`
`I III IIIIIIII I III IIIIIIII III iiui iiui 111!),1)111191III iiui iiui 111!),1)111191011g1111111111111111111111111 011g1111111111111111111111111
`
`
`
`
`
`
`
`
`
`US007975305B2
`
`(12) United States Patent
`(12) United States Patent
`(12) United States Patent
`Rubin et al.
`
`Rubin et al. Rubin et al.
`
`(10) Patent No.:
`
`(10) Patent No.: (10) Patent No.:
`(45) Date of Patent:
`
`(45) Date of Patent: (45) Date of Patent:
`
`US 7,975,305 B2
`US 7,975,305 B2
`US 7,975,305 B2
`Jul. 5, 2011
`
`Jul. 5, 2011 Jul. 5, 2011
`
`(54)
`METHOD AND SYSTEM FOR ADAPTIVE
`
`(54) METHOD AND SYSTEM FOR ADAPTIVE (54) METHOD AND SYSTEM FOR ADAPTIVE
`RULE-BASED CONTENT SCANNERS FOR
`
`RULE-BASED CONTENT SCANNERS FOR RULE-BASED CONTENT SCANNERS FOR
`DESKTOP COMPUTERS
`
`DESKTOP COMPUTERS DESKTOP COMPUTERS
`
`(75)
`(75) (75)
`
`
`Inventors: Moshe Rubin, Jerusalem (IL); Moshe
`
`Inventors: Moshe Rubin, Jerusalem (IL); Moshe Inventors: Moshe Rubin, Jerusalem (IL); Moshe
`Matitya, Jerusalem (IL); Artem
`
`Matitya, Jerusalem (IL); Artem Matitya, Jerusalem (IL); Artem
`Melnick, Beit Shemesh (IL); Shlomo
`
`Melnick, Beit Shemesh (IL); Shlomo Melnick, Beit Shemesh (IL); Shlomo
`Touboul, Kefar-Haim (IL); Alexander
`
`Touboul, Kefar-Haim (IL); Alexander Touboul, Kefar-Haim (IL); Alexander
`Yermakov, Beit Shemesh (IL); Amit
`
`Yermakov, Beit Shemesh (IL); Amit Yermakov, Beit Shemesh (IL); Amit
`Shaked, Tel Aviv (IL)
`
`Shaked, Tel Aviv (IL) Shaked, Tel Aviv (IL)
`
`Assignee: Finjan, Inc., San Jose, CA (US)
`(73)
`(73) Assignee: Finjan, Inc., San Jose, CA (US) (73) Assignee: Finjan, Inc., San Jose, CA (US)
`
`
`Notice:
`(*)
`( * ) Notice: ( * ) Notice:
`
`
`Subject to any disclaimer, the term of this
`
`Subject to any disclaimer, the term of this Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`
`patent is extended or adjusted under 35 patent is extended or adjusted under 35
`U.S.C. 154(b) by 1016 days.
`
`U.S.C. 154(b) by 1016 days. U.S.C. 154(b) by 1016 days.
`
`Appl. No.: 11/009.437
`(21)
`(21) Appl. No.: 11/009,437 (21) Appl. No.: 11/009,437
`
`
`(22)
`Filed:
`(22) Filed:
`(22) Filed:
`
`Dec. 9, 2004
`Dec. 9, 2004
`Dec. 9, 2004
`
`(65)
`(65) (65)
`
`
`Prior Publication Data
`Prior Publication Data Prior Publication Data
`
`US 2005/024O999 A1
`Oct. 27, 2005
`US 2005/0240999 Al US 2005/0240999 Al
`
`Oct. 27, 2005 Oct. 27, 2005
`
`
`Related U.S. Application Data
`Related U.S. Application Data
`Related U.S. Application Data
`Continuation-in-part of application No. 10/930,884,
`(63)
`
`(63) Continuation-in-part of application No. 10/930,884, (63) Continuation-in-part of application No. 10/930,884,
`filed on Aug. 30, 2004, which is a continuation-in-part
`
`filed on Aug. 30, 2004, which is a continuation-in-part filed on Aug. 30, 2004, which is a continuation-in-part
`of application No. 09/539,667, filed on Mar. 30, 2000,
`
`of application No. 09/539,667, filed on Mar. 30, 2000, of application No. 09/539,667, filed on Mar. 30, 2000,
`now Pat. No. 6,804,780, which is a continuation of
`
`now Pat. No. 6,804,780, which is a continuation of now Pat. No. 6,804,780, which is a continuation of
`application No. 08/964,388, filedon Nov. 6, 1997, now
`
`application No. 08/964,388, filed on Nov. 6, 1997, now application No. 08/964,388, filed on Nov. 6, 1997, now
`Pat. No. 6,092,194.
`
`Pat. No. 6,092,194. Pat. No. 6,092,194.
`
`(51)
`
`(51) Int. Cl. (51) Int. Cl.
`Int. C.
`(2006.01)
`G06F 11/00
`(2006.01)
`G06F 11/00
`(2006.01)
`G06F II/00
`(2006.01)
`G06F2L/00
`
`(2006.01) (2006.01)
`
`G06F 21/00 G06F 21/00
`(52)
`U.S. Cl. ............................. 726/25; 726/22; 713/153
`
` 726/25; 726/22; 713/153 726/25; 726/22; 713/153
`
`(52) U.S. Cl. (52) U.S. Cl.
`(58)
`
`(58) Field of Classification Search (58) Field of Classification Search
`
`None None
`Field of Classification Search ........................ None
`See application file for complete search history.
`
`See application file for complete search history. See application file for complete search history.
`
`(56)
`(56) (56)
`
`
`References Cited
`References Cited References Cited
`
`
`U.S. PATENT DOCUMENTS
`U.S. PATENT DOCUMENTS
`U.S. PATENT DOCUMENTS
`5,077,677 A 12/1991 Murphy et al. ................. TO6/62
`
`
`5,077,677 A 5,077,677 A
`
`12/1991 Murphy et al. 12/1991 Murphy et al.
`706/62 706/62
`
`5,359,659 A 5,359,659 A
`
`10/1994 Rosenthal 10/1994 Rosenthal
`
`726/24 726/24
`5,359,659 A 10/1994 Rosenthal ....................... T26/24
`5,361,359 A 11/1994 Tajalliet al. .................... T26/23
`
`5,361,359 A 5,361,359 A
`
`11/1994 Tajalli et al. 11/1994 Tajalli et al.
`
`726/23 726/23
`5,414,833 A * 5/1995 Hershey et al. ................. 726/22
`
`5,414,833 A * 5,414,833 A *
`
`5/1995 Hershey et al. 5/1995 Hershey et al.
`
`726/22 726/22
