`'" - '"
`r
`,
`~ ~
`"'
`·- (f)
`91 .z ~
`ui~t: •'
`~if - "'
`("')
`'" '"
`.t" 0
`
`I
`
`\1
`
`0'
`:;;...._ i i i
`
`'
`
`.~
`::.:C""')
`
`I
`
`.,..,
`
`PATENT NUMBER
`
`--~- --
`
`U S UTILITY Patent Application
`PATENT DATE
`
`l~l l z {;lJ.Ir
`~~T 1 z •··
`.:/".
`
`::: .. :·, __ . ::.!·';~:.
`
`•.::·; -:-! ; ..
`
`i .)·::: .•. :.-
`
`., ... , ; .. -,, ___
`
`1·
`
`.. · · -
`
`-------~------------'--· ------~-'---~-____:_.__c ...• ~.-
`
`PTb-2040
`12199
`
`1
`
`.'
`
`' '\
`
`'
`
`..
`
`ORIGINAL
`
`L
`
`CLASS
`
`SUBCLASS
`
`INTERNATIONAL CLASSIFICATION
`
`I
`
`"
`
`71/V/oJ:
`I )q{ TERMINAL
`I ~ISCLAIMER
`
`ISSUINGCLAfsiFICATION
`L
`CROSS REFERENCE(S)
`lf
`
`CLASS
`
`SUBCLASS (ONE SUBCLASS PER I!ILOCK)
`
`I
`I
`/
`l
`I
`
`f
`
`I
`
`CJ Continued on Issue Slip lnrside Fill} Jacket
`
`DRAWINGS
`
`.
`
`1'eets Drwg.
`
`\0
`
`Figs. Drwg.·
`.
`\0
`
`Print Fig.
`
`B
`
`(Date)
`
`CLAIMS ALLOWED
`
`Total Claims
`
`Print Claim for O.G.
`
`NOTICE OF ALLOWANCE MAILED
`
`.
`
`1
`l
`D The term of this patent
`~~:;u:~~~~la-im_e_d_. - - - (datey ('JA VI ~~,.m~ s)r~)~
`II ._,,...._ '21.
`'
`f
`~· Y 7
`The term of this patent shall~-
`AYAZ SHEIKH
`xte.nd beyond lJle ·~~~n i~
`I
`of u.s Patent. No. lA, U ~~,
`SUPERVISORY PATENT EXAMINER
`i
`TECHNOLOGY CENTER 21 00
`cim• ;E<a~iooc)
`----~+--
`tlrl/1;:1
`(0
`. ~ ·
`.
`i
`· - ·
`-
`___
`i] ~
`D The terminal .. __ mont:fi ··:of
`I
`· I )
`thispatenthavebeendiscla· ed. ~~ ~~'~-"·//f)4
`
`ISSUE FEE
`
`$1AB; D:t
`
`ISSUE BATCH NUMBER
`..
`
`·
`_ , ·-'~-1
`
`f/11-j~ -
`Jl{¥fl~ }
`-1
`I
`I
`I
`
`(Legal Instruments
`
`amlneO _
`
`_/(Date)
`
`.
`n~mG:
`The information disclosed her in may be restricted. Unauthorized disc!osure. rna~ be p"rohibited by the United States '9bde. Title 35, Sections 122, 181 and -36"8.
`Possession outside the U.S. atent & Trademark Office is restricted to authorized employees and contractors only.
`FILED WITH: 0 DISK (CRF) 0 FICHE C CC·RC'•M
`
`Form PT0-436A
`(Rev. 6/99)
`
`I
`
`I
`
`,,
`(FACE)
`
`(Attached in pocket on ciqrt im:>IO(, 1iap)
`
`__ __,:;::.
`
`FireEye - Exhibit 1005 Page 1
`
`
`
`/0. papers.
`.
`1 '. Application--
`
`INITIALS
`
`.
`
`'Amf2(fO 26
`
`Date Received
`(Incl. C. of~-)
`or .
`Date Mailed
`
`•
`
`ti~~-·cl:tl~~
`· .. :..:r:r.--___ 7 - -
`) :::_ -~~~~:~~ . - -
`
`116.
`' :n:
`18. _ ___ ~=-
`19. ___ _
`
`'·I,
`
`20. __ _ _
`
`;l. 21.
`.. 22.
`II 23. -----,---
`. l\.24. __ _
`1
`J
`.
`'\ 25 · - , - - - -
`·~ 26.
`
`j 27.
`
`-~
`
`- - -
`
`- - - .
`- -
`-~--.
`
`---,-------=-(cid:173)
`.,
`i --------==--
`
`: 28.
