Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Filed on behalf of Symantec Corporation
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL
`AND APPEAL BOARD
`
`SYMANTEC CORPORATION
`
`Petitioner
`
`v.
`
`FINJAN, INC.
`
`Patent Owner
`
`IPR2015-01892
`U.S. Patent No. 8,677,494
`
`DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF
`PETITIONER PURSUANT TO 37 C.F.R. § 42.120
`
`Symantec 1027
`IPR2015-01892
`Symantec v. Finjan
`
`
`U.S. Patent No. 8,677,494
`
`Filed on behalf of Symantec Corporation
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL
`AND APPEAL BOARD
`
`SYMANTEC CORPORATION
`
`Petitioner
`
`v.
`
`FINJAN, INC.
`
`Patent Owner
`
`IPR2015-01892
`U.S. Patent No. 8,677,494
`
`DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF
`PETITIONER PURSUANT TO 37 C.F.R. § 42.120
`
`Symantec 1027
`IPR2015-01892
`Symantec v. Finjan
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Declaration of Jack W. Davidson
`In Support of Petitioner Pursuant to 37 C.F.R. § 42.120
`
`I, Jack W. Davidson, declare as follows:
`
`I. Overview
`
`1.
`
`I am over 21 years of age and otherwise competent to make this
`
`Declaration. I make this Declaration based upon facts and matters within my own
`
`knowledge and on information provided to me by others.
`
`I have used my
`
`education and my years of experience working in the field of software design,
`
`computer security, and my understanding of the knowledge, creativity, and
`
`experience of a person of ordinary skill in the art, in forming the opinions
`
`expressed in this report.
`
`2.
`
`I have been retained as an expert witness to provide testimony on
`
`behalf of Symantec Corporation (“Symantec” or “Petitioner”) as part of the above-
`
`captioned inter partes review proceeding (“IPR”), including issues relating to the
`
`validity of U.S. patent number 8,677,494 (“the ‘494 patent”), entitled “Malicious
`
`mobile code runtime monitoring system and methods.” I also understand that the
`
`‘494 patent was filed on November 7, 2011 and issued on March 18, 2014 and that
`
`the ‘494 patent is assigned to Finjan, Inc. (“Finjan” or “Patent Owner”).
`
`3.
`
`I am being compensated for my time in connection with this IPR at a
`
`rate of $400 per hour. I am also being compensated for any out-of-pocket expenses
`
`1
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`for my work in this review. My compensation as an expert is in no way dependent
`
`upon the results of any investigations I undertake, the substance of any opinion I
`
`express, or the ultimate outcome of the review proceedings. I have been advised
`
`that Bryan Cave LLP represents the Petitioner Symantec Corporation. in this
`
`matter.
`
`I have no personal or financial stake or interest in the outcome of this
`
`matter.
`
`4.
`
`I understand that the petition filed in this proceeding raised four
`
`proposed grounds challenging claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494
`
`Patent. I have reviewed the Board’s decision on the petition and its decision on
`
`Patent Owner’s request for rehearing and also understand that the Patent Trial and
`
`Appeal Board (“the Board”) granted the petition with respect to the following
`
`ground of unpatentability:
`
`
`
`5.
`
`Claims 1, 2, 5, 6, 10, 11, 14, and 15 are unpatentable under § 103 over
`Swimmer (Ex. 1005).
`
`I understand that Patent Owner has submitted a response to
`
`Symantec’s petition, together with a declaration by Dr. Nenad Medvidovic. In
`
`particular, I understand that Patent Owner and Dr. Medvidovic are challenging
`
`Symantec’s arguments and evidence that claims 1, 2, 5, 6, 10, 11, 14, and 15 of
`
`the ‘494 patent are unpatentable over the Swimmer reference (Ex. 1005).
`
`2
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`6.
`
`I have been asked to provide my technical analysis and opinions
`
`regarding Patent Owner’s response and the corresponding declaration by Dr.
`
`Medvidovic, which are set forth in detail in this declaration. This declaration
`
`supplements my previous declaration in support of Symantec’s petition.
`
`7.
`
`A detailed explanation of my background and qualifications, as well
`
`as my expertise in the relevant technology, is provided in my previous declaration.
