`(Small Entity)
`
`Docket No. 40492.00002
`
`TO THE ASSISTANT COMMISSIONER FOR PATENTS
`
`Transmitted herewith for filing under 35 U.S.C. 111 and 37 C.F.R. 1.53 is the patent application of:
`
`System and Method for Protecting a Computer and a Network from Hostile Downloadables
`
`Enclosed are:
`[X] Certificate of Mailing with Express Mail Mailing Label No. EM096316525US
`[X] 10 sheets of drawings.
`[ ] A certified copy of a ______ application.
`[X] Declaration: [ ] Signed. [X] Unsigned.
`[X] Power of Attorney
`[ ] Information Disclosure Statement
`[ ] Preliminary Amendment
`[ ] Verified Statement(s) to Establish Small Entity Status Under 37 C.F.R. 1.9 and 1.27.
`[ ] Other:
`
`CLAIMS AS FILED
`
`For | #Filed | #Allowed | #Extra | Rate | Fee
`Total Claims | 70 | - 20 = | 50 | x $11.00 | $550.00
`Indep. Claims | 5 | - 3 = | 2 | x $41.00 | $82.00
`Multiple Dependent Claims (check if applicable) [ ] | | | | | $0.00
`BASIC FEE | | | | | $395.00
`TOTAL FILING FEE | | | | | $1,027.00
`
`[X] A check in the amount of $1,027.00 to cover the filing fee is enclosed.
`[X] The Commissioner is hereby authorized to charge and credit Deposit Account No. 05-0150 as described below. A duplicate copy of this sheet is enclosed.
`[ ] Charge the amount of ______ as filing fee.
`[X] Credit any overpayment.
`[X] Charge any additional filing fees required under 37 C.F.R. 1.16 and 1.17.
`[ ] Charge the issue fee set in 37 C.F.R. 1.18 at the mailing of the Notice of Allowance, pursuant to 37 C.F.R. 1.311(b).
`
`Dated:
`
`cc:
`
`Signature
`Marc Sockol, Reg. No. 40,823
`
`Graham & James LLP
`600 Hansen Way
`Palo Alto, CA 94304-1043
`
`Blue Coat Systems - Exhibit 1035 Page 1
`
`
`
`PATENT
`
`APPLICATION FOR
`
`UNITED STATES PATENT
`
`IN THE NAME OF
`
`Shlomo Touboul
`
`OF
`
`FINJAN SOFTWARE, LTD.
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A
`
`NETWORK FROM HOSTILE DOWNLOADABLES
`
`DOCKET NO. 40492.00002
`
`Please direct communications to:
`
`Intellectual Property Department
`Graham & James LLP
`600 Hansen Way
`Palo Alto, CA 94304-1043
`(650) 856-6500
`
`Express Mail Number EM096316525US
`
`1311124834.01.00
`11 0697/1556/40492.00002
`
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK
`
`FROM HOSTILE DOWNLOADABLES
`
`PRIORITY REFERENCE TO PROVISIONAL APPLICATION
`
`This application claims benefit of and hereby incorporates by reference provisional application serial number 60/030,639, entitled "System and Method for Protecting a Computer from Hostile Downloadables," filed on November 8, 1996, by inventor Shlomo Touboul.
`
`INCORPORATION BY REFERENCE TO RELATED APPLICATION
`
`This application hereby incorporates by reference related U.S. patent application serial number 08/790,097, entitled "System and Method for Protecting a Client from Hostile Downloadables," filed on January 29, 1997, by inventor Shlomo Touboul.
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`
`This invention relates generally to computer networks, and more particularly provides a system and method for protecting a computer and a network from hostile Downloadables.
`
`2. Description of the Background Art
`
`The Internet is currently a collection of over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as "viruses."
`
`Accordingly, programmers continue to design computer and computer network security systems for blocking these viruses from attacking both individual and network computers. For the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to or configured as Downloadable application programs, commonly referred to as "Downloadables." A Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer. A Downloadable is typically requested by an ongoing process such as by an Internet browser or web engine. Examples of Downloadables include Java™ applets designed for use in the Java™ distributing environment developed by Sun Microsystems, Inc., JavaScript scripts also developed by Sun Microsystems, Inc., ActiveX™ controls designed for use in the ActiveX™ distributing environment developed by the Microsoft Corporation, and Visual Basic also developed by the Microsoft Corporation. Therefore, a system and method are needed to protect a network from hostile Downloadables.
`
`SUMMARY OF THE INVENTION
`
`The present invention provides a system for protecting a network from suspicious Downloadables. The system comprises a security policy, an interface for receiving a Downloadable, and a comparator, coupled to the interface, for applying the security policy to the Downloadable to determine if the security policy has been violated. The Downloadable may include a Java™ applet, an ActiveX™ control, a JavaScript™ script, or a Visual Basic script. The security policy may include a default security policy to be applied regardless of the client to whom the Downloadable is addressed, a specific security policy to be applied based on the client or the group to which the client belongs, or a specific policy to be applied based on the client/group and on the particular Downloadable received. The system uses an ID generator to compute a Downloadable ID identifying the Downloadable, preferably, by fetching all components of the Downloadable and performing a hashing function on the Downloadable including the fetched components.
`
`Further, the security policy may indicate several tests to perform, including (1) a comparison with known hostile and non-hostile Downloadables; (2) a comparison with Downloadables to be blocked or allowed per administrative override; (3) a comparison of the Downloadable security profile data against access control lists; (4) a comparison of a certificate embodied in the Downloadable against trusted certificates; and (5) a comparison of the URL from which the Downloadable originated against trusted and untrusted URLs. Based on these tests, a logical engine can determine whether to allow or block the Downloadable.
`
`The present invention further provides a method for protecting a computer from suspicious Downloadables. The method comprises the steps of receiving a Downloadable, comparing the Downloadable against a security policy to determine if the security policy has been violated, and discarding the Downloadable if the security policy has been violated.
`
`It will be appreciated that the system and method of the present invention may provide computer protection from known hostile Downloadables. The system and method of the present invention may identify Downloadables that perform operations deemed suspicious. The system and method of the present invention may examine the Downloadable code to determine whether the code contains any suspicious operations, and thus may allow or block the Downloadable accordingly.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is a block diagram illustrating a network system, in accordance with the present invention;
`
`FIG. 2 is a block diagram illustrating details of the internal network security system of FIG. 1;
`
`FIG. 3 is a block diagram illustrating details of the security program and the security database of FIG. 2;
`
`FIG. 4 is a block diagram illustrating details of the security policies of FIG. 3;
`
`FIG. 5 is a block diagram illustrating details of the security management console of FIG. 1;
`
`FIG. 6A is a flowchart illustrating a method of examining for suspicious Downloadables, in accordance with the present invention;
`
`FIG. 6B is a flowchart illustrating details of the step for finding the appropriate security policy of FIG. 6A;
`
`FIG. 6C is a flowchart illustrating a method for determining whether an incoming Downloadable is to be deemed suspicious;
`
`FIG. 7 is a flowchart illustrating details of the FIG. 6 step of decomposing a Downloadable; and
`
`FIG. 8 is a flowchart illustrating a method 800 for generating a Downloadable ID for identifying a Downloadable.
`
`DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a network system 100, in accordance with the present invention. The network system 100 includes an external computer network 105, such as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a communications channel 125 to an internal network security system 110. The network system 100 further includes an internal computer network 115, such as a corporate Local Area Network (LAN), coupled via a communications channel 130 to the internal network computer system 110 and coupled via a communications channel 135 to a security management console 120.
`
`The internal network security system 110 examines Downloadables received from external computer network 105, and prevents Downloadables deemed suspicious from reaching the internal computer network 115. It will be further appreciated that a Downloadable is deemed suspicious if it performs or may perform any undesirable operation, or if it threatens or may threaten the integrity of an internal computer network 115 component. It is to be understood that the term "suspicious" includes hostile, potentially hostile, undesirable, potentially undesirable, etc. Security management console 120 enables viewing, modification and configuration of the internal network security system 110.
`
`FIG. 2 is a block diagram illustrating details of the internal network security system 110, which includes a Central Processing Unit (CPU) 205, such as an Intel Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to a signal bus 220. The internal network security system 110 further includes an external communications interface 210 coupled between the communications channel 125 and the signal bus 220 for receiving Downloadables from external computer network 105, and an internal communications interface 225 coupled between the signal bus 220 and the communications channel 130 for forwarding Downloadables not deemed suspicious to the internal computer network 115. The external communications interface 210 and the internal communications interface 225 may be functional components of an integral communications interface (not shown) for both receiving Downloadables from the external computer network 105 and forwarding Downloadables to the internal computer network 115.
`
`Internal network security system 110 further includes Input/Output (I/O) interfaces 215 (such as a keyboard, mouse and Cathode Ray Tube (CRT) display), a data storage device 230 such as a magnetic disk, and a Random-Access Memory (RAM) 235, each coupled to the signal bus 220. The data storage device 230 stores a security database 240, which includes security information for determining whether a received Downloadable is to be deemed suspicious. The data storage device 230 further stores a users list 260 identifying the users within the internal computer network 115 who may receive Downloadables, and an event log 245 which includes determination results for each Downloadable examined and runtime indications of the internal network security system 110. An operating system 250 controls processing by CPU 205, and is typically stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution. A security program 255 controls examination of incoming Downloadables, and also may be stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution by CPU 205.
`
`FIG. 3 is a block diagram illustrating details of the security program 255 and the security database 240. The security program 255 includes an ID generator 315, a policy finder 317 coupled to the ID generator 315, and a first comparator 320 coupled to the policy finder 317. The first comparator 320 is coupled to a logical engine 333 via four separate paths, namely, via Path 1, via Path 2, via Path 3 and via Path 4. Path 1 includes a direct connection from the first comparator 320 to the logical engine 333. Path 2 includes a code scanner coupled to the first comparator 320, and an Access Control List (ACL) comparator 330 coupling the code scanner 325 to the logical engine 333. Path 3 includes a certificate scanner 340 coupled to the first comparator 320, and a certificate comparator 345 coupling the certificate scanner 340 to the logical engine 333. Path 4 includes a Uniform Resource Locator (URL) comparator 350 coupling the first comparator 320 to the logical engine 333. A record-keeping engine 335 is coupled between the logical engine 333 and the event log 245.
`
`The security program 255 operates in conjunction with the security database 240, which includes security policies 305, known Downloadables 307, known Certificates 309 and Downloadable Security Profile (DSP) data 310 corresponding to the known Downloadables 307. Security policies 305 include policies specific to particular users 260 and default (or generic) policies for determining whether to allow or block an incoming Downloadable. These security policies 305 may identify specific Downloadables to block, specific Downloadables to allow, or necessary criteria for allowing an unknown Downloadable. Referring to FIG. 4, security policies 305 include policy selectors 405, access control lists 410, trusted certificate lists 415, URL rule bases 420, and lists 425 of Downloadables to allow or to block per administrative override.
`
`Known Downloadables 307 include lists of Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, of Downloadables which OEMs know to be non-hostile, and of Downloadables previously received by this security program 255. DSP data 310 includes the list of all potentially hostile or suspicious computer operations that may be attempted by each known Downloadable 307, and may also include the respective arguments of these operations. An identified argument of an operation is referred to as "resolved." An unidentified argument is referred to as "unresolved." DSP data 310 is described below with reference to the code scanner 325.
`
`The ID generator 315 receives a Downloadable (including the URL from which it came and the userID of the intended recipient) from the external computer network 105 via the external communications interface 210, and generates a Downloadable ID for identifying each Downloadable. The Downloadable ID preferably includes a digital hash of the complete Downloadable code. The ID generator 315 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation. For example, the ID generator 315 may prefetch all classes embodied in or identified by the Java™ applet bytecode to generate the Downloadable ID. Similarly, the ID generator 315 may retrieve all components listed in the .INF file for an ActiveX™ control to compute a Downloadable ID. Accordingly, the Downloadable ID for the Downloadable will be the same each time the ID generator 315 receives the same Downloadable. The ID generator 315 adds the generated Downloadable ID to the list of known Downloadables 307 (if it is not already listed). The ID generator 315 then forwards the Downloadable and Downloadable ID to the policy finder 317.
`
`The policy finder 317 uses the userID of the intended user and the Downloadable ID to select the specific security policy 305 that shall be applied on the received Downloadable. If there is a specific policy 305 that was defined for the user (or for one of its super groups) and the Downloadable, then the policy is selected. Otherwise the generic policy 305 that was defined for the user (or for one of its super groups) is selected. The policy finder 317 then sends the policy to the first comparator 320.
`
`The first comparator 320 receives the Downloadable, the Downloadable ID and the security policy 305 from the policy finder 317. The first comparator 320 examines the security policy 305 to determine which steps are needed for allowing the Downloadable. For example, the security policy 305 may indicate that, in order to allow this Downloadable, it must pass all four paths, Path 1, Path 2, Path 3 and Path 4. Alternatively, the security policy 305 may indicate that to allow the Downloadable, it must pass only one of the paths. The first comparator 320 responds by forwarding the proper information to the paths identified by the security policy 305.
`
`In path 1, the first comparator 320 checks the policy selector 405 of the security policy 305 that was received from the policy finder 317. If the policy selector 405 is either "Allowed" or "Blocked," then the first comparator 320 forwards this result directly to the logical engine 333. Otherwise, the first comparator 320 invokes the comparisons in path 2 and/or path 3 and/or path 4 based on the contents of policy selector 405. It will be appreciated that the first comparator 320 itself compares the Downloadable ID against the lists of Downloadables to allow or block per administrative override 425. That is, the system security administrator can define specific Downloadables as "Allowed" or "Blocked."
`
`Alternatively, the logical engine 333 may receive the results of each of the paths and based on the policy selector 405 may institute the final determination whether to allow or block the Downloadable. The first comparator 320 informs the logical engine 333 of the results of its comparison.
`
`Path 2:
`
`In path 2, the first comparator 320 delivers the Downloadable, the Downloadable ID and the security policy 305 to the code scanner 325. If the DSP data 310 of the received Downloadable is known, the code scanner 325 retrieves and forwards the information to the ACL comparator 330. Otherwise, the code scanner 325 resolves the DSP data 310. That is, the code scanner 325 uses conventional parsing techniques to decompose the code (including all prefetched components) of the Downloadable into the DSP data 310. DSP data 310 includes the list of all potentially hostile or suspicious computer operations that may be attempted by a specific Downloadable 307, and may also include the respective arguments of these operations. For example, DSP data 310 may include a READ from a specific file, a SEND to an unresolved host, etc. The code scanner 325 may generate the DSP data 310 as a list of all operations in the Downloadable code which could ever be deemed potentially hostile and a list of all files to be accessed by the Downloadable code. It will be appreciated that the code scanner 325 may search the code for any pattern, which is undesirable or suggests that the code was written by a hacker.
`
`An Example List of Operations Deemed Potentially Hostile
`
`• File operations: READ a file, WRITE a file;
`
`• Network operations: LISTEN on a socket, CONNECT to a socket, SEND data, RECEIVE data, VIEW INTRANET;
`
`• Registry operations: READ a registry item, WRITE a registry item;
`
`• Operating system operations: EXIT WINDOWS, EXIT BROWSER, START PROCESS/THREAD, KILL PROCESS/THREAD, CHANGE PROCESS/THREAD PRIORITY, DYNAMICALLY LOAD A CLASS/LIBRARY, etc.; and
`
`• Resource usage thresholds: memory, CPU, graphics, etc.
`
`In the preferred embodiment, the code scanner 325 performs a full-content inspection. However, for improved speed but reduced security, the code scanner 325 may examine only a portion of the Downloadable such as the Downloadable header. The code scanner 325 then stores the DSP data into DSP data 310 (corresponding to its Downloadable ID), and sends the Downloadable and the DSP data to the ACL comparator 330 for comparison with the security policy 305.
`
`The ACL comparator 330 receives the Downloadable, the corresponding DSP data and the security policy 305 from the code scanner 325, and compares the DSP data against the security policy 305. That is, the ACL comparator 330 compares the DSP data of the received Downloadable against the access control lists 410 in the received security policy 305. The access control list 410 contains criteria indicating whether to pass or fail the Downloadable. For example, an access control list may indicate that the Downloadable fails if the DSP data includes a WRITE command to a system file. The ACL comparator 330 sends its results to the logical engine 333.
`
`Path 3:
`
`In path 3, the certificate scanner 340 determines whether the received Downloadable was signed by a certificate authority, such as VeriSign, Inc., and scans for a certificate embodied in the Downloadable. The certificate scanner 340 forwards the found certificate to the certificate comparator 345. The certificate comparator 345 retrieves known certificates 309 that were deemed trustworthy by the security administrator and compares the found certificate with the known certificates 309 to determine whether the Downloadable was signed by a trusted certificate. The certificate comparator 345 sends the results to the logical engine 333.
`
`Path 4:
`
`In path 4, the URL comparator 350 examines the URL identifying the source of the Downloadable against URLs stored in the URL rule base 420 to determine whether the Downloadable comes from a trusted source. Based on the security policy 305, the URL comparator 350 may deem the Downloadable suspicious if the Downloadable comes from an untrustworthy source or if the Downloadable did not come from a trusted source. For example, if the Downloadable comes from a known hacker, then the Downloadable may be deemed suspicious and presumed hostile. The URL comparator 350 sends its results to the logical engine 333.
`
`The logical engine 333 examines the results of each of the paths and the policy selector 405 in the security policy 305 to determine whether to allow or block the Downloadable. The policy selector 405 includes a logical expression of the results received from each of the paths. For example, the logical engine 333 may block a Downloadable if it fails any one of the paths, i.e., if the Downloadable is known hostile (Path 1), if the Downloadable may request suspicious operations (Path 2), if the Downloadable was not signed by a trusted certificate authority (Path 3), or if the Downloadable came from an untrustworthy source (Path 4). The logical engine 333 may apply other logical expressions according to the policy selector 405 embodied in the security policy 305. If the policy selector 405 indicates that the Downloadable may pass, then the logical engine 333 passes the Downloadable to its intended recipient. Otherwise, if the policy selector 405 indicates that the Downloadable should be blocked, then the logical engine 333 forwards a non-hostile Downloadable to the intended recipient to inform the user that internal network security system 110 discarded the original Downloadable. Further, the logical engine 333 forwards a status report to the record-keeping engine 335, which stores the reports in event log 245 in the data storage device 230 for subsequent review, for example, by the MIS director.
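
The decision flow of FIG. 3 described above (ID generator, policy finder, Paths 1 to 4, logical engine) can be sketched as follows. This is an added example, not code from the patent: SHA-256, the `Policy` layout, the "all"/"any" selector values, the conservative handling of unresolved arguments and all sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def downloadable_id(code, components):
    """ID generator: hash the code plus every prefetched component.

    SHA-256 is an assumption (the text only says "digital hash"). Components
    are sorted by name and length-prefixed, so the same Downloadable yields
    the same ID regardless of the order in which components were fetched.
    """
    h = hashlib.sha256()
    h.update(len(code).to_bytes(8, "big") + code)
    for name in sorted(components):
        for part in (name.encode(), components[name]):
            h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()


@dataclass
class Policy:
    """Hypothetical flattening of FIG. 4 (security policy 305)."""
    selector: str = "all"            # policy selector 405: "all" or "any" of `paths`
    paths: tuple = (2, 3, 4)
    allow_ids: set = field(default_factory=set)      # override lists 425
    block_ids: set = field(default_factory=set)
    acl_deny: set = field(default_factory=set)       # ACL 410: (operation, argument), "*" = any
    trusted_certs: set = field(default_factory=set)  # trusted certificate list 415
    trusted_hosts: set = field(default_factory=set)  # URL rule base 420
    untrusted_hosts: set = field(default_factory=set)


def find_policy(policies, groups, user, dl_id):
    """Policy finder: a specific (principal, Downloadable) policy wins over a
    generic one; the user is consulted before its super groups."""
    principals = [user] + groups.get(user, [])
    keys = [(p, dl_id) for p in principals] + [(p, None) for p in principals]
    for key in keys:
        if key in policies:
            return policies[key]
    return policies[("default", None)]


def acl_fails(dsp, acl_deny):
    """Path 2: fail if any DSP operation matches a deny entry. An unresolved
    argument (None) is treated as matching, a conservative assumption."""
    return any(op == d_op and (d_arg == "*" or arg is None or arg == d_arg)
               for op, arg in dsp for d_op, d_arg in acl_deny)


def evaluate(policy, dl_id, dsp, cert, url):
    """Logical engine: return (verdict, per-path results)."""
    # Path 1: administrative override, allow list checked first (steps 608, 610).
    if dl_id in policy.allow_ids:
        return "allow", {1: True}
    if dl_id in policy.block_ids:
        return "block", {1: False}
    host = (urlsplit(url).hostname or "").lower()
    checks = {
        2: lambda: not acl_fails(dsp, policy.acl_deny),
        3: lambda: cert in policy.trusted_certs,
        4: lambda: host in policy.trusted_hosts and host not in policy.untrusted_hosts,
    }
    results = {p: checks[p]() for p in policy.paths}
    if not results:                   # no tests configured: fail closed
        return "block", results
    combine = all if policy.selector == "all" else any
    return ("allow" if combine(results.values()) else "block"), results


# Constructed sample data (not from the patent).
APPLET = b"\xca\xfe\xba\xbe main class bytes"
PARTS = {"Helper.class": b"helper", "Net.class": b"net"}
DL_ID = downloadable_id(APPLET, PARTS)
DSP = [("READ", "/tmp/cache"), ("SEND", None)]       # SEND to an unresolved host
GROUPS = {"alice": ["engineering"], "bob": []}
POLICIES = {
    ("default", None): Policy(acl_deny={("WRITE", "*"), ("SEND", "*")},
                              trusted_certs={"cert-A"},
                              trusted_hosts={"apps.example.com"}),
    ("engineering", None): Policy(selector="any", paths=(3, 4),
                                  trusted_certs={"cert-A"},
                                  trusted_hosts={"apps.example.com"}),
}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        policy = find_policy(POLICIES, GROUPS, user, DL_ID)
        print(user, evaluate(policy, DL_ID, DSP, "cert-B", "http://apps.example.com/a.class"))
```

The same Downloadable is allowed for a user whose group policy accepts any one of Paths 3 and 4, and blocked under the default policy, which requires every path to pass.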
`
`FIG. 5 is a block diagram illustrating details of the security management console 120, which includes a security policy editor 505 coupled to the communications channel 135, an event log analysis engine 510 coupled between communications channel 135 and a user notification engine 515, and a Downloadable database review engine 520 coupled to the communications channel 135. The security management console 120 further includes computer components similar to the computer components illustrated in FIG. 2.
`
`The security policy editor 505 uses an I/O interface similar to I/O interface 215 for enabling authorized user modification of the security policies 305. That is, the security policy editor 505 enables the authorized user to modify specific security policies 305 corresponding to the users 260, the default or generic security policy 305, the Downloadables to block per administrative override, the Downloadables to allow per administrative override, the trusted certificate lists 415, the policy selectors 405, the access control lists 410, the URLs in the URL rule bases 420, etc. For example, if the authorized user learns of a new hostile Downloadable, then the user can add the Downloadable to the Downloadables to block per system override.
`
`The event log analysis engine 510 examines the status reports contained in the event log 245 stored in the data storage device 230. The event log analysis engine 510 determines whether notification of the user (e.g., the security system manager or MIS director) is warranted. For example, the event log analysis engine 510 may warrant user notification whenever ten (10) suspicious Downloadables have been discarded by internal network security system 110 within a thirty (30) minute period, thereby flagging a potential imminent security threat. Accordingly, the event log analysis engine 510 instructs the user notification engine 515 to inform the user. The user notification engine 515 may send an e-mail via internal communications interface 220 or via external communications interface 210 to the user, or may display a message on the user's display device (not shown).
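
The notification rule described above (ten discards within thirty minutes) is a sliding-window threshold over the event log. The sketch below is an added example, not code from the patent; the status-report line format, the function names and the sample log are constructed, and clearing the window after a notification is an assumption so that one burst yields one notice.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # thresholds taken from the example in the text
THRESHOLD = 10


def parse(line):
    """Parse one constructed status-report line: '<ISO time> <user> <id> <verdict>'."""
    ts, user, dl_id, verdict = line.split()
    return datetime.fromisoformat(ts), user, dl_id, verdict


def alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return the times at which the user notification engine should fire.

    Keeps a sliding window of discard times. After firing, the window is
    cleared so one burst produces one notification, not one per extra event.
    """
    recent, fired = deque(), []
    for ts, _user, _dl_id, verdict in sorted(map(parse, lines)):
        if verdict != "block":
            continue                      # only discarded Downloadables count
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()              # drop discards older than the window
        if len(recent) >= threshold:
            fired.append(ts)
            recent.clear()
    return fired


def sample_log():
    """Constructed event log: a slow trickle of discards, then a burst."""
    start = datetime(2024, 1, 15, 9, 0)
    lines = [f"{(start + timedelta(minutes=20 * i)).isoformat()} bob t{i} block"
             for i in range(5)]
    burst = start + timedelta(hours=3)
    lines += [f"{(burst + timedelta(minutes=2 * i)).isoformat()} alice b{i} block"
              for i in range(12)]
    lines.append(f"{(burst + timedelta(minutes=5)).isoformat()} carol ok1 allow")
    return lines


if __name__ == "__main__":
    for when in alerts(sample_log()):
        print("notify security manager:", when.isoformat())
```

The trickle of one discard every twenty minutes never fills the window; the burst fires once, at its tenth discard.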
`
`FIG. 6A is a flowchart illustrating a method 600 for protecting an internal computer network 115 from suspicious Downloadables. Method 600 begins with the ID generator 315 in step 602 receiving a Downloadable. The ID generator 315 in step 604 generates a Downloadable ID identifying the received Downloadable, preferably, by generating a digital hash of the Downloadable code (including prefetched components). The policy finder 317 in step 606 finds the appropriate security policy 305 corresponding to the userID specifying intended recipient (or the group to which the intended recipient belongs) and the Downloadable. The selected security policy 305 may be the default security policy 305. Step 606 is described in greater detail below with reference to FIG. 6B.
`
`The first comparator 320 in step 608 examines the lists of Downloadables to allow or to block per administrative override 425 against the Downloadable ID of the incoming Downloadable to determine whether to allow the Downloadable automatically. If so, then in step 612 the first comparator 320 sends the results to the logical engine 333. If not, then the method 600 proceeds to step 610. In step 610, the first comparator 620 examines the lists of Downloadables to block per administrative override 425 against the Downloadable ID of the incoming Downloadable for determining whether to block the Downloadable automatically. If so, then the first comparator 420 in step 612 sends the results to the logical engine 333. Otherwise, method 600 proceeds to step 614.
`
`In step 614, the first comparator 320 determines whether the security policy 305 indicates that the Downloadable should be tested according to Path 4. If not, then method 600 jumps to step 618. If so, then the URL comparator 350 in step 616 compares the URL embodied in the incoming Downloadable against the URLs of the URL rules bases 420, and then method 600 proceeds to step 618.
`
`In step 618, the first comparator 320 determines whether the security policy 305 indicates that the Downloadable should be tested according to Path 2. If not, then method 600 jumps to step 620. Otherwise, the code scanner 235 in step 626 examines the DSP data 310 based on the Downloadable ID of the incoming Downloadable to determine whether the Downloadable has been previously decomposed. If so, then method 600 jumps to step 630. Otherwise, the code scanner 325 in step 628 decomposes the Downloadable into DSP data. Downloadable decomposition is described in greater detail with reference to FIG. 7. In step 630, the ACL comparator 330 compares the DSP data of the incoming Downloadable against the access control lists 410 (which include the criteria necessary for the Downloadable to fail or pass the test).
`
`In step 620, the first comparator 320 determines whether the security policy 305 indicates that the Downloadable should be tested according to Path 3. If not, then method 600 returns to step 612 to send the results of each of the tests performed to the logical engine 333. Otherwise, the certificate scanner 622 in step 622 scans the Downloadable for an embodied certificate. The certificate comparator 345 in step 624 retrieves trusted certificates from the trusted certificate lists (TCL) 415 and compares the embodied certificate with the trusted certificates to determine whether the Downloadable has been signed by a trusted source. Method 600 then proceeds to step 612 by the certificate scanner 345 sending the results of each of the paths taken to the logical engine 333. The operations of the logical engine 333 are described in greater detail below with reference to FIG. 6C. Method 600 then ends.
`
`One skilled in the art will recognize that the tests may be performed in a different order, and that each of the tests need not be performed. Further, one skilled in the art will recognize that, although path 1 is described in FIG. 6A as an automatic allowance or blocking, the results of Path 1 may be another predicate to be applied by the logical engine 333. Further, although the tests are shown serially in FIG. 6A, the tests may be performed in parallel as illustrated in FIG. 3.
`
`FIG. 6B is a flowchart illustrating details of step 606 of FIG. 6A (referred to herein as method 606). Method 606 begins with the policy finder 317 in step 650 determining whether security policies 305 include a specific security policy corresponding to the userID and the Downloadable. If so, then the policy finder 317 in step 654 fetches the corresponding specific policy 305. If not, then the policy finder 317 in step 652 fetches the default or generic security policy 305 corresponding to the userID. Method 606 then ends.
`
`FIG. 6C is a flowchart illustrati