(Only for new nonprovisiona/ applications under 37 CFR 1.53(b))
`
`Docket No.
`40492.00012
`
`Total Pages in this Submission
`
`TO THE ASSISTANT COMMISSIONER FOR PATENTS
`Box Patent Application
`Washington, D.C. 20231
`
`Transmitted herewith for filing under 35 U.S.C. 111 (a) and 37 C.F.R. 1.53(b) is a new utility patent application for
`invention entitled:
`
`app invented by:
`~tmoTouOO~
`
`f : i tL - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - '
`k¥a CONTINUATION APPLICATION, check appropriate box and supply the requisite information:
`f~ Continuation 0 Divisional 0 Continuation-in-part (CIP} of prior application No.: ___ .....___:_ __ _
`Which is a:
`
`~;rb Continuation 0 Divisional 0 Continuation-in-part (CIP} of prior application No.: - - - -
`
`~Which is a:
`Continuation 0 Divisional 0 Continuation-in-part (CIP) of prior application No.: ______ _
`
`Enclosed are:
`
`Application Elements
`
`1 .
`
`IZl Filing fee as calculated and transmitted as described below
`
`2.
`
`fZI Specification having
`
`26
`- - - - - - - - -
`
`pages and including the following:
`
`a. IZl
`
`b.
`
`IZl
`
`c. 0
`
`d. 0
`e. IZl
`
`f.
`
`IZl
`
`g.
`
`IZl
`
`h. IZl
`
`i.
`
`IZl
`
`j. IZl
`
`Descriptive Title of the Invention
`
`Cross References to Related Applications (if applicable)
`
`Statement Regarding Federally-sponsored Research/Development (if applicable)
`
`Reference to Microfiche Appendix (if applicable)
`
`Background of the Invention
`
`Brief Summary of the Invention
`
`Brief Description of the Drawings (if drawings filed)
`
`Detailed Description
`
`Claim(s) as Classified Below
`
`Abstract of the Disclosure
`
`Page I of3
`
`P01 USMUREV03
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 1
`
`

`
`UTILITY PATENT APPLICATION TRANSMITTAL
`(Small Entity)
`(Only for new nonprovisional applications under 37 CFR 1.53(b))
`
`Docket No.
`40492.00012
`
`Total Pages in this Submission
`
`Application Elements (Continued)
`
`3.
`
`IZl Drawing(s) (when necessary as prescribed by 35 USC 113)
`
`a. 0
`
`Formal
`
`b.
`
`IZl
`
`Informal
`
`Number of Sheets
`
`7
`-----------------
`
`4.
`
`IZJ Oath or Declaration
`
`a. 0 Newly executed (original or copy)
`
`0 Unexecuted
`
`b. 1Z1 Copy from a prior application (37 CFR 1.63(d)) (for continuation/divisional application only)
`
`c.
`
`IZI With Power of Attorney
`
`0 Without Power of Attorney
`
`d. 0 DELETION OF INVENTOR($)
`Signed statement attached deleting inventor(s) named in the prior application,
`see 37 C.F.R. 1.63(d)(2) and 1.33(b).
`
`5.
`
`IZl
`
`Incorporation By Reference (usable if Box 4b is checked)
`The entire disclosure of the prior application, from which a copy of the oath or declaration is supplied under
`Box 4b, is considered as being part of the disclosure of the accompanying application and is hereby
`incorporated by reference therein.
`
`6. 0 Computer Program in Microfiche
`
`7. 0 Genetic Sequence Submission (if applicable, all must be included}
`
`a. 0
`
`Paper Copy
`
`b. 0 Computer Readable Copy
`
`c. 0 Statement Verifying Identical Paper and Computer Readable Copy
`
`Accompanying Application Parts
`
`8.
`
`IZI Assignment Papers (cover sheet & documents)
`
`9. 0 37 CFR 3.73(b) Statement (when there is an assignee)
`
`10. 0 English Translation Document (if applicable)
`
`11. 0
`
`Information Disclosure Statement/PT0-1449
`
`0 Copies of IDS Citations
`
`12. 0 Preliminary Amendment
`
`13.
`
`1Z1 Acknowledgment postcard
`
`14.
`
`IZJ Certificate of Mailing
`
`0
`
`First Class
`
`IZI Express Mail (Specify Label No.): EL515156158US
`
`Page 2 of3
`
`P01USMUREV03
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 2
`
`