`5,485.409 A
`1/1996 Gupta et al. .................... 726/25
`
`5,485,409 A 5,485,409 A
`
`1/1996 Gupta et al. 1/1996 Gupta et al.
`
`726/25 726/25
`(Continued)
`
`(Continued) (Continued)
`
`EP EP
`
`EP
`
`FOREIGN PATENT DOCUMENTS
`
`FOREIGN PATENT DOCUMENTS FOREIGN PATENT DOCUMENTS
`
`1091276 1091276
`
`4/2001 4/2001
`109 1276
`4/2001
`(Continued)
`
`(Continued) (Continued)
`
`OTHER PUBLICATIONS
`OTHER PUBLICATIONS OTHER PUBLICATIONS
`
`DGrune, etal—Parsing Techniques: A Practical Guide, 2000—John
`
`D Grune, et al. Parsing Techniques: A Practical Guide, 2000—John D Grune, et al. Parsing Techniques: A Practical Guide, 2000—John
`Wiley & Sons, Inc. New York, NY, USA, p. 1-326.*
`Wiley & Sons, Inc. New York, NY, USA, p. 1-326.*
`Wiley & Sons, Inc. New York, NY, USA, p. 1-326.*
`(Continued)
`(Continued) (Continued)
`
`Primary Examiner — Emmanuel L. Moise
`
`Primary Examiner — Emmanuel L Moise Primary Examiner — Emmanuel L Moise
`Assistant Examiner — Jeffery Williams
`Assistant Examiner — Jeffery Williams
`Assistant Examiner — Jeffery Williams
`(74) Attorney, Agent, or Firm —Dawn-Marie Bey; King &
`
`(74) Attorney, Agent, or Firm — Dawn-Marie Bey; King & (74) Attorney, Agent, or Firm — Dawn-Marie Bey; King &
`Spalding LLP
`
`Spalding LLP Spalding LLP
`
`ABSTRACT
`(57)
`
`
`(57) (57)
`ABSTRACT ABSTRACT
`A security system for Scanning content within a computer,
`A security system for scanning content within a computer,
`A security system for scanning content within a computer,
`including a network interface, housed within a computer, for
`
`including a network interface, housed within a computer, for including a network interface, housed within a computer, for
`receiving content from the Internet on its destination to an
`
`receiving content from the Internet on its destination to an receiving content from the Internet on its destination to an
`Internet application running on the computer, a database of
`Internet application running on the computer, a database of
`Internet application running on the computer, a database of
`rules corresponding to computer exploits, stored within the
`
`rules corresponding to computer exploits, stored within the rules corresponding to computer exploits, stored within the
`computer, a rule-based content scanner that communicates
`
`computer, a rule-based content scanner that communicates computer, a rule-based content scanner that communicates
`with said database of rules, for Scanning content to recognize
`
`with said database of rules, for scanning content to recognize with said database of rules, for scanning content to recognize
`the presence of potential exploits therewithin, a network traf
`
`the presence of potential exploits therewithin, a network traf-the presence of potential exploits therewithin, a network traf-
`fic probe, operatively coupled to the network interface and to
`
`fic probe, operatively coupled to the network interface and to fic probe, operatively coupled to the network interface and to
`the rule-based content scanner, for selectively diverting con
`
`the rule-based content scanner, for selectively diverting con-the rule-based content scanner, for selectively diverting con-
`tent from its intended destination to the rule-based content
`
`tent from its intended destination to the rule-based content tent from its intended destination to the rule-based content
`scanner, and a rule update manager that communicates with
`
`scanner, and a rule update manager that communicates with scanner, and a rule update manager that communicates with
`said database of rules, for updating said database of rules
`
`said database of rules, for updating said database of rules said database of rules, for updating said database of rules
`periodically to incorporate new rules that are made available.
`periodically to incorporate new rules that are made available.
`periodically to incorporate new rules that are made available.
`A method and a computer readable storage medium are also
`
`A method and a computer readable storage medium are also A method and a computer readable storage medium are also
`described and claimed.
`
`described and claimed. described and claimed.
`
`25 Claims, 14 Drawing Sheets
`25 Claims, 14 Drawing Sheets 25 Claims, 14 Drawing Sheets
`
`
`
`
`
`
`INTERNET INTERNET
`
`
`
`NETWORK GATEWAY NETWORK GATEWAY
`
`
`
`100 100
`
`
`
`110 110
`
`
`
`PRE-SCANNER PRE-SCANNER
`
`
`
`130 130
`
`
`
`CCNTENT SCANNER CCNTENT SCANNER
`
`
`
`CONTENT CACHE CONTENT CACHE
`
`
`
`CORPORATE INTRANET CORPORATE INTRANET
`
`WENT
`WENT
`
`
`
`CLIENT CLIENT
`
`WENT
`WENT
`
`
`
`120 120
`
`CUB4T
`CUB4T
`
`WENT
`WENT
`
`WIZ, Inc. EXHIBIT - 1042
`WIZ, Inc. v. Orca Security LTD.
`
`WIZ, Inc. EXHIBIT - 1042
`WIZ, Inc. v. Orca Security LTD.
`
`

