`U.S. Patent No. 8,677,494
`
`Filed on behalf of Symantec Corporation
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL
`AND APPEAL BOARD
`
`SYMANTEC CORPORATION
`
`Petitioner
`
`v.
`
`FINJAN, INC.
`
`Patent Owner
`
`IPR2015-01892
`U.S. Patent No. 8,677,494
`
`DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF
`PETITIONER PURSUANT TO 37 C.F.R. § 42.120
`
`Symantec 1027
`IPR2015-01892
`Symantec v. Finjan
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Declaration of Jack W. Davidson
`In Support of Petitioner Pursuant to 37 C.F.R. § 42.120
`
`I, Jack W. Davidson, declare as follows:
`
`I. Overview
`
`1.
`
`I am over 21 years of age and otherwise competent to make this
`
`Declaration. I make this Declaration based upon facts and matters within my own
`
`knowledge and on information provided to me by others.
`
`I have used my
`
`education and my years of experience working in the field of software design,
`
`computer security, and my understanding of the knowledge, creativity, and
`
`experience of a person of ordinary skill in the art, in forming the opinions
`
`expressed in this report.
`
`2.
`
`I have been retained as an expert witness to provide testimony on
`
`behalf of Symantec Corporation (“Symantec” or “Petitioner”) as part of the above-
`
`captioned inter partes review proceeding (“IPR”), including issues relating to the
`
`validity of U.S. patent number 8,677,494 (“the ‘494 patent”), entitled “Malicious
`
`mobile code runtime monitoring system and methods.” I also understand that the
`
`‘494 patent was filed on November 7, 2011 and issued on March 18, 2014 and that
`
`the ‘494 patent is assigned to Finjan, Inc. (“Finjan” or “Patent Owner”).
`
`3.
`
`I am being compensated for my time in connection with this IPR at a
`
`rate of $400 per hour. I am also being compensated for any out-of-pocket expenses
`
`1
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`for my work in this review. My compensation as an expert is in no way dependent
`
`upon the results of any investigations I undertake, the substance of any opinion I
`
`express, or the ultimate outcome of the review proceedings. I have been advised
`
`that Bryan Cave LLP represents the Petitioner Symantec Corporation. in this
`
`matter.
`
`I have no personal or financial stake or interest in the outcome of this
`
`matter.
`
`4.
`
`I understand that the petition filed in this proceeding raised four
`
`proposed grounds challenging claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ‘494
`
`Patent. I have reviewed the Board’s decision on the petition and its decision on
`
`Patent Owner’s request for rehearing and also understand that the Patent Trial and
`
`Appeal Board (“the Board”) granted the petition with respect to the following
`
`ground of unpatentability:
`
`
`
`5.
`
`Claims 1, 2, 5, 6, 10, 11, 14, and 15 are unpatentable under § 103 over
`Swimmer (Ex. 1005).
`
`I understand that Patent Owner has submitted a response to
`
`Symantec’s petition, together with a declaration by Dr. Nenad Medvidovic. In
`
`particular, I understand that Patent Owner and Dr. Medvidovic are challenging
`
`Symantec’s arguments and evidence that claims 1, 2, 5, 6, 10, 11, 14, and 15 of
`
`the ‘494 patent are unpatentable over the Swimmer reference (Ex. 1005).
`
`2
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`6.
`
`I have been asked to provide my technical analysis and opinions
`
`regarding Patent Owner’s response and the corresponding declaration by Dr.
`
`Medvidovic, which are set forth in detail in this declaration. This declaration
`
`supplements my previous declaration in support of Symantec’s petition.
`
`7.
`
`A detailed explanation of my background and qualifications, as well
`
`as my expertise in the relevant technology, is provided in my previous declaration.
`
`See Davidson Decl., ¶¶ 9-27. I have also provided an updated copy of my
`
`curriculum vitae. See Symantec Exhibit _____. Additionally, in my previous
`
`declaration, I set forth what I believe to be a person of ordinary skill in the art of
`
`the subject matter of the ‘494 Patent, including the skillset, education, experience
`
`and knowledge such a person would have possessed. See Davidson Decl., ¶¶ 28-
`
`30. I have relied on these same principles and definitions in reaching my opinions
`
`in this declaration. I also understand that Dr. Medvidovic has provided a different
`
`definition for the person of ordinary skill in the art.
