Case 5:17-cv-04467-BLF Document 313-2 Filed 11/24/20 Page 1 of 8

EXHIBIT A

APPENDIX G-2

7,975,305

SonicWall Capture Advanced Threat Prevention (“Capture ATP”)
The statements and documents cited below are based on information available to Finjan, Inc. at the time this chart
was created. Finjan reserves its right to supplement this chart as additional information becomes known to it.

For purposes of this chart, “Capture ATP” is the cloud service and all support infrastructure maintained by
SonicWall, and includes the services and components in Exhibit A, as will be described in greater detail herein.
Based on public information, Capture ATP operates identically with respect to the identified claims and varies only
based on software specifications and/or deployment options.

As identified and described element by element below, Capture ATP infringes at least claims 1, 2, 5, 6, 7, 8, 9, 10,
11, 12, and 13 of the ’305 Patent.

Claim 1
1a. A security system for scanning content within a computer, comprising:
a network interface, housed within a computer, for receiving incoming content
from the Internet on its destination to an Internet application running on the
computer;

Capture ATP meets the recited claim language because it provides a security
system for scanning content within a computer, comprising: a network interface,
housed within a computer, for receiving incoming content from the Internet on its
destination to an Internet application running on the computer.

Capture ATP meets the recited claim language because it includes both hardware
(such as a network interface) and software (proxy software) components that can
receive content included in files (incoming content from the Internet on its
destination to an Internet application running on the computer) for inspection to
detect the presence of malware (a security system). The manner in which Capture
ATP meets this claim element is described in more detail below. Internet
applications include web browsers, FTP or file download clients, messaging
clients, and email client applications.

As depicted in the figure below, Capture ATP meets the recited claim language
because it includes both hardware and security software components that act as
network interface components within a security system in a computer because, as
shown below, they each receive downloaded content and perform security
functions related to that content within a security system when they provide
content security, application control, and network-wide threat
detection/prevention operations.

SonicWall Deep Packet Inspection over SSL.pdf at page 7.

Doctrine of Equivalents

To the extent that SonicWall contends that it does not literally infringe this claim
element, SonicWall infringes under the doctrine of equivalents. The above
described functionality of Capture ATP is at most insubstantially different from
the claimed functionality and performs substantially the same function in
substantially the same way to achieve substantially the same result.

The same function is performed by Capture ATP because it parses different types
of files that are constructed in accordance with different program code languages
in order to identify threats as suspicious code and exploits.

The same function is performed the same way because Capture ATP accesses a
set of rules stored in a database that enable it to parse program code written in
any number of different programming languages and identify threats as suspicious
code and exploits.

The same results are achieved because suspicious code and exploits are identified
as threats based on procedures performed by a content scanner that communicates
with a database that stores parser and analyzer rules.

1d. a network traffic probe, operatively coupled to said network interface and
to said rule-based content scanner, for selectively diverting incoming content
from its intended destination to said rule-based content scanner; and

Capture ATP meets the recited claim language because it includes a network
traffic probe, operatively coupled to said network interface and to said rule-based
content scanner, for selectively diverting incoming content from its intended
destination to said rule-based content scanner.

Capture ATP meets the recited claim language because it includes a network
traffic probe that scans the content included in files transmitted between a source
computer (e.g., Internet) and a destination computer (e.g., web client or
application) over a computer network. In this fashion, Capture ATP acts as a
network interface when it selectively facilitates the exchange of data between the
source and destination computers over the computer network while monitoring
network traffic.

For instance, as shown in the excerpt below, Capture ATP selectively diverts
incoming content from its intended destination when it inspects email traffic for
suspicious code and halts the transmission of a file between source and
destination computers based on the identification of suspicious content included
in the file being transmitted over the computer network. The file is
communicated to the AV scan engine (rule-based content scanner) for inspection
in order to identify the presence of any malicious code.

Selectively Divert- SonicWall Email Security 9.0 with Capture ATP to Detect
Zero-Day.pdf at page 2.

As shown in the figure below, Capture ATP selectively diverts incoming content
from its intended destination when it inspects email traffic for suspicious code and
halts the transmission of a file between source and destination computers based on
the identification of suspicious content included in the file being transmitted over
the computer network. The file is communicated to the AV scan engine
(rule-based content scanner) for inspection in order to identify the presence of any
malicious code.

