Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 1 of 29
`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 1 of 29
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`DKT. 97-6
`DKT. 97-6
`(REDACTED)
`(REDACTED)
`
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 2 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`PAUL ANDRE (State Bar No. 196585)
`pandre@kramerlevin.com
`LISA KOBIALKA (State Bar No. 191404)
`lkobialka@kramerlevin.com
`JAMES HANNAH (State Bar No. 237978)
`jhannah@kramerlevin.com
`KRISTOPHER KASTENS (State Bar No. 254797)
`kkastens@kramerlevin.com
`KRAMER LEVIN NAFTALIS & FRANKEL LLP
`990 Marsh Road
`Menlo Park, CA 94025
`Telephone: (650) 752-1700
`Facsimile: (650) 752-1800
`
`Attorneys for Plaintiff
`FINJAN, INC.
`
`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`SAN FRANCISCO DIVISION
`
`FINJAN, INC., a Delaware Corporation,
`
`
`
`
`
`
`Plaintiff,
`
`v.
`
`
`JUNIPER NETWORKS, INC., a Delaware
`Corporation,
`
`
`Defendant.
`
`
`
`Case No.: 3:17-cv-05659-WHA
`
`DECLARATION OF DR. ERIC COLE IN
`SUPPORT OF PLAINTIFF FINJAN, INC.’S
`NOTICE OF MOTION AND MOTION FOR
`SUMMARY JUDGMENT OF INRINGEMENT
`OF CLAIM 10 OF U.S. PATENT NO. 8,677,494
`
`July 26, 2018
`Date:
`8:00 a.m.
`Time:
`Courtroom: Courtroom 12, 19th Floor
`Before:
`Hon. William Alsup
`
`
`
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`UNREDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 3 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`I, Eric Cole, hereby declare that:
`1.
`I have been asked by Plaintiff Finjan, Inc. to submit an expert declaration on whether
`Juniper, Inc.’s SRX Gateways1 and Sky ATP2 products infringe claim 10 of U.S. Patent No. 8,677,494
`(the “’494 Patent”). I relied on the documents cited herein, including the ‘494 Patent, the file history of
`
`the ’494 Patent, the source code review computer, source code printouts, the deposition transcripts of
`
`Tenorio, Manthena, Nagarajan, and Manocha, as well as exhibits thereto, Finjan’s Infringement
`
`Contentions, and Juniper’s Discovery Responses.
`I.
`
`EXPERIENCE AND QUALIFICATIONS
`2.
`
`I hold a master's degree in computer science and a doctorate in information security and
`
`have worked in the cyber and technical information security industry for over 25 years. I am a member
`
`of the European InfoSec Hall of Fame, a professional membership awarded by nomination and election
`
`by a panel of industry experts. I am the founder of Secure Anchor Consulting where I provide cyber
`
`security consulting services and am involved in advance information systems security. I am a Fellow
`
`and instructor with The SANS Institute, a research and education organization consisting of
`
`information security professionals. I am an author of several security courses such as SEC401-Security
`
`Essentials and SEC501-Enterprise Defender. I worked for the government for 8 years as an employee
`
`and have held various contracting jobs with government agencies, which involved working with
`
`1 SRX Gateways includes all SRX Gateways that are capable of interacting with Sky ATP, and includes
`SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX340, SRX345, SRX550, SRX550m,
`SRX650, SRX1400, SRX1500, SRX3400, SRX3600, SRX4000, SRX4100, SRX4200, SRX5400,
`SRX5600, SRX5800, vSRX Virtual Firewall, vSRX (including 10Mbps, 100Mps, 1000Mbps,
`2000Mbps, 4000Mbps version), Next Generation Firewall, cSRX Container Firewall. SRX Gateways
`include all supporting server or cloud infrastructure, feeds, and other components SRX Gateways utilize.
