121205
`
`Am
`
`l
`5]m
`[C
`
`
`
`leagpe a plus sign (+) inside this box —i
`:0)
`-C
`
`PTOIS BI05 (05-05)
`Approved for use through 0713112006 OMB 0651-0032
`U 8 Patent and Trademark Office U.S DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995. no persons are required to respond to a collection oi inlorrnation unless it displays a valid OMB control number
`
`3
`
`
` P-9216-UsAttorney DocketNo. ,.
`
`
`
`UTILITY
`.
`.
`.
`- t
`
`- PATENT APPLICATION
`First Inventor or Application Identifier
`GRUZMAN, David
`~ _‘
`Title
`SYSTEM AND METHOD FOR INSPECTENG DYNAMICALLY 3‘ -0
`TRANSMITTAL
`: GENERATED EXECUTABLE cooe
`0'
`\
`
`(Only for new nonpiovisional applications under 37 C F.R. § 1 53(b))
`Express MaiILebeINo-
`
`iiiiiiiiiiiiiiiliiiiiiii
`
`
`
`
`
`
`APPLlCATlON ELEMENTS
`See MPEP chapter 600 concerning patent application contents
`
`Commissioner for Patents
`
`
`P. O. Box 1450
`ADDRESS TO:
`
`Alexandria, VA 22313-1450
`
`
`
`
`
`ACCOMPANYING APPLICATION PARTS
`
`
`
`E’ Assignment Papers (cover sheet 8. document(s))
`
`Name omssignee‘ Finian software Ltd.
`
`
`
`Fee Transmittal Form (e.g, PTO/SB/17)
`Submit an original and a duplicate for fee processing)
`Applicant claims small entity status.
`See 37 CFR 1.27
`
`
`
`
`
`
`
`
`3
`
`[Total Pages 58]
`E Specification
`(prelened arrangement set forth below)
`Drawing(s) (35 U SC 113)
`[TataIPages 5]
`
`
`
`
`]
`
`10. [j 37 C.F.R.§3.73(b)Statement
`(when (here is an assignee)
` 1 1. B English Translation Document (ifapplicable)
`
`
`
`12 E information Disclosure Statement PTOISBIDB or PTo~1-149
`
`E] Copies of foreign patent documents
`publications and other information
`
`
`
`
`
`
`
`
`
`3
`
`
`
`5 Oath OI‘ Declaration
`[Total Pages
`a 4 E Unexecuted (original or copy)
`b
`E]
`Copy from a prior application (37 C F R § 1 63(d))
`(tor continuation/divisional with Box 16 completed)
`i
`B DELETION OF lNVENTOR(S)
`Signed statement attached deleting inventor(s)
`named in the prior application, see 37 CFR
`1 63(d)(2) and 1 33(b)
`6 E] Application Data Sheet See 37 CFR 1 76
`7 El CD-ROM or CD-R in duplicate, large table or
`Computer Program (Appendix)
`Nucleotide andlor Amino Acid Sequence Submission
`(if applicable, items a - c are required)
`E’
`Return Receipt Postcard (MPEP 5303)
`COMPWEV Readable FONT‘ (CRF)
`BA
`14 B (should be specifically itemized)
`C rtif d C
`1 P '
`It D
`t
`b. I: Specification Sequence Listing on:
`15 E (ifeforeliggn prtigiitygis crllaoilneyid) acumen (S)
`_ I:
`_
`Nonpublication Request under 35 U.S C. l22(b)(2)(B)(I)
`I
`CD-ROM or CD-R (2 copies); or
`16. D Appiicani must attach roim PTO/SB/35 or equivalent
`
`Postcard
`
`.ii El paper
`17.
`c E Statements verifying identity of above copies
`‘If a_ CONTINUING APPLICATION, check appropriate box, and supply the requisite infomiation below and in the first sentence of the
`_ 18.
`specification following the title, or in an Application Data Sheet under 37 CFR 1. 75:
`
` B Continuation-in-part (CIP)
`CI Divisional
`El Continuation
`
`Prior a - - lication infonnatlon:
`Examiner
`19. CORRESPONDENCE ADDRESS
`
`
`13 El Preliminary Amendment
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`of prior application No :
`
`Other:
`
`1:] CustomerNumberorBarCode
`
`Eltan Law Group
`clo Landon IP inc.
`
`Insert CuslomerNo. orAtiach bar code label here
`
`I
`
`or
`
`Correspondence address below
`
`1700 Diagonal Road
`
`Name
`
`Address
`
`
`
`
`
`
`Alexandria
`
`City
`Country
`Telephone
`I USA
`
`
`Virginia
`Zip Code
`
`(703) 4876-1150
`Fax
`
`'
`22314
`(703) 892-4510 ‘
`
`
`
`
`
`
`
`
`Registration No. (Attamey/Agent)
`/’ ,."'!
