Case 3:13-cv-00808-JRS Document 106-1 Filed 08/15/14 Page 1 of 41 PageID# 1790
IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF VIRGINIA
RICHMOND DIVISION

THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK,
Plaintiff

vs.

SYMANTEC CORPORATION,
Defendant

Civil Action No. 3:13-cv-00808-JRS

JURY TRIAL DEMANDED

DECLARATION OF PROFESSOR DOUGLAS C. SZAJDA

3109225

Exhibit Page 1

Columbia Ex. 2002
Symantec v. Columbia
IPR2015-00375

TABLE OF CONTENTS

I. Background and Qualifications
II. Legal Standards Applied
III. Subject of the Declaration and Basis for Opinions
IV. Background on Computer Security and Anti-Virus Technology
V. Person of Ordinary Skill in the Art
VI. ’544/’907 Patents
    B. Background on the Patents
    C. Creation of the Byte Sequence Feature
        ii. Bits and Bytes
        iii. Byte Sequence
        iv. Byte Sequence Feature
        v. Extracting a Byte Sequence Feature by Creating a Byte String Representative of Resources
        vi. Instructions Executed by the Central Processing Unit Are Not the Only Source for Byte Sequence Features
        vii. The Use of Hexdump to Extract a Byte Sequence Feature Is Not Required
    D. Email Interface
VII. ’084/’306 Patents
    A. Background on the ’084/’306 Patents
    B. Operating System Registry
    C. Anomaly
    D. Probabilistic Model of Normal Computer System Usage
VIII. ’115/’322 Patents
    A. Background on the ’115/’322 Patents
    B. The Use of an Emulator
    C. Application Community
    D. Use of a Model to Detect Potential Danger
    E. Once an Anomaly Is Detected, Certain Embodiments in the Patents Allow for Additional Functions to Occur
Appendix A
Appendix B

I. Background and Qualifications

1. I am a professor with tenure in the Department of Mathematics and Computer Science at the University of Richmond. I received my PhD in Mathematics and a Masters of Computer Science from the University of Virginia in 1999. I then held a post-doctoral fellowship in Computer Science at the University of Maryland Institute for Advanced Computer Studies. Exhibit A is a copy of my CV. All exhibits in my declaration are in the Declaration of Gavin Snyder (“Snyder Decl.”).

2. Several aspects of my professional life are relevant to the subject of this declaration. First, I train computer scientists in aspects of computer security directly relevant to the three families of Columbia patents that I understand are at issue in this case. I teach Computer Networks and Computer Security classes in my department. In addition, under the auspices of programs such as the National Science Foundation Cyber Trust program grant, I train computer security researchers in the laboratory. These students conduct research at the top universities and technology companies in the country, including Microsoft and Google. I also have been the coordinator of the University of Richmond’s System Security Group since 2002.

3. Second, outside of the University I have devoted a large portion of my professional life to issues of computer security. I served as General Chair of the Internet Society’s Network and Distributed System Security (“NDSS”) Symposium from 2008–2011, as an NDSS steering group member since 2007, and as a member of the conference organizing committee from 2005–2007. I have served on program committees for NDSS and the security track of the International Conference on Security Data Services. I have also reviewed papers for both the IEEE Symposium on Security and Privacy and the USENIX Security Symposium. These are some of the most prominent conferences on computer security in the world.

4. Third, the research group I lead at the University of Richmond is focused on applying the same type of technology described in the three patent families at issue in this case: using machine learning techniques based on artificial intelligence to detect whether web pages contain malicious programs (e.g., via embedded scripts or through links that cause malicious scripts to be downloaded and executed). Indeed, we have constructed a working platform that can perform real-time analysis of web pages to detect if they are hosting malicious programs. The platform has three parts: an instrumented web crawler for collecting candidate pages, an extraction unit to extract relevant features of the pages, and an analysis unit, which creates artificial intelligence models. The prototype is capable of mining virtually any data that is freely available over the Internet, and, with slight modification, can potentially perform analysis of any network transported malware.

II. Legal Standards Applied

5. Appendix A lists the legal standards I have been asked to apply in my analysis and discussion.

III. Subject of the Declaration and Basis for Opinions

6. I have been asked to provide background information on the technology in the three families of Columbia patents at issue in the case. As part of this process, I have also provided a summary of how a person of ordinary skill in the art of the patents would understand a number of the concepts that I understand are at issue in the proceedings. In preparing this declaration I have relied on my extensive experience in the field, as well as the materials referenced in this declaration and certain material listed in Appendix B.

IV. Background on Computer Security and Anti-Virus Technology

7. Computing devices have steadily increased in utility and prevalence since their introduction in the mid-20th century. The first computers were expensive, large mainframes. Personal computers were introduced in the 1970s and 1980s. Today, the frontier of computing technologies is smartphones and tablets augmented by computing done at remote locations on the Internet (cloud computing). Wearable devices, ubiquitous computing in everyday objects, and robotics are on the near horizon. It is not an exaggeration to say that the use of computing devices has become a hallmark of our modern lives.

8. However, since personal computers became widespread, a major issue with the safety and security of computing devices has been intentionally malicious programs, also known by various other names such as “viruses” or “malware.” These programs can do many different undesirable things, including damaging the devices they run on, causing programs to crash or not run properly, causing data to be lost, capturing confidential personal information (such as passwords or financial records), or enabling the device to be controlled by a remote “botmaster,” which is to say, a remote entity. These are just some examples.

9. The growth of the Internet has created additional challenges by providing a platform for malicious programs to take on additional strengths and capabilities. For example, if a malicious program takes over a device, it can duplicate itself across a network, and introduce the infection to even more devices. The growth of email communication further compounds the problem. In particular, a malicious program could be delivered as an executable email attachment. A user might receive a benign-looking email, such as an email appearing to be from a friend, with a malicious email attachment. When the user opens the attachment, the attachment attacks the user’s computer and compromises its security. Then, the malicious program replicates its code and sends out even more malicious emails with itself as an email attachment, perhaps to everyone in the user’s address book. Email attachments present an especially dangerous method of malicious program distribution because of the ease with which malware can be distributed, at low cost, to millions of potential victims.

10. The economic loss from malicious programs can be enormous, and the threat increases every year. In 2000, the ILOVEYOU virus executable directed the victim’s computer to send to his or her entire contact list the same executable that infected the original user’s computer. In this way, the virus spread to over 420,000 Internet hosts during the first day it was reported. More recently, Ukrainian hackers used a malicious program to infiltrate the retailer Target’s point-of-sale terminals in 2013 and were able to steal over 40 million credit card numbers. See Ex. B to Snyder Decl., Michael Riley, Ben Elgin, Dune Lawrence & Carol Matlack, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, Bloomberg Businessweek (Mar. 13, 2014), http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data.

11. The potential (and actual) damage from malware has fueled a growing security and anti-virus industry, as well as extensive academic research, often supported by government funding, into ways to protect computing devices. Numerous security companies offer many different types of security products to protect end user computers, servers (such as those which manage email), and other network equipment.

12. One of the major problems in computer security is how to distinguish malicious programs from benign ones. To the operating system, a malicious program is not intrinsically different from a benign program. If a program replicates itself without changing the host device in a way that would be apparent to the user, the user may not know that his or her device has been compromised. If malicious programs cannot be distinguished from benign programs, then malicious programs cannot be stopped or quarantined.

13. One method for detecting malicious programs is the use of signatures. Typically, an anti-virus analyst makes a manual identification of a malicious program. A signature identifying the virus is then created and that signature is used to detect copies of the malicious program should it appear. Typically, the signature is compared to every new file on a computing device. If the signature matches the file, the file is flagged as malicious.

14. Signatures have various shortcomings. For example, if a variant of a particular virus is developed, the old signature cannot detect the new variant. A new signature needs to be developed. In addition to being unable to detect variants of existing viruses, signatures cannot detect new threats, often called “zero-day[1] attacks,” that have never been seen before—because no signature existed for the zero-day attack. Another problem with signatures is apparent when one considers the rate at which new malicious programs are created and disseminated. The number of new malicious programs created every day has been steadily increasing. Because signatures typically rely on a human identifying a piece of code as malicious before a signature is created, the number of new viruses could overwhelm a limited staff of anti-virus analysts.

[1] The attacks are referred to as “zero day” because there are zero days to prepare for the attacks and develop a patch that would remove the vulnerability.

15. The patents at issue in this case concern a newer method of detecting a malicious program, different from signatures. This approach uses a technique called machine learning. Machine learning is a sub-field of computer science and artificial intelligence in which systems are constructed to learn from data. The first step in the machine learning process is to collect a large amount of data. From there, a machine learning algorithm[2] can be applied to the data to recognize patterns or distinguish between different types (or “classes”) of data in the collection. The system “learns” rules that it can apply to new inputs. The rules are combined and encapsulated in machine learning “models.” The process of providing the system with data and the subsequent learning is referred to as “training.” After a machine learning model has been trained, new input can be compared to the model. The system applies the rules in the model to the new input and renders a verdict on the input. For example, the system could predict that the new input is a member of a particular class of data that was observed in the training stage.

[2] For our purposes, an algorithm is a step by step procedure for data processing performed by a computer.

16. Consider a machine learning system for apples. The system starts with a set of training data: a basket of apples and oranges. By studying the example fruit in the basket, the system learns rules to effectively distinguish between apples and oranges. For example, one rule could be that oranges have orange skin. Another rule could be that apples have hard cores. With these rules in place, when the machine learning system encounters a new piece of fruit, the system can determine that the fruit is an apple.

17. The patents at issue in this case relate to the work of Professor Salvatore Stolfo and others in his Intrusion Detection Systems (“IDS”) Lab at Columbia University, as well as the work of Professor Angelos Keromytis and his students. Professors Stolfo and Keromytis are well-known in the field. I have reviewed a number of the publications from their laboratories. At the turn of the century, Professor Stolfo was applying machine learning based on artificial intelligence to computer security and malware detection. He assembled a team of graduate and undergraduate students to work in the IDS Lab on a comprehensive suite of security strategies involving the use of machine learning based on artificial intelligence techniques.

18. Professor Stolfo’s research teams then performed the work that resulted in the patents at issue in the case. As discussed in the relevant patents, one team worked on a system to detect malicious executable email attachments using a model derived from an analysis of programs. Using the model, the system could detect with high accuracy whether new programs in email attachments were malicious or not. This work served as a basis for United States Patents 7,487,544 and 7,979,907. Ex. C to Snyder Decl. (’544 patent); Ex. D to Snyder Decl. (’907 patent).

19. As discussed in the relevant patents, another team worked on understanding patterns of access to the operating system registry. The team used machine learning techniques to develop models of registry activity. The operating system registry is utilized by Windows. It consists of a hierarchical database used to store configuration information, in the form of keys and values. Programs running on Windows systems can use the registry to store their configuration information and other information necessary for the program to run. But programs may also access portions of the registry that belong to the operating system or to other programs. The team realized that patterns of registry access could indicate whether the program accessing the registry was acting in an anomalous manner, and therefore potentially malicious. The team also realized that the techniques that worked with the Windows registry could be extended to the file system of a computer. This was a basis for United States Patents 7,448,084 and 7,913,306. Ex. E to Snyder Decl. (’084 patent); Ex. F to Snyder Decl. (’306 patent).

20. The last family of patents at issue in this case, United States Patents 8,074,115 and 8,601,322, represents a combination of machine learning based on artificial intelligence technology and emulation technology that could monitor and selectively execute all or a part of a program. Ex. G to Snyder Decl. (’115 patent); Ex. H to Snyder Decl. (’322 patent). The combination of these technologies could be used to monitor a program and compare its activity to a model of activity to determine if there was an anomaly indicative of a malicious program or an attack. If an anomaly was detected, other members of an application community could be notified by the system.

V. Person of Ordinary Skill in the Art

21. I understand that claim interpretation is from the perspective of a person of ordinary skill in the art at the time of the invention. In my opinion a person of ordinary skill in the art in the three patent families would have an undergraduate degree in computer science or mathematics, and one to two years of experience in the field of computer security.[3] I believe this is an appropriate definition of ordinary skill for two reasons. First, in the academic environment, a person of this level of experience could be beginning to enter the research phase of their PhD. At this point they would be beginning to design security systems that they would then study and analyze. Second, in the commercial environment, a person with this level of experience would be part of the group making design decisions for code in security systems.

[3] For purposes of construing the meaning of the claims to a person of skill in the art, no opinion I give changes if a higher or slightly lower level of skill is assumed. This is because the concepts discussed in the patent do not have different meanings depending on the amount of experience (above a minimum) that one possesses in this space.

22. Other facts that influence my opinion include the following: although the technology at issue is complex and evolves rapidly, there are instances in which unique workers who lack a college degree have made important contributions in the field. For example, of the inventors in the three families of patents, I understand that the following were undergraduate students during at least some of their work in the IDS lab: Matthew Schultz, Manasi Bhattacharyya, Frank Apap, and Andrew Honig. In addition, I understand the following were PhD students: Eleazar Eskin, Erez Zadok, Shlomo Hershkop, and Stelios Sidiroglou-Douskos. Placing the level of ordinary skill too high would exclude some of the very individuals who invented the technology we are discussing.

23. All of my opinions about a patent family are given from the standpoint of a person of ordinary skill in the art as of the invention date of the patent family.

VI. ’544/’907 Patents

24. United States Patent Nos. 7,487,544 and 7,979,907 share a common parent application filed on July 30, 2002, based on a provisional application filed on July 30, 2001. I understand that I am to provide my opinions on the understanding of concepts by a person of ordinary skill as of the filing date of the application. No opinion I give changes if the date selected is July 2002 or July 2001.

B. Background on the Patents

25. To understand the ’544/’907 patents, it is important to have some context on the issues the inventors were facing when they did their work. The most traditional approach to preventing malicious email attachments is a signature-based approach. In a signature-based approach, the distributor of anti-virus software would first identify malicious executables, and then “create a unique tag for each malicious program” encountered. Ex. C to Snyder Decl., ’544 patent at 1:54–57. Then, when that exact tag is encountered in the future, the anti-virus software can accurately identify the file as malicious. Because even a slight change in an executable can potentially evade detection, signature-based methods “do not generalize well to detect new malicious binaries [or programs].” Id. at 1:57–59.

26. Other approaches had also been attempted, but were either highly inefficient or only applicable to certain types of executables. Id. at 1:63–66, 2:26–29.

27. The inventors recognized these shortcomings of the prior art, and recognized that a security system could be trained using data mining techniques to better recognize and prevent zero-day attacks (attacks by programs that have not been encountered before). Id. at 1:34–2:65 (Background of the Invention).

28. One example of how the inventors solved these shortcomings is disclosed in claim 1 of the ’544 patent:

    1. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:
    a. filtering said executable attachment from said email;
    b. extracting a byte sequence feature from said executable attachment; and
    c. classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious, wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment.

29. In this claim, a byte sequence feature is extracted from a potentially suspicious executable attached to an email. This byte sequence feature comprises a specific type of information: “a byte string representative of resources referenced by said executable attachment.” This concept will be discussed in detail below.

30. After a byte sequence feature is extracted, it is compared to a model created utilizing machine learning techniques: “a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.” From the comparison, the model predicts whether the executable is malicious.

31. Although I cannot address each embodiment or technique claimed by the ’544/’907 patents in this short declaration, I can discuss some fundamental concepts that are most relevant to the issues presented to the Court in the claim construction process.

C. Creation of the Byte Sequence Feature

32. As noted above, claims of the ’544/’907 patents require extracting a byte sequence feature from an executable. E.g., Ex. C to Snyder Decl., ’544 claims 1, 28; Ex. D to Snyder Decl., ’907 claims 1, 10. Some claims of the ’544/’907 patents (e.g., ’544 patent claim 1, above) contain the further limitation: “wherein the byte sequence features include a byte string representative of resources referenced by the executable attachment.”

33. First, I will give an example of how a person of ordinary skill in the art would understand this claim language works in practice and then, second, I will discuss the claim language generally from the standpoint of a person of ordinary skill in the art.

34. The patent gives as an example of resources from which a byte string can be generated “[t]he list of DLLs used by the binary.” Ex. C to Snyder Decl., ’544 patent at 6:59–61. A DLL (“Dynamic Link Library”) is a shared library of information that can be accessed by many different programs on a computer. Different DLLs allow their calling programs to do different things—for example, to send a network packet or perform advanced math. As a result, understanding what DLLs an executable uses can reveal how the executable behaves. In one example in the specification, an executable accesses GDI32.DLL, a DLL that relates to the creation of two-dimensional information on the computer screen, and WINNM.DLL, which relates to the user interface process. Id. at 7:4–11. These are examples of “resources” accessed by the executable. A string of bytes is generated which represents the fact that the executable accesses these specific resources. This is an example of information that can be present in byte sequence features extracted from an executable.

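The contrast drawn above between an exact signature and a model built over a "byte string representative of resources" can be seen in a short sketch. This is an added example, not code from the declaration or the patents: the sample files, DLL lists, class labels, the `|`-separated encoding and the choice of a naive Bayes learner are all constructed assumptions.

```python
import hashlib
import math


def sha256_hex(file_bytes):
    return hashlib.sha256(file_bytes).hexdigest()


def signature_match(file_bytes, known_digests):
    """Signature-style detection: flags only an exact copy of a known file."""
    return sha256_hex(file_bytes) in known_digests


def resource_feature(dll_names):
    """Byte string representing the set of DLLs an executable references."""
    unique = {name.strip().lower().encode("ascii") for name in dll_names}
    return b"|".join(sorted(unique))


def _tokens(feature):
    return {tok for tok in feature.split(b"|") if tok}


class ResourceModel:
    """Bernoulli naive Bayes over DLL names (the learner is an assumption)."""

    def __init__(self):
        self.vocab = set()
        self.samples = {}   # class label -> number of training samples
        self.present = {}   # class label -> {DLL token: samples containing it}

    def train(self, labelled_features):
        for label, feature in labelled_features:
            tokens = _tokens(feature)
            self.vocab |= tokens
            self.samples[label] = self.samples.get(label, 0) + 1
            counts = self.present.setdefault(label, {})
            for tok in tokens:
                counts[tok] = counts.get(tok, 0) + 1

    def _log_joint(self, label, tokens):
        n = self.samples[label]
        score = math.log(n / sum(self.samples.values()))  # class prior
        for tok in self.vocab:
            # Laplace-smoothed P(DLL referenced | class)
            p = (self.present[label].get(tok, 0) + 1) / (n + 2)
            score += math.log(p if tok in tokens else 1.0 - p)
        return score

    def probability(self, feature, label="malicious"):
        """Posterior probability that the feature belongs to `label`."""
        tokens = _tokens(feature)
        scores = {c: self._log_joint(c, tokens) for c in self.samples}
        top = max(scores.values())
        norm = sum(math.exp(s - top) for s in scores.values())
        return math.exp(scores[label] - top) / norm


# Constructed training set: the labels and DLL lists are illustrative only.
TRAINING = [
    ("benign",    ["KERNEL32.DLL", "USER32.DLL", "GDI32.DLL"]),
    ("benign",    ["KERNEL32.DLL", "USER32.DLL", "COMCTL32.DLL"]),
    ("benign",    ["KERNEL32.DLL", "GDI32.DLL", "SHELL32.DLL"]),
    ("malicious", ["KERNEL32.DLL", "WSOCK32.DLL", "ADVAPI32.DLL"]),
    ("malicious", ["KERNEL32.DLL", "WSOCK32.DLL", "MAPI32.DLL"]),
    ("malicious", ["KERNEL32.DLL", "ADVAPI32.DLL", "MAPI32.DLL"]),
]
# Constructed stand-ins for a known sample and a slightly changed variant.
KNOWN_BAD_FILE = b"constructed-sample-bytes-v1"
VARIANT_FILE = b"constructed-sample-bytes-v2"
VARIANT_DLLS = ["kernel32.dll", "wsock32.dll", "mapi32.dll", "user32.dll"]


def build_model():
    model = ResourceModel()
    model.train((label, resource_feature(dlls)) for label, dlls in TRAINING)
    return model


def demo():
    """Return (signature hit on the variant, model's P(malicious) for it)."""
    known = {sha256_hex(KNOWN_BAD_FILE)}
    model = build_model()
    return (signature_match(VARIANT_FILE, known),
            model.probability(resource_feature(VARIANT_DLLS)))


if __name__ == "__main__":
    matched, p_malicious = demo()
    print("signature match on variant:", matched)
    print("P(malicious | resource feature): %.3f" % p_malicious)
```

The variant's bytes differ from the known sample, so the exact-match signature misses it, while the model still assigns it a high probability because its referenced resources resemble those of the labelled training set.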
35. With this in mind, I can address some of the subsidiary concepts in the claim:

ii. Bits and Bytes

36. In computer science, all data can be reduced to ones and zeros. Each one or zero is called a “bit,” which is short for a “binary digit.” See Ex. I to Snyder Decl., McGraw-Hill Dictionary of Scientific and Technical Terms 246 (6th ed. 2002) (“bit [COMPUT SCI] 1. A unit of information content equal to one binary decision or the designation of one of two possible or equally likely values or states of anything used to store or convey information.”).

37. In order to represent larger amounts of information, bits are generally grouped together. A grouping of eight bits is traditionally viewed as the classic example of a byte. See id. 305 (“byte [COMPUT SCI] A sequence of adjacent binary digits operated upon as a unit in a computer and usually shorter than a word.”).

iii. Byte Sequence

38. As noted above, a “byte” is a group of eight bits. And a “byte sequence” is simply a sequence of bytes.

iv. Byte Sequence Feature

39. The patent explains that “a feature is a property or attribute of data (such as a ‘byte sequence feature’) which may take on a set of values.” Ex. C to Snyder Decl., ’544 patent at 5:61–64.

40. Taken together, a “byte sequence feature” is a feature or property of a sequence of bytes, which may take on a set of values. Some claims, such as claim 1 of the ’544 patent, also contain a subsequent limitation that specifies the information that the byte sequence feature must represent.

v. Extracting a Byte Sequence Feature by Creating a Byte String Representative of Resources

41. Claim 1 of the ’544 patent recites “extracting a byte sequence feature from said executable attachment . . . wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment.” See id. claim 1. Thus, the claimed byte sequence features will comprise “a byte string representative of resources.” This is a clear concept to a person of ordinary skill: The “a byte sequence feature” of claim 1 must include a very particular class of information: a string of bytes representative of resources referenced by the executable. The claimed “a byte sequence feature” can have other things, but it must include data on resources referenced by the executable.

vi. Instructions Executed by the Central Processing Unit Are Not the Only Source for Byte Sequence Features

42. Executable programs can contain a wide array of information. One piece of information is the instructions that are performed by a computer’s central processing unit (“CPU”). But CPU instructions are not the only thing in an executable. They are also not the only type of byte sequence features. For example, the patent teaches creating byte sequence features based on the list of DLLs used by the program, the number of different functions in those DLLs that are called by the program, and information written in plain text in portions of the program. See, e.g., id. at 6:64–7:12, 7:43–45 (“Headers in PE format are in plain text, which allows extraction of the same information from the PE executables by extracting the plain text header.”). None of these would be classically described as instructions performed by the central processing unit, but all are recognized as pa
