`
`FILE HISTORY
`60/030,639
`
`INVENTORS: SHLOMO TOUBOUL KEFAR HAIM, (IL)
`
`TITLE:
`
`SYSTEM AND METHOD FOR
`PROTECTING A COMPUTER FROM
`HOSTILE' DOWNLOADABLES
`
`FILED:
`
`08 NOV 1996
`
`COMPILED:
`
`11 MAR 2015
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0001
`
`
`
`~9'
`
`I~'
`
`I.... f
`
`CLASS
`
`I wwLAss -
`
`GROUP ART UNrr
`
`I -
`
`I I'~*
`
`ii
`
`J
`
`.1
`
`l~Ii*l
`
`El*.'
`
`I.
`
`* CI
`
`I'
`
`*
`
`.
`
`*.
`
`,,.1
`
`2'
`
`2. .2
`4,~***.*'*
`
`* I,'
`
`'-I
`
`TIiN'5~ 2~ ~r Ii 'ji
`
`*2 ~t: $
`
`*
`
`~
`
`~*1
`
`I.
`
`*2
`
`andAdmomledge
`
`III
`
`--F-mp
`
`. , *I iI I I t
`
`* '1'.!
`
`! " I I 61J
`
`-'I
`
`FI-I1-4' .[P I1
`
`1r1Ii
`
`1 *t
`
`Jii v
`I:C
`
`I.f'
`
`iii ~
`
`U.& DEPT. OFPCONMWPAT,.A TM-PT0-436L f~24
`
`Form PTO-1 626
`(Rev. 5M95
`
`I,
`
`(FACE)
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0002
`
`
`
`60/030,639
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER FROM
`HOSTILE DOWNLOADABLES
`
`Transaction History
`
`Transaction Description
`Date
`12/3/1996 Initial Exam Team nn
`1/3/1997 Preexamination Location Change
`4/12/2001 Official Search Conducted
`4/12/2001 Case Reported Lost
`5/7/2001 Termination of Official Search
`5/23/2001 Termination of Official Search
`5/23/2001 Case Found
`9/21/2001 Set Application Status
`
`
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0003
`
`
`
`rA I tN IrrL16A
`
`I
`
`00- APPROVED FOR LICENSE
`
`60030639
`
`INITIALS!
`
`CONTENTS,J
`
`____
`
`/-%i5- 6
`
`(FRONT)
`
`-9 arr
`
`10.
`
`91.
`
`12.
`
`14.,
`
`15. -
`
`17. -
`
`19. -
`
`-20.
`
`-
`
`.22. -
`
`23. -
`
`24.-
`
`25..-
`
`26.-
`
`27. -
`
`28. -
`
`29. -
`
`30.-
`
`-32.-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0004
`
`
`
`"r
`
`I
`
`ID NO.
`
`DATE,
`
`________
`
`____
`
`,2q1T
`
`'~m
`
`POSITION
`CLASSIFIER
`EXAMINER
`
`TYPIST
`VERIFIER
`
`__
`
`CORPS CORR.
`SPEC._HAND
`FILE MAINT__
`DRAFTING__
`
`_
`
`2,
`
`__
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_______
`
`_
`
`__
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`__
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`__
`
`_
`
`_
`
`_
`
`__
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`__
`
`(LEFT INSIDE)
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0005
`
`
`
`in1
`
`L.hnlLu!
`
`trip.
`
`i~4
`
`BVkf
`
`WI'
`
`I',
`
`
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0006
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0006
`
`
`
`
`BAR CODE LABEL
`
`SERIAL NUMBER
`
`60/030,639
`PROVISIONAL
`
`-1"
`
`U*.S. PATENT APPLICATION
`
`FILING DATE
`
`CLASS
`
`GROUP ART UNIT
`
`11/08/96
`
`__________________________
`
`z SHLOMO TOUBOUL, KEFAR HAIM, ISRAEL.
`
`**CO(NTINUING DATA*********.*******
`VERIFIED
`
`**FOREIGN/PCT APPLICATIONS*,****** *****
`VERIFIED
`
`STATE OR
`COUNTRY
`
`SHEETS
`DRAWING
`
`TOTAL
`CLAIMS
`
`INDEPENDENT
`CLAIMS
`
`FILING FEE
`RECEIVED
`
`ATTORNEY DOCKET NO..
`
`ILX
`
`7.
`
`EPPA HITE
`S CARTER DEFILIPPO& FERRELL
`SUITE 200
`S 2225,EAST BAYSHORE ROAD
`PALO.ALTO CA 94303
`
`$150.00
`
`D-558
`
`SYSTEM AND-METHOD FOR PROTECTING A COMPUTER FROM HOSTILE
`DOWNLOADABLES
`
`This is to certify that annexed hereto is a true copy from the records of the United States
`Patent and Trademark.Off ice of the'application wbich is.identified above.
