`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 1 of 24
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 15
`EXHIBIT 15
`
`
`
`
`
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 2 of 24
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 2 of 24
`
`
`
`
`
`
`
`
`
`APPENDIX F-2
`APPENDIX F-2
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 3 of 24
`
`Juniper’s Sky Advanced Threat Prevention
`8,677,494
`The statements and documents cited below are based on information available to Finjan at the time this chart was
`created. Finjan reserves its right to supplement this chart as additional information becomes known to it.
`
`For purposes of this chart, “Sky ATP” is the cloud service and all support infrastructure maintained by Juniper, and
`includes the services and components in Exhibit A, as will be described in greater detail herein. Based on public
`information, Sky ATP operates identically with respect to the identified claims and only vary based on software
`specifications and/or deployment options.
`
`As identified and described element by element below, Sky ATP infringes at least claims 10, 14, 16, and 18 of the
`‘494 Patent.
`Claim 10
`
`10a. A system for managing
`Downloadables, comprising:
`
`
`
`
`
`Sky ATP meets the recited claim language because it includes a system for
`managing Downloadables.
`
`As used herein, and throughout these contentions, Downloadable is “an
`executable application program, which is downloaded from a source computer
`and run on the destination computer.”
`
`Sky ATP meets the recited claim language because it provides a computer
`system that uses a pipeline of technologies to detect malware on Downloadables
`received from SRX Service Series Gateways. Sky ATP manages the distribution
`of Downloadables within a given computer network (management system) by
`providing the computer network with malware determinations that enable the
`computer network to determine whether a web client or Internet application
`should receive a particular Downloadable that is requested. Notably, Internet
`applications include web browsers, FTP or file download clients, messaging
`clients, and email client applications. The details of these operations are set forth
`in greater detail below:
`
`For instance, as shown in the figure below, Sky ATP identifies suspicious
`computer operations by extracting malicious objects and blocks them from being
`communicated as part of outbound C&C traffic.
`
`1
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 4 of 24
`
`
`
`
`10b. a receiver for receiving
`an incoming Downloadable;
`
`
`Juniper Networks Sky Advanced Threat Prevention.pdf at page 1.
`
`
`
`Sky ATP meets the recited claim language because it includes a receiver for
`receiving an incoming Downloadable.
`
`Sky ATP meets the recited claim language because it includes software
`components (proxy software) that are configured to receive Downloadables from
`a SRX Series Services Gateway in order to detect malware. Downloadables are
`received by one or more computers within the cloud computing environment of
`Sky ATP where they can then be retrieved for malware detection purposes. The
`details of these operations are set forth in greater detail below:
`
`As shown in the figure below, software components (proxy software) resident
`within Sky ATP receive Downloadables for inspection when an SRX Series
`Services Gateway communicates the Downloadable to Sky ATP after inspection
`is performed by the SRX Series Services Gateway (see, e.g., Step 3 in the figure
`below). Downloadables received by Sky ATP are stored therein within a
`resident memory device where they are retrieved to perform file inspections.
`
`
`2
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 5 of 24
`
`Juniper Networks Sky Advanced Threat Prevention.pdf at page 4.
`
`To the extent that Juniper does not literally infringe this claim element, at
`minimum, Juniper infringes under the doctrine of equivalents. The above
`described functionality of ATP is at most insubstantially different from the
`claimed functionality and performs substantially the same function in
`substantially the same way to achieve substantially the same result. ATP
`performs the same function because it receives files that are incoming to ATP
`and/or were intercepted as incoming to a protected system. As such, at
`minimum, ATP performs the same function as receiving an incoming
`Downloadable. ATP perform this function same way because they utilize
`software and hardware to receive these incoming Downloadables through a
`network or other transmission mechanism. As such, at minimum, ATP performs
`this function the same way as receiving an incoming Downloadable. ATP
`achieves the same result as this element because it receives a downloadable that
`it incoming to the ATP and/or to a protected system. As such, at minimum, ATP
`achieves the same result as receiving an incoming Downloadable.