`
`See Davidson Decl., ¶¶ 9-27. I have also provided an updated copy of my
`
`curriculum vitae. See Symantec Exhibit _____. Additionally, in my previous
`
`declaration, I set forth what I believe to be a person of ordinary skill in the art of
`
`the subject matter of the ‘494 Patent, including the skillset, education, experience
`
`and knowledge such a person would have possessed. See Davidson Decl., ¶¶ 28-
`
`30. I have relied on these same principles and definitions in reaching my opinions
`
`in this declaration. I also understand that Dr. Medvidovic has provided a different
`
`definition for the person of ordinary skill in the art.
`
`It is my opinion, that the
`
`opinions set forth in my original declaration and this declaration would remain the
`
`same under either party’s definition of the person of ordinary skill in the art.
`
`II. Analysis of Patent Owner’s Response and Dr. Medvidovic’s Testimony
`
`A. Swimmer’s Audit Trail is Stored
`
`3
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`8.
`
`In my opinion, the term storing is well understood by those of
`
`ordinary skill in the art and requires no further construction. Indeed, the Microsoft
`
`Computer Dictionary does not even provide a definition for the term “store” or
`
`“storing.”
`
`9.
`
`Patent Owner construes “storing” as “placing the derived DSP data
`
`into the database.” PO Resp., p. 13. In offering, this construction, Patent Owner
`
`relies on a definition of “store” as “to place data into a storage device…” PO
`
`Resp., p. 13.
`
`In my opinion, Patent Owner’s reliance is misplaced because a
`
`storage device implicates a physical medium, while a database is a logical
`
`construct. See ‘194 patent, col. 3:47 (“The data storage device 230 stores a
`
`security database 240”). See MSCD, p. 16:
`
`10.
`
`Patent Owner appears to rely on Swimmer’s disclosure of a “stream of
`
`data” to support an argument that Swimmer’s audit trail is not stored:
`
`In contrast to this procedure, Swimmer relies on pipeline processing
`where the stream of data produced by the emulator is immediately
`
`4
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`consumed, without the additional step of storing anything in a
`database. Swimmer at 1 (“ASAX is used to analyse the stream of data
`which the emulator produces”). Rather, this pipeline processing
`merely involves converting emulation data into generic data, and
`piping its output as a NADF file for further processing.. See id. at 7
`(“The first ASAX system reads the raw audit trail, converts it into
`generic data, and pipes its output as a NADF file for further
`processing (see Section 5).”). Thus, Swimmer never first derives
`activity data, including a list of MS-DOS functions, and then stores
`the activity data in a database.
`
`P.O. Resp. p. 46, 19.
`
`11.
`
`It is my opinion that one of ordinary skill in the art would have
`
`understood that Swimmer teaches that the list of suspicious operations (i.e., audit
`
`trail) is actually stored at least twice. For example, as cited by Patent Owner,
`
`Swimmer teaches that the emulator data is converted from a native format, which
`
`is then converted to an NADF file. Swimmer also teaches that the data in native
`
`format is also stored in a “file.” Swimmer, p. 12 (“In the context of this paper, the
`
`sequential file is the activity data record produced by the PC emulator. The
`
`universality is attained by translating native files to generic format which is the
`
`only one supported by the evaluator.”).
`
`In this context, the generic format is the
`
`NADF file discussed on page 7 of Swimmer. Swimmer, p. 12 (“This generic
`
`format is referred to as the Normalized Audit Data Format (NADF)”).
`
`5
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`12.
`
`In his declaration, Dr. Medvidovic also opines that Swimmer does not
`
`teach “storing.” For example:
`
` “That type of conversion does not actually place any data into storage
`
`of any type, let alone into a database.” Ex. 2007, ¶ 71.
`
` “In an attempt to solve this problem, Swimmer discloses generating a
`
`pipeline of system activity data to be processed immediately rather
`
`than storing any information, let alone storing system activity data in a
`
`database. “ Ex. 2007, ¶ 107.
`
` “‘storing’ is an action that is never used in describing Swimmer’s
`
`process of generating an audit trail.” Ex. 2007, ¶ 111.
