`Case 1:23-cv-00758-JLH Document 70-1 Filed 06/04/24 Page 1 of 114 PagelD #: 1933
`
EXHIBIT A

US011722554B2

(12) United States Patent
Keren et al.

(10) Patent No.: US 11,722,554 B2
(45) Date of Patent: *Aug. 8, 2023

(54) SYSTEM AND METHOD FOR ANALYZING NETWORK OBJECTS IN A CLOUD ENVIRONMENT

(71) Applicant: Wiz, Inc., Palo Alto, CA (US)

(72) Inventors: Shai Keren, Tel Aviv (IL); Danny Shemesh, Tel Aviv (IL); Roy Reznik, Tel Aviv (IL); Ami Luttwak, Binyamina (IL); Avihai Berkovitz, Tel Aviv (IL)

(73) Assignee: WIZ, INC., New York, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 17/819,442

(22) Filed: Aug. 12, 2022

(65) Prior Publication Data
US 2022/0394082 A1, Dec. 8, 2022

Related U.S. Application Data
(63) Continuation of application No. 17/109,883, filed on Dec. 2, 2020, now Pat. No. 11,431,786.

(51) Int. Cl.
G06F 15/173 (2006.01)
H04L 67/10 (2022.01)
H04L 49/00 (2022.01)
H04L 9/40 (2022.01)
H04L 41/50 (2022.01)
H04L 41/046 (2022.01)

(52) U.S. Cl.
CPC: H04L 67/10 (2013.01); H04L 41/046 (2013.01); H04L 41/5096 (2013.01); H04L 49/70 (2013.01); H04L 63/1433 (2013.01)

(58) Field of Classification Search
CPC: H04L 67/10; H04L 41/046; H04L 41/5096; H04L 49/70; H04L 63/1433
USPC: 709/201, 204, 205, 217, 218, 219, 223, 224
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
7,392,539 B2*   6/2008  Brooks ... H04L 63/0263; 709/224
10,171,300 B2*  1/2019  Eggen ... H04L 41/0896
10,924,347 B1*  2/2021  Newian ... H04L 47/12
(Continued)

Primary Examiner — Liang Che A Wang
Assistant Examiner — Liangche A Wang
(74) Attorney, Agent, or Firm — M&B IP Analysts, LLC

(57) ABSTRACT

A method and system for determining abnormal configuration of network objects deployed in a cloud computing environment are provided. The method includes collecting network object data on a plurality of network objects deployed in the cloud computing environment; constructing a network graph based on the collected network object data, wherein the network graph includes a visual representation of network objects identified in the cloud computing environment; determining relationships between the identified network objects in the network graph, wherein the determined relationships between the identified network objects includes descriptions of connections between the identified network objects; and analyzing the network graph and the determined relationships to generate insights, wherein the generated insights include at least a list of abnormal connections between the identified network objects.

21 Claims, 6 Drawing Sheets

[Front-page figure: flowchart 200: Start; S210 Identify and collect network object data; S220 Construct network graph; S230 Determine object relationships; S240 Generate insights; S250 Tag objects; End.]
`
`
(56) References Cited

U.S. PATENT DOCUMENTS (continued)
2004/0019803 A1   1/2004   Jahn
2014/0157417 A1*  6/2014   Grubel ... H04L 63/20; 726/25
2016/0044057 A1   2/2016   Chenette et al.
2016/0048556 A1*  2/2016   Kelly ... G06Q 10/10; 707/767
2016/0359872 A1*  12/2016  Yadav ... H04L 63/1425
2016/0373944 A1*  12/2016  Jain ... H04L 43/08
2017/0075981 A1*  3/2017   Carlsson ... H04L 41/0826
2018/0024981 A1*  1/2018   Kia ... G06F 40/18; 715/215
2019/0095530 A1*  3/2019   Booker ... G06F 16/9024
2020/0267175 A1   8/2020   Atighetchi et al.
2020/0322227 A1*  10/2020  Janakiraman ... H04L 41/147
2020/0374343 A1*  11/2020  Novotny ... G06F 16/9024
2020/0382539 A1*  12/2020  Janakiraman ... H04L 63/0428

* cited by examiner
`
[Sheet 1 of 6: FIG. 1A, diagram 100 of cloud environment 103. Legible labels: cloud platforms 104-1 and 104-n, network objects 105-1 and 105-n, app 106, network 108, cyber-security system 150. The figure text was extracted rotated and is not reproduced.]

[Sheet 2 of 6: FIG. 1B, network diagram of a cloud platform with subnets 130 and network objects 105. The figure text was extracted rotated and is not reproduced.]

[Sheet 3 of 6: FIG. 2, flowchart 200: Start; Identify and collect network object data; Construct network graph; Determine object relationships; Generate insights; Tag objects; End.]

[Sheet 4 of 6: FIG. 3A, example network graph schema; only reference numerals 315 and 340 are legible in the extraction.]

[Sheet 5 of 6: FIG. 3B, network graph object list; the entries are largely illegible in the extraction.]

[Sheet 6 of 6: FIG. 4, hardware block diagram of cyber-security system 150: processing circuitry 410, storage 430, network interface 440.]

`SYSTEM AND METHOD FOR ANALYZING
`NETWORK OBJECTS IN A CLOUD
`ENVIRONMENT
`
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`
This application is a continuation of U.S. patent application Ser. No. 17/109,883 filed Dec. 2, 2020, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure relates generally to network administration, in particular, to systems and methods for analyzing networks.
`
`BACKGROUND
`
As businesses, governments, and other organizations expand and increase their digital presence through various computer, network, and web technologies, the same parties may be increasingly vulnerable to developing cyber-threats. While updated solutions provide for management of prior cyber-threats, the same systems may include new vulnerabilities, which attackers may seek to identify and exploit to gain access to sensitive systems and data. Specifically, as organizations transition into multi-level computing systems, implementing computing solutions at the individual, group, team, and cloud levels, these systems, and the links between the elements of the layers, as well as the links between elements of different layers, include vulnerabilities which prior solutions fail to address.

Due to the distributed nature of large, multi-layered network systems, management of network access and use may be difficult or impossible for lone administrators or teams of administrators. Management of such code-to-cloud systems, and protection of the same, may require monitoring of large numbers of devices, systems, and components. Further, as each device, system, or component of a network system may be variously connected with the other elements of the system, including connections with multiple other devices via multiple protocols, management and monitoring of individual devices and connections may be untenable.

To address the need to manage large, distributed network systems, operators and administrators may employ various solutions to provide for network analysis. Certain network analysis solutions include manual review of devices, connections, and networks, providing for thorough, specific analysis of individual elements of a network. However, such manual solutions may require prohibitive outlays of time and effort to successfully review every component and connection of a large, multi-layer network, thus failing to provide a solution for analysis of modern network systems.

In addition, various analysis solutions include solutions directed to the monitoring of specific device types, such as, for example, firewall control systems, which may provide for management of all firewalls installed in a given network. Similarly, protocol-specific analysis solutions may provide for monitoring of all traffic occurring over given protocols, within the network. However, such specialized solutions may fail to provide for streamlined monitoring and management of all components and connections of a network, where the network includes multiple types of devices communicating via multiple protocols. Further, protocol-agnostic solutions may provide for overall traffic management, providing monitoring and management solutions for all traffic arising within a network. However, such protocol-agnostic solutions may be over-broad, providing irrelevant or redundant information, and may require specification of connections to monitor, reducing efficacy in network-management contexts, while failing to provide device-specific insights, thereby failing to provide for integrated device and connection analysis within a complex, multi-layer network.

In addition, certain solutions providing for the management of large, distributed network systems may fail to provide for agentless management, non-logging solutions, and the like. Agentless management, whereby such large, distributed network systems are managed without the use of a dedicated management agent system or device, may provide for reduced maintenance requirements, as a management agent may require operation and maintenance in addition to the efforts required by the remainder of the network. In addition to failing to provide for agentless management, various solutions for the management of large, distributed network systems fail to provide for non-logging management of the same. Non-logging management, where network analyses and other management processes are executed without reference to netflow logs, provides for reductions in management computing requirements and resource dependency when compared with logging solutions, which may require, without limitation, the execution of additional processing steps or tasks to analyze or process netflow logs, the dependency of the management solution or process on various netflow log resources or repositories, and the like. In addition to the shortcomings described above, current solutions for management of large, distributed network systems may fail to provide for agentless, non-logging management.

It would therefore be advantageous to provide a solution that would overcome the challenges noted above.
`
`SUMMARY
`
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the terms “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for determining abnormal configuration of network objects deployed in a cloud computing environment. The method comprising: collecting network object data on a plurality of network objects deployed in the cloud computing environment; constructing a network graph based on the collected network object data, wherein the network graph includes a visual representation of network objects identified in the cloud computing environment; determining relationships between the identified network objects in the network graph, wherein the determined relationships between the identified network objects includes descriptions of connections between the identified network objects; and analyzing the network graph and the determined relationships to generate insights, wherein the generated insights include at least a list of abnormal connections between the identified network objects.

In addition, certain embodiments disclosed herein include a system for determining abnormal configuration of network objects deployed in a cloud computing environment, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: collect network object data on a plurality of network objects deployed in the cloud computing environment; construct a network graph based on the collected network object data, wherein the network graph includes a visual representation of network objects identified in the cloud computing environment; determine relationships between the identified network objects in the network graph, wherein the determined relationships between the identified network objects includes descriptions of connections between the identified network objects; and analyze the network graph and the determined relationships to generate insights, wherein the generated insights include at least a list of abnormal connections between the identified network objects.
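The method summarized above, carried through all five steps of the FIG. 2 flowchart as an added example written for this page (it is not code from the patent or from Wiz). Everything in it is an assumption of the example: the constructed `INVENTORY` records stand in for the object data that S210 would collect, `SENSITIVE_PORTS` is an illustrative policy, and the `Edge`, `NetworkGraph`, `construct_graph`, `determine_relationships`, `generate_insights`, `tag_objects` and `analyze_environment` names are the example's own. It goes a step beyond the text by deriving reachability edges from security-group ingress rules, so that the list of abnormal connections falls out of the graph instead of being hand-written:

```python
"""Added illustration of the claimed method, steps S210 to S250 of FIG. 2.
Written for this page; not the patent's or Wiz's code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed inventory standing in for the object data S210 would collect
# from a cloud platform API (hypothetical records, no real platform).
INVENTORY: List[dict] = [
    {"id": "internet", "type": "external"},
    {"id": "subnet-public", "type": "subnet", "cidr": "10.0.1.0/24", "public": True},
    {"id": "subnet-private", "type": "subnet", "cidr": "10.0.2.0/24", "public": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "source": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group",      # the port 22 rule is the defect
     "ingress": [{"port": 5432, "source": "sg-web"}, {"port": 22, "source": "0.0.0.0/0"}]},
    {"id": "vm-web", "type": "vm", "subnet": "subnet-public", "security_groups": ["sg-web"]},
    {"id": "vm-db", "type": "vm", "subnet": "subnet-private", "security_groups": ["sg-db"],
     "tags": {"data": "sensitive"}},
]
# Assumed policy for the insight rules (an example choice, not from the patent):
# ports that should never be reachable directly from the internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}

@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    description: str            # description of the connection (S230)
    port: Optional[int] = None

@dataclass
class NetworkGraph:
    nodes: Dict[str, dict] = field(default_factory=dict)
    edges: List[Edge] = field(default_factory=list)

def is_world_open(source: str) -> bool:
    """True for a CIDR covering every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:          # not a CIDR, e.g. a reference to another group
        return False

def construct_graph(inventory: List[dict]) -> NetworkGraph:
    """S220: one node per collected network object, keyed by id."""
    return NetworkGraph(nodes={obj["id"]: obj for obj in inventory})

def determine_relationships(g: NetworkGraph) -> None:
    """S230: edges describing containment, protection and reachability."""
    vms = [o for o in g.nodes.values() if o["type"] == "vm"]
    members: Dict[str, List[str]] = {}         # security group -> attached vms
    for vm in vms:
        g.edges.append(Edge(vm["id"], vm["subnet"], "deployed in subnet"))
        for sg in vm["security_groups"]:
            g.edges.append(Edge(vm["id"], sg, "protected by"))
            members.setdefault(sg, []).append(vm["id"])
    for vm in vms:                             # ingress rules -> reachability edges
        for sg in vm["security_groups"]:
            for rule in g.nodes[sg]["ingress"]:
                port, source = rule["port"], rule["source"]
                if is_world_open(source):
                    g.edges.append(Edge("internet", vm["id"], f"tcp/{port} open to any address", port))
                else:
                    for peer in members.get(source, []):
                        g.edges.append(Edge(peer, vm["id"], f"tcp/{port} allowed via {sg}", port))

def generate_insights(g: NetworkGraph) -> List[dict]:
    """S240: the list of abnormal connections, each with its reasons."""
    findings = []
    for e in g.edges:
        if e.src != "internet":
            continue
        target, reasons = g.nodes[e.dst], []
        if e.port in SENSITIVE_PORTS:
            reasons.append(f"port {e.port} reachable from the internet")
        if not g.nodes[target["subnet"]]["public"]:
            reasons.append("internet path into a private subnet")
        if target.get("tags", {}).get("data") == "sensitive":
            reasons.append("target holds sensitive data")
        if reasons:
            findings.append({"source": e.src, "target": e.dst, "port": e.port,
                             "connection": e.description, "reasons": reasons})
    return findings

def tag_objects(g: NetworkGraph, findings: List[dict]) -> Dict[str, List[str]]:
    """S250: label each object with what the analysis found about it."""
    tags: Dict[str, set] = {}
    for e in g.edges:
        if e.src == "internet":
            tags.setdefault(e.dst, set()).add("internet-exposed")
    for f in findings:
        tags.setdefault(f["target"], set()).add("abnormal-connection")
    return {oid: sorted(t) for oid, t in tags.items()}

def analyze_environment(inventory: List[dict]):
    """Run S220 to S250 over already-collected (S210) object data."""
    g = construct_graph(inventory)
    determine_relationships(g)
    findings = generate_insights(g)
    return g, findings, tag_objects(g, findings)
```

The defect planted in the sample is the `sg-db` rule that opens tcp/22 to any address: the graph turns it into an `internet` to `vm-db` edge, the insight rules state why that edge is abnormal (management port, private subnet, sensitive data), and the tags carry the result back onto the object. Calling `analyze_environment(INVENTORY)` returns the graph, one finding for `vm-db`, and tags for both virtual machines; the `internet` to `vm-web` edge on tcp/443 is left untagged as abnormal because it matches none of the rules.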
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIG. 1A is a diagram of a cloud environment utilized to describe the various embodiments.

FIG. 1B is a network diagram depicting a network system and various associated network and external objects, according to an embodiment.

FIG. 2 is a flowchart depicting a method for constructing a network graph for a network system, according to an embodiment.

FIG. 3A is an example network graph schema, according to an embodiment.

FIG. 3B is a network graph object list, configured to provide information describing object-to-object routing within a network graph, according to an embodiment.

FIG. 4 is a hardware block diagram depicting a code compliance system, according to an embodiment.
`
`DETAILED DESCRIPTION
`
It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

The systems and methods described herein may be applicable to various systems, devices, networks, environments, layers, and the like, as well as cross-connections or multi-entity connections as may be established therebetween. The disclosed systems and methods may be applicable to provide support for various network features including, without limitation, application-layer communications, cloud-native constructs, cross-cloud and Kubernetes-to-cloud communications, third-party features, such as third-party containers and objects, container-management systems, such as Kubernetes, as may be virtualized as cloud objects, and the like, as well as any combination thereof.

FIG. 1A is an example diagram 100 of a cloud environment 103 utilized to describe the various embodiments. A cloud environment 103 represents an organization’s cloud-based resources, and the various connections between such resources. The cloud environment 103 may include a number of cloud computing platforms, 104-1 through 104-n (hereinafter, “cloud platforms” 104 or “cloud platform” 104), where a cloud platform may include multiple network objects, 105-1 through 105-n (hereinafter, “network objects” 105 or “network object” 105), one or more applications (collectively referred to as applications or apps 106), and the like, as well as any combination thereof. Further, the cloud environment may be configured to connect, via a network 108, with a cyber-security system 150 for one or more purposes including, without limitation, those described hereinbelow. As is applicable to the cloud platforms 104 and network objects 105, “n” is an integer having a value greater than or equal to two. Further, it may be understood that, while a single configuration of a cloud environment 103 is shown for purposes of simplicity, a cloud environment 103 may include various combinations of platforms 104, objects 105, applications 106, and the like, as well as any combination thereof, without loss of generality or departure from the scope of the disclosure.

A cloud platform 104 is a platform, architecture, or other, like, configuration providing for connectivity of the various objects 106, applications 106, and other, like, elements included in a cloud platform 104, as well as the execution of various processes, instructions, and the like. A cloud platform 104 may be a commercially-available cloud system, provided on a service basis, such as, as examples and without limitation, Amazon AWS®, Microsoft Azure®, and the like. A cloud platform 104 may be a private cloud, a public cloud, a hybrid cloud, and the like. In addition, a cloud platform 104 may include, without limitation, container orchestration or management systems or platforms such as, as an example and without limitation, a Kubernetes® deployment, and the like, as well as any combination thereof.

A cloud platform 104 may be implemented as a physical network of discrete, interconnected objects, and the like, a virtual network, providing for interconnection of various virtual systems and devices, as well as a hybrid physical-virtual network, including both physical and virtualized components. A cloud platform 104 may be, or may replicate or otherwise simulate or emulate, as examples, and without limitation, a local area network, a wide area network, the Internet, the World-Wide Web (WWW), and the like, as well as any combination thereof. Further, a cloud platform 104 may include one or more subnets, such as the subnets, 130, of FIG. 1B, below, wherein each subnet may be configured to serve as a cloud platform 104 for the various network objects which may be included in the subnet, while retaining the connectivity and functionalities provided by the cloud platform 104.

Network objects 105, as may be included in a cloud platform 104, are objects, systems, devices, components, applications, entities, and the like, configured to operate within the cloud platform 104 and provide various functionalities therein. Specifically, the network objects 105 may be objects configured to send, receive, or both send and receive, network data. The network objects 105 may be configured to connect with various other network objects 105, various external objects, and the like, as well as any combination thereof, for purposes including, without limitation, sending data, receiving data, monitoring data transmissions, monitoring network status and activity, and the like, as well as any combination thereof.

Examples of network objects 105, as may be relevant to the methods, processes, and descriptions provided herein include, without limitation, objects providing support for application-layer communications and systems, including application-layer communications and systems relevant to layer seven of the open systems interconnection (OSI) model. Further examples of network objects 105, relevant to the methods, processes, and descriptions provided herein, include, without limitation, cloud-native constructs, such as private endpoints, transit gateways, tag-based rulesets and objects configured to apply such rules, Kubernetes Istio and Calico services and applications, and the like. In addition, examples of network objects 105 may include, without limitation, third-party containers and images, such as Nginx, web-access firewall (WAF), and firewall implementations, multi-object or cross-object connections, such as cross-cloud connections and Kubernetes-to-cloud connections, as well as container managers, such as Kubernetes, and connections therewith. It may also be understood that network objects 105 may include other objects similar to those described hereinabove, as well as any combination thereof. As another example, network objects may include virtual entities, devices, and the like, to process layer-7 (application layer) traffic, such as objects relevant to Amazon AWS® layer seven services and applications, Amazon Load Balancer® (ALB) layer seven services and applications, Kubernetes ingress, and the like.

The network objects 105 may be configured to include one or more communication ports, where the included communication ports provide for connection of various objects according to one or more protocols, and at different communication layers of the OSI model.

In an example configuration, the network objects 105 are virtual entities or instances of systems, devices, or components, including virtual systems, devices, or components, or any combination thereof. Examples of network objects 105 include, without limitation, virtual networks, firewalls, network interface cards, proxies, gateways, containers, container management objects, virtual machines, subnets 130, hubs, virtual private networks (VPNs), and the like, as well as any combination thereof.

The applications 106, as may be executed in one or more cloud platforms 104, are services, processes, and the like, configured to provide one or more functionalities by execution of various commands and instructions. The applications 106 may be part of a software project of an enterprise or organization. The applications 160 may interact or communicate with other applications, regardless of the platform 104 in which the applications 106 are deployed. It should be understood that a single application, including the same application, may be both present and executed in multiple cloud platforms 104, including multiple cloud platforms 104 of the same cloud environment 103, without loss of generality or departure from the scope of the disclosure.

The network 108 is a communication system providing for the connection of the cloud environment 103, and its various components and sub-parts, with a cyber-security system 150, as well as other, like, systems, devices, and components, and any combination thereof. The network 108 may be implemented as a physical network of discrete systems, devices, components, objects, and the like, a virtual network, providing for interconnection of various virtual systems and devices, as well as a hybrid physical-virtual network, including both physical and virtualized components. The network 108 may be, as examples, and without limitation, a local area network, a wide area network, the Internet, the World-Wide Web (WWW), and the like, as well as any combination thereof.

The cyber-security system 150 is a system, device, or component, configured to provide one or more network analysis functionalities including, without limitation, network analysis, traffic analysis, object querying, graph generation, and the like, as well as any combination thereof. The cyber-security system 150 may be configured to execute one or more instructions, methods, processes, and the like, including, without limitation, the process described with respect to FIG. 2, other, like, processes, and any combination thereof.

The cyber-security system 150 may be configured as a physical system, device, or component, as a virtual system, device, or component, or in a hybrid physical-virtual configuration. A detailed description of a cyber-security system, 150, according to an embodiment, is provided with respect to FIG. 4, below. It may be understood that, while the cyber-security system 150 is depicted in FIG. 1A as a discrete element external to the cloud environment 103, the cyber-security system 150 may be included within any of the various elements of the network system 102, including the cloud environment 103, the various cloud platforms 104, and subparts thereof, and the network 108, without loss of generality or departure from the scope of the disclosure.

FIG. 1B is an example diagram depicting a network system 100 and various associated network and external objects, according to an embodiment. The depicted network system 100 includes a cloud platform 110, where the cloud platform 110 may be a cloud platform similar or identical to a cloud platform, 104, of FIG. 1A, above. The cloud platform 110 includes various subnets, 130-1 through 130-n (hereinafter, “subnets” 130 or “subnet” 130), and various network objects, 105-1 through 105-m (hereinafter, “network objects” 105 or “network object” 105). As applicable to the subnets 130, “n” is an integer having a value greater than or equal to two. Further, as applicable to the network objects 105, “m” is an integer having a value greater than or equal to five. In addition, while the network system 100 of FIG. 1B includes certain elements and combinations of elements, as well as connections therebetween, it may be understood that the depiction is provided for illustrative purposes, and that other, like, elements, combinations of elements, and connections therebetween may be implemented without loss of generality or departure from the scope of the disclosure. Other, like, network systems 100 may further include multiple cloud platforms 110, including variously-interconnected cloud platforms 110, and other, like, variations and configurations, without loss of generality or departure from the scope of the disclosure.

As described with respect to FIG. 1A, above, the cloud platform 110 is a platform, architecture, or other, like, configuration providing for connectivity of the various systems, devices, and components described with respect to FIG. 1B. The cloud platform 110 may be a commercially-available cloud system, provided on a service basis, such as, as examples and without limitation, Amazon AWS®, Microsoft Azure®, and the like. The cloud platform 110 may be a private cloud, a public cloud, a hybrid cloud, and the like. The cloud platform 110 may be implemented as a physical network of discrete, interconnected objects, and the like, a virtual network, providing for interconnection of various virtual systems and devices, as well as a hybrid physical-virtual network, including both physical and virtualized components. The cloud platform 110 may be, or may replicate or otherwise simulate or emulate, as examples, and without limitation, a local area network, a wide area network, the Internet, the World-Wide Web (WWW), and the like, as well as any combination thereof. Further, as described with respect to FIG. 1A, above, the cloud platform 110 may include one or more subnets 130, wherein each subnet 130 may be configured to serve as a cloud platform 110 for the various network objects 105 included in the subnet 130, while retaining the connectivities and functionalities provided by the cloud platform 110.

The cloud platform 110 may be configured to include an orchestrator 115. The orchestrator 115 is configured to provide for management of the cloud platform 110. The orchestrator 115 may be configured to provide one or more functionalities including, without limitation, monitoring of elements or components of the cloud platform 110, logging and reporting data relating to the cloud platform 110, managing cloud platform 110 updates and maintenance, generating cloud platform 110 alerts, as well as other, like, functionalities, and any combination thereof. The orchestrator 115 may be configured to report one or more data features related to the cloud platform 110, such as may be requested during the execution of network analysis processes, such as those described hereinbelow.

The network objects 105 are network objects similar or identical to those network objects, 105, of FIG. 1A, above. As described with respect to FIG. 1A, the network objects 105 are virtual entities or instances of systems, devices, or components, including virtual systems, devices, or components, or any combination thereof. Examples of network objects 105 include, without limitation, virtual networks, firewalls, network interface cards, proxies, gateways, containers, container management objects, virtual machines, subnets 130, hubs, virtual private networks (VPNs), peering connections, load balancers, route tables, and the like, as well as any combination thereof.

External objects, as may be adjacent or relevant to a cloud platform 110, are objects similar or identical to the network objects 105. The external objects may be configured to communicate with one or more network objects 105, with other, various, external objects, and the like, as well as any combination thereof.
`
FIG. 2 is an example flowchart 200 depicting a method for constructing a network graph for a network system, according to an embodiment.

At S210, network objects are identified, and network object data is collected. In one embodiment, network objects may be identified by querying a cloud platform, through, for example, an orchestrator (e.g., orchestrator 115, of FIG. 1B, above), and the like. In an embodiment, S210 may include submitting one or more requests to each cloud platform and collecting responses therefrom. The requests may include instructions directing the orchestrator to report information including, without limitation, the number of devices connected to or included in the cloud platform, the names of such devices, the types of such devices, other, like, information, and any combination thereof.

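The S210 querying described above, as an added example written for this page (it is not code from the patent or from Wiz). It shows the agentless, non-logging form of collection that the background contrasts with log-based approaches: only configuration API responses are read, with no agent on the objects and no netflow logs. The two platforms, their endpoints, page-token fields and response schemas (`FAKE_PAGES`), the `fake_transport`, `PlatformAdapter`, `paginate` and `collect_network_objects` names, and the uniform record shape are all constructed for the illustration and correspond to no real vendor API:

```python
"""Added illustration of S210: agentless, non-logging collection of network
object data by querying each cloud platform's API and normalising the replies.
Written for this page; the platforms, endpoints, response schemas and page
tokens are constructed and stand for no real vendor API."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Set

# A transport answers (endpoint, page_token) with one response page. Real code
# would send an authenticated HTTPS request; this one serves constructed pages
# from memory so the example runs offline.
Transport = Callable[[str, Optional[str]], dict]

FAKE_PAGES: Dict[str, List[dict]] = {            # constructed responses
    "platform-a/instances": [
        {"items": [{"instanceId": "i-1", "subnetId": "sn-1", "groups": ["sg-1"]}],
         "nextToken": "page-2"},
        {"items": [{"instanceId": "i-2", "subnetId": "sn-2", "groups": ["sg-2", "sg-3"]}],
         "nextToken": None},
    ],
    "platform-b/virtualMachines": [
        {"value": [{"name": "vm-x", "properties": {"subnet": "net-1", "nsg": "nsg-1"}}],
         "nextLink": None},
    ],
}

def fake_transport(endpoint: str, page_token: Optional[str]) -> dict:
    """Serve page 1 for no token, otherwise the page the token names."""
    pages = FAKE_PAGES[endpoint]
    index = 0 if page_token is None else int(page_token.split("-")[1]) - 1
    return pages[index]

@dataclass(frozen=True)
class PlatformAdapter:
    """What differs per platform: where to ask, how a page is shaped, and how
    to map a raw object onto the uniform record the graph stage consumes."""
    name: str
    endpoint: str
    items_key: str
    next_key: str
    normalize: Callable[[dict], dict]

def paginate(transport: Transport, adapter: PlatformAdapter) -> Iterator[dict]:
    """Walk every page of one endpoint, refusing to loop on a repeated token."""
    token: Optional[str] = None
    seen: Set[str] = set()
    while True:
        page = transport(adapter.endpoint, token)
        yield from page.get(adapter.items_key, [])
        token = page.get(adapter.next_key)
        if not token or token in seen:
            return
        seen.add(token)

def collect_network_objects(transport: Transport,
                            adapters: List[PlatformAdapter]) -> List[dict]:
    """S210: query each platform and return uniform network object records."""
    records: List[dict] = []
    for adapter in adapters:
        for raw in paginate(transport, adapter):
            record = adapter.normalize(raw)
            record["platform"] = adapter.name    # keep provenance of each object
            records.append(record)
    return records

# Normalisers for the two constructed schemas above.
def normalize_a(raw: dict) -> dict:
    return {"id": raw["instanceId"], "type": "vm", "subnet": raw["subnetId"],
            "security_groups": list(raw["groups"])}

def normalize_b(raw: dict) -> dict:
    props = raw["properties"]
    return {"id": raw["name"], "type": "vm", "subnet": props["subnet"],
            "security_groups": [props["nsg"]]}

ADAPTERS = [
    PlatformAdapter("platform-a", "platform-a/instances", "items", "nextToken", normalize_a),
    PlatformAdapter("platform-b", "platform-b/virtualMachines", "value", "nextLink", normalize_b),
]

if __name__ == "__main__":
    for rec in collect_network_objects(fake_transport, ADAPTERS):
        print(rec)
```

`paginate` remembers the tokens it has already followed and stops if an endpoint hands back a token twice, so a misbehaving API cannot turn the collection into an endless loop; each adapter's `normalize` maps its platform's field names onto one record shape so that the later graph-construction step does not need to know which platform an object came from.
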
In an embodiment, identification of network objects and collection of network object data at S210 includes querying each cloud platform, where such querying may include generation of one or more queries through an application programming interface (API), such as a REST API. Through the API, network objects’ identities and description data are provided in response to such API queries. API queries may be pre-configured data requests, specified in the API, and configured to cause, for example, an orchestrator to return the one or more data features described herein. API queries may be generated based on one or more APIs, or the like, including generic APIs, such as REST, as well as platform-specific APIs, where such platform-specific APIs may be configured to provide for one or more predefined interactions with a cloud platform, such as Amazon AWS®, Microsoft Azure®, and the like, where such predefined interactions may include, wit