IN THE UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD SYMANTEC CORPORATION, - vs. -

Transcription

1 IN THE UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD SYMANTEC CORPORATION, - vs. - Petitioner THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK, Patent Owner Patent No. 7,913,306 Filed: May 21, 2008 Issued: Mar. 22, 2011 Inventors: Frank Apap, Andrew Honig, Hershkop Shlomo, Eleazar Eskin, and Salvatore J. Stolfo Title: SYSTEM AND METHODS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM BY MONITORING OPERATING SYSTEM REGISTRY ACCESSES Inter Partes Review No. PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 7,913,306 UNDER 35 U.S.C AND 37 C.F.R , December 5, 2014 Mail Stop Patent Board Patent Trial and Appeal Board P.O. Box 1450 Alexandria, VA

2 TABLE OF CONTENTS Page I. INTRODUCTION... 1 II. MANDATORY NOTICES (37 C.F.R. 42.8(A)(1))... 1 A. Real Party-In-Interest (37 C.F.R. 42.8(b)(1))... 1 B. Notice of Related Matters (37 C.F.R. 42.8(b)(2))... 1 C. Designation of Lead and Backup Counsel (37 C.F.R. 42.8(b)(3))... 1 D. Service of Information (37 C.F.R. 42.8(b)(4))... 2 III. GROUNDS FOR STANDING (37 C.F.R (A))... 2 IV. IDENTIFICATION OF CHALLENGE (37 C.F.R (B))... 2 A. Effective Filing Date of the 306 Patent... 2 B. There Is a Reasonable Likelihood That at Least One Claim of the 306 Patent Is Unpatentable under 35 U.S.C. 102 and V. OVERVIEW OF THE 306 PATENT... 7 A. Overview of the Disclosure of the 306 Patent... 7 B. Prosecution History of the 306 Patent... 9 VI. CONSTRUCTION OF THE CHALLENGED CLAIMS (37 C.F.R (B)(3))...12 VII. THE CHALLENGED CLAIMS ARE UNPATENTABLE...14 A. Using File System Activity As An Information Source for Anomaly Detection Was Well Known in the Art...14 B. Ground 1: Bace anticipates claims 1-4 and ii

3 TABLE OF CONTENTS (CONTINUED) Page 1. Claim 1: A method for detecting intrusions in the operation of a computer system comprising: Claim 1: (a) gathering features from records of normal processes that access the file system of the computer; Claim 1: (b) generating a probabilistic model of normal computer system usage based on occurrences of the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and Claim 1: (c) analyzing features from a record of a process that accesses the file system to detect deviations from normal computer system usage to determine whether the access to the file system is an anomaly Claim 2: The method according to claim 1, wherein the step of gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a name of a process accessing the file system of the computer Claim 3: The method according to claim 1, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a type of query being sent to the file system of the computer Claim 4: The method according to claim 3, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to an outcome of a query being sent to the file system of the computer iii

4 TABLE OF CONTENTS (CONTINUED) Page 8. Claim 7: The method according to claim 1, wherein generating a probabilistic model of normal computer system usage comprises determining a likelihood of observing a feature in the records of processes that access the file system of the computer Claim 8: The method according to claim 7, wherein determining a likelihood of observing a feature comprises determining a conditional probability of observing a first feature in the records of processes that access the file system of the computer given an occurrence of a second feature is the records Claim 9: The method according to claim 1, wherein analyzing a record of a process that accesses the file system of the computer comprises, for each feature, performing a check to determine if a value of the feature has been previously observed for the feature C. Ground 2: Bace in combination with Shavlik and Russinovich render claims 2-4 and obvious Reasons to Combine Shavlik with Bace and Russinovich Claim 2: The method according to claim 1, wherein the step of gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a name of a process accessing the file system of the computer Claim 3: The method according to claim 1, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a type of query being sent to the file system of the computer iv

5 TABLE OF CONTENTS (CONTINUED) Page 4. Claim 4: The method according to claim 3, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to an outcome of a query being sent to the file system of the computer Claim 10: The method according to claim 9, further comprising, if the value of the feature has not been observed, computing a score based on a probability of observing the value of the feature Claim 11: The method according to claim 9, further comprising, if the score is greater than a predetermined threshold, labeling the access to the file system of the computer as anomalous and labeling the process that accessed the file system of the computer as malicious D. Ground 3: Denning anticipates claims 1-4 and Claim 1: A method for detecting intrusions in the operation of a computer system comprising: Claim 1: (a) gathering features from records of normal processes that access the file system of the computer; Claim 1: (b) generating a probabilistic model of normal computer system usage based on occurrences of the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and Claim 1: (c) analyzing features from a record of a process that accesses the file system to detect deviations from normal computer system usage to determine whether the access to the file system is an anomaly v

6 TABLE OF CONTENTS (CONTINUED) Page 5. Claim 2: The method according to claim 1, wherein the step of gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a name of a process accessing the file system of the computer Claim 3: The method according to claim 1, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a type of query being sent to the file system of the computer Claim 4: The method according to claim 3, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to an outcome of a query being sent to the file system of the computer Claim 7: The method according to claim 1, wherein generating a probabilistic model of normal computer system usage comprises determining a likelihood of observing a feature in the records of processes that access the file system of the computer Claim 8: The method according to claim 7, wherein determining a likelihood of observing a feature comprises determining a conditional probability of observing a first feature in the records of processes that access the file system of the computer given an occurrence of a second feature is the records Claim 9: The method according to claim 1, wherein analyzing a record of a process that accesses the file system of the computer comprises, for each feature, performing a check to determine if a value of the feature has been previously observed for the feature vi

7 TABLE OF CONTENTS (CONTINUED) Page 11. Claim 10: The method according to claim 9, further comprising, if the value of the feature has not been observed, computing a score based on a probability of observing the value of the feature Claim 11: The method according to claim 9, further comprising, if the score is greater than a predetermined threshold, labeling the access to the file system of the computer as anomalous and labeling the process that accessed the file system of the computer as malicious VIII. CONCLUSION...55 vii

8 EXHIBIT LIST (37 C.F.R (e)) Exhibit Description 1001 U.S. Patent No. 7,913,306 to Apap et al File History of U.S. Patent No. 7,913, Declaration of Michael T. Goodrich, Ph.D Curriculum vitae of Michael T. Goodrich, Ph.D The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, Oct. 7, 2014 Claim Construction Order (Dkt. No. 123) 1006 Jude Shavlik et al., Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users (RAID 2001) 1007 Rebecca G. Bace, INTRUSION DETECTION (MacMillian Technical Publishing, 2000) 1008 Mark Russinovich and David Solomon, INSIDE MICROSOFT WINDOWS 2000, 3 rd Ed. (Microsoft Press, 2000) 1009 Mark Russinovich and Bryce Cogswell, Examining the Windows 95 Registry, Windows Developer s Journal, Vol. 7, No. 10 (October 1996) 1010 M. Debbabi et al, Monitoring of Malicious Activity in Software Systems, 1st Symposium on Requirements Engineering for Information Security (SREIS, March 2001) 1011 Johnathon Korba, Windows NT Attacks for the Evaluation of Intrusion Detection Systems (M.I.T. 2000) 1012 Terran Lane and Carla E. Brodley, Temporal Sequence Learning and Data Reduction for Anomaly Detection, ACM Transactions on Information and System Security, Vol. 2, No. 3 (August 1999) 1013 RAID 2001 Program, Oct. 10, 2001, Located at:

9 Exhibit ix Description -symposium.org/raid2001/program.html 1014 James D. Murray, Windows NT Event Logging (O Reilly & Associates, 1998) 1015 The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, October 23, 2014 Memorandum Order Clarifying Claim Construction (Dkt. No. 146) 1016 Anup K. Ghosh, et al., Learning Program Behavior Profiles for Intrusion Detection, USENIX Proceedings of the Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, USA, (April 1999) 1017 Aaron Schwartzbard and Anup K. Ghosh, A Study in the Feasibility of Performing Host-based Anomaly Detection on Windows NT, Proceedings of the Second International Workshop on Recent Advances in Intrusion Detection, West Lafayette, Indiana, USA, (September 1999) 1018 U.S. Patent Application Publication No. 2003/ by Richard P. Tarquini, et al U.S. Patent No. 6,973,577 by Victor Kouznetsov 1020 Call For Papers RAID 2001, Oct , 2001, Located at: -symposium.org/raid2001/cfp_raid2001.html Dorothy E. Denning, An Intrusion Detection Model, IEEE Transactions on Software Engineering, Vol. 13, No. 2 (February 1987) U.S. Patent Application Publication No. 10/352,342, by Andrew Honig (excerpts) Microsoft Computer Dictionary, 4 th Ed. (Microsoft Press, 1999) (excerpts) Matthew V. Mahoney and Philip K. Chan, Detecting Novel Attacks by Identifying Anomalous Network Packet Headers, Technical Report CS , Florida Institute of Technology (2001)

10 I. INTRODUCTION In accordance with 35 U.S.C and 37 C.F.R & , inter partes review is respectfully requested for claims 1-4 and 7-11 of United States Patent No. 7,913,306 to Apap et al., titled System and Methods for Detecting Intrusions in a Computer System by Monitoring Operating System Registry Accesses (the 306 patent ) owned by The Trustees of Columbia University in the city of New York ( Columbia ). (EXHIBIT 1001 ( Ex ).) This petition demonstrates that there is a reasonable likelihood that the petitioners will prevail on at least one of the claims challenged in the petition based on prior art references that the United States Patent and Trademark Office ( USPTO ) did not have before it during prosecution. Claims 1-4 and 7-11 of the 306 patent should therefore be canceled as unpatentable. II. MANDATORY NOTICES (37 C.F.R. 42.8(A)(1)) A. Real Party-In-Interest (37 C.F.R. 42.8(b)(1)) The real party-in-interest for this petition is Symantec Corporation ( Petitioner or Symantec ). B. Notice of Related Matters (37 C.F.R. 42.8(b)(2)) The 306 patent is presently the subject of the following patent infringement lawsuit brought by Columbia in the Eastern District of Virginia, Richmond Division: Civil Action No. 3:13-cv-808 against Symantec. C. Designation of Lead and Backup Counsel (37 C.F.R. 42.8(b)(3)) Petitioner provides the following designation of counsel: 1

11 David D. Schumann (Reg. No. 53,569) FENWICK & WEST LLP Postal and Hand Delivery Address 555 California Street 12th Floor San Francisco, CA Tel: (415) Fax: (415) Brian M. Hoffman (Reg. No. 39,713) FENWICK & WEST LLP Postal and Hand Delivery Address 555 California Street 12th Floor San Francisco, CA Tel: (415) Fax: (415) D. Service of Information (37 C.F.R. 42.8(b)(4)) Service of any documents via hand-delivery may be made at the postal mailing addresses of the respective lead and back-up counsel designated above with courtesy copies to the addresses and Petitioner consents to electronic service. III. GROUNDS FOR STANDING (37 C.F.R (A)) Petitioner certifies pursuant to Rule (a) that the 306 patent is available for inter partes review and that Petitioner is not barred or estopped from requesting an inter partes review challenging the validity of the above-referenced claims of the 306 patent on the grounds identified in the petition. IV. IDENTIFICATION OF CHALLENGE (37 C.F.R (B)) A. Effective Filing Date of the 306 Patent The 306 patent issued from U.S. Application No. 12/154,405 filed on May 21, The 405 Application is a continuation of U.S. Application No. 10/352,343, filed Jan. 27, 2033, now U.S. Patent No. 7,448,084, and which claims the benefit of U.S. Provisional Application No. 60/351,857, filed Jan. 25, B. There Is a Reasonable Likelihood That at Least One Claim of the 306 Patent Is Unpatentable under 35 U.S.C. 102 and 103 The challenged claims are directed to a method for detecting malicious intru- 2

12 sions in a computer system by monitoring accesses to the file system, which according to the 306 patent includes the operating system registry, and performing anomaly detection analysis on the observed activity. Claim 1 of the 306 patent is illustrative: As explained in more detail in Section VII below, both file system access monitoring and anomaly detection were well known in the art prior to For instance, it was well known prior to 2002 that malicious software frequently accesses the file system of a computer, as well as the operating system registry. See Ex at Various papers had proposed and described monitoring the file system and system registry to detect malicious behavior prior to See, e.g., Ex at 3 (describing monitoring key system files ); Ex at (describing file and object auditing; a chart on p. 77 shows the types of file and directory activities that can be monitored). Additionally as explained in more detail below, the 306 patent expressly states that the operating system registry is part of the file system. Ex at 4:57-61 ( Sys- 3

13 tem 10 monitors a program s access of the file system of the computer, e.g. Microsoft Windows registry (hereinafter referred to as the Windows registry or the registry ) and determines whether the program is malicious. ). Numerous references suggested monitoring the registry to detect malicious behavior. E.g., Ex at 3; Ex at Further, registry monitoring in general was described in the textbook by Mark Russinovich, Inside Windows 2000, published in 2000 ( Russinovich textbook ). See Ex at 55. An October 1996 article by the same author describes the registry and a program called Regmon that monitors all accesses to the registry. See Ex ( Russinovich paper ). Moreover, the Russinovich paper, Windows NT Attacks for the Evaluation of Intrusion Detection Systems described using the Windows operating system registry access information to create profiles of a number of known attacks. E.g. Ex at 35, 51 (attack modifies system registry), Thus, before 2002 one of ordinary skill in the art knew various attacks accessed the file system generally and the operating system registry specifically, and could be detected by monitoring accesses to the file system, including accesses both to the files themselves and the registry. Similarly, anomaly detection was a well-known technique for detecting intrusions at least as early as E.g. Ex Dorothy Denning s 1986 paper, An Intrusion Detection Model ( Denning ), was one of the first to consider applying anomaly detection models to observed computer system usage for the purpose of identifying intrusive behavior. Denning describes a system based on the hypothesis that security violations can be detected by monitoring a system s audit records for abnormal pat- 4