`__\_l,la}1f’i/I4 She/rrilan
`Name (Print/Type)
`
`
`This collection oi information is required by 37 CFR 1 53(1)) The information is required to obtain or retain a benellt by the public which is to file (and by the
`USPTO to process) an application Confidentiality is governed by 35 Us (2 I22 and 37 CFR 1.1 1 and 1.14 This collection is estimated to take 12 minutes to
`complete. including gathering. preparing. and submitting the completed application icirm to the USPTO Time will vary depending upon the individual case. Any
`comments on the amount at time you require to complete this iorrn andlor suggestions tor reducing this burden. should be sent to the Chief lnlonnation Officer.
`U.S. Patent and Trademark Office. U S. Department of Commerce. P O. Box 1450. Alexandria. VA 22313-1450 DO NOT SEND FEES OR COMPLETED
`FORMS TO THIS ADDRESS SEND TO: Commissioner for Patents, PO. Box 1450, Alexandria, VA 22313-1450..
`
`
`
`I! you need assistance in completing the lorrn. call 1-800-PTO-9199 and select option 2
`Patent Owner Finj an, Inc. - EXhil)it 2009, p.
`
`1
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 1
`
`

`
`PTO/SBII7 (12-04 v2)
`Approved for use through 0713112006 OMB Oi35i»0032
`Patent and Trademark Office: U.S DEPARTMENT OF COMMERCE
`Under the Papenrvork Reduction Act oi 1995. no persons are required to respond to a collection of information unless it displays a valid OMB control number
`
`Lx
`
`:
`x:2L
`'\>
`
`_:
`(I)
`
`EE TRANSMTTAL '"”’°“””‘"°‘”"
`Filing Date
`for FY 2005
`.
`
`Errecrive 12/as/2004
`
` First Named Inventor
`
`E] Applicant claims small entity status See 37 CFR 1 27
`
`.
`Group I Art Unlt
`
`_
`
`.
`
`TOTAL AMOUNT OF PAYMENT
`
`($)585O
`
`Attorney Docket No.
`
`P_9216_US
`
`METHOD OF PAYMENT (check all that apply)
`I:] None C] Other (please specify):
`E] Check CI Credit Card D Money Order
`Deposit Account Name: Eitan Law Group
`E Deposit Account Number 50-3400
`For the above-identified deposit account. the Director is hereby authorized to: (check all that apply)
`8 Charge fee(s) indicated below
`[3 Charge lee(s) indicated below. except tor the filing fee
`Charge any additional leets) or underpayments ol lee(s)
`Credit any overpayments
`under 37 CFE1 16 and 1 17
`WAR NING: lnlormatlon on this form may become public. Credit card lnlormatlon should not be included on this form. Provide credit card
`0 information and authorization on PTO-2038.
`
`lulllliililllilllllilllllll
`
`FEE CALCULATION
`1. BASIC FILING, SEARCH, AND EXAMINATION FEES
`FILING FEES
`Small Entig
`150
`Fitfil
`1 00
`100
`150
`100
`
`-Application Type
`Utility
`Design
`Plant
`Reis sue
`Provisional
`2. EXCESS CLAIM FEES
`
`|’I=T<:)lt).$;l
`200
`200
`300
`200
`
`»
`
`v
`
`SEARCH FEES
`Small Entity
`Fee (§)
`250
`50
`150
`250
`O
`
`Fee [§)
`500
`100
`300
`- 500
`0
`
`EXAMINATION’ FEES
`Small Entity
`Fee |§)
`1 O0
`65
`
`Fee 5)
`200
`130
`160
`600
`O
`
`Fees Paid l§)
`1000
`
`80
`
`Small Entity
`Fee (S)
`Fee (§)
`25
`50
`100
`200
`1 80
`360
`Multiple Dependent Claims
`Fee (fit
`- Fee Paid (§)
`0
`
`Fee Description
`Each claim over 20 or, for Reissues, each claim over 20 and more than in the original patent
`Each independent claim over 3 or, for Reissues. each independent claim more than in the original patent
`Multiple dependent claims
`Extra Claims
`Total Claims
`x
`Q
`-20 or HP =
`Q
`HP = highest number of total claims paid for. if greater than 20
`Fee [§)
`lndeg. Claims
`Extra Claims
`x 1
`-3 or HP =
`1_5_
`13
`HP = highest number of independent claims paid lor. if greater than 3
`
`Fee Paid [Q
`2450
`
`Fee Paid (S)
`2400
`
`Fee (§)
`Q
`
`3. APPLICATION SIZE FEE
`if the specification and drawings exceed 100 sheets of paper. the application size tee due is $250 ($125 for small entity) for each
`additional 50 sheets or fraction thereof See 35 U S.C 41(a)(t)(G) and 37 CFR 1.t6(s).
