Case 3:17-cv-05659-WHA Document 502-3 Filed 05/31/19 Page 1 of 33

HIGHLY CONFIDENTIAL – SOURCE CODE
REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED

DECLARATION OF DR. MICHAEL MITZENMACHER

I, Michael Mitzenmacher, hereby declare that:

1. I have been asked by Plaintiff Finjan, Inc. to submit an expert declaration on whether Juniper, Inc.’s SRX Gateways, Sky ATP and ATP Appliance products infringe claim 1 of U.S. Patent No. 8,141,154 (the “’154 Patent”). Ex. 1.¹ I relied on the documents cited herein, including the ’154 Patent, the file history of the ’154 Patent, the source code, the deposition transcripts of Tenorio, Manthena, Nagarajan, and Manocha, the trial transcript for this case, exhibits thereto, Finjan’s Infringement Contentions, and Juniper’s Discovery Responses.

I. EXPERIENCE AND QUALIFICATIONS

2. I received a Ph.D. degree in Computer Science from the University of California at Berkeley in 1996. I am currently employed as a Professor of Computer Science at Harvard University. I have published over 200 research papers in computer science conferences and journals, many of which have explored computer securities and computer networks, such as algorithms and data structures for communication networks and data transmission. I regularly serve on program committees for conferences in networking, algorithms, and communication, including SIGCOMM, NSDI, and CoNEXT. I have also taught graduate courses relating to computer networking.

3. My rate of compensation for my work in this case is $750 per hour plus any direct expenses incurred. My compensation is based solely on the amount of time that I devote to activity related to this case and is in no way affected by any opinions that I render. I receive no other compensation from work on this action. My compensation is not dependent on the outcome of this case.

II. LEGAL STANDARDS

4. Counsel for Finjan has informed me of the following legal standards that I have used as a framework in forming my opinions contained herein.

5. I have been informed that claim construction is a legal issue for the Court to decide. I also understand that the Court has not issued a claim construction order for the ’154 Patent in this case. As such, I considered both parties’ proposed constructions of disputed terms and applied the plain and ordinary meaning for all other terms.

¹ All “Ex.” citations are to the Declaration of Kristopher Kastens (“Kastens Decl.”) filed herewith.

MITZENMACHER DECL. IN SUPPORT OF FINJAN’S MSJ
CASE NO. 3:17-cv-05659-WHA

6. I have been informed that infringement is determined on a claim by claim basis. A product may infringe a claim either literally or under the doctrine of equivalents.

7. I have been further informed that literal infringement is found if an accused product, system or method meets each and every element of a single claim. Direct infringement is found if a party, or its agents, makes, uses, sells, or offers for sale a product or system that contains all elements of a claimed system or performs all of the steps of a claimed method. I have been informed that a party can be found to use the patented system even if that party does not exercise physical or direct control over every element of the system. I have been informed that for elements that are not subject to the physical or direct control of the party, that party is still deemed to be using that component or part of the patented system where the party (i) puts the component into service – that is, the party causes it to work for its intended purpose and (ii) receives the benefit of that purpose. I have been informed that direct infringement can be found in a multinational system claim where elements of such system are located in multiple countries, when the place where control of the accused system is exercised and where beneficial use of the system is obtained are both within the United States.

8. I have been informed that infringement under the doctrine of equivalents is found if an accused product, system or process contains parts or steps that are identical or equivalent to each and every element of a single claim. A part or step is equivalent if a person of ordinary skill in the art (“POSITA”) would conclude that, at the time of infringement, the differences between the product or method step and the claim element were not substantial. One common test to determine if the difference between a component or method step and a claim element is not substantial is to determine whether the component or step performs substantially the same function, in substantially the same way, to achieve substantially the same result.

9. Based on review of the Asserted Patents and consideration of the abovementioned factors, it is my opinion that a person of ordinary skill in the art at the time of the invention of the Asserted Patents would be someone with a bachelor’s degree in computer science or related field, and either (1) two or more years of industry experience and/or (2) an advanced degree in computer science or related field. I understand that claim 1 of the ’154 Patent claims a priority date of December 12, 2005. But if the ’154 Patent is found to have another priority date it would not materially affect my analysis.

