IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In the Inter Partes Review of:

Trial Number: To Be Assigned

U.S. Patent No. 6,715,084

Filed: March 26, 2002

Issued: March 30, 2004

Inventor(s): Jeffrey A. Aaron, Thomas Anschutz

Assignee: Intellectual Ventures II LLC

Title: Firewall System and Method via Feedback from Broad-Scope Monitoring for Intrusion Detection

Panel: To Be Assigned

Mail Stop Inter Partes Review
Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

DECLARATION OF STEVEN M. BELLOVIN UNDER 37 C.F.R. § 1.68 IN SUPPORT OF PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 6,715,084

IBM Ex. 1001

Declaration of Steven M. Bellovin Under 37 C.F.R. § 1.68 in Support of
Petition for Inter Partes Review of U.S. Patent No. 6,715,084

Table of Contents

I. Introduction
II. Background and Qualifications
III. Understanding of Patent Law
IV. Background
    A. Background of the Field Relevant to the ’084 Patent
    B. Summary of the ’084 Patent
    C. Summary of the Prosecution History
V. Level of Ordinary Skill in the Pertinent Art
VI. Broadest Reasonable Interpretation
VII. Detailed Invalidity Analysis
    A. Background on Prior Art References
        1. Background on Porras
        2. Background on Graham
        3. Background on NetRanger
        4. Background on Cheswick & Bellovin
        5. Background on Snapp
    B. The Challenged Claims are Invalid over the Combination of Porras and Cheswick & Bellovin
        1. Claims 19 and 26–27 are Obvious in View of the Combination of Porras and Cheswick & Bellovin
        2. Claims 20 and 28 are Obvious in View of the Combination of Porras and Cheswick & Bellovin
        3. Claims 22 and 30 are Obvious in View of the Combination of Porras and Cheswick & Bellovin
        4. Claims 23 and 31 are Obvious in View of the Combination of Porras and Cheswick & Bellovin
        5. Claims 24 and 32 are Obvious in View of the Combination of Porras and Cheswick & Bellovin
        6. Claims 25 and 33 are Obvious in View of the Combination of Porras and Cheswick & Bellovin
        7. Claim 29 is Obvious in View of the Combination of Porras and Cheswick & Bellovin
    C. The Challenged Claims are Invalid over Graham
        1. Claims 19 and 26–27 are Anticipated by Graham
        2. Claims 20 and 28 are Anticipated by Graham
        3. Claims 22 and 30 are Anticipated by Graham
        4. Claims 23 and 31 are Anticipated by Graham
        5. Claims 24 and 32 are Anticipated by Graham
        6. Claims 25 and 33 are Obvious in View of the Combination of Graham and Snapp
        7. Claim 29 is Anticipated by Graham
    D. The Challenged Claims are Invalid over NetRanger
        1. Claims 19 and 26–27 are Anticipated by NetRanger
        2. Claims 20 and 28 are Anticipated by NetRanger
        3. Claims 22 and 30 are Anticipated by NetRanger
        4. Claims 23 and 31 are Anticipated by NetRanger
        5. Claims 24 and 32 are Anticipated by NetRanger
        6. Claims 25 and 33 are Obvious in View of the Combination of NetRanger and Snapp
        7. Claim 29 is Anticipated by NetRanger
VIII. Secondary Considerations of Non-Obviousness
IX. Conclusion

I, Steven M. Bellovin, do hereby declare as follows:

I. INTRODUCTION

1. I have been retained as an expert witness on behalf of International Business Machines Corporation (“IBM”) for the above-captioned Petition for Inter Partes Review (“IPR”) of U.S. Patent No. 6,715,084 (“the ’084 Patent”). I am being compensated for my time in connection with this IPR at my standard consulting rate of $525 per hour. My compensation is not affected by the outcome of this matter.

2. I have been asked to provide my opinions regarding whether Claims 19–20 and 22–33 (“Challenged Claims”) of the ’084 Patent are invalid as anticipated or would have been obvious to a person having ordinary skill in the art at the time of the alleged invention.

3. The ’084 Patent issued on March 30, 2004, from U.S. Patent Appl. No. 10/108,078 (“the ’078 Application”), filed on March 26, 2002. (Ex. 1004, the ’084 Patent.) For the purposes of my Declaration, I have been asked to assume that the priority date of the alleged invention recited in the ’084 Patent is March 26, 2002.

4. The face of the ’084 Patent names Jeffrey A. Aaron and Thomas Anschutz as the purported inventors and identifies BellSouth Intellectual Property Corp. as the purported assignee of the ’084 Patent. (Ex. 1004.) I have reviewed the Patent Office “Assignments on the Web” record for the ’084 Patent. This record indicates that the named inventors assigned their interests in the ’078 Application to BellSouth Intellectual Property Corp. on or around March 22, 2002. Through a series of assignments, name changes, and mergers, the ’084 Patent was assigned to Intellectual Ventures II LLC (“IV”) on or around May 23, 2013. (Ex. 1014, Assignment Record.)

5. In preparing this Declaration, I have reviewed the ’084 Patent, the file history of the ’084 Patent, numerous prior art references, technical references from the time of the alleged invention, and statements made regarding the alleged meaning and scope of terms and phrases recited in the Challenged Claims.

6. I understand that claims in an IPR are given their broadest reasonable interpretation in view of the patent specification and the understandings of one having ordinary skill in the relevant art.

7. In forming the opinions expressed in this Declaration, I relied upon my education and experience in the relevant field of the art, and have considered the viewpoint of a person having ordinary skill in the relevant art, as of the priority date of the ’084 Patent. My opinions are based, at least in part, on the following:

| Reference | Date of Public Availability |
|---|---|
| Porras, et al., Live Traffic Analysis of TCP/IP Gateways (“Porras”) | Porras was published in the Proceedings of the 1998 ISOC Symposium on Network and Distributed Systems Security, Dec. 12, 1997, and is attached as Ex. 1005 to the Petition for IPR. |
| U.S. Pat. No. 7,237,264, to Graham, et al. (“Graham”) | Graham was filed on June 4, 2001, issued on June 26, 2007, and is attached as Ex. 1006 to the Petition for IPR. |
| NetRanger User’s Guide, Version 1.3.1 (“NetRanger”) | NetRanger was published by WheelGroup Corp. in 1997, and is attached as Ex. 1007 to the Petition for IPR. |
| William R. Cheswick, et al., Firewalls and Internet Security: Repelling the Wily Hacker (“Cheswick & Bellovin”) | Cheswick & Bellovin was published by Addison Wesley in 1994, and excerpts of it are attached as Ex. 1008 to the Petition for IPR. |
| Snapp, et al., A System for Distributed Intrusion Detection (“Snapp”) | Snapp was published in the Digest of Papers for Compcon Spring ’91 on Feb. 25–Mar. 1, 1991, and is attached as Ex. 1009 to the Petition for IPR. |

II. BACKGROUND AND QUALIFICATIONS

8. I am an expert in the fields of telecommunications and network security, and have been an expert in the field since prior to 1999. A copy of my curriculum vitae is provided as Appendix A to this Declaration (Ex. 1002) and provides a comprehensive description of my relevant experience, including academic and employment history, publications, conference participation, and issued and pending U.S. patents.

9. I received a B.A. degree—interdisciplinary between the departments of Mathematics and Mathematical Statistics—from Columbia University in 1972, followed by a M.S. (1977) and Ph.D. (1982) in Computer Science from the University of North Carolina at Chapel Hill.

10. My academic career began in 1977 when I served as an instructor in the Department of Computer Science at the University of North Carolina at Chapel Hill. Since then, I have served as an Adjunct Professor of Computer Science at the University of Pennsylvania from 2002 to 2004. Since 2005, I have served and continue to serve as a Professor of Computer Science at Columbia University.

11. My experience with telecommunications and network security goes back more than 45 years. While in college, I worked as a systems programmer on various IBM systems. During my last two years in college, I was employed at the City College of New York (“CCNY”), which ran the entire computer network for the City University of New York (“CUNY”). CCNY was the central computing site for the entire CUNY, an organization comprising numerous two-year and four-year colleges. I caught my first hackers—two misbehaving CCNY students—in 1971.

12. While a graduate student, I was one of the inventors of Netnews, along with Tom Truscott, Jim Ellis, and Stephen Daniel, an early online “chat system,” i.e., Usenet news groups. Netnews is still used today and carries terabytes of data traffic per day. At its peak, Netnews comprised many tens of thousands of participating computers that regularly posted articles to more than 30,000 different news groups. For this work, all of the inventors, including myself, received the 1995 Usenix Lifetime Achievement Award (“the Flame”).

13. My professional career started in 1982 when I joined AT&T Bell Laboratories (“Bell Labs”). In my first role, I took sole responsibility for my technology center’s TCP/IP network and Ethernet cable, and joint responsibility for the cable that linked my center to the only other center in all of Bell Labs that used Ethernet.

14. During the 1980s, I was one of the people who spearheaded the effort to bring TCP/IP to all of Bell Labs. In the late 1980s, TCP/IP security became my primary research area. I helped administer the Bell Labs’ link to the early Internet and also helped investigate some early hacker incidents.

15. In 1989, I published one of the first papers on TCP/IP security, entitled “Security Problems in the TCP/IP Security Protocol Suite.” The paper was published in the ACM publication Computer Communication Review.

16. In 1992, I published one of the first papers on host and network intrusion detection, entitled “There Be Dragons” in the Proceedings of the Third USENIX Unix Security Symposium.

17. In 1994, I co-authored “Firewalls and Internet Security: Repelling the Wily Hacker,” the first book on the subject of firewalls and internet security (“Cheswick & Bellovin”). The publisher sold more than 100,000 copies of the book around the world. This volume of sales is considered exceptionally high for a technical book.

18. I was named an AT&T Fellow in 1998, was elected to the National Academy of Engineering in 2001, and received the National Computer Systems Security Award in 2007 from the National Institute of Standards and Technology and the National Security Agency.

19. From 1996 to 2004, I worked for AT&T Labs Research as a result of AT&T’s spin-off of Lucent Technologies. From 2005 to 2012, I remained employed with AT&T Labs Research as a one-day-per-month employee.

20. From 1993 to 2004, I was very active in the Internet Engineering Task Force (“IETF”). The IETF is the primary organization that develops Internet standards. From 1993 to 1994, I was a member of the “IPng Directorate” that selected the IPv6 architecture from multiple competing designs. Apart from chairing or co-chairing several technology working groups, including the Intellectual Property Rights Working Group, I was a member of the Internet Architecture Board (“IAB”) from 1996 to 2002 and one of the Security Area directors on the Internet Engineering Standards Group (“IESG”) from 2002 to 2004. The IAB provides oversight of, and occasional commentary on, aspects of the architecture for the protocols and procedures used by the Internet. The IESG is responsible for technical management of IETF activities and the Internet standards process. It administers the process according to the rules and procedures that have been ratified by the Internet Society (“ISOC”) trustees. The IESG is directly responsible for the actions associated with entry into and movement along the Internet “standards track,” including final approval of specifications as Internet Standards prior to their publication as RFCs. All the Area directors, including myself in particular, are responsible for ensuring that all Internet protocols have suitable security mechanisms, such as encryption.

21. From 2012 to 2013, I served as Chief Technologist for the Federal Trade Commission (“FTC”). My primary responsibility was advising the Chair about any FTC cases and policy involving technology or privacy. Among many others, I advised the Chair about standard-essential patents, an issue of great concern for the FTC.

22. I am listed as an inventor on 20 U.S. patents covering inventions in the areas of networking, cryptography, and network security. I am also named as an inventor on a number of currently-pending U.S. patent applications. I have published numerous technical articles and papers in major conference proceedings and journals, and have served on several National Academies study panels. I am currently serving on two such committees as well as on the National Academies’ Computer Science and Telecommunications Board. I am also currently serving on or acting as a subject matter expert for two U.S. government advisory committees: Department of Homeland Security, Science and Technology Advisory Committee; and Data Privacy and Integrity Advisory Committee.

III. UNDERSTANDING OF PATENT LAW

23. I understand that prior art to the ’084 Patent includes patents and printed publications in the relevant art that predate the priority date of the ’084 Patent.

24. I understand that a claim is invalid if it is anticipated or obvious. Anticipation of a claim requires that every element of a claim be disclosed expressly or inherently in a single prior art reference, arranged in the prior art reference as arranged in the claim. Obviousness of a claim requires that the claim be obvious from the perspective of a person having ordinary skill in the relevant art at the time of the alleged invention. I understand that a claim may be obvious from a combination of two or more prior art references.

25. I understand that an obviousness analysis requires an understanding of the scope and content of the prior art, any differences between the alleged invention and the prior art, and the level of ordinary skill in evaluating the pertinent art.

26. I further understand that certain factors may support or rebut the obviousness of a claim. I understand that such secondary considerations include, among other things, commercial success of the alleged invention, skepticism of those having ordinary skill in the art at the time of the alleged invention, unexpected results of the alleged invention, any long-felt but unsolved need in the art that was satisfied by the alleged invention, the failure of others to make the alleged invention, praise of the alleged invention by those having ordinary skill in the art, and copying of the alleged invention by others in the field. I understand that there must be a nexus—a connection—between any such secondary considerations and the alleged invention. I also understand that contemporaneous and independent invention by others is a secondary consideration tending to show obviousness.

27. I further understand that a claim is obvious if it unites old elements with no change to their respective functions, or alters prior art by mere substitution of one element for another known in the field and that combination yields predictable results. While it may be helpful to identify a reason for this combination, common sense should guide and no rigid requirement of finding a teaching, suggestion, or motivation to combine is required. When a product is available, design incentives and other market forces can prompt variations of it, either in the same field or a different one. If a person having ordinary skill in the relevant art can implement a predictable variation, obviousness likely bars its patentability. For the same reason, if a technique has been used to improve one device and a person having ordinary skill in the art would recognize that it would improve similar devices in the same way, using the technique is obvious. I understand that a claim may be obvious if common sense directs one to combine multiple prior art references or add missing features to reproduce the alleged invention recited in the claims.

IV. BACKGROUND

A. Background of the Field Relevant to the ’084 Patent

28. There are generally three different types of technologies, in the prior art, for performing intrusion detection: (1) signature detection; (2) anomaly detection; and (3) expert systems.

29. Signature detection is the simplest intrusion detection technique. Signature systems require all known patterns of abnormal behaviors to be defined in a list, i.e., a rule list. Traffic is then compared against the rule list and certain actions are taken if the traffic matches one of the rules. Signature detection systems very rarely have false positives, but, by definition, are unable to detect new types of attacks before a rule is created for the attack. For example, web servers are generally known to have bugs. Attempts to exploit these bugs are ipso facto malicious. One such well known bug is described in CERT Advisory, CA-2001-19, which defines a particular traffic pattern indicating that an intruder is attempting to hack the server. (See generally Ex. 1015, CERT Advisory, CA-2001-19.)

30. Anomaly detection is based on learning a “normal” pattern of behavior of a particular system or network and then detecting significant variations from this “normal” pattern. Anomaly detection can best be explained by building on the example provided in connection with signature detection. Assuming most URLs are around 100 bytes long, URLs that are significantly longer may be flagged as anomalous. For example, the URL to the Patent Trial and Appeal Board is 104 bytes long and is thus only “slightly” unusual:

    https://ptabtrials.uspto.gov/prweb/PRServlet/oO9O9iMscyJc_fy6LnBDXO9xEtRpDxfL3At36r8Aw8k%5B*/!STANDARD?

31. The URL described in CERT Advisory, CA-2001-19, on the other hand, is at least 380 bytes long and is thus “more” unusual:

    /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u
    6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
    u9090%u9090%u8190%u00c3%u0003%u8b00%u531b
    %u53ff%u0078%u0000%u00=a

(Ex. 1015 at 3, CERT Advisory, CA-2001-19.) This URL is not “bad” per se. It is, however, anomalous because it deviates from the “standard” URL length for a given server.

32. Expert systems analyze multiple types of anomalies, certain combinations of which may indicate an attack. Such systems receive reports of anomalies from anomaly detectors distributed throughout a monitored network, which were commonly used in the art at the time of the priority date of the ’084 Patent. Expert systems detected patterns in network traffic and then simulated analysis that would be performed by a system administrator to determine whether or not an identified anomaly indicated an actual attack.

33. Continuing to build on the example provided for signature detection, while a long URL is, in and of itself, not an attack per se, a long URL combined with multiple outbound connections may indicate that the system is infected by a worm. (See generally Ex. 1015, CERT Advisory, CA-2001-19.)
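
The following sketch is an added illustration, not part of the declaration or of any cited exhibit: it runs the three detection styles of paragraphs 29–33 (rule list, learned URL-length baseline, and correlation of a long URL with outbound connections) over constructed events. The rule pattern, baseline lengths, threshold, host names and time window are assumptions, and the long URLs are padding-only stand-ins of the same 380-byte length rather than the advisory's request.

```python
import re
import statistics
from collections import defaultdict

# Illustrative rule list (assumption): one pattern shaped like the request
# quoted from CA-2001-19 in paragraph 31.
SIGNATURES = {"ida-long-n-run": re.compile(r"^/default\.ida\?N{100,}")}

# Constructed training lengths clustered near 100 bytes (paragraph 30).
BASELINE_LENGTHS = [92, 97, 100, 103, 108, 95, 101, 99, 105, 100]

# Constructed stand-ins: padding only, none of the advisory's encoded bytes.
SLIGHT_URL = "/" + "a" * 103                 # 104 bytes, "slightly" unusual
LONG_URL = "/default.ida?" + "N" * 367       # 380 bytes, matches the rule
VARIANT_URL = "/default.ida?" + "X" * 367    # 380 bytes, no rule exists yet

# Constructed events: (seconds, direction, monitored host, detail).
EVENTS = [
    (0, "in", "web1", LONG_URL),
    (3, "in", "web2", VARIANT_URL),
    (5, "out", "web1", "198.51.100.7:80"),
    (9, "out", "web1", "198.51.100.8:80"),
    (12, "out", "web1", "198.51.100.9:80"),
    (20, "in", "web3", SLIGHT_URL),
    (25, "out", "web3", "192.0.2.10:443"),
]


def signature_hits(url):
    """Signature detection: names of the rules that the URL matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(url)]


class LengthAnomalyDetector:
    """Anomaly detection: learn a 'normal' URL length, score deviation from it."""

    def __init__(self, training_lengths, threshold=3.0):
        self.mean = statistics.fmean(training_lengths)
        self.stdev = statistics.pstdev(training_lengths)
        if self.stdev == 0:
            raise ValueError("baseline has no variation; cannot score deviation")
        self.threshold = threshold

    def score(self, url):
        """Distance from the learned mean, in standard deviations."""
        return abs(len(url) - self.mean) / self.stdev

    def is_anomalous(self, url):
        return self.score(url) > self.threshold


def correlate(events, detector, min_outbound=3, window=60):
    """Expert-system step: a long inbound URL alone is only an anomaly; the same
    host opening several outbound connections soon afterwards suggests a worm."""
    first_anomaly = {}              # host -> time of first anomalous inbound URL
    outbound = defaultdict(list)    # host -> times of outbound connections
    for ts, direction, host, detail in events:
        if direction == "in" and detector.is_anomalous(detail):
            first_anomaly.setdefault(host, ts)
        elif direction == "out":
            outbound[host].append(ts)
    verdicts = {}
    for host, t0 in first_anomaly.items():
        burst = [t for t in outbound[host] if 0 <= t - t0 <= window]
        verdicts[host] = ("suspected-worm" if len(burst) >= min_outbound
                          else "anomaly-only")
    return verdicts


if __name__ == "__main__":
    det = LengthAnomalyDetector(BASELINE_LENGTHS)
    for label, url in [("slight", SLIGHT_URL), ("long", LONG_URL),
                       ("variant", VARIANT_URL)]:
        print(label, len(url), signature_hits(url), round(det.score(url), 1))
    print(correlate(EVENTS, det))
```

The variant request shows the limitation stated in paragraph 29: it matches no rule, yet the length baseline still flags it, and only the host that also opens outbound connections is escalated.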

34. There are generally two types of IDSs: host-based and network-based. The relevant art distinguishes between host-based and network-based intrusion detection. Host-based intrusion detection analyzes behavior on one computer. Network-based intrusion detection, on the other hand, analyzes behavior of network traffic as a whole. A network-based intrusion detection monitor could be located anywhere in the monitored network, including on either side of the firewall or within individual domains or LANs.

B. Summary of the ’084 Patent

35. The ’084 Patent is directed to a “broad-scope” intrusion detection system (“IDS”). (Ex. 1004 at 5:45–46.) The IDS analyzes network traffic “coming into multiple hosts or other customers’ computers or sites.” (Ex. 1004 at 5:46–47.) This allegedly provides the IDS “additional data for analysis as compared to systems that just analyze the traffic coming into one customer’s site . . ..” (Ex. 1004 at 5:48–51.) The network data is analyzed by the IDS for “patterns that would otherwise be difficult or impossible to recognize with just a single customer detector.” (Ex. 1004 at 5:51–54.) “Standard signature detection” or “new signatures and methods/algorithms can be used.” (Ex. 1004 at 5:54–56.) Fig. 2 shows an exemplar IDS:

(Ex. 1004 at Fig. 2, the ’084 Patent) (emphasis added)

36. Fig. 2 shows a network with the claimed IDS. (Ex. 1004 at 6:50–52.) The network includes a “plurality of network devices such as hosts, servers, and personal computers attached within customer site networks (shown here as customer site networks 220, 230, 240, 250) . . ..” (Ex. 1004 at 6:52–57.)

37. A data collection and processing center (205 and 210) is shown coupled to the network. (Ex. 1004 at 7:18–20.) The data collection and processing center monitors traffic sent to a number of hosts, servers, and personal computers (220, 230, 240, 250). (Ex. 1004 at 7:35–43.) Various network devices “can be used as sensors to sense data traffic and pass their findings on to the data collection and processing center . . ..” (Ex. 1004 at 7:45–52.)

38. The IDS of the ’084 Patent monitors traffic for unauthorized access, referred to as “an anomaly.” (Ex. 1004 at 5:57–60.) An anomaly is detected by “analyzing a plurality of data packets with respect to predetermined patterns.” (Ex. 1004 at 6:9–14.) An anomaly “can be an intrusion, or an intrusion attempt or reconnaissance activity.” (Ex. 1004 at 5:64–65.) If an anomaly is detected, the IDS can alert a device by “alerting a firewall associated with the device that an anomaly has been detected.” (Ex. 1004 at 6:15–17.) The device may also be “controlled (e.g., have its firewall adjusted).” (Ex. 1004 at 6:17–19.) The IDS identifies devices affected by the anomaly as well as those anticipated to be affected. (Ex. 1004 at Abs.)

39. The Challenged Claims cover very similar subject matter. Elements [d]-[h] of claim 19 are nearly identical to the preamble and elements [a]-[b] of claim 26 and elements [a]-[b] of claim 27. The table below compares claim 19 to claims 26–27, with all differences underlined, and shows the minor differences between claim 19 and claims 26–27 to be form, not substance:

| Claim 19 | Claims 26 and 27 |
|---|---|
| 19. An intrusion detection and alerting system for a computer network comprising: | // |
| [a] a plurality of devices coupled to the computer network, each device adapted to at least one of: | // |
| [b] (1) sense data and provide the data to a data collection and processing center, and | // |
| [c] (2) be adjustable; and | // |
| [d] the data collection and processing center comprising a computer with a firewall coupled to the computer network, | 26. A data collection and processing center comprising a computer with a firewall coupled to a computer network, |
| [e] the data collection and processing center monitoring data communicated to at least a portion of the plurality of devices coupled to the network, | [a] the data collection and processing center monitoring data communicated to the network, |
| [f] detecting an anomaly in the network using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system, | [b] and detecting an anomaly in the network using networked-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system. |
| [g] determining which of the devices are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites, and | 27. [a] The data collection and processing center of claim 26, further comprising determining which of a plurality of devices that are connected to the network are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites, and |
| [h] alerting the devices. | [b] alerting the devices. |

40. For purposes of efficiency, and to avoid repetition, my invalidity analysis in this Declaration will begin with claim 19 and apply equally to claims 26–27. I will separately address any differences between the claims.

41. The dependent claims do not contain any elements that one having ordinary skill in the art would consider novel or non-obvious. The following table shows dependencies of the Challenged Claims:

| Independent Claims | Dependent Claims |
|---|---|
| Claim 19 | Claim 20, Claim 22, Claim 23, Claim 24, Claim 25 |
| Claim 26 | Claim 27, Claim 28, Claim 29, Claim 30, Claim 31, Claim 32, Claim 33 |

42. Claims 20 and 28, claims 22 and 30, claims 23 and 31, claims 24 and 32, and claims 25 and 33 add very similar elements to independent claims 19 and 26, respectively. The table below compares the dependent claims, with all differences underlined, and shows the minor differences between the claims to be form, not substance:

| Dependent Claims from Claim 19 | Dependent Claims from Claim 26 |
|---|---|
| 20. The system of claim 19, wherein the data collection and processing center further determines which of the devices have been affected by the anomaly and alerts the devices. | 28. The data collection and processing center of claim 26, wherein the data collection and processing center further determines which of a plurality of devices that are connected to the network have been affected by the anomaly and alerts the devices. |
| 22. The system of claim 19, wherein the anomaly comprises one of an intrusion, an intrusion attempt, and reconnaissance activity. | 30. The data collection and processing of claim 26, wherein the anomaly comprises one of an intrusion, an intrusion attempt, and reconnaissance activity. |
| 23. The system of claim 19, wherein the data collection and processing center detects the anomaly by analyzing a plurality of data packets with respect to predetermined patterns. | 31. The data collection and processing of claim 26, wherein the data collection and processing center detects the anomaly by analyzing a plurality of data packets with respect to predetermined patterns. |

24. The system of claim 23, wherein the data collection and processing center analyzes data packets that have been received by at least two of the plurality of devices.

25. The system of claim 19, wherein the data collection and processing center adjusts anomaly detection sensitivity and alarm thresholds based on the detected anomaly.

32. The data collection and processing of claim 31, wherein the data collection and processing center ana