US007757289B2
`
`(12) United States Patent
`Gruzman et al.
`
`(10) Patent N0.2
`(45) Date of Patent:
`
`US 7,757,289 B2
`Jul. 13, 2010
`
`(54) SYSTEM AND METHOD FOR INSPECTING
`DYNAMICALLY GENERATED EXECUTABLE
`CODE
`
`2004/0158729 A1
`2005/0108562 A1 *
`
`8/2004 SZor ......................... .. 713/190
`5/2005 Khazan et a1. ............ .. 713/200
`
`(75) Inventors: David Gruzman, Ramat Gan (IL);
`Yuval Ben-Itzhak, Tel Aviv (IL)
`
`(Continued)
`
`(73) Assignee: Finjan, Inc., San Jose, CA (US)
`
`OTHER PUBLICATIONS
`
`( * ) Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 1247 days.
`
`Web Printout from httpM/WWW?hj-ahe°ITVC0I1teI1t~asPX?id:1456,
`Printed on Sell 10, 2009, 6 PageS~*
`(Continued)
`
`(21) Appl' NO‘: 11/298’475
`(22) Filed:
`Dec- 12, 2005
`
`Primary ExamineriPonnoreay Pich
`(74) Attorney, Agent, or FirmiKing & Spalding LLP
`
`(65)
`
`Prior Publication Data
`
`(57)
`
`ABSTRACT
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`US 2007/0136811A1
`
`Jun. 14,2007
`
`(51) Int. Cl.
`
`(200601)
`G06F 2 1/ 00
`US. Cl- .......................... ..
`(58) Field Of Classi?cation Search ................. .. 726/22,
`_
`_
`_ 726/24’ 25
`See apphcanon ?le for Complete Search hlstory'
`References Cited
`
`(56)
`
`U'S' PATENT DOCUMENTS
`5,359,659 A * 10/1994 Rosenthal .................. .. 726/24
`5,974,549 A * 10/1999 Golan ....................... .. 726/23
`5,983,348 A 11/1999 Ji .............................. .. 726/13
`6,092,194 A *
`7/2000 Touboul ,,
`726/24
`6,167,520 A 12/2000 Touboul .................... .. 726/23
`6,272,641 B1
`8/2001 Ji .............................. .. 726/24
`6,934,857 B1
`8/2005 Bartleson et a1.
`726/ 5
`6,965,968 B1
`11/200 5 Touboul _ _ _ _ _ _ _ _ _
`_ _ _ __ 711/113
`7,203,934 B2 *
`4/2007 souloglou et a1,
`717/146
`7,287,279 B2 * 10/2007 Bemnan et a1‘ _____________ __ 726/23
`7,313,822 B2 * 12/2007 Ben-Itzhak ................ .. 726/24
`
`A method for protecting a client computer from dynamically
`generated mal1c1ous content, 1nclud1ng rece1v1ng at a gateway
`computer content being sent to a client computer for process
`ing’ the Content including a can to an Original function’ and
`the can including an input’ modifying the Content at the
`gateWay computer, including replacing the call to the original
`function With a corresponding call to a substitute function, the
`substitute function being operational to send the input to a
`security computer for inspection, transmitting the modi?ed
`content from the gateWay computer to the client computer,
`Processing the modi?ed eehteht at the eheht eeIhPuter, trans
`mittihg the input to the seeurity eeIhPuter ferihspeetieh Wheh
`the substitute funetieh is invoked, detenhihihg at the seeurity
`computer Whether it is safe for the client computer to invoke
`the original function With the input, transmitting an indicator
`of Whether it is safe for the client computer to invoke the
`original function With the input, from the security computer to
`the client computer, and invoking the original function at the
`client computer With the input, only if the indicator received
`from the security computer indicates that such invocation is
`safe A system and a eemputer-readahle storage medium are
`
`2002/0116635 A1 *
`
`8/2002 Sheymov . . . . .
`
`. . . .. 713/200
`
`also described and Claimed
`
`2004/0133796 A1 *
`2004/0153644 A1 *
`
`7/2004 Cohen et a1. .............. .. 713/200
`8/2004 McCorkendale et a1.