`
`UTILITY PATENT APPLICATION TRANSMITTAL
`{Small Entity)
`(Only for new nonprovisional applications under 37 CFR 1.53(b))
`
`Lllld. 07 llllll ~ 2
`
`Total Pages in this Submission
`
`Accompanying Application Parts (Continued)
`
`15. 0 Certified Copy of Priority Document(s) (if foreign priority is claimed)
`
`16.
`
`IZI Small Entity Statement(s)- Specify Number of Statements Submitted:
`
`1
`
`17.
`
`IZI Additional Enclosures (please identify below):
`General Authorization/Request to Petition for Extensions of Time
`
`tn
`~"''
`.¥:g
`-:.
`
`For
`
`!i'i'
`
`,,,,
`"F-otal Claims
`',d.
`h;idep. Claims
`
`Fee Calculation and Transmittal
`
`CLAIMS AS FILED
`
`#Filed
`
`#Allowed
`
`#Extra
`
`47
`
`4
`
`-20 =
`
`- 3 =
`
`27
`
`1
`
`X
`
`X
`
`Rate
`
`$9.00
`
`$39.00
`
`~<=~
`
`~,~ltiple Dependent Claims (check if applicable)
`~;:i
`:::;:::2
`""'"
`
`0
`
`OTHER FEE (specify purpose)
`
`Fee
`
`$243.00
`
`$39.00
`
`$0.00
`
`$345.00
`
`$0.00
`
`BASIC FEE
`
`TOTAL FILING FEE
`
`$627.00
`
`IZI' A check in the amount of
`to cover the filing fee is enclosed.
`$627.00
`lZl The Commissioner is hereby authorized to charge and credit Deposit Account No.
`·as described below. A duplicate copy of this sheet is enclosed.
`0 Charge the amount of
`as filing fee.
`lZl Credit any overpayment.
`0 Charge any additional filing fees required under 37 C.F.R. 1.16 and 1. 17.
`0 Charge the issue fee set in 37 C.F .R. 1.18 at the mailing of the Notice of Allowance,
`pursuant to 37 C.F.R. 1.311(b).
`
`05-0150
`
`Dated: April18, 2000
`
`cc:
`
`L4flii
`
`Signature
`Marc A. Sockol, Reg. No. 40,823
`Attorney for Applicant
`Graham & James LLP
`600 Hansen Way
`Palo Alto, CA 94304-1043
`Tel: (650) 856-6500
`Fax: (650) 856-3619
`
`Page 3 of3
`
`P01 USML!REV03
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 3
`
`

`
`~9-JRN-1997 17:42
`
`FROM FINJRN SOFTWRRE
`~ ""'-.,.
`CPRESS MI\U I,ABEL NO: EI,515156158US
`
`TO
`
`a0141SB123444
`
`P.07
`
`Atty. Dkt.No. _______ c~w-..:a:.;s_sliollooz __
`
`Shlgmo Iouboul
`Applicant
`Unknown
`Serial No.:
`Herewith
`Filed:
`For:· System and Method £or Protecting a Client From Hostile Downlgad@les
`
`VERIFIED STATEMENT (DECLARA1ION) CI.AIMIN'G
`SMALL ENilTY STATtJS
`(37 CFR 1.9 (f) and 1.27 (c)) .. ~ BUSINESS CONCERN
`
`I hereby declare tha:t I am:
`
`. [ ] the owner of the small business concern identified. below:
`{x] an official of the small business cdncem empowered to
`act on behalf of the conc:e:m identified below:
`
`COPY
`
`NAME OF CONCERN F.,.i..,.DJ~~o~~·anllll\.oliiSoi:X&Iftw~are.....,L~~~.~t~d.::.... - - - - - - - - - -
`
`ADDRESS OF CONCERN K.:a;:;efar~....,. ... Ha~jm*-42~~.c.9450illll"-' ra~a,_e} __ ___ _ _
`
`I hereby declare that the above identified small business conce:r.n. q:ualifi.es as a
`Stnall business concetn as defined in 13 CF.R 121.2, and reproduced in 37 CPR 1.9
`(d), for puxposes oi paying reduc:ed fees to the United States ?atent and Trademark
`Office, in that the number of employees of the c:onc:er.n, indudil\g those of its
`affiliates, does not exceed 500 persons. For purposes of this statement, (1) the
`numbet of employees of the business concem is the average ovex the previous
`fiscal year of the concern of the person.S employed on a full .. t:im.e part--thn.e or
`tetnpora:cy l?a.sis during each of the' pay periods of the fiscal year, and (2) concems
`are affiliates of each other when either, directly or indirectly, one concem controls
`or.has the power to conirol the other, or a third party or parties controls or has the
`power to control both..
`
`I hereby declare that rights under contract ot law have been conveyed to and
`remain with the small business concern identified above with :regarcl to the
`i:nven~ entitled "System and method for Protecting a Client from Hostile
`Downloadables", by inventor Shlomo Touboul described. in ·
`[x] the spedfic:ation £ile4 herewith.
`( ] application serial no.
`flled - - - ·
`r ] patent no.
`issued---·
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 4
`
`

