Case 3:17-cv-05659-WHA Document 424-21 Filed 04/11/19 Page 1 of 107
REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
DKT. 238-6
(REDACTED)

EXHIBIT 1
UNREDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED

PAUL ANDRE (State Bar No. 196585)
pandre@kramerlevin.com
LISA KOBIALKA (State Bar No. 191404)
lkobialka@kramerlevin.com
JAMES HANNAH (State Bar No. 237978)
jhannah@kramerlevin.com
KRISTOPHER KASTENS (State Bar No. 254797)
kkastens@kramerlevin.com
KRAMER LEVIN NAFTALIS & FRANKEL LLP
990 Marsh Road
Menlo Park, CA 94025
Telephone: (650) 752-1700
Facsimile: (650) 752-1800

Attorneys for Plaintiff
FINJAN, INC.

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO DIVISION

FINJAN, INC., a Delaware Corporation,
Plaintiff,
v.
JUNIPER NETWORKS, INC., a Delaware Corporation,
Defendant.

Case No.: 3:17-cv-05659-WHA
EXPERT REPORT OF DR. ERIC COLE
HIGHLY CONFIDENTIAL – SOURCE CODE

COLE EXPERT REPORT
HIGHLY CONFIDENTIAL – SOURCE CODE
CASE NO. 3:17-cv-05659-WHA

I, Eric Cole, hereby declare that:

1. I have been asked by Plaintiff Finjan, Inc. to submit an expert report on whether Juniper, Inc.’s SRX Gateways [1] and Sky ATP [2] products (“Accused Products”) infringe claim 10 of U.S. Patent No. 8,677,494 (the “’494 Patent”). In particular, I have been asked to opine on whether the SRX Gateways and Sky ATP include a “database” as recited by the claim language. I understand that there was an order dated August 31, 2018 in which Finjan’s summary judgment was granted in part in connection with the ‘494 Patent. August 31, 2018 Order. I relied on the documents cited herein, including the ‘494 Patent (and incorporated disclosures), the file history of the ’494 Patent, the source code review computer, source code printouts, the deposition transcripts of Tenorio, Manthena, Nagarajan, and Manocha, as well as exhibits thereto, Finjan’s Infringement Contentions, Juniper’s Discovery Responses, and the summary judgment briefing, exhibits, and order related to the ‘494 Patent. I found that every element of Claim 10 of the ‘494 Patent is met by the Accused Products.

[1] SRX Gateways includes all SRX Gateways that are capable of interacting with Sky ATP, and includes SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX340, SRX345, SRX550, SRX550m, SRX650, SRX1400, SRX1500, SRX3400, SRX3600, SRX4000, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800, vSRX Virtual Firewall, vSRX (including 10Mbps, 100Mps, 1000Mbps, 2000Mbps, 4000Mbps version), Next Generation Firewall, cSRX Container Firewall. SRX Gateways include all supporting server or cloud infrastructure, feeds, and other components SRX Gateways utilize.

[2] Sky ATP includes the cloud infrastructure for Sky ATP, and includes the following service subscriptions Free Sky ATP, Basic Sky ATP (SRX340-THRTFEED-1, 3, 5; SRX345-THRTFEED-1, 3, 5; SRX550-THRTFEED-1, 3, 5; SRX1500-THRTFEED-1, 3, 5; SRX4100THRTFEED-1, 3, 5; SRX4200-THRTFEED-1, 3, 5; SRX5400-THRTFEED-1, 3, 5; SRX5600-THRTFEED-1, 3, 5; SRX5800-THRTFEED-1, 3, 5; VSRX10MTHRTFEED-1, 3, 5; VSRX100MTHRTFEED-1, 3, 5; VSRX1GTHRTFEED-1, 3, 5; VSRX2GTHRTFEED-1, 3, 5; and VSRX4GTHRTFEED-1, 3, 5) and Premium Sky ATP (SRX340-ATP-1, 3, 5; SRX345-ATP-1, 3, 5; SRX550-ATP-1, 3, 5; SRX1500-ATP-1, 3, 5; SRX4100-ATP-1, 3, 5; SRX4200-ATP-1, 3, 5; SRX5400-ATP-1, 3, 5; SRX5600-ATP-1, 3, 5; SRX5800-ATP-1, 3, 5; VSRX10M-ATP-1, 3, 5; VSRX100M-ATP-1, 3, 5; VSRX1G-ATP-1, 3, 5; VSRX2G-ATP-1, 3, 5; and VSRX4G-ATP-1, 3, 5). Sky ATP includes all supporting server or cloud infrastructure, feeds, and other components utilized by Sky ATP including Spotlight Secure Threat Intelligence Platform. Sky ATP also includes all products that receive updates from the service.