`
`It is my opinion, that the
`
`opinions set forth in my original declaration and this declaration would remain the
`
`same under either party’s definition of the person of ordinary skill in the art.
`
`II. Analysis of Patent Owner’s Response and Dr. Medvidovic’s Testimony
`
`A. Swimmer’s Audit Trail is Stored
`
`3
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`8.
`
`In my opinion, the term storing is well understood by those of
`
`ordinary skill in the art and requires no further construction. Indeed, the Microsoft
`
`Computer Dictionary does not even provide a definition for the term “store” or
`
`“storing.”
`
`9.
`
`Patent Owner construes “storing” as “placing the derived DSP data
`
`into the database.” PO Resp., p. 13. In offering, this construction, Patent Owner
`
`relies on a definition of “store” as “to place data into a storage device…” PO
`
`Resp., p. 13.
`
`In my opinion, Patent Owner’s reliance is misplaced because a
`
`storage device implicates a physical medium, while a database is a logical
`
`construct. See ‘194 patent, col. 3:47 (“The data storage device 230 stores a
`
`security database 240”). See MSCD, p. 16:
`
`10.
`
`Patent Owner appears to rely on Swimmer’s disclosure of a “stream of
`
`data” to support an argument that Swimmer’s audit trail is not stored:
`
`In contrast to this procedure, Swimmer relies on pipeline processing
`where the stream of data produced by the emulator is immediately
`
`4
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`consumed, without the additional step of storing anything in a
`database. Swimmer at 1 (“ASAX is used to analyse the stream of data
`which the emulator produces”). Rather, this pipeline processing
`merely involves converting emulation data into generic data, and
`piping its output as a NADF file for further processing.. See id. at 7
`(“The first ASAX system reads the raw audit trail, converts it into
`generic data, and pipes its output as a NADF file for further
`processing (see Section 5).”). Thus, Swimmer never first derives
`activity data, including a list of MS-DOS functions, and then stores
`the activity data in a database.
`
`P.O. Resp. p. 46, 19.
`
`11.
`
`It is my opinion that one of ordinary skill in the art would have
`
`understood that Swimmer teaches that the list of suspicious operations (i.e., audit
`
`trail) is actually stored at least twice. For example, as cited by Patent Owner,
`
`Swimmer teaches that the emulator data is converted from a native format, which
`
`is then converted to an NADF file. Swimmer also teaches that the data in native
`
`format is also stored in a “file.” Swimmer, p. 12 (“In the context of this paper, the
`
`sequential file is the activity data record produced by the PC emulator. The
`
`universality is attained by translating native files to generic format which is the
`
`only one supported by the evaluator.”).
`
`In this context, the generic format is the
`
`NADF file discussed on page 7 of Swimmer. Swimmer, p. 12 (“This generic
`
`format is referred to as the Normalized Audit Data Format (NADF)”).
`
`5
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`12.
`
`In his declaration, Dr. Medvidovic also opines that Swimmer does not
`
`teach “storing.” For example:
`
` “That type of conversion does not actually place any data into storage
`
`of any type, let alone into a database.” Ex. 2007, ¶ 71.
`
` “In an attempt to solve this problem, Swimmer discloses generating a
`
`pipeline of system activity data to be processed immediately rather
`
`than storing any information, let alone storing system activity data in a
`
`database. “ Ex. 2007, ¶ 107.
`
` “‘storing’ is an action that is never used in describing Swimmer’s
`
`process of generating an audit trail.” Ex. 2007, ¶ 111.
`
`It is my opinion, however, that Dr. Medvidovic’s analysis is incomplete at
`
`least because it fails to address the term “file” and how it is used by Swimmer and
`
`how the term “file” is understood by one of ordinary skill in the art.
`
`13.
`
`It is my opinion, that one of ordinary skill in the art would have
`
`understood a file to be a “basic unit of storage.” For example, the 3rd edition of the
`
`Microsoft Computer Dictionary defines a file as:
`
`6
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`MSCD, p. 7 (highlighting added).