`.
`Total Sheets
`Extra Sheets
`Number of each additional 50 or fraction thereof
`(round up to a whole number)
`x
`
`-100
`
`I 50 =
`
`Fee (§)
`
`Fee Paid ($1
`
`4. OTHER FEE(S)
`Non-English Specification. $130 fee (no small entity discount)
`
`Fee Paid (Q
`
`Comlete ilalicable
`,
`SUBMITTED BY
`/I
`egistration No
`_
`/
`.
`Name(Pnnt/Type)
`vIanyr€ s e
`an
`1
`meme Men” E Telephone
`(7o3)48611so
`
`
` i °°°e"“=°"2«2°°5
`This collection oi lnlormation is required by 37
`' 1 136 The lnlormalion is required to obtain or retain a benelit by the public which is to tile (and by the
`USPTO to process) an application. confidentiality is governed by 35 U.S.C 122 and 37 CFR 1.14 This collection is estimated to take 30 minutes to complete.
`including gathering. preparing, and submitting the completed application torm to the USPTO Time will vary depending upon the individual case. Any comments
`on the amount of time you require to complete this lonn andlor suggestions for reducing this burden. should be sent to the Chiel Information Otticer. US Patent
`and Trademark Otrrce, U .5 Department ol Commerce, P 0. Box 1450. Alexandria, VA 22313-1450 DO NOT SEND FEES OR COMPLETED FORMS To THlS
`ADDRESS SEND TO: Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
`
`’
`
`"
`
`.r‘I
`
`If you need assistance in completing the form. call 1-800-PTO-9199 and select option 2
`
`Patent Owner Finj an, Inc. - Exhibit 2009, p. 2
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 2
`
`

`
` 121205
`
`Am
`
`l
`5]m
`[C
`
`
`
`leagpe a plus sign (+) inside this box —i
`:0)
`-C
`
`PTOIS BI05 (05-05)
`Approved for use through 0713112006 OMB 0651-0032
`U 8 Patent and Trademark Office U.S DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995. no persons are required to respond to a collection oi inlorrnation unless it displays a valid OMB control number
`
`3
`
`
` P-9216-UsAttorney DocketNo. ,.
`
`
`
`UTILITY
`.
`.
`.
`- t
`
`- PATENT APPLICATION
`First Inventor or Application Identifier
`GRUZMAN, David
`~ _‘
`Title
`SYSTEM AND METHOD FOR INSPECTENG DYNAMICALLY 3‘ -0
`TRANSMITTAL
`: GENERATED EXECUTABLE cooe
`0'
`\
`
`(Only for new nonpiovisional applications under 37 C F.R. § 1 53(b))
`Express MaiILebeINo-
`
`iiiiiiiiiiiiiiiliiiiiiii
`
`
`
`
`
`
`APPLlCATlON ELEMENTS
`See MPEP chapter 600 concerning patent application contents
`
`Commissioner for Patents
`
`
`P. O. Box 1450
`ADDRESS TO:
`
`Alexandria, VA 22313-1450
`
`
`
`
`
`ACCOMPANYING APPLICATION PARTS
`
`
`
`E’ Assignment Papers (cover sheet 8. document(s))
`
`Name omssignee‘ Finian software Ltd.
`
`
`
`Fee Transmittal Form (e.g, PTO/SB/17)
`Submit an original and a duplicate for fee processing)
`Applicant claims small entity status.
`See 37 CFR 1.27
`
`
`
`
`
`
`
`
`3
`
`[Total Pages 58]
`E Specification
`(prelened arrangement set forth below)
`Drawing(s) (35 U SC 113)
`[TataIPages 5]
`
`
`
`
`]
`
`10. [j 37 C.F.R.§3.73(b)Statement
`(when (here is an assignee)
` 1 1. B English Translation Document (ifapplicable)
`
`
`
`12 E information Disclosure Statement PTOISBIDB or PTo~1-149
`
`E] Copies of foreign patent documents
`publications and other information
`
`
`
`
`
`
`
`
`
`3
`
`
`
`5 Oath OI‘ Declaration
`[Total Pages
`a 4 E Unexecuted (original or copy)
`b
`E]
`Copy from a prior application (37 C F R § 1 63(d))
`(tor continuation/divisional with Box 16 completed)
`i
`B DELETION OF lNVENTOR(S)
`Signed statement attached deleting inventor(s)
`named in the prior application, see 37 CFR
`1 63(d)(2) and 1 33(b)
`6 E] Application Data Sheet See 37 CFR 1 76
`7 El CD-ROM or CD-R in duplicate, large table or
`Computer Program (Appendix)
`Nucleotide andlor Amino Acid Sequence Submission
`(if applicable, items a - c are required)
`E’
`Return Receipt Postcard (MPEP 5303)
`COMPWEV Readable FONT‘ (CRF)
`BA
`14 B (should be specifically itemized)
`C rtif d C
`1 P '
`It D
`t
`b. I: Specification Sequence Listing on:
`15 E (ifeforeliggn prtigiitygis crllaoilneyid) acumen (S)
`_ I:
`_
`Nonpublication Request under 35 U.S C. l22(b)(2)(B)(I)
`I
`CD-ROM or CD-R (2 copies); or
`16. D Appiicani must attach roim PTO/SB/35 or equivalent
`
`Postcard
`
`.ii El paper
`17.