`2 Sky ATP includes the cloud infrastructure for Sky ATP, and includes the following service
`subscriptions Free Sky ATP, Basic Sky ATP (SRX340-THRTFEED-1, 3, 5; SRX345-THRTFEED-1, 3,
`5; SRX550-THRTFEED-1, 3, 5; SRX1500-THRTFEED-1, 3, 5; SRX4100THRTFEED-1, 3, 5;
`SRX4200-THRTFEED-1, 3, 5; SRX5400-THRTFEED-1, 3, 5; SRX5600-THRTFEED-1, 3, 5;
`SRX5800-THRTFEED-1, 3, 5; VSRX10MTHRTFEED-1, 3, 5; VSRX100MTHRTFEED-1, 3, 5;
`VSRX1GTHRTFEED-1, 3, 5; VSRX2GTHRTFEED-1, 3, 5; and VSRX4GTHRTFEED-1, 3, 5) and
`Premium Sky ATP (SRX340-ATP-1, 3, 5; SRX345-ATP-1, 3, 5; SRX550-ATP-1, 3, 5; SRX1500-ATP-
`1, 3, 5; SRX4100-ATP-1, 3, 5; SRX4200-ATP-1, 3, 5; SRX5400-ATP-1, 3, 5; SRX5600-ATP-1, 3, 5;
`SRX5800-ATP-1, 3, 5; VSRX10M-ATP-1, 3, 5; VSRX100M-ATP-1, 3, 5; VSRX1G-ATP-1, 3, 5;
`VSRX2G-ATP-1, 3, 5; and VSRX4G-ATP-1, 3, 5). Sky ATP includes all supporting server or cloud
`infrastructure, feeds, and other components utilized by Sky ATP including Spotlight Secure Threat
`Intelligence Platform. Sky ATP also includes all products that receive updates from the service.
`1
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 4 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`classified information. I held or hold various top-secret security clearances with Department of
`
`Defense, CIA, and Nuclear Regulatory Commission (NRC). I worked for a wide range of government
`
`organizations including the FBI, NSA, CIA, DOE, DOD, NRC, Treasury, and Secret Service. As
`
`former Chief Scientist and Senior Fellow for Lockheed Martin, I performed research and development
`
`in information systems security. At Lockheed Martin, I served as technical advisor in high-profile
`
`security projects for government clients including the Department of Defense, the FBI Sentinel case
`
`management systems, Department of Homeland Security Enterprise Acquisition Gateway for Leading
`
`Edge solutions, JetPropulsion Labs, Hanford Labs, and FBI Information Assurance Technology
`
`Infusion programs. As former CTO for McAfee I executed the technology strategy for technology
`
`platforms and external relationships to establish product vision and achieve McAfee’s goals. I am a
`
`contributing author of “Securing Cyberspace for the 44th President.” and served as a commissioner on
`
`cyber security for President Obama. My 8 books on cyber security include “Network Security Bible -
`
`2nd Edition,” “Advanced Persistent Threat,” and “Insider Threat,” which are recognized as industry-
`
`standard sources.
`A.
`3.
`
`Compensation
`
`My rate of compensation for my work in this case is $475 per hour plus any direct
`
`expenses incurred. My compensation is based solely on the amount of time that I devote to activity
`
`related to this case and is in no way affected by any opinions that I render. I receive no other
`
`compensation from work on this action. My compensation is not dependent on the outcome of this case.
`II.
`
`LEGAL STANDARDS
`4.
`
`Counsel for Finjan has informed me of the following legal standards that I have used as
`
`a framework in forming my opinions contained herein.
`5.
`
`I have been informed that claim construction is a legal issue for the Court to decide. I
`
`also understand that the Court has not issued a claim construction order in this case. As such, I have
`
`applied the plain and ordinary meaning of all terms, unless specifically identified below.
`6.
`
`I have been informed that infringement is determined on a claim by claim basis. I have
`
`been further informed that literal infringement is found if an accused product, system or method meets
`
`each and every element of a single claim. I have been informed that direct infringement is found if a
`2
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 5 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`party or its agents make, use, sell, or offer to sell a product or system that contains all elements of a
`
`claimed system or perform all of the steps of a claimed method.
`7.
`
`I have been informed that in the case of direct infringement of a system claim, a party
`
`can be found to use a patented system even if the party does not exercise physical or direct control over
`
`every element of the system. For elements that are not subject to the physical or direct control of the
`
`party, I have been informed that the party is still deemed to be using that component or part of the
`
`patented system when (1) it puts the component into service, i.e., causes it to work for its intended
`
`purpose and (2) receives the benefit of that purpose. For example, if a company queries a third-party's
`
`database, thereby causing the database to run a query and return a result to the company, the company
`
`is deemed to have used the database for infringement purposes by putting it into service (causing it to
`
`run the query) and receiving the benefit of that operation (the result of the query), even though the
`
`company does not own or control the database.
