Case 3:17-cv-05659-WHA Document 442-2 Filed 04/19/19 Page 1 of 46

EXHIBIT 1

APPENDIX F-1

Juniper’s SRX Series Services Gateways
8,677,494

The statements and documents cited below are based on information available to Finjan, Inc. at the time this chart
was created. Finjan reserves its right to supplement this chart as additional information becomes known to it.

For purposes of this chart, “SRX Gateways” include at least the following appliance models listed in Exhibit A. For
purposes of this chart, “SRX Gateways” are SRX Series Services Gateway appliances, either alone, or when used in
conjunction with other products or services as a system. For example, SRX Gateways perform the infringing
procedures in combination with Juniper Sky Advanced Threat Prevention (“Sky ATP”)[1], the Advanced Threat
Prevention Appliance (“ATP Appliance”)[2], and/or the Space Security Director[3] as an integrated distributed system,
as will be described in greater detail herein. Based on public information, SRX Gateways all operate identically
with respect to the identified claims and only vary based on software specifications and/or deployment options.

[1] Sky ATP includes the components and services in Exhibit A.
[2] ATP Appliance includes the appliance models listed in Exhibit A.
[3] Space Security Director includes the appliance models listed in Exhibit A.

As identified and described element by element below, one or more of the SRX Series Services Gateways
infringe at least claims 10, 14, 16, and 18 of the ‘494 Patent.

Claim 10

10a. A system for managing Downloadables, comprising:

SRX Series Services Gateways meet the recited claim language because they
include a system for managing Downloadables.
As used herein, and throughout these contentions, Downloadable is “an
executable application program, which is downloaded from a source computer
and run on the destination computer.”

SRX Series Services Gateways meet the recited claim language because they
selectively determine whether files received from a source computer
(Downloadables), that were inspected for malware by an SRX Series Services
Gateway, should be communicated to Sky ATP as a destination computer
(management system).

In another scenario, SRX Series Services Gateways, in combination with Sky
ATP, meet the recited claim language because they provide a distributed
computer system that uses a pipeline of technologies to detect malware on
Downloadables received from SRX Service Series Gateways. The distributed
system of SRX Series Services Gateways and Sky ATP manages the distribution
of Downloadables within a given computer network (management system) by
providing the computer network with malware determinations (“verdicts”) that
enable the computer network to determine whether a web client or Internet
application should receive a particular Downloadable that is requested. Notably,
Internet applications include web browsers, FTP or file download clients,
messaging clients, and email client applications.

In another scenario, SRX Series Services Gateways, in combination with ATP
Appliance, meet the recited claim language because they provide a distributed
computer system to detect malware on Downloadables received from SRX
Service Series Gateways, which are used as “collectors” that are dispersed across
different points within a given network. The distributed system of SRX Series
Services Gateways and ATP Appliance manages the distribution of
Downloadables within a given computer network (management system) by
providing the computer network with malware determinations.

The details of these operations are set forth in greater detail below:

For instance, as discussed in the excerpt below, SRX Series Services Gateways
manage Downloadables because they each receive downloaded content and
perform security functions related to that content within a security system when
they provide “perimeter security, content security, application visibility, tracking
and policy enforcement, user role-based control, threat intelligence through
integration with Juniper Networks Spotlight Secure, and network-wide threat
visibility and control.” The content of such files is a “Downloadable” because it is
of the type that is downloaded from a source computer (e.g., web server) to be
run on a destination computer (e.g., web client or Internet application). Notably,
Internet applications include web browsers, FTP or file download clients,
messaging clients, and email client applications.

SRX Series Service Gateways For the Branch.pdf at page 1.

As shown in the figure below, SRX Series Services Gateways manage
Downloadables when they operate with Sky ATP because they identify
suspicious computer operations by extracting malicious objects and block them
from being communicated as part of outbound C&C traffic.

Juniper Networks Sky Advanced Threat Prevention.pdf at page 1.

Additionally, as shown in the excerpt below, SRX Series Services Gateways and
ATP Appliance act in combination as Downloadable managers because they act
as file collectors that upload “suspicious files” to the ATP Appliance for
management.

