____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD

____________

SYMANTEC CORP.
Petitioner
v.
FINJAN, INC.
Patent Owner

____________

Case IPR2015-01892
U.S. Patent No. 8,677,494

____________

DECLARATION OF NENAD MEDVIDOVIC, PH.D. ON THE VALIDITY OF CLAIMS 1, 2, 5, 6, 10, 11, 14, AND 15 OF U.S. PATENT NO. 8,677,494 IN SUPPORT OF PATENT OWNER’S RESPONSE

Declaration of Dr. Nenad Medvidovic
IPR2015-01892 (U.S. Patent No. 8,677,494)

TABLE OF CONTENTS

I. QUALIFICATIONS
II. SCOPE OF ASSIGNMENT AND APPROACH
III. APPLICABLE STANDARDS AND CONTROLLING PRINCIPLES
    A. ANTICIPATION
    B. OBVIOUSNESS
    C. PERSON OF ORDINARY SKILL IN THE ART
IV. SUMMARY OF MY OPINIONS
V. OVERVIEW OF THE ‘494 PATENT
VI. CLAIM CONSTRUCTION
    A. “DATABASE”
    B. “LIST OF SUSPICIOUS COMPUTER OPERATIONS”
    C. “STORING THE DOWNLOADABLE SECURITY PROFILE DATA IN A DATABASE”
VII. DISCUSSION AND OPINIONS REGARDING THE CONTRAST BETWEEN THE CLAIMS OF THE ‘494 PATENT AND THE PRIOR ART
    A. SWIMMER DOES NOT TEACH OR SUGGEST “[A DOWNLOADABLE SCANNER COUPLED WITH SAID RECEIVER, FOR] DERIVING SECURITY PROFILE DATA FOR THE DOWNLOADABLE, INCLUDING A LIST OF SUSPICIOUS COMPUTER OPERATIONS THAT MAY BE ATTEMPTED BY THE DOWNLOADABLE”
    B. SWIMMER DOES NOT TEACH OR SUGGEST “STORING THE DOWNLOADABLE SECURITY PROFILE DATA IN A DATABASE”
    C. SWIMMER DOES NOT TEACH OR SUGGEST “A DATABASE MANAGER COUPLED WITH SAID DOWNLOADABLE SCANNER, FOR STORING THE DOWNLOADABLE SECURITY PROFILE DATA IN A DATABASE”
    D. SWIMMER DOES NOT TEACH OR SUGGEST “WHEREIN THE DOWNLOADABLE INCLUDES PROGRAM SCRIPT”
VIII. SECONDARY CONSIDERATIONS OF NON-OBVIOUSNESS
    A. Commercial Success
    B. Long-Felt But Unresolved Need and Recognition of a problem
    C. Skepticism and Unexpected Results
    D. Teaching away by others

I, Nenad Medvidovic, Ph.D., declare and state as follows:

I. QUALIFICATIONS

1. I make this Declaration based upon my own personal knowledge, information, and belief, and I would and could competently testify to the matters set forth herein if called upon to do so.

2. I received a Bachelor of Science (“BS”) degree, Summa Cum Laude, from Arizona State University’s Computer Science and Engineering department.

3. I received a Master of Science (“MS”) degree from the University of California at Irvine’s Information and Computer Science department.

4. I received a Doctor of Philosophy (“PhD”) degree from the University of California at Irvine’s Information and Computer Science department. My dissertation was entitled, “Architecture-Based Specification-Time Software Evolution.”

5. I am employed by the University of Southern California (“USC”) as a faculty member in the Computer Science Department, and have been since January, 1999. I currently hold the title of Professor with tenure. Between January, 2009 and January 2013, I served as the Director of the Center for Systems and Software Engineering at USC. Between July, 2011, and July, 2015, I served as my Department’s Associate Chair for PhD Affairs.

6. I teach graduate and undergraduate courses in Software Architecture, Software Engineering, and Embedded Systems, and advise PhD students. I have graduated 15 PhD students and advise 7 students currently pursuing a PhD.

7. I served as Program Co-Chair for the flagship conference in my field—International Conference on Software Engineering (“ICSE”)—held in May 2011. I have served as Chair or Co-Chair for various other conferences in the Software Engineering field, including: the Fifth Working IEEE/IFIP Conference on Software Architecture, the Third IEEE International Conference on Self-Adaptive and Self-Organizing Systems, the Fifteenth International ACM SIGSOFT Symposium on Component Based Software Engineering, the IEEE/CSSE/ISE Workshop on Software Architecture Challenges for the 21st Century, and the Doctoral Symposium at the Sixteenth ACM SIGSOFT International Symposium on the Foundations of Software Engineering.

8. I serve or have served as an editor of several peer-reviewed journals, including: “IEEE Transactions on Software Engineering,” “ACM Transactions on Software Engineering and Methodology”, “Journal of Software Engineering for Robotics,” “Elsevier Information and Software Technology Journal,” “Journal of Systems and Software,” “Journal of Software Engineering Research and Development,” and “Springer Computing Journal.” Additionally, I have served as a guest editor of several special issues for different journals.

9. Between September 2013 and September 2015 I served as Chair of the ICSE Steering Committee. I am currently a member of the Steering Committee of the European Conference on Software Engineering. I previously served as a member of the Steering Committees of ICSE and of the Working IEEE/IFIP Conference on Software Architecture.

10. Since July, 2015, I have served as Chair of the Association for Computing Machinery’s Special Interest Group on Software Engineering (ACM SIGSOFT), the largest professional organization in my field of work.

11. I co-authored “Software Architecture: Foundations, Theory, and Practice,” a widely used textbook in the field of Software Systems’ Architecture.

12. I have served as editor of various books in the Software Engineering field including: “Proceedings of the 3rd International Conference on Self-Adaptive and Self-Organizing Systems,” “Proceedings of the Warm-Up Workshop for the 32nd International Conference on Software Engineering,” and “Proceedings of the 5th Working IEEE/IFIP Conference on Software Architecture.”

13. I have authored or co-authored over 200 papers in the Software Engineering field. My most cited paper has been cited nearly 2,500 times. A paper I co-authored in the 1998 International Conference on Software Engineering, my field’s flagship conference, was given ten years later, in 2008, that conference’s Most Influential Paper Award.

14. I have served as referee or reviewer for over twenty peer-reviewed journals, including: “ACM Transactions on Software Engineering and Methodology,” “IEEE Transactions on Software Engineering,” “Journal of Software Engineering for Robotics,” “IEEE Software,” “IEEE Transactions on Industrial Informatics,” “Elsevier Information and Software Technology Journal,” “Journal of Systems and Software,” “Journal of Automated Software Engineering,” “IEEE Transactions on Parallel and Distributed Systems,” “IEEE Computer,” and “IEEE Proceedings – Software Engineering.”

15. I have been named a Distinguished Scientist of the Association for Computing Machinery (“ACM”). I have been elected a Fellow of the Institute of Electrical and Electronics Engineers (IEEE), IEEE’s highest grade that is granted to less than 0.1% of its membership annually.

16. I am very familiar with and have substantial expertise in the area of software systems development / software engineering, software architecture, software design, and distributed systems.

17. I have reviewed in detail U.S. Patent No. 8,677,494 (Ex. 1001, the “‘494 Patent”); the Petition for Inter Partes Review of the ‘494 Patent filed in Case No. IPR2015-01892 (Paper No. 1, “Petition”); Dr. Davidson’s declaration filed in Case No. IPR2015-01892 (Ex. 1018, “Davidson Decl.”); the Board’s Institution Decision in Case No. IPR2015-01892 (Paper 9, the “Institution Decision”); Patent Owner’s Request for Rehearing in Case No. IPR2015-01892 (Paper No. 13, “Rehearing Request”); the Board’s Decision Denying Request for Rehearing (Paper No. 21, “Decision Denying Rehearing”); the deposition transcript of Dr. Jack Davidson (Ex. 2012, “Davidson Transcript” or “Davidson Tr.”); and Morton Swimmer, “Dynamic Detection and Classification of Computer Viruses Using General Behavior Patterns,” Virus Bulletin Conference, September 1995 (Ex. 1005, “Swimmer”).

18. I understand that I am submitting a declaration in connection with the above-referenced Inter Partes review (“IPR”) proceeding involving the ‘494 Patent.

II. SCOPE OF ASSIGNMENT AND APPROACH

19. I have been retained as an expert on behalf of Patent Owner, Finjan, Inc., (“Finjan”), to provide information and opinions to the Patent Trial and Appeal Board (hereinafter “the Board”) to assist in the determination of the validity of certain of Finjan’s patent claims of the ‘494 Patent for which the Board has instituted an IPR proceeding. Specifically, counsel for Finjan asked me to provide opinions regarding the validity of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494 Patent in view of certain prior art references cited by Petitioner Symantec Corp. (“Symantec”).

20. I have been informed by counsel and I understand that the analysis of whether a patent is anticipated or obvious is performed from the perspective of a person of ordinary skill in the art at the time of the patented inventions. The relevant timeframe for the Method Claims of the ‘494 Patent is November 1996.

21. In reaching the opinions expressed in this declaration, I adopt the claim constructions set forth by the Board in its Institution Decision. See Institution Decision, pp. 6–11.

22. In addition to the documents referred to in paragraph 17, which are already of reference in this case, a list of the documents and materials that I considered in connection with the development of my opinions set forth in this declaration is attached to Patent Owner’s Response as Ex. 2009. I have reviewed the documents cited by Dr. Davidson in his declaration. I intend the full page range of all exhibits attached to his declaration be considered as part of this declaration.

23. I am being compensated for my time spent in connection with this matter at the rate of $350 per hour for regular work, and $500 an hour for deposition and trial testimony. My compensation is in no way contingent on the outcome of this case.

24. To the extent that I am presented with new information concerning the subject matter of this declaration or affecting any assumptions made herein, I reserve the right to supplement this declaration accordingly.

III. APPLICABLE STANDARDS AND CONTROLLING PRINCIPLES

A. ANTICIPATION

25. Counsel has informed me, and I understand, that an issued patent claim is invalid as anticipated if each and every element of that claim is disclosed in a single prior art reference that enables a person of ordinary skill in the art to make the allegedly anticipating subject matter. I understand that to be anticipatory, a reference must enable one of skill in the art to practice an embodiment of the claimed invention without undue experimentation.

26. Counsel has informed me, and I understand, that if a prior art reference does not disclose a given element expressly, it may do so inherently. I have been informed by counsel and I further understand that a prior art reference will inherently anticipate a claimed invention if any claim elements or other information missing from the reference would nonetheless be known by the person of ordinary skill in the art to be necessarily present in the subject matter of the reference.

B. OBVIOUSNESS

27. Counsel has informed me, and I understand, that an issued patent claim is invalid as obvious if it can be shown that the differences between the patented subject matter and the prior art are such that the subject matter as a whole would have been obvious, at the time the invention was made, to a person having ordinary skill in the art. Relevant considerations include the level of ordinary skill in the art; the scope and content of the prior art; differences between the prior art and the claims at issue; and the so-called objective secondary factors of nonobviousness.

28. Counsel has informed me, and I understand, that in order to evaluate the obviousness of any claim of the ‘494 Patent over a given prior art combination, I should analyze whether the prior art references, included collectively in the combination, disclose each and every element of the allegedly invalid claim as those references are read by the person of ordinary skill in the art at the time of the invention. Then I am to determine whether that combination makes the claims of the ‘494 Patent obvious to the person of ordinary skill in the art by a preponderance of the evidence, at the time of the inventions. I understand that such preponderance of the evidence is satisfied if the proposition is more likely to be true than not true.

29. Counsel has informed me, and I understand, that the obviousness inquiry requires that the prior art be considered in its entirety. I am further informed and I understand that an invention cannot be obvious to try where “the breadth of the[] choices and the numerous combinations indicate that the[] disclosures would not have rendered the claimed invention obvious to try.”

30. Counsel has informed me, and I understand, that even where all of the claim limitations are expressly disclosed in the prior art references, there must be some showing that a person of ordinary skill in the art would have been motivated to combine such prior art references and that there would have been a reasonable expectation of successfully achieving the claimed invention from such combination.

31. Counsel has informed me, and I understand, in considering the obviousness of a claimed invention, one should not view the invention and the prior art with the benefit of hindsight. It is for that reason, I am informed and I understand, that obviousness is assessed by the person of ordinary skill in the art at the time the invention was made. In this regard, I am informed and I understand that the invention cannot be used as a guide to selecting and understanding the prior art. I understand that the appropriate standard is to determine whether a person of skill in the art would be motivated to combine references, not whether they could.

32. Counsel has informed me, and I understand, that obviousness cannot be predicated on what was unknown at the time of the invention, even if the inherency of a certain feature is later established. Counsel has also informed me, and I understand, that unknown properties of the prior art may not be relied upon to provide the rationale for modifying or combining the prior art to reach the claimed subject matter.

33. Counsel has informed me, and I understand, that a reference may be said to teach away when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the applicant.

34. Counsel has informed me, and I understand, that the “time of invention” applicable to the inventions of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494 Patent is no later than November 8, 1996, which I understand to be the priority date of the ‘494 Patent.

C. PERSON OF ORDINARY SKILL IN THE ART

35. Counsel has informed me, and I understand, that the “person of ordinary skill in the art” is a hypothetical person who is presumed to be familiar with the relevant scientific field and its literature at the time of the invention. This hypothetical person is also a person of ordinary creativity capable of understanding the scientific principles applicable to the pertinent field.

36. I am informed by counsel and I understand that the level of ordinary skill in the art may be determined by reference to certain factors, including (1) the type of problems encountered in the art, (2) prior art solutions to those problems, (3) the rapidity with which innovations are made, (4) the sophistication of the technology, and (5) the educational level of active workers in the field. I further understand that the ‘494 Patent claims a priority date of November 8, 1996.

37. It is my opinion that the person of ordinary skill in the art in the field of the ‘494 Patent would be someone with a bachelor’s degree in computer science or related field, and either (1) two or more years of industry experience and/or (2) an advanced degree in computer science or related field.

38. Based on my training and experience, I believe that I am a person of greater-than-ordinary skill in the relevant art and, as of November 1996, was a person of ordinary skill in the relevant art, which permits me to give an opinion about the qualifications of one of ordinary skill at the time of the invention.

39. I note that Dr. Davidson’s opinion on person of ordinary skill in the art in his declaration is (Davidson Decl. at ¶ 30):

    In my opinion, a person of ordinary skill in the art at the time of the ‘494 Patent would have a Master’s degree in computer science, computer engineering, or a similar field, or a Bachelor’s degree in computer science, computer engineering, or a similar field, with approximately two years of industry experience relating to computer security. Additional graduate education might substitute for experience, while significant experience in the field of computer programming and malicious code might substitute for formal education.

40. My opinions stated in this declaration would be the same if rendered from the perspective of a person of ordinary skill in the art set out by Dr. Davidson.

IV. SUMMARY OF MY OPINIONS

41. In this declaration I explain that the person of ordinary skill in the art understands, and I conclude, that claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494 Patent are not obvious over Swimmer.

V. OVERVIEW OF THE ‘494 PATENT

42. The ‘494 patent focuses on inspecting content that is requested by a computer and verifying that the code is legitimate and will not cause any harm before it is allowed to run on the destination computer. In other words, the technology disclosed in the ‘494 Patent focuses on protecting a computer system from potentially malicious Downloadables. Edery et al. U.S. Patent No. 6,092,194, 1:24–27 (Ex. 1013, the “‘194 Patent”).[1] In the context of the ‘494 Patent, “[a] Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer.” Id. at 1:44–47.

[1] The ‘194 Patent is the great-great-great grandparent of the ‘494 Patent, and the ‘494 Patent incorporates the disclosure of the ‘194 Patent by reference. See ‘494 Patent at 1:8–55. The Board has previously determined that claims 1, 2, 5, 6, 10, 11, 14, and 15 are entitled to the benefit of the filing date of the application that matured into the ‘194 Patent, U.S. Patent Application No. 08,964,388 (“the ‘388 application”), filed November 6, 1997. See Decision Denying Institution, Symantec Corp. v. Finjan, Inc., Case No. IPR2015-01897, Paper No. 7 at 2 (P.T.A.B. Feb. 26, 2016).

43. The techniques disclosed in the ‘494 Patent protect a destination computer from potentially malicious code by inspecting an incoming Downloadable, generating a security profile for the Downloadable (“DSP”), and storing the Downloadable security profile in a database. See ‘494 Patent at claims 1 and 10; ‘194 Patent at 3:10–13 (disclosing receiving an incoming Downloadable at an internal security system from an external computer network); 5:41–48 (disclosing deriving a DSP for an incoming Downloadable); 6:9–12 (disclosing storing the DSP in a database).

Receiving an Incoming Downloadable

44. The specification further states that a “Downloadable is typically requested by an ongoing process such as an Internet browser or web engine.” ‘194 Patent at 1:47–49. Downloadables are typically obtained from websites that a user believes to be legitimate in the form of Java applets, ActiveX controls, JavaScript, Visual Basic scripts, etc. Id. at 1:49–55. For that reason, Downloadables are common vectors for delivery of malicious code to a system. Id. at 1:41–44. Since this type of mobile code bypassed the traditional virus security measures in place at the time of the ‘494 Patent, the additional protections provided in the ‘494 Patent were and are needed in order to minimize damage to computer systems caused by this type of code. Id. at 1:37–44. In particular, a receiver intercepts a Downloadable from the Internet intended for the client, which allows the ‘494 Patent to identify the code and protect clients before the Downloadable resides within the filesystem of the client:

    The internal network security system 110 further includes an external communications interface 210 coupled between the communications channel 125 and the signal bus 220 for receiving Downloadables from external computer network 105, and an internal communications interface 225 coupled between the signal bus 220 and the communications channel 130 for forwarding Downloadables not deemed suspicious to the internal computer network 115

‘194 Patent at 3:27–35.

45. An example of a security system that includes such a receiver is shown in Figure 1 at 110, below:

[Figure 1 of the ‘194 Patent]

‘194 Patent at Fig. 1. Thus, one of skill in the art understood that the receiving of an incoming downloadable requires, at least, intercepting the Downloadable before the Downloadable resides within the filesystem of the client it is trying to protect.

Downloadable Security Profile (DSP)

46. The techniques disclosed in the ‘494 Patent protect a destination computer from potentially malicious code by inspecting an incoming Downloadable and generating a security profile for the Downloadable (“DSP”). A DSP can protect against threats posed by malicious code in a number of ways. In one example, the DSP may be derived and used in real-time to determine an action to be taken on the Downloadable, such as whether to block it or allow it to pass to a destination computer. See id. at 6:13–24 (disclosing a comparator comparing a DSP against a security policy and determining whether to pass or fail the Downloadable associated with the DSP). In other instances, the profile could be analyzed by one or more components of a security system to classify malicious content. See id. at 7:26–29 (disclosing classifying a Downloadable as hostile so that it may be added to a list of Downloadables to block). In still other instances, the profile could be used to provide information to a customer regarding the types of threats that are observed on the network. See id. at 6:64–7:6 (disclosing two examples of reporting a malicious Downloadable: forwarding a non-hostile Downloadable to the intended recipient; and storing a status report in an event log for later review).

Deriving a List of Suspicious Computer Operations Necessarily Requires Deeming Certain Operations as Suspicious

47. One key aspect of the DSP that facilitates the powerful, efficient, and flexible analysis techniques disclosed in the ‘494 Patent is the inclusion of a list of suspicious computer operations that may be attempted by the Downloadable. See id. at 4:33–37; ‘494 Patent at claims 1 and 10. Simply listing every operation, regardless of whether it is suspicious, does not create a list of suspicious computer operations without the additional step of deeming certain operations as suspicious. Otherwise, a different type of list would be created, namely a list of computer operations, as opposed to the required “list of suspicious computer operations.” Indeed, the specification describes an example of how a list of suspicious computer operations is derived, which includes determining whether the resolved command is suspicious (e.g. step 715) and how this process is distinctly different from the process of determining “whether all operations in the Downloadable code have been resolved” (e.g. step 725):

    The code scanner 325 in step 710 resolves a respective command…, and in step 715 determines whether the resolved command is suspicious (e.g., whether the command is one of the operations identified in the list described above with reference to FIG. 3). If not, then the code scanner 325 in step 725 determines whether it has completed decomposition of the Downloadable, i.e., whether all operations in the Downloadable code have been resolved. If so, then method 628 ends. Otherwise, method 628 returns to step 710.

    Otherwise, if the code scanner 325 in step 715 determines that the resolved command is suspect, then the code scanner 325 in step 720 decodes and registers the suspicious command and its command parameters as DSP data 310.

‘194 Patent at 9:24–37 (emphasis added); see also ‘194 Patent at Fig. 7 (step 715 “Is the resolved command suspect?”).

48. Accordingly, it is my opinion that suspicious computer operations must be understood as the subset of all possible computer operations that may be attempted by the Downloadable that have been deemed suspicious.

49. Generating a list of suspicious computer operations provides more efficient and effective detection than simply listing every operation. Efficiency gains manifest on the back end where analysis need only proceed with respect to those operations that have already been deemed suspicious. For example, using a DSP that includes a list of suspicious computer operations to determine whether or not to pass a Downloadable to its destination is based solely on a relatively simple comparison of the DSP against a security policy:

    The ACL comparator 330 receives the Downloadable, the corresponding DSP data and the security policy 305 from the code scanner 325, and compares the DSP data against the security policy 305. That is, the ACL comparator 330 compares the DSP data of the received Downloadable against the access control lists 410 in the received security policy 305. The access control list 410 contains criteria indicating whether to pass or fail the Downloadable. For example, an access control list may indicate that the Downloadable fails if the DSP data includes a WRITE command to a system file. The ACL comparator 330 sends its results to the logical engine 333.

‘194 Patent at 6:13–24 (emphasis added).

50. The relatively simple comparison made possible by virtue of the list of suspicious computer operations claimed in the ‘494 Patent is far more efficient than the type of analysis disclosed in the Swimmer reference which requires, for example, analysis of an entire stream of activity data.

51. Moreover, storing the DSP, including the list of suspicious computer operations, in a database avoids the slow process of deriving a comprehensive listing of operations each time a known Downloadable is received. As networks scale up, the likelihood that a particular Downloadable will be requested multiple times—potentially by different users associated with different security policies against which the DSP is compared—increases. Using the DSPs in this manner, therefore, yields dividends each time.
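
The flow described in paragraphs 47 through 51 (deem operations suspicious, register them as DSP data, store the DSP, then compare it against each requester's policy), as an added Python illustration. It is not code from the ‘194 or ‘494 Patents or from the declarant; the operation names, the toy script format, the SHA-256 lookup key and the shape of the ACL rules are assumptions made for the example.

```python
import hashlib
import json
import sqlite3

# Assumption: constructed stand-in for a "list of operations deemed potentially
# hostile"; the patent's own list is not reproduced on this page.
SUSPICIOUS_OPS = {"FILE_WRITE", "FILE_DELETE", "REGISTRY_WRITE",
                  "NET_CONNECT", "PROCESS_CREATE"}

# Constructed sample Downloadable in a toy one-operation-per-line format.
SAMPLE = (b"FILE_READ C:\\TEMP\\a.txt\n"
          b"MATH_ADD 1 2\n"
          b"FILE_WRITE C:\\WINDOWS\\system.ini\n"
          b"NET_CONNECT 203.0.113.7:80\n")

# Constructed policies: (operation, parameter prefix) pairs that fail a Downloadable.
POLICY_A = [("FILE_WRITE", "C:\\WINDOWS\\")]  # fail on a WRITE to a system file
POLICY_B = [("PROCESS_CREATE", "")]           # fail on any process creation


def resolve_operations(code: bytes):
    """Hypothetical decomposition step: yield (operation, parameters) pairs."""
    for line in code.decode("ascii").splitlines():
        op, _, params = line.strip().partition(" ")
        if op:
            yield op, params


def derive_dsp(code: bytes):
    """Keep only the operations deemed suspicious, with their parameters."""
    dsp = []
    for op, params in resolve_operations(code):  # resolve a command (step 710)
        if op in SUSPICIOUS_OPS:                 # is it suspect? (step 715)
            dsp.append((op, params))             # register as DSP data (step 720)
    return dsp                                   # all operations resolved (step 725)


class ProfileStore:
    """Stores each DSP once so a known Downloadable is not scanned again."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE dsp (downloadable_id TEXT PRIMARY KEY,"
                        " profile TEXT NOT NULL)")
        self.scans = 0  # how many times the slow derivation actually ran

    def profile_for(self, code: bytes):
        # Assumption: the Downloadable is identified by the SHA-256 of its bytes.
        did = hashlib.sha256(code).hexdigest()
        row = self.db.execute("SELECT profile FROM dsp WHERE downloadable_id = ?",
                              (did,)).fetchone()
        if row is not None:
            return [tuple(entry) for entry in json.loads(row[0])]
        self.scans += 1
        dsp = derive_dsp(code)
        self.db.execute("INSERT INTO dsp VALUES (?, ?)", (did, json.dumps(dsp)))
        return dsp


def acl_passes(dsp, acl):
    """Compare stored DSP data against one policy; False means fail."""
    for op, params in dsp:
        for rule_op, prefix in acl:
            if op == rule_op and params.upper().startswith(prefix.upper()):
                return False
    return True


if __name__ == "__main__":
    store = ProfileStore()
    for user, policy in (("user-a", POLICY_A), ("user-b", POLICY_B)):
        dsp = store.profile_for(SAMPLE)
        verdict = "pass" if acl_passes(dsp, policy) else "fail"
        print(user, verdict, "scans so far:", store.scans)
```

The second request for the same Downloadable is answered from the stored profile, so only the policy comparison runs again.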

52. Generating a list of suspicious computer operations also provides more effective detection of malware that obfuscates its true intention by including numerous benign actions when compared with techniques that log every operation. Most of the time, such malware continues to rely on the same set of computer operations to cause harm as before. By deeming certain sets of these behaviors as potentially hostile, the claimed invention can cut through the obfuscation to recognize malware based on recognizing patterns of behaviors previously deemed to be suspicious behaviors. See ‘194 Patent at 5:58–6:3 (providing an example combination of certain file, network, registry, operating system and process operations as “an example of List of Operations Deemed Potentially Hostile”); see also ‘194 Patent at 9:24–37 (describing examples of determining “whether the resolved command is suspicious (e.g., whether the command is one of the operations identified in the list described above with reference to FIG. 3).”).

Storing the DSP in a Database

53. Providing security for a computer system often involves weighing tradeoffs between safety and system performance. In the context of the ‘494 Patent, for example, deriving a DSP for a Downloadable entering a network is resource and time intensive. See, e.g., id. at 6:5–9 (“In the preferred embodiment, the code scanner 325 performs a full-content inspection. However, for improved speed but reduced security, the code scanner 325 may examine only a portion of the Downloadable such as the Downloadable header.”). A process that requires scanning every incoming Downloadable can, therefore, impose an un