Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 1 of 12
`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 1 of 12
`
`
`
`
`
`EXHIBIT 5
`EXHIBIT 5
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 2 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
`Nagarajan, Chandra (Vol. 01) - 05/31/2018
`1 CLIP (RUNNING 00:31:58.496)
`
`Plaintiff's Deposition Designations for Chandra Nagarajan - Accepted Counters, Juniper's Counters,
`and Finjan's Counters (05-31-
`
`72 SEGMENTS (RUNNING 00:31:58.496)
`CN0531-CC
`1. PAGE 10:05 TO 10:20 (RUNNING 00:00:47.877)
` 05 CHANDRA NAGARAJAN,
` 06 the witness herein, having been first duly sworn, was
` 07 examined and testified as follows:
` 08 EXAMINATION
` 09 BY MR. LEE:
` 10 Q Where do you work?
` 11 A I work in Juniper Networks.
` 12 Q What's your position at Juniper Networks?
` 13 A My position is a senior director in the
` 14 security business group.
` 15 Q What are your responsibilities?
` 16 A I manage a team of engineers and -- I'm
` 17 responsible for the engineering delivery of the product.
` 18 So I ensure we get the right specifications for the
` 19 product, and then we execute the schedule we come up
` 20 with for the features requested.
`2. PAGE 11:21 TO 12:20 (RUNNING 00:01:32.753)
` 21 Q What is Sky ATP?
` 22 A Sky ATP is a cloud-delivered advanced threat
` 23 prevention service. It -- it works directly with SRX
` 24 and then try -- it tries to get files out of the
` 25 network, whatever is going through the network and makes
` 00012:01 a determination, to the best of its ability, what the
` 02 threat level of those files are. And it's -- it's
` 03 basically a SAS type of product where the most of the
` 04 functionalities reside in the cloud and the user itself
` 05 logs into the cloud and most of the input -- input on
` 06 the user interface is on the cloud site.
` 07 Q What does Sky ATP stand for?
` 08 A Sky is, I guess, is just a brand name, and the
` 09 A. T. P. is for advanced threat prevention.
` 10 Q What is advanced threat prevention?
` 11 A What is advanced -- so the advanced threat
` 12 prevention, the name mainly comes because in the market,
` 13 there are a lot of AVs which can detect if something
` 14 is -- is good or bad based on what they know. But
` 15 advanced threat prevention is something even if you get
` 16 a file, which it doesn't know about, it tries to
` 17 evaluate to the best of its capability and determines
` 18 the threat level.
` 19 Q So advanced threat prevention is for unknown
` 20 threats?
`3. PAGE 12:22 TO 12:23 (RUNNING 00:00:06.646)
` 22 A Advanced threat protection is both for known
` 23 threats and also for unknown threats.
`4. PAGE 12:24 TO 12:24 (RUNNING 00:00:03.404)
` 24 Q What are the key components of Sky ATP?
`
`CONFIDENTIAL
`
`page 1
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 3 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
`5. PAGE 13:01 TO 13:19 (RUNNING 00:01:16.038)
` 00013:01 A So the key components of Sky ATP is there is a
` 02 module in SRX which -- which analyzes a protocol, and if
` 03 there is a -- is a particular file is fetched by the
` 04 client, it determines the file category of it. And then
` 05 if the user has configured that category to be analyzed,
` 06 it takes the file, sends it to the cloud. Okay. And
` 07 that's the first part of it.
` 08 And then the action mostly moves the cloud
` 09 where we have a set of adapters which inspects these
` 10 files and -- there are a series of adapters which
` 11 inspects these files, tries to get the behaviors of
` 12 these files, and then it tries, to the best of its
` 13 ability, to determine the threat level to this file.
` 14 And the threat level can be -- the user can choose to do
` 15 what with the threat level. They can try -- they can
` 16 configure policies to let it go or just -- just log or
` 17 they can configure policies to block it, or they can
` 18 even configure to just to analyze these files without
` 19 doing anything.
`6. PAGE 17:02 TO 17:14 (RUNNING 00:00:45.557)
` 02 Q All right. In the collection of behaviors and
` 03 the threat levels, are they stored anywhere?