`713/156
`
`46 Claims, 5 Drawing Sheets
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 1
`
`

`
`US 7,757,289 B2
`Page 2
`
`US. PATENT DOCUMENTS
`
`2006/0015940 A1
`2006/0l6l98l Al *
`2007/0016948 A1 *
`
`l/2006 Zamir et al. ................ .. 726/22
`7/2006 Sheth et a1.
`726/22
`1/2007 Dubrovsky et a1. ......... .. 726/22
`
`OTHER PUBLICATIONS
`
`Web printout from http://www.?njan.com/secureiwebigateway.
`aspX, printed on Sep. 10, 2009, 7 pages.*
`MarkLaDue, “Hostile Applets Home Page”, 6 pages, printed Sep. 10,
`2009.*
`Mark LaDue, “The Rube Goldberg Approach to Java Security”,
`1998, 9 pages.*
`
`Mark LaDue, “Drowning in the Surf: A Review of Finjan Software’s
`Sur?nShield 2.0”, 1997, 6 pages.*
`Mark LaDue, “With Trousers Down and Duke Exposed: How Finjan
`Software Handles Criticism”, 1997, 5 pages.*
`Huang et al, “Web Application Security Assessment by Fault Injec
`tion and Behavior Monitoring”, ACM, 2003, 12 pages.*
`“Vital Security Web Applicance”, unknown author, unknown date, 7
`pages.*
`International Search Report and Written Opinion for Application No.
`PCT/IL06/0 1430, dated Jul. 17, 2008, 9 pp.
`
`* cited by examiner
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 2
`
`

`
`US. Patent
`
`Jul. 13, 2010
`
`Sheet 1 of5
`
`US 7,757,289 B2
`
`CONTENT PROCESSOR
`
`A v m A m M M. M
`
`R R
`
`at c m: m =3 e n: 0
`O u m D A
`
`2. m N 5581295 m E m m wz§8z3<z62o
`
`m m m o w R V M W 3*
`
`
`
`zmwkirmwwzwmu‘ mwSmsamwgmhwu
`
`E3 ~53:
`
`H .
`
`mi
`
`U
`
`R R m m m R
`
`w 9: l 4 R EwEouéEwEo T M EwEou
`C at m! m 3.
`
`m m w M 2: m @258; #2680
`m y w 7 m I W M IIFJ
`
`c E s C
`
`0 m C W M
`
`E m m M M cur
`
`R
`
`p a s w u n
`
`.. | 1 Y SE23
`
`[m2
`
`l2:
`
`CONTENT PROCESSOR
`
`A
`
`CLIENT RECEIVER
`
`GATEWAY TRANSMITTER
`
`3
`"
`
`E
`
`I comm INSPECTOR
`
`.3
`
`w
`
`\ m
`
`R
`
`M 3.
`
`M 53200
`
`
`
`c lkllll.
`
`
`
`
`
`7 . aw5mzoubmau .
`
`551mg???
`
`Inc v
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 3
`
`

`
`U.S. Patent
`
`Jul. 13, 2010
`
`Sheet 2 of5
`
`US 7,757,289 B2
`
`cuEN'r TRANSMITTER
`
`mpuncusm‘m
`
`
`
`
`
`7 '- H I’ JI SECURITY RECEIVER I
`
`q I
`
`I
`
`of
`a
`
`A
`
`a N
`
`/
`CONTENT PROCESSOR
`“
`
`g
`N
`k
`CLIENT RECENER
`
`?
`E
`E
`5 D \m
`
`2
`&
`D
`D
`2
`
`N
`
`2 N
`
`1
`"
`INPUTINSPECTOR
`
`I E
`
`§
`g ‘ *
`5
`a
`E \ \n
`3
`is
`v
`“'
`\_
`SECURITYTRAN urn-nan
`s
`
`g
`
`MODIHEDINPUT
`INDICATOR TO CLIENT
`f COMPUTER 0F SAFE INPUT
`l
`2
`N
`
`I:
`5@ "U n.