3510633-en.pdf at page 5.

Additionally, the distributed computer system of a SRX Series Services Gateway
and Junos Space Security Director meets the recited claim language because it
includes software components that are configured to receive Downloadables
from a SRX Series Services Gateway in order to detect malware. For instance,
as shown in the excerpt below, the SRX Series Services Gateway and Junos
Space Security Director act in combination as Downloadable managers because
they identify suspicious computer operations from files received by the SRX
Series Services Gateway for management.

3510633-en.pdf at page 5.

10b. a receiver for receiving an incoming Downloadable;

SRX Series Services Gateways meet the recited claim language because they
include a receiver for receiving an incoming Downloadable.

SRX Series Services Gateways meet the recited claim language because they
include hardware (a network interface) and software components (proxy
software) (receivers) that are configured to receive Downloadables from a source
computer (e.g., Internet) for inspection to detect malware.

In another scenario, SRX Series Services Gateways, in combination with Sky
ATP, meet the recited claim language because the distributed computer system
of SRX Service Series Gateways and Sky ATP includes software components
(proxy software) that are configured to receive Downloadables from a SRX
Series Services Gateway in order to detect malware. Downloadables are
received by one or more computers within the cloud computing environment of
Sky ATP where they can then be retrieved for malware detection purposes.

In another scenario, SRX Series Services Gateways, in combination with ATP
Appliance, meet the recited claim language because the distributed computer
system of SRX Service Series Gateways and ATP Appliance includes hardware
and software components that are configured to receive Downloadables from
multiple SRX Series Services Gateways used as collectors (as receivers).
Downloadables received from these collectors can be analyzed for malware
detection purposes using an application programming interface in the ATP
Appliance (a receiver).

The details of these operations are set forth in greater detail below:

SRX Series Services Gateways meet the recited claim language because they
include hardware (a network interface) and software components (proxy
software) that are configured to receive one or more files from a source
computer (e.g., Internet) for inspection to detect malware. Downloadables
received by SRX Series Services Gateways are stored within resident memory,
where they are then subsequently retrieved when performing file inspections.
Memory devices used by SRX Series Services Gateways include, e.g.,
Random-Access Memory devices (“RAM”), hard disk storage devices (e.g., solid state
drives (“SSD”)), and the like.

As shown in the figure below, SRX Gateways operate as a gateway with
hardware and software components resident within an SRX Series Services
Gateway that act as receivers that receive Downloadables for inspection when a
SRX Series Services Gateway intercepts the transmission of a Downloadable
between a source computer (e.g., Internet) and a web client / Internet application
(see, e.g., Step 2 in the figure below).

Juniper Networks Sky Advanced Threat Prevention.pdf at page 4.

As shown in the figure below, SRX Series Services Gateways store data related
to intercepted Downloadables within a computer (either as an appliance or as a
virtual version running on a server computer) because they run on computer
appliances with a processor and memory that includes RAM. SRX Series Services
Gateways also include network interfaces in the form of hardware (Ethernet,
USB ports, wireless interfaces) and/or software utilized for network connection
for receiving content.

SRX Series Services Gateways for the Branch.pdf at page 2.

Additionally, the distributed computer system of SRX Series Services Gateways
and Sky ATP includes software components (proxy software) that are configured
to receive Downloadables, from a SRX Series Services Gateway, in order to
detect malware. Downloadables received by Sky ATP are stored therein within
a resident memory device where they are retrieved to perform file inspections.

For instance, as shown in the figure below, software components (proxy
software) resident within Sky ATP receive Downloadables for inspection when
an SRX Series Services Gateway communicates the Downloadable to Sky ATP
after inspection is performed by the SRX Series Services Gateway (see, e.g.,
Step 3 in the figure above).

Juniper Networks Sky Advanced Threat Prevention.pdf at page 4.

