Case 3:17-cv-05659-WHA Document 67-13 Filed 04/19/18 Page 1 of 14

EXHIBIT 11

APPENDIX F-3

Juniper’s Advanced Threat Prevention Appliance
8,677,494

The statements and documents cited below are based on information available to Finjan, Inc. at the time this chart
was created. Finjan reserves its right to supplement this chart as additional information becomes known to it.

For purposes of this chart, “ATP Appliance” includes at least the following models that are used individually, or in
combination and identified in Exhibit A. Based on public information, ATP Appliances all operate identically with
respect to the identified claims and only vary based on software specifications and/or deployment options. ATP
Appliances perform the infringing procedures on their own or as a distributed system in combination with Juniper
Sky Advanced Threat Prevention (“Sky ATP”)1, as will be described in greater detail herein. Based on public
information, ATP Appliances all operate identically with respect to the identified claims and only vary based on
software specifications and/or deployment options.

As identified and described element by element below, ATP Appliance infringes at least claims 10, 14, 16, and 18
of the ‘494 Patent.

Claim 10

10a. A system for managing Downloadables, comprising:

ATP Appliance meets the recited claim language because it includes a system for
managing Downloadables.

As used herein, and throughout these contentions, Downloadable is “an
executable application program, which is downloaded from a source computer
and run on the destination computer.”

ATP Appliance meets the recited claim language because it provides a computer
system to detect malware on Downloadables received from “collectors,”
including SRX Series Services Gateways, that are dispersed across different points
within a given network. ATP Appliance manages the distribution of
Downloadables within a given computer network (management system) by
providing the computer network with malware determinations. The details of
these operations are set forth in greater detail below:

For instance, as shown in the excerpt below, collectors, including SRX Series
Services Gateways, act as file collectors that upload “suspicious files” to the ATP
Appliance for management. The content of such files is a “Downloadable” because
it is of the type that is downloaded from a source computer (e.g., web server) to be
run on a destination computer (e.g., web client or Internet application). Notably,
Internet applications include web browsers, FTP or file download clients,
messaging clients, and email client applications.

3510633-en.pdf at page 5.

1 “Sky ATP” includes all components and services described in Exhibit A.

10b. a receiver for receiving an incoming Downloadable;

ATP Appliance meets the recited claim language because it includes a receiver
for receiving an incoming Downloadable.

ATP Appliance meets the recited claim language because it includes hardware
and software components that are configured to receive Downloadables from
multiple collectors, such as SRX Series Services Gateways used as receivers.
Downloadables received from these collectors can be analyzed for malware
detection purposes using an application programming interface in the ATP
Appliance (a receiver). The details of these operations are set forth in greater
detail below:

For instance, files received by ATP Appliance (e.g., through a receiver at the
SmartCore engine) are stored within a memory device resident on ATP
Appliance. As shown in the figure below, the ATP Appliance architecture
includes software receiver components that collect files (Downloadables) and/or
log files transmitted over a computer network that can then be analyzed.

Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.

Specifically, as shown in the excerpt below, the ATP Appliance architecture
includes collectors (receivers) that are positioned at “critical points” within a
network. The locations of these collectors include remote locations where they
capture Web, e-mail, and lateral traffic data.

3510633-en.pdf at page 4.

To the extent that Juniper does not literally infringe this claim element, at
minimum, Juniper infringes under the doctrine of equivalents. The above
described functionality of ATP Appliance is at most insubstantially different
from the claimed functionality and performs substantially the same function in
substantially the same way to achieve substantially the same result. ATP
Appliance performs the same function because it receives files that are incoming
to ATP and/or were intercepted as incoming to a protected system. As such, at
minimum, ATP Appliance performs the same function as receiving an incoming
Downloadable. ATP Appliance performs this function the same way because it
utilizes software and hardware to receive these incoming Downloadables through
a network or other transmission mechanism. As such, at minimum, ATP
Appliance performs this function the same way as receiving an incoming
Downloadable. ATP Appliance achieves the same result as this element because
it receives a downloadable that is incoming to the ATP Appliance and/or to a
protected system. As such, at minimum, ATP Appliance achieves the same
result as receiving an incoming Downloadable.

