Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 1 of 28
`
`
`
`PAUL ANDRE (State Bar No. 196585)
`pandre@kramerlevin.com
`LISA KOBIALKA (State Bar No. 191404)
`lkobialka@kramerlevin.com
`JAMES HANNAH (State Bar No. 237978)
`jhannah@kramerlevin.com
`KRISTOPHER KASTENS (State Bar No. 254797)
`kkastens@kramerlevin.com
`KRAMER LEVIN NAFTALIS & FRANKEL LLP
`990 Marsh Road
`Menlo Park, CA 94025
`Telephone: (650) 752-1700
`Facsimile: (650) 752-1800
`
`Attorneys for Plaintiff
`FINJAN, INC.
`
`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`SAN FRANCISCO DIVISION
`
`FINJAN, INC., a Delaware Corporation,
`
`
`
`
`
`
`Plaintiff,
`
`v.
`
`
`JUNIPER NETWORKS, INC., a Delaware
`Corporation,
`
`
`Defendant.
`
`
`
`Case No.: 3:17-cv-05659-WHA
`
`DECLARATION OF DR. ERIC COLE IN
`SUPPORT OF PLAINTIFF FINJAN, INC.’S
`NOTICE OF MOTION AND MOTION FOR
`SUMMARY JUDGMENT OF INRINGEMENT
`OF CLAIM 10 OF U.S. PATENT NO. 8,677,494
`
`July 26, 2018
`Date:
`8:00 a.m.
`Time:
`Courtroom: Courtroom 12, 19th Floor
`Before:
`Hon. William Alsup
`
`
`
`
`
`
`REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 2 of 28
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`I, Eric Cole, hereby declare that:
`
`I have been asked by Plaintiff Finjan, Inc. to submit an expert declaration on whether
`1.
`Juniper, Inc.’s SRX Gateways1 and Sky ATP2 products infringe claim 10 of U.S. Patent No. 8,677,494
`(the “’494 Patent”). I relied on the documents cited herein, including the ‘494 Patent, the file history of
`
`the ’494 Patent, the source code review computer, source code printouts, the deposition transcripts of
`
`Tenorio, Manthena, Nagarajan, and Manocha, as well as exhibits thereto, Finjan’s Infringement
`
`Contentions, and Juniper’s Discovery Responses.
`I.
`
`EXPERIENCE AND QUALIFICATIONS
`
`2.
`
`I hold a master's degree in computer science and a doctorate in information security and
`
`have worked in the cyber and technical information security industry for over 25 years. I am a member
`
`of the European InfoSec Hall of Fame, a professional membership awarded by nomination and election
`
`by a panel of industry experts. I am the founder of Secure Anchor Consulting where I provide cyber
`
`security consulting services and am involved in advance information systems security. I am a Fellow
`
`and instructor with The SANS Institute, a research and education organization consisting of
`
`information security professionals. I am an author of several security courses such as SEC401-Security
`
`Essentials and SEC501-Enterprise Defender. I worked for the government for 8 years as an employee
`
`and have held various contracting jobs with government agencies, which involved working with
`
`1 SRX Gateways includes all SRX Gateways that are capable of interacting with Sky ATP, and includes
`SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX340, SRX345, SRX550, SRX550m,
`SRX650, SRX1400, SRX1500, SRX3400, SRX3600, SRX4000, SRX4100, SRX4200, SRX5400,
`SRX5600, SRX5800, vSRX Virtual Firewall, vSRX (including 10Mbps, 100Mps, 1000Mbps,
`2000Mbps, 4000Mbps version), Next Generation Firewall, cSRX Container Firewall. SRX Gateways
`include all supporting server or cloud infrastructure, feeds, and other components SRX Gateways utilize.