` 04 A The collection of behaviors is -- for a
` 05 particular file is stored in -- in a file in S3, and --
` 06 but the mapping of the behavior to the threat level is
` 07 not stored. It's -- it's on a machine-learning
` 08 algorithm. Even we don't -- even we're not able to
` 09 clearly explain how that maps to the threat level. It's
` 10 something which is a learned behavior by the machines.
` 11 Q Is there -- strike that.
` 12 Did you say the collection of behaviors is
` 13 stored in S3?
` 14 A Yes.
`7. PAGE 17:24 TO 18:14 (RUNNING 00:01:05.733)
` 24 How do you know which file performed the
` 25 collection of behaviors?
` 00018:01 A Oh, I see. Okay.
` 02 So whenever each file is given to the Sky ATP,
` 03 we calculate a SHA-256. It's -- it's really a unique
` 04 identifier to identify that file. And the collection of
` 05 whatever behaviors of all the adapters which we store in
` 06 S3 is linked to that -- the SHA-256 ID.
` 07 Q How is it linked to the SHA-256 ID?
` 08 A So we store the ID in the DynamoDB of AWS, and
` 09 then from there, there's a link to the S3 for that
` 10 sample, which -- which has all this -- all the results
` 11 of the various adapters stored in a file in some
` 12 unstructured format. It's a JSON format, and it has
` 13 various sections where all the -- it has information of
` 14 the behaviors from various adapters.
`8. PAGE 18:16 TO 18:20 (RUNNING 00:00:15.892)
` 16 So the collection of behaviors is stored in
` 17 DynamoDB, and there's a -- a link --
` 18 A Not -- the collection of behaviors is not
` 19 stored in the DynamoDB. The collect -- the SHA ID and
` 20 the link to the behaviors are stored in the DynamoDB.
`9. PAGE 18:21 TO 19:01 (RUNNING 00:00:18.968)
` 21 Q When you say the "link to the behaviors," can
` 22 you elaborate? Is that two -- the SHA-256?
`
`CONFIDENTIAL
`
`page 2
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 4 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
` 23 A No. The -- the actual behaviors are stored in
` 24 the S3. Once you look up a SHA-256, somehow you were to
` 25 get to that file where all this information is stored.
` 00019:01 That's why I call it as a link.
`10. PAGE 19:02 TO 19:05 (RUNNING 00:00:16.312)
` 02 Q And you say a link. Is it like a hyperlink?
` 03 A I haven't exactly looked at the source code,
` 04 so I won't be able to authoritatively state how it looks
` 05 like. I think the answer should be in the source code.
`11. PAGE 19:06 TO 19:17 (RUNNING 00:00:46.087)
` 06 Q What is DynamoDB?
` 07 A The DynamoDB is an Amazon-provided service.
` 08 And it is a -- it is a new class of schema LS database
` 09 where you can store some key-value files in the -- in
` 10 the DynamoDB. And it's very -- very efficient. They
` 11 provide a higher availability in all those things.
` 12 Q What do you mean by key-value pairs?
` 13 A The key-values -- for example, the SHA-256,
` 14 that's a key for us to locate the -- all this
` 15 information of the various adapters. And the value I
` 16 would say what I would call is the link to get the
` 17 behaviors.
`12. PAGE 19:18 TO 19:19 (RUNNING 00:00:06.223)
` 18 Q Is anything else stored in DynamoDB other than
` 19 the SHA-256 and the link to the behaviors?
`13. PAGE 19:21 TO 20:01 (RUNNING 00:00:20.601)
` 21 A So I -- I would say since my involvement is at
` 22 the -- the secondary level, I haven't looked at the
` 23 source code. So I would say maybe the threat level is
` 24 stored, if I were to guess, here. I think the source
` 25 code would be the most authoritative. But I would --
` 00020:01 it's possible that the threat level is stored there.
`14. PAGE 23:07 TO 23:14 (RUNNING 00:00:29.248)
` 07 Q Are these characteristics stored anywhere?