`By authority of the
`COMMISSIONER OF PATENTS AND TRADEMARKS
`
`Dati
`
`Certifying Officer:
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0007
`
`
`
`PATENT APPLICATION SERIAL NO. 6 0/03 08f) ol
`
`U.S. DEPARTMENT OF COMMERCE
`PATENT AND TRADEMARK OFFICE
`FEE RECORD SHEET
`
`PM701556
`(5/87).
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0008
`
`
`
`60/'030639
`'4'Patent and TrademaTk Office, U.S. DEPARTMENT OF~ COMMERCE.
`
`PROVISIONAL APPLICATION FOR PATENT COVER SHEET
`
`PTO/SB/16 (11-95)
`
`___________INVENTOR(s)
`
`a request for.filing a PROVISIONAL APPLICATION FOR PATENT under 37 CPR 1.53 (b)(2) &-1.51(a)()()
`Type a plus sign ()
`1Docket No.D-558
`l inside this box -
`IAPPLICANT(s)
`[RESIDENCE (CITY AND EITHER STATE OR FOREIGN
`COUNTRY)
`
`LAST NAME
`
`FIRST NAME
`
`____________________
`
`MIDDLE
`INITIAL
`
`Touboul
`
`Shlomo
`
`Kefar Haim, Israel
`
`TITLE OF INVENTION (280 characters max)
`System and Method for Protecting A Computer from Hostile Downloadables
`
`CORRESPONDENCE ADDRESS
`
`Eppa Hite
`Carr, DeFilippo & Ferrell LLP
`2225 East Bayshore Road, Suite 200
`Palo Alto
`
`Tel.: (415) 812-3428
`Faxk: (415) 812-3444
`
`[X Specification
`
`ENCLOSED APPLICATION PARTS (check all that Mplyi
`1] Small Entity Statement
`[231
`Number of Pages
`
`[XI Drawing(s)
`
`Number of Sheets
`
`[7]1
`
`IX.] Other (specify): 9 page "Appendix"
`
`METHOD OF PAYMENT OF HUNG FEES FOR THIS PROVISIONAL APPLICATION, FOR PATENT
`[lA check or money order is enclosed to cover the filing fees.
`[tJThe Commissioner is hereby authorized to charge the filing fees and credit
`Filing Fee
`rDeposit Account No. 06-060.
`[ IcThe Commissioner is hereby authorized to charge payment of the following Amount ()
`fees.associated with this communication or credit any overpayment to Deposit
`Account No. 06-0600. A d uce
`o this sheet is attached.
`The invention was made by an agency of the United States Government or under a contract with an agency of the
`United States Government.
`XI No.
`Yes, the name of the US. Government agency and the Government contract member are:_ ______
`V
`
`$150.00
`
`Respectfully submitted,
`Siomo Touboul
`
`Eppa fhfi, Rg. No. 30,266
`Carr, DeFilippo & Ferrell LLP
`2225 East Bayshore Road, Suite 200.
`Palo Alto, CA 94303
`Tel.: (415) 812-3428
`Fax: (415) 812-3444
`
`Send To:
`
`Date:
`
`-
`
`9'
`
`Box Provisional Application,
`Assistant CommTIssioner for Patents
`Washington, D.C. 20231
`
`I JAdditional inventors are being named on separately numbered sheets attached hereto.
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0009
`
`
`
`60/03 OBR,q
`
`IN THE
`
`UNITED STATES PATENT AND TRADEMARK OFFICE'
`
`APPLICANT:
`
`SERIAL NO.:
`
`Touboul, Shlomo
`
`Unknown
`
`
`
`FILING DATIlE:
`
`On Even Date Herewith
`
`TITLE:
`
`System and Method fro protecting a.Computer from
`Hostile Downloadables
`
`EXAMINER:
`
`Unknown
`
`GROUJP ART
`
`UNIT:
`
`Unknown
`
`ATTY.DKT-N
`
`J0.:
`
`PA-558
`
`ASSISTANT COMMISSIONER FOR PATENTS
`WASHINGTON, D.C. 20231
`
`SIR:
`
`CERT IFICATE OF EXPRESS MAIL
`EM383068528US.
`
`"Express Mail" mailing label number EM383068528US-
`
`Date of Deposit:
`
`NOVEMB5ER 8. 1996
`
`I hereby certify that this paper or fee is being deposited with the United States Postal
`Service "Express Mail Post Office to Addressee" service under 37 CFR 1.10 on the
`date indicated above,and is addressed to Assistant Comrmissioner for Patents,
`Washington, D.C. 20231.