`
`E2 =
`: + a; g
`‘2 E a
`f E 3 ::
`:8
`:a
`8 gm
`"
`N
`T
`I
`
`r
`‘m
`5
`
`FIG. 2
`
`3
`N
`
`9 N
`CONTENT MODIFIER I
`
`I
`
`M
`
`GATEWAY RECEIVER I
`
`
`
`, .WEWAYCQMPWER
`
`r
`205
`
`
`
`ORIGINAL INCOMING
`
`CONTENT
`
`220
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 4
`
`

`
`US. Patent
`
`Jul. 13, 2010
`
`Sheet 3 of5
`
`US 7,757,289 B2
`
`11- GATEWAYCOMPUTER —>~{
`
`i<— CLIENTCOMF'UTER —>|
`
`Id- SECURITYCOMPUTER —>{
`
`Ngvngéi‘fsgzq'ég?gggmEm
`COMPUTER
`‘\
`I
`3°‘
`
`RECEIVE CONTENT FROM
`GATEWAY COMPUTER
`
`I
`
`Sam cONTENT FOR PRESENCE
`OF FUNCTION CALLS
`
`\ _’
`
`CONTINUE To PROCESS
`OONTENT
`
`N
`:24
`
`aza
`
`332
`
`A REcEIvE INPUT AND CLIENT ID
`' FROM CLIENT COMPUTER
`
`I
`
`\
`340
`
`scAN INPUT FOR PRESENCE OF
`FuNcTION CALLS
`
`\
`
`FUNCTION cALLs FOUND
`IN INPUT,
`
`344
`
`348
`
`REPLACE ORIGINAL FUNCTION
`CALLS IN INPUT wITH
`suDsTmITE FuNcTIoN CALLS \
`I
`352
`
`scAN INPUT TO DETERMINE
`SECURITY PROFILE
`I
`
`\
`ass
`
`RETRIEZLEIESETCEZ'ITAIIPITEOURCY F°R
`
`I
`COMPARE CONTENT sEcuRITv
`PRDF'LE w'rpgLLlgNT SECURITY \
`
`\
`360
`
`NO SAFE FOR cLIENT To INVOKE
`ORIGINAL FuNcTIoN WITH
`INF JT?
`YES
`
`SET INDICATOR " TRUE
`
`I 364
`
`360
`
`372
`
`SET INDICATOR = FALSE
`
`7
`TRANBMIT INDICATOR AND
`MODIFIED INPUT TO CLIENT
`COMPUTER
`
`’\
`
`FUNCTION CALLS FOUND
`IN CONTENT.’
`
`REPLACE ORIGINAL FUNCTION
`CALLS IN cONTENT wrTH
`SUBSTITUTE FUNCTION cAu.s
`I
`
`TRANSMIT DONTENT TO CUENT
`FOR PROCESSING
`
`son
`
`312
`
`316
`
`R'-
`320
`
`I
`
`INVOKE SUBSTITUTE FUNCTION
`
`l
`
`TRANsMrr INPUT AND CLIENT Io
`TO SECURITY COMPUTER FOR --
`INEPEcTIDN
`
`335
`
`RECEIVE SAFETY INDICATOR AND
`MOD’F‘ED mp“, FROM sEcuRm
`COMPUTER
`R
`384
`
`INDIcATDR = TRUE?
`
`"—
`
`INVOKE ORIGINAL I=uNcTION
`wrm MODIFIED INPUT
`
`aaa
`
`\
`
`392
`
`FIG. 3
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 5
`
`

`
`U.S. Patent
`
`Jul. 13, 2010
`
`Sheet 4 of5
`
`US 7,757,289 B2
`
`CLIENT TRANSMITTER
`
`CONTENT PROCESSOR
`
`CLIENT RECEIVER
`
`5
`En.
`-‘HE.1
`vi‘:0:!)
`"u.
`mo
`0::
`"Lu<
`25on.
`22
`"0
`U
`
`MODIFIEDCONTENT.MODIFIED
`
`INPUT
`
`GATEWAY TRANSMITTER
`
`’
`
`
`
`INPUT.CLIENTID
`
`
`
`DATABASEOFSECURITYPOLICIES
`
`O CONTENTIINPUT
`TEWAYRECEIVER
`
`MODIFIER
`
`INPUT INSPECTOR
`
`
`
`GATEWAYCOMPUTER
`
`405
`
`
`
`ORlGlNALINCOMING
`
`CONTENT
`
`420
`
`Patent Owner Finj an, Inc. - Exhibit 2006, p. 6
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 6
`
`

`
`US. Patent
`
`Jul. 13, 2010
`
`Sheet 5 of5
`
`US 7,757,289 B2
`
`‘4-— GATEWAY COMPUTER —>‘
`
`'1- CLIENT COMPUTER —>I
`
`RECEIVE CONTENT FRQM
`NETWORKINTENDED FOR CLIENT
`COMPUTER
`I
`
`\
`500
`
`SCAN CONTENTHNPUT FOR
`PRESENCE QF FUNCTION CAI-LS \\
`
`FUNCTION CALLS FOUND’?