`
`14. Because, as discussed above, Swimmer teaches converting the audit
`
`trail data (i.e., list of suspicious operations) from one file format to another (e.g., a
`
`native format to an NADF format file), it is my opinion that one of ordinary skill in
`
`the art would have understood that Swimmer teaches that the list of suspicious
`
`operations is stored. See Swimmer, p. 12.
`
`15.
`
`Furthermore, Swimmer discusses the RUSSEL language and its use in
`
`ASAX. RUSSEL is the language for specifying rules for identifying malware.
`
`Swimmer, p. 4 (“Before we can attempt to detect a virus using ASAX, we need to
`
`model the virus attack strategy. This is then translated into RUSSEL, the rule-
`
`based language which ASAX uses to identify the virus attack”). In discussing the
`
`power of RUSSEL, Swimmer states that RUSSEL is designed to facilitate search
`
`for arbitrary patterns of records in sequential files. Swimmer, p. 12 (“RUSSEL
`
`(RUle-baSed Sequence Evaluation Language) is a novel language, specifically
`
`7
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`tailored to the problem of searching arbitrary patterns of records in sequential
`
`files”). In my opinion, one of ordinary skill in the art would have understood that a
`
`list of suspicious operations is stored in a file for processing by a RUSSEL
`
`program.
`
`16. Beyond the use of “files” as storage, Swimmer explains that the stored
`
`audit trail data must be secured against attack. Swimmer, p .7 (“In addition,
`
`integrity of the ID system itself must not be compromised: this means that the audit
`
`data retrieval, analysis and archiving must be secured against corruption by
`
`viruses”) (emphasis added).
`
`In my opinion, one of ordinary skill would have
`
`understood that both “archiving” and “retrieval” of the audit trail data would have
`
`meant that such data was stored. Additionally, this view is consistent with and
`
`supported by definitions for “archive” and “retrieve” and provided by the 3rd
`
`edition of the Microsoft Computer Dictionary, which are both connected to
`
`“storage”:
`
`MSCD, p. 11 (highlighting added).
`
`8
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`MSCD, p. 4 (highlighting added).
`
`17.
`
`In my opinion, although Swimmer does not explicitly use the word
`
`“storing,” Patent Owner takes a much too narrow view of Swimmer’s disclosure
`
`and ignores other disclosure, which would have indicated to one of ordinary skill
`
`in the art that Swimmer stored the audit trail data (e.g., in or more files for
`
`retrieval, archival, and/or analysis). See also, Swimmer, p. 11-12 (“Two versions
`
`of the ASAX system are currently available. The single audit trail analysis version
`
`is applicable only to a single audit trail. The other version allows a distributed
`
`analysis of multiple audit trails produced at various machines on a network. In the
`
`latter version, ASAX filters audit data at each monitored node and analyses the
`
`filtered data gathered at a central host”).
`
`18. Mounji, which is cited on page 14 of Swimmer, discusses the
`
`conversion of audit trails from native file format to NADF format. Mounji, p. 5
`
`9
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`(“This process translates audit trails generated by auditd to the NADF format.
`
`Native files can be erased after being converted since they are semantically
`
`redundant with NADF files”). In my opinion, one or ordinary skill in the art would
`
`have understood that to erase something it must be stored
`
`19.
`
`Furthermore, Mounji discusses the advantages of storing the list of
`
`suspicious operations as they can be reanalyzed. Mounji, p. 5 (“Keeping converted
`
`files instead of native files has several advantages: the files are converted only
`
`once and can be reanalyzed several times without requiring a new conversion”).
`
`In my opinion, one of skill in the art would have understood that to reanalyze the
`
`audit trail several times without requiring a new conversion would have meant that
`
`the audit trail was stored.
`
`20.
`
`It is my opinion that even under Patent Owner’s “data stream” theory
`
`Swimmer would have still stored a list of suspicious operations. For example,
`
`during each stage of Swimmer’s “pipeline” at least some portion of the audit trail
`
`data would have been stored. For example, one of ordinary skill in the art would
`
`have understood that generation of the audit record data by emulation, conversion
`
`of the data from native to NADF format, and analysis by ASAX by Swimmer’s
`
`VIDES system would have at least required storage of such data in memory or in
`
`one or more registers at points along the “pipeline.” This is simply how
`
`conventional digital computer systems such as the x86 operate.
