gzinflate…) are used to obfuscate or conceal automatic downloads of malware from a suspicious link or URI (e.g. malicious JavaScript, shellcode, drive-by download, droppers, installers, malicious binary). Typically, the shellcode is staged where the first small payload is inserted into the exploit and is designed to then download the larger second stage payload to extend the functionality of the shellcode. This web or HTTP content can include a call to a first function, where the call to a first function can be a number of different function calls written in JavaScript (e.g. eval, unescape, document.write, OnLoad, OnClick, OnMouseover, OnChange), and other functions that are used for obfuscation, redirection, heap spraying (e.g. NOP slide), payload (e.g. ROP, download execute malware).

Another example of a first function is ‘unescape()’ where a large amount of escaped data is detected. Such activity is suspicious as it indicates the attempt to inject a large amount of shell code or malicious HTML and/or JavaScript for the purpose of taking control of a system through a browser vulnerability. An example of first functions in the form of a 'document.write()' function includes document.write(unescape([obfuscated code])), where the first function is a document.write(). For example, when the document.write function is executed the result is an iframe injection to download from link or URL hidden via 0x0 iframe.

Other examples of first functions are functions within PDFs for specifying the action to be performed automatically when the document is viewed such as downloading malware from a suspicious link or URL (e.g. OpenAction); Embed or Launch SWF functions within a PDF for running an embedded video file; and functions for launching JavaScript within a PDF (e.g. Launch).

Examples of second functions include recursive or suspicious scripts for obfuscating malicious links/URIs such as eval, unescape and document.write. In the following example, eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IE…)) is a second function that is recursively decoding the obfuscated code "ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IE…" Indirect calls to eval referencing the local scope of the current function or of unimplemented features (e.g. the document.lastModified property) are further examples of second functions.

In another example, the first functions (stated above) are used to conceal the intent to invoke second function with the input (e.g. scripts or embedded malicious iframe in order to obfuscate the malicious link or URI, such as document.write("<iframe src="http: //cool .cn/ in.cgi?" width=1 height=1 style="visibility: hidden"></iframe>"). In this example, the second function (e.g. injected iframe with the input as "http: //cool.cn/ in.cgi?") is obfuscated by document.write. Additional combinations of functions include document.write(unescape([input])), where the first function is a document.write and the second function is an unescape. Other examples include scripts or iframes for performing mouse or keyboard interaction with a partially hidden element.

Another example is an email with a link to a video about a news story, but another valid page can be "hidden" on top or underneath the "PLAY" functionality (the first function) of a video. When the apparent "play" function is attempted, it is actually another second function that is invoked. Such second functions typically take the form of embedded script which loads another page over it in a transparent layer using a concealed link or URI.

Second functions are typically a subsequent function that causes a download from the same URL such as connecting to or downloading files from a remote command and control (“CnC” or “C&C”) server using HTTPSendRequest, InternetReadFile with the input (e.g. URL, IP, file).

The content processor will invoke a second function (e.g. HTTPS file download) with the input (e.g. URL) if the security computer indicates that such invocation is safe.

Second functions include sending results to a protected computer for automatically downloading from an obfuscated remote location and/or launching concealed input using certain combinations of JavaScript, iFrame injections and/or PDF (e.g. OpenAction or Launch). Such examples include JavaScript and OpenAction functions within PDFs for launching or downloading code for exploiting vulnerabilities within Adobe Reader and Adobe Acrobat such as malicious JavaScript, shellcode, drive-by download, droppers, installers and malicious binaries. Examples of such functions include URLDownloadToFile() for dropping malicious binaries; heap spraying functions including memory-related functions using PROCESS_MEMORY_COUNTERS; JavaScript functions in PDF for connecting to the Internet or making a network connection such as app.mailmsg() and app.launchURL(), as well as CONNECT-related and LISTEN-related functions; functions for executing malware via DLL injection such as CreateRemoteThread(); and functions for executing dropped malware, such as NtCreateProcess().

The content processor can block attempts to invoke a second function with the input such as a subsequent call to download from the URL (e.g., NetOpenURL, Connect/ConnectEx to URL, Send/Ex to URL/IP, URLDownloadToFileA, URLDownloadToFileW, URLDownloadToCacheFileA, and URLDownloadToCacheFileW).

As shown, SRX Gateways include software and/or hardware to transmit an input to Sky ATP, which operates as a security computer that will inspect the input using a sandbox and/or static analysis and return a result that indicates whether the content is safe to invoke.

