Case: 15-1146 Document: 20 Page: 1 Filed: 01/20/2015
`
`No. 2015-1146
`
`
`
`IN THE
`United States Court of Appeals
`FOR THE FEDERAL CIRCUIT
`________________
`
`THE TRUSTEES OF COLUMBIA UNIVERSITY
`IN THE CITY OF NEW YORK,
`
` Plaintiff-Appellant,
`v.
`
`SYMANTEC CORPORATION,
` Defendant-Appellee.
`
`APPEAL FROM THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF VIRGINIA
`IN No. 3:13-cv-00808-JRS, SENIOR JUDGE JAMES R. SPENCER
`
`
`
`BRIEF OF PLAINTIFF-APPELLANT
`THE TRUSTEES OF COLUMBIA UNIVERSITY
`IN THE CITY OF NEW YORK
`
`
`
`
`DAVID I. GINDLER
`JASON G. SHEASBY
` RICHARD M. BIRNHOLZ
`JOSEPH M. LIPNER
`GAVIN SNYDER
`
` IRELL & MANELLA LLP
` 1800 Avenue of the Stars, Suite 900
` Los Angeles, California 90067
` (310) 277-1010
` Attorneys for Plaintiff-Appellant
`
`January 20, 2015
`
`Lawyers Brief Service • Appellate Brief Printers • (213) 613-1013 • (626) 744-2988
`
`
`
`
`
`
`Exhibit Page 1
`
`Columbia Ex. 2011-1
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 2 Filed: 01/20/2015
`
`
`
`CERTIFICATE OF INTEREST
`
`Counsel for Plaintiff-Appellant The Trustees of Columbia University in the
`
`City of New York certifies the following:
`
`1.
`
`
`
`2.
`
`The full name of every party or amicus represented by us is:
`
`The Trustees of Columbia University in the City of New York.
`
`The names of all real parties in interest (if the party named in the
`
`caption is not the real party in interest) represented by us are:
`
`
`
`3.
`
`Not applicable.
`
`All parent corporations and any publicly held companies that own
`
`10% or more of the stock of the party or amicus curiae represented by us are:
`
`
`
`
`
`4.
`
`None.
`
`The names of all law firms and the partners or associates that have
`
`appeared for the party or amicus now represented by us in the trial court or agency
`
`or are expected to appear in this court are:
`
`
`
`From Irell & Manella LLP: David I. Gindler, Jason G. Sheasby,
`
`Richard M. Birnholz, Joseph M. Lipner, Michael H. Strub, Jr., Gavin Snyder, C.
`
`Maclain Wells, Thomas C. Werner, Xinlin Li (no longer with firm), and Douglas
`
`A. Fretty (no longer with firm).
`
`
`
`
`- ii -
`
`
`
`
`Exhibit Page 2
`
`Columbia Ex. 2011-2
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 3 Filed: 01/20/2015
`
`
`
`From Spotts Fain, P.C.: Dana D. McDaniel and John M. Erbach.
`
`
`
`
`
`Dated: January 20, 2015
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` /s/ David I. Gindler
`
`David I. Gindler
` Counsel for Plaintiff-Appellant
`
`The Trustees of Columbia University
`
`in the City of New York
`
`
`
`
`- iii -
`
`
`
`
`Exhibit Page 3
`
`Columbia Ex. 2011-3
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 4 Filed: 01/20/2015
`
`
`
`TABLE OF CONTENTS
`
`PRELIMINARY STATEMENT ............................................................................ 1 
`
`JURISDICTIONAL STATEMENT ....................................................................... 4 
`
`STATEMENT OF THE ISSUES............................................................................ 5 
`
`STATEMENT OF THE CASE ............................................................................... 6 
`
`I. 
`
`II. 
`
`The Parties ......................................................................................... 6 
`
`The Asserted Patents .......................................................................... 7 
`
`A. 
`
`B. 
`
`C. 
`
`D. 