14 terns of system usage. Ex. 1021, Abst. The system includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistics models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. Id. Subjects are the initiators of actions in the target system, including users and processes acting on behalf of users. Id. at 2. Objects are the receptors of actions and typically include such entities as files, programs, messages, records, terminals, printers, and user- or program-created structures. Id. Denning explains that the behavior profiles are based on statistical models that determine whether a new observation is abnormal with respect to previous observations. Id. at 4-5. Applying the statistical models to new observations allows the system to detect novel attacks. Id. at 1-2. More recently, the 2000 textbook entitled Intrusion Detection by Rebecca Bace ( Bace ) contains several chapters explaining anomaly detection and how to implement an anomaly detection system. Ex at 108. Bace also describes using Windows NT event logs, which include file system accesses, as an information source for anomaly detection. Id. at Other references published before 2002 also suggest using records of accesses to the file system (including registry accesses). For example, a 2001 paper by Jude and Mark Shavlik, and Michael Fahland entitled Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users ( Shavlik ) describes using accesses to key files or the registry as an information source for anomaly detection. Ex at 1, 3. As demonstrated above, the use of information regarding accesses to the file system (including accesses to the registry) as 5

15 an information source for anomaly detections was known in the art before the priority date of the 306 patent. Section VII below provides a limitation-by-limitation analysis for each of the challenged claims. In that section, the petition demonstrates that Bace anticipates claims 1-4, and 7-11 of the 306 patent. The Bace textbook is prior art pursuant to 35 U.S.C. 102 (a) and (b) because the Bace textbook bears a copyright date of Ex at 5. Additionally, Bace in combination with Shavlik and the Russinovich textbook render claim 2-4 and obvious. Shavlik and the Russinovich textbook demonstrate that monitoring accesses to the windows registry was well known in the art before the priority date of the 306 patent. Shavlik expressly suggests using registry access data with anomaly detection, and Russinovich shows the details of what features of the registry may be monitored with a well-known registry monitor called RegMon. Notably, the 306 patent states that the disclosed registry auditing module of Fig. 1 is substantially identical to Regmon. Ex at 13: As such, accesses to the registry are also accessed to the file system. Therefore, the combination of Bace with Shavlik and Russinovich Shavlik is prior art pursuant to 35 U.S.C. 102(a). Shavlik was submitted for consideration for an October 2001 conference Recent Advances in Intrusion Detection. Ex The deadline for submissions was March 30, 2001 and decisions by the panel were due on July Ex The Shavlik paper was presented to the conference on October 11, 2001, and made available on the RAID website. Ex

16 Exhibit 1013 is the conference program website from November 21, 2001, including links to the Shavlik paper, obtained from archive.org. Id.. Thus, the Shavlik paper was available to the public at least as early as November 21, The Russinovich textbook is prior art pursuant to 35 U.S.C. 102(b) because it bears a copyright date of V. OVERVIEW OF THE 306 PATENT A. Overview of the Disclosure of the 306 Patent The 306 patent discloses a system and method for detecting intrusions in a computer system by identifying anomalies from normal computer system usage. Ex at 4: Figure 1 is shown below. Figure 1 illustrates the basic architecture of a system 10 as recited in the asserted claims. Id. Computers running the Windows operating system have an operating sys- 7

17 tem registry a hierarchical database that stores information about the computer, its users, and the programs that are installed. Id. at 5: Software programs running on those computers may access the operating system registry. Id. at 6:3-6. To determine whether those software programs are malicious, registry auditing module 12 will monitor accesses to the registry, such as program reads and writes to the registry. Ex at 13: First, however, the model run by system 10 is trained using clean data that accesses the registry. Id. at 6: The clean data will enable system 10 to identify normal computer usage, and, therefore, recognize anomalies to the normal computer usage as an intrusion or malicious behavior. Id. at 8: The 306 patent provides two exemplary methods for creating the model. Both methods are admitted in the 306 patent as being prior art. Ex at 12:60-67 ( an anomaly detection algorithm known in the art, which was developed to detect anomalies in packet headers ). See e.g., Ex (M. Mahoney and P. Chan, Detecting Novel Attacks by Identifying Anomalous Packet Headers, Technical Report CS , Florida Institute of Technology, Melbourne, Fla., 2001). In fact, the 306 patent expressly describes Mahoney as determining the likelihood of observing an event that was not observed during training and computing a score based on a probability as required by the claims: During testing, we fix the model (n, r, and the list of observed values). When an anomaly occurs, we assign a field score of t/p where p = r/n is the estimated probability of observing an anomaly.... Ex at 2; see also Ex at 12: Thus, the 306 patent admits these features were not novel. Specifically, registry auditing module 12 logs all reads and writes to the registry. 8

18 Ex at 13: The data obtained by registry auditing module 12 is transmitted, as shown by arrow 24, to data warehouse 18. There, data warehouse 18 stores all of the collected registry accesses from the training data. Id. at This data is then transmitted, as shown by arrow 28, to model generator 14. Model generator 14 then applies an algorithm to this collected data to create a model of normal computer usage. Id. at 13: Model generator 14 transmits this normal usage model, via arrow 29, to anomaly detector 16, where the normal usage model is loaded. Id. at Thereafter, anomaly detector 16 will read each record from the output data stream of registry auditing module 12 (via arrow 26). Id. Anomaly detector 16 will apply the normal usage model and algorithm against each record of registry activity received from registry auditing module 12. Ex at 14: A score generated by the anomaly detection algorithm is compared with a user configurable threshold to determine if the record should be considered anomalous. Id. A list of anomalous registry accesses are then stored and displayed as part of the detector. Id. B. Prosecution History of the 306 Patent Columbia filed U.S. Patent Application No. 12/154,405, the application underlying the 306 patent, on May 21, Ex at The application is a continuation of Patent Application No. 10/352,343, filed on January 27, 2003, which resulted in the 084 Patent. In addition, the application claims priority to Provisional Application No. 60/351,857, which was filed on January 25, The as-filed application included 11 claims, all related to accesses to the file system. It included one independent claim, claim 1, which stated as follows: 9

19 Id. at 129. The examiner issued a Non-Final Rejection on April 23, 2010, rejecting all of claims Id. at First, the examiner rejected all claims under 35 U.S.C. 101 as non-statutory subject matter. The examiner explained that the method steps are not tied to a particular machine and do not perform a transformation. Id. at 45. In addition, the examiner issued a non-statutory double patent rejection for all claims. Id. at Next, the examiner rejected claims 1, 7, and 8 as anticipated under Chong, the same patent cited during the 084 patent prosecution. Id. at 47. In addition, it rejected claims 2-6 as rejected under 35 U.S.C. 103(a) on the basis of Chong in view of Korba, and claims 9-11 as rejected under 35 U.S.C. 103(a) on the basis of Chong in view of Eskin, Adaptive Model Generation for Intrusion Detection Systems. Id. at The applicants submitted an Amendment and Remarks After Non-Final Rejec- 10

20 tion on September 23, Id. at First, in order to overcome the rejection on the basis of nonpatentable subject matter, the applicants noted that the claimed method steps must be performed by a particular machine. For example, the step of gathering features from records of normal processes that access the file system of the computer, as recited in claim 1, inherently requires the use of a data processor since the steps set forth in paragraphs [0030]-[0031] of the Specification could not be carried out by hand. Id. at 26. Second, the applicants submitted a terminal disclaimer to overcome the double patenting rejection. Id. Third, with respect to overcoming Chong, the applicants explained that Chong does not describe gathering features from records of normal processes, but, on the contrary, gathers information corresponding to events associated with unwanted intrusion or malicious activity. Id. at 27. In addition, the applicants urged that the only data expressly described as collected by the system of Chong is data related to an attack on the computer network, such as unwanted intrusion or malicious activity. Id. The applicants also argued that Chong is not concerned with determining the likelihood of observing an event that was not observed during prior information gathering. On the contrary, since Chong is only concerned with gathering information associated with an unwanted intrusion or malicious activity, Chong merely compares the gathered information to a later event. In doing so, the system of Chong determines if the later event is the same as a previously gathered malicious event and, if so, makes inferences based on known properties of the previously gathered mali- 11