`2 Sky ATP includes the cloud infrastructure for Sky ATP, and includes the following service
`subscriptions Free Sky ATP, Basic Sky ATP (SRX340-THRTFEED-1, 3, 5; SRX345-THRTFEED-1, 3,
`5; SRX550-THRTFEED-1, 3, 5; SRX1500-THRTFEED-1, 3, 5; SRX4100THRTFEED-1, 3, 5;
`SRX4200-THRTFEED-1, 3, 5; SRX5400-THRTFEED-1, 3, 5; SRX5600-THRTFEED-1, 3, 5;
`SRX5800-THRTFEED-1, 3, 5; VSRX10MTHRTFEED-1, 3, 5; VSRX100MTHRTFEED-1, 3, 5;
`VSRX1GTHRTFEED-1, 3, 5; VSRX2GTHRTFEED-1, 3, 5; and VSRX4GTHRTFEED-1, 3, 5) and
`Premium Sky ATP (SRX340-ATP-1, 3, 5; SRX345-ATP-1, 3, 5; SRX550-ATP-1, 3, 5; SRX1500-ATP-
`1, 3, 5; SRX4100-ATP-1, 3, 5; SRX4200-ATP-1, 3, 5; SRX5400-ATP-1, 3, 5; SRX5600-ATP-1, 3, 5;
`SRX5800-ATP-1, 3, 5; VSRX10M-ATP-1, 3, 5; VSRX100M-ATP-1, 3, 5; VSRX1G-ATP-1, 3, 5;
`VSRX2G-ATP-1, 3, 5; and VSRX4G-ATP-1, 3, 5). Sky ATP includes all supporting server or cloud
`infrastructure, feeds, and other components utilized by Sky ATP including Spotlight Secure Threat
`Intelligence Platform. Sky ATP also includes all products that receive updates from the service.
`1
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 3 of 28
`
`
`
`classified information. I held or hold various top-secret security clearances with Department of
`
`Defense, CIA, and Nuclear Regulatory Commission (NRC). I worked for a wide range of government
`
`organizations including the FBI, NSA, CIA, DOE, DOD, NRC, Treasury, and Secret Service. As
`
`former Chief Scientist and Senior Fellow for Lockheed Martin, I performed research and development
`
`in information systems security. At Lockheed Martin, I served as technical advisor in high-profile
`
`security projects for government clients including the Department of Defense, the FBI Sentinel case
`
`management systems, Department of Homeland Security Enterprise Acquisition Gateway for Leading
`
`Edge solutions, JetPropulsion Labs, Hanford Labs, and FBI Information Assurance Technology
`
`Infusion programs. As former CTO for McAfee I executed the technology strategy for technology
`
`platforms and external relationships to establish product vision and achieve McAfee’s goals. I am a
`
`contributing author of “Securing Cyberspace for the 44th President.” and served as a commissioner on
`
`cyber security for President Obama. My 8 books on cyber security include “Network Security Bible -
`
`2nd Edition,” “Advanced Persistent Threat,” and “Insider Threat,” which are recognized as industry-
`
`standard sources.
`A.
`3.
`
`Compensation
`
`My rate of compensation for my work in this case is $475 per hour plus any direct
`
`expenses incurred. My compensation is based solely on the amount of time that I devote to activity
`
`related to this case and is in no way affected by any opinions that I render. I receive no other
`
`compensation from work on this action. My compensation is not dependent on the outcome of this case.
`II.
`
`LEGAL STANDARDS
`
`4.
`
`Counsel for Finjan has informed me of the following legal standards that I have used as
`
`a framework in forming my opinions contained herein.
`
`5.
`
`I have been informed that claim construction is a legal issue for the Court to decide. I
`
`also understand that the Court has not issued a claim construction order in this case. As such, I have
`
`applied the plain and ordinary meaning of all terms, unless specifically identified below.
`
`6.
`
`I have been informed that infringement is determined on a claim by claim basis. I have
`
`been further informed that literal infringement is found if an accused product, system or method meets
`
`each and every element of a single claim. I have been informed that direct infringement is found if a
`2
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 4 of 28
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`party or its agents make, use, sell, or offer to sell a product or system that contains all elements of a
`
`claimed system or perform all of the steps of a claimed method.
`
`7.