`8.
`
`I have been informed that infringement under the doctrine of equivalents is found if an
`
`accused product, system or process contains parts or steps that are identical or equivalent to each and
`
`every element of a single claim. A part or step is equivalent if a person of ordinary skill in the art
`
`would conclude that the differences between the product or method step and the claim element were not
`
`substantial at the time of infringement. I have been further informed that one common test to determine
`
`if the difference between a component or method step and a claim element is not substantial is asking if
`
`the component or step performs substantially the same function, in substantially the same way, to
`
`achieve substantially the same result.
`9.
`
`I have been informed that in the case of direct infringement of a multinational system
`
`claim where elements of such system are located in multiple countries, a party can be found to use the
`
`patented system in the United States if the place where control of the accused system is exercised and
`
`where beneficial use of the system is obtained are both within the United States. For example, if the
`
`accused system is controlled by a device in the United States that generates requests sent to the accused
`
`system and the benefit of the accused system is obtained by the company or person using the device in
`
`the United States, the company is deemed to have used the accused system for infringement purposes in
`
`the United States even though the accused system has some elements located outside the United States.
`3
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 6 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`A.
`10.
`
`Person of Ordinary Skill in the Art
`
`Based on review of the Asserted Patents and consideration of the abovementioned
`
`factors, it is my opinion that a person of ordinary skill in the art at the time of the invention of the
`
`Asserted Patents would be someone with a bachelor’s degree in computer science or related field, and
`
`either (1) two or more years of industry experience and/or (2) an advanced degree in computer science
`
`or related field. I understand that claim 10 of the ‘494 Patent claims a priority date of November 8,
`
`1996. But if the ‘494 Patent is found to have another priority date it would not materially affect my
`
`analysis.
`III.
`
`SUMMARY OF DECLARATION
`11.
`
`I have been asked by counsel for Finjan to consider if Juniper infringes claim 10 of the
`
`‘494 Patent. I assumed that claim 10 of the ‘494 Patent is valid and enforceable. I have not considered
`
`any issues related to damages associated with this infringement.
`12.
`
`The language of Claim 10 of the ‘494 Patent is set forth below.
`
`10. A system for managing Downloadables, comprising:
`
`(10a) a receiver for receiving an incoming Downloadable;
`
`(10b) a Downloadable scanner coupled with said receiver, for deriving security
`
`profile data for the Downloadable, including a list of suspicious computer
`
`operations that may be attempted by the Downloadable; and
`
`(10c) a database manager coupled with said Downloadable scanner, for storing
`
`the Downloadable security profile data in a database.
`
`13.
`
`I have been asked by counsel for Finjan to consider whether the SRX Gateways
`
`operating with Sky ATP and Sky ATP alone infringe claim 10 of the ‘494 Patent. I have confirmed
`
`that the functionality that I describe was available and in use before January 29, 2017. I confirmed this
`
`with the source code and release notes that the products currently operate in the same manner as what is
`set forth in those documents. See, for example, Ex. 24,3 JNPR-FNJN_29006_00162260 at 60-64. The
`following description of the products is undisputed based on Juniper’s products and testimony.
`
`
`3 All “Ex.” citations are to the Declaration of Kristopher Kastens (“Kastens Decl.”) filed herewith.
`4
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 7 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`IV. OVERVIEW OF THE ‘494 PATENT
`14.
`The technology of the ‘494 Patent generally relates to protecting against a potentially
`
`malicious “Downloadable.” Ex. 1, ‘494 Patent at Col. 1, ll. 60-63. A Downloadable is often in the form
`
`of executables, JavaScript, PDFs, etc. Id. at Col. 2, ll. 59-64. In a typical scenario, a Downloadable is
`
`delivered to a computer from another computer on the Internet (sometimes called a server) where there
`
`is not a sufficient level of trust and is a common avenue for adversaries to deliver malicious code to a
`
`system. Id. at Col. 2, ll. 51- Col. 3, ll. 2. This code often comes from untrusted sites or persons on the
`
`Internet and could run without the user’s knowledge or permission. Id. at Col. 2, ll. 51- Col. 3, ll. 2.
