In The Matter Of:
`
`SYMANTEC CORPORATION 
`v.
` THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY 
`OF NEW YORK
`
`   ___________________________________________________
`
`GOODRICH, Ph.D., MICHAEL T. ‐ Vol. 1
`August 24, 2015
`
`   ___________________________________________________
`                                                                               
`
`Columbia Ex 2052-1
`Symantec v Columbia
`IPR2015-00375
`
`

`
` UNITED STATES PATENT AND TRADEMARK OFFICE
` BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`Page 1
`
`SYMANTEC CORPORATION; )
` )
` Petitioner, )
` )
` vs. ) Case No.
` ) IPR2015-00372
`THE TRUSTEES OF COLUMBIA )
`UNIVERSITY IN THE CITY OF ) VOLUME I
`NEW YORK; )
` ) (Pages 1 - 300)
` Patent Owner. )
`_______________________________)
`
` VIDEOTAPED DEPOSITION OF MICHAEL T. GOODRICH, Ph.D.
` Newport Beach, California
` Monday, August 24, 2015
`
`Reported by:
`Lynda L. Fenn, CSR, RPR
`CSR No. 12566
`
`
`

`
`MICHAEL T. GOODRICH, Ph.D. - 8/24/2015
`Page 2
` UNITED STATES PATENT AND TRADEMARK OFFICE
` BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
` I N D E X
` EXAMINATION BY: PAGE
` MS. ZHONG 6
`
`Page 4
`
`SYMANTEC CORPORATION; )
` )
` Petitioner, )
` )
` vs. ) Case No.
` ) IPR2015-00372
`THE TRUSTEES OF COLUMBIA )
`UNIVERSITY IN THE CITY OF )
`NEW YORK; )
` )
` Patent Owner. )
`_______________________________)
`
` VIDEOTAPED DEPOSITION of MICHAEL T.
` GOODRICH, Ph.D., taken on behalf of Defendants,
` at 840 Newport Center Drive, Suite 400, Newport
` Beach, California, at 9:05 a.m. and ending at
` 6:09 p.m., Monday, August 24, 2015, reported by
` Lynda L. Fenn, CSR No. 12566, Certified
` Shorthand Reporter within and for the State of
` California, pursuant to notice.
`
`Page 3
`
`APPEARANCES:
`For the Plaintiff:
` FENWICK & WEST, LLP
` BY: DAVID D. SCHUMANN, ESQ.
` 555 California Street, 12th Floor
` San Francisco, California 94104
` (415) 875-2321
` dschumann@fenwick.com
`
`For the Defendants:
`
` IRELL & MANELLA, LLP
` BY: H. ANNITA ZHONG, ESQ.
` 1800 Avenue of the Stars, Suite 900
` Los Angeles, California 90067-4276
` (310) 277-1010
` hzhong@irell.com
`Also Present:
` Fritz Sperberg, Videographer
`
` E X H I B I T S
`
` NUMBER DESCRIPTION PAGE
`
` Exhibit 2011 A seven-page, double-sided 32
` document entitled Windows 2000
` Security Event Descriptions
` (Part 1 of 2)
` Exhibit 2012 A 11-page, double-sided 32
` document entitled Windows 2000
` Security Event Descriptions
` (Part 2 of 2)
`
` Exhibit 2013 A seven-page, double-sided 32
` document entitled Security
` Event Descriptions
`
` Exhibit 2014 A five-page, double-sided 32
` document entitled Audit Policy
` Exhibit 2015 A 15-page, double-sided 233
` document entitled Introduction
` to Computer Security
`
` INFORMATION REQUESTED
` (None)
` INSTRUCTION NOT TO ANSWER
` (None)
`
`Page 5
`
` Newport Beach, California
` Monday, August 24, 2015
` 9:05 a.m. - 6:09 p.m.
`
` THE VIDEOGRAPHER: Good morning. My name is
`Fritz Sperberg. I'm a videographer with DTI. The court
`reporter is Lynda Fenn also with DTI at 20750 Ventura
`Boulevard, Suite 205, Woodland Hills, California.
` Today's date is August 24th, 2015. The time
`is now 9:05 a.m.
` Our location is 840 Newport Center Drive in
`Newport Beach, California.
` Counsel, please identify yourselves and state
`whom you represent.
` MS. ZHONG: This is Annita Zhong from Irell &
`Manella and I represent Columbia University.