`

`US 7,975,305 B2
`US 7,975,305 B2
`Page 2
`Page 2
`
`
`
`U.S. PATENT DOCUMENTS
`U.S. PATENT DOCUMENTS
`5,485,575 A
`1/1996 Chess et al. ..................... T14? 38
` 714/38
`5,485,575 A
`1/1996 Chess et al.
`5,572,643 A 11, 1996 Judson ........
`709,218
`5,572,643 A
`11/1996 Judson
` 709/218
`5,579,509 A 1 1/1996 Furtney et al.
`703/27
`5,579,509 A
`11/1996 Furtney et al.
` 703/27
`5,606,668 A
`2f1997 Shwed .....
`T26, 13
`5,606,668 A
`2/1997 Shwed
` 726/13
`5,623,600 A
`4/1997 Ji et al. .
`... 726/24
`5,623,600 A
`4/1997 Ji et al.
` 726/24
`5,638,446 A
`6, 1997 Rubin .........
`705/51
`5,638,446 A
`6/1997 Rubin
` 705/51
`5,675,711 A * 10/1997 Kephartet al.
`... 706/12
`5,675,711 A * 10/1997 Kephart et al
` 706/12
`5,692,047 A 11/1997 McManis ....
`713, 167
`5,692,047 A
`11/1997 McManis
` 713/167
`5,692,124 A 11/1997 Holden et al. .................... 726/2
`5,692,124 A
`11/1997 Holden et al.
` 726/2
`5,720,033. A
`2f1998 Deo ............
`726/2
`5,720,033 A
`2/1998 Deo
` 726/2
`5,724.425. A
`3/1998 Chang et al.
`705/52
`5,724,425 A
`3/1998 Chang et al.
` 705/52
`5,740,248 A
`4, 1998 Fieres et al.
`713,156
`5,740,248 A
`4/1998 Fieres et al.
` 713/156
`5,740,441 A * 4, 1998 Yellin et al. ................... T17,134
`5,740,441 A * 4/1998 Yellin et al.
` 717/134
`5,761,421 A
`6, 1998 van Hoffetal. .............. 709,223
`5,761,421 A
`6/1998 van Hoff et al.
` 709/223
`5,765,205 A
`6, 1998 Breslau et al. ........
`711,203
`5,765,205 A
`6/1998 Breslau et al.
` 711/203
`5,784,459 A
`7, 1998 Devarakonda et al.
`713,165
`5,784,459 A
`7/1998 Devarakonda et al.
` 713/165
`5,796,952 A
`8, 1998 Davis et al. ........
`709,224
`5,796,952 A
`8/1998 Davis et al.
` 709/224
`5,805,829 A
`9, 1998 Cohen et al.
`709f2O2
`5,805,829 A
`9/1998 Cohen et al.
` 709/202
`5,832,208 A 11/1998 Chen et al. ..
`... 726/24
`5,832,208 A
`11/1998 Chen et al.
` 726/24
`5,832,274 A 11/1998 Cutler et al.
`717/171
`5,832,274 A
`11/1998 Cutler et al.
` 717/171
`5,850,559 A 12/1998 Angelo et al. .
`713,320
`5,850,559 A
`12/1998 Angelo et al.
` 713/320
`5,859,966 A
`1/1999 Hayman et al. ................. T26/23
`5,859,966 A
`1/1999 Hayman et al.
` 726/23
`5,864,683 A
`1/1999 Boebert et al. ................ TO9,249
`5,864,683 A
`1/1999 Boebert et al.
` 709/249
`5,881,151 A * 3/1999 Yamamoto .
`... 726/24
`5,881,151 A * 3/1999 Yamamoto
` 726/24
`5,884,033. A * 3/1999 Duvallet al. ..
`709/206
`5,884,033 A * 3/1999 Duvall et al.
` 709/206
`5,892,904 A
`4/1999 Atkinson et al.
`T26/22
`5,892,904 A
`4/1999 Atkinson et al.
` 726/22
`5,951,698 A
`9, 1999 Chen et al. .....
`... 714,38
`5,951,698 A
`9/1999 Chen et al.
` 714/38
`5,956.481 A
`9, 1999 Walsh et al.
`T26/23
`5,956,481 A
`9/1999 Walsh et al.
` 726/23
`5,963,742 A * 10/1999 Williams ...
`717/143
`5,963,742 A * 10/1999 Williams
` 717/143
`5,974,549 A 10, 1999 Golan .........
`T26/23
`5,974,549 A
`10/1999 Golan
` 726/23
`5,978.484 A 11/1999 Apperson et al. ............... 705/54
`5,978,484 A
`11/1999 Apperson et al.
` 705/54
`5,983,348 A * 1 1/1999 Ji .................................... T26.13
`5,983,348 A * 11/1999 Ji
` 726/13
`5,987,611 A * 1 1/1999 Freund ...
`... 726,4
`5,987,611 A * 11/1999 Freund
` 726/4
`6,088,801 A * 7/2000 Grecsek ...
`726, 1
`6,088,801 A *
`7/2000 Grecsek
` 726/1
`6,088,803 A * 7/2000 Tso et al. .
`T26/22
`6,088,803 A *
`7/2000 Tso et al.
` 726/22
`6,092,194 A
`7/2000 Touboul ......
`... 726/24
`6,092,194 A
`7/2000 Touboul
` 726/24
`6,154,844 A 11/2000 Toubouletal
`... 726/24
`6,154,844 A
`11/2000 Touboul et al.
` 726/24
`6,167,520 A 12/2000 Touboul ......
`T26/23
`6,167,520 A
`12/2000 Touboul
` 726/23
`6,339,829 B1
`1/2002 Beadle et al.
`T26, 15
`6,339,829 B1
`1/2002 Beadle et al.
` 726/15
`6.425,058 B1
`7/2002 Arimilli et al.
`711 (134
`6,425,058 B1