`29. __ _
`
`30;
`
`I 3 1 . - -
`i 32.
`\
`! 33. ---:--
`
`34.
`
`. 35.
`
`- - -
`
`- - - -
`
`___:___ __
`
`It 3 6 · - - - - , - - - -= -
`
`1 I 37._
`
`1 38.
`.:
`39.
`
`Jt 40._
`1 41.
`
`- - ' - - - - -
`
`"~--
`- - : - - - - - .
`
`51.
`
`52. _ . ! . . . . .__C_ _ __ =-
`
`53. __ _
`
`54.
`
`- - -
`
`55 . - - - - - -=__ ,
`56 . - - - . .
`57. __ _ - - -
`58. __ _ - - -
`
`59.-----:;----.---=-
`60. - - .
`61. __
`
`---'--:----
`
`62. __ - - -
`
`- - -
`
`63.
`64. __
`
`65."'_··- - - - - -
`___
`- - - ' - - - - -
`
`~6.-
`67._
`
`68. _ __ __ =-
`69. ----'--------==-
`
`70._
`
`71. - - - - -
`
`72.
`
`73.
`
`74.
`
`75.
`
`76.
`
`77 .
`
`78.
`
`0 79.
`
`. 80.
`
`81.
`
`82. - ' - - - - - - (cid:173)
`(LEFT OUTSIDE)
`
`,,
`
`•
`
`.
`
`. .
`,
`
`/
`
`"'
`,.,
`
`-
`
`-
`
`+/. ~~-
`
`_ :__
`
`FireEye - Exhibit 1005 Page 2
`
`
`
`·S
`
`r,
`
`UTILITY PATENT APPLICATION TRANSMITTAL
`(Small Entity)
`(Only for new nonprovisional applications under 37 CFR 1.53(b))
`
`Docket No.
`40492.00011
`
`Total Pages in this Submission
`
`Transmitted herewith for filing under 35 U.S.C. 111 (a) and 37 C.F.R. 1.53{b) is a new utility patent application fOOIIIIl:-,
`invention entitled:
`
`FOR
`
`AND A NETWORK FROM HOSTILE
`
`Box Patent Application
`Washington, D.C. 20231
`
`a CONTINUATION APPLICATION, check appropriate box and supply the requisite information:
`'
`Continuation 0 Divisional 0 Continuation-in-part (CIP) of prior application No.:
`
`08/964,388
`
`0 Divisional 0 Continuation-in-part (CIP) of prior application No.:
`
`0 Divisional 0 Continuation-in-part (CIP) of prior application No.:
`
`1 . C!SI Filing fee as calculated and transmitted as described below
`
`Application Elements
`
`2.
`
`C!SI Specification having ____ ..=2..:.6 ____ pages and including the following:
`
`a. C!SI
`
`b. C!SI
`
`c. 0
`
`d. 0
`
`e. C!SI
`
`f. C!SI
`
`g. C!SI
`
`h. C!SI
`
`i. C!SI
`
`j. C!SI
`
`Descriptive Title of the Invention
`
`Cross References to Related Applications (if applicable)
`
`Statement Regarding Federally-sponsored Research/Development (if applicable)
`
`Reference to Microfiche Appendix (if applicable)
`
`Background of the Invention
`
`Brief Summary of the Invention
`
`Brief Description of the Drawings (if drawings filed)
`
`Detailed Description
`
`Claim(s) as Classified Below
`
`Abstract of the Disclosure
`
`Page 1 of3
`
`P01 USMUREV03
`
`FireEye - Exhibit 1005 Page 3
`
`
`
`UTILITY PATENT APPLICATION TRANSMITTAL
`(Small Entity)
`(Only for new nonprovisional applications under 37 CFR 1.53{b}}
`
`Docket No.
`40492.00011
`
`Total Pages in this Submission
`
`3.
`
`IZI Drawing(s) {when necessary as prescribed by 35 USC 113)
`
`I
`
`a.
`
`IZI Formal
`
`b. 0
`
`Informal
`
`Number of Sheets
`
`10
`-----------------
`
`Application Elements (Continued)
`
`4.
`
`IZI Oath or Declaration
`
`a. 0 Newly executed (original or copy)
`
`0 Unexecuted
`
`b. 1Z1 Copy from a prior application (37 CFR 1.63(d)) (for continuation/divisional application only)
`
`c. 1Z1 With Power of Attorney
`
`0 Without Power of Attorney
`
`d. 0 DELETION OF INVENTOR($)
`Signed statement attached deleting inventor(s) named in the prior application,
`see 37 C.F.R. 1.63\d)(2) and 1.33(b).
