Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 1 of 13
`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 1 of 13
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 3
`EXHIBIT 3
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 2 of 13
`
`Juniper’s SRX Gateways
`6,804,780
`The statements and documents cited below are based on information available to Finjan at the time this chart was
`created. Finjan reserves its right to supplement this chart as additional information becomes known to it.
`
`For purposes of this chart, “SRX Gateways” include at least the following appliance models listed in Exhibit A.
`For purposes of this chart, “SRX Gateways” are SRX Series Services Gateway appliances, either alone, or when
`used in conjunction with other products or services as a system. For example, SRX Gateways perform the
`infringing procedures in combination with Juniper Sky Advanced Threat Prevention (“Sky ATP”)1 or the
`Advanced Threat Prevention Appliance (“ATP Appliance”)2 as an integrated distributed system, as will be
`described in greater detail herein. Based on public information, SRX Gateways all operate identically with respect
`to the identified claims and only vary based on software specifications and/or deployment options.
`
`As identified and described element by element below, the one or more of the SRX Gateways specifically listed
`above infringe at least claims 1and 9 of the ’780 Patent.
`
`Claim 1
`1a. A computer-based method
`for generating a
`Downloadable ID to identify
`a Downloadable, comprising:
`
`
`
`SRX Gateways meet the recited claim language because it provides a computer-
`based method for generating a Downloadable ID to identify a Downloadable.
`
`As used herein, and throughout these contentions, Downloadable is “an executable
`application program, which is downloaded from a source computer and run on the
`destination computer.”
`
`SRX Gateways (either alone or in combination with Sky ATP or ATP Appliance)
`meet the recited claim language because SRX Gateways generates a
`Downloadable ID by creating malware attack profiles which include a hash to
`identify a Downloadable, such as malware. The analysis includes scanning the
`Downloadables which include references to software components required to be
`executed by the Downloadable (e.g., suspicious web page content containing
`HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or other blended
`web malware). SRX Gateways use the Downloadable ID to perform a hash
`lookup to Sky ATP or the ATP Appliance. Alternatively, SRX Gateways in
`combination with Sky ATP or ATP appliance meets the claim language because
`SRX generates a Downloadable ID and then uses Sky ATP or ATP appliance to
`generate a Downloadable ID for components of the Downloadable, and then
`generate a combined Downloadable ID for the Downloadable and the related
`components.
`
`As shown below, the SRX Series Services Gateway includes both hardware and
`software components that perform the step of receiving a Downloadable.
`
`
`1 Sky ATP includes the components and services in Exhibit A.
`2 ATP Appliance includes the appliance models listed in Exhibit A.
`
`1
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 3 of 13
`
`Juniper Networks Sky Advanced Threat Prevention.pdf at page 4.
`
`SRX Gateways obtain a Downloadable then generates a Downloadable ID (e.g., a
`SHA-256 or a MD5 hash) to identify a Downloadable and send it to Sky ATP or
`ATP appliance to determine whether it is malicious and to return a risk score or
`verdict.
`
`
`
`
`2
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 4 of 13
`
`1b. obtaining a Downloadable
`that includes one or more
`references to software
`components required to be
`executed by the
`Downloadable;
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/information-products/topic-collections/sky-atp-open-apis.html (showing a
`SHA-256 generated for the downloadable to indentify the downloadable).
`
`
`SRX Gateways meets the recited claim language because it obtains a
`Downloadable that includes one or more references to software components
`required to be executed by the Downloadable.
`
`SRX Gateways (either alone or in combination with Sky ATP or ATP Appliance)
`meets the recited claim language because SRX Gateways obtain suspicious traffic
`flows for analysis through a application program interface, and the content in
`these traffic flows include Downloadables such as web page and/or email
`attachments. These Downloadables include references to software components
`required to be executed by the Downloadable (e.g. suspicious web page content
`containing HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or
`other blended web malware).
