`U.S. Patent No. 8,677,494
`
`Filed on behalf of Symantec Corporation
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL
`AND APPEAL BOARD
`
`SYMANTEC CORPORATION
`
`Petitioner
`
`v.
`
`FINJAN, INC
`
`Patent Owner
`
`Case To Be Assigned
`U.S. Patent No. 8,677,494
`
`DECLARATION OF JACK W. DAVIDSON IN SUPPORT OF
`PETITIONER PURSUANT TO 37 C.F.R. § 42.120
`
`Symantec 1021
`IPR of U.S. Pat. No. 8,677,494
`
`1
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`Declaration of Jack W. Davidson
`In Support of Petitioner Pursuant to 37 C.F.R. § 42.120
`
`I, Jack W. Davidson, declare as follows
`
`I. Overview
`
`1.
`
`I am over 21 years of age and otherwise competent to make this
`
`Declaration. I make this Declaration based upon facts and matters within my own
`
`knowledge and on information provided to me by others.
`
`2.
`
`I have been retained as an expert witness to provide testimony on
`
`behalf of Symantec Corporation (“Symantec” or “Petitioner”) as part of the above-
`
`captioned inter partes review proceeding (“IPR”), including issues relating to the
`
`validity of U.S. patent number 8,677,494 (“the ‘494 patent”), entitled “Malicious
`
`mobile code runtime monitoring system and methods.” I also understand that the
`
`‘494 patent was filed on November 7, 2011 and issued on March 18, 2014 and that
`
`the ‘494 patent is currently assigned to Finjan, Inc. (“Finjan” or “Patent Owner”).
`
`3.
`
`In addition to this Declaration, I have also prepared a separate
`
`declaration in support of another IPR petition also involving the validity of the
`
`‘494 patent, which I understand being filed by Symantec concurrently with this
`
`Petition and Declaration. In the other petition, it is my understanding that
`
`Symantec has assumed that the ‘926 patent is entitled to a priority date based on
`
`the earliest-filed application referenced in the specification and, therefore, in that
`
`2
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`corresponding declaration I was asked to assume that same priority date for the
`
`challenged claims. As discussed in more detail below, it is my understanding that,
`
`in this petition Symantec is challenging the priority date of the ‘494 patent. Thus
`
`for purposes of this Declaration, I was asked to assume that the challenged claims
`
`have a priority date of November 7, 2011 (i.e., the filing date of the ‘494 patent) or,
`
`at best, March 7, 2006 (i.e., the filing date of the ‘926 patent).
`
`4.
`
`I have reviewed and am familiar with the specification and
`
`prosecution history of the ‘494 patent. A copy of the ‘494 patent is provided as
`
`Symantec 1001. I have also reviewed the related patents referenced in the ‘494
`
`patent specification and certain portions of their prosecution histories, where
`
`relevant. As I explain in more detail below, I am familiar with the technology at
`
`issue as of the time of the ‘494 patent, which, for purposes of this Declaration, I
`
`have assumed to be 2006.1
`
`5.
`
`I have also reviewed and am familiar with the following prior art,
`
`which I understand is being used by Symantec in the Petition for Inter Partes
`
`Review of the ‘494 patent:
`
`1 In preparing this Declaration, I have also taken into account the technology, prior
`art, and knowledge of one of ordinary skill in the art around 2011. None of my
`opinions and statements in this Declaration would be affected in any material
`respect if the priority date of the challenged claims is 2011 (instead of 2006).
`
`3
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`a. Ground 1: Touboul I anticipates claims 1, 5, 6, 10, 14, and 15 under
`
`35 U.S.C. § 102
`
`b. Ground 2: Touboul I renders obvious claims 2 and 11 under 35 U.S.C.
`
`§ 103
`
`c. Ground 3: Touboul II anticipates claims 1, 5, 6, 10, 14, and 15 under
`
`35 U.S.C. § 102.
`
`d. Ground 4: Touboul II renders obvious claims 2 and 11 under 35
`
`U.S.C. § 103.
`
`6.
`
`I have been asked to provide a technical review, analysis, and insight
`
`regarding the above-noted references, which I understand form the basis for the
`
`grounds of rejection set forth in the Petition.
