UNITED STATES PATENT AND TRADEMARK OFFICE
`
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`____________
`
`SYMANTEC CORP.
`Petitioner
`v.
`
`FINJAN, INC.
`Patent Owner
`
`____________
`
`Case IPR2015-01892
`
`U.S. Patent No. 8,677,494
`
`____________
`
`
`
`DECLARATION OF NENAD MEDVIDOVIC, PH.D.
`ON THE VALIDITY OF CLAIMS 1, 2, 5, 6, 10, 11, 14, AND 15
`OF U.S. PATENT NO. 8,677,494 IN SUPPORT OF PATENT OWNER’S
`RESPONSE
`
`
`
`
`
`
`
`
`
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`____________
`
`SYMANTEC CORP.
`Petitioner
`v.
`
`FINJAN, INC.
`Patent Owner
`
`____________
`
`Case IPR2015-01892
`
`U.S. Patent No. 8,677,494
`
`____________
`
`
`
`DECLARATION OF NENAD MEDVIDOVIC, PH.D.
`ON THE VALIDITY OF CLAIMS 1, 2, 5, 6, 10, 11, 14, AND 15
`OF U.S. PATENT NO. 8,677,494 IN SUPPORT OF PATENT OWNER’S
`RESPONSE
`
`
`
`
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`TABLE OF CONTENTS
`
`Page
`
`I.
`
`II.
`
`QUALIFICATIONS ........................................................................................ 1
`
`SCOPE OF ASSIGNMENT AND APPROACH ............................................ 5
`
`III. APPLICABLE STANDARDS AND CONTROLLING PRINCIPLES ......... 7
`
`A. ANTICIPATION ........................................................................................ 7
`
`B. OBVIOUSNESS ......................................................................................... 8
`
`C.
`
`PERSON OF ORDINARY SKILL IN THE ART ........................................... 10
`
`IV. SUMMARY OF MY OPINIONS ................................................................. 12
`
`V. OVERVIEW OF THE ‘494 PATENT .......................................................... 12
`
`VI. CLAIM CONSTRUCTION .......................................................................... 23
`
`A.
`
`B.
`
`C.
`
`“DATABASE” ......................................................................................... 25
`
`“LIST OF SUSPICIOUS COMPUTER OPERATIONS” ................................... 30
`
`“STORING THE DOWNLOADABLE SECURITY PROFILE DATA IN A
`DATABASE” .......................................................................................... 33
`
`VII. DISCUSSION AND OPINIONS REGARDING THE CONTRAST
`BETWEEN THE CLAIMS OF THE ‘494 PATENT AND THE
`PRIOR ART ................................................................................................... 35
`
`A.
`
`SWIMMER DOES NOT TEACH OR SUGGEST “[A DOWNLOADABLE
`SCANNER COUPLED WITH SAID RECEIVER, FOR] DERIVING SECURITY
`PROFILE DATA FOR THE DOWNLOADABLE, INCLUDING A LIST OF
`SUSPICIOUS COMPUTER OPERATIONS THAT MAY BE ATTEMPTED BY
`THE DOWNLOADABLE” ......................................................................... 44
`
`B.
`
`SWIMMER DOES NOT TEACH OR SUGGEST “STORING THE
`DOWNLOADABLE SECURITY PROFILE DATA IN A DATABASE” ................ 60
`
`i
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`SWIMMER DOES NOT TEACH OR SUGGEST “A DATABASE MANAGER
`COUPLED WITH SAID DOWNLOADABLE SCANNER, FOR STORING THE
`DOWNLOADABLE SECURITY PROFILE DATA IN A DATABASE” ................ 91
`
`SWIMMER DOES NOT TEACH OR SUGGEST “WHEREIN THE
`DOWNLOADABLE INCLUDES PROGRAM SCRIPT”.................................... 96
`
`C.
`
`D.
`
`VIII. SECONDARY CONSIDERATIONS OF NON-OBVIOUSNESS .............. 99
`
`Commercial Success............................................................................ 99
`
`Long-Felt But Unresolved Need and Recognition of a problem ...... 103
`
`Skepticism and Unexpected Results ................................................. 104
`
`Teaching away by others ................................................................... 105
`
`A.
`
`B.
`
`C.
`
`D.
`
`
`
`ii
`
`
`
`
`
`I, Nenad Medvidovic, Ph.D., declare and state as follows:
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`I.