` THE VIDEOGRAPHER: It's on the far side of the
`binder, David.
` MR. SCHUMANN: Right here.
` THE VIDEOGRAPHER: Thank you.
` MR. SCHUMANN: David Schumann for Symantec.
` THE VIDEOGRAPHER: The witness today is
`Michael T. Goodrich.
`
`2 (Pages 2 to 5)
`DTI Court Reporting Solutions - Los Angeles
`www.deposition.com
`
`800-826-0277
`
`Page 6
`
`Page 8
`
` Would the reporter please swear in the
`witness.
`
` MICHAEL T. GOODRICH, Ph.D.,
`produced as a witness on behalf of the Defendants, and
`having been first duly sworn, was examined and testified
`as follows:
`
` THE VIDEOGRAPHER: You may begin.
`
` EXAMINATION
`BY MS. ZHONG:
` Q Good morning, Dr. Goodrich. Have you been
`deposed before?
` A Yes.
` Q So you know the general procedures for
`deposition; correct?
` A Yes.
` Q Okay. Is there any reason why you can't
`testify truthfully today?
` A No.
` Q And is there any reason why you can't provide
`an accurate -- accurate answers today?
` A No.
` Q Okay. So I've placed in front of you Exhibits
`
`Page 7
`1001 through 1024 from IPR 2015, 000372 and 378.
` A Thank you.
` Q Okay. IPR 20 -- IPR2015 00372 and 378
`involved the '084 patents; correct?
` A Yes, I believe that's correct.
` Q Okay. And the '084 patent is entitled "System
`and methods for detecting intrusions in a computer
`system by monitoring operating system registry
`accesses"?
` A Yes.
` Q Okay. And you agree that what differentiates
`the '084 patent from prior art is it uses data obtained
`from monitoring registry accesses in anomaly detection?
` MR. SCHUMANN: Object to form.
` THE WITNESS: I would not say that that's a
`fair characterization, no.
` MS. ZHONG: Okay.
`BY MS. ZHONG:
` Q Let's turn to Exhibit 1003, paragraph 37, page
`17. And the first sentence of paragraph 37 reads, "The
`system and method described in the specification claim
`to be different from other systems because they use data
`obtained from monitoring registry accesses with anomaly
`detection."
` Did I read it correctly?
`
` A Yes.
` Q And you don't want to -- are you changing that
`sentence or statement?
` A No.
` Q Okay. So as written here as described by the
`'084 specification what differentiates the '084
`specification from other system is that they use data
`obtained from monitoring registry accesses with anomaly
`detection; correct?
` A So what I am opining here is that the
`specification of the '084 patent is claiming to be
`different from other systems because it uses data
`obtained from monitoring registry access and uses that
`with anomaly detection.
` Q Okay. So as described by the '084 patent
`what -- the inventors believe they're different from
`other system is they use data obtained from monitoring
`registry accesses with anomaly detection --
` MR. SCHUMANN: Object --
` MS. ZHONG: Is that correct?
` MR. SCHUMANN: Object to form.
` THE WITNESS: I'm not sure of the state of
`mind of the inventors but it is true that the system
`method described in the specifications claimed to be
`different from other systems because it uses data
`
`Page 9
`obtained from monitoring registry accesses and uses
`anomaly detection.
`BY MS. ZHONG:
` Q Okay. And it's not any kind of anomaly
`detection, it's anomaly detection to determine whether a
`registry access is anomalous; is that correct?
` A The -- if you have like some specific -- so
`the way that I did my analysis was to do it based on the
`claims and then compare that to the prior art. So if
`you have some specific question with respect to claims.
`That question was a little too general for me to be able
`to answer just sitting here today.
` Q Okay. Turn to Claim One, page 16.
` A Okay.
` Q So Claim One, Step C requires, "Analyzing
`features from a record of a process that accesses the
`operating system registry to detect the deviations from
`normal computer usage to determine whether the access to
`the operating system registry is an anomaly"; correct?
` A Yes.
` Q And to determine whether the access to the
`operating system registry is an anomaly is to
`determining whether an access to the registry -- to
`determine that the -- the anomaly related to the
`registry access; is that correct?
`
`Page 10
` A Could you restate the question, please?
` Q Okay. And Claim One, Step C, to determining
`whether the access to the operating system registry is
`an anomaly is to determine the anomaly regarding a
`registry access; is that correct?