`
`Depo sited by:-
`
`.Theresa Sueoka
`
`I
`
`(Sinture
`
`f pesnNalgppr
`
`or.fee)
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0010
`
`
`
`/660
`
`//t o 4r
`
`5
`
`1.
`
`Feld ofthePAnentio
`
`44
`
`Th FedIn tnv
`
`a ection ofcrety vr10,0
`
`individual computer networks owned by governments, universities,
`
`nonprofit groups and companies, and is expanding. at an adccelerating
`
`rate. Because the Internet is public,. the Internet has become 'a major,
`
`15
`
`source -of many system damaging and system fatal application
`
`programs, commonly referred to as "viruses."
`
`Accordingly,- programmers continue
`
`to design computer
`
`security systems for blocking these viruses from attacking both
`
`individual and network computers. On the most part, these security
`
`20
`
`system's have been relatively successful. However,
`
`these security
`
`systems are not configured
`
`to recognize -computer viruses which
`
`have been attached
`
`to DownJoadable application programs,
`
`-1-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0011
`
`
`
`PATENT
`
`commonly referred to as "applets" Or "Downloadables." A
`
`Downloadable is an executable application program which
`
`is''
`
`automatically downloaded from a source computer and run on the
`
`destination computer. Examples of Downloadables include applets
`
`5
`
`designed for 'use in the JavaT'
`
`distributing environment produced by
`
`Sun Microsystems or for use in the Active X distribu ting
`
`environment produced by Microsoft Corporation. Therefore, a
`
`system and method are needed
`
`to protect' computers from. viruses*
`
`attached to
`
`these Downloadables.
`
`-2-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0012
`
`
`
`PATENT
`
`SUMMARY OF THE* INVENTION
`
`The present invention provides a system for protecting a
`
`computer from'hostile Downloadables. The system comprises an-
`
`interface for receiving a Downloadable, a first memory portion
`
`5
`
`storing security policies and a second memory portion storing known
`
`hostile Downloadables. The system further comprises a first
`
`comparator, coupled to the interface and to the first memory portion,
`
`for discarding
`
`the received Downloadable when -it matches one, of the
`
`known hostile Downloadables.
`
`The system further comprises a
`
`10-
`
`second comparator, coupled -to the first comparator and to the second
`
`memory portion, for discarding the received Downloadable if it
`
`violates one. of security policies.
`
`The present invention further provides a method for. protecting
`
`a computer from hostile Downloadables.
`
`'The method comprises
`
`the
`
`15
`
`steps of receiving a Downloadable, discarding
`
`the received
`
`Downloadable when the received Downloadable matches a
`
`predetermined hostile Downloadable, obtaining Downloadable
`
`security profile data on 'the received Downloadable when the
`
`Downloadable does not match a predetermined hostile Downloadable
`
`20 and 'discarding
`
`the received Downloadable when
`
`the Downloadable
`
`security profile data,'violates
`
`'a predetermined security policy.
`
`-3-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0013
`
`
`
`PATENT
`
`The system and method of the present invention provide
`
`computer protection from potentially hostile computer viruses which
`
`have,been attached
`
`to Downloadables. The system and method of
`
`the present invention advantageously
`
`identifies both known hostile
`
`5 Downloadables and identifies potentially hostile commands, by
`
`decomposing unknown Downloadables.
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0014
`
`
`
`PATENT
`
`FIG. 1 is a block diagram illustrating a network system in
`
`accord ance with
`
`the present invention;
`
`FIG. 2 is a block diagram illustrating
`
`the internal network
`
`5
`
`security system of FIG. 1;
`
`FIG. 3 is a block diagram illustrating. the security program of
`
`FIG. 2;
`
`FIG. 4 is a flow 'chart illustrating an 'example security policy of
`
`FIG. 2;
`
`10
`
`FIG. 5 ;is a block diagram illustrating the security management.
`
`console of FIG. 1;
`
`FIG. 6 is. a flowchart illustrating a method for protecting. an
`
`internal computer network from hostile Downloadables; and
`
`FIG. 7 is a flowchart illustrating the FIG. 6 method'for
`
`15
`
`decomposing a Downloadable.
`
`-5-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0015
`
`
`
`PATENT
`
`FIG. 1 is a block diagram illustrating.'a network system 100 -in
`
`accordance with' the present invention. Network system 100
`
`includes an external computer network 105,- such as, the 'Wide Area
`
`5Network (WAN) commonly referred to as the Internet,, coupled via. a
`
`signal bus 125 to an internal network security- system 110. Network
`
`system 100 further includes an internal computer network 115, such
`
`as a corporate Local Area Network (LAN), coupled via a signal bus
`
`130 to internal network computer system 110 and coupled via a
`
`10
`
`signal bus 135 to a security management console 120.