` 08 A Again, the characteristics are stored in the
` 09 file, whatever we mentioned before. That is a file
` 10 where it's an unstructured format in JSON. It has the
` 11 results of the adapters. Whatever characteristics we --
` 12 we get out of this greyduckling is again stored as a
` 13 result in that file as a -- as an analysis of the
` 14 greyduckling adapter.
`15. PAGE 23:15 TO 23:16 (RUNNING 00:00:03.640)
` 15 Q Is there a name for this file that contains
` 16 the results?
`16. PAGE 23:18 TO 24:03 (RUNNING 00:00:34.043)
` 18 A So it is -- I'm not aware of any name. So
` 19 we -- we -- I think in the code maybe it is referred as
` 20 a results database, where it has the identifier with the
` 21 links we set to the results of all the adapters of the
` 22 file.
` 23 Q Just to be clear, I'm asking about the -- the
` 24 file that contains all the results.
` 25 A Uh-huh.
` 00024:01 Q You said it's a JSON file?
` 02 A Yes.
` 03 Q Is there a name for that file?
`
`CONFIDENTIAL
`
`page 3
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 5 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
`17. PAGE 24:05 TO 24:10 (RUNNING 00:00:23.551)
` 05 A There's a -- is there a technical name? It's
` 06 just a -- it is just a -- it's -- you can call it
` 07 results -- adapter results file, but I don't think we
` 08 call it in -- a specific name for that file. Maybe the
` 09 file name is usually identified as a ID, dot, something,
` 10 the name of the file itself, the way it is stored.
`18. PAGE 24:11 TO 24:15 (RUNNING 00:00:17.963)
` 11 Q Is this JSON fail -- file stored in results
` 12 database?
` 13 A So the JSON file is stored in S3. And the --
` 14 the DynamoDB links the -- the identifier for the file to
` 15 the results file.
`19. PAGE 24:18 TO 24:23 (RUNNING 00:00:21.147)
` 18 Q Did you mention a results database?
` 19 A So in the -- in the -- technically internal to
` 20 the team, we refer to it as a results database. In the
` 21 code maybe there is reference to the results database,
` 22 but the -- the way it works is we're using the DynamoDB
` 23 and the JSON file.
`20. PAGE 24:24 TO 25:11 (RUNNING 00:00:56.249)
` 24 Q What is the results database?
` 25 A I'll -- I'll repeat one more time since the
` 00025:01 question is the same. So the results database, whatever
` 02 you see in the code is just your DynamoDB, which has a
` 03 key as the SHA-256 as an identifier. And from there you
` 04 can directly link to the JSON file, which has all the
` 05 behaviors of the adapter, and the JSON file is stored in
` 06 S3.
` 07 Q So the results database is a combination of
` 08 DynamoDB and S3?
` 09 A Yes. It's a combination of the -- the
` 10 DynamoDB and the -- and the information in S3.
` 11 Q What's the purpose of the results database?
`21. PAGE 25:13 TO 25:20 (RUNNING 00:00:35.438)
` 13 A The purpose of the -- the DynamoDB is -- is
` 14 when you get a file from the SRX, the cloud calculates
` 15 the ID using the SHA-256 column, and it looks up the
` 16 DynamoDB and then gets the threat level. And if the
` 17 file existed, you'll immediately get the threat level.
` 18 If it doesn't exist, then the code allows it to go
` 19 through the rest of the adapters to get the file -- file
` 20 analysis more.
`22. PAGE 32:17 TO 33:02 (RUNNING 00:00:41.285)
` 17 Q Previously, I asked you what are the key
` 18 components for Sky ATP. Do you recall that?
` 19 A Uh-huh.
` 20 Q I think you mentioned SRX adapters and
` 21 policies?
` 22 A Uh-huh. I -- okay. That's correct. There
` 23 are some modules in SRX to get the files.
` 24 Q So why are the adapters a key component?
` 25 A The adapters are a key component because the
` 00033:01 adapters determine the threat level for the file, which
` 02 is the primary -- primary goal of this ATP product.
`23. PAGE 35:20 TO 35:20 (RUNNING 00:00:02.751)
` 20 Q Why was Sky ATP developed?