Additionally, the distributed computer system of SRX Series Services Gateways
and ATP Appliance includes hardware and software components that are
configured to receive files, from file “collectors” (receivers) distributed across
one or more computer networks, for inspection to detect malware. Files received
by ATP Appliance (e.g., through a receiver at the SmartCore engine) are stored
within a memory device resident on ATP Appliance. As shown in the figure
below, the ATP Appliance architecture includes software receiver components
that collect files and/or log files transmitted over a computer network that can
then be analyzed.

Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.

Specifically, as shown in the excerpt below, the ATP Appliance architecture
includes collectors (receivers) that are positioned at “critical points” within a
network. The locations of these collectors include remote locations where they
capture Web, e-mail, and lateral traffic data.

3510633-en.pdf at page 4.

Additionally, the distributed computer system of a SRX Series Services Gateway
and Junos Space Security Director meets the recited claim language because it
includes software components that are configured to receive Downloadables
from a SRX Series Services Gateway in order to detect malware. For instance,
as shown in the figure below, the Junos Space Security Director architecture
includes software receiver components that perform a method when they collect
files received from an SRX Series Services Gateway that can then be analyzed
by the Junos Space Security Director technology.

Junos Space Security Director User Guide.pdf at page 67.

10c. a Downloadable scanner coupled with said receiver, for deriving security
profile data for the Downloadable, including a list of suspicious computer
operations that may be attempted by the Downloadable; and

SRX Series Services Gateways meet the recited claim language because they
include a Downloadable scanner coupled with said receiver, for deriving security
profile data for the Downloadable, including a list of suspicious computer
operations that may be attempted by the Downloadable.

SRX Series Services Gateways meet the recited claim language because they
include an antivirus (AV) scan engine (Downloadable scanner) that derives
behavioral security profile data for a Downloadable undergoing inspection when
it parses content and identifies behavioral patterns that correspond to
polymorphic viruses, worms, Trojans, and malware (suspicious computer
operations) when scanning Downloadables such as JavaScript, PDFs, SWF,
EXEs and other web content including executable code.

In another scenario, SRX Series Services Gateways operate as a distributed
computer system with Sky ATP and meet the recited claim language because
SRX Gateways with Sky ATP includes software components that scan a
Downloadable (Downloadable Scanner) received from a SRX Series Services
Gateway to detect suspicious computer operations capable of being performed by
the Downloadable. SRX Gateways with Sky ATP derives security profile data
for the Downloadable by (1) identifying behavioral characteristics of the
Downloadable (including particular JavaScript functions, unusual instructions or
code structures) through the use of cache lookups, static analysis, and dynamic
analysis, and (2) providing a threat assessment report for the Downloadable that
operates as a security profile that identifies each suspicious computer operation
identified (list of suspicious computer operations that may be attempted by the
Downloadable). The SRX Service Series Gateways and Sky ATP provides a list
of suspicious operations in a report.

In another scenario, SRX Series Services Gateways operate as a distributed
computer system in combination with an ATP Appliance and meet the recited
claim language because it includes hardware and software components
(Downloadable scanner) that scan a Downloadable, received from collectors that
include SRX Series Services Gateways. SRX Gateways and ATP Appliances
detect suspicious computer operations capable of being performed by the
Downloadable using static analysis, payload analysis, dynamic analysis,
behavioral analysis, machine learning, and SmartCore technology. SRX
Gateways with ATP Appliances use these technologies to derive security profile
data for the Downloadable based on an aggregated set of malware analytics. The
SRX Service Series Gateways and ATP Appliance provides a list of suspicious
operations in a report generated based in part on the analysis provided by the
aggregated set of malware analytics.