`
`Incorporation By Reference (usable if Box 4b is checked}
`The entire disclosure of the prior application, from which a copy of the oath or declaration is supplied under
`Box 4b, is considered as being part of the disclosure of the accompanying application and is hereby
`incorporated by reference therein.
`
`6. 0 Computer Program in Microfiche
`
`·~ p
`·~
`
`~ 7. 0 Genetic Sequence Submission (if applicable, all must be included)
`
`"" P-p
`k
`F p
`
`a. 0
`
`Paper Copy
`
`b. 0 Computer Readable Copy
`
`c. 0 Statement Verifying Identical Paper and Computer Readable Copy
`
`Accompanying Application Parts
`
`8.
`
`IZI Assignment Papers (cover sheet & documents)
`
`9. 0 37 CFR 3.73(b) Statement (when there is an assignee)
`
`10. 0 English Translation Document {if applicable}
`
`11 . 0
`
`Information Disclosure StatemenUPT0-1449
`
`0 Copies of IDS Citations
`
`12. 0 Preliminary Amendment
`
`13.
`
`1Z1 Acknowledgment postcard
`
`14.
`
`1Z1 Certificate of Mailing
`
`0
`
`First Class
`
`1Z1 Express Mail (Specify Label No.): EL515155991US
`
`Page 2 of3
`
`P01USMVREV03
`
`FireEye - Exhibit 1005 Page 4
`
`
`
`- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - .
`
`UTILITY PATENT APPLICATION TRANSMITTAL
`(Small Entity)
`(Only for new nonprovisional applications under 37 CFR 1.53(b))
`
`I
`
`Docket No.
`40492.00011
`
`I
`
`Total Pages in this Submission
`
`15. 0 Certified Copy of Priority Document(s) (ifforeign priority is claimed)
`
`Accompanying Application Parts (Continued)
`
`16.
`
`181 Small Entity Statement(s)- Specify Number of Statements Submitted:
`
`1
`
`17.
`
`181 Additional Enclosures (please identify below):
`k;eneral Authorization/Request to Petition for Extensions of Time
`
`Fee Calculation and Transmittal
`
`'
`
`CLAIMS AS FILED
`
`fJ
`i~
`
`For
`
`#Filed
`
`#Allowed
`-20 =
`'t_fotal Claims
`-~dep. Claims
`- 3 =
`4
`~ultiple Dependent Claims (check if applicable)
`
`22
`
`~
`
`I='
`~!.~OTHER FEE (specify purpose)
`
`#Extra
`
`2
`
`1
`
`X
`
`X
`
`Rate
`
`$9.00
`
`$39.00
`
`0
`
`Fee
`
`$18.00
`
`$39.00
`
`$0.00
`
`BASIC FEE I
`
`$345.00
`
`TOTAL FILING FEE
`
`$0.00
`
`$402.00
`
`w p
`l=i
`~® A check in the amount of
`to cover the filing fee is enclosed.
`$402.00
`181 The Commissioner is hereby authorized to charge and credit Deposit Account No.
`as described below. A duplicate copy of this sheet is enclosed.
`0 Charge the amount of
`as filing fee.
`181 Credit any overpayment.
`181 Charge any additional filing fees required under 37 C.F.R. 1.16 and 1.17.
`0 Charge the issue fee set in 37 C.F.R. 1.18 at the mailing of the Notice of Allowance,
`'""00""·" c.,.R. 1.3H(b).
`
`Dated:
`
`March 30, 2000
`
`cc:
`
`05-0150
`
`~ A ru
`
`,
`
`Signature
`Marc A. Sockol, Reg. No." 40,823
`Attorney for Applicant
`Graham & James LLP
`600 Hansen Way
`Palo Alto, CA 94304-1043
`Tel: (650) 856-6500
`Fax: (650) 856-3619
`
`Page 3 oC3
`
`P01 USMLIREV03
`
`FireEye - Exhibit 1005 Page 5
`
`
`
`APPLICATION FOR
`
`UNITED STATES PATENT
`
`IN THE NAME OF
`
`Shlomo Touboul
`
`OF
`
`FINJAN SOFTWARE, LTD.
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A
`
`NETWORK FROM HOSTILE DOWNLOADABLES
`
`DOCKET NO. 40492.00011
`
`Please direct communications to:
`
`Intellectual Property Department
`Graham & James LLP
`600 Hansen Way
`Palo Alto, CA 94304-1043
`( 650) 856-6500
`
`Express Mail Number EL515155991US
`
`FireEye - Exhibit 1005 Page 6
`
`
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK
`
`FROM HOSTILE DOWNLOADABLES
`
`PRIQRITY REFERENCE TO RELATED APPLICATION
`
`5
`
`This application is a continuation of and hereby incorporates by reference U.S.