`
`Internal network security system 1.10 examines Downloadables
`
`received from external compu ter network 105, and prevents all
`
`recogni zably- hos tile Downloadables, from reaching
`
`internal computer
`
`network 115. A Downloadable
`
`is hostile if it threatens the' integrity
`
`15
`
`of an internal computer network 115'component.
`
`Security
`
`management console 120 enables modification of internal network.
`
`security. system 110.
`
`FIG. 2 is a block diagram of a internal network security system
`
`20
`
`110 which includes a Central Processing Unit. (CPU) 205, such as. a
`
`Motorola Power PCO microprocessor or an Intel Pentium'
`
`microprocessor, coupled
`
`to a signal bus 220.
`
`Internal network
`
`-6-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0016
`
`
`
`PATENT
`
`security system 110 further
`
`includes an external communications
`
`interface 210 coupled between signal bus 125 and 'signal bus. 220
`
`for receiving, the. Downloadables from external computer network.
`
`105, and an internal 'communications
`
`interface -225 coupled between'
`
`5
`
`signal bus 220 and signal bus 130 for forwarding non-hostile
`
`Downloadables
`
`to internal computer. network '115. Alternatively,
`
`external communications
`
`interface 210 'and
`
`internal communications
`
`interface 225. may be functional components
`
`'of an integral
`
`communications interface .(not shown). for -both receiving
`
`10
`
`Downloadables 'from external computer network 105
`
`'and forwarding
`
`non-hostile Downloadables
`
`to 'internal computer network 115.
`
`Internal network security sygtem..110 further includes
`
`Input/Output (I/O)
`
`interfaces 215 such as, a keyboard,: mouse and
`
`.Cathode Ray Tube -(CRT) display, a data storage device 230.such. as
`
`15
`
`Read Only Memory (ROM) or magnetic. disk,, and a Random-Access
`
`Memory (RAM) 235, each being coupled to signal bus 220. Data
`
`storage device 230 stores a security database 240, which includes
`
`security policies and Downloadable data on for determining whether
`
`a received. Downloadable
`
`is hostile, and stores an events log. 245
`
`20
`
`which includes
`
`the determination results for each Downloadable. An
`
`operating system 250 controls. processing by CPU 205,'and is
`
`typically stored data storage device 230 and loaded into RAM 235
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0017
`
`
`
`PATENT
`
`for execution. A security program .255 controls operations of
`
`internal network security system 110, and.also may 'be stored in
`
`data storage device 230 and loaded into RAM 235 for execution by
`
`CPU 205.
`
`FIG. 3 is a block diagram illustrating details of security
`
`program 255.
`
`'Security program..255 includes an ID generator 315, a
`
`first comparator 320 coupled to, ID. generator 315, a code scanner
`
`coupled to first comparator 320, a second comparator 330 coupled to
`
`10
`
`code scanner 325 and to first comparator,- 320, and- a record-keeping
`
`engine 335 coupled to first comparator 320'aud to -second
`
`comparator 330.
`
`S ecurity. program 255 operates
`
`in conjunction with security
`
`database 240 and events
`
`log 245. Security database 240 stores
`
`15
`
`secur ity policies 305, in a first data storage device 230 portion,
`
`known Downloadables 307 in a second data storage device 230
`
`portion and Downloadable Security Profiles (DSPs) data
`
`corresponding
`
`to the-known Downloadables 310 in a third-data.
`
`storage device 230 portion. Security policies 305 include'a list of
`
`20
`
`computer operations which, are. deemed to be'potentially hostile
`
`to
`
`the integrity of internal
`
`'computer network 115. Potentially hostile
`
`operations- may include READ/WRITE operations on a system
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0018
`
`
`
`PATENT
`
`configuration file, READ/WRITE operations on a document containing
`
`trade secrets, or any other operation that a user deems potentially
`
`hostile. Known Downloadables 307 may include Downloadables
`
`which Original Equipment Manufacturers (OEMs) know
`
`to be hostile,
`
`5
`
`Downloadables which OEMs know to be non-hostile, Downloadables
`
`which second comparator 330 (described below) has previously.
`
`determined
`
`to be hostile, and Downloadables which second
`
`comparator 330 (described below) has previously determined
`
`to be
`
`non-hostile. DSP data 310 includes
`
`the fundamental computer
`
`10.
`
`operations
`
`included in each known Downloadable 307, and may
`
`include, READs, WIRITEs, file management operations, system
`
`management operations, memory management operations and CPU
`
`allocation operations.