`7/2002 Arimilli et al.
` 711/134
`6,434,668 B1
`8, 2002 Arimilli et al.
`711,128
`6,434,668 B1
`8/2002 Arimilli et al.
` 711/128
`6,434,669 B1
`8, 2002 Arimillietal
`711,128
`6,434,669 B1
`8/2002 Arimilli et al.
` 711/128
`6,480,962 B1
`1 1/2002 Touboul .........
`T26/22
`6,480,962 B1
`11/2002 Touboul
` 726/22
`6,487,666 B1
`1 1/2002 Shanklin et al. ................ T26/23
`6,487,666 B1
`11/2002 Shanklin et al.
` 726/23
`6,519,679 B2
`2/2003 Devireddy et al. ........... 711 114
`6,519,679 B2
`2/2003 Devireddy et al.
`711/114
`6,598,033 B2 * 7/2003 Ross et al. ...
`... 706/46
`6,598,033 B2 *
`7/2003 Ross et al.
` 706/46
`6,732,179 B1
`5, 2004 Brown et al.
`709,229
`6,732,179 B1
`5/2004 Brown et al.
` 709/229
`6,804,780 B1
`10/2004 Touboul ......
`713, 181
`6,804,780 B1
`10/2004 Touboul
` 713/181
`6,917,953 B2
`7/2005 Simon et al.
`707,204
`6,917,953 B2
`7/2005 Simon et al.
` 707/204
`7,058,822 B2
`6/2006 Edery et al. .
`T26/22
`7,058,822 B2
`6/2006 Edery et al.
` 726/22
`7,143,444 B2 11/2006 Porras et al. ...
`T26/30
`7,143,444 B2
`11/2006 Porras et al.
` 726/30
`7.210,041 B1 * 4/2007 Gryaznov et al...
`713,188
`7,210,041 B1 *
`4/2007 Gryaznov et al.
` 713/188
`7,308.648 B1
`12/2007 Buchthal et al. .............. T15,234
`7,308,648 B1
`12/2007 Buchthal et al.
` 715/234
`7,343,604 B2
`3/2008 Grabarnik et al. ............ T19, 313
`7,343,604 B2
`3/2008 Grabarnik et al.
` 719/313
`7,418,731 B2
`8, 2008 Touboul .........
`T26/22
`7,418,731 B2
`8/2008 Touboul
` 726/22
`2002/0059157 A1* 5/2002 Spooner et al.
`TO6/45
`2002/0059157 Al *
`5/2002 Spooner et al.
` 706/45
`2002/0066024 A1* 5, 2002 Schmall et al. ....
`713,200
`2002/0066024 Al *
`5/2002 Schmall et al.
` 713/200
`2002/0073330 A1* 6/2002 Chandnani et al.
`713,200
`2002/0073330 Al *
`6/2002 Chandnani et al.
` 713/200
`2003, OO14662 A1
`1/2003 Gupta et al. ...
`T26/23
`2003/0014662 Al
`1/2003 Gupta et al.
` 726/23
`2003/0101358 A1
`5/2003 Porras et al. ...................... T26/4
`2003/0101358 Al
`5/2003 Porras et al.
` 726/4
`2004/0073811 A1* 4/2004 Sanin .............
`713,201
`2004/0073811 Al *
`4/2004 Sanin
` 713/201
`2004/0088425 A1
`5/2004 Rubinstein et al. ........... TO9/230
`2004/0088425 Al *
`5/2004 Rubinstein et al.
` 709/230
`2005/0050338 A1
`3/2005 Liang et al. ................... T13, 188
`2005/0050338 Al
`3/2005 Liang et al.
` 713/188
`2005/0172338 A1
`8, 2005 Sandu et al. ...
`T26/22
`2005/0172338 Al
`8/2005 Sandu et al.
` 726/22
`2006/0031207 A1
`2/2006 Bjarnestam et al. .............. 707/3
`2006/0031207 Al
`2/2006 Bjarnestam et al.
` 707/3
`2006,004.8224 A1
`3/2006 Duncan et al. .....
`726/22
`2006/0048224 Al
`3/2006 Duncan et al.
` 726/22
`2008/0066160 A1
`3/2008 Becker et al. ..................... T26/4
`2008/0066160 Al
`3/2008 Becker et al.
` 726/4
`2010/0195909 A1* 8, 2010 Wasson et al. ................ 382, 176
`2010/0195909 Al *
`8/2010 Wasson et al.
` 382/176
`
`
`
`EP
`EP
`
`FOREIGN PATENT DOCUMENTS
`FOREIGN PATENT DOCUMENTS
`1132796
`9, 2001
`1132796
`9/2001
`
`OTHER PUBLICATIONS
`OTHER PUBLICATIONS
`International Search Report for Application No. PCT/IL05/00915, 4
`International Search Report for Application No. PCT/IL05/00915, 4
`pp., dated Mar. 3, 2006.
`pp., dated Mar. 3, 2006.
`Zhong, et al., “Security in the Large: is Java's Sandbox Scalable?”
`Zhong, et al., "Security in the Large: is Java's Sandbox Scalable?,"
`
`Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6,
`Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6,
`Oct. 1998.
`Oct. 1998.
`Rubin, et al., “Mobile Code Security.” IEEE Internet, pp. 30-34. Dec.
`Rubin, et al., "Mobile Code Security,"IEEE Internet, pp. 30-34, Dec.
`1998.
`1998.
`Schmid, et al. "Protecting Data From Malicious Software.” Proceed
`Schmid, et al. "Protecting Data From Malicious Software," Proceed-