`
`I have been informed that in the case of direct infringement of a system claim, a party
`
`can be found to use a patented system even if the party does not exercise physical or direct control over
`
`every element of the system. For elements that are not subject to the physical or direct control of the
`
`party, I have been informed that the party is still deemed to be using that component or part of the
`
`patented system when (1) it puts the component into service, i.e., causes it to work for its intended
`
`purpose and (2) receives the benefit of that purpose. For example, if a company queries a third-party's
`
`database, thereby causing the database to run a query and return a result to the company, the company
`
`is deemed to have used the database for infringement purposes by putting it into service (causing it to
`
`run the query) and receiving the benefit of that operation (the result of the query), even though the
`
`company does not own or control the database.
`
`8.
`
`I have been informed that infringement under the doctrine of equivalents is found if an
`
`accused product, system or process contains parts or steps that are identical or equivalent to each and
`
`every element of a single claim. A part or step is equivalent if a person of ordinary skill in the art
`
`would conclude that the differences between the product or method step and the claim element were not
`
`substantial at the time of infringement. I have been further informed that one common test to determine
`
`if the difference between a component or method step and a claim element is not substantial is asking if
`
`the component or step performs substantially the same function, in substantially the same way, to
`
`achieve substantially the same result.
`
`9.
`
`I have been informed that in the case of direct infringement of a multinational system
`
`claim where elements of such system are located in multiple countries, a party can be found to use the
`
`patented system in the United States if the place where control of the accused system is exercised and
`
`where beneficial use of the system is obtained are both within the United States. For example, if the
`
`accused system is controlled by a device in the United States that generates requests sent to the accused
`
`system and the benefit of the accused system is obtained by the company or person using the device in
`
`the United States, the company is deemed to have used the accused system for infringement purposes in
`
`the United States even though the accused system has some elements located outside the United States.
`3
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 5 of 28
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`A.
`10.
`
`Person of Ordinary Skill in the Art
`
`Based on review of the Asserted Patents and consideration of the abovementioned
`
`factors, it is my opinion that a person of ordinary skill in the art at the time of the invention of the
`
`Asserted Patents would be someone with a bachelor’s degree in computer science or related field, and
`
`either (1) two or more years of industry experience and/or (2) an advanced degree in computer science
`
`or related field. I understand that claim 10 of the ‘494 Patent claims a priority date of November 8,
`
`1996. But if the ‘494 Patent is found to have another priority date it would not materially affect my
`
`analysis.
`III.
`
`SUMMARY OF DECLARATION
`
`11.
`
`I have been asked by counsel for Finjan to consider if Juniper infringes claim 10 of the
`
`‘494 Patent. I assumed that claim 10 of the ‘494 Patent is valid and enforceable. I have not considered
`
`any issues related to damages associated with this infringement.
`
`12.
`
`The language of Claim 10 of the ‘494 Patent is set forth below.
`
`10. A system for managing Downloadables, comprising:
`
`(10a) a receiver for receiving an incoming Downloadable;
`
`(10b) a Downloadable scanner coupled with said receiver, for deriving security
`
`profile data for the Downloadable, including a list of suspicious computer
`
`operations that may be attempted by the Downloadable; and
`
`(10c) a database manager coupled with said Downloadable scanner, for storing
`
`the Downloadable security profile data in a database.
`
`13.
`
`I have been asked by counsel for Finjan to consider whether the SRX Gateways
`
`operating with Sky ATP and Sky ATP alone infringe claim 10 of the ‘494 Patent. I have confirmed
`
`that the functionality that I describe was available and in use before January 29, 2017. I confirmed this
`
`with the source code and release notes that the products currently operate in the same manner as what is
`set forth in those documents. See, for example, Ex. 24,3 JNPR-FNJN_29006_00162260 at 60-64. The
`following description of the products is undisputed based on Juniper’s products and testimony.
`
`
`3 All “Ex.” citations are to the Declaration of Kristopher Kastens (“Kastens Decl.”) filed herewith.
`4
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 6 of 28
`
`
`
`IV. OVERVIEW OF THE ‘494 PATENT
`The technology of the ‘494 Patent generally relates to protecting against a potentially
`14.