III. SUMMARY OF DECLARATION

10. I have been asked by counsel for Finjan to consider if Juniper infringes claim 1 of the ’154 Patent. I have assumed that claim 1 of the ’154 Patent is valid and enforceable. I have not considered damages related issues associated with this infringement.

11. The language of claim 1 is set forth in the ’154 Patent at 17:31-44.

12. I have been asked by counsel for Finjan to consider the following infringement scenarios with respect to claim 1 of the ’154 Patent: (1) SRX Gateways (“SRX”) by themselves, (2) SkyATP by itself, (3) ATP Appliance by itself. My opinion on the current product features is based on the information available, including source code, release notes, Juniper’s documents, and deposition testimonies of Juniper’s employees.

IV. OVERVIEW OF THE ’154 PATENT

13. The ’154 Patent describes protecting a computer system from dynamically generated malicious content. See ’154 Patent, Abstract. Many types of documents (such as PDF, Office, HTML) allow for generating content dynamically. As one example, a document may be embedded with a JavaScript (“JS”) script, which is able to call a link from which to download a file. As another example, an iFrame (which is another HTML document embedded into the main HTML page) inserts external content into the main HTML page, and thereby allows for dynamically generated malicious content. As a further example, an email or a document may include an HTTP link to a site. The HTTP link by default is associated with an HTTP function (such as an HTTP GET request), which allows a computer to automatically communicate with the site hosted by the HTTP link upon the activation of the HTTP link.

14. The ability to dynamically generate content allows malicious code to evade detection through obfuscation. Obfuscation is a mechanism which allows malicious code to be encoded or reformatted in a string so that it appears to be benign, but the encoded or reformatted string is later decoded or reformatted to generate the malicious code for execution. See ’154 Patent at 3:31-64 (describing how dynamically generated content would result in malicious code being inserted). Obfuscation is one way in which activation of a seemingly benign link may result in malicious code being injected into a document or causing a malware to be downloaded. Dynamically generated malicious content typically comes in the form of a multi-stage attack such as a drive-by Download, or through a link on a webpage or email. Ex. 15, FINJAN-JN 045339 at 41 (describing the mechanism of a drive-by Download attack); FINJAN-JN 045326 at 29-30 (describing different ways ransomware infects a computing system). The dynamically generated malicious code cannot be detected by conventional reactive content inspection or gateway level analysis because the malicious code is not present in the content before runtime, which is when the malicious code is generated. ’154 Patent at 3:65-4:8. Claim 1 of the ’154 Patent describes the use of a content processor to process content which includes a call to a first function and the call has an input. See id., Claim 1. The ’154 Patent also recites sending the input to a security computer for inspection. See id. Claim 1 also recites invoking a second function with the input only if a security computer indicates that it is safe to invoke the second function. Id. By utilizing “behavioral analysis technologies,” Claim 1 of the ’154 Patent allows a security system to detect “day-zero” threats which escape the detections by traditional security technologies.

V. OVERVIEW OF THE ACCUSED PRODUCTS

A. SRX Gateways

15. SRX is the next generation security gateway that provides essential capabilities to protect a network of computers such as a corporate network. The SRX Gateways operate as a gateway between the untrusted Internet and a trusted internal network. Ex. 9, JNPR-FNJN_29002_00173278 at 84. It is my understanding that the SRX all operate using the Junos operating system. The SRX Gateways can receive content (such as network communications, downloaded files) from the Internet, can send objects such as files and URLs to Sky ATP or ATP appliance for analysis, can receive a result from Sky ATP or Appliance, and can take an action (such as blocking or allowing files or network communications) based on the result received from Sky ATP or ATP Appliance. Id.; see also Ex. 6, JNPR-FNJN_29018_00962784 at 91-92. This process allows the SRX to detect new viruses and zero-day threats before they harm the computers in the protected network.