` A So I think that the claim -- the meaning of
`the claim is just as it's written here that "To
`determine that component of the limitation is to
`determine whether the access to the operating system
`registry is an anomaly." And I did my analysis in my
`declaration based on that understanding.
` Q So it's regarding the determination anomaly
`about an access to the registry; is that correct?
` A So it's regarding to determine whether the
`access to the operating system registry is an anomaly.
` Q What's your interpretation of the access to
`the operating system registry?
` A Plain meaning.
` Q And the plain meaning is?
` A To access the operating system registry. Just
`the standard understanding of that.
` Q So is that the same as registry access?
` A I don't -- I don't see immediately here --
`sitting here what the difference would be between reg --
`what you're calling a registry access.
`
`Page 12
`operating system that then was omitted from the claims
`and that this is now referring generically to operating
`system registry.
` MS. ZHONG: Okay.
`BY MS. ZHONG:
` Q So when this is applied to a Windows system,
`is a record of a process that accessed the operating
`system registry the same as a Window registry access
`record?
` A Certainly that would be inclusive of that but
`it could be potentially even broader because it doesn't
`specifically call out on the claim the Microsoft Windows
`Operating System.
` Q Okay. So when you were applying this to Bace,
`Bace's event log, what are you applying the -- a record
`of a process that accessed the operating system registry
`to? What are you reading onto?
` A Right. So I discuss this in my declaration
`with respect to the '084 patent. I gave a claim chart
`as a part of this --
` Q Mm-hmm.
` A -- where I broke down each of these
`components. And as I opine here, "Bace discloses
`analyzing features from a record of processes -- of a
`process that accesses the operating system registry to
`
`Page 11
` Q Okay. So the access to the operating system
`registry and registry access to you means the same
`thing?
` A They may be the same thing. I did -- like I
`said, I did my analysis using the exact words of the
`claim limitation.
` Q So is there a difference between registry
`access and the access to the operating system registry?
` A Just sitting here today, I'm not seeing
`immediately what the difference would be but there may
`be that I'm just overlooking at this point. Again, I
`used the exact words from -- from the claim.
` Q Okay. And Step C requires a record of a
`process that accessed the operating system registry.
` Do you see that?
` A Yes.
` Q And a record of a process that accessed the
`operating system registry refers to a registry access
`record when you are dealing with a Windows system;
`right?
` A The --
` MR. SCHUMANN: Object to form.
` THE WITNESS: As I mentioned in my declaration
`that they -- in the prosecution history for this patent,
`I believe there was a specific reference to the Windows
`
`Page 13
`
`detect deviations from normal computer usage to
`determine whether the access to the operating system
`registry is an anomaly. "For example," and then I have
`a citation from Bace on performing analysis, "the second
`of the three phases in the analyzer is the operational
`analysis of a live event stream. In this phase the
`analyzer is applied to live data to spot intrusions and
`other activity of interest," dot, dot, dot.
` Q Okay.
` A The --
` Q So what I don't understand is after reading
`this I'm still -- it's not clear to me what exactly you
`are mapping onto.
` Why don't we look at paragraph 88?
` A Okay. I'm there.
` Q And the last sentence is -- your opinion is,
`"Because one of ordinary skill in the art would
`understand that a Windows NT event logging would capture
`registry data. All these references inherently suggest
`using records of Windows registry accesses as
`information source for intrusion detection methods."
` Did I read it correctly?
` A Yes.
` Q Okay. So are you reading records of Windows
`registry accesses as -- are you mapping records of
`
`Page 14
`processes that access the operating system registry as
`records of a Windows registry accesses here?
` A I'm sorry, I'm not -- I'm not understanding
`the question.
` Q Okay. So what you are saying here is because
`-- at least you believe that Windows event log will
`inherently include records of Windows registry accesses?
` A Yes, that's correct.
` Q That -- and so you are reading the records of
`Windows registry accesses as records of processes that
`access the operating system registry?
` A Yes.
` Q Okay. Step A of Claim One requires gathering
`features from records of normal processes that access
`the operating system registry; correct?
` A Yes.
` Q And in the context of Windows NT system, those
`records are the registry auditing records; is that
`correct?
` A Registry auditing records? That is certainly
`one exemplary mapping of -- of this limitation.
` Q Any other mapping?
` A There may be others as well besides that.
` Q Did you find any?
` A I -- just sitting here today, I'm not
`
`Page 16
`was not observed during the gathering of features from
`the records of normal processes.
