Inter Partes Review of
U.S. Patent No. 8,141,154

Filed on behalf of Symantec Corporation

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

SYMANTEC CORPORATION
Petitioner

v.

FINJAN, INC
Patent Owner

Case To Be Assigned
U.S. Patent No. 8,141,154

DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF PETITIONER PURSUANT TO 37 C.F.R. § 42.120

Symantec 1010
IPR of Pat. No. 8,141,154

I, Jack W. Davidson, declare as follows:

I. Overview

1. I am over 21 years of age and otherwise competent to make this Declaration. I make this Declaration based upon facts and matters within my own knowledge and on information provided to me by others.

2. I have been retained as an expert witness to provide testimony on behalf of Symantec Corporation (“Symantec” or “Petitioner”) as part of the above-captioned inter partes review proceeding (“IPR”), including issues relating to the validity of U.S. patent number 8,141,154 (“the ‘154 patent”), entitled “System and method for inspecting dynamically generated executable code.” I also understand that the ‘154 patent was filed on December 12, 2005 and issued on March 20, 2012 and that the ‘154 patent is currently assigned to Finjan, Inc.

3. I have reviewed and am familiar with the specification and prosecution history of the ‘154 patent. A copy of the ‘154 patent is provided as Symantec 1001. As I explain in more detail below, I am familiar with the technology at issue as of the December 12, 2005 filing date of the ‘154 patent.

4. I have also reviewed and am familiar with the following prior art, which I understand is being used by Symantec in the Petition for Inter Partes Review of the ‘154 patent:

a. U.S. Patent Application Publication 2007/0113282 by Robert F. Ross (“Ross,” provided as Symantec 1002);

b. U.S. Patent Application Publication 2002/0066022 by Brad Calder et al. (“Calder,” provided as Symantec 1003);

c. Design and implementation of a distributed virtual machine for networked computers, by Emin Gun Sirer et al., Association for Computing Machinery, December 1999. (“Sirer,” provided as Symantec 1004).

d. U.S. Patent No. 8,220,055 to Mark K. Kennedy (“Kennedy,” provided as Symantec 1009).

5. With its Petition and this supporting Declaration, I understand Symantec is requesting that the Patent Office institute a review of claims 1-12 of the ‘154 patent, and that the requested review is based on the following grounds:

a. Ground 1: Claims 1-5 are anticipated under 35 U.S.C. § 102 by Ross.

b. Ground 2: Claims 2, 4-8, 10, and 11 are rendered obvious under 35 U.S.C. § 103 by Ross.

c. Ground 3: Claims 9 and 12 are rendered obvious under 35 U.S.C. § 103 by Ross in view of Calder.

d. Ground 4: Claims 1-12 are rendered obvious under 35 U.S.C. § 103 by Calder in view of Sirer.

6. I have been asked to provide a technical review, analysis, and insight regarding the above-noted references, which I understand form the basis for the grounds of rejection set forth in the Petition.

7. I am being compensated for my time in connection with this IPR at a rate of $400 per hour. I am also being compensated for any out-of-pocket expenses for my work in this review. My compensation as an expert is in no way dependent upon the results of any investigations I undertake, the substance of any opinion I express, or the ultimate outcome of the review proceedings. I have been advised that Bryan Cave LLP represents the Petitioner Symantec, Inc. in this matter. I have no direct financial interest in Symantec, Finjan, or the ‘154 patent.

II. My Background and Qualifications

8. I am a Professor of Computer Science at the University of Virginia. In addition, I am the Founder and President of Zephyr Software LLC. Zephyr Software, in business since 2001, provides a variety of services including innovative computer security solutions targeted mainly for U.S. Department of Defense applications. For more than 35 years, I have been involved in the design of computer systems and software as well as leading and managing large software development projects.

9. I earned a Bachelor’s of Applied Science in Computer Science from Southern Methodist University in 1975, a Master’s of Science in Computer Science from Southern Methodist University in 1977, and a Doctorate in Computer Science from the University of Arizona in 1981. After receiving my Doctorate, I joined the faculty at the University of Virginia. In addition, I have held visiting positions at Princeton University and Microsoft Research in Redmond, Washington.

10. For over 35 years, I have conducted research in a variety of areas in computer science including compilers, interpreters, programming languages, computer architecture, embedded systems, program analysis, and most recently computer security. My current research in computer security involves developing methodologies for preventing attacks against critical, enterprise-level computer systems and preventing malware from infecting personal and mobile computers. In these areas and others I have led and managed several large-scale projects involving the collaboration of top U.S. researchers. I am currently leading a large project ($5.8M) called the Cyber Fault-tolerant Attack Recovery project at the University of Virginia, which has been funded by the Defense Advanced Research Project Agency (DARPA). The goal of the Cyber Fault-tolerant Attack Recovery project is to develop defensive cyber techniques that can be deployed to protect existing and planned software systems without requiring changes to the concept of operations of these systems.

11. I am also the principal investigator of a project funded by the Air Force Research Laboratories (“AFRL”) in Rome, NY. The goal of this project is to transition the results of our previously funded research in cyber security from our research laboratory to the field. That is, we are working with the AFRL to automatically secure mission-critical systems against attack by well-funded, determined malicious adversaries and to develop and carry out compelling demonstrations, tests, and exercises that demonstrate the power and effectiveness of the techniques developed in the Dependability Group at the University of Virginia.

12. As my current research focus is in cyber security, I have published extensively in the field of computer security. In addition to other publications, the paper “Safe Virtual Execution Using Software Dynamic Execution” written by Kevin Scott and myself and presented at the 18th Annual Computer Security Applications Conference held in Las Vegas, Nevada in December 2002 is particularly relevant to the matter being considered.

13. My curriculum vitae, which is provided as Symantec 1011, lists my publications in the computer security area.

14. In addition to my scholarly activities in the field of cyber security, I am the President and sole owner of Zephyr Software LLC. I founded Zephyr Software as another vehicle for commercializing my research. Currently, Zephyr Software is focused on commercializing cyber security solutions. Including myself, Zephyr Software has four employees. Zephyr Software currently has Phase II SBIR contracts from DARPA and the Office of Naval Research (“ONR”).

15. The DARPA contract is targeted at securing embedded systems. Network routers, communications equipment, supervisory control and data acquisition (“SCADA”) systems, and industrial control systems (“ICS”) are some examples of embedded systems. Because these systems are part of a critical infrastructure, such as plant operations, the power grid, communication systems, transportation systems, and similar operations, it is vital that these systems be protected from malicious attacks.

16. The work being performed under the ONR contract includes developing techniques to prevent malicious adversaries from taking over the control of a program via a technique known as “program hijacking.” Using program hijacking, a malicious entity can take control of a program to carry out a variety of attacks such as denial of service, secret information leakage, shutdown of critical services, and similar attacks.

17. In addition to my research and commercialization activities, I am also an accomplished and award-winning instructor. In 1989, I received the NCR Faculty Innovation Award for my development of innovative curriculum materials and outstanding teaching. I am the co-author of two widely used introductory programming textbooks, C++ Program Design: An Introduction to Programming and Object-Oriented Design and Java 1.5 Program Design both published by McGraw-Hill.

18. In 2008, I was co-recipient (with my co-author James P. Cohoon) of the IEEE Computer Society Taylor L. Booth Education Award for “sustained effort to transform introductory computer science education through lab-based multimedia pedagogy coupled with examples that attract a diverse student body.” In addition, I have given invited lectures at the Third International Summer School on Advanced Computer Architecture and Compilation for Embedded Systems held in L’Aquila Italy in 2007. Approximately 200 students attended this summer school from the member nations of the European Union.

19. As part of my ongoing activities in computer security, I created and teach a course about cyber security at the University of Virginia. The course title is “Defense against the Dark Arts.” The course focuses on teaching students techniques for defending computers from computer viruses, computer worms, and other types of malicious attacks. The course was first taught in the Fall of 2005 and I have taught it multiple times since that time. I last taught the course in Spring of 2014.

20. I also was a lecturer in the inaugural Indo-US Engineering Faculty Leadership Institute held in Mysore, India. The goal of the Leadership Institute is to improve University education in India. The Institute was attended by 120 faculty members from Indian Universities.

21. In the summers of 2010, 2011, 2012, and 2014, I helped organize and lectured at the International Summer School on Information Security and Protection (ISSISP) held in Beijing, China (2010), Ghent, Belgium (2011), Tucson, Arizona (2012), and Verona, Italy (2014). Each summer school was attended by 50 students from various international universities. ISSISP 2015 will be held in Rio de Janeiro, Brazil.

22. Because of my expertise and stature within the computing community, I am often asked to serve on important Boards and Councils. I served as an elected member-at-large of the Association of Computing Machinery (ACM) Special Interest Group on Programming Languages (SIGPLAN) for four years. ACM is the largest professional computing society in the world. I was elected chair of SIGPLAN in 2005. I am a member of the ACM Council, which oversees the operation of ACM, and I am co-chair of ACM’s Publications Board, which oversees the publication of the organization’s 44 professional journals and 8 magazines, and a professional book series.

23. As a leading expert in the field, I help organize many technical conferences in the area including the International Conference on Parallel Architectures and Compilation Techniques (“PACT”), International Symposium on Code Generation and Optimization (“CGO”), Conference on Programming Language Design and Implementation (“PLDI”), Conference on Languages, Compilers and Tools for Embedded Systems (“LCTES”), International Conference on Compilers, Architectures and Synthesis for Embedded Systems (“CASES”), Conference on the Principles of Programming Languages (“POPL”), International Conference on Autonomic Computing (“ICAC”), and International Conference on High-Performance and Embedded Architectures (“HiPEAC”).

24. In the past, I was an Associate Editor of the ACM Transactions of Programming Languages and Systems (“TOPLAS”) and ACM Transactions on Architecture and Code Optimization (“TACO”) journals. TOPLAS is the archival journal in the area of programming languages and compilers. TACO is an archival journal in the area of computer architecture and program optimization. In 2009, I received SIGPLAN’s Distinguished Service Award for “substantial and sustained contributions to the programming languages research community and to SIGPLAN in particular.”

25. I am a Senior Member of the Institute of Electrical and Electronics Engineers (“IEEE”), the IEEE Computer Society. I am a Fellow of the Association for Computer Machinery (“ACM”). The ACM Council established the ACM Fellows Program in 1993 to recognize and honor outstanding ACM members for their achievements in computer science and information technology and for their significant contributions to the mission of the ACM. The ACM Fellows serve as distinguished colleagues to whom the ACM and its members look to for guidance and leadership as the world of information technology evolves.

26. A more detailed listing of my professional background and accomplishments is found in my curriculum vitae provided as Symantec 1011.

III. My Expertise and the Person of Ordinary Skill in the Art

27. As a result of my more than thirty years’ experience in the field of computer science and my deep involvement over the last 15 years with computer security through teaching and research, I am very familiar with techniques to secure and protect computer systems, including techniques to prevent computer viruses, worms and other types of attacks from corrupting both personal computers and enterprise-level systems.

28. Accordingly, I am qualified to provide expert opinions on the technology described in the ‘154 patent as well as the teachings of the prior art references at the time of the ‘154 patent.

29. A person of ordinary skill at the time of the alleged invention of the ‘154 patent would generally have a master’s degree in computer science, computer engineering, or a similar field, or a bachelor’s degree in computer science, computer engineering, or a similar field, with approximately two years of experience in the fields of networking and anti-malware development, computer security or equivalent work experience. Additional graduate education might substitute for experience, while significant experience in the field of computer programming, networking, and/or malicious code might substitute for formal education.

IV. Applicable Legal Standards

30. I am not an attorney and do not expect to offer any opinions regarding the law. However, I have been informed of certain legal principles relating to patent claim construction and invalidity that I relied upon in reaching opinions set forth in this report.

Obviousness

31. It is my understanding that obviousness is determined from the vantage point of a person of ordinary skill in the art at the time the invention was made. In order for a claim to be considered invalid under this ground, I understand that the proposed combination of asserted references must teach or suggest each and every claim feature and that the claimed invention as a whole must have been obvious at that time to one of ordinary skill in the art.[1]

32. My understanding is that one should avoid the use of “hindsight” in assessing whether a claimed invention would have been obvious. For example, an invention should not be considered in view of what persons of ordinary skill would know today, nor should it be reconstructed after the fact by starting with the claims themselves and/or by reading into the prior art the teachings of the invention at issue.

[1] Accordingly, I understand that the term “obvious” has both a legal and a technical meaning. When the term is used throughout this declaration, my opinions and conclusions will be directed to the technical meaning of obvious (i.e., whether subject matter was within the technical grasp of a person of ordinary skill at the time of the invention).

33. It is my understanding that obviousness cannot be proven by mere conclusory statements or by merely showing that an invention is a combination of elements that were already previously known in the prior art. Rather, it is my understanding that a party challenging a patent in an Inter Partes Review proceeding must further establish by a preponderance of the evidence that there was an apparent reason with some rational underpinnings that would have caused a person of ordinary skill at the time of the invention to have combined and/or altered these known elements to arrive at the claimed invention. Such reasons might include, for example, teachings, suggestions, or motivations to combine that would have been apparent to a person of ordinary skill in the art.

Claim Language

34. I understand that, in Inter Partes Review proceedings, claim terms are to be given the broadest reasonable construction in light of the specification as would be read by a person of ordinary skill in the relevant art.

35. As the result of my education and experience, I believe that I understand how the asserted claims of the ‘154 patent would be understood by a person of ordinary skill in the art applying the above standard.

V. Overview of Malware Detection Technology at the Time of the ‘154 Patent

36. At the time of the ‘154 patent, networks of computer systems were greatly increasing society’s productivity, as well as the quality of life for many citizens. Society was increasingly relying on computer systems to control vital infrastructure, such as transportation systems, power generation and transmission systems, communication systems, financial systems, and similar infrastructure components. At the time of the ‘154 patent, malware had become a major problem for the computer industry.

37. Malware includes viruses, worms, and other types of malicious software, such as spyware, and malicious downloads. For example, the MyDoom virus, which appeared in early 2004, caused billions of dollars in damages, with estimates ranging from $14B to $38.5B. The virus caused various types of economic damages. For example, businesses incurred costs associated with providing help desk support, overtime payments, loss of business, degraded internet service, productivity loss, management time reallocation, and implementing a recovery. Because of the high cost of these damages, there was, and continues to be, much interest in developing techniques to defend against various types of malware.

38. Because malware comes in many types, it is useful to categorize or classify malware by answering the following questions:

a) How was the attack created?

b) How was the malicious code transported?

c) What vulnerabilities were exploited?

d) What damage did the attack cause?

39. For example, the MyDoom virus was created using a popular programming language called C++. The malicious code was most often spread by e-mail, typically inserted into the e-mail as an attachment. When an unsuspecting user clicked on the attachment, the user’s computer would be infected. This virus worked by exploiting a vulnerability of the Windows operating system; specifically, the Windows operating system used to allow e-mail attachments to be executed by the computer. If an e-mail attachment contained a virus, and the e-mail attachment was executed, the virus would execute and could install additional malware on the infected machine including a backdoor. This backdoor would then allow a remote adversary to access the infected machine. The virus could also install software to initiate a denial-of-service attack against certain Internet sites.

40. In the early 2000’s, the main defense against various types of malware, including viruses, was anti-virus software. Such software was generally referred to as anti-virus software even though it would detect other types of malware such as spyware, backdoors, spammers, and keyloggers.

41. The dominant technique used by anti-virus software to detect malware was signature-based scanning. Signature-based scanning is analogous to a common, standard medical approach for determining if a person is infected with a certain biological pathogen. A blood test is performed to see if particular antibodies are present that indicate that the subject is infected. Similarly, with signature-based virus detection, the anti-virus software scans relevant files for a “fingerprint” or “signature” that, if present, indicates malware is present.

42. There are many aspects to creating powerful, effective, signature-based anti-virus software. One key aspect for effective scanning is the completeness of the corpus of signatures used by the scanner. If the signature database does not contain a signature for specific malware, the malware most likely will not be detected. Anti-virus vendors expend considerable effort to ensure their signature databases contain up-to-date signatures of newly discovered viruses and that these updated databases are provided to the licensees of their software on a timely basis.

43. Another aspect for effective scanning is the sophistication of the scanning algorithms and techniques. Anti-virus software vendors continually investigated new scanning techniques to both speed the scanning process and to improve the accuracy. Much like the medical tests I mention above, signature-based scanning may sometimes result in false positives or false negatives. In the medical context a false positive is when a test has incorrectly indicated the presence of a pathogen when there is, in actuality, none present. A false negative is when the test has incorrectly indicated that no pathogen is present when there is, in actuality, a pathogen present.

44. At the time of the ‘154 patent, anti-virus researchers continually worked to improve the accuracy of the signature-based scanning by lowering the rates of false positives and false negatives. Unfortunately, virus writers also continually worked to create new techniques for creating malware that would evade detection by signature-based scanning. This back-and-forth struggle between virus writers and anti-virus defenders is much like an arms race. Each time a virus writer devised a new mechanism for avoiding detection, anti-virus researchers responded by developing new techniques. With each successive generation of malware, maintaining the effectiveness of signature-based scanning (i.e., low rates of false positives and false negatives) grew more difficult.

45. One of the advantages of signature-based malware detection is that anti-virus vendors could extensively test their signatures to avoid false positives. They did this by maintaining an extensive corpus of benign programs that would be typically found on target machines. Before a new set of signatures is released, the signatures are extensively tested against the corpus.

46. A disadvantage of signature-based scanning is that it is only effective against known families of malware. That is, appropriate signatures can be tested and evaluated only if a sample of the malware has been captured and analyzed. As it became easier to create new malware and the speed of infection increased because of the growth of the Internet, anti-virus researchers began to search for other approaches that could complement signature-based scanning.

47. Another approach to detecting malware is to analyze a program to identify intrinsic malware behavior. This approach is sometimes called “behavior blocking.” The approach had been known since at least 1997 where it had been proposed and used for intrusion detection and detection of violations of security policies. The approach is also sometimes referred to as “execution monitoring.” The primary advantage of behavior blocking over signature-based malware detection is that it can thwart unknown or previously unseen malware, and it can thwart malware that may have been seen, but for which the signature has not yet been distributed to end users.

48. One form of behavior blocking is to monitor a program as it runs and observe its actions. If the program behaves in some suspicious way, perhaps by carrying out a set of operations that is characteristic of malware, a predetermined security policy can be applied.

49. To avoid damage that might be done before the malicious behavior is recognized, the monitored program is often executed in a “sandbox” that prevents the application from compromising the host computer. The sandbox could be created through some form of virtualization that is either process-level or system-level on the host machine or a separate machine.

50. Typically, the monitoring necessary for behavior blocking is done by some type of reference monitor. A reference monitor works by monitoring a program’s execution steps. The execution may be monitored at different levels. It may be low-level and fine-grained by monitoring every instruction or every memory-reference. It may be high-level such as by monitoring system calls, API calls, or application function or method calls.

51. A common approach to monitoring a program’s execution is to rewrite function calls so that a substitute function is called. The substitute function can perform the necessary actions so an execution policy (including a security policy) can be enforced. Such actions include recording context information (e.g., the contents of the run-time stack, the values of arguments, etc.), checking, modifying, or recording the values of arguments to functions, preventing the execution of the function, and redirecting control to a substitute function. Because the substitute function can be written in a high-level language, the writer of the substitute function has great flexibility in choosing what actions to take when the substitute function is invoked.

52. Many of these concepts are concretely illustrated in the paper “Safe Virtual Execution Using Software Dynamic Translation” which I coauthored with Kevin Scott. Published in 2002 (provided as Symantec 1018), the paper discusses one approach to execution monitoring or behavior blocking. The paper describes how an application’s execution can be monitored so that system calls are intercepted or “hooked” and a specific security policy is enforced. While the paper focuses on interception or hooking of system calls, the paper notes that the process need not be limited to system calls. The paper shows high-level language examples where particular function calls are hooked.

53. One example in the paper shows the open system call being hooked. The open system call makes a file available for access by the application. In the example, the monitor enforces a security policy that prevents a password file from being opened by the application. The password file is stored in the /etc/passwd location. By hooking the open system function, the monitor invokes a substitute function that modifies the original argument passed to the function to make it an absolute pathname and checks to make sure that the file attempting to be opened is not the password file stored in the /etc/passwd location. If the file being opened is this password file, the substitute function issues an error message and terminates the function. If the file being opened is not the password file, the substitute function opens the file and returns the necessary file descriptor to the original calling function.

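The substitute-function check described in paragraphs 51 and 53, written out as an added example that is not part of the declaration or of the cited paper. It assumes a POSIX system; `monitored_open`, `hooked_open` and `app_can_open` are hypothetical names, and the symlink resolution and the post-open inode comparison go beyond the absolute-pathname check the text describes.

```c
/* Added illustration: a substitute for open() enforcing the policy
 * "the monitored program may never open /etc/passwd". */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PROTECTED_FILE "/etc/passwd"   /* policy target named in the text */

typedef int (*open_fn)(const char *path, int flags, mode_t mode);

/* The original function the application meant to call. */
static int real_open(const char *path, int flags, mode_t mode) {
    return open(path, flags, mode);
}

/* Turn any spelling of a path (relative, "..", symlink) into one absolute
 * name. If the leaf does not exist yet, resolve its parent directory. */
static int absolute_path(const char *path, char out[PATH_MAX]) {
    char copy[PATH_MAX], parent[PATH_MAX];
    const char *dir = ".", *leaf = path;
    char *slash;
    int n;

    if (realpath(path, out) != NULL) return 0;
    if (errno != ENOENT || strlen(path) >= sizeof copy) return -1;
    strcpy(copy, path);
    slash = strrchr(copy, '/');
    if (slash != NULL) {
        *slash = '\0';
        leaf = slash + 1;
        dir = (slash == copy) ? "/" : copy;
    }
    if (realpath(dir, parent) == NULL) return -1;
    if (strcmp(parent, "/") == 0) parent[0] = '\0';
    n = snprintf(out, PATH_MAX, "%s/%s", parent, leaf);
    if (n < 0 || n >= PATH_MAX) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

static int deny(const char *path) {
    fprintf(stderr, "monitor: open(\"%s\") denied by policy\n", path);
    errno = EACCES;
    return -1;
}

/* The substitute function: check the argument, then forward or refuse. */
int monitored_open(const char *path, int flags, mode_t mode) {
    char resolved[PATH_MAX];
    struct stat guard, opened;
    int fd;

    if (absolute_path(path, resolved) != 0) return -1;   /* fail closed */
    if (strcmp(resolved, PROTECTED_FILE) == 0) return deny(path);

    /* The name is already canonical, so a symlink at the leaf now means
     * it was swapped in after the check: refuse to follow it. */
    fd = real_open(resolved, flags | O_NOFOLLOW, mode);
    if (fd < 0) return -1;

    /* A name comparison misses hard links and rename races, so compare
     * the identity of the object that was actually opened as well. */
    if (stat(PROTECTED_FILE, &guard) == 0 && fstat(fd, &opened) == 0 &&
        guard.st_dev == opened.st_dev && guard.st_ino == opened.st_ino) {
        close(fd);
        return deny(path);
    }
    return fd;
}

/* Call-site rewriting: monitored code calls through this pointer, which
 * the monitor has pointed at the substitute instead of real_open. */
static open_fn hooked_open = monitored_open;

/* Stand-in for monitored application code. Returns 1 if the open worked. */
int app_can_open(const char *path) {
    int fd = hooked_open(path, O_RDONLY, 0);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

int main(void) {
    const char *tries[] = { "/dev/null", "/etc/passwd", "/etc/../etc/passwd" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-20s -> %s\n", tries[i],
               app_can_open(tries[i]) ? "opened" : "blocked");
    return 0;
}
```
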
`VI. OVERVIEW OF THE ‘154 PATENT
`
`A. The Specification
`
`54.
`
`The ‘154 patent generally relates to “protecting a client computer
`
`from dynamically generated malicious content.” ‘154 patent, Abstract, 1:5-22;
`
`4:30-34, 13:37-40. The ‘154 patent explains that early prior art techniques for
`
`virus detection protection were “reactive,” in that they relied upon a database of
`
`known virus signatures. Id., 1:23-32, 1:54-55, FIG. 1. Following the proliferation
`
`of the Internet, later prior art techniques recognized that certain virus types could
`
`not be recognized by signature-based scans. Instead of relying these techniques,
`
`the prior art systems turned to “proactive” techniques such as “behavioral
`
`analysis.” Id., col. 1:34-64.
`
`55.
`
`Several prior art systems that perform this type of behavioral analysis
`
`are described in the ‘154 patent. These prior art systems included a “gateway
`
`computer,” which received content and transmitted it to a “client computer.” ‘154
`
`patent, 2:46-53, FIG. 1 (labeled “PRIOR ART”). The gateway and/or client
`
`included a “content inspector,” which was used to “automatically scan and parse
`
`executable content, in order to detect which computer operations the content may
`
`21
`
`

`
`Inter Partes Review of
`U.S. Patent No. 8,141,154
`
`perform.” It also developed a “security profile” that was then compared against a
`
`set of allowable actions, which is a “security policy”. Id., 1:57-2:17, FIG. 1. The
`
`client also included a “content processor” for processing the content received from
`
`the gateway, such as “a conventional web browser, which processes Internet
`
`content.” Id., 2:54-3:2, FIG. 1.
`
`56. However, according to the ‘154 patent, these prior art proactive virus
`
`protection systems were not able to detect dynamically generated viruses because
`
`inputs that were generated at runtime were not available to the content inspector.
`
`‘154 patent, 3:31-4:26, 4:65-5:3. FIG. 2 of the ‘154 patent attempts to address this
`
`problem through simple and straight-forward modifications to the prior art in order
`
`to analyze inputs generated by the content processor at run time. ‘154 patent, 4:43-
`
`51, 11:63-12:14.
`
`57. As can be seen from the figures below, there are only a few
`
`differences between the system depicted in FIG. 2 and the prior art. In FIG. 2, the
`
`content inspector is replaced with a content modifier. While a content inspector of
`
`FIG. 1 might have modified the content,2 the content modifier of FIG. 2 inserts a
`
`substitute function that is “operational to send the input to a security computer for
`
`inspection.” ‘154 patent, col. 5:10-12. Because this substitute function sends the
`
`input to a security computer, a security computer is also added which
`
`communicates with the client. This security computer has an input inspector and
`
`an input modifier for inspecting and modifying the inputs passed to it by the client,
`
`respectively.
`
`2 ‘154 patent, col. 3:9-12 (“gateway computer 105 may modify the content so as to render it harmless, and
`
`subsequently transmit the modified content to client computer 110”).
`
`58. As FIG. 2 shows, the gateway computer includes a content modifier
`
`instead of a content inspector. The content modifier “modifies original content
`
`received by gateway computer 205 … by scan[ning] the original content and
`
`identif[ying] function calls… [and then] modif[ying] selected ones of the function
`
`calls to corresponding [substitute] function calls.” ‘154 patent, col. 9:13-28,
`
`13:52-62, FIGS. 3, 5. The modified content is sent to the content processor at the
`
`
`client computer. Id., 13:63-14:1, FIGS. 3, 5. The output of the content modifier
`
`may be a simple wrapper around the original functions, which causes the original
`
`functions to be checked at runtime before it is executed.
`
`Id., Table I.
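The arrangement described in paragraphs 57 and 58, sketched as an added example that is not part of the declaration or the ‘154 patent: a content modifier rewrites selected calls into substitute calls, and the substitute function submits each runtime input for inspection before the original function runs. All function names, the regex-based rewriting, the local stand-in for the security computer, and the iframe-blocking policy are assumptions made for illustration.

```javascript
// Added illustration: HOOKED, modifyContent, inspectInput, makeSubstitute,
// runOnClient and the policy are hypothetical names, not taken from the patent.
const HOOKED = ["document.write", "eval"];

// Content modifier (gateway): rewrite calls to selected functions into
// substitute calls. Regex matching is a simplification of real parsing.
function modifyContent(source) {
  let out = String(source);
  for (const name of HOOKED) {
    const call = new RegExp("\\b" + name.replace(".", "\\.") + "\\s*\\(", "g");
    out = out.replace(call, `__substitute(${JSON.stringify(name)}, `);
  }
  return out;
}

// Security computer: the input inspector applies a (constructed) policy to the
// runtime input; the input modifier hooks any calls that the input contains.
function inspectInput(name, input) {
  const allowed = !/<iframe\b/i.test(String(input));
  return { allowed, input: allowed ? modifyContent(input) : "" };
}

// Substitute function (client): send the input for inspection, and call the
// original function only when the verdict allows it.
function makeSubstitute(originals, audit) {
  return function substitute(name, input) {
    const verdict = inspectInput(name, input);
    audit.push(`${name}:${verdict.allowed ? "allow" : "block"}`);
    return verdict.allowed ? originals[name](verdict.input) : undefined;
  };
}

// Content processor (client): run modified content against a stub document.
function runOnClient(content) {
  const written = [], audit = [], originals = {};
  const document = { write: (html) => written.push(html) };
  const substitute = makeSubstitute(originals, audit);
  const run = (code) => new Function("document", "__substitute", code)(document, substitute);
  originals["document.write"] = document.write;
  originals["eval"] = run;
  run(modifyContent(content));
  return { written, audit };
}

// Constructed sample: the iframe markup exists only at run time.
const SAMPLE = `document.write("<p>hello</p>");
var call = "docu" + "ment.write";
eval(call + "('<ifr' + 'ame src=//example.invalid>')");`;

console.log(runOnClient(SAMPLE));
```

In the sample, the static rewrite sees only the outer `document.write` and `eval` calls; the nested `document.write` is hooked by the input modifier when the `eval` input is inspected, and its assembled iframe string is then blocked.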
`
`59.
`
`Scanning content and creating