`
`7.
`
`I am being compensated for my time in connection with this IPR at a
`
`rate of $400 per hour. I am also being compensated for any out-of-pocket expenses
`
`for my work in this review. My compensation as an expert is in no way dependent
`
`upon the results of any investigations I undertake, the substance of any opinion I
`
`express, or the ultimate outcome of the review proceedings. I have been advised
`
`that Bryan Cave LLP represents the Petitioner Symantec, Inc. in this matter. I have
`
`no direct financial interest in Symantec, Finjan, or the ‘494 patent.
`
`II. My Background and Qualifications
`
`4
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`8.
`
`I am a Professor of Computer Science at the University of Virginia.
`
`In addition, I am the Founder and President of Zephyr Software LLC. Zephyr
`
`Software, in business since 2001, provides a variety of services including
`
`innovative computer security solutions targeted mainly for U.S. Department of
`
`Defense applications. For more than 35 years, I have been involved in the design
`
`of computer systems and software as well as leading and managing large software
`
`development projects.
`
`9.
`
`I earned a Bachelor’s of Applied Science in Computer Science from
`
`Southern Methodist University in 1975, a Master’s of Science in Computer
`
`Science from Southern Methodist University in 1977, and a Doctorate in Computer
`
`Science from the University of Arizona in 1981. After receiving my Doctorate, I
`
`joined the faculty at the University of Virginia. In addition, I have held visiting
`
`positions at Princeton University and Microsoft Research in Redmond,
`
`Washington.
`
`10.
`
`For over 35 years, I have conducted research in a variety of areas in
`
`computer science including compilers, interpreters, programming languages,
`
`computer architecture, embedded systems, program analysis, and most recently
`
`computer security. My current research in computer security involves developing
`
`methodologies for preventing attacks against critical, enterprise-level computer
`
`5
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`systems and preventing malware from infecting personal and mobile computers. In
`
`these areas and others I have led and managed several large-scale projects
`
`involving the collaboration of top U.S. researchers. I am currently leading a large
`
`project ($5.8M) called the Cyber Fault-tolerant Attack Recovery project at the
`
`University of Virginia, which has been funded by the Defense Advanced Research
`
`Project Agency (DARPA). The goal of the Cyber Fault-tolerant Attack Recovery
`
`project is to develop defensive cyber techniques that can be deployed to protect
`
`existing and planned software systems without requiring changes to the concept of
`
`operations of these systems.
`
`11.
`
`I am also the principal investigator of a project funded by the Air
`
`Force Research Laboratories (“AFRL”) in Rome, NY. The goal of this project is
`
`to transition the results of our previously funded research in cyber security from
`
`our research laboratory to the field. That is, we are working with the AFRL to
`
`automatically secure mission-critical system against attack by well-funded,
`
`determined malicious adversaries and to develop and carry out compelling
`
`demonstrations, tests, and exercises that demonstrate the power and effectiveness
`
`of the techniques developed in the Dependability Group at the University of
`
`Virginia.
`
`12. As my current research focus is in cyber security, I have published
`
`6
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`extensively in the field of computer security. In addition to other publications, the
`
`paper “Safe Virtual Execution Using Software Dynamic Execution” written by
`
`Kevin Scott and myself and presented at the 18th Annual Computer Security
`
`Applications Conference held in Las Vegas, Nevada in December 2002 is
`
`particularly relevant to the matter being considered.
`
`13. My curriculum vitae, which is provided as Symantec 1022, lists my
`
`publications in the computer security area.
`
`14.
`
`In addition to my scholarly activities in the field of cyber security, I
`
`am the President and sole owner of Zephyr Software LLC. I founded Zephyr
`
`Software as another vehicle for commercializing my research. Currently, Zephyr
`
`Software is focused on commercializing cyber security solutions. Including
`
`myself, Zephyr Software has four employees. Zephyr Software currently has Phase
`
`II SBIR contracts from DARPA and the Office of Naval Research (“ONR”).
`
`15.
`
`The DARPA contract is targeted at securing embedded systems.