SonicWall Deep Packet Inspection over SSL.pdf at page 7.

Doctrine of Equivalents

To the extent that SonicWall contends that it does not literally infringe this claim
element, SonicWall infringes under the doctrine of equivalents. The above
described functionality of Capture ATP is at most insubstantially different from
the claimed functionality and performs substantially the same function in
substantially the same way to achieve substantially the same result.

The same function is performed by Capture ATP because it selectively sends
identified content to SonicWall AV scan engines, static analysis, and dynamic
analysis for processing in order to identify threats as suspicious code and exploits.

The same function is performed the same way because Capture ATP uses
software proxies and/or network interfaces to selectively send identified content to
SonicWall AV scan engines, static analysis, and dynamic analysis for processing
in order to identify threats as suspicious code and exploits.

The same results are achieved because suspicious code and exploits are identified
as threats based on procedures performed by a file scanner that selectively
receives files to perform file inspections.

1e. a rule update manager that communicates with said database of parser and
analyzer rules, for updating said database of parser and analyzer rules
periodically to incorporate new parser and analyzer rules that are made
available.

Capture ATP meets the recited claim language because it includes a rule update
manager that communicates with said database of parser and analyzer rules, for
updating said database of parser and analyzer rules periodically to incorporate
new parser and analyzer rules that are made available.

Capture ATP meets the recited claim language because it includes an update
engine (a rule update manager) that enables communications modules utilized by
Capture ATP to communicate with an AV database (database of parser and
analyzer rules) in order to periodically update the parser and analyzer rules so that
newer parser and analyzer rules are made available. The manner in which Capture
ATP meets this claim element is described in more detail below.

As shown below, the AV scan engine of Capture ATP includes, or is
communicatively coupled to, an updating engine (rule update manager) that can
be configured to enable the AV database (database of parser and analyzer rules)
to receive periodic antivirus, anti-spam, and anti-phishing updates
every minute (incorporate new parser and analyzer rules that are made available).

2c097755-495f-425b-8033-0415fb959ce8.pdf at page 3.

Claim 13
13a. a method for scanning content within a computer, comprising:
receiving, at the computer, incoming content from the Internet on its
destination to an Internet application;

SonicWall Capture Advanced Threat Protection Service.pdf at page 2.

Capture ATP meets the recited claim language because it provides a method for
scanning content within a computer, comprising: receiving, at the computer,
incoming content from the Internet on its destination to an Internet application.

Capture ATP meets the recited claim language because it provides a method for
scanning content with a computer when it performs the step of receiving
incoming content through its use of receiving components. Capture ATP includes
both hardware (such as a network interface) and software (proxy software)
components that can receive content included in files (incoming content from the
Internet on its destination to an Internet application running on the computer) for
inspection to detect the presence of malware (a security system). The manner in
which Capture ATP meets this claim element is described in more detail below.
Internet applications include web browsers, FTP or file download clients,
messaging clients, and email client applications.

As depicted in the figure below, Capture ATP meets the recited claim language
because Capture ATP performs a method for scanning when it performs the step
of receiving incoming content from the Internet through its use of both hardware
and security software components that act as network interface components within
a security system in a computer. As shown below, they each receive downloaded
content and perform security functions related to that content within a security
system when they provide content security, application control, and network-wide
threat detection/prevention operations.

SonicWall Deep Packet Inspection over SSL.pdf at page 7.

In one scenario, as shown in the figure above, Capture ATP includes software
and/or hardware to communicate with SonicWall Gateways and SonicWall GRID
Network Data Center and includes the functionality to retrieve and store data in
databases resident therein.

With further reference to the figure above, Capture ATP includes a network
interface housed within a computer because it includes both hardware and
software components that scan content included in files transmitted between a
source computer (e.g., Internet) and a destination computer (e.g., web client or
application) over a computer network. In this fashion, Capture ATP acts as a
network interface when it facilitates the exchange of data between the source and
destination computers over the computer network (using, e.g., a communications
bus or application programming interfaces (APIs)).