`ing of the 18" Annual Computer Security Applications Conference,
`ing of the 18th Annual Computer Security Applications Conference,
`pp. 1-10, 2002.
`pp. 1-10, 2002.
`Corradi, et al., “A Flexible Access Control Service for Java Mobile
`Corradi, et al., "A Flexible Access Control Service for Java Mobile
`Code.” IEEE, pp. 356-365, 2000.
`Code," IEEE, pp. 356-365, 2000.
`International Search Report for Application No. PCT/IB97/01626, 3
`International Search Report for Application No. PCT/IB97/01626, 3
`pp., May 14, 1998 (mailing date).
`pp., May 14, 1998 (mailing date).
`Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated
`Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated
`Mar. 3, 2006 (mailing date).
`Mar. 3, 2006 (mailing date).
`International Search Report for Application No. PCT/IB01/01138, 4
`International Search Report for Application No. PCT/IB01/01138, 4
`pp., Sep. 20, 2002 (mailing date).
`pp., Sep. 20, 2002 (mailing date).
`International Preliminary Examination Report for Application No.
`International Preliminary Examination Report for Application No.
`PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
`PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
`Gerzic, Amer, “Write Your Own Regular Expression Parser.” Nov.
`Gerzic, Amer, "Write Your Own Regular Expression Parser," Nov.
`17, 2003, 18 pp., Retrieved from the Internet: http://www.codeguru.
`17, 2003, 18 pp., Retrieved from the Internet: http://www.codeguru.
`com/Cpp/Cpp/cpp mfc/parsing/article.php/c4093/.
`com/Cpp/Cpp/cppmfc/parsing/article.php/c4093/.
`Power, James, “Lexical Analysis,” 4 pp., May 14, 2006, Retrieved
`Power, James, "Lexical Analysis," 4 pp., May 14, 2006, Retrieved
`from the Internet: http://www.cs.imay.ief-power Courses/compil
`from the Internet: http://www.cs.maysie/Hpower/Courses/compil-
`erS/notes/lexical.pdf.
`ers/notes/lexical.pdf.
`Sitaker, Kragen, “Rapid Genetic Evolution of Regular Expressions'
`Sitaker, Kragen, "Rapid Genetic Evolution of Regular Expressions"
`online). The Mial Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004),
`[online], The Mial Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004),
`5 pp., Retrieved from the Internet: http://www.mail-archive.com/
`5 pp., Retrieved from the Internet: http://www.mail-archive.com/
`kragen-tol(acanonical.org/msg00097.html.
`kragen-tol@canonical.org/msg00097.html.
`“Lexical Analysis: DFA Minimization & Wrap Up' online). Fall,
`"Lexical Analysis: DFA Minimization & Wrap Up" [online], Fall,
`2004 retrieved on Mar. 2, 2005, 8 pp., Retrieved from the Internet:
`2004 [retrieved on Mar. 2, 2005], 8 pp., Retrieved from the Internet:
`http://www.owlnet.rice.edu/~comp412/Lectures/L06Lex Wrapup4.
`http://www.owlnet.ricesedu/—comp412/Lectures/L06LexWrapup4.
`pdf.
`pdf.
`“Minimization of DFA' online), retrieved on Dec. 7, 2004), 7 pp.
`"Minimization of DFA" [online], [retrieved on Dec. 7, 2004], 7 pp.,
`Retrieved from the Internet: http://www.cs.odu.edu/~toidanerzic?
`Retrieved from the Internet: http://www.cs.odusedu/—toida/nerzic/
`390teched/regular/famin-fa.html.
`390teched/regular/fa/min-fa.html.
`“Algorithm: NFS -> DFA' online), Copyright 1999-2001 retrieved
`"Algorithm: NFS -> DFA" [online], Copyright 1999-2001 [retrieved
`on Dec. 7, 2004), 4 pp., Retrieved from the Internet: http://rwa.cs.
`on Dec. 7, 2004], 4 pp., Retrieved from the Internet: http://rw4.cs.
`uni-sb.de/-ganimal/GANIFA/page16 e.htm.
`uni-sb.de/—ganimal/GANIFA/pagel6 e.htm.
`“CS 3813: Introduction to Formal Languages and Automata—State
`"CS 3813: Introduction to Formal Languages and Automata State
`Minimization and Other Algorithms for Finite Automata.”3 pp., May
`Minimization and Other Algorithms for Finite Automata," 3 pp., May