`
`QUALIFICATIONS
`1.
`
`I make this Declaration based upon my own personal knowledge,
`
`information, and belief, and I would and could competently testify to the matters
`
`set forth herein if called upon to do so.
`
`2.
`
`I received a Bachelor of Science (“BS”) degree, Summa Cum Laude,
`
`from Arizona State University’s Computer Science and Engineering department.
`
`3.
`
`I received a Master of Science (“MS”) degree from the University of
`
`California at Irvine’s Information and Computer Science department.
`
`4.
`
`I received a Doctor of Philosophy (“PhD”) degree from the University
`
`of California at Irvine’s Information and Computer Science department. My
`
`dissertation was entitled, “Architecture-Based Specification-Time Software
`
`Evolution.”
`
`5.
`
`I am employed by the University of Southern California (“USC”) as a
`
`faculty member in the Computer Science Department, and have been since
`
`January, 1999. I currently hold the title of Professor with tenure. Between
`
`January, 2009 and January 2013, I served as the Director of the Center for Systems
`
`and Software Engineering at USC. Between July, 2011, and July, 2015, I served as
`
`my Department’s Associate Chair for PhD Affairs.
`
`
`
` - 1 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`I teach graduate and undergraduate courses in Software Architecture,
`
`6.
`
`Software Engineering, and Embedded Systems, and advise PhD students. I have
`
`graduated 15 PhD students and advise 7 students currently pursuing a PhD.
`
`7.
`
`I served as Program Co-Chair for the flagship conference in my
`
`field—International Conference on Software Engineering (“ICSE”)—held in May
`
`2011. I have served as Chair or Co-Chair for various other conferences in the
`
`Software Engineering field, including: the Fifth Working IEEE/IFIP Conference
`
`on Software Architecture, the Third IEEE International Conference on Self-
`
`Adaptive and Self-Organizing Systems, the Fifteenth International ACM SIGSOFT
`
`Symposium on Component Based Software Engineering, the IEEE/CSSE/ISE
`
`Workshop on Software Architecture Challenges for the 21st Century, and the
`
`Doctoral Symposium at the Sixteenth ACM SIGSOFT International Symposium
`
`on the Foundations of Software Engineering.
`
`8.
`
`I serve or have served as an editor of several peer-reviewed journals,
`
`including: “IEEE Transactions on Software Engineering,” “ACM Transactions on
`
`Software Engineering and Methodology”, “Journal of Software Engineering for
`
`Robotics,” “Elsevier Information and Software Technology Journal,” “Journal of
`
`Systems and Software,” “Journal of Software Engineering Research and
`
`Development,” and “Springer Computing Journal.” Additionally, I have served as
`
`a guest editor of several special issues for different journals.
`
`
`
` - 2 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`Between September 2013 and September 2015 I served as Chair of
`
`9.
`
`the ICSE Steering Committee. I am currently a member of the Steering Committee
`
`of the European Conference on Software Engineering. I previously served as a
`
`member of the Steering Committees of ICSE and of the Working IEEE/IFIP
`
`Conference on Software Architecture.
`
`10. Since July, 2015, I have served as Chair of the Association for
`
`Computing Machinery’s Special Interest Group on Software Engineering (ACM
`
`SIGSOFT), the largest professional organization in my field of work.
`
`11.
`
`I co-authored “Software Architecture: Foundations, Theory, and
`
`Practice,” a widely used textbook in the field of Software Systems’ Architecture.
`
`12.
`
`I have served as editor of various books in the Software Engineering
`
`field including: “Proceedings of the 3rd International Conference on Self-Adaptive
`
`and Self-Organizing Systems,” “Proceedings of the Warm-Up Workshop for the
`
`32nd International Conference on Software Engineering,” and “Proceedings of the
`
`5th Working IEEE/IFIP Conference on Software Architecture.”
`
`13.
`
`I have authored or co-authored over 200 papers in the Software
`
`Engineering field. My most cited paper has been cited nearly 2,500 times. A
`
`paper I co-authored in the 1998 International Conference on Software Engineering,
`
`my field’s flagship conference, was given ten years later, in 2008, that
`
`conference’s Most Influential Paper Award.
`
`
`
` - 3 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`I have served as referee or reviewer for over twenty peer-reviewed
`
`14.
