Case 5:17-cv-04467-BLF Document 313-9 Filed 11/24/20 Page 1 of 13

EXHIBIT H

APPENDIX D-2

6,804,780: SonicWall Capture Advanced Threat Protection (“ATP”)

The statements and documents cited below are based on information available to Finjan, Inc. at the time
this chart was created. Finjan reserves its right to supplement this chart as additional information becomes
known to it.

For purposes of this chart, “Capture ATP” means Capture Advanced Threat Protection (“ATP”). As
identified and described element by element below, Capture ATP infringes at least claims 1, 2, 9, 13, 14,
17, and 18 of the ’780 Patent.

Claim 1

1a. A computer-based method for generating a Downloadable ID to identify a Downloadable,
comprising:

Capture ATP meets the recited claim language because it performs a computer-based
method for generating a Downloadable ID to identify a Downloadable.

Capture ATP meets the recited claim language because Capture ATP performs a
method which generates a Downloadable ID by creating malware attack profiles
which include a hash to identify a Downloadable such as malware. The analysis
includes scanning the Downloadables which include references to software
components required to be executed by the Downloadable (e.g., suspicious web
page content containing HTML, PDFs, JavaScript, drive-by downloads,
obfuscated code, or other blended web malware). Capture ATP uses the
Downloadable ID to perform a hash lookup. Capture ATP also meets the claim
language because it generates a Downloadable ID for the Downloadable and
components of the Downloadable, and then generates a combined Downloadable
ID for the Downloadable and the related components.

As shown below, Capture ATP includes both hardware and software components
that receive a Downloadable through network traffic and generate a
Downloadable ID to identify the Downloadable.

FINJAN-SW 007657-60

As shown below, Capture ATP generates a Downloadable ID to identify a
Downloadable. The Downloadable ID is then provided to other SonicWall
Gateways and Cloud AV to protect all SonicWall products.

FINJAN-SW 005949-51

9b. a communications engine for obtaining a Downloadable that includes one or more
references to software components required to be executed by the Downloadable; and

Capture ATP meets the recited claim language because it provides a
communications engine for obtaining a Downloadable that includes one or more
references to software components required to be executed by the Downloadable.

Capture ATP meets the recited claim language because Capture ATP includes
software components or proxy software that is a communications engine that
obtains suspicious traffic flows for analysis through an application program
interface, and the content in these traffic flows includes Downloadables such as
web page and/or email attachments. These Downloadables include references to
software components required to be executed by the Downloadable (e.g.,
suspicious web page content containing HTML, PDFs, JavaScript, drive-by
downloads, obfuscated code, or other blended web malware).

Downloadables that include one or more references to software components
required to be executed by the Downloadable include a web page that includes
references to JavaScript, visual basic script, ActiveX, injected iframes, and a PDF
that includes references to JavaScript, swf files or other executables. Typically,
SonicWall characterizes them as drive-by-downloads or droppers as such
Downloadables are usually programmed to take advantage of a browser,
application, or OS that is out of date and has a security flaw. The initial
downloaded code is often small enough that it wouldn’t be noticed, since its job is
often simply to contact another computer where it can pull down the rest of the
code on to the computer. In particular, such software components are usually
programmed to be downloaded and run in the background in a manner that is
invisible to the user and without the user taking any conscious actions as just the
act of viewing a web-page that harbors this malicious code is typically enough for
the download and execution to occur.

Capture ATP includes a communications engine to obtain and scan
Downloadables that may include malware embedded in images, JavaScript, text,
and Flash files. As shown below, Capture ATP obtains and conducts analysis on
Downloadables such as Executable files (e.g., PE, Mach-O, DMG, bin, .com, .dat,
.exe, .msi, .msm, .mst), PDF files, Java (e.g., .class, .ear, .jar, .war), MS Office file
types, Flash and Silverlight applications, Script files, and installer files through an
application program interface.

FINJAN-SW 007657-60

As shown below, Capture ATP includes a communications engine for obtaining a
Downloadable that includes one or more references to software components
required to be executed by the Downloadable. Capture ATP analyzes files
including Executables (PE, Mach-O, DMG), PDFs, Office 97-2003, Office, and
Archives (.jar, .apk, .rar, .gz, .zip).

FINJAN-SW 005969-98

As shown below, Capture ATP includes a communications engine for obtaining
a Downloadable that includes one or more references to software components
required to be executed by the Downloadable. For instance, SonicWall detected
“Dropper.A_4743”, which was a top exploitation attempt captured by
SonicWall. Dropper files are references to software components required to
be executed by the Downloadable.

SonicWall Capture Threat Assessment.pdf

As shown below, Capture ATP detects “drive-by downloads” which are
references contained in Downloadables that are required to be executed by the
Downloadable.

Drive by downloads.pdf

As shown below, the Capture ATP allows executables, scripts, and DLLs to
detonate in a sandboxed environment. Capture ATP uses behavioral
inspection to find dropper files embedded in executable code and performs
hashing functions on them.

FINJAN-SW 005964-68

9c. an ID generator coupled to the communications engine that fetches at least one
software component identified by the one or more references, and for
performing a hashing function on the Downloadable and the fetched software components
to generate a Downloadable ID.