10c. a Downloadable scanner coupled with said receiver, for deriving security profile data
for the Downloadable, including a list of suspicious computer operations that may
be attempted by the Downloadable; and

ATP Appliance meets the recited claim language because it includes a
Downloadable scanner coupled with said receiver, for deriving security profile
data for the Downloadable, including a list of suspicious computer operations
that may be attempted by the Downloadable.

ATP Appliance meets the recited claim language because it includes hardware
and software components (Downloadable scanner) that scan a Downloadable,
received from collectors that include SRX Series Services Gateways. ATP
Appliance detects suspicious computer operations capable of being performed by
the Downloadable using static analysis, payload analysis, dynamic analysis,
behavioral analysis, machine learning, and SmartCore technology. ATP
Appliance uses these technologies to derive security profile data for the
Downloadable based on an aggregated set of malware analytics. ATP Appliance
provides a list of suspicious operations in a report generated based in part on the
analysis provided by the aggregated set of malware analytics. The details of
these operations are set forth in greater detail below:

For instance, as shown in the excerpt below, the Downloadable scanner derives
security profile data for the Downloadable based on data collected from SRX
Series Services Gateways when it performs file inspections using procedures that
include: (1) static analysis, (2) payload analysis, (3) machine learning and
behavioral analysis, (4) malware reputation analysis, and (5) prioritization, risk
analysis, correlation.

1000627-en.pdf at page 2.

Notably in the excerpt above, payload analysis includes the use of an “intelligent
sandbox array” to gain a “deeper understanding of malware behavior by
detonating suspicious Web and file content that would otherwise target
Windows, OSX, or Android endpoint devices.” Also, the “machine learning and
behavioral analysis” performed by the Inspector produce security profile data by
employing technologies that “recognize the latest threat behaviors (such as
multicomponent attacks over time) and quickly detect previously unknown
threats.” Moreover, as described in the excerpt above, the security profile data
includes “risk scores” assigned to suspicious code that is identified by the
Inspector. The results of the described procedures performed by the Inspector,
using Downloadables collected by SRX Series Services Gateways, are then stored
as a report in memory that identifies the presence of suspicious code in one or
more Downloadables. Additionally, using described procedures, the Inspector
generates a data structure in memory that indicates the presence of detected
suspicious computer operations, including JavaScript functions and unusual
instructions or structure.

Notably, the ATP Appliance protects users in “real time” by performing its
analysis of the Downloadable prior to the web client device actually receiving the
Downloadable. Using the above described techniques, the Downloadable
Scanner generates DSPs by collecting Downloadables for inspection and storing
their respective DSP mechanisms (e.g., “honeypot” techniques) to detect and
counter unauthorized attempts to execute suspicious code.

As shown in the figure below, the Downloadable scanner generates a list of
suspicious computer operations that may be attempted by a Downloadable when
it provides a report (i.e., security profile for a Downloadable) that is based on the
various types of analysis it performs for inspected Downloadables. For instance,
as shown in the figure below, an event timeline report is generated by the
Downloadable scanner using security profile data generated from the
Downloadables provided by SRX Series Services Gateways. As depicted in the
event timeline, detected behaviors, such as phishing attempts, are provided for
each type of suspicious computer operation identified by the Downloadable
scanner.

1000627-en.pdf at page 2.

Other forms of suspicious computer operations identified within the
Downloadable include operations that: load suspicious DLLs; execute
ShellExecute, UrlDownloadToFile, and/or CreateProcess for suspicious
purposes; cause outbound connection(s) to a C&C server; cause suspicious
computer operations such as the suspicious use of Javascript replace, unescape,
document.write or eval functions, openAction, document.getElementsByName,
launch, document.write, openPlayer(asx), document.createElement, Unescape
NOP, obfuscation using unescape, document.write or eval, HTML Javascript
redirects such as document.write used to write redirect to URL; cause JavaScript
that appears to alter its own content; cause JavaScript link(s) that have the
ability to alter itself; cause MouseOver function to run arbitrary code; cause
Keystroke logging/screen capture behavior; cause Zero area and/or off-screen
windows behavior; and cause suspicious behaviors from Downloaders, Injectors,
Hijackers and other downloadables such as JavaScript, PDFs, SWF, EXEs and
other web content including executable code.

As shown below, ATP Appliance can generate detailed profiles on
Downloadables that include behavioral, reputation, network, and static triggers
that are part of the generated security profile.