`
`REPLACE ORIGINAL FUNCTION
`CALLS WITH SUBSTITUTE
`FUNCTION CALLS
`
`I
`
`{*3
`
`TRANSMIT CGNTENT TO CLIENT
`FOR PROCESSING
`
`\
`
`:
`
`RECEIVE CONTENT FROM
`GATEWAY COMPUTER
`
`RECEIVE INPUT AND CLIENT ID
`FROM CLIENT COMPUTER
`
`:
`
`SCAN INPUT TO DETERMINE
`SECURWY PROHLE
`
`¢
`
`52s:
`
`g/Ir
`
`55G
`
`.
`RETR'?g?Es?ggg‘rzgjfééw FOR
`\
`555
`
`¢
`
`I
`
`CONTINUE TO PRQCESS
`CONTENT
`I
`
`525
`
`530
`
`INVOKE SUBSTITUTE FUNCTION \
`
`l
`
`TRANSMIT INPUT AND CLIENT ID
`TO GATEWAY COMPUTER FOR
`INSPECTION
`
`535
`
`~\
`540
`
`COMPARE CQNTENT SECURITY
`PROFILE WITH CLIENT SECURITY
`POLTCY
`
`I
`"-F RECEIVE SAFE-TV INDICATOR
`FROM GATEWAY COMPUTER
`
`INDICATOR = TRUE‘?
`
`INVOKE ORIGINAL FUNCTION
`WITH INPUT
`
`569
`
`SAFE FOR CLIENT TO INVOKE
`ORIGINAL FUNCTION WITH
`INPUT?
`
`‘YES
`
`SET INDICATOR = TRUE
`
`SET INDICATOR = FALSE
`
`I
`
`575
`
`TRANSMIT INDICATOR TO CLIENT
`COMPUTER
`
`\
`
`588
`
`FIG. 5
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 7
`
`

`
`US 7,757,289 B2
`
`1
`SYSTEM AND METHOD FOR INSPECTING
`DYNAMICALLY GENERATED EXECUTABLE
`CODE
`
`FIELD OF THE INVENTION
`
`The present invention relates to computer security, and
`more particularly to protection against malicious code such as
`computer viruses.
`
`BACKGROUND OF THE INVENTION
`
`2
`contents of Which are hereby incorporated by reference,
`describes gateWay level behavioral analysis. Such behavioral
`analysis scans and parses content received at a gateWay and
`generates a security pro?le for the content. A security pro?le
`is a general list or delineation of suspicious, or potentially
`malicious, operations that executable content may perform.
`The derived security pro?le is then compared With a security
`policy for the computer being protected, to determine
`Whether or not the content’ s security pro?le violates the com
`puter’s security policy. A security policy is a general set of
`simple or complex rules, that may be applied logically in
`series or in parallel, Which determine Whether or not a speci?c
`operation is permitted or forbidden to be performed by the
`content on the computer being protected. Security policies are
`generally con?gurable, and set by an administrator of the
`computer that is being protected.
`Assignee’s US. Pat. No. 6,167,520 entitled SYSTEM
`AND METHOD FOR PROTECTING A CLIENT DURING
`RUNTIME FROM HOSTILE DOWNLOADABLES, the
`contents of Which are hereby incorporated by reference,
`describes desktop level behavioral analysis. Desktop level
`behavioral analysis is generally implemented during run
`time, While a computer’s Web broWser is processing Web
`content received over the Internet. As the content is being
`processed, desktop security applications monitor calls made
`to critical systems of the computer, such as the operating
`system, the ?le system and the netWork system. Desktop
`security applications use hooks to intercept calls made to
`operating system functions, and alloW or block the calls as
`appropriate, based on the computer’s security policy.
`Each of the various anti-virus technologies, gateWay vs.