21 cious event. Id. at 28. The Patent Office issued a Notice of Allowance on December 20, Id. at U.S. Patent No. 7,913,306 issued on March 22, Id. at 4. VI. CONSTRUCTION OF THE CHALLENGED CLAIMS (37 C.F.R (B)(3)) The terms in claims 1-4 and 7-11 are to be given their broadest reasonable construction ( BRC ), as understood by one of ordinary skill in the art and consistent with the disclosure. See 37 C.F.R (b); see also In re Yamamoto, 740 F.2d 1569, 1571 (Fed. Cir. 1984); In re Am. Acad. of Sci. Tech. Ctr., 367 F.3d 1359, (Fed. Cir. 2004). The following constructions were adopted by the district court in The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv- 808 for the 306 patent. The district court s opinion is persuasive as to the construction of the following terms. Petitioner submits these constructions as the BRC for the below mentioned terms. The district court construed probabilistic model of normal computer usage to mean model of typical attack-free computer system usage that employs probability. Probability is the likelihood that an event will occur or a condition will be present. Ex at 2. The district court also clarified its order with regard to this claim term, stating that the model is generated with only attack-free data. Ex at 2. This definition comports with the specification s description of generating models for use in anomaly detection. For example, the specification repeatedly states that the models must be generated using only attack-free data or clean data: Some at- 12

22 tacks involve launching programs that have not been launched before and/or changing keys that have not been changed since the operating system was first installed by the manufacturer. If a model of the normal registry behavior is trained over clean data, then these kinds of registry operations will not appear in the model, and can be detected when they occur. Ex at 6:30-36; also 15:4-16 (referring to a clean (attack-free) dataset ). Therefore, the district court s construction is the BRC. Ex at 92. The district court also construed the term normal computer system usage to mean typical, attack-free usage. As discussed above in connection with probablistic model of normal computer usage, the district court s construction is supported by the intrinsic record and is therefore the BRC of this term. The district court construed the term anomaly/anomalous to mean [d]eviation/deviating from a model of typical, attack-free computer system usage. Ex at 2. The specification describes various embodiments of the invention, all of which define anomaly or anomalous as a deviation from a model of normal behavior. See, e.g., Ex at 8:13-15 ( In order to detect anomalous registry accesses, model generator 14 of the system 10 generates a model of normal registry activity. ); id. at 5:16-18 ( The model is then used by the anomaly detector 16 to decide whether each new registry access should be considered anomalous. ); id. at 8:22-27 ( When detecting anomalies, the model of normal behavior is used to determine whether the values of the features of the new registry accesses are consistent with the normal data. If such values are not consistent, the algorithm labels the registry access 13

23 as anomalous, and the processes that accessed the registry as malicious. ). Therefore, the district court s construction is the BRC of this claim term. Ex at 94. The claim terms should be construed at least as broadly as the constructions the district court adopted for the reasons set forth in that case. Ex. 1005, The claim terms not specifically construed herein are given their BRC, as understood by one of ordinary skill in the art and consistent with the disclosure. Ex at 95. VII. THE CHALLENGED CLAIMS ARE UNPATENTABLE A. Using File System Activity As An Information Source for Anomaly Detection Was Well Known in the Art As described above, the 306 patent uses monitoring of processes that access the files system of a computer, primarily consisting of registry monitoring techniques, to achieve anomaly detection (a form of what is more broadly referred to as intrusion detection). But the combination of these core concepts anomaly detection and file system monitoring (and, in particular, registry monitoring) was already recognized as prior art before the priority date for the 306 patent. Any additional elements recited by the challenged claims merely describe obvious examples of file system monitoring in combination with anomaly detection. Prior art described anomaly detection techniques, as well as intrusion detection more broadly, as early on as the late 1980 s. For instance, Denning s paper, titled An Intrusion Detection Model, describes a system based on the hypothesis that security violations can be detected by monitoring a system s audit records for abnormal patterns of system usage. Ex. 1021, Abst. The system includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistics 14

24 models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. Id. Another early reference authored by Anup Ghosh et al. ( Ghosh I ) describing such schemes provides that, at its most general level, [i]ntrusion detection tools seek to detect attacks against computer systems by monitoring the behavior of users, networks, or computer systems. Ex at 2. Intrusion detection breaks down into two typical approaches: misuse detection and anomaly detection. Misuse detection techniques model attacks on a system as specific patterns, then systematically scan the system for occurrences of these patterns. Id. at 3. Meanwhile, anomaly detection attempt[s] to detect intrusions by noting significant departures from normal behavior.... Id. at 3. Unlike misuse detection, which performs signature-based detection techniques, anomaly detection is able to detect novel attacks against systems, i.e., attacks that have not been seen before by our intrusion detection system. Id. at 3. Ghosh I identifies and compares the performance of three different algorithms for anomaly detection. The first of these is equality matching, which involves comparing an event sequence of against sequences stored in a database of normal program behavior to determine whether it is malicious. See id. at 5-7. This technique is predicated on the ability to capture the normal behavior of a program in a database. Id. at 6. Second, Ghosh I examines applying adaptive machine learning to generate profiles of normal behavior and comparing new event sequences against this dynamic profile of past behavior to detect anomalies. See id. at 8-9. Finally, Ghosh I studies the use of recurrent networks capable of maintaining state information be- 15

25 tween event sequences to predict future normal behavior, and thereby determining when an event sequence deviates from a predicted event. See Id. at Thus, Ghosh I identifies the three possible ways of detecting anomalous behavior: (1) comparison against a database of all possible normal behavior, assuming that generating such a database is possible; (2) comparison against a profile based on past normal behavior; and (3) comparison against future, predicted normal events. Bace, in her textbook entitled Intrusion Detection, describes the matter of anomaly detection at greater length. Bace writes that: Anomaly detection involves a process of establishing profiles of normal user behaviors, comparing actual user behavior to those profiles and flagging deviations from the normal. Ex at 121. The analysis proceeds in four phases: (1) inputting a new event record; (2) preprocessing the event into a suitable form; (3) comparing the event record to the knowledge base (i.e. profile); and (4) generating a response. Id. at Depending on the analysis approach, constructing an analyzer might involve collecting event information generated by a system functioning in an operational environment, or collecting event information in a laboratory environment. Id. at 106. For an anomaly detection scheme to function effectively, event information is collected from the live system itself or from a system designated as similar in order to build baseline profiles indicating normal user behavior. Id. Because anomaly detection relies on comparisons against some benchmark about what constitutes normal user behavior, it depends on an assumption that users exhibit predictable, consistent patterns of system usage. Id. at 121. Accordingly, for an analysis engine to function 16

