DCT

3:13-cv-00808

Trustees Of Columbia University In City Of New York v. Symantec Corp


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 3:13-cv-00808, E.D. Va., 12/05/2013
  • Venue Allegations: Venue is based on Defendant Symantec having offices and facilities in Herndon, Virginia, and allegedly committing acts of infringement in the district, including selling products and operating a Security Operations Center.
  • Core Dispute: Plaintiff alleges that Defendant’s antivirus and computer security software products infringe five patents related to advanced methods for detecting malicious software and computer intrusions.
  • Technical Context: The technology concerns data-mining and machine-learning techniques for identifying novel computer security threats, such as "zero-day" viruses, by modeling normal system behavior and detecting anomalous activities.
  • Key Procedural History: The complaint alleges that on August 14, 2012, Plaintiff sent letters to Defendant identifying the patents-in-suit and inviting licensing discussions, which were allegedly ignored. It also alleges Defendant was aware of the underlying research, having cited a publication that matured into one of the asserted patents during the prosecution of its own patent applications.

Case Timeline

| Date | Event |
|---|---|
| 2001-07-30 | Earliest Priority Date for ’544 and ’907 Patents |
| 2002-01-25 | Earliest Priority Date for ’084 and ’306 Patents |
| 2005-10-25 | Earliest Priority Date for ’115 Patent |
| 2008-11-04 | U.S. Patent No. 7,448,084 Issues |
| 2009-02-03 | U.S. Patent No. 7,487,544 Issues |
| 2011-03-22 | U.S. Patent No. 7,913,306 Issues |
| 2011-07-12 | U.S. Patent No. 7,979,907 Issues |
| 2011-12-06 | U.S. Patent No. 8,074,115 Issues |
| 2012-08-14 | Columbia sends letters to Symantec regarding patents |
| 2013-12-05 | Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,487,544 - "System and Methods For Detection of New Malicious Executables," issued February 3, 2009 (’544 Patent)

The Invention Explained

  • Problem Addressed: The patent’s background section describes the failure of traditional signature-based virus scanners to detect new, previously unseen malicious executables, and notes that manually generating heuristic classifiers to address this problem is a costly and slow process (’544 Patent, col. 2:50-64).
  • The Patented Solution: The invention proposes a system that uses data mining techniques to automatically classify executable files, such as email attachments, as malicious or benign (’544 Patent, col. 3:33-38). The system extracts "byte sequence features" from an executable file and compares these features to a "classification rule set" derived from a large training dataset of known malicious and benign files to determine the probability that the new file is malicious (’544 Patent, Abstract). This allows for classification without relying on a pre-existing signature for the specific threat.
  • Technical Importance: This approach enabled the automated detection of novel malware by creating generalizable models of malicious behavior rather than relying on exact signatures of known threats (Compl. ¶14).

Key Claims at a Glance

  • The complaint asserts independent claim 1 (Compl. ¶45).
  • Essential elements of claim 1 include:
    • A method for classifying an executable attachment in an email received at an email processing application of a computer system.
    • Filtering the executable attachment from the email.
    • Extracting a byte sequence feature from the executable attachment.
    • Classifying the attachment by comparing its byte sequence feature with a classification rule set derived from features of a known set of executables to determine the probability of it being malicious.
    • Wherein the extraction process comprises creating a byte string representative of resources referenced by the executable attachment.
  • The complaint alleges infringement of "one or more claims," reserving the right to assert dependent claims (Compl. ¶46).

U.S. Patent No. 7,979,907 - "Systems and Methods For Detection of New Malicious Executables," issued July 12, 2011 (’907 Patent)

The Invention Explained

  • Problem Addressed: As a continuation of the application leading to the ’544 Patent, the ’907 Patent addresses the same problem of detecting novel malicious executables that evade traditional signature-based detection methods (’907 Patent, col. 2:55-67).
  • The Patented Solution: The invention again uses data mining to classify email attachments based on byte sequence features (’907 Patent, Abstract). However, the asserted claim specifies a particular algorithmic approach: using a "Multi-Naive Bayes algorithm" to determine the probability of an attachment's class. The claim also requires "dividing said step of determining said probability into a plurality of processing steps and executing said processing steps in parallel," suggesting a focus on computational efficiency and scalability (’907 Patent, col. 12:49-56).
  • Technical Importance: This patented solution refines the data mining approach by specifying a parallel processing architecture, which could enable faster and more efficient analysis of large volumes of potential threats (Compl. ¶57).

Key Claims at a Glance

  • The complaint asserts independent claim 1 (Compl. ¶57).
  • Essential elements of claim 1 include:
    • A method for classifying an executable attachment in an email.
    • Filtering the executable attachment from the email.
    • Extracting a byte sequence feature from the executable attachment.
    • Classifying the attachment by comparing its byte sequence feature to a classification rule set.
    • Wherein the classifying step comprises determining, with a "Multi-Naive Bayes algorithm," a probability that the attachment is a member of a class.
    • Wherein the determining step is divided into a plurality of processing steps that are executed in parallel.
  • The complaint alleges infringement of "one or more claims," reserving the right to assert dependent claims (Compl. ¶58).

U.S. Patent No. 7,448,084 - "System and Methods For Detecting Intrusions In A Computer System By Monitoring Operating System Registry Access," issued November 4, 2008 (’084 Patent)

  • Technology Synopsis: This patent addresses intrusion detection by modeling the normal behavior of processes that access the Windows operating system registry (’084 Patent, col. 1:43-47). The system generates a probabilistic model of normal registry access patterns and then analyzes new registry access events to detect deviations, or anomalies, that could indicate malicious activity (Compl. ¶¶18, 69).
  • Asserted Claims: The complaint cites claim 1 as an example (Compl. ¶69).
  • Accused Features: Symantec’s products that "perform intrusion detection" are accused of infringement (Compl. ¶70).

U.S. Patent No. 7,913,306 - "System and Methods For Detecting Intrusions In A Computer System By Monitoring Operating System Registry Accesses," issued March 22, 2011 (’306 Patent)

  • Technology Synopsis: As a continuation of the application for the ’084 Patent, this invention also relates to detecting intrusions by modeling normal system behavior (Compl. ¶19). Asserted claim 1 broadens the monitored activity from the "operating system registry" to the computer's "file system" generally. The system generates a probabilistic model of normal file system access and analyzes new events to identify anomalies (’306 Patent, claim 1; Compl. ¶81).
  • Asserted Claims: The complaint cites claim 1 as an example (Compl. ¶81).
  • Accused Features: Symantec’s products that "perform intrusion detection" are accused of infringement (Compl. ¶82).

U.S. Patent No. 8,074,115 - "Methods, Media And Systems For Detecting Anomalous Program Executions," issued December 6, 2011 (’115 Patent)

  • Technology Synopsis: This patent describes detecting anomalous program behavior by executing at least part of a program inside an "emulator" (’115 Patent, claim 1). Within this controlled environment, function calls made by the program are compared to a pre-existing model of normal function calls. A mismatch identifies the function call as anomalous, triggering a notification to an "application community" of other computers (Compl. ¶93).
  • Asserted Claims: The complaint cites claim 1 as an example (Compl. ¶93).
  • Accused Features: Symantec’s products that "detect anomalous program executions" are accused of infringement (Compl. ¶94).

III. The Accused Instrumentality

  • Product Identification: The accused instrumentalities are Symantec's suite of antivirus and computer security software products and services, including but not limited to Norton AntiVirus, Norton 360, Norton Internet Security, Symantec Endpoint Protection, Symantec Email Security.cloud, and Symantec Mail Security (Compl. ¶46).
  • Functionality and Market Context: The complaint alleges that these products provide computer security for consumer and enterprise customers (Compl. ¶5). Their relevant technical functionalities, as alleged, include the ability to "classify executable programs and attachments in an email" (’544 and ’907 Patents), "perform intrusion detection" (’084 and ’306 Patents), and "detect anomalous program executions" (’115 Patent) to protect computer systems from malicious software and intrusions (Compl. ¶¶46, 70, 82, 94).
    No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

’544 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising: | The accused products allegedly provide antivirus and computer security functions that classify executable programs and attachments in email. | ¶46 | col. 3:17-19 |
| a) filtering said executable attachment from said email; | The accused products scan and classify email attachments, which necessitates filtering them from the email stream for analysis. | ¶46 | col. 5:8-13 |
| b) extracting a byte sequence feature from said executable attachment; and | To classify executables, the accused products must necessarily extract features from them for analysis. | ¶46 | col. 3:20-22 |
| c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set... to determine the probability whether said executable attachment is malicious... | The accused products allegedly classify executables to determine if they are malicious, which is the core of the infringement allegation. | ¶46 | col. 3:23-29 |
| wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment. | The complaint alleges that the accused products perform the overall method of claim 1. | ¶46 | col. 4:6-10 |

’907 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a) filtering said executable attachment from said email; b) extracting a byte sequence feature...; and c) classifying said executable attachment... | The accused products allegedly perform the general method of filtering, extracting features from, and classifying email attachments. | ¶58 | col. 12:35-46 |
| wherein said classifying comprises determining using a computer processor, with a Multi-Naive Bayes algorithm, a probability that said executable attachment is a member of each class... | The complaint alleges that the accused products' classification functionality operates using the claimed algorithm. | ¶58 | col. 12:49-53 |
| ...and dividing said step of determining said probability into a plurality of processing steps and executing said processing steps in parallel. | The complaint alleges the accused products' classification functionality operates using the claimed parallel processing architecture. | ¶58 | col. 12:53-56 |

Identified Points of Contention:

  • Evidentiary Questions: The complaint makes conclusory allegations that Symantec's products practice the claimed methods. A central point of contention will be an evidentiary one: what proof can be adduced in discovery that the accused products perform the highly specific steps recited in the claims? For the ’544 Patent, this includes whether the products extract features by "creating a byte string representative of resources referenced." For the ’907 Patent, this raises the question of whether the products specifically use a "Multi-Naive Bayes algorithm" and execute classification steps "in parallel."
  • Scope Questions: The dispute may also involve claim scope. For example, analysis may focus on whether the particular algorithms and methods used in Symantec’s products, once revealed, fall within the scope of the claim terms as they would be construed by a court.

V. Key Claim Terms for Construction

For the ’544 Patent:

  • The Term: "byte sequence feature"
  • Context and Importance: The definition of this term is central to the infringement analysis, as it defines the raw material used for classification. Whether Symantec's method of analyzing executables infringes will depend on whether the data it extracts and analyzes constitutes a "byte sequence feature" under the patent's definition. Practitioners may focus on this term because the claim itself appears to narrow its meaning via a "wherein" clause.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes features more broadly as "static properties" of an executable that do not require the program to be run (’544 Patent, col. 6:3-6). This could support an interpretation covering various forms of static data extracted from a file.
    • Evidence for a Narrower Interpretation: Claim 1 itself states, "wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment." This language may be used to argue that for infringement of this claim, the "byte sequence feature" must be specifically tied to referenced resources, not just any sequence of bytes from the file.

For the ’907 Patent:

  • The Term: "Multi-Naive Bayes algorithm"
  • Context and Importance: This term recites a specific type of machine learning algorithm. Infringement of claim 1 requires proof that the accused products use this specific algorithm or a legal equivalent. The entire infringement case for this patent may depend on the construction of this term and the subsequent factual inquiry.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: A party might argue the term should be understood by its plain and ordinary meaning to one of skill in the art of machine learning at the time, potentially encompassing similar multi-classifier voting systems.
    • Evidence for a Narrower Interpretation: The specification describes a specific implementation where the algorithm is "essentially a collection of Naive Bayes algorithms that voted on an overall classification," and where data is divided into subsets for parallel processing (’907 Patent, col. 9:45-55). This description of a specific embodiment could be used to argue for a narrower construction limited to that architecture.
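
An illustrative sketch of the architecture quoted above: several Naive Bayes classifiers, each trained on its own subset of the data, scored in parallel and combined into one class probability. This is an added example, not code from the patents, the complaint or any Symantec product; the 2-byte features, the summed log-scores used as the vote, and the constructed sample bytes are all assumptions.

```python
import math
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

CLASSES = ("benign", "malicious")

def byte_ngrams(data, n=2):
    """Overlapping n-byte sequences; n=2 is an assumption for this sketch."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]

class NaiveBayes:
    """One member classifier, trained on one subset of the labelled samples."""
    def __init__(self, samples):
        self.counts = {c: Counter() for c in CLASSES}
        self.docs = Counter()
        for data, label in samples:
            self.counts[label].update(byte_ngrams(data))
            self.docs[label] += 1
        self.vocab = len(set().union(*self.counts.values()))

    def log_scores(self, data):
        """log P(class) + sum of log P(feature | class), Laplace-smoothed."""
        n_docs = sum(self.docs.values())
        scores = {}
        for c in CLASSES:
            total = sum(self.counts[c].values())
            s = math.log((self.docs[c] + 1) / (n_docs + len(CLASSES)))
            for g in byte_ngrams(data):
                s += math.log((self.counts[c][g] + 1) / (total + self.vocab + 1))
            scores[c] = s
        return scores

def train(samples, k=2):
    """Divide the training data into k subsets, one classifier per subset."""
    return [NaiveBayes(samples[i::k]) for i in range(k)]

def classify(members, data):
    """Score with every member in parallel, then combine into P(class)."""
    with ThreadPoolExecutor() as pool:
        votes = list(pool.map(lambda m: m.log_scores(data), members))
    combined = {c: sum(v[c] for v in votes) for c in CLASSES}  # assumed vote rule
    top = max(combined.values())
    weights = {c: math.exp(s - top) for c, s in combined.items()}
    norm = sum(weights.values())
    return {c: w / norm for c, w in weights.items()}

# Constructed byte strings standing in for labelled executables.
TRAIN = [
    (b"\x10\x11\x12\x13\x10\x11\x12\x13", "benign"),
    (b"\x10\x11\x12\x14\x10\x11", "benign"),
    (b"\xde\xad\xbe\xef\xde\xad\xbe\xef", "malicious"),
    (b"\xde\xad\xbe\xee\xde\xad", "malicious"),
]
MEMBERS = train(TRAIN)
```

Whether a given product's classifier resembles this structure is exactly the kind of factual question the construction of the term would frame; the sketch only makes the quoted description concrete.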

VI. Other Allegations

  • Indirect Infringement: The complaint alleges both induced and contributory infringement for all asserted patents. Inducement is alleged based on Symantec "encouraging, teaching and instructing users" through materials like manuals and guides to use the products in an infringing manner (Compl. ¶¶47, 59, 71, 83, 95). Contributory infringement is alleged on the basis that the products are "especially made or especially adapted for infringing use" and are not staple articles of commerce (Compl. ¶¶50, 62, 74, 86, 98).
  • Willful Infringement: Willfulness is alleged for all asserted patents based on alleged pre-suit knowledge. The complaint asserts that Symantec was aware of the patents as of an August 14, 2012 letter from Columbia (Compl. ¶23). It further alleges knowledge based on Symantec’s researchers citing publications by the inventors and Symantec itself citing a related Columbia publication during its own patent prosecution (Compl. ¶¶25-26).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of evidentiary proof: can Plaintiff, through discovery, produce evidence showing that the internal workings of Symantec's complex security software products practice the specific technical limitations of the asserted claims, such as creating "a byte string representative of resources" or using a "Multi-Naive Bayes algorithm"? The complaint's lack of specific factual allegations on these technical points suggests this will be a central battleground.
  • A key legal question will be one of definitional scope, particularly for the term "Multi-Naive Bayes algorithm." The case may turn on whether this term is construed narrowly to its specific embodiment in the patent or more broadly to cover other probabilistic, multi-classifier systems that Symantec might use.
  • Finally, a significant question will be one of culpability: given the detailed allegations of pre-suit notice, including direct correspondence and citation of related art, the court will likely need to resolve whether Symantec's conduct, if found to be infringing, was objectively reckless and therefore warrants enhanced damages.