`
`~9-JAN-1997 17:43
`
`FROM FINJAN SOFTWARE
`
`TO
`
`0014158123444
`
`P.08
`
`If the rights held by the above identified small business concem are not exclusive,
`each individual, ~oncem or organization having rights in the invention is listed
`below"' and no rights to the invention are held by any person, other than the
`inventor, who would not qualify as an i:nd.ependent inventor under 37 en 1.9( c)
`if that person made the invention, or by any concem. which would not qualify as
`a sxnall business c:onc:ern under 37 CPR 1.9(d), or a n01'\.'FC£it oz:gaxdzation under
`37 CPR 1.9(e). •NOTE: Separate veri.6.ed statem.ents are required from eac:h
`named person, conc:er.n or organization having rights to the invention aver.r.i.ng
`to their status as small entities. {37 CPR 1.27)
`
`NAME -----------------------------------------(cid:173)
`ADD~S ------------------------~----~~~~-
`[ ]1NOMDUAL [ J SMALL BUSI.NFSS CONCERN [ l NONPROm ORGANIZAnON
`
`I ac:lcnowledge the duty to .file, in this application or patent, notification of any
`change in status resulting in loss of entitlement to small entity status priox to
`paying, or at the tb:ne of paying, the earllest of the issue fee or any maintenance
`. fee due after the da~ on which status as a Sltl3ll entity is no longer appropriate.
`(37 CFR 1..28 (b))
`
`I hereby declare that all statements made be.xein of my own knOwledge a:re tru.e
`and that all state:ments made on information and belief a:re believed to be true;
`and further that these statements were :made with the knowledge that willful
`false statements and the like so ma~ are pw:tishable by fine or impr.iso;ru::nent, or
`both, under section 1001 of the ntte 18 of the United States Code, and that such
`w:ill!ul fa1&e statements may jeopardize the validity of the application, any patent
`issuing thereon, or any patent to which this verified statement is dir~d.
`
`NA:ME OF PERSON SIGNING --.w.Sh~l~~~o~:o..,.m~o:....T.c.Joll'-3uub:.¥ou~l..._ _ _ __ _ _ _
`1TfLE OF PERSON IF OTHER THAN OWNER ....-Er-e:n.'d-=m~t - - - - -
`:Ke:fat·J:iaim 4294$~ Israel ·
`ADDRESS OF PERSON SIGNING .
`
`SIGNAn.JRE --~~~--DAlE ).1 j._ ') lft
`
`TOTAL P.08
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 5
`
`

`
`APPLICATION FOR
`UNITED STATES PATENT
`IN THE NAME
`
`of
`
`SHLOMO TOUBOUL
`
`for
`
`SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING
`
`RUNTIME FROM HOSTILE DOWNLOADABLES
`
`DOCKET NO. 40492.00012
`
`Please direct communications to:
`GRAHAM & JAMES LLP
`600 Hansen Way
`Palo Alto, CA 94304-1043
`(650) 856-6500
`Express Mail Number: EL515156158US
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 6
`
`