`
`ID generator 315 receives Downloadables from external
`
`15
`
`computer network 105 via external communications
`
`interface 210,
`
`and which generates a digital signature for each Downloadable. A
`
`digital signature may include a Downloadable identification' number,
`
`the Downloadable type, the Downloadable source and
`
`the
`
`Downloadable destination.
`
`20-
`
`First comparator 320 receives. and bit-wise compares
`
`the,
`
`Downloadables from ID generator 315 with known Downloadables
`
`307 stored- in security database 240.
`
`If first comparator 320
`
`-9-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0019
`
`
`
`PATENT
`
`determines a received Downloadable is identical to a known hostile
`
`Downloadable 307, then. first comparator. 320 discards
`
`the received
`
`Downloadable, and forwards a non-hostile Download able to the
`
`ititended destination
`
`to inform the user that internal network
`
`5
`
`security system 110 discarded
`
`the Downloadable.
`
`If first
`
`comparator 320 determines 'that
`
`the received Downloadable
`
`is
`
`identical
`
`to -a known non-hostile Downloadable 307,
`
`then first
`
`comparator 320 forwards
`
`the received Downloadable and the
`
`corresponding DSP data 310 to second comparator 330.
`
`If first
`
`10
`
`comparator 320'determines
`
`that the received Downloadable d oes
`
`not match a known Downloadable (i.e., an "unknown Downloadable"),
`
`then first comparator 320 forwards
`
`the received Downloadable
`
`to
`
`code scanner 32 .5 (described below).
`
`In any case,'first comparator
`
`320 then sends a* status report to record-keeping engine 335
`
`15
`
`(described below).
`
`Code scanner 325 receives unknown Downloadables from first
`
`comparator 320 and uses conventional parsing' techniques
`
`to
`
`decompose the byte code of the unknown Downloadable into DSP'
`
`data. Code scanner 325 then sends the Downloadable and the
`
`20
`
`corresponding 'DSP data to. second comparator 330.
`
`Second comparator 330 receives
`
`the Downloadable and the
`
`corresponding, DSP data either from code scanner 325 or. from first
`
`-10-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0020
`
`
`
`PATENT
`
`comparator 320, and compares
`
`the DSP data against security policies
`
`305 stored in security database 305.
`
`If, from the DSP data, second
`
`comparator 330 determines that the Downloadable
`
`includes a
`
`hostile operation,
`
`then second comparator 330 prevents
`
`the
`
`5
`
`Downloadable
`
`from, passing to internal computer network 115.
`
`Similarly to first comparator 320, second comparator 330 forwards a
`
`non-hostile Downloadable
`
`to the intended. destination
`
`to inform the
`
`user that internal network. security, system. 110 discarded
`
`the
`
`Downloadable..
`
`If second comparator 330 determines that'-the
`
`10
`
`received Downloadable. does not violate. any securiVy policy, 305,
`
`then second comparator 330 forwards
`
`the received non-hostile
`
`Downloadable to internal computer network 115.
`
`Further, if second
`
`comparator 330 received
`
`the non-hostile Downloadable from code
`
`scanner .325,
`
`then the non-hostile Downloadable
`
`is stored in known
`
`15
`
`Downloadable's 307 and its corresponding DSP data is stored in DSP
`
`data 3 10.
`
`In any case, second comparator 330 sends a status r eport
`
`to record-keeping, engine 335 (described below).
`
`Record-keeping engine 335 receives status reports from first
`
`comparator 320 and from second comparator 330, and stores
`
`the
`
`20
`
`reports in events log 245 in data storage device 230.
`
`-11-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0021
`
`
`
`FIG. 4 is a block diagram illustrating an example security policy
`
`305.
`
`PATENT
`
`FIG. 5 is a block diagram illustrating details' of security
`
`5 management console 120, which includes a security policy generator
`
`505 coupled to signal bus 135, an event log analysis engine 510
`
`coupled to signal bus 135, a user notification engine 515 coupled to.
`
`event log analysis engine 510 and a Downloadable database review
`
`engine 520 coupled to signal bus 135. Security management console
`
`10
`
`120 further includes computer components similar to the computer
`
`components illustrated in FIG. 2.
`
`Security policy generator 505 uses, an I/0
`
`interface similar to
`
`1/0
`
`interface 215 for enabling user modification of security policies
`
`305.
`
`Further, security 'policy generator 505 enables the user to
`
`15
`
`provide, multiple security levels, i.e., enables the storage of multiple
`
`sets of 'security policies 305 (wherein second comparator 330 can
`
`use only a particular set of security policies 305 based on the
`For example, security
`
`destination of a. received Downloadable).