`
`patent application serial no. 08/964,388, entitled "System and Method for Protecting a
`
`Computer and a Network from Hostile Downloadables," filed November 6, 1997, which
`.
`.
`A
`Cl
`claims priority to provisional application serial number 60/030,639, entitled "System and
`
`Method for Protecting a Computer from Hostile Downloadables," filed on November 8,
`
`to
`
`1996, by inventor Shlomo Touboul.
`
`INCORPORATION BY REFERENCE TO RELATED APPLICATIONS
`
`This application hereby incorporates by reference related U.S. patent application
`
`serial number 08/790,097, entitled "System and Method for Protecting a Client from
`
`Hostile Downloadables," filed on January 29, 1997, by inventor Shlomo Touboul; and
`£"~-
`hereby incorporates by reference provisional application serial number 60/030,639,
`
`6!
`
`entitled "System and Method for Protecting a Computer from Hostile Downloadables,"
`
`filed on November 8, 1996, by inventor Shlomo Touboul.
`
`20
`
`BACKGROUND OF THE INVENTION
`
`1.
`
`Field of the Invention
`
`This invention relates generally to computer networks, and more particularly
`
`provides a system and method for protecting a computer and a network from hostile
`
`Downloadables.
`
`25
`
`2.
`
`Description of the Background Art
`
`1311201271.02
`03300011635140492.00011
`
`1
`
`FireEye - Exhibit 1005 Page 7
`
`
`
`The Internet is currently a collection of over I 00,000 individual computer
`
`networks owned by governments, universities, nonprofit groups and companies, and is
`
`expanding at an accelerating rate. Because the Internet is public, the Internet has become
`
`a major source of many system damaging and system fatal application programs,
`
`5
`
`commonly referred to as "viruses."
`
`Accordingly, programmers continue to design computer and computer network
`
`security systems for blocking these viruses from attacking both individual and network
`
`computers. On the most part, these security systems have been relatively successful.
`
`However, these securit-y systems are not configured to recognize computer viruses which
`
`10
`
`have been attached to or configured as Downloadable application programs, commonly
`
`referred to as "Downloadables." A Downloadable is an executable application program,
`
`which is downloaded from a source computer and run on the destination computer.
`
`Downloadable is typically requested by an ongoing process such as by an Internet
`
`browser or web engine. Examples ofDownloadables include Java™ applets designed for
`
`15
`
`use in the Java™ distributing environment developed by Sun Microsystems, Inc.,
`
`J avaScript scripts also developed by Sun Micro systems, Inc., ActiveX ™ controls
`
`designed for use in the ActiveX™ distributing environment developed by the Microsoft
`
`Corporation, and Visual Basic also developed by the Microsoft Corporation. Therefore, a
`
`system and method are needed to protect a network from hostile Downloadables.
`
`131/201271.02
`033000/1S35/40492.00011
`
`2
`
`FireEye - Exhibit 1005 Page 8
`
`
`
`S1 JMMARY OF THE INVENTION
`
`The present invention provides a system for protecting a network from suspicious
`
`Downloadables. The system comprises a security policy, an interface for receiving a
`
`Downloadable, and a comparator, coupled to the interface, for applying the security
`
`5
`
`policy to the Downloadable to determine if the security policy has been violated. The
`
`Downloadable may include a Java™ applet, an ActiveX™ control, a JavaScript™ script,
`
`or a Visual Basic script. The security policy may include a default security policy to be
`
`applied regardless oft~e client to whom the Downloadable is addressed, a specific
`
`security policy to be applied based on the client or the group to which the client belongs,
`
`10
`
`or a specific policy to be applied based on the client/group and on the particular
`
`Downloadable received. The system uses an ID generator to compute a Downloadable
`
`ID identifying the Downloadable, preferably, by fetching all components of the
`
`'"-,)
`
`:;::
`
`Downloadable and performing a hashing function on the Downloadable including the
`
`fetched components.
`
`15
`
`Further, the security policy may indicate several tests to perform, including (1) a
`
`comparison with known hostile and non-hostile Downloadables; (2) a comparison with
`
`Downloadables to be blocked or allowed per administrative override; (3) a comparison of
`
`the Downloadable security profile data against access control lists; (4) a comparison of a
`
`certificate embodied in the Downloadable against trusted certificates; and ( 5) a
`
`20
`
`comparison of the URL from which the Downloadable originated against trusted and
`
`untrusted URL&. Based on these tests, a logical engine can determine whether to allow or
`
`block the Downloadable.