`
`SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME
`
`FROM HOSTILE DOWNLOADABLES
`
`CROSS-REFERENCE TO RELATED APPLICATIONS
`
`5
`
`This application is related to co-pending provisional patent application filed
`
`on November 8, 1996, entitled "System and Method for Protecting a Computer
`
`from Hostile Downloadables," serial number 60/030,639, by inventor Shlomo
`
`Touboul, and U.S. patent application filed on January 29, 1997, entitled "System
`
`and Method for Protecting a Computer During Runtime From Hostile
`
`10 Download bales," serial number 08/790,097, by inventor Shlomo Touboul, which
`
`subject matters are hereby incorporated by reference herein.
`
`BACKGROUND OF THE INVENTION
`
`1.
`
`Field of the Invention
`
`15
`
`This invention relates generally to computer networks, and more
`
`particularly to a system and method for protecting clients from hostile
`
`Downloadables.
`
`2.
`
`Description of the Background Art
`
`20
`
`The Internet currently interconnects about 100,000 individual computer
`
`networks and several million computers. Because it is public, the Internet has
`
`become a major source of many system damaging and system fatal application
`
`programs, commonly referred to as "viruses."
`
`In response to the widespread generation and distribution of computer
`
`25
`
`viruses, programmers continue to design and update security systems for
`
`131/202041.01
`041800/1521/40492.00001
`
`1
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 7
`
`

`
`blocking these viruses from attacking both individual and network computers. On
`
`the most part, these security systems have been relatively successful. However,
`
`these security systems are typically not configured to recognize computer viruses
`
`which have been attached to or masked as harmless Downloadables (i.e.,
`
`5
`
`applets ). A Downloadable is a small executable or interpretable application
`
`program which is downloaded from a source computer and run on a destination
`
`computer. A Downloadable is used in a distributed environment such as in the
`
`Java TM distributed environment produced by Sun Microsystems or in the
`
`ActiveX™ distributed environment produced by Microsoft Corporation.
`
`10
`
`Hackers have developed hostile Downloadables designed to penetrate
`
`security holes in Downloadable interpreters. In response, Sun Microsystems,
`
`Inc. has developed a method of restricting Downloadable access to resources
`
`(file system resources, operating system resources, etc.) on the destination
`
`computer, which effectively limits Downloadable functionality at the Java ™
`
`15
`
`interpreter. Sun Microsystems, Inc. has also provided access control
`
`management for basing Downloadable-accessible resources on Downloadable
`
`type. However, the above approaches are difficult for the ordinary web surfer to
`
`manage, severely limit Java ™ performance and functionality, and insufficiently
`
`protect the destination computer.
`
`20
`
`Other security system designers are currently considering digital signature
`
`registration stamp techniques, wherein, before a web browser will execute a
`
`Downloadable, the Downloadable must possess a digital signature registration
`
`stamp. Although a digital signature registration stamp will diminish the threat of
`
`131/202041.01
`041800/1521/40492.00001
`
`2
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 8
`
`

`
`Downloadables being intercepted, exchanged or corrupted, this approach only
`
`partially addresses the problem. This method does not stop a hostile
`
`Downloadable from being stamped with a digital signature, and a digital signature
`
`does not guarantee that a Downloadable is harmless. Therefore, a system and
`
`5 method are needed for protecting clients from hostile Downloadables.
`
`131/202041.01
`041800/1521/40492.00001
`
`3
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 9
`
`

`
`SUMMARY OF THE INVENTION
`
`The present invention provides a system for protecting a client from hostile
`
`Downloadables. The system includes security rules defining suspicious actions
`
`such as WRITE operations to a system configuration file, overuse of system
`
`5 memory, overuse of system processor time, etc. and security policies defining
`
`the appropriate responsive actions to rule violations such as terminating the
`
`applet, limiting the memory or processor time available to the applet, etc. The
`
`system includes an interface, such as Java ™ class extensions and operating
`
`system probes, for receiving incoming Downloadable and requests made by the
`
`10 Downloadable. The system still further includes a comparator coupled to the
`
`interface for examining the Downloadable, requests made by the Downloadable
`
`and runtime events to determine whether a security policy has been violated, and
`
`a response engine coupled to the comparator for performing the violation~based
`
`responsive action.
`
`15
`
`The present invention further provides a method for protecting a client
`
`from hostile Downloadables. The method includes the steps of recognizing a
`
`request made by a Downloadable during runtime, interrupting processing of the
`
`request, comparing information pertaining to the Downloadable against a
`
`predetermined security policy, recording all rule violations in a log, and
`
`20
`
`performing a predetermined responsive action based on the comparison.
`
`It will be appreciated that the system and method of the present invention
`
`use at least three hierarchical levels of security. A first level examines the
`
`incoming Downloadables against known suspicious Downloadables. A second
`
`131/202041.01
`041800/1521/40492.00001
`
`4
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 10
`
`