`
`policies 305 may enable a corporate manager
`
`to receive. selected
`
`20, Downloadables but may prevent
`
`the corporate 'manager's secretary
`
`from receiving those Downloadables.
`
`12-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0022
`
`
`
`PATENT
`
`Event log analysis engine 510 examines the, status reports.
`
`stored in events log .245 of data storage device 230. Event -log
`
`analysis engine 510 determines. if notification of the user (e.g., the-
`
`security system. manager) is warranted.
`
`For example, event l.og
`
`5
`
`analysis engine 510 may warrant user notification whenever
`
`ten
`
`(10) hostile Download ables have -been discarded by
`
`internal network
`
`security system 110 within a Ahirty, (30) minute:period,
`
`thereby
`
`flagging a possible security threat.. Accordingly, event log analysis
`
`engine 510 instructs user notification engine 515
`
`to' inform the: user.
`
`10
`
`For example, user notification engine. 515 may send an e-mail, via
`
`internal communications
`
`interface 220 or via external
`
`communication's interface 210 to the user, or may display a message.
`
`on the user's display device (not shown).
`
`Downloadable database review engine 520 enables. a user (e.g.,.
`
`15
`
`a network security, manager)
`
`to examine and modify known
`
`Downloadables 307. and DSP data 310. Thus, if for example a user
`
`learns of new hostile Downloadables,
`
`the user can add them to
`
`known Downloadables 307 and the corresponding DSP data' to DSP
`
`data 310. Similarly, the user, can add new non-hostile
`
`20
`
`Downloadables
`
`to known Downlloadables 307 and corresponding DSP
`
`data to DSP data' 310.
`
`-13-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0023
`
`
`
`PATENT
`
`FIG. 6 is a flowchart illustrating -a method 600 for protecting an
`
`internal computer network 115 from hostile iDownloadables.
`
`Method 600-begins with step 605 by ID generator 315 receiving a
`
`5
`
`Downloadable.
`
`ID generator 315 in step 610 generates a signature
`
`representing the received Downloadable.
`
`First comparator,320 in
`
`step 615 'compares
`
`the received Downloadable with known
`
`Downloadables 307 previously- stored 'in security database 240.
`
`If
`
`first comparator 320 in step 620 determines -that the received
`
`10
`
`Downloadable is the same -as a known hostile Downloadable. 307,
`
`then first comparator 320 in step 625 discards
`
`the rec5eived
`
`Downloadable and in step 630 forwards a substitute non-hostile
`
`Downloadable -to the intended destination to inform the user. First
`
`comparator 320 in step 635 instructs record-keeping engine 335
`
`to
`
`15
`
`record the findings, i.e., a status report, in events log 245. Method'
`
`600 then ends.
`
`If first comparator 320 in step 620 did not recognize the
`
`received Downloadable as a hostile Downloadable 307, then first
`
`comparator 320 in step 640 determines. whether the received
`
`20DownloadAble
`
`is a known non-hostile Downloadable 307..
`
`If so, then
`
`first comparator 320 in step 645 retrieves the DSP data 310
`
`corresponding
`
`to the known non-hostile Do'wnloadable and jumps
`
`to
`
`-14-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0024
`
`
`
`PATENT
`
`step 655. Otherwise, first comparator 320 forwards
`
`the received
`
`Downloadable to code scanner 325, -which in' step 650 decomposes
`
`the received Downloadable into DSP data and then jumps* to 'step
`
`5
`
`In step 655, 'second comparator 330 compares the DSP data,
`
`either retrieved by first comparator 320 fromi, security database 240
`
`or -generated by code scanner 325, with security policies 310' stored
`
`in security database 240.
`
`If second comparator .330 in step 660
`
`determines that the DSP data violates a security policy 310,' then
`
`10
`
`second comparator 330 proceeds
`
`to step. 625. Otherwise, second
`
`comparator 330 in step .665" passes,the received Downloadable 'to
`
`internal computer network 115 as a non-hostile Down loadable, and
`
`Proceeds
`
`to, step 635.
`
`15FIG.
`
`7 is a flowchart, illustrating details of method 650 for
`
`decomposing a Downloadable. Method'.650 begins in step 705 with,
`
`code scanner 325 disassembling
`
`the machine code of the
`
`Downloadable. Code scanner 325 in.step 710. resolves a respective
`
`command in the machine code.- Code scanner 325 in step 715
`
`20
`
`determines whether the resolved command
`
`is a suspect. command.
`
`Examples of suspect commands
`
`include a memory allocation
`
`-15-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0025
`
`
`
`PATENT
`
`command, a ioop command such as "goto", "while",f, "than" or the
`
`like.