`
`Background .............................................................................. 7 
`
`The ’544 and ’907 Patents ....................................................... 9 
`
`The ’115 and ’322 Patents ..................................................... 12 
`
`The ’084 and ’306 Patents ..................................................... 14 
`
`III. 
`
`The District Court Proceedings ....................................................... 16 
`
`A. 
`
`B. 
`
`C. 
`
`The District Court’s Claim Construction ............................... 16 
`
`Columbia’s Motion for Clarification ..................................... 17 
`
`The Stipulated Final Judgment .............................................. 18 
`
`SUMMARY OF ARGUMENT ............................................................................ 20 
`
`ARGUMENT ........................................................................................................ 24 
`
`Standard of Review .......................................................................... 24 
`
`Claims Are Given Their Ordinary Meaning Absent
`Lexicography or Express Disavowal of Claim Scope ..................... 25 
`
`The District Court Erred in Construing the ’544 and ’907
`Patents .............................................................................................. 29 
`
`A. 
`
`The District Court Incorrectly Limited “Byte Sequence
`Feature” to an Exemplary Embodiment ................................. 29 
`
`- iv -
`
`
`
`I. 
`
`II. 
`
`III. 
`
`
`
`
`
`Exhibit Page 4
`
`Columbia Ex. 2011-4
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 5 Filed: 01/20/2015
`
`
`
`1. 
`
`2. 
`
`3. 
`
`“Byte Sequence Features” Are Not Limited to
`“Machine Code Instructions” ...................................... 31 
`
`There Is No Lexicography or Disavowal of
`Claim Scope that Justifies Importing a
`“Machine Code Instructions” Limitation .................... 35 
`
`The Prosecution History Does Not Limit the
`Scope of Byte Sequence Features to “Machine
`Code Instructions” ....................................................... 39 
`
`B. 
`
`The District Court Erred in Holding Claims 1 and 16
`of the ’544 Patent Invalid Under Section 112 ¶ 2 .................. 42 
`
`1. 
`
`2. 
`
`The District Court’s Incorrect Byte Sequence
`Feature Construction Led to the Incorrect
`Invalidity Ruling .......................................................... 43 
`
`The Claims Are Not Directed to Mutually
`Exclusive Embodiments .............................................. 44 
`
`IV.  The District Court Erred in Construing the ’115 and ’322
`Patents .............................................................................................. 47 
`
`A. 
`
`B. 
`
`The District Court Incorrectly Relied on an Unrelated
`Patent Family in Construing “Anomalous” ........................... 48 
`
`The Term “Anomalous” Does Not Include a Negative
`Limitation Preventing Analysis of Anything Other
`Than “Attack-Free” Data ....................................................... 49 
`
`1. 
`
`2. 
`
`3. 
`
`The Claims Confirm That the Model Need Not
`Be Generated Only With Attack-Free Data ................. 50 
`
`The Specification Does Not Require Models
`Built Only With Attack-Free Data .............................. 51 
`
`The Prosecution History Describes Models Built
`Using Attack Data........................................................ 53 
`
`V. 
`
`The District Court Erred in Construing the ’084 and ’306
`Patents .............................................................................................. 55 
`
`
`
`
`- v -
`
`
`
`
`Exhibit Page 5
`
`Columbia Ex. 2011-5
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 6 Filed: 01/20/2015
`
`
`
`A. 
`
`The District Court Incorrectly Narrowed the Claimed
`“Probabilistic Model of Normal Computer System
`Usage” .................................................................................... 56 
`
`1. 
`
`2. 
`
`3. 
`
`The Claims Do Not Require a Model Generated
`With Only “Attack Free” Data .................................... 56 
`
`The Specification Does Not Support the District
`Court’s Construction .................................................... 57 
`
`The Prosecution History Contains No
`Disclaimer and Does Not Support the District
`Court’s Construction .................................................... 62 
`
`B. 