`
`CONFIDENTIAL
`
`page 4
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 6 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
`24. PAGE 35:22 TO 36:01 (RUNNING 00:00:20.780)
` 22 A So in the -- in the NG firewall, one of the --
` 23 one of the components of an NG firewall is advanced
` 24 threat prevention. And in order to -- to get that
` 25 functionality in an NG firewall, we started developing
` 00036:01 Sky ATP.
`25. PAGE 36:02 TO 36:10 (RUNNING 00:00:29.854)
` 02 Q What does NG firewall stand for?
` 03 A The next -- the next-generation firewall.
` 04 It's, typically, the -- the -- the firewalls previously
` 05 used have L3 services, and the next-generation firewalls
` 06 typically has -- tries to inspect the layer 4 to layer 7
` 07 services.
` 08 Q So in order for the SRX to qualify as an NG
` 09 firewall, it needs to have the functionality from Sky
` 10 ATP?
`26. PAGE 36:12 TO 36:16 (RUNNING 00:00:22.759)
` 12 A So ATP is one of the many functionalities of
` 13 NG firewall. And in order to get that one
` 14 functionality, an NG firewall Sky ATP was added.
` 15 Q How does Sky ATP help SRX qualify as an NG
` 16 firewall?
`27. PAGE 36:18 TO 36:21 (RUNNING 00:00:20.401)
` 18 A So, again, as I said, there are many features
` 19 for NG firewall. And one of them is ATP. And SRX
` 20 didn't have that ATP feature before. And in order to --
` 21 to get that functionality, we added Sky ATP.
`28. PAGE 36:24 TO 36:25 (RUNNING 00:00:09.752)
` 24 Q How does adding advanced threat protection
` 25 help SRX qualify as an NG firewall?
`29. PAGE 37:02 TO 37:08 (RUNNING 00:00:25.884)
` 02 A So there is no -- there's nobody who is
` 03 certifying if you are in an advanced threat prevention,
` 04 only then you can call it as NG firewall. It is -- it
` 05 is -- it is just that our product marketing felt that we
` 06 should -- we should have that advanced threat prevention
` 07 functionality since we are selling an NG firewall, and
` 08 that's why it got developed.
`30. PAGE 39:23 TO 39:24 (RUNNING 00:00:05.758)
` 23 Q Did you say that the results DB determines the
` 24 format in which the JSON results are stored?
`31. PAGE 40:01 TO 40:10 (RUNNING 00:00:43.981)
` 00040:01 A So the -- the results DB is really not a --
` 02 the database in -- it's a schema LS database. Okay? So
` 03 as I have explained multiple times before, the -- the --
` 04 all the adapter behaviors are stored in a JSON file in
` 05 an unstructured way, and then it -- that is linked to
` 06 the file identifier in the DynamoDB. All right? So
` 07 that's what it is. I -- is there anything new you want
` 08 to...
` 09 Q I thought you said that the results DB
` 10 determines the format in which the results are stored.
`32. PAGE 40:12 TO 40:16 (RUNNING 00:00:24.716)
` 12 A I never said the results DB determines the
`
`CONFIDENTIAL
`
`page 5
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 7 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
` 13 format. It is -- it is -- the format is, actually, is
` 14 in the JSON file where all the behaviors are stored, not
` 15 in the -- not in the database.
` 16 Q So what's the purpose of the results DB?
`33. PAGE 40:18 TO 40:21 (RUNNING 00:00:17.427)
` 18 A Again, the -- the database we have is a way to
` 19 link the identifier of the file to the place where all
` 20 the results are stored in the S3. That's the main
` 21 purpose of it.
`34. PAGE 40:22 TO 40:23 (RUNNING 00:00:05.668)
` 22 Q So the purpose of results DB has nothing to do
` 23 with storing results?
`35. PAGE 40:25 TO 41:24 (RUNNING 00:01:50.785)
` 25 A The purpose of results -- whatever the -- the
` 00041:01 data -- the results database -- right? -- is -- is to
` 02 retrieve, given an ID, what is a threat level. That is
` 03 the -- the purpose of that -- that lookup and database.
` 04 The -- again, it is -- the database should
` 05 qualify is a -- is a schema LS database, not a
` 06 relational database where the data is structured. It's
` 07 really an unstructured schema LS database.
