Symantec Corporation v. The Trustees of Columbia University in the City of New York
Patent Trial and Appeal Board, May 31, 2016
10352343 (P.T.A.B. May. 31, 2016)

Trials@uspto.gov
571-272-7822
Paper 57
Entered: May 31, 2016

UNITED STATES PATENT AND TRADEMARK OFFICE
_______________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
_______________
SYMANTEC CORPORATION,
Petitioner,
v.
THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK,
Patent Owner.
_______________
Case IPR2015-00372
Patent 7,448,084 B1
_______________
Before HOWARD B. BLANKENSHIP, BRYAN F. MOORE, and ROBERT J. WEINSCHENK, Administrative Patent Judges.
WEINSCHENK, Administrative Patent Judge.

FINAL WRITTEN DECISION
35 U.S.C. § 318(a) and 37 C.F.R. § 42.73

I. INTRODUCTION

Symantec Corporation (“Petitioner”) filed a Petition (Paper 2, “Pet.”) requesting an inter partes review of claims 1 and 3–13 of U.S. Patent No. 7,448,084 B1 (Ex. 1001, “the ’084 patent”). The Trustees of Columbia University in the City of New York (“Patent Owner”) filed a Preliminary Response (Paper 10, “Prelim. Resp.”) to the Petition. On June 3, 2015, we instituted an inter partes review of claims 1 and 3–10 (“the challenged claims”) of the ’084 patent on the following grounds:

Claim(s)      Statutory Basis       Applied References
1 and 3–10    35 U.S.C. § 103(a)    Rebecca G. Bace, Technology Series: Intrusion Detection (Linda R. Engelman et al. eds., 2000) (Ex. 1007, “Bace”); and Mark E. Russinovich et al., Inside Microsoft Windows 2000 (Ben Ryan et al. eds., 3d ed. 2000) (Ex. 1008, “Russinovich”)

Paper 13 (“Dec. on Inst.”), 14.

After institution, Patent Owner filed a Response (Paper 22, “PO Resp.”) to the Petition, and Petitioner filed a Reply (Paper 36, “Pet. Reply”) to the Response. An oral hearing was held on February 24, 2016, and a transcript of the hearing is included in the record. Paper 56 (“Tr.”). We issue this Final Written Decision pursuant to 35 U.S.C. § 318(a) and 37 C.F.R. § 42.73. For the reasons set forth below, Petitioner has shown by a preponderance of the evidence that claims 1 and 3–8 of the ’084 patent are unpatentable, but Petitioner has not shown by a preponderance of the evidence that claims 9 and 10 of the ’084 patent are unpatentable.

A. Related Proceedings

The parties indicate that the ’084 patent is at issue in the following district court case: Trustees of Columbia University in New York v. Symantec Corp., No. 3:13-cv-808 (E.D. Va.). Pet. 1; Paper 6, 2. Patent Owner identifies the following petitions for inter partes review as being related to this case (Paper 6, 2):

Case No.         Involved U.S. Patent No.
IPR2015-00374    U.S. Patent No. 7,913,306
IPR2015-00378    U.S. Patent No. 7,448,084

B. The ’084 Patent

The ’084 patent relates to detecting intrusions in a computer system. Ex. 1001, Abstract. The ’084 patent explains that one type of intrusion detection system is a signature-based system. Id. at col. 1, ll. 63–65, col. 2, ll. 25–29. A signature-based system detects intrusions by comparing activity in a computer system to a database of signatures corresponding to known malicious programs. Id. This type of intrusion detection also is known as misuse detection. PO Resp. 3. According to the ’084 patent, the drawback of a signature-based or misuse detection system is that it requires prior knowledge of a malicious program, and, thus, rarely is effective at detecting new attacks. Ex. 1001, col. 1, l. 65–col. 2, l. 20, col. 2, ll. 30–32.

The ’084 patent explains that a second type of intrusion detection system is an anomaly detection system. Id. at col. 2, ll. 32–34. An anomaly detection system detects intrusions by generating a model of normal behavior and then determining if the activity in a computer system deviates from that model of normal behavior. Id. at col. 2, ll. 34–37. Thus, unlike a signature-based or misuse detection system, an anomaly detection system may detect new attacks. Id. at col. 2, ll. 37–39. According to the ’084 patent, the drawback of prior anomaly detection systems is that those systems had high computational overhead and high false positive rates. Id. at col. 2, l. 65–col. 3, l. 7.

The ’084 patent describes an anomaly detection system that monitors accesses to a computer’s file system, such as the computer’s registry. Id. at col. 4, ll. 55–64. The ’084 patent explains that the advantage of monitoring the registry is “that registry activity is regular by nature, that the registry can be monitored with low computational overhead, and that almost all system activities query the registry.” Id. at col. 5, ll. 6–9. The anomaly detection system described in the ’084 patent gathers data, including features from records of normal processes that access the registry, and then generates a probabilistic model of normal computer system usage based on those features. Id. at col. 3, ll. 21–27. To detect a malicious program, the system determines whether a subsequent access to the registry deviates from the model of normal computer system usage. Id. at col. 6, ll. 20–24.

C. Illustrative Claim

Claim 1 is independent and is reproduced below.

1. A method for detecting intrusions in the operation of a computer system comprising:
(a) gathering features from records of normal processes that access the operating system registry;
(b) generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes; and
(c) analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly.

Ex. 1001, col. 22, ll. 21–34.

II. ANALYSIS

A. Claim Construction

The claims of an unexpired patent are interpreted using the broadest reasonable interpretation in light of the specification of the patent in which they appear. 37 C.F.R. § 42.100(b); In re Cuozzo Speed Techs., LLC, 793 F.3d 1268, 1278–79 (Fed. Cir. 2015), cert. granted sub nom. Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 890 (mem.) (2016). In applying that standard, claim terms generally are given their ordinary and customary meaning, as would be understood by one of ordinary skill in the art in the context of the specification. In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). An applicant may provide a different definition of the term in the specification with reasonable clarity, deliberateness, and precision. In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994). In the absence of such a definition, limitations are not to be read into the claims from the specification. In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993).

1. records of normal processes that access the operating system registry

Patent Owner proposes construing the phrase “records of normal processes that access the operating system registry” to mean “records . . . obtained by monitoring registry accesses.” PO Resp. 8. Patent Owner contends that this construction is necessary to clarify that the challenged claims require monitoring registry accesses because Petitioner’s declarant, Dr. Michael T. Goodrich, testified during his deposition that the challenged claims “do not require that the model be built with any records of direct registry access.” Id. at 7–8. Even if Patent Owner’s characterization of Dr. Goodrich’s deposition testimony is accurate, Petitioner does not argue in the Petition or the Reply that the challenged claims do not require monitoring registry accesses. See Pet. 15–18, 25–32; Pet. Reply 1–2, 4–7. As such, there does not appear to be a dispute that requires claim construction. See Vivid Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999) (“[O]nly those terms need be construed that are in controversy, and only to the extent necessary to resolve the controversy.”).

Nonetheless, in order to avoid any ambiguity, we provide an express construction of the phrase “records of normal processes that access the operating system registry.” We determine that the evidence supports Patent Owner’s proposed construction. The written description of the ’084 patent consistently indicates that records of normal processes are obtained by monitoring accesses to the operating system registry. Ex. 1001, col. 5, ll. 6–18, col. 8, ll. 9–10, col. 8, ll. 22–24, col. 13, ll. 28–31, col. 13, ll. 46–52. In addition, Petitioner acknowledges that the challenged claims require monitoring accesses to the operating system registry. Tr. 12:15–13:3. Patent Owner’s proposed construction, however, omits the claim terms “normal processes” and “operating system,” which are part of the phrase being construed. Ex. 1001, col. 22, ll. 23–24. Therefore, we modify Patent Owner’s proposed construction to include those terms. Specifically, we construe the phrase “records of normal processes that access the operating system registry” to mean “records of normal processes obtained by monitoring accesses to the operating system registry.”[1] For the same reasons, we construe the phrase “a record of a process that accesses the operating system registry” to mean “a record of a process obtained by monitoring accesses to the operating system registry.”

[1] We would construe this phrase the same under Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005).

B. Obviousness of Claims 1 and 3–10

Petitioner argues that claims 1 and 3–10 would have been obvious over Bace and Russinovich. Pet. 24–42. A claim is unpatentable as obvious under 35 U.S.C. § 103(a) if the differences between the claimed subject matter and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which the subject matter pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The question of obviousness is resolved on the basis of underlying factual determinations, including: (1) the scope and content of the prior art; (2) any differences between the claimed subject matter and the prior art; (3) the level of ordinary skill in the art; and (4) any objective indicia of non-obviousness. Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966).

We have considered the parties’ arguments and supporting evidence, and we determine that Petitioner has shown by a preponderance of the evidence that claims 1 and 3–8 would have been obvious over Bace and Russinovich. We determine that Petitioner has not shown by a preponderance of the evidence that claims 9 and 10 would have been obvious over Bace and Russinovich.

1. Overview of Bace and Russinovich

Bace describes techniques for detecting intrusions in a computer system. Ex. 1007, 48, 59–60.[2] Similar to the ’084 patent, Bace explains that anomaly detection involves collecting reference data from a computer system, using that reference data to create a model of normal computer system usage, and then analyzing future activity to determine if it deviates from the model of normal computer system usage. Id. at 106, 108–110, 121. Bace identifies several data sources that are commonly used for anomaly detection. Id. at 66. Specifically, for computer systems that use a Windows operating system, Bace teaches that Windows event logs, such as the system log, application log, and security log, can be used as data sources. Id. at 74–75. According to Bace, “the security log events are the primary focus of intrusion detection systems.” Id. at 75.
Bace also identifies several models that are commonly used for anomaly detection. Id. at 121. Bace points out that Dorothy Denning’s model is the “seminal” anomaly detection model. Ex. 1007, 108, 121.

Russinovich describes a Registry Monitor utility (“Regmon”) that monitors registry activity as it occurs. Ex. 1008, 55. Russinovich explains that “[f]or each registry access, Regmon shows you the process that performed the access and the time, type, and result of the access.” Id. In particular, Regmon gathers the name of a process that accesses the registry, the type of query sent to the registry, the outcome of a query sent to the registry, the name of a registry key that was accessed, and the value of a registry key that was accessed. Id. According to Russinovich, these specific features are “useful for understanding the way that applications and the system rely on the registry.” Id.

[2] In this Decision, we cite to the exhibit page numbers used by the parties.

2. Level of Ordinary Skill in the Art

Petitioner’s declarant, Dr. Michael T. Goodrich, testifies that a person of ordinary skill in the art at the time of the ’084 patent would have had “a Master’s degree in computer science or a related field with two to three years of experience in the field of software security systems.” Ex. 1003 ¶ 20. Patent Owner’s declarant, Dr. George Cybenko, testifies that a person of ordinary skill in the art at the time of the ’084 patent would have had “an undergraduate degree in computer science or mathematics, and one or two years of experience in the field of computer security.” Ex. 2019 ¶ 28. Thus, Petitioner’s declarant, Dr. Goodrich, defines the level of ordinary skill in the art slightly higher in both education and experience. Patent Owner points out this difference, but does not argue that it materially impacts either party’s analysis. PO Resp. 18–19. In fact, Petitioner’s declarant, Dr. Goodrich, testifies that his analysis would not change under the slightly lower level of ordinary skill in the art set forth by Patent Owner. Ex. 1029 ¶¶ 13–14; Ex. 2018, 78:2–23. In other words, the minor distinctions between the parties’ proposed levels of ordinary skill in the art are not material. As a result, we determine that both parties define the level of ordinary skill in the art appropriately in this case.

Patent Owner argues that, even if Petitioner correctly defines the level of ordinary skill in the art, Petitioner improperly conducts its obviousness analysis from the perspective of an expert in the art, not a person of ordinary skill in the art. PO Resp. 17–19. First, Patent Owner contends that Petitioner relies on a portion of an article that discusses the knowledge available from “a security expert.” Id. at 17–18 (citing Ex. 1012, 34). Patent Owner, however, only identifies one citation to that article in the entire Petition. PO Resp. 17–18 (citing Pet. 4). We are not persuaded that this one citation indicates that Petitioner conducts its entire obviousness analysis from the perspective of an expert in the art.

Second, Patent Owner argues that Bace teaches that performing certain intrusion detection tasks “may be intuitively obvious only to the most experienced security administrators.” PO Resp. 18 (citing Ex. 1007, 77) (emphasis omitted). The portion of Bace identified by Patent Owner relates specifically to performing the “balancing act” of monitoring enough features to detect significant security problems and not monitoring so many features that it would cause performance loss. Ex. 1007, 77. Patent Owner, however, does not show that Petitioner relies on that particular portion of Bace, or that Petitioner or Dr. Goodrich concludes that performing the balancing act described in that portion of Bace would have been obvious at the time of the ’084 patent. PO Resp. 18. In addition, the challenged claims do not recite a method for maintaining a certain level of computer performance or a certain level of detection accuracy. See, e.g., Ex. 1001, col. 22, ll. 21–34. As such, even if Patent Owner is correct that maintaining a specific balance of performance and accuracy would have been obvious only to an expert, Petitioner need not rely on that teaching in Bace to show that the challenged claims would have been obvious. Therefore, we are not persuaded that Petitioner conducts its obviousness analysis from the perspective of an expert in the art.[3]

[3] Patent Owner also mentions that Russinovich “is intended for advanced computer professionals,” but does not explain why a person of ordinary skill in the art, as defined by the parties, would not have been considered an advanced computer professional, as that term is used in Russinovich. PO Resp. 21 (citing Ex. 1008, 16).

3. Claim 1

a. Limitations of Claim 1

Claim 1 recites “gathering features from records of normal processes that access the operating system registry.” Ex. 1001, col. 22, ll. 23–24. Bace teaches collecting reference data from several Windows event logs, including the system log, application log, and security log. Ex. 1007, 74–75. Bace specifies, though, that “security log events are the primary focus of intrusion detection systems.” Id. at 75 (emphasis added); Ex. 1029 ¶ 16. Bace also teaches that the security log includes events relating to “the creation, deletion, and alteration of system files and other objects.” Ex. 1007, 74–75. A person of ordinary skill in the art at the time of the ’084 patent would have known that monitoring “system files and other objects,” as taught in Bace, can include monitoring registry accesses. PO Resp. 24 (“Registry auditing is part of Window’s security auditing.”); Ex. 1003 ¶¶ 33, 117; Ex. 1007, 74–75; Ex. 1014, 95; Ex. 1029 ¶¶ 15–17. Thus, Bace suggests using records obtained by monitoring registry accesses as an information source for an anomaly detection method. Ex. 1003 ¶¶ 88, 139 (pp. 68–69); Ex. 1029 ¶¶ 9, 15–16.

A person of ordinary skill in the art at the time of the ’084 patent also would have known that intrusions in a Windows computer system often access the registry. Ex. 1003 ¶¶ 33–34, 90–93, 128; Ex. 1006, 3; Ex. 1010, 5; Ex. 1011, 35, 51–62, 75–78, 92; Ex. 1012, 34; Ex. 1018 ¶¶ 3, 31–32; Ex. 1019, col. 2, ll. 32–41, col. 5, ll. 26–35. For example, a reference entitled “Windows NT Attacks for the Evaluation of Intrusion Detection Systems” describes testing an intrusion detection system for a Windows computer system (Ex. 1011, 11, 31–32) using attacks that access the registry, such as a Netbus attack (id. at 51), a PPMacro attack (id. at 60), and a Yaga attack (id. at 75). A reference entitled “Monitoring of Malicious Activity in Software Systems” similarly identifies the registry as one of the critical “targets” for attacks in a Windows computer system. Ex. 1010, 5. Further, several references expressly describe monitoring registry accesses in order to detect intrusions in a computer system. Ex. 1006, 3 (“Event Log monitoring is done on key NT Registry locations.”); Ex. 1011, 35 (“auditing of all files and Registry keys”); Ex. 1018 ¶ 32 (“The capabilities of the host-based IPS comprise application monitoring of: file system events, registry access . . . .”); Ex. 1019, col. 5, ll. 26–35 (“[T]he following categories of events are monitored . . . [s]ystem configuration area accesses, such as Registry files.”).

As a result of this background knowledge, a person of ordinary skill in the art reading Bace would have recognized that records obtained by monitoring registry accesses, in particular, would have been useful for detecting intrusions in a Windows computer system. Ex. 1003 ¶¶ 33–34, 88, 90–93, 128, 139 (pp. 68–69); Ex. 1029 ¶¶ 15–16. Therefore, the teachings of Bace, together with the background knowledge and perspective of a person of ordinary skill in the art, would have made it obvious to use records obtained by monitoring registry accesses as an information source for an anomaly detection method. See Randall Mfg. v. Rea, 733 F.3d 1355, 1362–63 (Fed. Cir. 2013); Ariosa Diagnostics v. Verinata Health, Inc., 805 F.3d 1359, 1365 (Fed. Cir. 2015).

As discussed above, Bace teaches an anomaly detection method that gathers data in order to generate a model that indicates how applications rely on “system files and other objects” during normal computer system usage. Ex. 1007, 74–75, 106. Russinovich teaches that Regmon gathers features from records obtained by monitoring registry accesses. Ex. 1008, 55. Although Russinovich does not discuss anomaly detection, Russinovich teaches that the specific features gathered by Regmon are “useful for understanding the way that applications and the system rely on the registry.” Id. (emphasis added). Thus, a person of ordinary skill in the art would have found it obvious to generate the model of normal computer system usage in Bace using the specific features gathered in Russinovich. Ex. 1003 ¶ 137; Ex. 1029 ¶¶ 25, 31, 33; see KSR, 550 U.S. at 418 (explaining that “interrelated teachings” of multiple prior art references may provide a reason to combine known elements).
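The three steps of claim 1 (gather features from records of normal registry accesses, build a probabilistic model that also assigns a likelihood to an event never seen during gathering, then score a new access), with Regmon's five features as the record layout, worked through as an added Python illustration; this is not code from the ’084 patent, from Bace or Russinovich, or from either party's filings. The constructed training records, the Witten-Bell style estimate r / (n + r) for an unseen event, the pairwise conditional checks and the 0.05 threshold are all assumptions made for this example.

```python
"""Registry-access anomaly model following the three steps of claim 1.

Added illustration only; not the '084 patent's model, not Bace's or
Russinovich's code, and not either party's filing.  Records carry the five
Regmon features named in Russinovich: process, query type, result, key, value.
"""
from collections import Counter, defaultdict
from itertools import permutations

FEATURES = ("process", "query", "result", "key", "value")

# Constructed training data (not real Regmon output): (record, times observed).
KEY_EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
KEY_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
KEY_WORD = r"HKCU\Software\Microsoft\Office\9.0\Word"
KEY_SERVICES = r"HKLM\System\CurrentControlSet\Services"
NORMAL_TEMPLATES = [
    (("explorer.exe", "OpenKey", "SUCCESS", KEY_EXPLORER, ""), 30),
    (("explorer.exe", "QueryValue", "SUCCESS", KEY_EXPLORER, "ShellState"), 30),
    (("explorer.exe", "QueryValue", "SUCCESS", KEY_RUN, ""), 10),
    (("winword.exe", "OpenKey", "SUCCESS", KEY_WORD, ""), 20),
    (("winword.exe", "QueryValue", "SUCCESS", KEY_WORD, "LastOpen"), 20),
    (("winword.exe", "QueryValue", "NOTFOUND", KEY_WORD, "Template"), 5),
    (("services.exe", "OpenKey", "SUCCESS", KEY_SERVICES, ""), 15),
    (("services.exe", "EnumerateKey", "SUCCESS", KEY_SERVICES, ""), 15),
]
NORMAL_RECORDS = [rec for rec, times in NORMAL_TEMPLATES for _ in range(times)]


class RegistryAnomalyModel:
    """Steps (a) and (b): gather feature counts from normal records and turn
    them into probability estimates; step (c): score a new record."""

    def __init__(self):
        self.n = 0
        self.single = {f: Counter() for f in FEATURES}
        # pair[(context, target)][context value] -> Counter of target values
        self.pair = {p: defaultdict(Counter) for p in permutations(FEATURES, 2)}

    def train(self, records):
        for rec in records:
            row = dict(zip(FEATURES, rec))
            self.n += 1
            for f in FEATURES:
                self.single[f][row[f]] += 1
            for cf, tf in self.pair:
                self.pair[(cf, tf)][row[cf]][row[tf]] += 1

    @staticmethod
    def _estimate(counts, value):
        """Witten-Bell style estimate (an assumption of this example): a seen
        value gets c / (n + r); the mass r / (n + r) is the likelihood of an
        event not observed during gathering (n = total, r = distinct values)."""
        n = sum(counts.values())
        r = len(counts)
        if n == 0:
            return None  # context never seen; the first-order check covers it
        return (counts[value] if value in counts else r) / (n + r)

    def checks(self, record):
        """Every first-order and pairwise-conditional estimate for a record."""
        row = dict(zip(FEATURES, record))
        out = {f: self._estimate(self.single[f], row[f]) for f in FEATURES}
        for (cf, tf), table in self.pair.items():
            p = self._estimate(table.get(row[cf], Counter()), row[tf])
            if p is not None:
                out[f"{tf}|{cf}={row[cf]}"] = p
        return out

    def score(self, record):
        """Lowest estimate over all checks, with the check that produced it."""
        probs = self.checks(record)
        name = min(probs, key=probs.get)
        return probs[name], name

    def is_anomaly(self, record, threshold=0.05):
        return self.score(record)[0] < threshold


def demo():
    """Train on the constructed normal records and score three probes."""
    model = RegistryAnomalyModel()
    model.train(NORMAL_RECORDS)
    probes = {
        "normal explorer read": ("explorer.exe", "QueryValue", "SUCCESS", KEY_EXPLORER, "ShellState"),
        "unknown process, Run key": ("unknown.exe", "SetValue", "SUCCESS", KEY_RUN, "Updater"),
        "known process, unusual key": ("winword.exe", "QueryValue", "SUCCESS", KEY_RUN, ""),
    }
    return {label: (model.is_anomaly(rec), *model.score(rec)) for label, rec in probes.items()}


if __name__ == "__main__":
    for label, (flag, p, check) in demo().items():
        print(f"{label:28s} anomaly={flag!s:5s} p={p:.4f} lowest check: {check}")
```

The third probe is the instructive one: both winword.exe and the Run key are individually normal, and only the pairwise check (key given process) exposes the access as something never seen during gathering.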
Claim 1 recites “generating a probabilistic model of normal computer system usage based on the features and determining the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes.” Ex. 1001, col. 22, ll. 25–29. Bace describes Dorothy Denning’s model as the “seminal” anomaly detection model. Ex. 1007, 108, 121; Ex. 1003 ¶ 119. Denning’s model includes a mean and standard deviation model and a Markov process model, which are probabilistic models that determine the likelihood of observing an event that was not observed during the gathering of features from the records of normal processes. Ex. 1007, 121–122; Ex. 1003 ¶¶ 48–50, 122, 139 (pp. 71–73). 13 IPR2015-00372 Patent 7,448,084 B1 Bace teaches that those models are generated using the reference data discussed above. Ex. 1007, 74–75, 109, 121–122; Ex. 1003 ¶¶ 117–120. Claim 1 recites “analyzing features from a record of a process that accesses the operating system registry to detect deviations from normal computer system usage to determine whether the access to the operating system registry is an anomaly.” Ex. 1001, col. 22, ll. 30–34. Bace teaches obtaining a record generated by an information source, comparing the record to the contents of the models discussed above, and determining whether the event is anomalous. Ex. 1007, 109–110; Ex. 1003 ¶¶ 121, 139 (pp. 76–77). Bace teaches that the records being analyzed for anomalies also are obtained from the Windows event logs, such as the security log, discussed above. Ex. 1007, 74–75, 109; Ex. 1003 ¶¶ 117, 121. b. Patent Owner’s Arguments Patent Owner presents the following arguments regarding claim 1 in its Response: 1) Bace does not disclose expressly or inherently using records obtained by monitoring registry accesses for anomaly detection (PO Resp. 22–30); 2) it would not have been obvious to use records obtained from Windows event logs for anomaly detection (id. 
at 34–37); 3) it would not have been obvious to use records obtained by monitoring registry accesses for anomaly detection (id. at 37–46); 4) a person of ordinary skill in the art would not have had a reasonable expectation of success in using records obtained by monitoring registry accesses for anomaly detection (id. at 46– 52); and 5) Petitioner does not provide a sufficient reason for combining the 14 IPR2015-00372 Patent 7,448,084 B1 cited teachings of Bace and Russinovich (id. at 52–54). We address each of Patent Owner’s arguments below.4 First, Patent Owner argues that Bace does not disclose expressly or inherently using records obtained by monitoring registry accesses in an anomaly detection method, as required by claim 1. PO Resp. 22–30. Specifically, Patent Owner argues that the security log discussed in Bace is disabled by default, and, thus, monitoring registry accesses is not inherent in Bace.5 Id. at 24–27. Patent Owner also argues that, even if the security log is enabled, the security log includes numerous records that do not involve registry accesses. Id. at 27–30. As such, it still would not be inherent in Bace to use records obtained by monitoring registry accesses in an anomaly detection method. Id. Patent Owner’s argument is not persuasive. As discussed above, Petitioner’s asserted ground of unpatentability for claim 1 is based on obviousness, not anticipation. Pet. 24–32. Therefore, Petitioner does not have to show that the limitations of claim 1 are disclosed expressly or inherently in Bace. See Trintec Indus., Inc. v. Top-U.S.A. Corp., 295 F.3d 1292, 1297 (Fed. Cir. 2002). Second, Patent Owner argues that Petitioner does not show why it would have been obvious to use Windows event logs as an information source for an anomaly detection method. PO Resp. 34–37. 
Specifically, Patent Owner points out that Bace describes various possible information 4 We do not address Patent Owner’s argument regarding the alternative claim construction allegedly proposed by Petitioner’s declarant, Dr. Goodrich, during his deposition (PO Resp. 30–34), because we do not adopt that construction (see supra Section II.A.1). 5 Bace, however, expressly teaches enabling the security log. Ex. 1007, 76; Ex. 1029 ¶ 21. 15 IPR2015-00372 Patent 7,448,084 B1 sources and various types of intrusion detection models. Id. at 34–35 (citing Ex. 1007, 98–99, 138–140). According to Patent Owner, it would not have been obvious to combine one particular information source, Windows event logs, with one particular intrusion detection model, Denning’s model. PO Resp. 34–35. Patent Owner’s argument is not persuasive. As discussed above, Bace teaches that Windows events logs are a primary information source for detecting intrusions in a Windows computer system (Ex. 1007, 74–75), and that Denning’s model is the “seminal” anomaly detection model (id. at 108, 121). Therefore, one of ordinary skill in the art developing an anomaly detection method for a Windows computer system would have had a specific reason to use Windows event logs as an information source for Denning’s anomaly detection model. Ex. 1003 ¶¶ 113, 119; Ex. 1029 ¶ 16. Patent Owner also argues that it would not have been obvious to use Windows event logs as an information source for an anomaly detection method because Bace questions the usefulness of Windows event logs. PO Resp. 35–36 (citing Ex. 1007, 69–70). Patent Owner’s argument is not persuasive. Bace indicates that the commercial audit systems available at that time had certain shortcomings (Ex. 1007, 69), but explains that, “[d]espite the problems outlined here, many intrusion detection experts consider operating system audit trails preferable to other common host-level information sources for intrusion detection purposes” (id. 
at 70 (emphasis added)).6 In other words, Bace teaches that Windows events logs were the 6 Patent Owner argues that only experts preferred Windows event logs. PO Resp. 36. Although Bace indicates that experts preferred Windows event logs (Ex. 1007, 70), Patent Owner does not identify evidence indicating that persons of ordinary skill in the art did not prefer those logs (PO Resp. 36). 16 IPR2015-00372 Patent 7,448,084 B1 preferred information source for intrusion detection methods at that time. Ex. 1029 ¶ 28. Patent Owner also argues that it would not have been obvious to use Windows event logs as an information source for an anomaly detection method because Bace only teaches using Windows event logs for misuse detection, not anomaly detection. PO Resp. 36–37 (citing Ex. 1007, 70, 112). Patent Owner’s argument is not persuasive. As discussed above, anomaly detection involves identifying abnormal computer system usage. Ex. 1001, col. 2, ll. 34–37; Ex. 1007, 106, 110, 121. Bace teaches that the “finer-grained level of detail” provided by operating system audit trails, such as Windows event logs, can be used to identify “abnormal patterns of process execution,” such as “the execution of trojan horses and other malicious code.”7 Ex. 1007, 70. Therefore, contrary to Patent Owner’s argument, Bace expressly teaches using Windows event logs for anomaly detection, not just misuse detection. Ex. 1003 ¶ 106; Ex. 1029 ¶ 15. Third, Patent Owner argues that, even if it would have been obvious to use Windows event logs as an information source for an anomaly detection method, Petitioner does not show why it would have been obvious to use records obtained by monitoring registry accesses, as opposed to the various other records gathered by Windows event logs. PO Resp. 37–46. Patent Owner points out that there are several types of Windows event logs that contain “a vast array of information.” Id. at 38–39. 
Patent Owner 7 Patent Owner suggests that this teaching in Bace only relates to the system call records gathered by UNIX system audit trails. Paper 47 ¶¶ 7–8. Section 3.2.4 of Bace, however, describes the advantages of operating system audit trails generally, not just UNIX system audit trails. Ex. 1007, 70. 17 IPR2015-00372 Patent 7,448,084 B1 argues that the security log alone records fifty-six possible events and only five may relate to registry accesses. Id. at 39–40 (citing Ex. 2019 ¶¶ 166, 180). Further, according to Patent Owner, those five events that may relate to registry accesses may also relate to other types of objects. PO Resp. 39– 40 (citing Ex. 2019 ¶¶ 166, 180). Patent Owner’s argument is not persuasive because it does not address the background knowledge of a person of ordinary skill in the art. As discussed above, Bace suggests using records obtained by monitoring registry accesses as an information source for detecting intrusions in a Windows computer system. See supra Section II.B.3.a. As also discussed above, a person of ordinary skill in the art at the time of the ’084 patent would have known that intrusions in a Windows computer system often access the registry. Id. As a result of this background knowledge, a person of ordinary skill in the art reading Bace would have recognized that records obtained by monitoring registry accesses, in particular, would have been useful for detecting intrusions in a Windows computer system. Id. Patent Owner also argues that it would not have been obvious to use records obtained by monitoring registry accesses for anomaly detection because several references discourage registry monitoring. PO Resp. 40–41 (citing Ex. 1014, 26–29, 81, 84–85, 95–96, 98; Ex. 2014, 6; Ex. 2021, 88; Ex. 2022, 10). Patent Owner’s argument is not persuasive. 
Most of the references identified by Patent Owner recommend that registry monitoring be disabled as a default to avoid unnecessarily consuming system resources, but do not otherwise discourage registry monitoring. Ex. 2014, 5–6; Ex. 2021, 88; Ex. 2022, 10. The other reference identified by Patent Owner indicates that, even though monitoring registry accesses may impair system 18 IPR2015-00372 Patent 7,448,084 B1 performance in some circumstances (Ex. 1014, 98, 100–101), it nonetheless can be very useful for computer security (id. at 84–85; Ex. 1029 ¶ 23). This is consistent with the evidence discussed above, which indicates that a person of ordinary skill in the art would have known that records obtained by monitoring registry accesses were useful for detecting intrusions in a Windows computer system. See supra Section II.B.3.a. Patent Owner also argues that it would not have been obvious to use records obtained by monitoring registry accesses for anomaly detection because Petitioner does not identify any reference that expressly teaches using records obtained by monitoring registry accesses for anomaly detection. PO Resp. 44–46. Patent Owner acknowledges that one reference cited by Petitioner, known as Shavlik, mentions monitoring registry accesses in connection with an anomaly detection method. Id. at 45 (citing Ex. 1006, 3). But, according to Patent Owner, the authors of that reference subsequently decided not to use records obtained by monitoring registry accesses. PO Resp. 45 (citing Ex. 2024, 9).8 Patent Owner’s argument is not persuasive. Petitioner does not have to provide a reference that discloses all the limitations of claim 1 in order to show that claim 1 would have been obvious. As discussed above, the teachings of Bace and Russinovich, together with the background knowledge of a person of ordinary skill in the art, show that it would have been obvious to use records obtained by monitoring registry accesses for anomaly detection. 
See supra Section II.B.3.a.

[Footnote 8] The evidence cited by Patent Owner does not predate the ’084 patent, and, thus, may not be relevant to the obviousness analysis regarding claim 1. Ex. 2024; Tr. 55:19–57:7.

Fourth, Patent Owner argues that Petitioner does not show that a person of ordinary skill in the art would have had a reasonable expectation of success in using records obtained by monitoring registry accesses for anomaly detection. PO Resp. 46–52. Specifically, Patent Owner argues that monitoring too many features may degrade the performance of the computer system (id. at 47–49), whereas monitoring too few features may reduce the accuracy of the anomaly detection system (id. at 49–51). Patent Owner points out again that, according to Bace, performing the balancing act between those two competing interests would have been obvious only to the most experienced security administrators. Id. at 51 (citing Ex. 1007, 77).

Patent Owner’s argument is not persuasive because it is not commensurate with the scope of claim 1. Allergan, Inc. v. Apotex Inc., 754 F.3d 952, 962–63 (Fed. Cir. 2014). Claim 1 does not require that the computer system maintain a certain level of performance or that the anomaly detection method maintain a certain level of accuracy. Ex. 1001, col. 22, ll. 21–34. Thus, even if developing a method with a specific balance of performance and accuracy would have been obvious only to an expert, claim 1 does not require such a method. Further, Patent Owner’s argument is not persuasive because a reasonable expectation of success does not require absolute predictability. In re Kubin, 561 F.3d 1351, 1360 (Fed. Cir. 2009). Although monitoring registry accesses may impair system performance in some circumstances (Ex. 1014, 98, 100–101), a person of ordinary skill in the art nonetheless would have reasonably expected an intrusion detection method that uses records obtained by monitoring registry accesses to work. Ex. 1011, 35 (describing an intrusion detection system with “maximum auditing enabled,” including “all files and Registry keys”); id. at 92 (recommending “a more extensive Windows NT auditing policy” that “should audit important Registry keys”); Ex. 1018 ¶ 32 (“The capabilities of the host-based IPS comprise application monitoring of: file system events, registry access . . . .”); Ex. 1019, col. 5, ll. 26–35 (“[T]he following categories of events are monitored . . . [s]ystem configuration area accesses, such as Registry files.”); Ex. 1029 ¶¶ 27–28.

Patent Owner’s argument that a person of ordinary skill in the art would not have had a reasonable expectation of success also is not persuasive because Patent Owner does not address the teachings of Russinovich. See PO Resp. 46–52. Patent Owner contends that “[a]t the time of the invention, searching for a minimal set of important features remained computationally intractable for large sets of features.” Id. at 52. However, as discussed above, Russinovich teaches gathering five specific features from records obtained by monitoring registry accesses. Ex. 1008, 55. Russinovich explains that those features are useful for understanding the way that applications rely on the registry. Id. Thus, as discussed above, a person of ordinary skill in the art would have found it obvious to generate the model of normal computer system usage in Bace using the five specific features gathered in Russinovich. See supra Section II.B.3.a; Ex. 1003 ¶ 137; Ex. 1029 ¶¶ 25, 31, 33.

Fifth, Patent Owner argues that Petitioner does not provide a sufficient reason for combining the cited teachings of Bace and Russinovich. PO Resp. 52–54. Specifically, Patent Owner argues that a person of ordinary skill in the art would not have had a reason to use records obtained by monitoring registry accesses in anomaly detection, and, thus, would not have even considered the teachings of Russinovich. Id. at 53. Patent Owner’s argument is not persuasive. As discussed above, the teachings in Bace together with the background knowledge of a person of ordinary skill in the art would have made it obvious to use features obtained by monitoring registry accesses in anomaly detection. See supra Section II.B.3.a. Thus, a person of ordinary skill in the art would have had a reason to consider the cited teachings of Russinovich in connection with the cited teachings of Bace. Ex. 1003 ¶ 137; Ex. 1029 ¶¶ 25, 31, 33.

Patent Owner also argues that it would not have been obvious to combine the cited teachings of Bace and Russinovich because Bace relates to Windows NT, whereas Russinovich relates to Windows 2000. PO Resp. 53. Patent Owner’s argument is not persuasive. The evidence indicates that a person of ordinary skill in the art would have known that the Regmon utility taught in Russinovich also would have worked with Windows NT. Ex. 1003 ¶¶ 32, 98; Ex. 1027, 1 (“Regmon works on NT 4.0, Win2K, Windows 95, Windows 98, Windows ME”); Ex. 1029 ¶ 30.

c. Summary

For the reasons discussed above, we determine that Petitioner has shown by a preponderance of the evidence that claim 1 would have been obvious over Bace and Russinovich.

4. Claims 3–8

Claims 3–8 depend directly or indirectly from claim 1, and recite specific features gathered from records of normal processes that access the operating system registry. Ex. 1001, col. 22, l. 38–col. 23, l. 3. Petitioner identifies evidence indicating that Russinovich teaches gathering those specific features. Pet. 32–39 (citing Ex. 1008, 55). Specifically, the “Process” column of Regmon gathers the name of a process that accesses the registry, as recited in claim 3. Ex. 1008, 55. The “Request” column gathers the type of query sent to the registry, as recited in claim 4. Id. The “Result” column gathers the outcome of a query sent to the registry, as recited in claim 5. Id. The “Path” column gathers the name of a key that was accessed in the registry, as recited in claim 6. Id. The “Other” column gathers the value of a key that was accessed in the registry, as recited in claim 7. Id. The columns of Regmon together gather at least two of the aforementioned features, as recited in claim 8. Id.

Patent Owner argues that, because claims 3–8 depend from claim 1, the specific features recited in claims 3–8 must be gathered and then used to generate a model of normal computer system usage for an anomaly detection method. PO Resp. 54. Patent Owner contends that Petitioner does not show that it would have been obvious to use the specific features taught in Russinovich to generate a model of normal computer system usage because there were “nearly limitless features” that could have been selected. Id. at 54–55. Patent Owner’s argument is not persuasive. As discussed above, Bace teaches generating a model that indicates how applications rely on “system files and other objects” during normal computer system usage (Ex. 1007, 74–75, 106), and Russinovich teaches that the specific features gathered by Regmon are “useful for understanding the way that applications and the system rely on the registry” (Ex. 1008, 55) (emphasis added). Thus, a person of ordinary skill in the art would have found it obvious to generate the model of normal computer system usage in Bace using the specific features gathered in Russinovich. Ex. 1003 ¶ 137; Ex. 1029 ¶¶ 25, 31, 33.

Patent Owner also argues that Regmon only displays features and does not store them. PO Resp. 55–57 (citing Ex. 1008, 55; Ex. 2019 ¶ 236). Thus, according to Patent Owner, a person of ordinary skill in the art could not have used the features gathered by Regmon to generate a model of normal computer system usage. Id. at 56. Patent Owner’s argument is not persuasive.
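As an added illustration, not part of the decision or of any party’s evidence, the following Python shows how Regmon-style records carrying the five features recited in claims 3–7 (process, request, path, result, other) can be saved as text, parsed, reduced to an event counter, and used to fit a mean and standard deviation model of normal usage that flags a deviating observation window. The tab-separated field layout, the protected key names, the request and result strings, and every record line are constructed assumptions for this example.

```python
"""Added example, not from the decision or any party's evidence: Regmon-style
registry access records (process, request, path, result, other) are parsed from
a saved text dump, reduced to an event counter of failed reads to protected
keys, and scored against a mean and standard deviation model of normal usage."""
import statistics
from dataclasses import dataclass

READ_REQUESTS = {"OpenKey", "QueryValue", "EnumerateKey"}  # assumed read-type queries
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
PROTECTED_PREFIXES = ("HKLM\\SAM", "HKLM\\SECURITY", RUN)  # assumed sensitive keys


@dataclass(frozen=True)
class RegRecord:
    process: str  # name of the process accessing the registry
    request: str  # type of query sent to the registry
    path: str     # name of the key accessed
    result: str   # outcome of the query
    other: str    # value or other data returned by the query


def parse_regmon(dump: str) -> list[RegRecord]:
    """Parse a tab-separated dump, one five-field record per line (layout assumed)."""
    records = []
    for line in dump.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the saved file
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"malformed record: {line!r}")
        records.append(RegRecord(*fields))
    return records


def failed_protected_reads(records: list[RegRecord]) -> int:
    """Event counter combining three features: key name, query type and outcome."""
    return sum(1 for r in records if r.request in READ_REQUESTS
               and r.path.startswith(PROTECTED_PREFIXES) and r.result != "SUCCESS")


@dataclass(frozen=True)
class MeanStdModel:
    mean: float   # mean of the counter over windows of normal usage
    stdev: float  # sample standard deviation over the same windows

    @classmethod
    def fit(cls, normal_counts: list[int]) -> "MeanStdModel":
        if len(normal_counts) < 2:
            raise ValueError("need at least two windows of normal usage")
        return cls(statistics.mean(normal_counts), statistics.stdev(normal_counts))

    def is_anomalous(self, count: int, k: float = 3.0) -> bool:
        scale = self.stdev if self.stdev > 0 else 1.0  # avoid a zero-width band
        return abs(count - self.mean) > k * scale


def _rec(process: str, request: str, path: str, result: str, other: str = "") -> str:
    return "\t".join((process, request, path, result, other))  # one saved line


# Constructed windows of normal usage; failed protected reads per window: 1, 2, 1, 0, 1
NORMAL_WINDOWS = [
    "\n".join([_rec("explorer.exe", "OpenKey", RUN, "SUCCESS", "Key: 0xE12"),
               _rec("explorer.exe", "QueryValue", RUN + "\\Updater", "NOTFOUND")]),
    "\n".join([_rec("winlogon.exe", "QueryValue", "HKLM\\SECURITY\\Policy", "ACCDENIED"),
               _rec("services.exe", "QueryValue", RUN + "\\Tray", "NOTFOUND")]),
    "\n".join([_rec("explorer.exe", "QueryValue", RUN + "\\Sidebar", "NOTFOUND"),
               _rec("explorer.exe", "SetValue", "HKCU\\Software\\Microsoft\\Shell", "SUCCESS", "0x0")]),
    "\n".join([_rec("notepad.exe", "OpenKey", "HKCU\\Software\\Notepad", "SUCCESS", "Key: 0xE20"),
               _rec("notepad.exe", "QueryValue", "HKCU\\Software\\Notepad\\iPointSize", "NOTFOUND")]),
    "\n".join([_rec("lsass.exe", "OpenKey", "HKLM\\SECURITY\\Policy\\Secrets", "ACCDENIED"),
               _rec("explorer.exe", "QueryValue", RUN, "SUCCESS", "Key: 0xE12")]),
]
# Constructed window with a burst of failed reads of sensitive keys: counter = 4
SUSPECT_WINDOW = "\n".join([
    _rec("unknown.exe", "QueryValue", RUN + "\\Loader", "NOTFOUND"),
    _rec("unknown.exe", "OpenKey", "HKLM\\SAM\\SAM", "ACCDENIED"),
    _rec("unknown.exe", "OpenKey", "HKLM\\SECURITY\\Policy\\Secrets", "ACCDENIED"),
    _rec("unknown.exe", "QueryValue", "HKLM\\SAM\\SAM\\Domains", "ACCDENIED"),
])
NORMAL_MODEL = MeanStdModel.fit([failed_protected_reads(parse_regmon(w)) for w in NORMAL_WINDOWS])
# NORMAL_MODEL.is_anomalous(failed_protected_reads(parse_regmon(SUSPECT_WINDOW))) -> True
```

The model here is fit to five constructed windows (mean 1.0, sample standard deviation about 0.71), so the suspect window’s count of 4 lies more than three standard deviations from normal and is flagged.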
The evidence indicates that a person of ordinary skill in the art would have known that the features gathered by Regmon can be stored, not just displayed. Ex. 1027, 1 (“save the listview contents to an ASCII file”); Ex. 1029 ¶ 35.

Patent Owner argues that claims 5, 7, and 8 each require gathering at least two features from records of processes that access the registry and generating a model of normal computer system usage based on those two features. PO Resp. 57. Patent Owner contends that, although Russinovich teaches gathering two different features, Russinovich does not teach generating a model of normal computer system usage based on those two different features. Id. at 57–58. Patent Owner also argues that Petitioner does not explain how the mean and standard deviation model or the Markov process model in Bace could have been generated based on two different features. Id. at 58. Patent Owner’s argument is not persuasive. Bace teaches that the mean and standard deviation model can be applied to event counters. Ex. 1007, 108, 121–122. Petitioner’s declarant, Dr. Goodrich, provides an example of how the mean and standard deviation model in Bace can be applied to an event counter that counts the number of failed reads to a protected system file. Ex. 1003 ¶¶ 49, 139 (pp. 72–73); Pet. 28–30 (citing Ex. 1003 ¶ 49). An event counter that counts the number of failed reads to a particular system file would have required monitoring at least three different features—the name of the system file being accessed (e.g., registry key name), the type of query (e.g., read), and the outcome of the query (e.g., fail). Thus, Petitioner identifies evidence indicating that it would have been obvious to generate the mean and standard deviation model in Bace based on at least two different types of features. Id. Dr. Goodrich further testifies that it would have been obvious to one of ordinary skill in the art to generate the model based on other combinations of features. Ex. 1029 ¶ 34. Therefore, we determine that Petitioner has shown by a preponderance of the evidence that claims 3–8 would have been obvious over Bace and Russinovich.

5. Claim 9

Claim 9 depends from claim 1, and recites “wherein generating a probabilistic model of normal computer system usage comprises determining a likelihood of observing a feature in the records of processes that access the operating system registry.” Ex. 1001, col. 23, ll. 4–7. Petitioner argues that the mean and standard deviation model and the Markov process model in Bace determine the likelihood of observing an event. Pet. 39–41 (citing Ex. 1007, 101, 121–122). Petitioner also argues that the TIM system in Bace determines the likelihood of observing one event given the occurrence of another event. Pet. Reply 23–24 (citing Ex. 1007, 128–129). Thus, Petitioner identifies evidence indicating that Bace teaches determining the likelihood of observing an event, but does not identify evidence indicating that Bace teaches determining the likelihood of observing a feature, as recited in claim 9. Pet. 39–41; Pet. Reply 23–24; Tr. 30:2–15, 31:6–12. Petitioner instead argues that an event is the “same thing” as a feature. Tr. 30:20–24, 32:9–13. Petitioner, however, improperly presented this argument for the first time at the oral hearing. Id. at 30:13–15; Pet. 39–41; Pet. Reply 23–24; see Office Patent Trial Practice Guide, 77 Fed. Reg. 48,756, 48,768 (Aug. 14, 2012) (“No new evidence or arguments may be presented at the oral argument.”). Moreover, Petitioner does not identify any evidence from the ’084 patent (or otherwise) to support its argument that an event is the same thing as a feature. Tr. 31:1–5; see Helmsderfer v. Bobrick Washroom Equip., Inc., 527 F.3d 1379, 1381–82 (Fed. Cir. 2008) (“Our precedent instructs that different claim terms are presumed to have different meanings.”). Therefore, we determine that Petitioner has not shown by a preponderance of the evidence that claim 9 would have been obvious over Bace and Russinovich.

6. Claim 10

Claim 10 depends from claim 9, and recites “wherein determining a likelihood of observing a feature comprises determining a conditional probability of observing a first feature in the records of processes that access the operating system registry given an occurrence of a second feature in the records.” Ex. 1001, col. 23, ll. 8–12. Because claim 10 depends from claim 9, and Petitioner has not shown that claim 9 would have been obvious over Bace and Russinovich, we determine that Petitioner also has not shown by a preponderance of the evidence that claim 10 would have been obvious over Bace and Russinovich. See supra Section II.B.5.

C. Patent Owner’s Motion to Strike

Patent Owner filed a Motion to Strike Petitioner’s Reply (Paper 41, “PO Mot. Str.”), to which Petitioner filed an Opposition (Paper 43, “Pet. Opp. Str.”).[9] Patent Owner argues that the portion of Petitioner’s Reply relating to claim 9 should be stricken because it is beyond the scope of a proper reply. PO Mot. Str. 1–2. Specifically, the Petition relies on two anomaly detection models in Bace, the mean and standard deviation model and the Markov process model, as teaching the limitations of claim 9. Id. at 1; Pet. 39–41. Patent Owner argues in the Response that those models do not teach the limitations of claim 9. PO Mot. Str. 2; PO Resp. 58–60. Petitioner responds in the Reply that a different model, the TIM system, teaches the limitations of claim 9. PO Mot. Str. 2; Pet. Reply 23–24. “A reply may only respond to arguments raised in the corresponding opposition or patent owner response.” 37 C.F.R. § 42.23(b).
Here, Patent Owner argues that Petitioner’s Reply exceeds the scope of a proper reply because it presents a new theory of unpatentability for claim 9 based on the TIM system in Bace that is not included in the Petition. PO Mot. Str. 2–3. Petitioner, on the other hand, argues that its Reply is proper because the Petition relies on the TIM system in Bace with respect to claim 10, and, thus, Patent Owner was on notice that Petitioner also may rely on the TIM system with respect to claim 9. Pet. Opp. Str. 1–2.

Petitioner’s arguments in the Reply relating to claim 9 test the limits of a proper reply under 37 C.F.R. § 42.23(b). Petitioner acknowledges that it relied on the TIM system in the Reply simply because “[i]t became clear that . . . the case is easier under the TIM Model.” Tr. 32:16–33:22. As discussed above, though, we determine that Petitioner’s allegedly improper arguments in the Reply relating to claim 9 are not persuasive. See supra Section II.B.5. As a result, Petitioner’s allegedly improper arguments in the Reply do not prejudice Patent Owner, and we determine that it is unnecessary to strike those portions of Petitioner’s Reply. Therefore, Patent Owner’s Motion to Strike Petitioner’s Reply is denied.

[Footnote 9] We authorized Patent Owner to file a motion to strike and Petitioner to file an opposition. Paper 39, 3.

D. Patent Owner’s Motion to Exclude

Patent Owner filed a Motion to Exclude (Paper 44, “PO Mot. Excl.”), to which Petitioner filed an Opposition (Paper 51, “Pet. Opp. Excl.”), and Patent Owner filed a Reply (Paper 53, “PO Reply Excl.”). Patent Owner argues that Exhibit 1006, and portions of Exhibit 1029 should be excluded. PO Mot. Excl. 1–3. We have considered the parties’ arguments, and, for the reasons discussed below, Patent Owner’s Motion to Exclude is denied.

1. Exhibit 1006

Exhibit 1006 is a document entitled “Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users,” by Jude Shavlik et al. (“Shavlik”). Patent Owner argues that Exhibit 1006 should be excluded because, in the Decision on Institution, we denied institution of an inter partes review on the asserted ground of unpatentability that included Shavlik. PO Mot. Excl. 1 (citing Dec. on Inst. 11–12). Patent Owner’s argument is not persuasive. Although Shavlik is not identified expressly as part of the grounds of unpatentability in this inter partes review, Petitioner nonetheless may rely on Shavlik to show, for example, “the knowledge that skilled artisans would bring to bear in reading the prior art identified as producing obviousness.” Ariosa Diagnostics, 805 F.3d at 1365.

Patent Owner also argues that Exhibit 1006 should be excluded for lack of authentication under Fed. R. Evid. 901. PO Mot. Excl. 2–3. Patent Owner does not dispute that Shavlik was presented at the RAID 2001 Program on October 11, 2001, and was available on the RAID 2001 Program website as of November 21, 2001. PO Reply Excl. 3. Patent Owner contends that Petitioner does not show that Exhibit 1006 is the same version of Shavlik that was available on the RAID 2001 Program website as of November 21, 2001. Id. Patent Owner points out that the archived copy of the RAID 2001 Program website submitted by Petitioner links to a copy of Shavlik that was archived on June 13, 2003, not November 21, 2001. PO Mot. Excl. 2–3 (citing Ex. 2065 ¶¶ 2–4). Patent Owner’s argument is not persuasive. Federal Rule of Evidence 901 requires that the proponent produce evidence sufficient to support a finding that an item is what the proponent claims it is. The copy of Shavlik submitted as Exhibit 1006 contains the same title and authors as the paper listed on the archived RAID 2001 Program website. Ex. 1006, 1; Ex. 1013, 2. The copy of Shavlik submitted as Exhibit 1006 also contains the footer “RAID 2001,” which is consistent with it being a copy of the paper presented at the RAID 2001 Program. Ex. 1006, 1.
Thus, the evidence indicates that Exhibit 1006 is the same copy of Shavlik that was available on the RAID 2001 Program website as of November 21, 2001. See Fed. R. Evid. 901(b)(4). Further, Patent Owner does not identify any persuasive reason to believe that the copy of Shavlik submitted as Exhibit 1006 differs in any way from the copy of Shavlik that was available on the RAID 2001 Program website as of November 21, 2001. PO Mot. Excl. 2–3; Pet. Reply Excl. 1–3. Therefore, Patent Owner’s Motion to Exclude Exhibit 1006 is denied.

2. Exhibit 1029

Exhibit 1029 is the Supplemental Declaration of Dr. Michael T. Goodrich. Patent Owner argues that paragraphs 36 and 37 of Exhibit 1029 should be excluded as prejudicial under Fed. R. Evid. 403, because Petitioner relies on those paragraphs to support the allegedly improper arguments in the Reply relating to claim 9. PO Mot. Excl. 3. Patent Owner identifies the arguments in its Motion to Strike Petitioner’s Reply as support for its Motion to Exclude. Id. As discussed above, we determine that it is unnecessary to strike the allegedly improper arguments in Petitioner’s Reply. See supra Section II.C. For the same reasons, we determine that it is unnecessary to exclude paragraphs 36 and 37 of Exhibit 1029. Therefore, Patent Owner’s Motion to Exclude paragraphs 36 and 37 of Exhibit 1029 is denied.

E. Patent Owner’s Motion for Observations

Patent Owner filed a Motion for Observations on the cross examination of Dr. Michael T. Goodrich (Paper 47), to which Petitioner filed a Response (Paper 50). We have considered Patent Owner’s observations and Petitioner’s responses, and we have given Dr. Goodrich’s testimony the appropriate weight in making our determination in this case.

III. CONCLUSION

Petitioner has shown by a preponderance of the evidence that claims 1 and 3–8 of the ’084 patent are unpatentable. Petitioner, however, has not shown by a preponderance of the evidence that claims 9 and 10 of the ’084 patent are unpatentable.

IV. ORDER

In consideration of the foregoing, it is hereby:

ORDERED that claims 1 and 3–8 of the ’084 patent are shown unpatentable;

FURTHER ORDERED that claims 9 and 10 of the ’084 patent are not shown unpatentable;

FURTHER ORDERED that Patent Owner’s Motion to Strike Petitioner’s Reply is denied;

FURTHER ORDERED that Patent Owner’s Motion to Exclude is denied; and

FURTHER ORDERED that, because this is a Final Written Decision, parties to the proceeding seeking judicial review of the decision must comply with the notice and service requirements of 37 C.F.R. § 90.2.

PETITIONER:
Brian M. Hoffman
Michael Sacksteder
FENWICK & WEST LLP
bhoffman-ptab@fenwick.com
MSacksteder-ptab@fenwick.com

PATENT OWNER:
Hong A. Zhong
Michael Fleming
IRELL & MANELLA LLP
hzhong@irell.com
mfleming@irell.com