`
`
`Sky ATP meets the recited claim language because it includes a Downloadable
`scanner coupled with said receiver, for deriving security profile data for the
`
`3
`
`
`
`
`10c. a Downloadable scanner
`coupled with said receiver, for
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 6 of 24
`
`deriving security profile data
`for the Downloadable,
`including a list of suspicious
`computer operations that may
`be attempted by the
`Downloadable; and
`
`
`
`Downloadable, including a list of suspicious computer operations that may be
`attempted by the Downloadable.
`
`Sky ATP meets the recited claim language because it includes software
`components that scan a Downloadable (Downloadable Scanner) received from a
`SRX Series Services Gateway to detect suspicious computer operations capable
`of being performed by the Downloadable. Sky ATP derives security profile data
`for the Downloadable by (1) identifying behavioral characteristics of the
`Downloadable (including particular JavaScript functions, unusual instructions or
`code structures) through the use of cache lookups, static analysis, and dynamic
`analysis, and (2) providing a threat assessment report for the Downloadable that
`operates as a security profile that identifies each suspicious computer operation
`identified (list of suspicious computer operations that may be attempted by the
`Downloadable). Sky ATP provides a list of suspicious operations in a report.
`The details of these operations are set forth in greater detail below:
`
`Sky ATP meets the recited claim language because Sky ATP includes software
`components (Downloadable Scanner) that scan a Downloadable, received from a
`SRX Series Services Gateway, to detect suspicious computer operations capable
`of being performed by the Downloadable. The Downloadable Scanner derives
`security profile data for the Downloadable by (1) monitoring behavioral
`characteristics of the Downloadable (including particular JavaScript functions,
`unusual instructions or code structures) through the use of cache lookups, static
`analysis, and dynamic analysis, and (2) providing a threat assessment report for
`the Downloadable that operates as a security profile that identifies each
`suspicious computer operation identified (list of suspicious computer operations
`that may be attempted by the Downloadable). Sky ATP Appliance provides a list
`of suspicious operations in a report.
`
`For instance, as shown in the figure below, the Downloadable scanner scans
`Downloadables received from a SRX Series Services Gateway (see, e.g., Step 4
`in the figure below).
`
`
`4
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 7 of 24
`
`Juniper Networks Sky Advanced Threat Prevention.pdf at page 4.
`
`As shown in the excerpt below, the Downloadable scanner derives security
`profile data for the Downloadable when it (1) monitors network traffic to identify
`behavioral “indicators” of compromise that signify the presence of suspicious
`computer operations, and (2) performs “deep inspection” procedures to identify
`suspicious computer operations.
`
`
`5
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 8 of 24
`
` Juniper Sky Advanced Threat Prevention.pdf at 2.
`
`As shown in the figure below, the Downloadable Scanner, through its pipeline of
`technologies included within the distributed cloud-computing system, derives
`security profile data for the Downloadable when it performs file inspections
`using procedures that include: (1) cache lookup, (2) an anti-virus scan, (3) static
`analysis, and (4) dynamic analysis. Through the use of these technologies, the
`Downloadable Scanner generates a data structure in memory that indicates the
`presence of detected suspicious computer operations, including JavaScript
`functions and unusual instructions or structure.
`
`
`
`
`6
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 9 of 24
`
`How is Malware Analyzed and Detected.pdf at page 1.
`
`For example, as shown in the excerpt below, the Downloadable Scanner derives
`security profile data when it performs dynamic analysis that uses a sandbox to
`identify suspicious computer operations. Downloadables are studied by
`executing them in a secure environment to protect users in real-time. After
`inspecting a Downloadable within this secure environment, the Downloadable
`Scanner determines whether the behavior of the Downloadable during inspection
`is indicative of malware capable of performing suspicious computer operations.
`To make this determination, the Downloadable Scanner uses, e.g.,. deception
`techniques.
`
`
`How is Malware Analyzed and Detected.pdf at page 2.
`
`For instance, as described in the figure below, the dynamic analysis includes
`“behavioral analysis” that uses the sandbox to get a better understanding of
`“what a suspect file is trying to do” (i.e., identify suspicious operations capable
`of being performed by the Downloadable) before the Downloadable is executed /
`received by a destination computer. The results of the dynamic analysis are then
`stored as a report in memory that identifies the presence of one or more
`suspicious computer operations that can be potentially executed by the
`Downloadable. Also, as shown in the figures below, the results of the behavioral
`analysis enables the Downloadable Scanner to detect both “benign” behaviors
`and “malicious” behaviors. Malicious behaviors include suspicious computer
`operations that allocate large chunks of memory; cause unusually long sleep
`times; execute a document exploit, and the like.