` 08 Q What do you mean by unstructured?
` 09 A So there are -- there are a couple of database
` 10 kinds. All right? Till now most of the databases
` 11 are -- are structured in the typical fashion. When you
` 12 say database, it is a structured database. That is
` 13 you -- you have a key, you know what the datas are, what
` 14 is the order they come in, and what is the type of the
` 15 data they can store. All those are very predefined.
` 16 So -- so that is what I would call a schema-based
` 17 database. Right?
` 18 In a schema LS database like the one we use --
` 19 all right? -- the data -- I mean, you -- you can add a
` 20 data at any point of time without impacting the previous
` 21 data stored and other things. So the format, it's a
` 22 little like, it's an unstructured thing. We interpret
` 23 it at a later point of time for each -- for each of the
` 24 thing -- results, basically.
`36. PAGE 41:25 TO 42:02 (RUNNING 00:00:11.060)
` 25 Q There's no type of key used in DynamoDB?
` 00042:01 A The -- we have a key. The key is the SHA-256
` 02 ID.
`37. PAGE 42:06 TO 42:06 (RUNNING 00:00:03.497)
` 06 Q Sure. How is the key used in DynamoDB?
`38. PAGE 42:08 TO 42:12 (RUNNING 00:00:19.431)
` 08 A The key is like the typical key. Like you --
` 09 you want to get the link to the results stored, so
` 10 you -- if you want to get the results stored using the
` 11 key, you can get the threat level and also what the link
` 12 to the -- all the behaviors in a file.
`39. PAGE 53:17 TO 53:18 (RUNNING 00:00:04.019)
` 17 Q Does Juniper keep track of how many viruses
` 18 are caught by Sky ATP?
`
`CONFIDENTIAL
`
`page 6
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 8 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
`40. PAGE 53:20 TO 54:01 (RUNNING 00:00:27.658)
` 20 A Yeah. We -- we do -- we do -- we don't -- we
` 21 do a monthly -- we view monthly how many files are
` 22 analyzed, how many are caught, how many are false
` 23 positives, true positives. We try to do that analysis
` 24 every month.
` 25 Q Can you give an average of how many files are
` 00054:01 caught?
`41. PAGE 54:03 TO 54:06 (RUNNING 00:00:20.977)
` 03 A I'm not able to recollect for all the month.
` 04 At least for the month of March 2018, I would say
` 05 around -- roughly, 700 to 800 malware files.
` 06 Q About how many files are analyzed?
`42. PAGE 54:07 TO 54:08 (RUNNING 00:00:07.767)
` 07 A We are -- probably, I would say in the range
` 08 of 10 -- 10 million files a month.
`43. PAGE 59:17 TO 59:25 (RUNNING 00:00:44.728)
` 17 Q Can Sky ATP be used for any other products
` 18 other than SRX?
` 19 A So Sky ATP -- no. The -- the -- it is
` 20 developed basically to -- to provide ATP functionality
` 21 in SRX. And in -- in theory, there are APIs to Sky ATP,
` 22 so you can also submit files through APIs, so if
` 23 somebody wants to -- has a set of files they want
` 24 analyzed, they can use the APIs. We provide RESTful
` 25 APIs to sub-end files for analysis.
`44. PAGE 60:25 TO 61:10 (RUNNING 00:00:45.165)
` 25 Q How many customers does Sky ATP have?
` 00061:01 A So I mean, again, it's a rough number. It's
` 02 not an exact number. So we have seen around 300 to 500
` 03 customers as what -- what I would say. So how many are
` 04 active, how many are not active, we don't know.
` 05 Basically, we -- there are -- there are, say, thousand
` 06 accounts, but most of the accounts are created by
` 07 Juniper. We are not able to distinguish between what is
` 08 a Juniper account. Exactly how many people have bought
` 09 a license, I think the finance team will be able to tell
` 10 how many licenses are purchased.
`45. PAGE 63:04 TO 63:08 (RUNNING 00:00:18.745)
` 04 Q Do you recall earlier we were discussing why
` 05 Sky ATP was added?
` 06 A Yes. There was a question about that.