`desktop, reactive vs. proactive, has its pros and cons. Reactive
`anti-virus protection is computationally simple and fast; pro
`active virus protection is computationally intensive and
`sloWer. Reactive anti-virus protection cannot protect against
`neW “?rst-time” viruses, and cannot protect a user if his
`signature ?le is out of date; proactive anti-virus protection can
`protect against neW “?rst-time” viruses and do not require
`regular doWnloading of updated signature ?les. GateWay
`level protection keeps computer viruses at a greater distance
`from a local netWork of computers; desktop level protection is
`more accurate. Desktop level protection is generally available
`in the consumer market for hackers to obtain, and is suscep
`tible to reverse engineering; gateWay level protection is not
`generally available to hackers.
`Reference is noW made to FIG. 1, Which is a simpli?ed
`block diagram of prior art systems for blocking malicious
`content, as described hereinabove. The topmost system
`shoWn in FIG. 1 illustrates a gateWay level security applica
`tion. The middle system shoWn in FIG. 1 illustrates a desktop
`level security application, and the bottom system shoWn in
`FIG. 1 illustrates a combined gateWay+desktop level security
`application.
`The topmost system shoWn in FIG. 1 includes a gateWay
`computer 105 that receives content from the Internet, the
`content intended for delivery to a client computer 110. Gate
`Way computer 105 receives the content over a communication
`channel 120, and gateWay computer communicates With cli
`ent computer 110 over a communication channel 125. Gate
`Way computer 105 includes a gateWay receiver 135 and a
`gateWay transmitter 140. Client computer 110 includes a
`client receiver 145. Client computer generally also has a
`client transmitter, Which is not shoWn.
`Client computer 110 includes a content processor 170,
`such as a conventional Web broWser, Which processes Internet
`content and renders it for interactive vieWing on a display
`monitor. Such Internet content may be in the form of execut
`
`20
`
`25
`
`30
`
`35
`
`Computer viruses have been rampant for over tWo decades
`noW. Computer viruses generally come in the form of execut
`able code that performs adverse operations, such as modify
`ing a computer’s operating system or ?le system, damaging a
`computer’ s hardWare or hardWare interfaces, or automati
`cally transmitting data from one computer to another. Gener
`ally, computer viruses are generated by hackers Willfully, in
`order to exploit computer vulnerabilities. HoWever, viruses
`can also arise by accident due to bugs in softWare applica
`tions.
`Originally computer viruses Were transmitted as execut
`able code inserted into ?les. As each neW viruses Was discov
`ered, a signature of the virus Was collected by anti-virus
`companies and used from then on to detect the virus and
`protect computers against it. Users began routinely scanning
`their ?le systems using anti-virus softWare, Which regularly
`updated its signature database as each neW virus Was discov
`ered.
`Such anti-virus protection is referred to as “reactive”, since
`it can only protect in reaction to viruses that have already been
`discovered.
`With the advent of the Internet and the ability to run execut
`able code such as scripts Within Internet broWsers, a neW type
`of virus formed; namely, a virus that enters a computer over
`the Internet and not through the computer’s ?le system. Such
`Internet viruses can be embedded Within Web pages and other
`Web content, and begin executing Within an Internet broWser
`as soon as they enter a computer. Routine ?le scans are not
`able to detect such viruses, and as a result more sophisticated
`anti-virus tools had to be developed.
`TWo generic types of anti-virus applications that are cur
`rently available to protect against such Internet viruses are (i)
`gateWay security applications, and (ii) desktop security appli
`cations. GateWay security applications shield Web content
`before the content is delivered to its intended destination
`computer. GateWay security applications scan Web content,
`and block the content from reaching the destination computer
`if the content is deemed by the security application to be
`potentially malicious. In distinction, desktop security appli
`cations shield against Web content after the content reaches its
`intended destination computer.
`Moreover, in addition to reactive anti-virus applications,
`that are based on databases of knoWn virus signatures,
`recently “proactive” anti-virus applications have been devel
`oped. Proactive anti-virus protection uses a methodology
`knoWn as “behavioral analysis” to analyZe computer content
`for the presence of viruses. Behavior analysis is used to auto
`matically scan and parse executable content, in order to detect
`Which computer operations the content may perform. As
`such, behavioral analysis can block viruses that have not been
`previously detected and Which do not have a signature on
`record, hence the name “proactive”.