`
`131/201271.02
`033000/1635/40492.00011
`
`3
`
`1/
`
`FireEye - Exhibit 1005 Page 9
`
`
`
`The present invention further provides a method for protecting a computer from
`
`suspicious Downloadables. The method comprises the steps ofreceiving a
`
`Downloadable, comparing the Downloadable against a security policy to determine if the
`
`security policy has been violated, and discarding the Downloadable if the security policy
`
`5
`
`has been violated.
`
`It will be appreciated that the system and method of the present invention may
`
`provide computer protection from known hostile Downloadables. The system and
`
`method of the present invention may identify Downloadables that perform operations
`'
`deemed suspicious. The system and method of the present invention may examine the
`
`10
`
`Downloadable code to determine whether the code contains any suspicious operations,
`
`and thus may allow or block the Downloadable accordingly.
`
`131/201271.02
`033000/1635/40492.00011
`
`4
`
`FireEye - Exhibit 1005 Page 10
`
`
`
`BRIEF DESCRlPTIQN OF THE DRAWINGS
`
`FIG. I is a block diagram illustrating a network system, in accordance with the
`
`present invention;
`
`FIG. 2 is a block diagram illustrating details of the internal network security
`
`5
`
`system of FIG. 1;
`
`FIG. 3 is a block diagram illustrating details of the security program and the
`
`security database of FIG. 2;
`
`· FIG. 4 is a block diagram illustrating details of the security policies of FIG. 3;
`
`FIG. 5 is a block diagram illustrating details of the security management console
`
`10
`
`ofFIG. 1;
`
`FIG. 6A is a flowchart illustrating a method of examining for suspicious
`
`~
`
`Downloadables, in accordance with the present invention;
`
`FIG. 6B is a flowchart illustrating details of the step for finding the appropriate
`
`security policy of FIG. 6A;
`
`15
`
`FIG. 6C is a flowchart illustrating a method for determining whether an incoming
`
`Downloadable is to be deemed suspicious;
`
`FIG. 7 is a flowchart illustrating details of the FIG. 6 step of decomposing a
`
`Downloadable; and
`
`FIG. 8 is a flowchart illustrating a method 800 for generating a Downloadable ID
`
`20
`
`for identifying a Downloadable.
`
`131/201271.02
`03300011635140492.00011
`
`5
`
`FireEye - Exhibit 1005 Page 11
`
`
`
`DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
`
`FIG. I is a block diagram illustrating a network system I 00, in accordance with
`
`the present invention. The network system I 00 includes an external computer network
`
`I 05, such as the Wide Area Network (WAN) commonly referred to as the Internet,
`
`5
`
`coupled via a communications channel 125 to an internal network security system II 0.
`
`The network system I 00 further includes an internal computer network 115, such as a
`
`corporate Local Area Network (LAN), coupled via a communications channel 130 to the
`
`internal network computer system II 0 and coupled via a communications channel 135 to
`
`a security management console 120.
`
`10
`
`The internal network security system II 0 examines Downloadables received from
`
`!;!J
`
`0
`
`external computer network I 05, and prevents Downloadables deemed suspicious from
`
`reaching the internal computer network 115: It will be further appreciated that a
`
`Downloadable is deemed suspicious if it performs or may perform any undesirable
`
`operation, or if it threatens or may threaten the integrity of an internal computer network
`
`15
`
`115 component. It is to be understood that the term "suspicious" includes hostile,
`
`potentially hostile, undes.irable, potentially undesirable, etc. Security management
`
`console 120 enables viewing, modification and configuration of the internal network
`
`security system II 0.
`
`FIG. 2 is a block diagram illustrating details of the internal network security
`
`20
`
`system II 0, which includes a Central Processing Unit (CPU) 205, such as an Intel
`
`Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to a signal
`
`bus 220. The internal network security system II 0 further includes an external
`
`communications interface 210 coupled between the communications channel 125 and
`
`1311201271.02
`03300011635140492.00011
`
`6
`
`7
`
`FireEye - Exhibit 1005 Page 12
`
`
`
`the signal bus 220 for receiving Downloadables from external computer network 105,
`
`and an internal communications interface 225 coupled between the signal bus 220 and
`
`the communications channel 130 for forwarding Downloadables not deemed suspicious
`
`to the internal computer network 115. The external communications interface 21 0 and
`
`5
`
`the internal comniunications interface 225 may be functional components of an integral
`
`communications interface (not shown) for both receiving Downloadables from the
`
`external computer network 105 and forwarding Downloadables to the internal computer
`
`network ll5.
`
`·~
`
`·.'