`
`malicious “Downloadable.” Ex. 1, ‘494 Patent at Col. 1, ll. 60-63. A Downloadable is often in the form
`
`of executables, JavaScript, PDFs, etc. Id. at Col. 2, ll. 59-64. In a typical scenario, a Downloadable is
`
`delivered to a computer from another computer on the Internet (sometimes called a server) where there
`
`is not a sufficient level of trust and is a common avenue for adversaries to deliver malicious code to a
`
`system. Id. at Col. 2, ll. 51- Col. 3, ll. 2. This code often comes from untrusted sites or persons on the
`
`Internet and could run without the user’s knowledge or permission. Id. at Col. 2, ll. 51- Col. 3, ll. 2.
`
`Claim 10 of the ‘494 Patent describes a system addressing this problem, and which downloads content,
`
`inspects content that is downloaded, determines if the downloaded content may perform malicious or
`
`suspicious operations, and stores this security profile in a database. Id. at Claim 10.
`
`15.
`
`The ‘494 Patent (through its incorporation of the ‘780 Patent as a parent application),
`
`includes a description of the operations that are “suspicious.” Ex. 2, ‘780 Patent, Col. 6, ll. 1-16.
`
`16.
`
`Suspicious operations described include operations for reading and writing files, sending
`
`or sending data over a network, and changing the registry.
`
`17.
`
`The system in Claim 10 of the ‘494 Patent sets forth a number of ways that the security
`
`profile can be used to protect against threats. In one example, the security profile may be used in real-
`
`time to make a decision of what action would be allowed to be taken. In other instances, the profile
`
`could be analyzed by other processes as part of a security system used to classify malicious content. In
`
`further instances, the profile could be used to provide information to a customer regarding the types of
`
`threats that are observed on the network.
`V.
`
`SRX Gateways
`
`OVERVIEW OF THE ACCUSED PRODUCTS
`A.
`18.
`
`Juniper SRX Gateways are next generation security gateways that provides essential
`
`capabilities to secure a workforce. The SRX Gateways all operate using the Junos operating system.
`
`The SRX Gateways operate as a gateway between the untrusted Internet and a trusted internal network.
`
`Ex. 7, FINJAN-JN 005382 at 85. The SRX Gateways receive content (such as Downloaded files) from
`
`the Internet, and depending on what type of content is received, can send the file to Sky ATP for
`5
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 7 of 28
`
`
`
`analysis, and generates a profile which is stored in a database, which includes information such as
`
`whether it is likely to perform suspicious or malicious operations.
`B.
`19.
`
`Sky ATP
`
`Juniper Sky ATP is a cloud-based scanning system used by Juniper that
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`20.
`
`In particular, Sky ATP provides advanced anti-malware and anti-ransom protection
`
`against sophisticated “zero-day” and unknown threats. Ex. 9, FINJAN-JN 005438. Sky ATP generates
`
`“actionable intelligence” that can be used in a security network. Ex. 16, FINJAN-JN 044832 at 51.
`
`Sky ATP includes a malware inspection pipeline with cached results, antivirus, static analysis, and
`
`dynamic analysis. Ex. 9, FINJAN-JN 005438. The Sky ATP malware inspection pipeline for
`
`analyzing and detecting malware and describes how it performs static and dynamic analysis on files to
`
`determine whether they perform suspicious operations.
`
`
`
`
`
`
`
`21.
`
`Sky ATP performs static analysis to determine if unusual operations are used and
`
`dynamic analysis to identify behaviors of the file. Ex. 11, FINJAN-JN 044744 at 62. Sky ATP has a
`
`static analysis component that is run on the content it receives using scanners. Ex. 11, FINJAN-JN
`
`044744 at 63. The static analysis in Sky ATP detects different “features” found in the file, which
`
`includes the detection of suspicious operations. Ex. 16, FINJAN-JN 044832 at 46. After the static
`
`analysis component has finished scanning, it returns the features detected as a result and also behaviors
`
`observed. Ex. 11, FINJAN-JN 044744 at 62-63. The features returned from static analysis are stored
`6
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 8 of 28
`
`
`
`in a database of the results, which is internally referred to as the
`
`
`
`
`
`
`
`22.
