Exhibit 2149
Wiz v. Orca
IPR2024-01109, -01190, -01191
Ex. 2149-001

Doc Code: TR.PROV
Document Description: Provisional Cover Sheet (SB16)

PTO/SB/16 (02-18)
Approved for use through 11/30/2020. OMB 0651-0032
U.S. Patent and Trademark Office: U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.

Entity Status
Applicant asserts small entity status under 37 CFR 1.27 or applicant certifies micro entity status under 37 CFR 1.29

(X) Applicant asserts small entity status under 37 CFR 1.27

( ) Applicant certifies micro entity status under 37 CFR 1.29. Applicant must attach form PTO/SB/15A or B or equivalent.

Warning

Petitioner/applicant is cautioned to avoid submitting personal information in documents filed in a patent application that may contribute to identity theft. Personal information such as social security numbers, bank account numbers, or credit card numbers (other than a check or credit card authorization form PTO-2038 submitted for payment purposes) is never required by the USPTO to support a petition or an application. If this type of personal information is included in documents submitted to the USPTO, petitioners/applicants should consider redacting such personal information from the documents before submitting them to the USPTO. Petitioner/applicant is advised that the record of a patent application is available to the public after publication of the application (unless a non-publication request in compliance with 37 CFR 1.213(a) is made in the application) or issuance of a patent. Furthermore, the record from an abandoned application may also be available to the public if the application is referenced in a published application or an issued patent (see 37 CFR 1.14). Checks and credit card authorization forms PTO-2038 submitted for payment purposes are not retained in the application file and therefore are not publicly available.

Signature

Please see 37 CFR 1.4(d) for the form of the signature.

Signature Date (YYYY-MM-DD) pors-o12|01-28Michael Ben-Shimon/

First Name fer-stimon|fer-stimon|Registration Number feo|(If appropriate)Last Name

This collection of information is required by 37 CFR 1.51. The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.11 and 1.14. This collection is estimated to take 8 hours to complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. This form can only be used in conjunction with EFS-Web. If this form is mailed to the USPTO, it may cause delays in handling the provisional application.

EFS - Web 1.0.2

Ex. 2149-002

Privacy Act Statement

The Privacy Act of 1974 (P.L. 93-579) requires that you be given certain information in connection with your submission of the attached form related to a patent application or patent. Accordingly, pursuant to the requirements of the Act, please be advised that: (1) the general authority for the collection of this information is 35 U.S.C. 2(b)(2); (2) furnishing of the information solicited is voluntary; and (3) the principal purpose for which the information is used by the U.S. Patent and Trademark Office is to process and/or examine your submission related to a patent application or patent. If you do not furnish the requested information, the U.S. Patent and Trademark Office may not be able to process and/or examine your submission, which may result in termination of proceedings or abandonment of the application or expiration of the patent.

The information provided by you in this form will be subject to the following routine uses:

1. The information on this form will be treated confidentially to the extent allowed under the Freedom of Information Act (5 U.S.C. 552) and the Privacy Act (5 U.S.C. 552a). Records from this system of records may be disclosed to the Department of Justice to determine whether disclosure of these records is required by the Freedom of Information Act.

2. A record from this system of records may be disclosed, as a routine use, in the course of presenting evidence to a court, magistrate, or administrative tribunal, including disclosures to opposing counsel in the course of settlement negotiations.

3. A record in this system of records may be disclosed, as a routine use, to a Member of Congress submitting a request involving an individual, to whom the record pertains, when the individual has requested assistance from the Member with respect to the subject matter of the record.

4. A record in this system of records may be disclosed, as a routine use, to a contractor of the Agency having need for the information in order to perform a contract. Recipients of information shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).

5. A record related to an International Application filed under the Patent Cooperation Treaty in this system of records may be disclosed, as a routine use, to the International Bureau of the World Intellectual Property Organization, pursuant to the Patent Cooperation Treaty.

6. A record in this system of records may be disclosed, as a routine use, to another federal agency for purposes of National Security review (35 U.S.C. 181) and for review pursuant to the Atomic Energy Act (42 U.S.C. 218(c)).

7. A record from this system of records may be disclosed, as a routine use, to the Administrator, General Services, or his/her designee, during an inspection of records conducted by GSA as part of that agency's responsibility to recommend improvements in records management practices and programs, under authority of 44 U.S.C. 2904 and 2906. Such disclosure shall be made in accordance with the GSA regulations governing inspection of records for this purpose, and any other relevant (i.e., GSA or Commerce) directive. Such disclosure shall not be used to make determinations about individuals.

8. A record from this system of records may be disclosed, as a routine use, to the public after either publication of the application pursuant to 35 U.S.C. 122(b) or issuance of a patent pursuant to 35 U.S.C. 151. Further, a record may be disclosed, subject to the limitations of 37 CFR 1.14, as a routine use, to the public if the record was filed in an application which became abandoned or in which the proceedings were terminated and which application is referenced by either a published application, an application open to public inspection or an issued patent.

9. A record from this system of records may be disclosed, as a routine use, to a Federal, State, or local law enforcement agency, if the USPTO becomes aware of a violation or potential violation of law or regulation.

Ex. 2149-003

ORCA P1414P

TECHNIQUES FOR SECURING VIRTUAL MACHINES

TECHNICAL FIELD

[001] This disclosure relates generally to cyber-security systems and, more specifically, to techniques for securing virtual machines.

BACKGROUND

[002] Organizations have increasingly adapted their applications to be run from multiple cloud computing platforms. Some leading public cloud service providers include Amazon®, Microsoft®, Google®, and the like.

[003] Virtualization plays a key role in cloud computing, allowing multiple applications and users to share the same cloud computing infrastructure. For example, a cloud storage service can maintain data of multiple different users.

[004] In one instance, virtualization can be achieved by means of virtual machines. A virtual machine emulates a number of “computers” or instances, all within a single physical device. In more detail, virtual machines provide the ability to emulate a separate operating system (OS), also referred to as a guest OS, and therefore a separate computer, from an existing OS (the host). This independent instance is typically isolated as a completely standalone environment.

[005] Modern virtualization technologies are also adopted by cloud computing platforms. Examples of such technologies include virtual machines, software containers and serverless functions. With their computing advantages, applications and virtual machines running on top of virtualization technologies are also vulnerable to some cyber threats. For example, virtual machines can execute vulnerable software applications or infected operating systems.

[006] Protection of a cloud computing infrastructure, and particularly of virtual machines, can be achieved via inspection of traffic. Traditionally, traffic inspection is performed by a network device connected between a client and a server (deployed in a cloud computing platform or a data center) hosting virtual machines. Traffic inspection may not provide an accurate indication of the security status of the server due to inherent limitations, such as encryption and whether the necessary data is exposed in the communication. Furthermore, inspecting computing infrastructure may be performed by a network

Page 1 of 15

Ex. 2149-004

scanner deployed out of path. The scanner queries the server to determine if the server executes an application that poses a security threat, such as a vulnerability in it. The disadvantage of such a scanner is that the server may not respond to all queries by the scanner, or may not expose the necessary data in the response. Further, the network scanner usually communicates with the server, and the network configuration may prevent it. In addition, some types of queries may require credentials to access the server. Such credentials may not be available to the scanner.

[007] Traffic inspection may also be performed by a traffic monitor that listens to traffic flows between clients and the server. The traffic monitor can detect some cyber threats, e.g., based on the volume of traffic. However, the monitor can detect threats only based on the monitored traffic. For example, misconfiguration of the server may not be detected by the traffic monitor. As such, traffic monitoring does not allow detection of vulnerabilities in software executed by the server.

[008] To overcome the limitations of traffic inspection solutions, some cyber-security solutions, such as vulnerability management and security assessment solutions, are based on agents installed in each server in a cloud computing platform or data center. Using agents is a cumbersome solution for a number of reasons, including IT resources management, governance, and performance. For example, installing agents in a large data center may take months.

[009] It would therefore be advantageous to provide a security solution that would overcome the deficiencies noted above.

BRIEF DESCRIPTION OF THE DRAWINGS

[0010] The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

[0011] Figures 1A and 1B are network diagrams utilized to describe the various embodiments.

[0012] Figure 2 is a flowchart illustrating a method for detecting cyber threats including potential vulnerabilities in virtual machines executed in a cloud computing platform according to some embodiments.

Page 2 of 15

Ex. 2149-005

[0013] Figure 3 is an example block diagram of the security system according to an embodiment.

DETAILED DESCRIPTION

[0014] It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts throughout several views.

[0015] Figs. 1A and 1B show an example network diagram 100 utilized to describe the various embodiments. A cloud computing platform 110 is communicably connected to a network 120. Examples of the cloud computing platform 110 may include, but are not limited to, AWS® by Amazon®, Microsoft Azure®, Google Cloud by Google®, and the like. The network 120 may be the Internet, the world-wide-web (WWW), a local area network (LAN), a wide area network (WAN), and other networks.

[0016] The arrangement of the example cloud computing platform 110 is shown in Fig. 1B. As illustrated, the platform 110 includes a server 115 and a storage 117, serving as the storage space for the server 115. The server 115 is a physical device hosting at least one virtual machine (VM) 119. The storage 117 emulates virtual discs for the VMs executed by the server 115. The storage 117 is typically connected to the server 115 through a high-speed connection, such as optic fiber, allowing fast retrieval of data. In other configurations, the storage 117 may be part of the server 115. In the example illustrated in Fig. 1B, virtual disc 118-1 is allocated for the VM 119. The server 115, and hence the VM 119, may be executed in a client environment 130 within the platform 110.

[0017] The client environment 130 is an environment within the cloud computing platform 110 utilized to execute cloud-hosted applications of the client. A client may belong to a specific tenant. In some example embodiments, the client environment 130 may be part of a virtualized environment or on-premises virtualization solutions, such as a VMware® based solution.

Page 3 of 15

Ex. 2149-006

[0018] Also deployed in the cloud computing platform 110 is a security system 140 configured to perform the various disclosed embodiments. In some embodiments, the system 140 may be part of the client environment 130. In an embodiment, the security system 140 may be realized as a physical machine configured to execute a plurality of virtual instances, such as, but not limited to, virtual machines. In yet another embodiment, the security system 140 may be realized as a virtual machine executed by a host server. Such a host server is a physical machine (device) and may be either the server 115, a dedicated server, a different shared server, or another virtualization-based compute entity, such as serverless functions.

[0019] In an embodiment, the interface between the client environment 130 and the security system 140 can be realized using APIs or services provided by the cloud computing platform 110. For example, in AWS, a cross-account policy service can be utilized to allow interfacing the client environment 130 with the security system 140.

[0020] In the deployment illustrated in Fig. 1, the configuration of resources of the cloud computing platform 110 is performed by means of the management console 150. As such, the management console 150 may be queried on the current deployment and settings of resources in the cloud computing platform 110. Specifically, the management console 150 may be queried, by the security system 140, about the location (e.g., virtual address) of the virtual disc 118-1 in the storage 117. The system 140 is configured to interface with the management console 150 through, for example, an API.

[0021] In some example embodiments, the security system 140 may further interface with the cloud computing platform 110 and external systems 170. The external systems may include intelligence systems, security information and event management (SIEM) systems, and mitigation tools. The external intelligence systems may include common vulnerabilities and exposures (CVE®) databases, reputation services, security systems (providing feeds on discovered threats), and so on. The information provided by the intelligence systems may be used to detect certain known vulnerabilities identified in, for example, a CVE database.

[0022] According to the disclosed embodiments, the security system 140 is configured to detect vulnerabilities and other cyber threats related to the execution of VM 119. The detection is performed while the VM 119 is live, without using any agent installed in the

Page 4 of 15

Ex. 2149-007

server 115 or the VM 119, and without relying on cooperation from the VM 119 guest OS. Specifically, the security system 140 can scan and detect vulnerable software, non-secure configuration, exploitation attempts, compromised assets, data leaks, data mining, and so on. The security system 140 may be further utilized to provide security services, such as incident response, anti-ransomware, and cyber insurance, by assessing the security posture.

[0023] In some embodiments, the security system 140 is configured to query the cloud management console 150 for the address of the virtual disc 118-1 serving the VM 119 and a location of the snapshot. Then, a snapshot of the VM 119, as saved from the virtual disk 118-1, is accessed by the system 140. In an embodiment, the VM’s 119 snapshot may be copied to the system 140. If such a snapshot does not exist, the system 140 may take a new snapshot, or request such an action. The snapshots may be taken at a predefined schedule or upon predefined events (e.g., a network event or abnormal event). Further, the snapshots may be accessed or copied at a predefined schedule or upon predefined events. It should be noted that when the snapshot is taken or copied, the VM 119 still runs. It should be noted that the snapshot of the virtual disk 118-1 may not necessarily be stored in the storage 117, but for ease of the discussion it is assumed that the snapshot is saved in the storage 117. It should be further noted that the snapshot is accessed without cooperation of the guest (virtual) OS of the virtual machine.

[0024] The snapshot is parsed and analyzed by the security system 140 to detect vulnerabilities. This analysis of the snapshot does not require any interaction and/or information from the VM 119. As further demonstrated herein, the analysis of the snapshot by the system 140 does not require any agent installed on the server 115 or VM 119.

[0025] Various techniques can be utilized to analyze the snapshots, and these depend on the type of vulnerability and cyber threats to be detected. Following are some example embodiments of techniques that may be implemented by the security system 140.

[0026] In an embodiment, the security system 140 is configured to detect whether there is vulnerable code executed by the VM 119. To this end, the security system 140 is configured to match the installed application list with their respective versions to a known list of vulnerable applications. Further, the security system 140 may be configured to match

Page 5 of 15

Ex. 2149-008

the application files, either directly (using binary comparison) or by computing a cryptographic hash against a database of files in vulnerable applications. The matching may also be on sub-modules of an application. Alternatively, the security system 140 may read installation logs of package managers used to install the packages of the application.
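The three matching approaches paragraph [0026] describes (installed package list against a vulnerable-version table, file hashes against a database of files from vulnerable builds, and package-manager install logs) can all be run over a mounted snapshot without touching the guest. The Python below is an added illustration, not Orca's code or anything from the exhibit; the dpkg-style status text, the vulnerable-version table, the file bytes, the hash database and the apt-style history excerpt are all constructed for the example, and the `openssl`/`nginx`/`libexample` versions are hypothetical.

```python
import hashlib
import re

# Constructed excerpt of a dpkg "status" database as it might be read from a
# mounted snapshot of the virtual disk (hypothetical package names/versions).
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.0.1e-2

Package: nginx
Status: install ok installed
Version: 1.18.0-6

Package: libexample
Status: deinstall ok config-files
Version: 2.0.0-1
"""

# Constructed "known vulnerable" table: package -> affected versions.
VULNERABLE_VERSIONS = {
    "openssl": {"1.0.1e-2"},
    "libexample": {"2.0.0-1"},
}


def parse_dpkg_status(text):
    """Return {package: version} for packages whose status says they are
    actually installed; a package left in 'config-files' state is not."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key] = value
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def match_vulnerable_packages(installed, vulnerable):
    """Installed (package, version) pairs that appear in the vulnerable table."""
    return sorted((pkg, ver) for pkg, ver in installed.items()
                  if ver in vulnerable.get(pkg, set()))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for application files found on the virtual disk.
DISK_FILES = {
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0": b"\x7fELF constructed libssl bytes",
    "/usr/sbin/nginx": b"\x7fELF constructed nginx bytes",
}

# Constructed hash database: digest of a file from a vulnerable build -> label.
VULNERABLE_FILE_HASHES = {
    sha256_hex(b"\x7fELF constructed libssl bytes"): "openssl 1.0.1e (constructed entry)",
}


def match_vulnerable_files(files, hash_db):
    """Hash every file and report those whose digest is in the database. This
    catches vulnerable binaries even when package metadata is missing or wrong,
    e.g. software installed outside the package manager."""
    return [(path, hash_db[sha256_hex(content)])
            for path, content in files.items()
            if sha256_hex(content) in hash_db]


# Constructed apt history excerpt (line shapes modelled on apt's history.log).
APT_HISTORY = """\
Start-Date: 2020-01-10  12:00:01
Commandline: apt-get install openssl
Install: openssl:amd64 (1.0.1e-2)
End-Date: 2020-01-10  12:00:05
"""
INSTALL_RE = re.compile(r"^Install: (\S+?):\S+ \(([^),]+)", re.M)


def installs_from_apt_history(text):
    """{package: version} recorded by the package manager's install log."""
    return dict(INSTALL_RE.findall(text))


def scan_snapshot(status_text=DPKG_STATUS, files=DISK_FILES, history=APT_HISTORY):
    """Combine the three evidence sources the way a snapshot scanner would."""
    installed = parse_dpkg_status(status_text)
    return {
        "vulnerable_packages": match_vulnerable_packages(installed, VULNERABLE_VERSIONS),
        "vulnerable_files": match_vulnerable_files(files, VULNERABLE_FILE_HASHES),
        "logged_installs": installs_from_apt_history(history),
    }


if __name__ == "__main__":
    for key, value in scan_snapshot().items():
        print(key, value)
```

The point of the status parser is the `Status` check: `libexample` has a vulnerable version recorded but is in the `config-files` state (removed, configuration left behind), so it must not be reported as installed. The hash match is independent of that metadata, which is why the two checks complement each other.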

[0027] In yet another embodiment, the security system 140 is configured to verify whether the vulnerability is relevant to the VM 119. For example, if a vulnerable version or module is not in use, the priority of that issue is reduced dramatically.

[0028] To this end, the security system 140 may be configured to check the configuration files of the applications and operating system of the VM 119; verify access times to files by the operating system; and analyze the active application and/or system logs in order to deduce what applications and modules are running.

[0029] In yet another embodiment, the security system 140 may instantiate a copy of the VM 119 or a subset of applications of the VM 119 on the server 115 or a separate server and monitor all activity performed by the instance of the VM. The execution of the instance of the VM is in an isolated sandbox, which can be a full VM or a subset of it, such as Docker.

[0030] In order to determine if the vulnerability is relevant to the VM 119, the security system 140 is configured to analyze the machine memory, as reflected in the page file. The page file is saved in the snapshot and extends how much system-committed memory (also known as “virtual memory”) a system can back. In an embodiment, analyzing the page file allows deducing the applications and modules run by the VM 119.

[0031] In an embodiment, the security system 140 is configured to read process identification number (PID) files and check their access or write times, which are matched against process descriptors. The PID can be used to deduce which processes are running, and hence the priority of vulnerabilities detected in processes existing on the disk. It should be noted that the PID files are also maintained in the snapshot.
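Paragraphs [0028] and [0031] both turn on the same idea: a snapshot carries no live process table, so whether a vulnerable program or module is actually in use has to be inferred from on-disk evidence (PID file timestamps relative to the snapshot time, configuration that enables a module, log lines naming a process), and the priority of a finding is then lowered when that evidence is absent. The Python below is an added example of that inference, not Orca's code; it builds a miniature guest tree in a temporary directory with constructed files and timestamps, and the `nginx`/`postgresql` findings, the one-hour freshness window and the two-level downgrade are all assumptions of the example.

```python
import os
import tempfile
from pathlib import Path

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LEVELS = {v: k for k, v in SEVERITY.items()}


def build_constructed_snapshot(root, snapshot_time):
    """Lay out a tiny guest file tree standing in for a mounted snapshot.
    Timestamps are set relative to the (constructed) snapshot time."""
    for sub in ("var/run", "etc/nginx", "var/log"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    # nginx: PID file touched a minute before the snapshot -> evidence it was running
    nginx_pid = root / "var/run/nginx.pid"
    nginx_pid.write_text("1234\n")
    os.utime(nginx_pid, (snapshot_time - 60, snapshot_time - 60))
    (root / "etc/nginx/nginx.conf").write_text(
        "load_module modules/ngx_http_image_filter_module.so;\n"
        "# load_module modules/ngx_http_geoip_module.so;\n")
    # postgresql: stale PID file from thirty days before the snapshot
    pg_pid = root / "var/run/postgresql.pid"
    pg_pid.write_text("777\n")
    os.utime(pg_pid, (snapshot_time - 30 * 86400, snapshot_time - 30 * 86400))
    (root / "var/log/syslog").write_text(
        "Jan 10 12:00:00 host nginx[1234]: started\n"
        "Jan 10 12:00:01 host sshd[900]: Server listening on 0.0.0.0 port 22.\n")


def running_from_pid_files(root, snapshot_time, max_age=3600):
    """Services whose PID file was accessed or written within max_age seconds
    of the snapshot are taken as running; older PID files are treated as stale."""
    running = set()
    for pidfile in (root / "var/run").glob("*.pid"):
        st = pidfile.stat()
        if snapshot_time - max(st.st_atime, st.st_mtime) <= max_age:
            running.add(pidfile.stem)
    return running


def running_from_logs(root):
    """Process names that logged activity (syslog 'name[pid]:' field)."""
    names = set()
    for line in (root / "var/log/syslog").read_text().splitlines():
        fields = line.split()
        if len(fields) > 4 and "[" in fields[4]:
            names.add(fields[4].split("[")[0])
    return names


def loaded_nginx_modules(conf_text):
    """Modules enabled through uncommented load_module directives."""
    return {line.split()[1].rstrip(";").split("/")[-1]
            for line in conf_text.splitlines()
            if line.strip().startswith("load_module")}


def prioritize(findings, running, loaded_modules):
    """Downgrade findings whose process is not running or whose module is not loaded."""
    out = []
    for f in findings:
        level = SEVERITY[f["severity"]]
        in_use = f["process"] in running and (
            f.get("module") is None or f["module"] in loaded_modules)
        if not in_use:
            level = max(1, level - 2)
        out.append({**f, "priority": LEVELS[level], "in_use": in_use})
    return out


def analyze_constructed_snapshot(snapshot_time=1_600_000_000):
    """Build the constructed tree, gather the evidence and re-rank three findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_snapshot(root, snapshot_time)
        running = running_from_pid_files(root, snapshot_time) | running_from_logs(root)
        modules = loaded_nginx_modules((root / "etc/nginx/nginx.conf").read_text())
        findings = [  # constructed output of an earlier vulnerable-version match
            {"process": "nginx", "module": "ngx_http_image_filter_module.so", "severity": "high"},
            {"process": "nginx", "module": "ngx_http_geoip_module.so", "severity": "high"},
            {"process": "postgresql", "module": None, "severity": "critical"},
        ]
        return {"running": running, "modules": modules,
                "findings": prioritize(findings, running, modules)}


if __name__ == "__main__":
    print(analyze_constructed_snapshot())
```

Two caveats a practitioner would keep in mind: access times are only meaningful if the guest mounts its disk with them enabled (many mount with `noatime` or `relatime`), and a stale PID file is evidence of absence only together with the other sources, which is why the example unions the log-derived names with the PID-derived ones before ranking.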

[0032] In yet another embodiment, the security system 140 is configured to detect cyber threats that do not represent vulnerabilities. For example, the security system 140 may detect and alert on sensitive data not being encrypted on the logical disk, private keys found on the disks, system credentials stored in the clear on the disk, risky application features (e.g., support of weak cipher suites or authentication methods), weak passwords, weak encryption schemes, a disabled address space layout randomization (ASLR) feature,

Page 6 of 15

Ex. 2149-009

suspicious manipulation of a boot record, suspicious PATH, LD_LIBRARY_PATH, or LD_PRELOAD definitions, services running on startup, and the like.
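Several of the non-vulnerability checks in paragraph [0032] are plain content and configuration inspection of the mounted disk: PEM private keys, loader overrides (`/etc/ld.so.preload`, `LD_PRELOAD`, and `PATH`-like variables that include a world-writable directory), ASLR turned off in the persisted sysctl configuration, and weak SSH ciphers. The Python below is an added example of such checks and is not Orca's code; the file contents are constructed placeholders (the key bodies are not real keys), and the choice of `kernel.randomize_va_space` as the ASLR setting and of the legacy OpenSSH cipher names as "weak" are assumptions of the example.

```python
import re

# Constructed guest files (path -> text) as they might be read from a mounted
# snapshot. Paths and contents are hypothetical; key bodies are placeholder text.
SNAPSHOT_FILES = {
    "/etc/ssl/private/server.key":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
    "/etc/ssl/private/backup.key":
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIconstructed\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "/home/app/.ssh/id_ed25519":
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt\n-----END OPENSSH PRIVATE KEY-----\n",
    "/etc/ld.so.preload": "/opt/unknown/libhook.so\n",
    "/etc/environment": "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin\nLD_PRELOAD=/opt/unknown/libhook.so\n",
    "/etc/profile": "export LD_LIBRARY_PATH=/usr/lib\nexport PATH=$PATH:/tmp\n",
    "/etc/sysctl.conf": "net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 0\n",
    "/etc/ssh/sshd_config": "Ciphers 3des-cbc,aes128-ctr\nPasswordAuthentication yes\n",
}

PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")
ENV_ASSIGN = re.compile(r"^\s*(?:export\s+)?(PATH|LD_LIBRARY_PATH|LD_PRELOAD)=(.*)$", re.M)
ASLR_SYSCTL = re.compile(r"^\s*kernel\.randomize_va_space\s*=\s*(\d)", re.M)
WEAK_SSH_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}
UNSAFE_PATH_DIRS = {"", ".", "/tmp"}   # entries any local user can populate


def find_private_keys(files):
    """Private keys stored on the disk; an unencrypted PEM body rates higher.
    (An OpenSSH key may carry its own passphrase; the header alone cannot tell.)"""
    out = []
    for path, text in files.items():
        m = PEM_HEADER.search(text)
        if m:
            encrypted = "ENCRYPTED" in m.group(1)
            out.append(("private-key-on-disk", path, "medium" if encrypted else "high"))
    return out


def find_loader_overrides(files):
    """ld.so.preload entries, LD_PRELOAD definitions, and PATH-like variables
    that include a directory any user can write to."""
    out = []
    for path, text in files.items():
        if path == "/etc/ld.so.preload":
            out += [("ld.so.preload", path, "high") for _ in text.split()]
        for var, value in ENV_ASSIGN.findall(text):
            if var == "LD_PRELOAD":
                out.append(("ld-preload-defined", path, "high"))
            elif UNSAFE_PATH_DIRS & set(value.split(":")):
                out.append(("unsafe-" + var.lower(), path, "medium"))
    return out


def find_weak_settings(files):
    """ASLR disabled in the persisted sysctl configuration, and weak SSH ciphers."""
    out = []
    m = ASLR_SYSCTL.search(files.get("/etc/sysctl.conf", ""))
    if m and m.group(1) == "0":
        out.append(("aslr-disabled", "/etc/sysctl.conf", "medium"))
    for line in files.get("/etc/ssh/sshd_config", "").splitlines():
        if line.startswith("Ciphers"):
            weak = WEAK_SSH_CIPHERS & set(line.split(None, 1)[1].split(","))
            if weak:
                out.append(("weak-ssh-ciphers:" + ",".join(sorted(weak)),
                            "/etc/ssh/sshd_config", "medium"))
    return out


def scan_disk(files):
    """All (check, path, severity) findings for one snapshot's files."""
    return find_private_keys(files) + find_loader_overrides(files) + find_weak_settings(files)


if __name__ == "__main__":
    for finding in scan_disk(SNAPSHOT_FILES):
        print(*finding)
```

Because the input is a snapshot rather than the running guest, the sysctl check reports the persisted boot-time setting, not the value currently in the kernel; a practitioner would treat it as configuration drift evidence and confirm at runtime where that is possible.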

[0033] In an embodiment, the security system 140 may further monitor for changes in sensitive machine areas, and alert on unexpected changes (e.g., an added or changed application file without installation). In an example embodiment, this can be achieved by computing a cryptographic hash of the sensitive areas in the virtual disk and checking for differences over time.
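The change monitoring in paragraph [0033] amounts to a hash manifest of the sensitive areas, a diff between the manifests of two snapshots, and a rule that a change is only "unexpected" when no recorded installation accounts for it. The Python below is an added example of that pipeline, not Orca's code; the two sets of file contents, the list of sensitive prefixes and the package-manager install record (modelled on the per-package file list a package manager keeps) are all constructed.

```python
import hashlib

# Areas of the virtual disk treated as sensitive (an assumption of the example).
SENSITIVE_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/etc/", "/boot/")


def build_manifest(files):
    """path -> SHA-256 for every file inside a sensitive area."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in files.items() if path.startswith(SENSITIVE_PREFIXES)}


def diff_manifests(baseline, current):
    """Added, removed and modified paths between two snapshots' manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def unexplained_changes(diff, install_records):
    """Changes not accounted for by a package installation recorded between the
    two snapshots; these are the ones worth an alert."""
    explained = {p for paths in install_records.values() for p in paths}
    return {kind: [p for p in paths if p not in explained] for kind, paths in diff.items()}


# Constructed contents of the disk at two points in time.
BASELINE_FILES = {
    "/usr/sbin/sshd": b"\x7fELF constructed sshd v1",
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1": b"\x7fELF constructed libssl 1.1.1d",
    "/etc/motd": b"welcome\n",
    "/var/log/syslog": b"old log\n",   # outside the monitored areas
}
CURRENT_FILES = {
    "/usr/sbin/sshd": b"\x7fELF constructed sshd v1 with an extra section",   # changed, no install record
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1": b"\x7fELF constructed libssl 1.1.1k",  # upgraded via the package manager
    "/etc/cron.d/nightly": b"0 3 * * * root /opt/job.sh\n",                   # new file, no install record
    "/var/log/syslog": b"old log\nnew line\n",
}
# Constructed package-manager record of what was installed between the snapshots.
INSTALL_RECORDS = {
    "libssl1.1": ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1"],
}


def compare_constructed_snapshots():
    """Diff the two constructed snapshots and keep only unexplained changes."""
    diff = diff_manifests(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES))
    return diff, unexplained_changes(diff, INSTALL_RECORDS)


if __name__ == "__main__":
    full_diff, alerts = compare_constructed_snapshots()
    print("all changes:", full_diff)
    print("unexplained:", alerts)
```

The log file changes between the snapshots but is outside the monitored prefixes, so it never enters the manifest; the library upgrade is a real change but is explained by the install record, leaving the modified `sshd` binary, the new cron entry and the removed file as the alerts.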

[0034] In some embodiments, all detected cyber threats (including vulnerabilities) are reported to a user console 180 and/or a security information and event management (SIEM) system (not shown). The reported cyber threats may be filtered or prioritized based in part on their determined risk. Further, the reported cyber threats may be filtered or prioritized based in part on the risk level of the machine. This also serves to reduce the number of alerts reported to the user.

[0035] In an embodiment, any detected cyber threat related to sensitive data (including personally identifiable information, PII) is reported at a higher priority. In an embodiment, such data is determined by searching for the PII, analyzing the application logs to determine whether the machine accessed PII or PII-containing servers, or whether the logs themselves contain PII, and searching the machine memory, as reflected in the page file, for PII.

[0036] In an embodiment, the security system 140 may determine the risk of the VM 119 based on communication with an untrusted network. This can be achieved by analyzing the VM’s 119 logs as saved in the virtual disk, which can be derived from the snapshot.

[0037] In an example embodiment, the security system 140 may cause the execution of one or more mitigation actions. Examples of such actions may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like. The mitigation actions may be performed by a mitigation tool and not by the system 140.

[0038] It should be noted that the example implementation shown in Fig. 1 is described with respect to a single cloud computing platform 110 hosting a single VM 119 in a single server 115, merely for simplicity purposes and without limitation on the disclosed embodiments. Typically, virtual machines are deployed and executed in a single cloud computing platform or data center and may be protected without departing from the scope

Page 7 of 15

Ex. 2149-010

of the disclosure. It should be further noted that the disclosed embodiments can operate using multiple security systems 140, each of which may operate in a different client environment.

[0039] Fig. 2 shows an example flowchart 200 illustrating a method for detecting cyber threats including potential vulnerabilities in virtual machines executed in a cloud computing platform according to some embodiments. The method may be performed by the security system 140.

[0040] At S210, a request, for example, to scan a VM for vulnerabilities is received. The request may be received, or otherwise triggered, every predefined time interval or upon detection of an external event. The request may at least designate an identifier of the VM to be scanned.

[0041] At S220, a location of a snapshot of a virtual disk of the VM to be scanned is determined. In an embodiment, S220 may include determining the virtual disk allocated for the VM, prior to determining the location of the snapshot. As noted above, this can be achieved by querying a cloud management console.

[0042] At S230, a snapshot of the virtual disk is accessed, or otherwise copied.

[0043] At S240, the snapshot is analyzed to detect cyber threats and potential vulnerabilities. In an embodiment, S240 may include comparing the snapshot to some baseline (e.g., a list of applications, previous snapshots), analyzing logs of the VMs, instantiating a copy of the VM and executing the instance or applications executed by the VM in a sandbox, analyzing the machine memory, as reflected in the page file, or any combination of these techniques. Some example embodiments for analyzing the snapshots and the types of detected vulnerabilities and threats are provided above.

[0044] At S250, the detected threats and vulnerabilities are reported, for example, as alerts. In an embodiment, S250 may include filtering and prioritizing the reported alerts.

[0045] At optional S260, a mitigation action may be triggered to mitigate a detected threat or vulnerability. A mitigation action may be executed by a mitigation tool and triggered by the system 140. Such an action may include blocking traffic from untrusted networks, halting the operation of the VM, quarantining an infected VM, and the like.
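Steps S210 through S260 of Fig. 2, together with the prioritization rules of paragraphs [0034] through [0036] (PII findings and high-risk machines rank higher, low-priority findings are filtered, contact with an untrusted network raises the machine's risk), form one pipeline. The Python below is an added end-to-end example of that pipeline and is not Orca's code: the management console and the mitigation tool are constructed stand-ins (a real console would be reached through the platform's API, as paragraph [0020] notes), the `storage-117://` locator format, the severity scale, the thresholds, the SSN-shaped PII pattern and the use of the 203.0.113.0/24 documentation range as an "untrusted" network are all assumptions of the example.

```python
import re

# Constructed patterns and lists; a real deployment would use proper PII
# classifiers and a threat-intelligence feed for untrusted networks.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CONN_RE = re.compile(r"connected to (\d+\.\d+\.\d+\.\d+)")
UNTRUSTED_PREFIXES = ("203.0.113.",)   # documentation range, standing in for an untrusted list


class FakeManagementConsole:
    """Constructed stand-in for management console 150: knows which virtual disk
    backs a VM and where that disk's snapshot is, and returns a copy of the
    snapshot's files while the VM keeps running."""

    def __init__(self, vm_disks, disk_contents):
        self.vm_disks = vm_disks
        self.disk_contents = disk_contents
        self.snapshots = {}   # disk id -> snapshot location
        self.created = []

    def disk_for_vm(self, vm_id):
        return self.vm_disks[vm_id]

    def snapshot_location(self, disk_id):
        return self.snapshots.get(disk_id)

    def create_snapshot(self, disk_id):
        location = f"storage-117://{disk_id}/snap-{len(self.created) + 1}"   # constructed locator
        self.snapshots[disk_id] = location
        self.created.append(location)
        return location

    def read_snapshot(self, location):
        disk_id = location.split("//")[1].split("/")[0]
        return dict(self.disk_contents[disk_id])


class RecordingMitigationTool:
    """Constructed stand-in for an external mitigation tool; only records requests."""

    def __init__(self):
        self.actions = []

    def quarantine(self, vm_id):
        self.actions.append(("quarantine", vm_id))


def locate_snapshot(console, vm_id):
    """S220: disk for the VM, then its snapshot; take one if none exists ([0023])."""
    disk_id = console.disk_for_vm(vm_id)
    return console.snapshot_location(disk_id) or console.create_snapshot(disk_id)


def analyze(files):
    """S240 (reduced to two content checks); severity is 1-4, pii marks sensitive data."""
    findings = []
    for path, text in files.items():
        if PEM_RE.search(text):
            findings.append({"type": "private-key", "path": path, "severity": 4, "pii": False})
        if SSN_RE.search(text):
            findings.append({"type": "pii-in-file", "path": path, "severity": 2, "pii": True})
    return findings


def machine_risk(files):
    """[0036]: logged contact with an untrusted network raises the VM's risk level."""
    for text in files.values():
        if any(ip.startswith(UNTRUSTED_PREFIXES) for ip in CONN_RE.findall(text)):
            return "high"
    return "normal"


def prioritize(findings, risk, min_priority=2):
    """S250: PII findings and high-risk machines rank higher; low ones are dropped."""
    alerts = []
    for f in findings:
        priority = f["severity"] + (1 if f["pii"] else 0) + (1 if risk == "high" else 0)
        if priority >= min_priority:
            alerts.append({**f, "priority": priority})
    return sorted(alerts, key=lambda a: -a["priority"])


def scan_vm(request, console, tool, quarantine_at=5):
    """S210-S260 for one scan request; returns the report for the user console."""
    before = len(tool.actions)
    location = locate_snapshot(console, request["vm_id"])        # S220
    files = console.read_snapshot(location)                      # S230
    risk = machine_risk(files)
    alerts = prioritize(analyze(files), risk)                    # S240, S250
    if alerts and alerts[0]["priority"] >= quarantine_at:        # optional S260
        tool.quarantine(request["vm_id"])
    return {"vm": request["vm_id"], "trigger": request["trigger"], "snapshot": location,
            "risk": risk, "alerts": alerts, "mitigations": tool.actions[before:]}


def run_constructed_scan():
    """Two requests for the same VM: the second reuses the snapshot taken by the first."""
    disk = {  # constructed virtual disk 118-1 of VM 119
        "/etc/ssl/private/app.key": "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
        "/var/log/app.log": "2020-01-10 record ssn=123-45-6789\n2020-01-10 connected to 203.0.113.7 port 443\n",
        "/etc/hostname": "vm-119\n",
    }
    console = FakeManagementConsole({"vm-119": "disk-118-1"}, {"disk-118-1": disk})
    tool = RecordingMitigationTool()
    first = scan_vm({"vm_id": "vm-119", "trigger": "schedule"}, console, tool)
    second = scan_vm({"vm_id": "vm-119", "trigger": "network-event"}, console, tool)
    return first, second


if __name__ == "__main__":
    for report in run_constructed_scan():
        print(report)
```

Nothing in the pipeline talks to the guest: the console answers with a disk and a snapshot location, the files are read from the snapshot copy, and the only outbound action is the request handed to the mitigation tool, which is what keeps the scan agentless in the sense of paragraph [0024].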

[0046] Fig. 3 is an example block diagram of the security system 140 according to an embodiment. The security system 140 includes a processing circuitry 310 coupled to a

Page 8 of 15

Ex. 2149-011

memory 320, a storage 330, and a network interface 340. In an embodiment, the components of the security system 140 may be communicatively connected via a bus 360.

[0047] The processing circuitry 310 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.

[0048] The memory 310 may be volatile (e.g., RAM, etc.), non-volatile (e.g., ROM, flash memory, etc.), or a combination thereof. In one configuration, computer readable instructions to implement one or more embodiments disclosed herein may be stored in the storage 330.

[0049] In another embodiment, the memory 320 is configured to store software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing circuitry 310 to perform the various processes described herein. Specifically, the instructions, when executed, cause the processing circuitry 310 to determine over-privileged roles vulnerabilities in serverless functions.

[0050] The storage 330 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVDs), hard-drives, SSD, or any other medium which can be used to store the desired information. The storage 330 may store communication consumption patterns associated with one or more communications devices.

Page 9 of 15

Ex. 2149-012

[0051] The network interface 340 allows the security system 140 to communicate with the external systems, such as intelligence systems, SIEM systems, mitigation systems, a cloud management console, a user console, and the like.

[0052] It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in Fig. 3, and other architectures may be equally used without departing from the scope of the disclosed embodiments.

[0053] The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.

[0054] As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; A and B in combination; B and C in combination; A and C in combination; or A, B, and C in combination.

[0055] All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover,

Page 10 of 15

Ex. 2149-013

all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.

Page 11 of 15

Ex. 2149-014

[FIG. 1A: example network diagram 100 showing a User Console 180, External systems 170, a Management Console 150, and a Cloud Computing Platform 110]

Page 12 of 15

Ex. 2149-015