`c E Statements verifying identity of above copies
`‘If a_ CONTINUING APPLICATION, check appropriate box, and supply the requisite infomiation below and in the first sentence of the
`_ 18.
`specification following the title, or in an Application Data Sheet under 37 CFR 1. 75:
`
` B Continuation-in-part (CIP)
`CI Divisional
`El Continuation
`
`Prior a - - lication infonnatlon:
`Examiner
`19. CORRESPONDENCE ADDRESS
`
`
`13 El Preliminary Amendment
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`of prior application No :
`
`Other:
`
`1:] CustomerNumberorBarCode
`
`Eltan Law Group
`clo Landon IP inc.
`
`Insert CuslomerNo. orAtiach bar code label here
`
`I
`
`or
`
`Correspondence address below
`
`1700 Diagonal Road
`
`Name
`
`Address
`
`
`
`
`
`
`Alexandria
`
`City
`Country
`Telephone
`I USA
`
`
`Virginia
`Zip Code
`
`(703) 4876-1150
`Fax
`
`'
`22314
`(703) 892-4510 ‘
`
`
`
`
`
`
`
`
`Registration No. (Attamey/Agent)
`/’ ,."'!
`__\_l,la}1f’i/I4 She/rrilan
`Name (Print/Type)
`
`
`This collection oi information is required by 37 CFR 1 53(1)) The information is required to obtain or retain a benellt by the public which is to file (and by the
`USPTO to process) an application Confidentiality is governed by 35 Us (2 I22 and 37 CFR 1.1 1 and 1.14 This collection is estimated to take 12 minutes to
`complete. including gathering. preparing. and submitting the completed application icirm to the USPTO Time will vary depending upon the individual case. Any
`comments on the amount at time you require to complete this iorrn andlor suggestions tor reducing this burden. should be sent to the Chief lnlonnation Officer.
`U.S. Patent and Trademark Office. U S. Department of Commerce. P O. Box 1450. Alexandria. VA 22313-1450 DO NOT SEND FEES OR COMPLETED
`FORMS TO THIS ADDRESS SEND TO: Commissioner for Patents, PO. Box 1450, Alexandria, VA 22313-1450..
`
`
`
`I! you need assistance in completing the lorrn. call 1-800-PTO-9199 and select option 2
`Patent Owner Finj an, Inc. - EXhil)it 2009, p. 3
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 3
`
`

`
`PTO/SBII7 (12-04 v2)
`Approved for use through 0713112006 OMB Oi35i»0032
`Patent and Trademark Office: U.S DEPARTMENT OF COMMERCE
`Under the Papenrvork Reduction Act oi 1995. no persons are required to respond to a collection of information unless it displays a valid OMB control number
`
`Lx
`
`:
`x:2L
`'\>
`
`_:
`(I)
`
`EE TRANSMTTAL '"”’°“””‘"°‘”"
`Filing Date
`for FY 2005
`.
`
`Errecrive 12/as/2004
`
` First Named Inventor
`
`E] Applicant claims small entity status See 37 CFR 1 27
`
`.
`Group I Art Unlt
`
`_
`
`.
`
`TOTAL AMOUNT OF PAYMENT
`
`($)585O
`
`Attorney Docket No.
`
`P_9216_US
`
`METHOD OF PAYMENT (check all that apply)
`I:] None C] Other (please specify):
`E] Check CI Credit Card D Money Order
`Deposit Account Name: Eitan Law Group
`E Deposit Account Number 50-3400
`For the above-identified deposit account. the Director is hereby authorized to: (check all that apply)
`8 Charge fee(s) indicated below
`[3 Charge lee(s) indicated below. except tor the filing fee
`Charge any additional leets) or underpayments ol lee(s)
`Credit any overpayments
`under 37 CFE1 16 and 1 17
`WAR NING: lnlormatlon on this form may become public. Credit card lnlormatlon should not be included on this form. Provide credit card
`0 information and authorization on PTO-2038.