`
`7
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 10 of 24
`
`https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
`(“Lanworks & Juniper Sky ATP Lunch and Learn”).
`
`
`
`
`h
`ttps://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be (“Lanworks
`& Juniper Sky ATP Lunch and Learn”).
`
`The excerpt below shows examples of behavioral operations collected.
`
`8
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 11 of 24
`
`
`
`Sky ATP - Behaviors Seen.png
`
`As shown in the figure below, the Downloadable Scanner derives security profile
`data when it uses deception and/or provocation techniques as part of the
`behavioral analysis in order to trick malware into activating and self-identifying.
`The deception and/or provocation techniques applied by the Downloadable
`Scanner in the sandbox include, e.g., attaching debuggers, running the malware
`multiple times, actively interfering with malware operations, and actively
`interfering with network communications, and so on. In this fashion, and as
`described in the figure below, the Downloadable Scanner’s behavioral analysis
`uses (1) deception techniques to convince the suspicious computer operations
`included in the Downloadable that it is on a valid target to “get a reaction” and
`(2) provocation techniques to see how the suspicious computer operations
`included in the Downloadable react. The results of the behavior analysis are then
`stored as a report in memory that identifies the presence of suspicious computer
`operations in the Downloadable.
`
`
`https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
`(“Lanworks & Juniper Sky ATP Lunch and Learn”).
`
`
`9
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 12 of 24
`
`Also, as shown in the figure below, the Downloadable scanner derives security
`profile data for the Downloadable when it performs static analysis that breaks it
`apart to identify portions of code that are associated with benign applications and
`portions of code that are associated with suspicious computer operations. The
`static analysis includes extracting code from the Downloadable and determining
`whether the Downloadable is capable of performing suspicious computer
`operations based on behavioral indicators or features of the extracted code that
`“look like” malware. The results of the static analysis are then stored as a report
`in memory that identifies the presence of suspicious computer operations in the
`Downloadable.
`
`
`https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
`(“Lanworks & Juniper Sky ATP Lunch and Learn”).
`
`As shown in the figure below, the Downloadable scanner identifies suspicious
`computer operations and stores identifiers associated with them as part of “a list
`of malware” (suspicious computer operations) that can be referenced for future
`malware scan operations.
`
`10
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 13 of 24
`
`
`
`Juniper Networks Sky Advanced Threat Prevention.pdf at page 1.
`
`As shown in the table below, the Downloadable scanner generates a list of
`suspicious computer operations that may be attempted by a Downloadable when
`it provides a report (i.e., security profile for a Downloadable) that is based on
`analysis information and behavioral summaries created for an inspected
`Downloadable. For instance, as shown in the figure below, a report generated by
`the Downloadable scanner, using security profile data generated from the
`techniques described herein, includes a “behavior summary” that includes
`detected behaviors such as data obfuscation, hooking, and anti-debugging that
`are each included in the inspected Downloadable.
`
`
`pw-sky-advanced-threat-prevention-guide-2016.pdf at 32.
`
`As shown in the table below, a report generated by the Downloadable scanner
`includes a “threat level” field that is attributed to the inspected Downloadable.
`Threat levels range from 0 to 10 and are used to indicate the level of harm that
`the inspected Downloadable could potentially cause to a web client or Internet
`application upon receipt / execution. The report also includes any actions taken
`by the Downloadable scanner in response to a detection of suspicious computer
`
`11
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 14 of 24
`
`operations identified. The report also includes the frequency in which the
`inspected Downloadable has been seen across different computers as well as a
`“file type” associated with the inspected Downloadable (e.g., .PDF, .exe, .doc,
`and the like). Notably, as shown in the figure below, the report includes a
`Downloadable ID in the form of a filename, hash value (e.g., Sha235, md5) and
`the like, for use in identifying the inspected Downloadable for which the report is
`generate for. Additionally, the report includes details that include, but are not
`limited to, the last time an inspected Downloadable was scanned, file size,
`operating system in which the inspected Downloadable typically operates within,
`malware name, malware type, and malware strain.
