Case 4:18-cv-07229-YGR Document 42-6 Filed 02/10/20 Page 1 of 13

Exhibit 5
US007418731B2

(12) United States Patent
Touboul

(10) Patent No.: US 7,418,731 B2
(45) Date of Patent: Aug. 26, 2008

(54) METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

(75) Inventor: Shlomo Touboul, Kefar-Haim (IL)

(73) Assignee: Finjan Software, Ltd., Netanya (IL)

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 537 days.

(21) Appl. No.: 10/838,889

(22) Filed: May 3, 2004

(65) Prior Publication Data
US 2005/0005107 A1    Jan. 6, 2005

Related U.S. Application Data

(63) Continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

(51) Int. Cl.
    G06F 21/00 (2006.01)
    G06F 15/16 (2006.01)
(52) U.S. Cl. ........................................................ 726/22
(58) Field of Classification Search ....................... None
    See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,077,677 A    12/1991  Murphy et al.
[one entry illegible in the scan]
5,485,409 A     1/1996  Gupta et al.
5,485,575 A     1/1996  Chess et al.
5,572,643 A    11/1996  Judson
5,579,509 A    11/1996  Furtney et al.
5,606,668 A     2/1997  Shwed
5,623,600 A     4/1997  Ji et al.
5,638,446 A     6/1997  Rubin
5,692,047 A    11/1997  McManis
5,692,124 A    11/1997  Holden et al.
5,720,033 A     2/1998  Deo
5,724,425 A     3/1998  Chang et al.
5,740,248 A     4/1998  Fieres et al.
5,761,421 A     6/1998  van Hoff et al.
5,765,205 A     6/1998  Breslau et al.

FOREIGN PATENT DOCUMENTS

EP  1091276 A1   4/2001

OTHER PUBLICATIONS

U.S. Appl. No. 10/838,889, filed Oct. 26, 1999, Golan, G.

Primary Examiner: Christopher A. Revak
(74) Attorney, Agent, or Firm: Perkins Coie LLP

(57) ABSTRACT

A computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for client computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers. A method and a computer-readable storage medium are also described and claimed.

22 Claims, 3 Drawing Sheets

[Front-page figure (drawing; only its labels survived extraction): a gateway 100 between an intranet 120 and the Internet, containing a web cache with entries URL-O1/ID-1/WEB OBJECT O1 through URL-O4/ID-4/WEB OBJECT O4 for web page P, a security profile cache 150 holding security profiles for web pages P, Q and R, and a security policy cache holding security policies for user groups 1, 2 and 3.]

FINJAN-QUALYS 004173

U.S. PATENT DOCUMENTS (continued)

5,784,459 A     7/1998  Devarakonda et al.
5,796,952 A     8/1998  Davis et al.
5,805,829 A     9/1998  Cohen et al.
5,832,208 A    11/1998  Chen et al.
5,832,274 A    11/1998  Cutler et al.
5,850,559 A    12/1998  Angelo et al.
5,859,966 A     1/1999  Hayman et al.
5,864,683 A     1/1999  Boebert et al.
5,892,904 A     4/1999  Atkinson et al.
5,951,698 A     9/1999  Chen et al.
5,956,481 A     9/1999  Walsh et al.
5,974,549 A    10/1999  Golan
5,978,484 A    11/1999  Apperson et al.
5,983,348 A    11/1999  Ji
6,092,194 A     7/2000  Touboul
6,154,844 A    11/2000  Touboul
6,167,520 A    12/2000  Touboul
6,339,829 B1    1/2002  Beadle et al.
6,480,962 B1   11/2002  Touboul
6,804,780 B1   10/2004  Touboul
6,917,953 B2 *  7/2005  Simon et al. ................ 707/204

FOREIGN PATENT DOCUMENTS (continued)

EP  1132796 A1   9/2001

OTHER PUBLICATIONS (continued)

http://www.codeguru.com/Cpp/Cpp/cpp_mfc/parsing/article.php/c4093/.
http://www.cs.may.ie/~jpower/Courses/compilers/notes/lexical.pdf.
http://www.mail-archive.com/kragen-tol@canonical.org/msg00097.html.
http://www.owlnet.rice.edu/~comp412/Lectures/L06LexWrapup4.pdf.
http://www.cs.odu.edu/~toida/nerzic/390teched/regular/fa/min-fa.html.
http://rw4.cs.uni-sb.de/~ganimal/GANIFA/page16_e.htm.
http://www.cs.msstate.edu/~hansen/classes/3813fall01/slides/06Minimize.pdf.
http://www.win.tue.nl/~watson/2R870/downloads/madfa_algs.pdf.
http://www.cs.nyu.edu/web/Research/Theses/chang_chia-hsiang.pdf.
“Products”, Article published on the Internet, “Revolutionary Security for A New Computing Paradigm” regarding SurfinGate(TM), 7 pages.
“Release Notes for the Microsoft ActiveX Development Kit”, Aug. 13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
Doyle et al., “Microsoft Press Computer Dictionary”, 1993, Microsoft Press, 2nd Edition, pp. 137-138.
Finjan Software Ltd., “Powerful PC Security for the New World of Java(TM) and Downloadables, Surfin Shield(TM)”, Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
Finjan Software Ltd., “Finjan Announces a Personal Java(TM) Firewall For Web Browsers: the SurfinShield(TM) 1.6 (formerly known as SurfinBoard)”, Press Release of Finjan Releases SurfinShield 1.6, Oct. 21, 1996, 2 pages.
Finjan Software Ltd., “Finjan Announces Major Power Boost and New Features for SurfinShield(TM) 2.0”, Las Vegas Convention Center/Pavilion 5 P5551, Nov. 18, 1996, 3 pages.
Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Industry’s First Java Security Product For the World Wide Web”, Article published on the Internet by Finjan Software Ltd., Jul. 29, 1996, 1 page.
Finjan Software Ltd., “Java Security: Issues & Solutions”, Article published on the Internet by Finjan Software Ltd., 1996, 8 pages.
Finjan Software Ltd., Company Profile “Finjan: Safe Surfing, The Java Security Solutions Provider”, Article published on the Internet by Oct. 31, 1996, 3 pages.
IBM AntiVirus User’s Guide Version 2.4, International Business Machines Corporation, Nov. 15, 1995, p. 6-7.
Khare, R., “Microsoft Authenticode Analyzed”, Jul. 22, 1996, Kent.com/FORK-archive/summer96/0338.html, p. 1-2.
LaDue, M., “Online Business Consultant: Java Security: Whose Business Is It?”, Article published on the Internet, Home Page Press, Inc., 1996, 4 pages.
Leach, Norvin et al., “IE 3.0 Applets Will Earn Certification”, PC Week, vol. 13, No. 29, Jul. 22, 1996, 2 pages.
Moritz, R., “Why We Shouldn’t Fear Java”, Java Report, Feb. 1997, pp. 51-56.
Microsoft, “Microsoft ActiveX Software Development Kit”, Aug. 12, 1996, activex.adsp.or.jp/inetsdk/help/overview.htm, pp. 1-6.
Microsoft Corporation, Web Page Article “Frequently Asked Questions About Authenticode”, last updated Feb. 17, 1997, Printed Dec. 23, 1998. URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Microsoft(R) Authenticode Technology, “Ensuring Accountability and Authenticity for Software Components on the Internet”, Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction and pp. 1-10.
Okamoto, E. et al., “ID-Based Authentication System For Computer Virus Detection”, IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170. URL: http://iel.ihs.com:80/cgi-bin/ielicgi7seu.2ehts%26ViewTemplate%3ddocview%51b%2ehts.
Omura, J. K., “Novel Applications of Cryptography in Digital Communications”, IEEE Communications Magazine, May 1990, pp. 21-29.
Schmitt, D.A., “.EXE files, OS/2 style”, PC Tech Journal, v6, n11, p. 76 (13).
Zhang, X.N., “Secure Code Distribution”, IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, Jun. 1997, pp. 76-79.

* cited by examiner

U.S. Patent    Aug. 26, 2008    Sheet 1 of 3    US 7,418,731 B2

[FIG. 1 (drawing): simplified block diagram for a network gateway. The figure text did not survive extraction; the elements it shows are described in the detailed description (gateway computer 110, intranet 120, code scanner 140, security profile cache 150, web cache 160).]

U.S. Patent    Aug. 26, 2008    Sheet 2 of 3    US 7,418,731 B2

[FIG. 2 (drawing): simplified flowchart for operation of a network gateway. The figure text did not survive extraction.]

U.S. Patent    Aug. 26, 2008    Sheet 3 of 3    US 7,418,731 B2

[FIG. 3 (drawing): simplified block diagram for a network gateway that controls outgoing traffic. The figure text did not survive extraction.]

US 7,418,731 B2

METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS

CROSS REFERENCES TO RELATED APPLICATIONS

This application is a continuation-in-part of assignee's application U.S. Ser. No. 09/539,667 (now U.S. Pat. No. 6,804,780), filed on Mar. 30, 2000, and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, which is a continuation of U.S. Ser. No. 08/964,388 (now U.S. Pat. No. 6,092,194), filed on Nov. 6, 1997 and entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES.

FIELD OF THE INVENTION

The present invention relates to computer security and network gateways.

BACKGROUND OF THE INVENTION

A network gateway computer conventionally serves as a proxy between a group of inter-connected computers, referred to as an intranet, such as a corporate intranet or customers of an Internet service provider, and the myriads of server computers on the Internet. The gateway computer is networked with the intranet computers in such a way that outgoing requests and responses from the intranet computers to the Internet, and incoming requests and responses from the Internet to the intranet computers, are routed through the gateway computer.

Typically, a request is issued as an HTTP protocol request that includes a URI for a file, such as an HTML page, a JPEG image or a PDF document, residing on one or more server computers on the Internet. Similarly, a response is typically an HTTP response including a requested file, sent back to a client in response to a request.

Network gateways are generally connected to an intranet with high-speed lines, so that the bandwidth between the intranet computers and the gateway computer is much higher than the bandwidth between the gateway computer and the rest of the Internet.

Two important functions of computer gateways are (i) to restrict outsiders from unauthorized access to a computer intranet, and (ii) to protect the intranet computers from software containing computer viruses and from spam. Computer gateways may contain conventional firewall software that restricts outside communication with the intranet, anti-virus software that identifies computer viruses residing within files retrieved from the Internet, and anti-spam software that filters out unwanted content.

Current gateway systems cause latency because clients do not access websites directly, and because current gateway systems apply security protocols to protect intranet members. Accordingly, systems and methods for reducing network access latency without compromising network safety are needed.

SUMMARY OF THE INVENTION

The present invention provides a method and system for improving performance of gateway computers. Specifically, the present invention mitigates network latency caused by processing time at a gateway computer.

There is thus provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning incoming files from the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a file cache for storing files, a security profile cache for storing security profiles for files, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis-a-vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative then retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative then retrieving the requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, storing the retrieved file within the file cache, and storing the security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis-a-vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis-a-vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is additionally provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions on files that can be transmitted to the intranet computer, and comparing the security profile for the requested file vis-a-vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of retrieving a requested file from the Internet, scanning the retrieved file to determine computer commands that the file is programmed to perform, deriving a security profile for the retrieved file, the security profile including a list of at least one computer command that the retrieved file is programmed to perform, storing the retrieved file within a file cache, and storing the security profile for the retrieved file within a security profile cache.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a file cache for storing files, a security profile cache for storing security profiles for files, the security profiles being lists of computer commands that the files are programmed to perform, and a security policy cache for storing security policies for intranet computers within an intranet, the security policies including a list of restrictions for files that are transmitted to intranet computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis-a-vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a request from an intranet computer for a file on the Internet, determining whether the requested file resides within a file cache at the network gateway, if the determining is affirmative retrieving a security profile for the requested file from a security profile cache at the network gateway, the security profile including a list of at least one computer command that the file is programmed to perform, and if the determining is not affirmative retrieving the requested file from the Internet, storing the retrieved file within the file cache, and storing a security profile for the retrieved file within a security profile cache, retrieving a security policy for the intranet computer from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to the intranet computer, and comparing the security profile for the requested file vis-a-vis the security policy for the intranet computer, to determine whether transmission of the requested file to the intranet computer is to be restricted.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer gateway for an intranet of computers, including a scanner for scanning outgoing files from an intranet to the Internet and deriving security profiles therefor, the security profiles being lists of computer commands that the files are programmed to perform, a security policy cache for storing security policies for recipient computers within the Internet, the security policies including a list of restrictions for files that are transmitted to recipient computers.

There is additionally provided in accordance with a preferred embodiment of the present invention a method for operation of a network gateway for an intranet of computers, including receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis-a-vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving a file from an intranet computer for transmission to a recipient computer on the Internet, scanning the received file to derive a security profile for the received file, the security profile including a list of at least one computer command that the file is programmed to perform, retrieving a security policy from a security policy cache at the network gateway, the security policy defining restrictions for transmitting files to recipient computers, and comparing the security profile for the received file vis-a-vis the security policy, to determine whether transmission of the requested file to the recipient computer is to be restricted.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

FIG. 1 is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention;

FIG. 2 is a simplified flowchart for operation of a network gateway, in accordance with a preferred embodiment of the present invention; and

FIG. 3 is a simplified block diagram for a network gateway that controls outgoing traffic, in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The present invention provides a system and method for optimizing performance of network gateways that perform security-based functions.

Reference is now made to FIG. 1, which is a simplified block diagram for a network gateway, in accordance with a preferred embodiment of the present invention. Shown in FIG. 1 is a network gateway computer 110, which serves as a proxy between an intranet of clients and servers, and the Internet. Specifically in FIG. 1, gateway computer 110 intervenes between requests for web pages originating from an intranet 120 of clients 123, 125 and 127, and responses originating from Internet servers 133, 135 and 137.

Typically, web pages include text, executable scripts and one or more links to web objects that must be retrieved in order to completely render the web page. Such web objects include inter alia images, sounds, multimedia presentations, video clips and also active code that runs on the client computer. Executable scripts and active code components are a security concern, since they may contain computer viruses that maliciously harm client computers. In fact, most viruses today are transmitted as active web objects or as e-mail attachments.

Preferably, gateway computer 110 includes a code scanner 140, for scanning incoming web pages and web objects in order to detect the presence of malicious executable scripts or active code. Preferably, when gateway 110 receives a web page, it also retrieves the web objects referenced by the web page, and scanner 140 scans the web page and the web objects that may be malicious. For example, a web page, P, requested by a client computer, may contain references to web objects O1, O2, O3 and O4. Generally, the web page, P, and the web objects it references, O1, O2, O3 and O4, are stored as files within the Internet.

When the web page, P, first arrives at gateway computer 110, gateway computer 110 preferably retrieves objects O1, O2, O3 and O4. Gateway computer 110 then decides which of web page P and objects O1, O2, O3 and O4 may potentially be malicious, and scanner 140 scans each of the potentially malicious files. Determination of which files may be potentially malicious may be based on numerous criteria; for example, multimedia objects such as images and video clips may be deemed safe, whereas Visual Basic scripts and Java applets may be deemed potentially malicious.

In accordance with a preferred embodiment of the present invention, scanner 140 analyzes each file it scans to determine the nature of computer operations that the file is programmed to perform, and derives a security profile therefor, summarizing potentially malicious computer operations. Thus scanner 140 may determine inter alia that a file is programmed to access a computer file system, or a computer operating system, or open a network socket.

Table I below indicates a typical scan analysis, in accordance with a preferred embodiment of the present invention. As can be seen from Table I, web page P and web objects O1 and O4 are deemed potentially malicious. Web objects O2 and O3 are deemed safe. The security profile for web page P includes security profiles for JavaScript within page P, and for web objects O1 and O4 referenced by page P. Web objects O2 and O3 are not scanned, since they are deemed to be safe.

TABLE I
Security Profile for Web Page P

File                                                   | Potentially Malicious? | Security Profile: File System Commands       | Security Profile: Operating System Commands | Security Profile: Network Commands
Web Page P (references objects O1, O2, O3 and O4;      | Yes                    | None                                         | None                                        | Issue HTTP request
  includes JavaScript)                                 |                        |                                              |                                             |
Web Object O1 (Java applet)                            | Yes                    | Open file F1; Write file F2; Delete file F1  | Open registry; Edit registry                | None
Web Object O2 (Still image)                            | No                     | (not scanned)                                | (not scanned)                               | (not scanned)
Web Object O3 (Audio clip)                             | No                     | (not scanned)                                | (not scanned)                               | (not scanned)
Web Object O4 (ActiveX Control)                        | Yes                    | Open file F1; Copy file F1                   | None                                        | Open socket; FTP send

In accordance with a preferred embodiment of the present invention, web page security profiles are stored in a security profile cache 150, and the web page and the web objects that the page references are stored in a web cache 160. Security profile cache 150 preferably includes a table as indicated in Table II.

TABLE II
Structure of Security Profile Cache 150

Web Content ID | Web Content Security Profile

`Case 4:18-cv-07229-YGR Document 42-6 Filed 02/10/20 Page 10 of 13
`Case 4:18-cv-07229—YGR Document 42-6 Filed 02/10/20 Page 10 of 13
`
`US 7,418,731 B2
`
`7
`Web content ID is preferably a has ID that serves as a key for
`Table II. Similarly, web content cache 160 preferably
`includes a table as indicated in Table III.
`
`TABLE HI
`
`Structure ofWeb Content Cache 160
`
`Web Content URI
`
`Web Content ID
`
`Web Content
`
`Web content URI serves as a key for Table III, and Web
`Content ID is a foreign key that can be used to join Table II
`with Table III.
`
`It may be appreciated that the same web page or web object
`may be stored at multiple locations and, as such, multiple
`URIs may correspond to the same web content. In a preferred
`embodiment of the present invention, web cache 160 is man-
`aged so as to avoid caching duplicate web content. Use of a
`hash ID for web pages and web objects serves to identify web
`content duplicates, and to determine if web content on the
`Internet has changed since it was earlier cached within web
`content cache 160. In case web content has changed, then
`preferably the more recent web content is cached instead of
`the older web content, and the newer web content is scanned
`by code scanner 140, in order to update its security profile
`within security profile cache 150.
`Preferably, when a client computer requests a web page, P,
`from a server computer, the request is first transmitted to
`gateway computer 110, which checks whether or not the web
`page is already resident within web cache 160. If not, then
`computer gateway forwards the request to the server com-
`puter, which in turn sends the requested web page, P, to
`gateway computer 110 within a response. Requests and
`responses are typically formatted according to the HTTP
`protocol. Upon receipt of the requested web page, gateway
`computer 110 (i) fetches the web objects referenced by page
`P, such as web objects O1, O2, O3 and O4 hereinabove; (ii)
`determines which files to scan; (iii) determines security pro-
`files for the scanned files; (iv) caches the security profiles for
`web page P in security profile cache 150; and (v) caches web
`page P and web objects O1, O2, O3 and O4 in web cache 160.
`After gateway computer 110 has stored web page P in web
`cache 160, and has stored its corresponding security profile in
`security profile cache 150, it determines whether or not to
`send web page P to the client
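The two-table arrangement above (Table III keyed by URI with a hash ID as foreign key into Table II, duplicate content detected and change detected by hash ID, scanning only on cache miss) can be modelled in a few lines. This is an added illustration, not code from the patent or from Finjan; it assumes SHA-256 as the hash ID, a hypothetical `fetch` callable standing in for the forward to the server, and a constructed marker-based `scan` standing in for code scanner 140.

```python
import hashlib


def scan(content: bytes) -> list:
    """Stand-in for code scanner 140: derive a security profile (list of
    potentially hostile operations) from content. Constructed marker-based
    heuristic for illustration only, not the patent's scanner."""
    markers = [(b"open_file", "Open file"), (b"write_file", "Write file"),
               (b"open_socket", "Open socket"), (b"registry", "Open registry")]
    profile = [op for marker, op in markers if marker in content]
    return profile or ["None"]


def content_id(content: bytes) -> str:
    """Hash ID: key of Table II and foreign key joining Table III to it."""
    return hashlib.sha256(content).hexdigest()


class CachingGateway:
    def __init__(self, fetch):
        self.fetch = fetch            # hypothetical origin-fetch callable
        self.web_cache = {}           # Table III: URI -> content ID
        self.content_store = {}       # content ID -> bytes (one copy per hash)
        self.profile_cache = {}       # Table II: content ID -> security profile
        self.scans = 0                # how often the scanner actually ran

    def _admit(self, uri, content):
        cid = content_id(content)
        if cid not in self.profile_cache:   # identical content already profiled?
            self.profile_cache[cid] = scan(content)
            self.scans += 1
        self.content_store[cid] = content
        self.web_cache[uri] = cid
        return cid

    def request(self, uri):
        """Serve uri from web cache 160 if resident; else fetch, scan, cache."""
        cid = self.web_cache.get(uri)
        if cid is None:
            cid = self._admit(uri, self.fetch(uri))
        return self.content_store[cid], self.profile_cache[cid]

    def refresh(self, uri):
        """Re-fetch uri; if its hash ID changed, cache the newer content,
        rescan it, and drop the old copy once no URI refers to it."""
        fresh = self.fetch(uri)
        old = self.web_cache.get(uri)
        if content_id(fresh) == old:
            return False                    # unchanged: keep cached profile
        self._admit(uri, fresh)
        if old is not None and old not in self.web_cache.values():
            self.content_store.pop(old, None)
            self.profile_cache.pop(old, None)
        return True
```

Two URIs serving byte-identical content share one stored copy and one scan, and a refresh that yields the same hash ID leaves the cached security profile untouched.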