`Case 4:18-cv-07229—YGR Document 198-5 Filed 05/18/21 Page 1 of 6
`
`EXHIBIT D
`
`EXHIBIT D
`
`
`
`Case 4:18-cv-07229-YGR Document 198-5 Filed 05/18/21 Page 2 of 6
`Case 4:18-cv-07229—YGR Document 198-5 Filed 05/18/21 Page 2 of 6
`
`APPENDIX F
`
`
`
`
`APPENDIX F
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 4:18-cv-07229-YGR Document 198-5 Filed 05/18/21 Page 3 of 6
`
`US Patent No. 8,225,408
`Method and System for Adaptive Rule-based Content Scanners
`Claim 1
`
`1
`
`The Qualys Accused Products perform a multi‐lingual method for scanning incoming
`program code that a user attempts to download from the Internet. The program
`code is diverted to the Accused Products for analysis if the program code appears
`suspicious or is of a certain file type. Each Accused Product performs static,
`dynamic and behavioral analysis of received downloaded program code to identify
`exploits, and uses internal databases (as described below) to parse and analyze
`program code to detect exploits indicating that the program code is suspicious or
`malicious.
`
`1a. A computer processor‐based multi‐lingual method for scanning
`incoming program code, comprising:
`
`1b. receiving, by a computer, an incoming stream of program
`code;
`
`1c. determining, by the computer, any specific one of a plurality of
`programming languages in which the incoming stream is written;
`
`1d. instantiating, by the computer, a scanner for the specific
`programming language, in response to said determining, the
`scanner comprising parser rules and analyzer rules for the specific
`programming language, wherein the parser rules define certain
`patterns in terms of tokens, tokens being lexical constructs for the
`specific programming language, and wherein the analyzer rules
`identify certain combinations of tokens and patterns as being
`indicators of potential exploits, exploits being portions of program
`code that are malicious;
`
`1e. identifying, by the computer, individual tokens within the
`incoming stream;
`
`1f. dynamically building, by the computer while said receiving
`receives the incoming stream, a parse tree whose nodes represent
`tokens and patterns in accordance with the parser rules;
`
`1g. dynamically detecting, by the computer while said dynamically
`building builds the parse tree, combinations of nodes in the parse
`tree which are indicators of potential exploits, based on the
`analyzer rules; and
`
`1h. indicating, by the computer, the presence of potential exploits
`within the incoming stream, based on said dynamically detecting.
`
`1
`
`© 2018 Finjan, Inc. ALL RIGHTS RESERVED
`Subject to FRE 408
`
`
`
`Case 4:18-cv-07229-YGR Document 198-5 Filed 05/18/21 Page 4 of 6
`
`US Patent No. 8,225,408
`Method and System for Adaptive Rule-based Content Scanners
`Claim 1
`1a. A computer processor‐based multi‐lingual method for scanning
`incoming program code, comprising:
`
`1b. Contention 1 – The Accused Products, each resident on the Qualys Cloud,
`receive an incoming stream of computer code
`
`2
`
`1b. receiving, by a computer, an incoming stream of program
`code;
`
`1c. determining, by the computer, any specific one of a plurality of
`programming languages in which the incoming stream is written;
`
`1d. instantiating, by the computer, a scanner for the specific
`programming language, in response to said determining, the
`scanner comprising parser rules and analyzer rules for the specific
`programming language, wherein the parser rules define certain
`patterns in terms of tokens, tokens being lexical constructs for the
`specific programming language, and wherein the analyzer rules
`identify certain combinations of tokens and patterns as being
`indicators of potential exploits, exploits being portions of program
`code that are malicious;
`
`1e. identifying, by the computer, individual tokens within the
`incoming stream;
`
`1f. dynamically building, by the computer while said receiving
`receives the incoming stream, a parse tree whose nodes represent
`tokens and patterns in accordance with the parser rules;
`
`1g. dynamically detecting, by the computer while said dynamically
`building builds the parse tree, combinations of nodes in the parse
`tree which are indicators of potential exploits, based on the
`analyzer rules; and
`
`1h. indicating, by the computer, the presence of potential exploits
`within the incoming stream, based on said dynamically detecting.