`
`journals, including: “ACM Transactions on Software Engineering and
`
`Methodology,” “IEEE Transactions on Software Engineering,” “Journal of
`
`Software Engineering for Robotics,” “IEEE Software,” “IEEE Transactions on
`
`Industrial Informatics,” “Elsevier Information and Software Technology Journal,”
`
`“Journal of Systems and Software,” “Journal of Automated Software Engineering,”
`
`“IEEE Transactions on Parallel and Distributed Systems,” “IEEE Computer,” and
`
`“IEEE Proceedings – Software Engineering.”
`
`15.
`
`I have been named a Distinguished Scientist of the Association for
`
`Computing Machinery (“ACM”). I have been elected a Fellow the Institute of
`
`Electrical and Electronics Engineers (IEEE), IEEE’s highest grade that is granted
`
`to less than 0.1% of its membership annually.
`
`16.
`
`I am very familiar with and have substantial expertise in the area of
`
`software systems development / software engineering, software architecture,
`
`software design, and distributed systems.
`
`17.
`
`I have reviewed in detail U.S. Patent No. 8,677,494 (Ex. 1001, the
`
`“‘494 Patent”); the Petition for Inter Partes Review of the ‘494 Patent filed in Case
`
`No. IPR2015-01892 (Paper No. 1, “Petition”); Dr. Davidson’s declaration filed in
`
`Case No. IPR2015-01892 (Ex. 1018, “Davidson Decl.”); the Board’s Institution
`
`Decision in Case No. IPR2015-01892 (Paper 9, the “Institution Decision”); Patent
`
`
`
` - 4 -
`
`
`
`
`
`Owner’s Request for Rehearing in Case No. IPR2015-01892 (Paper No. 13,
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`“Rehearing Request”); the Board’s Decision Denying Request for Rehearing
`
`(Paper No. 21, “Decision Denying Rehearing”); the deposition transcript of Dr.
`
`Jack Davidson (Ex. 2012, “Davidson Transcript” or “Davidson Tr.”); and Morton
`
`Swimmer, “Dynamic Detection and Classification of Computer Viruses Using
`
`General Behavior Patterns, Virus Bulletin Conference, September 1995 (Ex. 1005,
`
`“Swimmer”).
`
`18.
`
`I understand that I am submitting a declaration in connection with the
`
`above-referenced Inter Partes review (“IPR”) proceeding involving the ‘494
`
`Patent.
`
`II.
`
`SCOPE OF ASSIGNMENT AND APPROACH
`19.
`
`I have been retained as an expert on behalf of Patent Owner, Finjan,
`
`Inc., (“Finjan”), to provide information and opinions to the Patent Trial and Appeal
`
`Board (hereinafter “the Board”) to assist in the determination of the validity of
`
`certain of Finjan’s patent claims of the ‘494 Patent for which the Board has
`
`instituted an IPR proceeding. Specifically, counsel for Finjan asked me to provide
`
`opinions regarding the validity of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494
`
`Patent in view of certain prior art references cited by Petitioner Symantec Corp.
`
`(“Symantec”).
`
`
`
` - 5 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`I have been informed by counsel and I understand that the analysis of
`
`20.
`
`whether a patent is anticipated or obvious is performed from the perspective of a
`
`person of ordinary skill in the art at the time of the patented inventions. The
`
`relevant timeframe for the Method Claims of the ‘494 Patent is November 1996.
`
`21.
`
`In reaching the opinions expressed in this declaration, I adopt the
`
`claim constructions set forth by the Board in its Institution Decision. See
`
`Institution Decision, pp. 6–11.
`
`22.
`
`I addition to the documents referred to in paragraph 17, which are
`
`already of reference in this case, a list of the documents and materials that I
`
`considered in connection with the development of my opinions set forth in this
`
`declaration is attached to Patent Owner’s Response as Ex. 2009. I have reviewed
`
`the documents cited by Dr. Davidson in his declaration. I intend the full page
`
`range of all exhibits attached to his declaration be considered as part of this
`
`declaration.
`
`23.
`
`I am being compensated for my time spent in connection with this
`
`matter at the rate of $350 per hour for regular work, and $500 an hour for
`
`deposition and trial testimony. My compensation is in no way contingent on the
`
`outcome of this case..
`
`
`
` - 6 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`24. To the extent that I am presented with new information concerning the
`
`subject matter of this declaration or affecting any assumptions made herein, I
`
`reserve the right to supplement this declaration accordingly.