`
`Sky ATP also performs dynamic analysis through its sandbox with deception
`
`environment, which “detonates” content by running it in a controlled environment. Ex. 9, FINJAN-JN
`
`005438 at 39. The sandbox is a secure environment that allows the file to run as if it is in a real
`
`computer systems. Ex. 11, FINJAN-JN 044744 at 63. As part of the “detonation” of the file, the
`
`sandbox environment records the operations performed by content, and then identifies suspicious
`
`behaviors that were performed. Ex. 9, FINJAN-JN 005438 at 39. Sky ATP creates a profile that
`
`includes a list of suspicious computer operations that are detected and related to suspicious activity, like
`
`allocating memory, performing a long sleep operation, and starting a process with exploit code.
`
`Kastens Decl., ¶ 31, https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be
`
`(“Lanworks & Juniper Sky ATP Lunch and Learn”) (FINJAN-JN 317958). Juniper internally refers to
`
`the dynamic analysis performed in the malware inspection pipeline as
`
`
`
` Ex. 8, Tenorio Tr. at 51:15-21; 71:9-72:18.
`
`
`
`
`
`
`
`
`
`
`
`VI. ANALYSIS OF CLAIM 10 OF THE ‘494 PATENT
`Overview of Juniper’s Infringement
`A.
`23.
`
`Juniper sells, builds, and operates SRX Gateways and the Sky ATP in the United States.
`
`Juniper infringes Claim 10 of the ‘494 Patent because the combination of the SRX Gateways and Sky
`
`ATP meet every element of the claim and Sky ATP on its own meets every element of the claim. The
`
`SRX Gateways are receivers that receive incoming executable files that an internal computer is
`
`attempting to download (the Downloadable), and based on the file type detected for the file, can submit
`
`the file to Sky ATP for analysis. The software in Sky ATP is also a receiver because it receives files
`7
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 9 of 28
`
`
`
`submitted from SRX Gateways to Sky ATP using the SRX API. Sky ATP includes a Downloadable
`
`scanner in the form of a malware inspection pipeline with static and dynamic analysis components.
`
`Sky ATP uses the malware inspection pipeline to scan a Downloadable and generate a profile for it.
`
`This security profile generated by the malware inspection pipeline includes results from the static and
`
`dynamic analysis that includes a list of suspicious computer operations like creating files, dynamically
`
`determining API calls, and contacting remote servers. Sky ATP stores the results of this scanning in a
`
`database, which includes software for managing this database to store and retrieve information.
`B.
`24.
`
`The preamble of claim 10 of the ‘494 Patent is “[a] system for managing
`
`Preamble of Claim 10 of the ‘494 Patent
`
`Downloadables, comprising:”. While I understand that a preamble is only limiting on a claim in certain
`
`specific circumstances, I found that the preamble of Claim 10 is met. I incorporate by reference my
`
`summary of the products for this section.
`
`25.
`
`The SRX Gateways, when used in combination with Sky ATP, acts as a system for
`
`managing Downloadables because this system acts as a distributed system for analyzing downloaded
`
`executable files, and then allowing the management of downloaded files based on the generated
`
`information. In particular, the SRX Gateways will send executable files to Sky ATP for static and
`
`dynamic analysis in its malware analysis pipeline, which manages the file during analysis, as well as
`
`the results that are generated during analysis. Sky ATP on its own is a system for managing
`
`Downloadables because it receives Downloadables that are submitted to it from SRX Gateways, as well
`
`as through a web interface. Sky ATP performs static and dynamic analysis in its analysis pipeline,
`
`which manages the file during analysis, as well as the results that are generated during analysis. Sky
`
`ATP accepts a large range of executable files for analysis, which includes files like Java, PDF and
`
`HTML with JavaScript (JS), and executables. Ex. 11, FINJAN-JN 044744 at 86.
`C.
`26.