`
`It is my opinion, however, that Dr. Medvidovic’s analysis is incomplete at
`
`least because it fails to address the term “file” and how it is used by Swimmer and
`
`how the term “file” is understood by one of ordinary skill in the art.
`
`13.
`
`It is my opinion, that one of ordinary skill in the art would have
`
`understood a file to be a “basic unit of storage.” For example, the 3rd edition of the
`
`Microsoft Computer Dictionary defines a file as:
`
`6
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`MSCD, p. 7 (highlighting added).
`
`14. Because, as discussed above, Swimmer teaches converting the audit
`
`trail data (i.e., list of suspicious operations) from one file format to another (e.g., a
`
`native format to an NADF format file), it is my opinion that one of ordinary skill in
`
`the art would have understood that Swimmer teaches that the list of suspicious
`
`operations is stored. See Swimmer, p. 12.
`
`15.
`
`Furthermore, Swimmer discusses the RUSSEL language and its use in
`
`ASAX. RUSSEL is the language for specifying rules for identifying malware.
`
`Swimmer, p. 4 (“Before we can attempt to detect a virus using ASAX, we need to
`
`model the virus attack strategy. This is then translated into RUSSEL, the rule-
`
`based language which ASAX uses to identify the virus attack”). In discussing the
`
`power of RUSSEL, Swimmer states that RUSSEL is designed to facilitate search
`
`for arbitrary patterns of records in sequential files. Swimmer, p. 12 (“RUSSEL
`
`(RUle-baSed Sequence Evaluation Language) is a novel language, specifically
`
`7
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`tailored to the problem of searching arbitrary patterns of records in sequential
`
`files”). In my opinion, one of ordinary skill in the art would have understood that a
`
`list of suspicious operations is stored in a file for processing by a RUSSEL
`
`program.
`
`16. Beyond the use of “files” as storage, Swimmer explains that the stored
`
`audit trail data must be secured against attack. Swimmer, p .7 (“In addition,
`
`integrity of the ID system itself must not be compromised: this means that the audit
`
`data retrieval, analysis and archiving must be secured against corruption by
`
`viruses”) (emphasis added).
`
`In my opinion, one of ordinary skill would have
`
`understood that both “archiving” and “retrieval” of the audit trail data would have
`
`meant that such data was stored. Additionally, this view is consistent with and
`
`supported by definitions for “archive” and “retrieve” and provided by the 3rd
`
`edition of the Microsoft Computer Dictionary, which are both connected to
`
`“storage”:
`
`MSCD, p. 11 (highlighting added).
`
`8
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`MSCD, p. 4 (highlighting added).
`
`17.
`
`In my opinion, although Swimmer does not explicitly use the word
`
`“storing,” Patent Owner takes a much too narrow view of Swimmer’s disclosure
`
`and ignores other disclosure, which would have indicated to one of ordinary skill
`
`in the art that Swimmer stored the audit trail data (e.g., in or more files for
`
`retrieval, archival, and/or analysis). See also, Swimmer, p. 11-12 (“Two versions
`
`of the ASAX system are currently available. The single audit trail analysis version
`
`is applicable only to a single audit trail. The other version allows a distributed
`
`analysis of multiple audit trails produced at various machines on a network. In the
`
`latter version, ASAX filters audit data at each monitored node and analyses the
`
`filtered data gathered at a central host”).
`
`18. Mounji, which is cited on page 14 of Swimmer, discusses the
`
`conversion of audit trails from native file format to NADF format. Mounji, p. 5
`
`9
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`(“This process translates audit trails generated by auditd to the NADF format.
`
`Native files can be erased after being converted since they are semantically
`
`redundant with NADF files”). In my opinion, one or ordinary skill in the art would
`
`have understood that to erase something it must be stored
`
`19.
`
`Furthermore, Mounji discusses the advantages of storing the list of
`
`suspicious operations as they can be reanalyzed. Mounji, p. 5 (“Keeping converted
`
`files instead of native files has several advantages: the files are converted only
`
`once and can be reanalyzed several times without requiring a new conversion”).
`
`In my opinion, one of skill in the art would have understood that to reanalyze the
`
`audit trail several times without requiring a new conversion would have meant that
`
`the audit trail was stored.
`
`20.