`
`Network routers, communications equipment, supervisory control and data
`
`acquisition (“SCADA”) systems, and industrial control systems (“ICS”) are some
`
`examples of embedded systems. Because these systems are part of a critical
`
`infrastructure, such as plant operations, the power grid, communication systems,
`
`transportation systems, and similar operations, it is vital that these systems be
`
`7
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`protected from malicious attacks.
`
`16.
`
`The work being performed under the ONR contract includes
`
`developing techniques to prevent malicious adversaries from taking over the
`
`control of a program via a technique known as “program hijacking.” Using
`
`program hijacking, a malicious entity can take control of a program to carry out a
`
`variety of attacks such as denial of service, secret information leakage, shutdown
`
`of critical services, and similar attacks.
`
`17.
`
`In addition to my research and commercialization activities, I am also
`
`an accomplished and award-winning instructor. In 1989, I received the NCR
`
`Faculty Innovation Award for my development of innovative curriculum materials
`
`and outstanding teaching. I am the co-author of two widely used introductory
`
`programming textbooks, C++ Program Design: An Introduction to Programming
`
`and Object-Oriented Design and Java 1.5 Program Design both published by
`
`McGraw-Hill.
`
`18.
`
`In 2008, I was co-recipient (with my co-author James P. Cohoon) of
`
`the IEEE Computer Society Taylor L. Booth Education Award for “sustained
`
`effort to transform introductory computer science education through lab-based
`
`multimedia pedagogy coupled with examples that attract a diverse student body.”
`
`In addition, I have given invited lectures at the Third International Summer School
`
`8
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`on Advanced Computer Architecture and Compilation for Embedded Systems held
`
`in L’Aquila Italy in 2007. Approximately 200 students attended this summer
`
`school from the member nations of the European Union.
`
`19. As part of my ongoing activities in computer security, I created and
`
`teach a course about cyber security at the University of Virginia. The course title is
`
`“Defense against the Dark Arts.” The course focuses teaching students techniques
`
`for defending computers from computer viruses, computer worms, and other types
`
`of malicious attacks. The course was first taught in the Fall of 2005 and I have
`
`taught it multiple times since that time. I last taught the course in Spring of 2014.
`
`20.
`
`I also was a lecturer in the inaugural Indo-US Engineering Faculty
`
`Leadership Institute held in Mysore, India. The goal of the Leadership Institute is
`
`to improve University education in India. The Institute was attended by 120
`
`faculty members from Indian Universities.
`
`21.
`
`In the summers of 2010, 2011, 2012, and 2014, I helped organize and
`
`lectured at the International Summer School on Information Security and
`
`Protection (ISSISP) held in Beijing, China (2010), Ghent, Belgium (2011), Tucson,
`
`Arizona (2012), and Verona, Italy (2014). Each summer school was attended by
`
`50 students from various international universities. ISSISP 2015 will be held in Rio
`
`de Janerio, Brazil.
`
`9
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`22. Because of my expertise and stature within in the computing
`
`community, I am often asked to serve on important Boards and Councils. I served
`
`as an elected member-at-large of the Association of Computing Machinery (ACM)
`
`Special Interest Group on Programming Languages (SIGPLAN) for four years.
`
`ACM is the largest professional computing society in the world. I was elected
`
`chair of SIGPLAN in 2005. I am a member of the ACM Council, which oversees
`
`the operation of ACM, and I am co-chair of ACM’s Publications Board, which
`
`oversees the publication of the organization’s 44 professional journals and 8
`
`magazines, and a professional book series.
`
`23. As a leading expert in the field, I help organize many technical
`
`conferences in the area including the International Conference on Parallel
`
`Architectures and Compilation Techniques (“PACT”), International Symposium
`
`on Code Generation and Optimization (“CGO”), Conference on Programming
`
`Language Design and Implementation (“PLDI”), Conference on Languages,
`
`Compilers and Tools for Embedded Systems (“LCTES”), International Conference
`
`on Compilers, Architectures and Synthesis for Embedded Systems (“CASES”),
`
`Conference on the Principles of Programming Languages (“POPL”), International
`
`Conference on Autonomic Computing (“ICAC”), and International Conference on
`
`High-Performance and Embedded Architectures (“HiPEAC”).