B. Sky ATP

16. Juniper Sky ATP is a cloud-based scanning system that is part of Juniper’s Advanced Anti-Malware Solution “AAMW”. Ex. 9, JNPR-FNJN_29002_00173278 at 83. Sky ATP sometimes is also referred to as Argon or Argon cloud. Id. Sky ATP can be used as a service by SRX Gateways. Id. (showing that AAMW solution integrates with SRX and Argon Cloud Server). SRX can submit files or URLs to Sky ATP for analysis and Sky ATP will return a verdict and threat intelligence data feeds including black/white lists. Id. at 83-84. The results are returned in the JSON format, which includes verdict information such as sample ID, malware info, malware among others. See, e.g., Ex. 2, JNPR-FNJN_29017_00553620 at 74 (describing fields for malware event data and host threat level/status change data).

17. In particular, Sky ATP provides advanced anti-malware and anti-ransom protection against sophisticated “zero-day” and unknown threats. See Ex. 13, FINJAN-JN 044887 at 905 (stating that Sky ATP protects against evolving security threats); Ex. 9, JNPR-FNJN_29002_00173278 at 83. Sky ATP generates “actionable intelligence” that can be used in a security network to take an action based on the threats discovered by Sky ATP. Ex. 9, JNPR-FNJN_29002_00173278 at 83-84. Sky ATP includes a malware pipeline manager; a file runs through the malware analysis pipeline, which includes adapters for performing a series of analyses, based on cached results, antivirus analysis, static analysis, and dynamic analysis. Ex. 13, FINJAN-JN 044887 at 907. The malware analysis includes an antivirus adapter, two static adapters, and a sandbox and deception adapters. Ex. 14, JNPR-FNJN_29017_00552908 at 909.

18. Sky ATP performs static analysis to determine if unusual operations are used and dynamic analysis to identify behaviors of the file. Ex. 13, FINJAN-JN 044912. Sky ATP has a static analysis component that is run on the input it receives. See id. The static analysis in Sky ATP inspects a file’s metadata and instruction categories to detect suspicious signs such as usual instructions. Id. Static analysis analyzes the metadata information, categories of instructions used, and file entropy (e.g., encryptions in a file), and feeds the outputs into a machine learning algorithm to generate a verdict. Id. Sky ATP performs dynamic analysis by executing the content in a sandboxed environment as if the file is run in a real computer system. Id. As part of the “detonation” of the file, the sandbox environment records the operations performed by content. Id. It is my understanding that Juniper internally refers to the dynamic analysis performed in the malware inspection pipeline as the combination of the “deception adapter” and a sandbox called “Joe Sandbox.”

19. As the file is running through the pipeline, SkyATP generates metadata and communicates with a verdict engine which provides a verdict score of the sample based on the new file information as received from the malware analysis pipeline at each stage of the malware analysis. Ex. 14, JNPR-FNJN_29017_00552908 at 09; Ex. 11, JNPR-FNJN_29017_00552892 at 93. A file does not have to run through the entire malware analysis pipeline. Id. The scanning may stop at the end of a stage (without reaching to the end of the malware analysis pipeline) based on a determination from the verdict engine, when the verdict engine has sufficient confidence to determine that the file is malicious or safe. Ex. 14, JNPR-FNJN_29017_00552909. The Sky ATP returns a verdict to SRX which indicates a threat level of a file, and the SRX Gateway uses the verdict to determine whether to allow the file or the communication with the site hosted by the URL/IP address. Ex. 9, JNPR-FNJN_29002_00173283-84.

