IN THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF VIRGINIA
`RICHMOND DIVISION
`
`THE TRUSTEES OF COLUMBIA
`UNIVERSITY IN THE CITY OF NEW
`
`Civil Action No. 3: 13-cv-00808-JRS
`
`YORK,
`
`VS.
`
`Plaintzfi‘
`
`JURY TRIAL DEMANDED
`
`SYMANTEC CORPORATION,
`
`Defendant
`
`
`EXPERT REPORT OF
`
`PROFESSOR MICHAEL BAILEY
`
`CONTAINS HIGHLY CONFIDENTIAL —
`
`OUTSIDE COUNSEL ONLY INFORMATION
`
`Exhibit Page 1
`
`SYMC 1017
`
`Symantec V. Columbia
`IPR201 5-003 75
`
`
`Exhibit Page 1
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
`
`
`FOR THE EASTERN DISTRICT OF VIRGINIA
`RICHMOND DIVISION
`
`THE TRUSTEES OF COLUMBIA
`UNIVERSITY IN THE CITY OF NEW
`
`Civil Action No. 3: 13-cv-00808-JRS
`
`YORK,
`
`VS.
`
`Plaintzfi‘
`
`JURY TRIAL DEMANDED
`
`SYMANTEC CORPORATION,
`
`Defendant
`
`
`EXPERT REPORT OF
`
`PROFESSOR MICHAEL BAILEY
`
`CONTAINS HIGHLY CONFIDENTIAL —
`
`OUTSIDE COUNSEL ONLY INFORMATION
`
`Exhibit Page 1
`
`SYMC 1017
`
`Symantec V. Columbia
`IPR201 5-003 75
`
`
`Exhibit Page 1
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`I.
`
`INTRODUCTION
`
`1.
`
`I have been retained as an independent expert witness by the law firm of Irell
`
`& Manella LLP, on behalf of The Trustees of Columbia University in the City of New York
`
`(“Columbia”), in connection with the patent litigation between Columbia and Defendant
`
`Symantec Corporation (“Symantec”). I have been asked to render opinions on two subject
`
`areas.
`
`2.
`
`First, I have been asked to render an opinion regarding the infringement of
`
`United States Patent Nos. 7,487,544 (the “‘544 patent”), 7,979,907 (the “‘907 patent”),
`
`7,448,084 (the “‘084 patent”), 7,913,306 (the “‘306 patent”), 8,074,115 (the “‘ 1 15 patent”),
`
`and 8,601,322 (the “‘322 patent”) (collectively, “the Columbia patents”).
`
`3.
`
`Second, I have also been asked to render an opinion regarding the
`
`inventorship of United States Patent No. 8,549,643 (the “‘643 patent”) and Columbia’s
`
`conception and disclosure to Symantec of the invention claimed in the ‘643 patent.
`
`4.
`
`My opinions and the bases for my opinions on these issues are contained in
`
`the remainder of this Expert Report, which I submit in accordance with the Court’s
`
`Scheduling Order of March 5, 2014, Dkt. 54.
`
`5.
`
`If Columbia calls me as a witness, I currently expect that my testimony will
`
`concern the subject matter of the Columbia patents, the function and operation of the
`
`accused products, and whether Symantec infringes the Columbia patents. My testimony will
`
`also concern the ‘643 patent and Columbia’s inventorship of the technology claimed therein.
`
`I also may testify regarding additional matters addressed herein and matters discussed in any
`
`supplemental reports of declarations that I may prepare for this litigation in the future.
`
`I also
`
`expect to testify at trial with respect to the matters addressed by any expert testifying on
`
`1
`SYMC 1017
`HIGHLY CONFIDl]23lzI(lF1lRiIl Ea eT2SIDE COUNSEL ONLY Symantec V" Cdumbia
`IPRZOI 5-003 75
`
`
`Exhibit Page 2
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`iv.
`
`“compares a function call made in the emulator to a model
`of function calls for the at least a part of the program;
`and”
`
`551. My analysis for this element is generally the same as the analysis I provided
`
`for the element “comparing a fi1l'lCtlOI1 call made in the emulator to a model of fi1l'lCtlOI1 calls
`
`for the at least a part of the program” of claim 1 of the ‘115 patent.
`
`v.
`
`“identifies the function call as anomalous based on the
`
`comparison; and”
`
`552. My analysis for this element is generally the same as the analysis I provided
`
`for the element “identifying the function call as anomalous based on the comparison” of
`
`claim 1 of the ‘115 patent.
`
`vi.
`
`“upon identifying the anomalous function call, notifies an
`application community that includes a plurality of
`computers of the anomalous function call.”
`
`553. My analysis for this element is generally the same as the analysis I provided
`
`for the element “upon identifying the anomalous fimction call, notifying an application
`
`community that includes a plurality of computers of the anomalous function call” of claim 1
`
`of the ‘l 15 patent.
`
`22.
`
`‘115 Patent Claim 22
`
`554.
`
`This claim reads:
`
`22. A method for detecting anomalous program executions,
`comprising:
`
`modifying a program to include indicators of program-
`level function calls being made during execution of the
`program;
`
`comparing at least one of the indicators of program-
`level function calls made in an emulator to a model of
`
`function calls for at least a part of the program; and
`
`244
`SYMC 1017
`HIGHLY CONFIDl1Z3I2Idl“1iRiIE Ea eT3SIDE COUNSEL ONLY Symantec V" Cdumbia
`lPR20l 5-00375
`
`
`Exhibit Page 3
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`identifying a function call corresponding to the at least
`one of the indicators as anomalous based on the
`
`comparison.
`
`555.