I. EXPERIENCE AND QUALIFICATIONS

2. I hold a master's degree in computer science and a doctorate in information security and have worked in the cyber and technical information security industry for over 25 years. A copy of my CV is attached as Appendix A. I am a member of the European InfoSec Hall of Fame, a professional membership awarded by nomination and election by a panel of industry experts. I am the founder of Secure Anchor Consulting where I provide cyber security consulting services and am involved in advanced information systems security. I am a Fellow and instructor with The SANS Institute, a research and education organization consisting of information security professionals. I am an author of several security courses such as SEC401-Security Essentials and SEC501-Enterprise Defender. I worked for the government for 8 years as an employee and have held various contracting jobs with government agencies, which involved working with classified information. I held or hold various top-secret security clearances with Department of Defense, CIA, and Nuclear Regulatory Commission (NRC). I worked for a wide range of government organizations including the FBI, NSA, CIA, DOE, DOD, NRC, Treasury, and Secret Service. As former Chief Scientist and Senior Fellow for Lockheed Martin, I performed research and development in information systems security. At Lockheed Martin, I served as technical advisor in high-profile security projects for government clients including the Department of Defense, the FBI Sentinel case management systems, Department of Homeland Security Enterprise Acquisition Gateway for Leading Edge solutions, Jet Propulsion Labs, Hanford Labs, and FBI Information Assurance Technology Infusion programs. As former CTO for McAfee I executed the technology strategy for technology platforms and external relationships to establish product vision and achieve McAfee’s goals. I am a contributing author of “Securing Cyberspace for the 44th President” and served as a commissioner on cyber security for President Obama. My 8 books on cyber security include “Network Security Bible - 2nd Edition,” “Advanced Persistent Threat,” and “Insider Threat,” which are recognized as industry-standard sources.

A. Compensation

3. My rate of compensation for my work in this case is $475 per hour plus any direct expenses incurred. My compensation is based solely on the amount of time that I devote to activity related to this case and is in no way affected by any opinions that I render. I receive no other compensation from work on this action. My compensation is not dependent on the outcome of this case.

II. LEGAL STANDARDS

4. Counsel for Finjan has informed me of the following legal standards that I have used as a framework in forming my opinions contained herein.

5. I have been informed that claim construction is a legal issue for the Court to decide. I also understand that the Court has not issued a claim construction order in this case. However, I understand that the Court has made certain findings in his summary judgement order and I have applied those findings. For the remaining terms, I have applied the plain and ordinary meaning, unless identified below.

6. I have been informed that infringement is determined on a claim by claim basis. I have been further informed that literal infringement is found if an accused product, system or method meets each and every element of a single claim. I have been informed that direct infringement is found if a party or its agents make, use, sell, or offer to sell a product or system that contains all elements of a claimed system or perform all of the steps of a claimed method.

7. I have been informed that in the case of direct infringement of a system claim, a party can be found to use a patented system even if the party does not exercise physical or direct control over every element of the system. For elements that are not subject to the physical or direct control of the party, I have been informed that the party is still deemed to be using that component or part of the patented system when (1) it puts the component into service, i.e., causes it to work for its intended purpose and (2) receives the benefit of that purpose. For example, if a company queries a third-party's database, thereby causing the database to run a query and return a result to the company, the company is deemed to have used the database for infringement purposes by putting it into service (causing it to run the query) and receiving the benefit of that operation (the result of the query), even though the company does not own or control the database.

8. I have been informed that infringement under the doctrine of equivalents is found if an accused product, system or process contains parts or steps that are identical or equivalent to each and every element of a single claim. A part or step is equivalent if a person of ordinary skill in the art would conclude that the differences between the product or method step and the claim element were not substantial at the time of infringement. I have been further informed that one common test to determine if the difference between a component or method step and a claim element is not substantial is asking if the component or step performs substantially the same function, in substantially the same way, to achieve substantially the same result.

9. I have been informed that in the case of direct infringement of a multinational system claim where elements of such system are located in multiple countries, a party can be found to use the patented system in the United States if the place where control of the accused system is exercised and where beneficial use of the system is obtained are both within the United States. For example, if the accused system is controlled by a device in the United States that generates requests sent to the accused system and the benefit of the accused system is obtained by the company or person using the device in the United States, the company is deemed to have used the accused system for infringement purposes in the United States even though the accused system has some elements located outside the United States.