`
`level examines runtime events. A third level examines the Downloadables
`
`operating system requests against predetermined suspicious actions. Thus, the
`
`system and method of the invention are better able to locate hostile operations
`
`before client resources are damaged.
`
`131/202041.01
`041800/1521/40492.00001
`
`5
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 11
`
`

`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is a block diagram illustrating a network system in accordance with
`
`the present invention;
`
`FIG. 2 is a block diagram illustrating details of the client;
`
`5
`
`FIG. 3 is a block diagram illustrating details of a security system;
`
`FIG. 4 is a block diagram illustrating details of an alternative security
`
`system;
`
`FIG. 5 is a flowchart illustrating a method for protecting a client from
`
`suspicious Downloadables;
`
`10
`
`FIG. 6 is a flowchart illustrating the method for managing a suspicious
`
`Downloadable; and
`
`FIG. 7 is a flowchart illustrating a supplementary method for protecting a
`
`client from suspicious Downloadables.
`
`1311202041.01
`041800/1521/40492.00001
`
`6
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 12
`
`

`
`DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a network system 100 in accordance
`
`with the present invention. Network system 100 includes a server 110 coupled to
`
`a communications channel120, e.g., an Internet or an Intranet. The
`
`5
`
`communications channel120 is in turn coupled to a client 130, e.g., an individual
`
`computer, a network computer, a kiosk workstation, etc., which includes a
`
`security system 135 for protecting the client 130 from hostile (i.e., will adversely
`
`effect the operational characteristics of the client 130) or suspicious (i.e.,
`
`f'i'
`
`potentially hostile) downloadables.
`
`10
`
`Server 110 forwards a Downloadable 140 across the communications
`
`channel120 to the client 130. During runtime, the security system 135 examines
`
`each Downloadable 140 and the actions of each Downloadable 140 to monitor
`
`for hostile or suspicious actions.
`
`15
`
`FIG. 2 is a block diagram illustrating details of a client 130, which includes
`
`a Central Processing Unit (CPU) 205, such as a Motorola Power PC®
`
`microprocessor or an Intel Pentium® microprocessor, coupled to a signal bus
`
`220. The client 130 further includes an input device 210 such as a keyboard and
`
`mouse, an output device 215 such as a Cathode Ray Tube (CRT) display, a data
`
`20
`
`storage device 230 such as Read Only Memory (ROM) or magnetic disk, and a
`
`Random-Access Memory (RAM) 235, each being coupled to signal bus 220. A
`
`communications interface 225 is coupled between the communications channel
`
`120 and the signal bus 220.
`
`131/202041.01
`041800/1521/40492.00001
`
`7
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 13
`
`

`
`An operating system 260 controls processing by CPU 205, and is typically
`
`stored in data storage device 230 and loaded into RAM 235 for execution. The
`
`operating system 260 includes a file management system 265, a network
`
`management system 270, a process system 275 for controlling CPU 205, and a
`
`5 memory management system 280 for controlling memory use and allocation. A
`
`communications engine 240 generates and transfers message packets to and
`
`from the communications channel140 via the communications interface 225, and
`
`may also be stored in data storage device 230 and loaded into RAM 235 for
`
`execution.
`
`10
`
`The client 130 further includes a web browser 245, such as the
`
`Netscape™ web browser produced by the Netscape Corporation, the Internet
`
`Explorer™ web browser produced by the Microsoft Corporation, or the Java ™
`
`Developers Kit 1.0 web browser produced by Sun Microsystems, Inc., for
`
`communicating via the communications channel 120. The web browser 245
`
`15
`
`includes a Downloadable engine 250 for managing and executing received
`
`Downloadables 140.
`
`The client 130 further includes the security system 135 as described with
`
`reference to FIG. 1. The security system 135 may be stored in data storage
`
`device 230 and loaded into RAM 235 for execution. During runtime, the security
`
`20
`
`system 135 intercepts and examines Downloadables 140 and the actions of
`
`Downloadables 140 to monitor for hostile or suspicious actions. If the security
`
`system 135 recognizes a suspicious Downloadable 140 or a suspicious request,
`
`131/202041.01
`041800/1521/40492.00001
`
`8
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 14
`
`

