Case 3:17-cv-05659-WHA Document 98-5 Filed 06/07/18 Page 1 of 19

EXHIBIT 2

US006804780B1

(12) United States Patent
Touboul

(10) Patent No.: US 6,804,780 B1
(45) Date of Patent: *Oct. 12, 2004

(54) SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

(75) Inventor: Shlomo Touboul, Kefar-haim (IL)

(73) Assignee: Finjan Software, Ltd., Netanya (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

This patent is subject to a terminal disclaimer.

(21) Appl. No.: 09/539,667

(22) Filed: Mar. 30, 2000

Related U.S. Application Data

(63) Continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

(60) Provisional application No. 60/030,639, filed on Nov. 8, 1996.

(51) Int. Cl.7: H04L 9/00; G06F 11/30

(52) U.S. Cl.: 713/181; 713/201; 713/176; 717/178

(58) Field of Search

Primary Examiner: Ayaz Sheikh
Assistant Examiner: Christopher Revak
(74) Attorney, Agent, or Firm: Squire, Sanders & Dempsey, LLP.

(57) ABSTRACT

A computer-based method for generating a Downloadable ID to identify a Downloadable, including obtaining a Downloadable that includes one or more references to software components required by the Downloadable, fetching at least one software component identified by the one or more references, and performing a function on the Downloadable and the fetched software components to generate a Downloadable ID. A system and a computer-readable storage medium are also described and claimed.

18 Claims, 10 Drawing Sheets

[Representative drawing, flowchart 800: Start; Receive a Downloadable (810); Fetch Downloadable Components (820); Include Fetched Components in the Downloadable (830); Perform a Hashing Function on the Downloadable to Generate a Downloadable ID (840); Store the Downloadable ID.]

[Sheet 1 of 10, FIG. 1: network system 100. Labels: External Computer Network (105); Internal Network Security System; Internal Computer Network; Security Management Console (120).]

[Sheet 2 of 10, FIG. 2: block diagram of the internal network security system. The sheet is printed rotated and its labels are not legible in this copy.]

[Sheet 3 of 10, FIG. 3: block diagram of the security program and the security database. The sheet is printed rotated and its labels are not legible in this copy.]

[Sheet 4 of 10, FIG. 4: Security Policies (305). Labels: Policy Selectors (405); Access Control Lists (410); Trusted Certificate Lists (415); URL Rule Bases (420); Lists of Downloadables to Allow or Block per Administrative Override (425).]

[Sheet 5 of 10, FIG. 5: security management console 120. Labels: To/From Internal Computer Network; Security Policy Editor; Event Log Analysis Engine; User Notification Engine.]

[Sheet 6 of 10, FIG. 6A: flowchart 600. Boxes: Receive Downloadable; Generate Downloadable ID; Find Security Policy; Downloadable allowed?; Downloadable blocked?; URL comparison required?; Compare URL; ACL comparison required?; Previously decomposed?; Decompose Downloadable into DSP data; Compare DSP with ACL; TCL comparison required?; Scan Certificate; Compare Certificate with TCL; Send results to Logical Engine.]

[Sheet 7 of 10, FIG. 6B: flowchart 606. Boxes: Security policy defined for User-ID and Downloadable?; Fetch the policy for User ID and Downloadable; Fetch the generic security policy for User ID; End.]

[Sheet 8 of 10, FIG. 6C: flowchart 655. Boxes: Receive Results from First Comparator, ACL Comparator, Certificate Comparator and URL Comparator; Compare Results with Security Policies; Confirm Pass?; Pass Downloadable; Stop Downloadable; Send Substitute Downloadable to Inform The User; Record Findings.]

[Sheet 9 of 10, FIG. 7: flowchart 628. Boxes: Disassemble the Machine Code; Resolve a Respective Command in The Code; Is The Resolved Command Suspect?; Decode and Register The Command and The Command Parameters as DSP Data.]

[Sheet 10 of 10, FIG. 8: flowchart 800. Boxes: Receive a Downloadable (810); Fetch Downloadable Components (820); Include Fetched Components in The Downloadable (830); Perform a Hashing Function on the Downloadable to Generate a Downloadable ID (840); Store the Downloadable ID (850).]

SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

PRIORITY REFERENCE TO RELATED APPLICATION

This application is a continuation of and hereby incorporates by reference U.S. patent application Ser. No. 08/964,388, entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables,” filed Nov. 6, 1997, which is now U.S. Pat. No. 6,092,194, which claims priority to provisional application Serial No. 60/030,639, entitled “System and Method for Protecting a Computer from Hostile Downloadables,” filed on Nov. 8, 1996, by inventor Shlomo Touboul.

INCORPORATION BY REFERENCE TO RELATED APPLICATIONS

This application hereby incorporates by reference related U.S. patent application Ser. No. 08/790,097, entitled “System and Method for Protecting a Client from Hostile Downloadables,” filed on Jan. 29, 1997, which is now U.S. Pat. No. 6,167,520, by inventor Shlomo Touboul; and hereby incorporates by reference provisional application Ser. No. 60/030,639, entitled “System and Method for Protecting a Computer from Hostile Downloadables,” filed on Nov. 8, 1996, by inventor Shlomo Touboul.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and method for protecting a computer and a network from hostile Downloadables.

2. Description of the Background Art

The Internet is currently a collection of over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as “viruses.”

Accordingly, programmers continue to design computer and computer network security systems for blocking these viruses from attacking both individual and network computers. On the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to or configured as Downloadable application programs, commonly referred to as “Downloadables.” A Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer. Downloadable is typically requested by an ongoing process such as by an Internet browser or web engine. Examples of Downloadables include Java™ applets designed for use in the Java™ distributing environment developed by Sun Microsystems, Inc., JavaScript scripts also developed by Sun Microsystems, Inc., ActiveX™ controls designed for use in the ActiveX™ distributing environment developed by the Microsoft Corporation, and Visual Basic also developed by the Microsoft Corporation. Therefore, a system and method are needed to protect a network from hostile Downloadables.

SUMMARY OF THE INVENTION

The present invention provides a system for protecting a network from suspicious Downloadables. The system comprises a security policy, an interface for receiving a Downloadable, and a comparator, coupled to the interface, for applying the security policy to the Downloadable to determine if the security policy has been violated. The Downloadable may include a Java™ applet, an ActiveX™ control, a JavaScript™ script, or a Visual Basic script. The security policy may include a default security policy to be applied regardless of the client to whom the Downloadable is addressed, a specific security policy to be applied based on the client or the group to which the client belongs, or a specific policy to be applied based on the client/group and on the particular Downloadable received. The system uses an ID generator to compute a Downloadable ID identifying the Downloadable, preferably, by fetching all components of the Downloadable and performing a hashing function on the Downloadable including the fetched components.

Further, the security policy may indicate several tests to perform, including (1) a comparison with known hostile and non-hostile Downloadables; (2) a comparison with Downloadables to be blocked or allowed per administrative override; (3) a comparison of the Downloadable security profile data against access control lists; (4) a comparison of a certificate embodied in the Downloadable against trusted certificates; and (5) a comparison of the URL from which the Downloadable originated against trusted and untrusted URLs. Based on these tests, a logical engine can determine whether to allow or block the Downloadable.

The present invention further provides a method for protecting a computer from suspicious Downloadables. The method comprises the steps of receiving a Downloadable, comparing the Downloadable against a security policy to determine if the security policy has been violated, and discarding the Downloadable if the security policy has been violated.

It will be appreciated that the system and method of the present invention may provide computer protection from known hostile Downloadables. The system and method of the present invention may identify Downloadables that perform operations deemed suspicious. The system and method of the present invention may examine the Downloadable code to determine whether the code contains any suspicious operations, and thus may allow or block the Downloadable accordingly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network system, in accordance with the present invention;

FIG. 2 is a block diagram illustrating details of the internal network security system of FIG. 1;

FIG. 3 is a block diagram illustrating details of the security program and the security database of FIG. 2;

FIG. 4 is a block diagram illustrating details of the security policies of FIG. 3;

FIG. 5 is a block diagram illustrating details of the security management console of FIG. 1;

FIG. 6A is a flowchart illustrating a method of examining for suspicious Downloadables, in accordance with the present invention;

FIG. 6B is a flowchart illustrating details of the step for finding the appropriate security policy of FIG. 6A;

FIG. 6C is a flowchart illustrating a method for determining whether an incoming Downloadable is to be deemed suspicious;

FIG. 7 is a flowchart illustrating details of the FIG. 6 step of decomposing a Downloadable; and

FIG. 8 is a flowchart illustrating a method 800 for generating a Downloadable ID for identifying a Downloadable.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a network system 100, in accordance with the present invention. The network system 100 includes an external computer network 105, such as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a communications channel 125 to an internal network security system 110. The network system 100 further includes an internal computer network 115, such as a corporate Local Area Network (LAN), coupled via a communications channel 130 to the internal network computer system 110 and coupled via a communications channel 135 to a security management console 120.

The internal network security system 110 examines Downloadables received from external computer network 105, and prevents Downloadables deemed suspicious from reaching the internal computer network 115. It will be further appreciated that a Downloadable is deemed suspicious if it performs or may perform any undesirable operation, or if it threatens or may threaten the integrity of an internal computer network 115 component. It is to be understood that the term “suspicious” includes hostile, potentially hostile, undesirable, potentially undesirable, etc. Security management console 120 enables viewing, modification and configuration of the internal network security system 110.

FIG. 2 is a block diagram illustrating details of the internal network security system 110, which includes a Central Processing Unit (CPU) 205, such as an Intel Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to a signal bus 220. The internal network security system 110 further includes an external communications interface 210 coupled between the communications channel 125 and the signal bus 220 for receiving Downloadables from external computer network 105, and an internal communications interface 225 coupled between the signal bus 220 and the communications channel 130 for forwarding Downloadables not deemed suspicious to the internal computer network 115. The external communications interface 210 and the internal communications interface 225 may be functional components of an integral communications interface (not shown) for both receiving Downloadables from the external computer network 105 and forwarding Downloadables to the internal computer network 115.

Internal network security system 110 further includes Input/Output (I/O) interfaces 215 (such as a keyboard, mouse and Cathode Ray Tube (CRT) display), a data storage device 230 such as a magnetic disk, and a Random-Access Memory (RAM) 235, each coupled to the signal bus 220. The data storage device 230 stores a security database 240, which includes security information for determining whether a received Downloadable is to be deemed suspicious. The data storage device 230 further stores a users list 260 identifying the users within the internal computer network 115 who may receive Downloadables, and an event log 245 which includes determination results for each Downloadable examined and runtime indications of the internal network security system 110. An operating system 250 controls processing by CPU 205, and is typically stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution. A security program 255 controls examination of incoming Downloadables, and also may be stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution by CPU 205.

FIG. 3 is a block diagram illustrating details of the security program 255 and the security database 240. The security program 255 includes an ID generator 315, a policy finder 317 coupled to the ID generator 315, and a first comparator 320 coupled to the policy finder 317. The first comparator 320 is coupled to a logical engine 333 via four separate paths, namely, via Path 1, via Path 2, via Path 3 and via Path 4. Path 1 includes a direct connection from the first comparator 320 to the logical engine 333. Path 2 includes a code scanner coupled to the first comparator 320, and an Access Control List (ACL) comparator 330 coupling the code scanner 325 to the logical engine 333. Path 3 includes a certificate scanner 340 coupled to the first comparator 320, and a certificate comparator 345 coupling the certificate scanner 340 to the logical engine 333. Path 4 includes a Uniform Resource Locator (URL) comparator 350 coupling the first comparator 320 to the logical engine 333. A record-keeping engine 335 is coupled between the logical engine 333 and the event log 245.

The security program 255 operates in conjunction with the security database 240, which includes security policies 305, known Downloadables 307, known Certificates 309 and Downloadable Security Profile (DSP) data 310 corresponding to the known Downloadables 307. Security policies 305 includes policies specific to particular users 260 and default (or generic) policies for determining whether to allow or block an incoming Downloadable. These security policies 305 may identify specific Downloadables to block, specific Downloadables to allow, or necessary criteria for allowing an unknown Downloadable. Referring to FIG. 4, security policies 305 include policy selectors 405, access control lists 410, trusted certificate lists 415, URL rule bases 420, and lists 425 of Downloadables to allow or to block per administrative override.

Known Downloadables 307 include lists of Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, of Downloadables which OEMs know to be non-hostile, and of Downloadables previously received by this security program 255. DSP data 310 includes the list of all potentially hostile or suspicious computer operations that may be attempted by each known Downloadable 307, and may also include the respective arguments of these operations. An identified argument of an operation is referred to as “resolved.” An unidentified argument is referred to as “unresolved.” DSP data 310 is described below with reference to the code scanner 325.

The ID generator 315 receives a Downloadable (including the URL from which it came and the userID of the intended recipient) from the external computer network 105 via the external communications interface 210, and generates a Downloadable ID for identifying each Downloadable. The Downloadable ID preferably includes a digital hash of the complete Downloadable code. The ID generator 315 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation. For example, the ID generator 315 may prefetch all classes embodied in or identified by the Java™ applet bytecode to generate the Downloadable ID. Similarly, the ID generator 315 may retrieve all components listed in the INF file for an ActiveX™ control to compute a Downloadable ID. Accordingly, the Downloadable ID for the Downloadable will be the same each time the ID generator 315 receives the same Downloadable. The ID generator 315 adds the generated Downloadable ID to the list of known Downloadables
`Case 3:17-cv-05659-WHA Document 98-5 Filed 06/07/18 Page 16 of 19
`Case 3:17-cv-05659-WHA Document 98-5 Filed 06/07/18 Page 16 of 19
`
`US 6,804,780 B1
`
`6
`An Example List of Operations Deemed Potentially
`Hostile
`
`5
`307 (if it is not already listed). The ID generator 315 then
`forwards the Downloadable and Downloadable ID to the
`policy finder 317.
`File operations: READafile, WRITEafile;
`The policyfinder 317 uses the userID of the intended user
`and the Downloadable ID to select the specific security
`Network operations: LISTEN on a socket, CONNECTto
`a sockct, SEND data, RECEIVE data, VIEW INTRA-
`policy 305 that shall be applied on the received Download-
`NET;
`able. If there is a specific policy 305 that was defined for the
`user (or for one of its super groups) and the Downloadable,
`Registry operations: READaregistry item, WRITE a
`then the policy is selected. Otherwise the generic policy 305
`registry item;
`that was definedfor the user(or for one of its super groups)
`Operating system operations: EXIT WINDOWS, EXIT
`is selected. The policy finder 317 then sends the policyto the
`BROWSER, START PROCESS/THREAD, KILL
`first comparator 320.
`PROCESS/THREAD, CHANGE PROCESS/
`The first comparator 320 receives the Downloadable, the
`THREAD PRIORITY, DYNAMICALLY LOAD A
`Downloadable ID and the security policy 305 from the
`CLASS/LIBRARY, etc.; and
`policy finder 317. The first comparator 320 examines the
`security policy 305 to determine which steps are needed for
`Resource usage thresholds: memory, CPU,graphics,etc.
`allowing the Downloadable. For example,
`the security
`In the preferred embodiment, the code scanner 325 performs
`policy 305 may indicate that,
`in order to allow this
`a full-content inspection. However, for improved speed but
`Downloadable, it must pass all four paths, Path 1, Path 2,
`reduced security, the code scanner 325 may examine only a
`Path 3 and Path 4. Alternatively, the security policy 305 may
`portion of the Downloadable such as the Downloadable
`header. The code scanner 325 then stores the DSP data into
`indicate that to allow the Downloadable, the it must pass
`only one of the paths. The first comparator 320 responds by
`DSPdata 310 (corresponding to its Downloadable ID), and
`forwarding the proper information to the paths identified by
`sends the Downloadable, the DSP data to the ACL com-
`the security policy 305.
`parator 330 for comparison with the security policy 305.
`The ACL comparator 330 receives the Downloadable, the
`corresponding DSPdata and the security policy 305 from the
`code scanner 325, and compares the DSP data against the
`security policy 305. That
`is,
`the ACL comparator 330
`compares the DSP data of the received Downloadable
`against the access control lists 410 in the received security
`policy 305. The access control list 410 contains criteria
`indicating whether to pass or fail the Downloadable. [or
`example, an access control list may indicate that the Down-
`loadable fails if the DSP data includes a WRITE command
`
`10
`
`20
`
`25
`
`30
`
`35
`
`to a system file. The ACL comparator 330 sendsits results
`to the logical engine 333.
`
`Path 1
`
`In path 1, the first comparator 320 checks the policy
`selector 405 of the security policy 305 that was received
`from the policy finder 317. If the policy selector 405 is either
`“Allowed” or “Blocked,” then the first comparator 320
`forwards this result directly to the logical engine 333.
`Otherwise, the first comparator 320 invokes the comparisons
`in path 2 and/or path 3 and/or path 4 based on the contents
`of policy selector 405. It will be appreciated that the first
`comparator 320 itself compares the Downloadable ID
`against the lists of Downloadables to allow or block per
`administrative override 425. That is, the system security
`administrator can define specific Downloadables as
`“Allowed” or “Blocked.”
`
`Alternatively, the logical engine 333 may receive the
`results of each of the paths and based on the policy selector
`405 may institute the final determination whether to allow or
`block the Downloadable. The first comparator 320 informs
`the logical engine 333 of the results of its comparison.
`
`Path 2
`
`In path 2, the first comparator 320 delivers the
`Downloadable, the Downloadable ID and the security policy
`305 to the code scanner 325. If the DSP data 310 of the
`received Downloadable is known, the code scanner 325
`retrieves and forwards the information to the ACL comparator
`330. Otherwise, the code scanner 325 resolves the DSP
`data 310. That is, the code scanner 325 uses conventional
`parsing techniques to decompose the code (including all
`prefetched components) of the Downloadable into the DSP
`data 310. DSP data 310 includes the list of all potentially
`hostile or suspicious computer operations that may be
`attempted by a specific Downloadable 307, and may also
`include the respective arguments of these operations. For
`example, DSP data 310 may include a READ from a specific
`file, a SEND to an unresolved host, etc. The code scanner
`325 may generate the DSP data 310 as a list of all operations
`in the Downloadable code which could ever be deemed
`potentially hostile and a list of all files to be accessed by the
`Downloadable code. It will be appreciated that the code
`scanner 325 may search the code for any pattern, which is
`undesirable or suggests that the code was written by a
`hacker.
`
`Path 3
`
`In path 3, the certificate scanner 340 determines whether
`the received Downloadable was signed by a certificate
`authority, such as VeriSign, Inc., and scans for a certificate
`embodied in the Downloadable. The certificate scanner 340
`forwards the found certificate to the certificate comparator
`345. The certificate comparator 345 retrieves known certificates
`309 that were deemed trustworthy by the security
`administrator and compares the found certificate with the
`known certificates 309 to determine whether the Downloadable
`was signed by a trusted certificate. The certificate
`comparator 345 sends the results to the logical engine 333.
`
`Path 4
`
`In path 4, the URL comparator 350 examines the URL
`identifying the source of the Downloadable against URLs
`stored in the URL rule base 420 to determine whether the
`Downloadable comes from a trusted source. Based on the
`security policy 305, the URL comparator 350 may deem the
`Downloadable suspicious if the Downloadable comes from
`an untrustworthy source or if the Downloadable did not
`come from a trusted source. For example, if the Downloadable
`comes from a known hacker, then the Downloadable
`may be deemed suspicious and presumed hostile. The URL
`comparator 350 sends its results to the logical engine 333.
`
`The logical engine 333 examines the results of each of the
`paths and the policy selector 405 in the security policy 305
`to determine whether to allow or block the Downloadable.
`The policy selector 405 includes a logical expression of the
`results received from each of the paths.
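
The decision flow of paths 1 to 4 and the logical engine, as an added Python sketch that is not taken from the patent: the policy selector is modelled as a nested and/or expression over path results. The ACL, certificate list, URL rule base, override lists, sample Downloadables and the precedence of overrides over the selector are all constructed assumptions.

```python
# Added illustration of the four-path decision; names and data are constructed.
SYSTEM_PREFIXES = ("/etc/", "C:\\Windows\\")   # assumed ACL: no WRITE under these
KNOWN_CERTS = {"fp-trusted-example"}           # stands in for known certificates 309
TRUSTED_HOSTS = {"intranet.example"}           # stands in for URL rule base 420
OVERRIDE = {"allow": {"id-payroll"}, "block": {"id-known-bad"}}  # override 425

def acl_path(d):   # path 2: DSP data checked against the access control list
    return not any(op == "WRITE" and arg.startswith(SYSTEM_PREFIXES)
                   for op, arg in d["dsp"])

def cert_path(d):  # path 3: embedded certificate checked against trusted ones
    return d.get("cert") in KNOWN_CERTS

def url_path(d):   # path 4: source host checked against the rule base
    return d["host"] in TRUSTED_HOSTS

PATHS = {"path2": acl_path, "path3": cert_path, "path4": url_path}

def evaluate(expr, d, results):
    """Logical engine: evaluate the selector expression, recording each path result."""
    if isinstance(expr, str):
        if expr not in PATHS:
            return False                       # unknown path name: fail closed
        results.setdefault(expr, PATHS[expr](d))
        return results[expr]
    op, *terms = expr
    values = [evaluate(t, d, results) for t in terms]  # run every path, no short-circuit
    if op == "and":
        return bool(values) and all(values)    # an empty "and" must not allow
    if op == "or":
        return any(values)
    return False                               # unknown operator: fail closed

def decide(d, selector):
    """First comparator (path 1), then the logical engine on the remaining paths."""
    if d["id"] in OVERRIDE["block"]:           # assumption: overrides win over selector
        return "Blocked", {}
    if d["id"] in OVERRIDE["allow"]:
        return "Allowed", {}
    if selector in ("Allowed", "Blocked"):     # selector is a fixed verdict
        return selector, {}
    results = {}
    verdict = "Allowed" if evaluate(selector, d, results) else "Blocked"
    return verdict, results

SELECTOR = ("and", "path2", ("or", "path3", "path4"))
WRITER = {"id": "id-a", "host": "intranet.example", "dsp": [("WRITE", "/etc/passwd")]}
SIGNED = {"id": "id-b", "host": "unknown.example", "cert": "fp-trusted-example",
          "dsp": [("READ", "/tmp/report.txt"), ("SEND", "unresolved-host")]}
```

Returning the per-path results alongside the verdict lets an administrator see which comparator caused a block.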