A. Person of Ordinary Skill in the Art

10. Based on review of the Asserted Patents and consideration of the abovementioned factors, it is my opinion that a person of ordinary skill in the art at the time of the invention of the Asserted Patents would be someone with a bachelor’s degree in computer science or related field, and either (1) two or more years of industry experience and/or (2) an advanced degree in computer science or related field. I understand that claim 10 of the ‘494 Patent claims a priority date of November 8, 1996. But if the ‘494 Patent is found to have another priority date it would not materially affect my analysis.

III. SUMMARY OF OPINION

11. I have been asked by counsel for Finjan to consider if Juniper infringes claim 10 of the ‘494 Patent. The material I relied on is set forth in my report and attached as Appendix B. I assumed that claim 10 of the ‘494 Patent is valid and enforceable. I also assumed, based on the Court’s August 31 Order, that all elements of Claim 10 of the ‘494 Patent have already been found to be infringed except whether the SRX Gateways and Sky ATP meet the “database” limitation of the claim. I provide my analysis for all elements below and focus on the database limitation.

12. The language of Claim 10 of the ‘494 Patent is set forth below.

10. A system for managing Downloadables, comprising:

(10a) a receiver for receiving an incoming Downloadable;

(10b) a Downloadable scanner coupled with said receiver, for deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable; and

(10c) a database manager coupled with said Downloadable scanner, for storing the Downloadable security profile data in a database.

13. I have considered whether the SRX Gateways operating with Sky ATP and Sky ATP alone infringe claim 10 of the ‘494 Patent. I have confirmed that the functionality that I describe was available and in use before January 29, 2017. I confirmed this with the source code and release notes that the products currently operate in the same manner as what is set forth in those documents. See, for example, JNPR-FNJN_29006_00162260 at 60-64. The following description of the products is undisputed based on Juniper’s products and testimony.

14. Notably, Joe Sandbox is a modular architecture that consists of a controller machine and multiple connected analysis machines hosted by virtualization products such as VMware or VirtualBox. Files and URLs are uploaded for analysis which are first analyzed statically followed by dynamic analysis. After dynamic analysis is run on the file, a malware similarity report is generated that describes the results of the analysis.

15. In addition, OPSWAT uses multi-scanning and multiple anti-malware engines to detect threats. OPSWAT utilizes signature heuristic scanning and machine learning. It includes data sanitization which sanitizes common file types and rebuilds them. It also includes vulnerability assessment, archive extraction, file type verification and customized security policies to process files.

IV. DEMONSTRATIVES

16. I have created certain illustrative demonstratives produced with this report and intend to create similar demonstratives for trial, including demonstratives that show the claim at issue, as well as displaying my background information. I also intend to create demonstratives showing an overview of my opinion and the material I relied on in preparing my opinion. I may also create demonstratives which show the testimony of different Juniper employees. Furthermore, for the sake of clarity I may create demonstratives identifying relevant information in evidence such as documents and source code.

17. I intend to create demonstratives demonstrating the operation of the Accused Products. For example, I will create demonstratives that show how the SRX Gateway can submit a Downloadable to Sky ATP, how Sky ATP will store this Downloadable and then begin to process the data using its Pipeline Manager, and then how the results that are generated from the Pipeline Manager are stored in the ResultsDB Database using the ResultsDB Manager software. The figures I will create will be generally consistent with what Juniper provides in its public and/or internal documents, such as at FINJAN-JN044737, FINJAN-JN044735, JNPR-FNJN_29017_00553620 at 659, and JNPR-FNJN_29018_00963203 at 3210; JNPR_FNJN_29008_00514106 at 137; JNPR_FNJN_29008_00514106 at 174. However, in the interest of clarity I may simplify the figures, including by removing components that are not relevant to the analysis, or by including call-outs describing the different elements.

18. I intend to create a demonstrative to demonstrate how hackers and other malicious actors typically target computer systems, and the type of counter-measures companies can take to protect themselves from attack. I intend to give examples of how well-known public websites are vulnerable to attack, and the various vectors attackers use to target these websites.

V. OVERVIEW OF THE ‘494 PATENT

19. The technology of the ‘494 Patent generally relates to protecting against a potentially malicious “Downloadable.” ‘494 Patent at Col. 1, ll. 60-63. At the time of the invention claimed in the ‘494 Patent, a Downloadable was a new type of threat in the form of executables, JavaScript, PDFs, etc. Id. at Col. 2, ll. 59-64. In a typical scenario, a Downloadable is delivered to a computer from another computer on the Internet (sometimes called a server) where there is not a sufficient level of trust and is a common avenue for adversaries to deliver malicious code to a system. Id. at Col. 2, ll. 51- Col. 3, ll. 2. This code often comes from untrusted sites or persons on the Internet and could run without the user’s knowledge or permission. Id. at Col. 2, ll. 51- Col. 3, ll. 2. Claim 10 of the ‘494 Patent describes a system addressing this problem, and which downloads content, inspects content that is downloaded, determines if the downloaded content may perform malicious or suspicious operations, and stores this security profile in a database. Id. at Claim 10.