`
`The District Court Incorrectly Construed “Anomaly”
`and “Anomalous,” Which Should Have Received
`Their Plain Meaning .............................................................. 63 
`
`CONCLUSION ..................................................................................................... 64 
`
`ADDENDUM
`
`PROOF OF SERVICE
`
`CERTIFICATE OF COMPLIANCE
`
`
`
`
`- vi -
`
`
`
`
`Exhibit Page 6
`
`Columbia Ex. 2011-6
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 7 Filed: 01/20/2015
`
`
`
`TABLE OF AUTHORITIES
`
`Cases 
`Abbott Labs. v. Dey, L.P.,
`287 F.3d 1097 (Fed. Cir. 2002) .............................................................. 48
`
`AIA Eng’g Ltd. V. Magotteaux Int’l S/A,
`657 F. 3d 1264 (Fed. Cir. 2011) ............................................................. 44
`
`Alcon Research, Ltd. v. Apotex Inc.,
`687 F.3d 1362 (Fed. Cir. 2012) .............................................................. 50
`
`Allen Eng’g Corp. v. Bartell Indus., Inc.,
`299 F.3d 1336 (Fed. Cir. 2002). ........................................... 17, 43, 44, 45
`
`Ancora Techs., Inc. v. Apple, Inc.,
`744 F.3d 732 (Fed. Cir. 2014) .......................................................... 37, 47
`
`Azure Networks, LLC v. CSR PLC,
`771 F.3d 1336 (Fed. Cir. 2014) .................................................. 26, 27, 38
`
`Cordis Corp. v. Boston Sci. Corp.,
`561 F.3d 1319 (Fed. Cir. 2009) .............................................................. 41
`
`e.Digital Corp. v. Futurewei Techs., Inc.,
`772 F.3d 723 (Fed. Cir. 2014) ................................................................ 48
`
`Elkay Mfg. Co. v. Ebco Mfg. Co.,
`192 F.3d 973 (Fed. Cir. 1999) ................................................................ 48
`
`GE Lighting Solutions, LLC. v. Agilight, Inc.,
`750 F.3d 1304 (Fed. Cir. 2014) ............................................ 27, 38, 44, 51
`
`Hill-Rom Servs., Inc. v. Stryker Corp.,
`755 F.3d 1367 (Fed. Cir. 2014) ............................................ 26, 27, 35, 41
`
`Home Diagnostics, Inc. v. LifeScan, Inc.,
`381 F.3d 1352 (Fed. Cir. 2004) .............................................................. 28
`
`Innogenetics N.V. v. Abbott Labs.,
`512 F.3d 1363 (Fed. Cir. 2008) .............................................................. 28
`
`
`
`
`- vii -
`
`
`
`
`Exhibit Page 7
`
`Columbia Ex. 2011-7
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 8 Filed: 01/20/2015
`
`
`
`Liebel-Flarsheim Co. v. Medrad, Inc.,
`358 F.3d 898 (Fed. Cir. 2004) ................................................................ 28
`
`Micro Chem., Inc. v. Great Plains Chem. Co., Inc.,
`194 F.3d 1250 (Fed. Cir. 1999) .............................................................. 63
`
`Microsoft Corp. v. i4i Ltd. P’ship,
`131 S. Ct. 2238 (2011) ............................................................................ 25
`
`Oatey Co. v. IPS Corp.,
`514 F.3d 1271 (Fed. Cir. 2008) .............................................................. 25
`
`Omega Eng’g v. Raytek Corp.,
`334 F.3d 1314 (Fed. Cir. 2003) .............................................................. 57
`
`Phillips v. AWH Corp.,
`415 F.3d 1303 (Fed. Cir. 2005) ....................................................... passim
`
`PSN Illinois, LLC v. Ivoclar Vivadent, Inc.,
`525 F.3d 1159 (Fed. Cir. 2008) .............................................................. 34
`
`Renishaw PLC v. Marposs Societa’ per Azioni,
`158 F.3d 1243 (Fed. Cir. 1998) .............................................................. 31
`
`Rexnord Corp. v. Laitram Corp.,
`274 F.3d 1336 (Fed. Cir. 2001) .............................................................. 34
`
`SciMed Life Sys., Inc. v. Advanced Cardiovascular Sys., Inc.,
`242 F.3d 1337 (Fed. Cir. 2001) .............................................................. 27
`
`Solomon v. Kimberly-Clark Corp.,
`216 F.3d 1372 (Fed. Cir. 2000) ........................................................ 25, 44
