TO THE COMMISSIONER FOR PATENTS:

Transmitted herewith for filing under 35 U.S.C. 111 and 37 C.F.R. is the patent application of:

Yigal Edery, Nimrod Vered and David Kroll

FOR:

Malicious Mobile Code Runtime Monitoring System and Methods:

Certificate of Mailing with Express Mailing Label No. EL 701 364 462 US;

10 Informal Sheets of Drawings: FIGS 1a-1c; 2, 3, 4; 5, 6a and 6b; 7a-7b and 8; 9, 10A-10B; 11; 12a-12b;

Unsigned Combined Declaration and Power of Attorney;

General Authorization and Request to Petition for Extension of Time; and

Return Receipt Postcard.

CLAIMS AS FILED

$ 355.00
$ 320.00

No additional fee is required for amendment.

Please charge Deposit Account No. 05-0150 in the amount of $ 1,179.00.
The Commissioner is hereby authorized to charge and credit Deposit Account No. 05-0150 as described below. A duplicate copy of this sheet is enclosed.

Charge the amount of $1,179.00 as filing fee.
Credit any overpayment.
Charge any additional filing fees required under 37 C.F.R. 1.16.
Charge any patent application processing fees under 37 C.F.R. 1.17.

600 Hansen Way
Palo Alto, CA 94304-1043
Telephone: (650) 856-6500
Facsimile: (650) 856-3619

SOPHOS
EXHIBIT 1013 - PAGE 0001

ATTORNEY DOCKET 4342600014

APPLICATION FOR

UNITED STATES PATENT

IN THE NAME OF

Yigal Edery, Nimrod Vered and David Kroll

OF

FINJAN SOFTWARE, LTD.

MALICIOUS MOBILE CODE RUNTIME MONITORING
SYSTEM AND METHODS

DOCKET NO. 43426.00014

Please direct communications to:

Intellectual Property Department
Squire, Sanders & Dempsey L.L.P.
600 Hansen Way
Palo Alto, CA 94304-1043
(650) 856-6500

Express Mail Number EL 701 364 624

MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS

PRIORITY REFERENCE TO RELATED APPLICATIONS

This application claims benefit of and hereby incorporates by reference provisional application serial number 60/205,591, entitled “Computer Network Malicious Code Run-time Monitoring,” filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application serial number 09/539,667, entitled “System and Method for Protecting a Computer and a Network From Hostile Downloadables” filed on March 30, 2000 by inventor Shlomo Touboul. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application serial number 09/551,302, entitled “System and Method for Protecting a Client During Runtime From Hostile Downloadables”, filed on April 18, 2000 by inventor Shlomo Touboul.

BACKGROUND OF THE INVENTION

Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.

Description of the Background Art

Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as “viruses.”

Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears — and so on. Of course, damage has already typically been incurred.

To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Patent 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including “Java applets or ActiveX controls”, and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Patent 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. patent 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.

Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.

SUMMARY OF THE INVENTION

The present invention provides protection systems and methods capable of protecting a personal computer (“PC”) or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other “malicious” operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software “components”, such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed, interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.

In one aspect, embodiments of the invention provide for determining, within one or more network “servers” (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a “Downloadable”). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client-based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.

A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily as one or more “servers” or “re-communicators”). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies, to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.

A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code (“MPC”) for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective “sandbox”. The MPC/policies can further include a communicator for enabling further MPC/policy information or “modules” to be utilized and/or for event logging or other purposes.

A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.

A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The determining can further provide multiple tests for detecting, alone or together, whether the downloadable information includes executable code.

A further method according to an embodiment of the invention includes forming a sandboxed package that includes mobile protection code (“MPC”), protection policies, and a received, detected-Downloadable, and causing the sandboxed package to be communicated to and installed by a receiving device or process (“user device”) for responding to one or more malicious operation attempts by the detected-Downloadable from within the user device. The MPC/policies can further include a base “module” and a “communicator” for enabling further up/downloading of one or more further “modules” or other information (e.g. events, user/user device information, etc.).

Another method according to an embodiment of the invention includes installing, within a user device, received mobile protection code (“MPC”) and protection policies in conjunction with the user device receiving a downloadable application program, component or other Downloadable(s). The method also includes determining, by the MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or more predetermined operations corresponding to the attempt. (Predetermined operations can, for example, comprise initiating user, administrator, client, network or protection system determinable operations, including but not limited to modifying the Downloadable operation, extricating the Downloadable, notifying a user/another, maintaining a local/remote log, causing one or more MPCs/policies to be downloaded, etc.)
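The sandbox protection system and the MPC method above, modelled as an added example (not the patent's or Finjan's code): an installer hands a constructed Downloadable a guarded resource API, a diverter routes each operation attempt through an operation analyzer that applies policy rules, and a security enforcer allows, modifies or blocks the attempt and keeps a local log. The class names, the scratch-directory and source-host rules, and the sample Downloadable are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Attempt:
    operation: str   # e.g. "file.write" or "net.connect"
    target: str      # the resource the Downloadable asked for

@dataclass(frozen=True)
class Response:
    action: str                       # "allow", "modify" or "block"
    new_target: Optional[str] = None  # replacement target when action is "modify"

# A protection policy is a rule mapping an attempt to a response, or to None when
# the rule does not apply. Rules are evaluated in order and the first match wins.
PolicyRule = Callable[[Attempt], Optional[Response]]
ResourceOp = Callable[[str], object]

class OperationAnalyzer:
    """Determines the response to an intercepted operation attempt from the policies."""

    def __init__(self, rules: List[PolicyRule], default: Response):
        self.rules = rules
        self.default = default

    def analyze(self, attempt: Attempt) -> Response:
        for rule in self.rules:
            response = rule(attempt)
            if response is not None:
                return response
        return self.default

class SecurityEnforcer:
    """Effectuates the analyzer's response and keeps a local log of every attempt."""

    def __init__(self):
        self.log: List[Tuple[str, str, str]] = []

    def enforce(self, attempt: Attempt, response: Response, real_op: ResourceOp):
        self.log.append((attempt.operation, attempt.target, response.action))
        if response.action == "block":
            raise PermissionError(f"{attempt.operation} on {attempt.target} blocked by policy")
        if response.action == "modify":
            return real_op(response.new_target)  # proceeds, but against the policy's safe target
        return real_op(attempt.target)

class Diverter:
    """Wraps each real resource operation so every attempt is analyzed and enforced first."""

    def __init__(self, analyzer: OperationAnalyzer, enforcer: SecurityEnforcer):
        self.analyzer = analyzer
        self.enforcer = enforcer

    def divert(self, operation: str, real_op: ResourceOp) -> ResourceOp:
        def guarded(target: str):
            attempt = Attempt(operation, target)
            return self.enforcer.enforce(attempt, self.analyzer.analyze(attempt), real_op)
        return guarded

def install_mpc(real_api: Dict[str, ResourceOp], rules: List[PolicyRule],
                default: Response) -> Tuple[Dict[str, ResourceOp], SecurityEnforcer]:
    """Installer: builds the guarded API the Downloadable receives instead of the real one."""
    enforcer = SecurityEnforcer()
    diverter = Diverter(OperationAnalyzer(rules, default), enforcer)
    return {name: diverter.divert(name, op) for name, op in real_api.items()}, enforcer

def run_sample(source_host: str = "downloads.example"):
    """Run a constructed Downloadable under constructed policies; return (host state, log)."""
    host: Dict[str, List[str]] = {"files": [], "connections": []}
    real_api: Dict[str, ResourceOp] = {
        "file.write": lambda path: host["files"].append(path),
        "net.connect": lambda addr: host["connections"].append(addr),
    }
    rules: List[PolicyRule] = [
        # Writes inside the scratch area are acceptable as they are.
        lambda a: Response("allow") if a.operation == "file.write" and a.target.startswith("/tmp/") else None,
        # Any other write is redirected into a sandbox directory instead of being refused.
        lambda a: Response("modify", "/sandbox" + a.target) if a.operation == "file.write" else None,
        # The Downloadable may talk back to the host it came from, and nowhere else.
        lambda a: Response("allow") if a.operation == "net.connect" and a.target == source_host else None,
    ]
    api, enforcer = install_mpc(real_api, rules, default=Response("block"))

    def downloadable(api: Dict[str, ResourceOp]) -> None:  # constructed Downloadable
        api["file.write"]("/tmp/cache.dat")
        api["file.write"]("/home/user/config.ini")
        api["net.connect"](source_host)
        try:
            api["net.connect"]("other.example")
        except PermissionError:
            pass  # intercepted and blocked; the Downloadable carries on

    downloadable(api)
    return host, enforcer.log
```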

Advantageously, systems and methods according to embodiments of the invention enable potentially damaging, undesirable or otherwise malicious operations by even unknown mobile code to be detected, prevented, modified and/or otherwise protected against without modifying the mobile code. Such protection is further enabled in a manner that is capable of minimizing server and client resource requirements, does not require pre-installation of security code within a Downloadable-destination, and provides for client specific or generic and readily updateable security measures to be flexibly and efficiently implemented. Embodiments further provide for thwarting efforts to bypass security measures (e.g. by "hiding" undesirable operation causing information within apparently inert or otherwise "friendly" downloadable information) and/or dividing or combining security measures for even greater flexibility and/or efficiency.

Embodiments also provide for determining protection policies that can be downloaded and/or ascertained from other security information (e.g. browser settings, administrative policies, user input, uploaded information, etc.). Different actions in response to different Downloadable operations, clients, users and/or other criteria are also enabled, and embodiments provide for implementing other security measures, such as verifying a downloadable source, certification, authentication, etc. Appropriate action can also be accomplished automatically (e.g. programmatically) and/or in conjunction with alerting one or more users/administrators, utilizing user input, etc. Embodiments further enable desirable Downloadable operations to remain substantially unaffected, among other aspects.


BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1a is a block diagram illustrating a network system in accordance with an embodiment of the present invention;

FIG. 1b is a block diagram illustrating a network subsystem example in accordance with an embodiment of the invention;

FIG. 1c is a block diagram illustrating a further network subsystem example in accordance with an embodiment of the invention;

FIG. 2 is a block diagram illustrating a computer system in accordance with an embodiment of the invention;

FIG. 3 is a flow diagram broadly illustrating a protection system host according to an embodiment of the invention;

FIG. 4 is a block diagram illustrating a protection engine according to an embodiment of the invention;

FIG. 5 is a block diagram illustrating a content inspection engine according to an embodiment of the invention;

FIG. 6a is a block diagram illustrating protection engine parameters according to an embodiment of the invention;

FIG. 6b is a flow diagram illustrating a linking engine use in conjunction with ordinary, compressed and distributable sandbox package utilization, according to an embodiment of the invention;

FIG. 7a is a flow diagram illustrating a sandbox protection system operating within a destination system, according to an embodiment of the invention;

FIG. 7b is a block diagram illustrating memory allocation usable in conjunction with the protection system of FIG. 7a, according to an embodiment of the invention;

FIG. 7c is a block diagram illustrating a mobile protection code according to an embodiment of the invention;

FIG. 8 is a flowchart illustrating a method for examining a Downloadable in accordance with the present invention;

FIG. 9 is a flowchart illustrating a server based protection method according to an embodiment of the invention;

FIG. 10a is a flowchart illustrating a method for determining if a potential-Downloadable includes or is likely to include executable code, according to an embodiment of the invention;

FIG. 10b is a flowchart illustrating a method for forming a protection agent, according to an embodiment of the invention;

FIG. 11 is a flowchart illustrating a method for protecting a Downloadable destination according to an embodiment of the invention;

FIG. 12a is a flowchart illustrating a method for forming a Downloadable access interceptor according to an embodiment of the invention; and

FIG. 12b is a flowchart illustrating a method for implementing mobile protection policies according to an embodiment of the invention.


DETAILED DESCRIPTION

In providing malicious mobile code runtime monitoring systems and methods, embodiments of the invention enable actually or potentially undesirable operations of even unknown malicious code to be efficiently and flexibly avoided. Embodiments provide, within one or more “servers” (e.g. firewalls, resources, gateways, email relays or other information re-communicating devices), for receiving downloadable-information and detecting whether the downloadable-information includes one or more instances of executable code (e.g. as with a Trojan horse, zip/meta file etc.). Embodiments also provide for separately or interoperably conducting additional security measures within the server, within a Downloadable-destination of a detected-Downloadable, or both. Embodiments further provide for causing mobile protection code (“MPC”) and downloadable protection policies to be communicated to, installed and executed within one or more received information destinations in conjunction with a detected-Downloadable. Embodiments also provide, within an information-destination, for detecting malicious operations of the detected-Downloadable and causing responses thereto in accordance with the protection policies (which can correspond to one or more user, Downloadable, source, destination, or other parameters), or further downloaded or downloadable-destination based policies (which can also be configurable or extensible). (Note that the term “or”, as used herein, is generally intended to mean “and/or” unless otherwise indicated.)

FIGS. 1a through 1c illustrate a computer network system 100 according to an embodiment of the invention. FIG. 1a broadly illustrates system 100, while FIGS. 1b and 1c illustrate exemplary protectable subsystem implementations corresponding with system 104 or 106 of FIG. 1a.

Beginning with FIG. 1a, computer network system 100 includes an external computer network 101, such as a Wide Area Network or “WAN” (e.g. the Internet), which is coupled to one or more network resource servers (summarily depicted as resource server-1 102 and resource server-N 103). Where external network 101 includes the Internet, resource servers 1-N (102, 103) might provide one or more resources including web pages, streaming media, transaction-facilitating information, program updates or other downloadable information, summarily depicted as resources 121, 131 and 132. Such information can also include more traditionally viewed “Downloadables” or “mobile code” (i.e. distributable components), as well as downloadable application programs or other further Downloadables, such as those that are discussed herein. (It will be appreciated that interconnected networks can also provide various other resources as well.)

Also coupled via external network 101 are subsystems 104-106. Subsystems 104-106 can, for example, include one or more servers, personal computers (“PCs”), smart appliances, personal information managers or other devices/processes that are at least temporarily or otherwise intermittently directly or indirectly connectable in a wired or wireless manner to external network 101 (e.g. using a dialup, DSL, cable modem, cellular connection, IR/RF, or various other suitable current or future connection alternatives). One or more of subsystems 104-106 might further operate as user devices that are connectable to external network 101 via an internet service provider (“ISP”) or local area network (“LAN”), such as a corporate intranet, or home, portable device or smart appliance network, among other examples.

FIG. 1a also broadly illustrates how embodiments of the invention are capable of selectively, modifiably or extensibly providing protection to one or more determinable ones of networked subsystems 104-106 or elements thereof (not shown) against potentially harmful or other undesirable (“malicious”) effects in conjunction with receiving downloadable information. “Protected” subsystem 104, for example, utilizes a protection in accordance with the teachings herein, while “unprotected” subsystem-N 105 employs no protection, and protected subsystem-M 106 might employ one or more protections including those according to the teachings herein, other protection, or some combination.

System 100 implementations are also capable of providing protection to redundant elements 107 of one or more of subsystems 104-106 that might be utilized, such as backups, failsafe elements, redundant networks, etc. Where included, such redundant elements are also similarly protectable in a separate, combined or coordinated manner using embodiments of the present invention either alone or in conjunction with other protection mechanisms. In such cases, protection can be similarly provided singly, as a composite of component operations or in a backup fashion. Care should, however, be exercised to avoid potential repeated protection engine execution corresponding to a single Downloadable; such “chaining” can cause a Downloadable to operate incorrectly or not at all, unless a subsequent detection engine is configured to recognize a prior packaging of the Downloadable.

FIGS. 1b and 1c further illustrate, by way of example, how protection systems according to embodiments of the invention can be utilized in conjunction with a wide variety of different system implementations. In the illustrated examples, system elements are generally configurable in a manner commonly referred to as a “client-server” configuration, as is typically utilized for accessing Internet and many other network resources. For clarity's sake, a simple client-server configuration will be presumed unless otherwise indicated. It will be appreciated, however, that other configurations of interconnected elements might also be utilized (e.g. peer-peer, routers, proxy servers, networks, converters, gateways, services, network reconfiguring elements, etc.) in accordance with a particular application.

The FIG. 1b example shows how a suitable protected system 104a (which can correspond to subsystem-1 104 or subsystem-M 106 of FIG. 1) can include a protection-initiating host “server” or “re-communicator” (e.g. ISP server 140a), one or more user devices or "Downloadable-destinations" 145, and zero or more redundant elements (which elements are summarily depicted as redundant client device/process 145a). In this example, ISP server 140a includes one or more email, Internet or other servers 141a, or other devices or processes capable of transferring or otherwise “re-communicating” downloadable information to user devices 145. Server 141a further includes protection engine or “PE” 142a, which is capable of supplying mobile protection code (“MPC”) and protection policies for execution by client devices 145. One or more of user devices 145 can further include a respective one or more clients 146 for utilizing information received via server 140a, in accordance with which MPC and protection policies are operable to protect user devices 145 from detrimental, undesirable or otherwise “malicious” operations of downloadable information also received by user device 145.

The FIG. 1c example shows how a further suitable protected system 104b can include, in addition to a “re-communicator”, such as server 142b, a firewall 143c (e.g. as is typically the case with a corporate intranet and many existing or proposed home/smart networks). In such cases, a server 141b or firewall 143 can operate as a suitable protection engine host. A protection engine can also be implemented in a more distributed manner among two or more protection engine host systems or host system elements, such as both of server 141b and firewall 143, or in a more integrated manner, for example, as a standalone device. Redundant system or system protection elements can also be similarly provided in a more distributed or integrated manner (see above).

System 104b also includes internal network 144 and user devices 145. User devices 145 further include a respective one or more clients 146 for utilizing information received via server 140a, in accordance with which the MPCs or protection policies are operable. (As in the previous example, one or more of user devices 145 can also include or correspond with similarly protectable redundant system elements, which are not shown.)

It will be appreciated that the configurations of FIGS. 1a-1c are merely exemplary. Alternative embodiments might, for example, utilize other suitable connections, devices or processes. One or more devices can also be configurable to operate as a network server, firewall, smart router, a resource server servicing deliverable third-party/manufacturer postings, a user device operating as a firewall/server, or other information-suppliers or intermediaries (i.e. as a “re-communicator” or “server”) for servicing one or more further interconnected devices or processes or interconnected levels of devices or processes. Thus, for example, a suitable protection engine host can include one or more devices or processes capable of providing or supporting the providing of mobile protection code or other protection consistent with the teachings herein. A suitable information-destination or “user device” can further include one or more devices or processes (such as email, browser or other clients) that are capable of receiving and initiating or otherwise hosting a mobile code execution.

FIG. 2 illustrates an exemplary computing system 200, that can comprise one or more of the elements of FIGS. 1a through 1c. While other application-specific alternatives might be utilized, it will be presumed for clarity's sake that system 100 elements (FIGS. 1a-c) are implemented in hardware, software or some combination by one or more processing systems consistent therewith, unless otherwise indicated.

Computer system 200 comprises elements coupled via communication channels (e.g. bus 201) including one or more general or special purpose processors 202, such as a Pentium® or Power PC®, digital signal processor (“DSP”), etc. System 200 elements also include one or more input devices 203 (such as a mouse, keyboard, microphone, pen, etc.), and one or more output devices 204, such as a suitable display, speakers, actuators, etc., in accordance with a particular application.

System 200 also includes a computer readable storage media reader 205 coupled to a computer readable storage medium 206, such as a storage/memory device or hard or removable storage/memory media; such devices or media are further indicated separately as storage device 208 and memory 209, which can include hard disk variants, floppy/compact disk variants, digital versatile disk (“DVD”) variants, smart cards, read only memory, random access memory, cache memory, etc., in accordance with a particular application. One or more suitable communication devices 207 can also be included, such as a modem, DSL, infrared or other suitable transceiver, etc. for providing inter-device communication directly or via one or more suitable private or public networks that can include but are not limited to those already discussed.

Working memory further includes operating system (“OS”) elements and other programs, such as application programs, mobile code, data, etc. for implementing system 100 elements that might be stored or loaded therein during use. The particular OS can vary in accordance with a particular device, features or other aspects in accordance with a particular application (e.g. Windows, Mac, Linux, Unix or Palm OS variants, a proprietary OS, etc.). Various programming languages or other tools can also be utilized, such as C++, Java, Visual Basic, etc. As will be discussed, embodiments can also include a network client such as a browser or email client, e.g. as produced by Netscape, Microsoft or others, a mobile code executor such as an OS task manager, Java Virtual Machine (“JVM”), etc., and an application program interface (“API”), such as a Microsoft Windows or other suitable element in accordance with the teachings herein. (It will also become apparent that embodiments might also be implemented in conjunction with a resident application or combination of mobile code and resident application components.)

One or more system 200 elements can also be implemented in hardware, software or a suitable combination. When implemented in software (e.g. as an application program, object, downloadable, servlet, etc. in whole or part), a system 200 element can be communicated transitionally or more persistently from local or remote storage to memory (or cache memory, etc.) for execution, or another suitable mechanism can be utilized, and elements can be implemented in compiled or interpretive form. Input, intermediate or resulting data or functional elements can further reside more transitionally or more persistently in a storage media, cache or more persistent volatile or non-volatile memory, (e.g. storage device 207 or memory 208) in accordance with a particular application.

FIG. 3 illustrates an interconnected re-communicator 300 generally consistent with system 140b of FIG. 1, according to an embodiment of the invention. As with system 140b, system 300 includes a server 301, and can also include a firewall 302. In this implementation, however, either server 301 or firewall 302 (if a firewall is used) can further include a protection engine (310 or 320 respectively). Thus, for example, an included firewall can process received information in a conventional manner, the results of which can be further processed by protection engine 310 of server 301, or information processed by protection engine 320 of an included firewall 302 can be processed in a conventional manner by server 301. (For clarity's sake, a server including a singular protection