`
`It is my opinion that even under Patent Owner’s “data stream” theory
`
`Swimmer would have still stored a list of suspicious operations. For example,
`
`during each stage of Swimmer’s “pipeline” at least some portion of the audit trail
`
`data would have been stored. For example, one of ordinary skill in the art would
`
`have understood that generation of the audit record data by emulation, conversion
`
`of the data from native to NADF format, and analysis by ASAX by Swimmer’s
`
`VIDES system would have at least required storage of such data in memory or in
`
`one or more registers at points along the “pipeline.” This is simply how
`
`conventional digital computer systems such as the x86 operate.
`
`10
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`B. Swimmer’s Audit Trail Data is Stored in a Database
`
`i. Swimmer’s Audit Trail is a Flat File Database
`
`21.
`
`Swimmer teaches that it captures audit records for DOS programs
`
`under emulation. Swimmer also teaches that each audit record has a specific set of
`
`fields (i.e., a schema). In particular, Swimmer teaches that the audit records have
`
`the following format: <code segment, RecType, StartTime, EndTime, function
`
`number, arg ( .. ),ret( .. )>. See Swimmer, p. 9 (reproduced below).
`
`22. As in my previous declaration, it is my opinion that one of ordinary
`
`skill in the art would have considered Swimmer’s audit trails, such as the one
`
`excerpted above for the Vienna virus, to be a “flat-file database.” See Davidson
`
`11
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Decl., ¶ 107-09. These audit trails are a sequence of audit records, with each audit
`
`record having been stored according to the same schema discussed above.
`
`23.
`
`I understand that Patent Owner argues that the audit trail is not a flat
`
`file database, but is instead a mere flat-file. In support, Patent Owner relies on the
`
`definitions provided in the 3rd edition of the Microsoft Computer Dictionary:
`
`MSCD, p. 8.
`
`24.
`
`Patent Owner and Dr. Medvidovic argue that based on the definition
`
`of “flat-file database,” Swimmer’s audit trail is not a “table” and thus not a flat-file
`
`database. Medvidovic, ¶ 140 (“a person of ordinary skill in the art would
`
`understand the term, Swimmer’s audit trail is not in the form of a table”). In my
`
`opinion, Patent Owner’s and Dr. Medvidovic’s analysis is incomplete and
`
`conclusory because it does not provide any reasoning as to why Swimmer’s audit
`
`trail is not in the form of a “table.”
`
`12
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`25.
`
`I disagree with the conclusion that Swimmer’s audit trail is not in the
`
`form of a table, and it is my opinion that one of ordinary skill in the art would have
`
`understood Swimmer’s audit trail to be a “table.” As can be seen above,
`
`Swimmer’s audit trail consists of rows of audit records with each audit record
`
`having the same number of columns: “<code segment, RecType, StartTime,
`
`EndTime, function number, arg ( .. ),ret( .. )>.” See Swimmer, p. 9.
`
`26. Additionally, this analysis is consistent with the definition for “table”
`
`provided in the 3rd edition of the Microsoft Computer Dictionary. Although, used
`
`in connection with relational databases, a table is defined in terms of “rows and
`
`columns.”
`
`MSCD, p. 17 (highlighting added).
`
`13
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`27.
`
`For illustration, I have organized Swimmer’s audit trial into a MS Word
`
`table where, each audit record represents a row and the fields represent columns.
`
`Although, certain fields (e.g., arg ()) have variable size lengths, this is still
`
`consistent with one of ordinary skill in the art’s understanding of a flat file
`
`database, since the number of fields remains constant. For example, Douglas
`
`Comer in “The Flat File Database Generator Ffg” provides the following
`
`description of a “flat-file database.” Comer, p. 3 (“A flat file is the simplest
`
`possible database. It consists of a single text file, F, containing zero or more lines,
`
`where each line is thought of as a record. Records are further divided into k fields,
`
`f1, f 2, …, fk by k-l occurrences of a distinguished separator character, S. Although
`
`k is fixed over all records, the length of individual fields is not.”), p. 2 (Abstract).