`
`then the security system 135 can perform an appropriate responsive action such
`
`as terminating execution of the Downloadable 140.
`
`FIG. 3 is a block diagram illustrating details of the security system 135a,
`
`5 which is a first embodiment of security system 135 of FIG. 2 when operating in
`
`conjunction with a Java™ virtual machine 250 (i.e., the Downloadable engine
`
`250) that includes conventional Java ™ classes 302. Each of the Java ™ classes
`
`'"iJ
`
`302 performs a particular service such as loading applets, managing the network,
`
`managing file access, etc. Although applets are typically described with
`
`10
`
`reference to the Java ™ distributed environment, applets herein correspond to all
`
`downloadable executable or interpretable programs for use in any distributed
`
`environment such as in the ActiveX™ distributed environment.
`
`Examples of Java ™ classes used in Netscape Navigator™ include
`
`AppletSecurity.class, EmbeddedAppletFrame.class, AppletCiassloader.class,
`
`15 MozillaAppletContext.class, ServerSocket.class, SecurityException.class and
`
`SecurityManager.class, etc. Examples of Java TM classes used in Internet
`
`Explorer™ include AppletSecurity.class, BrowserAppletFrame.class,
`
`AppletCiassloader.class, ServerSocket.class, SecurityException.class and
`
`SecurityManager.class, etc. Other classes may include Broker.class,
`
`20
`
`BCinterface.class, SocketConnection.class, queueManager.class,
`
`BrowserExtension.class, Message.class, MemoryMeter.class and
`
`AppletDescription .class.
`
`The security system 135a includes Java ™ class extensions 304, wherein
`
`each extension 304 manages a respective one of the Java ™ classes 302. When
`
`1311202041.01
`041800/1521/40492.00001
`
`9
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 15
`
`

`
`a new applet requests the service of a Java class 302, the corresponding Java TM
`
`class extension 304 interrupts the request and generates a message to notify the
`
`request broker 306 of the Downloadable's request. The request broker 306 uses
`
`TCP/IP message passing protocol to forward the message to the event router
`
`5
`
`308.
`
`The security system 135a further includes operating system probes 310,
`
`312, 314 and 316. More particularly, a file management system probe 310
`
`recognizes applet instructions sent to the file system 265 of operating system
`
`260, a network system probe 312 recognizes applet instructions set to the
`
`10
`
`network management system 270 of operating system 260, a process system
`
`"
`
`probe 314 recognizes applet instructions sent to the process system 275 of
`
`operating system 260, and a memory management system probe 316 recognizes
`
`applet instructions sent to the memory system 280 of operating system 260.
`
`When any of the probes 310-316 recognizes an applet instruction, the
`
`15
`
`recognizing probe 310-316 sends a message to inform the event router 308.
`
`Upon receipt of a message, the event router 308 accordingly forwards the
`
`message to a Graphical User Interface (GUI) 324 for notifying the user of the
`
`request, to an event log 322 for recording the message for subsequent analysis,
`
`and to a runtime environment monitor 320 for determining whether the request
`
`20
`
`violates a security rule 330 stored in a security database 326. Security rules 330
`
`include a list of computer operations which are deemed suspicious. Suspicious
`
`operations may include READ/WRITE operations to a system configuration file,
`
`READ/WRITE operations to a document containing trade secrets, overuse of
`
`131/202041.01
`041800/1521/40492.00001
`
`10
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 16
`
`