`
`10
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`B. Swimmer’s Audit Trail Data is Stored in a Database
`
`i. Swimmer’s Audit Trail is a Flat File Database
`
`21.
`
`Swimmer teaches that it captures audit records for DOS programs
`
`under emulation. Swimmer also teaches that each audit record has a specific set of
`
`fields (i.e., a schema). In particular, Swimmer teaches that the audit records have
`
`the following format: <code segment, RecType, StartTime, EndTime, function
`
`number, arg ( .. ),ret( .. )>. See Swimmer, p. 9 (reproduced below).
`
`22. As in my previous declaration, it is my opinion that one of ordinary
`
`skill in the art would have considered Swimmer’s audit trails, such as the one
`
`excerpted above for the Vienna virus, to be a “flat-file database.” See Davidson
`
`11
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Decl., ¶ 107-09. These audit trails are a sequence of audit records, with each audit
`
`record having been stored according to the same schema discussed above.
`
`23.
`
`I understand that Patent Owner argues that the audit trail is not a flat
`
`file database, but is instead a mere flat-file. In support, Patent Owner relies on the
`
`definitions provided in the 3rd edition of the Microsoft Computer Dictionary:
`
`MSCD, p. 8.
`
`24.
`
`Patent Owner and Dr. Medvidovic argue that based on the definition
`
`of “flat-file database,” Swimmer’s audit trail is not a “table” and thus not a flat-file
`
`database. Medvidovic, ¶ 140 (“a person of ordinary skill in the art would
`
`understand the term, Swimmer’s audit trail is not in the form of a table”). In my
`
`opinion, Patent Owner’s and Dr. Medvidovic’s analysis is incomplete and
`
`conclusory because it does not provide any reasoning as to why Swimmer’s audit
`
`trail is not in the form of a “table.”
`
`12
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`25.
`
`I disagree with the conclusion that Swimmer’s audit trail is not in the
`
`form of a table, and it is my opinion that one of ordinary skill in the art would have
`
`understood Swimmer’s audit trail to be a “table.” As can be seen above,
`
`Swimmer’s audit trail consists of rows of audit records with each audit record
`
`having the same number of columns: “<code segment, RecType, StartTime,
`
`EndTime, function number, arg ( .. ),ret( .. )>.” See Swimmer, p. 9.
`
`26. Additionally, this analysis is consistent with the definition for “table”
`
`provided in the 3rd edition of the Microsoft Computer Dictionary. Although, used
`
`in connection with relational databases, a table is defined in terms of “rows and
`
`columns.”
`
`MSCD, p. 17 (highlighting added).
`
`13
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`27.
`
`For illustration, I have organized Swimmer’s audit trial into a MS Word
`
`table where, each audit record represents a row and the fields represent columns.
`
`Although, certain fields (e.g., arg ()) have variable size lengths, this is still
`
`consistent with one of ordinary skill in the art’s understanding of a flat file
`
`database, since the number of fields remains constant. For example, Douglas
`
`Comer in “The Flat File Database Generator Ffg” provides the following
`
`description of a “flat-file database.” Comer, p. 3 (“A flat file is the simplest
`
`possible database. It consists of a single text file, F, containing zero or more lines,
`
`where each line is thought of as a record. Records are further divided into k fields,
`
`f1, f 2, …, fk by k-l occurrences of a distinguished separator character, S. Although
`
`k is fixed over all records, the length of individual fields is not.”), p. 2 (Abstract).
`
`Record
`#
`1
`2
`
`Code
`Segment
`CS=3911 Type=0
`CS=3911 Type=0
`
`RecType Function
`number
`Fn=30
`Fn=29
`
`Arguments
`
`arg()
`arg()
`
`3
`
`4
`
`5
`
`CS=3911 Type=0
`
`Fn=64
`
`CS=3911 Type=0
`
`Fn=51
`
`CS=3911 Type=0
`
`Fn=51
`
`arg ( AL=61 CL=3
`str1=*.COM)
`arg ( AL=0
`str1=COMMAND.COM)
`
`arg( AL=1
`str1=COMMAND .