[Figure; source: Juniper Networks Sky Advanced Threat Prevention - Technical Documentation - Support - Juniper Networks.pdf]

As shown, SRX Gateways include software and/or hardware to transmit the input to Sky ATP, which operates as a security computer that will inspect the input using a security computer, including spotlight secure cloud service, C&C, GeoIP, cache, AV, or static analysis, dynamic analysis, and/or YARA and return a result that indicates whether the content is safe to invoke.

[Figure; source: Juniper Sky Advanced Threat Prevention.pdf]

As shown in the table below, the SRX Gateways interface with Sky ATP to submit inputs related to the location of C&C servers and infected cloud hosts, IP addresses for GeoIP location and black lists, extracted file content for analysis and C&C hits, content for malware analysis and threat detection, and content for internal compromise detection.

[Table; source: sky-atp-admin-guide.pdf]

As shown, SRX Gateways include software and/or hardware to transmit the input to an ATP Appliance, which operates as a security computer that will inspect the input using static analysis, YARA, payload analysis, machine learning and behavioral analysis, malware reputation analysis, and SmartCore technology and return a result that indicates whether the content is safe to invoke.

As described below, SRX Gateways can also be used with an ATP Appliance to determine whether it is safe to automatically invoke a callback that may be to a C&C server.

SRX Gateways meet this element under the doctrine of equivalents. SRX Gateways perform the same function because they receive incoming content, inspect the content using an engine, such as antivirus, static analysis, and dynamic analysis, for scanning, and proceed with the function calls if the content is determined safe. This is the same function as the claim element, which receives content, uses a security computer to determine if the invocation is safe, and invokes a second function with the input. In this way, the function of having the content received, inspected by the engine and determined safe, the second function with the input can be invoked.

SRX Gateways perform the same function the same way because they receive incoming content that includes a call to a first function and an input, and an engine, such as antivirus, static analysis, and dynamic analysis, for scanning incoming content to determine whether the content is safe, and for invoking the second function with the input. This is the same way as the claim element, which receives content, uses a security computer to determine if the invocation is safe, and invokes a second function with the input. SRX Gateways products perform this way because they receive incoming content with a call to a first function and an input, use scanners to determine whether the input is safe using an engine, and invoking the second function with the input. In this way, the way of receiving the content with a first function and an input and the invocation of the second function after a security computer has inspected the input has been accomplished.

SRX Gateways achieve the same results because they modify content that they receiving incoming content inspect the content using an engine, such as antivirus, static analysis, and dynamic analysis, for scanning, and proceed with the function calls if the content is determined safe. This is the same result as the claim element, which receives content, uses a security computer to determine if the invocation is safe, and invokes a second function with the input. SRX Gateways achieve this result because they invoke the second function with the input after scanning determines the first function call with input is safe. In this way, the results of receiving the content with a first function and an input and the invocation of the second function after a security computer has inspected the input has been accomplished.

a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked; and

SRX Gateways meet the recited claim language because they include a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked.

SRX Gateways meet this claim element because they include software and/or hardware components that maintain a network connection (a transmitter) for transmitting an input to either Sky ATP or an ATP Appliance for security evaluation for the input. In one scenario, the SRX Gateways use this transmitter to send the input over the network connection to the Internet to Sky ATP using a predefined application program interface for submitting input (as described above and incorporated herein by reference) to Sky ATP. Sky ATP operates as a security computer because it analyzes input (including spotlight secure cloud service, C&C, GeoIP, cache, AV, or static analysis, dynamic analysis, and/or YARA) to determine if it performs malicious or suspicious operations, or for some other reason poses a security risk. In another scenario, the SRX Gateways use a transmitter to send the input over the network connection to the ATP Appliance, which would typically be installed on the same network as the SRX Gateways. The ATP Appliance operates as a security computer because it analyzes (using its static analysis, YARA, payload analysis, machine learning and behavioral analysis, malware reputation analysis, and/or SmartCore technology) the input (as described above and incorporated herein by reference) to determine if it performs malicious or suspicious operations, or for some other reason poses a security risk. The input is transmitted when the first function is invoked because SRX Gateways transmit inputs such as obfuscated content, the arguments of the JavaScript function or the PDF action, and can include a URL or URI to a compromised website.

The figure below shows that SRX Gateways include a transmitter for sending an input to Sky ATP. As shown, the SRX Gateways include software and/or hardware to transmit the input to Sky ATP, which operates as a security computer that will inspect the input using a sandbox and static analysis.