`
`system memory, overuse of system processor time, too many applets running
`
`concurrently, or too many images being displayed concurrently. For example,
`
`the runtime environment monitor 320 may determine that a security rule 330 has
`
`been violated when it determines that an applet uses more than two megabytes
`
`5
`
`of RAM 235 or when the Java TM virtual machine 250 runs more than five applets
`
`concurrently.
`
`Upon recognition of a security rule 330 violation, the runtime environment
`
`monitor 320 records the violation with the event log 322, informs the user of the
`
`violation via the GUI 324 and forwards a message to inform the response engine
`
`10
`
`318 of the violation. The response engine 318 analyzes security policies 332
`
`stored in the security database 326 to determine the appropriate responsive
`
`action to the rule 330 violation. Appropriate responsive actions may include
`
`terminating the applet, limiting the memory or processor time available to the
`
`applet, etc. For example, the response engine 318 may determine that a security
`
`15
`
`policy 332 dictates that when more than five a.pplets are executed concurrently,
`
`operation of the applet using the greatest amount of RAM 235 should be
`
`terminated. Further, a security policy 332 may dictate that when an applet or a
`
`combination of applets violates a security policy 332, the response engine 318
`
`must add information pertaining to the applet or applets to the suspicious
`
`20 Downloadables database 328. Thus, when the applet or applets are
`
`encountered again, the response engine 318 can stop them earlier.
`
`The GUI 324 enables a user to add or modify the rules 330 of the security
`
`database 326, the policies 332 of the security database 326 and the suspicious
`
`131/202041.01
`041800/1521/40492.00001
`
`11
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 17
`
`

`
`applets of the suspicious Downloadables database 328. For example, a user
`
`can use the GUt 324 to add to the suspicious Downloadables database 328
`
`applets generally known to be hostile, applets deemed to be hostile by the other
`
`clients 130 (not shown), applets deemed to be hostile by network MIS managers,
`
`5
`
`etc. Further, a user can use the GUt 324 to add to the rules 330 actions
`
`generally known to be hostile, actions deemed to be hostile by network MIS
`
`managers, etc.
`
`It will be appreciated that the embodiment illustrated in FIG. 3 includes
`
`three levels of security. The first level examines the incoming Downloadables
`
`10
`
`140 against known suspicious Downloadables. The second level examines the
`
`Downloadables' access to the Java ™ classes 302. The third level examines the
`
`Downloadables requests to the operating system 260. Thus, the security system
`
`135a is better apt to locate a hostile operation before an operation damages
`
`client 130 resources.
`
`15
`
`FIG. 4 is a block diagram illustrating details of a security system 135b,
`
`which is a second embodiment of security system 135 when operating in
`
`conjunction with the ActiveX™ platform (i.e., the Downloadable engine 250)
`
`which uses message 401 calls, Dynamic-Data-Exchange (DOE) 402 calls and
`
`20 Dynamically-Linked-Library (DLL) 403 calls. Thus, instead of having Java ™
`
`class extensions 304, the security system 135 has a messages extension 401 for
`
`recognizing message 401 calls, a DOE extension 405 for recognizing ODE 402
`
`calls and a DLL extension 406 for recognizing DLL calls. Upon recognition of a
`
`call, each of the messages extension 404, the DOE extension 405 and the DLL
`
`131/202041.01
`041800/1521/40492.00001
`
`12
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 18
`
`

`
`extension 406 send a message to inform the request broker 306. The request
`
`broker 306 and the remaining elements operate similarly to the elements
`
`described with reference to FIG. 3.
`
`5
`
`FIG. 5 is a flowchart illustrating a method 500 for protecting a client 130
`
`from hostile and suspicious Downloadables 140. Method 500 begins with the
`
`extensions 304, 404, 405 or 406 in step 505 waiting to recognize the receipt of a
`
`request made by a Downloadable 140. Upon recognition of a request, the
`
`recognizing extension 304, 404, 405 or 406 in step 506 interrupts processing of
`
`~,:, 10
`
`the request and in step 508 generates and forwards a message identifying the
`
`incoming Downloadable 140 to the request broker 306, which forwards the
`
`message to the event router 308.
`
`The event router 308 in step 510 forwards the message to the GUI 324 for
`
`informing the user and in step 515 to the event log 322 for recording the event.
`
`15
`
`Further, the event router 308 in step 520 determines whether any of the incoming
`
`Downloadables 140 either alone or in combination are known or previously
`
`determined to be suspicious. If so, then method 500 jumps to step 530.
`
`Otherwise, the runtime environment monitor 320 and the response engine 318 in
`
`step 525 determine whether any of the executing Downloadables 140 either
`
`20
`
`alone or in combination violate a security rule 330 stored in the security database
`
`332.
`
`If a rule 330 has been violated, then the response engine 318 in step 530
`
`manages the suspicious Downloadable 140. Step 530 is described in greater
`
`detail with reference to FIG. 6. Otherwise, if a policy has not been violated, then
`
`131/202041.01
`041800/1521/40492.00001
`
`13
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 19
`
`