`
`Return
`Value(s)
`ret ( AX=5)
`ret (
`BX=128
`ES=3911)
`ret( AL=0
`CF=0)
`ret( AL=0
`CX=32
`CF=0)
`ret(AL=0
`CX=32
`
`14
`
`
`
`Record
`#
`
`Code
`Segment
`
`RecType Function
`number
`
`CS=3911 Type=0
`
`Fn=45
`
`Arguments
`
`COM)
`arg( AL=2 CL=32
`str1=COMMAND.COM)
`
`CS=3911 Type=0
`
`Fn=73
`
`arg( BX=5)
`
`CS=3911 Type=0
`
`Fn=27
`
`arg()
`
`CS=3911 Type=0
`
`Fn=47
`
`CS=3911 Type=0
`
`Fn=50
`
`CS=3911 Type=0
`
`Fn=48
`
`CS=3911 Type=0
`
`Fn=50
`
`CS=3911 Type=0
`
`Fn=48
`
`CS=3911 Type=0
`
`Fn=74
`
`arg( BX=5 CX=3
`DX=828 DS=3911)
`arg( AL=2 BX=5 CX=0
`DX=0)
`
`arg( BX=5 CX=648
`DX=313 DS=3911 l
`
`arg( AL=0 BX=5 CX=0
`DX=0)
`
`arg( BX=5 CX=3
`DX=831 DS=3911)
`arg(BX=5 CX=10271
`DX=6206)
`arg( BX=5)
`arg( AL=1
`str1=COMMAND.COM)
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`16
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Return
`Value(s)
`CF=0)
`ret( AL=0
`AX=5
`CF=0)
`ret(
`CX=10241
`DX=6206
`CF=0)
`ret (
`CX=5121
`DX=8032)
`ret( AX=3
`CF=0)
`ret( AL=0
`AX=50031
`DX=
`CF=0)
`ret(
`AX=648
`CF=0)
`ret( AL=0
`AX=0
`DX=0
`CF=0)
`ret( AX=3
`CF=0)
`ret( CF=0)
`
`CS=3911 Type=0
`CS=3911 Type=0
`
`Fn=46
`Fn=51
`
`ret( CF=0)
`ret( AL=0
`CX=32
`CF=0)
`28. As an another example, Glen Fowler in “cql – A Flat File Database
`
`Query Language” describes the UNIX password database, which is stored in a file
`
`at /etc/passwd as: “The example database is /etc/passwd with the record schema:
`
`15
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`name:passwd:uid:gid:info:home:shell where : is the field delimiter, uid and gid are
`
`numeric fields, and the remaining fields are strings.” Fowler, p. 6 (emphasis
`
`added); see also Comer, p. 6 (“Our local version of UNIX contains many fiat files.
`
`One of the more well known, /etc /passwd contains a record for each user; it
`
`associates a symbolic name, encrypted password, and other information with the
`
`user's login id.”). Thus, like Swimmer’s audit trail, the UNIX password database is
`
`a series of records, that form a table with each record being a row and the record
`
`fields forming the columns of the table. Accordingly, in my opinion one of
`
`ordinary skill in the art, would have considered Swimmer’s audit trail to be a flat-
`
`file database much like the UNIX password database, the primary difference
`
`between the two being the particular fields used.
`
`29. As can be seen, the definition of “flat-file database” provided in the
`
`3rd edition of the Microsoft Computer Dictionary appears to be somewhat circular
`
`since it uses the term “database” – “A database that takes the form of a table.”
`
`Since the definition is circular, I will rely on the Board’s construction of the term
`
`“database.” As discussed in my prior declaration, Swimmer’s flat-file database
`
`(e.g., Swimmer’s audit trail or sequence of audit records) satisfies the Board’s
`
`construction of database: “a collection of interrelated data organized according to a
`
`database schema to serve one or more applications.” Decision, p. 11; See
`
`Davidson Decl., ¶ 107-11.
`
`16
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`30.