`
`III. APPLICABLE STANDARDS AND CONTROLLING PRINCIPLES
`A. ANTICIPATION
`25. Counsel has informed me, and I understand, that an issued patent
`
`claim is invalid as anticipated if each and every element of that claim is disclosed
`
`in a single prior art reference that enables a person of ordinary skill in the art to
`
`make the allegedly anticipating subject matter. I understand that to be anticipatory,
`
`a reference must enable one of skill in the art to practice an embodiment of the
`
`claimed invention without undue experimentation.
`
`26. Counsel has informed me, and I understand, that if a prior art
`
`reference does not disclose a given element expressly, it may do so inherently. I
`
`have been informed by counsel and I further understand that a prior art reference
`
`will inherently anticipate a claimed invention if any claim elements or other
`
`information missing from the reference would nonetheless be known by the person
`
`of ordinary skill in the art to be necessarily present in the subject matter of the
`
`reference.
`
`
`
` - 7 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`B. OBVIOUSNESS
`27. Counsel has informed me, and I understand, that an issued patent
`
`claim is invalid as obvious if it can be shown that the differences between the
`
`patented subject matter and the prior art are such that the subject matter as a whole
`
`would have been obvious, at the time the invention was made, to a person having
`
`ordinary skill in the art. Relevant considerations include the level of ordinary skill
`
`in the art; the scope and content of the prior art; differences between the prior art
`
`and the claims at issue; and the so-called objective secondary factors of
`
`nonobviousness.
`
`28. Counsel has informed me, and I understand, that in order to evaluate
`
`the obviousness of any claim of the ‘494 Patent over a given prior art combination,
`
`I should analyze whether the prior art references, included collectively in the
`
`combination, disclose each and every element of the allegedly invalid claim as
`
`those references are read by the person of ordinary skill in the art at the time of the
`
`invention. Then I am to determine whether that combination makes the claims of
`
`the ‘494 Patent obvious to the person of ordinary skill in the art by a
`
`preponderance of the evidence, at the time of the inventions. I understand that
`
`such preponderance of the evidence is satisfied if the proposition is more likely to
`
`be true than not true.
`
`
`
` - 8 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`29. Counsel has informed me, and I understand, that the obviousness
`
`inquiry requires that the prior art be considered in its entirety. I am further
`
`informed and I understand that an invention cannot be obvious to try where “the
`
`breadth of the[] choices and the numerous combinations indicate that the[]
`
`disclosures would not have rendered the claimed invention obvious to try.”
`
`30. Counsel has informed me, and I understand, that even where all of the
`
`claim limitations are expressly disclosed in the prior art references, there must be
`
`some showing that a person of ordinary skill in the art would have been motivated
`
`to combine such prior art references and that there would have been a reasonable
`
`expectation of successfully achieving the claimed invention from such
`
`combination.
`
`31. Counsel has informed me, and I understand, in considering the
`
`obviousness of a claimed invention, one should not view the invention and the
`
`prior art with the benefit of hindsight. It is for that reason, I am informed and I
`
`understand, that obviousness is assessed by the person of ordinary skill in the art at
`
`the time the invention was made. In this regard, I am informed and I understand
`
`that the invention cannot be used as a guide to selecting and understanding the
`
`prior art. I understand that the appropriate standard is to determine whether a
`
`person of skill in the art would be motivated to combine references, not whether
`
`they could.
`
`
`
` - 9 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`32. Counsel has informed me, and I understand, that obviousness cannot
`
`be predicated on what was unknown at the time of the invention, even if the
`
`inherency of a certain feature is later established. Counsel has also informed me,
`
`and I understand, that unknown properties of the prior art may not be relied upon
`
`to provide the rationale for modifying or combining the prior art to reach the
`
`claimed subject matter.
`
`33. Counsel has informed me, and I understand, that a reference may be
`
`said to teach away when a person of ordinary skill, upon reading the reference,
`
`would be discouraged from following the path set out in the reference, or would be
`
`led in a direction divergent from the path that was taken by the applicant.
`
`34. Counsel has informed me, and I understand, that the “time of
`
`invention” applicable to the inventions of claims 1, 2, 5, 6, 10, 11, 14, and 15 of
`
`the’494 Patent is no later than November 8, 1996, which I understand to be the
`
`priority date of the ‘494 Patent.
`
`C.