`
`response engine 318 in step 540 resumes operation of the Downloadable 140.
`
`In step 535, a determination is made whether to end method 500. For example,
`
`if the user disconnects the client 130 from the server 110, method 500 ends. If a
`
`request to end is made, then method 500 ends. Otherwise, method 500 returns
`
`5
`
`to step 505.
`
`FIG. 6 is a flowchart illustrating details of step 530. Since multiple rule
`
`330 violations may amount to a more serious violation and thus require a stricter
`
`response by the response engine 318, step 530 begins with the response engine
`
`~,;, 10
`
`318 in step 610 compiling all rule 330 violations currently occurring. The
`
`response engine 318 in step 620 compares the compiled rule 330 violations with
`
`the security policies 332 to determine the appropriate responsive action for
`
`managing the suspicious Downloadable 140 or Downloadables 140, and in step
`
`~:i
`
`630 the response engine 318 performs a predetermined responsive action.
`
`15 Predetermined responsive actions may include sending a message via the GUI
`
`324 to inform the user, recording the message in the event log 322, stopping
`
`execution of a suspicious Downloadable 140, storing a Downloadable 140 or
`
`combination of Downloadables 140 in the suspicious Downloadable database
`
`328, limiting memory available to the Downloadable 140, limiting processor time
`
`20
`
`available to the Downloadable 140, etc.
`
`FIG. 7 is a flowchart illustrating a supplementary method 700 for
`
`protecting a client 130 from suspicious Downloadables 140. Method 700 begins
`
`with operating system probes 310, 312, 314 and 316 in step 705 monitoring the
`
`131/202041.01
`041800/1521/40492.00001
`
`14
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 20
`
`

`
`operating system 260 for Operating System (OS) requests from Downloadables
`
`140. As illustrated by step 710, when one of the probes 310-316 recognizes
`
`receipt of an OS request, the recognizing probe 310-316 in step 715 interrupts
`
`the request and in step 720 f01wards a message to inform the event router 308.
`
`5
`
`The event router 308 in step 725 routes the information to each of the
`
`components of the security engine 135 as described with reference to FIG. 5.
`
`That is, the event router 308 forwards the information to the GUI 324 for
`
`informing the user, to the event log 322 for recordation and to the runtime
`
`environment monitor 320 for determining if the OS request violates a rule 330.
`
`~::1 10
`
`The response engine 318 compares the OS request alone or in combination with
`
`other violations against security policies 332 to determine the appropriate
`
`responsive actions. It will be appreciated that, based on the security policies
`
`332, the response engine 318 may determine that an OS request violation in
`
`combination with other OS request violations, in combination with rule 330
`
`15
`
`violations, or in combination with both other OS request violations· and rule 330
`
`violations merits a stricter responsive action.
`
`If the OS request does not violate a security rule 330, then the response
`
`engine 318 in step 730 instructs the operating system 260 via the recognizing
`
`probe 31 0-316 to resume operation of the OS request. Otherwise, if the OS
`
`20
`
`request violates a security rule 330, then the response engine 318 in step 730
`
`manages the suspicious Downloadable by performing the appropriate
`
`predetermined responsive actions as described with reference to FIGs. 5 and 6.
`
`In step 740, a determination is made whether to end method 700. If a request to
`
`131/202041.01
`041800/1521/40492.00001
`
`15
`
`BLUE COAT SYSTEMS - Exhibit 1072 Page 21
`
`

`
`end the method is made, then method 700 ends. Otherwise,