` Q Okay. So for Step C in order to determine
`whether a registry access is anomalous, you have -- you
`need information that reflects the registry access
`characteristics; correct?
` A I don't know if I would characterize it in
`those words but you certainly need this probabilistic
`model that is mentioned in Limitation B.
` Q And what's the characteristics of
`probabilistic model? Does a probabilistic model needs
`to reflect the characteristics of registry access?
` MR. SCHUMANN: Object to form.
` THE WITNESS: So the -- the way that I did my
`analysis again was just going by the words of the
`claims. And so if the probabilistic model is of normal
`computer system usage, it's based on the features, it
`determines the likelihood of observing an event that was
`not observed during the gathering of features from the
`records of normal processes, then it would be satisfying
`this Claim Limitation B and then in this analysis step
`that happens in Limitation C, that would presumably be
`utilizing that probabilistic model to make this
`determination of whether or not it is an anomaly.
` MS. ZHONG: Okay.
`
`Page 17
`
`Page 15
`recalling exactly what other ones I may have also found
`in addition to that.
` Q Okay. So in the context of discussing Windows
`system, can we refer to the records of processes that
`access the operating system registry as registry
`auditing records?
` A Certainly that's one exemplary set of records
`that we could refer to.
` Q Okay. And the features gathered from -- and
`features gathered from registry auditing records reflect
`the registry access characteristics; correct?
` A So they're inclusive of registry access
`characteristics certainly.
` Q Okay. But in order to determine whether a
`registry access is anomalous, you need to have
`information that reflects the registry access
`characteristics; correct?
` A So in order to determine something that is
`anomalous, which is not a part of this limitation that
`comes later --
` Q Comment C.
` A -- in C. There is also the Limitation B
`that's mentioned of generating a probabilistic model of
`normal computer system usage based on the features and
`determining the likelihood of observing an event that
`
`BY MS. ZHONG:
` Q So what kind of features are analyzed in Step
`C?
` A Any features that come from the records of the
`process that accesses the operating system registry.
` Q What kind of features are contained in the
`registry access record?
` MR. SCHUMANN: Object to form.
` THE WITNESS: The -- the claims didn't have
`that specific discussion but the specification of the
`'084 has several examples that are discussed and then in
`some dependent claims, which I do opine on, it gives
`more specific examples of kinds of features that would
`be of interest and would be used for this analysis.
` MS. ZHONG: Okay.
`BY MS. ZHONG:
` Q In the context of Bace, what kind of features
`are contained in the records that you claim to be
`accessing the operating system registry?
` So why don't I hand you --
` A So Bace specifically references using Windows
`NT event logs. And then as I excerpt also in -- just
`after my paragraph 116, there's a number of kinds of
`events that Bace teaches, including changing ownership
`for a file or directory, changing permissions for a file
`Page 18
`
`Page 20
`
`or directory, changing attributes for a file or
`directory, displaying owner permissions, displaying
`names of files, displaying file data, altering contents,
`going to subdirectories, running a file and deletion.
` Q Okay.
` A And then in my paragraph --
` Q Why don't we stop there?
` A -- 119.
` Q Is --
` MR. SCHUMANN: I think you need to let him
`finish. Finish your -- finish your answer.
` THE WITNESS: Yeah. So then in my paragraph
`119 also excerpting from Bace, which in turn is also
`excerpting and discussing a concept found in the Denning
`reference. It refers to measure categories
`and examples giving exemplary kind of events of four
`different types, only three of which are operational for
`this purpose that she's discussing.
` The first is binary or linear kind of events.
`Binary events are things that either happen or do not
`happen. And then linear events are things that have a
`quantity associated with them. And then you can either
`have an ordinal or continuous component to that or a
`categorical code, a discrete application of that.
` So with the binary and ordinal component you
`
`BY MS. ZHONG:
` Q My question is very specific, not what kind of
`audit records Bace has but what kind of registry audit
`records Bace contains. I'm handing you 372, the IP
`application and if you will turn to page 27, fifth line
`down, do you agree with petitioner that Bace does not
`expressly disclose records of a registry activity as an
`information source?
` A Where were you again?
` Q The fifth line down.
` A Fifth line down. So I agree with this
`statement in the full sentence that's mentioned here
`that, "Someone with ordinary skill in the art would
`understand that the references that Bace is making to
`Windows NT event logs would include registry
`information."