The details of these operations are set forth for these scenarios in greater detail
below:

SRX Series Services Gateways meet the recited claim language because they
include an antivirus (AV) scan engine (Downloadable scanner) that derives a
behavioral security profile for a Downloadable undergoing inspection when it
parses content and identifies behavioral patterns that correspond to malware like
polymorphic viruses, worms, Trojans, and malware (suspicious computer
operations) when scanning a Downloadable. Notably, other suspicious computer
operations capable of being identified by the scan engine include suspicious
computer operations that: load suspicious DLLs; execute ShellExecute,
UrlDownloadToFile, and/or CreateProcess for suspicious purposes; cause
outbound connection(s) to a C&C server; cause suspicious computer operations
such as the suspicious use of Javascript replace, unescape, document.write or
eval functions, openAction, document.getElementsByName, launch,
document.write, openPlayer(asx), document.createElement, Unescape NOP,
obfuscation using unescape, document.write or eval, HTML Javascript redirects
such as document.write used to write redirect to URL; cause JavaScript that
appears to alter its own content; cause JavaScript link(s) that have the ability to
alter themselves; cause MouseOver function to run arbitrary code; cause Keystroke
logging/screen capture behavior; cause Zero area and/or off-screen windows
behavior; and cause suspicious behaviors from Downloaders, Injectors, Hijackers
and other downloadables such as JavaScript, PDFs, SWF, EXEs and other web
content including executable code.

As shown in the figure below, SRX Series Services Gateways derive security
profile data when they perform inspection on Downloadables received.
Furthermore, SRX Series Services Gateways generate security policies based on
the security data stored in a memory structure based on data gathered from the
full packet inspection.

SRX Series Service Gateways for the Branch.pdf at page 3.

For instance, as shown in the table below, SRX Series Services Gateways use
Unified Threat Management (“UTM”) technology to configure the security
features of the Downloadable scanner:

Feature Support Reference for SRX Series and J Series Devices.pdf at page 55.

As shown in the excerpt below, the Downloadable scanner scans content
included in a Downloadable and derives security profile data for the file based on
detected behavioral patterns that signify the presence of polymorphic viruses
(obfuscated code), worms, Trojans, and malware (suspicious computer
operations) within the file. Polymorphic viruses, worms, Trojans, and malware
are suspicious computer operations because they are portions of program code,
included in a file, that are capable of performing undesirable actions (suspicious
computer operations) on a destination computer upon receipt / execution by a
destination computer (portions of program code that are malicious).

Understanding the Full Antivirus Scan Engine - Technical Documentation -
Support - Juniper Networks.pdf at page 1.

As shown in the excerpt below, the Downloadable scanner derives security
profile data based on detected behavioral patterns found in embedded scripts,
such as those typically included in Web pages (e.g., Javascript, Visual Basic), as
well as email messages and FTP downloads / uploads.

Antivirus for Branch SRX Series and J Series.pdf at page 4.

As shown in the figure below, the Downloadable scanner derives security profile
data based on detected behavioral patterns found in a file after it performs file
reassembly on the file. For instance, the Downloadable scanner caches an entire
file in memory resident on an SRX Series Service Gateway and scans it at least
once in order to generate security profile data produced during behavioral
analysis / static analysis of the file undergoing inspection.

Antivirus for Branch SRX Series and J Series.pdf at page 2.

As shown in the excerpt below and in addition to the Downloadable scanner, the
Junos Operating System, included within SRX Series Services Gateways, adds
functionality to the Downloadable scanner to derive security profile data on
Downloadables undergoing inspection. For instance, security profile data is
generated based on detected behavioral patterns found in the actual content of
Downloadables associated with applications that are transmitted over a computer
network (e.g., LAN, WAN, and the like).

Application Firewall - Technical Documentation - Support - Juniper
Networks.pdf at 1.

As shown in the excerpt below, SRX Series Services Gateways generate a list of
suspicious computer operations that may be attempted by a Downloadable when
they provide a report (e.g., WELF logs) using security profile data generated
from the behavioral / static analysis performed by the Downloadable scanner.
The report is stored within resident memory on SRX Series Services Gateways.

Understanding WELF Logging for UTM Features - Technical Documentation -
Support - Juniper Networks.pdf at page 1.