`
`Record
`#
`1
`2
`
`Code
`Segment
`CS=3911 Type=0
`CS=3911 Type=0
`
`RecType Function
`number
`Fn=30
`Fn=29
`
`Arguments
`
`arg()
`arg()
`
`3
`
`4
`
`5
`
`CS=3911 Type=0
`
`Fn=64
`
`CS=3911 Type=0
`
`Fn=51
`
`CS=3911 Type=0
`
`Fn=51
`
`arg ( AL=61 CL=3
`str1=*.COM)
`arg ( AL=0
`str1=COMMAND.COM)
`
`arg( AL=1
`str1=COMMAND .
`
`Return
`Value(s)
`ret ( AX=5)
`ret (
`BX=128
`ES=3911)
`ret( AL=0
`CF=0)
`ret( AL=0
`CX=32
`CF=0)
`ret(AL=0
`CX=32
`
`14
`
`
`
`Record
`#
`
`Code
`Segment
`
`RecType Function
`number
`
`CS=3911 Type=0
`
`Fn=45
`
`Arguments
`
`COM)
`arg( AL=2 CL=32
`str1=COMMAND.COM)
`
`CS=3911 Type=0
`
`Fn=73
`
`arg( BX=5)
`
`CS=3911 Type=0
`
`Fn=27
`
`arg()
`
`CS=3911 Type=0
`
`Fn=47
`
`CS=3911 Type=0
`
`Fn=50
`
`CS=3911 Type=0
`
`Fn=48
`
`CS=3911 Type=0
`
`Fn=50
`
`CS=3911 Type=0
`
`Fn=48
`
`CS=3911 Type=0
`
`Fn=74
`
`arg( BX=5 CX=3
`DX=828 DS=3911)
`arg( AL=2 BX=5 CX=0
`DX=0)
`
`arg( BX=5 CX=648
`DX=313 DS=3911 l
`
`arg( AL=0 BX=5 CX=0
`DX=0)
`
`arg( BX=5 CX=3
`DX=831 DS=3911)
`arg(BX=5 CX=10271
`DX=6206)
`arg( BX=5)
`arg( AL=1
`str1=COMMAND.COM)
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`16
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Return
`Value(s)
`CF=0)
`ret( AL=0
`AX=5
`CF=0)
`ret(
`CX=10241
`DX=6206
`CF=0)
`ret (
`CX=5121
`DX=8032)
`ret( AX=3
`CF=0)
`ret( AL=0
`AX=50031
`DX=
`CF=0)
`ret(
`AX=648
`CF=0)
`ret( AL=0
`AX=0
`DX=0
`CF=0)
`ret( AX=3
`CF=0)
`ret( CF=0)
`
`CS=3911 Type=0
`CS=3911 Type=0
`
`Fn=46
`Fn=51
`
`ret( CF=0)
`ret( AL=0
`CX=32
`CF=0)
`28. As an another example, Glen Fowler in “cql – A Flat File Database
`
`Query Language” describes the UNIX password database, which is stored in a file
`
`at /etc/passwd as: “The example database is /etc/passwd with the record schema:
`
`15
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`name:passwd:uid:gid:info:home:shell where : is the field delimiter, uid and gid are
`
`numeric fields, and the remaining fields are strings.” Fowler, p. 6 (emphasis
`
`added); see also Comer, p. 6 (“Our local version of UNIX contains many fiat files.
`
`One of the more well known, /etc /passwd contains a record for each user; it
`
`associates a symbolic name, encrypted password, and other information with the
`
`user's login id.”). Thus, like Swimmer’s audit trail, the UNIX password database is
`
`a series of records, that form a table with each record being a row and the record
`
`fields forming the columns of the table. Accordingly, in my opinion one of
`
`ordinary skill in the art, would have considered Swimmer’s audit trail to be a flat-
`
`file database much like the UNIX password database, the primary difference
`
`between the two being the particular fields used.
`
`29. As can be seen, the definition of “flat-file database” provided in the
`
`3rd edition of the Microsoft Computer Dictionary appears to be somewhat circular
`
`since it uses the term “database” – “A database that takes the form of a table.”
`
`Since the definition is circular, I will rely on the Board’s construction of the term
`
`“database.” As discussed in my prior declaration, Swimmer’s flat-file database
`
`(e.g., Swimmer’s audit trail or sequence of audit records) satisfies the Board’s
`
`construction of database: “a collection of interrelated data organized according to a
`
`database schema to serve one or more applications.” Decision, p. 11; See
`
`Davidson Decl., ¶ 107-11.
