Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 1 of 31
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 13
`
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`UNITED STATES DISTRICT COURT
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`OAKLAND DIVISION
`
FINJAN LLC., a Delaware Limited Liability Company,

Plaintiff,

v.

QUALYS INC., a Delaware Corporation,

Defendant.

Case No. 4:18-cv-07229-YGR (TSH)

Hon. Yvonne Gonzalez Rogers
`
EXPERT REPORT OF NENAD MEDVIDOVIĆ, PH.D.
`[HC-AEO]
`
`______________________
`Nenad Medvidovic, PH.D.
`December 1, 2020
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`1
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`
`change if the ’408 Patent is found to have a priority date differing from August 30,
`2004.
`
` Non-Infringing Alternatives
`
`I understand that a non-infringing alternative is a modification to an
`accused product that, if implemented, would render the accused product non-
`infringing. Further, I have been informed that a non-infringing alternative must be
`feasible (i.e. technically feasible and economically feasible), and commercially
`acceptable. I also understand that Qualys has the burden of establishing that there
are, or were, at least one viable non-infringing alternative that could be applied to
`the Accused Products. I understand that, to meet their burden of proof, Qualys must
`show that (i) the materials needed to implement the non-infringing alternative were
`readily available, (ii) the non-infringing alternative was well known in the field at
`the time of infringement, and (iii) all of the necessary equipment, know-how, and
experience to use the non-infringing alternative were available at the time of
infringement, all of which are required to establish that a non-infringing
alternative exists or existed.
`VI. Technology Background
` The Asserted Patent is directed to novel innovations pertaining to
`network security. I provide below a general tutorial on various aspects of network
`security.
` Computer Networks and High-Level Web Communication
` A computer network is formed when computing devices, such as PCs,
`laptops, end user devices, or servers are linked together in an arrangement that
`facilitates communication among them. Regardless of the arrangement of
`computing devices, the devices need to identify each other and communicate with
`each other within the bounds of the computer network. All of this is done using a
`common language that is called a communication protocol, examples of which
`include Bluetooth or Wi-Fi. Similar to communication among people, computing
`11
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 4 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`devices need to speak the same language in order to engage in a dialogue. To this
`end, the languages used for communication, both within computer networks and
`across the Internet, are standardized to ensure that all devices can speak to and
`communicate with each other. The Internet facilitates communication between
`computing networks by linking these computer networks together using its own
`network. Thus, the Internet is actually a very large network of many computer
`networks.
` An Internet server is a computing device that exists on a computer
`network. The Internet server dialogues with computing devices external to its
`computer network using links provided by the Internet network. As an example, a
`website is a software program that runs on an Internet server. The website receives
`and transmits information accessible over the Internet using a high-level
`communication language, such as the HyperText Transfer Protocol (“HTTP”).
`When users want to communicate with a website, they may run an application
`program, such as Google Chrome, Safari or Internet Explorer on their computing
`devices, which could be a laptop, desktop, smartphone, tablet, or other device. This
`application program (often called a “browser”) uses a communication language or
`protocol to exchange information with the corresponding application running on the
`Internet server. Typical corresponding website applications running on the Internet
`server include, as non-exhaustive examples, Apache Web Server or Microsoft IIS.
` The underlying process that enables this communication requires the
`user to identify the unique name of the Internet server, along with the name of a file
`to be retrieved from the Internet server. For example, the text string
`“http://www.aubonpain.com/menu” identifies the unique name of the Internet server
`and the name of the file to be retrieved, as well as the language that will be used for
`this dialogue. This text string is called a Uniform Resource Locator (“URL”).
`Typically, the user enters the text string through a browser interface.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`12
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 5 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
` The browser decodes from the URL that is entered by the user the
`communication protocol to use for the communication (“http”), the Internet server
`that is the destination of the communication (“www.aubonpain.com”), and the
`resource (or file) to be retrieved from the Internet server (“menu”). The browser
`then sends a request (in the form of an HTTP Request message) to the Internet
`server to download the file (the menu in this example). When the server receives
`the request, it finds (and, in some cases, generates on the fly) the requested
`information and sends it back to the user’s browser (in the form of an HTTP
`response message). When the browser receives the response, it displays the
`information to the user. Each pair of such messages that request information and
`respond with the requested information can be considered independently.
` The interaction described above is an example of the simplest form of
`communication between a web client (e.g., the Safari browser) and a web server
`(e.g., the Apache Web Server).
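The decoding of a URL into protocol, server and resource, and the request/response message pair that follows, as an added Python example (not code from the report or from either party). It uses the URL from the text; the HTTP response it parses is a constructed sample, not a real reply from that server.

```python
"""Decompose a URL the way a browser does, build the HTTP request it sends,
and parse the HTTP response that comes back.

Added example; not code from the report. The response below is a constructed
sample (labelled as such), not a real reply from www.aubonpain.com.
"""
from urllib.parse import urlsplit


def decode_url(url: str) -> dict:
    """Return the three parts the browser extracts: protocol, server, resource."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an HTTP(S) URL: {url!r}")
    # An empty path means the server's default document; HTTP requests it as "/".
    resource = parts.path or "/"
    if parts.query:
        resource += "?" + parts.query
    return {"protocol": parts.scheme, "server": parts.hostname, "resource": resource}


def build_request(url: str) -> bytes:
    """Serialize the HTTP/1.1 request message the browser sends for the URL."""
    p = decode_url(url)
    lines = [
        f"GET {p['resource']} HTTP/1.1",
        f"Host: {p['server']}",   # a server hosting many sites uses this to pick one
        "Connection: close",      # one request/response pair, then close the connection
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split an HTTP response message into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    fields = status_line.split(" ", 2)
    code = int(fields[1])
    reason = fields[2] if len(fields) > 2 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": code, "reason": reason, "headers": headers, "body": body}


# Constructed sample response, in the form a web server would send back.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"<html>Menu</html>"
)

if __name__ == "__main__":
    print(build_request("http://www.aubonpain.com/menu").decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Running the block prints the request message exactly as it goes over the wire; the `Host` header is what lets one Internet server carry many websites under different names.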
` There are other more complicated communications that can also occur.
`For example, an Internet server can intercept the communication of information
`transferred back and forth between a web client and an Internet server. In this type
`of example, there is an intermediate server which is often called a web proxy server
`or intermediate host that establishes a communication link with the web browser and
`a separate communication link with the Internet server. In this case, instead of the
`browser communicating with the Internet server directly, it communicates instead
`with the web proxy server. Then, the web proxy server, in turn, communicates with
`the Internet server to retrieve the information requested in the URL from the Internet
`server on behalf of the browser. This information is then relayed back to the
`browser. Here, the endpoints of the communication are still the web browser and
`the Internet server, however, the web proxy server relays all communication in both
`directions.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`13
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 6 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
` Another example of complex Internet-based communications occurs
`when information is exchanged within a “session.” Even though each message pair
`can be considered independently, it is often the case that several message pairs are
`part of the same communication session.
` An example of this complex type of communication is when users log
`into their accounts on Target.com, browse for items to buy, put items in their carts,
`and then finally perform all the operations that are part of the checkout process.
`Each of these steps is carried out using one or more request/response message pairs.
`All of these interactions can be combined together to form a single session that lasts
`until the users log out of Target.com. One benefit of grouping these message pairs
`into a session is that it allows an Internet server to track user behavior and
`transactions through multi-step interactions.
` Yet another complex interaction in Internet communications is possible
`through the use of functionality in a browser program called “active content.”
`Active content allows an Internet Server to download a software program into a
`user’s browser where the software program is executed locally on the user’s
`computing device. Depending on the type of active content that the user’s
`computing device can support, this content can take several forms. For example,
`common forms of active content include JavaScript code, Java Applets, ActiveX
`controls, among many others. One of the benefits of active content is that it enables
`an improved user interface to the Internet server to be developed. The user only
`needs to remember to enter a URL text string, whereupon a graphic display of the
`information (which is sometimes animated by means of active content) is returned
`over the Internet.
` Furthermore, companies can setup servers that provide “applications”
`to specific users/employees. For example, a company can host applications on a
`server that can be used to provide Customer Management System (CMS)
`applications for its employees through a web-based interface. Because these
`14
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 7 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
applications are often more complex than a typical static webpage, and can reach out
`to databases, functions and other webpages, they can create many types of security
`vulnerabilities that are subject to being exploited by malicious software and bad
`actors.
`
`
`
`Secure Communications
` Communications over the Internet using HTTP and SMTP are secured
`using the Transport Layer Security (“TLS”) protocol which is more commonly
`known by its predecessor, the Secure Sockets Layer (“SSL”).
` TLS is a transport layer protocol that provides for secure
`communications by requiring the following steps:
`
`(1) the client computer sends a request to a server computer to initiate
`a handshake procedure;
`(2) the server computer responds by sending a digital certificate,
`which typically includes the server’s name, a certificate authority, and
`a public key that will be used to encrypt the transmission of a random
`number;
`(3) the client may contact the certificate authority to validate the
`certificate;
(4) if the client is satisfied that the certificate is valid, it sends a random
`number encrypted with the server’s public key to the server computer;
`and
`(5) both the client computer and the server computer then generate a
`unique session key using this random number that is subsequently
`used for the encryption and decryption of all further communications
`between the client and the server.
`
`
`
` Although other variations to this method exist, this method is the
`typical procedure for initiating a secure communication by generating and
`exchanging a private session key. Because the communications are encrypted with
`this private key, it is very difficult (essentially impossible) to read the
`communications. The use of TLS to secure HTTP communications is known as
`HTTPS (also known as HTTP over TLS, HTTP over SSL, or HTTP Secure).
`15
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 8 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`HTTPS is essentially encrypting the same HTTP data discussed above with a private
`key. Because TLS is a transport layer protocol, it can be used to secure other
`application layer protocols besides HTTP.
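The five handshake steps above, simulated with both sides' messages, as an added Python example (not code from the report or from either party). It is a teaching model of the RSA key exchange the text describes: textbook RSA with two small fixed primes and a SHA-256 keystream stand in for real public-key and symmetric ciphers so that it runs with only the standard library. Real TLS uses far larger keys and an authenticated cipher, and TLS 1.3 replaced this RSA exchange with ephemeral Diffie-Hellman. The server name, the certificate authority name and the request are constructed values.

```python
"""Simulated TLS handshake with RSA key exchange, following steps (1)-(5).

Added example, not code from the report. Toy parameters: the primes are
2^31-1 and 2^61-1 (constructed, far too small for real use) and the "cipher"
is an XOR keystream derived with SHA-256. Names are constructed placeholders.
"""
import hashlib
import hmac
import os

_P, _Q = 2147483647, 2305843009213693951   # demonstration primes only


class Server:
    def __init__(self, name: str, issuer: str):
        self.n, self.e = _P * _Q, 65537
        self.d = pow(self.e, -1, (_P - 1) * (_Q - 1))          # private exponent
        self.certificate = {"subject": name, "issuer": issuer, "public_key": (self.n, self.e)}
        self.session_key = None

    def handle_hello(self, client_random: bytes):             # step (2)
        self.client_random, self.server_random = client_random, os.urandom(32)
        return self.certificate, self.server_random

    def handle_key_exchange(self, encrypted_premaster: int):  # step (5), server side
        premaster = pow(encrypted_premaster, self.d, self.n).to_bytes(8, "big")
        self.session_key = derive_session_key(premaster, self.client_random, self.server_random)


class Client:
    def __init__(self, trusted_cas: set):
        self.trusted_cas, self.session_key = trusted_cas, None

    def connect(self, server: Server, expected_name: str):
        client_random = os.urandom(32)                         # step (1): ClientHello
        cert, server_random = server.handle_hello(client_random)
        # step (3): validate the certificate: trusted issuer and the name we meant to reach
        if cert["issuer"] not in self.trusted_cas:
            raise ValueError(f"untrusted certificate authority: {cert['issuer']}")
        if cert["subject"] != expected_name:
            raise ValueError(f"certificate is for {cert['subject']}, not {expected_name}")
        n, e = cert["public_key"]
        premaster = os.urandom(8)                              # step (4): random number (< n)
        server.handle_key_exchange(pow(int.from_bytes(premaster, "big"), e, n))
        self.session_key = derive_session_key(premaster, client_random, server_random)  # step (5)


def derive_session_key(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Both sides mix the secret random number with the two hellos into one session key."""
    return hmac.new(premaster, b"session key" + client_random + server_random, hashlib.sha256).digest()


def encrypt(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 keystream; decryption is the same call."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


REQUEST = b"GET /menu HTTP/1.1\r\nHost: www.example.com\r\n\r\n"   # constructed


def run_handshake(trust_ca: bool = True) -> tuple:
    """Return (keys_match, decrypted_request, ciphertext_differs), or (False, None, None)
    when the client rejects the certificate."""
    server = Server("www.example.com", "Example Root CA")
    client = Client({"Example Root CA"} if trust_ca else {"Some Other CA"})
    try:
        client.connect(server, "www.example.com")
    except ValueError:
        return False, None, None
    wire = encrypt(client.session_key, 1, REQUEST)             # what an eavesdropper sees
    return (client.session_key == server.session_key,
            encrypt(server.session_key, 1, wire), wire != REQUEST)


if __name__ == "__main__":
    print(run_handshake())
```

The point to notice is that the random number never travels in the clear: only its RSA encryption does, so only the holder of the server's private key can recover it and derive the same session key. The client-side checks in step (3) are what stop a server presenting someone else's certificate; with an untrusted issuer the handshake stops before any key is sent.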
` Lower Level Internet Communication
`
`In the prior sections, I described how, at a high level, a web browser
`interacts with an Internet server and how this interaction occurs in terms of HTTP
`and SMTP request and response messages. Although browsers and Internet servers
`communicate using these messages, these messages and others are actually
`transported over the Internet using additional lower-level communication protocols.
`
`In particular, the Transmission Control Protocol (“TCP”) and the
`Internet Protocol (“IP”) are almost always used together to enable the
`communications of messages such as HTTP Requests, HTTP Responses, or SMTP
`communications over the Internet. These messages are the information content
`stored inside units of data called IP packets. Each IP packet is like a postcard that is
`sent from one destination to another, where the content of the postcard is analogous
`to the HTTP request, HTTP response message, or SMTP communications.
` Each of these IP packets includes a source address and a destination
`address to identify the servers and browsers on the Internet, where the IP packet
`either originated, or where it is ultimately going. One could think of IP addresses as
`home addresses (e.g., 333 Middlefield Road, Suite 110, Menlo Park, CA) and of IP
`packets as postcards that are sent from one address to another address (e.g., from
`150 Fifth Avenue, Suite 1177, New York, NY, to 333 Middlefield Road Suite 110,
`Menlo Park, CA).
` As in the real world, IP packets, in most cases, are not sent directly
`between endpoints. The source host sends the IP packet to a router, which then
`decides if the IP packet can be sent directly to the destination host or needs to be
`sent to another router that is closer to the final destination. This is similar to what
`happens with postcards. The postcard is not delivered directly to the recipient, in
`16
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 9 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`most cases. Instead, the postcard is given to a post office (e.g., in New York, NY),
`which then sends it to a series of intermediate distribution hubs (e.g., in Georgia and
`Arizona), until it reaches a post office near the destination (e.g., in Menlo Park, CA).
`At this point the post office delivers the postcard to the house specified in the
`destination address, i.e., 333 Middlefield Road, Suite 110, Menlo Park, CA.
` The algorithms that are used to forward IP packets through a network
`of routers to their final destination are called IP routing algorithms. Similar to how
`it takes place with the physical mailing of postcards, an IP packet can get lost, or
`even modified in a way that makes it unusable. In these cases, the IP packet needs
`to be retransmitted. Moreover, if a message is split into multiple IP packets (similar
`to splitting a long letter into multiple postcards), it is possible for the IP packets to
`be received at their final destination in the wrong order.
` TCP supports retransmission of lost IP packets and the reordering of IP
`packets received in the wrong order. It accomplishes this by adding additional
`information (in the form of a sequence number) to each IP packet. In the example
`of where a letter is split into multiple postcards, the sender of the postcards would
`need to number each postcard so the recipient could put them in the correct order
`before reading them. A sequence number works in a very similar way – that is, the
`recipient can (1) verify that the IP packets have all been received and (2) read them
`in the right order.
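The sequence-number mechanism just described, as an added Python example (not code from the report): a message is split into numbered packets, the simulated network loses some and delivers the rest in reverse order, and the receiver uses the numbers to detect the gaps, ask for retransmission and put the pieces back in order. The message and the loss pattern are constructed so that the run is repeatable.

```python
"""Segmentation, loss, reordering and reassembly with sequence numbers.

Added example, not code from the report. The "network" drops a chosen set of
packets on the first attempt and reverses the order of the rest; the sender
retransmits from the first byte the receiver has not acknowledged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int          # byte offset of this payload within the whole message
    payload: bytes
    last: bool        # sender marks the final piece so the receiver knows where the end is


def segment(message: bytes, size: int) -> list:
    """Split a message into numbered packets (numbering each postcard)."""
    return [Packet(i, message[i:i + size], i + size >= len(message))
            for i in range(0, len(message), size)]


def unreliable_network(packets: list, drop_seqs: set) -> list:
    """Lose the packets in drop_seqs and deliver the survivors in reverse order."""
    return [p for p in packets if p.seq not in drop_seqs][::-1]


class Receiver:
    def __init__(self):
        self.buffer = {}      # seq -> packet, in whatever order it arrived

    def accept(self, packet: Packet) -> None:
        self.buffer[packet.seq] = packet

    def next_expected(self) -> int:
        """Cumulative acknowledgement: the first byte not yet received in order."""
        expected = 0
        while expected in self.buffer:
            expected += len(self.buffer[expected].payload)
        return expected

    def reassemble(self):
        """The whole message if every byte up to the last packet has arrived, else None."""
        end = self.next_expected()
        final = [p for p in self.buffer.values() if p.last]
        if not final or end < final[0].seq + len(final[0].payload):
            return None
        return b"".join(self.buffer[s].payload for s in sorted(self.buffer) if s < end)


def transfer(message: bytes, size: int = 8, drop_first_time: set = frozenset()) -> tuple:
    """Send the message until it is fully acknowledged; return (message, rounds)."""
    if not message:
        return b"", 0
    packets = segment(message, size)
    receiver = Receiver()
    outstanding, drops, rounds = packets, set(drop_first_time), 0
    while True:
        rounds += 1
        for packet in unreliable_network(outstanding, drops):
            receiver.accept(packet)
        drops = set()                                  # retransmissions get through
        result = receiver.reassemble()
        if result is not None:
            return result, rounds
        ack = receiver.next_expected()                 # receiver reports the first gap
        outstanding = [p for p in packets if p.seq >= ack]   # resend from there


MESSAGE = b"The quick brown fox jumps over the lazy dog"   # constructed sample

if __name__ == "__main__":
    print(transfer(MESSAGE, 8, {16}))
```

With the packet at offset 16 lost, the receiver holds offsets 0 and 8 in order, reports 16 as the next byte it needs, and the second round completes the message; the reversed delivery order never matters because reassembly sorts by sequence number.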
` Computer Network Security
` The goal of computer network security is to protect computing devices,
`network equipment, and servers linked to network equipment, in addition to the
`information that they store and exchange, from unauthorized access and
`modification. Computer network security is a very broad field, but I provide herein
`an oversimplified discussion for purposes of this Report.
` Generally speaking, there are two main classes of security mechanisms
`that are employed to provide computer network security. The first is network-based
`17
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 10 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`security mechanisms that operate on network traffic – that is, on the communication
`between network endpoints. The second is client-based security mechanisms that
`operate within a network endpoint – that is, usually at the operating system level.
` E-mail security is typically a type of network-based security that
`protects against web threats (such as malicious links contained within an e-mail) or
`malicious attachments that can be downloaded and executed on a user’s computer.
` An example of a network-based security mechanism is a security
`gateway. The security gateway relays information between the network endpoints
`that it protects (e.g., on a local area network) and external networks, typically
`connected over the Internet. There are two main types of security gateways: (1) on-
`premises gateways and (2) hosted gateways also known as “gateways in the cloud.”
`On-premise gateways sit at the perimeter of a network and reside at the physical
`location of the individual or business that owns the gateway. Hosted gateways, or
cloud gateways, reside at the physical location of a security provider. They are called
`hosted gateways because the security provider rather than the customer hosts them.
`The functionality of on-premise and hosted gateways is largely the same. Notably,
`both on-premise and hosted gateways typically contain multiple computers to
`perform the various security functions, and on-premise gateways can off-load
`processing to the cloud. While there may be architectural differences, the
`functionality is the same in that the computers work together as a gateway to
`analyze in-bound and out-bound traffic for malicious content. This in-bound and
`out-bound traffic includes a variety of traffic, including web traffic and e-mail
`traffic.
`
` Security gateways that are on-premise work very similarly to proxy
`servers. In particular, the on-premise security gateway can intercept the outbound
`request of the webpage and analyze it for suspicious attributes. If the request passes
`the security policy then the on-premise gateway can forward the request to the web
`server. This analysis may include checking a URL of the webpage against a local
`18
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 11 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`database, checking the URL against a database in the cloud, analyzing the request
`and generating a profile of the request in conjunction with other information, or
`sending characteristics of the request to the cloud for inspection.
` On inbound traffic, the flow is similar. For a webpage, the gateway
`will receive the webpage from a server on the web and analyze it for suspicious
`content. Examples of this analysis can include performing traditional signature
`detection on the webpage, detecting suspicious behavior by analyzing the operations
`of the content and generating a profile, or sending the webpage or characteristics of
`the webpage for further analysis in the cloud where the cloud could perform the
`same or additional tasks.
`
`In order to provide protection to the user, the system could allow or
`block the webpage based on whether it triggered a known malicious attack, or
`whether its behavior was suspicious as determined by its profile for an unknown
`malicious attack. As mentioned above, this analysis can be performed on the
`endpoint, the gateway, the cloud, or a combination of these products working
`together to provide a robust security solution. Furthermore, the results of the
`analysis, including the profile, can be stored in a local database, an offsite database
`in the cloud, or forwarded to another computer for further processing.
`
`In a slightly different architecture with the same functionality, the
`webpage can be sent from the gateway to the cloud. The webpage is then analyzed
`in the cloud. If the cloud determines that the content is safe, the cloud may allow
`the gateway to forward the webpage to the client. The cloud can perform a variety
`of analyses on the webpage, including signature detection or behavior detection.
`For example, the cloud is a gateway because it is analyzing the traffic before it is
`made available to the web client. In different architectures with the same
`functionality, there may be a combination of an on-premise device and a cloud to
`perform security processing. Here, the on-premise device and the cloud together
`form a gateway because they analyze traffic before it is made available to the client.
`19
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 12 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`In another architecture, there may be multiple devices at the perimeter that
`communicate with each other when analyzing requested webpages. This
`combination of the multiple on-premise devices, which can each perform discrete
tasks – including signature scanning or behavior scanning – is a gateway because
`they analyze incoming traffic that the client has requested.
` Typically when the cloud is discussed in the industry, it refers to a large
`group of servers that perform a variety of tasks. These servers are typically hosted
`in data centers across the country. From a security perspective, the cloud can
`perform the same functions that on-premise devices can perform. In order to take
`advantage of the cloud, Internet traffic is routed through the hosted devices in the
`cloud, including the request for a webpage and the response. The request and the
`response are analyzed in the same manner as they would be if the devices were
`local. The cloud is advantageous because customers do not have to install and
`maintain servers on their premise. The disadvantage is cost and a perceived lack of
`control as the customer does not physically have the appliance on site. In addition, a
`customer may choose a combination of hosted products and on-premise products.
`As noted above, these various architectures do not change the security functionality
`of the products.
` The cloud can perform a variety of tasks and can be updated in the
`same way as on-premise devices. For example, if a file appears dangerous, the
`cloud may be used to check the file against a cloud database that is populated using
signature and behavior based techniques. In the same way, the on-premise device
`can hold a database and can be populated with results from other on-premise devices
within the same corporate environment, different customers’ devices, or from
`analysis or updates provided from the cloud. Further, in the hosted architecture, the
`cloud may intercept all web traffic and check the traffic against its databases for
`security decisions where the databases are populated based on signatures and
`behavioral results.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`20
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 13 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
` Viruses and Malware
` Viruses and malware are harmful programs (or program fragments) that
`are downloaded or transferred by recordable media (i.e., floppy disk or USB flash
`drive) and installed on a user computer, often without their knowledge. The
`behavior of a virus or malware ranges from simply making a copy of itself, to
`annoying the user with strange computer problems, to invading the user’s privacy by
`stealing sensitive personal or private information, to using the user’s computer as a
`platform to attack other computers (as in denial-of-service attacks).
` Once successfully installed on a target system, many viruses and
`malware programs will attempt to communicate with the person who deployed them
`by sending messages to that person indicating that they have been successfully
`deployed. Such messages come in many forms, and are often referred to as a
`“beacon.” The messages may also be inserted into messages that a server sends out.
`Some viruses and malware, once deployed, will “exfiltrate” data from the targeted
system to their user. Others allow the user to gain access to the infected system, such
`as through a remote command shell interface that allows the user to perform actions
`within the system and to “pivot” to gain access to other servers and computers
`within the network.
` To prevent these harmful programs from infecting a user’s computer,
`anti-malware tools can be installed and executed on a security gateway. For
`example, a security tool in a security gateway may intercept a virus or malware
`before it reaches the user’s computer.
` Traditionally, an anti-virus software program compares a representation
`of the malware to the malware itself. This representation is often formed based on a
`pattern of bytes in the computer code that is unique to the virus program, and is
`called a “signature.” For example, a signature could be the bytes “08 201 251 A T
`M.” This six-byte sequence (three integers and three ASCII characters) may be
`present in a virus program but not observed in any other benign program (such as,
`21
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 14 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`Microsoft Word). Therefore, by looking for this string, one might identify the
`malware, without the risk of flagging benign programs as malicious.
` A traditional anti-virus software program maintains a list of such
`signatures, one for each malicious program that it can detect, and may be installed
`on the security gateway. In this case, the anti-virus program looks for a particular
`set of bytes in the representation of the code, and takes action based on whether or
`not a match has been found. For example, a security gateway that identifies a mail
`attachment as a virus may discard the message and notify the client that the message
`was designed to damage the computer.
` These signature-based approaches suffer from a number of problems.
`First, the approaches only detect malware after the fact. These approaches do not
`identify or block the vulnerabilities that were exploited to introduce the malware
`into the system in the first place. Such vulnerabilities can often be exploited to
`introduce any number of malware programs into a system until they are remediated.
` Additionally, if a new malware threat is created, the anti-virus program
`will not have a signature that detects this new malware until its list of signatures is
`updated to include an identification of the new malware threat. During the period
`between updates, the user is vulnerable to an infection until a signature is created
`and distributed to the anti-virus tool. Therefore, this approach can only identify
`previously known malware samples for which a signature has been developed and
`added to the list of signatures. As the number of malware programs grows, the list
`of signatures will also grow. Therefore, signature-based approaches are difficult to
`manage (e.g., distributing large lists of signatures becomes complicated) and slow
`(looking for all the signatures in every file downloaded can take a long time). In the
`computer industry, using virus signatures to check files for viruses is called a
`reactive technology, because the system has to be informed of a new malware
`program in order to protect against a virus program infection. The bottom line is that
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`22
`
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 15 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`signature-based anti-virus tools are only effective after a virus has been identified
`and, therefore, after it has done its harm.
` An alternative, more proactive, approach is to identify and close
vulnerabilities before malware is even introduced into a system. Because a large,
`complex system often has many potential points of access it can have a large
`number of potential vulnerabilities. It is important then to prioritize which potential
`vulnerabilities are most likely to actually permit malware into the system, so that the
`network operator can prioritize using the limited available resources to remediating
`the most pressing vulnerabilities. One way to prioritize potential vulnerabilities is to
`use a penetration testing tool that attempts to exploit potential vulnerabilities. When
`a potential vulnerability is successfully exploited by the penetration testing tool,
`then the vulnerability is validated and can be prioritized.
` To understand how behavior might be leveraged in order to detect
`viruses and malware, consider a scenario where a user inadvertently attempts to
`download a malware program via an HTTP request. The security gateway intercepts
`the program or webpage before it reaches the user’s computer. The content of this
`malware program is then analyzed to determine which operations might be
`performed. This analysis can be performed by analyzing the file itself to look at
operations within the file. These operations can then be compared to a security policy
`to determine whether the operations might signal malicious behavior. If the
`malware program is detected, the security gateway can block the program from ever
`reaching the user’s computer.
` Vulnerability Management
` Vulnerability management refers to the concept within the computer
`security field of identifying and remediating vulnerabilities. A vulnerability is a
`weakness in security that is subject to being exploited, which is when malicious
software or a bad actor uses the vulnerability to harm or attack a computer or
`network. To illustrate the concept by analogy to a non-computer context, a
`23
`
`MEDVIDOVIC EXPERT REPORT
`Case No. 4:18-cv-07229-YGR (TSH)
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 4:18-cv-07229-YGR Document 194-2 Filed 05/04/21 Page 16 of 31
`
`HIGHLY CONFIDENTIAL – ATTORNEYS EYES’ ONLY
`
`vulnerability would be leaving the back door to a house unlocked, and an exploit
`would be opening the unlocked back door to sneak into a house and steal valuable
`items from the house. There are many kinds of vulnerabilities and many kinds of
`exploits.
`
` Detecting vulnerabilities can involve scanning computers, web
`applications, and files on computers to identify vulnerabilities that leave the
`computers open to attack. Some vulnerabilities are caused by failing to “patch” or
`update software on computers, by using commands and web links that expose the
`computer to risk, or even through errors in the configuration settings or software.
` One way to identify and validate potential vulnerabilities is through
`penetration testing. Penetration testing refers to intentionally attacking a system to
`probe for weaknesses, including vulnerabilities that may be exploited. When
`conducted f