IN THE UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD SYMANTEC CORPORATION, - vs. -


IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

SYMANTEC CORPORATION, Petitioner
- vs. -
THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK, Patent Owner

Patent No. 7,448,084
Filed: Jan. 27, 2003
Issued: Nov. 4, 2008
Inventors: Frank Apap, Andrew Honig, Hershkop Shlomo, Eleazar Eskin, and Salvatore J. Stolfo
Title: SYSTEM AND METHODS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM BY MONITORING OPERATING SYSTEM REGISTRY ACCESSES

Inter Partes Review No.

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 7,448,084 UNDER 35 U.S.C. 311-319 AND 37 C.F.R. 42.1-.80, 42.100-.123

December 5, 2014

Mail Stop Patent Board
Patent Trial and Appeal Board
P.O. Box 1450
Alexandria, VA 22313-1450

TABLE OF CONTENTS

I. INTRODUCTION ... 1
II. MANDATORY NOTICES (37 C.F.R. 42.8(A)(1)) ... 1
    A. Real Party-In-Interest (37 C.F.R. 42.8(b)(1)) ... 1
    B. Notice of Related Matters (37 C.F.R. 42.8(b)(2)) ... 1
    C. Designation of Lead and Backup Counsel (37 C.F.R. 42.8(b)(3)) ... 1
    D. Service of Information (37 C.F.R. 42.8(b)(4)) ... 2
III. GROUNDS FOR STANDING (37 C.F.R. 42.104(A)) ... 2
IV. IDENTIFICATION OF CHALLENGE (37 C.F.R. 42.104(B)) ... 2
    A. Effective Filing Date of the '084 patent ... 2
    B. There Is a Reasonable Likelihood That at Least One Claim of the '084 Patent Is Unpatentable under 35 U.S.C. 103 ... 2
V. THE '084 PATENT ... 6
    A. Overview of the Disclosure of the '084 Patent ... 6
    B. The '084 Patent Prosecution History ... 8
VI. CONSTRUCTION OF THE CHALLENGED CLAIMS (37 C.F.R. 42.104(B)(3)) ... 15
VII. THE CHALLENGED CLAIMS ARE UNPATENTABLE ... 18
    A. Registry Monitoring and Anomaly Detection Were Well Known in the Art Prior to the '084 Patent ... 18
    B. Ground 1: Bace in combination with Russinovich renders claims 1 and 3-13 obvious ... 24
        1. Reasons to Combine Bace with Russinovich ... 24

Patent No. 7,487,544 TABLE OF CONTENTS (Continued)

        2. Claim 1: A method for detecting intrusions in the operation of a computer system comprising: ... 25
        3. Claim 1: (a) gathering features from records of normal processes that access the operating system registry ... 26
        4. Claim 1: (b) generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes ... 28
        5. Claim 1: (c) analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly ... 31
        6. Claim 3: The method according to claim 1 wherein gathering features from records of normal processes that access the operating system comprises gathering a feature corresponding to a name of a process accessing the operating system registry ... 32
        7. Claim 4: The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to a type of query being sent to the operating system registry ... 34
        8. Claim 5: The method according to claim 4, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to an outcome of a query being sent to the operating system registry ... 34
        9. Claim 6: The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to a name of a key being accessed in the operating system registry ... 35
        10. Claim 7: The method according to claim 6, wherein gathering features from records of normal processes that access the operating system registry comprise gathering a feature corresponding to a value of the key being accessed ... 37
        11. Claim 8: The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering two features selected from the group of features consisting of a name of a process accessing the operating system registry, a type of query being sent to the operating system registry, an outcome of a query being sent to the operating system registry, a name of a key being accessed in the operating system registry, and a value of the key being accessed ... 37
        12. Claim 9: The method according to claim 1, wherein generating a probabilistic model of normal computer system usage comprises determining a likelihood of observing a feature in the records of processes that access the operating system registry ... 39
        13. Claim 10: The method according to claim 9, wherein determining a likelihood of observing a feature comprises determining a conditional probability of observing a first feature in the records of processes that access the operating system registry given an occurrence of a second feature in the records ... 41
        14. Claim 11: The method according to claim 1, wherein analyzing a record of a process that accesses the operating system registry comprises, for each feature, performing a check to determine if a value of the feature has been previously observed for the feature ... 42
        15. Claim 12: The method according to claim 11, further comprising, if the value of the feature has not been observed, computing a score based on a probability of observing the value of the feature ... 43
        16. Claim 13: The method according to claim 12, further comprising, if the score is greater than a predetermined threshold, labeling the access to the operating system registry as anomalous and labeling the process that accessed the operating system registry as malicious ... 44
    C. Ground 2: Bace in Combination with Shavlik and Russinovich Renders Claims 1 and 3-13 Obvious ... 45
        1. Reasons to Combine Bace with Russinovich and Shavlik ... 45
        2. Claim 1: A method for detecting intrusions in the operation of a computer system comprising: ... 47
        3. Claim 1: (a) gathering features from records of normal processes that access the operating system registry ... 47
        4. Claim 1: (b) generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes ... 48
        5. Claim 1: (c) analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly ... 50
        6. Claim 3: The method according to claim 1 wherein gathering features from records of normal processes that access the operating system comprises gathering a feature corresponding to a name of a process accessing the operating system registry ... 51
        7. Claim 4: The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to a type of query being sent to the operating system registry ... 51
        8. Claim 5: The method according to claim 4, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to an outcome of a query being sent to the operating system registry ... 52
        9. Claim 6: The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering a feature corresponding to a name of a key being accessed in the operating system registry ... 53
        10. Claim 7: The method according to claim 6, wherein gathering features from records of normal processes that access the operating system registry comprise gathering a feature corresponding to a value of the key being accessed ... 53
        11. Claim 8: The method according to claim 1, wherein gathering features from records of normal processes that access the operating system registry comprises gathering two features selected from the group of features consisting of a name of a process accessing the operating system registry, a type of query being sent to the operating system registry, an outcome of a query being sent to the operating system registry, a name of a key being accessed in the operating system registry, and a value of the key being accessed ... 54
        12. Claim 9: The method according to claim 1, wherein generating a probabilistic model of normal computer system usage comprises determining a likelihood of observing a feature in the records of processes that access the operating system registry ... 55
        13. Claim 10: The method according to claim 9, wherein determining a likelihood of observing a feature comprises determining a conditional probability of observing a first feature in the records of processes that access the operating system registry given an occurrence of a second feature in the records ... 55
        14. Claim 11: The method according to claim 1, wherein analyzing a record of a process that accesses the operating system registry comprises, for each feature, performing a check to determine if a value of the feature has been previously observed for the feature ... 56
        15. Claim 12: The method according to claim 11, further comprising, if the value of the feature has not been observed, computing a score based on a probability of observing the value of the feature ... 57
        16. Claim 13: The method according to claim 12, further comprising, if the score is greater than a predetermined threshold, labeling the access to the operating system registry as anomalous and labeling the process that accessed the operating system registry as malicious ... 58
VIII. CONCLUSION ... 59

EXHIBIT LIST (37 C.F.R. 42.63(e))

Exhibit  Description
1001  U.S. Patent No. 7,448,084 to Apap et al.
1002  File History of U.S. Patent No. 7,448,084
1003  Declaration of Michael T. Goodrich, Ph.D.
1004  Curriculum vitae of Michael T. Goodrich, Ph.D.
1005  The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, Oct. 7, 2014 Claim Construction Order (Dkt. No. 123)
1006  Jude Shavlik et al., Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users (RAID 2001)
1007  Rebecca G. Bace, INTRUSION DETECTION (MacMillian Technical Publishing, 2000)
1008  Mark Russinovich and David Solomon, INSIDE MICROSOFT WINDOWS 2000, 3rd Ed. (Microsoft Press, 2000)
1009  Mark Russinovich and Bryce Cogswell, Examining the Windows 95 Registry, Windows Developer's Journal, Vol. 7, No. 10 (October 1996)
1010  M. Debbabi et al., Monitoring of Malicious Activity in Software Systems, 1st Symposium on Requirements Engineering for Information Security (SREIS, March 2001)
1011  Johnathon Korba, Windows NT Attacks for the Evaluation of Intrusion Detection Systems (M.I.T. 2000)
1012  Terran Lane and Carla E. Brodley, Temporal Sequence Learning and Data Reduction for Anomaly Detection, ACM Transactions on Information and System Security, Vol. 2, No. 3 (August 1999)

TABLE OF AUTHORITIES (Continued)

Exhibit  Description
1013  RAID 2001 Program, Oct. 10, 2001, located at: https://web.archive.org/web/20011121095823/http://www.raidsymposium.org/raid2001/program.html
1014  James D. Murray, Windows NT Event Logging (O'Reilly & Associates, 1998)
1015  The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, October 23, 2014 Memorandum Order Clarifying Claim Construction (Dkt. No. 146)
1016  Anup K. Ghosh et al., Learning Program Behavior Profiles for Intrusion Detection, USENIX Proceedings of the Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, USA (April 1999)
1017  Aaron Schwartzbard and Anup K. Ghosh, A Study in the Feasibility of Performing Host-based Anomaly Detection on Windows NT, Proceedings of the Second International Workshop on Recent Advances in Intrusion Detection, West Lafayette, Indiana, USA (September 1999)
1018  U.S. Patent Application Publication No. 2003/0084328 by Richard P. Tarquini et al.
1019  U.S. Patent No. 6,973,577 by Victor Kouznetsov
1020  Call For Papers RAID 2001, Oct. 10-12, 2001, located at: https://web.archive.org/web/20010405202911/http://www.raidsymposium.org/raid2001/cfp_raid2001.html
1021  Dorothy E. Denning, An Intrusion Detection Model, IEEE Transactions on Software Engineering, Vol. 13, No. 2 (February 1987)
1022  U.S. Patent Application Publication No. 10/352,342, by Andrew Honig (excerpts)
1023  Microsoft Computer Dictionary, 4th Ed. (Microsoft Press, 1999) (excerpts)
1024  Matthew V. Mahoney and Philip K. Chan, Detecting Novel Attacks by Identifying Anomalous Network Packet Headers, Technical Report CS-2001-2, Florida Institute of Technology (2001)

I. INTRODUCTION

In accordance with 35 U.S.C. 311-319 and 37 C.F.R. 42.1-.80 & 42.100-.123, inter partes review is respectfully requested for claims 1 and 3-14 of United States Patent No. 7,448,084 to Apap et al., titled "System and Methods for Detecting Intrusions in a Computer System by Monitoring Operating System Registry Accesses" (the "'084 patent"), owned by The Trustees of Columbia University in the City of New York ("Columbia"). (EXHIBIT 1001 ("Ex. 1001").) This petition demonstrates that there is a reasonable likelihood that the petitioners will prevail on at least one of the claims challenged in the petition based on prior art references that the United States Patent and Trademark Office ("USPTO") did not have before it during prosecution. Claims 1 and 3-13 of the '084 patent (the "challenged claims") should therefore be canceled as unpatentable.

II. MANDATORY NOTICES (37 C.F.R. 42.8(A)(1))

A. Real Party-In-Interest (37 C.F.R. 42.8(b)(1))

The real party-in-interest for this petition is Symantec Corporation ("Petitioner" or "Symantec").

B. Notice of Related Matters (37 C.F.R. 42.8(b)(2))

The '084 patent is presently the subject of the following patent infringement lawsuit brought by Columbia in the Eastern District of Virginia, Richmond Division: Civil Action No. 3:13-cv-808 against Symantec.

C. Designation of Lead and Backup Counsel (37 C.F.R. 42.8(b)(3))

Petitioner provides the following designation of counsel:

David D. Schumann (Reg. No. 53,569)
FENWICK & WEST LLP
Postal and Hand Delivery Address: 555 California Street, 12th Floor, San Francisco, CA 94104
Tel: (415) 875-2300
Fax: (415) 281-1350
Email: dschumann@fenwick.com

Brian M. Hoffman (Reg. No. 39,713)
FENWICK & WEST LLP
Postal and Hand Delivery Address: 555 California Street, 12th Floor, San Francisco, CA 94104
Tel: (415) 875-2300
Fax: (415) 281-1350
Email: bhoffman@fenwick.com

D. Service of Information (37 C.F.R. 42.8(b)(4))

Service of any documents via hand-delivery may be made at the postal mailing addresses of the respective lead and back-up counsel designated above, with courtesy copies to the email addresses dschumann@fenwick.com and bhoffman@fenwick.com. Petitioner consents to electronic service.

III. GROUNDS FOR STANDING (37 C.F.R. 42.104(A))

Petitioner certifies pursuant to Rule 42.104(a) that the '084 patent is available for inter partes review and that Petitioner is not barred or estopped from requesting an inter partes review challenging the validity of the above-referenced claims of the '084 patent on the grounds identified in the petition.

IV. IDENTIFICATION OF CHALLENGE (37 C.F.R. 42.104(B))

A. Effective Filing Date of the '084 patent

The '084 patent issued from U.S. Application No. 10/352,343, filed on Jan. 27, 2003. The '343 Application claims the benefit of U.S. Provisional Application No. 60/351,857, filed Jan. 25, 2002.

B. There Is a Reasonable Likelihood That at Least One Claim of the '084 Patent Is Unpatentable under 35 U.S.C. 103.

The challenged claims are directed to a method for detecting malicious intrusions in a computer system by monitoring operating system registry accesses and performing anomaly detection analysis on the observed activity. Claim 1 of the '084 patent is illustrative:

As explained in more detail in Section VII below, both registry monitoring and anomaly detection were well known in the art prior to 2002. For example, registry monitoring was the subject of the textbook by Mark Russinovich, Inside Windows 2000, published in 2000 ("Russinovich textbook"). See Ex. 1008 at 55. An October 1996 article by the same author describes the registry and a program called Regmon that monitors all accesses to the registry. See Ex. 1009 ("Russinovich paper"). Additionally, it was well known prior to 2002 that malicious software frequently accesses the operating system registry; various papers had proposed and described monitoring the system registry to detect malicious behavior prior to 2002. See Ex. 1006; Ex. 1010; Ex. 1003 at 104-106, pp. 67-79. For instance, a 2000 paper titled Windows NT Attacks for the Evaluation of Intrusion Detection Systems described using Windows operating system registry access information to create profiles of a number of known attacks. E.g., Ex. 1011 at 35, 51 (attack modifies system registry), 54-55. Thus, as of 2000, one of ordinary skill in the art knew that various attacks modified the operating system registry and could be detected by monitoring registry accesses. Ex. 1003 at 83-93.

Similarly, anomaly detection was a well-known technique for detecting intrusions at least as early as 1986. E.g., Ex. 1021. More recently, the 2000 textbook entitled Intrusion Detection by Rebecca Bace ("Bace") contains several chapters explaining anomaly detection and how to implement an anomaly detection system. Id. In fact, references published before 2002 suggest using records of registry accesses as an information source for anomaly detection systems. For example, the 1999 paper entitled Sequence Learning by Lane and Brodley dealing with anomaly detection suggests that the system it discloses could be improved by using Windows registry activity. Ex. 1012 at 34 ("Pay special attention to activity on critical files such as /etc/passwd or the Windows NT registry"). Another explicit disclosure of using anomaly detection with the Windows operating system registry appears in a 2001 paper by Jude and Mark Shavlik, and Michael Fahland, entitled Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users, attached to this petition as Exhibit 1006 ("Shavlik"). Shavlik explains that using anomaly detection results in lower false positives than other intrusion detection techniques, and describes monitoring Windows NT registry locations and corresponding accesses as an information source for anomaly detection. Ex. 1006 at 1, 3. As demonstrated above, the use of information regarding registry accesses as an information source for anomaly detection was known in the art before the priority date of the '084 patent.

Section VII below provides a limitation-by-limitation analysis for each of the challenged claims. In that section, the petition demonstrates that (1) Bace in combination with the Russinovich textbook and (2) Bace and Russinovich in combination with Shavlik render all the challenged claims obvious. Ex. 1006, 1007, 1008. As described above, Bace details various anomaly detection schemes, including those running on computers using a Windows-based operating system. Meanwhile, the Russinovich textbook discloses further details about a well-known registry monitor called RegMon, which one of ordinary skill in the art would recognize would be useful for collecting data on registry accesses to detect malicious activity on Windows-based systems. Moreover, Shavlik expressly discloses the combination of anomaly detection and registry monitoring.

The Bace textbook is prior art pursuant to 35 U.S.C. 102(a) and (b) because the Bace textbook bears a copyright date of 2000. Ex. 1007 at 5. The Russinovich textbook is prior art pursuant to 35 U.S.C. 102(a) and (b) because it bears a copyright date of 2000. Shavlik is prior art pursuant to 35 U.S.C. 102(a). Shavlik was submitted for consideration for an October 2001 conference, Recent Advances in Intrusion Detection. Ex. 1013. The deadline for submissions was March 30, 2001, and decisions by the panel were due in July 2001. Ex. 1020. The Shavlik paper was presented at the conference on October 11, 2001, and made available on the RAID website. Ex. 1013. Exhibit 1013 is the conference program website from November 21, 2001, including links to the Shavlik paper, obtained from archive.org. Ex. 1013. Thus, the Shavlik paper was available to the public at least as early as November 21, 2001.

The reasons for combination of the Bace, Russinovich and Shavlik references are discussed below in Section VII. This analysis is supported by a declaration by Dr. Michael Goodrich, and includes claim charts with further detailed analysis. See Ex. 1003. Based on this analysis, Petitioner requests cancellation of claims 1 and 3-14 as unpatentable under 35 U.S.C. 103.

V. THE '084 PATENT

A. Overview of the Disclosure of the '084 Patent

The '084 patent discloses a system and method for detecting intrusions in a computer system by identifying anomalies from normal computer system usage. Ex. 1001 at 4:55-64. Figure 1 is shown below.

Figure 1 illustrates the basic architecture of a system 10 as recited in the asserted claims. Id. Computers running the Windows operating system have an operating system registry, a hierarchical database that stores information about the computer, its users, and the programs that are installed. Id. at 5:21-36. Software programs running on those computers may access the operating system registry. Id. at 5:66-6:2. To determine whether those software programs are malicious, registry auditing module 12 will monitor accesses to the registry, such as program reads and writes to the registry. Ex. 1001 at 13:28-54. First, however, a model of normal operation is trained by observing the operation of the computer in the absence of malicious programs. Id. at 6:30-33. This model will enable system 10 to identify normal computer usage and, therefore, recognize anomalies to the normal computer usage as an intrusion or malicious behavior. Id. at 8:7-21.

The '084 patent provides two exemplary methods for creating the model. Both methods are admitted in the '084 patent as being prior art. Ex. 1001 at 13:4-11 ("an anomaly detection algorithm known in the art, which was developed to detect anomalies in packet headers"). See, e.g., Ex. 1024 (M. Mahoney and P. Chan, Detecting Novel Attacks by Identifying Anomalous Packet Headers, Technical Report CS-2001-2, Florida Institute of Technology, Melbourne, Fla., 2001). In fact, the '084 patent expressly describes Mahoney as determining the likelihood of observing an event that was not observed during training and computing a score based on a probability, as required by the claims: "During testing, we fix the model (n, r, and the list of observed values). When an anomaly occurs, we assign a field score of t/p where p = r/n is the estimated probability of observing an anomaly...." Ex. 1024 at 2; see also Ex. 1001 at 12:42-13:11. Thus, the '084 patent admits these features were not novel.

Specifically, registry auditing module 12 logs all reads and writes to the registry. Ex. 1001 at 13:52-58. The data obtained by registry auditing module 12 is transmitted, as shown by arrow 24, to data warehouse 18. There, data warehouse 18 stores all of the collected registry accesses from the training data. Id. at 65-66. This data is then transmitted, as shown by arrow 28, to model generator 14. Model generator 14 then applies an algorithm to this collected data to create a model of normal computer usage. Id. at 13:66-14:3. Model generator 14 transmits this normal usage model, via arrow 29, to anomaly detector 16, where the normal usage model is loaded. Id. at 27-30. Thereafter, anomaly detector 16 will read each record from the output data stream of registry auditing module 12 (via arrow 26). Id. Anomaly detector 16 will apply the normal usage model and algorithm against each record of registry activity received from registry auditing module 12. Ex. 1001 at 14:27-36. A score generated by the anomaly detection algorithm is compared with a user-configurable threshold to determine if the record should be considered anomalous. Id. A list of anomalous registry accesses is then stored and displayed as part of the detector. Id.

B. The '084 Patent Prosecution History

U.S. Patent Application No. 10/352,343, the application underlying the '084 patent, was filed on January 27, 2003. As filed, the '343 application had 39 claims, including independent claims 1, 14, and 25 as follows:

Ex. 1002 at 41, 43, 45.

The examiner issued a Non-Final Rejection on March 23, 2006, rejecting claims 1-39 on a number of grounds. First, the examiner rejected claims 1-13, 16, 18, 20, 22 and 25-39 as indefinite pursuant to 35 U.S.C. § 112. Other claims were rejected for lack of antecedent basis or for using the trademark/trade name WINDOWS. Second, the examiner rejected claims 1, 2, 9, 10, 14, 20-21, 25, 26-28, 36, and 37 under pre-AIA 35 U.S.C. § 102(e) as being anticipated by Chong et al., U.S. Publication No. 2003/0070003. The examiner explained that Chong, among other things, teaches that the step of generating a probabilistic model of normal computer usage comprises determining a likelihood of observing a feature in the records of processes that access the Windows registry (database). Ex. 1002 at 194 (March 23, 2006 Office Action).

The examiner also rejected claims 3-8, 15-19, 29, and 30-35 under 35 U.S.C. § 103(a) as unpatentable over Chong in view of Korba (Windows NT Attacks). Id. at 6-8. He explained that Korba is directed to a method for evaluating intrusion detection systems in a Windows environment. Korba teaches that the step of gathering features from records of normal processes that access the Windows registry comprises gathering a feature corresponding to a name of a process (explore.exe) accessing the Windows registry. Id. at 197. The examiner added that Chong's method collects all information regarding the nature, type, and objective of a computer-based event in a database. Korba collects information regarding accesses to the Windows registry (database). Id. (citations omitted); see also Ex. 1002 at 196-206 (March 23, 2006 Office Action).

The examiner further rejected claims 11-13, 22-24, and 39-39 under 35 U.S.C. § 103(a) as unpatentable over Chong in view of Eskin et al. (Adaptive Model Generation for Intrusion Detection Systems). Regarding Eskin, the examiner explained that it is directed to a method for generating an adaptive model for use in an Intrusion Detection System. Eskin teaches that the step of analyzing a record of a process that accesses the Windows registry comprises, for each feature, performing a check to determine if a value of the feature has been previously observed for the feature. Id. at 207.

The applicants filed an Amendment and Remarks on August 28, 2006. First, each of the independent claims was amended to include the language "detect deviations from normal computer system usage." Ex. 1002 at 171, 174, 176. The applicants attempted to distinguish the Chong reference by explaining that it is a supervised learning technique that is only able to estimate the likelihood of events which are observed during training, not previously unobserved events:

Ex. 1002 at 180-181 (August 28, 2006 Amendment and Remarks). This is because the dataset used to generate the models in Chong is gathered from a variety of sources and includes data representing both typical network behavior and attacks. See also id. at 181 ("Chong does not teach or suggest gathering features of normal processes that access the operating system registry."). Accordingly, the applicants distinguished Chong on the grounds that Chong's training data included attacks and therefore did not constitute a model of normal computer system usage.

With respect to obviousness, the applicants argued that there was insufficient motivation to combine Chong and Korba, and that the examiner had not provided a reasonable expectation of success for such a combination. Id. at 183.

The examiner issued a Final Rejection on November 14, 2006, rejecting all claims 1-39 and maintaining the prior grounds for rejection, except for withdrawing the rejections made pursuant to 35 U.S.C. § 112.

Applicant issued an Amendment and Response to the Final Rejection on March 12, 2007. Specifically, the applicants made an amendment to each of the independent claims, adding the limitation of "determine/[determining] the likelihood of observing an event/[process] that was not observed...":

Ex. 1002 at 122, 124-125, 127.
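The limitation added by this amendment, determining the likelihood of observing an event that was not observed during training, is what the Mahoney and Chan field score t/p (with p = r/n) quoted in Section V.A computes. The following Python sketch is an added illustration, not code from the '084 patent, the petition, or any cited reference: it trains the n, r and observed-value model on constructed attack-free registry-access records, scores each new record, and compares the score with a threshold as the '084 patent's anomaly detector 16 does. It assumes t is the time elapsed since the last anomaly seen in that field, which the quoted passage does not state.

```python
"""Added illustration of the '084 patent's detection flow (auditing module
-> model generator -> anomaly detector -> threshold) using the Mahoney and
Chan field score t/p, p = r/n.  Not code from the patent or the petition."""

FIELDS = ("process", "key", "access", "result")

# Registry key paths used by the constructed sample data.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
CLASSES_KEY = r"HKCU\Software\Classes"
CONTROL_KEY = r"HKLM\System\CurrentControlSet\Control"


def make_record(time, process, key, access, result):
    """One registry-access record, the fields a Regmon-style monitor logs."""
    return {"time": time, "process": process, "key": key,
            "access": access, "result": result}


# Constructed attack-free ("clean") training data: normal usage only.
TRAINING = [
    make_record(1, "explorer.exe", RUN_KEY, "QueryValue", "SUCCESS"),
    make_record(2, "explorer.exe", CLASSES_KEY, "OpenKey", "SUCCESS"),
    make_record(3, "winlogon.exe", CONTROL_KEY, "QueryValue", "SUCCESS"),
    make_record(4, "explorer.exe", CLASSES_KEY, "QueryValue", "NOTFOUND"),
    make_record(5, "winlogon.exe", CONTROL_KEY, "OpenKey", "SUCCESS"),
    make_record(6, "explorer.exe", RUN_KEY, "QueryValue", "SUCCESS"),
]

# Constructed test stream: a normal access, then a never-seen process
# performing a never-seen access type, then that process again shortly after.
TEST = [
    make_record(10, "explorer.exe", CLASSES_KEY, "OpenKey", "SUCCESS"),
    make_record(20, "unknown.exe", RUN_KEY, "SetValue", "SUCCESS"),
    make_record(22, "unknown.exe", CLASSES_KEY, "QueryValue", "SUCCESS"),
]


class RegistryAnomalyDetector:
    def __init__(self, threshold):
        self.threshold = threshold                    # user-configurable threshold
        self.seen = {f: set() for f in FIELDS}        # list of observed values per field
        self.n = {f: 0 for f in FIELDS}               # training observations per field
        self.last_anomaly = {f: 0 for f in FIELDS}    # time of last anomaly per field

    def train(self, records):
        """Model generator: fix n, r and the observed values from clean data."""
        if not records:
            raise ValueError("training data must not be empty")
        for rec in records:
            for f in FIELDS:
                self.seen[f].add(rec[f])
                self.n[f] += 1

    def score(self, rec):
        """Anomaly detector: sum t/p over fields whose value was never seen in
        training.  With p = r/n this is t * n / r (kept exact in integers)."""
        total = 0.0
        for f in FIELDS:
            if rec[f] in self.seen[f]:
                continue                      # consistent with the normal data
            r = len(self.seen[f])             # distinct values observed in training
            n = self.n[f]                     # observations of this field in training
            t = rec["time"] - self.last_anomaly[f]   # assumption: time since last anomaly
            total += t * n / r
            self.last_anomaly[f] = rec["time"]
        return total

    def detect(self, records):
        """Return (process, key, score, anomalous) for every record in order."""
        results = []
        for rec in records:
            s = self.score(rec)
            results.append((rec["process"], rec["key"], s, s > self.threshold))
        return results


def run_demo(threshold=10.0):
    """Train on TRAINING, score TEST; a fresh detector on every call."""
    detector = RegistryAnomalyDetector(threshold)
    detector.train(TRAINING)
    return detector.detect(TEST)


if __name__ == "__main__":
    for process, key, s, flagged in run_demo():
        label = "ANOMALY" if flagged else "normal "
        print(f"{label} score={s:6.1f} {process} {key}")
```

The third record scores far lower than the second although its process is still unseen, because t has shrunk to the short gap since the previous anomaly in that field.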

These amendments were made in response to the Chong reference, which applicants described as disclosing "the ability to predict an attack is [sic] if it conforms with attacks which were observed during model training. Chong describes using evidence from the bottom-up into the Bayesian network in order to propagate evidence and compute a posterior probability of an attack. Chong neither discloses nor suggests a technique for determining the likelihood of observing an event which was not observed during the gathering of features." Ex. 1002 at 132 (March 12, 2007 Response).

The examiner issued a Non-Final Rejection on July 24, 2007, rejecting claims 14-24 but allowing claims 1-3 and 25-39. With respect to anticipation, the examiner rejected claims 14, 20, and 21 on the basis of Chong. With respect to obviousness, the examiner rejected claims 15-19 on the basis of Chong in view of Korba, and claims 22-24 on the basis of Chong in view of Eskin.

Applicants responded to the July 24, 2007 Office Action on December 19, 2007 by re-inserting certain originally considered dependent claims. Once again, the applicants attempted to distinguish Chong on the basis that its model included previously seen data, and therefore "Chong can predict an attack is [sic] if it conforms with attacks which were observed during model training.... Since Chong relies only on observed conditions to generate a model, Chong neither discloses nor suggests a technique for determining the likelihood of observing an event which was not observed during the gathering of features, as recited in claim 1." Ex. 1002 at 75 (December 19, 2007 Response).

The examiner issued a Final Office Action on March 18, 2008. The examiner again disagreed with applicants' characterization of Chong, explaining that "Based upon the teachings of Chong et al, the use of a model representing any type of condition and state is indicative of normal processes and the applicant's arguments are moot." Ex. 1002 at 47 (March 18, 2008 Final Office Action). The examiner reiterated his previous rejections: with respect to anticipation, claims 14, 20, and 21 on the basis of Chong; with respect to obviousness, claims 15-19 on the basis of Chong in view of Korba, and claims 22-24 on the basis of Chong in view of Eskin. Claims 1-13 and 25-39 were allowed.

The applicants filed a Response to the March 18, 2008 Final Office Action on May 2, 2008, cancelling previously rejected claims 14-21. The Patent Office issued a Notice of Allowance on May 22, 2008 on the basis of claims 1-13 and 25-39. On September 23, 2008, the Patent Office issued a Supplemental Notice of Allowability with respect to claim 25. The examiner issued an amendment to the claim, adding the language "an operating system registry" as the first claim element. U.S. Patent No. 7,448,084 issued on November 4, 2008.

VI. CONSTRUCTION OF THE CHALLENGED CLAIMS (37 C.F.R. § 42.104(b)(3))

The terms in claims 1 and 3-13 are to be given their broadest reasonable construction ("BRC"), as understood by one of ordinary skill in the art and consistent with the disclosure. See 37 C.F.R. § 42.100(b); see also In re Yamamoto, 740 F.2d 1569, 1571 (Fed. Cir. 1984); In re Am. Acad. of Sci. Tech. Ctr., 367 F.3d 1359, 1363-64 (Fed. Cir. 2004).

The following constructions were adopted by the district court in The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, for the '084 patent. Ex. 1005. The district court's opinion is persuasive as to the construction of the following terms. The claim terms should be construed at least as broadly as the constructions the district court adopted, for the reasons set forth in that case. Ex. 1005. Petitioner submits these constructions may be used as the BRC of the corresponding claim terms for the purposes of this challenge.

The district court construed the term "operating system registry" to mean "a database of information about a computer's configuration, utilized by an operating system, organized hierarchically as a tree, with entries consisting of keys and values." Ex. 1005 at 1. This is consistent with the use of this term in the specification of the '084 patent. For example, the '084 patent describes the operating system registry as follows:

As is known in the art, the registry is a database of information about a computer's configuration... The registry is the main storage location for all configuration information for almost all programs... The registry also stores much of the important configuration information that are needed by programs in order to run. The registry is organized hierarchically as a tree. Each entry in the registry is called a key and has an associated value.

Ex. 1001 at 5:21-36. The '084 patent expressly describes the Windows system registry as an example of an operating system registry. Ex. 1001 at 4:55-60, 5:21-22.

The district court construed "probabilistic model of normal computer usage" to mean "model of typical attack-free computer system usage that employs probability. Probability is the likelihood that an event will occur or a condition will be present." Ex. 1005 at 2. The district court also clarified its order with regard to this claim term, stating "the model is generated with only attack-free data." Ex. 1015 at 2. This definition comports with the specification's description of generating models for use in anomaly detection. For example, the specification repeatedly states that the models must be generated using only attack-free data or "clean data":

Some attacks involve launching programs that have not been launched before and/or changing keys that have not been changed since the operating system was first installed by the manufacturer. If a model of the normal registry behavior is trained over clean data, then these kinds of registry operations will not appear in the model, and can be detected when they occur.

Ex. 1001 at 6:26-40; also 15:4-16 (referring to a "clean (attack-free) dataset"). Therefore, the district court's construction is the BRC. Ex. 1003 at 100.

The district court also construed the term "normal computer system usage" to mean "typical, attack-free usage." As discussed above in connection with "probabilistic model of normal computer usage," the district court's construction is supported by the intrinsic record and is therefore the BRC of this term.

The district court construed the term "anomaly/anomalous" to mean "deviation/deviating from a model of typical, attack-free computer system usage." Ex. 1005 at 2. The specification describes various embodiments of the invention, all of which define anomaly or anomalous as a deviation from a model of normal behavior. See, e.g., Ex. 1001 at 8:7-9 ("In order to detect anomalous registry accesses, model generator 14 of the system 10 generates a model of normal registry activity."); id. at 5:16-18 ("The model is then used by the anomaly detector 16 to decide whether each new registry access should be considered anomalous."); id. at 8:16-19 ("When detecting anomalies, the model of normal behavior is used to determine whether the values of the features of the new registry accesses are consistent with the normal data. If such values are not consistent, the algorithm labels the registry access as anomalous, and the processes that accessed the registry as malicious."). Therefore, the district court's construction is the BRC of this claim term. Ex. 1003 at 102.

The claim terms should be construed at least as broadly as the constructions the district court adopted, for the reasons set forth in that case. Ex. 1005, 1015. The claim terms not specifically construed herein are given their BRC, as understood by one of ordinary skill in the art and consistent with the disclosure. Ex. 1003 at 103.

VII. THE CHALLENGED CLAIMS ARE UNPATENTABLE

A. Registry Monitoring and Anomaly Detection Were Well Known in the Art Prior to the '084 Patent

As described above, the '084 patent uses registry monitoring techniques to achieve anomaly detection (a form of what is more broadly referred to as intrusion detection). But the combination of these two core concepts, anomaly detection and registry monitoring, was already recognized as prior art before the priority date of the '084 patent. Any additional elements recited by the challenged claims merely describe obvious examples of registry monitoring combined with anomaly detection.

Prior art described anomaly detection techniques, as well as intrusion detection more broadly, as early as the late 1980s. See, e.g., Ex. 1021. One early reference authored by Anup Ghosh et al. ("Ghosh I") describing such schemes provides that, at its most general level, "[i]ntrusion detection tools seek to detect attacks against computer systems by monitoring the behavior of users, networks, or computer systems." Ex. 1016 at 2. Intrusion detection breaks down into two typical approaches: misuse detection and anomaly detection. Misuse detection techniques model attacks on a system as specific patterns, then systematically scan the system for occurrences of these patterns. Ex. 1016 at 3. Meanwhile, anomaly detection "attempt[s] to detect intrusions by noting significant departures from normal behavior." Ex. 1016 at 3. Unlike misuse detection, which performs signature-based detection techniques, anomaly detection is able to detect novel attacks against systems, i.e., attacks that have not been seen before by our intrusion detection system. Ex. 1016 at 3.

Ghosh I identifies and compares the performance of three different algorithms for anomaly detection. The first of these is equality matching, which involves comparing an event sequence against sequences stored in a database of normal program behavior to determine whether it is malicious. See Ex. 1016 at 5-7. This technique is predicated on the ability to capture the normal behavior of a program in a database. Ex. 1016 at 6. Second, Ghosh I examines applying adaptive machine learning to generate profiles of normal behavior and comparing new event sequences against this dynamic profile of past behavior to detect anomalies. See Ex. 1016 at 8-10. Finally, Ghosh I studies the use of recurrent networks capable of maintaining state information between event sequences to predict future normal behavior, and thereby determining when an event sequence deviates from a predicted event. See Ex. 1016 at 10-12. Thus, Ghosh I identifies the three possible ways of detecting anomalous behavior: (1) comparison against a database of all possible normal behavior; (2) comparison against a profile based on past normal behavior; and (3) comparison against future, predicted normal events.

Bace, in her textbook entitled Intrusion Detection, describes the matter of anomaly detection at greater length. Bace writes that "Anomaly detection involves a process of establishing profiles of normal user behaviors, comparing actual user behavior to those profiles and flagging deviations from the normal." Ex. 1007 at 121. The analysis proceeds in four phases: (1) inputting a new event record; (2) preprocessing the event into a suitable form; (3) comparing the event record to the knowledge base (i.e., profile); and (4) generating a response. Ex. 1007 at 109-110. Depending on the analysis approach, constructing an analyzer might involve collecting event information generated by a system functioning in an operational environment, or collecting event information in a laboratory environment. Ex. 1007 at 106. For an anomaly detection scheme to function effectively, event information is collected from the live system itself or from a system designated as similar in order to build baseline profiles indicating normal user behavior. Ex. 1007 at 106. Because anomaly detection relies on comparisons against some benchmark about what constitutes normal user behavior, it depends on an assumption that users exhibit predictable, consistent patterns of system usage. Ex. 1007 at 121. Accordingly, for an analysis engine to function properly, regardless of analysis approach, it must be tailored to the environment in which it is to operate. Ex. 1007 at 105.

Early implementations of anomaly detection schemes focused on Unix-flavored platforms. Ex. 1017 at 1. As Windows NT "[became] the dominant desktop platform," id., however, anomaly detection research attempted to "leverag[e] the base object auditing facilities of the Windows NT platform," id. at 4. As detailed in a second paper by Ghosh ("Ghosh II"), critical differences exist between Unix-based and Windows-based platforms. Given these differences between the operating systems, "[b]lindly applying Unix intrusion detection techniques may not be appropriate for the Windows NT platform." Ex. 1017 at 9. Unix-based systems operate under an imperative paradigm. Ex. 1017 at 5. That means that, under Unix and similar operating systems, "[p]rograms make requests of the operating system using system calls, and the operating system either performs the requested action and returns some indicator of success, or the operating system cannot perform the requested action, and returns an error code." Ex. 1017 at 5. As Ghosh II explains, Windows NT is object oriented. Under object oriented operating systems, input and/or output operations are performed by the operating system giving an object corresponding to a specific resource to a program, and the process operates on that object. Ex. 1017 at 6. Thus, "[w]hereas monitoring system calls makes sense on Unix, it might not be optimal on Windows NT." Ex. 1017 at 9.

Recognizing the importance of tailoring anomaly detection to the Windows environment, Bace suggests using multiple Windows resources as information sources. In particular, Bace discusses drawing information from event logs in Windows NT to generate profiles of normal user behavior. Ex. 1007 at 74-76. Bace provides that the Windows NT event-logging mechanisms collect three types of system events: operating system events, security events, and application events, each of which are logged by the system. Ex. 1007 at 74. Although all events are of interest to those attempting to reconstruct system activities, the security log events are the primary focus of intrusion detection systems. Ex. 1007 at 75. The security log consists of events that are defined as security-relevant.... includ[ing] valid and invalid logins and logoffs, and events related to system resource use, especially those having to do with the creation, deletion, and alteration of system files and other objects. Ex. 1007 at 74-75. For any effective anomaly detection scheme running under a Windows operating system, these security logs and related audit logs would necessarily include a record of accesses to the Windows registry. Ex. 1003 at 32-33, 88-89, 117.

Prior art has long recognized that monitoring the registry may serve useful functions, including in the detection of malicious activity. For instance, one study demonstrates how several commonly known malicious attacks on Windows NT systems modify the registry. See Ex. 1011 at 51-62 (describing three remote-to-user attacks, including Netbus R-s-U, Netcat R-s-U, and PPMacro R-s-U, that modify keys in the registry and can be detected by analyzing accesses to the registry); see also id. at 75-78 (describing a user-to-root attack called the Yaga U-b-S, which "edits the victim's Registry so that the next time a service crash occurs on the victim machine, the attacker is added to the Domain Admins group"). Moreover, prior art roundly recognizes the utility of registry monitoring in intrusion detection. See Ex. 1018 at 32 ("The capabilities of the host-based IPS [intrusion prevention system] comprise application monitoring of: file system events; registry access...."); Ex. 1019 at 5:25-35, Fig. 5 (discussing a detection scheme that monitors "system configuration area accesses, such as Registry files").

Common registry monitors available before the priority date of the '084 patent included Regmon, which is expressly described in the '084 patent as prior art and substantially identical to the registry monitor described therein. Ex. 1001 at 13:42-52. A textbook by Mark Russinovich, Inside Windows 2000, published in 2000, illustrates the output of the Regmon registry monitor:

Ex. 1008 at 55. As Russinovich explains, "[f]or each registry access, Regmon shows you the process that performed the access, and the time, type and result of the access." Id. One of ordinary skill in the art creating an anomaly detection scheme in a Windows-based environment would understand the value of such registry monitoring and would combine it with the teachings of Bace. Ex. 1003 at 32-33.

Proposing a detection scheme better suited for Windows-based operating systems, Jude Shavlik et al., in their paper titled Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users ("Shavlik"), express the combination of registry monitoring and anomaly detection claimed by the '084 patent. Shavlik presents a prototype anomaly-detection system that creates statistical profiles of the normal usage for a given computer running Windows 2000, Ex. 1006 at 1, noting that prior work [in the field] has focused on Unix systems, whereas over 90% of the world's computers run some variant of Microsoft Windows. Ex. 1006 at 5. The Shavlik system collects information for these statistical profiles from multiple Windows-based sources: Performance Monitor (Perfmon) data; Event Log monitoring; and user and computer state information, such as typing rates, network traffic levels, programs running, and specific system APIs invoked. Ex. 1006 at 3. Shavlik's Event Log monitoring examines key NT Registry locations, key system files, login abnormalities, and suspect account changes, as well as invalid accesses to key files and to registry entries. Ex. 1006 at 3. Therefore, Shavlik demonstrates the clear motivation to combine using data obtained from monitoring the Windows operating system registry with the anomaly detection disclosed in Bace.

B. Ground 1: Bace in combination with Russinovich renders claims 1 and 3-13 obvious.

1. Reasons to Combine Bace with Russinovich

As described above, the Bace and Russinovich references are prior art pursuant to 35 U.S.C. § 102(a) and (b). One of ordinary skill in the art would naturally combine these references for the following reasons. Bace expressly discloses using various features of the Windows operating system in anomaly detection. Ex. 1007 at 74-78; Ex. 1003 at 113-117. The Russinovich textbook entitled Inside Windows 2000 is entirely devoted to describing various features of the Windows operating system. One of ordinary skill in the art needing more information regarding Bace's disclosure of various Windows features would naturally have looked to the Russinovich textbook to find additional teachings and details. One such feature is the Windows logs, which include data regarding registry accesses. The Russinovich book discusses Regmon, a prior art tool that monitors and displays registry accesses by all applications as they occur. Ex. 1008 at 55. One skilled in the art reading Bace's disclosure of an anomaly detection scheme on a computer running the Windows operating system would naturally look to the Russinovich book for further teachings regarding monitoring the Windows registry. Ex. 1003 at 137.

2. Claim 1: "A method for detecting intrusions in the operation of a computer system comprising:"

Although the Petitioner does not believe the preamble is limiting for this claim, Bace expressly discloses "[a] method for detecting intrusions in the operation of a computer system." The Bace textbook, entitled Intrusion Detection, describes various techniques for detecting intrusions in the operation of a computer system. For example, Bace describes intrusion detection as monitoring events occurring in a computer system or network, analyzing them for signs of security problems. Ex. 1007 at 25. Bace is also directed toward multiple computer systems, including computer systems running Windows NT. See id. at 53. As shown by these citations, Bace describes a method for detecting intrusions in a computer system as required by the preamble. Ex. 1003 at pp. 67-68.

3. Claim 1: "(a) gathering features from records of normal processes that access the operating system registry"

Bace, whether standing alone or in view of Russinovich, renders obvious "gathering features from records of normal processes that access the operating system registry." For example, as Bace explains:

Anomaly Detection
Anomaly detectors are populated by running them against collected reference event data (training sets), allowing the system to calculate user profiles based on this data.

Ex. 1007 at 109 (emphasis in original). Additionally, Bace describes building models of system behavior by gathering information related to normal system operation:

Anomaly Detection
In anomaly detection, the classification model usually consists of statistical profiles of user behavior over time. These profiles can also be used to characterize the behavior of system processes, an important consideration given the widespread use of automated attack scripts. These statistical profiles may be calculated with various algorithms, using schemes that make allowances for gradual change in user behavior patterns.

Ex. 1007 at 108.

The BRC of "operating system registry" is "a database of information about a computer's configuration, utilized by an operating system, organized hierarchically as a tree, with entries consisting of keys and values." The Windows system registry is an operating system registry pursuant to the BRC of that term. Ex. 1003 at 97-98; see Ex. 1008 at 47 (description of Windows registry). Bace suggests using records of