`BLUE COAT SYSTEMS - Exhibit 1075 Page 1



Case Docket No.: 557

Transmitted herewith for filing is the patent application of
Applicant(s): Shlomo Touboul
Title: System and Method for Protecting a Client from Hostile Downloadables

Enclosed are:
[x] __ pages of specification, claims and abstract.
[x] 7 sheets of [x] informal [ ] formal drawing(s).
[x] A declaration and power of attorney.
[x] An assignment transmittal.
[x] An assignment of the invention to: Finjan Software, Ltd. Please record the assignment and return to the undersigned.
[ ] A certified copy of a ____ application.
[ ] An associate power of attorney.
[x] A verified statement to establish small entity status under 37 CFR §§ 1.9 and 1.27.
[ ] PTO Form-1449 and copies of cited art.

The filing fee has been calculated as shown below:

                                  (Col. 1)     (Col. 2)    Small Entity          Other Than a Small Entity
                                  No. Filed    No. Extra   Rate       Fee        Rate       Fee
Basic Fee                                                             $385.00               $770.00
Total Claims                      43-20 = 23   23          x $11 =    $253.00    x $22 =    $
Indep. Claims                     4-3 = 1      1           x $40 =    $40.00     x $80 =    $
Multiple Dependent Claims Present [ ]                      + $130 =   $0.00      + $260 =   $
Total                                                                 $678.00               $

*If the difference in column 1 is less than zero, enter 0 in column 2.

[ ] Please charge my Deposit Account No. 06-0600 the amount of $ __. A duplicate copy of this sheet is enclosed.
[x] A check in the amount of $718.00 to cover the filing fee [x] and recording of assignment is enclosed.
[x] The Commissioner is hereby authorized to charge payment of the following fees during the pendency of this application or credit any overpayment to Deposit Account No. 06-0600. A duplicate copy of this sheet is enclosed.
    [x] Any additional filing fees required under 37 CFR § 1.16.
    [x] Any patent application processing fees under 37 CFR § 1.17.
    [ ] The issue fee set in 37 CFR § 1.18 at or before mailing of the Notice of Allowance, pursuant to 37 CFR § 1.311(b).

Dated: 1/29/97

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

APPLICANT(S): Shlomo Touboul
SERIAL NO.: Unknown
FILING DATE: On Even Date Herewith
TITLE: System and Method for Protecting a Client from Hostile Downloadables
EXAMINER: Unknown
GROUP ART UNIT: Unknown
ATTY. DKT. NO.: P-557

ASSISTANT COMMISSIONER FOR PATENTS
WASHINGTON, D.C. 20231

CERTIFICATE OF EXPRESS MAIL

SIR:

"Express Mail" mailing label number: [illegible]
Date of Deposit: January 29, 1997

I hereby certify that this paper or fee is being deposited with the United States Postal Service "Express Mail Post Office to Addressee" service under 37 CFR 1.10 on the date indicated above and is addressed to Assistant Commissioner for Patents, Washington, D.C. 20231.

Deposited by: Isis Nieto
(Signature of person mailing paper or fee)

[Drawing sheets: FIG. 1 through FIG. 7 (Exhibit 1075, pages 6 to 12); only the figure labels are legible.]

SYSTEM AND METHOD FOR PROTECTING A CLIENT FROM HOSTILE DOWNLOADABLES

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to co-pending provisional patent application filed on November 8, 1996, entitled "System and Method for Protecting a Computer from Hostile Downloadables," serial number 60/030,639, by inventor Shlomo Touboul, which subject matter is hereby incorporated by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly to a system and method for protecting clients from hostile Downloadables.

2. Description of the Background Art

The Internet currently interconnects about 100,000 individual computer networks and several million computers. Because it is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as "viruses."

-1-

PATENT

In response to the widespread generation and distribution of computer viruses, programmers continue to design and update security systems for blocking these viruses from attacking both individual and network computers. For the most part, these security systems have been relatively successful. However, these security systems are typically not configured to recognize computer viruses which have been attached to or masked as harmless Downloadables (i.e., applets). A Downloadable is a small executable or interpretable application program which is downloaded from a source computer and run on a destination computer. A Downloadable is used in a distributed environment such as in the Java™ distributed environment produced by Sun Microsystems or in the ActiveX™ distributed environment produced by Microsoft Corporation.

Hackers have developed hostile Downloadables designed to penetrate security holes in Downloadable interpreters. In response, Sun Microsystems, Inc. has developed a method of restricting Downloadable access to resources (file system resources, operating system resources, etc.) on the destination computer, which effectively limits Downloadable functionality at the Java™ interpreter. Sun Microsystems, Inc. has also provided access control management for basing Downloadable-accessible resources on Downloadable type. However, the above approaches are difficult for

-2-

the ordinary web surfer to manage, severely limit Java™ performance and functionality, and insufficiently protect the destination computer.

Other security system designers are currently considering digital signature registration stamp techniques, wherein, before a web browser will execute a Downloadable, the Downloadable must possess a digital signature registration stamp. Although a digital signature registration stamp will diminish the threat of Downloadables being intercepted, exchanged or corrupted, this approach only partially addresses the problem. This method does not stop a hostile Downloadable from being stamped with a digital signature, and a digital signature does not guarantee that a Downloadable is harmless. Therefore, a system and method are needed for protecting clients from hostile Downloadables.

-3-

SUMMARY OF THE INVENTION

The present invention provides a system for protecting a client from hostile Downloadables. The system includes security rules defining suspicious actions such as WRITE operations to a system configuration file, overuse of system memory, overuse of system processor time, etc., and security policies defining the appropriate responsive actions to rule violations such as terminating the applet, limiting the memory or processor time available to the applet, etc. The system includes an interface, such as Java™ class extensions and operating system probes, for receiving an incoming Downloadable and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing the violation-based responsive action.

The present invention further provides a method for protecting a client from hostile Downloadables. The method includes the steps of recognizing a request made by a Downloadable during runtime, interrupting processing of the request, comparing information pertaining to the Downloadable against a predetermined security

-4-

policy, recording all rule violations in a log, and performing a predetermined responsive action based on the comparison.

It will be appreciated that the system and method of the present invention use at least three hierarchical levels of security. A first level examines the incoming Downloadables against known suspicious Downloadables. A second level examines runtime events. A third level examines the Downloadables' operating system requests against predetermined suspicious actions. Thus, the system and method of the invention are better able to locate hostile operations before client resources are damaged.

-5-

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network system in accordance with the present invention;

FIG. 2 is a block diagram illustrating details of the client;

FIG. 3 is a block diagram illustrating details of a security system;

FIG. 4 is a block diagram illustrating details of an alternative security system;

FIG. 5 is a flowchart illustrating a method for protecting a client from suspicious Downloadables;

FIG. 6 is a flowchart illustrating the method for managing a suspicious Downloadable; and

FIG. 7 is a flowchart illustrating a supplementary method for protecting a client from suspicious Downloadables.

-6-

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a network system 100 in accordance with the present invention. Network system 100 includes a server 110 coupled to a communications channel 120, e.g., an Internet or an Intranet. The communications channel 120 is in turn coupled to a client 130, e.g., an individual computer, a network computer, a kiosk workstation, etc., which includes a security system 135 for protecting the client 130 from hostile (i.e., will adversely affect the operational characteristics of the client 130) or suspicious (i.e., potentially hostile) Downloadables.

Server 110 forwards a Downloadable 140 across the communications channel 120 to the client 130. During runtime, the security system 135 examines each Downloadable 140 and the actions of each Downloadable 140 to monitor for hostile or suspicious actions.

FIG. 2 is a block diagram illustrating details of a client 130, which includes a Central Processing Unit (CPU) 205, such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor, coupled to a signal bus 220. The client 130 further includes an input device 210 such as a keyboard and mouse, an output device 215 such as a Cathode Ray Tube (CRT) display, a data

-7-

storage device 230 such as Read Only Memory (ROM) or magnetic disk, and a Random-Access Memory (RAM) 235, each being coupled to signal bus 220. A communications interface 225 is coupled between the communications channel 120 and the signal bus 220.

An operating system 260 controls processing by CPU 205, and is typically stored in data storage device 230 and loaded into RAM 235 for execution. The operating system 260 includes a file management system 265, a network management system 270, a process system 275 for controlling CPU 205, and a memory management system 280 for controlling memory use and allocation. A communications engine 240 generates and transfers message packets to and from the communications channel 140 via the communications interface 225, and may also be stored in data storage device 230 and loaded into RAM 235 for execution.

The client 130 further includes a web browser 245, such as the Netscape™ web browser produced by the Netscape Corporation, the Internet Explorer™ web browser produced by the Microsoft Corporation, or the Java™ Developers Kit 1.0 web browser produced by Sun Microsystems, Inc., for communicating via the communications channel 120. The web browser 245 includes a Downloadable engine 250 for managing and executing received Downloadables 140.

-8-

The client 130 further includes the security system 135 as described with reference to FIG. 1. The security system 135 may be stored in data storage device 230 and loaded into RAM 235 for execution. During runtime, the security system 135 intercepts and examines Downloadables 140 and the actions of Downloadables 140 to monitor for hostile or suspicious actions. If the security system 135 recognizes a suspicious Downloadable 140 or a suspicious request, then the security system 135 can perform an appropriate responsive action such as terminating execution of the Downloadable 140.

FIG. 3 is a block diagram illustrating details of the security system 135a, which is a first embodiment of security system 135 of FIG. 2 when operating in conjunction with a Java™ virtual machine 250 (i.e., the Downloadable engine 250) that includes conventional Java™ classes 302. Each of the Java™ classes 302 performs a particular service such as loading applets, managing the network, managing file access, etc. Although applets are typically described with reference to the Java™ distributed environment, applets herein correspond to all downloadable executable or interpretable programs for use in any distributed environment such as in the ActiveX™ distributed environment.

-9-

Examples of Java™ classes used in Netscape Navigator™ include AppletSecurity.class, EmbeddedAppletFrame.class, AppletClassLoader.class, MozillaAppletContext.class, ServerSocket.class, SecurityException.class and SecurityManager.class, etc. Examples of Java™ classes used in Internet Explorer™ include AppletSecurity.class, BrowserAppletFrame.class, AppletClassLoader.class, ServerSocket.class, SecurityException.class and SecurityManager.class, etc. Other classes may include Broker.class, BCinterface.class, SocketConnection.class, queueManager.class, BrowserExtension.class, Message.class, MemoryMeter.class and AppletDescription.class.

The security system 135a includes Java™ class extensions 304, wherein each extension 304 manages a respective one of the Java™ classes 302. When a new applet requests the service of a Java™ class 302, the corresponding Java™ class extension 304 interrupts the request and generates a message to notify the request broker 306 of the Downloadable's request. The request broker 306 uses TCP/IP message passing protocol to forward the message to the event router 308.

The security system 135a further includes operating system probes 310, 312, 314 and 316. More particularly, a file management

-10-

system probe 310 recognizes applet instructions sent to the file system 265 of operating system 260, a network system probe 312 recognizes applet instructions sent to the network management system 270 of operating system 260, a process system probe 314 recognizes applet instructions sent to the process system 275 of operating system 260, and a memory management system probe 316 recognizes applet instructions sent to the memory system 280 of operating system 260. When any of the probes 310-316 recognizes an applet instruction, the recognizing probe 310-316 sends a message to inform the event router 308.

Upon receipt of a message, the event router 308 accordingly forwards the message to a Graphical User Interface (GUI) 324 for notifying the user of the request, to an event log 322 for recording the message for subsequent analysis, and to a runtime environment monitor 320 for determining whether the request violates a security rule 330 stored in a security database 326. Security rules 330 include a list of computer operations which are deemed suspicious. Suspicious operations may include READ/WRITE operations to a system configuration file, READ/WRITE operations to a document containing trade secrets, overuse of system memory, overuse of system processor time, too many applets running concurrently, or too many images being displayed concurrently. For example, the

-11-

runtime environment monitor 320 may determine that a security rule 330 has been violated when it determines that an applet uses more than two megabytes of RAM 235 or when the Java™ virtual machine 250 runs more than five applets concurrently.

Upon recognition of a security rule 330 violation, the runtime environment monitor 320 records the violation with the event log 322, informs the user of the violation via the GUI 324 and forwards a message to inform the response engine 318 of the violation. The response engine 318 analyzes security policies 332 stored in the security database 326 to determine the appropriate responsive action to the rule 330 violation. Appropriate responsive actions may include terminating the applet, limiting the memory or processor time available to the applet, etc. For example, the response engine 318 may determine that a security policy 332 dictates that when more than five applets are executed concurrently, operation of the applet using the greatest amount of RAM 235 should be terminated. Further, a security policy 332 may dictate that when an applet or a combination of applets violates a security policy 332, the response engine 318 must add information pertaining to the applet or applets to the suspicious Downloadables database 328. Thus, when the applet or applets are encountered again, the response engine 318 can stop them earlier.

-12-

The GUI 324 enables a user to add or modify the rules 330 of the security database 326, the policies 332 of the security database 326 and the suspicious applets of the suspicious Downloadables database 328. For example, a user can use the GUI 324 to add to the suspicious Downloadables database 328 applets generally known to be hostile, applets deemed to be hostile by the other clients 130 (not shown), applets deemed to be hostile by network MIS managers, etc. Further, a user can use the GUI 324 to add to the rules 330 actions generally known to be hostile, actions deemed to be hostile by network MIS managers, etc.

It will be appreciated that the embodiment illustrated in FIG. 3 includes three levels of security. The first level examines the incoming Downloadables 140 against known suspicious Downloadables. The second level examines the Downloadables' access to the Java™ classes 302. The third level examines the Downloadables' requests to the operating system 260. Thus, the security system 135a is better able to locate a hostile operation before an operation damages client 130 resources.

FIG. 4 is a block diagram illustrating details of a security system 135b, which is a second embodiment of security system 135 when operating in conjunction with the ActiveX™ platform (i.e., the

-13-

Downloadable engine 250) which uses message 401 calls, Dynamic-Data-Exchange (DDE) 402 calls and Dynamically-Linked-Library (DLL) 403 calls. Thus, instead of having Java™ class extensions 304, the security system 135 has a messages extension 401 for recognizing message 401 calls, a DDE extension 405 for recognizing DDE 402 calls and a DLL extension 406 for recognizing DLL calls. Upon recognition of a call, each of the messages extension 404, the DDE extension 405 and the DLL extension 406 sends a message to inform the request broker 306. The request broker 306 and the remaining elements operate similarly to the elements described with reference to FIG. 3.

FIG. 5 is a flowchart illustrating a method 500 for protecting a client 130 from hostile and suspicious Downloadables 140. Method 500 begins with the extensions 304, 404, 405 or 406 in step 505 waiting to recognize the receipt of a request made by a Downloadable 140. Upon recognition of a request, the recognizing extension 304, 404, 405 or 406 in step 506 interrupts processing of the request and in step 508 generates and forwards a message identifying the incoming Downloadable 140 to the request broker 306, which forwards the message to the event router 308.

-14-

The event router 308 in step 510 forwards the message to the GUI 324 for informing the user and in step 515 to the event log 322 for recording the event. Further, the event router 308 in step 520 determines whether any of the incoming Downloadables 140 either alone or in combination are known or previously determined to be suspicious. If so, then method 500 jumps to step 530. Otherwise, the runtime environment monitor 320 and the response engine 318 in step 525 determine whether any of the executing Downloadables 140 either alone or in combination violate a security rule 330 stored in the security database 332.

If a rule 330 has been violated, then the response engine 318 in step 530 manages the suspicious Downloadable 140. Step 530 is described in greater detail with reference to FIG. 6. Otherwise, if a policy has not been violated, then response engine 318 in step 540 resumes operation of the Downloadable 140. In step 535, a determination is made whether to end method 500. For example, if the user disconnects the client 130 from the server 110, method 500 ends. If a request to end is made, then method 500 ends. Otherwise, method 500 returns to step 505.

FIG. 6 is a flowchart illustrating details of step 530. Since multiple rule 330 violations may amount to a more serious violation

-15-

and thus require a stricter response by the response engine 318, step 530 begins with the response engine 318 in step 610 compiling all rule 330 violations currently occurring. The response engine 318 in step 620 compares the compiled rule 330 violations with the security policies 332 to determine the appropriate responsive action for managing the suspicious Downloadable 140 or Downloadables 140, and in step 630 the response engine 318 performs a predetermined responsive action. Predetermined responsive actions may include sending a message via the GUI 324 to inform the user, recording the message in the event log 322, stopping execution of a suspicious Downloadable 140, storing a Downloadable 140 or combination of Downloadables 140 in the suspicious Downloadable database 328, limiting memory available to the Downloadable 140, limiting processor time available to the Downloadable 140, etc.
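The rule and policy evaluation of the FIG. 3 security system and the decision flow of steps 520 through 630 (FIGS. 5 and 6), as an added Python model that is not part of the application or of any Finjan product. The two megabyte and five applet thresholds and the "terminate the applet using the greatest amount of RAM" policy come from the text; the rule names, the policy table, the file paths and the six applets are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

MEGABYTE = 1024 * 1024
# Constructed sample targets standing in for the "system configuration file"
# and the "document containing trade secrets" named in the security rules 330.
SYSTEM_CONFIG_FILES = {"/etc/system.cfg"}
TRADE_SECRET_DOCS = {"/docs/trade_secrets.doc"}


@dataclass
class Applet:
    name: str
    ram_bytes: int
    running: bool = True
    ram_limit: int = 0          # 0 means no limit imposed yet


@dataclass
class Request:
    applet: str
    operation: str              # "READ" or "WRITE"
    target: str


@dataclass
class SecuritySystem:
    """Monitor 320, response engine 318, event log 322 and database 328 in one object."""
    applets: dict = field(default_factory=dict)
    suspicious_db: set = field(default_factory=set)
    event_log: list = field(default_factory=list)
    max_ram: int = 2 * MEGABYTE     # rule 330 example: more than two megabytes
    max_concurrent: int = 5         # rule 330 example: more than five applets

    def running_applets(self):
        return [a for a in self.applets.values() if a.running]

    def check_rules(self, req):
        """Step 525: evaluate the security rules 330 against the request and
        the runtime state; return the names of the violated rules."""
        applet = self.applets[req.applet]
        violations = []
        if req.operation == "WRITE" and req.target in SYSTEM_CONFIG_FILES:
            violations.append("WRITE_SYSTEM_CONFIG")
        if req.target in TRADE_SECRET_DOCS:
            violations.append("ACCESS_TRADE_SECRET")
        if applet.ram_bytes > self.max_ram:
            violations.append("MEMORY_OVERUSE")
        if len(self.running_applets()) > self.max_concurrent:
            violations.append("TOO_MANY_APPLETS")
        return violations

    def apply_policies(self, req, violations):
        """Steps 610-630: compare the compiled violations with the security
        policies 332 and perform the responsive actions (assumed policy table)."""
        applet = self.applets[req.applet]
        actions = []
        hostile = {"KNOWN_SUSPICIOUS", "WRITE_SYSTEM_CONFIG", "ACCESS_TRADE_SECRET"}
        if hostile & set(violations):
            applet.running = False
            actions.append(("TERMINATE", applet.name))
            if applet.name not in self.suspicious_db:
                # Remember the applet so that step 520 stops it earlier next time.
                self.suspicious_db.add(applet.name)
                actions.append(("ADD_TO_SUSPICIOUS_DB", applet.name))
        elif "MEMORY_OVERUSE" in violations:
            applet.ram_limit = self.max_ram
            actions.append(("LIMIT_MEMORY", applet.name))
        if "TOO_MANY_APPLETS" in violations and self.running_applets():
            # Policy example from the text: terminate the applet using the most RAM.
            greediest = max(self.running_applets(), key=lambda a: a.ram_bytes)
            greediest.running = False
            actions.append(("TERMINATE", greediest.name))
        return actions

    def handle_request(self, req):
        """Method 500 for a request already interrupted by an extension (step 506):
        log it (515), check database 328 (520) and rules 330 (525), then resume
        the request (540) or manage the applet (530)."""
        self.event_log.append(("REQUEST", req.applet, req.operation, req.target))
        if req.applet in self.suspicious_db:
            violations = ["KNOWN_SUSPICIOUS"]
        else:
            violations = self.check_rules(req)
        if not violations:
            return "RESUME", []
        self.event_log.append(("VIOLATION", req.applet, tuple(violations)))
        return "MANAGED", self.apply_policies(req, violations)


def run_scenario():
    """Constructed scenario: six applets (RAM in megabytes) and five requests."""
    system = SecuritySystem()
    for name, ram in [("A", 1), ("B", 1), ("C", 3), ("D", 1), ("E", 4), ("F", 1)]:
        system.applets[name] = Applet(name, ram * MEGABYTE)
    requests = [
        Request("A", "READ", "/docs/report.txt"),   # six applets running: too many
        Request("B", "WRITE", "/etc/system.cfg"),   # hostile configuration write
        Request("B", "READ", "/docs/report.txt"),   # B is now known suspicious
        Request("C", "READ", "/docs/report.txt"),   # C uses 3 MB: over the limit
        Request("D", "READ", "/docs/report.txt"),   # clean request: resumed
    ]
    return system, [system.handle_request(r) for r in requests]
```

The third request shows the first level of security at work: once B has been stored in database 328, the rules are not consulted again and the applet is stopped at step 520.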

FIG. 7 is a flowchart illustrating a supplementary method 700 for protecting a client 130 from suspicious Downloadables 140. Method 700 begins with operating system probes 310, 312, 314 and 316 in step 705 monitoring the operating system 260 for Operating System (OS) requests from Downloadables 140. As illustrated by step 710, when one of the probes 310-316 recognizes receipt of an OS request, the recognizing probe 310-316 in step 715 interrupts the

-16-

request and in step 720 forwards a message to inform the event router 308.

The event router 308 in step 725 routes the information to each of the components of the security engine 135 as described with reference to FIG. 5. That is, the event router 308 forwards the information to the GUI 324 for informing the user, to the event log 322 for recordation and to the runtime environment monitor 320 for determining if the OS request violates a rule 330. The response engine 318 compares the OS request alone or in combination with other violations against security policies 332 to determine the appropriate responsive actions. It will be appreciated that, based on the security policies 332, the response engine 318 may determine that an OS request violation in combination with other OS request violations, in combination with rule 330 violations, or in combination with both other OS request violations and rule 330 violations merits a stricter responsive action.

If the OS request does not violate a security rule 330, then the response engine 318 in step 730 instructs the operating system 260 via the recognizing probe 310-316 to resume operation of the OS request. Otherwise, if the OS request violates a security rule 330, then the response engine 318 in step 730 manages the suspicious Downloadable by performing the appropriate predetermined

-17-

responsive actions as described with reference to FIGs. 5 and 6. In step 740, a determination is made whether to end method 700. If a request to end the method is made, then method 700 ends. Otherwise, method 700 returns to step 705.

The foregoing description of the preferred embodiments of the invention is by way of example only, and other variations of the above-described embodiments and methods are provided by the present invention. For example, although the invention has been described in a system for protecting an internal computer network, the invention can be embodied in a system for protecting an individual computer. Components of this invention may be implemented using a programmed general purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. The embodiments described herein have been presented for purposes of illustration and are not intended to be exhaustive or limiting. Many variations and modifications are possible in light of the foregoing teaching. The system is limited only by the following claims.

-18-

WHAT IS CLAIMED IS:

1. A computer-based method, comprising
recognizing a request made by a
during runtime;
interrupting processing
comparing information
to the Downloadable against
a predetermined
performing
action based on the

2. The method of claim 1, wherein the step
includes
monitoring a request sent to a Downloadable

3. The method of claim 2,
wherein the Downloada
a Java™ virtual
machine having Java™
Java™ class for receipt of the request.

4.

-19-

wherein the Downloadable engine includes an AppletX™
platform having a message engine, a dynamic-data-exchange and a
dynamically-linked library; and
wherein the step of recognizing includes
message engine, the dynamic-data-exchange
linked library for receipt of the request.

5. The method of claim 1, further
the step of
determining whether information pertaining to the Downloadable
violates a security rule.

6. The method of claim 5
comprising the step of
determining whether
of the
security rule violates the
security policy.

7.
e steps of:
pertaining to the Downloadable with
information
predetermined suspicious Downloadable;
and
a predetermined responsive action based on the
the information pertaining to the predetermined

-20-

8. The method of claim 1, wherein the predetermined responsive
action
results of the comparison in an event log.

9.
, wherein the predetermined responsive
the user
security policy has been

10. The method of
predetermined responsive
a suspicious

11. The method of
predetermined responsive

12. A system, comprising
a security policy
an interface
recognizing a request made by a Downloadable;
a first comparator coupled to the interface for comparing
information
pertaining to the received Downloadable with the
policy; and


a response engine coupled
performing a predetermined
action based on the

13. The system of claim 12, wherein the interface includes a Java™
class extension for monitoring a Java™ class in
Java™ virtual
machine for receipt of a request.

14. The system of claim 12, wherein the interface includes an
AppletX™ extension for monitoring a message engine, a dynamic-
data-exchange and a dynamically-linked library in an AppletX™
environment for receipt of a request.

15. The system of claim
a security rule; and
response engine, for determining whether information pertaining to
the Downloadable violates the security rule.

16. The system of claim 15, wherein the first comparator
determines
security
violation of the
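The mechanism the claims describe (recognize a request made by a Downloadable at runtime, compare the Downloadable's information against a security policy and against predetermined suspicious Downloadables, then perform a predetermined responsive action such as recording the result in an event log, notifying the user or discarding) can be sketched as a small policy engine. This is an added example written here in Python, not code from the patent or its assignee; the Downloadable, SecurityPolicy and check_request names, the rule set, the trusted-origin list and the sample data are all constructed for illustration.

```python
# Added example, not from the patent: a runtime policy check modelled on
# the claims. A Downloadable's request is intercepted, its information is
# compared against a security policy (rules plus a set of predetermined
# suspicious Downloadables), and a predetermined responsive action is
# returned and recorded in an event log. All names and data are constructed.
from dataclasses import dataclass, field
from typing import Optional
import hashlib

@dataclass
class Downloadable:
    name: str
    origin: str   # constructed: host the code was received from
    code: bytes   # received code; its digest identifies the Downloadable

    def digest(self) -> str:
        return hashlib.sha256(self.code).hexdigest()

@dataclass
class SecurityPolicy:
    rules: dict = field(default_factory=dict)      # operation -> permitted?
    suspicious: set = field(default_factory=set)   # digests of known-bad code
    trusted_origins: set = field(default_factory=set)

EVENT_LOG: list = []   # the claims' event log, kept in memory here

def rule_violation(policy: SecurityPolicy, dl: Downloadable, request: dict) -> Optional[str]:
    """Return why the request violates a security rule, or None if it does not.
    Unknown operations are treated as violations (deny by default)."""
    op = request["operation"]
    if op not in policy.rules:
        return f"unknown operation {op!r}"
    if not policy.rules[op] and dl.origin not in policy.trusted_origins:
        return f"operation {op!r} not permitted for origin {dl.origin}"
    return None

def check_request(policy: SecurityPolicy, dl: Downloadable, request: dict) -> str:
    """Interrupt the request, compare, and choose the responsive action."""
    if dl.digest() in policy.suspicious:          # claim 7 style comparison
        EVENT_LOG.append(f"{dl.name}: matches a suspicious Downloadable; discarded")
        return "discard"
    reason = rule_violation(policy, dl, request)  # claims 5/6 style check
    if reason:
        EVENT_LOG.append(f"{dl.name}: {reason}; user notified")
        return "notify_user"
    EVENT_LOG.append(f"{dl.name}: {request['operation']} allowed")
    return "allow"

if __name__ == "__main__":
    policy = SecurityPolicy(rules={"file_read": True, "net_connect": False},
                            trusted_origins={"intranet.example"})
    applet = Downloadable("applet1", "www.example.net", b"class A {}")
    print(check_request(policy, applet, {"operation": "net_connect"}), EVENT_LOG[-1])
```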