`
`16
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`30.
`
`In my opinion, based on at least the above, one of ordinary skill in the
`
`art would have understood Swimmer’s audit trail to be organized according to a
`
`database schema (e.g., a “table”, which in Swimmer’s usage is made up of a
`
`sequence of audit records having a particular format). This audit trail serves the
`
`ASAX application, which analyzes the audit trail for viruses. Swimmer, p. 1 (“the
`
`expert system ASAX is used to analyse the stream of data whicg [sic] the emulator
`
`produces”), p. 2 (“ASAX analyse[s] arbitrary sequential files . ., [which] is the
`
`activity data record produced by the PC emulator”).
`
`ii. Swimmer Teaches a Database Schema Even Under Patent Owner’s
`Definition
`
`31.
`
`It is my understanding that Patent Owner through Dr. Medvidovic
`
`wishes to further provide context for the phrase database schema found in Patent
`
`Owner’s own construction, which the Board ultimately adopted. According to
`
`Patent Owner, a “database schema” is “‘a description of a database to a database
`
`management system (DBMS) in the language provided by the DBMS.’
`
`Medvidovic, ¶¶ 60, 116, 148 (citing Ex. 2024 at 421, Ex. 2026, Dictionary of
`
`Computer Words at 62).” PO Resp., p. 38-39.
`
`17
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`MSCD, p. 12 (highlighting added); Ex. 2024 at 421.
`
`32.
`
`Swimmer’s teachings are consistent with the above definition cited by
`
`Patent Owner that a “schema defines aspects of the database, such as attributes
`
`(fields).” As discussed above, Swimmer provides a description of the fields of the
`
`database records (e.g., audit records) stored in a flat-file database. See Swimmer,
`
`p. 9 (“<code segment, RecType, StartTime, EndTime, function number, arg ( ..
`
`),ret( .. )>”).
`
`33. As discussed by Glen Fowler in “cql – A Flat File Database Query
`
`Language,” such a description could be used to query and retrieve information
`
`from the flat-file database. Fowler, p. 5 (“cql is a UNIX system tool that applies C
`
`style query expressions to flat file databases.”). For example, Fowler teaches a
`
`language for describing and querying a flat-file database using the description of a
`
`single record. The particular example given by Fowler is tuned to the UNIX
`
`password database, which defines the records as:
`
`name:passwd:uid:gid:info:home:shell. Fowler, p. 6.
`
`18
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Fowler, p. 7.
`
`34.
`
`In my opinion, one of ordinary skill in the art would have understood
`
`that Swimmer teaches a description of a database (e.g., “<code segment, RecType,
`
`StartTime, EndTime, function number, arg ( .. ),ret( .. )>”) to a database
`
`management system (DBMS) in the language provided by the DBMS (e.g., cql).
`
`35. As introduced above, it is my understanding that Patent Owner further
`
`argues that a “database schema” is “a description of a database to a database
`
`management system (DBMS) in the language provided by the DBMS.” See e.g.,
`
`Medvidovic, ¶¶ 60. Based on this narrow definition, it is my opinion that this is an
`
`attempt to limit the types of databases covered by the ‘494 patent claims. See
`
`Medvidovic Tr. 102:18-103:5 (listing four types of databases: “flat-file,”
`
`“relational,” “object oriented,” and “NoSQL”). According to Dr. Medvidovic, the
`
`‘494 patent could not have contemplated a “NoSQL” database, since they only
`
`emerged in the last 5 to 10 years. Medvidovic Tr. 107:6-9, 108:23-109:2.
`
`19
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`36. According to Dr. Medvidovic, this leaves potentially three types of
`
`databases. Two types of databases were well-known by the time of the ‘494
`
`patent (relational and flat-file), the other (object-oriented) was still fairly new, with
`
`relational being the “most successful.” Medvidovic Tr. 109:7-17 (“I believe
`
`relational, object-oriented, and flat-file databases have been around for a while. I
`
`think I studied both flat-file and relational databases as an undergraduate. And I
`
`think by the early 1990s object-oriented databases were emerging as a new attempt
`
`at organizing data in a database. So they existed back then. I think that over time
`
`now, looking back historically, by far the most successful paradigm has been
`
`relational databases”).
