DECLARATION OF MICHAEL T. GOODRICH, Ph.D.
IN SUPPORT OF PETITION FOR INTER PARTES REVIEW OF
U.S. PATENT NO. 7,448,084

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

In the Inter Partes Review of:
U.S. Patent No.: 7,448,084
For: SYSTEM AND METHODS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM BY MONITORING OPERATING SYSTEM REGISTRY ACCESS

Mail Stop Patent Board
Patent Trial and Appeal Board
P.O. Box 1450
Alexandria, VA 22313-1450

SYMC 1003

I, Michael T. Goodrich, Ph.D., declare as follows:

I. INTRODUCTION

1. I have been asked by the party requesting this review, Symantec Corporation (“Petitioner”), to provide my expert opinions in support of the above-captioned petition for inter partes review of U.S. Patent No. 7,448,084 (the “’084 patent”), challenging the patentability of claims 1, 3-14, and 16-28 of the ’084 patent.

2. I currently hold the opinions set forth in this declaration.

3. In summary, it is my opinion that the references cited below anticipate and render obvious claims 1, 3-14, and 16-28 of the ’084 patent. My detailed opinions on the claims are set forth below.

II. BACKGROUND AND QUALIFICATIONS

4. I earned a Bachelor’s Degree in Mathematics and Computer Science from Calvin College in 1983. I obtained my Master’s Degree and Ph.D. in Computer Sciences from Purdue University in 1985 and 1987, respectively.

5. I currently hold the position of Chancellor’s Professor for the Department of Computer Science at the University of California, Irvine. I have been employed by the University of California, Irvine since 2001 and have spent more than two decades teaching computer science at the University of California, Irvine and previously at Johns Hopkins University.

6. My research for more than 30 years has focused generally on algorithm and data structure design, information assurance and security, and parallel and distributed computing. In 2011 I co-authored a book entitled “Introduction to Computer Security,” which was published by Addison-Wesley, Inc.

7. I am a listed inventor on three issued U.S. Patents: U.S. Patent No. 7,257,711, titled “Efficient Authenticated Dictionaries with Skip Lists and Commutative Hashing,” U.S. Patent No. 7,299,219, titled “High Refresh-Rate Retrieval of Freshly Published Content using Distributed Crawling,” and U.S. Patent No. 8,681,145, titled “Attribute Transfer Between Computer Models Including Identifying Isomorphic Regions in Polygonal Meshes.” Additionally, I have published over 100 papers and books.

8. My professional background and technical qualifications also are reflected in my Curriculum Vitae, which is attached as Exhibit 1004.

III. COMPENSATION AND RELATIONSHIP WITH PARTIES

9. I am being compensated for my time. This compensation is not contingent upon my performance, the outcome of this matter, or any issues involved in or related to this matter.

10. I have no financial interest in Petitioner or any related parties. I have been informed that The Trustees of Columbia University in the City of New York (“Columbia”) owns the ’084 patent. I have no financial interest in and have no contact with Columbia. I similarly have no financial interest in the ’084 patent and have not had any contact with any of its investors.

IV. MATERIAL CONSIDERED

11. I have reviewed and considered, in the preparation of this declaration, the ’084 patent (Ex. 1001) and the prosecution file history for the ’084 patent (Ex. 1002).

12. I have also reviewed and considered the Claim Construction Order issued by the district court in the ongoing litigation between the Petitioner and the Patentee. (The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, Oct. 7, 2014 Claim Construction Order (Dkt. No. 123), Ex. 1005). I have also reviewed the district court’s clarification of the Claim Construction Order, Ex. 1015.

13. I understand that, for purposes of determining whether a reference will qualify as prior art, the challenged claims of the ’084 patent are entitled to a priority date of no earlier than January 25, 2002.

14. I have also reviewed and understand various publications as discussed herein, including the following references:

a. Jude Shavlik et al., Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users (RAID 2001) (Ex. 1006)
b. Rebecca G. Bace, INTRUSION DETECTION (MacMillian Technical Publishing, 2000) (Ex. 1007)
c. Mark Russinovich and David Solomon, INSIDE MICROSOFT WINDOWS 2000, 3rd Ed. (Microsoft Press, 2000) (Ex. 1008)
d. Mark Russinovich and Bryce Cogswell, Examining the Windows 95 Registry, Windows Developer’s Journal, Vol. 7, No. 10 (October 1996) (Ex. 1009)
e. M. Debbabi et al., Monitoring of Malicious Activity in Software Systems, 1st Symposium on Requirements Engineering for Information Security (SREIS, March 2001) (Ex. 1010)
f. Johnathon Korba, Windows NT Attacks for the Evaluation of Intrusion Detection Systems (M.I.T. 2000) (Ex. 1011)
g. Terran Lane and Carla E. Brodley, Temporal Sequence Learning and Data Reduction for Anomaly Detection, ACM Transactions on Information and System Security, Vol. 2, No. 3 (August 1999) (Ex. 1012)
h. RAID 2001 Program, Oct. 10, 2001, Located at: https://web.archive.org/web/20011121095823/http://www.raid-symposium.org/raid2001/program.html (Ex. 1013)
i. Anup K. Ghosh, et al., Learning Program Behavior Profiles for Intrusion Detection, USENIX Proceedings of the Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, USA, (April 1999) (Ex. 1016)
j. Aaron Schwartzbard and Anup K. Ghosh, A Study in the Feasibility of Performing Host-based Anomaly Detection on Windows NT, Proceedings of the Second International Workshop on Recent Advances in Intrusion Detection, West Lafayette, Indiana, USA, (September 1999) (Ex. 1017)
k. U.S. Patent Application Publication No. 2003/0084328 by Richard P. Tarquini, et al. (Ex. 1018)
l. U.S. Patent No. 6,973,577 by Victor Kouznetsov (Ex. 1019)
m. Call For Papers – RAID 2001, Oct. 10-12, 2001, Located at: https://web.archive.org/web/20010405202911/http://www.raid-symposium.org/raid2001/CFP_RAID2001.html (Ex. 1020)
n. James D. Murray, Windows NT Event Logging (O’Reilly & Associates, 1998) (Ex. 1014)
o. Dorothy E. Denning, An Intrusion Detection Model, IEEE Transactions on Software Engineering, Vol. 13, No. 2 (February 1987) (Ex. 1021)
p. U.S. Patent Application Publication No. 10/352,342, by Andrew Honig (excerpts) (Ex. 1022)
q. Microsoft Computer Dictionary, 4th Ed. (Microsoft Press, 1999) (excerpts) (Ex. 1023)
r. Matthew V. Mahoney and Philip K. Chan, Detecting Novel Attacks by Identifying Anomalous Network Packet Headers, Technical Report CS-2001-2, Florida Institute of Technology (2001) (Ex. 1024).

15. I understand that the above references form the basis for the grounds for rejection set forth in the Petition for Inter Partes Review of the ’084 patent. Additionally, I am aware of information generally available to, and relied upon by, persons of ordinary skill in the art at the relevant times, including technical dictionaries and technical reference materials (including, for example, textbooks, manuals, technical papers, articles, and relevant technical standards); some of my statements below are expressly based on such awareness.

16. Due to procedural limitations for inter partes reviews, the grounds of invalidity discussed herein are based solely on prior patents and other printed publications. I understand that Petitioner and the other interested parties reserve all rights to assert other grounds for invalidity not addressed herein at a later time, for instance failure of the application to claim patentable subject matter under 35 U.S.C. § 101, failure to meet requirements under 35 U.S.C. § 112 (e.g., lack of written description in support of the claims) and anticipation/obviousness under 35 U.S.C. §§ 102 and 103 not based solely on patents and printed publications (e.g., evidence of prior use of combinations of elements claimed in the ’084 patent). Thus, absence of discussion of such matters here should not be interpreted as indicating that there are no such additional grounds for invalidity of the ’084 patent.

17. I reserve the right to supplement my opinions to address any information obtained, or positions taken, based on any new information that comes to light throughout this proceeding.

V. BASIS OF OPINIONS FORMED

A. Level of Ordinary Skill in the Art

18. It is my understanding that the ’084 patent is to be interpreted based on how it would be read by a person of “ordinary skill in the art” at the time of the effective filing date of the application. It is my understanding that factors such as the education level of those working in the field, the sophistication of the technology, the types of problems encountered in the art, the prior art solutions to those problems, and the speed at which innovations are made may help establish the level of skill in the art.

19. I am familiar with the technology at issue and the state of the art at the earliest priority date of the ’084 patent, January 25, 2002.

20. In my opinion, the level of ordinary skill in the art of the ʼ084 patent at the time of the effective filing date is a person with a Master’s degree in computer science or a related field with two to three years of experience in the field of software security systems. With more education, for example additional post-graduate degrees and/or study, less industry experience is needed to attain an ordinary level of skill.

21. I consider myself to have at least such ordinary skill in the art with respect to the subject matter of the ʼ084 patent at the time of the effective filing date.

22. I am not a patent attorney and my opinions are limited to what I believe a person of ordinary skill in the art would have understood the meaning of certain claim terms to be, based on the patent documents. I use the principles below, however, as a guide in formulating my opinions.

VI. LEGAL STANDARD FOR CLAIM CONSTRUCTION

23. My understanding is that a primary step in determining validity of patent claims is to properly construe the claims to determine claim scope and meaning.

24. In an inter partes review proceeding, I understand that claims are to be given their broadest reasonable construction (BRC) in light of the patent’s specification. (See 37 C.F.R. § 42.100(b).) In other forums, such as in federal courts, different standards of proof and claim interpretation control, which are not applied by the PTO for inter partes review. Accordingly, any interpretation or construction of the challenged claims in this proceeding, either implicitly or explicitly, should not be viewed as constituting, in whole or in part, Petitioner’s own interpretation or construction, except as regards to the broadest reasonable construction of the claims presented.

VII. THE ’084 PATENT

25. U.S. Patent No. 7,448,084 (the “ʼ084 patent”) (Ex. 1001) is titled, System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses. The ʼ084 patent was filed on January 27, 2003, and claims priority to U.S. Provisional Application No. 60/351,857 (the “ʼ857 Application”), titled, Behavior Based Anomaly Detection for Host-Based Systems for Detection of Intrusion in Computer Systems, and filed January 25, 2002. The named inventors of the ʼ084 patent are Frank Apap, Andrew Honig, Hershkop Shlomo, Eleazar Eskin, and Salvatore Stolfo. The ’084 patent includes 28 claims, of which claims 1 and 14 are independent. Claims 1, 3-14, and 16-28 are challenged in the Petition.

A. General Background of the Technology of the ’084 patent

26. The ’084 patent describes detecting intrusions in a computer system by identifying differences from normal computer system usage, also known as anomalies. Ex. 1001 at 4:55-64.

1. Anomaly Detection

27. The ʼ084 patent describes systems and methods that perform “anomaly detection.” See, e.g., Ex. 1001 at 4:55-64. (“The system and methods described herein incorporate a novel technique referred to herein as ‘RAD’ (Registry Anomaly Detection), which monitors the accesses to the registry, preferably in real time, and detects the actions of malicious software.”). According to the specification, “[a]nomaly detection algorithms may build models of normal behavior in order to detect behavior that deviates from normal behavior and which may correspond to an attack.” Id. at 2:34-37. These systems “do not operate by looking for malicious activity directly. Rather, they look for deviations from normal activity.” Id. at 7:47-49.

28. The specification distinguishes other systems and methods for detecting malicious software from anomaly detection. See generally Ex. 1001 at 1:54-2:32. The ʼ084 patent distinguishes “virus scanners” and “security patches.” Id. at 1:54-62 (“Two conventional approaches to respond to malicious software include virus scanners, which attempt to detect the malicious software, and security patches that are created to repair the security ‘hole’ in the operating system that the malicious software has been found to exploit.”). The specification explains, “[m]any virus scanners are signature-based, which generally means that they use byte sequences or embedded strings in software to identify certain programs as malicious,” and “[i]f a virus scanner’s signature database does not contain a signature for a malicious program, the virus scanner is unable to detect or protect against that malicious program.” Id. at 1:63-2:1. According to the specification, the disadvantage of security patches is that they “protect systems only when they have been written, distributed and applied to host systems in response to known attacks.” Id. at 2:3-7.

29. The specification also distinguishes systems that “can detect the effects or behavior of malicious software rather than distinct signatures of that software.” Ex. 1001 at 2:21-25. Such systems are known as “misuse detection” and are described in U.S. Patent Application No. 10/352,342, which is incorporated by reference into the ʼ084 patent. See Id. at 14:5-10. The ʼ342 application has three inventors in common with the ʼ084 patent.

30. The ʼ342 application describes the differences between misuse detection and anomaly detection as follows:

Misuse detection algorithms train over normal and attack data. Using this data, these algorithms build a model that can discriminate between attack records and normal records. These models can then classify new records as either attack or normal. The only major disadvantage of this type of system is that it requires labeled training data that contains labeled normal activity and labeled attacks. … The training data for misuse detection algorithms must consist of labeled normal and attack data, often making the training data for this algorithm very expensive.

Ex. 1022 at 59 (ʼ342 application at [00102]).

Anomaly detection algorithms train over normal data to create a model of normal activity. These algorithms need to train over data that contains no intrusions. The training data needed for these algorithms is expensive because it is difficult to ensure that the data contains no intrusions. This can be done by either having an expert manually clean the data, or by somehow ensuring that the data contains no intrusions to begin with. … Once an anomaly detection model is trained, it can then classify new data as normal or anomalous. These algorithms operate on the principle that attacks are behavior that is different from normal.

Id. at 60 ([00104]).

2. Monitoring Registry Accesses

31. The anomaly detection methods and systems disclosed in the ʼ084 patent are “host-based,” meaning they “monitor a host system and attempt to detect an intrusion.” Ex. 1001 at 2:22-23. According to the specification, prior-art host-based anomaly detectors usually employed a “system call approach.” Id. at 2:65-3:7.

But, “the computational overhead of monitoring all system calls is potentially very high, which may degrade the performance of a system.” Id. According to the specification, “system calls themselves are typically irregular by nature,” and “[c]onsequently, it is difficult to differentiate between normal and malicious behavior, and such difficulty to differentiate behavior may result in a high false positive rate.” Id.

32. As suggested by others, one possible focus for anomaly detection is the Windows system registry. E.g. Ex. 1006 at 3. This structure was first introduced as part of Microsoft Corporation’s Windows 3.1 operating system to centralize configuration information and obviate the need for individual *.ini files. Microsoft released Windows NT that also depended on a more robust version of the original Windows system registry. The Windows NT system registry was then incorporated into later versions of Windows, including Windows 2000. The Windows system registry is basically the same in all relevant aspects between the various Windows operating systems that were released after Windows NT. See Ex. 1023 (Microsoft Dictionary excerpts).

33. Additionally, in Windows versions running on Windows NT technology, there was the ability for the operating system itself to gather information on accesses (or attempted accesses) to the Windows system registry. “Windows NT event-logging mechanisms collect three types of system events: operating system events, security events, and application events. . . . The security log consists of events that are defined as security-relevant. . . . They include valid and invalid logins and logoffs, and events related to system resource use, especially those having to do with the creation, deletion, and alteration of system files and other objects” Ex. 1007 at 74-75. One of ordinary skill in the art would know that the Windows system registry was frequently monitored through security event logging and that the Windows system registry was itself comprised of “system files and other objects.” Specifically, registry keys are container type objects similar to folders, and registry values are non-container type objects similar to files. One of ordinary skill in the art would also know that the level of detail in Windows NT security logs was sufficient to be able to identify specific anomalous activity and the program initiating it. As is apparent from contemporary surveys of common computer intrusions taking advantage of the registry, one of ordinary skill in the art would further know that the Windows system registry would be properly defined as “security-relevant” and was routinely monitored by Windows NT security functionality. See, e.g., Ex. 1011.

Numerous academic publications discussed Registry accesses as a source of audit data for intrusion detection models before the priority date of the ʼ084 patent. One example is Korba, Windows NT Attacks for the Evaluation of Intrusion Detection Systems (2000) (“Korba”) (Ex. 1011), a thesis from the Massachusetts Institute of Technology Lincoln Lab. Ex. 1011, Abst. The purpose of the thesis was to explore how Windows NT systems could be integrated into DARPA’s 1999 Offline Intrusion Detection Evaluation, a program that “provided data training data containing no attacks for training anomaly detection systems.” Id., Abst., 88 (emphasis added). The test-bed network for the 1999 Evaluation included the addition of three Windows NT systems. Id. at Abstract. Korba explains that “[e]verything is viewed as an object by the Windows NT operating system (files, drives, memory, etc.),” and that “[b]y enabling base object auditing, low-level activities, such as memory requests by a process, are recorded by the logging service.” Id. at 23. Korba recognizes that auditing registry accesses was not a default setting in the 1999 DARPA Evaluation, but he expressly teaches enabling registry auditing to capture “Extended Host Data.” Id. at 34-35. One example of the Extended Host Data allows for specific auditing of registry keys for write accesses:

Id. at 54-55; Fig. 7-4.

34. As shown in Figure 7-4 above, the audited registry accesses gather features of processes that access the operating system registry, including process ID, process name, type of query, key, value, and access privileges. Ex. 1011 at 54-55; see also id. at 59; Fig. 7-6. Korba concludes that auditing registry accesses leads to “a better chance of detecting Windows NT attacks.” Id. at 92. He further recommends “a more extensive Windows NT auditing policy” that includes “important Registry keys and important files on the system.” Id. And while Korba recognizes that too much auditing can affect system performance, the thesis suggests conducting experiments to find the right balance between useful information and system performance. Id.

35. As I discuss in more detail below, during prosecution of the ʼ084 patent, the Patent Examiner cited Korba as “directed to a method for evaluating intrusion detection systems in a Windows environment” that “teaches [] the step of gathering features from records of normal processes that access the Windows registry.” Ex. 1002 at 197. The Examiner further concluded that it would have been obvious to a person of ordinary skill in the art at the time of the invention to collect information disclosed in Korba for the purpose of constructing a Bayesian probabilistic intrusion detection model as disclosed in Chong. Id. In response, Columbia did not dispute the Examiner’s characterization, but instead argued that it was not compatible with the cited Chong reference. See id. at 179-85. The Examiner disagreed and maintained his rejection based on the combination of Chong and Korba. See id. at 145-47. The pending claims issued without Columbia ever refuting the Examiner’s characterization of Korba.

36. I agree with the Examiner’s characterization of Korba, and I agree with the Examiner’s conclusion that it would have been obvious to gather registry data as disclosed in Korba for the purpose of constructing intrusion detection models, such as those disclosed in Bace, Ghosh, and Denning.

37. The system and method described in the specification are claimed to be different from other systems because they use data obtained from monitoring registry accesses with anomaly detection. See Ex. 1001 at 5:2-4 (“The novel technique includes building a sensor, e.g., registry auditing module, on the registry and applying the information gathered by this sensor to an anomaly detector.”). The specification explains, “[s]everal advantages of monitoring the registry include the fact that registry activity is regular by nature, that the registry can be monitored with low computational overhead, and that almost all system activities query the registry.” Id. at 5:6-9.

38. The specification defines a “registry auditing module” that monitors registry accesses. See Ex. 1001 at 13:28-32. The registry auditing module is implemented as a “Basic Auditing Module (BAM),” an architecture that the specification describes as “known in the art.” Id. at 13:30-34. The registry auditing module gathers information on registry reads and writes, including five specific features of each access: Process Name, Query, Key, Response, and Result Value. See id. at 8:22-45.

39. To capture these features, the registry auditing module uses a well-known programming construct called hooks. Ex. 1001 at 13:46-52 (“Win32 hooks [] tap into the registry and log all reads and writes to the registry.”). The registry auditing module “uses an architecture substantially identical to SysInternal’s Regmon” and “extracts a subset of data available to Regmon.” Id. As I discuss below, Regmon and the related program Filemon were open-source registry and file-system monitoring tools available before the alleged invention date of the ʼ084 patent.

3. Model Generation

40. Data obtained from monitoring accesses to the registry is used to generate a model of normal computer system usage. Ex. 1001 at 13:66-14:1. The specification discloses two different algorithms for constructing the model of normal computer system usage, both of which are described as “probabilistic.” Id. at 14:1-3; see also id. at 10:1-11.

41. The first algorithm computes a density estimation over the features. See Ex. 1001 at 10:12-31 (“If a density function p(x) can be estimated over the normal data, anomalies are defined as data elements that occur with low probability.”). The specification explains that “[s]ince probability density estimation is a very complex problem over sparse data, the method of the present invention defines a set of consistency checks over the normal data for determining which records from a sparse data set are anomalous. If the record fails any consistency check, the record is labeled as anomalous.” Id. at 10:25-31. The consistency checks rely on calculating two different likelihoods: (1) the likelihood of observing a particular “element,” and (2) the likelihood of observing a previously unseen element. See id. at 11:15-67. The specification defines the term “element” as a “feature value” or a “vector of feature values.” See id. at 11:34-36. The specification provides equations for computing these likelihoods, reproduced below:

Id. at 11:37-53.

42. According to the specification, “[t]he prediction of the above probability estimator is derived using a mixture of Dirichlet estimators, as are known in the art.” The specification cites Friedman & Singer, Efficient Bayesian Parameter Estimation in Large Discrete Domains, in Advances in Neural Information Processing Systems 11, MIT Press (1999). Additionally, “the algorithm labels every registry access as either normal or anomalous.” Ex. 1001 at 12:26-35.

43. The second algorithm for computing the model of normal computer system usage is based on the work of Mahoney & Chan, Detecting Novel Attacks by Identifying Anomalous Network Packet Headers, Technical Report CS-2001-2, Florida Institute of Technology (2001). Under this algorithm, “as the data is being collected, several important statistics are collected about each feature and the values that occur for each feature.” Ex. 1001 at 12:49-51, see also Ex. 1024. This algorithm also computes the likelihood of observing a previously unseen feature value:

During training, for each of the features, all of the distinct observed values of the feature are stored, as well as the number of distinct observed values r. The total number of training records n is computed. For each feature, the algorithm computes p=r/n, which is an approximation of the probability of observing an unseen value for that feature in the normal data.

Id. at 12:63-13:1.

44. According to the specification, the purpose of computing p = r/n is as follows:

If many distinct values for a feature have been previously observed, i.e., a high value for r, and subsequently a never-observed value is encountered, such new value would be expected and considered normal. In contrast, if only a few distinct values have been observed, i.e., a low value for r, the observation of a new value is unlikely and possibly anomalous.

Ex. 1001 at 12:54-60.

45. The specification explains that feature values are likely to be observed that were not seen during training of the model. Borrowing a concept from Mahoney & Chan, the inventors attempted to estimate how likely it would be to come across a previously unseen feature value. For example, imagine a feature that represents the date, i.e., month/day/year. As time progresses, many different values will be seen for this feature, and so seeing a new value should not be surprising at all; the likelihood of observing a new value for the feature would be high. Conversely, suppose a particular feature has always had a particular value, and only that value has been seen tens of thousands of times. For example, for a feature that represents the date of Christmas day, there would be only one value for that feature: December 25th. Therefore, seeing a different value would be very surprising. In this case, the likelihood of observing a new value for the feature would be low.

46. According to the specification, the likelihood of observing an unseen event is useful for anomaly detection systems:

For anomaly detection, it is often desirable to take into account how likely it is to observe a previously unobserved element. Thus, if many different elements have been seen in the training data, it is therefore more likely to see additional, unobserved elements, as opposed to the case where very few elements have been seen, in which additional, unobserved elements would be unlikely.

Ex. 1001 at 11:28-34.

47. After the model is trained, “new registry accesses can be evaluated and a score computed to determine whether or not the registry accesses are abnormal.” Ex. 1001 at 13:12-14. The scoring process includes the following steps:

• For a new registry access, we first extract the features for the registry access.
• For each of these features, a check is performed to see if the value of the feature has been observed for the feature.
• If the value has not been observed, a heuristic score is computed which determines the level of anomaly for that feature.
• The score is determined as 1/p for each feature. Intuitively this score will be higher for features where fewer distinct values have been observed.
• The final score for a registry access is the sum of the scores for each feature that observed a previously unobserved value.
• If this value is greater than a threshold, we label the registry access anomalous and declare the process that generated it as malicious.

Id. at 13:14-26.

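The training step of paragraph 43 (p = r/n per feature) and the scoring steps listed above, carried through in Python as an added illustration; this is not code from the ’084 patent or the RAD system, and the five feature names, the registry access records and the threshold value are constructed for the example.

```python
from typing import Dict, Iterable, List, Set

# The five features the specification names for each registry access
# (Process Name, Query, Key, Response, Result Value); labels are ours.
FEATURES = ("process", "query", "key", "response", "result")
Record = Dict[str, str]


class UnseenValueModel:
    """Second model of the '084 patent (Mahoney & Chan style): per feature,
    the set of distinct values seen in normal training data, and p = r/n."""

    def __init__(self) -> None:
        self.n = 0                                   # total training records
        self.observed: Dict[str, Set[str]] = {f: set() for f in FEATURES}

    def train(self, records: Iterable[Record]) -> None:
        for rec in records:
            self.n += 1
            for f in FEATURES:
                self.observed[f].add(rec[f])

    def p_unseen(self, feature: str) -> float:
        # p = r / n approximates the probability of meeting a never-seen value:
        # many distinct values (high r) make a new one expected, few make it rare.
        if self.n == 0:
            raise ValueError("model has not been trained")
        return len(self.observed[feature]) / self.n

    def score(self, rec: Record) -> float:
        # Each feature whose value was never observed contributes 1/p; the
        # score of the access is the sum over such features.
        total = 0.0
        for f in FEATURES:
            if rec[f] not in self.observed[f]:
                total += 1.0 / self.p_unseen(f)
        return total

    def is_anomalous(self, rec: Record, threshold: float) -> bool:
        # Above the threshold the access is labelled anomalous (and, in the
        # patent's terms, the originating process malicious).
        return self.score(rec) > threshold


def rec(process: str, query: str, key: str, response: str, result: str) -> Record:
    return dict(zip(FEATURES, (process, query, key, response, result)))


# Constructed "normal" registry accesses; not data from any exhibit.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WORD_KEY = r"HKCU\Software\Microsoft\Office\10.0\Word"
TRAINING: List[Record] = [
    rec("explorer.exe", "QueryValue", RUN_KEY, "SUCCESS", "ctfmon.exe"),
    rec("explorer.exe", "QueryValue",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "SUCCESS", "1"),
    rec("winword.exe", "OpenKey", WORD_KEY, "SUCCESS", ""),
    rec("winword.exe", "QueryValue", WORD_KEY, "SUCCESS", r"C:\Docs"),
    rec("explorer.exe", "QueryValue", RUN_KEY, "SUCCESS", "ctfmon.exe"),
    rec("svchost.exe", "QueryValue", r"HKLM\System\CurrentControlSet\Services\Tcpip", "SUCCESS", "1"),
]
THRESHOLD = 5.0   # constructed; the specification gives no value


def build_model() -> UnseenValueModel:
    model = UnseenValueModel()
    model.train(TRAINING)
    return model


def score_examples() -> Dict[str, float]:
    """Scores for four constructed test accesses. With n = 6 the per-feature
    1/p values are process 2, query 3, key 1.5, response 6, result 1.5, so an
    unseen value of the least varied feature (response) weighs the most."""
    model = build_model()
    tests = {
        "normal_repeat": rec("explorer.exe", "QueryValue", RUN_KEY, "SUCCESS", "ctfmon.exe"),
        "new_key_only": rec("explorer.exe", "QueryValue", r"HKCU\Software\Example", "SUCCESS", "1"),
        "new_response": rec("winword.exe", "QueryValue", WORD_KEY, "NOTFOUND", ""),
        "new_proc_write": rec("unknown.exe", "SetValue", RUN_KEY, "SUCCESS", r"C:\unknown.exe"),
    }
    return {name: model.score(r) for name, r in tests.items()}


if __name__ == "__main__":
    for name, s in score_examples().items():
        print(f"{name:15s} score={s:4.1f} anomalous={s > THRESHOLD}")
```
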
48. One of ordinary skill in the art would have also understood that general statistical and probabilistic concepts could be used to represent the determinations described in the two algorithms disclosed in the specification. For example, the same concept could be represented using confidence intervals. A confidence interval is a range of possible values from a certain number of standard deviations below the mean to the same number of standard deviations above the mean. “This confidence interval is defined as d standard deviations from the mean for some parameter d.” Ex. 1007 at 122. Generally, confidence intervals are constructed such that, statistically, some percentage of possible observable values would be expected to fall within the interval. A much smaller percentage of possible observable values would be expected to fall outside the interval, indicating a possible outlier or anomaly to the data set represented by the confidence interval. “A new behavior observation is defined to be abnormal if it falls outside a confidence interval.” Id.

49. Thus, the mean-and-standard-deviation model gives a precise mathematical disclosure of the limitation “determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes.” For example, suppose an event is defined by the number of failed reads of a protected system file during a 10-minute time window, and during the gathering of features of normal processes that access the file