`
`Sun. Pharm. Indus., Ltd. v. Eli Lilly & Co.,
`611 F.3d 1381 (Fed. Cir. 2010) .............................................................. 41
`
`SunRace Roots Enters. Co., Ltd. v. SRAM Corp.,
`336 F.3d 1298 (Fed. Cir. 2003) .............................................................. 38
`
`Sun-Tiger, Inc. v. Scientific Research Funding Group,
`189 F.3d 1327 (Fed. Cir. 1999) .............................................................. 57
`
`
`
`
`- viii -
`
`
`
`
`Exhibit Page 8
`
`Columbia Ex. 2011-8
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 9 Filed: 01/20/2015
`
`
`
`Talbert Fuel Sys. Patents Co. v. Unocal Corp.,
`275 F.3d 1371 (Fed. Cir. 2002) .............................................................. 44
`
`Teleflex, Inc. v. Ficosa N. Am. Corp.,
`299 F.3d 1313 (Fed. Cir. 2002) .............................................................. 57
`
`Teva Pharms. USA, Inc. v. Sandoz, Inc.,
`574 U.S. __ (Jan. 20, 2015) .................................................................... 24
`
`Thorner v. Sony Computer Entm’t Am. LLC,
`669 F.3d 1362 (Fed. Cir. 2012) .............................................................. 27
`
`Williamson v. Citrix Online LLC,
`770 F.3d 1371 (Fed. Cir. 2014) .............................................................. 38
`
`Statutes 
`28 U.S.C. § 1295(a)(1) ........................................................................................ 4
`
`28 U.S.C. § 1338(a) ............................................................................................ 4
`
`28 U.S.C. § 2107(a) ............................................................................................ 4
`
`35 U.S.C. § 112 ¶ 2 ....................................................................................... 2, 44
`
`35 U.S.C. § 282 ................................................................................................. 25
`
`Rules 
`Fed. R. App. P. 4(a) ............................................................................................ 4
`
`Fed. R. Civ. P. 54(b) ................................................................................. 3, 4, 19
`
`
`
`
`
`
`- ix -
`
`
`
`
`Exhibit Page 9
`
`Columbia Ex. 2011-9
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 10 Filed: 01/20/2015
`
`
`
`STATEMENT OF RELATED CASES
`
`No other appeal in or from this same civil action was previously before this
`
`court or any other court of appeals. No other cases are pending between the same
`
`parties and there are no known or pending cases that will directly affect or be
`
`directly affected by this court’s decision in this matter.
`
`
`
`
`
`
`- x -
`
`
`
`
`Exhibit Page 10
`
`Columbia Ex. 2011-10
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 11 Filed: 01/20/2015
`
`
`
`PRELIMINARY STATEMENT
`
`This appeal concerns claim constructions that violate this Court’s rules of
`
`claim interpretation. A construction may not import limitations restricting claims
`
`to particular embodiments or examples. Claims are presumed to have their full
`
`scope. This presumption is only overcome by a clear definition or words of
`
`manifest exclusion or restriction disavowing claim scope. Without finding any
`
`definition or disclaimer, the District Court strayed from these core principles and
`
`issued a two-page claim construction order that limits the claims to specific
`
`embodiments and examples from the specification.
`
`This litigation involves six Columbia patents from three distinct families
`
`relating to important advances in computer security. The patents describe novel
`
`ways to use machine learning to detect previously unknown viruses and malicious
`
`computer intrusions, often called “zero day” attacks. Each patent family describes
`
`using models of program behavior to diagnose programs as malicious or benign.
`
`The patents explain how these models of program behavior may be created using
`
`different types of ingredients.