C. ATP Appliance

20. ATP Appliance (also referred to as Cyphort) monitors network traffic, such as web content, emails and communications within a network, to identify threats such as exploits, malware downloads, communications with botnet servers among others. FINJAN-JN 045074 at 75. ATP Appliance receives network traffic through its “collectors”, an example of which is SRX. Id. at 78. The network traffic received by ATP appliance is subject to Smart Core’s Multi-Stage Threat Analysis pipeline. Id. at 77; Ex. 20, JNPR-FNJN_29018_00975646 at 53, 68-69. The analysis pipeline includes engines for performing, for example, network, static, reputation, and behavioral analyses. Ex. 12, JNPR-FNJN_29018_00971201 at 17. Specifically, as one example, the traffic received by ATP appliance would first go through a Network Analysis Pipeline which performs a snort rules analysis and a Chain Heuristics analysis. The Chain Heuristics Analysis flags and submits the suspicious traffic to a Browser Behavior Analysis Engine. Ex. 17, FINJAN-JN 045326 at 32; see also Ex. 15, FINJAN-JN 045339 at 44. The Browser Behavior Analysis Engine simulates the entire HTTP session using a browser that runs in a sandbox environment. Id. The JATP appliance examines the activities in the HTTP session and downloads the files referenced in a web communication to determine whether there are any suspicious activities. Id. The ATP appliance also analyzes all files through object analysis engines including Static AV Engine (for signature-based virus detection), Reputation Engine (for reputation lookup based on a file’s metadata), Behavioral Engine (for performing a dynamic analysis in a sandboxed environment), Emulation Engine (which emulates files containing scripts), and Yara Engine (which allows Yara rules to files and memory dumps obtained during the behavioral analysis). Ex. 17, FINJAN-JN 045326 at 31-32.

VI. ANALYSIS OF CLAIM 1 OF THE ’154 PATENT

A. Overview of Juniper’s Infringement

21. Juniper sells, builds, and tests SRX, Sky ATP, and ATP appliance in the United States. Juniper infringes Claim 1 of the ’154 Patent because SRX, SkyATP, and ATP appliance each meets every element of the claim.

22. SRX includes a content processor which processes network communications. The network communications include an URL/IP address or a file (such as a webpage or an executable file) received from the Internet, both of which are “content” that includes a call to a first function where the call includes an input. As one example, the URL/IP address is a call to the first function where the call is denoted by the “http://” prefix and input is the address of a site (such as “example.com/malware.exe”) as indicated through an URL or IP address or the file hosted at the URL/IP address. The URL/IP address is associated with a HTTP function for communication with the URL/IP address (such as an HTTP.GET request). As another example, the file received over a network can have a script that includes a call to a first function (e.g., a unescape(), eval(), or document.write() function) that would inject code into a file. The injected code may involve communications or a download from a compromised site. The call includes an input which is the URL/IP address (or a file referenced by the injected code) associated with the compromised site. Because processing a webpage involves a series of communications between internal and external computers and the SRX is situated in between internal and external computers, the SRX can process a request by an internal computer to download a file from a link while the internal computer is assembling a webpage. Because the webpage includes a link or a script, such a request to SRX is a result of an internal computer’s invocation of the webpage. The SRX includes a transmitter that can submit the link or the content for analysis by SkyATP or the ATP appliance. The SRX is also able to detect the presence of certain functions (such as the presence of an unescape function in an HTML file) when it receives a file. The SRX can flag a file in which it found the obfuscated content, and send the link or the content to SkyATP or ATP appliance. Based on the score received from SkyATP or the ATP appliance, SRX can decide whether to invoke the second function associated with the inspected URL/IP address, such as forwarding the file to an internal computer or otherwise allow communications with the inspected site.