`
`lulllliililllilllllilllllll
`
`FEE CALCULATION
`1. BASIC FILING, SEARCH, AND EXAMINATION FEES
`FILING FEES
`Small Entig
`150
`Fitfil
`1 00
`100
`150
`100
`
`-Application Type
`Utility
`Design
`Plant
`Reis sue
`Provisional
`2. EXCESS CLAIM FEES
`
`|’I=T<:)lt).$;l
`200
`200
`300
`200
`
`»
`
`v
`
`SEARCH FEES
`Small Entity
`Fee (§)
`250
`50
`150
`250
`O
`
`Fee [§)
`500
`100
`300
`- 500
`0
`
`EXAMINATION’ FEES
`Small Entity
`Fee |§)
`1 O0
`65
`
`Fee 5)
`200
`130
`160
`600
`O
`
`Fees Paid l§)
`1000
`
`80
`
`Small Entity
`Fee (S)
`Fee (§)
`25
`50
`100
`200
`1 80
`360
`Multiple Dependent Claims
`Fee (fit
`- Fee Paid (§)
`0
`
`Fee Description
`Each claim over 20 or, for Reissues, each claim over 20 and more than in the original patent
`Each independent claim over 3 or, for Reissues. each independent claim more than in the original patent
`Multiple dependent claims
`Extra Claims
`Total Claims
`x
`Q
`-20 or HP =
`Q
`HP = highest number of total claims paid for. if greater than 20
`Fee [§)
`lndeg. Claims
`Extra Claims
`x 1
`-3 or HP =
`1_5_
`13
`HP = highest number of independent claims paid lor. if greater than 3
`
`Fee Paid [Q
`2450
`
`Fee Paid (S)
`2400
`
`Fee (§)
`Q
`
`3. APPLICATION SIZE FEE
`if the specification and drawings exceed 100 sheets of paper. the application size tee due is $250 ($125 for small entity) for each
`additional 50 sheets or fraction thereof See 35 U S.C 41(a)(t)(G) and 37 CFR 1.t6(s).
`.
`Total Sheets
`Extra Sheets
`Number of each additional 50 or fraction thereof
`(round up to a whole number)
`x
`
`-100
`
`I 50 =
`
`Fee (§)
`
`Fee Paid ($1
`
`4. OTHER FEE(S)
`Non-English Specification. $130 fee (no small entity discount)
`
`Fee Paid (Q
`
`Comlete ilalicable
`,
`SUBMITTED BY
`/I
`egistration No
`_
`/
`.
`Name(Pnnt/Type)
`vIanyr€ s e
`an
`1
`meme Men” E Telephone
`(7o3)48611so
`
`
` i °°°e"“=°"2«2°°5
`This collection oi lnlormation is required by 37
`' 1 136 The lnlormalion is required to obtain or retain a benelit by the public which is to tile (and by the
`USPTO to process) an application. confidentiality is governed by 35 U.S.C 122 and 37 CFR 1.14 This collection is estimated to take 30 minutes to complete.
`including gathering. preparing, and submitting the completed application torm to the USPTO Time will vary depending upon the individual case. Any comments
`on the amount of time you require to complete this lonn andlor suggestions for reducing this burden. should be sent to the Chiel Information Otticer. US Patent
`and Trademark Otrrce, U .5 Department ol Commerce, P 0. Box 1450. Alexandria, VA 22313-1450 DO NOT SEND FEES OR COMPLETED FORMS To THlS
`ADDRESS SEND TO: Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
`
`’
`
`"
`
`.r‘I
`
`If you need assistance in completing the form. call 1-800-PTO-9199 and select option 2
`
`Patent Owner Finj an, Inc. - Exhibit 2009, p. 4
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 4
`
`

`
`SYSTEM AND METHOD FOR INSPECTING
`
`DYNAMICALLYA GENERATED EXECUTABLE CODE
`
`FIELD OF THE INVENTION
`
`[0001]
`
`The present invention relates to computer security, and more
`
`particularly to protection against malicious code such as computer
`
`viruses.
`
`BACKGROUND OF THE INVENTION
`
`[0002]
`
`Computer viruses have been rampant for over two decades now.
`
`Computer viruses generally come in the form of executable code that
`
`performs adverse operations, such as modifying a computer's operating
`
`system-or file system, damaging a computer's hardware or hardware
`
`interfaces, or automatically transmittingfdata from one computer to
`
`another. Generally, computer viruses are generated by hackers willfully,
`
`in order to exploit computer vulnerabilities. However, viruses can also
`
`arise by accident due to bugs in software applications.