`"'\;';
`
`=
`"" .:-;".
`
`Internal network security system 110 further includes Input/Output (I/0)
`
`10
`
`interfaces 215 (such as a keyboard, mouse and Cathode Ray Tube (CRT) display), a data
`
`storage device 230 such as a magnetic disk, and a Random-Access Memory (RAM) 235,
`
`each coupled to the signal bus 220. The data storage device 230 stores a security
`
`database 240, which includes security information for determining whether a received
`
`Downloadable is to be deemed suspicious. The data storage device 230 further stores a
`
`15
`
`users list 260 identifying the users within the internal computer network 115 who may
`
`receive Downloadables, and an event log 245 which includes determination results for
`
`each Downloadable examined and runtime indications of the internal network security
`
`system 110. An operating system 250 controls processing by CPU 205, and is typically
`
`stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution.
`
`20
`
`A security program 255 controls examination of incoming Downloadables, and also may
`
`be stored in data storage device 230 and loaded into RAM 235 (as illustrated) for
`
`execution by CPU 205.
`
`1311201271.02
`033000/1635/40492.00011
`
`FireEye - Exhibit 1005 Page 13
`
`
`
`FIG. 3 is a block diagram illustrating details of the security program 255 and the
`
`security database 240. The security program 255 includes an ID generator 315, a policy
`
`finder 317 coupled to the ID generator 315, and a first comparator 320 coupled to the
`
`policy finder 317. The first comparator 320 is coupled to a logical engine 333 via four
`
`5
`
`separate paths, namely, via Path 1, via Path 2, via Path 3 and via Path 4. Path 1 includes
`
`a direct connection from the first comparator 320 to the logical engine 333. Path 2
`
`includes a code scanner coupled to the first comparator 320, and an Access Control List
`
`(ACL) comparator 330 coupling the code scanner 325 to the logical engine 333. Path 3
`
`includes a certificate scanner 340 coupled to the first comparator 320, and a certificate
`
`10
`
`comparator 345 coupling the certificate scanner 340 to the logical engine 333. Path 4
`
`includes a Uniform Resource Locator (URL) comparator 350 coupling the first
`
`comparator 320 to the logical engine 3330.' A record-keeping engine 335 is coupled
`
`between the logical engine 333 and the event log 245.
`
`The security program 255 operates in conjunction with the security database 240,
`
`15
`
`which includes security policies 305, known Downloadables 307, known Certificates
`
`309 and Downloadable Security Profile (DSP) data 310 corresponding to the known
`
`Downloadables 307. Security policies 305 includes policies specific to particular users
`
`260 and default (or generic) policies for determining whether to allow or block an
`
`incoming Downloadable. These security policies 305 may identify specific
`
`20
`
`Downloadables to block, specific Downloadables to allow, or necessary criteria for
`
`allowing an unknown Downloadable. Referring to FIG. 4, security policies 305 include
`
`policy selectors 405, access control lists 410, trusted certificate lists 415, URL rule bases
`
`420, and lists 425 ofDownloadables to allow or to block per administrative override.
`
`1311201271.02
`033000/1635/40492.00011
`
`8
`
`7
`
`FireEye - Exhibit 1005 Page 14
`
`
`
`Known Downloadables 307 include lists ofDownloadables which Original
`
`Equipment Manufacturers (OEMs) know to be hostile, ofDownloadables which OEMs
`
`know to be non-hostile, and of Downloadables previously received by this security
`
`program 255. DSP data 310 includes the list of all potentially hostile or suspicious
`
`5
`
`computer operations that may be attempted by each known Downloadable 307, and may
`
`also include the respective arguments of these operations. An identified argument of an
`
`operation is referred to as "resolved." An unidentified argument is referred to as
`
`"unresolved." DSP data 310 is described below with reference to the code scanner 325.
`
`The ID generator 315 receives a Downloadable (including the URL from which
`
`\
`
`10
`
`it came and the useriD of the intended recipient) from the external computer network
`
`105 via the external communications interface 210, and generates a Downloadable ID
`
`for identifying each Downloadable. The Downloadable ID preferably includes a digital
`
`hash of the complete Downloadable code. The ID generator 315 preferably prefetches
`
`all components embodied in or identified by the code for Downloadable ID generation.
`
`15
`
`For example, the ID generator 315 may prefetch all classes embodied in or identified by
`
`the Java™ applet bytecode to generate the Downloadable ID. Similarly, the ID
`
`generator 315 may retrieve all components listed in the .INF file for an ActiveX™
`
`control to compute a Downloadable ID. Accordingly, the Downloadable ID for the
`
`Downloadable will be the same each time the ID generator 315 receives the same
`
`20
`
`Downloadable. The ID generator 315 adds the generated Downloadable ID to the list of
`
`known Downloadables 307 (if it is not already listed). The ID generator 315 then
`
`forwards the Downloadable and Downloadable ID to the policy finder 317.