`
`In my opinion, based on at least the above, one of ordinary skill in the
`
`art would have understood Swimmer’s audit trail to be organized according to a
`
`database schema (e.g., a “table”, which in Swimmer’s usage is made up of a
`
`sequence of audit records having a particular format). This audit trail serves the
`
`ASAX application, which analyzes the audit trail for viruses. Swimmer, p. 1 (“the
`
`expert system ASAX is used to analyse the stream of data whicg [sic] the emulator
`
`produces”), p. 2 (“ASAX analyse[s] arbitrary sequential files . ., [which] is the
`
`activity data record produced by the PC emulator”).
`
`ii. Swimmer Teaches a Database Schema Even Under Patent Owner’s
`Definition
`
`31.
`
`It is my understanding that Patent Owner through Dr. Medvidovic
`
`wishes to further provide context for the phrase database schema found in Patent
`
`Owner’s own construction, which the Board ultimately adopted. According to
`
`Patent Owner, a “database schema” is “‘a description of a database to a database
`
`management system (DBMS) in the language provided by the DBMS.’
`
`Medvidovic, ¶¶ 60, 116, 148 (citing Ex. 2024 at 421, Ex. 2026, Dictionary of
`
`Computer Words at 62).” PO Resp., p. 38-39.
`
`17
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`MSCD, p. 12 (highlighting added); Ex. 2024 at 421.
`
`32.
`
`Swimmer’s teachings are consistent with the above definition cited by
`
`Patent Owner that a “schema defines aspects of the database, such as attributes
`
`(fields).” As discussed above, Swimmer provides a description of the fields of the
`
`database records (e.g., audit records) stored in a flat-file database. See Swimmer,
`
`p. 9 (“<code segment, RecType, StartTime, EndTime, function number, arg ( ..
`
`),ret( .. )>”).
`
`33. As discussed by Glen Fowler in “cql – A Flat File Database Query
`
`Language,” such a description could be used to query and retrieve information
`
`from the flat-file database. Fowler, p. 5 (“cql is a UNIX system tool that applies C
`
`style query expressions to flat file databases.”). For example, Fowler teaches a
`
`language for describing and querying a flat-file database using the description of a
`
`single record. The particular example given by Fowler is tuned to the UNIX
`
`password database, which defines the records as:
`
`name:passwd:uid:gid:info:home:shell. Fowler, p. 6.
`
`18
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Fowler, p. 7.
`
`34.
`
`In my opinion, one of ordinary skill in the art would have understood
`
`that Swimmer teaches a description of a database (e.g., “<code segment, RecType,
`
`StartTime, EndTime, function number, arg ( .. ),ret( .. )>”) to a database
`
`management system (DBMS) in the language provided by the DBMS (e.g., cql).
`
`35. As introduced above, it is my understanding that Patent Owner further
`
`argues that a “database schema” is “a description of a database to a database
`
`management system (DBMS) in the language provided by the DBMS.” See e.g.,
`
`Medvidovic, ¶¶ 60. Based on this narrow definition, it is my opinion that this is an
`
`attempt to limit the types of databases covered by the ‘494 patent claims. See
`
`Medvidovic Tr. 102:18-103:5 (listing four types of databases: “flat-file,”
`
`“relational,” “object oriented,” and “NoSQL”). According to Dr. Medvidovic, the
`
`‘494 patent could not have contemplated a “NoSQL” database, since they only
`
`emerged in the last 5 to 10 years. Medvidovic Tr. 107:6-9, 108:23-109:2.
`
`19
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`36. According to Dr. Medvidovic, this leaves potentially three types of
`
`databases. Two types of databases were well-known by the time of the ‘494
`
`patent (relational and flat-file), the other (object-oriented) was still fairly new, with
`
`relational being the “most successful.” Medvidovic Tr. 109:7-17 (“I believe
`
`relational, object-oriented, and flat-file databases have been around for a while. I
`
`think I studied both flat-file and relational databases as an undergraduate. And I
`
`think by the early 1990s object-oriented databases were emerging as a new attempt
`
`at organizing data in a database. So they existed back then. I think that over time
`
`now, looking back historically, by far the most successful paradigm has been
`
`relational databases”).