`
`Downloadables that includes one or more references to software components
`required to be executed by the Downloadable include a web page that includes
`references to JavaScript, visual basic script, ActiveX, injected iframes; and a PDF
`that includes references to JavaScript, swf files or other executables. Typically,
`Juniper characterizes them as drive-by-downloads or droppers as such
`Downloadables are usually programmed to take advantage of a browser,
`application, or OS that is out of date and has a security flaw. The initial
`downloaded code is often small enough that it wouldn’t be noticed, since its job is
`often simply to contact another computer where it can pull down the rest of the
`code on to the computer. In particular, such software components are usually
`programmed to be downloaded and run in the background in a manner that is
`invisible to the user and without the user taking any conscious actions as just the
`act of viewing a web-page that harbors this malicious code is typically enough for
`the download and execution to occur.
`
`SRX Gateways obtain and scan Downloadables that may include malware
`embedded in images, JavaScript, text and Flash files. As shown below, SRX
`
`3
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 5 of 13
`
`Gateways obtain and conducts analysis on Downloadables such as Executable
`files (e.g., “.bin, .com, .dat, .exe, .msi, .msm, .mst”), PDF files, Java (e.g., “.class,
`.ear, .jar, .war”), MS Office file types, Flash and Silverlight applications, Script
`files, and installer files through an application program interface.
`
`
`
`
`
`(showing SRX intercepting downloadables and sending them to Sky ATP)
`see also https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-profile-overview.html.
`
`In infringement scenarios involving SRX Gatway with Sky ATP, Sky ATP
`performs behavioral analysis such as potential dropper infection for
`Downloadables. Potential dropper infections “Drop PE” (e.g., references to
`software components required to be executed by the Downloadable).
`
`
`
`
`
`4
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 6 of 13
`
`As shown below, SRX Gateways use a cache lookup of a file and its components
`using a hash value to prevent rescanning of known files and their components.
`
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/concept/sky-atp-malware-analyze.html
`
`In infringement scenarios involving SRX Gateways with the ATP Appliance, the
`ATP Appliance performs behavioral analysis such as potential dropper infection
`for Downloadables. Potential dropper infections are references to software
`components required to be executed by the Downloadable. As shown below, the
`ATP appliance uses behavior inspection and dynamic detection to find dropper
`files and to perform hashing functions on them.
`
`
`Cyphort Datasheet
`
`As shown below, ATP Appliance will obtain Downloadables, as well as
`components required to execute the Downloadables.
`
`
`
`5
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 7 of 13
`
`Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.
`
`
`Cyphort WP Security 2.0
`
`
`
`
`
`Cyphort WP Drive by Downloads (describing how the ATP appliances captures
`dropper files and perofrms “static analysis, behavior analysis and reputaiton
`analysis to identify if it is a malware.”).
`
`SRX Gateways meet the recited claim language because it fetches at least one
`software component identified by the one or more references.
`
`
`
`
`1c. fetching at least one
`software component
`identified by the one or more
`
`6
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 8 of 13
`
`references; and
`
`SRX Gateways (either alone or in combination with Sky ATP or ATP Appliance)
`meet the recited claim language because SRX Gateways perform analysis on
`malware containing multiple software components and capture traffic containing
`malware for analysis, including suspicious web page content containing HTML,
`scripts, applets, ActiveX and drive-by downloads. As part of this analysis, SRX
`Gateways include components which fetch the software components identified in
`references in the Downloadable such as potential dropper infections, dropped
`files, multiple infected files, and object streams within PDF’s.
`
`In infringement scenarios involving SRX Gateways with Sky ATP, Sky ATP
`analyzes a Downloadable and fetches the software components identified by the
`one or more references (e.g., “Drop PE”) within to determine whether it is
`suspicious or not. The Sky ATP also performs dynamic analysis on the
`Downloadable and allows it to download additional referenced components.
`
`
`
`
`SRX Gateways with Sky ATP include components which fetch software
`components identified by the one or more references (e.g., dropped files).
`Dropped files are captured by Sky ATP during sandboxing analysis as well as
`identified during static analysis. As shown below, static analysis will break down
`code and look for suspicious code and/or operations that include dropping files.
`SRX Gateways include components which fetch software components identified
`by the one or more references. SHA-256 hashes are generated together for the
`parent (dropper) and target (dropped) files.
`
`7
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 9 of 13
`
`
`
`As described below, Sky ATP will detonate downloadable files using
`dynamic analysis, which requires fetching referenced components.
`
`
`
`
`
`
`Juniper Sky Advanced Threat Prevention .pdf at page 2.