26 properly, regardless of analysis approach, it must be tailored to the environment in which it is to operate. Id. at 105. Early implementations of anomaly detection schemes focused on Unixflavored platforms. Ex at 1. As Windows NT [became] the dominant desktop platform, id., however, anomaly detection research attempted to leverag[e] the base object auditing facilities of the Windows NT platform, id. at 4. As detailed in a second paper by Ghosh ( Ghosh II ), critical differences exist between Unix-based and Windows-based platforms. Given these differences between the operating systems, [b]lindly applying Unix intrusion detection techniques may not be appropriate for the Windows NT platform. Id. at 9. Unix-based systems operate under an imperative paradigm. Id. at 5. That means that, under Unix and similar operating systems, [p]rograms make requests of the operating system using system calls, and the operating system either performs the requested action and returns some indicator of success, or the operating system cannot perform the requested action, and returns an error code. Id. at 5. As Ghosh II explains, Windows NT is object oriented. Under object oriented operating systems, input and/or output operations are performed by the operating system giving an object corresponding to a specific resource to a program, and the process operates on that object. Id. at 6. Thus, [w]hereas monitoring system calls makes sense on Unix, it might not be optimal on Windows NT. Id. at 9. Prior art has long recognized that monitoring file system access and, in particular, monitoring the registry may serve as an effective way of protecting systems 17

27 running Windows NT and comparable systems against malicious activity. For instance, M. Debbabi, et al., Monitoring of Malicious Activity in Software Systems ( Debbabi ) describes a scheme for monitoring Windows NT systems for malicious activity, defined as activity that does not comply with the strictures of an explicit security policy.... Ex at 1. Rather than requiring complete management of access to memory, the strategy behind the Debbabi scheme consisted of inserting monitoring modules to control accesses to certain critical resources containing significant or strategic information. Id. at 5. The four critical resources monitored under the Debbabi scheme include the files themselves and the Windows registry, as well as communications ports and processes. Id. Debbabi identified the files themselves as a critical resource because they store [s]ystem-critical, classified and personal information. Id. Further, Debbabi identifies the Windows registry as a critical resource because it stores Windows NT configuration and user information ; malicious attacks may modify the Registry so that an unwanted application is executed at boot time without the user s knowledge. Id. For instance, one study demonstrates how several commonly known malicious attacks on Windows NT systems modify accesses to the registry of a file system. See Ex at (describing three remote-to-user attacks, including Netbus R-s-U, Netcat R-s-U, and PPMacro R-s-U, that modify keys in the registry and can be detected by analyzing accesses to the registry); see also id. at (describing a user-to-root attack called the Yaga U-b-S, which edits the victim s Registry so that the next time a service crash occurs on the victim machine, the attacker is added to the Domain Admins group ). Prior 18

28 art roundly recognizes the utility of file system monitoring, including monitoring of the registry, in intrusion detection. See Ex.1018 at 32 ( The capabilities of the hostbased IPS [intrusion prevention system] comprise application monitoring of: file system events; registry access.... ); Ex at 5:25-35, Fig. 5 (discussing a detection scheme that monitors [f]iles accesses, including read, write, redirection, open, close, and modify operations....,program executions, and system configuration area accesses, such as Registry files ). Jude Shavlik, et al., Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users ( Shavlik ) builds upon prior art anomaly detection systems such as Ghosh I by proposing a detection scheme better suited for Windowsbased operating systems, expressly disclosing (among other things) file system and registry monitoring. Shavlik presents a prototype anomaly-detection system that creates statistical profiles of the normal usage for a given computer running Windows 2000, Ex at 1, noting that prior work [in the field] has focused on Unix systems, whereas over 90% of the world s computers run some variant of Microsoft Windows. Id. at 5. The Shavlik system collects information for these statistical profiles from multiple Windows-based sources: Performance Monitor (Perfmon) data; Event Log monitoring; and User and computer state information, such as typing rates, network traffic levels, programs running, and specific system API s invoked. Id. at 3. Shavlik s Event Log monitoring examines key NT Registry locations, key system files, login abnormalities, and suspect account changes, as well as invalid accesses to key files and to registry entries. Id. at 3. Therefore, Shavlik teaches using 19

29 data obtained from monitoring the Windows operating system s file system and registry as an information source for anomaly detection, the two core elements claimed under the 306 patent. B. Ground 1: Bace anticipates claims 1-4 and Claim 1: A method for detecting intrusions in the operation of a computer system comprising: Although the Petitioner does not believe the preamble is limiting for this claim, Bace expressly discloses [a] method for detecting intrusions in the operation of a computer system. Bace s book is entitled Intrusion Detection, and is entirely devoted to describing methods of detecting intrusions during the operation of a computer system. For example, Bace explains in the Introduction, Intrusion detection is the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. Ex at 25. Therefore, to the extent the preamble is limiting at all, Bace anticipates it. 2. Claim 1: (a) gathering features from records of normal processes that access the file system of the computer; Bace anticipates gathering features from records of normal processes that access the file system of the computer. Anomaly detection techniques require building models of normal system behavior in order to then compare behaviors observed during normal operation against that model to identify anomalies, and Bace specifically teaches using data observed when a normal process is accessing the file system. Ex at 76-77, 109; Ex, 1003 at , 110, pp The first step of constructing the analyzer is collecting event information.... In anomaly detection, event information is collected from the live system itself or from a system designated 20

30 as similar. This information is needed to build baseline profiles indicating normal user behavior. Id. at 106. Bace further describes file system accesses as a source of event information, as described below. Bace describes using various information sources for anomaly detection. See id. at Specifically, it describes using Windows audit logs, which record file system accesses, such as requests to run a file, to delete a file, and to change permissions on a file. Id. at Bace also discloses that: Operating System Audit Trails Id. at 68. Each audit file is composed of audit records, each of which describes a single system event. These records are generated by user actions and by processes invoked on behalf of users, whenever either makes system calls or executes commands Content of Audit Trails Most commercial operating systems record events at kernel level (reflecting system calls) and at user level (reflecting application events). Audit records contain information about subjects responsible for the event and any objects involved in the event. Most records also include information about the process that initiated the event, the userid associated with the event, which sometimes includes the current userid as well as the original userid (in case the user identity changes). Kernel-level entries contain system call arguments and return values, whereas user-level entries con- 21

31 tain high-level descriptions of the event or applicationspecific data. Id. at Bace discloses different operating system event record formats. For Windows NT, the event records include features of processes that access the file system of a Windows NT machine. See id. at ( The security log consists of events that are defined as security-relevant. These events were derived from the TCSEC C2 definitions of auditable events. They include valid and invalid logins and logoffs, and events related to system resource use, especially those having to do with the creation, deletion, and alteration of system files and other objects. ). Below is a diagram of the types of file system accesses that may be monitored through the use of Windows audit logs: 22

32 Id. at 77. Additionally, temporarily storing this information, in a log for example, is one of two methods the 306 patent discusses for gathering features from records. For example, the 306 patent states, [w]hen registry auditing module 12 is used as the data source for model generation, its output is sent to a database 18 (as indicated by arrow 24) where it is stored and later used by the model generator 16 described herein. Ex at 13: As demonstrated above references, Bace anticipates gathering features of normal processes that access the file system. 3. Claim 1: (b) generating a probabilistic model of normal computer system usage based on occurrences of the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and Bace anticipates generating a probabilistic model of normal computer system 23