`Assignee’s US. Pat. No. 6,092,194 entitled SYSTEM
`65
`AND METHOD FOR PROTECTING A COMPUTER AND
`A NETWORK FROM HOSTILE DOWNLOADABLES, the
`
`40
`
`45
`
`50
`
`55
`
`60
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 8
`
`

`
`US 7,757,289 B2
`
`3
`able code, JavaScript, VBScript, Java applets, ActiveX con
`trols, Which are supported by Web browsers.
`Gateway computer 105 includes a content inspector 174
`Which may be reactive or proactive, or a combination of
`reactive and proactive. Incoming content is analyzed by con
`tent inspector 174 before being transmitted to client computer
`110. If incoming content is deemed to be malicious, then
`gateWay computer 105 preferably prevents the content from
`reaching client computer 110. Alternatively, gateWay com
`puter 105 may modify the content so as to render it harmless,
`and subsequently transmit the modi?ed content to client com
`puter 110.
`Content inspector 174 can be used to inspect incoming
`content, on its Way to client computer 110 as its destination,
`and also to inspect outgoing content, being sent from client
`computer 110 as its origin.
`The middle system shoWn in FIG. 1 includes a gateWay
`computer 105 and a client computer 110, the client computer
`110 including a content inspector 176. Content inspector 176
`may be a conventional signature-based anti-virus application,
`or a run-time behavioral based application that monitors run
`time calls invoked by content processor 170 to operating
`system, ?le system and netWork system functions.
`The bottom system shoWn in FIG. 1 includes both a content
`inspector 174 at gateWay computer 105, and a content inspec
`tor 176 at client computer 110. Such a system can support
`conventional gateWay level protection, desktop level protec
`tion, reactive anti-virus protection and proactive anti-virus
`protection.
`As the hacker vs. anti-virus protection battle continues to
`Wage, a neWer type of virus has sprung forWard; namely,
`dynamically generated viruses. These viruses are themselves
`generated only at run-time, thus thWarting conventional reac
`tive analysis and conventional gateWay level proactive behav
`ioral analysis. These viruses take advantage of features of
`dynamic HTML generation, such as executable code or
`scripts that are embedded Within HTML pages, to generate
`themselves on the ?y at run-time.
`For example, consider the folloWing portion of a standard
`HTML page:
`
`<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0
`Transitional//EN”>
`
`<SCRIPT LANGUAGE=“JavaScript”>
`
`document.Write(“<hl>text that is generated at 1u_n—time</hl>”);
`
`</SCRIPT>
`<BODY>
`
`</BODY>
`</HTML>
`
`The text Within the <SCRIPT> tags is JavaScript, and
`includes a call to the standard function document.Write( ),
`Which generates dynamic HTML. In the example above, the
`function document.Write( ) is used to generate HTML header
`text, With a text string that is generated at run-time. If the text
`string generated at run-time is of the form
`
`<SCRIPT>malicious JavaScript</SCRIPT>
`
`then the document.Write( ) function Will insert malicious
`JavaScript into the HTML page that is currently being ren
`
`4
`dered by a Web broWser. In turn, When the Web broWser
`processes the inserted text, it Will perform malicious opera
`tions to the client computer.
`Such dynamically generated malicious code cannot be
`detected by conventional reactive content inspection and con
`ventional gateWay level behavioral analysis content inspec
`tion, since the malicious JavaScript is not present in the con
`tent prior to run-time. A content inspector Will only detect the
`presence of a call to Document.Write( ) With input text that is
`yet unknoWn. If such a content inspector Were to block all
`calls to Document.Write( ) indiscriminately, then many harm
`less scripts Will be blocked, since most of the time calls to
`Document.Write( ) are made for dynamic display purposes
`only.
`US. Pat. Nos. 5,983,348 and 6,272,641, both to Ji, describe
`reactive client level content inspection, that modi?es doWn
`loaded executable code Within a desktop level anti-virus
`application. HoWever, such inspection can only protect
`against static malicious content, and cannot protect against
`dynamically generated malicious content.
`Desktop level run-time behavioral analysis has a chance of
`shielding a client computer against dynamically generated
`malicious code, since such code Will ultimately make a call to
`an operating system function. HoWever, desktop anti -virus
`protection has a disadvantage of being Widely available to the
`hacker community, Which is alWays eager to ?nd vulnerabili
`ties. In addition, desktop anti-virus protection has a disadvan
`tage of requiring installation of client softWare.