`
`In my opinion, Symantec and its customers directly infringe this claim and its
`
`dependent claims via operation of the accused products. Customers directly infringe this
`
`claim and its dependent claims by operating the accused products. Symantec directly
`
`infringes by operating and testing MutantX on its servers, testing the accused products,
`
`running the accused products for malware detection purposes, and by consulting activities,
`
`including its Managed Security Services.
`
`i.
`
`“22. A method for detecting anomalous program
`executions, comprising:”
`
`556.
`
`I understand that Symantec has not contended that the preamble of this claim
`
`is limiting. My analysis for this claim is generally the same as the analysis I provided for
`
`the preamble of claim 1 of the ‘ 1 15 patent.
`
`ii.
`
`“modifying a program to include indicators of program-
`level function calls being made during execution of the
`program;’’
`
`557.
`
`I understand that the parties have agreed that “indicators of program-level
`
`function calls” means “indicators of which of the program’s functions are being called.”
`
`“[T]he program’s functions” applies to the function calls being made by the program,
`
`whether they are external (i.e. to an API) or internal (i.e. to a function that is compiled into
`
`the program). In my opinion, a person of ordinary skill in the art would agree that a
`
`program-level function call is not limited to an internal call.
`
`558.
`
`In paragraphs 177-185 above, which I incorporate by reference here, I
`
`reviewed the UMH system employed by SONAR. UMH modifies the programs that it
`
`emulates by injecting the UMEngx86.dll into the running process and modifying the import
`
`245
`SYMC 1017
`HIGHLY CONFID1133IzI(lF1iRiIEPa eT4SIDE COUNSEL ONLY Symantec V" Cdumbia
`IPRZOI 5-00375
`
`
`Exhibit Page 4
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`address table to allow additional function call hooks.757 This is exactly the type of
`
`modification of a program to include indicators of program-level function calls that the
`
`patent covers.758
`
`5 5 9.
`
`Similarly, in paragraphs 210-216, which I incorporate by reference here, I
`
`reviewed the RunningWater API tracing system used by MutantX. It uses similar hooking
`
`fimctionality to modify the programs to include indicators of program-level fimction calls
`
`being made during execution of the program.
`
`560.
`
`I understand that Symantec has argued that the “modification” required by
`
`this claim must involve “alter[ing] the program’s binary or source code.”759 I disagree with
`
`that interpretation. First, a person of ordinary skill in the art would not draw a distinction
`
`between the in-memory code and the on-disk code of a program in this manner. Second,
`
`Symantec’s interpretation is directly contrary to the “instrumented version” embodiment of
`
`the patent, as well as the debugger embodiment of the patent.76° By this, I do not contend
`
`that this limitation is an aspect of any particular embodiment. Instead, it is clear that
`
`multiple embodiments disclosed in the patent specification rewrote in-memory code of a
`
`program, so it would make no sense to exclude those, particularly where the plain and
`
`ordinary meaning of “modifying a program” includes modification of in-memory code.
`
`757 SEP 12.1.2 User Mode Hooking, SYMCOL00023145; BASH 7.1 UMH Design
`Document, SYMCOL00150480; Uri Mann Dep. Tr. at 3624-20; 76:19-77:14; 77: 15-18;
`77:19-78:11; 118:18-23.
`
`758 See, e.g., ‘ 1 15 patent at 1323-25 (describing an “instrumented version” of an
`application that isolates and montiors sensitive parts of a program).
`
`759 Defendant Symantec Corporation’s Claim Chart Pursuant to Dkt. 56 at 27.
`
`7“ ‘115 patent at 133-25; 1426-15.
`
`246
`SYMC 1017
`HIGHLY CONFID1133IzI'lllRiIEPa CTSSIDE COUNSEL ONLY Symantec V" Cdumbia
`IPRZOI 5-00375
`
`
`Exhibit Page 5
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`iii.
`
`“comparing at least one of the indicators of program-level
`function calls made in an emulator to a model of function
`
`calls for at least a part of the program; and”
`
`561.
`
`I incorporate my analysis of the element “comparing a fimction call made in
`
`the emulator to a model of function calls for the at least a part of the program” in claim 1 of
`
`the ‘ 1 15 patent here. The same function calls that were “made in the emulator” have
`
`associated indicators that are visible to the SONAR and MutantX infrastructure and were
`
`included in the previous claim step.
`
`iv.
`
`“identifying a function call corresponding to the at least
`one of the indicators as anomalous based on the
`
`comparison.”
`
`562. My analysis for this element is generally the same as the analysis I provided
`
`for the element “identifying the function call as anomalous based on the comparison” of
`
`claim 1 of the ‘115 patent.
`
`23.
`
`‘115 Patent Claim 23
`
`563.
`
`This claim reads: “23. The method of claim 22, fiirther comprising creating a
`
`combined model from at least two models created using different computers.”
`
`564. My analysis for this claim is generally the same as the analysis I provided for
`
`claim 2 of the ‘l 15 patent.
`
`24.
`
`‘115 Patent Claim 24
`
`565.
`
`This claim reads: “24. The method of claim 22, further comprising creating a
`
`combined model from at least two models created at different times.”
`
`566. My analysis for this claim is generally the same as the analysis I provided for
`
`claim 3 of the ‘l 15 patent.
`
`247
`SYMC 1017
`HIGHLY CONFIDllZ3I2IT1iRiIE Ea eT6SIDE COUNSEL ONLY Symantec V" Cdumbia
`IPRZOI 5-00375
`
`
`Exhibit Page 6
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`October 17, 2014
`
`®"‘§O
`
`Professor Michael Bailey
`
`Exhibit Page 7
`
`SYMC 1017
`
`Symantec V. Columbia
`IPR201 5-003 75
`
`
`Exhibit Page 7
`
`SYMC 1017
`Symantec v. Columbia
`IPR2015-00375
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