`PERSON OF ORDINARY SKILL IN THE ART
`35. Counsel has informed me, and I understand, that the “person of
`
`ordinary skill in the art” is a hypothetical person who is presumed to be familiar
`
`with the relevant scientific field and its literature at the time of the invention. This
`
`hypothetical person is also a person of ordinary creativity capable of understanding
`
`the scientific principles applicable to the pertinent field.
`
`
`
` - 10 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`I am informed by counsel and I understand that the level of ordinary
`
`36.
`
`skill in the art may be determined by reference to certain factors, including (1) the
`
`type of problems encountered in the art, (2) prior art solutions to those problems,
`
`(3) the rapidity with which innovations are made, (4) the sophistication of the
`
`technology, and (5) the educational level of active workers in the field. I further
`
`understand that the ‘494 Patent claims a priority date of November 8, 1996.
`
`37.
`
`It is my opinion that the person of ordinary skill in the art in the field
`
`of the ‘494 Patent would be someone with a bachelor’s degree in computer science
`
`or related field, and either (1) two or more years of industry experience and/or (2)
`
`an advanced degree in computer science or related field.
`
`38. Based on my training and experience, I believe that I am a person of
`
`greater-than-ordinary skill in the relevant art and, as of November 1996 was a
`
`person of ordinary skill in the relevant art, which permits me to give an opinion
`
`about the qualifications of one of ordinary skill at the time of the invention.
`
`39.
`
`I note that Dr. Davidson’s opinion on person of ordinary skill in the
`
`art in his declaration is (Davidson Decl. at ¶ 30):
`
`In my opinion, a person of ordinary skill in the art at the time of the
`‘494 Patent would have a Master’s degree in computer science,
`computer engineering, or a similar field, or a Bachelor’s degree in
`computer science, computer engineering, or a similar field, with
`approximately two years of industry experience relating to computer
`
`
`
` - 11 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
` Additional graduate education might substitute for
`security.
`experience, while significant experience in the field of computer
`programming and malicious code might substitute for formal
`education.
`
`40. My opinions stated in this declaration would be the same if rendered
`
`from the perspective of a person of ordinary skill in the art set out by Dr.
`
`Davidson.
`
`IV. SUMMARY OF MY OPINIONS
`41.
`In this declaration I explain that the person of ordinary skill in the art
`
`understands, and I conclude, that claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494
`
`Patent are not obvious over Swimmer.
`
`V. OVERVIEW OF THE ‘494 PATENT
`42. The ‘494 patent focuses on inspecting content that is requested by a
`
`computer and verifying that the code is legitimate and will not cause any harm
`
`before it is allowed to run on the destination computer. In other words, the
`
`technology disclosed in the ‘494 Patent focuses on protecting a computer system
`
`from potentially malicious Downloadables. Edery et al. U.S. Patent No. 6,092,194,
`
`1:24–27 (Ex. 1013, the “‘194 Patent”).1 In the context of the ‘494 Patent, “[a]
`
`
`1 The ‘194 Patent is the great-great-great grandparent of the ‘494 Patent, and the
`
`‘494 Patent incorporates the disclosure of the ‘194 Patent by reference. See ‘494
`
`
`
` - 12 -
`
`
`
`
`
`Downloadable is an executable application program, which is downloaded from a
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`source computer and run on the destination computer.” Id. at 1:44–47.
`
`43. The techniques disclosed in the ‘494 Patent protect a destination
`
`computer from potentially malicious code by inspecting an incoming
`
`Downloadable, generating a security profile for the Downloadable (“DSP”), and
`
`storing the Downloadable security profile in a database. See ‘494 Patent at claims
`
`1 and 10; ‘194 Patent at 3:10–13 (disclosing receiving an incoming Downloadable
`
`at an internal security system from an external computer network); 5:41–48
`
`(disclosing deriving a DSP for in incoming Downloadable); 6:9–12 (disclosing
`
`storing the DSP in a database).
`
`Receiving an Incoming Downloadable
`
`44. The specification further states that a “Downloadable is typically
`
`requested by an ongoing process such as an Internet browser or web engine.” ‘194
`
`
`Patent at 1:8–55. The Board has previously determined that claims 1, 2, 5, 6, 10,
`
`11, 14, and 15 are entitled to the benefit of the filing date of the application that
`
`matured into the ‘194 Patent, U.S. Patent Application No. 08,964,388 (“the ‘388
`
`application”), filed November 6, 1997. See Decision Denying Institution,
`
`Symantec Corp. v. Finjan, Inc., Case No. IPR2015-01897, Paper No. 7 at 2
`
`(P.T.A.B. Feb. 26, 2016).