`
`
`
`
`HTTP File Download Details. Pdf at page 2.
`
`Also, as shown in the table below, the Downloadable ID includes a SHA-256
`hash computed for the inspected Downloadable. Notably, as depicted in the
`figure below, the report includes additional identifiers such as “tenant_id,”
`“client_ip,” “client_username,” as well as “client_hostname.” Moreover, as
`depicted in the figure below, the report can include details that include, but are
`not limited to, a malware score, malware name, host status, policy information
`that caused the Downloadable scanner to enforce a particular action, host threat
`level, infected host status, reason, and details.
`
`
`12
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 15 of 24
`
`
`
`sky-atp-admin-guide.pdf at page 98.
`
`To the extent that Juniper does not literally infringe this claim element, Juniper
`infringes under the doctrine of equivalents. The above described functionality of
`Sky ATP is at most insubstantially different from the claimed functionality and
`performs substantially the same function in substantially the same way to achieve
`substantially the same result. Sky ATP performs the same function because it
`has a Downloadable scanner (operable within a sandboxed environment) to scan
`Downloadables in order to derive security profile data for the Downloadable that
`includes a list of suspicious computer operations that may be attempted by the
`Downloadable. For example, Sky ATP includes a sandbox Downloadable
`scanner, which carries out the same function as the element because it performs
`dynamic analysis to identify suspicious computer operations in the
`Downloadable. The sandbox Downloadable scanner performs dynamic analysis
`by running the Downloadable in a simulated user environment and recording the
`different suspicious computer operations that the Downloadable attempts in
`memory. The suspicious computer operations identified include, e.g., file
`read/writes, registry modifications, and starting or stopping a process. Sky ATP
`performs this function same way because it utilizes a scanner (operable within a
`sandboxed environment) which scans Downloadables and derives security profile
`data for the Downloadable, including a list of suspicious computer operations
`that the Downloadable may attempt. For example, Sky ATP with its sandbox
`Downloadable scanner, performs this function the same way because they run the
`Downloadable in a simulated user environment and record the different
`suspicious computer operations that the Downloadable attempts in memory. Sky
`ATP achieves the same result as this element because a list of suspicious
`computer operations that may be attempted by the Downloadable are included in
`the derived security profile data for the Downloadable. For example, Sky ATP
`achieves the same result as this element with the sandbox Downloadable scanner
`because it results in the generation of security profile data when it analyzes
`
`13
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 16 of 24
`
`
`
`
`10d. a database manager
`coupled with said
`Downloadable scanner, for
`storing the Downloadable
`security profile data in a
`database.
`
`Downloadables using a dynamic analysis module / engine. The results are the
`same because the sandbox Downloadable scanner records suspicious computer
`operations that the Downloadable attempts (file read/writes, registry
`modifications, and starting or stopping a process) in memory when the
`Downloadable is run in a simulated user environment.
`
`Sky ATP meets the recited claim language because it includes a database
`manager coupled with said Downloadable scanner, for storing the Downloadable
`security profile data in a database.
`
`As used herein, and throughout these contentions, database is “a collection of
`interrelated data organized according to a database schema to serve one or more
`applications.”
`
`Sky ATP meets the recited claim language because it includes software
`components that make determinations regarding whether to store the results of
`the analysis. The results or the analysis, reports, and verdict are stored in
`databases in ATP Appliance in a structured format for later retrieval. The
`database stores the Downloadable security profile data that was generated by Sky
`ATP, including whether a detection was made and the results of that detection.
`The details of these operation are set forth in greater detail below:
`
`Sky ATP meets the recited claim language because Sky ATP includes software
`components (database manager) that make determinations regarding whether
`security profile data has been previously generated for a Downloadable
`undergoing inspection. The database manager makes these determinations by
`locating security profile data stored in a database in memory resident on Sky
`ATP’s distributed cloud-computing system. Provided security profile data has
`already been generated for the Downloadable undergoing inspection, the
`database manager retrieves that security profile data using, e.g., a file hash
`(Downloadable ID) associated with the Downloadable.
