Case 4:18-cv-07229-YGR Document 44-10 Filed 02/28/20 Page 1 of 34

EXHIBIT I

US007975305B2

(12) United States Patent
Rubin et al.

(10) Patent No.: US 7,975,305 B2
(45) Date of Patent: Jul. 5, 2011

(54) METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS

(75) Inventors: Moshe Rubin, Jerusalem (IL); Moshe Matitya, Jerusalem (IL); Artem Melnick, Beit Shemesh (IL); Shlomo Touboul, Kefar-Haim (IL); Alexander Yermakov, Beit Shemesh (IL); Amit Shaked, Tel Aviv (IL)

(73) Assignee: Finjan, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1016 days.

(21) Appl. No.: 11/009,437

(22) Filed: Dec. 9, 2004

(65) Prior Publication Data
US 2005/0240999 A1, Oct. 27, 2005

(63) Related U.S. Application Data
Continuation-in-part of application No. 10/930,884, filed on Aug. 30, 2004, which is a continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194.

(51) Int. Cl.
G06F 11/00 (2006.01)
G06F 21/00 (2006.01)
(52) U.S. Cl. 726/25; 726/22; 713/153
(58) Field of Classification Search: None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,077,677 A 12/1991 Murphy et al. 706/62
5,359,659 A 10/1994 Rosenthal 726/24
5,361,359 A 11/1994 Tajalli et al. 726/23
5,414,833 A * 5/1995 Hershey et al. 726/22
5,485,409 A 1/1996 Gupta et al. 726/25

FOREIGN PATENT DOCUMENTS
EP 1091276 4/2001

OTHER PUBLICATIONS
D. Grune, et al., Parsing Techniques: A Practical Guide, 2000, John Wiley & Sons, Inc., New York, NY, USA, pp. 1-326.*

Primary Examiner — Emmanuel L. Moise
Assistant Examiner — Jeffery Williams
(74) Attorney, Agent, or Firm — Dawn-Marie Bey; King & Spalding LLP

(57) ABSTRACT

A security system for scanning content within a computer, including a network interface, housed within a computer, for receiving content from the Internet on its destination to an Internet application running on the computer, a database of rules corresponding to computer exploits, stored within the computer, a rule-based content scanner that communicates with said database of rules, for scanning content to recognize the presence of potential exploits therewithin, a network traffic probe, operatively coupled to the network interface and to the rule-based content scanner, for selectively diverting content from its intended destination to the rule-based content scanner, and a rule update manager that communicates with said database of rules, for updating said database of rules periodically to incorporate new rules that are made available. A method and a computer readable storage medium are also described and claimed.

25 Claims, 14 Drawing Sheets

U.S. PATENT DOCUMENTS (continued)
5,485,575 A 1/1996 Chess et al. 714/38
5,572,643 A 11/1996 Judson 709/218
5,579,509 A 11/1996 Furtney et al. 703/27
5,606,668 A 2/1997 Shwed 726/13
5,623,600 A 4/1997 Ji et al. 726/24
5,638,446 A 6/1997 Rubin 705/51
5,675,711 A * 10/1997 Kephart et al. 706/12
5,692,047 A 11/1997 McManis 713/167
5,692,124 A 11/1997 Holden et al. 726/2
5,720,033 A 2/1998 Deo 726/2
5,724,425 A 3/1998 Chang et al. 705/52
5,740,248 A 4/1998 Fieres et al. 713/156
5,740,441 A * 4/1998 Yellin et al. 717/134
5,761,421 A 6/1998 van Hoff et al. 709/223
5,765,205 A 6/1998 Breslau et al. 711/203
5,784,459 A 7/1998 Devarakonda et al. 713/165
5,796,952 A 8/1998 Davis et al. 709/224
5,805,829 A 9/1998 Cohen et al. 709/202
5,832,208 A 11/1998 Chen et al. 726/24
5,832,274 A 11/1998 Cutler et al. 717/171
5,850,559 A 12/1998 Angelo et al. 713/320
5,859,966 A 1/1999 Hayman et al. 726/23
5,864,683 A 1/1999 Boebert et al. 709/249
5,881,151 A * 3/1999 Yamamoto 726/24
5,884,033 A * 3/1999 Duvall et al. 709/206
5,892,904 A 4/1999 Atkinson et al. 726/22
5,951,698 A 9/1999 Chen et al. 714/38
5,956,481 A 9/1999 Walsh et al. 726/23
5,963,742 A * 10/1999 Williams 717/143
5,974,549 A 10/1999 Golan 726/23
5,978,484 A 11/1999 Apperson et al. 705/54
5,983,348 A * 11/1999 Ji 726/13
5,987,611 A * 11/1999 Freund 726/4
6,088,801 A * 7/2000 Grecsek 726/1
6,088,803 A * 7/2000 Tso et al. 726/22
6,092,194 A 7/2000 Touboul 726/24
6,154,844 A 11/2000 Touboul et al. 726/24
6,167,520 A 12/2000 Touboul 726/23
6,339,829 B1 1/2002 Beadle et al. 726/15
6,425,058 B1 7/2002 Arimilli et al. 711/134
6,434,668 B1 8/2002 Arimilli et al. 711/128
6,434,669 B1 8/2002 Arimilli et al. 711/128
6,480,962 B1 11/2002 Touboul 726/22
6,487,666 B1 11/2002 Shanklin et al. 726/23
6,519,679 B2 2/2003 Devireddy et al. 711/114
6,598,033 B2 * 7/2003 Ross et al. 706/46
6,732,179 B1 5/2004 Brown et al. 709/229
6,804,780 B1 10/2004 Touboul 713/181
6,917,953 B2 7/2005 Simon et al. 707/204
7,058,822 B2 6/2006 Edery et al. 726/22
7,143,444 B2 11/2006 Porras et al. 726/30
7,210,041 B1 * 4/2007 Gryaznov et al. 713/188
7,308,648 B1 12/2007 Buchthal et al. 715/234
7,343,604 B2 3/2008 Grabarnik et al. 719/313
7,418,731 B2 8/2008 Touboul 726/22
2002/0059157 A1 * 5/2002 Spooner et al. 706/45
2002/0066024 A1 * 5/2002 Schmall et al. 713/200
2002/0073330 A1 * 6/2002 Chandnani et al. 713/200
2003/0014662 A1 1/2003 Gupta et al. 726/23
2003/0101358 A1 5/2003 Porras et al. 726/4
2004/0073811 A1 * 4/2004 Sanin 713/201
2004/0088425 A1 5/2004 Rubinstein et al. 709/230
2005/0050338 A1 3/2005 Liang et al. 713/188
2005/0172338 A1 8/2005 Sandu et al. 726/22
2006/0031207 A1 2/2006 Bjarnestam et al. 707/3
2006/0048224 A1 3/2006 Duncan et al. 726/22
2008/0066160 A1 3/2008 Becker et al. 726/4
2010/0195909 A1 * 8/2010 Wasson et al. 382/176

FOREIGN PATENT DOCUMENTS (continued)
EP 1132796 9/2001

OTHER PUBLICATIONS (continued)
International Search Report for Application No. PCT/IL05/00915, 4 pp., dated Mar. 3, 2006.
Zhong, et al., “Security in the Large: is Java's Sandbox Scalable?” Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6, Oct. 1998.
Rubin, et al., “Mobile Code Security,” IEEE Internet, pp. 30-34, Dec. 1998.
Schmid, et al., “Protecting Data From Malicious Software,” Proceedings of the 18th Annual Computer Security Applications Conference, pp. 1-10, 2002.
Corradi, et al., “A Flexible Access Control Service for Java Mobile Code,” IEEE, pp. 356-365, 2000.
International Search Report for Application No. PCT/IB97/01626, 3 pp., May 14, 1998 (mailing date).
Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated Mar. 3, 2006 (mailing date).
International Search Report for Application No. PCT/IB01/01138, 4 pp., Sep. 20, 2002 (mailing date).
International Preliminary Examination Report for Application No. PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
Gerzic, Amer, “Write Your Own Regular Expression Parser,” Nov. 17, 2003, 18 pp., Retrieved from the Internet: http://www.codeguru.com/Cpp/Cpp/cpp_mfc/parsing/article.php/c4093/.
Power, James, “Lexical Analysis,” 4 pp., May 14, 2006, Retrieved from the Internet: http://www.cs.may.ie/~jpower/Courses/compilers/notes/lexical.pdf.
Sitaker, Kragen, “Rapid Genetic Evolution of Regular Expressions” [online], The Mail Archive, Apr. 24, 2004 [retrieved on Dec. 7, 2004], 5 pp., Retrieved from the Internet: http://www.mail-archive.com/kragen-tol@canonical.org/msg00097.html.
“Lexical Analysis: DFA Minimization & Wrap Up” [online], Fall 2004 [retrieved on Mar. 2, 2005], 8 pp., Retrieved from the Internet: http://www.owlnet.rice.edu/~comp412/Lectures/L06LexWrapup4.pdf.
“Minimization of DFA” [online], [retrieved on Dec. 7, 2004], 7 pp., Retrieved from the Internet: http://www.cs.odu.edu/~toida/nerzic/390teched/regular/fa/min-fa.html.
“Algorithm: NFA -> DFA” [online], Copyright 1999-2001 [retrieved on Dec. 7, 2004], 4 pp., Retrieved from the Internet: http://rw4.cs.uni-sb.de/~ganimal/GANIFA/page16_e.htm.
“CS 3813: Introduction to Formal Languages and Automata—State Minimization and Other Algorithms for Finite Automata,” 3 pp., May 11, 2003, Retrieved from the Internet: http://www.cs.msstate.edu/~hansen/classes/3813_fall_01/slides/06Minimize.pdf.
Watson, Bruce W., “Constructing Minimal Acyclic Deterministic Finite Automata,” [retrieved on Mar. 20, 2005], 38 pp., Retrieved from the Internet: http://www.win.tue.nl/~watson/2R870/downloads/madfa_algs.pdf.
Chang, Chia-Hsiang, “From Regular Expressions to DFA's Using Compressed NFA's,” Oct. 1992, 243 pp., http://www.cs.nyu.edu/web/Research/Theses/chang_chia-hsiang.pdf.
“Products,” Articles published on the Internet, “Revolutionary Security for a New Computing Paradigm” regarding SurfinGate™, 7 pp.
“Release Notes for the Microsoft ActiveX Development Kit,” Aug. 13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
Doyle, et al., “Microsoft Press Computer Dictionary,” Microsoft Press, 2d Edition, pp. 137-138, 1993.
Finjan Software Ltd., “Powerful PC Security for the New World of Java™ and Downloadables, SurfinShield™,” Article published on the Internet by Finjan Software Ltd., 2 pp., 1996.
Finjan Software Ltd., “Finjan Announces a Personal Java™ Firewall for Web Browsers, the SurfinShield™ 1.6 (formerly known as SurfinBoard),” Press Release of Finjan Releases SurfinShield 1.6, 2 pp., Oct. 21, 1996.
Finjan Software Ltd., “Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0,” Las Vegas Convention Center/Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product for the World Wide Web,” Article published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
Finjan Software Ltd., “Java Security: Issues & Solutions,” Article published on the Internet by Finjan Software Ltd., 8 pp., 1996.
Finjan Software Ltd., Company Profile, “Finjan Safe Surfing, The Java Security Solutions Provider,” Article published on the Internet by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
“IBM AntiVirus User's Guide, Version 2.4,” International Business Machines Corporation, pp. 6-7, Nov. 15, 1995.
Khare, R., “Microsoft Authenticode Analyzed” [online], Jul. 22, 1996 [retrieved on Jun. 25, 2003], 2 pp., Retrieved from the Internet: http://www.xent.com/FoRK-archive/summer96/0338.html.
LaDue, M., Online Business Consultant: “Java Security: Whose Business is It?” Article published on the Internet, Home Page Press, Inc., 4 pp., 1996.
Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certification,” PC Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
Moritz, R., “Why We Shouldn't Fear Java,” Java Report, pp. 51-56, Feb. 1997.
Microsoft, “Microsoft ActiveX Software Development Kit” [online], Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6, Retrieved from the Internet: activex.adsp.or.jp/inetsdk/help/overview.htm.
Microsoft® Authenticode Technology, “Ensuring Accountability and Authenticity for Software Components on the Internet,” Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction, and pp. 1-10.
Microsoft Corporation, Web Page Article “Frequently Asked Questions About Authenticode,” last updated Feb. 17, 1997, printed Dec. 23, 1998, URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Okamoto, E., et al., “ID-Based Authentication System for Computer Virus Detection,” IEEE/IEE Electronic Library [online], Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170, URL: http://ielihs.com:80/cgi-biniel cgi?se.2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
Omura, J. K., “Novel Applications of Cryptography in Digital Communications,” IEEE Communications Magazine, pp. 21-29, May 1990.
Schmitt, D. A., “.EXE files, OS-2 style,” PC Tech Journal, vol. 6, No. 11, p. 76(13), Nov. 1988.
Zhang, X. N., “Secure Code Distribution,” IEEE/IEE Electronic Library [online], Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
Power, James, “Notes on Formal Language Theory and Parsing,” National University of Ireland, pp. 1-40, 1999.
* cited by examiner

[Drawing sheets 1 through 14 are reproduced as images in the filing and do not survive extraction; only the figure labels and box text recoverable from the scan are kept here.]

FIG. 4A-2: fragment of the NFA of FIG. 4A with epsilon transitions.

FIG. 6 (operation of a parser within an ARB content scanner), boxes in flow order:
Call tokenizer to retrieve next token.
Add token to parse tree.
Is there a pattern match with a parser rule?
Does the rule have a NONODE attribute?
Perform action associated with matched parser rule: create a new node, called RULE NAME, and place the matching nodes under the new node.
Does the rule have a NOANALYZE attribute?
Call analyzer to determine if a potential exploit is present.
Does analyzer find an analyzer rule match?
Perform action associated with matched analyzer rule: record analyzer rule at current node, as level 0.
Propagate analyzer rule upward through node parents, as successively increasing levels.

FIG. 8 (hierarchy of objects created by the builder module): ARB scanner factory; scanner repository; ARB scanner (HTML), ARB scanner (JavaScript) and ARB scanner (URI), each with its own tokenizer and parser.

FIG. 11: several ARB scanners, each with a local security profile cache, connected to a central security profile cache.

FIG. 12: incoming content; sandbox scanner; local security profile cache.

METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS

CROSS REFERENCES TO RELATED APPLICATIONS

This application is a continuation-in-part of assignee's pending application U.S. Ser. No. 10/930,884, filed on Aug. 30, 2004, entitled “Method and System for Adaptive Rule Based Content Scanners,” which is a continuation-in-part of assignee's application U.S. Ser. No. 09/539,667, filed on Mar. 30, 2000, now U.S. Pat. No. 6,804,780, entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables,” which is a continuation of assignee's patent application U.S. Ser. No. 08/964,388, filed on 6 Nov. 1997, now U.S. Pat. No. 6,092,194, also entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables.”

FIELD OF THE INVENTION

The present invention relates to network security, and in particular to scanning of mobile content for exploits.

BACKGROUND OF THE INVENTION

Conventional anti-virus software scans a computer file system by searching for byte patterns, referred to as signatures, that are present within known viruses. If a virus signature is discovered within a file, the file is designated as infected.

Content that enters a computer from the Internet poses additional security threats, as such content executes upon entry into a client computer, without being saved into the computer's file system. Content such as JavaScript and VBScript is executed by an Internet browser, as soon as the content is received within a web page.

Conventional network security software also scans such mobile content by searching for heuristic virus signatures. However, in order to be as protective as possible, virus signatures for mobile content tend to be over-conservative, which results in significant over-blocking of content. Over-blocking refers to false positives; i.e., in addition to blocking of malicious content, prior art technologies also block a significant amount of content that is not malicious.

Another drawback with prior art network security software is that it is unable to recognize combined attacks, in which an exploit is split among different content streams. Yet another drawback is that prior art network security software is unable to scan content containers, such as URI within JavaScript.

All of the above drawbacks with conventional network security software are due to an inability to diagnose mobile code. Diagnosis is a daunting task, since it entails understanding incoming byte source code. The same malicious exploit can be encoded in an endless variety of ways, so it is not sufficient to look for specific signatures. Nevertheless, in order to accurately block malicious code with minimal over-blocking, a thorough diagnosis is required.

SUMMARY OF THE DESCRIPTION

The present invention enables behavioral analysis of content. As distinct from prior art approaches that search for byte patterns, the approach of the present invention is to analyze incoming content in terms of its programmatic behavior. Behavioral analysis is an automated process that parses and diagnoses a software program, to determine if such program can carry out an exploit.

The present invention provides a method and system for scanning content that includes mobile code, to produce a diagnostic analysis of potential exploits within the content. The present invention is preferably used within a network gateway or proxy, to protect an intranet against viruses and other malicious mobile code.

The content scanners of the present invention are referred to as adaptive rule-based (ARB) scanners. An ARB scanner is able to adapt itself dynamically to scan a specific type of content, such as inter alia JavaScript, VBScript, URI, URL and HTML. ARB scanners differ from prior art scanners that are hard-coded for one particular type of content. In distinction, ARB scanners are data-driven, and can be enabled to scan any specific type of content by providing appropriate rule files, without the need to modify source code. Rule files are text files that describe lexical characteristics of a particular language. Rule files for a language describe character encodings, sequences of characters that form lexical constructs of the language, referred to as tokens, patterns of tokens that form syntactical constructs of program code, referred to as parsing rules, and patterns of tokens that correspond to potential exploits, referred to as analyzer rules. Rule files thus serve as adaptors, to adapt an ARB content scanner to a specific type of content.

The present invention also utilizes a novel description language for efficiently describing exploits. This description language enables an engineer to describe exploits as logical combinations of patterns of tokens.
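The token, parser-rule and analyzer-rule pipeline described above, as an added example that is not part of the patent: rules are plain data, a parser-rule match creates a node named after the rule over the matching nodes, and an analyzer match is recorded at that node as level 0 and carried up through its parents with increasing level (the flow of FIG. 6). The rule syntax, the JavaScript-like token subset and the single illustrative analyzer rule are this example's own assumptions, not the patent's rule-file format; because the tree is built bottom-up, propagation to a parent happens when that parent node is created.

```python
"""Rule-driven scanner sketch: token rules, parser rules, analyzer rules,
and upward propagation of analyzer hits (added example, not patent code)."""
import re
from dataclasses import dataclass, field

# Token rules for a small JavaScript-like subset (constructed for this example).
TOKEN_RULES = [
    ("WS", r"\s+"),
    ("IDENT", r"[A-Za-z_]\w*"),
    ("STRING", r'"[^"]*"|' r"'[^']*'"),
    ("NUMBER", r"\d+"),
    ("LPAREN", r"\("), ("RPAREN", r"\)"), ("PLUS", r"\+"), ("SEMI", r";"),
]
TOKEN_RE = re.compile("|".join(f"(?P<{n}>{p})" for n, p in TOKEN_RULES))

# Parser rules: (node name, pattern of child kinds, attributes). A rule with
# the "noanalyze" attribute builds a node but does not invoke the analyzer.
PARSER_RULES = [
    ("ARG", ["STRING"], {"noanalyze"}),
    ("ARG", ["NUMBER"], {"noanalyze"}),
    ("ARG", ["CALL"], {"noanalyze"}),
    ("ARG", ["ARG", "PLUS", "ARG"], {"noanalyze"}),
    ("CALL", ["IDENT", "LPAREN", "ARG", "RPAREN"], set()),
    ("CALL", ["IDENT", "LPAREN", "RPAREN"], set()),
    ("STATEMENT", ["ARG", "SEMI"], {"noanalyze"}),
]


@dataclass
class Node:
    kind: str                       # token kind or parser-rule name
    text: str = ""                  # token text (empty for rule nodes)
    children: list = field(default_factory=list)
    analyzer_hits: dict = field(default_factory=dict)   # rule name -> level


def tokenize(src):
    """Yield token nodes for src; whitespace is dropped, unknown input rejected."""
    pos = 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character {src[pos]!r} at {pos}")
        pos = m.end()
        if m.lastgroup != "WS":
            yield Node(m.lastgroup, m.group())


def callee(node):
    """Name of the called function for a CALL node, else None."""
    return node.children[0].text if node.kind == "CALL" else None


def descendants(node):
    for child in node.children:
        yield child
        yield from descendants(child)


# Analyzer rules: a potential exploit as a logical combination of token
# patterns over the subtree of the node just built. The one rule here flags
# eval() whose argument contains an unescape() call, a decode-then-execute
# shape worth closer inspection; it is illustrative, not from the patent.
ANALYZER_RULES = {
    "EVAL_OF_UNESCAPE": lambda n: callee(n) == "eval"
    and any(callee(d) == "unescape" for d in descendants(n)),
}


def make_node(name, children):
    """Build a rule node; a child's hit at level k becomes level k+1 here."""
    node = Node(name, children=children)
    for child in children:
        for rule, level in child.analyzer_hits.items():
            node.analyzer_hits[rule] = min(level + 1, node.analyzer_hits.get(rule, level + 1))
    return node


def analyze(node):
    """Record each matching analyzer rule at the current node as level 0."""
    for rule, matches in ANALYZER_RULES.items():
        if matches(node):
            node.analyzer_hits[rule] = 0


def reduce_stack(stack):
    """Apply parser rules to the top of the stack until no pattern matches."""
    while True:
        for name, pattern, attrs in PARSER_RULES:
            n = len(pattern)
            if len(stack) >= n and [s.kind for s in stack[-n:]] == pattern:
                node = make_node(name, stack[-n:])
                del stack[-n:]
                if "noanalyze" not in attrs:
                    analyze(node)
                stack.append(node)
                break
        else:
            return


def scan(src):
    """Tokenize, parse and analyze src; the returned ROOT node maps each
    matched analyzer rule to its distance (level) from the matching node."""
    stack = []
    for token in tokenize(src):
        stack.append(token)        # add token to the parse tree
        reduce_stack(stack)        # pattern-match against parser rules
    return make_node("ROOT", stack)
```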
Thus it may be appreciated that the present invention is able to diagnose incoming content for malicious behavior. As such, the present invention achieves very accurate blocking of content, with minimal over-blocking as compared with prior art scanning technologies.

There is thus provided in accordance with a preferred embodiment of the present invention a security system for scanning content within a computer, including a network interface, housed within a computer, for receiving content from the Internet on its destination to an Internet application running on the computer, a database of rules corresponding to computer exploits, stored within the computer, a rule-based content scanner that communicates with said database of rules, for scanning content to recognize the presence of potential exploits therewithin, a network traffic probe, operatively coupled to the network interface and to the rule-based content scanner, for selectively diverting content from its intended destination to the rule-based content scanner, and a rule update manager that communicates with said database of rules, for updating said database of rules periodically to incorporate new rules that are made available.

There is moreover provided in accordance with a preferred embodiment of the present invention a method for scanning content within a computer, including receiving content from the Internet on its destination to an Internet application, selectively diverting the received content from its intended destination, scanning the selectively diverted content to recognize potential exploits therewithin, based on a database of rules corresponding to computer exploits, and updating the database of rules periodically to incorporate new rules that are made available.

There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of receiving content from the Internet on its destination to an Internet application, selectively diverting
the received content from its intended destination, scanning the selectively diverted content to recognize potential exploits therewithin, based on a database of rules corresponding to computer exploits, and updating the database of rules periodically to incorporate new rules that are made available.

There is yet further provided in accordance with a preferred embodiment of the present invention a method for network security, including scanning content received over a computer network for potential malicious code, the intended destination of the content being a software application, including deriving a hash value for the received content, querying a local security cache for the presence of the hash value, the local security cache storing hash values for content and corresponding security profiles, whereby security profiles identify potentially malicious code within content, and if the querying is affirmative, then retrieving a security policy for the content from the local security cache, else if the querying is not affirmative, then deriving a security profile for the received content, storing the hash value and the derived security policy in the local security cache, and transmitting the hash value and the security policy to a central security cache, and periodically updating the local security cache with hash values and corresponding security profiles from the central security cache.

There is additionally provided in accordance with a preferred embodiment of the present invention a network security system including a plurality of inter-connected computers within a network, each of the plurality of computers including a local security cache that stores hash values for content and corresponding content security profiles, whereby security profiles identify potentially malicious code within content, a scanner that communicates bi-directionally with the local security cache, for (i) examining incoming content and deriving a hash value therefor, the intended destination of the content being a software application; (ii) querying the local security cache for the presence of the derived hash value; and (iii) examining incoming content and deriving a security profile therefor, and a central security cache storing hash values for content and corresponding content security profiles, to which hash values and corresponding security profiles are received from the plurality of inter-connected computers, and from which updated hash values and corresponding security profiles are transmitted to the plurality of local security caches.

There is moreover provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of scanning content received over a computer network for potential malicious code, the intended destination of the content being a software application, including deriving a hash value for the received content, querying a local security cache for the presence of the hash value, the local security cache storing hash values for content and corresponding security profiles, whereby security profiles identify potentially malicious code within content, and if the querying is affirmative, then retrieving a security policy for the content from the local security cache, else if the querying is not affirmative, then deriving a security profile for the received content, storing the hash value and the derived security policy in the local security cache, and transmitting the hash value and the security policy to a central security cache, and periodically updating the local security cache with hash values and corresponding security profiles from the central security cache.
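The local/central security cache procedure above, as an added example that is not the patent's code: a computer hashes incoming content, serves the cached profile on a hit, otherwise scans the content, stores the profile locally and publishes it to the central cache, and periodically pulls the central cache into its local one. Class names, SHA-256 as the hash function and the stand-in byte-pattern scanner are this example's assumptions; it also goes beyond the text by tagging each entry with the rules version it was derived under, so that a rule update invalidates stale profiles instead of serving them from cache.

```python
"""Hash-keyed local/central security-profile cache (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityProfile:
    findings: tuple      # names of potential exploits found; empty means clean
    rules_version: int   # version of the rule database the scan used


class Scanner:
    """Stand-in for the ARB scanner: a constructed byte-pattern rule set so
    the cache logic can be exercised; the real scanner parses the content."""
    RULES = {1: {b"eval(": "EVAL_CALL"},
             2: {b"eval(": "EVAL_CALL", b"unescape(": "UNESCAPE_CALL"}}

    def __init__(self, rules_version=1):
        self.rules_version = rules_version
        self.scan_count = 0   # counts real scans, to show which lookups hit cache

    def derive_profile(self, content):
        self.scan_count += 1
        rules = self.RULES[self.rules_version]
        hits = tuple(name for pattern, name in rules.items() if pattern in content)
        return SecurityProfile(hits, self.rules_version)


class CentralSecurityCache:
    def __init__(self):
        self.entries = {}   # hash value -> SecurityProfile

    def publish(self, digest, profile):
        self.entries[digest] = profile

    def snapshot(self):
        return dict(self.entries)


class LocalSecurityCache:
    def __init__(self, scanner, central):
        self.scanner, self.central, self.entries = scanner, central, {}

    @staticmethod
    def digest(content):
        return hashlib.sha256(content).hexdigest()   # assumed hash function

    def profile_for(self, content):
        """Return (profile, source); source is 'local-cache' or 'scanned'.
        A cached profile derived under older rules is treated as a miss."""
        digest = self.digest(content)
        cached = self.entries.get(digest)
        if cached is not None and cached.rules_version >= self.scanner.rules_version:
            return cached, "local-cache"
        profile = self.scanner.derive_profile(content)
        self.entries[digest] = profile
        self.central.publish(digest, profile)   # share with the other computers
        return profile, "scanned"

    def sync_from_central(self):
        """Periodic update from the central cache; returns entries added or replaced."""
        before = dict(self.entries)
        self.entries.update(self.central.snapshot())
        return sum(1 for k, v in self.entries.items() if before.get(k) != v)


def demo():
    """Two computers sharing one central cache, fed one constructed sample."""
    central = CentralSecurityCache()
    scanner_a, scanner_b = Scanner(1), Scanner(1)
    a = LocalSecurityCache(scanner_a, central)
    b = LocalSecurityCache(scanner_b, central)
    content = b'<script>eval(unescape("%61%6c%65%72%74"))</script>'   # constructed
    out = {"a_first": a.profile_for(content)[1]}             # miss: scanned, published
    out["synced"] = b.sync_from_central()                   # b receives a's entry
    out["b_after_sync"] = b.profile_for(content)[1]         # hit: no second scan
    out["scans_total"] = scanner_a.scan_count + scanner_b.scan_count
    scanner_a.rules_version = 2                             # rule update reaches a
    out["a_after_rule_update"] = a.profile_for(content)[1]  # stale entry: rescanned
    out["findings_v2"] = a.entries[a.digest(content)].findings
    return out
```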
There is further provided in accordance with a preferred embodiment of the present invention a network security system including a first scanner that analyzes incoming content under general operational conditions, without executing the content, and derives a security profile for the content that identifies conditionally malicious code therein, which is malicious or non-malicious depending upon values of operational data, and a second scanner, connected in series with the first scanner, that analyzes the content under specific operational conditions corresponding to specific values of the operational data, by executing the content, and modifies the security profile for the content if the conditionally malicious code identified in the security profile is found to be malicious for the specific values of the operational data.

There is yet further provided in accordance with a preferred embodiment of the present invention a method for network security, including analyzing incoming content under general operational conditions, without executing the content, deriving a security profile for the content that identifies conditionally malicious code therein, which is malicious or non-malicious depending upon values of operational data, if the security profile identifies conditionally malicious code within the content, then further analyzing the content under specific operational conditions corresponding to specific values of the operational data, by executing the content, and modifying the security profile for the content if the conditionally malicious code identified in the security profile is found to be malicious for the specific values of the operational data, so as to identify the conditionally malicious code as being malicious.

There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computer to perform the steps of analyzing incoming content under general operational conditions, without executing the content, deriving a security profile for the content that identifies conditionally malicious code therein, which is malicious or non-malicious depending upon values of operational data, if the security profile identifies conditionally malicious code within the content, then further analyzing the content under specific operational conditions corresponding to specific values of the operational data, by executing the content, and modifying the security profile for the content if the conditionally malicious code identified in the security profile is found to be malicious for the specific values of the operational data, so as to identify the conditionally malicious code as being malicious.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

FIG. 1 is a simplified block diagram of an overall gateway security system that uses an adaptive rule-based (ARB) content scanner, in accordance with a preferred embodiment of the present invention;

FIG. 2 is a simplified block diagram of an adaptive rule-based content scanner system, in accordance with a preferred embodiment of the present invention;

FIG. 3 is an illustration of a simple finite state machine for detecting tokens “a” and “ab”, used in accordance with a preferred embodiment of the present invention;

FIG. 4A is an example of a non-deterministic finite automaton (NFA) for matching a pattern of tokens;

FIG. 4B is an example of a deterministic finite automaton (DFA) which is equivalent to the NFA of FIG. 4A;

FIG. 5 is an illustration of a simple finite state machine for a pattern, used in accordance with a preferred embodiment of the present invention;

FIG. 6 is a simplified flowchart of operation of a parser for a specific content language within an ARB content scanner, in accordance with a preferred embodiment of the present invention;

FIG. 7 is a simplified block diagram of a system for serializing binary instances of ARB content scanners, transmitting them to a client site, and regenerating them back into binary instances at the client site, in accordance with a preferred embodiment of the present invention;

FIG. 8 illustrates a representative hierarchy of objects created by a builder module, in accordance with a preferred embodiment of the present invention;

FIG. 9 is a simplified block diagram of a desktop computer implementation of an ARB content scanner, in accordance with a preferred embodiment of the prese
