Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 1 of 10
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 1 of 10
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 4
`EXHIBIT 4
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 1 of 10
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 4
`EXHIBIT 4
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 2 of 10
`
`Juniper’s Sky Advanced Threat Prevention
`6,804,780
`The statements and documents cited below are based on information available to Finjan, Inc. at the time this chart
`was created. Finjan reserves its right to supplement this chart as additional information becomes known to it.
`
`For purposes of this chart, “Sky ATP” is the cloud service and all support infrastructure maintained by Juniper, and
`includes the services and components in Exhibit A, as will be described in greater detail herein. Based on public
`information, Sky ATP operates identically with respect to the identified claims and only vary based on software
`specifications and/or deployment options.
`
`As identified and described element by element below, the one or more of the Sky ATP specifically listed above
`infringe at least claims 1and 9 of the ’780 Patent.
`
`Claim 1
`1a. A computer-based method
`for generating a
`Downloadable ID to identify
`a Downloadable, comprising:
`
`
`
`Sky ATP meet the recited claim language because it provides a computer-based
`method for generating a Downloadable ID to identify a Downloadable.
`
`As used herein, and throughout these contentions, Downloadable is “an executable
`application program, which is downloaded from a source computer and run on the
`destination computer.”
`
`Sky ATP meet the recited claim language because Sky ATP generates a
`Downloadable ID by creating malware attack profiles which include a hash to
`identify a Downloadable, such as malware. The analysis includes scanning the
`Downloadables which include references to software components required to be
`executed by the Downloadable (e.g., suspicious web page content containing
`HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or other blended
`web malware).
`
`Sky ATP obtains a Downloadable then generates a profile that includes generating
`a Downloadable ID (e.g., a SHA-256 or a MD5 hash) to identify a Downloadable
`and whether it is malicious and to create a risk score or verdict.
`
`
`
`1
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 3 of 10
`
`1b. obtaining a Downloadable
`that includes one or more
`references to software
`components required to be
`executed by the
`Downloadable;
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/information-products/topic-collections/sky-atp-open-apis.html (showing a
`SHA-256 generated for the downloadable to indentify the downloadable).
`
`Sky ATP meets the recited claim language because it obtains a Downloadable that
`includes one or more references to software components required to be executed
`by the Downloadable.
`
`Sky ATP meets the recited claim language because Sky ATP obtains suspicious
`traffic flows for analysis through a application program interface, and the content
`in these traffic flows include Downloadables such as web page and/or email
`attachments. These Downloadables include references to software components
`required to be executed by the Downloadable (e.g. suspicious web page content
`containing HTML, PDFs, JavaScript, drive-by downloads, obfuscated code, or
`other blended web malware).
`
`Downloadables that includes one or more references to software components
`required to be executed by the Downloadable include a web page that includes
`references to JavaScript, visual basic script, ActiveX, injected iframes; and a PDF
`that includes references to JavaScript, swf files or other executables. Typically,
`Juniper characterizes them as drive-by-downloads or droppers as such
`Downloadables are usually programmed to take advantage of a browser,
`application, or OS that is out of date and has a security flaw. The initial
`downloaded code is often small enough that it wouldn’t be noticed, since its job is
`often simply to contact another computer where it can pull down the rest of the
`code on to the computer. In particular, such software components are usually
`programmed to be downloaded and run in the background in a manner that is
`invisible to the user and without the user taking any conscious actions as just the
`act of viewing a web-page that harbors this malicious code is typically enough for
`the download and execution to occur.
`
`
`
`2
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 4 of 10
`
`Sky ATP obtains and scans Downloadables that may include malware embedded
`in images, JavaScript, text and Flash files. As shown below, Sky ATP obtains
`and conducts analysis on Downloadables such as Executable files (e.g., “.bin,
`.com, .dat, .exe, .msi, .msm, .mst”), PDF files, Java (e.g., “.class, .ear, .jar, .war”),
`MS Office file types, Flash and Silverlight applications, Script files, and installer
`files through an application program interface.
`
`
`
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-profile-overview.html.
`
`
`
`As shown below, Sky ATP performs behavioral analysis such as potential dropper
`infection for Downloadables. Potential dropper infections “Drop PE” (e.g.,
`references to software components required to be executed by the Downloadable).
`
`3
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 5 of 10
`
`
`As shown below, Sky ATP a cache lookup of a file and its components using a
`hash value to prevent rescanning of known files and their components.