` 07 Q And you mentioned that it was to give SRX this
` 08 next-generation capability, correct?
`46. PAGE 63:10 TO 63:13 (RUNNING 00:00:16.332)
` 10 A So -- so the -- the -- ATP is one of the
` 11 functionalities of NG firewall, and one of the many
` 12 functionalities of it has evolved. Since that piece was
` 13 missing in SRX, the Sky ATP was developed.
`47. PAGE 63:14 TO 63:19 (RUNNING 00:00:17.004)
` 14 Q When you say that piece is missing, what do
` 15 you mean?
` 16 A The ATP, as a functionality, is missing in
` 17 SRX.
` 18 Q So does the ATP contribute to the
`
`CONFIDENTIAL
`
`page 7
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 9 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
` 19 next-generation capability at all?
`48. PAGE 63:21 TO 63:23 (RUNNING 00:00:08.008)
` 21 A The ATP is one of the many functionalities in
` 22 NG firewall. To that extent, the ATP functionality is
` 23 missing.
`49. PAGE 63:25 TO 64:03 (RUNNING 00:00:12.707)
` 25 A To NG firewall, and to that extent, it's --
` 00064:01 it's a missing functionality.
` 02 Q How does ATP contribute to the next-generation
` 03 capability?
`50. PAGE 64:05 TO 64:11 (RUNNING 00:00:34.560)
` 05 A So -- this is basically the market demands,
` 06 right? There's no general definition of what an NG
` 07 firewall is. So it all depends on what your competition
` 08 offers in -- in NG firewall and what are all the various
` 09 functionalities which are missing against the
` 10 competition, and that is to the extent...
` 11 Q What did SRX have before it had Sky ATP?
`51. PAGE 64:13 TO 64:23 (RUNNING 00:00:47.899)
` 13 A So before Sky ATP -- before Sky ATP was added,
` 14 there was a AV engine functionality in SRX, which --
` 15 which is -- which detects malwares. But it -- it only
` 16 detects known -- known malwares.
` 17 Q What do you mean by it only detects known
` 18 malware?
` 19 A So whatever is known to the AV -- AV software
` 20 we use, it detects those malwares.
` 21 Q And Sky ATP detects unknown malware, right?
` 22 A Sky ATP can -- can detect malwares which were
` 23 not previously known to others.
`52. PAGE 114:07 TO 114:10 (RUNNING 00:00:22.146)
` 07 Q You've been handed a exhibit marked as
` 08 Exhibit Number 42. Exhibit -- Exhibit Number 42 is
` 09 Bates labeled JNPR-FNJN_29030-00553835 to 3872.
` 10 A Uh-huh.
`53. PAGE 114:15 TO 114:21 (RUNNING 00:00:29.413)
` 15 Q What's your understanding -- what's your
` 16 understanding of Exhibit Number 42?
` 17 A It looks like the logs from the sample
` 18 submitter, which is -- which is a component which works
` 19 when the file -- incoming file comes in for analysis
` 20 from SRX. At least the first page. I don't know what
` 21 all -- the other pages.
`54. PAGE 114:22 TO 115:06 (RUNNING 00:00:41.358)
` 22 Q On the first page ending in 835, do you see on
` 23 the fourth line, it says, "Read from RDB"?
` 24 A Uh-huh.
` 25 Q What is RDB?
` 00115:01 A The RDB in the code in this case is a
` 02 shortened form of what we call as a results database,
` 03 and, which as I explained before, is a combination of
` 04 the DynamoDB and the -- the JSON schema LS format we use
` 05 to store adapter results. This particular -- yeah, so
` 06 this -- this basically we -- that's right.
`
`CONFIDENTIAL
`
`page 8
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 10 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
`55. PAGE 117:07 TO 117:14 (RUNNING 00:00:23.594)
` 07 Q Do you recognize any of the information in
` 08 Exhibit Number 43?
` 09 A Yeah, from that time.
` 10 Q What's your understanding of Exhibit
` 11 Number 43?
` 12 A It does look like it is a presentation done by
` 13 our product management and TME in -- in a security
` 14 summit of Juniper.