As shown in the example below, SRX Series Services Gateways generate a list of
suspicious computer operations that may be attempted by a Downloadable using
a report that identifies detected suspicious computer operations (operations
associated with the virus “EICAR-AV-TEST”) within the file (“eicar.com”). In
this fashion, the results of behavior / static analysis are stored as a report within
resident memory on SRX Series Services Gateways.

https://www.youtube.com/watch?v=dOF6n-V7P00&t=752s (“Juniper vSRX:
Advanced Security Feature Demo”)

Additionally, SRX Series Services Gateways, in combination with Sky ATP,
meet the recited claim language because the distributed computer system of SRX
Series Services Gateways and Sky ATP includes software components
(Downloadable Scanner) that scan a Downloadable, received from a SRX Series
Services Gateway, to detect suspicious computer operations capable of being
performed by the Downloadable. For instance, as shown in the figure below, the
Downloadable scanner scans Downloadables received from a SRX Series
Services Gateway (see, e.g., Step 4 in the figure below).

Juniper Networks Sky Advanced Threat Prevention.pdf at page 4.

As shown in the excerpt below, the Downloadable scanner derives security
profile data for the Downloadable when it (1) monitors network traffic to identify
behavioral “indicators” of compromise that signify the presence of suspicious
computer operations, and (2) performs “deep inspection” procedures to identify
suspicious computer operations.

Juniper Sky Advanced Threat Prevention.pdf at 2.

As shown in the figure below, the Downloadable Scanner, through its pipeline of
technologies included within the distributed cloud-computing system, derives
security profile data for the Downloadable when it performs file inspections
using procedures that include: (1) cache lookup, (2) an anti-virus scan, (3) static
analysis, and (4) dynamic analysis. Through the use of these technologies, the
Downloadable Scanner generates a data structure in memory that indicates the
presence of detected suspicious computer operations, including JavaScript
functions and unusual instructions or structure.

How is Malware Analyzed and Detected.pdf at page 1.

For example, as shown in the excerpt below, the Downloadable Scanner derives
security profile data when it performs dynamic analysis that uses a sandbox to
identify suspicious computer operations. Downloadables are studied by
executing them in a secure environment to protect users in real-time. After
inspecting a Downloadable within this secure environment, the Downloadable
Scanner determines whether the behavior of the Downloadable during inspection
is indicative of malware capable of performing suspicious computer operations.
To make this determination, the Downloadable Scanner uses, e.g., deception
techniques.

How is Malware Analyzed and Detected.pdf at page 2.

For instance, as described in the figure below, the dynamic analysis includes
“behavioral analysis” that uses the sandbox to get a better understanding of
“what a suspect file is trying to do” (i.e., identify suspicious operations capable
of being performed by the Downloadable) before the Downloadable is executed /
received by a destination computer. The results of the dynamic analysis are then
stored as a report in memory that identifies the presence of one or more
suspicious computer operations that can be potentially executed by the
Downloadable. Also, as shown in the figures below, the results of the behavioral
analysis enable the Downloadable Scanner to detect both “benign” behaviors
and “malicious” behaviors. Malicious behaviors include suspicious computer
operations that allocate large chunks of memory; cause unusually long sleep
times; execute a document exploit, and the like.

https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
(“Lanworks & Juniper Sky ATP Lunch and Learn”).

https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
(“Lanworks & Juniper Sky ATP Lunch and Learn”).

The excerpt below shows examples of behavioral operations collected.

Sky ATP - Behaviors Seen.png.

As shown in the figure below, the Downloadable Scanner derives security profile
data when it uses deception and/or provocation techniques as part of the
behavioral analysis in order to trick malware into activating and self-identifying.
The deception and/or provocation techniques applied by the Downloadable
Scanner in the sandbox include, e.g., attaching debuggers, running the malware
multiple times, actively interfering with malware operations, and actively
interfering with network communications, and so on. In this fashion, and as
described in the figure below, the Downloadable Scanner’s behavioral analysis
uses (1) deception techniques to convince the suspicious computer operations
included in the Downloadable that it is on a valid target to “get a reaction” and
(2) provocation techniques to see how the suspicious computer operations
included in the Downloadable react. The results of the behavior analysis are then
stored as a report in memory that identifies the presence of suspicious computer
operations in the Downloadable.

https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
(“Lanworks & Juniper Sky ATP Lunch and Learn”).

