Inter Partes Review of
U.S. Patent No. 8,677,494

Filed on behalf of Symantec Corporation

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

SYMANTEC CORPORATION
Petitioner

v.

FINJAN, INC.
Patent Owner

Case To Be Assigned
U.S. Patent No. 8,677,494

DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF PETITIONER PURSUANT TO 37 C.F.R. § 42.120

Symantec 1018
IPR of U.S. Pat. No. 8,677,494

Declaration of Jack W. Davidson
In Support of Petitioner Pursuant to 37 C.F.R. § 42.120

I, Jack W. Davidson, declare as follows

I. Overview

1. I am over 21 years of age and otherwise competent to make this Declaration. I make this Declaration based upon facts and matters within my own knowledge and on information provided to me by others.

2. I have been retained as an expert witness to provide testimony on behalf of Symantec Corporation (“Symantec” or “Petitioner”) as part of the above-captioned inter partes review proceeding (“IPR”), including issues relating to the validity of U.S. patent number 8,677,494 (“the ‘494 patent”), entitled “Malicious mobile code runtime monitoring system and methods.” I also understand that the ‘494 patent was filed on November 7, 2011 and issued on March 13, 2014 and that the ‘494 patent is currently assigned to Finjan, Inc. (“Finjan” or “Patent Owner”).

3. In addition to this Declaration, I have also prepared a separate declaration in support of another IPR petition also involving the validity of the ‘494 patent, which I understand is being filed by Symantec concurrently with this Petition and Declaration. As discussed in more detail in my other declaration, it is my understanding that, in the other petition, Symantec is challenging the priority date of the ‘494 patent. For purposes of this Declaration, however, I was asked to assume that the challenged claims are entitled to the earliest priority date referenced in the ‘494 patent, i.e., November 8, 1996.

4. I have reviewed and am familiar with the specification and prosecution history of the ‘494 patent. A copy of the ‘494 patent is provided as Symantec 1001. I have also reviewed the related patents referenced in the ‘494 patent specification and certain portions of their prosecution histories, where relevant. As I explain in more detail below, I am familiar with the technology at issue as of the time of the ‘494 patent, which, for purposes of this Declaration, I have assumed to be November 8, 1996.

5. I have also reviewed and am familiar with the following prior art, which I understand is being used by Symantec in the Petition for Inter Partes Review of the ‘494 patent:

a. U.S. Patent No. 5,313,616 (“Cline”)

b. A Sense of Self for Unix Processes, by Stephanie Forrest et al. (“Forrest”)

c. Dynamic Detection and Classification of Computer Viruses Using General Behaviour Patterns, by Morton Swimmer et al. (“Swimmer”)

d. U.S. Patent No. 5,623,600 (“Ji”)

6. With its corresponding Petition and this supporting Declaration, I understand Symantec is requesting that the Patent Office institute a review of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494 patent, and that the requested review is based on the following grounds:

a. Ground 1: Swimmer anticipates claims 1, 2, 6, 10, 11, and 15 under 35 U.S.C. § 102

b. Ground 2: Swimmer renders obvious claims 5 and 14 under 35 U.S.C. § 103

c. Ground 3: Cline in view of Ji renders obvious claims 1, 2, 5, 6, 10, 11, and 15 under 35 U.S.C. § 103

d. Ground 4: Forrest in view of Ji renders obvious claims 1, 2, 5, 6, 10, 11, and 15 under 35 U.S.C. § 103

7. I have been asked to provide a technical review, analysis, and insight regarding the above-noted references, which I understand form the basis for the grounds of rejection set forth in the Petition.

8. I am being compensated for my time in connection with this IPR at a rate of $400 per hour. I am also being compensated for any out-of-pocket expenses for my work in this review. My compensation as an expert is in no way dependent upon the results of any investigations I undertake, the substance of any opinion I express, or the ultimate outcome of the review proceedings. I have been advised that Bryan Cave LLP represents the Petitioner Symantec, Inc. in this matter. I have no direct financial interest in Symantec, Finjan, or the ‘494 patent.

II. My Background and Qualifications

9. I am a Professor of Computer Science at the University of Virginia. In addition, I am the Founder and President of Zephyr Software LLC. Zephyr Software, in business since 2001, provides a variety of services including innovative computer security solutions targeted mainly for U.S. Department of Defense applications. For more than 35 years, I have been involved in the design of computer systems and software as well as leading and managing large software development projects.

10. I earned a Bachelor’s of Applied Science in Computer Science from Southern Methodist University in 1975, a Master’s of Science in Computer Science from Southern Methodist University in 1977, and a Doctorate in Computer Science from the University of Arizona in 1981. After receiving my Doctorate, I joined the faculty at the University of Virginia. In addition, I have held visiting positions at Princeton University and Microsoft Research in Redmond, Washington.

11. For over 35 years, I have conducted research in a variety of areas in computer science including compilers, interpreters, programming languages, computer architecture, embedded systems, program analysis, and most recently computer security. My current research in computer security involves developing methodologies for preventing attacks against critical, enterprise-level computer systems and preventing malware from infecting personal and mobile computers. In these areas and others I have led and managed several large-scale projects involving the collaboration of top U.S. researchers. I am currently leading a large project ($5.8M) called the Cyber Fault-tolerant Attack Recovery project at the University of Virginia, which has been funded by the Defense Advanced Research Project Agency (DARPA). The goal of the Cyber Fault-tolerant Attack Recovery project is to develop defensive cyber techniques that can be deployed to protect existing and planned software systems without requiring changes to the concept of operations of these systems.

12. I am also the principal investigator of a project funded by the Air Force Research Laboratories (“AFRL”) in Rome, NY. The goal of this project is to transition the results of our previously funded research in cyber security from our research laboratory to the field. That is, we are working with the AFRL to automatically secure mission-critical systems against attack by well-funded, determined malicious adversaries and to develop and carry out compelling demonstrations, tests, and exercises that demonstrate the power and effectiveness of the techniques developed in the Dependability Group at the University of Virginia.

13. As my current research focus is in cyber security, I have published extensively in the field of computer security. In addition to other publications, the paper “Safe Virtual Execution Using Software Dynamic Execution” written by Kevin Scott and myself and presented at the 18th Annual Computer Security Applications Conference held in Las Vegas, Nevada in December 2002 is particularly relevant to the matter being considered.

14. My curriculum vitae, which is provided as Symantec 1019, lists my publications in the computer security area.

15. In addition to my scholarly activities in the field of cyber security, I am the President and sole owner of Zephyr Software LLC. I founded Zephyr Software as another vehicle for commercializing my research. Currently, Zephyr Software is focused on commercializing cyber security solutions. Including myself, Zephyr Software has four employees. Zephyr Software currently has Phase II SBIR contracts from DARPA and the Office of Naval Research (“ONR”).

16. The DARPA contract is targeted at securing embedded systems. Network routers, communications equipment, supervisory control and data acquisition (“SCADA”) systems, and industrial control systems (“ICS”) are some examples of embedded systems. Because these systems are part of a critical infrastructure, such as plant operations, the power grid, communication systems, transportation systems, and similar operations, it is vital that these systems be protected from malicious attacks.

17. The work being performed under the ONR contract includes developing techniques to prevent malicious adversaries from taking over the control of a program via a technique known as “program hijacking.” Using program hijacking, a malicious entity can take control of a program to carry out a variety of attacks such as denial of service, secret information leakage, shutdown of critical services, and similar attacks.

18. In addition to my research and commercialization activities, I am also an accomplished and award-winning instructor. In 1989, I received the NCR Faculty Innovation Award for my development of innovative curriculum materials and outstanding teaching. I am the co-author of two widely used introductory programming textbooks, C++ Program Design: An Introduction to Programming and Object-Oriented Design and Java 5.0 Program Design, both published by McGraw-Hill.

19. In 2008, I was co-recipient (with my co-author James P. Cohoon) of the IEEE Computer Society Taylor L. Booth Education Award for “sustained effort to transform introductory computer science education through lab-based multimedia pedagogy coupled with examples that attract a diverse student body.” In addition, I have given invited lectures at the Third International Summer School on Advanced Computer Architecture and Compilation for Embedded Systems held in L’Aquila, Italy in 2007. Approximately 200 students attended this summer school from the member nations of the European Union.

20. As part of my ongoing activities in computer security, I created and teach a course about cyber security at the University of Virginia. The course title is “Defense against the Dark Arts.” The course focuses on teaching students techniques for defending computers from computer viruses, computer worms, and other types of malicious attacks. The course was first taught in the Fall of 2005 and I have taught it multiple times since that time. I last taught the course in Spring of 2014.

21. I also was a lecturer in the inaugural Indo-US Engineering Faculty Leadership Institute held in Mysore, India. The goal of the Leadership Institute is to improve University education in India. The Institute was attended by 120 faculty members from Indian Universities.

22. In the summers of 2010, 2011, 2012, and 2014, I helped organize and lectured at the International Summer School on Information Security and Protection (ISSISP) held in Beijing, China (2010), Ghent, Belgium (2011), Tucson, Arizona (2012), and Verona, Italy (2014). Each summer school was attended by 50 students from various international universities. ISSISP 2015 will be held in Rio de Janeiro, Brazil.

23. Because of my expertise and stature within the computing community, I am often asked to serve on important Boards and Councils. I served as an elected member-at-large of the Association of Computing Machinery (ACM) Special Interest Group on Programming Languages (SIGPLAN) for four years. ACM is the largest professional computing society in the world. I was elected chair of SIGPLAN in 2005. I am a member of the ACM Council, which oversees the operation of ACM, and I am co-chair of ACM’s Publications Board, which oversees the publication of the organization’s 44 professional journals and 8 magazines, and a professional book series.

24. As a leading expert in the field, I help organize many technical conferences in the area including the International Conference on Parallel Architectures and Compilation Techniques (“PACT”), International Symposium on Code Generation and Optimization (“CGO”), Conference on Programming Language Design and Implementation (“PLDI”), Conference on Languages, Compilers and Tools for Embedded Systems (“LCTES”), International Conference on Compilers, Architectures and Synthesis for Embedded Systems (“CASES”), Conference on the Principles of Programming Languages (“POPL”), International Conference on Autonomic Computing (“ICAC”), and International Conference on High-Performance and Embedded Architectures (“HiPEAC”).

25. In the past, I was an Associate Editor of the ACM Transactions of Programming Languages and Systems (“TOPLAS”) and ACM Transactions on Architecture and Code Optimization (“TACO”) journals. TOPLAS is the archival journal in the area of programming languages and compilers. TACO is an archival journal in the area of computer architecture and program optimization. In 2009, I received SIGPLAN’s Distinguished Service Award for “substantial and sustained contributions to the programming languages research community and to SIGPLAN in particular.”

26. I am a Senior Member of the Institute of Electrical and Electronics Engineers (“IEEE”), the IEEE Computer Society. I am a Fellow of the Association for Computer Machinery (“ACM”). The ACM Council established the ACM Fellows Program in 1993 to recognize and honor outstanding ACM members for their achievements in computer science and information technology and for their significant contributions to the mission of the ACM. The ACM Fellows serve as distinguished colleagues to whom the ACM and its members look to for guidance and leadership as the world of information technology evolves.

27. A more detailed listing of my professional background and accomplishments is found in my curriculum vitae provided as Symantec 1019.

III. My Expertise and the Person of Ordinary Skill in the Art

28. As a result of my more than thirty-years’ experience in the field of computer science and my deep involvement over the last 15 years with computer security through teaching and research, I am very familiar with techniques to secure and protect computer systems, including techniques to prevent computer viruses, worms and other types of attacks from corrupting both personal computers and enterprise-level systems.

29. Accordingly, I am qualified to provide expert opinions on the technology described in the ‘494 patent as well as the teachings of the prior art references at the time of the ‘494 patent.

30. In my opinion, a person of ordinary skill in the art at the time of the ‘494 patent would have a Master’s degree in computer science, computer engineering, or a similar field, or a Bachelor’s degree in computer science, computer engineering, or a similar field, with approximately two years of industry experience relating to computer security. Additional graduate education might substitute for experience, while significant experience in the field of computer programming and malicious code might substitute for formal education.

IV. Applicable Legal Standards

31. I am not an attorney and do not expect to offer any opinions regarding the law. However, I have been informed of certain legal principles relating to patent claim construction and invalidity that I relied upon in reaching opinions set forth in this report.

Obviousness

32. It is my understanding that obviousness is determined from the vantage point of a person of ordinary skill in the art at the time the invention was made. In order for a claim to be considered invalid under this ground, I understand that the proposed combination of asserted references must teach or suggest each and every claim feature and that the claimed invention as a whole must have been obvious at that time to one of ordinary skill in the art.¹

33. My understanding is that one should avoid the use of “hindsight” in assessing whether a claimed invention would have been obvious. For example, an invention should not be considered in view of what persons of ordinary skill would know today, nor should it be reconstructed after the fact by starting with the claims themselves and/or by reading into the prior art the teachings of the invention at issue.

34. It is my understanding that obviousness cannot be proven by mere conclusory statements or by merely showing that an invention is a combination of elements that were already previously known in the prior art. Rather, it is my understanding that a party challenging a patent in an Inter Partes Review proceeding must further establish by a preponderance of the evidence that there was an apparent reason with some rational underpinnings that would have caused a person of ordinary skill at the time of the invention to have combined and/or altered these known elements to arrive at the claimed invention. Such reasons might include, for example, teachings, suggestions, or motivations to combine that would have been apparent to a person of ordinary skill in the art.

¹ Accordingly, I understand that the term “obvious” has both a legal and a technical meaning. When the term is used throughout this declaration, my opinions and conclusions will be directed to the technical meaning of obvious (i.e., whether subject matter was within the technical grasp of a person of ordinary skill at the time of the ‘494 patent).

Claim Language

35. I understand that, in Inter Partes Review proceedings, claim terms are to be given the broadest reasonable construction in light of the specification as would be read by a person of ordinary skill in the relevant art.

36. As the result of my education and experience, I believe that I understand how the asserted claims of the ‘494 patent would be understood by a person of ordinary skill in the art applying the above standard.

V. Overview of Relevant Computer Security, Malware Detection, and Internet Technology at the Time of the ‘494 Patent

37. At the time of the ‘494 patent, the use of computers was rapidly becoming widespread and commonplace. In particular, companies and other organizations were relying on networked computer systems to perform various tasks, store various information, and manage and control various infrastructure. As the use of such networked computer systems increased significantly, computer viruses and other types of malware became a major problem for the computer industry.

38. There were three major factors that contributed to the significant growth in malware. First, sophisticated malware writers had developed tools that allowed relatively unsophisticated programmers to create sophisticated malware. These tools could be easily downloaded using the Internet. A second reason was the growth in computer usage by individuals. Computers had become commodity consumer products. A third reason was the growth of the Internet as computer networks became more ubiquitous. More users, the availability of networking and the development of the World Wide Web (WWW), led to the phenomenal growth of the Internet. In 1993, traffic on the Internet was growing at the incredible rate of 341,000%. As the Internet grew, so did the opportunity for criminals and other malicious entities to use the Internet to spread malware for illicit financial gain.

39. One of the primary ways malicious entities would compromise a computer on the Internet was through a malicious download when a user visited a web page. At the time, typical web-based systems allowed authors to attach an executable program to a Web page, so that anyone visiting the web page automatically downloads and runs the program. Thus, simply visiting a Web page may cause a user to unknowingly download and run a program written by a criminal or other malicious person.

40. Such downloaded executables were written using various programming languages such as Java, ActiveX, Visual Basic, JavaScript, and Web plug-ins. Examples of popular plug-ins include QuickTime (viewing videos), Shockwave (multimedia viewer), and Acrobat Reader (for viewing PDF files).

41. Another commonly used method to deliver an executable to a machine was via an e-mail attachment. Here, an executable was downloaded to the victim’s computer via an attachment to an e-mail message. The attachment may be named to appear as if it is a benign text file, image, digital music, etc. In reality, however, the file is an executable that performed the malicious actions intended by the author.

42. Because of the frequency of these types of attacks, there was much interest by industry, university research centers, and government research laboratories in developing techniques to detect and prevent malicious downloads from taking malicious actions such as modifying or destroying files, monitoring the user’s online activities, or stealing valuable information.

43. The main defense against various types of malware, including malicious executable programs, was anti-virus software. Such software was generally referred to as anti-virus software even though it would detect other types of malware such as spyware, backdoors, spammers, and keyloggers that might be included or embedded in a malicious, executable program.

44. Initially, the dominant technique used by anti-virus software to detect malware was signature-based scanning. Signature-based scanning is analogous to a common, standard medical approach for determining if a person is infected with a certain biological pathogen. A blood test is performed to see if particular antibodies are present that indicate that the subject is infected. Similarly, with signature-based virus detection, the anti-virus software scans relevant files for a “fingerprint” or “signature” that, if present, indicates malware is present.

45. At the time, anti-virus tools used various approaches to create signatures. One widely used technique was to create a set of patterns to detect viruses and other malware. A pattern might be targeted for a particular family of related viruses. An example of such a pattern is:

SIG: 0x0E,0xBE,Skip(0x02),0x56,0xC3,Skip(0x3),0x83,0xEE,0x1E

46. The signature specifies that the file contains a virus if the file has a sequence of bytes that match the pattern specified. The pattern says look for two consecutive bytes that have the values 0x0E and 0xBE, then skip the next two bytes (their contents are irrelevant), then look for byte values 0x56 and 0xC3. Skip three bytes, then look for 0x83, followed by 0xEE and 0x1E.
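
The pattern walk-through in paragraphs 45 and 46 can be shown as a small scanner. This is an added example, not part of the declaration or of any anti-virus product; the function names, the reading of `Skip(n)` as "n bytes of any value", and the sample buffers (constructed here) are assumptions.

```python
import re

# Pattern text as given in paragraph 45.
SIGNATURE_TEXT = "SIG: 0x0E,0xBE,Skip(0x02),0x56,0xC3,Skip(0x3),0x83,0xEE,0x1E"

# One token is either a hex byte literal or Skip(count); count may be hex or decimal.
TOKEN = re.compile(r"0x([0-9A-Fa-f]{1,2})|Skip\((?:0x([0-9A-Fa-f]+)|(\d+))\)")


def parse_signature(text):
    """Return the pattern as a list of byte values, with None for each skipped position."""
    body = text.split(":", 1)[1] if ":" in text else text
    pattern = []
    for raw in body.split(","):
        token = raw.strip()
        m = TOKEN.fullmatch(token)
        if m is None:
            raise ValueError(f"unrecognised token: {token!r}")
        if m.group(1) is not None:
            pattern.append(int(m.group(1), 16))
        else:
            count = int(m.group(2), 16) if m.group(2) is not None else int(m.group(3))
            pattern.extend([None] * count)
    # A pattern that starts or ends with a skip has no fixed anchor byte.
    if not pattern or pattern[0] is None or pattern[-1] is None:
        raise ValueError("signature must begin and end with a literal byte")
    return pattern


def find_matches(data, pattern):
    """Return every offset in data where the pattern matches."""
    hits = []
    first = bytes([pattern[0]])
    start = data.find(first)
    # Stop once fewer than len(pattern) bytes remain: a partial match is not a match.
    while start != -1 and start + len(pattern) <= len(data):
        window = data[start:start + len(pattern)]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            hits.append(start)
        start = data.find(first, start + 1)
    return hits


# Constructed sample buffers (not real malware, just bytes arranged to hit or miss).
SAMPLE_MATCH = b"MZ\x90\x00" + bytes.fromhex("0ebeaabb56c301020383ee1e") + b"\x00\x00"
SAMPLE_TWO_VARIANTS = bytes.fromhex("0ebe000056c3ffffff83ee1e" "0ebe123456c3abcdef83ee1e")
SAMPLE_NEAR_MISS = b"MZ\x90\x00" + bytes.fromhex("0ebeaabb57c301020383ee1e")  # 0x57, not 0x56
SAMPLE_TRUNCATED = bytes.fromhex("0ebeaabb56c3")  # file ends mid-pattern

if __name__ == "__main__":
    sig = parse_signature(SIGNATURE_TEXT)
    for name, buf in [("match", SAMPLE_MATCH), ("two variants", SAMPLE_TWO_VARIANTS),
                      ("near miss", SAMPLE_NEAR_MISS), ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:13s} offsets={find_matches(buf, sig)}")
```

The two-variant buffer shows why the skipped positions matter: both copies differ in the skipped bytes yet match the same signature, which is how one pattern covers a family of related viruses.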

47. There are many aspects to creating powerful, effective, signature-based anti-virus software. One key aspect for effective scanning is the completeness of the corpus of signatures used by the scanner. If the signature database does not contain a signature for specific malware, the malware most likely will not be detected. Anti-virus vendors expend considerable effort to ensure their signature databases contain up-to-date signatures of newly discovered viruses and that these updated databases are provided to the licensees of their software on a timely basis.

48. Another aspect of effective scanning is the sophistication of the scanning algorithms and techniques. Anti-virus software vendors continually investigated new scanning techniques to both speed the scanning process and to improve the accuracy. Much like the medical tests I mention above, signature-based scanning may sometimes result in false positives or false negatives. In the medical context, a false positive is when a test has incorrectly indicated the presence of a pathogen when there is, in actuality, none present. A false negative is when the test has incorrectly indicated that no pathogen is present when there is, in actuality, a pathogen present.

49. Another well-known technique employed by anti-virus tools at the time was hashing. Hashing was a well-known technique that was (and still is) used in several contexts of anti-virus technology. One use of hashing is to create a unique “digest” of a file. The message digest is orders of magnitude smaller than the message (hence the term digest). The original use of such hashes was to create a digest of a message to detect if a message was corrupted during transmission to a receiver. The corruption could be because of an error in the transmission (e.g., a bit or bits are inadvertently changed or dropped) or because the message had been intentionally changed.

50. Before transmitting the message, a cryptographic hash function is used to create the message digest. The digest is attached to the message (either prepended or appended) and the package would be transmitted. At the receiver, after the package was received, the digest would be recomputed and compared to the digest attached to the message. If the computed digest was different from the attached digest, then either the message or the attached digest had been corrupted and appropriate action could be taken. As one example, the receiver could request that the message be resent. Attaching a digest to a message is conceptually similar to attaching a certificate to a downloaded executable.

51. Attaching or appending additional information (such as a certificate) onto executables that were downloaded or transferred via a network was also well known in the art at the time of the ‘494 patent. For example, Atkinson (U.S. Patent No. 5,392,904, provided as Ex. 1022) teaches that “a publisher digital certificate 122 (FIG. 4) and publisher signature 110 are attached, appended to or incorporated with an executable file 102.” Atkinson, col. 5:44-45, FIG. 4. In addition, it was also well known that components of these certificates could be used to link to and retrieve additional information or data related to the executable. Atkinson, col. 2:56-58 (“publisher digital signature also includes an identifying name of the executable file and a link or hyperlink to a description of the executable file”), FIG. 4.

52. Such cryptographic hashes were also used to create a database on a user’s machine of files that had previously been scanned (perhaps using a signature-based scanner) and were deemed to be virus-free. The database contained a cryptographic hash, and a pointer to the file on disk. Periodically, the anti-virus software would check to make sure the cryptographic hash matched the computed hash. If the computed hash did not match the hash stored in the database, this indicated the file had been changed, which might be the result of a virus. Typically further checking would be done. These databases were often called file integrity databases. Such databases were also used by intrusion detection systems.

`53.
`
`In the context of anti-virus technology. cryptographic hashes were
`
`also used to implement “whitelists" and “blacklists" that could be quickly checked
`
`to determine whether to allow an executable to be downloaded andfor run on a
`
`computer. To create whitelists. executable files that were known to not contain
`
`viruses were hashed, and these hashes were stored in a whitelist table. Similarly,
`
`executable files that were known to contain viruses were hashed, and these hashes
`
`were stored in a blacklist table. When a new file was received {perhaps it is
`
`downloaded from a website. or attached to an e-mail), the hash function was
`
`20
`
`

`
`Inter Fortes Review of
`
`LLS. Patent No. 8457?,-’-I94
`
`applied to the file and a hash value was computed. Using the computed hash value,
`
`the whitelist and blacklist were searched.
`
`it" the hash value for the received file
`
`was on the whitelist, the file was categorized as not containing a virus. If the hash
`
`value for the received file was on the blacklist, the file was categorized as
`
`containing a virus.
`
`54.
`
`Such hashes were also widely used to create efficient methods to store
`
`and find information. Well known to these skilled in the art was the use of hashing
`
`techniques to create “hash tables” for efficiently storing and retrieving information.
`
`A hash table is a data structure that is searched using the hash value computed by
`
`the function {ofien called a “hash function" in this context). There are several
`
`techniques for creating hash tables, but the key idea is that the hash value of an
`
`object is used to locate the object in the table. These skilled in the art routinely
`
`used hash tables to store information For fast lockup. Furthermore, it was well
`
`understood by those skilled in art that in many cases it was often preferable to store
`
`the hash of an object in other data structures rather than storing a duplicate of the
`
`object {which required substantially more storage space). The object could easily
`
`and quickly be retrieved by using the hash and then accessing the hash table that
`
`contained the object.
`
`55.
`
`Over the years, anti-virus researchers and researchers in other areas
`
`(eg, software engineering and programming languages) have built various tools to
`
`21
`
`

`
`Inter Fortes Review of
`
`Ll.S. Patent No. 8457?,-’-I94
`
`help them analyze programs including downloads. Such tools can be generally
`
`categorized as either static or dynamic analyzers. A static analyzer determines
`
`information about a program without running the program. Rather it builds various
`
`data structures that can be analyzed to determine various properties of a program.
`
`A very common data structure that is useful for static analysis of a program is the
`
`contml-flow graph.
`
`56.
`
`To build a control—flow graph of an executable program, the file
`
`containing the program is parsed to determine the instructions that may be invoked
`
`by the program. By analyzing the instructions and identifying the instructions that
`
`cause the control of flow to change (i.e., jump instructions or control transfer
`
`instructions), the static analyzer can construct a graph that represents the
`
`relationship between various sections of the program. The nodes in the control-
`
`flow graph were often referred to as basic blocks by those skilled in the art.
`
`57.
`
`Using the control-flow graph, a static analyzer performs other useful
`
`analyses. One example is called “dead code” elimination. Here, code that cannot
`
`possibly be executed can be removed from the program thereby saving space.
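
Added illustration, not part of the declaration: a minimal Python sketch of the control-flow-graph construction and unreachable-code check described in paragraphs 56 and 57. The toy instruction list, the opcode names and the function names are assumptions made for this example.

```python
# Constructed toy program: (address, opcode, jump target). Hypothetical opcodes,
# contiguous integer addresses; not a real instruction set.
PROGRAM = [
    (0, "load", None), (1, "jz", 4),     # conditional: fall through or go to 4
    (2, "add", None), (3, "jmp", 6),     # unconditional jump
    (4, "sub", None), (5, "jmp", 6),
    (6, "store", None), (7, "ret", None),
    (8, "mul", None), (9, "ret", None),  # no jump targets 8; 7 never falls through
]

def build_cfg(program):
    """Return (blocks, edges), both keyed by each basic block's first address."""
    addrs = [a for a, _, _ in program]
    by_addr = {a: (op, t) for a, op, t in program}
    # A leader starts a basic block: the entry, any jump target, and the
    # instruction following a control transfer.
    leaders = {addrs[0]}
    for i, (_, op, target) in enumerate(program):
        if op in ("jmp", "jz"):
            leaders.add(target)
        if op in ("jmp", "jz", "ret") and i + 1 < len(program):
            leaders.add(addrs[i + 1])
    blocks, current = {}, None
    for addr in addrs:
        if addr in leaders:
            current = addr
            blocks[current] = []
        blocks[current].append(addr)
    edges = {}
    for leader, body in blocks.items():
        op, target = by_addr[body[-1]]
        succ = {target} if op in ("jmp", "jz") else set()
        if op not in ("jmp", "ret") and body[-1] + 1 in by_addr:
            succ.add(body[-1] + 1)  # fall-through edge
        edges[leader] = succ
    return blocks, edges

def unreachable_blocks(blocks, edges, entry=0):
    """Blocks no path from the entry reaches: candidates for dead-code removal."""
    seen, work = set(), [entry]
    while work:
        block = work.pop()
        if block not in seen:
            seen.add(block)
            work.extend(edges[block])
    return sorted(set(blocks) - seen)

if __name__ == "__main__":
    cfg_blocks, cfg_edges = build_cfg(PROGRAM)
    print(unreachable_blocks(cfg_blocks, cfg_edges))
```
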
`
`58. While static analysis is a powerful tool, it must be conservative
`
`because it is analyzing the program without the benefit of knowing what inputs the
`
`program might process, and therefore could produce erroneous information.
`
`Consequently, dynamic analysis was also used to analyze executable programs.
`
`Dynamic analysis requires running the program on some input. The advantage of
`
`dynamic analysis is that one can observe how the program behaves on a particular
`
`input or set of inputs and monitor the instructions that are called by the program.
`
`59.
`
`Because of their complementary nature, both static and dynamic
`
`analyses were often used together when analyzing executable programs.
`
`60.
`
`At the time of the ‘494 patent (and even now), anti-virus researchers
`
`continually worked to improve the accuracy of the signature-based scanning by
`
`lowering the rates of false positives and false negatives. Unfortunately, virus
`
`writers also continually worked to create new techniques for creating malware that
`
`would evade detection by signature-based scanning. This bae