[Figure; source: Juniper Networks Sky Advanced Threat Prevention - Technical Documentation - Support - Juniper Networks.pdf]

The figure below shows that SRX Gateways include a transmitter for sending an input to Sky ATP. As shown, the SRX Gateways include software and/or hardware to transmit the input to Sky ATP, which operates as a security computer that will inspect the input using a cache, antivirus, static analysis, YARA, dynamic analysis and with internal compromise detection databases.

[Figure; source: Juniper Sky Advanced Threat Prevention.pdf]

The figure below shows that SRX Gateways (used as collectors with the ATP Appliance) include a transmitter for sending an input to an ATP Appliance. As shown, the SRX Gateways include software and/or hardware to transmit the input to an ATP Appliance, which operates as a security computer that will inspect the input using static analysis, YARA, payload analysis, machine learning and behavioral analysis, malware reputation analysis, and SmartCore technology.

[Figure: ATP Appliance architecture diagram; legible labels include Fabric Collector, Firewall, Headquarters, Collector, Lateral Detection, Lateral Spread, SmartCore. The legible text of the excerpt follows.]

The architecture of the ATP Appliance consists of collectors deployed at critical points in the network, including remote locations. These collectors act like sensors, capturing information about Web, e-mail, and lateral traffic. Data and related executables collected across the fabric are delivered to the SmartCore analytics engine. Along with traffic from the native collectors, the ATP Appliance also ingests logs from other identity and security products such as Active Directory, endpoint antivirus, firewalls, secure Web gateways, intrusion detection systems, and endpoint detection and response tools. The logs can be ingested directly from third-party devices, or they can be forwarded from existing SIEM/syslog servers.

Armed with data collected from various sources, the SmartCore analytics engine performs the following multistage threat analysis processes:

- Static analysis: Applies continuously updated rules and signatures to find known threats that may have eluded inline devices.
- Payload analysis: Leverages an intelligent sandbox array to gain a deeper understanding of malware behavior by detonating suspicious Web and file content that would otherwise target Windows, OSX, or Android endpoint devices.

As described below, SRX Gateways can also be used with an ATP Appliance to check for an input that is a callback to malicious C&C servers showing that it is not safe to contact these servers.

a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.

SRX Gateways meet the recited claim language because they include a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.

SRX Gateways meet this claim element because they include software and/or hardware components that maintain a network connection (a receiver) for receiving an indicator from Sky ATP in one scenario or an ATP Appliance in another scenario. In one scenario, the SRX Gateways use this receiver to receive over the network connection to the Internet the results from the Sky ATP using a predefined application program interface for receiving the security results from Sky ATP. Sky ATP includes information on whether it is safe to invoke the second function (as described above and incorporated herein by reference) with the input because it identifies malicious or suspicious operations, including through a verdict on the input. The SRX Gateways use this receiver to receive over the network connection to the Internet the results from the ATP Appliance using a predefined interface for receiving the security results from the ATP Appliance. The ATP Appliance includes information on whether it is safe to invoke the second function with the input because it identifies malicious or suspicious operations.

The figure below shows that SRX Gateways include a receiver for receiving an indicator from Sky ATP on whether it is safe to invoke the second function with the input. As shown, the SRX Gateways include software and/or hardware to receive results from Sky ATP, which operates as a security computer that will inspect the input using a sandbox and static analysis to determine if it is safe to invoke.

[Figure; source: Juniper Networks Sky Advanced Threat Prevention - Technical Documentation - Support - Juniper Networks.pdf]

The figure below shows that SRX Gateways include a receiver for receiving an indicator from Sky ATP on whether it is safe to invoke the second function with the input. As shown, the SRX Gateways include software and/or hardware to receive results from Sky ATP, which operates as a security computer that will inspect the input using a cache, antivirus, static analysis, YARA, dynamic analysis and with internal compromise detection databases to determine if it is safe to invoke.

[Figure; source: Juniper Sky Advanced Threat Prevention.pdf]

The figure below shows that SRX Gateways (used for enforcement) include a receiver for receiving an indicator from ATP Appliance on whether it is safe to invoke the second function with the input. As shown, the SRX Gateways include software and/or hardware to receive results from an ATP Appliance, which operates as a security computer that will inspect the input using static analysis, YARA, payload analysis, machine learning and behavioral analysis, malware reputation analysis, and SmartCore technology.

As described below, SRX Gateways can also be used with an ATP Appliance to indicate callbacks to malicious C&C servers showing that it is not safe to contact these servers.
