US007673137B2

(12) United States Patent
Satterlee et al.

(10) Patent No.: US 7,673,137 B2
(45) Date of Patent: Mar. 2, 2010

(54) SYSTEM AND METHOD FOR THE MANAGED SECURITY CONTROL OF PROCESSES ON A COMPUTER SYSTEM

(75) Inventors: Thomas James Satterlee, Felton, CA (US); William Frank Hackenberger, Los Altos, CA (US)

(73) Assignee: International Business Machines Corporation, Armonk, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1987 days.

(21) Appl. No.: 10/336,299

(22) Filed: Jan. 3, 2003

(65) Prior Publication Data

US 2004/0025015 A1, Feb. 5, 2004

Primary Examiner: Christian LaForgia
Assistant Examiner: Jenise E Jackson
(74) Attorney, Agent, or Firm: King & Spalding LLP

Related U.S. Application Data

(60) Provisional application No. 60/345,432, filed on Jan. 4, 2002.

(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 7/04 (2006.01)

(52) U.S. Cl.: 713/164; 713/161; 713/165; 713/167; 713/182; 713/187; 713/188; 726/1; 726/2; 726/14; 726/22; 726/24; 726/26

(58) Field of Classification Search: 713/164-165, 713/167; 726/14, 22, 24, 26
See application file for complete search history.

(57) ABSTRACT

Managing and controlling the execution of software programs with a computing device to protect the computing device from malicious activities. A protector system implements a two-step process to ensure that software programs do not perform malicious activities which may damage the computing device or other computing resources to which the device is coupled. In the first phase, the protector system determines whether a software program has been previously approved and validates that the software program has not been altered. If the software program is validated during the first phase, this will minimize or eliminate security monitoring operations while the software program is executing during the second phase. If the software program cannot be validated, the protector system enters the second phase and detects and observes executing activities at the kernel level of the operating system so that suspicious actions can be anticipated and addressed before they are able to do harm to the computing device.

29 Claims, 8 Drawing Sheets

IPR2024-00027
CrowdStrike Exhibit 1001 Page 1