Case 3:17-cv-05659-WHA Document 91-5 Filed 05/31/18 Page 1 of 13

EXHIBIT 3

US007418731B2

(12) United States Patent
Touboul

(10) Patent No.: US 7,418,731 B2
(45) Date of Patent: Aug. 26, 2008

(54) METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

(75) Inventor: Shlomo Touboul, Kefar-Haim (IL)
(73) Assignee: Finjan Software, Ltd., Netanya (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 537 days.

(21) Appl. No.: 10/838,889
(22) Filed: May 3, 2004

(65) Prior Publication Data
US 2005/0005107 A1    Jan. 6, 2005

Related U.S. Application Data
(63) Continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

(51) Int. Cl.
G06F 21/00 (2006.01)
G06F 5/16 (2006.01)
(52) U.S. Cl. ........................................................ 726/22
(58) Field of Classification Search ....................... None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,077,677 A   12/1991   Murphy et al.
5,359,659 A   10/1994   Rosenthal
5,361,359 A   11/1994   Tajalli et al.
5,485,409 A   1/1996    Gupta et al.
5,485,575 A   1/1996    Chess et al.
5,572,643 A   11/1996   Judson
5,579,509 A   11/1996   Furtney et al.
5,606,668 A   2/1997    Shwed
5,623,600 A   4/1997    Ji et al.
5,638,446 A   6/1997    Rubin
5,692,047 A   11/1997   McManis
5,692,124 A   11/1997   Holden et al.
5,720,033 A   2/1998    Deo
5,724,425 A   3/1998    Chang et al.
5,740,248 A   4/1998    Fieres et al.
5,761,421 A   6/1998    van Hoff et al.
5,765,205 A   6/1998    Breslau et al.
(Continued)

FOREIGN PATENT DOCUMENTS
EP   1091276 A1   4/2001
(Continued)

OTHER PUBLICATIONS
U.S. Appl. No. 10/838,889, filed Oct. 26, 1999, Golan, G.
(Continued)

Primary Examiner: Christopher A Revak
(74) Attorney, Agent, or Firm: Perkins Coie LLP

(57) ABSTRACT

A computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for client computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers. A method and a computer-readable storage medium are also described and claimed.

22 Claims, 3 Drawing Sheets

[FIG. 1 (front-page drawing, residue only): gateway computer with a security profile cache holding the security profile for web page P, a security policy cache holding security policies for user groups 1, 2 and 3, and web page P together with the web objects it references]

US 7,418,731 B2
Page 2

U.S. PATENT DOCUMENTS
5,784,459 A    7/1998    Devarakonda et al.
5,796,952 A    8/1998    Davis et al.
5,805,829 A    9/1998    Cohen et al.
5,832,208 A    11/1998   Chen et al.
5,832,274 A    11/1998   Cutler et al.
5,850,559 A    12/1998   Angelo et al.
5,859,966 A    1/1999    Hayman et al.
5,864,683 A    1/1999    Boebert et al.
5,892,904 A    4/1999    Atkinson et al.
5,951,698 A    9/1999    Chen et al.
5,956,481 A    9/1999    Walsh et al.
5,974,549 A    10/1999   Golan
5,978,484 A    11/1999   Apperson et al.
5,983,348 A    11/1999   Ji
6,092,194 A    7/2000    Touboul
6,154,844 A    11/2000   Touboul
6,167,520 A    12/2000   Touboul
6,339,829 B1   1/2002    Beadle et al.
6,480,962 B1   11/2002   Touboul
6,804,780 B1   10/2004   Touboul
6,917,953 B2 * 7/2005    Simon et al. ................ 707/204

FOREIGN PATENT DOCUMENTS
EP   1132796 A1   9/2001

OTHER PUBLICATIONS
http://www.codeguru.com/Cpp/Cpp/cpp mfc.?parsing/article.php/c4093/.
http://www.cs.imay.ief-power? Courses/compilers/notes/lexical.pdf.
http://www.mail-archive.com/kiragen-tol(acanonical.org/msg00097.html.
http://www.owlnet.rice.edu/~comp412/Lectures/L06Lex Wrapup4.pdf.
http://www.cs.odu.edu/~toidainerzic/390teched/regular/fa?min-fa.html.
http://rwa.cs.uni-sb.de/~ganimal/GANIFA/page 16 e.htm.
http://www.cs.imsstate.edu/~hansen/classes/3813fall.01/slides 06Minimize.pdf.
http://www.win.tue.nl/~watson/2R870/downloads/madfa algs.pdf.
http://www.cs.nyu.edu/web/Research. Theses/chang chia-hsiang.pdf.
"Products" Article published on the Internet, "Revolutionary Security for A New Computing Paradigm" regarding SurfinGate, 7 pages.
"Release Notes for the Microsoft ActiveX Development Kit", Aug. 13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
Doyle et al., "Microsoft Press Computer Dictionary", 1993, Microsoft Press, 2nd Edition, pp. 137-138.
Finjan Software Ltd., "Powerful PC Security for the New World of Java and Downloadables, SurfinShield", Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
Finjan Software Ltd., "Finjan Announces a Personal Java Firewall For Web Browsers, the SurfinShield 1.6 (formerly known as SurfinBoard)", Press Release of Finjan Releases SurfinShield 1.6, Oct. 21, 1996, 2 pages.
Finjan Software Ltd., "Finjan Announces Major Power Boost and New Features for SurfinShield 2.0", Las Vegas Convention Center/Pavilion 5 P5551, Nov. 18, 1996, 3 pages.
Finjan Software Ltd., "Finjan Software Releases SurfinBoard, Industry's First Java Security Product For the World Wide Web", Article published on the Internet by Finjan Software Ltd., Jul. 29, 1996, 1 page.
Finjan Software Ltd., "Java Security: Issues & Solutions", Article published on the Internet by Finjan Software Ltd., 1996, 8 pages.
Finjan Software Ltd., Company Profile "Finjan Safe Surfing, The Java Security Solutions Provider", Article published on the Internet by Oct. 31, 1996, 3 pages.
IBM AntiVirus User's Guide Version 24, International Business Machines Corporation, Nov. 15, 1995, p. 6-7.
Khare, R., "Microsoft Authenticode Analyzed", Jul. 22, 1996, xent.com/FoRK-archive/summer96/0338.html, p. 1-2.
LaDue, M., "Online Business Consultant: Java Security: Whose Business Is It?", Article published on the Internet, Home Page Press, Inc. 1996, 4 pages.
Leach, Norvin et al., "IE 3.0 Applets Will Earn Certification", PC Week, vol. 13, No. 29, Jul. 22, 1996, 2 pages.
Moritz, R., "Why We Shouldn't Fear Java", Java Report, Feb. 1997, pp. 51-56.
Microsoft, "Microsoft ActiveX Software Development Kit", Aug. 12, 1996, activex.adsp.or.jp/inetsdk/help/overview.htm, pp. 1-6.
Microsoft Corporation, Web Page Article "Frequently Asked Questions About Authenticode", last updated Feb. 17, 1997, printed Dec. 23, 1998, URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Microsoft Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet", Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction and pp. 1-10.
Okamoto, E. et al., "ID-Based Authentication System For Computer Virus Detection", IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170. URL: http://ielihs.com:80/cgi-biniel cgi?se.2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
Omura, J. K., "Novel Applications of Cryptography in Digital Communications", IEEE Communications Magazine, May 1990, pp. 21-29.
Schmitt, D.A., ".EXE files, OS/2 style", PC Tech Journal, v6, n11, p. 76 (13).
Zhang, X.N., "Secure Code Distribution", IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, Jun. 1997, pp. 76-79.
* cited by examiner

[Drawing sheets 1 to 3 of US 7,418,731 B2, dated Aug. 26, 2008: figure content not recoverable from the extraction]

US 7,418,731 B2

METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

CROSS REFERENCES TO RELATED APPLICATIONS

This application is a continuation-in-part of assignee's application U.S. Ser. No. 09/539,667 (now U.S. Pat. No. 6,804,780), filed on Mar. 30, 2000, and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, which is a continuation of U.S. Ser. No. 08/964,388 (now U.S. Pat. No. 6,092,194), filed on Nov. 6, 1997 and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES.

FIELD OF THE INVENTION

The present invention relates to computer security and network gateways.

BACKGROUND OF THE INVENTION

A network gateway computer conventionally serves as a proxy between a group of inter-connected computers, referred to as an intranet, such as a corporate intranet or customers of an Internet service provider, and the myriads of server computers on the Internet. The gateway computer is networked with the intranet computers in such a way that outgoing requests and responses from the intranet computers to the Internet, and incoming requests and responses from the Internet to the intranet computers, are routed through the gateway computer.

Typically, a request is issued as an HTTP protocol request that includes a URI for a file, such as an HTML page, a JPEG image or a PDF document, residing on one or more server computers on the Internet. Similarly, a response is typically an HTTP response including a requested file, sent back to a client in response to a request.

Network gateways are generally connected to an intranet with high-speed lines, so that the bandwidth between the intranet computers and the gateway computer is much higher than the bandwidth between the gateway computer and the rest of the Internet.

Two important functions of computer gateways are (i) to restrict outsiders from unauthorized access to a computer intranet, and (ii) to protect the intranet computers from software containing computer viruses and from spam. Computer gateways may contain conventional firewall software that restricts outside communication with the intranet, anti-virus software that identifies computer viruses residing within files retrieved from the Internet, and anti-spam software that filters out unwanted content.

Current gateway systems cause latency because clients do not access websites directly, and because current gateway systems apply security protocols to protect intranet members. Accordingly, systems and methods for reducing network access latency without compromising network safety are needed.

SUMMARY OF THE INVENTION

The present invention provides a method and system for improving performance of gateway computers. Specifically, the present invention mitigates network latency caused by processing time at a gateway computer.

There is thus provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is additionally provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a file cache for storing files, a security profile cache for storing security profiles for files, the security profiles being lists of computer commands that the files are programmed to perform, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis a vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning outgoing files from an intranet to the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, and a security policy cache for storing security policies for recipient computers within the Internet, the security policies including a list of restrictions for files that are transmitted to recipient computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis a vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

FIG. 1 is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention;

FIG. 2 is a simplified flowchart for operation of a network gateway, in accordance with a preferred embodiment of the present invention; and

FIG. 3 is a simplified block diagram for a network gateway that controls outgoing traffic, in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The present invention provides a system and method for optimizing performance of network gateways that perform security-based functions.

Reference is now made to FIG. 1, which is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention. Shown in FIG. 1 is a network gateway computer 110, which serves as a proxy between an intranet of clients and servers, and the Internet. Specifically in FIG. 1, gateway computer 110 intervenes between requests for web pages originating from an intranet 120 of clients 123, 125 and 127, and responses originating from Internet servers 133, 135 and 137.

Typically, web pages include text, executable scripts and one or more links to web objects that must be retrieved in order to completely render the web page. Such web objects include inter alia images, sounds, multimedia presentations, video clips and also active code that runs on the client computer. Executable scripts and active code components are a security concern, since they may contain computer viruses that maliciously harm client computers. In fact, most viruses today are transmitted as active web objects or as e-mail attachments.

Preferably, gateway computer 110 includes a code scanner 140, for scanning incoming web pages and web objects in order to detect the presence of malicious executable scripts or active code. Preferably, when gateway 110 receives a web page, it also retrieves the web objects referenced by the web page, and scanner 140 scans the web page and the web objects that may be malicious. For example, a web page, P, requested by a client computer, may contain references to web objects O1, O2, O3 and O4. Generally, the web page, P, and the web objects it references, O1, O2, O3 and O4, are stored as files within the Internet.

When the web page, P, first arrives at gateway computer 110, gateway computer 110 preferably retrieves objects O1, O2, O3 and O4. Gateway computer 110 then decides which of web page P and objects O1, O2, O3 and O4 may potentially be malicious, and scanner 140 scans each of the potentially malicious files. Determination of which files may be potentially malicious may be based on numerous criteria; for example, multimedia objects such as images and video clips may be deemed safe, whereas Visual Basic scripts and Java applets may be deemed potentially malicious.

In accordance with a preferred embodiment of the present invention, scanner 140 analyzes each file it scans to determine the nature of computer operations that the file is programmed to perform, and derives a security profile therefor, summarizing potentially malicious computer operations. Thus scanner 140 may determine inter alia that a file is programmed to access a computer file system, or a computer operating system, or open a network socket.

Table I below indicates a typical scan analysis, in accordance with a preferred embodiment of the present invention. As can be seen from Table I, web page P and web objects O1 and O4 are deemed potentially malicious. Web objects O2 and O3 are deemed safe. The security profile for web page P includes security profiles for JavaScript within page P, and for web objects O1 and O4 referenced by page P. Web objects O2 and O3 are not scanned, since they are deemed to be safe.

TABLE I
Security Profile for Web Page P

                                 |              | Security Profile
File                             | Potentially  | File System        | Operating System  | Network
                                 | Malicious?   | Commands           | Commands          | Commands
---------------------------------+--------------+--------------------+-------------------+--------------------
Web Page P                       | Yes          | None               | None              | Issue HTTP request
  (references objects O1, O2,    |              |                    |                   |
  O3 and O4; includes JavaScript)|              |                    |                   |
Web Object O1 (Java applet)      | Yes          | Open file F1;      | Open registry;    | None
                                 |              | Write file F2;     | Edit registry     |
                                 |              | Delete file F1     |                   |
Web Object O2 (Still image)      | No           |                    |                   |
Web Object O3 (Audio clip)       | No           |                    |                   |
Web Object O4 (ActiveX Control)  | Yes          | Open file F1;      | None              | Open socket;
                                 |              | Copy file F1       |                   | FTP send

In accordance with a preferred embodiment of the present invention, web page security profiles are stored in a security profile cache 150, and the web page and the web objects that the page references are stored in a web cache 160. Security profile cache 150 preferably includes a table as indicated in Table II.

TABLE II
Structure of Security Profile Cache 150

Web Content ID | Web Content Security Profile

Web content ID is preferably a hash ID that serves as a key for Table II. Similarly, web content cache 160 preferably includes a table as indicated in Table III.

TABLE III
Structure of Web Content Cache 160

Web Content URI | Web Content ID | Web Content

[...] A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES, U.S. Pat. No. 6,480,962 entitled SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES, U.S. Pat. No. 6,804,780 entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, U.S. Pat. No. 6,965,968 entitled POLICY-BASED CACHING, and U.S. Pat. No. 7,058,822 entitled MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS.

It may be appreciated that the various caches within gateway computer 110, namely security profile cache 150, web cache 160 and security policy cache 170, must be managed in order to be kept current as files on the Internet are replaced with newer versions, and in order to appropriately purge items from cache when cache memory is full and new items arrive for storage. Typically, web cache 160 is the cache that fills up, since web objects such as applets and multimedia files tend to be very large. In accordance with a preferred embodiment of the present invention, caches 150 and 160 are synchronized, so that when a file is purged from web cache 160, its corresponding security profile is purged from cache 150.

Methodologies for keeping caches 150 and 160 current include inter alia:
    replacing cached files regularly on a periodic basis, such as every 24 hours, and re-scanning them to derive updated security profiles;
    replacing files based on expiration dates and times included within the file headers, and re-scanning them to derive updated security profiles; and
    checking the Internet to determine whether cached files are current whenever they are requested by an intranet computer.

Methodologies for purging files when cache 160 is full include inter alia:
    purging the oldest files;
    purging the least accessed files; and
    purging the files that have not been accessed for the longest time, i.e., least recently used (LRU).

It may be appreciated that although web content is purged from cache 160 in order to free up memory, the security profile of the purged content need not be purged from security profile cache 150. In such a case, if the purged web content is subsequently re-cached and has not changed, then code scanner 140 need not re-scan the content. Preferably, the web content ID is used to determine if web content re-entering the cache is identical to previously cached web content.

Security policies are typically specified by a system administrator and, as such, security policy cache 170 is controlled by the system administrator.

It may be appreciated by those skilled in the art that code scanner 140 may be updated from time to time. In accordance with a preferred embodiment of the present invention, when code scanner 140 is updated, cached web content is re-scanned to update the corresponding security profiles, in order to maintain synchronization between security profile cache 150 and web content cache 160.
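The scan analysis of Table I, the cache structures of Tables II and III, and the cache-management rules just described, as an added example in Python. This is not code from the patent, from the court filing or from Finjan's products. The names (Gateway, scan, violations, content_id), the use of SHA-256 as the web content ID, the keyword matcher that stands in for code scanner 140, the constructed sample content in ORIGIN and the policies in POLICIES are all assumptions made for this illustration; the patent does not describe how scanner 140 derives its profiles.

```python
# Added example, not code from the patent, the court filing or Finjan. A toy
# model of the gateway of FIG. 1: web content cache 160 keyed by URI, security
# profile cache 150 keyed by a content hash, security policy cache 170 keyed
# by user group. The "scanner" only recognises the command names listed in
# COMMAND_CATEGORY inside constructed sample content; all names are assumptions.
import hashlib
import re
from collections import OrderedDict

# Command names the stand-in scanner recognises, grouped as in Table I.
COMMAND_CATEGORY = {
    "OpenFile": "file_system", "WriteFile": "file_system",
    "DeleteFile": "file_system", "CopyFile": "file_system",
    "OpenRegistry": "operating_system", "EditRegistry": "operating_system",
    "OpenSocket": "network", "FtpSend": "network", "HttpRequest": "network",
}
_CALL = re.compile(r"\b([A-Z][A-Za-z]+)\s*\(")


def content_id(content: bytes) -> str:
    """Hash ID used as the key of the security profile cache (Table II)."""
    return hashlib.sha256(content).hexdigest()


def scan(content: bytes) -> dict:
    """Derive a security profile: category -> sorted list of commands found."""
    profile = {"file_system": [], "operating_system": [], "network": []}
    for name in set(_CALL.findall(content.decode("utf-8", "replace"))):
        category = COMMAND_CATEGORY.get(name)
        if category:
            profile[category].append(name)
    return {category: sorted(cmds) for category, cmds in profile.items()}


def violations(profile: dict, policy: dict) -> list:
    """Commands in the profile that the policy restricts, by category or by name."""
    denied_categories = policy.get("deny_categories", set())
    denied_commands = policy.get("deny_commands", set())
    return sorted(cmd for category, cmds in profile.items() for cmd in cmds
                  if category in denied_categories or cmd in denied_commands)


class Gateway:
    def __init__(self, policies: dict, web_cache_size: int = 2, scanner_version: int = 1):
        self.web_cache = OrderedDict()      # URI -> (content ID, content), LRU order
        self.web_cache_size = web_cache_size
        self.profile_cache = {}             # content ID -> (scanner version, profile)
        self.policy_cache = dict(policies)  # user group -> policy set by the administrator
        self.scanner_version = scanner_version

    def _profile_for(self, cid: str, content: bytes) -> tuple:
        """Return (profile, scanned). A cached profile is reused only when the
        content hash matches and it was produced by the current scanner."""
        entry = self.profile_cache.get(cid)
        if entry is not None and entry[0] == self.scanner_version:
            return entry[1], False
        profile = scan(content)
        self.profile_cache[cid] = (self.scanner_version, profile)
        return profile, True

    def request(self, uri: str, group: str, origin: dict) -> dict:
        """Serve one intranet request; `origin` stands in for the Internet."""
        hit = uri in self.web_cache
        if hit:
            cid, content = self.web_cache[uri]
            self.web_cache.move_to_end(uri)            # mark as recently used
        else:
            content = origin[uri]
            cid = content_id(content)
            self.web_cache[uri] = (cid, content)
            while len(self.web_cache) > self.web_cache_size:
                self.web_cache.popitem(last=False)     # purge LRU file; its profile stays
        profile, scanned = self._profile_for(cid, content)
        denied = violations(profile, self.policy_cache[group])
        return {"allowed": not denied, "violations": denied,
                "cache_hit": hit, "scanned": scanned}

    def update_scanner(self, new_version: int) -> int:
        """Scanner upgrade: re-scan every file still in the web cache so the two
        caches stay synchronized. Returns the number of files re-scanned."""
        self.scanner_version = new_version
        for cid, content in self.web_cache.values():
            self.profile_cache[cid] = (new_version, scan(content))
        return len(self.web_cache)


# Constructed sample origin (the "Internet") and administrator policies.
ORIGIN = {
    "http://example.test/applet.class":
        b"OpenFile('F1'); WriteFile('F2'); DeleteFile('F1'); OpenRegistry(); EditRegistry();",
    "http://example.test/control.ocx":
        b"OpenFile('F1'); CopyFile('F1'); OpenSocket(); FtpSend();",
    "http://example.test/logo.gif": b"GIF89a...",
}
POLICIES = {
    "group1": {"deny_categories": {"network"}, "deny_commands": {"DeleteFile"}},
    "group2": {"deny_categories": set(), "deny_commands": set()},
}

if __name__ == "__main__":
    gw = Gateway(POLICIES, web_cache_size=2)
    for uri in ORIGIN:
        print(uri, gw.request(uri, "group1", ORIGIN))
```

The profile cache is deliberately not trimmed when the web cache evicts a file: the content hash lets the gateway recognise unchanged content on re-fetch and skip the scan, which is the latency saving the patent is after. The one thing the hash cannot tell the gateway is that the scanner itself has changed, so each cached profile also records the scanner version and is treated as stale when the version moves.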

Reference is now made to FIG. 2, which is a simplified flowchart for operation of a network gateway, in accordance with a preferred embodiment of the present invention. All of the steps shown in FIG. 2 are performed by a network gateway computer, except for steps 205, 225 and 230, which are performed by an intranet client computer. As shown in FIG. 2, at step 205 an intranet client computer requests an Internet web page. Typically, the web page is designated by a Un