20. The ‘494 Patent (through its incorporation of the ‘780 Patent as a parent application), includes a description of the operations that are “suspicious.” ‘780 Patent, Col. 6, ll. 1-16.

21. Suspicious operations described include operations for reading and writing files, sending or sending data over a network, and changing the registry.

22. The system in Claim 10 of the ‘494 Patent uses a malware scanning approach that was pioneered by Finjan. Deriving or generating Downloadable security profile data is quite different than the traditional signature based detection that was used before Finjan’s inventions. The traditional signature based system could only detect known malware. The Downloadable security profile approach permits the system to detect potentially suspicious malware based on the potential behavior of the malware. The generation of new data in the form of the Downloadable security profile data can be used to make decisions on what actions, if any, the system can take with respect to the Downloadable. The system in Claim 10 sets forth a number of ways that the security profile can be used to protect against threats. In one example, the security profile may be used in real-time to make a decision of what action would be allowed to be taken. In other instances, the profile could be analyzed by other processes as part of a security system used to classify malicious content. In further instances, the profile could be used to provide information to a customer regarding the types of threats that are observed on the network.

23. Claim 10 of the ‘494 Patent includes an ordered combination of elements that were novel in 1996. At this time, viruses had not reached their current pandemic stage, and traditional, signature-based detection was considered sufficient protection. However, Claim 10 of the ‘494 Patent anticipated a new mechanism, where a profile would be derived based on the actual suspicious operations that may be performed by the particular downloadable based on an ordered combination. This allowed for more generalized protection, including protection against viruses that had never been seen before, but was typically at the expense of increased processing costs related to each particular Downloadable. However, this mechanism in Claim 10 was particularly prescient, and was found to allow for protection against new viruses and malware that had not yet been “captured” for analysis.

24. The system in Claim 10 provides for a database manager that is utilized for storing the Downloadable security profile data in a database. Once the new Downloadable security profile data is generated by the system, it is important to store the new data in a database so it can be used for future use. This allows for significant efficiency in the system. The component of “database manager” used within the claim is novel because it allows for the reuse of Downloadable security profile data in a manner that allows it to be used in a security system context where it can be managed for better use because there is a program that is controlling the database for the storage and access of this information.

25. The system claimed in Claim 10 of the ‘494 Patent provides tangible benefits over then-existing malware detection technology. For example, by teaching detection based on a list of suspicious operations, these claims make it possible to detect malicious software without having previously identified the software as dangerous. In contrast, then-conventional technology was based on signature matching, which required previously identifying software as potentially malicious and looking for known signatures, but was unable to identify new threats as malicious until after the fact and could not protect against Downloadables. Furthermore, Claim 10 requires storing the downloadable security profile in the database, which has a number of benefits, including allowing information to be shared across different processing stages, or to be stored for future access to avoid duplication.

VI. BENEFITS OF THE ‘494 PATENT

26. As discussed above, the ‘494 Patent focuses on inspecting content, generating a profile for the content, and storing the profile in a database. This profile can be used in a number of ways to protect against threats. In one example, the profile may be used in real-time to make a decision of what action would be allowed to be taken. In other instances, the profile could be analyzed by other processes as part of a security system used to classify malicious content. In further instances, the profile could be used to provide information to a customer regarding the types of threats that are observed on the network.

27. More specifically, the technology focuses on protecting a system against a potentially malicious Downloadable. A Downloadable is typically delivered to a computer from another computer where there is not a sufficient level of trust and is a common avenue for hackers to deliver malicious code to a system. This code often comes from untrusted sites or persons on the Internet and could run without the user’s knowledge or permission. The Downloadable is often in the form of Java applets, ActiveX controls, JavaScript, Visual Basic scripts, HTML, PDFs, etc. Users often visit websites that they believe are legitimate and are inadvertently tricked into having code downloaded to their system that causes harm. Since the code can be very stealthy and bypass traditional security controls, additional protection that is provided in the ‘494 Patent is needed in order to minimize the damage that can be caused by this code.

28. The technology protects a computer system using a system for managing Downloadables. This system includes a receiver for receiving incoming Downloadables - whereas conventional anti-virus software searches for viruses already resident in a client’s file system which exposes the client computer to additional security threats, such as JavaScript and VBScript content which may be executed upon entry into a client computer by the client’s Internet browser. The system reviews the incoming Downloadable and creates a security profile that verifies and validates the actions that the code is going to take on the system. The system stores the profile in a database and can use the results of the analysis to allow code to run or prevent it from running on the system.