` Q But there is no explicit disclosure; correct?
` A So what I, in fact, also opine on is in terms
`of explicit disclosures to the extent that the deciders
`of fact don't agree that that's inherent that Bace
`discloses specific registry information being
`included --
` Q Where is that disclosed?
` A -- then I -- I opine in, for example, when I
`talk in my claim charts about the Dependent Claim Three
`
`Page 21
`that one of ordinary skill in the art would look to
`Russinovich to find --
` Q Russinovich is not Bace; correct?
` A -- explicit -- explicit references to --
` Q Is Russinovich Bace?
` MR. SCHUMANN: Don't interrupt him. I mean, I
`understand you want him to stay on topic, but he's
`trying to finish his answer.
` MS. ZHONG: He's going off the tangent.
`BY MS. ZHONG:
` Q So my question to you is --
` A I'm trying to answer your question.
` Q I'm asking you where in Bace is registry
`mentioned and you are giving me -- mentioning
`Russinovich.
` Is Russinovich part of Bace?
` A Russinovich is not Bace.
` Q Okay. So where in Bace is registry
`information disclosed?
` A So registry information would be inherent and
`inclusive in what Bace describes as "Windows NT event
`logs."
` Q Okay. So you are Bace inherently, you're not
`based on express disclosure?
` A The discussion of registry information is
`Page 19
`could have CPU time used. You could also have a number
`of audit records produced. And then in the categorical
`for binary you could have whether a directory was used,
`you could have whether a file was accessed, whether
`audit records indicating use for a day, a week or a
`month.
` MS. ZHONG: Okay.
` THE WITNESS: And then in the linear component
`of that --
` MS. ZHONG: I don't --
` THE WITNESS: -- you could have a number of
`times each --
` MS. ZHONG: I'm sorry, Dr. Goodrich.
` THE WITNESS: -- command was used --
` MS. ZHONG: I think that --
` THE WITNESS: -- number of system related
`errors.
` MS. ZHONG: -- you went off -- sorry, sorry,
`Goodrich --
` THE WITNESS: A number of login failures in
`the last hour, a number of audit events recorded and a
`number of files modified.
` MS. ZHONG: Dr. Goodrich, I don't think you're
`answering my question.
`//
`
`Page 22
`inherent in this mention in Bace of "Windows NT event
`logs."
` Q Okay. And in your discussion, the only
`information you're relying on as to the records of
`processes that access the operating system registry is
`what you call the registry auditing records; correct?
` A Could you point to me where you're reading
`that from, please?
` Q Paragraph 88 is "Records of Windows Registry
`Accesses."
` A So as I opine here and as I was saying
`earlier, "Because one of ordinary skill in the art would
`understand that Windows NT event logging would capture
`registry data, all these references inherently suggest
`using records of Windows registry accesses as
`information sources for intrusion detection methods."
` Q Okay. So your theory is that records of
`Windows registry accesses are records of the processes
`that are accessed, the operating system registry; is
`that correct?
` A Could you say this question again, sorry?
` Q So your theory is that records of Windows
`registry accesses are a form of registry accesses -- a
`form of records that -- of the processes that access the
`operating system registry?
`
`Page 24
`as I opined in my chart, Bace discloses gathering
`features from normal computer use to later use in
`anomaly detection. And one example of that given in
`Bace is the Windows NT event logs, which as I opined,
`would include records of Windows registry accesses.
` Q So what if the Windows NT log does not contain
`any registry auditing records, would Bace still satisfy
`Element A?
` MR. SCHUMANN: Object to form.
` THE WITNESS: I'm sorry, I don't understand
`the question. Could you rephrase or restate.
` MS. ZHONG: Okay.
`BY MS. ZHONG:
` Q So your assumption is that Windows NT log
`inherently contains Windows registry access records and
`based on that you believe Bace disclosed Element A;
`correct?
` A So it's -- I wouldn't -- I wouldn't call it an
`assumption. It's true that Windows NT event logs
`include records of Windows registry accesses.
` Q What if that assumption or whatever you call
`it is incorrect?
` Would Bace still disclose gathering features
`from records of normal processes that access the
`operating system registry?
`
`Page 23
` A I'm not sure it's fair to characterize it as a
`theory. Is that -- and there's a lot of words there so
`I'm not --
` Q Okay. So --
` A -- sure I fully understand what you're asking.