`
`As shown in the excerpt below, the database manager includes logic to determine
`whether security profile data has been previously generated for a Downloadable
`undergoing inspection. The database manager accesses security profile data,
`used to generate a report for an inspected Downloadable, within a database in
`memory resident on Sky ATP’s distributed cloud-computing system. The
`database manager retrieves the security profile data for a Downloadable using a
`file hash associated with the Downloadable. In one example, during “cache
`lookup” procedures performed to detect suspicious computer operations, the
`database manager first attempts to determine whether the Downloadable
`undergoing inspection already has a file hash stored in the database. Provided a
`corresponding file hash is located within the database, the database manager then
`proceeds to return a previously determined verdict for the Downloadable.
`
`
`14
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 17 of 24
`
`sky-atp-admin-guide.pdf at page 98.
`
`As shown in the table below, file hash data for a security profile can be retrieved
`by the database manager, from the database, via application program interface
`(API) calls. As illustrated in the table below, the “hash_string” request
`parameter is used to identify files inspected by the Downloadable scanner during
`scans through a hash identifier computed and stored within the database for an
`inspected Downloadable. Moreover, as depicted below, the “full_report”
`parameter is used by the database manager to return scan reports concerning
`inspected Downloadables that can be identified via a hash identifier that is
`stored in the database.
`
`
` Sky ATP Open API.pdf at page 2.
`
`As shown in the excerpt below, Sky ATP is part of a “scalable cloud
`infrastructure” that shares details regarding suspicious computer operations to
`other computers, over a computer network, using data gathered from the
`database.
`
`
`Juniper Sky Advanced Threat Prevention.pdf at page 2.
`
`As shown in the table below, security profile data, generated by the
`Downloadable scanner, can be communicated to / received from the database
`manager via application program interface (API) calls. For example, as
`illustrated below, “MaliciousBehavior” object information can be communicated
`
`
`
`15
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 18 of 24
`
`to / from the database manager to gather information about behaviors identified
`during scans. Also, “Malwareinfo” object information can be communicated to /
`from the database manager to describe information regarding suspicious
`computer operations such as malware type, platform for which the malware is
`intended to execute on, group(s) that the malware belongs to, the compiler used
`to compile program code for the malware, and malware location and identify
`information.
`
`
`Sky ATP Open API.pdf at page 24.
`
`As shown in the table below, security profile data, generated by the
`Downloadable scanner, concerning hash values and/or threat scores computed for
`identified suspicious computer operations can be communicated to / from the
`database manager.
`
`
`
`16
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 19 of 24
`
`Sky ATP Open API.pdf at page 25.
`
`As shown in the table below, security profile data associated with identified
`suspicious computer operations is provided via reports that provide “rich detail
`on malware behaviors.”
`
`
`
`
`
`pw-sky-advanced-threat-prevention-guide-2016.pdf at page 22.
`
`To the extent that Juniper does not literally infringe this claim element, Juniper
`infringes under the doctrine of equivalents. The above described functionality of
`Sky ATP is at most insubstantially different from the claimed functionality and
`performs substantially the same function in substantially the same way to achieve
`substantially the same result.
`
`Sky ATP performs the same function because it acts as a database manager,
`coupled with a downloadable scanner that stores the Downloadable security
`profile data in the database. For example, Sky ATP carries out the same function
`as the element because the Downloadable scanner stores the results of the
`dynamic analysis in a data repository for future use by applications. Sky ATP
`stores the results of the dynamic analysis in standard markup language formats
`such as Google Protocol Buffer, JSON, and XML. In another example, the
`verdict from the dynamic analysis is stored as an integer. SRX Series Services
`Gateways, either alone or in combination with Sky ATP and/or ATP Appliance,
`
`17
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 20 of 24
`
`perform substantially the same way because they act as a database manager,
`coupled with a downloadable scanner that stores the Downloadable security
`profile data in the database. For example, SRX Series Services Gateways, either
`alone or in combination with Sky ATP and/or ATP Appliance, perform
`substantially the same way because the Downloadable scanner sends dynamic
`analysis results to a data repository for future use by applications. SRX Series
`Services Gateways, either alone or in combination with Sky ATP and/or ATP
`Appliance, store the results of the dynamic analysis in standard markup language
`formats such as Google Protocol Buffer, JSON, and XML. In another example,
`the verdict from the dynamic analysis is stored as an integer. Sky ATP achieves
`the same result as this element because Downloadable security profile data is
`stored in the database from data derived from the Downloadable scanner. For
`example, Sky ATP achieves substantially the same result as this element because
`their Downloadable scanner generates profile data that is stored in a data
`repository with a defined structure and for future use by applications. In another
`example, the verdict from the dynamic analysis is stored as an integer.