29. SRX Gateways and Sky ATP act as a receiver of incoming Downloadables intended for client computers. SRX Gateways and Sky ATP generate a security profile that includes a list of suspicious operations for Downloadables and stores the profiles in a database. SRX Gateways and Sky ATP further stores the results in, for example, the ResultsDB. The databases include database schemas to organize the data and serve one or more other applications.

30. This system provides a number of technical benefits for the customers of Juniper. By collecting profiles in a database, intelligence is gathered and distributed across the entire Juniper network and allows customers to proactively block threats and reduce samples that lead to false positives. This allows Juniper and its customers to respond to the most potentially destructive threats while also reducing costs. Additional evidence of the importance of this technology is the fact that Juniper has devoted additional resources to increase its use. In fact, Juniper made a strategic decision to purchase Cyphort to strengthen its focus in this area. Thus, the increased use of this technology demonstrates that it is an important technology for Juniper and its customers.

31. Moreover, the technology provides many benefits for the customers of Juniper, including accuracy as having a database of the results that allows Juniper and its customers to more accurately identify and neutralize malware designed to evade detection technology.

32. Users of this system will also see an increase in speed and efficiency because once the system generates a profile for a given Web page it does not have to undergo this operation again. Instead, the system can retrieve the stored DSP from the database. This saves on computation time for having to reanalyze the downloadable via Sky ATP, but also on bandwidth because the system does not have to send the downloadable to Sky ATP to re-analyze it if the downloadable was already scanned.

33. Furthermore, the SRX Gateways and Sky ATP allow customers better protection as malware can be stopped before it reaches the file system of the client computer. This is because the Internet poses additional security threats, as such content may execute upon entry into a client computer. Content such as JavaScript and VBScript may be executed by an Internet browser, as soon as the content is received within a web page. This technology allows the malware you identify to be blocked at the gateway.

34. This technology also provides many benefits for Juniper. For example, integrating the data resulting from the Sky ATP analysis allows this data to be used for Juniper research and analysis of the threat picture which can be fed into the Juniper network. It is important for Juniper to have a continuously updated threat picture because it must be able to defend and protect its customers. The integration of cloud technology that stores results of the sandboxing analysis reduces total cost of security for the customer and allows them to more effectively block threats. It also dramatically reduces advanced threat payloads resulting in lower capacity and capital costs required for malware inspection using sandboxing solutions.

35. Juniper’s Sky ATP includes sandboxing that is used to identify the “zero day threats” that are seen. FINJAN-JN 005438 at 5439 (“Patent pipeline of technologies to analyze sophisticated malware, “detonate” files in a controlled sandboxing environment, and identify zero day threats.”). Based on Juniper’s documentation, I understand that it takes approximately 6-7 minutes for the Sky ATP sandbox to perform its analysis on a suspect file. FINJAN-JN 044844; FINJAN-JN044744 at 4763-764 (“The majority of the time spent inspecting a file is in dynamic analysis … The file is uploaded to this environment and is allowed to run for several minutes.”). JNPR_FNJN_29008_00514106 at 137; Id. at 174. This analysis includes creating the security profile of the suspect file. If the data security profile is already in the database because Sky ATP has already seen the file, then the Sky ATP takes less than 1 second to make that determination. FINJAN-JN 044844. As described, the number of servers that would be required to process a file for sandboxing would be 360-420 times greater (6-7 minutes * 60 seconds) than what is required to serve the file from the database of results (1 second). This is because the server that would be utilized for only 1 second to serve a response, will now be occupied for an additional 359-419 seconds. Furthermore, if the file is not previously known it will also run through the infringing static analysis processing performed in Sky ATP (in addition to the infringing Sandboxing) meaning that the amount of processing power required by the Sky ATP would be actually more than 360-420 times what is required using the database look-up. FINJAN-JN 044844; FINJAN-JN044744 at 4763 (“Basic static analysis is … around 30 seconds”). Based on my analysis of the Sky ATP system, Juniper enjoys great technical benefits based on its use of a system that infringes Claim 10 of the ‘494 Patent.

36. Juniper uses Amazon Web Services (“AWS”) for much of the Sky ATP analysis conducted in the US West, EU West, APAC, and Canada regions. For Joe Sandbox, Juniper uses Servers from (1) Iweb in Canada, Santa Clara (United States), and Amsterdam (European Union) and (2) IBM in Tokyo, Japan. [Resp. to Rog 11]. However, in response to a request for “All Documents, including contracts, agreements, and invoices associated with the purchase, implementation,
