PTO/SB/05 (08-08)
`Approved for use through 06/30/2010. OMB 0651-0032
`U.S. Patent and Trademark Office. U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.

`UTILITY
`PATENT APPLICATION
`TRANSMITTAL
(Only for new nonprovisional applications under 37 C.F.R. 1.53(b))
`
`APPLICATION ELEMENTS
`See MPEP chapter 600 concerning utility patent application contents.
`
`1.0 Fee Transmittal Form (e.g., PTO/SB/17)
`(Submit an original and a duplicate for fee processing)
`2.0 Applicant claims small entity status.
`See 37 CFR 1.27.
`3.~ Specification
`[Total Pages 37
`Both the claims and abstract must start on a new page
`(For information on the preferred arrangement, see MPEP 608.01(a))
`4. 1:8] Drawing(s) (35 U.S.C.113)
`l
`[Total Sheets .§
`
`l
`
`l
`
`[Total Sheets §.
`5. Oath or Declaration
`a. 0 Newly executed (original or copy)
`b. ~ A copy from a prior application (37 CFR 1.63 (d))
`(for a continuation/divisional with Box 18 completed)
`i. 0 DELETION OF INVENTOR(S)
`Signed statement attached deleting inventor(s)
`named in the prior application, see 37 CFR
`1.63(d)(2) and 1.33(b).
`
`6. 0
`
`Application Data Sheet. See 37 CFR 1.76
`
`1. 0 CD-ROM or CD-R in duplicate, large table or
`Computer Program (Appendix)
`D Landscape Table on CD
`
`8. Nucleotide and/or Amino Acid Sequence Submission
`(if applicable, items a.-c. are required)
`a. 0 Computer Readable Form (CRF)
`b.
`Specification Sequence Listing on:
`i. D CD-ROM or CD-R (2 copies); or
`ii. D Paper
`c. 0 Statements verifying identity of above copies
`
Attorney Docket No.: FIN0008-DIV1
First Inventor: David GRUZMAN, et al.
Title: System and Method for Inspecting Dynamically Generated Executable Code
Express Mail Label No.:
`
`ADDRESS TO:
`
`Commissioner for Patents
`P.O. Box 1450
`Alexandria VA 22313-1450
`
`ACCOMPANYING APPLICATIONS PARTS
`
`9. ~ Assignment Papers (cover sheet & document(s))
`Name of Assignee Finjan, Inc.
`
`10. ~ 37 C.F.R. 3.73(b) Statement ~ Power of
`(when there is an assignee)
`Attorney
`
`11.0
`
`English Translation Document (if applicable)
`
12. ~ Information Disclosure Statement (PTO/SB/08 or PTO-1449)
`0 Copies of citations attached
`
`13. 0
`
`Preliminary Amendment
`
`14. 0
`
`15. 0
`
`16. 0
`
`Return Receipt Postcard (MPEP 503)
`(Should be specifically itemized)
`
`Certified Copy of Priority Document(s)
`(if foreign priority is claimed)
`
`Nonpublication Request under 35 U.S.C. 122(b)(2)(B)(i).
`Applicant must attach form PTO/SB/35 or equivalent.
`
`17. ~ Other: Filed Electronically
`
18. If a CONTINUING APPLICATION, check appropriate box, and supply the requisite information below and in the first sentence of the specification following the title, or in an Application Data Sheet under 37 CFR 1.76:
`D Continuation
`D Continuation-in-part (CIP)
181 Divisional of prior application No.: 11/298,475
Prior application information: Examiner: Ponnoreay Pich; Art Unit: 2435
`
19. CORRESPONDENCE ADDRESS
D The address associated with Customer Number 174877 OR D Correspondence address below
Name:
Address:
City:          State:          Zip Code:
Country:       Telephone:      Email:
Signature: /Dawn-Marie Bey/
Date: June 9, 2010
Name (Print/Type): Dawn-Marie Bey
Registration No. (Attorney/Agent): 144,442
`
This collection of information is required by 37 CFR 1.53(b). The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.11 and 1.14. This collection is estimated to take 12 minutes to complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Mail Stop Patent Application, Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
If you need assistance in completing the form, call 1-800-PTO-9199 and select option 2.
`
`Juniper Ex. 1002-p. 1
`Juniper v Finjan
`
`

`

`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED
`EXECUTABLE CODE
`
`FIELD OF THE INVENTION
`
[0001] The present invention relates to computer security, and more particularly to protection against malicious code such as computer viruses.
`
`BACKGROUND OF THE INVENTION
`
[0002] Computer viruses have been rampant for over two decades now. Computer viruses generally come in the form of executable code that performs adverse operations, such as modifying a computer's operating system or file system, damaging a computer's hardware or hardware interfaces, or automatically transmitting data from one computer to another. Generally, computer viruses are generated by hackers willfully, in order to exploit computer vulnerabilities. However, viruses can also arise by accident due to bugs in software applications.
`
[0003] Originally computer viruses were transmitted as executable code inserted into files. As each new virus was discovered, a signature of the virus was collected by anti-virus companies and used from then on to detect the virus and protect computers against it. Users began routinely scanning their file systems using anti-virus software, which regularly updated its signature database as each new virus was discovered.
`
[0004] Such anti-virus protection is referred to as "reactive", since it can only protect in reaction to viruses that have already been discovered.
`
[0005] With the advent of the Internet and the ability to run executable code such as scripts within Internet browsers, a new type of virus formed; namely, a virus that enters a computer over the Internet and not through the computer's file system. Such Internet viruses can be embedded within web pages and other web content, and begin executing within an Internet browser as soon as they enter a computer. Routine file scans are not able to detect such viruses, and as a result more sophisticated anti-virus tools had to be developed.
`
`WDC IMANAGE-1496219.1
`
`
[0006] Two generic types of anti-virus applications that are currently available to protect against such Internet viruses are (i) gateway security applications, and (ii) desktop security applications. Gateway security applications shield web content before the content is delivered to its intended destination computer. Gateway security applications scan web content, and block the content from reaching the destination computer if the content is deemed by the security application to be potentially malicious. In distinction, desktop security applications shield against web content after the content reaches its intended destination computer.
`
[0007] Moreover, in addition to reactive anti-virus applications that are based on databases of known virus signatures, recently "proactive" anti-virus applications have been developed. Proactive anti-virus protection uses a methodology known as "behavioral analysis" to analyze computer content for the presence of viruses. Behavioral analysis is used to automatically scan and parse executable content, in order to detect which computer operations the content may perform. As such, behavioral analysis can block viruses that have not been previously detected and which do not have a signature on record, hence the name "proactive".
`
[0008] Assignee's US Patent No. 6,092,194 entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, the contents of which are hereby incorporated by reference, describes gateway level behavioral analysis. Such behavioral analysis scans and parses content received at a gateway and generates a security profile for the content. A security profile is a general list or delineation of suspicious, or potentially malicious, operations that executable content may perform. The derived security profile is then compared with a security policy for the computer being protected, to determine whether or not the content's security profile violates the computer's security policy. A security policy is a general set of simple or complex rules, that may be applied logically in series or in parallel, which determine whether or not a specific operation is permitted or forbidden to be performed by the content on the computer being protected. Security policies are generally configurable, and set by an administrator of the computers that are being protected.
`
`
[0009] Assignee's US Patent No. 6,167,520 entitled SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES, the contents of which are hereby incorporated by reference, describes desktop level behavioral analysis. Desktop level behavioral analysis is generally implemented during run-time, while a computer's web browser is processing web content received over the Internet. As the content is being processed, desktop security applications monitor calls made to critical systems of the computer, such as the operating system, the file system and the network system. Desktop security applications use hooks to intercept calls made to operating system functions, and allow or block the calls as appropriate, based on the computer's security policy.
`
[00010] Each of the various anti-virus technologies, gateway vs. desktop, reactive vs. proactive, has its pros and cons. Reactive anti-virus protection is computationally simple and fast; proactive virus protection is computationally intensive and slower. Reactive anti-virus protection cannot protect against new "first-time" viruses, and cannot protect a user if his signature file is out of date; proactive anti-virus protection can protect against new "first-time" viruses and does not require regular downloading of updated signature files. Gateway level protection keeps computer viruses at a greater distance from a local network of computers; desktop level protection is more accurate. Desktop level protection is generally available in the consumer market for hackers to obtain, and is susceptible to reverse engineering; gateway level protection is not generally available to hackers.
`
[00011] Reference is now made to FIG. 1, which is a simplified block diagram of prior art systems for blocking malicious content, as described hereinabove. The topmost system shown in FIG. 1 illustrates a gateway level security application. The middle system shown in FIG. 1 illustrates a desktop level security application, and the bottom system shown in FIG. 1 illustrates a combined gateway + desktop level security application.
`
[00012] The topmost system shown in FIG. 1 includes a gateway computer 105 that receives content from the Internet, the content intended for delivery to a client computer 110. Gateway computer 105 receives the content over a communication channel 120, and gateway computer communicates with client computer 110 over a communication channel 125. Gateway computer 105 includes a gateway receiver 135 and a gateway transmitter 140. Client computer 110 includes a client receiver 145. Client computer generally also has a client transmitter, which is not shown.
`
[00013] Client computer 110 includes a content processor 170, such as a conventional web browser, which processes Internet content and renders it for interactive viewing on a display monitor. Such Internet content may be in the form of executable code, JavaScript, VB Script, Java applets, ActiveX controls, which are supported by web browsers.
`
[00014] Gateway computer 105 includes a content inspector 174 which may be reactive or proactive, or a combination of reactive and proactive. Incoming content is analyzed by content inspector 174 before being transmitted to client computer 110. If incoming content is deemed to be malicious, then gateway computer 105 preferably prevents the content from reaching client computer 110. Alternatively, gateway computer 105 may modify the content so as to render it harmless, and subsequently transmit the modified content to client computer 110.
`
[00015] Content inspector 174 can be used to inspect incoming content, on its way to client computer 110 as its destination, and also to inspect outgoing content, being sent from client computer 110 as its origin.
`
[00016] The middle system shown in FIG. 1 includes a gateway computer 105 and a client computer 110, the client computer 110 including a content inspector 176. Content inspector 176 may be a conventional signature-based anti-virus application, or a run-time behavioral based application that monitors run-time calls invoked by content processor 170 to operating system, file system and network system functions.
`
[00017] The bottom system shown in FIG. 1 includes both a content inspector 174 at gateway computer 105, and a content inspector 176 at client computer 110. Such a system can support conventional gateway level protection, desktop level protection, reactive anti-virus protection and proactive anti-virus protection.
`
`
[00018] As the hacker vs. anti-virus protection battle continues to wage, a newer type of virus has sprung forward; namely, dynamically generated viruses. These viruses are themselves generated only at run-time, thus thwarting conventional reactive analysis and conventional gateway level proactive behavioral analysis. These viruses take advantage of features of dynamic HTML generation, such as executable code or scripts that are embedded within HTML pages, to generate themselves on the fly at runtime.
`
[00019] For example, consider the following portion of a standard HTML page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<SCRIPT LANGUAGE="JavaScript">
document.write("<h1>text that is generated at run-time</h1>");
</SCRIPT>
<BODY>
</BODY>
</HTML>

The text within the <SCRIPT> tags is JavaScript, and includes a call to the standard function document.write(), which generates dynamic HTML. In the example above, the function document.write() is used to generate HTML header text, with a text string that is generated at run-time. If the text string generated at run-time is of the form

<SCRIPT>malicious JavaScript</SCRIPT>

then the document.write() function will insert malicious JavaScript into the HTML page that is currently being rendered by a web browser. In turn, when the web browser processes the inserted text, it will perform malicious operations to the client computer.
`
`
[0020] Such dynamically generated malicious code cannot be detected by conventional reactive content inspection and conventional gateway level behavioral analysis content inspection, since the malicious JavaScript is not present in the content prior to run-time. A content inspector will only detect the presence of a call to Document.write() with input text that is yet unknown. If such a content inspector were to block all calls to Document.write() indiscriminately, then many harmless scripts will be blocked, since most of the time calls to Document.write() are made for dynamic display purposes only.
`
[0021] US Patent Nos. 5,983,348 and 6,272,641, both to Ji, describe reactive client level content inspection, that modifies downloaded executable code within a desktop level anti-virus application. However, such inspection can only protect against static malicious content, and cannot protect against dynamically generated malicious content.
`
[0022] Desktop level run-time behavioral analysis has a chance of shielding a client computer against dynamically generated malicious code, since such code will ultimately make a call to an operating system function. However, desktop anti-virus protection has a disadvantage of being widely available to the hacker community, which is always eager to find vulnerabilities. In addition, desktop anti-virus protection has a disadvantage of requiring installation of client software.
`
[0023] As such, there is a need for a new form of behavioral analysis, which can shield computers from dynamically generated malicious code without running on the computer itself that is being shielded.
`
`SUMMARY OF THE DESCRIPTION
`
[0024] The present invention concerns systems and methods for implementing new behavioral analysis technology. The new behavioral analysis technology affords protection against dynamically generated malicious code, in addition to conventional computer viruses that are statically generated.
`
[0025] The present invention operates through a security computer that is preferably remote from a client computer that is being shielded while processing network content. During run-time, while processing the network content, but before the client computer invokes a function call that may potentially dynamically generate malicious code, the client computer passes the input to the function to the security computer for inspection, and suspends processing the network content pending a reply back from the security computer. Since the input to the function is being passed at run-time, it has already been dynamically generated and is thus readily inspected by a content inspector. Referring to the example above, were the input to be passed to the security computer prior to run-time, it would take the form of indeterminate text; whereas the input passed during run-time takes the determinate form

<SCRIPT>malicious JavaScript</SCRIPT>,

which can readily be inspected. Upon receipt of a reply from the security computer, the client computer resumes processing the network content, and knows whether to by-pass the function call invocation.
`
[0026] To enable the client computer to pass function inputs to the security computer and suspend processing of content pending replies from the security computer, the present invention operates by replacing original function calls with substitute function calls within the content, at a gateway computer, prior to the content being received at the client computer.
`
[0027] The present invention also provides protection against arbitrarily many recursive levels of dynamic generation of malicious code, whereby such code is generated via a series of successive function calls, one within the next.
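
The flow described in paragraphs [0025] to [0027], as an added example that is not part of the application: a single-process JavaScript simulation of the gateway computer's content modifier, the client's substitute function and the security computer's input inspector. The name substituteDocumentWrite, the one-rule policy, the sample page and the rewriting of inspected input (used here to cover nested calls) are assumptions made for illustration.

```javascript
// Added example: the three roles simulated in one process.
// Every name, the policy and the sample page below are constructed.
const SUBSTITUTE = 'substituteDocumentWrite'; // hypothetical substitute function
const SCRIPT_TAG = '<script[^>]*>([\\s\\S]*?)<\\/script>';

// Gateway computer (content modifier): replace calls to the original function
// with calls to the substitute function. A textual rewrite keeps the example
// short; a production modifier would parse the script instead.
function modifyContent(content) {
  return content.replace(/\bdocument\s*\.\s*write\s*\(/g, SUBSTITUTE + '(');
}

// Security computer (input inspector): build a security profile from the
// input and compare it with the security policy.
function inspectInput(input, policy) {
  const profile = policy.forbidden.filter((op) => input.includes(op));
  return {
    safe: profile.length === 0,
    profile,
    // Assumption: the inspected input is rewritten as well, so a call nested
    // inside it is also routed through the substitute function.
    input: modifyContent(input),
  };
}

// Client computer (content processor): a minimal stand-in for a browser that
// executes <SCRIPT> bodies and records any other written markup as rendered.
function processContent(content, policy) {
  const rendered = [];
  const verdicts = [];

  const runScripts = (markup) => {
    for (const m of markup.matchAll(new RegExp(SCRIPT_TAG, 'gi'))) {
      new Function('document', SUBSTITUTE, m[1])(document, substitute);
    }
  };
  // Stand-in for the original function.
  const document = {
    write(markup) {
      const text = markup.replace(new RegExp(SCRIPT_TAG, 'gi'), '').trim();
      if (text) rendered.push(text);
      runScripts(markup);
    },
  };
  // Substitute function: pass the run-time input for inspection, wait for the
  // indicator, and invoke the original function only if it says "safe".
  function substitute(input) {
    const text = String(input);
    const reply = inspectInput(text, policy); // synchronous stand-in for the round trip
    verdicts.push({ input: text, safe: reply.safe, profile: reply.profile });
    if (reply.safe) document.write(reply.input);
  }

  runScripts(content);
  return { rendered, verdicts };
}

// Constructed sample page: the forbidden operation name and the nested write
// call only become contiguous text at run-time.
const SAMPLE_PAGE = `<HTML>
<SCRIPT LANGUAGE="JavaScript">
var t = "SCR" + "IPT";
document.write("<h1>text that is generated at run-time</h1>");
document.write("<" + t + ">var t='SCR'+'IPT'; document" + ".write('<'+t+'>new Active'+'XObject(0)</'+t+'>');</" + t + ">");
</SCRIPT>
<BODY></BODY>
</HTML>`;
const POLICY = { forbidden: ['ActiveXObject'] }; // constructed one-rule policy

function demo() {
  return {
    staticVerdict: inspectInput(SAMPLE_PAGE, POLICY).safe, // scan before run-time
    run: processContent(modifyContent(SAMPLE_PAGE), POLICY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The scan before run-time reports the page as safe, while the run records three verdicts: the header text and the first generated script pass, and the second-level input is refused once it has taken determinate form.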
`
[0028] By operating through the medium of a security computer, the present invention overcomes the disadvantages of desktop anti-virus applications, which are available to the hacker community for exploit. Security applications embodying the present invention are concealed securely within managed computers.
`
[0029] There is thus provided in accordance with a preferred embodiment of the present invention a method for protecting a client computer from dynamically generated malicious content, including receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, transmitting the modified content from the gateway computer to the client computer, processing the modified content at the client computer, transmitting the input to the security computer for inspection when the substitute function is invoked, determining at the security computer whether it is safe for the client computer to invoke the original function with the input, transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer, and invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe.
`
[0030] There is further provided in accordance with a preferred embodiment of the present invention a system for protecting a client computer from dynamically generated malicious content, including a gateway computer, including a gateway receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, and a gateway transmitter for transmitting the modified content from the gateway computer to the client computer, a security computer, including a security receiver for receiving the input from the client computer, an input inspector for determining whether it is safe for the client computer to invoke the original function with the input, and a security transmitter for transmitting an indicator of the determining to the client computer, and a client computer communicating with the gateway computer and with the security computer, including a client receiver for receiving the modified content from the gateway computer, and for receiving the indicator from the security computer, a content processor for processing the modified content, and for invoking the original function only if the indicator indicates that such invocation is safe; and a client transmitter for transmitting the input to the security computer for inspection, when the substitute function is invoked.
`
[0031] There is yet further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing at least one computing device to receive content including a call to an original function, and the call including an input, replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, thereby generating modified content, process the modified content, transmit the input for inspection, when the substitute function is invoked while processing the modified content, and suspend processing of the modified content, determine whether it is safe to invoke the original function with the input, transmit an indicator of whether it is safe for a computer to invoke the original function with the input, and resume processing of the modified content after receiving the indicator, and invoke the original function with the input only if the indicator indicates that such invocation is safe.
`
[0032] There is additionally provided in accordance with a preferred embodiment of the present invention a method for protecting a client computer from dynamically generated malicious content, including receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, and transmitting the modified content to the client computer for processing.
`
[0033] There is moreover provided in accordance with a preferred embodiment of the present invention a system for protecting a client computer from dynamically generated malicious content, including a receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, and a transmitter for transmitting the modified content to the client computer.
`
[0034] There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computing device to receive content including a call to an original function, and the call including an input, and replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection.
`
[0035] There is yet further provided in accordance with a preferred embodiment of the present invention a method for protecting a client computer from dynamically generated malicious content, including receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, transmitting the modified content to the client computer for processing, receiving the input from the client computer, determining whether it is safe for the client computer to invoke the original function with the input, and transmitting to the client computer an indicator of whether it is safe for the client computer to invoke the original function with the input.
`
[0036] There is additionally provided in accordance with a preferred embodiment of the present invention a system for protecting a client computer from dynamically generated malicious content, including a receiver (i) for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, and (ii) for receiving the input from the client computer, a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, an input inspector for determining whether it is safe for the client computer to invoke the original function with the input, and a transmitter (i) for transmitting the modified content to the client computer, and (ii) for transmitting an indicator of the determining to the client computer.
`
`
[0037] There is moreover provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computing device to receive content including a call to an original function, and the call including an input, replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, and determine whether it is safe for a computer to invoke the original function with the input.
`
[0038] There is further provided in accordance with a preferred embodiment of the present invention a method for protecting a computer from dynamically generated malicious content, including processing content received over a network, the content including a call to a first function, and the call including an input, transmitting the input to a security computer for inspection, when the first function is invoked, receiving from the security computer an indicator of whether it is safe to invoke a second function with the input, and invoking the second function with the input, only if the indicator indicates that such invocation is safe.
`
[0039] There is yet further provided in accordance with a preferred embodiment of the present invention a system for protecting a computer from dynamically generated malicious content, including a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe, a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked, and a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.
`
[0040] There is additionally provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computing device to process content received over a network, the content including a call to a first function, and the call including an input, transmit the input for inspection, when the first function is invoked, and suspend processing of the content, receive an indicator of whether it is safe to invoke a second function with the input, and resume processing of the content after receiving the indicator, and invoke the second function with the input only if the indicator indicates that such invocation is safe.
`
[0041] There is moreover provided in accordance with a preferred embodiment of the present invention a method for protecting a client computer from dynamically generated malicious content, including receiving an input from a client computer, determining whether it is safe for the client computer to invoke a function with the input, and transmitting an indicator of the determining to the client computer.
`
[0042] There is further provided in accordance with a preferred embodiment of the present invention a system for protecting a client computer from dynamically generated malicious content, including a receiver for receiving an input from a client computer, an input inspector for determining whether it is safe for the client computer to invoke a function with the input, and a transmitter for transmitting an indicator of the determining to the client computer.
`
[0043] There is further provided in accordance with a preferred embodiment of the present invention a computer-readable storage medium storing program code for causing a computing device to receive an input from a computer, determine whether it is safe for the computer to invoke a function with the input, and transmit an indicator of the determination to the computer.
`
[0044] The following definitions are employed throughout the specification and claims.

SECURITY POLICY - a set of one or more rules that determine whether or not a requested operation is permitted. A security policy may be explicitly configurable by a computer system administrator, or may be implicitly determined by application defaults.

SECURITY PROFILE - information describing one or more suspicious operations performed by executable software.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
[0045] The present invention will be more fully understood and appreciated from the fol