`
`10
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`24.
`
`In the past, I was an Associate Editor of the ACM Transactions of
`
`Programming Languages and Systems (“TOPLAS”) and ACM Transactions on
`
`Architecture and Code Optimization (“TACO”) journals. TOPLAS is the archival
`
`journal in the area of programming languages and compilers. TACO is an archival
`
`journal in the area of computer architecture and program optimization. In 2009, I
`
`received SIGPLAN’s Distinguished Service Award for “substantial and sustained
`
`contributions to the programming languages research community and to SIGPLAN
`
`in particular.”
`
`25.
`
`I am a Senior Member of the Institute of Electrical and Electronics
`
`Engineers (“IEEE”), the IEEE Computer Society. I am a Fellow of the Association
`
`for Computer Machinery (“ACM”). The ACM Council established the ACM
`
`Fellows Program in 1993 to recognize and honor outstanding ACM members for
`
`their achievements in computer science and information technology and for their
`
`significant contributions to the mission of the ACM. The ACM Fellows serve as
`
`distinguished colleagues to whom the ACM and its members look to for guidance
`
`and leadership as the world of information technology evolves.
`
`26. A more detailed listing of my professional background and
`
`accomplishments is found in my curriculum vitae provided as Symantec 1022.
`
`III. My Expertise and the Person of Ordinary Skill in the Art
`
`11
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`27. As a result of my more than thirty-years’ experience in the field of
`
`computer science and my deep involvement over the last 15 years with computer
`
`security through teaching and research, I am very familiar with techniques to
`
`secure and protect computer systems, including techniques to prevent computer
`
`viruses, worms and other types of attacks from corrupting both personal computers
`
`and enterprise-level systems.
`
`28. Accordingly, I am qualified to provide expert opinions on the
`
`technology described in the ‘494 patent as well as the teachings of the prior art
`
`references at the time of the ‘494 patent.
`
`29.
`
`In my opinion, a person of ordinary skill in the art at the time of the
`
`‘494 patent would have a Master’s degree in computer science, computer
`
`engineering, or a similar field, or a Bachelor’s degree in computer science,
`
`computer engineering, or a similar field, with approximately two years of industry
`
`experience relating to computer security. Additional graduate education might
`
`substitute for experience, while significant experience in the field of computer
`
`programming and malicious code might substitute for formal education.
`
`IV. Applicable Legal Standards
`
`30.
`
`I am not an attorney and do not expect to offer any opinions regarding
`
`the law. However, I have been informed of certain legal principles relating to
`
`12
`
`
`
`patent claim construction and invalidity that I relied upon in reaching opinions set
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`forth in this report.
`
`Obviousness
`
`31.
`
`It is my understanding that obviousness is determined from the
`
`vantage point of a person of ordinary skill in the art at the time the invention was
`
`made. In order for a claim to be considered invalid under this ground, I understand
`
`that the proposed combination of asserted references must teach or suggest each
`
`and every claim feature and that the claimed invention as a whole must have been
`
`obvious at that time to one of ordinary skill in the art.2
`
`32. My understanding is that one should avoid the use of “hindsight” in
`
`assessing whether a claimed invention would have been obvious. For example, an
`
`invention should not be considered in view of what persons of ordinary skill would
`
`know today, nor should it be reconstructed after the fact by starting with the claims
`
`2 Accordingly, I understand that that the term “obvious” has both a legal and a
`
`technical meaning. When the term is used throughout this declaration, my
`
`opinions and conclusions will be directed to the technical meaning of obvious (i.e.,
`
`whether subject matter was within the technical grasp of a person of ordinary skill
`
`at the time of the ‘494 patent).
`
`13
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`themselves and/or by reading into the prior art the teachings of the invention at
`
`issue.
`
`33.
`
`It is my understanding that obviousness cannot be proven by mere
`
`conclusory statements or by merely showing that an invention is a combination of
`
`elements that were already previously known in the prior art. Rather, it is my
`
`understanding that a party challenging a patent in an Inter Partes Review
`
`proceeding must further establish by a preponderance of the evidence that there
`
`was an apparent reason with some rational underpinnings that would have caused a
`
`person of ordinary skill at the time of the invention to have combined and/or
`
`altered these known elements to arrive at the claimed invention. Such reasons
`
`might include, for example, teachings, suggestions, or motivations to combine that
`
`would have been apparent to a person of ordinary skill in the art.