`
`
`1c. fetching at least one
`software component
`identified by the one or more
`references; and
`
`
`
`https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/concept/sky-atp-malware-analyze.html
`
`Sky ATP meet the recited claim language because it fetches at least one software
`component identified by the one or more references.
`
`Sky ATP meet the recited claim language because Sky ATP perform analysis on
`malware containing multiple software components and capture traffic containing
`malware for analysis, including suspicious web page content containing HTML,
`scripts, applets, ActiveX and drive-by downloads. As part of this analysis, Sky
`ATP includes components which fetch the software components identified in
`references in the Downloadable such as potential dropper infections, dropped
`files, multiple infected files, and object streams within PDF’s.
`
`
`
`4
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 6 of 10
`
`As shown below, Sky ATP analyzes a Downloadable and fetches the software
`components identified by the one or more references (e.g., “Drop PE”) within to
`determine whether it is suspicious or not. Sky ATP also performs dynamic
`analysis on the Downloadable and allows it to download additional referenced
`components.
`
`
`
`Sky ATP includes components which fetch software components identified by the
`one or more references (e.g., dropped files). Dropped files are captured by Sky
`ATP during sandboxing analysis as well as identified during static analysis. As
`shown below, static analysis will break down code and look for suspicious code
`and/or operations that include dropping files. Sky ATP includes components
`which fetch software components identified by the one or more references. SHA-
`256 hashes are generated together for the parent (dropper) and target (dropped)
`files.
`
`
`
`
`To the extent Juniper argues that Sky ATP do not literally satisfy this element,
`Juniper meets this element under the doctrine of equivalents.
`
`
`
`
`5
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 7 of 10
`
`As described below, Sky ATP will detonate downloadable files using dynamic
`analysis, which requires fetching referenced components.
`
` Juniper Sky Advanced Threat Prevention .pdf at page 2.
`
`Sky ATP perform the same function as this claim element because they receive
`downloaded content, such as HTML or JavaScript, that have referenced
`components that are also downloaded by Sky ATP, and create an identity for
`downloaded content. This is the same function as this element because this an
`identification of a downloaded content, including referenced components that are
`downloaded. Sky ATP perform this function in the same way as this claim
`element because they download components that are used to create an identity for
`downloaded content such as HTML or JavaScript. Sky ATP perform this element
`the same way because the identity created can be used to identify downloaded
`content that reference multiple components that are used by the downloaded
`content. Sky ATP achieve the same result as this claim element because they
`have components that result in the creation of an identification in downloaded
`content, such as HTML or JavaScript, and downloads multiple components
`referenced. This is the same result as this claim element because Sky ATP use
`this identity to identify the downloaded content and its referenced components for
`security decisions.
`
`
`Sky ATP meet the recited claim language because they perform a hashing
`function on the Downloadable and the fetched software components to generate a
`Downloadable ID.
`
`
`6
`
`1d. performing a hashing
`function on the Downloadable
`and the fetched software
`components to generate a
`Downloadable ID.
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 8 of 10
`
`Sky ATP meet the recited claim language because Sky ATP include components
`which create a dynamically generated signature and/or a malware attack profile
`for the Downloadable by performing a hashing function using SHA256, MD5,
`and/or SHA-1 on Downloadables (e.g., HTML, JavaScript, and/or email) together
`with other web-based files/executables fetched (e.g., potential dropper infections,
`multiple infected files, and object streams within PDF’s).
`
`Sky ATP obtains a Downloadable then generates a profile that includes
`generating a Downloadable ID (e.g., the SHA-256 hash) to identify a
`Downloadable. As shown below, the profile is then stored in Juniper’s cloud for
`further identification of Downloadables, including whether it is malicious and to
`create a risk score.
`
`
`
`
`7
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 9 of 10
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/information-products/topic-collections/sky-atp-open-apis.html
`
`Sky ATP obtains a Downloadable then generates a Downloadable ID (e.g., the
`SHA-256, SHA-1, and/or MD5 hashes) to identify a Downloadable (e.g., the exe
`file) together with the fetched software components using hashes for both the file
`and the “parent” file.
`
`
`
`
`
`8
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 96-8 Filed 06/07/18 Page 10 of 10
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-
`atp/topics/reference/general/sky-atp-filescan-overview.html (showing a SHA256
`and MD5 hash of a downloadable).
`
`See
`https://www.juniper.net/documentation/en_US/junos/topics/reference/command-
`summary/security-file-checksum-sha1.html (showing a SHA-1 hash of a
`downloadable).
`
`
`
`
`9
`
`
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