`
`The first patent family, U.S. Patent Nos. 7,487,544 and 7,979,907, describes,
`
`among other things, extracting “byte sequence features” from executable email
`
`attachments to determine whether they are malicious. The District Court
`
`incorrectly construed the term “byte sequence feature” to be limited to only “a
`
`
`
`
`
`- 1 -
`
`
`
`
`Exhibit Page 11
`
`Columbia Ex. 2011-11
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 12 Filed: 01/20/2015
`
`
`
`representation of machine code instructions,” even though the specification
`
`expressly discloses byte sequence features that are not representations of machine
`
`code instructions. Using this faulty construction, the District Court compounded
`
`the error by holding claims 1 and 16 of the ’544 patent indefinite under section 112
`
`¶ 2 on the grounds that they cover mutually exclusive embodiments. This holding
`
`is incorrect—the claims track the express teaching of the specification.
`
`The second family, U.S. Patent Nos. 8,074,115 and 8,601,322, teaches ways
`
`to determine if a program is “anomalous” by using machine learning to create
`
`models of function calls that programs make when they run. The meaning of
`
`“anomalous” in these patents is “behavior that deviates from normal and may
`
`correspond to an attack.” The District Court departed from this plain meaning in
`
`the intrinsic record, incorrectly reading the term “anomalous” to require a
`
`deviation from a “model of typical, attack free computer system usage” created
`
`with only “attack free” data. There is no justification for importing only “attack
`
`free” data or other restrictions into the claims. Indeed, rather than exclude the use
`
`of attack data in the model, the specification, the claims as filed, and the claims as
`
`issued all specify using attack data when creating the model. Moreover, in
`
`explaining this aspect of its construction, the District Court did not cite the ’115
`
`and ’322 patents, but instead only referred to the unrelated third family in the case.
`
`
`
`
`
`- 2 -
`
`
`
`
`Exhibit Page 12
`
`Columbia Ex. 2011-12
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 13 Filed: 01/20/2015
`
`
`
`Applying a construction from one patent family to another is contrary to the well-
`
`settled principle that claims of unrelated patents are construed separately.
`
`The third patent family at issue, U.S. Patent Nos. 7,448,084 and 7,913,306,
`
`describes how modeling activity on particular locations in a computer system – the
`
`Windows registry and file system – can improve detection of anomalous program
`
`behavior reflecting an intrusion. The District Court again improperly read in
`
`extraneous, negative
`
`limitations
`
`to
`
`the
`
`terms “anomaly/anomalous” and
`
`“probabilistic model of normal computer system usage,” requiring a model created
`
`using only “attack free” data. The claim language is not so limited and the
`
`specification teaches otherwise.
`
`In order to redress promptly these incorrect claim constructions, Columbia
`
`stipulated to judgment of non-infringement under Rule 54(b). The District Court’s
`
`claim constructions are incorrect and should be reversed. The corresponding
`
`judgment should be vacated and the case remanded so it can proceed under proper
`
`claim constructions.
`
`
`
`
`
`- 3 -
`
`
`
`
`Exhibit Page 13
`
`Columbia Ex. 2011-13
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 14 Filed: 01/20/2015
`
`
`
`JURISDICTIONAL STATEMENT
`
`The U.S. District Court for the Eastern District of Virginia had subject
`
`matter jurisdiction over this action pursuant to 28 U.S.C. § 1338(a).
`
`On November 4, 2014, the District Court entered a Final Judgment Pursuant
`
`to Rule 54(b) of the Federal Rules of Civil Procedure pursuant to the parties’
`
`stipulation of non-infringement based on the District Court’s claim constructions
`
`and ruling that certain claims of the ’544 patent were invalid as indefinite. A1-8.
`
`On November 10, 2014, Columbia timely filed its Notice of Appeal in
`
`accordance with 28 U.S.C. § 2107(a) and Rule 4(a) of the Federal Rules of
`
`Appellate Procedure. A314-16.
`
`This Court has jurisdiction over this appeal pursuant to 28 U.S.C. §
`
`1295(a)(1).
