`#: 5023
`
`Joint Appendix
`Exhibit 1
`
`
`
Case 1:23-cv-00758-JLH-SRF Document 203-1 Filed 11/22/24 Page 2 of 580 PageID #: 5024
`US011663031B2
`
(12) United States Patent
Shua

(10) Patent No.: US 11,663,031 B2
(45) Date of Patent: May 30, 2023
`
`(54) TECHNIQUES FOR SECURING VIRTUAL
`CLOUD ASSETS AT REST AGAINST CYBER
`THREATS
`
`(71) Applicant: Orea Security LTD., Tel Aviv (IL)
`
`(72)
`
`Inventor: Avi Shua, Tel Aviv (IL)
`
`(73) Assignee: ORCA SECURITY LTD., Tel Aviv
`(IL)
`
`( *) Notice:
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`U.S.C. 154(b) by O days.
`
`(21) Appl. No.: 17/400,364
`
`(22) Filed:
`
`Aug. 12, 2021
`
`(65)
`
`Prior Publication Data
`
`US 2021/0377287 Al
`
`Dec. 2, 2021
`
`(63)
`
`(60)
`
`(51)
`
`(52)
`
`Related U.S. Application Data
`
`Continuation of application No. 16/750,556, filed on
`Jan. 23, 2020.
`
`Provisional application No. 62/797,718, filed on Jan.
`28, 2019.
`
`(2022.01)
`(2018.01)
`(2019.01)
`(2006.01)
`
`Int. Cl.
`H04L 9/40
`G06F 9/455
`G06F 16111
`G06F 11114
`U.S. Cl.
`CPC ...... H04L 63/1416 (2013.01); G06F 9/45558
`(2013.01); G06F 1111464 (2013.01); G06F
`161128 (2019.01); H04L 63/1433 (2013.01);
`H04L 63/1441 (2013.01); G06F 2009/45562
`(2013.01); G06F 2009/45583 (2013.01); G06F
`2009/45587 (2013.01); G06F 2009/45591
`(2013.01); G06F 2009/45595 (2013.01); G06F
`2201/84 (2013.01)
`
`(58) Field of Classification Search
`CPC ............. H04L 63/1416; H04L 63/1433; H04L
`63/1441; G06F 9/45558; G06F
`2009/45562; G06F 2009/45591; G06F
`2009/45587; G06F 2201/84
`USPC .. .. ... ... ... ... ... .. ... ... ... ... .. ... ... ... ... ... .. ... ... .. 726/25
`See application file for complete search history.
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`9,092,625 Bl *
`9,177,145 B2
`9,519,781 B2
`9,563,777 B2
`9,798,885 B2
`
`7/2015 Kashyap ................. G06F 21/52
`11/2015 Todorovic
`12/2016 Golshan et al.
`2/2017 Deng et al.
`10/2017 Deng et al.
`(Continued)
`
`OTHER PUBLICATIONS
`
`NPL Search Terms (Year: 2021).*
`(Continued)
`
`Primary Examiner - Syed A Zaidi
`(74) Attorney, Agent, or Firm - Finnegan, Henderson,
`Farabow, Garrett & Dunner, LLP
`
`(57)
`
`ABSTRACT
`
`A method and system for securing virtual cloud assets at rest
`against cyber threats. The method comprises determining a
`location of a view of at least one virtual disk of a protected
`virtual cloud asset, wherein the virtual cloud asset is at rest
`and, when activated, instantiated in the cloud computing
`environment; accessing the view of the virtual disk based on
`the determined location; analyzing the view of the protected
`virtual cloud asset to detect potential cyber threats risking
`the protected virtual cloud asset, wherein the virtual cloud
`asset is inactive during the analysis; and alerting detected
`potential cyber threats based on a determined priority.
`
`16 Claims, 4 Drawing Sheets
`
[Representative drawing (FIG. 2): flowchart. Start; S210 receive a request to scan a VM at rest for vulnerabilities; S220 determine a location of the virtual disk of the VM and its view; S230 access a view of the VM at rest; S240 analyze the view; S250 report detected threats; S260 trigger a mitigation action; End.]
`
`
`
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`10,339,011 Bl *
`10,412,109 B2
`10,536,471 Bl*
`10,552,610 Bl*
`2007 /0266433 Al
`2008/0155223 Al*
`
`7/2019 Bansal .................. G06F 16/188
`9/2019 Loureiro et al.
`1/2020 Derbeko ................. G06F 21/53
`2/2020 Vashisht ............... G06F 3/0619
`11/2007 Moore
`6/2008 Hiltgen ............... G06F 21/6218
`718/1
`2008/0263658 Al* 10/2008 Michael ................ G06F 21/562
`726/22
`
`2009/0007100 Al
`2010/0070726 Al *
`
`1/2009 Field
`3/2010 Ngo .................... G06F 11/1469
`711/162
`2013/0262801 Al* 10/2013 Sancheti ............. H04L 67/1095
`711/162
`2013/0268763 Al* 10/2013 Sweet ..................... G06F 21/56
`713/176
`
`2014/0137190 Al
`2014/0173723 Al
`
`5/2014 Carey et al.
`6/2014 Singla
`
`2015/0052520 Al
`2015/0161151 Al*
`
`2017/0011138 Al
`2017 /0076092 Al *
`2018/0255080 Al
`2018/0293374 Al
`
`2/2015 Crowell et al.
`6/2015 Koryakina .......... G06F 11/1451
`711/114
`
`1/2017 Venkatesh et al.
`3/2017 Kashyap ............... G06F 21/316
`9/2018 Paine
`10/2018 Chen
`
`OTHER PUBLICATIONS
`
`Pandey, Anjali, and Shashank Srivastava. "An approach for virtual
`machine image security." 2014 International Conference on Signal
`Propagation and Computer Technology (ICSPCT 2014). IEEE,
`2014. (Year: 2014).*
`NPL Search Terms (Year: 2022).*
`U.S. Patent and Trademark Office, Non-final Office Action, dated
`Jul. 21, 2022, 24 pp. for U.S. Appl. No. 16/750,556 (filing date Jan.
`23, 2020).
`
`* cited by examiner
`
`
`
[FIG. 1A (Sheet 1 of 4): network diagram 100 showing the cloud computing platform 110, the management console 150, external systems 170, and the user console 180]
`
`
`
[FIG. 1B (Sheet 2 of 4): cloud computing platform 110 with the client environment 130, server 115, VM 119-1, and the security system 140]
`
`
`
[FIG. 2 (Sheet 3 of 4): flowchart. Start; S210 receive a request to scan a VM at rest for vulnerabilities; S220 determine a location of the virtual disk of the VM and its view; S230 access a view of the VM at rest; S240 analyze the view; S250 report detected threats; S260 trigger a mitigation action; End.]
`
`
`
[FIG. 3 (Sheet 4 of 4): block diagram of the security system 140 with processing circuitry 310, memory 320, storage 330, and network interface 340 connected over bus 360]
`
`
`
`TECHNIQUES FOR SECURING VIRTUAL
`CLOUD ASSETS AT REST AGAINST CYBER
`THREATS
`
This application is a continuation of U.S. application Ser. No. 16/750,556, filed Jan. 23, 2020, now pending, which claims the benefit of U.S. Provisional Application No. 62/797,718, filed on Jan. 28, 2019. Each of the above referenced applications is incorporated herein by reference in its entirety.
`
`TECHNICAL FIELD
`
This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.
`
`BACKGROUND
`
Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.
Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.
In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of "computers" or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and, therefore, a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.
Modern virtualization technologies are also adopted by cloud computing platforms. Examples of such technologies include virtual machines, software containers, and serverless functions. Despite their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.
Protection of a cloud computing infrastructure, and, particularly, of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication.
Furthermore, inspection of computing infrastructure may be performed by a network scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in the application. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or that the server may not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent such communication. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.
Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring would not allow for detection of vulnerabilities in software executed by the server.
To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resource management, governance, and performance. For example, installing agents in a large data center may take months.
Further, traffic monitoring does not allow detection of vulnerabilities in data at rest. Data at rest, in information technology, means inactive data that is stored physically in any digital form. Data at rest may include data, applications, and/or services that are inactive but can be accessed or executed as needed. Similarly, in cloud computing, some machines (e.g., virtual machines) may also be at rest. Some machines are configured with applications or services which are infrequently executed. For example, such a machine may be utilized during one month of the year and remain inactive for the rest of the year. While at rest, the machines are powered off and are not inspected for vulnerabilities, simply because scanners and/or installed monitoring agents cannot operate on a powered-off machine.
Another approach would be to scan a machine while it is powered on and preserve a log of its latest status. However, this would require keeping an updated log of the machine's configuration and all its applications. Further, as threats constantly evolve, scanning based on past information may not be relevant. As such, when data or a machine at rest becomes active, undetected vulnerabilities can pose cyber threats.
It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.
`
`SUMMARY
`
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
Certain embodiments disclosed herein include a method for securing virtual cloud assets at rest against cyber threats. The method comprises determining a location of a view of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is at rest and, when activated, instantiated in the cloud computing environment; accessing the view of the virtual disk based on the determined location; analyzing the view of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset, wherein the virtual cloud asset is inactive during the analysis; and alerting detected potential cyber threats based on a determined priority.
`
`
`
Certain embodiments disclosed herein also include a system for securing virtual cloud assets at rest against cyber threats, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a location of a view of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is at rest and, when activated, instantiated in a cloud computing environment; access the view of the virtual disk based on the determined location; analyze the view of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset, wherein the virtual cloud asset is inactive during the analysis; and alert detected potential cyber threats based on a determined priority.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
FIGS. 1A and 1B are network diagrams utilized to describe the various embodiments.
FIG. 2 is a flowchart illustrating a method for detecting cyber threats, including potential vulnerabilities, in virtual machines executed in a cloud computing platform according to some embodiments.
FIG. 3 is an example block diagram of the security system according to an embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
Various techniques disclosed herein include techniques for securing data at rest or machines at rest (collectively referred to as "machines at rest"). Data at rest may include inactive data that is stored physically in any digital form. Machines at rest may include a virtual machine configured with service(s) and/or application(s) that are inactive but can be accessed or executed as needed. The applications and/or services in such machines at rest are infrequently executed. The disclosed techniques are utilized to scan for embedded vulnerabilities in machines at rest, when the machine is powered off. For example, a machine at rest may be utilized during one month of the year and remain inactive for the rest of the year. According to the disclosed embodiments, the machine is scanned for vulnerabilities while it is in its inactive state.
FIGS. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include a public cloud, a private cloud, a hybrid cloud, and the like. Examples of a public cloud include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud®, and the like. In some configurations, the disclosed embodiments may be operable in on-premises virtual machine environments. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.
The arrangement of the example cloud computing platform 110 is shown in FIG. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting one or more virtual machines (VMs). In the example of FIG. 1B, two VMs 119-1 and 119-2 are shown, and both are protected entities. It should be noted that such a protected entity may be any virtual cloud asset including, but not limited to, a software container, a micro-service, a serverless function, and the like. For the sake of the discussion and without limiting the scope of the disclosed embodiments, VM 119-1 is an active machine and VM 119-2 is a machine at rest. That is, VM 119-2 is mostly in an inactive state (e.g., being executed one day in a month or one month in a year, and remaining inactive otherwise).
The storage 117 emulates virtual disks for the VMs 119-1 and 119-2 executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optical fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In the example illustrated in FIG. 1B, a virtual disk 118-1 is allocated for the VM 119-1 and a virtual disk 118-2 is allocated for the VM 119-2. The server 115, and, hence, the VMs 119-1 and 119-2, may be executed in a client environment 130 within the platform 110.
The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or an on-premises virtualization environment, such as a VMware® based solution.
Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines executed by a host server. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based computing entity, such as a serverless function.
In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross-account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.
In the deployment illustrated in FIGS. 1A and 1B, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disk 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.
`
`
`
In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may be used to detect certain known vulnerabilities identified in, for example, a CVE database.
In an embodiment, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119-1. The detection is performed while the VM 119-1 is live, without using any agent installed in the server 115 or the VM 119-1, and without relying on cooperation from the guest OS of the VM 119-1.
According to another embodiment, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119-2, i.e., the machine at rest. The detection is performed while the VM 119-2 is powered off.
In both embodiments, the security system 140 can scan for and detect vulnerable software, non-secure configurations, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber-insurance, by assessing the security posture.
In some embodiments, the security system 140 is configured to query the cloud management console 150 for the addresses of the virtual disks 118-1 and 118-2, respectively serving the VM 119-1 and the VM 119-2, and for the location of the snapshot. A VM's snapshot is a copy of the machine's virtual disk (or disk file) at a given point in time. Snapshots provide a change log for the virtual disk and are used to restore a VM to a particular point in time when a failure occurs. Typically, any data that was writable on a VM becomes read-only when the snapshot is taken. Multiple snapshots of a VM can be created at multiple point-in-time restore points. When a VM reverts to a snapshot, the current disk and memory states are deleted and the snapshot becomes the new parent snapshot for that VM.
In an embodiment, a view, or a materialized view, of the virtual disk 118-2 associated with the VM 119-2 is accessed. A view is a stored query that consumes limited to no space, consuming only the space required to store the text of the query in the data dictionary. A materialized view is both a stored query and a segment. That is, the stored query is executed, and the results are materialized into the segment. For the sake of simplicity, but without limiting the scope of the disclosed embodiments, the inspection of the machine at rest (VM 119-2) is based on a view stored in the virtual disk 118-2, while the inspection of the active machine (VM 119-1) is based on a snapshot stored in the virtual disk 118-1.
The snapshot of the VM 119-1 is located and may be saved from the virtual disk 118-1 for access by the security system 140. In an embodiment, the snapshot of the VM 119-1 may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot or request such an action. The snapshots may be taken on a predefined schedule or upon predefined events (e.g., a network event or an abnormal event). Further, the snapshots may be accessed or copied on a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119-1 still runs.
`
`6
`The view of the VM 119-2 is located and may be saved
`from the virtual disk 118-2 for access by the system 140. In
`an embodiment, the VM's 119-2 view may be copied to the
`system 140. If such a view does not exist, the system 140
`5 may generate a query to create a new VM 119-2. The view
`may be taken when the VM 119-2 is about to transition into
`an inactive state or when the same VM 119-2 is at rest. It
`should be noted that when the view is taken or copied, the
`VM 119-2 may be at rest (i.e., inactive and powered off).
`It should be noted that the snapshots and/or views of the
`virtual disk 118-1 and/or 118-2 may not necessarily be
`stored in the storage 117, but, for ease of discussion, it is
`assumed that the snapshot is saved in the storage 117. It
`should be further noted that the snapshots and/or views are
`accessed without cooperation of the guest, virtual OS of the
`virtual machine.
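The console query and snapshot/view selection described in the preceding paragraphs, as an added example that is not the patent's or Orca's code. The management console is replaced by an in-memory stand-in (FakeConsole, an assumption) whose hypothetical method names mirror the EC2 operations DescribeInstances, DescribeVolumes, DescribeSnapshots and CreateSnapshot that a real deployment would call through the platform API; the instances, volumes and snapshots are constructed. The point it adds is the freshness rule that follows from the text: a snapshot taken after a machine at rest was powered off remains a faithful view of its disk however old it is, whereas a running machine's snapshot ages and must be renewed.

```python
"""Locate (or request) a point-in-time copy of each virtual disk of a protected VM.

Added example, not the patent's code. FakeConsole and its method names are an
assumption standing in for the cloud management console API; all data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed scan time


@dataclass
class Instance:
    id: str
    state: str                  # "running" or "stopped"
    state_changed_at: datetime  # last power-state transition


@dataclass
class Snapshot:
    id: str
    volume_id: str
    created: datetime
    state: str                  # "pending" or "completed"


@dataclass
class Volume:
    id: str
    instance_id: str


class FakeConsole:
    """In-memory stand-in for the management console (assumption)."""

    def __init__(self, instances, volumes, snapshots):
        self.instances = {i.id: i for i in instances}
        self.volumes, self.snapshots = list(volumes), list(snapshots)
        self._next = len(self.snapshots) + 1

    def describe_instance(self, instance_id):
        return self.instances[instance_id]

    def describe_volumes(self, instance_id):
        return [v for v in self.volumes if v.instance_id == instance_id]

    def describe_snapshots(self, volume_id):
        return [s for s in self.snapshots if s.volume_id == volume_id]

    def create_snapshot(self, volume_id, now):
        # A real CreateSnapshot starts "pending"; the fake completes immediately.
        snap = Snapshot(f"snap-new-{self._next}", volume_id, now, "completed")
        self._next += 1
        self.snapshots.append(snap)
        return snap


def locate_disk_views(console, instance_id, now=NOW, max_age=timedelta(hours=24)):
    """Return (at_rest, {volume_id: snapshot_id}) naming the disk copy to analyze.

    A completed snapshot is reused only while it still reflects the disk: for a
    powered-off VM that means it was created after the VM stopped (the disk has not
    changed since); for a running VM it must be younger than max_age. Otherwise a
    fresh snapshot is requested. Pending snapshots are never handed to the scanner.
    """
    inst = console.describe_instance(instance_id)
    at_rest = inst.state == "stopped"
    chosen = {}
    for vol in console.describe_volumes(instance_id):
        usable = [
            s for s in console.describe_snapshots(vol.id)
            if s.state == "completed"
            and (s.created >= inst.state_changed_at if at_rest else now - s.created <= max_age)
        ]
        if usable:
            chosen[vol.id] = max(usable, key=lambda s: s.created).id
        else:
            chosen[vol.id] = console.create_snapshot(vol.id, now).id
    return at_rest, chosen


def build_sample_console(now=NOW):
    """Constructed deployment: VM 119-1 running, VM 119-2 stopped 30 days ago."""
    stop_time = now - timedelta(days=30)
    return FakeConsole(
        instances=[Instance("vm-119-1", "running", now - timedelta(days=90)),
                   Instance("vm-119-2", "stopped", stop_time)],
        volumes=[Volume("vol-118-1", "vm-119-1"),
                 Volume("vol-118-2", "vm-119-2"), Volume("vol-118-2b", "vm-119-2")],
        snapshots=[
            Snapshot("snap-a", "vol-118-1", now - timedelta(hours=2), "completed"),          # fresh: reuse
            Snapshot("snap-b", "vol-118-2", stop_time + timedelta(days=1), "completed"),     # after stop: reuse
            Snapshot("snap-c", "vol-118-2", now - timedelta(hours=1), "pending"),            # unfinished: ignore
            Snapshot("snap-d", "vol-118-2b", stop_time - timedelta(days=10), "completed"),   # predates stop: stale
        ],
    )


if __name__ == "__main__":
    console = build_sample_console()
    for vm in ("vm-119-1", "vm-119-2"):
        print(vm, locate_disk_views(console, vm))
```

For the stopped VM the scanner reuses snap-b although it is 29 days old, ignores the pending snap-c, and requests a new snapshot for the volume whose only copy predates the shutdown.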
The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction with and/or information from the VM 119-1. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or VM 119-1.
Further, the view is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the view does not require any interaction with and/or information from the VM 119-2. In fact, the VM 119-2 is in its inactive state (at rest) during the analysis. As further demonstrated herein, the analysis of the view by the system 140 does not require any agent installed on the server 115 or VM 119-2.
Various techniques can be utilized to analyze the views and snapshots, depending on the type of vulnerability and cyber threats to be detected. Following are some example embodiments of techniques that may be implemented by the security system 140.
In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VMs 119-1 and 119-2. In an embodiment, the VM 119-2 being analyzed is shut down, being, therefore, at rest. The VM 119-1 may be running or paused. In an embodiment, to detect vulnerabilities existing in the VM 119-2, the security system 140 is configured to match the list of installed applications, with their respective versions, against a known list of vulnerable applications. Further, the security system 140 may be configured to match the application files, either directly, using binary comparison, or by computing a cryptographic hash, against a database of files belonging to vulnerable applications. The matching may also be performed on sub-modules of an application. Alternatively, the security system 140 may read the installation logs of the package managers used to install the packages of the application.
In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119-2. For example, if a vulnerable version or module is present but not in use, the priority of that issue is reduced dramatically.
To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119-2, to verify access times to files by the operating system, and/or to analyze the application and/or system logs in order to deduce which applications and modules are running.
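The vulnerable-software matching and the relevance check of the last three paragraphs, carried through as one added example (not the patent's or Orca's code). It assumes the disk copy has been attached to the scanner and mounted read-only at a directory, and reads only the package manager's own records on that disk (dpkg's status file and per-package file lists) plus file contents and access times; the package database, advisory feed, known-bad hash and the "EXAMPLE-" advisory identifiers are all constructed, and version ordering is a simplified Debian-style comparison (assumption). The access-time check is what downgrades a vulnerable library that was never loaded.

```python
"""Offline vulnerable-software check over the contents of a mounted virtual disk.

Added example, not the patent's code. The dpkg status, file lists, advisory
feed and known-bad hash are constructed; version_less is a simplified
Debian-style comparison (assumption).
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1ubuntu2

Package: libxml2
Status: install ok installed
Version: 2.9.10+dfsg-5

Package: sudo
Status: deinstall ok config-files
Version: 1.8.31-1ubuntu1
"""
# package -> (first fixed version, hypothetical advisory id); constructed feed.
ADVISORIES = {
    "openssl": ("1.1.1k-1", "EXAMPLE-2021-0001"),
    "libxml2": ("2.9.10+dfsg-6", "EXAMPLE-2021-0002"),
    "sudo": ("1.9.5p2-1", "EXAMPLE-2021-0003"),
}
# Constructed hash list of files shipped by vulnerable builds.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"vulnerable-libssl-build\n").hexdigest(): "EXAMPLE-2021-0001"}
SCAN_TIME = 1_700_100_000      # constructed "now", epoch seconds
RECENT_USE = 90 * 86400        # a file read within 90 days of the scan counts as in use


@dataclass
class Finding:
    package: str
    advisory: str
    evidence: str
    priority: str   # "high" when the vulnerable code was actually used, else "low"


def _parts(version):
    """'1.1.1f-1ubuntu2' -> [1, '.', 1, '.', 1, 'f-', 1, 'ubuntu', 2]."""
    return [int(p) if p.isdigit() else p for p in re.findall(r"\d+|\D+", version)]


def version_less(a, b):
    """True if a < b: digit runs compare numerically, other runs lexically."""
    pa, pb = _parts(a), _parts(b)
    for x, y in zip(pa, pb):
        if x != y:
            return x < y if isinstance(x, int) and isinstance(y, int) else str(x) < str(y)
    return len(pa) < len(pb)


def installed_packages(status_text):
    """Yield (name, version) for stanzas whose Status ends in 'installed';
    a 'deinstall ok config-files' stanza is a removed package, not a live one."""
    for stanza in status_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            yield fields["Package"], fields["Version"]


def scan_image(root, scan_time=SCAN_TIME):
    """Match installed packages, then the files they own, against the feeds above."""
    with open(os.path.join(root, "var/lib/dpkg/status")) as f:
        status = f.read()
    findings = []
    for name, version in installed_packages(status):
        if name not in ADVISORIES or not version_less(version, ADVISORIES[name][0]):
            continue
        fixed, advisory = ADVISORIES[name]
        evidence, used = [f"dpkg {name} {version} < {fixed}"], False
        listing, files = os.path.join(root, f"var/lib/dpkg/info/{name}.list"), []
        if os.path.exists(listing):
            with open(listing) as f:
                files = f.read().split()
        for rel in files:
            path = os.path.join(root, rel.lstrip("/"))
            if not os.path.isfile(path):
                continue
            # stat before open: reading the file would itself update its atime.
            if scan_time - os.stat(path).st_atime < RECENT_USE:
                used = True
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                evidence.append(f"sha256 of {rel} matches {KNOWN_BAD_SHA256[digest]}")
        findings.append(Finding(name, advisory, "; ".join(evidence), "high" if used else "low"))
    return findings


def build_sample_image():
    """Write a constructed mini root filesystem to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="vm_disk_")

    def put(rel, data, atime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (atime, atime))

    put("var/lib/dpkg/status", SAMPLE_DPKG_STATUS.encode(), SCAN_TIME)
    put("var/lib/dpkg/info/openssl.list", b"/usr/lib/libssl.so.1.1\n", SCAN_TIME)
    put("var/lib/dpkg/info/libxml2.list", b"/usr/lib/libxml2.so.2\n", SCAN_TIME)
    put("usr/lib/libssl.so.1.1", b"vulnerable-libssl-build\n", SCAN_TIME - 100_000)  # read recently
    put("usr/lib/libxml2.so.2", b"libxml2-build\n", 0)                               # never read
    return root


if __name__ == "__main__":
    for finding in scan_image(build_sample_image()):
        print(finding)
```

On the constructed disk openssl is reported high (its library was read recently and its hash is on the known-bad list), libxml2 is reported low because nothing ever loaded it, and sudo is skipped because dpkg records it as removed.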
In yet another embodiment, the security system 140 may instantiate a copy of the VM 119-2 and/or a subset of the applications of the VM 119-2 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is an isolated sandbox, which can be a full VM or a subset of it, such as a software container (e.g., a Docker® container) or another virtualized instance. The monitored activity may be further analyzed to determine abnormality. Such analysis may include monitoring of API activity, process creation, file activity, network communication, registry changes, and active probing of said subset in order to assess its security posture. This may include, but is not limited to, actively communicating with the VM 119-2 and using either legitimate communication and/or attack attempts to assess posture and, by that, deriving the security posture of the entire VM 119-2.
In order to determine if the vulnerability is relevant to the VM 119-2, the security system 140 is configured to analyze the machine memory, as reflected in the page file. The page file is saved in the snapshot and extends how much system-committed memory (also known as "virtual memory") a system can back. In an embodiment, analyzing the page file allows deduction of the applications and modules running on the VM 119-2. It should be noted that analyzing the paged memory in this way is only possible when the VM 119-2 was hibernated rather than powered off.
In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature, suspicious manipulation of a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
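Several of the non-vulnerability checks just listed, implemented over a mounted disk copy as an added example that is not the patent's or Orca's code: private keys on disk, cleartext credentials in configuration files, an LD_PRELOAD set system-wide or through /etc/ld.so.preload, ASLR disabled through sysctl, and weak SSH cipher and MAC algorithms. It assumes the disk is mounted read-only at a directory and walks it without any help from the guest; the detection patterns are deliberately small and every file below is constructed, including a /proc entry placed there to show that pseudo-filesystem directories, which hold nothing on a disk at rest, are skipped.

```python
"""Offline checks for exposed secrets and risky configuration on a mounted virtual disk.

Added example, not the patent's code. The patterns are minimal (assumption) and
SAMPLE_IMAGE is constructed for the demonstration.
"""
import os
import re
import tempfile
from dataclasses import dataclass

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----")
CREDENTIAL_RE = re.compile(rb"(?im)^\s*(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+")
ASLR_OFF_RE = re.compile(rb"(?m)^\s*kernel\.randomize_va_space\s*=\s*0\b")
WEAK_SSH_ALGOS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "hmac-md5"}
SKIP_TOP_DIRS = {"proc", "sys", "dev", "run"}   # pseudo-filesystems hold nothing at rest
MAX_READ = 1 << 20                               # inspect at most the first MiB of a file


@dataclass
class Finding:
    check: str
    path: str
    detail: str


def _weak_ssh_algorithms(sshd_config):
    """Weak algorithms named on the Ciphers/MACs lines of an sshd_config."""
    weak = set()
    for line in sshd_config.decode("utf-8", "replace").splitlines():
        key, _, value = line.strip().partition(" ")
        if key in ("Ciphers", "MACs"):
            weak.update(a.strip() for a in value.split(",") if a.strip() in WEAK_SSH_ALGOS)
    return weak


def scan_image(root):
    """Walk the mounted disk and return the list of findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != "." and rel_dir.split(os.sep)[0] in SKIP_TOP_DIRS:
            dirnames[:] = []          # do not descend into /proc, /sys, ...
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read(MAX_READ)
            if PRIVATE_KEY_RE.search(data):
                findings.append(Finding("private-key-on-disk", rel, "PEM private key block"))
            m = CREDENTIAL_RE.search(data)
            if m:
                findings.append(Finding("cleartext-credential", rel, f"{m.group(1).decode()} assigned in file"))
            if rel == "/etc/ld.so.preload" and data.strip():
                findings.append(Finding("ld-preload", rel, data.strip().decode("utf-8", "replace")))
            if rel in ("/etc/environment", "/etc/profile") or rel.startswith("/etc/profile.d/"):
                if b"LD_PRELOAD" in data or b"LD_LIBRARY_PATH" in data:
                    findings.append(Finding("suspicious-loader-env", rel, "LD_PRELOAD/LD_LIBRARY_PATH set system-wide"))
            if (rel == "/etc/sysctl.conf" or rel.startswith("/etc/sysctl.d/")) and ASLR_OFF_RE.search(data):
                findings.append(Finding("aslr-disabled", rel, "kernel.randomize_va_space = 0"))
            if rel == "/etc/ssh/sshd_config":
                weak = _weak_ssh_algorithms(data)
                if weak:
                    findings.append(Finding("weak-ssh-algorithms", rel, ", ".join(sorted(weak))))
    return findings


SAMPLE_IMAGE = {   # constructed disk contents: relative path -> bytes
    "etc/ssh/sshd_config": b"Ciphers aes256-ctr,3des-cbc\nMACs hmac-sha2-256,hmac-md5\nPasswordAuthentication yes\n",
    "etc/sysctl.d/99-custom.conf": b"net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 0\n",
    "etc/ld.so.preload": b"/usr/local/lib/libhook.so\n",
    "etc/environment": b"PATH=/usr/bin:/bin\nLD_PRELOAD=/tmp/.x/libx.so\n",
    "root/.ssh/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAC3NzaC1...\n-----END OPENSSH PRIVATE KEY-----\n",
    "opt/app/config.ini": b"[db]\nhost = db.internal\npassword = hunter2\n",
    "usr/bin/true": b"\x7fELF\x02\x01\x01" + b"\x00" * 32,
    "proc/1/environ": b"LD_PRELOAD=/should/not/be/read\x00",   # under /proc: skipped
}


def build_sample_image():
    """Materialize SAMPLE_IMAGE in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="vm_disk_")
    for rel, data in SAMPLE_IMAGE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for finding in scan_image(build_sample_image()):
        print(finding)
```

The credential pattern is anchored to an assignment so that an sshd_config line such as "PasswordAuthentication yes" is not reported as a stored password.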
In an embodiment, the security system 140 may further monitor changes in sensitive machine areas, and alert on unexpected changes, such as added or changed application files without installation. In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
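The hash-based change detection of the previous paragraph, as an added example that is not the patent's or Orca's code. It hashes the sensitive areas of a mounted disk copy into a manifest, compares it with the manifest kept from the previous scan, and decides whether an added or changed file was installed legitimately by checking its content against the package manager's own record of installed files (dpkg's /var/lib/dpkg/info/<package>.md5sums, read from the same disk); a file whose content does not match that record is the "changed without installation" case. The watched areas, files and drift are constructed.

```python
"""Unexpected-change detection over sensitive areas of a mounted virtual disk.

Added example, not the patent's code. Paths, contents and the simulated drift
are constructed; the watched areas are an assumption.
"""
import hashlib
import os
import tempfile

SENSITIVE_AREAS = ("boot", "etc", "usr/bin", "usr/sbin", "usr/lib", "lib")


def hash_tree(root, areas=SENSITIVE_AREAS):
    """Return {'/relative/path': sha256 hex} for every regular file under the areas."""
    manifest = {}
    for area in areas:
        for dirpath, _, filenames in os.walk(os.path.join(root, area)):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
                manifest["/" + os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def dpkg_md5sums(root):
    """{'/path': md5 hex} from dpkg's per-package md5sums files on the scanned disk."""
    recorded = {}
    info_dir = os.path.join(root, "var/lib/dpkg/info")
    if os.path.isdir(info_dir):
        for name in os.listdir(info_dir):
            if name.endswith(".md5sums"):
                with open(os.path.join(info_dir, name)) as f:
                    for line in f:
                        digest, _, rel = line.strip().partition("  ")
                        if rel:
                            recorded["/" + rel] = digest
    return recorded


def diff_manifests(baseline, current, root):
    """Return (alerts, expected): each a list of (kind, path).

    An added or modified file whose content matches what the package manager
    recorded at installation is expected; anything else, and every removal, is an alert."""
    recorded = dpkg_md5sums(root)
    alerts, expected = [], []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            kind = "added"
        elif path not in current:
            kind = "removed"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        installed = False
        if kind != "removed":
            with open(os.path.join(root, path.lstrip("/")), "rb") as f:
                installed = hashlib.md5(f.read()).hexdigest() == recorded.get(path)
        (expected if installed else alerts).append((kind, path))
    return alerts, expected


def _put(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def _install(root, pkg, rel, data):
    """Write a file and record it in dpkg's md5sums, as a package install would."""
    _put(root, rel, data)
    entry = f"{hashlib.md5(data).hexdigest()}  {rel}\n".encode()
    path = os.path.join(root, f"var/lib/dpkg/info/{pkg}.md5sums")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab") as f:
        f.write(entry)


def build_baseline_image():
    """Constructed disk at the time of the previous scan."""
    root = tempfile.mkdtemp(prefix="vm_disk_")
    _install(root, "coreutils", "usr/bin/ls", b"ls build 8.30\n")
    _install(root, "grub-common", "boot/grub/grub.cfg", b"set timeout=5\n")
    _put(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
    _put(root, "etc/cron.d/oldjob", b"0 3 * * * root /usr/local/bin/backup\n")
    return root


def apply_changes(root):
    """Constructed drift: one package install (expected) and three unexplained changes."""
    _install(root, "curl", "usr/bin/curl", b"curl build 7.68\n")         # recorded by dpkg
    _put(root, "usr/bin/ls", b"ls build 8.30 + implant\n")                 # changed, no dpkg record
    _put(root, "etc/cron.d/backdoor", b"* * * * * root /tmp/.x/run\n")     # added, no dpkg record
    os.remove(os.path.join(root, "etc/cron.d/oldjob"))                     # removed


if __name__ == "__main__":
    root = build_baseline_image()
    baseline = hash_tree(root)
    apply_changes(root)
    print(diff_manifests(baseline, hash_tree(root), root))
```

Between the two scans the new curl binary is accepted because dpkg recorded exactly that content, while the altered ls, the new cron entry and the deleted cron entry are raised as alerts.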
In some embodiments, the detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based, in part, on their determined risk. Further, the reported cyber threats may be filtered or prioritized based, in part, on the risk level of the machine. This also reduces the number of alerts reported to the user.
In an embodiment, any detected cyber threat related to sensitive data, including personally identifiable information (PII), is reported at a higher priority. In an embodiment, such data is identified by searching for the PII, by analyzing the application logs to determine whether the machine accessed PII or PII-containing servers or whether the logs themselves contain PII, and by searching the machine memory, as reflected in the page file, for PII.
In an embodiment, the security system 140 may determine the risk of the VM 119-2 based on its communication with an untrusted network. This can be determined by analyzing the logs of the VM 119-2 as saved in the virtual disk, and can be derived from the view.
In an example embodiment, the security system 140 may cause the execution of one or more mitigation actions. Examples of such actions may include disabling the VM 119-2 from execution, updating the VM 119-2 with recent patches, and so on.
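The reporting stage of the preceding four paragraphs, as one added example that is not the patent's or Orca's code: findings from the disk analysis are scored by their own severity, cut sharply when the vulnerable module is present but unused, raised when they involve PII, and raised again for the machine as a whole when its recovered logs show traffic with an untrusted network or contain PII; low scores are filtered out and the survivors are mapped to the mitigation actions the text names. The findings, log excerpts and trusted address ranges are constructed, and the weights are an assumption chosen to reflect the rules in the text rather than a published formula.

```python
"""Prioritize, filter and map to mitigations the findings from a scanned disk.

Added example, not the patent's code. Findings, logs and trusted ranges are
constructed; the scoring weights are an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_ACCESS_LOG = """\
10.0.3.17 - - [03/Mar/2024:09:12:01 +0000] "GET /healthz HTTP/1.1" 200 12
10.0.3.18 - - [03/Mar/2024:09:12:05 +0000] "POST /api/orders HTTP/1.1" 201 88
203.0.113.7 - - [03/Mar/2024:09:13:44 +0000] "GET /admin HTTP/1.1" 302 0
"""
SAMPLE_APP_LOG = """\
2024-03-03T09:12:05Z INFO order created id=4812 customer=jane.doe@example.com
2024-03-03T09:12:06Z INFO payment ok ssn=123-45-6789
"""
# Tenant-defined trusted ranges (assumption). Anything else is untrusted, so the
# test is membership in these ranges, not ipaddress' is_global/is_private flags
# (203.0.113.0/24 is TEST-NET-3 and would otherwise be classed as private).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PII_RES = [re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]
REPORT_THRESHOLD = 3.0


@dataclass
class Finding:
    check: str
    severity: float          # detector's base severity on a 1..10 scale (assumption)
    in_use: bool = True      # False when the vulnerable module is present but unused
    involves_pii: bool = False


def talks_to_untrusted(log_text, trusted=TRUSTED_NETWORKS):
    """True if any peer address in the log lies outside the trusted ranges."""
    for ip_str in set(IPV4_RE.findall(log_text)):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        if not any(ip in net for net in trusted):
            return True
    return False


def contains_pii(log_text):
    return any(r.search(log_text) for r in PII_RES)


def score(finding, untrusted, machine_pii):
    s = finding.severity * (1.5 if untrusted else 1.0) * (1.0 if finding.in_use else 0.25)
    return s + (3.0 if finding.involves_pii else 0.0) + (1.0 if machine_pii else 0.0)


def prioritize(findings, access_log, app_log, threshold=REPORT_THRESHOLD):
    """Return [(score, finding)] from highest to lowest, dropping scores below threshold."""
    untrusted, machine_pii = talks_to_untrusted(access_log), contains_pii(app_log)
    scored = ((score(f, untrusted, machine_pii), f) for f in findings)
    return sorted((sf for sf in scored if sf[0] >= threshold), key=lambda sf: -sf[0])


def mitigation_actions(ranked):
    """Map the reported findings to the actions named in the text."""
    actions = []
    if ranked and ranked[0][0] >= 10:
        actions.append("keep VM disabled from execution until remediated")
    for _, f in ranked:
        if f.check.startswith("vulnerable-package:"):
            actions.append("patch " + f.check.split(":", 1)[1])
    return actions


SAMPLE_FINDINGS = [   # constructed output of the disk-analysis stage
    Finding("cleartext-credential", 7, involves_pii=True),
    Finding("vulnerable-package:openssl", 8),
    Finding("vulnerable-package:libxml2", 5, in_use=False),
    Finding("weak-ssh-algorithms", 3),
    Finding("service-on-startup", 1),
]


def run_sample():
    ranked = prioritize(SAMPLE_FINDINGS, SAMPLE_ACCESS_LOG, SAMPLE_APP_LOG)
    return ranked, mitigation_actions(ranked)


if __name__ == "__main__":
    ranked, actions = run_sample()
    for s, f in ranked:
        print(f"{s:5.2f}  {f.check}")
    print(actions)
```

With the constructed logs the machine is both exposed and PII-handling, so the credential finding outranks the openssl vulnerability, the unused libxml2 and the startup-service note fall under the threshold, and the plan is to keep the VM disabled and patch openssl.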
`The above examples for detecting vulnerabilities may be
`applicable also for a VM 119-1 and may be performed when
`
`8