`
`37. Because Swimmer, teaches a flat-file database audit trail, Patent
`
`Owner’s further interpretation of database schema can be understood as an attempt
`
`to draw an arbitrary line between the two most well-known database forms. In my
`
`opinion, this line is arbitrary because the ‘494 patent provides no discussion of flat-
`
`file databases vs. relational databases. The ‘494 patent merely describes what is
`
`stored in the “security database,” which is “security information” (e.g., DSP data),
`
`and does limit the database to a particular type of database. ‘194 patent, col. 3:47-
`
`50 (“The data storage device 230 stores a security database 240, which includes
`
`security information”), col. 4:14-18 (The security program 255 operates in
`
`conjunction with the security database 240, which includes security policies 305,
`
`20
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`known Downloadables 307, known Certificates 309 and Downloadable Security
`
`Profile (DSP) data 310 corresponding to the known Downloadables 307”), FIG. 3.
`
`As acknowledged by the Board, the ‘494 patent does not disavow the scope of the
`
`term database. Dec., p. 10. Therefore, the full scope of the term should include at
`
`least relational and flat-file databases.
`
`38.
`
`In any event, as discussed in my previous declaration, it is my
`
`opinion that one of ordinary skill in the art would have found it obvious to
`
`substitute any known storage format for Swimmer’s flat-file database including a
`
`relational database. See Davidson Decl. ¶ 111.
`
`39.
`
`Specifically with regard to audit records which form the audit trail,
`
`Swimmer explicitly cites to Dorothy Denning’s paper on intrusion detection.
`
`Swimmer, p. 9 (“Audit records representing the program behaviour in general, and
`
`virus activity in particular, have a pattern which is borrowed from the Dorothy
`
`Denning’s model of Intrusion Detection [Den87]”), Swimmer, p. 14 (“[Den87]
`
`Dorothy E. Denning. ‘An intrusion detection model’, IEEE Transactions on
`
`Software Engineering, 13-2:222, Feb 1987”).
`
`40.
`
`In this paper, Denning teaches that records (e.g., audit records) may
`
`be stored in relational databases. Denning, p. 6 (“Additional structure may also be
`
`imposed, e.g., records may be grouped into files or database relations; files may be
`
`grouped into directories. Different environments may require different object
`
`21
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`granularity; e.g., for some database applications, granularity at the record level
`
`may be desired”).
`
`Denning, p. 6.
`
`C.
`
`41.
`
`Swimmer Teaches “Storing” After “Deriving”
`
`Swimmer teaches that an emulator or virtual machine may be used to
`
`generate/derive individual audit records and over the course of execution an audit
`
`trail (list of audit records). Swimmer, p. 9 (“The audit record attributes of records
`
`as collected by the PC emulator have the following meaning: code segment is the
`
`address in memory of the executable image of the program; function number is the
`
`number of the DOS function requested by the program; arg ( .. ) is a list of
`
`register/memory values used in the call to a DOS function; ret( .. ) is a list of
`
`register/memory values as returned by the function call; RecType is the type of the
`
`22
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`record; StartTime and EndTime are the time stamp of action start and end
`
`respectively. The final format for an MS-DOS audit record is as follows: <code
`
`segment, RecType, StartTime, EndTime, function number, arg ( .. }, ret( .. )>”).
`
`42.
`
`Swimmer teaches that the audit trail is stored in at least two formats: a
`
`native file format and an NADF file format. Swimmer, p. 12 (“the sequential file
`
`is the activity data record produced by the PC emulator. The universality is
`
`attained by translating native files to a generic format which is the only one
`
`supported by the evaluator. The format is simple and flexible enough to allow
`
`straightforward conversion of most file formats. This generic format is referred to
`
`as the Normalized Audit Data Format (NADF). An NADF file is a sequential file
`
`of records in NADF format.”) (emphasis added).
`
`43. Because it is technically infeasible to store data in a file before the
`
`data itself is derived/generated, Swimmer teaches “storing the Downloadable
`
`security profile data in a database” after it is derived.
`
`44.