`
`Element 10(a) of the ‘494 Patent
`
`The Accused Products include “a receiver for receiving an incoming Downloadable”. I
`
`understand that Juniper has admitted that both the SRX Gateways and Sky ATP include “a receiver for
`
`receiving an incoming Downloadable.” Further, for the term Downloadable, I have used the
`
`construction of “an executable application program, which is downloaded from a source computer and
`8
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 10 of 28
`
`
`
`run on the destination computer.” I understand that Juniper admitted this was the correct construction
`
`and it has also been adopted in other Courts. Further, I have reviewed Juniper’s response to Finjan’s
`
`Interrogatory No. 10, and Juniper did not identify a different understanding that would lead to a non-
`
`infringement position related to this term.
`
`27.
`
`SRX Gateways are a “receiver” under Claim 10 of the ‘494 Patent because SRX
`
`Appliances receive files incoming from the Internet and to be downloaded to a destination, such as a
`
`computer. Ex. 6, JNPR-FNJN_29002_00173278 at 83
`
`
`
`
`
`
`
` This content includes content like an “executable
`
`application program,” which as explicitly set forth in the ‘494 Patent includes portable executables and
`
`files containing JavaScript. Ex. 7, FINJAN-JN 005382 at 84. Computers on the internal network
`
`request these Downloadables from a server so that it can run them. As such, the SRX Appliances are
`
`“receivers” under Claim 10 of the ‘449 Patent. The SRX Gateways operate as a gateway with
`
`components resident within the SRX Gateways that receive files downloaded (a “Downloadable”) from
`
`servers on the Internet. The SRX Gateway intercepts the transmission of these Downloadables between
`
`a source computer (typically a server on the Internet) and a destination computer (like an employee’s
`
`computer on a company’s internal network). Ex. 7, FINJAN-JN 005382 at 85.
`
`28.
`
`The Sky ATP service in SRX Gateway
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`9
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 11 of 28
`
`
`
`29.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Doctrine of Equivalents (“DOE”)
`
`1.
`In the unlikely event Juniper argues that it does not literally meet the elements of this
`
`30.
`
`claim, then it certainly meets the elements under DOE, because the SRX Gateways with Sky ATP, and
`
`Sky ATP alone, both perform the same function the same way to achieve the same result. To the extent
`
`Juniper raises new non-infringement positions in response to my analysis, I reserve the right to respond,
`
`as the SRX Gateway with Sky ATP and Sky ATP alone both include components that perform the same
`
`function of receiving an incoming Downloadable, do this the same way, and achieve the same results.
`D.
`31.
`
`The Accused Products include “a Downloadable scanner coupled with said receiver, for
`
`Element 10(b) of the ‘494 Patent
`
`deriving security profile data for the Downloadable, including a list of suspicious computer operations
`
`that may be attempted by the Downloadable.” I have reviewed Juniper’s response to Finjan’s
`
`Interrogatory No. 10, and Juniper did not identify any constructions of terms that would lead to a non-
`
`infringement position. SRX Gateways in combination with Sky ATP includes a Downloadable scanner
`
`in the malware analysis pipeline in Sky ATP, such as the static analysis scanner and the dynamic
`10
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 12 of 28
`
`
`
`analysis (sandboxing) scanner. Similarly, Sky ATP individually includes the Downloadable scanner in
`
`the malware analysis pipeline, which includes the static analysis scanner and the dynamic analysis
`
`scanner. These scanners are “coupled” to the receivers discussed above because the aforementioned
`
`receivers pass the Downloadable to the scanners for analysis. These scanners all derive a security
`
`profile data because they analyze the file and provide assessments on the security of the file, which
`
`includes specific suspicious, malicious, or potentially malicious operations the Downloadable may
`
`perform, including creating files and contacting remote servers, among many others described below.
`
`32.
`
`The “malware analysis pipeline” in Sky ATP acts as a “Downloadable scanner” coupled
`
`to the SRX Gateway that submits a Downloadable through its proxy software that implements the SRX
`
`API.