`
`Claim 10 of the ‘494 Patent describes a system addressing this problem, and which downloads content,
`
`inspects content that is downloaded, determines if the downloaded content may perform malicious or
`
`suspicious operations, and stores this security profile in a database. Id. at Claim 10.
`15.
`
`The ‘494 Patent (through its incorporation of the ‘780 Patent as a parent application),
`
`includes a description of the operations that are “suspicious.” Ex. 2, ‘780 Patent, Col. 6, ll. 1-16.
`16.
`
`Suspicious operations described include operations for reading and writing files, sending
`
`or sending data over a network, and changing the registry.
`17.
`
`The system in Claim 10 of the ‘494 Patent sets forth a number of ways that the security
`
`profile can be used to protect against threats. In one example, the security profile may be used in real-
`
`time to make a decision of what action would be allowed to be taken. In other instances, the profile
`
`could be analyzed by other processes as part of a security system used to classify malicious content. In
`
`further instances, the profile could be used to provide information to a customer regarding the types of
`
`threats that are observed on the network.
`V.
`
`SRX Gateways
`
`OVERVIEW OF THE ACCUSED PRODUCTS
`A.
`18.
`
`Juniper SRX Gateways are next generation security gateways that provides essential
`
`capabilities to secure a workforce. The SRX Gateways all operate using the Junos operating system.
`
`The SRX Gateways operate as a gateway between the untrusted Internet and a trusted internal network.
`
`Ex. 7, FINJAN-JN 005382 at 85. The SRX Gateways receive content (such as Downloaded files) from
`
`the Internet, and depending on what type of content is received, can send the file to Sky ATP for
`5
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 8 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`analysis, and generates a profile which is stored in a database, which includes information such as
`
`whether it is likely to perform suspicious or malicious operations.
`B.
`19.
`
`Sky ATP
`
`Juniper Sky ATP is a cloud-based scanning system used by Juniper that is critical to
`t is critical to
`
`Juniper’s differentiation from competitors and to prevent Juniper’s products from commoditization.
`Juniper’s differentiation from competitors and to prevent Juniper’s products from commoditization.
`
`Ex. 6, JNPR-FNJN_29002_00173278 at 83. Juniper sometimes refers to Sky ATP using its code-
`Ex. 6, JNPR-FNJN_29002_00173278 at 83. Juniper sometimes refers to Sky ATP using its code-
`
`names, which include “Argon” and “Advanced Anti-Malware Solution” (“AAMW”). Id. Sky ATP can
`names, which include “Argon” and “Advanced Anti-Malware Solution” (“AAMW”). Id.dd Sky ATP can
`
`be used as a service by SRX Gateways. Ex. 9, FINJAN-JN 005438. SRX Gateways can submit files to
`be used as a service by SRX Gateways. Ex. 9, FINJAN-JN 005438. SRX Gateways can submit files to
`
`Sky ATP for analysis and Sky ATP will return results that include a profile on the file and describe
`Sky ATP for analysis and Sky ATP will return results that include a profile on the file and describe
`
`whether the file is considered suspicious or safe. Ex. 6, JNPR-FNJN_29002_00173278 at 83. Sky
`whether the file is considered suspicious or safe. Ex. 6, JNPR-FNJN_29002_00173278 at 83. Sky
`
`ATP forms a system with the SRX Gateways and its cloud components. Ex. 16, FINJAN-JN 044832 at
`ATP forms a system with the SRX Gateways and its cloud components. Ex. 16, FINJAN-JN 044832 at
`
`38 (dated April 2016).
`38 (dated April 2016).
`
`20.
`
`In particular, Sky ATP provides advanced anti-malware and anti-ransom protection
`
`against sophisticated “zero-day” and unknown threats. Ex. 9, FINJAN-JN 005438. Sky ATP generates
`
`“actionable intelligence” that can be used in a security network. Ex. 16, FINJAN-JN 044832 at 51.