As shown in the excerpt below, the Downloadable scanner generates a list of
suspicious computer operations that may be attempted when it provides the
security profile data to Juniper Networks Junos® Space Security Director for
creating a report.

3510633-en.pdf at page 5.

To the extent that Juniper does not literally infringe this claim element, Juniper
infringes under the doctrine of equivalents. The above described functionality of
ATP Appliance is at most insubstantially different from the claimed functionality
and performs substantially the same function in substantially the same way to
achieve substantially the same result.

ATP Appliance performs the same function because it has a Downloadable
scanner (operable within a sandboxed environment) to scan Downloadables in
order to derive security profile data for the Downloadable that includes a list of
suspicious computer operations that may be attempted by the Downloadable. For
example, ATP Appliance includes a sandbox Downloadable scanner, which
carries out substantially the same function as the element because it performs
dynamic analysis to identify suspicious computer operations in the
Downloadable. The sandbox Downloadable scanner performs dynamic analysis
by running the Downloadable in a simulated user environment and recording the
different suspicious computer operations that the Downloadable attempts in
memory. The suspicious computer operations identified include, e.g., file
read/writes, registry modifications, and starting or stopping a process. ATP
Appliance performs this function the same way because it utilizes a scanner
(operable within a sandboxed environment) which scans Downloadables and
derives security profile data for the Downloadable, including a list of suspicious
computer operations that the Downloadable may attempt. For example, ATP
Appliance with its sandbox Downloadable scanner, performs this function the
same way because it runs the Downloadable in a simulated user environment and
records the different suspicious computer operations that the Downloadable
attempts in memory. ATP Appliance achieves the same result as this element
because a list of suspicious computer operations that may be attempted by the
Downloadable are included in the derived security profile data for the
Downloadable. For example, ATP Appliance achieves the same result as this
element with the sandbox Downloadable scanner because it results in the
generation of security profile data when it analyzes Downloadables using a
dynamic analysis module / engine. The results are the same because the sandbox
Downloadable scanner records suspicious computer operations that the
Downloadable attempts (file read/writes, registry modifications, and starting or
stopping a process) in memory when the Downloadable is run in a simulated user
environment.

10d. a database manager coupled with said Downloadable scanner, for storing the
Downloadable security profile data in a database.

ATP Appliance meets the recited claim language because it includes a database
manager coupled with said Downloadable scanner, for storing the Downloadable
security profile data in a database.

As used herein, and throughout these contentions, database is “a collection of
interrelated data organized according to a database schema to serve one or more
applications.”

ATP Appliance meets the recited claim language because it includes software
components that make determinations whether to store the results of the analysis
in a database. The results of the analysis, reports, and verdict are stored in
databases in ATP Appliance in a structured format for later retrieval. The
database stores the Downloadable security profile data that was generated by
ATP Appliance, including whether a detection was made and the results of that
detection. The details of these operations are set forth in greater detail below:

For instance, as shown in the excerpt below, the ATP Appliance includes a
database in memory resident on ATP Appliance that stores signatures of detected
threats, including those “that may have eluded inline devices.” The database also
stores security profile data for inspected Downloadables so that the
Downloadable scanner can perform “malware reputation analysis.”

Moreover, as described in the excerpt below, the security profile data produced
by the Downloadable scanner includes risk scores assigned to each suspicious
computer operation identified thereby providing further evidence that ATP
Appliance stores Downloadable security profile data in a database. The results
of the analyses described in the excerpt below, performed by ATP Appliance
using Downloadables collected by different collectors, are then stored as a report
in memory that identifies the presence of suspicious computer operations in a
Downloadable. Additionally, using the described analysis already performed, the
Downloadable scanner generates a data structure in memory that indicates the
presence of detected suspicious computer operations, including JavaScript
functions and unusual instructions or structure.

1000627-en.pdf at page 2.

As shown in the excerpt below, the database manager accesses security profile
data, used to generate a report for an inspected file, within a database in resident
memory using a file hash associated with the Downloadable. In one example,
during “reputation-based detection” procedures performed by the Downloadable
scanner to detect suspicious computer operations capable of being performed by an
inspected file, the Downloadable scanner attempts to determine whether the file
undergoing inspection already has a file hash, signers, or other meta-data stored
in the database.

Cyphort-ransomware-white-paper.pdf at page 6.