`11, 2003, Retrieved from the Internet: http://www.cs.imsstate.edu/~
`11, 2003, Retrieved from the Internet: http://www.cs.msstatesedu/—
`hansen/classes/3813 fall 01/slides/06Minimize.pdf.
`hansen/classes/3813fal101/slides/06Minimize.pdf.
`Watson, Bruce W. “Constructing Minimal Acyclic Deterministic
`Watson, Bruce W., "Constructing Minimal Acyclic Deterministic
`Finite Automata.” retrieved on Mar. 20, 2005), 38 pp., Retrieved
`Finite Automata," [retrieved on Mar. 20, 2005], 38 pp., Retrieved
`from the Internet: http://www.win.tue.nl/~watson/2R870/down
`from the Internet: http://www.win.tue.n1/—watson/2R870/down-
`loads/madfa algs.pdf.
`loads/madfaalgs.pdf.
`Chang, Chia-Hsiang, “From Regular Expressions to DFA's Using
`Chang, Chia-Hsiang, "From Regular Expressions to DFA's Using
`Compressed NFA's.” Oct. 1992, 243 pp. http://www.cs.nyu.edu/
`Compressed NFA's," Oct. 1992, 243 pp., http://www.cs.nyu.edu/
`web/Research. Theses/chang chia-hsiang.pdf.
`web/Research/Theses/chang chia-hsiang.pdf.
`“Products.” Articles published on the Internet, “Revolutionary Secu
`"Products," Articles published on the Internet, "Revolutionary Secu-
`rity for a New Computing Paradigm' regarding SurfinGateTM, 7 pp.
`rity for a New Computing Paradigm" regarding SurfinGateTM 7 pp.
`“Release Notes for the Microsoft ActiveX Development Kit,” Aug.
`"Release Notes for the Microsoft ActiveX Development Kit," Aug.
`13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
`13, 1996, activex.adsp.orjp/inetsdk/readme.bct, pp. 1-10.
`Doyle, et al., “Microsoft Press Computer Dictionary.” Microsoft
`Doyle, et al., "Microsoft Press Computer Dictionary," Microsoft
`Press, 2d Edition, pp. 137-138, 1993.
`Press, 2d Edition, pp. 137-138, 1993.
`Finjan Software Ltd., “Powerful PC Security for the New World of
`Finjan Software Ltd., "Powerful PC Security for the New World of
`JavaTM and Downloadables, Surfin ShieldTM.” Article published on
`JavaTM and Downloadables, Surfin ShieldTm," Article published on
`the Internet by Finjan Software Ltd., 2 pp. 1996.
`the Internet by Finjan Software Ltd., 2 pp. 1996.
`Finjan Sofrtware Ltd., “Finjan Announces a Personal JavaTM Firewall
`Finj an Sofrtware Ltd., "Finjan Announces a Personal JavaTM Firewall
`for Web Browsers the SurfinShieldTM 1.6 (formerly known s
`for Web Browsers—the SurfinShieldTM 1.6 (formerly known s
`SurfinBoard).” Press Release of Finjan Releases SurfinShield 1.6, 2
`SurfinBoard)," Press Release of Finjan Releases SurfinShield 1.6, 2
`pp., Oct. 21, 1996.
`pp., Oct. 21, 1996.
`Finjan Software Ltd., “Finjan Announces Major Power Boost and
`Finjan Software Ltd., "Finjan Announces Major Power Boost and
`New Features for SurfinShieldTM 2.0.” Las Vegas Convention Center?
`New Features for SurfinShieldTM 2.0," Las Vegas Convention Center/
`Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Indus
`Finj an Software Ltd., "Finjan Software Releases SurfinBoard, Indus-
`try's First JAVA Security Product for the World WideWeb.” Article
`try's First JAVA Security Product for the World Wide Web," Article
`published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
`published on the Internet by Finj an Software Ltd., 1 p., Jul. 29, 1996.
`Finjan Software Ltd., “Java Security: Issues & Solutions.” Article
`Finjan Software Ltd., "Java Security: Issues & Solutions," Article
`published on the Internet by Finjan Software Ltd., 8 pp. 1996.
`published on the Internet by Finjan Software Ltd., 8 pp. 1996.
`Finjan Software Ltd., Company Profile, “Finjan Safe Surfing. The
`Finjan Software Ltd., Company Profile, "Finjan—Safe Surfing, The
`Java Security Solutions Provider.” Article published on the Internet
`Java Security Solutions Provider," Article published on the Internet
`by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`
`