`
`In my opinion, one of ordinary skill in the art would have understood
`
`each of Swimmer’s audit record to be “security profile data.” Additionally, each
`
`audit record is a list of suspicious computer operations, because one of ordinary
`
`skill in the art would have considered “a list” to be 0, 1, or more items, as
`
`confirmed by Dr. Medvidovic. Medvidovic Tr., p. 90:14-24. Accordingly,
`
`iteratively storing each audit record one by one as it is generated stores the
`
`23
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`“security profile data” in a database, since each audit record itself is a list of
`
`suspicious operations. See PO Resp., p. 28-29; Medvidovic Decl., ¶ 79.
`
`45.
`
`In my opinion, one of ordinary skill in the art would have understood
`
`an individual audit record or even a portion of an audit record to be “data” because
`
`an audit record is an “item of information.” In my opinion, the interpretation of
`
`“data” as “item of information” is consistent with how the term would have been
`
`understood by one of ordinary skill in the art. For example, the 3rd edition of the
`
`Microsoft Computer Dictionary provides the following definition for “data”:
`
`MSCD, p. 6.
`
`46.
`
`If it is understood that Patent Owner is requiring that the entire
`
`security profile be derived before it is stored, it is my opinion that this more narrow
`
`interpretation would have also been obvious based on Swimmer. As discussed
`
`above, Swimmer teaches generating a native format audit trail file, which is then
`
`converted into an NADF format file. In my opinion, it would have been obvious
`
`for one of ordinary skill in the art to wait for the entire native file to be generated
`
`and then convert the native file to the NADF file format. One of ordinary skill
`
`would have considered both the native format and NADF format to be flat-file
`
`24
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`databases.
`
`Indeed, Swimmer establishes the equivalency between the native and
`
`NADF formats. Swimmer, p. 10 (“the audit trail complies to a canonical format,
`
`which is also ASAX’s native format”); see also Mounji, p. 5 (“Native files can be
`
`erased after being converted since they are semantically redundant with NADF
`
`files”).
`
`Swimmer Does Not “Teach Against” the Use of the Claimed
`D.
`Downloadable Scanner
`
`47.
`
`Patent Owner argues that Swimmer “teaches against” use of the
`
`claimed downloadable scanner. See, e.g., PO Resp., p. 29 (“However, Swimmer
`
`does not disclose the ‘Downloadable scanner,’ and actually teaches against the use
`
`of scanners by reasoning that they are easily circumvented. Swimmer at 000003, ¶¶
`
`1–5.”), p. 4.
`
`In the cited section, however, Swimmer is discussing and
`
`recognizing the limitations of a specific type of scanner (i.e., a simple pattern
`
`matching scanner), which is different from the claimed scanner. According to
`
`Swimmer, these pattern matching scanners had difficulty detecting the new types
`
`of encrypted and polymorphic virus. Swimmer, p. 3 (“The term scanner has
`
`become increasingly incorrect terminology. The term comes from lexical scanner,
`
`i.e. a pattern matching tool…. Finding such strings was the entire art of anti-virus
`
`program writing until polymorphic viruses appeared on the scene. Encrypted
`
`viruses were the first minor challenge to string searching methods.”).
`
`25
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`48.
`
`I previously described such scanners in my previous declaration in
`
`support of the Petition. Davidson Decl., ¶ 44-47. Since these are simple pattern
`
`matching scanners, these types of scanners do not care what the bytes under
`
`analysis are trying to perform.
`
`In fact, the patterns themselves may not be
`
`operations at all. Davidson Tr., 49:20-53:5. This is made clear by Swimmer.
`
`Swimmer, p. 3 (“When polymorphic technology improved, statistical analysis of
`
`the opcodes was used”).
`
`49.
`
`In contrast, as also set forth in my prior declaration, both the
`
`downloadable scanner described and claimed by the ‘494 patent and Swimmer’s
`
`emulator (the asserted downloadable scanner) analyze and understand the opcodes
`
`of the Downloadable being analyzed. Davidson Decl., ¶ 98-104; ‘194 patent, col.
`
`9:20- 25 (“The code scanner 325 in step 710 resolves a respective command in the
`
`machine code”); Swimmer, p. 8 (“The solution wh
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