` Q Okay. Let me withdraw the question and
`re-ask.
` A Okay.
` Q So the records of processes that access the
`operating system registry, what you are mapping on is
`the records of Windows registry accesses; correct?
` A Yes, that's correct.
` Q Okay. And the features that's gathered from
`records of processes that access the Windows -- the
`operating system registry, are features gathered from
`Windows registry access records; correct?
` A Could you restate the question again, please?
` Q Step A recites, "Gathering features from
`records of normal processes that access the operating
`system registry"?
` A Yes.
` Q And the features that's gathered from these
`records are the features gathered from Windows registry
`records; correct?
` A So the -- the limitation is, as you read and
`
`Page 25
` A I didn't -- I didn't consider a scenario where
`that fact were not true, because it does -- Windows NT
`event logs do include Windows registry accesses.
` Q Okay. Isn't it a fact that Windows registry
`auditing is turned off by default?
` A I don't know.
` Q You don't know? Did you investigate?
` A No.
` Q Okay. You just assumed that registry auditing
`is always on?
` A No. What I assumed or what -- the way that I
`did my analysis was to understand what Bace understood
`would be included, and what a person of ordinary skill
`in the art would understand is included when Bace
`discusses Windows event logging. And that that would
`inherently suggest using records of the Windows registry
`access.
` Q But the fact is Bace does not even mention
`registry; correct?
` A Again, Bace inherently suggests using a
`Windows registry.
` Q What if the registry auditing is turned off by
`default, does that still inherently disclose -- does --
`is that log still inherently contain registry access
`records?
`
`Page 26
` A It still would suggest including registry --
`Windows registry accesses.
` Q Even if the registry auditing is never turned
`on?
` A Because it has that capability, then it's some
`-- it's an information source. Bace is talking about
`all the different kinds of information sources that you
`can use and that still would be inclusive of what you
`would inherently be able to include in an anomaly
`detection engine that she describes.
` Q So what you are saying is that because it has
`a capability to log it will always -- the event log will
`always contain registry access information?
` A No. What I'm saying is that Bace teaches
`using Windows event logs and that inherently suggests
`using records of the Windows registry accesses.
` Q Okay. Why turn to -- why don't you turn to
`Exhibit No. 1014, page 81.
` A Okay.
` Q Last paragraph, third line down it says,
`"Security auditing is disabled by default." Do you see
`that sentence? Last paragraph?
` A Last paragraph.
` Q Third line.
` A Third line. I see the third line.
`
`Page 28
` Q Page 95. Do you see that, "User manager must
`be used to turn on the Windows NT auditing facility"?
`Third paragraph, last sentence.
` A Yes.
` Q And reg X 32 is used to selected registry keys
`and events that are audited CHECKSPELL?
` A Yes.
` Q Okay. Does that tell you that registry
`auditing must be enabled instead of turned down
`automatically?
` A So I think the confusion here is that what
`we're talking about with respect to '084 is a system
`that would be doing even a higher level of checking and
`auditing than is provided by default in Windows NT.
`Hence, when you would be deploying a system that's going
`to be doing not just vanilla basic level auditing, but
`it's going to be doing this process of building a model,
`detecting anomalies, doing all this work, then it would
`be natural and normal for that system itself when you
`install it to change what would be default settings in a
`Windows NT system that would not be doing such checks to
`then turn them on.
` Q Okay. So --
` A That's why it's not in my opinion --
` Q -- isn't that circular --
`
`Page 29
` A -- relevant whether or not I did that analysis
`because you would naturally -- the system itself would
`naturally turn on such checks as a part of the system.
` Q Isn't that circular reasoning? You are
`assuming that a person of ordinary skill in the art
`would have motivation to do -- use registry access
`features to do anomaly detection --
` MR. SCHUMANN: Object.
`BY MS. ZHONG:
` Q -- and then argue that because they have such
`motivation they will turn it on?
` A No, that's --
` MR. SCHUMANN: Object to form.
` THE WITNESS: No, that's not a
`characterization of my opinion. Instead what I'm saying
`is: If someone would be motivated to use a system like
`what is described in '084 and also in Bace
`independently, then they would be motivated to, when
`they install it, utilize the features that the system
`provides for gathering information. That's what Claim A
`was talking about, gathering features.
`BY MS. ZHONG:
` Q Well, we can --
` A And hence, you would utilize what is the
`capabilities of the system and that's what is taught