`
`
`Sky ATP meets the recited claim language because, in addition to satisfying all
`of the elements of Claim 10 as described above, the Downloadable includes
`program script.
`
`Sky ATP meets the recited claim language because, in addition to satisfying all
`of the elements of Claim 10 as described above, Downloadables undergoing
`inspection by Sky ATP include a number of different file categories including
`Flash and Silverlight applications, archive files, source code, configuration files,
`documents, executable binaries, java applications, dynamic and static libraries
`including kernel modules, mobile applications, operating system packages,
`scripting files, PDFs, email, and mbox files.
`
`For instance, as shown below, as shown in the figure below, the Downloadable
`scanner used by Sky ATP scans the content of files during file inspection
`including files written in JavaScript (“.js” files) , Visual Basic (“.vbs” files),
`HTML, and the like.
`
`Claim 14
`
`The system of claim
`10 wherein the Downloadable
`includes program script.
`
`
`
`
`
`18
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 21 of 24
`
`
`
`
`Claim 16
`
`The system of claim 10
`wherein the Downloadable
`security profile data includes a
`URL from where the
`Downloadable originated.
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-profile-overview.html
`
`
`Sky ATP meets the recited claim language because, in addition to satisfying all
`of the elements of Claim 10 as described above, the Downloadable security
`profile data includes a URL from where the Downloadable originated.
`
`Sky ATP meet the recited claim language because, in addition to satisfying all of
`the elements of Claim 10 as described above, a report, generated by Sky ATP for
`an inspected file, includes file origin information.
`
`
`19
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 22 of 24
`
`For instance, as shown in the table below, security profile data generated by the
`Downloadable scanner includes URL information regarding where the
`Downloadable originated. The URL information is provided through reports
`generated by Sky ATP.
`
`
`Claim 18
`
`
`
`
`The system of claim 10
`wherein said Downloadable
`scanner comprises a
`disassembler for disassembling
`the incoming Downloadable.
`
`sky-atp-admin-guide.pdf at page 112 .
`
`As shown in the table below, security profile data generated by the
`Downloadable scanner can be retrieved via application program interface (API)
`calls. As illustrated in the table below, the “sample_url” parameter is used to
`provide information regarding where the inspected Downloadable originated.
`
`
`
`
`Sky ATP Open API.pdf at page 5.
`
`
`
`
`Sky ATP meets the recited claim language because, in addition to satisfying all
`of the elements of Claim 10 as described above, the Downloadable scanner
`comprises a disassembler for disassembling the incoming Downloadable.
`
`Sky ATP meets the recited claim language because, in addition to satisfying all
`of the elements of Claim 10 as described above, the Downloadable scanner
`disassembles the incoming Downloadable when it parses through the content of
`files written in accordance with different programing code constructs / formats.
`
`For instance, as shown in the figure below, the Downloadable scanner scans a
`Downloadable when it processes sequences of characters that are formed in
`accordance with the syntactical constructs of program code such as Java (“.java”
`files), JavaScript (“.js” files) , Visual Basic (“.vbs” files), HTML, and the like.
`
`
`
`20
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 23 of 24
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-profile-overview.html
`
`Also, as shown in the figure below, the Downloadble scanner disassembles the
`incoming Downloadable when it performs static analysis that breaks apart a
`Downloadable to identify portions of code that are associated with benign
`applications and portions of code that are associated with malware. The static
`analysis includes extracting code from the Downloadable and determining
`whether the Downloadable is capable of performing suspicious computer
`operations based on behavioral indicators or features of the extracted code that
`“look like” malware. The results of the static analysis are then stored as a report
`in memory that identifies the presence of suspicious computer operations in the
`Downloadable.
`
`
`21
`
`
`
`Case 3:17-cv-05659-WHA Document 435-18 Filed 04/12/19 Page 24 of 24
`
`
`
`https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
`(“Lanworks & Juniper Sky ATP Lunch and Learn”)
`
`
`22
`
`