`56. PAGE 120:18 TO 120:19 (RUNNING 00:00:05.945)
` 18 Q Do you know why Sky ATP was chosen to be
` 19 located in the cloud?
`57. PAGE 120:21 TO 121:05 (RUNNING 00:00:36.165)
` 21 A So there are some technical reasons. One is
` 22 the cloud -- the SRX has limited resource power,
` 23 resources at their disposal. This advanced threat
` 24 prevention needs a lot memory, lot more analysis, a lot
` 25 more computing power, so this is something only can be
` 00121:01 done outside the box. And then cloud services are
` 02 mixed -- makes it easy for the customers to -- to deploy
` 03 a solution, any solution.
` 04 Q Are there any efficiencies gained by having
` 05 Sky ATP in the cloud?
`58. PAGE 121:07 TO 121:11 (RUNNING 00:00:21.652)
` 07 A There are efficiencies you can gain from
` 08 running it in the cloud. One is you share the -- if --
` 09 you share the resources. The other one is you can also
` 10 share the threat levels of files from different various
` 11 customers.
`59. PAGE 121:16 TO 121:19 (RUNNING 00:00:14.635)
` 16 So if a customer in the U.S. uses Sky ATP and
` 17 the Sky ATP generates adapter results, those adapter
` 18 results can be used for detecting malware for customers
` 19 outside the U.S.?
`60. PAGE 121:21 TO 121:24 (RUNNING 00:00:16.086)
` 21 A You -- you can -- you can use the threat level
` 22 of the file in any production location to be used in
` 23 another location.
` 24 Q Does Sky ATP regularly do this?
`61. PAGE 122:01 TO 122:20 (RUNNING 00:01:15.326)
` 00122:01 A So the way it is implemented as it is, some of
` 02 the -- the threat level results of sample IDs is synced
` 03 between the production instances of various locations.
` 04 Q Can you elaborate? What do you mean by
` 05 synced?
` 06 A The syncing, some of the -- you take the
` 07 DynamoDB results and then populate that into the -- into
` 08 the -- into the DynamoDB of the second production
` 09 instance.
` 10 Q So the DynamoDB located in the U.S., those
` 11 results will have synced with ones outside the U.S.?
` 12 A That's correct. The threat level and...
` 13 Q The threat levels? And that's so that if a
` 14 customer outside the U.S. sees that same file again,
` 15 that you don't have to do the same --
` 16 A That's true.
` 17 Q -- analysis?
`
`CONFIDENTIAL
`
`page 9
`
`

`

`Case 3:17-cv-05659-WHA Document 432-6 Filed 04/11/19 Page 11 of 12
`
`Case Clip(s) Detailed Report
`Saturday, December 08, 2018, 4:43:50 PM
`
`Finjan v. Juniper
`
` 18 A That's true. Basically we -- analysis is done
` 19 once, and if another customer be -- sees the same file,
` 20 we use the threat level.
`62. PAGE 123:17 TO 124:02 (RUNNING 00:00:44.645)
` 17 Q You also mentioned that Sky ATP also saves on
` 18 resources.
` 19 A Sky -- yeah, Sky ATP saves on resources
` 20 because we don't analyze the files, the same files a
` 21 second time.
` 22 Q Is there any other cost benefit from Sky ATP?
` 23 A And we also share the resources for multiple
` 24 customers.
` 25 Q What type of resources are shared?
` 00124:01 A We share the compute -- basically it's compute
` 02 memory, and those are the two things that...
`63. PAGE 124:03 TO 124:07 (RUNNING 00:00:18.402)
` 03 Q Do customers outside the U.S. share resources
` 04 with customers in the U.S.?
` 05 A The -- the production instances are all
` 06 designed to operate as self-contained. The resources
` 07 are not shared across production instances.
`64. PAGE 124:08 TO 124:13 (RUNNING 00:00:17.564)
` 08 Q So what's the resources that are shared other
` 09 than the data?
` 10 A It is just the meta -- some of the metadata,
` 11 not the file -- file itself. Meta resources. We --
` 12 the -- each production instance is self-contained and
` 13 the files stay within that region.
`65. PAGE 124:14 TO 124:16 (RUNNING 00:00:07.129)
` 14 Q So it's only the results