`
`Sky ATP includes a malware inspection pipeline with cached results, antivirus, static analysis, and
`
`dynamic analysis. Ex. 9, FINJAN-JN 005438. The Sky ATP malware inspection pipeline for
`
`analyzing and detecting malware and describes how it performs static and dynamic analysis on files to
`
`determine whether they perform suspicious operations. Internally, the inspection pipeline component is
` Internally, the inspection pipeline component is
`
`internally referred to as the “pipeline manager.” Ex. 8, Tenorio Tr. at 28:1-28:13; Ex. 11, FINJAN-JN
`internally referred to as the “pipeline manager.” Ex. 8, Tenorio Tr. at 28:1-28:13; Ex. 11, FINJAN-JN
`
`044744 at 762.
`044744 at 762.
`
`21.
`
`Sky ATP performs static analysis to determine if unusual operations are used and
`
`dynamic analysis to identify behaviors of the file. Ex. 11, FINJAN-JN 044744 at 62. Sky ATP has a
`
`static analysis component that is run on the content it receives using scanners. Ex. 11, FINJAN-JN
`
`044744 at 63. The static analysis in Sky ATP detects different “features” found in the file, which
`
`includes the detection of suspicious operations. Ex. 16, FINJAN-JN 044832 at 46. After the static
`
`analysis component has finished scanning, it returns the features detected as a result and also behaviors
`
`observed. Ex. 11, FINJAN-JN 044744 at 62-63. The features returned from static analysis are stored
`6
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 9 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`in a database of the results, which is internally referred to as the “ResultsDB”. Ex. 8, Tenorio Tr. at
` “ResultsDB”. Ex. 8, Tenorio Tr. at
`
`59:2-24. The results from the analysis are stored in the database of results and are linked and indexed
`59:2-24. The results from the analysis are stored in the database of results and are linked and indexed
`
`using the SHA-256 or Sample ID for the file. Ex. 8, Tenorio Tr. at 11:22-12:4, 28:1-13.
`using the SHA-256 or Sample ID for the file. Ex. 8, Tenorio Tr. at 11:22-12:4, 28:1-13.
`
`22.
`
`Sky ATP also performs dynamic analysis through its sandbox with deception
`
`environment, which “detonates” content by running it in a controlled environment. Ex. 9, FINJAN-JN
`
`005438 at 39. The sandbox is a secure environment that allows the file to run as if it is in a real
`
`computer systems. Ex. 11, FINJAN-JN 044744 at 63. As part of the “detonation” of the file, the
`
`sandbox environment records the operations performed by content, and then identifies suspicious
`
`behaviors that were performed. Ex. 9, FINJAN-JN 005438 at 39. Sky ATP creates a profile that
`
`includes a list of suspicious computer operations that are detected and related to suspicious activity, like
`
`allocating memory, performing a long sleep operation, and starting a process with exploit code.
`
`Kastens Decl., ¶ 31, https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
`
`(“Lanworks & Juniper Sky ATP Lunch and Learn”) (FINJAN-JN 317958). Juniper internally refers to
`
`the dynamic analysis performed in the malware inspection pipeline as the combination of the
` the combination of the
`
`“deception adapter” and a sandbox called “Joe Sandbox.” Ex. 8, Tenorio Tr. at 51:15-21; 71:9-72:18.
`“deception adapter” and a sandbox called “Joe Sandbox.”
`
`The sandbox will record the activity of the file (the Downloadable), and will then identify suspicious
`The sandbox will record the activity of the file (the Downloadable), and will then identify suspicious
`
`operations that were performed with the file executed in the sandbox environment. Ex. 8, Tenorio Tr.
`operations that were performed with the file executed in the sandbox environment. Ex. 8, Tenorio Tr.
`
`at 72:5-73:8. The deception adapter identifies results that are relevant to determining whether the file is
`at 72:5-73:8. The deception adapter identifies results that are relevant to determining whether the file is
`
`suspicious or malicious, and returns these for storage in the ResultsDB, a database that stores the results
`suspicious or malicious, and returns these for storage in the ResultsDB, a database that stores the results
`
`for the processing in Sky ATP. Ex. 8, Tenorio Tr. at 56:22-57:9.
`for the processing in Sky ATP. Ex. 8, Tenorio Tr. at 56:22-57:9.
`VI. ANALYSIS OF CLAIM 10 OF THE ‘494 PATENT
`A.