Also, as shown in the figure below, the Downloadable scanner derives security
profile data for the Downloadable when it performs static analysis that breaks it
apart to identify portions of code that are associated with benign applications and
portions of code that are associated with suspicious computer operations. The
static analysis includes extracting code from the Downloadable and determining
whether the Downloadable is capable of performing suspicious computer
operations based on behavioral indicators or features of the extracted code that
“look like” malware. The results of the static analysis are then stored as a report
in memory that identifies the presence of suspicious computer operations in the
Downloadable.

https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
(“Lanworks & Juniper Sky ATP Lunch and Learn”).

As shown in the figure below, the Downloadable scanner identifies suspicious
computer operations and stores identifiers associated with them as part of “a list
of malware” (suspicious computer operations) that can be referenced for future
malware scan operations.

Juniper Networks Sky Advanced Threat Prevention.pdf at page 1.

As shown in the table below, the Downloadable scanner generates a list of
suspicious computer operations that may be attempted by a Downloadable when
it provides a report (i.e., security profile for a Downloadable) that is based on
analysis information and behavioral summaries created for an inspected
Downloadable. For instance, as shown in the figure below, a report generated by
the Downloadable scanner, using security profile data generated from the
techniques described herein, includes a “behavior summary” that includes
detected behaviors such as data obfuscation, hooking, and anti-debugging that
are each included in the inspected Downloadable.

pw-sky-advanced-threat-prevention-guide-2016.pdf at 32.

As shown in the table below, a report generated by the Downloadable scanner
includes a “threat level” field that is attributed to the inspected Downloadable.
Threat levels range from 0 to 10 and are used to indicate the level of harm that
the inspected Downloadable could potentially cause to a web client or Internet
application upon receipt / execution. The report also includes any actions taken
by the Downloadable scanner in response to a detection of suspicious computer
operations identified. The report also includes the frequency in which the
inspected Downloadable has been seen across different computers as well as a
“file type” associated with the inspected Downloadable (e.g., .PDF, .exe, .doc,
and the like). Notably, as shown in the figure below, the report includes a
Downloadable ID in the form of a filename, hash value (e.g., Sha235, md5) and
the like, for use in identifying the inspected Downloadable for which the report is
generated. Additionally, the report includes details that include, but are not
limited to, the last time an inspected Downloadable was scanned, file size,
operating system within which the inspected Downloadable typically operates,
malware name, malware type, and malware strain.

HTTP File Download Details. Pdf at page 2.

Also, as shown in the table below, the Downloadable ID includes a SHA-256
hash computed for the inspected Downloadable. Notably, as depicted in the
figure below, the report includes additional identifiers such as “tenant_id,”
“client_ip,” “client_username,” as well as “client_hostname.” Moreover, as
depicted in the figure below, the report can include details that include, but are
not limited to, a malware score, malware name, host status, policy information
that caused the Downloadable scanner to enforce a particular action, host threat
level, infected host status, reason, and details.

sky-atp-admin-guide.pdf at page 98.

Additionally, SRX Series Services Gateways in combination with ATP
Appliance as a distributed computer system meets the recited claim language
because it includes software components (Downloadable scanner) that scan a
Downloadable, received from collectors that include SRX Series Services
Gateways, to detect suspicious computer operations capable of being performed
by the Downloadable.

For instance, as shown in the excerpt below, the Downloadable scanner derives
security profile data for the Downloadable based on data collected from SRX
Series Services Gateways when it performs file inspections using procedures that
include: (1) static analysis, (2) payload analysis, (3) machine learning and
behavioral analysis, (4) malware reputation analysis, and (5) prioritization, risk
analysis, correlation. Notably, payload analysis includes the use of an
“intelligent sandbox array” to gain a “deeper understanding of malware behavior
by detonating suspicious Web and file content that would otherwise target
Windows, OSX, or Android endpoint devices. Also, the “machine learning and
behavioral analysis” performed by the Downloadable scanner produces security
profile data by employing technologies that “recognize the latest threat behaviors
(such as multicomponent attacks over time) and quickly detect previously
unknown threats.” Moreover, as described in the excerpt below, the s