33 usage based on occurrences of the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes. As discussed above, the BRC of probabilistic model of normal computer usage is a model of typical attack-free computer system usage that employs probability. Probability is the likelihood that an event will occur or a condition will be present. Additionally, the BRC of normal computer system usage is [t]ypical, attack-free computer system usage. Each of the portions of this claim limitation are discussed in detail below. Bace describes building models of system behavior by gathering information related to normal system operation: For anomaly detection, event information is collected from the live system itself or from a system designated as similar. This information is needed to build baseline profiles indicating normal user behavior. Ex at 106; Ex at 82, pp Bace further explains, Anomaly detection involves a process of establishing profiles of normal user behaviors, comparing actual user behavior to those profiles, and flagging deviations from the normal. Ex at 121. Bace indicates that normal behavior is behavior that does not indicate an intrusion or other suspicious activity. Id. at This normal behavior meets the BRC of normal computer usage, normal, attack-free computer system usage.... Moreover, Bace discloses that the models of user behavior are probablistic. Bace describes developing models and classifications using statistical profiles of user behavior. In anomaly detection, the classification model usually consists of statis- 24

34 tical profiles of user behavior over time. These profiles can also be used to characterize the behavior of system processes, an important consideration given the widespread use of automated attack scripts. Id. at 108. The reference to the use of statistical profiles indicates that the models will determine how likely an event is to fit the profile of normal operation. Ex at 48-49, 114; pp In fact, Bace discloses several anomaly detection analysis methods that rely on probabilistic models. The following example in Bace is a summary of a method proposed by Dorothy Denning in her paper, An Intrusion Detection Model (see Ex. 1021): Mean and Standard Deviation Model... Denning s second detection model proposes a classic mean and standard deviation characterization of data. The assumption is that all the analyzer knows about system behavior metrics are the mean and standard deviations as determined from the first two moments. A new behavior observation is defined to be abnormal if it falls outside a confidence interval. This confidence interval is defined as d standard deviations from the mean for some parameter d. Ex at Notably, this mean and standard deviation model meets the limitation, determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes. Additionally, the Denning method summarized here in Bace also uses Chebyshev s inequality to compute the probability that something is significantly deviating from its mean. Id. at 4. One of ordinary skill in the art would understand Bace s summary of Denning to meet 25

35 the determining the likelihood... portion of this claim. Ex at 48. A second Bace method describes using a state transition matrix for the same determination: Under this model, the detector considers each different type of audit event as a state variable and uses a state transition matrix to characterize the transition frequencies between states (not the frequencies of the individual states/audit records). A new observation is defined as anomalous if its probability, as determined by the previous state and value in the state transition matrix, is too low. Exhibit 1007 at 122. The reference to observation is defined as anomalous if its probability... is too low in the above citation demonstrates that the transition matrix determines the likelihood of observing an event that was not observed during normal operation because an anomalous event would not have been observed during normal operation. Ex at pp As demonstrated by the above citations Bace discloses generating a probabilistic model based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes. Therefore, Bace anticipates this limitation. 4. Claim 1: (c) analyzing features from a record of a process that accesses the file system to detect deviations from normal computer system usage to determine whether the access to the file system is an anomaly. Bace anticipates analyzing features from a record of a process that accesses 26

36 the file system to detect deviations from normal computer system usage to determine whether the access to the file system is an anomaly. As discussed above, the BRC of anomaly is deviation from a model of typical, attack-free computer system usage, and normal computer system usage is typical, attack-free computer system usage. Bace describes performing the analysis claimed in this limitation on the audit records described above in connection with claim limitation 1(b). Ex at ; Ex at pp The first step of performing analysis is taking an event record generated by one of the information sources. Ex at 109. Bace further describes that after obtaining the event record, the contents of the user profile for the session is compared to the historical profile for that user. Id. Then, a judgment is made as to whether the user behavior is close enough to the historical profile to be considered normal and therefore not indicative of an attack. Id. As described above, the audit records contain information regarding file system accesses. As demonstrated by these exemplary quotations from Bace, Bace discloses the claim limitation. 5. Claim 2: The method according to claim 1, wherein the step of gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a name of a process accessing the file system of the computer. Dependent claim 2 requires that the feature recited in step (a) be a feature corresponding to a name of a process accessing the file system of the computer. This is because all the language preceding that phrase, The method according to claim 1, wherein gathering features from records of normal processes that access the file sys- 27

37 tem of the computer comprises..., is repeated from claim 1, step (a) to provide context for the rest of the claim. Bace anticipates this claim because it discloses a feature corresponding to a name of a process accessing the file system of the computer for the reasons discussed below. Bace discloses using Windows audit logs as input data for anomaly detection. Ex at 74-77; Ex at pp Specifically, Fig. 3.3 shows the structure of the logs as including various elements that describe the event being recorded: Ex at 75. The Source records the name of the process accessing the file system: Source The software responsible for generating the event record. The source can be an application, a system service, or a device driver. Id. at 76. One of ordinary skill in the art would understand an application, system service or device driver to all be processes. Ex at 34; pp Thus, the Source field of the event records provides the name of the process accessing the file system as required by claim 2. Therefore, Bace anticipates this claim. 28

38 6. Claim 3: The method according to claim 1, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a type of query being sent to the file system of the computer. Claim 3 requires gathering a feature corresponding to a type of query being sent to the file system of the computer because the other language in this claim only provides context and is repeated from claim 1. See Section VII.B.2. Bace discloses gathering a feature corresponding to a type of query being sent to the file system of the computer. For example, Bace explains, The security log consists of events that are defined as security-relevant. These events were derived from the TCSEC C2 definitions of auditable events. They include valid and invalid logins and logoffs, and events related to system resource use, especially those having to do with the creation, deletion, and alteration of system files and other objects. Ex at Bace also describes the event records as including a description field that would describe the type of event being recorded. Each event record is divided into three functional parts: a header, a description of the event, and an optional additional data field. Id. at 75; see also Fig. 3.4 at 75. The event record also includes a category field that records the triggering event type.... Ex at 76. Thus, the audit records analyzed by Bace correspond to a type of query being sent to the file system. Bace anticipates this claim. 29

39 7. Claim 4: The method according to claim 3, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to an outcome of a query being sent to the file system of the computer. Dependent claim 4 requires that the feature recited in claim 3 be a feature corresponding to an outcome of a query being sent to the file system of the computer. This is because all the language preceding that phrase, The method according to claim 3, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering... is repeated from claim 3 or step (a) of claim 1 to provide context for the rest of the claim. Analysis related to how the method of claims 1 and 3 is anticipated by Bace is discussed above. See Sections VII.B.1-VII.B.5. Bace also anticipates this claim. Bace discloses event records that contain a Type field. Ex at 75. The Type field records whether the event was a success or failure. [T]he types can be success audit or failure audit. Id. at 76. Therefore, Bace anticipates claim Claim 7: The method according to claim 1, wherein generating a probabilistic model of normal computer system usage comprises determining a likelihood of observing a feature in the records of processes that access the file system of the computer. Claim 7 requires determining a likelihood of observing a feature in the records of processes that access the file system.... because the other language preceding this phrase is copied from claim 1 for context and is discussed above in Section VII.B.3. Bace anticipates claim 7. Bace surveys several models that have been used to model normal computer 30

