Inter Partes Review of
U.S. Patent No. 8,677,494

Filed on behalf of Symantec Corporation

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL
AND APPEAL BOARD

SYMANTEC CORPORATION

Petitioner

v.

FINJAN, INC

Patent Owner

Case To Be Assigned
U.S. Patent No. 8,677,494

DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF
PETITIONER PURSUANT TO 37 C.F.R. § 42.120

Symantec 1021
IPR of U.S. Pat. No. 8,677,494

Declaration of Jack W. Davidson
In Support of Petitioner Pursuant to 37 C.F.R. § 42.120

I, Jack W. Davidson, declare as follows:

I. Overview

1. I am over 21 years of age and otherwise competent to make this Declaration. I make this Declaration based upon facts and matters within my own knowledge and on information provided to me by others.

2. I have been retained as an expert witness to provide testimony on behalf of Symantec Corporation (“Symantec” or “Petitioner”) as part of the above-captioned inter partes review proceeding (“IPR”), including issues relating to the validity of U.S. patent number 8,677,494 (“the ‘494 patent”), entitled “Malicious mobile code runtime monitoring system and methods.” I also understand that the ‘494 patent was filed on November 7, 2011 and issued on March 18, 2014 and that the ‘494 patent is currently assigned to Finjan, Inc. (“Finjan” or “Patent Owner”).

3. In addition to this Declaration, I have also prepared a separate declaration in support of another IPR petition also involving the validity of the ‘494 patent, which I understand is being filed by Symantec concurrently with this Petition and Declaration. In the other petition, it is my understanding that Symantec has assumed that the ‘926 patent is entitled to a priority date based on the earliest-filed application referenced in the specification and, therefore, in that corresponding declaration I was asked to assume that same priority date for the challenged claims. As discussed in more detail below, it is my understanding that, in this petition Symantec is challenging the priority date of the ‘494 patent. Thus for purposes of this Declaration, I was asked to assume that the challenged claims have a priority date of November 7, 2011 (i.e., the filing date of the ‘494 patent) or, at best, March 7, 2006 (i.e., the filing date of the ‘926 patent).

4. I have reviewed and am familiar with the specification and prosecution history of the ‘494 patent. A copy of the ‘494 patent is provided as Symantec 1001. I have also reviewed the related patents referenced in the ‘494 patent specification and certain portions of their prosecution histories, where relevant. As I explain in more detail below, I am familiar with the technology at issue as of the time of the ‘494 patent, which, for purposes of this Declaration, I have assumed to be 2006.¹

¹ In preparing this Declaration, I have also taken into account the technology, prior art, and knowledge of one of ordinary skill in the art around 2011. None of my opinions and statements in this Declaration would be affected in any material respect if the priority date of the challenged claims is 2011 (instead of 2006).

5. I have also reviewed and am familiar with the following prior art, which I understand is being used by Symantec in the Petition for Inter Partes Review of the ‘494 patent:

a. Ground 1: Touboul I anticipates claims 1, 5, 6, 10, 14, and 15 under 35 U.S.C. § 102
b. Ground 2: Touboul I renders obvious claims 2 and 11 under 35 U.S.C. § 103
c. Ground 3: Touboul II anticipates claims 1, 5, 6, 10, 14, and 15 under 35 U.S.C. § 102.
d. Ground 4: Touboul II renders obvious claims 2 and 11 under 35 U.S.C. § 103.

6. I have been asked to provide a technical review, analysis, and insight regarding the above-noted references, which I understand form the basis for the grounds of rejection set forth in the Petition.

7. I am being compensated for my time in connection with this IPR at a rate of $400 per hour. I am also being compensated for any out-of-pocket expenses for my work in this review. My compensation as an expert is in no way dependent upon the results of any investigations I undertake, the substance of any opinion I express, or the ultimate outcome of the review proceedings. I have been advised that Bryan Cave LLP represents the Petitioner Symantec, Inc. in this matter. I have no direct financial interest in Symantec, Finjan, or the ‘494 patent.

II. My Background and Qualifications

8. I am a Professor of Computer Science at the University of Virginia. In addition, I am the Founder and President of Zephyr Software LLC. Zephyr Software, in business since 2001, provides a variety of services including innovative computer security solutions targeted mainly for U.S. Department of Defense applications. For more than 35 years, I have been involved in the design of computer systems and software as well as leading and managing large software development projects.

9. I earned a Bachelor’s of Applied Science in Computer Science from Southern Methodist University in 1975, a Master’s of Science in Computer Science from Southern Methodist University in 1977, and a Doctorate in Computer Science from the University of Arizona in 1981. After receiving my Doctorate, I joined the faculty at the University of Virginia. In addition, I have held visiting positions at Princeton University and Microsoft Research in Redmond, Washington.

10. For over 35 years, I have conducted research in a variety of areas in computer science including compilers, interpreters, programming languages, computer architecture, embedded systems, program analysis, and most recently computer security. My current research in computer security involves developing methodologies for preventing attacks against critical, enterprise-level computer systems and preventing malware from infecting personal and mobile computers. In these areas and others I have led and managed several large-scale projects involving the collaboration of top U.S. researchers. I am currently leading a large project ($5.8M) called the Cyber Fault-tolerant Attack Recovery project at the University of Virginia, which has been funded by the Defense Advanced Research Project Agency (DARPA). The goal of the Cyber Fault-tolerant Attack Recovery project is to develop defensive cyber techniques that can be deployed to protect existing and planned software systems without requiring changes to the concept of operations of these systems.

11. I am also the principal investigator of a project funded by the Air Force Research Laboratories (“AFRL”) in Rome, NY. The goal of this project is to transition the results of our previously funded research in cyber security from our research laboratory to the field. That is, we are working with the AFRL to automatically secure mission-critical systems against attack by well-funded, determined malicious adversaries and to develop and carry out compelling demonstrations, tests, and exercises that demonstrate the power and effectiveness of the techniques developed in the Dependability Group at the University of Virginia.

12. As my current research focus is in cyber security, I have published extensively in the field of computer security. In addition to other publications, the paper “Safe Virtual Execution Using Software Dynamic Execution” written by Kevin Scott and myself and presented at the 18th Annual Computer Security Applications Conference held in Las Vegas, Nevada in December 2002 is particularly relevant to the matter being considered.

13. My curriculum vitae, which is provided as Symantec 1022, lists my publications in the computer security area.

14. In addition to my scholarly activities in the field of cyber security, I am the President and sole owner of Zephyr Software LLC. I founded Zephyr Software as another vehicle for commercializing my research. Currently, Zephyr Software is focused on commercializing cyber security solutions. Including myself, Zephyr Software has four employees. Zephyr Software currently has Phase II SBIR contracts from DARPA and the Office of Naval Research (“ONR”).

15. The DARPA contract is targeted at securing embedded systems. Network routers, communications equipment, supervisory control and data acquisition (“SCADA”) systems, and industrial control systems (“ICS”) are some examples of embedded systems. Because these systems are part of a critical infrastructure, such as plant operations, the power grid, communication systems, transportation systems, and similar operations, it is vital that these systems be protected from malicious attacks.

16. The work being performed under the ONR contract includes developing techniques to prevent malicious adversaries from taking over the control of a program via a technique known as “program hijacking.” Using program hijacking, a malicious entity can take control of a program to carry out a variety of attacks such as denial of service, secret information leakage, shutdown of critical services, and similar attacks.

17. In addition to my research and commercialization activities, I am also an accomplished and award-winning instructor. In 1989, I received the NCR Faculty Innovation Award for my development of innovative curriculum materials and outstanding teaching. I am the co-author of two widely used introductory programming textbooks, C++ Program Design: An Introduction to Programming and Object-Oriented Design and Java 1.5 Program Design both published by McGraw-Hill.

18. In 2008, I was co-recipient (with my co-author James P. Cohoon) of the IEEE Computer Society Taylor L. Booth Education Award for “sustained effort to transform introductory computer science education through lab-based multimedia pedagogy coupled with examples that attract a diverse student body.” In addition, I have given invited lectures at the Third International Summer School on Advanced Computer Architecture and Compilation for Embedded Systems held in L’Aquila Italy in 2007. Approximately 200 students attended this summer school from the member nations of the European Union.

19. As part of my ongoing activities in computer security, I created and teach a course about cyber security at the University of Virginia. The course title is “Defense against the Dark Arts.” The course focuses on teaching students techniques for defending computers from computer viruses, computer worms, and other types of malicious attacks. The course was first taught in the Fall of 2005 and I have taught it multiple times since that time. I last taught the course in Spring of 2014.

20. I also was a lecturer in the inaugural Indo-US Engineering Faculty Leadership Institute held in Mysore, India. The goal of the Leadership Institute is to improve University education in India. The Institute was attended by 120 faculty members from Indian Universities.

21. In the summers of 2010, 2011, 2012, and 2014, I helped organize and lectured at the International Summer School on Information Security and Protection (ISSISP) held in Beijing, China (2010), Ghent, Belgium (2011), Tucson, Arizona (2012), and Verona, Italy (2014). Each summer school was attended by 50 students from various international universities. ISSISP 2015 will be held in Rio de Janeiro, Brazil.

22. Because of my expertise and stature within the computing community, I am often asked to serve on important Boards and Councils. I served as an elected member-at-large of the Association of Computing Machinery (ACM) Special Interest Group on Programming Languages (SIGPLAN) for four years. ACM is the largest professional computing society in the world. I was elected chair of SIGPLAN in 2005. I am a member of the ACM Council, which oversees the operation of ACM, and I am co-chair of ACM’s Publications Board, which oversees the publication of the organization’s 44 professional journals and 8 magazines, and a professional book series.

23. As a leading expert in the field, I help organize many technical conferences in the area including the International Conference on Parallel Architectures and Compilation Techniques (“PACT”), International Symposium on Code Generation and Optimization (“CGO”), Conference on Programming Language Design and Implementation (“PLDI”), Conference on Languages, Compilers and Tools for Embedded Systems (“LCTES”), International Conference on Compilers, Architectures and Synthesis for Embedded Systems (“CASES”), Conference on the Principles of Programming Languages (“POPL”), International Conference on Autonomic Computing (“ICAC”), and International Conference on High-Performance and Embedded Architectures (“HiPEAC”).

24. In the past, I was an Associate Editor of the ACM Transactions of Programming Languages and Systems (“TOPLAS”) and ACM Transactions on Architecture and Code Optimization (“TACO”) journals. TOPLAS is the archival journal in the area of programming languages and compilers. TACO is an archival journal in the area of computer architecture and program optimization. In 2009, I received SIGPLAN’s Distinguished Service Award for “substantial and sustained contributions to the programming languages research community and to SIGPLAN in particular.”

25. I am a Senior Member of the Institute of Electrical and Electronics Engineers (“IEEE”), the IEEE Computer Society. I am a Fellow of the Association for Computer Machinery (“ACM”). The ACM Council established the ACM Fellows Program in 1993 to recognize and honor outstanding ACM members for their achievements in computer science and information technology and for their significant contributions to the mission of the ACM. The ACM Fellows serve as distinguished colleagues to whom the ACM and its members look to for guidance and leadership as the world of information technology evolves.

26. A more detailed listing of my professional background and accomplishments is found in my curriculum vitae provided as Symantec 1022.

III. My Expertise and the Person of Ordinary Skill in the Art

27. As a result of my more than thirty-years’ experience in the field of computer science and my deep involvement over the last 15 years with computer security through teaching and research, I am very familiar with techniques to secure and protect computer systems, including techniques to prevent computer viruses, worms and other types of attacks from corrupting both personal computers and enterprise-level systems.

28. Accordingly, I am qualified to provide expert opinions on the technology described in the ‘494 patent as well as the teachings of the prior art references at the time of the ‘494 patent.

29. In my opinion, a person of ordinary skill in the art at the time of the ‘494 patent would have a Master’s degree in computer science, computer engineering, or a similar field, or a Bachelor’s degree in computer science, computer engineering, or a similar field, with approximately two years of industry experience relating to computer security. Additional graduate education might substitute for experience, while significant experience in the field of computer programming and malicious code might substitute for formal education.

IV. Applicable Legal Standards

30. I am not an attorney and do not expect to offer any opinions regarding the law. However, I have been informed of certain legal principles relating to patent claim construction and invalidity that I relied upon in reaching opinions set forth in this report.

Obviousness

31. It is my understanding that obviousness is determined from the vantage point of a person of ordinary skill in the art at the time the invention was made. In order for a claim to be considered invalid under this ground, I understand that the proposed combination of asserted references must teach or suggest each and every claim feature and that the claimed invention as a whole must have been obvious at that time to one of ordinary skill in the art.²

² Accordingly, I understand that the term “obvious” has both a legal and a technical meaning. When the term is used throughout this declaration, my opinions and conclusions will be directed to the technical meaning of obvious (i.e., whether subject matter was within the technical grasp of a person of ordinary skill at the time of the ‘494 patent).

32. My understanding is that one should avoid the use of “hindsight” in assessing whether a claimed invention would have been obvious. For example, an invention should not be considered in view of what persons of ordinary skill would know today, nor should it be reconstructed after the fact by starting with the claims themselves and/or by reading into the prior art the teachings of the invention at issue.

33. It is my understanding that obviousness cannot be proven by mere conclusory statements or by merely showing that an invention is a combination of elements that were already previously known in the prior art. Rather, it is my understanding that a party challenging a patent in an Inter Partes Review proceeding must further establish by a preponderance of the evidence that there was an apparent reason with some rational underpinnings that would have caused a person of ordinary skill at the time of the invention to have combined and/or altered these known elements to arrive at the claimed invention. Such reasons might include, for example, teachings, suggestions, or motivations to combine that would have been apparent to a person of ordinary skill in the art.

Claim Language

34. I understand that, in Inter Partes Review proceedings, claim terms are to be given the broadest reasonable construction in light of the specification as would be read by a person of ordinary skill in the relevant art.

35. As the result of my education and experience, I believe that I understand how the asserted claims of the ‘494 patent would be understood by a person of ordinary skill in the art applying the above standard.

V. Overview of Relevant Computer Security, Malware Detection, and Internet Technology at the Time of the ‘494 Patent

36. At the time of the ‘494 patent, the use of computers was rapidly becoming widespread and commonplace. In particular, companies and other organizations were relying on networked computer systems to perform various tasks, store various information, and manage and control various infrastructure. As the use of such networked computer systems increased significantly, computer viruses and other types of malware became a major problem for the computer industry.

37. There were three major factors that contributed to the significant growth in malware. First, sophisticated malware writers had developed tools that allowed relatively unsophisticated programmers to create sophisticated malware. These tools could be easily downloaded using the Internet. A second reason was the growth in computer usage by individuals. Computers had become commodity consumer products. A third reason was the growth of the Internet as computer networks became more ubiquitous. More users, the availability of networking and the development of the World Wide Web (WWW), led to the phenomenal growth of the Internet. In 1993, traffic on the Internet was growing at the incredible rate of 341,000%. As the Internet grew, so did the opportunity for criminals and other malicious entities to use the Internet to spread malware for illicit financial gain.

38. One of the primary ways malicious entities would compromise a computer on the Internet was through a malicious download when a user visited a web page. At the time, typical web-based systems allowed authors to attach an executable program to a Web page, so that anyone visiting the web page automatically downloads and runs the program. Thus, simply visiting a Web page may cause a user to unknowingly download and run a program written by a criminal or other malicious person.

39. Such downloaded executables were written using various programming languages such as Java, ActiveX, VisualBasic, JavaScript, and Web plug-ins. Examples of popular plug-ins include QuickTime (viewing videos), Shockwave (multimedia viewer), and Acrobat Reader (for viewing PDF files).

40. Another commonly used method to deliver an executable to a machine was via an e-mail attachment. Here, an executable was downloaded to the victim’s computer via an attachment to an e-mail message. The attachment may be named to appear as if it is a benign text file, image, digital music, etc. In reality, however, the file is an executable that performed the malicious actions intended by the author.

41. Because of the frequency of these types of attacks, there was much interest by industry, university research centers, and government research laboratories in developing techniques to detect and prevent malicious downloads from taking malicious actions such as modifying or destroying files, monitoring the user’s online activities, or stealing valuable information.

42. The main defense against various types of malware, including malicious executable programs, was anti-virus software. Such software was generally referred to as anti-virus software even though it would detect other types of malware such as spyware, backdoors, spammers, and keyloggers that might be included or embedded in a malicious, executable program.

43. Initially, the dominant technique used by anti-virus software to detect malware was signature-based scanning. Signature-based scanning is analogous to a common, standard medical approach for determining if a person is infected with a certain biological pathogen. A blood test is performed to see if particular antibodies are present that indicate that the subject is infected. Similarly, with signature-based virus detection, the anti-virus software scans relevant files for a “fingerprint” or “signature” that, if present, indicates malware is present.

44. At the time, anti-virus tools used various approaches to create signatures. One widely used technique was to create a set of patterns to detect viruses and other malware. A pattern might be targeted for a particular family of related viruses. An example of such a pattern is:

SIG: 0x0E,0xBE,Skip(0x02),0x56,0xC3,Skip(0x3),0x83,0xEE,0x1E

45. The signature specifies that the file contains a virus if the file has a sequence of bytes that match the pattern specified. The pattern says look for two consecutive bytes that have the values 0x0E and 0xBE, then skip the next two bytes (their contents are irrelevant), then look for byte values 0x56 and 0xC3, skip three bytes, then look for 0x83, followed by 0xEE and 0x1E.

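The pattern walked through in paragraph 45, implemented as a small matcher. This is an added example, not part of the declaration or of any vendor's scanner; the function names and the byte buffers are constructed for illustration.

```python
import re

# Signature text exactly as quoted in paragraph 44.
SIGNATURE = "0x0E,0xBE,Skip(0x02),0x56,0xC3,Skip(0x3),0x83,0xEE,0x1E"

SKIP_TOKEN = re.compile(r"Skip\((0x[0-9A-Fa-f]+)\)")
BYTE_TOKEN = re.compile(r"0x[0-9A-Fa-f]{1,2}")


def parse_signature(text):
    """Return a list with an int per literal byte and None per skipped byte."""
    pattern = []
    for token in (t.strip() for t in text.split(",")):
        skip = SKIP_TOKEN.fullmatch(token)
        if skip:
            # Skip(n): n bytes whose contents are irrelevant.
            pattern.extend([None] * int(skip.group(1), 16))
        elif BYTE_TOKEN.fullmatch(token):
            pattern.append(int(token, 16))
        else:
            raise ValueError(f"unrecognised signature token: {token!r}")
    if not pattern or pattern[0] is None or pattern[-1] is None:
        raise ValueError("signature must begin and end with a literal byte")
    return pattern


def find_signature(data, pattern):
    """Return every offset in data at which the whole pattern matches."""
    hits = []
    anchor = bytes([pattern[0]])           # first literal byte, used to seek candidates
    last_start = len(data) - len(pattern)  # negative when the buffer is too short
    start = data.find(anchor)
    while 0 <= start <= last_start:
        if all(want is None or data[start + i] == want
               for i, want in enumerate(pattern)):
            hits.append(start)
        start = data.find(anchor, start + 1)
    return hits


def scan(data, signature_text=SIGNATURE):
    """True if the buffer contains the signature anywhere."""
    return bool(find_signature(data, parse_signature(signature_text)))


# Constructed buffers: arbitrary bytes arranged to hit or miss, not real malware.
SAMPLE_A = b"MZ\x90\x00" + bytes.fromhex("0ebe 1122 56c3 aabbcc 83ee1e") + b"\x00\x00"
# Same literal bytes with different filler in the skipped positions.
SAMPLE_B = bytes.fromhex("0ebe ff00 56c3 010203 83ee1e")
# Second gap is two bytes instead of three, so the tail is misaligned.
SAMPLE_C = b"\x00" + bytes.fromhex("0ebe 1122 56c3 aabb 83ee1e") + b"\x00\x00"

if __name__ == "__main__":
    pattern = parse_signature(SIGNATURE)
    for name, buf in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, find_signature(buf, pattern))
```

SAMPLE_A and SAMPLE_B differ only in the skipped bytes and both match, which is how one pattern can cover a family of related files; SAMPLE_C shows that a change in the spacing between the literal bytes is enough to miss.
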
46. There are many aspects to creating powerful, effective, signature-based anti-virus software. One key aspect for effective scanning is the completeness of the corpus of signatures used by the scanner. If the signature database does not contain a signature for specific malware, the malware most likely will not be detected. Anti-virus vendors expend considerable effort to ensure their signature databases contain up-to-date signatures of newly discovered viruses and that these updated databases are provided to the licensees of their software on a timely basis.

47. Another aspect of effective scanning is the sophistication of the scanning algorithms and techniques. Anti-virus software vendors continually investigated new scanning techniques to both speed the scanning process and to improve the accuracy. Much like the medical tests I mention above, signature-based scanning may sometimes result in false positives or false negatives. In the medical context, a false positive is when a test has incorrectly indicated the presence of a pathogen when there is, in actuality, none present. A false negative is when the test has incorrectly indicated that no pathogen is present when there is, in actuality, a pathogen present.

48. Another well-known technique employed by anti-virus tools at the time was hashing. Hashing was a well-known technique that was (and still is) used in several contexts of anti-virus technology. One use of hashing is to create a unique “digest” of a file. The message digest is orders of magnitude smaller than the message (hence the term digest). The original use of such hashes was to create a digest of a message to detect if a message was corrupted during transmission to a receiver. The corruption could be because of an error in the transmission (e.g., a bit or bits are inadvertently changed or dropped) or because the message had been intentionally changed.

49. Before transmitting the message, a cryptographic hash function is used to create the message digest. The digest is attached to the message (either prepended or appended) and the package would be transmitted. At the receiver, after the package was received, the digest would be recomputed and compared to the digest attached to the message. If the computed digest was different from the attached digest, then either the message or the attached digest had been corrupted and appropriate action could be taken. As one example, the receiver could request that the message be resent. Attaching a digest to a message is conceptually similar to attaching a certificate to a downloaded executable.

50. Attaching or appending additional information (such as a certificate) onto executables that were downloaded or transferred via a network was also well known in the art at the time of the ‘494 patent. For example, Atkinson (U.S. Patent No. 5,892,904, provided as Ex. 1023) teaches that “a publisher digital certificate 122 (FIG. 4) and publisher signature 110 are attached, appended to or incorporated with an executable file 102.” Atkinson, col. 6:44-46, FIG. 4. In addition, it was also well known that components of these certificates could be used to link to and retrieve additional information or data related to the executable. Atkinson, col. 2:56-58 (“publisher digital signature also includes an identifying name of the executable file and a link or hyperlink to a description of the executable file”), FIG. 4.

51. Such cryptographic hashes were also used to create a database on a user’s machine of files that had previously been scanned (perhaps using a signature-based scanner) and were deemed to be virus-free. The database contained a cryptographic hash, and a pointer to the file on disk. Periodically, the anti-virus software would check to make sure the cryptographic hash matched the computed hash. If the computed hash did not match the hash stored in the database, this indicated the file had been changed, which might be the result of a virus. Typically further checking would be done. These databases were often called file integrity databases. Such databases were also used by intrusion detection systems.

52. In the context of anti-virus technology, cryptographic hashes were also used to implement “whitelists” and “blacklists” that could be quickly checked to determine whether to allow an executable to be downloaded and/or run on a computer. To create whitelists, executable files that were known to not contain viruses were hashed, and these hashes were stored in a whitelist table. Similarly, executable files that were known to contain viruses were hashed, and these hashes were stored in a blacklist table. When a new file was received (perhaps it is downloaded from a website, or attached to an e-mail), the hash function was applied to the file and a hash value was computed. Using the computed hash value, the whitelist and blacklist were searched. If the hash value for the received file was on the whitelist, the file was categorized as not containing a virus. If the hash value for the received file was on the blacklist, the file was categorized as containing a virus.

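The file integrity database of paragraph 51 and the whitelist and blacklist lookup of paragraph 52, as an added example that is not part of the declaration. SHA-256, the "unknown" verdict for a file on neither list, the precedence of the blacklist, and all file names and contents are assumptions made for the illustration.

```python
import hashlib


def digest(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes (algorithm chosen for this example)."""
    return hashlib.sha256(data).hexdigest()


def classify(data, whitelist, blacklist):
    """Hash the received file and search both tables, as paragraph 52 describes."""
    file_hash = digest(data)
    if file_hash in blacklist:   # assumption: a blacklist hit takes precedence
        return "contains virus"
    if file_hash in whitelist:
        return "no virus"
    return "unknown"             # assumption: on neither list, pass to other scanning


def build_integrity_db(files):
    """Record path -> hash for files already scanned and deemed virus-free."""
    return {path: digest(content) for path, content in files.items()}


def check_integrity(db, files):
    """Recompute each recorded file's hash; return the paths needing further checking."""
    findings = {}
    for path, recorded in db.items():
        if path not in files:
            findings[path] = "missing"
        elif digest(files[path]) != recorded:
            findings[path] = "changed"
    return findings


# Constructed sample contents standing in for executables; none is real code.
TRUSTED_TOOL = b"constructed sample: trusted installer build 1"
KNOWN_BAD = b"constructed sample: file previously identified as infected"
NEW_DOWNLOAD = b"constructed sample: never seen before"

# Python sets are hash tables, so each lookup is a single probe by hash value.
WHITELIST = {digest(TRUSTED_TOOL)}
BLACKLIST = {digest(KNOWN_BAD)}

# A dict stands in for the disk so the example runs offline.
DISK_AT_SCAN = {
    "/opt/app/tool.bin": TRUSTED_TOOL,
    "/opt/app/helper.bin": b"constructed sample: helper build 1",
    "/opt/app/readme.txt": b"constructed sample: readme",
}


def periodic_check_demo():
    """Build the database, alter the 'disk', and return what the periodic check reports."""
    db = build_integrity_db(DISK_AT_SCAN)
    disk_later = dict(DISK_AT_SCAN)
    disk_later["/opt/app/helper.bin"] += b"\x00"   # one appended byte
    del disk_later["/opt/app/readme.txt"]
    return check_integrity(db, disk_later)


if __name__ == "__main__":
    for name, content in (("trusted", TRUSTED_TOOL), ("bad", KNOWN_BAD),
                          ("new", NEW_DOWNLOAD), ("bad+1 byte", KNOWN_BAD + b"\x00")):
        print(name, "->", classify(content, WHITELIST, BLACKLIST))
    print(periodic_check_demo())
```

Because the lookup is an exact match on the hash, a file that differs from a listed one by a single byte is on neither list, which is why the lists complement signature scanning and do not replace it.
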
`53.
`
`Such hashes were also widely used to create efficient methods to store
`
`and find information. Well known to those skilled in the art was the use of hashing
`
`21
`
`

`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`techniques to create “hash tables” for efficiently storing and retrieving information.
`
`A hash table is a data structure that is searched using the hash value computed by
`
`the function (often called a “hash function” in this context). There are several
`
`techniques for creating hash tables, but the key idea is that the hash value of an
`
`object is used to locate the object in the table. Those skilled in the art routinely
`
`used hash tables to store information for fast lookup. Furthermore, it was well
`
`understood by those skilled in art that in many cases it was often preferable to store
`
`the hash of an object in other data structures rather than storing a duplicate of the
`
`object (which required substantially more storage space). The object could easily
`
`and quickly be retrieved by using the hash and then accessing the hash table that
`
`contained the object.
`
`54. Over the years, anti-virus researchers and researchers in other areas
`
`(e.g., software engineering and programming languages) have built various tools to
`
`help them analyze programs including downloads. Such tools can be generally
`
`categorized as either static or dynamic analyzers. A static analyzer determines
`
`information about a program without running the program. Rather it builds various
`
`data structures that can be analyzed to determine various properties of a program.
`
`A very common data structure that is useful for static analysis of a program is the
`
`control-flow graph.
`
`22
`
`

`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`55.
`
`To build a control-flow graph of an executable program, the file
`
`containing the program is parsed to determine the instructions that may be invoked
`
`by the program. By analyzing the instructions and identifying the instructions that
`
`cause the flow of control to change (i.e., jump instructions or control transfer
`
`instructions), the static analyzer can construct a graph that represents the
`
`relationship between various sections of the program. The nodes in the control-
`
`flow graph were often referred to as basic blocks by those skilled in the art.
`
`56. Using the control-flow graph, a static analyzer performs other useful
`
`analyses. One example is called “dead code” elimination. Here, code that cannot
`
`possibly be executed can be removed from the program thereby saving space.
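
The control-flow graph construction and dead-code identification described in paragraphs 55 and 56, as an added example that is not part of the declaration. The toy instruction set, the `PROGRAM` listing and all function names are constructed for illustration.

```python
# Toy instruction set (constructed for this example): each instruction is
# (opcode, operand). "jmp" and "jz" take a target index; "ret" ends execution.
PROGRAM = [
    ("load", "x"),    # 0
    ("jz", 4),        # 1  conditional: falls through to 2 or jumps to 4
    ("add", 1),       # 2
    ("jmp", 5),       # 3  unconditional jump
    ("sub", 1),       # 4
    ("ret", None),    # 5
    ("mul", 2),       # 6  follows ret and is never a jump target: dead code
    ("ret", None),    # 7
]

def find_leaders(program):
    """A leader starts a basic block: the entry point, every jump target,
    and every instruction that follows a control transfer."""
    leaders = {0}
    for i, (op, arg) in enumerate(program):
        if op in ("jmp", "jz"):
            leaders.add(arg)
        if op in ("jmp", "jz", "ret") and i + 1 < len(program):
            leaders.add(i + 1)
    return sorted(leaders)

def build_cfg(program):
    """Return {block_start: (block_end_exclusive, [successor block starts])}."""
    leaders = find_leaders(program)
    cfg = {}
    for n, start in enumerate(leaders):
        end = leaders[n + 1] if n + 1 < len(leaders) else len(program)
        op, arg = program[end - 1]          # last instruction of the block
        succs = []
        if op in ("jmp", "jz"):
            succs.append(arg)               # edge to the jump target
        if op not in ("jmp", "ret") and end < len(program):
            succs.append(end)               # fall-through edge
        cfg[start] = (end, succs)
    return cfg

def dead_blocks(cfg, entry=0):
    """Blocks with no path from the entry block can never execute."""
    seen, stack = set(), [entry]
    while stack:
        block = stack.pop()
        if block not in seen:
            seen.add(block)
            stack.extend(cfg[block][1])
    return sorted(set(cfg) - seen)
```
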
`
`57. While static analysis is a powerful tool, it must be conservative
`
`because it is analyzing the program without the benefit of knowing what inputs the
`
`program might process, and therefore could produce erroneous information.
`
`Consequently, dynamic analysis was also used to analyze executable programs.
`
`Dynamic analysis requires running the program on some input. The advantage of
`
`dynamic analysis is that one can observe how the program behaves on a particular
`
`input or set of inputs and monitor the instructions that are called by the program.
`
`58. Because of their complementary nature, both static and dynamic
`
`analyses were often used together when analyzing executable programs.
`
`59. At the time of the ‘494 patent (and even now), anti-virus researchers
`
`continually worked to improve the accuracy of the signature-based scanning by
`
`lowering the rates of false positives and false negatives. Unfortunately, virus
`
`writers also continually worked to create new techniques for creating malware that
`
`would evade detection by signature-based scanning. This back-and-forth struggle
`
`between virus writers and anti-virus defenders is much li