`
`Claim Language
`
`34.
`
`I understand that, in Inter Partes Review proceedings, claim terms are
`
`to be given the broadest reasonable construction in light of the specification as
`
`would be read by a person of ordinary skill in the relevant art.
`
`35. As the result of my education and experience, I believe that I
`
`understand how the asserted claims of the ‘494 patent would be understood by a
`
`person of ordinary skill in the art applying the above standard.
`
`14
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`V. Overview of Relevant Computer Security, Malware Detection, and
`Internet Technology at the Time of the ‘494 Patent
`
`36. At the time of the ‘494 patent, the use of computers was rapidly
`
`becoming widespread and commonplace. In particular, companies and other
`
`organizations were relying on networked computer systems to perform various
`
`tasks, store various information, and manage and control various infrastructure. As
`
`the use of such networked computer systems increased significantly, computer
`
`viruses and other types of malware became a major problem for the computer
`
`industry.
`
`37.
`
`There were three major factors that contributed to the significant
`
`growth in malware. First, sophisticated malware writers had developed tools that
`
`allowed relatively unsophisticated programmers to create sophisticated malware.
`
`These tools could be easily downloaded using the Internet. A second reason was
`
`the growth in computer usage by individuals. Computers had become commodity
`
`consumer products. A third reason was the growth of the Internet as computer
`
`networks became more ubiquitous. More users, the availability of networking and
`
`the development of the World Wide Web (WWW), led to the phenomenal growth
`
`of the Internet. In 1993, traffic on the Internet was growing at the incredible rate of
`
`341,000%. As the Internet grew, so did the opportunity for criminals and other
`
`malicious entities to use the Internet to spread malware for illicit financial gain.
`
`15
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`38. One of the primary ways malicious entities would compromise a
`
`computer on the Internet was through a malicious download when a user visited a
`
`web page. At the time, typical web-based systems allowed authors to attach an
`
`executable program to a Web page, so that anyone visiting the web page
`
`automatically downloads and runs the program. Thus, simply visiting a Web page
`
`may cause a user to unknowingly download and run a program written by a
`
`criminal or other malicious person.
`
`39.
`
`Such downloaded executables were written using various
`
`programming languages such as Java, ActiveX, VisualBasic, JavaScript, and Web
`
`plug-ins. Examples of popular plug-ins include QuickTime (viewing videos),
`
`Shockwave (multimedia viewer), and Acrobat Reader (for viewing PDF files).
`
`40. Another commonly used method to deliver an executable to a machine
`
`was via an e-mail attachment. Here, an executable was downloaded to the victim’s
`
`computer via an attachment to an e-mail message. The attachment may be named
`
`to appear as if it is a benign text file, image, digital music, etc. In reality, however,
`
`the file is an executable that performed the malicious actions intended by the
`
`author.
`
`41. Because of the frequency of these types of attacks, there was much
`
`interest by industry, university research centers, and government research
`
`16
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`laboratories in developing techniques to detect and prevent malicious downloads
`
`from taking malicious actions such as modifying or destroying files, monitoring
`
`the user’s online activities, or stealing valuable information.
`
`42.
`
`The main defense against various types of malware, including
`
`malicious executable programs, was anti-virus software. Such software was
`
`generally referred to as anti-virus software even though it would detect other types
`
`of malware such as spyware, backdoors, spammers, and keyloggers that might be
`
`included or embedded in a malicious, executable program.
`
`43.
`
`Initially, the dominant technique used by anti-virus software to detect
`
`malware was signature-based scanning. Signature-based scanning is analogous to a
`
`common, standard medical approach for determining if a person is infected with a
`
`certain biological pathogen. A blood test is performed to see if particular
`
`antibodies are present that indicate that the subject is infected. Similarly, with
`
`signature-based virus detection, the anti-virus software scans relevant files for a
`
`“fingerprint” or “signature” that, if present, indicates malware is present.
