BEFORE THE PATENT TRIAL AND APPEAL BOARD

Commerce Bancshares, Inc., Compass Bank, and First National Bank of Omaha
Petitioners

v.

Intellectual Ventures II LLC
Patent Owner

Patent No. 6,715,084
Filing Date: March 26, 2002
Issue Date: March 30, 2004
Title: FIREWALL SYSTEM AND METHOD VIA FEEDBACK FROM BROAD-SCOPE MONITORING FOR INTRUSION DETECTION

Inter Partes Review No. Unassigned

DECLARATION OF DR. GEORGE KESIDIS

Commerce Bancshares, Inc., et al.
Exhibit 1003
Page 1

TABLE OF CONTENTS

I. INTRODUCTION AND QUALIFICATIONS
II. MATERIALS CONSIDERED
III. COMPENSATION
IV. THE ‘084 PATENT
    A. General Background of the Technology of the ‘084 Patent
    B. The ‘084 Patent
V. ANTICIPATION AND OBVIOUSNESS STANDARDS
VI. LEVEL OF ORDINARY SKILL IN THE ART
VII. CLAIM CONSTRUCTION AND THE BROADEST REASONABLE CONSTRUCTION
VIII. PRIOR ART REFERENCES
    A. Porras, “Live Traffic Analysis of TCP/IP Gateways”
    B. U.S. Patent No. 7,237,264 to Graham, et al. (“Graham”)
IX. DETAILED UNPATENTABILITY ANALYSIS
    A. Ground 1: Claims 1-9 and 12-18 are Anticipated by Live Traffic
        1. Live Traffic Anticipates Claims 1 and 9 of the ‘084 Patent
            i. Live Traffic discloses all elements of claim 1
        2. Live Traffic Anticipates Claim 2 of the ‘084 Patent
        3. Live Traffic Anticipates Claim 3 of the ‘084 Patent
        4. Live Traffic Anticipates Claims 4 and 12 of the ‘084 Patent
        5. Live Traffic Anticipates Claims 5 and 13 of the ‘084 Patent
        6. Live Traffic Anticipates Claims 6 and 14 of the ‘084 Patent
        7. Live Traffic Anticipates Claim 7 of the ‘084 Patent
        8. Live Traffic Anticipates Claims 8 and 18 of the ‘084 Patent
        9. Live Traffic Anticipates Claim 15 of the ‘084 Patent
        10. Live Traffic Anticipates Claim 16 of the ‘084 Patent
        11. Live Traffic Anticipates Claim 17 of the ‘084 Patent
    B. Ground 2: Claim 10 is Obvious in View of Live Traffic
    C. Ground 3: Claims 1-9 and 12-33 are Rendered Obvious by Live Traffic in View of Graham
        1. Motivation to Combine
        2. Claims 1-9 and 12-18 are Rendered Obvious by Live Traffic in View of Graham
        3. Claims 19-33 are Rendered Obvious by Live Traffic in View of Graham
            i. Live Traffic in View of Graham Renders Claim 19 Obvious
            ii. Live Traffic in View of Graham Renders Claim 20 Obvious
            iii. Live Traffic in View of Graham Renders Claim 21 Obvious
            iv. Live Traffic in View of Graham Renders Claim 22 Obvious
            v. Live Traffic in View of Graham Renders Claim 23 Obvious
            vi. Live Traffic in View of Graham Renders Claim 24 Obvious
            vii. Live Traffic in View of Graham Renders Claim 25 Obvious
            viii. Live Traffic in View of Graham Renders Claim 26 Obvious
            ix. Live Traffic in View of Graham Renders Claim 27 Obvious
            x. Live Traffic in View of Graham Renders Claim 28 Obvious
            xi. Live Traffic in View of Graham Renders Claim 29 Obvious
            xii. Live Traffic in View of Graham Renders Claim 30 Obvious
            xiii. Live Traffic in View of Graham Renders Claim 31 Obvious
            xiv. Live Traffic in View of Graham Renders Claim 32 Obvious
            xv. Live Traffic in View of Graham Renders Claim 33 Obvious
X. SECONDARY CONSIDERATIONS OF NON-OBVIOUSNESS
XI. CONCLUSION

I, Dr. George Kesidis, declare as follows:

I. INTRODUCTION AND QUALIFICATIONS

1. I am a tenured professor in both the Computer Science & Engineering and Electrical Engineering departments at Pennsylvania State University. I have been in this position since 2000. Before accepting the position at Pennsylvania State University, I was a tenured professor of Electrical and Computer Engineering at the University of Waterloo from June 1992 to April 2000.

2. In 1988, I earned my B.A.Sc. from the University of Waterloo in Electrical Engineering. I then earned my M.S. from the University of California at Berkeley in Electrical Engineering and Computer Science (EECS). I continued my education at Berkeley and earned my Ph.D. in 1992 in EECS.

3. A copy of my Curriculum Vitae is being filed as Exhibit 1007.[1] My CV includes a list of books, papers, and other publications that I have authored or co-authored, including the short books: “An Introduction to Analysis of Communication Networks,” published by Wiley-Interscience & IEEE Press in 2007, and “ATM Network Performance,” published by Kluwer Academic Publishers in 1999. I am an expert in computer/communication networking, network security, and intrusion detection. During my career, I have taught both undergraduate and graduate courses in communication networks and security of communication networks. My research has focused on several areas, including network security, anomaly detection, and traffic engineering.

[1] References to exhibits are to those exhibits being filed with the Petition for Inter Partes Review.

4. I have served in a number of capacities on government, academic, and industry committees that give advice on network communication and security. While performing these duties, I have read and authored many academic conference and journal articles and have been awarded research grants on network security from both government and industry. These grants have supported graduate students that I have supervised, some of whom now work in the cyber security industry. I recently (from 2012-2014) served as an Intermittent Expert for the Secure and Trustworthy Cyberspace Program for the National Science Foundation, in which role I helped run panels of experts examining research proposals in the network security area.

5. I have been asked to consider whether the methods and systems described in claims 1-10 and 12-33 of U.S. Patent No. 6,715,084 to Aaron et al. (“the ‘084 patent”) cover any new approaches to network intrusion detection that were not already known by, or obvious to, those having ordinary skill in the field before the named inventors on the ‘084 patent conceived and developed the subject matter of the claims filed in their patent application. I was asked to provide my opinion as to whether these claims were “anticipated” or “obvious” in light of certain earlier published papers and patents (“prior art”).

II. MATERIALS CONSIDERED

6. In forming the opinions expressed in this Declaration, I relied upon my education and experience in the relevant field of the art and have considered the viewpoint of a person having ordinary skill in the relevant art, as of March 26, 2002.

7. I have reviewed the specification, claims, and file history of the ‘084 patent. I have also reviewed and understand the following references:

    A. Porras, et al. “Live Traffic Analysis of TCP/IP Gateways” (“Live Traffic,” Ex. 1004), which was published at least as early as December 12, 1997;
    B. U.S. Patent No. 7,237,264, entitled “System and Method for Preventing Network Misuse,” and filed by Robert David Graham, et al., on June 4, 2001 (“Graham,” Ex. 1005).

8. These references anticipate or render obvious the subject matter defined in claims 1-10 and 12-33 of the ‘084 patent. These references form the grounds for challenging the patentability of the ‘084 patent claims set forth in the corresponding petition for inter partes review.

9. I reserve the right to supplement my opinions to address any information obtained, or positions taken, based on any new information that comes to light throughout the inter partes review proceeding.

III. COMPENSATION

10. I am being compensated at my normal consulting rate for my work. My compensation is not dependent on and in no way affects the substance of my statements in this Declaration.

11. To the best of my knowledge, I have no financial interest in Petitioners Compass Bank, Commerce Bancshares, Inc., and First National Bank of Omaha or with the real parties in interest: Commerce Bancshares, Inc., Commerce Bank, BBVA Compass Bancshares, Inc., Compass Bank, First National Bank of Omaha, and First National of Nebraska, Inc. I have been informed that Intellectual Ventures II LLC (“IV”) purports to own the ‘084 patent. To the best of my knowledge, I have no financial interest in IV, and I have had no contact with IV. To the best of my knowledge, I similarly have no financial interest in the ‘084 patent and have had no contact with the named inventors of the ‘084 patent.

12. As reflected on the first page of the ‘084 patent, the application that matured into the ‘084 patent was filed on March 26, 2002. The ‘084 patent issued to Jeffrey A. Aaron and Thomas Anschutz on March 30, 2004.

IV. THE ‘084 PATENT

A. General Background of the Technology of the ‘084 Patent

13. The ‘084 patent discloses a system and method of broad-scope intrusion detection that monitors and analyzes traffic from multiple hosts at a “separately maintained data collection and processing center.”

14. Before the filing date of the ‘084 patent, end-systems communicating over the Internet, and the Internet infrastructure itself, had been subjected to many and various types of attacks. Large-scale network “enterprises” had been set up by private companies, universities, and government agencies, and their need for effective security services was already keenly felt, as it was felt in the public commodity Internet. As new types of attacks were proliferating, approaches were being proposed to mitigate or prevent them once detected. Security technology operating in the end-systems (e.g., anti-virus software) and in the network (e.g., firewalls) existed and was becoming ubiquitous.

15. One approach to detecting and preventing attacks on a network is based on signatures of known malicious activity. Malicious activity could be anomalies in the network such as intrusions, attempted intrusions, or reconnaissance activity, such as port scanning, to test the security of a network. A firewall deployed in the network monitors a packet flow-aggregate and, e.g., conducts certain checks to determine whether the packets contain signatures/patterns of known attack behavior (the patterns are stored in memory associated with the firewall) and, if attack behavior is thus detected, the packet can be filtered/dropped by the firewall. Additional responsive behavior, such as alerting the network’s system or security administrator, may be taken.

16. Some known malicious activity at the time involved the transmission of viruses and Trojan software (malware). Antivirus software running in the targeted host was available and could check for receipt of known malware and attempt to block its execution and remove it from the host. Inherently, network-deployed defenses examined the activity of a plurality of end-systems (that are networked together), particularly packet traffic exchanged by them. Ways to deal with malware and other types of attacks (e.g., denial of service) using network-deployed devices were investigated to eliminate threats “in flight” before one or more potentially vulnerable hosts are affected.

17. Before the filing date of the ‘084 patent, existing approaches to the significantly more challenging task of quickly detecting new attacks were developed. Network-based intrusion-detection systems identified merely suspicious (or “anomalous”) activity and issued alerts. Alerts were correlated and fused into meta-alerts to increase confidence in determining the existence of a new attack. Given that a new attack was detected, these systems were often able to readily determine the target of the attack, e.g., a common application, protocol or operating system associated with the alerts.

18. When such a target of an emerging threat was identified, e.g., through an alert or meta-alert, it was natural to focus other parts of the network where the same target exists. For example, many end-hosts may run the same application, or have the same operating system, or interact with each other according to a given protocol, i.e., “monocultures.” If one end-host is deemed to be under attack through an exploited vulnerability associated with some (inter-host) protocol X, then it is natural to consider other end-hosts also interacting through protocol X for which the attack has not as yet been detected. Network-based intrusion-detection systems may quickly react to prevent the spread of the attack by, e.g., instructing firewalls to filter packets associated with protocol X in areas/domains of the network in which the network-based intrusion-detection systems operate where the attack has not yet been detected. The effect may be a temporary quarantine, or “denial of service” involving protocol X, until an administrator can further investigate, possibly eventually leading to identification of a precise signature/pattern of the attack (through more detailed forensics) that is subsequently deployed in the network firewalls and/or end-host antivirus systems.

B. The ‘084 Patent

19. The ‘084 patent is titled “Firewall System And Method Via Feedback From Broad-Scope Monitoring For Intrusion Detection.” Ex. 1001 at Title Page. Generally, the ‘084 patent discloses a system and method of broad-scope intrusion detection of “traffic coming into multiple hosts or other customers’ computers or sites.” Id. at 5:46-48. The ‘084 patent states that a problem with the prior-art intrusion detection systems was that they were “plagued by false positive events” and were unable to “detect the earliest stages of network attacks.” Id. at 4:51-53. The reason for this, according to the ‘084 patent, is that the prior art intrusion detection methods monitored only a single customer’s data and thus lacked the “capability to perform broad-scope intrusion analysis/detection” on multiple hosts. Id. at 4:64-67. The alleged advantage of the ‘084 patent’s intrusion detection system is that it allowed for analysis of additional data entering into multiple hosts or computers, rather than analyzing traffic entering just one site. This cut down on false positive events and allowed for “near-real time parameter adjustments for firewalls.” Id. at 11:63-67. Figure 2 of the ‘084 patent depicts the claimed invention:

External customer site networks 220, 230, 240, and 250 are coupled to an intervening network (i.e. the internet) 204 via known firewalls 221, 231, 241, and 251. Id. at 6:50-7:5. The “separately maintained data collection and processing center,” the heart of the ‘084 patent, is made up of a computer or server 205 and a firewall 210. Id. at 7:18-20 (highlighted above). Broad-scope intrusion detection is performed on the various networks 220, 230, 240, and 250, and the data collection and processing center receives and collects information from these various network components. Id. at 7:35-43. Thus, “the data collection and processing center receives all communications (i.e. the data) originating from a user on the computer network 204 and flowing to host 220 (or vice versa), for example.” Id. “Certain devices can be used as sensors to sense data traffic and pass their findings on to the data collection and processing center or other central processing system.” Id. at 7:44-47.

20. The central processing system of the ‘084 patent monitors the network traffic from the various network components for anomalies. Id. at 5:57-60. Detection of an anomaly requires “analyzing a plurality of data packets with respect to predetermined patterns.” Id. at 6:8-13. The ‘084 patent states that an “anomaly” can be “an intrusion, or an intrusion attempt or reconnaissance activity.” Id. at 5:64-65. Because the data collection and processing center is collecting information from multiple hosts, instead of just one host, it is allegedly better able to predict and detect anomalies in the network. Id. at 8:45-65.

21. After the events are collected and forwarded to a central database, the central database “uses pattern correlations across multiple customers’ events in order to better determine the occurrence and sources of suspected intrusion-oriented activity.” Id. at 8:23-30. Once an intrusion, intrusion attempt, or reconnaissance activity is detected, the central processing system can alert the relevant administrators of the hosts or the affected devices on the network that a certain system is either affected or anticipated to be affected. Id. at 10:15-21. Additionally, when an intrusion is detected, the broad-scope matching parameters can be adjusted to deal with the attack. Id. at 8:31-44. The central processing system can determine that a device is anticipated to be affected by an anomaly by “polling” the devices on the network in a “predetermined sequential order.” Thus “an intrusion attempt that is detected at an earlier, already polled sensor, can be determined, and administrators of other hosts, that have not yet been hit by the intrusion attempt, can be alerted about the possibility of such an intrusion attempt.” Id. at 11:3-13 and 13:3-7.
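
The cross-site correlation described in paragraphs 18 and 21 can be sketched as follows. This is an added illustration, not code from the declaration, the ‘084 patent, Live Traffic, or Graham; the site names, addresses, pattern names, the per-site service inventory, and the `min_sites` threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SensorEvent:
    site: str      # customer site whose sensor reported the event
    src: str       # source address of the suspicious traffic
    protocol: str  # protocol or service the traffic targeted
    pattern: str   # predetermined pattern the packets matched


# Constructed sample data (hypothetical sites, documentation-range addresses).
# Assumption: the central system knows which protocols each site exposes.
SITE_SERVICES = {
    "site-220": {"smb", "http"},
    "site-230": {"smb", "ssh"},
    "site-240": {"ssh", "smb"},
    "site-250": {"http"},
}

SAMPLE_EVENTS = [
    SensorEvent("site-220", "203.0.113.7", "smb", "smb-probe"),
    SensorEvent("site-230", "203.0.113.7", "smb", "smb-probe"),
    SensorEvent("site-220", "203.0.113.7", "smb", "smb-probe"),
    # Seen at one site only: not promoted to a broad-scope anomaly by default.
    SensorEvent("site-240", "198.51.100.23", "ssh", "ssh-login-burst"),
]


def correlate(events, min_sites=2):
    """Group events by (protocol, pattern) and keep only the groups that were
    reported by at least `min_sites` distinct sites."""
    seen = defaultdict(lambda: {"sites": set(), "sources": set()})
    for ev in events:
        entry = seen[(ev.protocol, ev.pattern)]
        entry["sites"].add(ev.site)
        entry["sources"].add(ev.src)
    return {key: val for key, val in seen.items() if len(val["sites"]) >= min_sites}


def anticipated_sites(protocol, hit_sites, inventory):
    """Sites that expose the targeted protocol but have not reported the
    pattern yet, i.e. the ones to warn before the activity reaches them."""
    return sorted(
        site for site, services in inventory.items()
        if protocol in services and site not in hit_sites
    )


def build_alerts(events, inventory, min_sites=2):
    """Produce one alert per site anticipated to be affected by each
    correlated anomaly, with the sources to watch and a suggested response."""
    alerts = []
    for (protocol, pattern), info in sorted(correlate(events, min_sites).items()):
        for site in anticipated_sites(protocol, info["sites"], inventory):
            alerts.append({
                "site": site,
                "protocol": protocol,
                "pattern": pattern,
                "sources": sorted(info["sources"]),
                "already_hit": sorted(info["sites"]),
                "action": f"tighten firewall filtering for {protocol}",
            })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_EVENTS, SITE_SERVICES):
        print(alert)
```

Requiring the same pattern at two or more sites is what suppresses the single-site `ssh-login-burst` event here, which mirrors the false-positive argument in paragraph 19.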

22. The ‘084 patent includes thirty-three claims, thirty-two of which are being challenged by the Petitioners. A representative independent claim, claim 1, states:

    1. A method of alerting at least one device in a networked computer system comprising a plurality of devices to an anomaly, at least one of the plurality of devices having a firewall, comprising:

    [a] detecting an anomaly in the networked computer system using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system;

    [b] determining which of the plurality of devices are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites; and

    [c] alerting the devices that are anticipated to be affected by the anomaly.

Ex. 1001 at Claim 1.

23. Method claims 1 and 9, both independent claims, are substantially similar with only minor differences.

24. Additionally, claims 4-6 and 8, which depend from claim 1, and claims 12-14 and 18, which depend from claim 9, are substantially similar, respectively. The below table compares the claims:

| Dependent Claims from Claim 1 | Dependent Claims from Claim 9 |
| --- | --- |
| 4. The method of claim 1, wherein the anomaly comprises one of an intrusion and an intrusion attempt. | 12. The method of claim 9, wherein the anomaly comprises one of an intrusion and an intrusion attempt. |
| 5. The method of claim 1, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns. | 13. The method of claim 9, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns. |
| 6. The method of claim 5, wherein analyzing data packets comprises analyzing data packets that have been received at at least two of the plurality of devices. | 14. The method of claim 13, wherein analyzing data packets comprises analyzing data packets that have been received at at least two of the plurality of devices including the first device. |
| 8. The method of claim 1, further comprising adjusting anomaly detection sensitivity and alarm thresholds based on the detected anomaly. | 18. The method of claim 9, further comprising adjusting anomaly detection sensitivity and alarm thresholds based on the detected anomaly. |

25. It is my opinion that all thirty-two challenged claims of the ‘084 patent are unpatentable based on the following grounds:

| Ground | Basis for Rejection |
| --- | --- |
| 1 | Claims 1-9 and 12-18 are anticipated by Live Traffic. |
| 2 | Claim 10 is rendered obvious by Live Traffic. |
| 3 | Claims 1-9 and 12-33 are obvious in view of Live Traffic and Graham. |

26. With respect to Grounds 1 and 2, Live Traffic discloses a distributed IDS in which a number of surveillance modules are used to analyze network traffic in several interconnected local network domains (e.g., LANs). These local domain surveillance modules then forward the results of their analysis to an enterprise-layer surveillance module that further analyzes the collective analysis results. In my opinion, Live Traffic discloses every element of claims 1-9 and 12-18 of the ‘084 patent, anticipating such claims. In my opinion, Live Traffic also renders claim 10 obvious in view of the knowledge of one of ordinary skill in the art at the time of the alleged invention.

27. With respect to Ground 3, Graham teaches an intrusion detection system in which a single node may be designated to monitor and control communications in a local area network (“LAN”). Graham differs from Live Traffic in that Graham provides additional detail regarding certain aspects of network-based intrusion detection that are claimed in the ‘084 patent, and is thus not redundant with Live Traffic.

28. For example, while Live Traffic discloses every element of claims 1-9 and 12-18, Graham provides significant additional detail regarding certain elements of independent claims 1 and 9, such as how it may be determined that a device is “anticipated to be affected” by an anomaly. As such, Ground 3 is not redundant with Ground 1. Similarly, with respect to claims 19-33, Graham expressly discloses or provides significant additional detail regarding certain claim elements for which Live Traffic contains a more general disclosure (e.g., “a computer with a firewall coupled to a computer network.”). In my opinion, because, as further discussed below, a person of ordinary skill in the art would have been motivated to combine Live Traffic and Graham, Live Traffic and Graham render claims 1-9 and 12-33 obvious.

V. ANTICIPATION AND OBVIOUSNESS STANDARDS

29. I have been informed and understand that for the purposes of this proceeding, prior art to the ‘084 patent includes patents and printed publications in the relevant art.

30. I have been informed and understand that a claim is not patentable if it is anticipated or obvious. In other words, claimed subject matter is only patentable if it is new and not obvious in light of the work of others that came before—which is usually reflected in published papers and patents. Anticipation of a claim requires that every element of a claim be disclosed expressly or inherently in a single prior art reference. Obviousness of a claim requires that the claim be obvious from the perspective of a person of ordinary skill in the art at the time the alleged invention was made. I understand that a claim may be obvious from a combination of two or more prior art references.

31. I have been informed and understand that certain factors may support or rebut the obviousness of a claim. Such secondary considerations include, among other things, commercial success of the patented invention, skepticism of those having ordinary skill in the art at the time of invention, unexpected results of the invention, long-felt need in the art that was satisfied by the alleged invention, and the failure of others to make the alleged invention.

32. I have been informed and understand that a claim is obvious if it simply combines old elements with no change to their respective functions, or alters prior art by mere substitution of one element for another known in the field, in a manner that yields predictable results.

33. I have been informed and understand that a person of ordinary skill in the art is presumed to have knowledge of all of the relevant prior art at the time of the claimed invention, and that if the available prior art shows each of the elements of the asserted claims, I should determine whether it then would have been obvious to combine or coordinate these elements in the same manner as in the claim at issue.

34. I have been informed and understand that a patent composed of several elements is not proved obvious merely by demonstrating that each of its elements was independently known in the art, but that I must determine whether a person of ordinary skill has simply implemented a predictable (and therefore obvious) variation of prior art elements or, conversely, whether he or she has made an improvement that is more than the predictable use of prior art elements according to their established functions and therefore non-obvious.

35. I have further been informed and understand that a claimed invention can be rendered obvious by a combination of multiple references, as long as there is a reason to combine disclosed in the references or a person of skill in the art would have otherwise had a motivation to combine those references in solving a problem addressed by the claimed invention.

VI. LEVEL OF ORDINARY SKILL IN THE ART

36. I understand that anticipation and obviousness are to be analyzed from the perspective of one of ordinary skill in the art who would be involved in the same field as the ‘084 patent.

37. The field of the ‘084 patent is described as “intrusion detection systems for computer systems and, more particularly, to network-based intrusion detection systems.” I understand that the application that matured into the ‘084 patent was filed on March 26, 2002, and that it is this time period that is relevant for assessing the level of ordinary skill in the art.

38. I have been informed that there are many factors relevant to determining the level of ordinary skill in the pertinent art, including the educational level of workers in the field at the time of the alleged invention, the sophistication of the technology, the type of problems encountered in the art, and the prior art solutions to those problems.

39. Based on these factors, it is my opinion that a person of ordinary skill in the art at the time of the alleged invention of the ‘084 patent would have had at least a Bachelor of Science degree in Computer Science or similar degree, and one to two years of work experience in developing security applications or with network security.

40. Based on my qualifications, I consider myself qualified to provide opinions from the perspective of one of ordinary skill in the art for the ‘084 patent.

VII. CLAIM CONSTRUCTION AND THE BROADEST REASONABLE CONSTRUCTION

41. I have been informed and understand that a primary step in determining patentability is to properly construe the claims to determine claim scope and meaning.

42. I have been informed and understand that for purposes of this proceeding, the claim terms should be given their “broadest reasonable construction in light of the specification.”

43. I have been informed and understand that the claim terms, unless a special and particular definition is provided, should be afforded their ordinary and accustomed meaning that they would have to a person of ordinary skill in the art. I have thus interpreted the claim terms following these guidelines.

44. I have reviewed the constructions proposed by Petitioners in the Petition for inter partes review as well as the constructions adopted by IV in concurrent litigation. It is my opinion that the claims are invalid under the construction laid out in the Petition or under any reasonable construction of the claim terms. The table below represents my understanding of the proper construction of several of the claim terms when given their “broadest reasonable construction in light of the specification.”

| Term(s) | Broadest Reasonable Construction |
| --- | --- |
| an anomaly in the network | an irregularity in the network indicative of misuse of network systems or resources |
| network-based intrusion detection techniques | techniques for detecting an intrusion by analyzing network communications |
| alerting the device/alerts the devices | notifying the device, associated firewall, or administrator, which are responsible for protecting the device by responding to identified threats |
| adjusting the firewall/controlling the device | reconfiguring or adjusting pertinent parameters (of the firewall/of the device) |

VIII. PRIOR ART REFERENCES

45. The following is my understandin