`
`
`
`
`
`
`
`- 4 -
`
`
`
`
`Exhibit Page 14
`
`Columbia Ex. 2011-14
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 15 Filed: 01/20/2015
`
`
`
`STATEMENT OF THE ISSUES
`
`1. Whether the judgment of non-infringement of the ’544 and ’907
`
`patents must be vacated because the District Court erred in limiting “byte sequence
`
`feature” to a “representation of machine code instructions,” when no lexicography
`
`or disavowal restricts claim scope.
`
`2. Whether the judgment of indefiniteness of claims 1 and 16 of the ’544
`
`patent must be vacated because the District Court erred in concluding that the
`
`claim terms “byte sequence feature” and “byte string representative of resources”
`
`are directed to separate and mutually exclusive embodiments.
`
`3. Whether the judgment of non-infringement of the ’115 and ’322
`
`patents must be vacated because the District Court erred in construing
`
`“anomaly/anomalous” to require “deviation/deviating from a model” generated
`
`with only “typical, attack-free data” and, when doing so, relied on the disclosure of
`
`a different patent family.
`
`4. Whether the judgment of non-infringement of the ’084 and ’306
`
`patents must be vacated because the District Court erred in construing
`
`“probabilistic model of normal computer system usage” and “anomaly/anomalous”
`
`by imposing a negative limitation requiring a model generated with only “typical,
`
`attack-free data.”
`
`
`
`
`
`- 5 -
`
`
`
`
`Exhibit Page 15
`
`Columbia Ex. 2011-15
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 16 Filed: 01/20/2015
`
`
`
`I.
`
`THE PARTIES
`
`STATEMENT OF THE CASE
`
`Columbia is a leading university and research institution. The next
`
`generation computer security techniques at issue in this case were developed at
`
`Columbia’s School of Engineering and Applied Sciences, which includes the
`
`Department of Computer Science—a department dedicated to training future
`
`leaders to solve important security challenges. A194-95. Symantec is based in
`
`Mountain View, California and sells popular computer security products and
`
`services, including “Norton” antivirus software. A195.
`
`Columbia brought this action in December 2013 alleging that Symantec
`
`antivirus and computer security products and services infringed six Columbia
`
`patents from three separate families. A160-68; A173-190; A193-202; A209-28.1
`
`The asserted patent families are (1) U.S. Patent Nos. 7,487,544 (the ’544 patent)
`
`and 7,979,907 (the ’907 patent), (2) U.S. Patent Nos. 7,448,084 (the ’084 patent)
`
`and 7,913,306 (the ’306 patent), and (3) U.S. Patent Nos. 8,074,115 (the ’115
`
`
`
`1 Columbia also alleged state law claims relating to Columbia intellectual
`property in “decoy” technology and to correct inventorship on a patent presently
`assigned to Symantec. A202-08; A228-36. These claims are separate from the
`Asserted Patents addressed in the judgment at issue on this appeal and have been
`stayed. A14.
`
`
`
`
`
`- 6 -
`
`
`
`
`Exhibit Page 16
`
`Columbia Ex. 2011-16
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 17 Filed: 01/20/2015
`
`
`
`patent) and 8,601,322 (the ’322 patent) (collectively “Asserted Patents”). Each
`
`family has a distinct disclosure with distinct priority dates.
`
`II. THE ASSERTED PATENTS
`
`A. Background
`
`Computer networks are continually becoming larger and more complex, and
`
`the amount of sensitive information exchanged and accessible on networked
`
`computers is increasing dramatically. As a result, there is a strong need for
`
`technologies preventing malicious viruses and other harmful intrusions to
`
`computers. The technology at issue concerns important advances meeting this
`
`need. ’544 patent, A48 (1:30-2:67); ’084 patent, A83-84 (1:41-3:10); ’115 patent,
`
`A124 (1:20-44).
`
`One challenge in computer security involves detecting attacks never
`
`previously seen by an intrusion detection system. These attacks sometimes are
`
`referred to as “zero-day” attacks because developers have “zero days” beforehand
`
`to patch the vulnerability. A382.
