Case 3:17-cv-05659-WHA Document 98-15 Filed 06/07/18 Page 1 of 3
EXHIBIT 12
TechLibrary > Sky Advanced Threat Prevention > Sky Advanced Threat Prevention Administration Guide

How is Malware Analyzed and Detected?

Sky ATP uses a pipeline approach to analyzing and detecting malware. If an analysis reveals that the file is absolutely malware, it is not necessary to continue the pipeline to further examine the malware. See Figure 1.

Figure 1: Example Sky ATP Pipeline Approach for Analyzing Malware

[Figure: pdf and exe files pass through the four pipeline stages below]

Cache Lookup: Have we seen this file before, and do we already know if it's bad?
Antivirus Scanning: What do a few popular antivirus scanners say about the file?
Static Analysis: Does the file contain suspicious signs, like unusual instructions or structure?
Dynamic Analysis: What happens when we execute the file in a real environment?

Each analysis technique produces a verdict number, and these are combined to create a final verdict number between 1 and 10. A verdict number is a score or threat level. The higher the number, the higher the malware threat. The SRX Series device compares this verdict number to the policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets are dropped from the server.

Cache Lookup

When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database. When a file is uploaded to the Sky ATP cloud, the first step is to check whether this file has been looked at before. If it has, the stored verdict is returned to the SRX Series device and there is no need to re-analyze the file. In addition to files scanned by Sky ATP, information about common malware files is also stored to provide a faster response.

Cache lookup is performed in real time. All other techniques are done offline. This means that if the cache lookup does not return a verdict, the file is sent to the client system while the Sky ATP cloud continues to examine the file using the remaining pipeline techniques. If a later analysis returns a malware verdict, then the file and host are flagged.

Antivirus Scan

The advantage of antivirus software is its protection against a large number of potential threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of antivirus software is that it is always behind the malware. The virus comes first and the patch to the virus comes second. Antivirus is better at defending against familiar threats and known malware than zero-day threats.

Sky ATP utilizes multiple antivirus software packages, not just one, to analyze a file. The results are then fed into the machine learning algorithm to overcome false positives and false negatives.

Static Analysis

Static analysis examines files without actually running them. Basic static analysis is straightforward and fast, typically around 30 seconds. The following are examples of areas static analysis inspects:

• Metadata information—… file was compiled on.

• … APIs?

• Categories of instructions

• File entropy—How random is the file? A common technique for malware is to encrypt portions of the code and then decrypt it during runtime. A lot of encryption is a strong indication that this file is malware.

FINJAN-JN 005387

The output of the static analysis is fed into the machine learning algorithm to improve the verdict accuracy.

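An added worked example of the file-entropy check described above (illustrative code, not from the Sky ATP guide; the 512-byte chunk size and the 7.0 bits/byte threshold are assumed heuristics, and the sample file is constructed):

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, chunk_size: int = 512, threshold: float = 7.0) -> list:
    """Return (offset, entropy) for every chunk at or above the threshold.

    Assumed heuristic: encrypted or packed sections approach 8 bits/byte, while
    plain machine code, strings and headers usually sit well below 7.
    """
    regions = []
    for off in range(0, len(data), chunk_size):
        h = shannon_entropy(data[off:off + chunk_size])
        if h >= threshold:
            regions.append((off, round(h, 2)))
    return regions


def encrypted_fraction(data: bytes, chunk_size: int = 512, threshold: float = 7.0) -> float:
    """Share of the file made up of high-entropy chunks: the 'a lot of encryption' signal."""
    if not data:
        return 0.0
    chunks = -(-len(data) // chunk_size)  # ceiling division
    return len(high_entropy_regions(data, chunk_size, threshold)) / chunks


def build_sample() -> bytes:
    """Constructed sample: 1 KiB of repetitive header/code-like bytes followed by
    1 KiB of seeded pseudo-random bytes standing in for an encrypted section."""
    low = (b"MZ\x90\x00" + b"\x00" * 12 + b"push ebp; mov ebp, esp; ") * 32
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    high = bytes(rng.getrandbits(8) for _ in range(1024))
    return low[:1024] + high


if __name__ == "__main__":
    sample = build_sample()
    for off, h in high_entropy_regions(sample):
        print(f"high-entropy chunk at offset {off}: {h} bits/byte")
    print(f"fraction of file that looks encrypted: {encrypted_fraction(sample):.2f}")
```

Only the second half of the constructed sample is reported, which is the pattern a packed or runtime-decrypted payload leaves in an otherwise ordinary executable.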
Dynamic Analysis

The majority of the time spent inspecting a file is in dynamic analysis. With dynamic analysis, often called sandboxing, a file is studied as it is executed in a secure environment. During this analysis, an operating system environment is set up, typically in a virtual machine, and tools are started to monitor all activity. The file is uploaded to this environment and is allowed to run for several minutes. Once the allotted time has passed, the record of activity is downloaded and passed to the machine learning algorithm to generate a verdict.

Sophisticated malware can detect a sandbox environment due to its lack of human interaction, such as mouse movement. Sky ATP uses a number of deception techniques to trick the malware into determining that this is a real user environment. For example, Sky ATP can:

• Generate a realistic pattern of user interaction, such as mouse movement, simulated keystrokes, and installing and launching common software packages.

• Create fake high-value targets in the client, such as stored credentials, user files, and a realistic network with Internet access.

• Create vulnerable areas in the operating system.

Deception techniques by themselves greatly boost the detection rate while reducing false positives. They also boost the detection rate of the sandbox the file is running in because they get the malware to perform more activity. The more the file runs, the more data is obtained to detect whether it is malware.

Machine Learning Algorithm

Sky ATP uses its own proprietary implementation of machine learning to assist in analysis. Machine learning recognizes patterns and correlates information for improved file analysis. The machine learning algorithm is programmed with features from thousands of malware samples and thousands of goodware samples. It learns what malware looks like, and is regularly re-programmed to get smarter as threats evolve.

Threat Levels

Sky ATP assigns a number between 0-10 to indicate the threat level of files scanned for malware and the threat level for infected hosts. See Table 1.

Table 1: Threat Level Definitions

Threat Level    Definition
0               Clean; no action is required.
1-3             Low threat level.
4-6             Medium threat level.
7-10            High threat level.

For more information on threat levels, see the Sky ATP Web UI online help.

Modified: 2017-06-07

FINJAN-JN 005388