`
`44. At the time, anti-virus tools used various approaches to create
`
`signatures. One widely used technique was to create a set of patterns to detect
`
`viruses and other malware. A pattern might be targeted for a particular family of
`
`related viruses. An example of such a pattern is:
`
`17
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`SIG: 0x0E,0xBE,Skip(0x02),0x56,0xC3,Skip(0x3),0x83,0xEE,0x1E
`
`45.
`
`The signature specifies that the file contains a virus if the file has a
`
`sequence of bytes that match the pattern specified. The pattern says look for two
`
`consecutive bytes that have the values 0x0E and 0XBE, then skip the next two
`
`bytes (their contents are irrelevant), then look for byte values 0x56 ad 0xC3, skip
`
`three bytes, then look for 0x83, followed by 0xEE and 0x1E.
`
`46.
`
`There are many aspects to creating powerful, effective, signature-
`
`based anti-virus software. One key aspect for effective scanning is the
`
`completeness of the corpus of signatures used by the scanner. If the signature
`
`database does not contain a signature for specific malware, the malware most
`
`likely will not be detected. Anti-virus vendors expend considerable effort to ensure
`
`their signature databases contain up-to-date signatures of newly discovered viruses
`
`and that these updated databases are provided to the licensees of their software on
`
`a timely basis.
`
`47. Another aspect of effective scanning is the sophistication of the
`
`scanning algorithms and techniques. Anti-virus software vendors continually
`
`investigated new scanning techniques to both speed the scanning process and to
`
`improve the accuracy. Much like the medical tests I mention above, signature-
`
`based scanning may sometimes result in false positives or false negatives. In the
`
`18
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`medical context, a false positive is when a test has incorrectly indicated the
`
`presence of a pathogen when there is, in actuality, none present. A false negative
`
`is when the test has incorrectly indicated that no pathogen is present when there is,
`
`in actuality, a pathogen present.
`
`48. Another well-known technique employed by anti-virus tools at the
`
`time was hashing. Hashing was a well-known technique that was (and still is) used
`
`in several contexts of anti-virus technology. One use of hashing is to create a
`
`unique “digest” of a file. The message digest is orders of magnitude smaller than
`
`the message (hence the term digest). The original use of such hashes was to create
`
`a digest of a message to detect if a message was corrupted during transmission to a
`
`receiver. The corruption could be because of an error in the transmission (e.g., a
`
`bit or bits are inadvertently changed or dropped) or because the message had been
`
`intentionally changed.
`
`49. Before transmitting the message, a cryptographic hash function is
`
`used to create the message digest. The digest is attached to the message (either
`
`prepended or appended) and the package would be transmitted. At the receiver,
`
`after the package was received, the digest would be recomputed and compared to
`
`the digest attached to the message. If the computed digest was different from the
`
`attached digest, then either the message or the attached digest had been corrupted
`
`19
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`and appropriate action could be taken. As one example, the receiver could request
`
`that the message be resent. Attaching a digest to a message is conceptually similar
`
`to attaching a certificate to a downloaded executable.
`
`50. Attaching or appending additional information (such as a certificate)
`
`onto executables that were downloaded or transferred via a network was also well
`
`known in the art at the time of the ‘494 patent. For example, Atkinson (U.S. Patent
`
`No. 5,892,904, provided as Ex. 1023) teaches that “a publisher digital certificate
`
`122 (FIG. 4) and publisher signature 110 are attached, appended to or incorporated
`
`with an executable file 102.” Atkinson, col. 6:44-46, FIG. 4. In addition, it was
`
`also well known that components of these certificates could be used to link to and
`
`retrieve additional information or data related to the executable. Atkinson, col.
`
`2:56-58 (“publisher digital signature also includes an identifying name of the
`
`executable file and a link or hyperlink to a description of the executable file”),
`
`FIG. 4.
`
`51.
`
`Such cryptographic hashes were also used to create a database on a
`
`user’s machine of files that had previously been scanned (perhaps using a
`
`signature-based scanner) and were deemed to be virus-free. The database
`
`contained a cryptographic hash, and a pointer to the file on disk. Periodically, the
`
`anti-virus software would check to make sure the cryptographic hash matched the
`
`20
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`computed hash. If the computed hash did not match the hash stored in the database,
`
`this indicated the file had been changed, which might be the result of a virus.
