`Attorney Docket No. 0079152-000017
`
`IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`
`UTILITY PATENT APPLICATION TRANSMITTAL LETTER
`FOR ELECTRONICALLY FILED UTILITY APPLICATION
`
`Commissioner for Patents
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
Customer Number 21839
`
`Sir:
`
`D
`
`Enclosed for filing is the utility patent application entitled:
`
`System For and a Method of Cognitive Behavior Recognition
`
`by the following named inventor:
`
`Srinivas KUMAR
`
`Applicant(s) suggests Figure_ for inclusion on the front page of the patent application
`publication and patent.
`
`Applicant(s) requests that the published application include the following assignment information:
`TAASERA, INC., Erie, PA, USA.
`
`cg]
`
`Small entity status is claimed.
`
`Also enclosed are:
`
`1
`DRAWINGS:
`sheets of drawings
`DECLARATION: D will follow
`executed, is enclosed D unexecuted, is enclosed
`D will follow
`
`ASSIGNMENT:
`
`cg]
`
`cg]
`
`is being filed electronically concurrent with the
`electronic filing of the application.
`
`CLAIM FOR
`PRIORITY
`UNDER 35 USC D
`§ 119 and/or
`365:
`
`is hereby made as follows:
`
`Country
`
`Appl. No.
`
`Filing Date
`MM-DD-YYYY
`
`D Certified copy will follow.
`D
`Certified copy being paper filed concurrent with eFiling of this application.
`D
`Priority document exchange requested.
`
Buchanan Ingersoll & Rooney PC
Attorneys & Government Relations Professionals

(09/12)
`
`Palo Alto Networks - Exhibit 1002
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 1 of 234
`
`
`
`Utility Patent Application Transmittal Letter
`Application No. Unassigned
`Attorney's Docket No. 0079152-000017
`Page 2
`
OTHER PAPERS:

[X] A General Authorization for Petitions for Extensions of Time and Payment of Fees
[X] An Information Disclosure Statement
[X] An Application Data Sheet
[X] Other: CERTIFICATION AND REQUEST FOR PRIORITIZED EXAMINATION with $2,400.00 fee.
`
[X] The filing fee has been calculated as follows:

Basic Patent Application Filing Fee (1011): $98.00
Examination Fee (1311): $125.00
Search Fee (1111): $310.00
Total Claims: 24, minus 20 = 4 extra claims x $31.00 (1202): 124.00
Independent Claims: 2, minus 3 = 0 extra claims x $125.00 (1201)
If multiple dependent claims are presented, add $450.00 (1203)
App. Size Fee (app + dwgs. exceeding 100 sheets) - $310.00 / each add'l. 50 sheets (1081)
TOTAL APPLICATION FEE DUE: $657.00

[ ] This application is being filed without a filing fee. Issuance of a Notice to File Missing Parts of Application is respectfully requested.

Charge $3,057.00 to credit card. Filing fee is being paid electronically concurrent with filing of application.
`
`The Director is hereby authorized to charge any appropriate fees under 37 C. F. R. §§ 1.16, 1.17
`and 1.21 that may be required by this paper, and to credit any overpayment, to Deposit Account
`No. 02-4800.
`
`Please address all correspondence concerning this application to:
`
`Buchanan Ingersoll & Rooney PC
Customer Number 21839
`
`Date: January 15, 2013
`
`Customer Number 21839
`703.836.6620
`
`
`
`
`Attorney Docket No. 0079152-000017
`
`IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`
In re Patent Application of

Srinivas KUMAR

Application No.: Unassigned
Filed: January 15, 2013
Group Art Unit: Unassigned
Confirmation No.: Unassigned

For: System For and a Method of Cognitive Behavior Recognition
`
`GENERAL AUTHORIZATION FOR PETITIONS
`FOR EXTENSIONS OF TIME AND PAYMENT OF FEES
`
`Commissioner for Patents
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
`Sir:
`
`In accordance with 37 C.F.R. § 1.136(a)(3), the U.S. Patent and Trademark Office is
`hereby provided with a general authorization to treat any concurrent or future reply requiring a
`petition for an extension of time for its timely submission as containing a request therefor for the
`appropriate length of time.
`
`The Commissioner is hereby authorized to charge any appropriate fees that may be
`required by this paper, or any other submissions in this application, and to credit any
`overpayment, to Deposit Account No. 02-4800.
`
`Respectfully submitted,
`
`BUCHANAN INGERSOLL & ROONEY PC
`
By:
Charles F. Wieland III
Registration No. 33,096
`
`Date:
`
`January 15, 2013
`
`Customer Number 21839
`703.836.6620
`
`
`
`
`Doc Code: TRACK1.REQ
`Document Description: TrackOne Request
`
`PTO/AIA/424 (09-12)
`
`CERTIFICATION AND REQUEST FOR PRIORITIZED EXAMINATION
`UNDER 37 CFR 1.102(e) (Page 1 of 1)
`
Nonprovisional Application Number (if known):
First Named Inventor: Kumar, Srinivas
Title of Invention: System for and a Method of Cognitive Behavior Recognition
`
`APPLICANT HEREBY CERTIFIES THE FOLLOWING AND REQUESTS PRIORITIZED EXAMINATION FOR
`THE ABOVE-IDENTIFIED APPLICATION.
`
`1. The processing fee set forth in 37 CFR 1.17(i), the prioritized examination fee set forth in 37 CFR 1.17(c), and if
`not already paid, the publication fee set forth in 37 CFR 1.18(d) have been filed with the request. The basic filing
`fee, search fee, examination fee, and any required excess claims and application size fees are filed with the
request or have already been paid.
`
`2. The application contains or is amended to contain no more than four independent claims and no more than thirty
`total claims, and no multiple dependent claims.
`
`3. The applicable box is checked below:
`
I. [X] Original Application (Track One) - Prioritized Examination under § 1.102(e)(1)

i. (a) The application is an original nonprovisional utility application filed under 35 U.S.C. 111(a). This certification and request is being filed with the utility application via EFS-Web.

---OR---

(b) The application is an original nonprovisional plant application filed under 35 U.S.C. 111(a). This certification and request is being filed with the plant application in paper.

ii. An executed oath or declaration under 37 CFR 1.63 is filed with the application.

II. [ ] Request for Continued Examination - Prioritized Examination under § 1.102(e)(2)

i. A request for continued examination has been filed with, or prior to, this form.
ii. If the application is a utility application, this certification and request is being filed via EFS-Web.
iii. The application is an original nonprovisional utility application filed under 35 U.S.C. 111(a), or is a national stage entry under 35 U.S.C. 371.
iv. This certification and request is being filed prior to the mailing of a first Office action responsive to the request for continued examination.
v. No prior request for continued examination has been granted prioritized examination status under 37 CFR 1.102(e)(2).
`
Signature:
Date: January 15, 2013
Name (Print/Typed): Charles F. Wieland III
Practitioner Registration: 33,096

Note: This form must be signed in accordance with 37 CFR 1.33. See 37 CFR 1.4(d) for signature requirements and certification. Submit multiple forms if more than one signature is required. See below*.

[ ] *Total of ___ forms are submitted.
`
`
`
`
Application Data Sheet 37 CFR 1.76

Attorney Docket Number: 0079152-000017
Application Number: Unassigned
Title of Invention: SYSTEM FOR AND A METHOD OF COGNITIVE BEHAVIOR RECOGNITION

Secrecy Order 37 CFR 5.2:

Secrecy Order in Parent Appl.?: No

Inventor Information:

Inventor 1 - Legal Name
Given Name: Srinivas
Middle Name:
Family Name: KUMAR
Suffix:

Residence Information (Select One)
[X] US Residency  [ ] Non US Residency  [ ] Active US Military Service
City: Cupertino
State/Province: California
Country: USA

Mailing Address of Inventor
Street: 19930 Olivewood Street, Unit #C
City: Cupertino
State/Province: California
Country: USA
Postal/Zip Code: 95014
`
`
`
Correspondence Information:

Correspondence Customer Number: 21839

Application Information:

Title: System For and a Method of Cognitive Behavior Recognition
Attorney Docket Number: 0079152-000017
Small Entity?: Yes
Application Type: Nonprovisional
Subject Matter: Utility
Suggested Class (if any):
Sub Class (if any):
Suggested Technology Center (if any):
Total Number of Drawing Sheets (if any): 4
Suggested Figure for Publication (if any): Fig. 1

Publication Information:

Request for Early Publication?: No
Request for Non-Publication?: No

Representative Information:

Representative Customer Number: 21839
`
`
`
Authorization to Permit Access:

[X] Authorization to Permit Access to the Instant Application by the Participating Offices
`
`If checked, the undersigned hereby grants the USPTO authority to provide the European Patent Office (EPO), the Japan
`Patent Office (JPO), the Korean Intellectual Property Office (KIPO), the World Intellectual Property Office (WIPO), and any
`other intellectual property offices in which a foreign application claiming priority to the instant patent application is filed access
`to the instant patent application. See 37 CFR 1.14(c) and (h). This box should not be checked if the applicant does not wish the
`EPO, JPO, KIPO, WIPO, or other intellectual property office in which a foreign application claiming priority to the instant patent
`application is filed to have access to the instant patent application.
`
`In accordance with 37 CFR 1.14(h)(3), access will be provided to a copy of the instant patent application with respect to: 1) the
`instant patent application-as-filed; 2) any foreign application to which the instant patent application claims priority under 35
`U.S.C. 119(a)-(d) if a copy of the foreign application that satisfies the certified copy requirement of 37 CFR 1.55 has been filed
`in the instant patent application; and 3) any U.S. application-as-filed from which benefit is sought in the instant patent
`application.
`
`In accordance with 37 CFR 1.14(c), access may be provided to information concerning the date of filing this Authorization.
`
`Applicant Information:
`
`Providing assignment information in this section does not substitute for compliance with any requirement of part 3 of Title 37
`of CFR to have an assignment recorded by the Office.
`
`Applicant 1
`
`If the applicant is the inventor (or the remaining joint inventor or inventors under 37 CFR 1.45), this section should not be
`completed. The information to be provided in this section is the name and address of the legal representative who is the
`applicant under 37 CFR 1.43; or the name and address of the assignee, person to whom the Inventor is under an obligation to
`assign the invention, or person who otherwise shows sufficient proprietary interest in the matter who is the applicant under 37
`CFR 1.46. If the applicant is an applicant under 37 CFR 1.46 (assignee, person to whom the inventor is obligated to assign,
`or person who otherwise shows sufficient proprietary interest) together with one or more joint inventors, then the joint inventor
`or inventors who are also the applicant should be identified in this section.
`
[X] Assignee
[ ] Legal Representative under 35 U.S.C. 117
[ ] Person to whom the inventor is obligated to assign
[ ] Person who shows sufficient proprietary interest

If applicant is the legal representative, indicate the authority to file the patent application, the inventor is:

Name of the Deceased or Legally Incapacitated inventor:

If the assignee is an Organization check here [X]

Mailing Address Information:

Assignee Name: Taasera, Inc.
Street: 1030 State Street
City: Erie
State/Province: PA
Country: USA
Postal/Zip Code: 16501

Signature:

Signature:
Date (YYYY-MM-DD): 2013-01-15
Printed Name: Charles F. Wieland III
Registration No.: 33,096
`
`
`
`APPLICATION FOR
`
`UNITED STATES LETTERS PATENT
`
`FOR
`
`SYSTEM FOR AND A METHOD OF COGNITIVE BEHAVIOR
`
`RECOGNITION
`
`by
`
`Srinivas Kumar
`
`Attorney Docket No. 0079152-000017
`BUCHANAN INGERSOLL & ROONEY PC
`CUSTOMER No. 21839
`P.O. Box 1404
`Alexandria, VA 22313-1404
`
`
`
`
SYSTEM FOR AND A METHOD OF COGNITIVE BEHAVIOR RECOGNITION

FIELD

[0001] The present disclosure relates to cognitive behavior recognition, specifically assessing the runtime risk of an application or device in a computer system using cognitive behavior recognition.

BACKGROUND

[0002] With the prevalence of computers and other computing systems in the daily lives of both companies and individuals, computer and cyber security has become increasingly important. A variety of programs and approaches have been developed to provide security and protect end users from harmful threats. Such programs that have been developed include antivirus programs, firewalls, and intrusion detection/prevention systems (IDSs/IPSs). These programs can be beneficial in protecting a computing system and its end user from a number of threats.

[0003] However, as technology in the computing devices themselves is developing, so is the technology behind the threats against those same computing devices. Emerging cyber threats, commonly referred to as advanced persistent threats (APT), often remain undetected using traditional security programs and approaches. As a result, many harmful threats and infections can attack a system that includes these security programs unbeknownst to the user and system operator, which could have devastating results. For example, it can place companies at risk for the theft of proprietary information, such as confidential information, trade secrets, etc., and individuals at risk for identity theft.

[0004] Thus, there is a need for a technical solution to properly detect and prevent attacks by advanced persistent threats undetected using traditional security programs and approaches.

SUMMARY

[0005] The present disclosure provides a description of a system and method for the assessing of a runtime risk of an application or device.

[0006] A method for assessing runtime risk for an application or device includes: storing, in a rules database, a plurality of rules, wherein each rule identifies an action sequence; storing, in a policy database, a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules; identifying, using at least one assessment policy, a runtime risk for an application or device, wherein the identified runtime risk identifies and predicts a specific type of threat; and identifying, by a processing device, a behavior score for the application or device based on the identified runtime risk, wherein the action sequence is a sequence of at least two performed actions, and each performed action is at least one of: a user action, an application action, and a system action.

[0007] A system for assessing runtime risk for an application or device includes a rules database, a policy database, and a processing device. The rules database is configured to store a plurality of rules, wherein each rule identifies an action sequence. The policy database is configured to store a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules. The processing device is configured to identify, using at least one assessment policy, a runtime risk for an application or device, wherein the identified runtime risk identifies and predicts a specific type of threat, and identify a behavior score for the application or device based on the identified runtime risk, wherein the action sequence is a sequence of at least two performed actions, and each performed action is at least one of: a user action, an application action, and a system action.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

[0008] The scope of the present disclosure is best understood from the following detailed description of exemplary embodiments when read in conjunction with the accompanying drawings. Included in the drawings are the following figures:

[0009] FIG. 1 is a high level architecture illustrating a system for assessing the runtime risk for an application or device in accordance with exemplary embodiments.

[0010] FIG. 2 is a flow diagram illustrating a method for identifying an action sequence and assessing a runtime risk and subsequent behavior score based on the identified action sequence in accordance with exemplary embodiments.

[0011] FIGS. 3A and 3B are a diagram illustrating performed actions and action sequences identified using the method of FIG. 2 in accordance with exemplary embodiments.

[0012] FIG. 4 is a flow diagram illustrating a method for creating a transaction record in accordance with exemplary embodiments.

[0013] Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description of exemplary embodiments are intended for illustration purposes only and are, therefore, not intended to necessarily limit the scope of the disclosure.

DETAILED DESCRIPTION

System for Assessing Runtime Risk for an Application or Device

[0014] FIG. 1 is a high level architecture illustrating a computing system 100 configured to assess the runtime risk of an application or device and identify a behavior score based on the assessed runtime risk. It will be apparent to persons having skill in the relevant art that methods and processes disclosed herein may be implemented in the computing system 100 using hardware, software, firmware, non-transitory computer readable media having instructions stored therein, or a combination thereof, and may be implemented in more than one computing system or other processing systems. It will be further apparent to persons having skill in the relevant art that the configuration of the computing system 100 as illustrated in FIG. 1 is provided as an illustration, and other configurations and systems for performing the functions disclosed may be suitable.

[0015] The computing system 100 may include a processing unit 102. The processing unit 102 may include a single processor or a plurality of processors, each of which may include one or more processor cores. The processing unit 102 may be a general purpose processing unit or a special purpose processing unit, such as a general purpose processing unit programmed for performing a specific purpose, such as the identification of the runtime risk of an application or program. The processing unit 102 may be configured to connect to a communications infrastructure 110 for communication with additional components of the computing system 100.

[0016] The communications infrastructure 110 may be a bus, message queue, network, multi-core message-passing scheme, a combination thereof, or any other suitable type or configuration of communications infrastructure as will be apparent to persons having skill in the relevant art. The computing system 100 may further include a display unit 104. The display unit 104 may be configured to control a display device 106, which may be connected to the computing system 100 physically (e.g., via a cable, such as a VGA, DVI, or HDMI cable) or wirelessly (e.g., via Bluetooth, etc.). The display unit 104 may be a video card, video adapter, graphics card, display card, graphics board, display adapter, graphics adapter, video controller, graphics controller, etc. and may be integrated into the computing system 100 or may be removable.

[0017] The display device 106 may be configured to display information (e.g., data, graphics, output from an application program, etc.) transmitted to the display device 106 via the display unit 104. Suitable types of display devices for use as the display device 106 will be apparent to persons having skill in the relevant art and may include a liquid crystal display (LCD), light-emitting diode (LED) display, thin film transistor (TFT) LCD, capacitive touch display, etc.

[0018] The computing system 100 may further include a memory unit 106. The memory unit 106 may be any type of memory suitable for the storage of data and performing of the functions disclosed herein, such as a hard disk drive, floppy disk drive, magnetic tape drive, optical disk drive, solid state drive, or other non-transitory computer readable medium. In some embodiments, the memory unit 106 may be removable storage (e.g., flash memory, a compact disc, digital versatile disc, Blu-ray disc, etc.) or a combination of non-removable and removable storage. In one embodiment, the memory unit 106 may be external to the computing system 100 and accessed via a network by a communications interface 108, discussed in more detail below, such as cloud storage. The memory unit 106 may include random access memory (RAM), read-only memory (ROM), or a combination thereof. Suitable types and configurations of the memory unit 106 will be apparent to persons having skill in the relevant art.

[0019] The memory unit 106 may include at least a runtime monitor 108, a rules database 110, and a policy database 112. The memory unit 106 may include additional data, applications, programs, etc. as will be apparent to persons having skill in the relevant art, such as an operating system, drivers for components of the system 100, etc. The runtime monitor 108 may be an application program stored on the memory unit 106 including program code executable by the processing unit 102, configured to assess the runtime risk of an application (e.g., stored in the memory unit 106 and executed by the processing unit 102) or device (e.g., connected to the computing system 100 externally (e.g., via the communications interface 108) or internally (e.g., via the communications infrastructure 110)), as discussed in more detail below. In some embodiments, the runtime monitor 108 may be further configured to identify a behavior score for an action sequence of at least two performed actions executed by (e.g., by components or programs included in) the computing system 100.

[0020] The runtime monitor 108 may be configured to perform additional functions in the computing system 100, such as those described in U.S. Patent No. 8,372,441, filed as U.S. Application No. 13/399,065, entitled "System and Method for Application Attestation," filed on February 17, 2012; U.S. Application No. 13/559,707, entitled "Systems and Methods for Orchestrating Runtime Operational Integrity" and filed on July 27, 2012; U.S. Application No. 13/559,766, entitled "Systems and Methods for Threat Identification and Remediation" and filed on July 27, 2012; U.S. Application No. 13/559,665, entitled "Systems and Methods for Providing Mobile Security Based on Dynamic Attestation" and filed on July 27, 2012; U.S. Application No. 13/559,692, entitled "Systems and Methods for Using Reputation Scores in Network Services and Transactions to Calculate Security Risks to Computer Systems and Platforms" and filed on July 27, 2012; and U.S. Application No. 13/559,732, entitled "Systems and Methods for Network Flow Remediation Based on Risk Correlation" and filed on July 27, 2012, which are herein incorporated by reference in their entirety. Additional functions that may be performed by the runtime monitor 108 will be apparent to persons having skill in the relevant art.

[0021] The rules database 110 may be configured to store a plurality of rules, wherein each rule identifies an action sequence. An action sequence, discussed in more detail below, may include a sequence of at least two performed actions, wherein the performed actions may be one of a user action, an application action, and a system action. The policy database 112 may be configured to store a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules stored in the rules database 112. The runtime monitor 108 may be configured to identify the runtime risk of the application or device using at least one of the assessment policies stored in the policy database 112 based on, for example, matching rules and probabilistic weights and scores. Methods for identifying runtime risk using an assessment policy comprised of one or more rules are discussed in more detail below.

[0022] The rules database 110 and the policy database 112 may be configured in any type of suitable database configuration, such as a relational database, a structured query language (SQL) database, a distributed database, an object database, etc. Suitable configurations and database storage types will be apparent to persons having skill in the relevant art. The databases may each be a single database, or may comprise multiple databases which may be interfaced together, such as physically (e.g., internally via the communications infrastructure 110 or externally via the communications interface 108) or wirelessly (e.g., via Bluetooth), and may include one or more databases included within the computing system 100 and one or more databases external to the computing system 100, such as an external hard disk drive or storage accessed via a network (e.g., in the cloud).

[0023] The communications interface 108 may be configured to allow software and data to be transmitted between the computing system 100 and external networks and devices. The communications interface 108 may be a modem, network interface card (e.g., an Ethernet card), a communications port, a Personal Computer Memory Card International Association (PCMCIA) card, or other type of communications interface suitable for performing the functions disclosed herein as will be apparent to persons having skill in the relevant art. Software and data transmitted to or from the computing system 100 may be in the form of signals, which may be electronic, electromagnetic, optical, etc. The signals may travel via a communications path 114, which may be configured to carry the signals physically or wirelessly via a network. For example, the communications path 114 may carry signals from the communications interface 108 to a network such as a local area network (LAN), a wide area network (WAN), a wireless network (e.g., WiFi), a mobile communication network, a satellite network, the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof. Other suitable network types and configurations will be apparent to persons having skill in the relevant art.

[0024] The communications interface 108 may be further configured to connect the computing system 100 with a plurality of input devices, which may enable a user of the computing system 100 to control the system. In some instances, the communications interface 108 may include multiple interfaces or connections, for connecting to a variety of external devices or networks. For example, the communications interface 108 may include a plurality of universal serial bus (USB) connectors, an Ethernet connector, audio connectors, video connectors, etc. Suitable types of input devices that may be used with the computing system 100 for providing input will be apparent to persons having skill in the relevant art and may include a keyboard, mouse, touch screen, tablet, click wheel, trackball, microphone, camera, etc.

Method for Identifying Runtime Risk and Behavior Score for an Application or Device

[0025] FIG. 2 is a flow diagram illustrating a method for identifying an action sequence of actions performed in the computing system 100 and identifying the corresponding runtime risk and a behavior score for an application or device involved in the action sequence. It will be apparent to persons having skill in the relevant art that the action sequences identified using the method illustrated in FIG. 2 are provided as means of illustration only and are not exhaustive as to action sequences that may be suitable for use in identifying the runtime risk of an application or device by the runtime monitor 108 of the computing system 100.

[0026] In step 202, the runtime monitor 108 may monitor the computing system 100 for performed actions, which may include user actions, application actions, and system actions, each of which are discussed in more detail below with respect to FIG. 3. Once an action is detected by the runtime monitor 108, in step 204 the runtime monitor may (e.g., via the processing unit 102) identify the type of action performed. If the type of action performed is a system action, then, in step 206, the runtime monitor 108 may attempt to identify an action preceding the system action. Then, the process may return to step 204 to identify the type of action of the preceding action, such that an action sequence including only system actions may not be used to identify a runtime risk of an application or device, as no action involving the application or device may be performed.
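
The rule and policy matching of [0021] and the step 204/206 walk-back of [0026], as an added example that is not code from the application or from the applicant. The event names, the rule weights, the noisy-OR combination of weights and the 0 to 100 behavior score scale are assumptions; the specification says only that risk is identified from "matching rules and probabilistic weights and scores".

```python
"""Added example: rule/policy matching over an action log ([0021], [0026])."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

USER, APP, SYSTEM = "user", "application", "system"


@dataclass(frozen=True)
class Action:
    kind: str      # USER, APP or SYSTEM
    name: str      # event name (constructed for this example)
    subject: str   # application or device involved; "" for system actions


@dataclass(frozen=True)
class Rule:
    rule_id: str
    sequence: Tuple[Tuple[str, str], ...]  # ordered (kind, name) steps, two or more
    weight: float                          # assumed probability the match is a threat


@dataclass(frozen=True)
class Policy:
    threat: str                  # the specific type of threat this policy predicts
    rule_ids: Tuple[str, ...]    # rules from the rules database that it includes


@dataclass(frozen=True)
class Assessment:
    threat: Optional[str]  # threat type of the highest-risk policy, if any matched
    risk: float            # runtime risk, 0.0 to 1.0
    score: int             # behavior score, 100 = no matched rule (assumed scale)


def attribute(log: List[Action], idx: int) -> Optional[List[Action]]:
    """Steps 204/206: from log[idx], walk back past system actions to the
    nearest user or application action. A lone action, or a run made only of
    system actions, is not an action sequence and yields None."""
    start = idx
    while start >= 0 and log[start].kind == SYSTEM:
        start -= 1
    if start < 0 or start == idx:
        return None
    return log[start:idx + 1]


def matches(rule: Rule, seq: List[Action]) -> bool:
    """True if the rule's steps occur in seq in order (gaps allowed)."""
    steps = iter((a.kind, a.name) for a in seq)
    return all(step in steps for step in rule.sequence)


def assess(log, rules, policies) -> Dict[str, Assessment]:
    by_id = {r.rule_id: r for r in rules}
    hits: Dict[str, set] = {}  # subject -> ids of rules its sequences matched
    for idx in range(len(log)):
        seq = attribute(log, idx)
        if seq is not None:
            matched = hits.setdefault(seq[0].subject, set())
            matched.update(r.rule_id for r in rules if matches(r, seq))
    results = {}
    for subject, matched in hits.items():
        best = Assessment(None, 0.0, 100)
        for policy in policies:
            miss = 1.0  # noisy-OR: chance that every matched rule is a false alarm
            for rid in policy.rule_ids:
                if rid in matched:
                    miss *= 1.0 - by_id[rid].weight
            risk = 1.0 - miss
            if risk > best.risk:
                best = Assessment(policy.threat, risk, round(100 * (1.0 - risk)))
        results[subject] = best
    return results


# Constructed sample data, not taken from the application.
LOG = [
    Action(SYSTEM, "service_start", ""),
    Action(USER, "open_attachment", "mail_client"),
    Action(APP, "spawn_child_process", "doc_viewer"),
    Action(SYSTEM, "autorun_entry_created", ""),
    Action(SYSTEM, "outbound_connection", ""),
    Action(APP, "save_file", "editor"),
    Action(SYSTEM, "file_write", ""),
]
RULES = [
    Rule("R1", ((APP, "spawn_child_process"), (SYSTEM, "autorun_entry_created")), 0.6),
    Rule("R2", ((APP, "spawn_child_process"), (SYSTEM, "outbound_connection")), 0.5),
]
POLICIES = [Policy("advanced persistent threat", ("R1", "R2"))]

if __name__ == "__main__":
    for subject, result in assess(LOG, RULES, POLICIES).items():
        print(subject, result)
```

Attributing a system action to the nearest preceding user or application action works here because the log is a single ordered stream; on a host with concurrent processes the monitor would need a process or device identifier on each system action to attribute it correctly.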

[0027] If the identified action is an application action, then, in step 208, the runtime monitor 108 may monitor for a subsequent system action, which may be identified by the processing unit 102. The application action followed by the system action may be an action sequence, as discussed in more detail below, which may be used to identify the runtime risk of an application or de