23. The Sky ATP also includes a malware analysis pipeline which is a content processor that is able to process network traffic through a series of adapters. The Sky ATP is able to protect an internal computer from dynamically generated malicious content including: (1) when the network communications include an URL/IP address as metadata of a sample (i.e. URL/IP address indicating the source of the sample); and (2) when the sample has a reference to malicious content such as a malicious link or code that is able to inject malicious links/content. In the first example, the content includes a call to open the link denoted by the “http://” prefix, where the link is naturally associated with an HTTP function for communication with the URL/IP address (such as an HTTP.GET request). The input associated with the call is the address of a site (such as “example.com/malware.exe”) as indicated through an URL or IP address. In the second example, the content includes a call to a function such as an unescape(), eval(), or document.write() function or iframe code (e.g., the form of “<iframe src="URL"></iframe>”). The function may refer to an URL/IP address in an obfuscated form. The URL/IP address (regardless of whether it is in its obfuscated or original form) is considered as an “input” associated with the call. Continuing with the first example, the malware analysis pipeline invokes the link by sending the input (i.e. a sample) to a verdict engine (i.e. a security computer) which the verdict engine will return a score and malware information for the sample. The input can be sent in the form of a link to the sample or a hash of the sample. The input is sent by the malware analysis pipeline (which includes a transmitter) when the first function is invoked through downloading the sample from the link. Based on the verdict returned from the verdict engine, the malware analysis pipeline determines whether to continue with a subsequent processing of the sample (i.e. invoking a second function with the sample). With reference to the second example, the malware analysis pipeline is able to extract features from a sample, such as links, functions, scripts, or other code; sends such features to the verdict engine (i.e. transmitting an input to the security computer); and receives a score from the verdict engine. The transmission of the input occurs when the first function is invoked as part of the dynamic analysis of simulating the execution of the sample, or through de-obfuscation of the code. In both examples above, the malware analysis pipeline determines whether to continue with a subsequent processing of the sample or to add the sample (or its features) to a whitelist (i.e. invoking a second function with the input) based on the verdict returned from the verdict engine. Furthermore, in an alternative scenario, the malware analysis pipeline (such as its DeceptionAdapters) can send an URL/IP address in the sample or the sample’s URL/IP address to a reputation server for a reputation lookup, which returns a reputation score to the malware analysis pipeline. The URL/IP address or the hash of the file hosted by the URL/IP address can be added to a whitelist based on the result of the reputation lookup.

24. ATP appliance has a similar mechanism as SkyATP. The ATP appliance is able to perform a multi-staged analysis on network traffic and objects. As explained in the overview section, ATP Appliance’s Smart Core (also referred to as Cyphort Core) is a content processor that analyzes the network traffic and files through a series of engines in the analysis pipeline. The network traffic and files include a call to a first function and the call has an input for reasons mentioned above with reference to Sky ATP. The Smart Core sends the input to a reputation engine/server or an analysis pipeline (or an engine in the analysis pipeline) for analysis. The transmission of the input can be performed by the ATP appliance, an engine in the Smart Core analysis pipeline, or the pipeline Agent. The transmission occurs when the first function is invoked as part of activating a link to download a file or through de-obfuscation. As one example, the Chain Heuristics analysis and submits suspicious traffic to a browser based dynamic analysis environment which is able to detect obfuscated malicious code (or malicious communications). As another example, the analysis pipeline is able to activate or extract a link (invoking a first function) in the suspicious traffic, and send input associated with the link to a reputation engine where the reputation engine sends input to a server for reputation lookup. The SmartCore decides whether to invoke a second function with the input, only if the security computer indicates that such invocation is safe by moving the analyzed object to an END state, market the object as “clean” or otherwise allow the communications based on the reputation look up or based on the result from the pipeline analysis.

B. Preamble of Claim 1 of the ’154 Patent

25. The preamble of claim 1 of the ’154 Patent recites “[a] system for protecting a computer from dynamically generated malicious content, comprising:”. While I understand that a preamble is not typically limiting, it is my opinion that the preamble of claim 1 is met by SRX, SkyATP, and ATP Appliance. I incorporate by reference my summary of the products for this section.

