`#: 4713
`
` EXHIBIT A
`
`
`
`Case 1:23-cv-00758-JLH-SRF Document 201-1 Filed 11/22/24 Page 2 of 223 PageID
`#: 4714
`
`
`
`
` EXHIBIT B
`
`
`
`
` EXHIBIT C
`
`
`
`
` EXHIBIT D
`
`
`
`
` EXHIBIT E
`
`
`
`
` EXHIBIT F
`
`
`
`
US011431735B2

(12) United States Patent
Shua

(10) Patent No.: US 11,431,735 B2
(45) Date of Patent: *Aug. 30, 2022

(58) Field of Classification Search
None
See application file for complete search history.
`
(54) TECHNIQUES FOR SECURING VIRTUAL MACHINES
(71) Applicant: Orca Security LTD., Tel Aviv (IL)
(72) Inventor: Avi Shua, Tel Aviv (IL)
(73) Assignee: Orca Security LTD., Tel Aviv (IL)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 381 days.
This patent is subject to a terminal disclaimer.
(21) Appl. No.: 16/585,967
(22) Filed: Sep. 27, 2019
(65) Prior Publication Data
US 2020/0244678 A1, Jul. 30, 2020
Related U.S. Application Data
(60) Provisional application No. 62/797,718, filed on Jan. 28, 2019.
(51) Int. Cl.
G06F 9/455 (2018.01)
H04L 9/40 (2022.01)
G06F 16/11 (2019.01)
G06F 11/14 (2006.01)
(52) U.S. Cl.
CPC: H04L 63/1416 (2013.01); G06F 9/45558 (2013.01); G06F 11/1464 (2013.01); G06F 16/128 (2019.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/45583 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2201/84 (2013.01)
`
Primary Examiner - Joseph P Hirl
Assistant Examiner - Hassan Saadoun
(74) Attorney, Agent, or Firm - Finnegan, Henderson, Farabow, Garrett & Dunner LLP
`
`
(57) ABSTRACT
A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

19 Claims, 4 Drawing Sheets
`
[Front-page drawing: flowchart 200. Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End.]
`
`Exhibit F, Page 1
`
`
`
`
`
`
U.S. Patent, Aug. 30, 2022, Sheets 1 to 4 of 4, US 11,431,735 B2

[FIG. 1A (Sheet 1 of 4): network diagram 100 showing User Console 180, Network 120, External systems 170, Management Console 150 and Cloud Computing Platform 110.]

[FIG. 1B (Sheet 2 of 4): cloud computing platform 110 showing Security System 140, VM 119 and the elements labeled 115, 117, 118-1 and 130.]

[FIG. 2 (Sheet 3 of 4): flowchart 200. Start; S210 Receive a request to scan a VM for vulnerabilities; S220 Determine a location of the virtual disk of the VM and its snapshot; S230 Access a snapshot of virtual disk; S240 Analyze the snapshot; S250 Report detected threats; S260 Trigger a mitigation action; End.]

[FIG. 3 (Sheet 4 of 4): block diagram of the security system 140 showing Processing Circuitry 310, Memory 320, Storage 330, Network Interface 340 and the element labeled 360.]
`
`
`
TECHNIQUES FOR SECURING VIRTUAL MACHINES

This application claims the benefit of U.S. Provisional Application No. 62/797,718 filed on Jan. 28, 2019, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.

BACKGROUND

Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of "computers" or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and therefore a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

Modern virtualization technologies are also adapted by cloud computing platforms. Examples of such technologies include virtual machines, software containers, and serverless functions. With their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.

Protection of a cloud computing infrastructure, and particularly of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.

Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent it. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.

Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow detection of vulnerabilities in software executed by the server.

To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resources management, governance, and performance. For example, installing agents in a large data center may take months.

It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on determined priority.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Certain embodiments disclosed herein also include a system for securing virtual cloud assets in a cloud computing environment against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; access the snapshot of the virtual disk based on the determined location; analyze the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alert detected potential cyber threats based on a determined priority.
BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.

FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities in virtual machines executed in a cloud computing platform according to some embodiments.

FIG. 3 is an example block diagram of the security system according to an embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments are operable in on-premises virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.

The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting at least one virtual machine (VM) 119. The VM 119 is a protected VM, which may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like.

The storage 117 emulates virtual discs for the VMs executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optic fiber allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In this example illustrated in FIG. 1B, virtual disk 118-1 is allocated for the VM 119. The server 115, and hence the VM 119, may be executed in a client environment 130 within the platform 110.

The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or on-premises virtualization environment, such as a VMware-based solution.

Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.

In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.

In the deployment, illustrated in FIG. 1, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.

In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may detect certain known vulnerabilities identified in, for example, a CVE database.

According to the disclosed embodiments, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of the VM 119. The detection is performed while the VM 119 is live, without using any agent installed in the server 115 or the VM 119, and without relying on cooperation from the VM 119 guest OS. Specifically, the security system 140 can scan and detect vulnerable software, non-secure configuration, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber insurance by accessing the security posture.

In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disk 118-1 serving the VM 119 and a location of the snapshot. A VM's snapshot is a copy of the machine's virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure error occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created at multiple possible point-in-time restore points. When a VM reverts to a snapshot, current disk and memory states are deleted and the snapshot becomes the new parent snapshot for that VM.
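The following is an added illustration, not code from the patent or from Orca Security: one way the "analyze the snapshot" and priority-based alerting steps could look once a snapshot's filesystem is available as a read-only directory tree, with no agent or guest cooperation. The directory layout (a Debian-style guest), the advisory feed with its placeholder ids, the priority labels and the simplified version comparison are all assumptions.

```python
import os
import re
import tempfile

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed advisory feed standing in for an external intelligence system.
# The ids are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_in": "1.0.10", "priority": "critical"},
    {"id": "EXAMPLE-0002", "package": "nginx", "fixed_in": "1.18.0", "priority": "high"},
    {"id": "EXAMPLE-0003", "package": "oldtool", "fixed_in": "1.0.0", "priority": "medium"},
    {"id": "EXAMPLE-0004", "package": "nginx", "fixed_in": "1.20.0", "priority": "low"},
]


def version_key(version):
    """Simplified ordering on numeric fields only (assumption: no epochs or '~')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def installed_packages(root):
    """Read the dpkg status database stored inside the snapshot, offline."""
    path = os.path.join(root, "var/lib/dpkg/status")
    packages = {}
    if not os.path.isfile(path):
        return packages
    with open(path, encoding="utf-8", errors="replace") as handle:
        for stanza in handle.read().split("\n\n"):
            fields = dict(
                line.split(": ", 1)
                for line in stanza.splitlines()
                if ": " in line and not line.startswith(" ")
            )
            # Removed packages leave stanzas behind; count only installed ones.
            if fields.get("Status") == "install ok installed" and "Version" in fields:
                packages[fields.get("Package", "")] = fields["Version"]
    return packages


def sshd_findings(root):
    """Flag a non-secure configuration by reading sshd_config from the snapshot."""
    path = os.path.join(root, "etc/ssh/sshd_config")
    settings = {}
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as handle:
            for line in handle:
                parts = line.strip().split(None, 1)
                if len(parts) == 2 and not parts[0].startswith("#"):
                    # sshd uses the first value it sees for each keyword.
                    settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    if settings.get("permitrootlogin") == "yes":
        return [{"id": "CONFIG-SSH-ROOT-LOGIN", "priority": "high",
                 "detail": "sshd_config permits root login"}]
    return []


def analyze_snapshot(root, advisories):
    """Return findings for one snapshot tree, most urgent first."""
    findings = sshd_findings(root)
    packages = installed_packages(root)
    for adv in advisories:
        have = packages.get(adv["package"])
        if have is not None and version_key(have) < version_key(adv["fixed_in"]):
            findings.append({"id": adv["id"], "priority": adv["priority"],
                             "detail": f"{adv['package']} {have} is older than {adv['fixed_in']}"})
    return sorted(findings, key=lambda f: PRIORITY_RANK[f["priority"]])


def build_sample_snapshot(root):
    """Write a constructed file tree standing in for a mounted snapshot."""
    os.makedirs(os.path.join(root, "var/lib/dpkg"))
    os.makedirs(os.path.join(root, "etc/ssh"))
    with open(os.path.join(root, "var/lib/dpkg/status"), "w", encoding="utf-8") as handle:
        handle.write(
            "Package: openssl\nStatus: install ok installed\nVersion: 1.0.2\n\n"
            "Package: nginx\nStatus: install ok installed\nVersion: 1.18.0\n\n"
            "Package: oldtool\nStatus: deinstall ok config-files\nVersion: 0.9.0\n"
        )
    with open(os.path.join(root, "etc/ssh/sshd_config"), "w", encoding="utf-8") as handle:
        handle.write("# constructed sample\nPermitRootLogin yes\n#PasswordAuthentication yes\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_snapshot(root)
        return [(f["priority"], f["id"]) for f in analyze_snapshot(root, SAMPLE_ADVISORIES)]


if __name__ == "__main__":
    for priority, finding_id in demo():
        print(priority, finding_id)
```

Everything is read from files inside the tree, which is why this kind of check needs neither credentials on the guest nor a network path to it.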
The snapshot of the VM 119 is located and may be saved from the virtual disk 118-1 is accessed by the system 140. In an embodiment, the VM's 119 snapshot may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot, or request such an action. The snapshots may be taken at a predefined schedule or upon predefined events (e.g., a network event or abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs.

It should be noted that the snapshot of the virtual disk

legitimate communicate and/or attack attempts, to assess its posture and by that deriving the security posture of the entire VM 119.

In order to determine if the vulnerability is relevant to the VM 119, the security system 140 is configured to analyze the machine memory, as reflected in the page file. The page file is saved in the snapshot and extends how much system committed memory (also known as "virtual memory") a system can back. In an embodiment, analyzing the page file allows deduction of running applications and modules by the VM 119.

In an embodiment, the security system 140 is configured to read process identi