`
`
`
` - 13 -
`
`
`
`
`
`Patent at 1:47–49. Downloadables are typically obtained from websites that a user
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`believes to be legitimate in the form of Java applets, ActiveX controls, JavaScript,
`
`Visual Basic scripts, etc. Id. at 1:49–55. For that reason, Downloadables are
`
`common vectors for delivery of malicious code to a system. Id. at 1:41–44. Since
`
`this type of mobile code bypassed the traditional virus security measures in place at
`
`the time of the ‘494 Patent, the additional protections provided in the ‘494 Patent
`
`were and are needed in order to minimize damage to computer systems caused by
`
`this type of code. Id. at 1:37–44. In particular, a receiver intercepts a
`
`Downloadable from the Internet intended for the client, which allows the ‘494
`
`Patent to identify the code and protect clients before the Downloadable resides
`
`within the filesystem of the client:
`
`The internal network security system 110 further includes an external
`communications interface 210 coupled between the communications
`channel 125 and the signal bus 220 for receiving Downloadables from
`external computer network 105, and an internal communications
`interface 225 coupled between
`the signal bus 220 and
`the
`communications channel 130 for forwarding Downloadables not
`deemed suspicious to the internal computer network 115
`
`‘194 Patent at 3:27-35.
`
`45. An example of a security system that includes such a receiver is
`
`shown in Figure 1 at 110, below:
`
`
`
` - 14 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`
`
`‘194 Patent at Fig.1. Thus, one of skill in the art understood that the receiving of
`
`an incoming downloadable requires, at least, intercepting the Downloadable before
`
`the Downloadable resides within the filesystem of the client it is trying to protect.
`
`Downloadable Security Profile (DSP)
`
`46. The techniques disclosed in the ‘494 Patent protect a destination
`
`computer from potentially malicious code by inspecting an incoming
`
`Downloadable and generating a security profile for the Downloadable (“DSP”). A
`
`DSP can protect against threats posed by malicious code in a number of ways. In
`
`one example, the DSP may be derived and used in real-time to determine an action
`
`to be taken on the Downloadable, such as whether to block it or allow it to pass to
`
`a destination computer. See id. at 6:13–24 (disclosing a comparator comparing a
`
`
`
` - 15 -
`
`
`
`
`
`DSP against a security policy and determining whether to pass or fail the
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`Downloadable associated with the DSP). In other instances, the profile could be
`
`analyzed by one or more components of a security system to classify malicious
`
`content. See id. at 7:26–29 (disclosing classifying a Downloadable as hostile so
`
`that it may be added to a list of Downloadables to block). In still other instances,
`
`the profile could be used to provide information to a customer regarding the types
`
`of threats that are observed on the network. See id. at 6:64–7:6 (disclosing two
`
`examples of reporting a malicious Downloadable: forwarding a non-hostile
`
`Downloadable to the intended recipient; and storing a status report in an event log
`
`for later review).
`
`Deriving a List of Suspicious Computer Operations Necessarily Requires Deeming
`Certain Operations as Suspicious
`
`47. One key aspect of the DSP that facilitates the powerful, efficient, and
`
`flexible analysis techniques disclosed in the ‘494 Patent is the inclusion of a list of
`
`suspicious computer operations that may be attempted by the Downloadable. See
`
`id. at 4:33–37; ‘494 Patent at claims 1 and 10. Simply listing every operation,
`
`regardless of whether it is suspicious, does not create a list of suspicious computer
`
`operations without the additional step of deeming certain operations as suspicious.
`
`Otherwise, a different type of list would be created, namely a list of computer
`
`operations, as opposed to the required “list of suspicious computer operations.”
`
`
`
` - 16 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`Indeed, the specification describes an example of how a list of suspicious computer
`
`operations is derived, which includes determining whether the resolved command
`
`is suspicious (e.g. step 715) and how this process is distinctly different from the
`
`process of determining “whether all operations in the Downloadable code have
`
`been resolved” (e.g. step 725):
`
`The code scanner 325 in step 710 resolves a respective command…,
`and in step 715 determines whether the resolved command is
`suspicious (e.g., whether the command is one of the operations
`identified in the list described above with reference to FIG. 3). If
`not, then the code scanner 325 in step 725 determines whether it has
`completed decomposition of the Downloadable, i.e., whether all
`operations in the Downloadable code have been resolved. If so, then
`method 628 ends. Otherwise, method 628 returns to step 710.