To the extent that Juniper does not literally infringe this claim element, Juniper
infringes under the doctrine of equivalents. The above described functionality of
ATP Appliance is at most insubstantially different from the claimed functionality
and performs substantially the same function in substantially the same way to
achieve substantially the same result.

ATP Appliance performs the same function because it acts as a database
manager, coupled with a downloadable scanner that stores the Downloadable
security profile data in the database. For example, ATP Appliance carries out the
same function as the element because the Downloadable scanner stores the
results of the dynamic analysis in a data repository for future use by applications.
ATP Appliance stores the results of the dynamic analysis in standard markup
language formats such as Google Protocol Buffer, JSON, and XML. In another
example, the verdict from the dynamic analysis is stored as an integer. ATP
Appliance performs the same way because it acts as a database manager,
coupled with a downloadable scanner that stores the Downloadable security
profile data in the database. For example, ATP Appliance performs the same way
because the Downloadable scanner sends dynamic analysis results to a data
repository for future use by applications. ATP Appliance stores the results of the
dynamic analysis in standard markup language formats such as Google Protocol
Buffer, JSON, and XML. In another example, the verdict from the dynamic
analysis is stored as an integer. ATP Appliance achieves the same result as this
element because Downloadable security profile data is stored in the database
from data derived from the Downloadable scanner. For example, ATP Appliance
achieves the same result as this element because its Downloadable scanner
generates profile data that is stored in a data repository with a defined structure
and for future use by applications. In another example, the verdict from the
dynamic analysis is stored as an integer.

Claim 14

The system of claim 10 wherein the Downloadable includes program script.

ATP Appliance meets the recited claim language because, in addition to
satisfying all of the elements of Claim 10 as described above, the Downloadable
includes program script.

ATP Appliance meets the recited claim language because, in addition to
satisfying all of the elements of Claim 10 as described above, files undergoing
inspection by the Downloadable scanner include a number of different file
categories including Flash and Silverlight applications, archive files, source code,
configuration files, documents, executable binaries, java applications, dynamic
and static libraries including kernel modules, mobile applications, operating
system packages, scripting files, PDFs, email, and mbox files.

For instance, as shown in the figure below, the Downloadable
scanner used by ATP Appliance scans the content of files during file inspection,
including files written in JavaScript (“.js” files), Visual Basic (“.vbs” files),
HTML, and the like.

Cyphort-ransomware-white-paper.pdf at page 7.

Claim 16

The system of claim 10 wherein the Downloadable security profile data includes a
URL from where the Downloadable originated.

ATP Appliance meets the recited claim language because, in addition to
satisfying all of the elements of Claim 10 as described above, the Downloadable
security profile data includes a URL from where the Downloadable originated.

ATP Appliance meets the recited claim language because, in addition to
satisfying all of the elements of Claim 10 as described above, a report, generated
by ATP Appliance for an inspected file, includes Downloadable origin
information.

For instance, as shown in the figure below, security profile data generated by the
Downloadable scanner (Cyphort) includes URL information regarding where
the file originated (i.e., “http://voperforseanx.top/site/chorme_update.html”). The
URL information is provided through reports generated by ATP Appliance.

Cyphort-ransomware-white-paper.pdf at page 9.

Claim 18

The system of claim 10 wherein said Downloadable scanner comprises a
disassembler for disassembling the incoming Downloadable.

ATP Appliance meets the recited claim language because, in addition to
satisfying all of the elements of Claim 10 as described above, the Downloadable
scanner comprises a disassembler for disassembling the incoming Downloadable.

ATP Appliance meets the recited claim language because, in addition to
satisfying all of the elements of Claim 10 as described above, the Downloadable
scanner disassembles the incoming Downloadable when it parses through the
content of files written in accordance with different programming code constructs /
formats.

For instance, as shown in the excerpt below, the Downloadable scanner scans a
Downloadable when it processes sequences of characters that are formed in
accordance with the syntactical constructs of program code such as executables,
DLL, mach-o, dmg, PDF, Office, Flash, ISO, ELF, RTF, APK, Silverlight,
Archive, JAR, and the like.

1000627-en.pdf at page 3.

As shown in the excerpt below, the Downloadable scanner scans a Downloadable
when it processes sequences of characters that are formed in accordance with the
syntactical constructs of program code such as JavaScript (“.js” files), Visual
Basic (“.vbs” files), HTML, and the like.

Cyphort-ransomware-white-paper.pdf at page 7.