`
`(ii
`
`'-.,j
`
`=
`~
`
`131/201271.02
`033000/1635140492.00011
`
`9
`j()
`
`FireEye - Exhibit 1005 Page 15
`
`
`
`The policy finder 317 uses the useriD of the intended user and the Downloadable
`
`ID to select the specific security policy 305 that shall be applied on the received
`
`Downloadable. If there is a specific policy 305 that was defined for the user (or for one
`
`of its super groups) and the Downloadable, then the policy is selected. Otherwise the
`
`5
`
`generic policy 305 that was defined for the user (or for one of its super groups) is
`
`selected. The policy finder 317 then sends the policy to the first comparator 320.
`
`The first comparator 320 receives .the Downloadable, the Downloadable ID and
`
`the security policy 305 from the policy finder 317. The first comparator 320 examines
`
`the security policy 305 to determine which steps are needed for allowing the
`'
`Downloadable. For example, the security policy 305 may indicate that, in order to allow
`
`10
`
`this Downloadable, it must pass all four paths, Path 1, Path 2, Path 3 and Path 4.
`
`;;J1
`
`Alternatively, the security policy 305 may indicate that to allow the Downloadable, the it
`
`must pass only one of the paths. The first comparator 320 responds by forwarding the
`
`proper information to the paths identified by the security policy 305.
`
`15
`
`In path I, the first comparator 320 checks the policy selector 405 of the security
`
`policy 305 that was received from the policy finder 317. If the policy selector 405 is
`
`either "Allowed" or "Blocked," then the first comparator 320 forwards this result
`
`directly to the logical engine 333. Otherwise, the first comparator 320 invokes the
`
`20
`
`comparisons in path2 and/or path 3 and/or path 4 based on the contents of policy selector
`
`405. It will be appreciated that the first comparator 320 itself compares the
`
`Downloadable ID against the lists ofDown!oadables to allow or block per administrative
`
`131/201271.02
`033000/1635/40492.00011
`
`10
`;/
`
`FireEye - Exhibit 1005 Page 16
`
`
`
`override 425. That is, the system security administrator can define specific
`
`Downloadables as "Allowed" or "Blocked."
`
`Alternatively, the logical engine 333 may receive the results of each of the paths
`
`and based on the policy selector 405 may institute the final determination whether to
`
`5
`
`. allow or block the Downloadable. The first comparator 320 informs the logical engine
`
`333 of the results of its comparison.
`
`In path 2, the first comparator 320 delivers the Downloadable, the Downloadable
`
`10
`
`ID and the security policy 305 to the code scanner 325. If the DSP data 310 of the
`
`received Downloadable is known, the code scanner 325 retrieves and forwards the
`
`information to the ACL comparator 330. Otherwise, the code scanner 325 resolves the
`
`DSP data 310. That is, the code scanner 325 uses conventional parsing techniques to
`
`decompose the code (including all prefetched components) of the Downloadable into the
`
`15
`
`DSP data 310. DSP data 310 includes the list of all potentially hostile or suspicious
`
`computer operations that may be attempted by a specific Downloadable 307, and may
`
`also include the respective arguments of these operations. For example, DSP data 310
`
`may include a READ from a specific file, a SEND to an unresolved host, etc. The code
`
`scanner 325 may generate the DSP data 310 as a list of all operations in the
`
`20
`
`Downloadable code which could ever be deemed potentially hostile and a list of all files
`
`to be accessed by the Downloadable code. I twill be appreciated that the code scanner
`
`325 may search the code for any pattern, which is undesirable or suggests that the code
`
`was written by a hacker.
`
`1311201271.02
`03300011635/40492.00011
`
`11
`jJ
`
`FireEye - Exhibit 1005 Page 17
`
`
`
`An ExaJJJ.Ple List of Qperations Deemed Potentially Hostile
`
`File operations:. READ a file, WRITE a file;
`
`Network operations: LISTEN on a socket, CONNECT to a socket, SEND data,
`
`5
`
`RECEIVE data, VIEW INTRANET;
`
`Registry operations: READ a registry item, WRITE a registry item;
`
`Operating system operations: EXIT WINDOWS, EXIT BROWSER, START
`
`PROCESS/THREAD, KILL PROCESS/THREAD, CHANGE PROCESS/THREAD
`
`PRIORITY, DYNAMICALLY LOAD A CLASS!LffiRARY, etc.; and
`
`'
`Resource usage thresholds: memory, CPU, graphics, etc.