26. SRX is a system for protecting a computer from dynamically generated malicious content because this system acts as a gateway system for analyzing network communications to protect one or more internal computers. See Ex. 9, JNPR-FNJN_29002_00173283-84. As explained above, SRX is able to detect malicious code in a file or malicious URLs, and thereby protecting an internal computer from dynamically generated content through the malicious code or URLs. SRX sends a URL/IP address associated with a sample or the sample itself to Sky ATP or ATP appliance which returns a result (such as a score). Ex. 9, JNPR-FNJN_29002_00173283-84. SRX determines whether to block or allow the sample (or the URL/IP address) based on the result. Id. The SRX Gateways can examine JavaScript payload of a sample to determine if the JavaScript script is obfuscated or potentially malicious. Ex. 4, JNPR-FNJN_29040_01042912 at 13-14; Ex. 3, JNPR-FNJN_29017_00552579 at 89. The SRX Gateways can also extract potentially malicious objects (e.g., links) or files from the sample (such as a webpage), and send the malicious objects and files to SkyATP or ATP appliance, which perform analysis and determine the reputation of the link or the sample. Id. SRX receives a result of the analysis in the form of a verdict which SRX uses to allow a file to an internal computer. Ex. 13, FINJAN-JN 044887 at 907, 956; JNPR-FNJN_29002_00173278-79. SRX also receives the threat intelligence data feeds (which include C&C feeds and infected hosts feeds) from Sky ATP or ATP appliance, which SRX uses to allow or block a communication with an infected internal computer or with an external computer that serves as a command and control server. Ex. 13, FINJAN-JN 044887 at 907; JNPR-FNJN_29002_00173278-79; JNPR-FNJN 29032_00590643 at 65; see also Ex. 16, Juniper Source Code at 342-344,

27. Sky ATP on its own meets this element because it receives and analyzes web objects and files. JNPR-FNJN_29002_00173278 at 78-79; Ex. 4, JNPR-FNJN_29040_01042912. Sky ATP performs static and dynamic analysis in its analysis pipeline, whose pipeline manager manages the analyses, as well as the results that are generated during analyses. Ex. 11, JNPR-FNJN_29017_00552892 at 93 (showing results from greyduck (i.e. static analysis) and deception (i.e. dynamic analysis)). Sky ATP accepts a large range of executable files for analysis, such as HTML with JS scripts, which is able to dynamically generate malicious content. See, e.g., Ex. 4, JNPR-FNJN_29040_01042912 (which shows Sky ATP accepts network objects from SRX). Sky ATP also performs reputation lookups for a file hash and/or an URL/IP address which is associated with dynamically generated malicious content. Ex. 10, JNPR-FNJN_29017_00552634 at 36; JNPR-FNJN_29008_00528472 at 541-542.

28. ATP appliance is a system for protecting a computer from dynamically generated malicious content because it processes malicious content such as a webpage or an executable file. Ex. 17, FINJAN-JN 045332; FINJANJN 045333-36 (which describes the use cases of ATP appliance). ATP appliance has a Smart Core (also referred to as Cyphort Core or JATP Core) which obtains files submitted from web collectors (including SRX) and analyzes the files through analysis pipeline. Ex. 6, JNPR-FNJN_29018_00962784 at 91-92, 97-98; Ex. 7, FINJAN-JN 045069 at 70; Ex. 17, FINJAN-JN 045331-32; Ex. 12, JNPR-FNJN_29018_00971201 at 19. ATP appliance detects threats from dynamically generated malicious content, such as execution of malicious code, exploits, malicious URLs, etc. See Ex. 12, JNPR-FNJN_29018_00971201 at 20 (describing files types and threats analyzed by ATP appliance); Ex. 17 at FINJAN-JN 045331; FINJAN-JN 045329-30; Ex. 15, FINJAN-JN 045339 at 44. ATP appliance extracts payloads and delivers the network objects for a multi-staged analysis in Smart Core’s detection engine. Ex. 12, JNPR-FNJN_29018_00971201 at 25 (“Cyphort detonation engines fully execute suspicious traffic objects: code, attachments, files, and URLs”).

1. Element 1(a) of the ’154 Patent

29. The Accused Products include “a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe.” It is my opinion that SRX, SkyATP, and ATP Appliance each includes a content processor which performs the claimed functions. I incorporate by reference my summary of the products for this section.

a) SRX By Itself Infringes Element 1(a) of the ’154 Patent.

30. The SRX appliance or its software includes “a content processor [] for processing content received over a network” because SRX is a gateway system for processing a network traffic. Ex. 9, JNPR-FNJN_29002_00173278 at 83 (“SRX inspects both ingress and egress network traffic); id. at 84 (The SRX Gateway intercepts the file t