`
`If not, then code scanner 325 returns to step 7 10.
`
`Otherwise, code scanner 325 in step 720 decodes and registers
`
`the command and 'the command parameters as DSP data. Code
`
`5
`
`scanner 325
`
`in step 720 registers commands and Command
`
`parameters- into a format based on command, class, e.g., file system
`
`class, network. system class, memory'system class. and CPU system
`
`class). Code scanner 325 in step 725 determines whether,the
`
`machine code includes another command.
`
`If so, then code scanner
`
`10
`
`.325
`
`returns
`
`to step* 710. Otherwise, method -650 ends.
`
`-16-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0026
`
`
`
`PATENT
`
`The foregoing description of the preferred embodiments of the
`
`invention is by way, of example only, and other variations of the
`
`above-described embodiments and methods are provided by
`
`the
`
`present invention.
`
`For example, although the invention has been
`
`5
`
`described in'a system for protecting an internal computer network,
`
`the invention can be embodied in a system for protecting an
`
`individual computer. Components of this invention may be
`
`implemented using a programmed general purpose digital computer,
`
`using application specific integrated circuits, or using a network of
`
`10
`
`interconnected conventional components. and circuits. The
`
`embodiments described herein have been presented for purposes of
`
`illustration and are not intended
`
`to be exhaustive or limiting. Many
`
`variations and modifications are possible in light of the foregoing.
`
`teaching. The system is limited only by* the following claims.
`
`-17-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0027
`
`
`
`PATENT
`
`WHAT IS CLAIMED IS:
`
`1
`
`1.
`
`A computer-based method' for determining whethera
`
`2 DownloadAble
`
`is hostile, comprising the steps of:
`
`3
`
`4
`
`receiving a Downloadable;
`
`decomposing
`
`the, Downloadable
`
`into Downloadable -security
`
`5 profile data;
`
`6
`
`7
`
`8
`
`9
`
`comparing
`
`the Downloadable security profile data against
`
`predetermined. security policies to determine if a security policy has
`
`been. violated; and
`
`discarding the received- Downloadable when a security policy
`
`10
`
`has been violated.
`
`1 2.
`
`A computer-based method for protecting a computer from
`
`2
`
`3.
`
`4
`
`hostile Downloadables, comprising
`
`the -steps of:
`
`receiving a Downloadable;
`
`'discarding
`
`the' received Downloadable when
`
`the received
`
`5 Downloadable. matches a -predetermined hostile Downloadable;
`
`6
`
`obtaining Downloadable security profile data on the received
`
`7 Downloadable when the Downloadable does not match a
`
`8
`
`predetermined hostile Downloadable; and
`
`-18-1
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0028
`
`
`
`9
`
`10'
`
`discarding
`
`the received Downloadable. when the' Downlo'adable'
`
`security profile data violates a predetermined security policy.'
`
`?ATENT
`
`1
`
`3.
`
`A system for determining whether',a Downloadable is hostile,
`
`2 comprising:
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`a security database storing security -policies;
`
`an interface for receiving a current Downloadable,,
`
`a code scanner, coupled to the interface, for decomposing
`
`the
`
`current Downloadable into Downloadable security profile data; 'and-
`
`a comparator, coupled to the code scanner and to the security
`
`database, for comparing
`
`the security 'policies* against the
`
`9 Downloadable security profile data to determine if a security policy
`
`10
`
`has been violated.
`
`1
`
`4.
`
`A system for protecting a computer from hostile
`
`2, Downloadables, comprising:
`
`3
`
`5a
`
`an interface for receiving a Downloadable;
`
`4afirst
`
`memory portion storing security. policies;
`
`second memory portion storing known hostile Download'ables;
`
`6a
`
`first comparator, coupled to the interface and to the first
`
`7 memory portion, for discarding the received, Downloadable when -it
`
`8 matches one of the knoWn hostile Downloadables;, and
`
`-19-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0029
`
`
`
`9
`
`10
`
`11
`
`a second comparator, coupled to the first comparator and to the
`
`second memory'portion, for -discarding the received Downloadable
`
`if
`
`it violates one,of security policies.
`
`PATENT
`
`1 5.
`
`A system for determining whether a ,Downloadable is hostile,
`
`3
`
`4
`
`5
`
`6
`
`7
`
`means for receiving a Downloadable;
`
`means for decomposing
`
`the. Downloadable
`
`into Downloadable
`
`security profile data;
`
`means for comparing the Downloadable security profile data
`
`'against predetermined security .policies
`
`to determine if a security
`
`8 policy has been violated; and
`
`9
`
`means for discarding
`
`the received Downloadable when a
`
`10
`
`security policy has been violated.