`
`37. Because Swimmer, teaches a flat-file database audit trail, Patent
`
`Owner’s further interpretation of database schema can be understood as an attempt
`
`to draw an arbitrary line between the two most well-known database forms. In my
`
`opinion, this line is arbitrary because the ‘494 patent provides no discussion of flat-
`
`file databases vs. relational databases. The ‘494 patent merely describes what is
`
`stored in the “security database,” which is “security information” (e.g., DSP data),
`
`and does limit the database to a particular type of database. ‘194 patent, col. 3:47-
`
`50 (“The data storage device 230 stores a security database 240, which includes
`
`security information”), col. 4:14-18 (The security program 255 operates in
`
`conjunction with the security database 240, which includes security policies 305,
`
`20
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`known Downloadables 307, known Certificates 309 and Downloadable Security
`
`Profile (DSP) data 310 corresponding to the known Downloadables 307”), FIG. 3.
`
`As acknowledged by the Board, the ‘494 patent does not disavow the scope of the
`
`term database. Dec., p. 10. Therefore, the full scope of the term should include at
`
`least relational and flat-file databases.
`
`38.
`
`In any event, as discussed in my previous declaration, it is my
`
`opinion that one of ordinary skill in the art would have found it obvious to
`
`substitute any known storage format for Swimmer’s flat-file database including a
`
`relational database. See Davidson Decl. ¶ 111.
`
`39.
`
`Specifically with regard to audit records which form the audit trail,
`
`Swimmer explicitly cites to Dorothy Denning’s paper on intrusion detection.
`
`Swimmer, p. 9 (“Audit records representing the program behaviour in general, and
`
`virus activity in particular, have a pattern which is borrowed from the Dorothy
`
`Denning’s model of Intrusion Detection [Den87]”), Swimmer, p. 14 (“[Den87]
`
`Dorothy E. Denning. ‘An intrusion detection model’, IEEE Transactions on
`
`Software Engineering, 13-2:222, Feb 1987”).
`
`40.
`
`In this paper, Denning teaches that records (e.g., audit records) may
`
`be stored in relational databases. Denning, p. 6 (“Additional structure may also be
`
`imposed, e.g., records may be grouped into files or database relations; files may be
`
`grouped into directories. Different environments may require different object
`
`21
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`granularity; e.g., for some database applications, granularity at the record level
`
`may be desired”).
`
`Denning, p. 6.
`
`C.
`
`41.
`
`Swimmer Teaches “Storing” After “Deriving”
`
`Swimmer teaches that an emulator or virtual machine may be used to
`
`generate/derive individual audit records and over the course of execution an audit
`
`trail (list of audit records). Swimmer, p. 9 (“The audit record attributes of records
`
`as collected by the PC emulator have the following meaning: code segment is the
`
`address in memory of the executable image of the program; function number is the
`
`number of the DOS function requested by the program; arg ( .. ) is a list of
`
`register/memory values used in the call to a DOS function; ret( .. ) is a list of
`
`register/memory values as returned by the function call; RecType is the type of the
`
`22
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`record; StartTime and EndTime are the time stamp of action start and end
`
`respectively. The final format for an MS-DOS audit record is as follows: <code
`
`segment, RecType, StartTime, EndTime, function number, arg ( .. }, ret( .. )>”).
`
`42.
`
`Swimmer teaches that the audit trail is stored in at least two formats: a
`
`native file format and an NADF file format. Swimmer, p. 12 (“the sequential file
`
`is the activity data record produced by the PC emulator. The universality is
`
`attained by translating native files to a generic format which is the only one
`
`supported by the evaluator. The format is simple and flexible enough to allow
`
`straightforward conversion of most file formats. This generic format is referred to
`
`as the Normalized Audit Data Format (NADF). An NADF file is a sequential file
`
`of records in NADF format.”) (emphasis added).
`
`43. Because it is technically infeasible to store data in a file before the
`
`data itself is derived/generated, Swimmer teaches “storing the Downloadable
`
`security profile data in a database” after it is derived.
`
`44.
