U.S. Patent No. 8,677,494

Filed on behalf of Symantec Corporation

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

SYMANTEC CORPORATION
Petitioner

v.

FINJAN, INC.
Patent Owner

Case To Be Assigned
U.S. Patent No. 8,677,494

DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF PETITIONER PURSUANT TO 37 C.F.R. § 42.120

Symantec 1018
IPR of U.S. Pat. No. 8,677,494

Inter Partes Review of U.S. Patent No. 8,677,494

Declaration of Jack W. Davidson In Support of Petitioner Pursuant to 37 C.F.R. § 42.120

I, Jack W. Davidson, declare as follows:

I. Overview

1. I am over 21 years of age and otherwise competent to make this Declaration. I make this Declaration based upon facts and matters within my own knowledge and on information provided to me by others.

2. I have been retained as an expert witness to provide testimony on behalf of Symantec Corporation (“Symantec” or “Petitioner”) as part of the above-captioned inter partes review proceeding (“IPR”), including issues relating to the validity of U.S. patent number 8,677,494 (“the ’494 patent”), entitled “Malicious mobile code runtime monitoring system and methods.” I also understand that the ’494 patent was filed on November 7, 2011 and issued on March 18, 2014 and that the ’494 patent is currently assigned to Finjan, Inc. (“Finjan” or “Patent Owner”).

3. In addition to this Declaration, I have also prepared a separate declaration in support of another IPR petition also involving the validity of the ’494 patent, which I understand is being filed by Symantec concurrently with this Petition and Declaration. As discussed in more detail in my other declaration, it is my understanding that, in the other petition, Symantec is challenging the priority date of the ’494 patent. For purposes of this Declaration, however, I was asked to assume that the challenged claims are entitled to the earliest priority date referenced in the ’494 patent, i.e., November 8, 1996.

4. I have reviewed and am familiar with the specification and prosecution history of the ’494 patent. A copy of the ’494 patent is provided as Symantec 1001. I have also reviewed the related patents referenced in the ’494 patent specification and certain portions of their prosecution histories, where relevant. As I explain in more detail below, I am familiar with the technology at issue as of the time of the ’494 patent, which, for purposes of this Declaration, I have assumed to be November 8, 1996.

5. I have also reviewed and am familiar with the following prior art, which I understand is being used by Symantec in the Petition for Inter Partes Review of the ’494 patent:

a. U.S. Patent No. 5,313,616 (“Cline”)

b. A Sense of Self for Unix Processes, by Stephanie Forrest et al. (“Forrest”)

c. Dynamic Detection and Classification of Computer Viruses Using General Behaviour Patterns, by Morton Swimmer et al. (“Swimmer”)

d. U.S. Patent No. 5,623,600 (“Ji”)

6. With its corresponding Petition and this supporting Declaration, I understand Symantec is requesting that the Patent Office institute a review of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ’494 patent, and that the requested review is based on the following grounds:

a. Ground 1: Swimmer anticipates claims 1, 2, 6, 10, 11, and 15 under 35 U.S.C. § 102

b. Ground 2: Swimmer renders obvious claims 5 and 14 under 35 U.S.C. § 103

c. Ground 3: Cline in view of Ji renders obvious claims 1, 2, 5, 6, 10, 11, and 15 under 35 U.S.C. § 103

d. Ground 4: Forrest in view of Ji renders obvious claims 1, 2, 5, 6, 10, 11, and 15 under 35 U.S.C. § 103

7. I have been asked to provide a technical review, analysis, and insight regarding the above-noted references, which I understand form the basis for the grounds of rejection set forth in the Petition.

8. I am being compensated for my time in connection with this IPR at a rate of $400 per hour. I am also being compensated for any out-of-pocket expenses for my work in this review. My compensation as an expert is in no way dependent upon the results of any investigations I undertake, the substance of any opinion I express, or the ultimate outcome of the review proceedings. I have been advised that Bryan Cave LLP represents the Petitioner Symantec, Inc. in this matter. I have no direct financial interest in Symantec, Finjan, or the ’494 patent.

II. My Background and Qualifications

9. I am a Professor of Computer Science at the University of Virginia. In addition, I am the Founder and President of Zephyr Software LLC. Zephyr Software, in business since 2001, provides a variety of services including innovative computer security solutions targeted mainly for U.S. Department of Defense applications. For more than 35 years, I have been involved in the design of computer systems and software as well as leading and managing large software development projects.

10. I earned a Bachelor’s of Applied Science in Computer Science from Southern Methodist University in 1975, a Master’s of Science in Computer Science from Southern Methodist University in 1977, and a Doctorate in Computer Science from the University of Arizona in 1981. After receiving my Doctorate, I joined the faculty at the University of Virginia. In addition, I have held visiting positions at Princeton University and Microsoft Research in Redmond, Washington.

11. For over 35 years, I have conducted research in a variety of areas in computer science including compilers, interpreters, programming languages, computer architecture, embedded systems, program analysis, and most recently computer security. My current research in computer security involves developing methodologies for preventing attacks against critical, enterprise-level computer systems and preventing malware from infecting personal and mobile computers. In these areas and others I have led and managed several large-scale projects involving the collaboration of top U.S. researchers. I am currently leading a large project ($5.8M) called the Cyber Fault-tolerant Attack Recovery project at the University of Virginia, which has been funded by the Defense Advanced Research Projects Agency (DARPA). The goal of the Cyber Fault-tolerant Attack Recovery project is to develop defensive cyber techniques that can be deployed to protect existing and planned software systems without requiring changes to the concept of operations of these systems.

12. I am also the principal investigator of a project funded by the Air Force Research Laboratories (“AFRL”) in Rome, NY. The goal of this project is to transition the results of our previously funded research in cyber security from our research laboratory to the field. That is, we are working with the AFRL to automatically secure mission-critical systems against attack by well-funded, determined malicious adversaries and to develop and carry out compelling demonstrations, tests, and exercises that demonstrate the power and effectiveness of the techniques developed in the Dependability Group at the University of Virginia.

13. As my current research focus is in cyber security, I have published extensively in the field of computer security. In addition to other publications, the paper “Safe Virtual Execution Using Software Dynamic Execution” written by Kevin Scott and myself and presented at the 18th Annual Computer Security Applications Conference held in Las Vegas, Nevada in December 2002 is particularly relevant to the matter being considered.

14. My curriculum vitae, which is provided as Symantec 1019, lists my publications in the computer security area.

15. In addition to my scholarly activities in the field of cyber security, I am the President and sole owner of Zephyr Software LLC. I founded Zephyr Software as another vehicle for commercializing my research. Currently, Zephyr Software is focused on commercializing cyber security solutions. Including myself, Zephyr Software has four employees. Zephyr Software currently has Phase II SBIR contracts from DARPA and the Office of Naval Research (“ONR”).

16. The DARPA contract is targeted at securing embedded systems. Network routers, communications equipment, supervisory control and data acquisition (“SCADA”) systems, and industrial control systems (“ICS”) are some examples of embedded systems. Because these systems are part of a critical infrastructure, such as plant operations, the power grid, communication systems, transportation systems, and similar operations, it is vital that these systems be protected from malicious attacks.

17. The work being performed under the ONR contract includes developing techniques to prevent malicious adversaries from taking over the control of a program via a technique known as “program hijacking.” Using program hijacking, a malicious entity can take control of a program to carry out a variety of attacks such as denial of service, secret information leakage, shutdown of critical services, and similar attacks.

18. In addition to my research and commercialization activities, I am also an accomplished and award-winning instructor. In 1989, I received the NCR Faculty Innovation Award for my development of innovative curriculum materials and outstanding teaching. I am the co-author of two widely used introductory programming textbooks, C++ Program Design: An Introduction to Programming and Object-Oriented Design and Java 1.5 Program Design, both published by McGraw-Hill.

19. In 2008, I was co-recipient (with my co-author James P. Cohoon) of the IEEE Computer Society Taylor L. Booth Education Award for “sustained effort to transform introductory computer science education through lab-based multimedia pedagogy coupled with examples that attract a diverse student body.” In addition, I have given invited lectures at the Third International Summer School on Advanced Computer Architecture and Compilation for Embedded Systems held in L’Aquila, Italy in 2007. Approximately 200 students attended this summer school from the member nations of the European Union.

20. As part of my ongoing activities in computer security, I created and teach a course about cyber security at the University of Virginia. The course title is “Defense against the Dark Arts.” The course focuses on teaching students techniques for defending computers from computer viruses, computer worms, and other types of malicious attacks. The course was first taught in the Fall of 2005 and I have taught it multiple times since that time. I last taught the course in Spring of 2014.

21. I also was a lecturer in the inaugural Indo-US Engineering Faculty Leadership Institute held in Mysore, India. The goal of the Leadership Institute is to improve University education in India. The Institute was attended by 120 faculty members from Indian Universities.

22. In the summers of 2010, 2011, 2012, and 2014, I helped organize and lectured at the International Summer School on Information Security and Protection (“ISSISP”) held in Beijing, China (2010), Ghent, Belgium (2011), Tucson, Arizona (2012), and Verona, Italy (2014). Each summer school was attended by 50 students from various international universities. ISSISP 2015 will be held in Rio de Janeiro, Brazil.

23. Because of my expertise and stature within the computing community, I am often asked to serve on important Boards and Councils. I served as an elected member-at-large of the Association for Computing Machinery (ACM) Special Interest Group on Programming Languages (SIGPLAN) for four years. ACM is the largest professional computing society in the world. I was elected chair of SIGPLAN in 2005. I am a member of the ACM Council, which oversees the operation of ACM, and I am co-chair of ACM’s Publications Board, which oversees the publication of the organization’s 44 professional journals and 8 magazines, and a professional book series.

24. As a leading expert in the field, I help organize many technical conferences in the area including the International Conference on Parallel Architectures and Compilation Techniques (“PACT”), International Symposium on Code Generation and Optimization (“CGO”), Conference on Programming Language Design and Implementation (“PLDI”), Conference on Languages, Compilers and Tools for Embedded Systems (“LCTES”), International Conference on Compilers, Architectures and Synthesis for Embedded Systems (“CASES”), Conference on the Principles of Programming Languages (“POPL”), International Conference on Autonomic Computing (“ICAC”), and International Conference on High-Performance and Embedded Architectures (“HiPEAC”).

25. In the past, I was an Associate Editor of the ACM Transactions on Programming Languages and Systems (“TOPLAS”) and ACM Transactions on Architecture and Code Optimization (“TACO”) journals. TOPLAS is the archival journal in the area of programming languages and compilers. TACO is an archival journal in the area of computer architecture and program optimization. In 2009, I received SIGPLAN’s Distinguished Service Award for “substantial and sustained contributions to the programming languages research community and to SIGPLAN in particular.”

26. I am a Senior Member of the Institute of Electrical and Electronics Engineers (“IEEE”), the IEEE Computer Society. I am a Fellow of the Association for Computing Machinery (“ACM”). The ACM Council established the ACM Fellows Program in 1993 to recognize and honor outstanding ACM members for their achievements in computer science and information technology and for their significant contributions to the mission of the ACM. The ACM Fellows serve as distinguished colleagues to whom the ACM and its members look for guidance and leadership as the world of information technology evolves.

27. A more detailed listing of my professional background and accomplishments is found in my curriculum vitae provided as Symantec 1019.

III. My Expertise and the Person of Ordinary Skill in the Art

28. As a result of my more than thirty years’ experience in the field of computer science and my deep involvement over the last 15 years with computer security through teaching and research, I am very familiar with techniques to secure and protect computer systems, including techniques to prevent computer viruses, worms and other types of attacks from corrupting both personal computers and enterprise-level systems.

29. Accordingly, I am qualified to provide expert opinions on the technology described in the ’494 patent as well as the teachings of the prior art references at the time of the ’494 patent.

30. In my opinion, a person of ordinary skill in the art at the time of the ’494 patent would have a Master’s degree in computer science, computer engineering, or a similar field, or a Bachelor’s degree in computer science, computer engineering, or a similar field, with approximately two years of industry experience relating to computer security. Additional graduate education might substitute for experience, while significant experience in the field of computer programming and malicious code might substitute for formal education.

IV. Applicable Legal Standards

31. I am not an attorney and do not expect to offer any opinions regarding the law. However, I have been informed of certain legal principles relating to patent claim construction and invalidity that I relied upon in reaching opinions set forth in this report.

Obviousness

32. It is my understanding that obviousness is determined from the vantage point of a person of ordinary skill in the art at the time the invention was made. In order for a claim to be considered invalid under this ground, I understand that the proposed combination of asserted references must teach or suggest each and every claim feature and that the claimed invention as a whole must have been obvious at that time to one of ordinary skill in the art.[1]

33. My understanding is that one should avoid the use of “hindsight” in assessing whether a claimed invention would have been obvious. For example, an invention should not be considered in view of what persons of ordinary skill would know today, nor should it be reconstructed after the fact by starting with the claims themselves and/or by reading into the prior art the teachings of the invention at issue.

34. It is my understanding that obviousness cannot be proven by mere conclusory statements or by merely showing that an invention is a combination of elements that were already previously known in the prior art. Rather, it is my understanding that a party challenging a patent in an Inter Partes Review proceeding must further establish by a preponderance of the evidence that there was an apparent reason with some rational underpinnings that would have caused a person of ordinary skill at the time of the invention to have combined and/or altered these known elements to arrive at the claimed invention. Such reasons might include, for example, teachings, suggestions, or motivations to combine that would have been apparent to a person of ordinary skill in the art.

[1] Accordingly, I understand that the term “obvious” has both a legal and a technical meaning. When the term is used throughout this declaration, my opinions and conclusions will be directed to the technical meaning of obvious (i.e., whether subject matter was within the technical grasp of a person of ordinary skill at the time of the ’494 patent).

Claim Language

35. I understand that, in Inter Partes Review proceedings, claim terms are to be given the broadest reasonable construction in light of the specification as would be read by a person of ordinary skill in the relevant art.

36. As the result of my education and experience, I believe that I understand how the asserted claims of the ’494 patent would be understood by a person of ordinary skill in the art applying the above standard.

V. Overview of Relevant Computer Security, Malware Detection, and Internet Technology at the Time of the ’494 Patent

37. At the time of the ’494 patent, the use of computers was rapidly becoming widespread and commonplace. In particular, companies and other organizations were relying on networked computer systems to perform various tasks, store various information, and manage and control various infrastructure. As the use of such networked computer systems increased significantly, computer viruses and other types of malware became a major problem for the computer industry.

38. There were three major factors that contributed to the significant growth in malware. First, sophisticated malware writers had developed tools that allowed relatively unsophisticated programmers to create sophisticated malware. These tools could be easily downloaded using the Internet. A second reason was the growth in computer usage by individuals. Computers had become commodity consumer products. A third reason was the growth of the Internet as computer networks became more ubiquitous. More users, the availability of networking and the development of the World Wide Web (WWW), led to the phenomenal growth of the Internet. In 1993, traffic on the Internet was growing at the incredible rate of 341,000%. As the Internet grew, so did the opportunity for criminals and other malicious entities to use the Internet to spread malware for illicit financial gain.

39. One of the primary ways malicious entities would compromise a computer on the Internet was through a malicious download when a user visited a web page. At the time, typical web-based systems allowed authors to attach an executable program to a Web page, so that anyone visiting the web page automatically downloads and runs the program. Thus, simply visiting a Web page may cause a user to unknowingly download and run a program written by a criminal or other malicious person.

40. Such downloaded executables were written using various programming languages such as Java, ActiveX, Visual Basic, JavaScript, and Web plug-ins. Examples of popular plug-ins include QuickTime (viewing videos), Shockwave (multimedia viewer), and Acrobat Reader (for viewing PDF files).

41. Another commonly used method to deliver an executable to a machine was via an e-mail attachment. Here, an executable was downloaded to the victim’s computer via an attachment to an e-mail message. The attachment may be named to appear as if it is a benign text file, image, digital music, etc. In reality, however, the file is an executable that performed the malicious actions intended by the author.

42. Because of the frequency of these types of attacks, there was much interest by industry, university research centers, and government research laboratories in developing techniques to detect and prevent malicious downloads from taking malicious actions such as modifying or destroying files, monitoring the user’s online activities, or stealing valuable information.

43. The main defense against various types of malware, including malicious executable programs, was anti-virus software. Such software was generally referred to as anti-virus software even though it would detect other types of malware such as spyware, backdoors, spammers, and keyloggers that might be included or embedded in a malicious, executable program.

44. Initially, the dominant technique used by anti-virus software to detect malware was signature-based scanning. Signature-based scanning is analogous to a common, standard medical approach for determining if a person is infected with a certain biological pathogen. A blood test is performed to see if particular antibodies are present that indicate that the subject is infected. Similarly, with signature-based virus detection, the anti-virus software scans relevant files for a “fingerprint” or “signature” that, if present, indicates malware is present.

45. At the time, anti-virus tools used various approaches to create signatures. One widely used technique was to create a set of patterns to detect viruses and other malware. A pattern might be targeted for a particular family of related viruses. An example of such a pattern is:

SIG: 0x0E,0xBE,Skip(0x02),0x56,0xC3,Skip(0x3),0x83,0xEE,0x1E

46. The signature specifies that the file contains a virus if the file has a sequence of bytes that match the pattern specified. The pattern says look for two consecutive bytes that have the values 0x0E and 0xBE, then skip the next two bytes (their contents are irrelevant), then look for byte values 0x56 and 0xC3. Skip three bytes, then look for 0x83, followed by 0xEE and 0x1E.

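The pattern grammar in paragraphs 45 and 46 (hex byte values separated by commas, with Skip(n) standing for n bytes whose contents are irrelevant) is small enough to implement directly. The following is an added example written for this page; it is not code from the declaration, the ’494 patent, or any of the cited references. The signature string is the one quoted above; the two sample buffers are constructed for illustration and are not real programs; and the generalization to scanning a buffer against a named set of several signatures is the example’s own.

```python
"""Byte-pattern signature scanner with Skip(n) wildcards.

Added example for this page; not code from the declaration or the '494 patent.
The signature grammar follows the one quoted in paragraphs 45 and 46.
"""
import re
from typing import Dict, List, Optional

# A compiled pattern: literal byte values, or None where any byte is accepted.
Pattern = List[Optional[int]]

_TOKEN = re.compile(r"^(?:Skip\((0x[0-9A-Fa-f]+|\d+)\)|(0x[0-9A-Fa-f]{1,2}))$")


def compile_signature(sig: str) -> Pattern:
    """Parse 'SIG: 0x0E,0xBE,Skip(0x02),...' into a list of bytes/wildcards."""
    body = sig.split(":", 1)[1] if sig.upper().startswith("SIG") else sig
    pattern: Pattern = []
    for raw in body.split(","):
        tok = raw.strip()
        m = _TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad signature token: {tok!r}")
        if m.group(1) is not None:              # Skip(n): n wildcard bytes
            pattern.extend([None] * int(m.group(1), 0))
        else:                                   # literal byte value
            pattern.append(int(m.group(2), 16))
    if not pattern or pattern[0] is None:
        raise ValueError("a signature must begin with a literal byte")
    return pattern


def find_signature(data: bytes, pattern: Pattern) -> Optional[int]:
    """Return the first offset in data where the pattern matches, else None."""
    n = len(pattern)
    first = pattern[0]
    for off in range(len(data) - n + 1):
        if data[off] != first:                  # cheap pre-filter on byte 0
            continue
        if all(want is None or data[off + i] == want
               for i, want in enumerate(pattern)):
            return off
    return None


def scan(data: bytes, signatures: Dict[str, str]) -> List[str]:
    """Apply every named signature to the buffer; return the names that hit."""
    return [name for name, sig in signatures.items()
            if find_signature(data, compile_signature(sig)) is not None]


SIGNATURES = {
    # The pattern quoted in paragraph 45 of the declaration.
    "family-A": "SIG: 0x0E,0xBE,Skip(0x02),0x56,0xC3,Skip(0x3),0x83,0xEE,0x1E",
}

# Constructed sample buffers (not real programs). INFECTED carries the
# pattern at offset 4 with arbitrary bytes in the skipped positions;
# CLEAN differs from it in a single literal byte (0xEF instead of 0xEE).
INFECTED = bytes([0x90, 0x90, 0x90, 0x90,
                  0x0E, 0xBE, 0xAA, 0xBB, 0x56, 0xC3, 0x01, 0x02, 0x03,
                  0x83, 0xEE, 0x1E, 0xC3])
CLEAN = bytes([0x90, 0x90, 0x90, 0x90,
               0x0E, 0xBE, 0xAA, 0xBB, 0x56, 0xC3, 0x01, 0x02, 0x03,
               0x83, 0xEF, 0x1E, 0xC3])

if __name__ == "__main__":
    print(scan(INFECTED, SIGNATURES))   # ['family-A']
    print(scan(CLEAN, SIGNATURES))      # []
```

The wildcard bytes are what make one pattern cover a family of related variants; the single-byte difference between the two buffers shows how narrowly a literal position is matched, which is the flip side of the false-negative problem paragraph 47 goes on to describe.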
47. There are many aspects to creating powerful, effective, signature-based anti-virus software. One key aspect for effective scanning is the completeness of the corpus of signatures used by the scanner. If the signature database does not contain a signature for specific malware, the malware most likely will not be detected. Anti-virus vendors expend considerable effort to ensure their signature databases contain up-to-date signatures of newly discovered viruses and that these updated databases are provided to the licensees of their software on a timely basis.

48. Another aspect of effective scanning is the sophistication of the scanning algorithms and techniques. Anti-virus software vendors continually investigated new scanning techniques to both speed the scanning process and to improve the accuracy. Much like the medical tests I mention above, signature-based scanning may sometimes result in false positives or false negatives. In the medical context, a false positive is when a test has incorrectly indicated the presence of a pathogen when there is, in actuality, none present. A false negative is when the test has incorrectly indicated that no pathogen is present when there is, in actuality, a pathogen present.

49. Another well-known technique employed by anti-virus tools at the time was hashing. Hashing was a well-known technique that was (and still is) used in several contexts of anti-virus technology. One use of hashing is to create a unique “digest” of a file. The message digest is orders of magnitude smaller than the message (hence the term digest). The original use of such hashes was to create a digest of a message to detect if a message was corrupted during transmission to a receiver. The corruption could be because of an error in the transmission (e.g., a bit or bits are inadvertently changed or dropped) or because the message had been intentionally changed.

50. Before transmitting the message, a cryptographic hash function is used to create the message digest. The digest is attached to the message (either prepended or appended) and the package would be transmitted. At the receiver, after the package was received, the digest would be recomputed and compared to the digest attached to the message. If the computed digest was different from the attached digest, then either the message or the attached digest had been corrupted and appropriate action could be taken. As one example, the receiver could request that the message be resent. Attaching a digest to a message is conceptually similar to attaching a certificate to a downloaded executable.

51. Attaching or appending additional information (such as a certificate) onto executables that were downloaded or transferred via a network was also well known in the art at the time of the ’494 patent. For example, Atkinson (U.S. Patent No. 5,892,904, provided as Ex. 1022) teaches that “a publisher digital certificate 122 (FIG. 4) and publisher signature 110 are attached, appended to or incorporated with an executable file 102.” Atkinson, col. 5:44-45, FIG. 4. In addition, it was also well known that components of these certificates could be used to link to and retrieve additional information or data related to the executable. Atkinson, col. 2:56-58 (“publisher digital signature also includes an identifying name of the executable file and a link or hyperlink to a description of the executable file”), FIG. 4.

52. Such cryptographic hashes were also used to create a database on a user’s machine of files that had previously been scanned (perhaps using a signature-based scanner) and were deemed to be virus-free. The database contained a cryptographic hash, and a pointer to the file on disk. Periodically, the anti-virus software would check to make sure the cryptographic hash matched the computed hash. If the computed hash did not match the hash stored in the database, this indicated the file had been changed, which might be the result of a virus. Typically further checking would be done. These databases were often called file integrity databases. Such databases were also used by intrusion detection systems.

53. In the context of anti-virus technology, cryptographic hashes were also used to implement “whitelists” and “blacklists” that could be quickly checked to determine whether to allow an executable to be downloaded and/or run on a computer. To create whitelists, executable files that were known to not contain viruses were hashed, and these hashes were stored in a whitelist table. Similarly, executable files that were known to contain viruses were hashed, and these hashes were stored in a blacklist table. When a new file was received (perhaps it is downloaded from a website, or attached to an e-mail), the hash function was applied to the file and a hash value was computed. Using the computed hash value, the whitelist and blacklist were searched. If the hash value for the received file was on the whitelist, the file was categorized as not containing a virus. If the hash value for the received file was on the blacklist, the file was categorized as containing a virus.

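Paragraphs 52 and 53 describe two uses of a cryptographic hash: a file integrity database that records a digest per scanned file and later recomputes it, and whitelist/blacklist tables searched by digest. The following is an added example, not code from the declaration or the ’494 patent. It assumes SHA-256 as the hash function (the declaration names none), an in-memory dictionary standing in for files on disk, and constructed sample file contents; the rule that a blacklist hit takes precedence over a whitelist hit is the example’s own choice, made because an entry that somehow appears in both tables is more safely treated as malicious.

```python
"""File-integrity database and hash-based whitelist/blacklist lookups.

Added example (not from the declaration or the '494 patent). SHA-256 is an
assumed choice of cryptographic hash; the "filesystem" is an in-memory dict
of constructed sample files so the script runs offline.
"""
import hashlib
from typing import Dict, List, Set


def digest(data: bytes) -> str:
    """Hex SHA-256 digest: a fixed 64-character summary of arbitrary data."""
    return hashlib.sha256(data).hexdigest()


# --- file integrity database (paragraph 52) ---------------------------------

def build_integrity_db(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for every file that has been scanned and found clean.
    The key (path) is the 'pointer to the file on disk'."""
    return {path: digest(data) for path, data in files.items()}


def check_integrity(db: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Recompute each recorded digest and return the paths whose contents
    changed or that have gone missing. A mismatch only says 'changed';
    whether the change is a legitimate update or an infection needs
    further checking, as the declaration notes."""
    suspicious = []
    for path, recorded in db.items():
        if path not in files or digest(files[path]) != recorded:
            suspicious.append(path)
    return suspicious


# --- whitelist / blacklist (paragraph 53) ------------------------------------

def classify(data: bytes, whitelist: Set[str], blacklist: Set[str]) -> str:
    """Look the file's digest up in both tables. The blacklist is consulted
    first (assumed policy) so a digest present in both is never trusted."""
    h = digest(data)
    if h in blacklist:
        return "malicious"
    if h in whitelist:
        return "clean"
    return "unknown"        # neither table knows it: fall back to scanning


# Constructed sample files (not real programs).
FILES = {
    "/bin/editor": b"MZ\x90\x00editor-v1",
    "/bin/mailer": b"MZ\x90\x00mailer-v3",
}
KNOWN_BAD = b"MZ\x90\x00payload-xyz"


def demo():
    """Run both checks over the constructed files; return their results."""
    db = build_integrity_db(FILES)

    # Later: something appends two bytes to the mailer.
    later = dict(FILES)
    later["/bin/mailer"] = FILES["/bin/mailer"] + b"\xEB\xFE"
    changed = check_integrity(db, later)

    whitelist = {digest(d) for d in FILES.values()}
    blacklist = {digest(KNOWN_BAD)}
    verdicts = {
        "editor": classify(FILES["/bin/editor"], whitelist, blacklist),
        "payload": classify(KNOWN_BAD, whitelist, blacklist),
        "patched_mailer": classify(later["/bin/mailer"], whitelist, blacklist),
    }
    return changed, verdicts


if __name__ == "__main__":
    changed, verdicts = demo()
    print("changed since last scan:", changed)
    print("verdicts:", verdicts)
```

Note the third verdict: the modified mailer is no longer on the whitelist, but it is not on the blacklist either, so a hash lookup alone cannot call it malicious. That is the gap the integrity database and the signature scanner are there to close.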
54. Such hashes were also widely used to create efficient methods to store and find information. Well known to those skilled in the art was the use of hashing techniques to create “hash tables” for efficiently storing and retrieving information. A hash table is a data structure that is searched using the hash value computed by the function (often called a “hash function” in this context). There are several techniques for creating hash tables, but the key idea is that the hash value of an object is used to locate the object in the table. Those skilled in the art routinely used hash tables to store information for fast lookup. Furthermore, it was well understood by those skilled in the art that in many cases it was often preferable to store the hash of an object in other data structures rather than storing a duplicate of the object (which required substantially more storage space). The object could easily and quickly be retrieved by using the hash and then accessing the hash table that contained the object.

55. Over the years, anti-virus researchers and researchers in other areas (e.g., software engineering and programming languages) have built various tools to help them analyze programs including downloads. Such tools can be generally categorized as either static or dynamic analyzers. A static analyzer determines information about a program without running the program. Rather it builds various data structures that can be analyzed to determine various properties of a program. A very common data structure that is useful for static analysis of a program is the control-flow graph.

56. To build a control-flow graph of an executable program, the file containing the program is parsed to determine the instructions that may be invoked by the program. By analyzing the instructions and identifying the instructions that cause the flow of control to change (i.e., jump instructions or control transfer instructions), the static analyzer can construct a graph that represents the relationship between various sections of the program. The nodes in the control-flow graph were often referred to as basic blocks by those skilled in the art.

57. Using the control-flow graph, a static analyzer performs other useful analyses. One example is called “dead code” elimination. Here, code that cannot possibly be executed can be removed from the program thereby saving space.

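Paragraphs 56 and 57 describe building a control-flow graph from an executable by finding the control-transfer instructions, partitioning the program into basic blocks, and then removing code that no path can reach. The following is an added example, not code from the declaration or the ’494 patent. It works on an invented toy instruction set (op, jmp, jz, ret, with jump operands given as instruction indices) rather than a real machine format, and the sample program is constructed so that exactly one block is unreachable.

```python
"""Control-flow graph construction and dead-code detection on a toy ISA.

Added example; not code from the declaration or the '494 patent. The
instruction set is invented: each instruction is (opcode, operand) with
opcodes 'op' (straight-line work), 'jmp' (unconditional), 'jz'
(conditional) and 'ret'. Jump operands are instruction indices.
"""
from typing import Dict, List, Set, Tuple

Instr = Tuple[str, object]
BRANCHES = {"jmp", "jz"}


def leaders(prog: List[Instr]) -> List[int]:
    """Basic-block leaders: the entry, every branch target, and the
    instruction that follows any control transfer (jump or return)."""
    lead = {0}
    for i, (op, arg) in enumerate(prog):
        if op in BRANCHES:
            lead.add(arg)
        if op in BRANCHES or op == "ret":
            if i + 1 < len(prog):
                lead.add(i + 1)
    return sorted(lead)


def build_cfg(prog: List[Instr]) -> Dict[int, List[int]]:
    """Map each block (identified by its leader index) to its successors.
    The last instruction of a block decides the edges. An indirect jump
    whose target is computed at run time would have to be treated as
    possibly reaching every block; this toy ISA has none."""
    lead = leaders(prog)
    ends = lead[1:] + [len(prog)]
    cfg: Dict[int, List[int]] = {}
    for start, end in zip(lead, ends):
        op, arg = prog[end - 1]
        succ: List[int] = []
        if op == "jmp":
            succ = [arg]
        elif op == "jz":
            succ = [arg]
            if end < len(prog):
                succ.append(end)      # fall-through when the test fails
        elif op != "ret" and end < len(prog):
            succ = [end]              # straight-line fall into the next block
        cfg[start] = succ
    return cfg


def reachable(cfg: Dict[int, List[int]], entry: int = 0) -> Set[int]:
    """Depth-first walk from the entry block."""
    seen: Set[int] = set()
    work = [entry]
    while work:
        b = work.pop()
        if b in seen:
            continue
        seen.add(b)
        work.extend(cfg.get(b, []))
    return seen


def dead_blocks(prog: List[Instr]) -> List[int]:
    """Leaders of blocks that no path from the entry reaches."""
    cfg = build_cfg(prog)
    live = reachable(cfg)
    return sorted(b for b in cfg if b not in live)


def dead_instructions(prog: List[Instr]) -> List[int]:
    """Instruction indices inside unreachable blocks; safe to delete."""
    lead = leaders(prog)
    ends = dict(zip(lead, lead[1:] + [len(prog)]))
    return [i for b in dead_blocks(prog) for i in range(b, ends[b])]


# Constructed sample program (not real machine code).
PROGRAM: List[Instr] = [
    ("op", "a"),    # 0  block 0 (entry)
    ("jz", 4),      # 1    -> 4 if zero, else fall through to 2
    ("op", "b"),    # 2  block 2
    ("jmp", 6),     # 3    -> 6
    ("op", "c"),    # 4  block 4
    ("ret", None),  # 5
    ("op", "d"),    # 6  block 6
    ("ret", None),  # 7
    ("op", "e"),    # 8  block 8: nothing jumps here and 7 returns -> dead
    ("jmp", 6),     # 9
]

if __name__ == "__main__":
    print("blocks:", leaders(PROGRAM))
    print("cfg:", build_cfg(PROGRAM))
    print("dead instructions:", dead_instructions(PROGRAM))
```

Block 8 has an outgoing edge to block 6 but no incoming edge, which is why the walk from the entry never visits it. The same reachability analysis that justifies deleting it is also what a signature-oblivious analyzer can use to notice code that is present in a file but never executed by the program’s own control flow.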
58. While static analysis is a powerful tool, it must be conservative because it is analyzing the program without the benefit of knowing what inputs the program might process, and therefore could produce erroneous information. Consequently, dynamic analysis was also used to analyze executable programs. Dynamic analysis requires running the program on some input. The advantage of dynamic analysis is that one can observe how the program behaves on a particular input or set of inputs and monitor the instructions that are called by the program.

59. Because of their complementary nature, both static and dynamic analyses were often used together when analyzing executable programs.

60. At the time of the ’494 patent (and even now), anti-virus researchers continually worked to improve the accuracy of the signature-based scanning by lowering the rates of false positives and false negatives. Unfortunately, virus writers also continually worked to create new techniques for creating malware that would evade detection by signature-based scanning. This bae