`

`US 7,975,305 B2
`US 7,975,305 B2
`Page 3
`Page 3
`
`“IBM AntiVirus User's Guide, Version 2.4.”. International Business
`"IBM AntiVirus User's Guide, Version 2.4,", International Business
`Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Khare, R., “Microsoft Authenticode Analyzed” online, Jul. 22.
`Khare, R., "Microsoft Authenticode Analyzed" [online], Jul. 22,
`1996 retrieved on Jun. 25, 2003), 2 pp., Retrieved from the Internet:
`1996 [retrieved on Jun. 25, 2003], 2 pp., Retrieved from the Internet:
`http://www.xent.com/FoRK-archive/Smmer96/0338.html.
`http://www.xent.com/FoRK-archive/smmer96/0338.html.
`LaDue, M. Online Business Consultant: Java Security: Whose Busi
`LaDue, M., Online Business Consultant: Java Security: Whose Busi-
`ness is It?. Article published on the Internet, Home Page Press, Inc.,
`ness is It?, Article published on the Internet, Home Page Press, Inc.,
`4 pp., 1996.
`4 pp., 1996.
`Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certification.” PC
`Leach, Norvin, et al., "IE 3.0 Applets Will Earn Certification," PC
`Week, vol. 13, No. 29, 2 pp., Jul 22, 1996.
`Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
`Moritz, R., “Why We Shouldn't Fear Java.” Java Report, pp. 51-56,
`Moritz, R., "Why We Shouldn't Fear Java," Java Report, pp. 51-56,
`Feb. 1997.
`Feb. 1997.
`Microsoft, “Microsoft ActiveX Software Development Kit' online).
`Microsoft, "Microsoft ActiveX Software Development Kit" [online],
`Aug. 12, 1996 retrieved on Jun. 25, 2003), pp. 1-6. Retrieved from
`Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6, Retrieved from
`the Internet: activeX.adsp.or.jp/inetsdk/help? overview.htm.
`the Internet: activex.adsp.orsjp/inetsdk/help/overview.htm.
`Microsoft(R) Authenticode Technology, "Ensuring Accountability
`Microsoft® Authenticode Technology, "Ensuring Accountability
`and Authenticity for Software Components on the Internet.”
`and Authenticity for Software Components on the Internet,"
`Microsoft Corporation, Oct. 1996, including Abstract, Contents,
`Microsoft Corporation, Oct. 1996, including Abstract, Contents,
`Introduction, and pp. 1-10.
`Introduction, and pp. 1-10.
`
`Microsoft Corporation, Web Page Article “Frequently Asked Ques
`Microsoft Corporation, Web Page Article "Frequently Asked Ques-
`tions About Authenticode.” last updated Feb. 17, 1997, printed Dec.
`tions About Authenticode," last updated Feb. 17, 1997, printed Dec.
`23, 1998, URL: http://www.microsoft.com/workshop? security/
`23, 1998, URL: http://www.microsoft.com/workshop/security/
`authcode? signifacq.asp#9, pp. 1-13.
`authcode/signfaq.asp#9, pp. 1-13.
`Okamoto, E., et al., “ID-Based Authentication System for Computer
`Okamoto, E., et al., "ID-Based Authentication System for Computer
`Virus Detection.” IEEE/IEEElectronic Library online, Electronics
`Virus Detection," IEEE/IEE Electronic Library online, Electronics
`Letters, vol. 26, Issue 15, ISSN 0013-5 194, Jul. 19, 1990, Abstract
`Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract
`and pp. 1169-1170, URL: http://ielihs.com:80/cgi-biniel cgi?se.
`and pp. 1169-1170, URL: http://iel.ihs.com:80/cgi-bin/iel cgi?se...
`2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
`2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
`Omura, J. K., “Novel Applications of Cryptography in Digital Com
`Omura, J. K., "Novel Applications of Cryptography in Digital Com-
`munications.” IEEE Communications Magazine, pp. 21-29, May
`munications," IEEE Communications Magazine, pp. 21-29, May
`1990.
`1990.
`Schmitt, D.A., “.EXE files, OS-2 style.” PC Tech Journal, vol. 6, No.
`Schmitt, D.A., ".EXE files, OS-2 style," PC Tech Journal, vol. 6, No.
`11, p. 76(13), Nov. 1988.
`11, p. 76(13), Nov. 1988.
`Zhang, X. N. “Secure Code Distribution.” IEEE/IEE Electronic
`Zhang, X. N., "Secure Code Distribution," IEEE/IEE Electronic
`Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
`Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
`Power, James, “Notes on Formal Language Theory and Parsing.”
`Power, James, "Notes on Formal Language Theory and Parsing,"
`National University of Ireland, pp. 1-40, 1999.
`National University of Ireland, pp. 1-40, 1999.
`* cited by examiner
`* cited by examiner
`
`

`

`lualud *S11
`U.S. Patent
`
`Jul. 5, 2011
`
`II JO I lamIS
`Sheet 1 of 14
`
`US 7,975,305 B2
`Zil SO£`SL6`L, Sfl
`
`NETWORK GATEWAY
`
`r
`
`150
`
`r-110
`
`
`
`
`INTERNET
`
`ill
`
`PRE-SCANNER
`
`130
`
`CONTENT SCANNER
`
`CONTENT CACHE
`
`140
`
`t
`
`:
`8
`
`CORPORATE INTRANET
`
`120
`
`120
`
`CLIENT
`
`CLIENT
`
`CLIENT
`
`120
`
`CLIENT
`
`CLIENT
`
`120
`
`120
`
`FIG. 1
`
`

`

`U.S. Patent
`lualud 'ST1
`
`Jul. 5, 2011
`
`ti JO Z WIN
`Sheet 2 of 14
`
`Zll SOE'SL6`1, Sfl US 7,975,305 B2
`
`M
`
`B
`
`I
`
`Z
`
`A
`
`T
`
`Y
`
`200
`
`
`
`
`TOKENIZER
`
`220
`
`PARSER
`
`012
`
`24O
`
`NORMALIZER
`
`S
`
`BYTE SOUR
`
`
`
`DECODER
`
`PARSE TREE
`
`ANALYZER
`
`N
`
`y
`
`
`
`ANALYZER RULES
`
`PARSER RULED
`
`SEITñ8
`MESMYJ
`
`270
`
`SUB-SCANNER
`
`PATTERN MATCHING ENGINE
`
`FIG. 2
`
`

`

`U.S. Patent
`1ualud *S11
`
`Jul. 5, 2011
`
`Sheet 3 of 14
`ri Jo £ WIN
`
`Zit SOC`SL6`L SII US 7,975,305 B2
`
`
`
`
`["a], ["punctuation]
`
`1
`
`a
`
`tI
`
`["punctuation] 2
`
`3
`
`punctuation
`
`4 punctuation
`
`14621.
`ki)04,60_.
`gcley
`
`5
`
`b
`
`9
`
`punctuation
`
`FIG. 3
`
`