`
`1
`
`6.
`
`A system. for protecting a computer from hostile
`
`2 Downloadables,. comprising:
`
`3
`
`4
`
`5
`
`means for,,receiving a Downloadable;
`
`means for discarding the received Download able when the
`
`received Download able matches a predetermined hostile
`
`6Downloadable;
`
`-20-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0030
`
`
`
`PATENT
`
`7
`
`8
`
`9
`
`10
`
`means for obtaining Downloadable security profile data on the
`
`received Downloadable when the Downloadable does. not match a
`
`predetermined hostile Downloadable; and
`
`means for discarding
`
`the received Downloadable when the
`
`11 Downloadable security profile data violates a predetermined security
`
`12
`
`policy.*
`
`1
`
`2
`
`3
`
`4
`
`6
`
`7
`
`8
`
`9
`
`7.
`
`'A computer-re ad able storage medium storing program code for
`
`causing a -computer to perform the steps of:
`
`receiving, a Downloadable;
`
`decomposing
`
`the Downloadable into Downloadabte security,
`
`5profile data;
`
`comparing
`
`the Downloadable* security profile data. against
`
`predetermined security policies to determine if a security policy has
`
`been violated; and
`
`discarding the received Downloadable when a secuirity 'policy
`
`10
`
`has, been violated.
`
`1
`
`2
`
`3
`
`8.
`
`A computer-readable .storage medium storing program code* for
`
`causing a computer to perform the steps of:
`
`receiving a Downloadable;
`
`-21-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0031
`
`
`
`PATENT
`
`4
`
`discarding
`
`the received. Downloadable. when
`
`the received
`
`5 Down1oadable matches a predetermined hostile' Dowhloadable;
`
`6
`
`-obtaining Downloadable security profile data on the. received
`
`7 Downloadable when the Downloadable does not match a
`
`8
`
`9
`
`predetermined hostile Downloadable; and
`
`discarding
`
`the' received Downloadable, when
`
`the Downloadable
`
`10
`
`security profile data violates a. predetermined security policy.
`
`-22-
`
`SOPHOS
`EXHIBIT 1005 - PAGE 0032
`
`
`
`p4
`
`31-OCT-19%6 20:46
`
`FROM ;'INJAN SOFTWARE
`
`TO
`
`001 4 c8123444 ----
`
`P. 0?
`
`APP L1\)DK
`
`Gateway Level Corporate Security for the
`New World of JavaT ."and,Downloadables
`
`SurfinGate"M Means Business
`
`New downloadable, technologies including JavaTM and ActiveXTm present today's enterprises with
`expanded Irntranet capabilities, but they also expose corporate 'computer resourees to new kinds of
`security attacks SurinCraterm addresses the new computing paradigm with corporate-level security at
`the gateway level for safe usc of Java and other Internct downloadahles. An intelligent security solution
`l'or companies With access to the Intcrnet, SurfinGatc functions* at the corp orate gateway, where it
`intelligently scans, digitally signs, and controls all downloadables before they access the network.
`SurfinGatc's powerful entcrprise7Wide',security is combined with efficient, centralized control of the
`company's Intranet computer users.
`
`SurfinGate offers corporate security managers the ability tW:
`
`*Establish a secunity policy for use of Java applets and other Internet dawniloadables,
`a Prevent loading of suspicious Java applets or ActiveX entities at the gateway level
`* rvd oprte users wth safe Internet access without having to disable downloadable technology
`such as Java or ActiveX
`the corporate resources from damage or unauthorized access by downloada?Qles
`*Protect
`
`SurfinGate addresses a new computing paradigm, where mini-applications called downloadables are
`automatically pUshed into.corporate [ntranets unbeknownst to users. As -Intranet users access the on-
`line resources they need, the buisiness enterprise is exposed to downloadable -transmitted risks like
`corporate espionage, e-mailI fraud, or resource attacks. For the corporate security manager, the new
`paradigm's Java applets and ActiveX technologies represent serious new security threats that are
`simply not addressed,by built-in security systems like theJava Security Manager. SurinGate offers
`sophisticated security att the outermost gateway level, keeping potentially problematic appiets
`completely outside of the corporate env ironment.
`
`Surl"inGate functions:
`
`*IntelOigently scans, analyzes.,'and controls automatically downloaded Java applets. or ActiveX entities
`*Specifically executes corporate security policy as defined by the security manager via Security
`Management Console (SIVI), kncluding:
`0 blocking out any applet that meets a suspicious applet profile
`0 positively identifying applets before allowing them into the system
`scanning applets for unauthorized acftions and assigning appr