`As such, there is a need for a neW form of behavioral
`analysis, Which can shield computers from dynamically gen
`erated malicious code Without running on the computer itself
`that is being shielded.
`
`SUMMARY OF THE DESCRIPTION
`
`The present invention concerns systems and methods for
`implementing neW behavioral analysis technology. The neW
`behavioral analysis technology affords protection against
`dynamically generated malicious code, in addition to conven
`tional computer viruses that are statically generated.
`The present invention operates through a security com
`puter that is preferably remote from a client computer that is
`being shielded While processing netWork content. During
`run-time, While processing the netWork content, but before
`the client computer invokes a function call that may poten
`tially dynamically generate malicious code, the client com
`puter passes the input to the function to the security computer
`for inspection, and suspends processing the netWork content
`pending a reply back from the security computer. Since the
`input to the function is being passed at run-time, it has already
`been dynamically generated and is thus readily inspected by
`a content inspector. Referring to the example above, Were the
`input to be passed to the security computer prior to run-time,
`it Would take the form of indeterminate text; Whereas the
`input passed during run-time takes the determinate form
`
`<SCRIPT>malicious JavaScript</SCRIPT>
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`Which can readily be inspected. Upon receipt of a reply from
`the security computer, the client computer resumes process
`ing the netWork content, and knoWs Whether to by-pass the
`function call invocation.
`To enable the client computer to pass function inputs to the
`security computer and suspend processing of content pending
`replies from the security computer, the present invention
`operates by replacing original function calls With substitute
`
`65
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 9
`
`

`
`US 7,757,289 B2
`
`5
`function calls Within the content, at a gateway computer, prior
`to the content being received at the client computer.
`The present invention also provides protection against
`arbitrarily many recursive levels of dynamic generation of
`malicious code, Whereby such code is generated via a series
`of successive function calls, one Within the next.
`By operating through the medium of a security computer,
`the present invention overcomes the disadvantages of desktop
`anti-virus applications, Which are available to the hacker
`community for exploit. Security applications embodying the
`present invention are concealed securely Within managed
`computers.
`There is thus provided in accordance With a preferred
`embodiment of the present invention a method for protecting
`a client computer from dynamically generated malicious con
`tent, including receiving at a gateWay computer content being
`sent to a client computer for processing, the content including
`a call to an original function, and the call including an input,
`modifying the content at the gateWay computer, including
`replacing the call to the original function With a correspond
`ing call to a substitute function, the substitute function being
`operational to send the input to a security computer for
`inspection, transmitting the modi?ed content from the gate
`Way computer to the client computer, processing the modi?ed
`content at the client computer, transmitting the input to the
`security computer for inspection When the substitute function
`is invoked, determining at the security computer Whether it is
`safe for the client computer to invoke the original function
`With the input, transmitting an indicator of Whether it is safe
`for the client computer to invoke the original function With the
`input, from the security computer to the client computer, and
`invoking the original function at the client computer With the
`input, only if the indicator received from the security com
`puter indicates that such invocation is safe.
`There is further provided in accordance With a preferred
`embodiment of the present invention a system for protecting
`a client computer from dynamically generated malicious con
`tent, including a gateWay computer, including a gateWay
`receiver for receiving content being sent to a client computer
`for processing, the content including a call to an original
`function, and the call including an input, a content modi?er
`for modifying the received content by replacing the call to the
`original function With a corresponding call to a substitute
`function, the substitute function being operational to send the
`input to a security computer for inspection, and a gateWay
`transmitter for transmitting the modi?ed content from the
`gateWay computer to the client computer, a security com
`puter, including a security receiver for receiving the input
`from the client computer, an input inspector for determining
`Whether it is safe for the client computer to invoke the original
`function With the input, and a security transmitter for trans
`mitting an indicator of the determining to the client computer,
`and a client computer communicating With the gateWay com
`puter and With the security computer, including a client
`receiver for receiving the modi?ed content from the gateWay
`computer, and for receiving the indicator from the security
`computer, a content processor for processing the modi?ed
`content, and for invoking the original function only if the
`indicator indicates that such invocation is safe; and a client
`transmitter for transmitting the input to the security computer
`for inspection, When the substitute function is invoked.