`
`Professors Salvatore Stolfo and Angelos Keromytis and their students in
`
`Columbia’s Intrusion Detection Lab and Network Security Lab pioneered next
`
`generation
`
`technologies based on, among other
`
`things, machine
`
`learning
`
`techniques providing vastly improved detection of new viruses and attacks. A196-
`
`
`
`
`
`- 7 -
`
`
`
`
`Exhibit Page 17
`
`Columbia Ex. 2011-17
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 18 Filed: 01/20/2015
`
`
`
`201. The Asserted Patents concern the application of machine learning techniques
`
`to various areas of computer security.
`
`Machine learning is a subfield of artificial intelligence and statistics. A382-
`
`83. Machine learning systems are able to learn automatically from data. ’544
`
`patent, A48 (1:65-2:45); ’084 patent, A87 (10:1-11). The first step involves
`
`collecting large amounts of data. ’544 patent, A50 (5:16-27). Next, in a training
`
`phase, the collected data is fed into a machine learning algorithm to generate a
`
`model based on important parts of the data called features. ’544 patent, A50 (5:28-
`
`6:6); ’084 patent, A87-88 (10:1-11, 12:49-65); ’115 patent, A125 (3:28-45). A
`
`model is the encapsulation of the automatically-generated insights that the machine
`
`learning algorithm derived from the training data. ’544 patent, A49-50 (4:67-5:5).
`
`As additional training data is obtained, the model may be modified. A54-57 (14:4-
`
`22, cl. 5). The model is then deployed in the field. New programs not seen during
`
`the training phase are run through, or compared to, the model. ’544 patent, A50
`
`(5:6-15); ’084 patent, A88 (12:36-48); ’115 patent, A125 (3:46-56). The system
`
`can classify or evaluate the new program based on the comparison with the model.
`
`’544 patent, A51 (8:3-12).
`
`Model creation using machine learning raises two questions: what the
`
`model represents and what ingredients are used to create the model. These are
`
`different concepts. For example, anomaly detection models can detect deviations
`
`
`
`
`
`- 8 -
`
`
`
`
`Exhibit Page 18
`
`Columbia Ex. 2011-18
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 19 Filed: 01/20/2015
`
`
`
`from normal behavior. The ingredients for such a model include attack-free data
`
`but also can include attack data. ’115 patent, A133-34 (cls. 1, 8, 18, 29, 39); A674.
`
`By analogy, a model of a fresh apple could consider the attributes of a fresh apple
`
`in isolation but may be enriched by considering how fresh apples differ from rotten
`
`apples. A382-83; A398-402.
`
`B.
`
`The ’544 and ’907 Patents
`
`The ’544 and ’907 patents are entitled “System and Methods for Detection
`
`of New Malicious Executables.” The ’544 and ’907 patents generally relate to
`
`“detecting malicious executable programs, and more particularly to the use of data
`
`mining techniques to detect such malicious executables in email attachments.”
`
`’544 patent, A48 (1:33-37). The patents improved on prior art approaches relying
`
`on specific signatures of known viruses and were directed at a new technique for
`
`classifying executables as malicious or benign “which is not limited to particular
`
`types of files . . . and which provides the ability to detect new, previously unseen
`
`files.” A48 (1:39-2:1, 2:64-67).
`
`An executable fundamentally is a collection of bytes. A50 (6:29-35); A582-
`
`84 (describing sections of files in Windows Portable Executable (PE) format);
`
`A598 (“Initialized data for a section consists of simple blocks of bytes.”). Both
`
`parties’ experts agreed during claim construction that an executable may be
`
`organized into sections containing sequences of bytes representing different
`
`
`
`
`
`- 9 -
`
`
`
`
`Exhibit Page 19
`
`Columbia Ex. 2011-19
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 20 Filed: 01/20/2015
`
`
`
`functions. A1700-05; A1322-25. For example, an executable contains the
`
`program’s instructions. Symantec’s expert stated that these “machine code
`
`instructions” are byte sequences “that tell a computer’s central processing unit
`
`what to do.” A1321. Machine code instructions are not the only sequences of
`
`bytes in an executable. An executable also may contain information about
`
`“resources” that the program uses, such as dynamically linked libraries or “DLLs”
`
`the program may invoke, and may also contain “plain text strings” with other data.
