`US007975305B2
`
`(12) United States Patent
`Rubin et al.
`
`(10) Patent No.: US 7,975,305 B2
`(45) Date of Patent: Jul. 5, 2011
`
`(54) METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR
`DESKTOP COMPUTERS
`
`(75) Inventors: Moshe Rubin, Jerusalem (IL); Moshe Matitya, Jerusalem (IL);
`Artem Melnick, Beit Shemesh (IL); Shlomo Touboul, Kefar-Haim (IL);
`Alexander Yermakov, Beit Shemesh (IL); Amit Shaked, Tel Aviv (IL)
`
`(73) Assignee: Finjan, Inc., San Jose, CA (US)
`
`(*) Notice: Subject to any disclaimer, the term of this patent is extended
`or adjusted under 35 U.S.C. 154(b) by 1016 days.
`
`(21) Appl. No.: 11/009,437
`
`(22) Filed: Dec. 9, 2004
`
`(65) Prior Publication Data
`US 2005/0240999 A1, Oct. 27, 2005
`
`Related U.S. Application Data
`(63) Continuation-in-part of application No. 10/930,884, filed on
`Aug. 30, 2004, which is a continuation-in-part of application
`No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is
`a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now
`Pat. No. 6,092,194.
`
`(51) Int. Cl.
`G06F 11/00 (2006.01)
`G06F 21/00 (2006.01)
`(52) U.S. Cl.: 726/25; 726/22; 713/153
`(58) Field of Classification Search: None
`See application file for complete search history.
`
`Primary Examiner — Emmanuel L. Moise
`Assistant Examiner — Jeffery Williams
`(74) Attorney, Agent, or Firm — Dawn-Marie Bey; King & Spalding LLP
`
`(57) ABSTRACT
`A security system for scanning content within a computer, including a
`network interface, housed within a computer, for receiving content from
`the Internet on its destination to an Internet application running on the
`computer, a database of rules corresponding to computer exploits, stored
`within the computer, a rule-based content scanner that communicates with
`said database of rules, for scanning content to recognize the presence of
`potential exploits therewithin, a network traffic probe, operatively
`coupled to the network interface and to the rule-based content scanner,
`for selectively diverting content from its intended destination to the
`rule-based content scanner, and a rule update manager that communicates
`with said database of rules, for updating said database of rules
`periodically to incorporate new rules that are made available. A method
`and a computer readable storage medium are also described and claimed.
`
`25 Claims, 14 Drawing Sheets
`
`
`
`[Front-page drawing. Labels: INTERNET, NETWORK GATEWAY, PRE-SCANNER,
`CONTENT SCANNER, CONTENT CACHE, CORPORATE INTRANET, CLIENT]
`
`WIZ, Inc. EXHIBIT - 1042
`WIZ, Inc. v. Orca Security LTD.
`
`
`
`
`
`
`[FIG. 1 (Sheet 1 of 14). Labels: INTERNET, NETWORK GATEWAY, PRE-SCANNER,
`CONTENT SCANNER, CONTENT CACHE, CORPORATE INTRANET, CLIENT]
`
`
`
`[FIG. 2 (Sheet 2 of 14). Labels: BYTE SOURCE, DECODER, TOKENIZER,
`NORMALIZER, PARSER, PARSER RULES, PARSE TREE, ANALYZER, ANALYZER RULES,
`SUB-SCANNER, PATTERN MATCHING ENGINE]
`
`
`
`[FIG. 3 (Sheet 3 of 14). Recoverable transition labels: a, b, punctuation]
`
`
`
`[FIG. 4A-1 (Sheet 4 of 14). Recoverable labels: epsilon, 1001, 1002, 1003,
`1004]
`
`
`
`[FIG. 4A-2 (Sheet 5 of 14). Recoverable labels: epsilon, 1002, 1003, 1004]
`
`
`
`[FIG. 4B (Sheet 6 of 14). Recoverable labels: 1001, 1002, 1003, 1004]
`
`
`
`[FIG. 5 (Sheet 7 of 14). Recoverable labels: IDENT, EQUALS, NUMBER]
`
`
`
`[FIG. 6 (Sheet 8 of 14). Flowchart boxes, in order:
`- CALL TOKENIZER TO RETRIEVE NEXT TOKEN
`- ADD TOKEN TO PARSE TREE
`- IS THERE A PATTERN MATCH WITH A PARSER RULE? (YES / NO)
`- DOES THE RULE HAVE A NONODE ATTRIBUTE? (YES / NO)
`- PERFORM ACTION ASSOCIATED WITH MATCHED PARSER RULE: CREATE A NEW NODE,
`  CALLED [RULE-NAME] AND PLACE THE MATCHING NODES UNDER THE NEW NODE
`- DOES THE RULE HAVE A NOANALYZE ATTRIBUTE? (YES / NO)
`- CALL ANALYZER TO DETERMINE IF A POTENTIAL EXPLOIT IS PRESENT
`- DOES ANALYZER FIND AN ANALYZER RULE MATCH? (YES / NO)
`- PERFORM ACTION ASSOCIATED WITH MATCHED ANALYZER RULE: RECORD ANALYZER
`  RULE AT CURRENT NODE, AS LEVEL 0
`- PROPAGATE ANALYZER RULE UPWARD THROUGH NODE PARENTS, AS SUCCESSIVELY
`  INCREASING LEVEL]
`
`
`
`[FIG. 7 (Sheet 9 of 14). Labels: RULE FILES, RULE-TO-XML CONVERTER, XML
`DOCUMENTS, BUILDER, ARB SCANNER FACTORY, SCANNER REPOSITORY, SERIALIZED
`RULE DATA, MAIN, THREAD OBJECT, Instance(), HTML, JS, URI]
`
`
`
`[FIG. 8 (Sheet 10 of 14). Labels: BUILDER, ARB SCANNER FACTORY, SCANNER
`REPOSITORY; ARB SCANNER HTML, ARB SCANNER JAVASCRIPT and ARB SCANNER URI,
`each with TOKENIZER, PARSER and ANALYZER]
`
`
`
`[FIG. 9 (Sheet 11 of 14). Labels: INTERNET TRAFFIC TO DESKTOP OVER TCP/IP
`(HTTP, HTTPS, FTP, SMTP, POP3, etc.), NETWORK INTERFACE, NETWORK TRAFFIC
`PROBE, ARB SCANNER, EXPLOIT RULES DATABASE, RULES UPDATE MANAGER, RULES
`UPDATE TO DESKTOP, CONTENT BLOCKER, MATCH FOUND, MATCH NOT FOUND, TO
`BROWSER, MAIL CLIENT AND OTHER INTERNET APPLICATIONS]
`
`
`
`[FIG. 10 (Sheet 12 of 14). Recoverable labels: INTERNET TRAFFIC TO DESKTOP
`OVER TCP/IP (HTTP, HTTPS, FTP, SMTP, POP3, etc.), RULES UPDATE TO DESKTOP,
`RULES UPDATE SERVER, RULES COMPILER]
`
`
`
`[FIG. 11 (Sheet 13 of 14). Labels: ARB SCANNER, LOCAL SECURITY PROFILE
`CACHE, CENTRAL SECURITY PROFILE CACHE]
`
`
`
`[FIG. 12 (Sheet 14 of 14). Labels: INCOMING CONTENT, ARB SCANNER, SECURITY
`PROFILE, LOCAL SECURITY PROFILE CACHE, SANDBOX SCANNER, MODIFIED SECURITY
`PROFILE]
`
`METHOD AND SY