IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In the Inter Partes Review of:

Trial Number: To Be Assigned

U.S. Patent No. 6,715,084

Filed: March 26, 2002

Issued: March 30, 2004

Inventor(s): Jeffrey A. Aaron, Thomas Anschutz

Assignee: Intellectual Ventures II LLC

Title: Firewall System and Method via Feedback from Broad-Scope Monitoring for Intrusion Detection

Panel: To Be Assigned

Mail Stop Inter Partes Review
Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

DECLARATION OF STEVEN M. BELLOVIN UNDER 37 C.F.R. § 1.68 IN SUPPORT OF PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 6,715,084

IBM Ex. 1001

Declaration of Steven M. Bellovin Under 37 C.F.R. § 1.68 in Support of Petition for Inter Partes Review of U.S. Patent No. 6,715,084

Table of Contents

I. Introduction
II. Background and Qualifications
III. Understanding of Patent Law
IV. Background
    A. Background of the Field Relevant to the ’084 Patent
    B. Summary of the ’084 Patent
    C. Summary of the Prosecution History
V. Level of Ordinary Skill in the Pertinent Art
VI. Broadest Reasonable Interpretation
VII. Detailed Invalidity Analysis
    A. Background on Prior Art References
        1. Background on Porras
        2. Background on Graham
        3. Background on NetRanger
        4. Background on Snapp
    B. The Challenged Claims are Invalid over Porras
        1. Porras Anticipates Claims 1 and 9
        2. Porras Anticipates Claim 2
        3. Porras Anticipates Claim 3
        4. Porras Anticipates Claims 4 and 12
        5. Porras Anticipates Claims 5 and 13
        6. Porras Anticipates Claims 6 and 14
        7. Porras Anticipates Claim 7
        8. Porras Anticipates Claims 8 and 18
        9. Porras Anticipates Claim 15
        10. Porras Anticipates Claim 16
        11. Porras Anticipates Claim 17
    C. The Challenged Claims are Invalid over Graham
        1. Graham Anticipates Claims 1 and 9
        2. Graham Anticipates Claim 2
        3. Graham Anticipates Claim 3
        4. Graham Anticipates Claims 4 and 12
        5. Graham Anticipates Claims 5 and 13
        6. Graham Anticipates Claims 6 and 14
        7. Graham Anticipates Claim 7
        8. Claims 8 and 18 are Obvious in View of the Combination of Graham and Snapp
        9. Graham Anticipates Claim 15
        10. Graham Anticipates Claim 16
        11. Graham Anticipates Claim 17
    D. The Challenged Claims are Invalid over NetRanger
        1. NetRanger Anticipates Claims 1 and 9
        2. NetRanger Anticipates Claim 2
        3. NetRanger Anticipates Claim 3
        4. NetRanger Anticipates Claims 4 and 12
        5. NetRanger Anticipates Claims 5 and 13
        6. NetRanger Anticipates Claims 6 and 14
        7. NetRanger Anticipates Claim 7
        8. Claims 8 and 18 are Obvious in View of the Combination of NetRanger and Snapp
        9. NetRanger Anticipates Claim 15
        10. NetRanger Anticipates Claim 16
        11. NetRanger Anticipates Claim 17
VIII. Secondary Considerations of Non-Obviousness
IX. Conclusion

I, Steven M. Bellovin, do hereby declare as follows:

I. INTRODUCTION

1. I have been retained as an expert witness on behalf of International Business Machines Corporation (“IBM”) for the above-captioned Petition for Inter Partes Review (“IPR”) of U.S. Patent No. 6,715,084 (“the ’084 Patent”). I am being compensated for my time in connection with this IPR at my standard consulting rate of $525 per hour. My compensation is not affected by the outcome of this matter.

2. I have been asked to provide my opinions regarding whether Claims 1–9 and 12–18 (“Challenged Claims”) of the ’084 Patent are invalid as anticipated or would have been obvious to a person having ordinary skill in the art at the time of the alleged invention.

3. The ’084 Patent issued on March 30, 2004, from U.S. Patent Appl. No. 10/108,078 (“the ’078 Application”), filed on March 26, 2002. (Ex. 1005, the ’084 Patent.) For the purposes of my Declaration, I have been asked to assume that the priority date of the alleged invention recited in the ’084 Patent is March 26, 2002.

4. The face of the ’084 Patent names Jeffrey A. Aaron and Thomas Anschutz as the purported inventors and identifies BellSouth Intellectual Property Corp. as the purported assignee of the ’084 Patent. (Ex. 1005.) I have reviewed the Patent Office “Assignments on the Web” record for the ’084 Patent. This record indicates that the named inventors assigned their interests in the ’078 Application to BellSouth Intellectual Property Corp. on or around March 22, 2002. Through a series of assignments, name changes, and mergers, the ’084 Patent was assigned to Intellectual Ventures II LLC (“IV”) on or around May 23, 2013. (Ex. 1016, Assignment Record.)

5. In preparing this Declaration, I have reviewed the ’084 Patent, the file history of the ’084 Patent, numerous prior art references, technical references from the time of the alleged invention, and statements made regarding the alleged meaning and scope of terms and phrases recited in the Challenged Claims.

6. I understand that claims in an IPR are given their broadest reasonable interpretation in view of the patent specification and the understandings of one having ordinary skill in the relevant art.

7. In forming the opinions expressed in this Declaration, I relied upon my education and experience in the relevant field of the art, and have considered the viewpoint of a person having ordinary skill in the relevant art, as of the priority date of the ’084 Patent. My opinions are based, at least in part, on the following:

| Reference | Date of Public Availability |
| --- | --- |
| Porras, et al., Live Traffic Analysis of TCP/IP Gateways (“Porras”) | Porras was published in the Proceedings of the 1998 ISOC Symposium on Network and Distributed Systems Security, Dec. 12, 1997, and is attached as Ex. 1006 to the Petition for IPR. |
| U.S. Pat. No. 7,237,264, to Graham, et al. (“Graham”) | Graham was filed on June 4, 2001, issued on June 26, 2007, and is attached as Ex. 1007 to the Petition for IPR. |
| NetRanger User’s Guide, Version 1.3.1 (“NetRanger”) | NetRanger was published by WheelGroup Corp. in 1997, and is attached as Ex. 1008 to the Petition for IPR. |
| Snapp, et al., A System for Distributed Intrusion Detection (“Snapp”) | Snapp was published in the Digest of Papers for Compcon Spring ’91 on Feb. 25–Mar. 1, 1991, and is attached as Ex. 1009 to the Petition for IPR. |

II. BACKGROUND AND QUALIFICATIONS

8. I am an expert in the fields of telecommunications and network security, and have been an expert in the field since prior to 1999. A copy of my curriculum vitae is provided as Appendix A to this Declaration (Ex. 1002) and provides a comprehensive description of my relevant experience, including academic and employment history, publications, conference participation, and issued and pending U.S. patents.

9. I received a B.A. degree—interdisciplinary between the departments of Mathematics and Mathematical Statistics—from Columbia University in 1972, followed by a M.S. (1977) and Ph.D. (1982) in Computer Science from the University of North Carolina at Chapel Hill.

10. My academic career began in 1977 when I served as an instructor in the Department of Computer Science at the University of North Carolina at Chapel Hill. Since then, I have served as an Adjunct Professor of Computer Science at the University of Pennsylvania from 2002 to 2004. Since 2005, I have served and continue to serve as a Professor of Computer Science at Columbia University.

11. My experience with telecommunications and network security goes back more than 45 years. While in college, I worked as a systems programmer on various IBM systems. During my last two years in college, I was employed at the City College of New York (“CCNY”), which ran the entire computer network for the City University of New York (“CUNY”). CCNY was the central computing site for the entire CUNY, an organization comprising numerous two-year and four-year colleges. I caught my first hackers—two misbehaving CCNY students—in 1971.

12. While a graduate student, I was one of the inventors of Netnews, along with Tom Truscott, Jim Ellis, and Stephen Daniel, an early online “chat system,” i.e., Usenet news groups. Netnews is still used today and carries terabytes of data traffic per day. At its peak, Netnews comprised many tens of thousands of participating computers that regularly posted articles to more than 30,000 different news groups. For this work, all of the inventors, including myself, received the 1995 Usenix Lifetime Achievement Award (“the Flame”).

13. My professional career started in 1982 when I joined AT&T Bell Laboratories (“Bell Labs”). In my first role, I took sole responsibility for my technology center’s TCP/IP network and Ethernet cable, and joint responsibility for the cable that linked my center to the only other center in all of Bell Labs that used Ethernet.

14. During the 1980s, I was one of the people who spearheaded the effort to bring TCP/IP to all of Bell Labs. In the late 1980s, TCP/IP security became my primary research area. I helped administer the Bell Labs’ link to the early Internet and also helped investigate some early hacker incidents.

15. In 1989, I published one of the first papers on TCP/IP security, entitled “Security Problems in the TCP/IP Security Protocol Suite.” The paper was published in the ACM publication Computer Communication Review.

16. In 1992, I published one of the first papers on host and network intrusion detection, entitled “There Be Dragons” in the Proceedings of the Third USENIX Unix Security Symposium.

17. In 1994, I co-authored “Firewalls and Internet Security: Repelling the Wily Hacker,” the first book on the subject of firewalls and internet security (“Bellovin Firewalls and Internet Security”). The publisher sold more than 100,000 copies of the book around the world. This volume of sales is considered exceptionally high for a technical book.

18. I was named an AT&T Fellow in 1998, was elected to the National Academy of Engineering in 2001, and received the National Computer Systems Security Award in 2007 from the National Institute of Standards and Technology and the National Security Agency.

19. From 1996 to 2004, I worked for AT&T Labs Research as a result of AT&T’s spin-off of Lucent Technologies. From 2005 to 2012, I remained employed with AT&T Labs Research as a one-day per month employee.

20. From 1993 to 2004, I was very active in the Internet Engineering Task Force (“IETF”). The IETF is the primary organization that develops Internet standards. From 1993 to 1994, I was a member of the “IPng Directorate” that selected the IPv6 architecture from multiple competing designs. Apart from chairing or co-chairing several technology working groups, including the Intellectual Property Rights Working Group, I was a member of the Internet Architecture Board (“IAB”) from 1996 to 2002 and one of the Security Area directors on the Internet Engineering Standards Group (“IESG”) from 2002 to 2004. The IAB provides oversight of, and occasional commentary on, aspects of the architecture for the protocols and procedures used by the Internet. The IESG is responsible for technical management of IETF activities and the Internet standards process. It administers the process according to the rules and procedures that have been ratified by the Internet Society (“ISOC”) trustees. The IESG is directly responsible for the actions associated with entry into and movement along the Internet “standards track,” including final approval of specifications as Internet Standards prior to their publication as RFCs. All the Area directors, including myself in particular, are responsible for ensuring that all Internet protocols have suitable security mechanisms, such as encryption.

21. From 2012 to 2013, I served as Chief Technologist for the Federal Trade Commission (“FTC”). My primary responsibility was advising the Chair about any FTC cases and policy involving technology or privacy. Among many others, I advised the Chair about standard-essential patents, an issue of great concern for the FTC.

22. I am listed as an inventor on 20 U.S. patents covering inventions in the areas of networking, cryptography, and network security. I am also named as an inventor on a number of currently-pending U.S. patent applications. I have published numerous technical articles and papers in major conference proceedings and journals, and have served on several National Academies study panels. I am currently serving on two such committees as well as on the National Academies’ Computer Science and Telecommunications Board. I am also currently serving on or acting as a subject matter expert for two U.S. government advisory committees: Department of Homeland Security, Science and Technology Advisory Committee; and Data Privacy and Integrity Advisory Committee.

III. UNDERSTANDING OF PATENT LAW

23. I understand that prior art to the ’084 Patent includes patents and printed publications in the relevant art that predate the priority date of the ’084 Patent.

24. I understand that a claim is invalid if it is anticipated or obvious. Anticipation of a claim requires that every element of a claim be disclosed expressly or inherently in a single prior art reference, arranged in the prior art reference as arranged in the claim. Obviousness of a claim requires that the claim be obvious from the perspective of a person having ordinary skill in the relevant art at the time of the alleged invention. I understand that a claim may be obvious from a combination of two or more prior art references.

25. I understand that an obviousness analysis requires an understanding of the scope and content of the prior art, any differences between the alleged invention and the prior art, and the level of ordinary skill in evaluating the pertinent art.

26. I further understand that certain factors may support or rebut the obviousness of a claim. I understand that such secondary considerations include, among other things, commercial success of the alleged invention, skepticism of those having ordinary skill in the art at the time of the alleged invention, unexpected results of the alleged invention, any long-felt but unsolved need in the art that was satisfied by the alleged invention, the failure of others to make the alleged invention, praise of the alleged invention by those having ordinary skill in the art, and copying of the alleged invention by others in the field. I understand that there must be a nexus—a connection—between any such secondary considerations and the alleged invention. I also understand that contemporaneous and independent invention by others is a secondary consideration tending to show obviousness.

27. I further understand that a claim is obvious if it unites old elements with no change to their respective functions, or alters prior art by mere substitution of one element for another known in the field and that combination yields predictable results. While it may be helpful to identify a reason for this combination, common sense should guide and no rigid requirement of finding a teaching, suggestion, or motivation to combine is required. When a product is available, design incentives and other market forces can prompt variations of it, either in the same field or a different one. If a person having ordinary skill in the relevant art can implement a predictable variation, obviousness likely bars its patentability. For the same reason, if a technique has been used to improve one device and a person having ordinary skill in the art would recognize that it would improve similar devices in the same way, using the technique is obvious. I understand that a claim may be obvious if common sense directs one to combine multiple prior art references or add missing features to reproduce the alleged invention recited in the claims.

IV. BACKGROUND

A. Background of the Field Relevant to the ’084 Patent

28. There are generally three different types of technologies, in the prior art, for performing intrusion detection: (1) signature detection; (2) anomaly detection; and (3) expert systems.

29. Signature detection is the simplest intrusion detection technique. Signature systems require all known patterns of abnormal behaviors to be defined in a list, i.e., a rule list. Traffic is then compared against the rule list and certain actions are taken if the traffic matches one of the rules. Signature detection systems very rarely have false positives, but, by definition, are unable to detect new types of attacks before a rule is created for the attack. For example, web servers are generally known to have bugs. Attempts to exploit these bugs are ipso facto malicious. One such well known bug is described in CERT Advisory, CA-2001-19, which defines a particular traffic pattern indicating that an intruder is attempting to hack the server. (See generally Ex. 1017, CERT Advisory, CA-2001-19.)

30. Anomaly detection is based on learning a “normal” pattern of behavior of a particular system or network and then detecting significant variations from this “normal” pattern. Anomaly detection can best be explained by building on the example provided in connection with signature detection. Assuming most URLs are around 100 bytes long, URLs that are significantly longer may be flagged as anomalous. For example, the URL to the Patent Trial and Appeal Board is 104 bytes long and is thus only “slightly” unusual:

https://ptabtrials.uspto.gov/prweb/PRServlet/oO9O9iMscyJc_fy6LnBDXO9xEtRpDxfL3At36r8Aw8k%5B*/!STANDARD?

31. The URL described in CERT Advisory, CA-2001-19, on the other hand, is at least 380 bytes long and is thus “more” unusual:
`
`/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
`NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
`NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
`NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
`NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
`NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
`NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
`NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u
`6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
`u9090%u9090%u8190%u00c3%u0003%u8b00%u531b
`%u53ff%u0078%u0000%u00=a
`
(Ex. 1017 at 3, CERT Advisory, CA-2001-19.) This URL is not “bad” per se. It is, however, anomalous because it deviates from the “standard” URL length for a given server.

32. Expert systems analyze multiple types of anomalies, certain combinations of which may indicate an attack. Such systems receive reports of anomalies from anomaly detectors distributed throughout a monitored network, which were commonly used in the art at the time of the priority date of the ’084 Patent. Expert systems detected patterns in network traffic and then simulated analysis that would be performed by a system administrator to determine whether or not an identified anomaly indicated an actual attack.

33. Continuing to build on the example provided for signature detection, while a long URL is, in and of itself, not an attack per se, a long URL combined with multiple outbound connections may indicate that the system is infected by a worm. (See generally Ex. 1017, CERT Advisory, CA-2001-19.)

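The three approaches described in paragraphs 29–33 can be compared side by side in code. The following is an added example, not part of the declaration or of any cited reference; the rule pattern, thresholds, event format, addresses and sample requests are all constructed assumptions.

```python
import re
import statistics

# Signature rule list (assumed): one rule shaped like the request quoted
# from CA-2001-19 in paragraph 31.
RULES = [("ida-long-query", re.compile(r"^/default\.ida\?N{32,}"))]

# Constructed baseline of "normal" URL lengths (bytes) learned for one server.
BASELINE = [92, 97, 101, 104, 99, 108, 95, 103, 100, 98]

# Constructed requests, 385 bytes each; VARIANT differs only in its filler byte.
LONG_URL = "/default.ida?" + "N" * 370 + "=a"
VARIANT = "/default.ida?" + "X" * 370 + "=a"

# Constructed event log: (time_s, kind, src, dst, url).
# "http" is an inbound request seen at dst; "conn" is a new outbound
# connection opened by src. All addresses are documentation/private ranges.
EVENTS = [
    (0, "http", "198.51.100.7", "10.0.0.5", "/index.html"),
    (5, "http", "198.51.100.7", "10.0.0.5", LONG_URL),
    (6, "http", "198.51.100.7", "10.0.0.6", LONG_URL),
    (7, "http", "198.51.100.7", "10.0.0.8", VARIANT),
    (8, "conn", "10.0.0.5", "203.0.113.10", None),
    (9, "conn", "10.0.0.5", "203.0.113.11", None),
    (10, "conn", "10.0.0.5", "203.0.113.12", None),
    (11, "conn", "10.0.0.5", "203.0.113.13", None),
    (40, "conn", "10.0.0.6", "203.0.113.20", None),
    (50, "http", "192.0.2.9", "10.0.0.7", "/search?q=" + "a" * 94),  # 104 bytes
]


def signature_hits(events, rules=RULES):
    """Signature detection: (time, host, rule) for each request matching a rule."""
    return [
        (t, dst, name)
        for t, kind, _src, dst, url in events
        if kind == "http"
        for name, pattern in rules
        if pattern.search(url)
    ]


def length_anomalies(events, baseline, z_limit=3.0):
    """Anomaly detection: flag URLs far longer than the learned normal length."""
    mean = statistics.mean(baseline)
    dev = statistics.stdev(baseline)
    flagged = []
    for t, kind, _src, dst, url in events:
        if kind != "http":
            continue
        # One-sided test: only unusually long URLs are of interest here.
        if (len(url) - mean) / dev > z_limit:
            flagged.append((t, dst, len(url)))
    return flagged


def correlate(anomalies, events, window=30, min_conns=3):
    """Expert-system style rule: a long-URL anomaly at a host followed by
    several distinct outbound connections from that host within `window`
    seconds is reported as a likely worm infection."""
    infected = []
    for t0, host, _length in anomalies:
        peers = {
            dst
            for t, kind, src, dst, _url in events
            if kind == "conn" and src == host and t0 < t <= t0 + window
        }
        if len(peers) >= min_conns:
            infected.append((host, len(peers)))
    return infected


if __name__ == "__main__":
    anomalies = length_anomalies(EVENTS, BASELINE)
    print("signature:", signature_hits(EVENTS))
    print("anomaly:  ", anomalies)
    print("expert:   ", correlate(anomalies, EVENTS))
```

On this constructed log the signature rule misses the variant request that the length test still flags, the 104-byte URL stays below the anomaly threshold, and only the host that also opens several outbound connections is reported by the correlation rule.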

34. There are generally two types of IDSs: host-based and network-based. The relevant art distinguishes between host-based and network-based intrusion detection. Host-based intrusion detection analyzes behavior on one computer. Network-based intrusion detection, on the other hand, analyzes behavior of network traffic as a whole. A network-based intrusion detection monitor could be located anywhere in the monitored network, including on either side of the firewall or within individual domains or LANs.

B. Summary of the ’084 Patent

35. The ’084 Patent is directed to a “broad-scope” intrusion detection system (“IDS”). (Ex. 1005 at 5:45–46.) The IDS analyzes network traffic “coming into multiple hosts or other customers’ computers or sites.” (Ex. 1005 at 5:46–47.) This allegedly provides the IDS “additional data for analysis as compared to systems that just analyze the traffic coming into one customer’s site . . ..” (Ex. 1005 at 5:48–51.) The network data is analyzed by the IDS for “patterns that would otherwise be difficult or impossible to recognize with just a single customer detector.” (Ex. 1005 at 5:51–54.) “Standard signature detection” or “new signatures and methods/algorithms can be used.” (Ex. 1005 at 5:54–56.) Fig. 2 shows an exemplar IDS:

(Ex. 1005 at Fig. 2, the ’084 Patent) (emphasis added)

36. Fig. 2 shows a network with the claimed IDS. (Ex. 1005 at 6:50–52.) The network includes a “plurality of network devices such as hosts, servers, and personal computers attached within customer site networks (shown here as customer site networks 220, 230, 240, 250) . . ..” (Ex. 1005 at 6:52–57.)

37. A data collection and processing center (205 and 210) is shown coupled to the network. (Ex. 1005 at 7:18–20.) The data collection and processing center monitors traffic sent to a number of hosts, servers, and personal computers (220, 230, 240, 250). (Ex. 1005 at 7:35–44.) Various network devices “can be used as sensors to sense data traffic and pass their findings on to the data collection and processing center . . ..” (Ex. 1005 at 7:45–52.)

38. The IDS of the ’084 Patent monitors traffic for unauthorized access, referred to as “an anomaly.” (Ex. 1005 at 5:57–60.) An anomaly is detected by “analyzing a plurality of data packets with respect to predetermined patterns.” (Ex. 1005 at 6:9–11.) An anomaly “can be an intrusion, or an intrusion attempt or reconnaissance activity.” (Ex. 1005 at 5:64–65.) If an anomaly is detected, the IDS can alert a device by “alerting a firewall associated with the device that an anomaly has been detected.” (Ex. 1005 at 6:15–17.) The device may also be “controlled (e.g., have its firewall adjusted).” (Ex. 1005 at 6:17–19.) The IDS identifies devices affected by the anomaly as well as those anticipated to be affected. (Ex. 1005 at Abs.)

39. The Challenged Claims cover very similar subject matter. Elements [a]-[c] of claim 1 are nearly identical to elements [a]-[c] of claim 9. The table below compares claims 1 and 9, with all differences underlined, and shows the minor differences between claims 1 and 9 to be form, not substance:

| Claim 1 | Claim 9 |
| --- | --- |
| 1. A method of alerting at least one device in a networked computer system comprising a plurality of devices to an anomaly, at least one of the plurality of devices having a firewall, comprising: | 9. A method of alerting a device in a networked computer system comprising a plurality of devices to an anomaly, comprising: |
| [a] detecting an anomaly in the networked computer system using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system; | [a] detecting an anomaly at a first device in the computer system using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system; |
| [b] determining which of the plurality of devices are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites; and | [b] determining a device that is anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites; and |
| [c] alerting the devices that are anticipated to be affected by the anomaly. | [c] alerting the device that is anticipated to be affected by the anomaly. |

40. For purposes of efficiency, and to avoid repetition, my invalidity analysis in this Declaration will begin with claim 1 and apply equally to claim 9. I will separately address any differences between the claims.

41. The dependent claims do not contain any elements that one having ordinary skill in the art would consider novel or non-obvious. The following table shows dependencies of the Challenged Claims:

| Independent Claims | Dependent Claims |
| --- | --- |
| Claim 1 | Claim 2, Claim 3, Claim 4, Claim 5, Claim 6, Claim 7, Claim 8 |
| Claim 9 | Claim 12, Claim 13, Claim 14, Claim 15, Claim 16, Claim 17, Claim 18 |

42. Claims 4 and 12, claims 5 and 13, claims 6 and 14, and claims 8 and 18 add very similar elements to independent claims 1 and 9, respectively. The table below compares the dependent claims, with all differences underlined, and shows the minor differences between the claims to be form, not substance:

| Dependent Claims from Claim 1 | Dependent Claims from Claim 9 |
| --- | --- |
| 4. The method of claim 1, wherein the anomaly comprises one of an intrusion and an intrusion attempt. | 12. The method of claim 9, wherein the anomaly comprises one of an intrusion and an intrusion attempt. |
| 5. The method of claim 1, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns. | 13. The method of claim 9, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns. |
| 6. The method of claim 5, wherein analyzing the data packets comprises analyzing data packets that have been received at at least two of the plurality of devices. | 14. The method of claim 13, wherein analyzing the data packets comprises analyzing data packets that have been received at at least two of the plurality of devices including the first device. |
| 8. The method of claim 1, further comprising adjusting anomaly detection sensitivity and alarm thresholds based on the detected anomaly. | 18. The method of claim 9, further comprising adjusting anomaly detection sensitivity and alarm thresholds based on the detected anomaly. |

43. For purposes of efficiency, my Declaration will address claims 4 and 12, claims 5 and 13, claims 6 and 14, and claims 8 and 18 together. I will separately address any differences between the claims.

C. Summary of the Prosecution History

44. In a June 23, 2003, Office Action, the Examiner rejected all then-pending claims, claims 8–21, as obvious over several prior art references. (Ex