`
`A50-51 (6:23-8:2); A389-92.2 Resource information and plain text strings may be
`
`in a different section than the machine code instructions, such as in the program
`
`“header.” A50-51 (6:48-58, 7:40-53). Although the machine code instructions,
`
`resource information, and plain text strings may reflect different functions and may
`
`be in different locations in the executable, they all are indisputably made up of
`
`sequences of bytes. A635-39 (example of byte sequences containing resource
`
`information); A594-97 (example of byte sequences that are plain text strings);
`
`A1700-05 (explaining how byte sequences may represent machine code
`
`instructions, resource information, and plain text strings).
`
`
`
`2 Dynamic link libraries (DLLs) generally are libraries of frequently used
`functions that an executable may call, for example, to interact with the operating
`system. A50-51 (6:35-7:39); A90-91. Plain text strings are sequences of printable
`characters that may appear in various places in an executable, such as the string
`“microsoft.” A51 (7:40-8:2); A1704-1705.
`
`
`
`
`
`- 10 -
`
`
`
`
`Exhibit Page 20
`
`Columbia Ex. 2011-20
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 21 Filed: 01/20/2015
`
`
`
`The inventors of the ’544 and ’907 patents described a technique that could
`
`analyze the entirety, or selected parts, of an executable. The approach of the ’544
`
`and ’907 patents involves extracting information from an executable for use in a
`
`machine learning system to classify the executable. The patents refer to the
`
`properties or attributes of the sequences of bytes in the executable that are analyzed
`
`as “byte sequence features.” The term “byte sequence feature” is used in the
`
`specification and claims to describe a broad category of information derived from
`
`sequences of bytes in the executable to be classified. That is, the data to be
`
`analyzed, like pieces of evidence in the dossier on a suspect, could be multiple
`
`types of information from the entire executable or just a part. The extraction of
`
`“byte sequence features” from executables is a concept in all claims of the ’544
`
`and ’907 patents. A49 (3:23-24) (“A byte sequence feature is subsequently
`
`extracted from the executable attachment.”); see, e.g., A57 (cl. 1). The byte
`
`sequence features are then used in a machine learning system to classify the
`
`executable. A49 (3:24-29); A51 (8:3-55).
`
`Various examples of byte sequence features are described. The Summary
`
`describes how in one embodiment “[e]xtracting the byte sequence feature from the
`
`executable attachment may comprise converting the executable attachment from
`
`binary format to hexadecimal format.” A49 (3:34-37). In this embodiment, byte
`
`sequence features are extracted from the entire file and “each byte sequence in the
`
`
`
`
`
`- 11 -
`
`
`
`
`Exhibit Page 21
`
`Columbia Ex. 2011-21
`Symantec v. Columbia
`IPR2015-00375
`
`

`
`Case: 15-1146 Document: 20 Page: 22 Filed: 01/20/2015
`
`
`
`program is used as a feature.” A50 (6:21-22) (describing embodiment using utility
`
`known as “hexdump” to convert the entire file to hexadecimal). In other words,
`
`this embodiment includes byte sequence features representing machine code
`
`instructions but also includes byte sequence features representative of all other
`
`information in the executable.
`
`The Summary also describes an embodiment in which “extracting the byte
`
`sequence features from the executable attachment may comprise creating a byte
`
`string representative of resources referenced by said executable attachment.” A49
`
`(3:37-40). In other words, in this embodiment, the byte sequence features
`
`extracted must represent a specific type of information in the executable, the
`
`“resources” referenced by the executable, not all the information in the executable.
`
`These embodiments are described in greater detail in the “Detailed Description of
`
`Exemplary Embodime