40 usage in anomaly detection systems. These models determine the likelihood that an event that was not observed during normal operation. Bace describes one such model: The assumption is that all the analyzer knows about system behavior metrics are the mean and standard deviations as determined from the first two moments. A new behavior observation is defined to be abnormal if it falls outside a confidence interval. This confidence interval is defined as d standard deviations from the mean for some parameter d. Ex at The confidence interval determines the likelihood that an event was not observed during normal operation. Ex at 46-47, 112. For example, the smaller the confidence interval d, the more likely a given behavior will fall outside of observed normal operations. Ex at A second operational model describes using a state transition matrix for the same determination: Under this model, the detector considers each different type of audit event as a state variable and uses a state transition matrix to characterize the transition frequencies between states (not the frequencies of the individual states/audit records). A new observation is defined as anomalous if its probability, as determined by the previous state and value in the state transition matrix, is too low. Id. at 122. The reference to observation is defined as anomalous if its probability... 31

41 is too low in the above citation demonstrates that the transition matrix determines the likelihood of observing an event that was not observed during normal operation because an anomalous event would not have been observed during normal operation. As demonstrated by the above citations Bace discloses generating a probabilistic model based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes. 9. Claim 8: The method according to claim 7, wherein determining a likelihood of observing a feature comprises determining a conditional probability of observing a first feature in the records of processes that access the file system of the computer given an occurrence of a second feature is the records. Claim 8 requires determining a conditional probability of observing a first feature in the records of processes that access the file system of the computer given an occurrence of a second feature is the records because the other language that precedes this phrase is repeated from claim 7 for context, and is discussed above in Section VII.B.8. Bace anticipates claim 8. Bace describes the use of conditional probabilities. Bace describes models used with anomaly detection, many of which discuss conditional probability scenarios. For example, Bace describes a multivariate model where instead of basing detection of an anomaly strictly on one measure, you might base it on correlation of that measure with another measure. Ex at 122. This correlation of one measure with another is determining the likelihood of an occurrence of a feature given a second feature, as required by this claim. Another such example from Bace involves the TIM 32

42 intrusion detection system: TIM observes historical event record sequence, characterizing the probability of particular sequences of events occurring. TIM focuses on sequences of events, checking to see whether a chain of events corresponds to what would be expected based on its observation of historical event sequences. For example, suppose events E1, E2, and E3 are listed sequentially in an audit trail. TIM characterizes the probability of the occurrence of E1 followed by E2 followed by E3, based on the history of sequences it has observed in the past. Ex at 129. As seen above, the TIM system calculates the probability of E2 given E1, which meets the requirement of claim 1. Therefore, Bace anticipates claim Claim 9: The method according to claim 1, wherein analyzing a record of a process that accesses the file system of the computer comprises, for each feature, performing a check to determine if a value of the feature has been previously observed for the feature. Claim 9 requires for each feature, performing a check to determine if a value of the feature has been previously observed for the feature because the language preceding the phrase is copied from claim 1 and is supplied for context. Section VII.B.4 shows how that language is anticipated by the Bace reference. Bace expressly discloses this limitation. As Bace explains, [t]he next step of the process depends on the results of this comparison and on the analysis scheme in question. If the record indicates an intru- 33

43 sion, it may be logged. If the record does not indicate an intrusion, the analyzer simply accepts the next event record and repeats the formatting and comparison. Ex at 110. As described earlier, anomaly detection builds profiles of normal computer behavior. See id. at 106; Ex at 1; Ex 1003 at 82, pp When the analyzer described in Base sees a record that does not indicate an intrusion, it is a record that matches a record that the analyzer has already observed. As a result, Bace discloses performing a check to determine if a value of the feature has been previously observed. Therefore, Bace anticipates claim 9. C. Ground 2: Bace in combination with Shavlik and Russinovich render claims 2-4 and obvious. 1. Reasons to Combine Shavlik with Bace and Russinovich As discussed above, the Shavlik paper is prior art pursuant to 35 U.S.C. 102 (a). The Bace and Russinovich are prior art pursuant to 35 U.S.C. 102 (a) and (b). One of ordinary skill in the art would naturally combine these three references for the following reasons. Bace and Shavlik both describe systems and methods for identifying malicious computer activity on computers running the Windows operating system. For example, the Shavlik paper begins, [w]e report on a new, on-going intrusion detection project.... Ex. 1006, Abst.; id. at 1 ( Building on our expertise in Windows 2000 computer security and machine learning, we have written and are currently extending a prototype anomaly detection system that creates statistical profiles of the normal usage for a given computer running Windows ). Its title, Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users, indicates that it operates on computers running Windows 2000, which is a variant of 34

44 Windows NT. Ex at 33. Similarly, the Bace textbook, entitled Intrusion Detection describes various techniques for detecting intrusions in computer systems, and in fact contains a detailed description of Windows NT. Ex at 25 ( Intrusion Detection is monitoring events occurring in a computer system or network, analyzing them for signs of security problems. ); id. at 74 ( Operating System Example 2: Windows NT ). Both Bace and Shavlik discuss using records of activities occurring in the Windows registry. Shavlik expressly teaches monitoring the Windows registry as an information source for anomaly detection. Ex at 3. ( Some of the Windows 2000 Properties We Measure... Event Log Monitoring is done on key NT Registry locations... invalid accesses to key files and to registry entries are monitored. ). Bace discusses using event and security logs in Windows NT as an information source; these logs would record accesses to the Windows registry. Ex at 74, 76; Ex at 33-34, One of ordinary skill in the art would also combine Shavlik and Bace because both Shavlik and Bace describe using anomaly detection. Bace is a textbook that teaches the larger field of Intrusion Detection, and specifically includes anomaly detection. E.g., Ex at Anomaly detection involves a process of establishing profiles of normal user behaviors, comparing actual user behavior to those profiles and flagging deviations from the normal. Id. at 121. Bace describes the same anomaly detection methods as discussed in Shavlik, but in greater detail. For example, like Bace, Shavlik discusses building a model of normal computer usage and 35

45 comparing actual usage against that model to detect abnormal activities: a prototype anomaly detection system that creates statistical profiles of normal usage for a given computer running Windows Significant deviations from normal behavior indicate that an intrusion is likely occurring. Ex at 1. One of ordinary skill in the art reading the references in Shavlik to anomaly detection would naturally look to the Bace textbook for additional information on that subject. Ex at Both Shavlik and Bace were known to those of ordinary skill in the art prior to the priority date of the 306 patent, and one of ordinary skill in the art would have naturally combined the teachings of those references to achieve the predictable result of using anomaly detection techniques with Shavlik s event monitoring system. Additionally, the Russinovich textbook is used to show what one of ordinary skill in the art would have known regarding various Windows registry components. The Russinovich textbook is entitled Inside Windows One of ordinary skill in the art would have looked to this book to understand more details regarding the references to the Windows operating system in Shavlik and Bace. Additionally, the Russinovich book discusses Regmon, a prior art tool that monitors and displays registry accesses by all applications as they occur. Ex at 55. One of skill in the art reading Shavlik s reference to registry monitoring would naturally look to the Russinovich book for further teachings regarding monitoring the Windows registry. Additionally, both Shavlik and Russinovich are specifically discussing these techniques in connection with the Windows 2000 operating system environment. One of skill in the art would have been aware of both Shavlik and Russinovich and would have 36