Capture ATP meets the recited claim language because it provides an ID generator
coupled to the communications engine that fetches at least one software
component identified by the one or more references, and for performing a hashing
function on the Downloadable and the fetched software components to generate a
Downloadable ID.

Capture ATP meets the recited claim language because Capture ATP is a system
that includes an ID generator (e.g., software coupled to the communications
engine) that performs multi-protocol capture of HTML, JavaScript, files and
EXEs and then performs a hash of the Downloadable and fetched software
components. Capture ATP creates a dynamically generated signature and/or a
malware attack profile for the Downloadable by performing a hashing function
using SHA-256, MD5, and/or SHA-1 on Downloadables (e.g., HTML, JavaScript
and other web-based files/executables), thereby performing a hashing function on
the Downloadable together with the fetched software components to generate a
Downloadable ID.

As shown below, Capture ATP includes an ID generator which analyzes a
Downloadable (e.g., PDF) and fetches software components identified by the one
or more references (e.g., a dropped file) within to determine whether it is
suspicious or not.

SonicWall Capture Threat Assessment.pdf

As shown below, Capture ATP is an ID generator that fetches a software
component identified by the one or more references in a Downloadable, and for
performing a hashing function on the Downloadable and the fetched software
components to generate a Downloadable ID. SonicWall detects “drive-by
downloads” which are references to software components in a Downloadable.

Drive by downloads.pdf

As shown below, Capture ATP obtains a Downloadable then generates a
Downloadable ID (e.g., the SHA-256, SHA-1, and/or MD5 hashes) to identify a
Downloadable (e.g., the exe file) together with the fetched software components
using hashes for both the file and the “parent” file. The ID generator is the
software running on a system that generates the hash value of the component and
the dropped file.

FINJAN-SW 005952-63

As shown below, Capture ATP includes an ID generator (e.g., component coupled
to the communications engine) which fetches software components identified by the
one or more references (e.g., dropped files). Dropped files are captured by
Capture ATP during sandboxing analysis as well as identified during static
analysis. As shown below, static analysis will break down code and look for
suspicious code and/or operations that include dropping files. Capture ATP
includes components which fetch software components identified by the one or
more references. SHA-256 hashes are generated together for the parent (dropper)
and target (dropped) files.

Dropper hash.pdf

Capture ATP obtains a Downloadable then generates a profile that includes
generating a Downloadable ID (e.g., the SHA-256 hash) to identify a
Downloadable. As shown below, the profile is then stored in SonicWall’s cloud
for further identification of Downloadables, including whether it is malicious and
to create a risk score.

FINJAN-SW 007636-650

As shown below, Capture ATP includes an ID generator that fetches at least one
software component identified by the one or more references, and performs a
hashing function on the Downloadable and the fetched software components to
generate a Downloadable ID. SonicWall Capture ATP generates a Downloadable
ID (e.g., the SHA-256, SHA-1, and/or MD5 hashes) to identify a Downloadable
(e.g., the exe file) together with the fetched software components using hashes for
both the file and the “parent” file.

FINJAN-SW 005952-63 (showing a SHA256, MD5, and SHA1 hash of a
Downloadable).

As shown below, the Capture ATP fetches components of a Downloadable during
dynamic analysis in a sandbox received through internet traffic.

FINJAN-SW 007657-60

As shown below, when Capture ATP discovers a malicious file, it creates a hash
function of the malicious file along with fetched components and sends the hash to
Capture ATP cloud databases and SonicWall Gateways.

FINJAN-SW 007657-60

As shown below, Capture ATP includes an ID generator that fetches at least one
software component identified by a reference in a file. Capture ATP detects files
that “connect[] to a command and control (c2) server and downloads additional
code.”

FINJAN-SW 005964-98

To the extent SonicWall argues that Capture ATP does not literally satisfy this
element, SonicWall meets this element under the doctrine of equivalents.

Capture ATP performs the same function as this claim element because they
receive downloaded content, such as HTML or JavaScript, that have referenced
components that are also downloaded by Capture ATP, and create an identity for
downloaded content. This is the same function as this element because this is an
identification of a downloaded content, including referenced components that are
downloaded.

Capture ATP performs this function in the same way as this claim element
because they download components that are used to create an identity for
downloaded content such as HTML or JavaScript. Capture ATP performs this
element the same way because the identity created can be used to identify
downloaded content that reference multiple components that are used by the
downloaded content.

Capture ATP achieves the same result as this claim element because they have
components that result in the creation of an identification in downloaded content,
such as HTML or JavaScript, and downloads multiple components referenced.
This is the same result as this claim element because Capture ATP uses this
identification to identify the downloaded content and its referenced components
for security decisions.

Claim 13

13. The system of claim 9, wherein the Downloadable includes HTML code.

Capture ATP meets the recited claim language because in addition to satisfying all
of the elements of Claim 9 as described above, the Downloadable includes HTML
code.

Capture ATP meets the recited claim language because Capture ATP performs the
functionality described in claim 9 on HTML.

For example, Capture ATP analyzes HTML code to determine whether it includes
applets, JavaScript, or other executable code. As shown below, Capture ATP
analyzes the HTML code for malicious attacks.

File Types Capture Supports _ Knowledge Base _ SonicWall.pdf at page 2.

FINJAN-SW 005969-98