`Overview of Juniper’s Infringement
`23.
`
`Juniper sells, builds, and operates SRX Gateways and the Sky ATP in the United States.
`
`Juniper infringes Claim 10 of the ‘494 Patent because the combination of the SRX Gateways and Sky
`
`ATP meet every element of the claim and Sky ATP on its own meets every element of the claim. The
`
`SRX Gateways are receivers that receive incoming executable files that an internal computer is
`
`attempting to download (the Downloadable), and based on the file type detected for the file, can submit
`
`the file to Sky ATP for analysis. The software in Sky ATP is also a receiver because it receives files
`7
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 10 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`submitted from SRX Gateways to Sky ATP using the SRX API. Sky ATP includes a Downloadable
`
`scanner in the form of a malware inspection pipeline with static and dynamic analysis components.
`
`Sky ATP uses the malware inspection pipeline to scan a Downloadable and generate a profile for it.
`
`This security profile generated by the malware inspection pipeline includes results from the static and
`
`dynamic analysis that includes a list of suspicious computer operations like creating files, dynamically
`
`determining API calls, and contacting remote servers. Sky ATP stores the results of this scanning in a
`
`database, which includes software for managing this database to store and retrieve information.
`B.
`24.
`
`The preamble of claim 10 of the ‘494 Patent is “[a] system for managing
`
`Preamble of Claim 10 of the ‘494 Patent
`
`Downloadables, comprising:”. While I understand that a preamble is only limiting on a claim in certain
`
`specific circumstances, I found that the preamble of Claim 10 is met. I incorporate by reference my
`
`summary of the products for this section.
`25.
`
`The SRX Gateways, when used in combination with Sky ATP, acts as a system for
`
`managing Downloadables because this system acts as a distributed system for analyzing downloaded
`
`executable files, and then allowing the management of downloaded files based on the generated
`
`information. In particular, the SRX Gateways will send executable files to Sky ATP for static and
`
`dynamic analysis in its malware analysis pipeline, which manages the file during analysis, as well as
`
`the results that are generated during analysis. Sky ATP on its own is a system for managing
`
`Downloadables because it receives Downloadables that are submitted to it from SRX Gateways, as well
`
`as through a web interface. Sky ATP performs static and dynamic analysis in its analysis pipeline,
`
`which manages the file during analysis, as well as the results that are generated during analysis. Sky
`
`ATP accepts a large range of executable files for analysis, which includes files like Java, PDF and
`
`HTML with JavaScript (JS), and executables. Ex. 11, FINJAN-JN 044744 at 86.
`C.
`26.
`
`Element 10(a) of the ‘494 Patent
`
`The Accused Products include “a receiver for receiving an incoming Downloadable”. I
`
`understand that Juniper has admitted that both the SRX Gateways and Sky ATP include “a receiver for
`
`receiving an incoming Downloadable.” Further, for the term Downloadable, I have used the
`
`construction of “an executable application program, which is downloaded from a source computer and
`8
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 11 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`run on the destination computer.” I understand that Juniper admitted this was the correct construction
`
`and it has also been adopted in other Courts. Further, I have reviewed Juniper’s response to Finjan’s
`
`Interrogatory No. 10, and Juniper did not identify a different understanding that would lead to a non-
`
`infringement position related to this term.
`27.
`
`SRX Gateways are a “receiver” under Claim 10 of the ‘494 Patent because SRX
`
`Appliances receive files incoming from the Internet and to be downloaded to a destination, such as a
`
`computer. Ex. 6, JNPR-FNJN_29002_00173278 at 83 (“SRX inspects both ingress and egress network
` (“SRX inspects both ingress and egress network
`
`traffic, extracts the interested file content and passes it to Argon cloud server. Argon cloud analyzes
`traffic, extracts the interested file content and passes it to Argon cloud server. Argon cloud analyzes
`
`the file input from SRX through [a] series of advanced detection technologies and returns a verdict of
`the file input from SRX through [a] series of advanced detection technologies and returns a verdict of
`
`the file indicating if the file is malicious.”). This content includes content like an “executable
`the file indicating if the file is malicious.”).