`

`U.S. Patent
`U.S. Patent
`
`Jul. 5, 2011
`Jul. 5, 2011
`
`Sheet 4 of 14
`Sheet 4 of 14
`
`US 7,975,305 B2
`US 7,975,305 B2
`
`
`
`FIG. 4A-1
`
`1001
`
`39
`epsilon
`epsilon
`3
`
`epsilon
`
`5
`epsilon
`6
`epsilon
`
`epsilon
`
`4
`epsilon
`17
`epsilon
`19
`epsilon
`
`epsilon
`26
`
`1004
`
`20
`epsilon
`
`epsilon
`
`1003
`
`1002
`
`0
`0
`0 epsilon
`
`24
`epsilon
`
`epsilon
`
`28
`
`epsilon
`
`epsilon
`
`

`

`U.S. Patent
`U.S. Patent
`
`Jul. 5, 2011
`Jul. 5, 2011
`
`Sheet 5 of 14
`Sheet 5 of 14
`
`US 7,975,305 B2
`US 7,975,305 B2
`
`FIG. 4A-2
`FIG. 4A -2
`
`
`
`_ - i
`
`_ -
`
`29
`epsilon
`
`30
`epsilon
`
`epsilon
`
`epsilon
`
`36
`
`1004
`
`epsilon
`epsilon
`
`epsilon
`
`1003
`
`1002
`
`0
`0
`0 epsilon
`
`34
`epsilon
`
`epsilon
`
`epsilon
`epsilon
`
`38
`
`epsilon
`
`o
`
`epsilon
`epsilon
`
`40
`
`

`

`U.S. Patent
`U.S. Patent
`
`Jul. 5, 2011
`Jul. 5, 2011
`
`Sheet 6 of 14
`Sheet 6 of 14
`
`US 7,975,305 B2
`US 7,975,305 B2
`
`
`
`1
`
`001
`
`1004
`
`1003
`
`2
`
`001
`
`1002
`
`1004
`
`003
`
`002
`
`5: (2)
`
`4: ( 2)
`
`3: ( 2)
`
`002
`
`1002
`
`03
`
`7: (2)
`
`1002 1003
`
`1003
`
`1004
`
`1004
`
`1002
`
`003
`
`1004
`
`1002
`
`8: (2)
`
`003
`
`1003
`
`1004
`
`9: (2)
`
`1004
`
`FIG. 4B
`
`

`

`U.S. Patent
`U.S. Patent
`
`Jul. 5, 2011
`Jul. 5, 2011
`
`Sheet 7 of 14
`Sheet 7 of 14
`
`US 7,975,305 B2
`US 7,975,305 B2
`
`
`
`IDENT
`
`Val==`foo"
`
`matchr):Rule 1
`
`EQUALS
`
`NUMBER
`NUMBER
`
`4
`
`6
`
`7
`
`FIG. 5
`
`

`

`U.S. Patent
`U.S. Patent
`
`Jul. 5, 2011
`Jul. 5, 2011
`
`Sheet 8 of 14
`Sheet 8 of 14
`
`US 7,975,305 B2
`US 7,975,305 B2
`
`CALL TOKENIZER TO RETRIEVE NEXT
`CATOKENIZERTO RETRIEVE NEXT
`TOKEN
`TOKEN
`
`AOD TOKEN TO PARSE TREE
`ADD TOKEN TO PARSE TREE
`
`620
`
`NO
`
`IS THERE A PATTERN
`STHERE A PATTERN
`MATCH WITH A
`MATCH WITHA
`PARSERRULEP
`PARSER RULE?
`
`YES
`
`YES
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`600
`600
`
`610
`810
`
`640
`
`660
`
`
`
`DOES THE RULE
`DOES THE RULE
`HAVEANONODE
`HAVE A NONODE
`ATTRIBUTE?
`AT TREUTE
`fNO
`PERFORM ACTION ASSOCIATED WITH
`PERFORMACTIONASSOCATED WITH
`MATCHED PARSERRULE:
`MATCHED PARSER RULE:
`CREATE ANEW NODE, CALLED RULE
`CREATE A NEW NODE, CALLED [RULE-
`NAME] AND PLACE THE MATCHING
`NAME AND PLACE THE MATCHING
`NODES UNDER THE NEW NODE
`NODES UNDER THE NEW NODE
`650
`
`
`
`
`
`DOES THE RULE
`DOES THE RULE
`HAVE A NOANALYZE
`HAVE A NOANALYZE
`ATTRIBUTE?
`ATRIBUTEP
`
`YES
`
`CALL ANALYZER TO DETERMINE IF A
`CAANALYZERO DETERMINE FA
`POTENTIAL EXPLOIT IS PRESENT
`POENA EXPLOIT IS PRESEN
`
`670
`
`NO
`
`DOES ANALYZER FIND
`DOES ANALY2ER FIND
`AN ANALYZER RULE
`AN ANALYZERRULE
`MATCH?
`MATCH
`
`YES
`PERFORM ACTION ASSOCIATED WITH
`PERFORMACTIONASSOCATED WITH
`MATCHED ANALYZER RULE:
`MATCHED ANALYZERRULE:
`RECORD ANALYZER RULE AT CURRENT
`RECORDANALYZERRULE AT CURRENT
`NODE, ASLEVELO
`
`NODE, AS LEVEL 0 r
`
`PROPAGATE ANALYZER RULE UPWARD
`PROPAGATE ANALYZERRULE UPWARO
`THROUGH NODE PARENTS, AS
`THROUGH NODE PARENTS, AS
`SUCCESSMELY INCREASINGE