US007237264B1

(12) United States Patent
Graham et al.

(10) Patent No.: US 7,237,264 B1
(45) Date of Patent: Jun. 26, 2007

(54) SYSTEM AND METHOD FOR PREVENTING NETWORK MISUSE

(75) Inventors: Robert David Graham, Menlo Park, CA (US); Peter Kavaler, Castro Valley, CA (US)

(73) Assignee: Internet Security Systems, Inc., Atlanta, GA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 674 days.

(21) Appl. No.: 09/874,574

(22) Filed: Jun. 4, 2001

(51) Int. Cl.: H04L 29/00 (2006.01)
(52) U.S. Cl.: 726/23; 726/25
(58) Field of Classification Search: 709/225, 709/223; 713/201, 200; 726/25, 23
See application file for complete search history.

Primary Examiner: Kambiz Zand
Assistant Examiner: Andrew L. Nalven
(74) Attorney, Agent, or Firm: King & Spalding LLP

(57) ABSTRACT

A system and method for preventing misuse conditions on a data network are described. Embodiments of the system and method evaluate potential network misuse signatures by analyzing variables such as the state of the network and/or target, the context in which the potential misuse signatures are detected, the response/reaction of the target and/or the fingerprint of the target. These and other variables may be factored in to the misuse determination, either alone, or in combination.

52 Claims, 12 Drawing Sheets

Commerce Bancshares, Inc., et al.
Exhibit 1005
Page 1