`Case 3:17-cv-05659-WHA Document 391-4 Filed 03/14/19 Page 1 of 12
`EXHIBIT 2
Juniper’s Sky ATP
8,141,154
`The statements and documents cited below are based on information available to Finjan, Inc. at the time
`this chart was created. Finjan reserves its right to supplement this chart as additional information
`becomes known to it.
`
For purposes of this chart, “Sky ATP” is the cloud service and all support infrastructure maintained by Juniper, and includes the services and components in Exhibit A, as will be described in greater detail herein. Based on public information, Sky ATP operates identically with respect to the identified claims and varies only in software specifications and/or deployment options.
`
As identified and described element by element below, one or more of the Sky ATP services and components infringe at least claim 1 of the ‘154 Patent.
`
`
`
`
`
`Claim 1
1a. A system for protecting a computer from dynamically generated malicious content, comprising: a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe;
`
Sky ATP meets the recited claim language because it provides a system with a content processor for processing content received over a network, the content including a call to a first function, and the call including an input, and for invoking a second function with the input, only if a security computer indicates that such invocation is safe.
`
Sky ATP meets the recited claim language because it includes a dynamic analysis content processor that protects computers from dynamically generated malicious content delivered through the web, email, and lateral threats (e.g., drive-by downloads; zero-day vulnerabilities that serve ransomware; backdoors installed by exploiting browser and Adobe vulnerabilities; web attack toolkits utilizing JavaScript; URL malware propagating through websites and email; and Trojans that connect to URLs to download potentially malicious files) using behavior-based technologies for processing content received over a network; with the content including a call to a first function (such as a script function call, an action in a PDF file, or an iFrame, as discussed in more detail below) and the call including an input (such as obfuscated content or the arguments of the JavaScript function or PDF action, which can include an address, URL, URI, or IP address of a compromised website); and for invoking a second function (such as a script function call, an action in a PDF file, or an iFrame, as discussed in more detail below) with the input only if a security computer indicates that the invocation is safe.
`
As shown, while processing content during dynamic analysis, Sky ATP includes software and/or hardware to transmit the input to the first functions to a security computer, including the Spotlight Secure cloud service, C&C, GeoIP, cache, AV, or static analysis, to determine if the input directs to a compromised website or is a malicious dropped file, and returns a result that indicates whether the content is safe to invoke.
`
`1
`
`
`
`Case 3:17-cv-05659-WHA Document 391-4 Filed 03/14/19 Page 3 of 12
`
`Juniper Sky Advanced Threat Prevention.pdf
`
`As shown in the table below, Sky ATP submits inputs related to the
`location of C&C servers and infected cloud hosts, IP addresses for
`GeoIP location and black lists, extracted file content for analysis and
`C&C hits, content for malware analysis and threat detection, and content
`for internal compromise detection.
`
`sky-atp-admin-guide.pdf
`
As shown, while processing content during dynamic analysis, Sky ATP includes software and/or hardware to transmit the input to the first functions to a security computer, including the Spotlight Secure cloud service, C&C, GeoIP, cache, AV scanning, or static analysis, to determine if the input directs to a compromised website or is a malicious dropped file, and returns a result that indicates whether the content is safe to invoke.
`
Examples of the first functions are JavaScript and iframes that can be embedded in HTTP communications and are used to obfuscate or hide redirects that download malicious code/shellcode/payloads from a compromised webpage, such as “drive-by downloads.” Examples of first functions in the form of JavaScript functions include the eval, unescape, and document.write functions. For example, eval functions such as eval(base64_decode…) and eval(gzinflate…) are used to obfuscate or conceal automatic downloads of malware from a suspicious link or URI (e.g., malicious JavaScript, shellcode, drive-by downloads, droppers, installers, malicious binaries). Typically, the shellcode is staged: a first small payload is inserted into the exploit and is designed to then download the larger second-stage payload to extend the functionality of the shellcode. This web or HTTP content can include a call to a first function, where the call to a first function can be any of a number of different function calls written in JavaScript (e.g., eval, unescape, document.write, OnLoad, OnClick, OnMouseover, OnChange), and other functions that are used for obfuscation, redirection, heap spraying (e.g., NOP slide), or payload delivery (e.g., ROP, download-and-execute malware).
`
Another example of a first function is ‘unescape()’ when it is detected with a large amount of escaped data. Such activity is suspicious because it indicates an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript for the purpose of taking control of a system through a browser vulnerability. An example of a first function in the form of a 'document.write()' function is document.write(unescape([obfuscated code])), where the first function is document.write(). For example, when the document.write function is executed, the result is an iframe injection that downloads from a link or URL hidden via a 0x0 iframe.
`
`Other examples of first functions are functions within PDFs for
`specifying the action to be performed automatically when the document
`is viewed such as downloading malware from a suspicious link or URL
`(e.g. OpenAction); Embed or Launch SWF functions within a PDF for
`running an embedded video file; and functions for launching JavaScript
`within a PDF (e.g. Launch).
`
Examples of second functions include recursive or suspicious scripts for obfuscating malicious links/URIs, such as eval, unescape, and document.write. In the following example, eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IE…')) is a second function that recursively decodes the obfuscated code "ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IE…". Indirect calls to eval referencing the local scope of the current function, or referencing unimplemented features (e.g., the document.lastModified property), are further examples of second functions.
`
In another example, the first functions (stated above) are used to conceal the intent to invoke a second function with the input (e.g., scripts or an embedded malicious iframe used to obfuscate the malicious link or URI, such as document.write("<iframe src="http: //cool .cn/ in.cgi?" width=1 height=1 style="visibility: hidden"></iframe>")). In this example, the second function (e.g., the injected iframe, with the input "http: //cool.cn/ in.cgi?") is obfuscated by document.write. Additional combinations of functions include document.write(unescape([input])), where the first function is document.write and the second function is unescape. Other examples include scripts or iframes for performing mouse or keyboard interaction with a partially hidden element.
`
Another example is an email with a link to a video about a news story, where another, apparently valid page can be "hidden" on top of or underneath the "PLAY" control of the video. When the apparent "play" function is attempted, it is actually another second function that is invoked. Such second functions typically take the form of embedded script that loads another page over the video in a transparent layer using a concealed link or URI.
`
Second functions are typically a subsequent function that causes a download from the same URL, such as connecting to or downloading files from a remote command and control (CnC) server using HTTPSendRequest or InternetReadFile with the input (e.g., URL, IP, file). The content processor will invoke a second function (e.g., an HTTPS file download) with the input (e.g., a URL) only if the security computer indicates that such invocation is safe.
`
Second functions include sending results to a protected computer for automatically downloading from an obfuscated remote location and/or launching concealed input using certain combinations of JavaScript, iFrame injections, and/or PDF actions (e.g., OpenAction or Launch). Such examples include JavaScript and OpenAction functions within PDFs for launching or downloading code that exploits vulnerabilities within Adobe Reader and Adobe Acrobat, such as malicious JavaScript, shellcode, drive-by downloads, droppers, installers, and malicious binaries. Examples of such functions include URLDownloadToFile() for dropping malicious binaries; heap spraying functions, including memory-related functions using PROCESS_MEMORY_COUNTERS; JavaScript functions in PDF for connecting to the Internet or making a network connection, such as app.mailmsg() and app.launchURL(), as well as CONNECT-related and LISTEN-related functions; functions for executing malware via DLL injection, such as CreateRemoteThread(); and functions for executing dropped malware, such as NtCreateProcess().
`
The content processor can block attempts to invoke a second function with the input, such as a subsequent call to download from the URL (e.g., NetOpenURL, Connect/ConnectEx to the URL, Send/Ex to the URL/IP, URLDownloadToFileA, URLDownloadToFileW, URLDownloadToCacheFileA, and URLDownloadToCacheFileW).
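To make the claimed content-processor flow concrete, the following is an added Python illustration (not part of Finjan's chart and not Juniper's code): it finds first-function calls such as unescape() and atob()/base64_decode() wrapped by a second function (document.write or eval), decodes their argument, submits it to a stand-in "security computer" (a constructed host blocklist plus a concealed-iframe check), and invokes the second function only on a safe verdict. The sample content, blocklist, and host names are all constructed for the example.

```python
import base64
import re
from urllib.parse import quote, unquote, urlparse

# Constructed blocklist standing in for the C&C / GeoIP / reputation lookups the chart describes
BLOCKLIST = {"bad-host.invalid"}

# A second function (document.write / eval) wrapping a first function (unescape / atob / base64_decode)
CALL_RE = re.compile(r'(document\.write|eval)\(\s*((?:unescape|atob|base64_decode)\([^)]*\))\s*\)')
FIRST_RE = re.compile(r'\s*(unescape|atob|base64_decode)\(\s*["\']([^"\']*)["\']\s*\)')
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*src=["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(r'<iframe[^>]*(width=["\']?[01]\b|height=["\']?[01]\b|visibility:\s*hidden)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def decode_first_function(call):
    """Decode the first function's argument: this is the 'input' that is sent for inspection."""
    m = FIRST_RE.match(call)
    if not m:
        return None, None
    name, arg = m.groups()
    decoded = unquote(arg) if name == "unescape" else base64.b64decode(arg).decode("utf-8", "replace")
    return name, decoded

def security_computer(decoded):
    """Stand-in for the reputation/analysis backends: returns a verdict on the decoded input."""
    reasons = []
    hosts = {urlparse(u).hostname for u in IFRAME_SRC_RE.findall(decoded) + URL_RE.findall(decoded)}
    if hosts & BLOCKLIST:
        reasons.append("host on blocklist: " + ", ".join(sorted(hosts & BLOCKLIST)))
    if HIDDEN_RE.search(decoded):
        reasons.append("concealed (0x0/1x1 or hidden) iframe")
    return {"safe": not reasons, "reasons": reasons}

def content_processor(content):
    """Invoke each second function with its decoded input only if the security computer says it is safe."""
    decisions = []
    for second, first_call in CALL_RE.findall(content):
        name, decoded = decode_first_function(first_call)
        verdict = security_computer(decoded)
        decisions.append({"first": name, "second": second, "invoked": verdict["safe"], "reasons": verdict["reasons"]})
    return decisions

# Constructed sample content: a concealed iframe injection next to a benign write, both obfuscated
HIDDEN = '<iframe src="http://bad-host.invalid/in.cgi?" width=1 height=1 style="visibility:hidden"></iframe>'
BENIGN = '<a href="http://docs.example.com/">docs</a>'
SAMPLE = ('document.write(unescape("%s"));\n' % quote(HIDDEN)
          + 'eval(atob("%s"));\n' % base64.b64encode(BENIGN.encode()).decode())
if __name__ == "__main__":
    for decision in content_processor(SAMPLE):
        print(decision)
```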
`
As shown below, Sky ATP will process content using its “malware analysis pipeline,” which performs dynamic analysis that utilizes security computers to determine if content is malicious, including the Spotlight Secure cloud service, C&C, GeoIP, cache, AV, or static analysis, additional dynamic analysis, and/or YARA, to determine if the input directs to a compromised website or is a malicious dropped file, and returns a result that indicates whether the content is safe to invoke.
`
`
`
`
`
Sky ATP meets this element under the doctrine of equivalents. Sky ATP performs the same function because it receives incoming content, inspects the content using an engine, such as antivirus, static analysis, and dynamic analysis, for scanning, and proceeds with the function calls if the content is determined safe. This is the same function as the claim element, which receives content, uses a security computer to determine if the invocation is safe, and invokes a second function with the input. In this way, once the content has been received, inspected by the engine, and determined safe, the second function can be invoked with the input.
`
Sky ATP performs the same function in the same way because it receives incoming content that includes a call to a first function and an input, and uses an engine, such as antivirus, static analysis, and dynamic analysis, for scanning the incoming content to determine whether the content is safe and for invoking the second function with the input. This is the same way as the claim element, which receives content, uses a security computer to determine if the invocation is safe, and invokes a second function with the input. Sky ATP performs it this same way because it receives incoming content with a call to a first function and an input, uses scanners to determine whether the input is safe using an engine, and invokes the second function with the input. In this way, the receipt of the content with a first function and an input, and the invocation of the second function after a security computer has inspected the input, have been accomplished.
`
Sky ATP achieves the same result because it receives incoming content, inspects the content using an engine, such as antivirus, static analysis, and dynamic analysis, for scanning, and proceeds with the function calls if the content is determined safe. This is the same result as the claim element, which receives content, uses a security computer to determine if the invocation is safe, and invokes a second function with the input. Sky ATP achieves this same result because it invokes the second function with the input after scanning determines that the first function call with the input is safe. In this way, the result of receiving the content with a first function and an input, and the invocation of the second function after a security computer has inspected the input, has been accomplished.
`
a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked; and

Sky ATP meets the recited claim language because it includes a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked.

Sky ATP meets this claim element because its dynamic analysis content processor includes software and/or hardware components (a transmitter) for transmitting an input (such as an address, URL, URI, IP, or dropped file) to a security computer including the Spotlight Secure cloud service, C&C, GeoIP, cache, AV, or static analysis, additional dynamic analysis, and/or YARA.

The figure below shows that Sky ATP includes a transmitter for sending an input to a security computer, including the Spotlight Secure cloud service, C&C, GeoIP, cache, AV, or static analysis, additional dynamic analysis, and/or YARA. Sky ATP includes software and/or hardware to transmit the input for lookups on URLs, URIs, IPs, and dropped files for indications of a C&C or an otherwise compromised website, or that a dropped file is malicious or suspicious.
`
`Juniper Sky Advanced Threat Prevention.pdf
`
`As shown in the screenshot of Sky ATP, it performs dynamic analysis
`that will look up information on network connections, obfuscated
`content, and dropped files.
`
a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.
`
`
`Sky ATP meets the recited claim language because it includes a receiver
`for receiving an indicator from the security computer whether it is safe
`to invoke the second function with the input.
`
`Sky ATP meets this claim element because its dynamic analysis content
`processor includes software and/or hardware components (a receiver)
`for receiving the results of submitting an input to a security computer
`including spotlight secure cloud service, C&C, GeoIP, cache, AV, or
`static analysis, additional dynamic analysis, and/or YARA. The results
`include a verdict on whether it is safe to invoke the second function
`with the input.
`
The figure below shows that Sky ATP includes a receiver for receiving an indicator from a security computer, including the Spotlight Secure cloud service, C&C, GeoIP, cache, AV, or static analysis, additional dynamic analysis, and/or YARA, whether it is safe to invoke the second function with the input. Sky ATP includes software and/or hardware to receive results from the C&C/C&C Events, GeoIP, Identified malware, or analytics security components, which operate as a security computer that inspects the input to determine if it is safe to invoke the second function with it.
`
`Juniper Sky Advanced Threat Prevention.pdf
`
`As shown in the screenshot of Sky ATP below, it performs dynamic
`analysis that will receive information on network connections,
`obfuscated content, and dropped files to determine if it relates to a
`suspicious input.
`
[Screenshot of the Sky ATP console; legible panel labels: Email Attachments, Manual Upload, Email Quarantine]