46 combined Russinovich s description of registry monitoring with Shavlik s teaching that anomaly detection may be used advantageously with registry monitoring. 2. Claim 2: The method according to claim 1, wherein the step of gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a name of a process accessing the file system of the computer. Dependent claim 2 requires that the feature recited in step (a) be a feature corresponding to a name of a process accessing the file system of the computer. This is because all the language preceding that phrase, The method according to claim 1, wherein gathering features from records of normal processes that access the file system of the computer comprises..., is repeated from step (a) of claim 1 to provide context for the rest of the claim. The 306 patent expressly describes the Windows system registry as part of the file system: This invention relates to systems and methods for detecting anomalies in a computer system, and more particularly to the use of probabilistic and statistical models to model the behavior of processes which access the file system of the computer, such as the Windows TM registry. Ex at 1:45-49; also 4:56-62 ( A novel intrusion detection system 10 is disclosed herein and illustrated in FIG. 1. System 10 monitors a program's access of the file system of the computer, e.g., Microsoft TM Windows TM registry (hereinafter referred to as the Windows TM registry or the registry ) and determines whether the program is malicious. ). Bace suggests using records of Windows registry events as information for building the historical profile of normal usage. For example, Bace describes Windows NT event logs as a source of information for building profiles. Ex at 74. These 37

47 event logs would contain information regarding registry activity. Ex at 33-34, , pp Although Bace does not expressly disclose records of registry activity as an information source, one of ordinary skill in the art would understand that these references to the various Windows logs would include registry information. Ex at 109. Shavlik also discloses monitoring of the Windows system registry, which includes names of normal processes accessing the computer. For example, Shavlik describes, Some of the Windows 2000 Properties We Measure... Event Log Monitoring is done on key NT Registry locations, key system files... accesses to key files and to registry entries is monitored. Ex at 3; Ex 1003 at pp Additionally, common registry monitors at the time, such as Regmon that is expressly described in the 306 patent as prior art and substantially identical to the registry monitor described in the 306 patent (Ex at 13:36-41), were known to provide the names of normal processes accessing the registry. For example, Russinovich shows a Regmon window that includes the name of the process accessing the registry, shown below in the Process column. 38

48 Ex at 55. As Russinovich explains, [f]or each registry access, Regmon shows you the process that performed the access, and the time, type and result of the access. Id. Thus, Russinovich discloses a feature corresponding to a name of normal processes accessing the file system of the computer. One of ordinary skill in the art would combine Bace, Shavlik and Russinovich for the reasons described above in section VII.C.1. Therefore, Bace, Shavlik and Russinovich render this claim obvious. 3. Claim 3: The method according to claim 1, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to a type of query being sent to the file system of the computer. Claim 3 requires gathering a feature corresponding to a type of query being sent to the file system of the computer because the other language in this claim only 39

49 provides context and is repeated from claim 1. See Section VII.B.2. As discussed above, the 306 patent expressly describes the Windows system registry as part of the file system: This invention relates to systems and methods for detecting anomalies in a computer system, and more particularly to the use of probabilistic and statistical models to model the behavior of processes which access the file system of the computer, such as the Windows TM registry. Ex at 1:45-49; see also id. at 4:56-62 ( A novel intrusion detection system 10 is disclosed herein and illustrated in FIG. 1. System 10 monitors a program's access of the file system of the computer, e.g., Microsoft TM Windows TM registry (hereinafter referred to as the Windows TM registry or the registry ) and determines whether the program is malicious. ). Bace suggests using records of Windows registry events as information for building the historical profile of normal usage. For example, Bace describes Windows NT event logs as a source of information for building profiles. Ex at 74. These event logs would contain information regarding registry activity. Ex at 33-34, Although Bace does not expressly disclose records of registry activity as an information source, one of ordinary skill in the art would understand that these references to the various Windows logs would include registry information. Ex at 109. Shavlik also discloses monitoring of the Windows system registry, which includes the type of query sent to the file system of the computer. For example, Shavlik describes, Some of the Windows 2000 Properties We Measure... Event Log Monitoring is done on key NT Registry locations, key system files... accesses to key files 40

50 and to registry entries is monitored. Ex at 3; Ex 1003 at pp Additionally, common registry monitors at the time, such as Regmon that is expressly described in the 306 patent as prior art and substantially identical to the registry monitor described in the 306 patent (Ex at 13:36-41), were known to provide the types of access to the registry. For example, Russinovich shows a Regmon window that includes the type of query sent to the registry, shown below in the Request column. Ex at 55. As Russinovich explains, [f]or each registry access, Regmon shows you the process that performed the access, and the time, type and result of the access. Id. Thus, Russinovich discloses a feature corresponding to the type of query sent to the file system of the computer. One of ordinary skill in the art would com- 41

51 bine Bace, Shavlik and Russinovich for the reasons described above in section VII.C.1. Therefore, Bace, Shavlik and Russinovich render this claim obvious. 4. Claim 4: The method according to claim 3, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering a feature corresponding to an outcome of a query being sent to the file system of the computer. Dependent claim 4 requires that the feature recited in claim 3 be a feature corresponding to an outcome of a query being sent to the file system of the computer. This is because all the language preceding that phrase, The method according to claim 3, wherein gathering features from records of normal processes that access the file system of the computer comprises gathering... is repeated from claim 4 or step (a) of claim 1 to provide context for the rest of the claim. As discussed above, the 306 patent expressly describes the Windows system registry as part of the file system: This invention relates to systems and methods for detecting anomalies in a computer system, and more particularly to the use of probabilistic and statistical models to model the behavior of processes which access the file system of the computer, such as the Windows TM registry. Ex at 1:45-49; see also id. at 4:56-62 ( A novel intrusion detection system 10 is disclosed herein and illustrated in FIG. 1. System 10 monitors a program's access of the file system of the computer, e.g., Microsoft TM Windows TM registry (hereinafter referred to as the Windows TM registry or the registry ) and determines whether the program is malicious. ). Bace suggests using records of Windows registry events as information for building the historical profile of normal usage. For example, Bace describes Windows 42

52 NT event logs as a source of information for building profiles. Ex at 74. These event logs would contain information regarding registry activity. Ex at 33-34, , pp Although Bace does not expressly disclose records of registry activity as an information source, one of ordinary skill in the art would understand that these references to the various Windows logs would include registry information. Ex at 109. Shavlik also discloses monitoring of the Windows system registry, which includes the outcome of a query sent to the file system of the computer. For example, Shavlik describes, Some of the Windows 2000 Properties We Measure... Event Log Monitoring is done on key NT Registry locations, key system files... accesses to key files and to registry entries is monitored. Ex at 3; Ex 1003 at pp Additionally, common registry monitors at the time, such as Regmon that is expressly described in the 306 patent as prior art and substantially identical to the registry monitor described in the 306 patent (Ex at 13:36-41), were known to provide the outcome of a query sent to the registry. For example, Russinovich shows a Regmon window that includes the outcome of a query sent to the registry, shown below in the Result column. 43

53 Ex at 55. As Russinovich explains, [f]or each registry access, Regmon shows you the process that performed the access, and the time, type and result of the access. Id. Thus, Russinovich discloses a feature corresponding to the outcome of a query sent to the file system of the computer. One of ordinary skill in the art would combine Bace, Shavlik and Russinovich for the reasons described above in section VII.C.1. Therefore, Bace, Shavlik and Russinovich render this claim obvious. 5. Claim 10: The method according to claim 9, further comprising, if the value of the feature has not been observed, computing a score based on a probability of observing the value of the feature. Shavlik discloses the additional limitations of claim 10. Shavlik describes obtaining a composite score the represents the likelihood of an intrusion: we aim to 44