`
`Each of the Accused Products, executed on a node that is part of the Qualys Cloud
`computing environment, includes a receiver component on a node that receives
`content based on a client device requesting the content from a source computer,
`such as the Internet. As shown below, the content is received by each Accused
`Product, (via the receiver) when a particular client device requests content provided
`by a source computer.
`
`2
`
`© 2018 Finjan, Inc. ALL RIGHTS RESERVED
`Subject to FRE 408
`
`
`
`Case 4:18-cv-07229-YGR Document 198-5 Filed 05/18/21 Page 5 of 6
`
`US Patent No. 8,225,408
`Method and System for Adaptive Rule-based Content Scanners
`Claim 1
`
`3
`
`1a. A computer processor‐based multi‐lingual method for scanning
`incoming program code, comprising:
`
`1b. Contention 2 – The Accused Products, each resident on Appliance Scanners,
`receive an incoming stream of computer code
`
`1b. receiving, by a computer, an incoming stream of program
`code;
`
`1c. determining, by the computer, any specific one of a plurality of
`programming languages in which the incoming stream is written;
`
`1d. instantiating, by the computer, a scanner for the specific
`programming language, in response to said determining, the
`scanner comprising parser rules and analyzer rules for the specific
`programming language, wherein the parser rules define certain
`patterns in terms of tokens, tokens being lexical constructs for the
`specific programming language, and wherein the analyzer rules
`identify certain combinations of tokens and patterns as being
`indicators of potential exploits, exploits being portions of program
`code that are malicious;
`
`1e. identifying, by the computer, individual tokens within the
`incoming stream;
`
`1f. dynamically building, by the computer while said receiving
`receives the incoming stream, a parse tree whose nodes represent
`tokens and patterns in accordance with the parser rules;
`
`1g. dynamically detecting, by the computer while said dynamically
`building builds the parse tree, combinations of nodes in the parse
`tree which are indicators of potential exploits, based on the
`analyzer rules; and
`
`1h. indicating, by the computer, the presence of potential exploits
`within the incoming stream, based on said dynamically detecting.
`
`Each of the Accused Products executed on Appliance Scanners, dispersed over a
`computer network, includes a receiver component that receives content based on a
`client device requesting the content from a source computer, such as the Internet.
`As shown below, the content is received by each Accused Product (via the receiver
`of the Appliance Scanner) when a particular client device requests content provided
`by a source computer.
`
`3
`
`© 2018 Finjan, Inc. ALL RIGHTS RESERVED
`Subject to FRE 408
`
`
`
`Case 4:18-cv-07229-YGR Document 198-5 Filed 05/18/21 Page 6 of 6
`
`US Patent No. 8,225,408
`Method and System for Adaptive Rule-based Content Scanners
`Claim 1
`1a. A computer processor‐based multi‐lingual method for scanning
`incoming program code, comprising:
`
`1b. Contention 2 – The Accused Products, each resident on Appliance Scanners,
`receive an incoming stream of computer code (continued)
`
`4
`
`1b. receiving, by a computer, an incoming stream of program
`code;
`
`1c. determining, by the computer, any specific one of a plurality of
`programming languages in which the incoming stream is written;
`
`1d. instantiating, by the computer, a scanner for the specific
`programming language, in response to said determining, the
`scanner comprising parser rules and analyzer rules for the specific
`programming language, wherein the parser rules define certain
`patterns in terms of tokens, tokens being lexical constructs for the
`specific programming language, and wherein the analyzer rules
`identify certain combinations of tokens and patterns as being
`indicators of potential exploits, exploits being portions of program
`code that are malicious;
`
`1e. identifying, by the computer, individual tokens within the
`incoming stream;
`
`1f. dynamically building, by the computer while said receiving
`receives the incoming stream, a parse tree whose nodes represent
`tokens and patterns in accordance with the parser rules;
`
`1g. dynamically detecting, by the computer while said dynamically
`building builds the parse tree, combinations of nodes in the parse
`tree which are indicators of potential exploits, based on the
`analyzer rules; and
`
`1h. indicating, by the computer, the presence of potential exploits
`within the incoming stream, based on said dynamically detecting.
`
`As shown below, Scanner Appliances dispersed as endpoints throughout a
`computer network, receive content based on a client device requesting the content
`from a source computer, such as the Internet.
`
`receiver
`
`4
`
`© 2018 Finjan, Inc. ALL RIGHTS RESERVED
`Subject to FRE 408
`
`