`
`
`In infringement scenarios involving SRX Gateways with the ATP appliance, the
`ATP appliance performs behavioral analysis such as potential dropper infection
`for Downloadables. Potential dropper infections are references to software
`components required to be executed by the Downloadable. As shown below, the
`ATP appliance uses behavior inspection and dynamic detection to find dropper
`files and to perform hashing functions on them.
`
`8
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 10 of 13
`
`Vandelay-ThreatAssessment-2015 (emphasis added) (showing fetching an
`component and creating a Downloadable ID for that dropped file).
`
`As shown below, ATP Appliance will obtain Downloadables, as well as
`components required to execute the Downloadables.
`
`
`
`
`Redimadrid_Journadas-Sky ATP Enhancements.pdf at page 14.
`
`
`9
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 11 of 13
`
`
`
`Cyphort DataSheet (showing MD5, SHA1, and SHA256 hashes).
`
`To the extent Juniper argues that SRX Gateways do not literally satisfy this
`element, Juniper meets this element under the doctrine of equivalents.
`
`SRX Gateways perform the same function as this claim element because they
`receive downloaded content, such as HTML or JavaScript, that have referenced
`components that are also downloaded by SRX Gateways, and create an identity
`for downloaded content. This is the same function as this element because this an
`identification of a downloaded content, including referenced components that are
`downloaded.
`
`SRX Gateways perform this function in the same way as this claim element
`because they download components that are used to create an identity for
`downloaded content such as HTML or JavaScript. SRX Gateways perform this
`element the same way because the identity created can be used to identify
`downloaded content that reference multiple components that are used by the
`downloaded content.
`
`SRX Gateways achieve the same result as this claim element because they have
`components that result in the creation of an identification in downloaded content,
`such as HTML or JavaScript, and downloads multiple components referenced.
`This is the same result as this claim element because SRX Gateways use this
`identity to identify the downloaded content and its referenced components for
`security decisions.
`
`SRX Gateways meet the recited claim language because they perform a hashing
`function on the Downloadable and the fetched software components to generate a
`Downloadable ID.
`
`SRX Gateways (either alone or in combination with Sky ATP or ATP Appliance)
`meet the recited claim language because SRX Gateways include components
`which create a dynamically generated signature and/or a malware attack profile
`for the Downloadable by performing a hashing function using SHA256, MD5,
`and/or SHA-1 on Downloadables (e.g., HTML, JavaScript, and/or email) together
`
`10
`
`1d. performing a hashing
`function on the Downloadable
`and the fetched software
`components to generate a
`Downloadable ID.
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 12 of 13
`
`with other web-based files/executables fetched (e.g., potential dropper infections,
`multiple infected files, and object streams within PDF’s).
`
`SRX Gateways obtain a Downloadable then generates a profile that includes
`generating a Downloadable ID (e.g., the SHA-256 hash) to identify a
`Downloadable. As shown below, the profile is then stored in Juniper’s cloud for
`further identification of Downloadables, including whether it is malicious and to
`create a risk score.
`
`
`
`
`
`See
`https://www.juniper.net/documentation/en_US/junos/topics/reference/command-
`summary/security-file-checksum-sha-256.html (showing that the SRX performs
`SHA256, MD5, and SHA1 hashing functions).
`
`In the infringement scenario with SRX Gateways in combination with Sky ATP,
`Sky ATP obtains a Downloadable then generates a Downloadable ID (e.g., the
`SHA-256, SHA-1, and/or MD5 hashes) to identify a Downloadable (e.g., the exe
`file) together with the fetched software components using hashes for both the file
`and the “parent” file.
`
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-filescan-overview.html (showing a SHA256
`and MD5 hash of a downloadable).
`
`
`
`11
`
`

`

`Case 3:17-cv-05659-WHA Document 96-7 Filed 06/07/18 Page 13 of 13
`
`
`See
`https://www.juniper.net/documentation/en_US/junos/topics/reference/command-
`summary/security-file-checksum-sha1.html (showing a SHA-1 hash of a
`downloadable).
`
`In infringement scenarios involving SRX Gateways with the ATP appliance, the
`ATP appliance performs MD5, SHA-1, and SHA256 hashes on downloadables.
`
`
`
`12
`
`