`
`[0003]
`
`Originally computer viruses were transmitted as executable code
`
`inserted into files. As each new viruses was discovered, a signature of
`
`the virus was collected by anti-virus companies and used from then on to
`
`detect the virus and protect computers against it. Users began routinely
`scanning their file systems using anti-virus software, which regularly
`
`updated its signature database as each new virus was discovered.
`
`[0004]
`
`Such anti-virus protection is referred to as “reactive”, since it
`
`can only protect in reaction to viruses that have already been discovered.
`
`[0005]
`
`- With the advent of the Internet and the ability to run executable
`
`code such as scripts within Internet browsers, a new type of virus
`
`formed; namely, a virus that enters a computer over the Internet and not
`
`Atty. Docket No. P-9216—LlS
`
`-1-
`
`_
`.
`.
`_
`Patent Owner Fm] an, Inc. - Exhibit 2009, p. 5
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 5
`
`

`
`through the computer's file system. Such Internet viruses can be
`
`embedded within web pages and other web content, and begin executing.
`
`within an Internet browser as soon as they enter a computer. Routine file
`
`scans are not able to detect such viruses, and as a result more
`
`sophisticated anti-virus tools had to be developed.
`[0006]
`Two generic types of anti-virus applications that are currently
`
`available to protect against such Internet viruses are (i) gateway security
`
`"applications, and (ii) desktop security applications. Gateway security
`
`applications shield web content before the content is delivered to its
`
`intended destination computer. Gateway security applications scan web
`
`content, and block the content from reaching the destination computer if
`the content is deemed by the security application to be potentially
`
`malicious.
`
`In distinction, desktop security applications shield against web
`
`content after the content reaches its intended destination computer.
`
`[0007] Moreover, in addition to reactive anti-virus applications, that are
`
`based on databases of known virus signatures, recently.“proactive” anti-
`
`virus applications have been developed. Proactive anti-virus protection
`
`uses a methodology known as “behavioral analysis” to analyze computer
`
`content for the presence of viruses. Behavior analysis is used to
`
`automatically scan and parse executable content, in order to detect which
`
`computer operations the content may perform. As such, behavioral
`analysis can block viruses that have not been previously detected and
`which do not have a signature on record, hence the name “proactive”.
`
`[0008]
`
`Assignee’srUS Patent No. 6,092,194 entitled SYSTEM AND
`
`METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM
`
`. HOSTILE DOWNLOADABLES, the contents of which are hereby
`
`incorporated by reference, describes gateway level behavioral analysis.
`
`Atty. Docket ND. P-9216-US
`
`-2-
`
`>
`.
`.
`,
`,
`Patent Owner Fin] an, Inc. - Exhibit 2009, p. 6
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 6
`
`

`
`Such behavioral analysis scans and parses content received at a gateway
`
`and generates a security profile for the content. A security profile is a
`
`general list or delineation of suspicious, or potentially malicious,
`
`operations that executable content may perform. The derived security
`
`profile is then compared with a security policy for the computer being
`
`protected, to determine whetheror not the content’s security profile
`violates the computer's security policy. A security policy is a general set I
`of simple or complex rules, that may be applied logically in series or in
`parallel, which determine whether or not a specific operation is permitted
`
`or forbidden to be performed by the content on the computer being
`protected. Security policies are generally configurable, and set by an
`
`administrator of the computer that are being protected.
`
`[0009]
`
`Assignee’s US Patent No. 6,167,520 entitled SYSTEM AND
`
`METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE
`
`DOWNLOADABLES, the contents of which are hereby incorporated by
`
`reference, describes desktop level behavioral analysis. Desktop level
`
`behavioral analysis is generally implemented during run‘-time, while a
`
`computer's web browser is processing web content received over the
`
`Internet. As the content is being processed, desktop securi_ty a-pplicagtions
`monitor callsnmlade "to'c_ritical_ systems of the computer, such'as the
`
`operating system, the file system and the network system. Desktop
`
`security applications use hooks to intercept calls made to operating
`
`system functions, and allow or block the calls as appropriate, based on
`
`the computer's security policy.
`
`_
`
`Each of the various anti—virus_t_echnologies, gateway vs. desktop,
`[0010]
`reactive vsfproactive, has its pros and cons.‘ Reactive anti-virus
`
`protection is computationally simple and fast; proactive virus protection is
`
`Atty. Docket No. P-9216-US
`'
`
`-3-
`
`.
`.