`
`Otherwise, if the code scanner 325 in step 715 determines that the
`resolved command is suspect, then the code scanner 325 in step 720
`decodes and registers the suspicious command and its command
`parameters as DSP data 310.
`
`‘194 Patent at 9:24–37 (emphasis added); see also ‘194 Patent at Fig. 7 (step 715
`
`“Is the resolved command suspect?”).
`
`48. Accordingly, it is my opinion that suspicious computer operations
`
`must be understood as the subset of all possible computer operations that may be
`
`attempted by the Downloadable that have been deemed suspicious.
`
`
`
` - 17 -
`
`
`
`
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`49. Generating a list of suspicious computer operations provides more
`
`efficient and effective detection than simply listing every operation. Efficiency
`
`gains manifest on the back end where analysis need only proceed with respect to
`
`those operations that have already been deemed suspicious. For example, using a
`
`DSP that includes a list of suspicious computer operations to determine whether or
`
`not to pass a Downloadable to its destination is based solely on a relatively simple
`
`comparison of the DSP against a security policy:
`
`the
`the Downloadable,
`receives
`The ACL comparator 330
`corresponding DSP data and the security policy 305 from the code
`scanner 325, and compares the DSP data against the security policy
`305. That is, the ACL comparator 330 compares the DSP data of the
`received Downloadable against the access control lists 410 in the
`received security policy 305. The access control list 410 contains
`criteria indicating whether to pass or fail the Downloadable. For
`example, an access control
`list may
`indicate
`that
`the
`Downloadable fails if the DSP data includes a WRITE command
`to a system file. The ACL comparator 330 sends its results to the
`logical engine 333.
`
` ‘194 Patent at 6:13–24 (emphasis added).
`
`50. The relatively simple comparison made possible by virtue the list of
`
`suspicious computer operations claimed in the ‘494 Patent is far more efficient
`
`
`
` - 18 -
`
`
`
`
`
`than the type of analysis disclosed in the Swimmer reference which requires, for
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`example, analysis of an entire stream of activity data.
`
`51. Moreover, by storing the DSP, including the list of suspicious
`
`computer operations, in a database means avoids the slow process of deriving a
`
`comprehensive listing of operations each time a known Downloadable is received.
`
`As networks scale up, the likelihood that a particular Downloadable will be
`
`requested multiple times—potentially by different users associated with different
`
`security policies against which the DSP is compared—increases. Using the DSPs
`
`in this manner, therefore, yields dividends each time.
`
`52. Generating a list of suspicious computer operations also provides
`
`more effective detection of malware that obfuscates its true intention by including
`
`numerous benign actions when compared with techniques that log every operation.
`
`Most of the time, such malware continues to rely on the same set of computer
`
`operations to cause harm as before. By deeming certain sets of these behaviors as
`
`potentially hostile, the claimed invention can cut through the obfuscation to
`
`recognize malware based on recognizing patterns of behaviors previously deemed
`
`to be suspicious behaviors. See ‘194 Patent at 5:58-6:3 (providing an example
`
`combination of certain file, network, registry, operating system and process
`
`operations as “an example of List of Operations Deemed Potentially Hostile”); see
`
`also ‘194 Patent at 9:24–37(describing examples of determining “whether the
`
`
`
` - 19 -
`
`
`
`
`
`resolved command is suspicious (e.g., whether the command is one of the
`
`Declaration of Dr. Nenad Medvidovic
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`operations identified in the list described above with reference to FIG. 3).”).
`
`Storing the DSP in a Database
`
`53. Providing security for a computer system often involves weighing
`
`tradeoffs between safety and system performance. In the context of the ‘494
`
`Patent, for example, deriving a DSP for a Downloadable entering a network is
`
`resource and time intensive. See, e.g., id. at 6:5–9 (“In the preferred embodiment,
`
`the code scanner 325 performs a full-content inspection. However, for improved
`
`speed but reduced security, the code scanner 325 may examine only a portion of
`
`the Downloadable such as the Downloadable header.”). A process that requires
`
`scanning every incoming Downloadable can, therefore, impose an un
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