`
`In my opinion, one of ordinary skill in the art would have understood
`
`each of Swimmer’s audit record to be “security profile data.” Additionally, each
`
`audit record is a list of suspicious computer operations, because one of ordinary
`
`skill in the art would have considered “a list” to be 0, 1, or more items, as
`
`confirmed by Dr. Medvidovic. Medvidovic Tr., p. 90:14-24. Accordingly,
`
`iteratively storing each audit record one by one as it is generated stores the
`
`23
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`“security profile data” in a database, since each audit record itself is a list of
`
`suspicious operations. See PO Resp., p. 28-29; Medvidovic Decl., ¶ 79.
`
`45.
`
`In my opinion, one of ordinary skill in the art would have understood
`
`an individual audit record or even a portion of an audit record to be “data” because
`
`an audit record is an “item of information.” In my opinion, the interpretation of
`
`“data” as “item of information” is consistent with how the term would have been
`
`understood by one of ordinary skill in the art. For example, the 3rd edition of the
`
`Microsoft Computer Dictionary provides the following definition for “data”:
`
`MSCD, p. 6.
`
`46.
`
`If it is understood that Patent Owner is requiring that the entire
`
`security profile be derived before it is stored, it is my opinion that this more narrow
`
`interpretation would have also been obvious based on Swimmer. As discussed
`
`above, Swimmer teaches generating a native format audit trail file, which is then
`
`converted into an NADF format file. In my opinion, it would have been obvious
`
`for one of ordinary skill in the art to wait for the entire native file to be generated
`
`and then convert the native file to the NADF file format. One of ordinary skill
`
`would have considered both the native format and NADF format to be flat-file
`
`24
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`databases.
`
`Indeed, Swimmer establishes the equivalency between the native and
`
`NADF formats. Swimmer, p. 10 (“the audit trail complies to a canonical format,
`
`which is also ASAX’s native format”); see also Mounji, p. 5 (“Native files can be
`
`erased after being converted since they are semantically redundant with NADF
`
`files”).
`
`Swimmer Does Not “Teach Against” the Use of the Claimed
`D.
`Downloadable Scanner
`
`47.
`
`Patent Owner argues that Swimmer “teaches against” use of the
`
`claimed downloadable scanner. See, e.g., PO Resp., p. 29 (“However, Swimmer
`
`does not disclose the ‘Downloadable scanner,’ and actually teaches against the use
`
`of scanners by reasoning that they are easily circumvented. Swimmer at 000003, ¶¶
`
`1–5.”), p. 4.
`
`In the cited section, however, Swimmer is discussing and
`
`recognizing the limitations of a specific type of scanner (i.e., a simple pattern
`
`matching scanner), which is different from the claimed scanner. According to
`
`Swimmer, these pattern matching scanners had difficulty detecting the new types
`
`of encrypted and polymorphic virus. Swimmer, p. 3 (“The term scanner has
`
`become increasingly incorrect terminology. The term comes from lexical scanner,
`
`i.e. a pattern matching tool…. Finding such strings was the entire art of anti-virus
`
`program writing until polymorphic viruses appeared on the scene. Encrypted
`
`viruses were the first minor challenge to string searching methods.”).
`
`25
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`48.
`
`I previously described such scanners in my previous declaration in
`
`support of the Petition. Davidson Decl., ¶ 44-47. Since these are simple pattern
`
`matching scanners, these types of scanners do not care what the bytes under
`
`analysis are trying to perform.
`
`In fact, the patterns themselves may not be
`
`operations at all. Davidson Tr., 49:20-53:5. This is made clear by Swimmer.
`
`Swimmer, p. 3 (“When polymorphic technology improved, statistical analysis of
`
`the opcodes was used”).
`
`49.
`
`In contrast, as also set forth in my prior declaration, both the
`
`downloadable scanner described and claimed by the ‘494 patent and Swimmer’s
`
`emulator (the asserted downloadable scanner) analyze and understand the opcodes
`
`of the Downloadable being analyzed. Davidson Decl., ¶ 98-104; ‘194 patent, col.
`
`9:20- 25 (“The code scanner 325 in step 710 resolves a respective command in the
`
`machine code”); Swimmer, p. 8 (“The solution wh