`~
`,
`,
`Patent Owner Fm} an, Inc. - Exhibit 2009, p. 7
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 7
`
`

`
`computationally intensive and slower. Reactive anti-virus protection
`
`cannot protect -against new “first-time” viruses, and cannot protect a user
`
`if his signature file is out of date; proactive anti—virus protection can
`protect against new “first-time” viruses and do not require regular
`
`downloading of updated signature files. Gateway level protection keeps
`
`computer viruses at a greater distance from a local network of
`
`computers; desktop level protection is more accurate. Desktop level
`protection is generally available in the consumer market for hackers to
`
`obtain,-and is susceptible to reverse engineering; gateway level
`
`protection is not generally available to hackers.
`
`[0011]
`
`Reference is now made to FIG. 1, which is a simplified. block
`
`diagram of prior art systems for blocking malicious content, as described
`
`hereinabove. The topmost system shown in .FIG.1 illustrates a gateway
`
`level security application. The middle system shown in FIG. 1 illustrates
`
`a desktop level security application, and the bottom system shown in
`
`. FIG. 1 illustrates a combined gateway + desktop level security
`
`application.
`
`[0012]
`
`The topmost system shown in FIG. 1 includes a gateway
`
`computer 105 that receives content from the Internet, the content
`
`intended for delivery to a client computer 110. Gateway computer 105
`
`receives the content over a communication channel 120, and gateway
`
`computer communicates with client computer 110 over a communication
`
`channel 125. Gateway computer 105 includes a gateway receiver 135
`
`' and a gateway transmitter 140. Client computer 110 includes a client
`
`receiver 145. Client computer generally also has a client transmitter, A
`
`which is not shown.
`
`Atty. Docket No. P-9216—US
`‘
`
`‘
`
`-4-
`
`.
`.
`.
`.
`Patent Owner Fm} an, Inc. - Exhibit 2009, p. 8
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 8
`
`

`
`[0013]
`
`Client computer 110 includes a content processor 170, such as
`
`a conventional web browser, which processes Internet content and
`re_nders it for interactive viewing on a display monitor. Such Internet
`
`content may be in the form of executable code, Javascript, VBScript, Java
`applets, Activex controls, which are supported by web browsers.
`[0014]
`Gateway computer 105 includes a content inspector 174 which
`
`may be reactive or proactive, or a combination of reactiveand proactive.
`
`Incoming content is analyzed by content inspector 174 before being
`
`transmitted to client computer 110.
`
`If incoming content is deemed to be
`
`malicious, then gateway computer 105 preferably prevents the content
`
`.
`
`from reaching client computer 110. Alternatively, gateway computer
`
`105_may modify the content so as to render it harmless, and
`
`subsequently transmit the modified content to client computer 110. ‘
`
`[0015]
`Content inspector 174 can be used to inspect incoming content,
`on its way to client computer 110 as its destination, and also to inspect
`
`outgoing content, being sent from client computer 110 as its origin.
`[0016]
`The middle system shown in FIG. 1 includes a gateway
`
`computer 105 and a client computer 110, the client computer 110
`
`including a content inspector 176. Content inspector 176 may be a
`
`conventional signature-based anti—virus application, or a runwtime
`
`behavioral based application that monitors run~time calls invoked by
`
`content processor 170 to operating system, file system and network
`
`system functions.
`
`I
`
`_
`
`[0017]
`
`The bottom system shown in FIG. 1 includes both a content
`
`inspector 174 at gateway computer 105, and a content inspector 176 at
`
`client computer 110. Such a system can support conventional gateway
`
`Atty. Docket No. P-9216-us
`
`-5-
`
`,
`,
`,
`,
`Patent Owner Fm] an, Inc. - Exhibit 2009, p. 9
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 9
`
`

`
`level protection, desktop level protection, reactive anti—virus protection
`
`and proactive anti-virus protection.
`
`[0018]
`As the hacker vs. anti—virus protection battle continues to wage,
`a newer type of virus has sprung forward_;_ namely, dynamically generated
`
`viruses. These viruses are themselves generated only at run-time, thus
`
`thwarting-conventional reactive analysis and conventional gateway level
`
`proactive behavioral analysis. These viruses take advantage of features
`
`° of dynamic HTML generation, such as executable code or scripts that are
`
`embedded within HTML pages, to generate themselves on the fly at run-
`
`time.
`
`[0019]
`
`For example, consider the following portion of astandard HTML
`
`page:
`
`<!DOCTYPE HTML PUBLIC “—//w3c//own HTML 4.0 Transitional//EN”>
`
`7
`<HTML>
`<SCRIPT LANGUAGE="JavaScript”>
`
`document.write(“<h1>text that is generated at run—time</h1>”);
`
`Q/SCRIPT>
`<BODY>
`
`2/BODY>
`</HTML>
`
`The text within the <SCRIPT> tags is Javascript, and includes a call to
`
`the standard function document. write(), which generates dynamic HTML.
`
`In the example above, the function document.write() is used to generate
`
`HTML header text, with a text string that is generated at run—time.