`
`33.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` The pipeline manager in Sky ATP coordinates the malware analysis pipeline that uses
`
`both static and dynamic analysis components, and operates as “Downloadable scanners.” Ex. 11,
`
`FINJAN-JN 044744 at 62-64. The malware analysis pipeline processes the Downloadable and
`
`generates a security profile for the Downloadable that includes a list of different suspicious operations
`
`that can be performed by the file, as described in further detail below.
`
`34.
`
`The security profile data associated with identified suspicious computer operations is
`
`provided via reports that provide “rich detail on malware behaviors.” Ex. 11, FINJAN-JN 044744 at
`
`65. This “rich detail” is provided by accessing the information from Sky ATP’s database of analysis
`11
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 13 of 28
`
`
`
`results. Id. Suspicious operations listed include those for “extensive use of GetProcAddress”,
`
`“contains functionality to register its own exception handler,” “contains functionality to query system
`
`information”, and Networking operations. Id. at 75 (dated 08/02/2016).
`
`35.
`
`The malware analysis pipeline in Sky ATP performs static analysis scanning on the
`
`Downloadable to break the Downloadable down to generate different “features” and static analysis
`
`results, which include a list of suspicious operations that the Downloadable may attempt, including the
`
`types of operations used within the content. These features include those that are deemed suspicious as
`
`part of static analysis and profile the Downloadable to determine if the Downloadable has suspicious,
`
`malicious, or potentially malicious attributes that correspond to suspicious behaviors or “operations”.
`
`Ex. 16, FINJAN-JN 044832 at 46 (dated April 2016). These features correlate to operations deemed
`
`suspicious because they are explicitly look for those that are suspicious signs. Ex. 11, FINJAN-JN
`
`044744 at 62 (dated 08/02/2016). Juniper further explains that this static analysis includes identifying
`
`behavioral signatures showing suspicious operations, such as whether it performs suspicious operations
`
`like modifying the windows registry or performing read or write (disk I/O) operations. Ex. 11,
`
`FINJAN-JN 044744 at 63 (dated 08/02/2016).
`
`36.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`12
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 14 of 28
`
`
`
`37.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`38.
`
`Sky ATP performs dynamic analysis on the content with the assistance of a “sandbox,”
`
`which is a Downloadable scanner because it will scan the file by running the file and studying it as it is
`
`executed. Sky ATP generates a list of the different malicious and suspicious behaviors that are detected
`
`and deemed suspicious while the Downloadable is running the sandbox. Kastens Decl., ¶ 31,
`
`https://www.youtube.com/watch?v=K8Y0MkbJwcs&feature=youtu.be (“Lanworks & Juniper Sky ATP
`
`Lunch and Learn”) (FINJAN-JN 317958); Ex. 16, FINJAN-JN 044832 at 48 (dated April 2016).
`
`Sky ATP stores the results of the dynamic analysis to derive a list of suspicious operations performed
`
`by the content. Ex. 8, Tenorio Tr. at 72:5-18, 236:8-237:23. Sky ATP stores suspicious information
`
`that lists operations like “Check hosts file and opens for reading” and “Contains evasive sleep loops to
`13
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 15 of 28
`
`
`
`bypass analysis.” These behaviors are each given a specific “Impact” score that indicates the
`
`suspiciousness of the behavior. The impact score is used to determine how suspicious a Downloadable
`
`is. Ex. 26, FINJAN-JN 046082; Ex. 11, FINJAN-JN 044744 at 75 (dated 08/02/2016).
`
`39.
`
`Additional operations that are recorded through dynamic analysis, including creating
`
`files, modifying the host file, creating evasive sleep loops, checking for debuggers, or modifying
`
`operating system aspects like proxy settings. Ex. 18, FINJAN-JN 317942.
`
`40.
`
`41.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`42.
`
`“Behavior Signatures” are matched during an example analysis in the sandbox used by
`
`Sky ATP and show operations deemed suspicious. These “Behavior Signatures” list operations that
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`14
`COLE DECL. IN SUPPORT FINJAN’S MTN. FOR SUM. JUDG. CASE NO. 3:17-cv-05659-WHA
`
`

`

`Case 3:17-cv-05659-WHA Document 98-1 Filed 06/07/18 Page 16