`There is yet further provided in accordance With a preferred
`embodiment of the present invention a computer-readable
`storage medium storing program code for causing at least one
`computing device to receive content including a call to an
`original function, and the call including an input, replace the
`call to the original function With a corresponding call to a
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
`substitute function, the substitute function being operational
`to send the input for inspection, thereby generating modi?ed
`content, process the modi?ed content, transmit the input for
`inspection, When the substitute function is invoked While
`processing the modi?ed content, and suspend processing of
`the modi?ed content, determine Whether it is safe to invoke
`the original function With the input, transmit an indicator of
`Whether it is safe for a computer to invoke the original func
`tion With the input, and resume processing of the modi?ed
`content after receiving the indicator, and invoke the original
`function With the input only if the indicator indicates that such
`invocation is safe.
`There is additionally provided in accordance With a pre
`ferred embodiment of the present invention a method for
`protecting a client computer from dynamically generated
`malicious content, including receiving content being sent to a
`client computer for processing, the content including a call to
`an original function, and the call including an input, modify
`ing the content, including replacing the call to the original
`function With a corresponding call to a substitute function, the
`substitute function being operational to send the input to a
`security computer for inspection, and transmitting the modi
`?ed content to the client computer for processing.
`There is moreover provided in accordance With a preferred
`embodiment of the present invention a system for protecting
`a client computer from dynamically generated malicious con
`tent, including a receiver for receiving content being sent to a
`client computer for processing, the content including a call to
`an original function, and the call including an input, a content
`modi?er for modifying the received content by replacing the
`call to the original function With a corresponding call to a
`substitute function, the substitute function being operational
`to send the input to a security computer for inspection, and a
`transmitter for transmitting the modi?ed content to the client
`computer.
`There is further provided in accordance With a preferred
`embodiment of the present invention a computer-readable
`storage medium storing program code for causing a comput
`ing device to receive content including a call to an original
`function, and the call including an input, and replace the call
`to the original function With a corresponding call to a substi
`tute function, the substitute functionbeing operational to send
`the input for inspection.
`There is yet further provided in accordance With a preferred
`embodiment of the present invention a method for protecting
`a client computer from dynamically generated malicious con
`tent, including receiving content being sent to a client com
`puter for processing, the content including a call to an original
`function, and the call including an input, modifying the con
`tent, including replacing the call to the original function With
`a corresponding call to a substitute function, the substitute
`function being operational to send the input for inspection,
`transmitting the modi?ed content to the client computer for
`processing, receiving the input from the client computer,
`determining Whether it is safe for the client computer to
`invoke the original function With the input, and transmitting
`to the client computer an indicator of Whether it is safe for the
`client computer to invoke the original function With the input.
`There is additionally provided in accordance With a pre
`ferred embodiment of the present invention a system for
`protecting a client computer from dynamically generated
`malicious content, including a receiver (i) for receiving con
`tent being sent to a client computer for processing, the content
`including a call to an original function, and the call including
`an input, and (ii) for receiving the input from the client com
`puter, a content modi?er for modifying the received content
`by replacing the call to the original function With a corre
`
`Patent Owner Finjan, Inc. - Exhibit 2006, p. 10
`
`

`
`US 7,757,289 B2
`
`7
`sponding call to a substitute function, the substitute function
`being operational to send the input for inspection, an input
`inspector for determining Whether it is safe for the client
`computer to invoke the original function With the input, and a
`transmitter (i) for transmitting the modi?ed content to the
`client computer, and (ii) for transmitting an indicator of the
`determining to the client computer.
`There is moreover provided in accordance With a preferred
`embodiment of the present invention a computer-readable
`storage medium storing program code for causing a comput
`ing device to receive content including a call to an original
`function, and the call including an input, replace the call to the
`original function With a corresponding call to a substitute
`function, the substitute function being operational to send the
`input for inspection, and determine Whether it is safe for a
`computer to invoke the original function With the input.
`There is further provided in accordance With a preferred
`embodiment of the present invention a method for protecting
`a computer from dynamically generated malicious content,
`including processing content received over a netWork, the
`content including a call to a ?rst function, and the call includ
`ing an input, transmitting the input to a security computer for
`inspection, When the ?rst function is invoked, receiving from
`the security computer an indicator of Whether it is safe to
`invoke a second function With the input, an