`
`If the
`
`text string generated at run-time is of the form
`
`<SCRIPT>malicious JavaScript</SCRIPT>
`
`then the document. write() function will insert malicious Javascript into
`
`the HTML page that is currently being rendered by a web browser.
`
`In
`
`Att. D
`y
`
`k t|V .P-9216-US
`9C e
`0
`
`-6-
`
`.
`.
`..
`Patent Owner Flnjan, Inc. - EXh1b1t2009, p. 10
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 10
`
`

`
`turn, when the web browser processes the inserted text, it will perform
`
`malicious ope_rations to the client computer.
`
`[0020]
`
`Such dynamically generated malicious code cannot be detected
`
`by conventional reactive content inspection and conventional gateway
`
`level behavioral analysis content inspection, since the malicious “
`
`Javascript is not present in the content prior to run-time. A content
`
`inspector will only detect the presence of a call to Document. write() with
`
`- input text that is yet unknown.
`If such a content inspector were to block
`all calls to Document.write() indiscriminately, then many harmless scripts ,
`
`will be blocked, since most of the time calls to Document. write() are
`
`made for dynamic display purposes only.
`
`[0021j
`
`US Patent Nos. 5,983,348 and 6,272,641, both to Ji, describe
`
`reactive client level content inspection, that modifies downloaded
`
`executable code within a desktop level anti-virus application. However,
`
`such inspection can only protect against static malicious content, and
`
`cannot protect against dynamically generated malicious content.
`
`[0022]
`
`Desktop level run—tirne behavioral analysis has a chance of
`
`shielding a client computer against dynamically generated malicious code,
`
`since such code will ultimately make a call to an operating system
`
`function. However, desktop anti-virus protection has a disadvantage of
`
`being widely available to the hacker community, which is always eager to
`
`ofind vulnerabilities.
`
`In addition, desktop anti-virus protection has a
`
`disadvantage of requiring installation of client software.
`
`[0023]
`
`As such, there is a need for a new form of behavioral analysis,
`
`which can shield computers from dynamically generated malicious code
`
`without running on the computer itself that is being shielded.
`
`Atty. Docket No. P-9216-US
`
`-7-
`
`.
`.
`.
`.
`Patent Owner Fm} an, Inc. - Exhibit 2009, p. 11
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 11
`
`

`
`SUMMARY OF THE DESCRIPTION
`
`[0024]
`
`The present invention concerns systems and methods for
`
`implementing new behavioral analysis technology. The new behavioral
`
`analysis technology affords protection against dynamically generated
`
`malicious code,_ in addition to conventional computer viruses that are
`
`statically generated.
`
`[0025]
`
`The present invention operates through a security computer that
`
`is preferably remote from a client computer that is being shielded while
`
`processing network content. During run—time, while processing the
`
`network content, but before the client computer invokes a function call
`that may potentially dynamically generate malicious code, the client
`
`computer passes the input to the function to the security computer for
`
`inspection, and suspends processing the network content pending a reply
`
`back from the security computer. Since the input to the function‘"is ‘being
`
`passed at run—time, it has already been dynamically generated and is
`thus readily inspected by a content inspector. Referring to the example
`
`above, were the input to be passed to the security computer prior to run-
`
`.:time,_ it" would take -the form of indeterminate text; whereas the input"
`passed during run—time takes the determinate form
`
`<SCRIPT>malicious JavaScript</SCRIPT> ,
`
`A
`
`which can readily be inspected. Upon receipt of a reply from the security
`
`computer, the client computer resumes processing the network content,
`
`and knows whether to by-pass the function call invocation.
`
`[0026]
`
`To enable the client computer to pass function inputs to the
`
`security computer and suspend processing of, content pending replies
`
`from the security computer, the present invention operates by replacing
`
`original function calls with substitute function calls within the content, at
`
`Att
`
`. D k t N . P-9216-US
`0c e
`0
`
`Y
`
`-8-
`
`'
`,
`,
`.
`,
`Patent Owner‘F1n]an, Inc. - Exhibit 2009, p. 12
`
`Patent Owner Finjan, Inc. - Exhibit 2009, p. 12
`
`

`
`a gateway computer, prior to the content being received at the client
`
`computer.
`[0027]
`The present invention also provides protection against arbitrarily
`
`many recursive levels of dynamic generation of malicious code, whereby
`
`such code is generated via a series of successive function calls, one within
`the next.
`I
`[0028]
`By operating through the medium of a securitycomputer, the
`
`present invention overcomesthe disadvantages of desktop anti—virus
`
`applications, which are available to the hacker community for exploit.
`
`Security applications embodying the present invention are concealed
`
`securely within managed computers.
`
`[0029]
`
`There is t