`
`application program,” which as explicitly set forth in the ‘494 Patent includes portable executables and
`
`files containing JavaScript. Ex. 7, FINJAN-JN 005382 at 84. Computers on the internal network
`
`request these Downloadables from a server so that it can run them. As such, the SRX Appliances are
`
`“receivers” under Claim 10 of the ‘449 Patent. The SRX Gateways operate as a gateway with
`
`components resident within the SRX Gateways that receive files downloaded (a “Downloadable”) from
`
`servers on the Internet. The SRX Gateway intercepts the transmission of these Downloadables between
`
`a source computer (typically a server on the Internet) and a destination computer (like an employee’s
`
`computer on a company’s internal network). Ex. 7, FINJAN-JN 005382 at 85.
`28.
`
`The Sky ATP service in SRX Gateway receive and pass “incoming files to the Cloud for
`y receive and pass “incoming files to the Cloud for
`
`analysis.” Ex. 16, FINJAN-JN 044832 at 38. Sky ATP also includes proxy software components that
`analysis.” Ex. 16, FINJAN-JN 044832 at 38. Sky ATP also includes proxy software components that
`
`act as a receiver for incoming Downloadables from SRX Gateways. Specifically, Sky ATP includes a
`act as a receiver for incoming Downloadables from SRX Gateways. Specifically, Sky ATP includes a
`
`SRX API interface for receiving files that are uploaded to Sky ATP through a SRX Gateway using a
`SRX API interface for receiving files that are uploaded to Sky ATP through a SRX Gateway using a
`
`connection. The Sky ATP includes proxy software that implements an SRX API that acts as a
`connection. The Sky ATP includes proxy software that implements an SRX API that acts as a
`
`“receiver” to download and receive files that an SRX Appliance has submitted for processing. The
`“receiver” to download and receive files that an SRX Appliance has submitted for processing. The
`
`SRX Appliance can submit downloaded files for processing to Sky ATP through an API. Sky ATP
`SRX Appliance can submit downloaded files for processing to Sky ATP through an API. Sky ATP
`
`includes proxy software that implements an SRX API interface on Sky ATP which is a receiver as
`includes proxy software that implements an SRX API interface on Sky ATP which is a receiver as
`
`stated in the claims because it downloads executable content that is submitted from the SRX Gateway
`stated in the claims because it downloads executable content that is submitted from the SRX Gateway
`
`to Sky ATP for analysis and resulting security information. Ex. 7, FINJAN-JN 005382 at 85.
`to Sky ATP for analysis and resulting security information. Ex. 7, FINJAN-JN 005382 at 85.
`9
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 423-12 Filed 04/11/19 Page 12 of 29
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`29.
`
`Juniper confidential internal documents also confirm that the SRX Gateways and the
`Juniper confidential internal documents also confirm that the SRX Gateways and the
`
`SRX API module of Sky ATP are receivers that receive incoming Downloadables. The SRX API uses
`SRX API module of Sky ATP are receivers that receive incoming Downloadables. The SRX API uses
`
`the Kookaburra software module as a mechanism as part of the SRX API. Ex. 15, JNPR-
`the Kookaburra software module as a mechanism as part of the SRX API. Ex. 15, JNPR-
`
`FNJN_29017_00552691. The SRX Gateways include the Juniper Advanced Anti-Malware Solution,
`FNJN_29017_00552691. The SRX Gateways include the Juniper Advanced Anti-Malware Solution,
`
`which allows the SRX Gateways to integrate with Sky ATP, which is hosted as part of the “Argon
`which allows the SRX Gateways to integrate with Sky ATP, which is hosted as part of the “Argon
`
`Cloud.” The SRX Gateways use their proxy software to receive Downloadables incoming to the web
`Cloud.” The SRX Gateways use their proxy software to receive Downloadables incoming to the web
`
`clients on the end users, and then submits the file through the “Data Plane” to Sky ATP. The SRX
`clients on the end users, and then submits the file through the “Data Plane” to Sky ATP. The SRX
`
`Gateways begin transfer after the file in the stream has been identified. Sky ATP uses its proxy
`Gateways begin transfer after the file in the stream has been identified. Sky ATP uses its proxy
`
`software to implement an API that receives the Downloadable. Sky ATP can then return a verdict
`software to implement an API that receives the Downloadable. Sky ATP can then retu