`
`Typically further checking would be done. These databases were often called file
`
`integrity databases. Such databases were also used by intrusion detection systems.
`
`52.
`
`In the context of anti-virus technology, cryptographic hashes were
`
`also used to implement “whitelists” and “blacklists” that could be quickly checked
`
`to determine whether to allow an executable to be downloaded and/or run on a
`
`computer. To create whitelists, executable files that were known to not contain
`
`viruses were hashed, and these hashes were stored in a whitelist table. Similarly,
`
`executable files that were known to contain viruses were hashed, and these hashes
`
`were stored in a blacklist table. When a new file was received (perhaps it is
`
`downloaded from a website, or attached to an e-mail), the hash function was
`
`applied to the file and a hash value was computed. Using the computed hash value,
`
`the whitelist and blacklist were searched. If the hash value for the received file
`
`was on the whitelist, the file was categorized as not containing a virus. If the hash
`
`value for the received file was on the blacklist, the file was categorized as
`
`containing a virus.
`
`53.
`
`Such hashes were also widely used to create efficient methods to store
`
`and find information. Well known to those skilled in the art was the use of hashing
`
`21
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`techniques to create “hash tables” for efficiently storing and retrieving information.
`
`A hash table is a data structure that is searched using the hash value computed by
`
`the function (often called a “hash function” in this context). There are several
`
`techniques for creating hash tables, but the key idea is that the hash value of an
`
`object is used to locate the object in the table. Those skilled in the art routinely
`
`used hash tables to store information for fast lookup. Furthermore, it was well
`
`understood by those skilled in art that in many cases it was often preferable to store
`
`the hash of an object in other data structures rather than storing a duplicate of the
`
`object (which required substantially more storage space). The object could easily
`
`and quickly be retrieved by using the hash and then accessing the hash table that
`
`contained the object.
`
`54. Over the years, anti-virus researchers and researchers in other areas
`
`(e.g., software engineering and programming languages) have built various tools to
`
`help them analyze programs including downloads. Such tools can be generally
`
`categorized as either static or dynamic analyzers. A static analyzer determines
`
`information about a program without running the program. Rather it builds various
`
`data structures that can be analyzed to determine various properties of a program.
`
`A very common data structure that is useful for static analysis of a program is the
`
`control-flow graph.
`
`22
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`55.
`
`To build a control-flow graph of an executable program, the file
`
`containing the program is parsed to determine the instructions that may be invoked
`
`by the program. By analyzing the instructions and identifying the instructions that
`
`cause the control of flow to change (i.e., jump instructions or control transfer
`
`instructions), the static analyzer can construct a graph that represents the
`
`relationship between various sections of the program. The nodes in the control-
`
`flow graph were often referred to as basic blocks by those skilled in the art.
`
`56. Using the control-flow graph, a static analyzer performs other useful
`
`analyses. One example is called “dead code” elimination. Here, code that cannot
`
`possibly be executed can be removed from the program thereby saving space.
`
`57. While static analysis is a powerful tool, it must be conservative
`
`because it is analyzing the program without the benefit knowing what inputs the
`
`program might process, and therefore could produce erroneous information.
`
`Consequently, dynamic analysis was also used to analyze executable programs.
`
`Dynamic analysis requires running the program on some input. The advantage of
`
`dynamic analysis is that one can observe how the program behaves on a particular
`
`input or set of inputs and monitor the instructions that are called by the program.
`
`58. Because of their complementary nature, both static and dynamic
`
`analyses were often used together when analyzing executable programs.
`
`23
`
`
`
`Inter Partes Review of
`U.S. Patent No. 8,677,494
`
`59. At the time of the ‘494 patent (and even now), anti-virus researchers
`
`continually worked to improve the accuracy of the signature-based scanning by
`
`lowering the rates of false positives and false negatives. Unfortunately, virus
`
`writers also continually worked to create new techniques for creating malware that
`
`would evade detection by signature-based scanning. This back-and-forth struggle
`
`between virus writers and anti-virus defenders is much li