`
`In the preferred embodiment, the code scanner 325 performs a full-content inspection.
`
`·;bJ
`
`However, for improved speed but reduced security, the code scanner 325 may examine
`only a portion of the Downloadable such as the Downloadable header. The code scanner
`
`325 then stores the DSP data into DSP data 310 (corresponding to its Downloadable ID),
`
`15
`
`and sends the Downloadable, the DSP data to the ACL comparator 330 for comparison
`
`with the security policy 305.
`
`The ACL comparator 330 receives the Downloadable, the corresponding DSP
`
`data and the security policy 305 from the code scanner 325, and compares the DSP data
`
`against the security policy 305, That is, the ACL comparator 330 compares the DSP data
`
`20
`
`of the received Downloadable against the access control lists 410 in the received security
`
`policy 305. The access control list 410 contains criteria indicating whether to pass or
`
`fail the Downloadable. For example, an access control list may indicate that the
`
`Downloadable fails if the DSP data includes a WRITE command to a system file. The
`
`ACL comparator 330 sends its results to the logical engine 333.
`
`1311201271.02
`03300011635140492.00011
`
`12
`
`FireEye - Exhibit 1005 Page 18
`
`
`
`In path 3, the certificate scanner 340 determines whether the received
`
`Downloadable was signed by a certificate authority, such as VeriSign, Inc., and scans for
`
`5
`
`a certificate embodied in the Downloadable. The certificate scanner 340 forwards the
`
`found certificate to the certificate comparator 345. The certificate comparator 345
`
`retrieves known certificates 309 that were deemed trustworthy by the security
`
`administrator and compares the found certificate with the known certificates 309 to
`
`determine whether the, Downloadable was signed by a trusted certificate. The certificate
`
`10
`
`comparator 345 sends the results to the logical engine 333.
`
`Path 4:
`
`In path 4, the URL comparator 350. examines the URL identifYing the source of
`
`the Downloadable against URLs stored in the URL rule base 420 to determine whether
`
`15
`
`the Downloadable comes from a trusted source. Based on the security policy 305, the
`
`URL comparator 350 may deem the Downloadable suspicious if the Downloadable
`
`comes from an untrustworthy source or if the Downloadable did not come from a trusted
`
`source. For example, if the Downloadable comes from a known hacker, then the
`
`Downloadable may be deemed suspicious and presumed hostile. The URL comparator
`
`20
`
`350 sends its results to the logical engine 333.
`
`The logical engine 333 examines the results of each of the paths and the policy
`
`selector 405 in the security policy 305 to determine whether to allow or block the
`
`Downloadable. The policy selector 405 includes a logical expression of the results
`
`25
`
`received from each of the paths. For example, the logical engine 333 may block a
`
`131/201271.02
`033000/1635140492.00011
`
`13
`r I.'/
`'
`
`FireEye - Exhibit 1005 Page 19
`
`
`
`Downloadable if it fails any one of the paths, i.e., if the Downloadable is known hostile
`
`(Path 1), if the Downloadable may request suspicious operations (Path 2), if the
`
`Downloadable was not signed by a trusted certificate authority (Path 3), or if the
`
`Downloadable did came from an untrustworthy source (Path 4). The logical engine 333
`
`5
`
`may apply other logical expressions according to the policy selector 405 embodied in the
`
`security policy 305. If the policy selector 405 indicates that the Downloadable may
`
`pass, then the logical engine 333 passes the Downloadable to its intended recipient.
`
`Otherwise, if the policy selector 405 indicates that the Downloadable should be blocked,
`
`then the logical engine 333 forwards a non-hostile Downloadable to the intended
`'
`recipient to inform the user that internal network security system 110 discarded the
`
`10
`
`original Downloadable. Further, the logical engine 333 forwards a status report to the
`
`record-keeping engine 33 5, which stores the reports in event log 245 in the data storage
`
`device 230 for subsequent review, for example, by the MIS director.
`
`fj§
`
`\4
`
`15 ·
`
`FIG. 5 is a block diagram illustrating details of the security management console
`
`120, which includes a security policy editor 505 coupled to the communications channel
`
`135, an event log analysis engine 510 coupled between communications channell35
`
`and a user notification engine 515, and a Downloadable database review engine 520
`
`coupled to the communications channel135. The security management console 120
`
`20
`
`further includes computer components similar to the computer components illustrated in
`
`FIG. 2.
`
`The security policy editor 505 uses an I/0 interface similar to I/0 interface 215
`
`for enabling a