PTAB

IPR2015-00375

Symantec Corp v. Trustees Of Columbia University In City Of New York

Key Events

Petition

petition

Title: Methods, Media and Systems for Detecting Anomalous Program Executions
Brief Description: The ’115 patent discloses methods for detecting anomalous program executions, which may indicate a malicious attack or program fault. The technology involves creating a model of normal program behavior, particularly focusing on function calls, and then monitoring subsequent executions to identify deviations from this established model.

Prior Art Relied Upon: Khazan (Application # 2005/0108562).
Core Argument for this Ground:
- Prior Art Mapping: Petitioner asserted that Khazan teaches every element of the challenged claims. Khazan describes a malicious code detection system that uses a combination of static and dynamic analysis. This system modifies a program using an "instrumentation technique" to monitor its execution (the "modifying" element), runs the program in an emulated environment, compares the program's run-time behavior (specifically function calls) against a pre-built application model of normal behavior (the "comparing" element), and identifies any deviations as malicious code (the "identifying" element). Petitioner argued Khazan also discloses dependent claim features, such as modifying the anomalous function call to return an error code and comparing specific function call names and arguments against the model.

Prior Art Relied Upon: Khazan (Application # 2005/0108562) and Arnold (Patent 5,440,723).
Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Khazan teaches the core elements of executing a program in an emulator, comparing function calls to a model, and identifying anomalies. The primary difference in this set of claims is the additional "notifying" element, which Petitioner contended is taught by Arnold. Arnold discloses an "automatic immune system" for computer networks that detects anomalous behavior indicative of a virus.
- Motivation to Combine: Arnold teaches that upon detecting an anomaly, its system sends a "kill signal" to other computers on the network to alert them and prevent the spread of the virus. Petitioner asserted a person of ordinary skill in the art (POSITA) would be motivated to incorporate Arnold's known, desirable notification technique into Khazan's anomaly detection system. Both references address computer security in a networked environment, and adding a notification feature to a detection system was argued to be a simple and logical combination to improve network-wide security.
- Expectation of Success: Petitioner contended that combining a known notification system with a known detection system was a simple substitution of one known element for another to obtain the predictable result of a more robust, network-aware security system.

Prior Art Relied Upon: Khazan (Application # 2005/0108562), Arnold (Patent 5,440,723), and Agrawal (Patent 8,108,929).
Core Argument for this Ground:
- Prior Art Mapping: This ground builds upon the combination of Khazan and Arnold from Ground 2, adding Agrawal to teach the additional limitations of the dependent claims. Petitioner argued Agrawal teaches creating a combined model from multiple models built from different data sets (e.g., from different computers or at different times) and randomly selecting a model for the comparison. Agrawal explicitly discusses combining multiple detection algorithms (which it uses synonymously with "models") to improve detection precision.
- Motivation to Combine: A POSITA would be motivated to combine Agrawal's multi-model approach with the Khazan/Arnold system. All three references are directed at detecting anomalous system behavior. Agrawal expressly states that combining analysis techniques improves detection accuracy. Therefore, a POSITA would find it obvious to replace Khazan's single-model approach with Agrawal's more sophisticated multi-model system to achieve the known benefit of enhanced detection accuracy.
- Expectation of Success: The combination was presented as the application of a known technique (multi-model analysis from Agrawal) to a similar system (Khazan/Arnold) to yield predictable improvements in performance, and thus a POSITA would have had a reasonable expectation of success.

"anomalous": Petitioner proposed the construction “deviation/deviating from a model of typical, attack-free computer system usage.” This was asserted to be consistent with a construction already adopted by a district court in related litigation and supported by the patent’s specification.
"emulator": Proposed as “software, alone or in combination with hardware, that permits the monitoring and selective execution of certain parts, or all, of a program.” This construction was argued to be grounded in the specification’s description of "Selective Transactional Emulation (STEM)."
"application community": Proposed as “members of a community running the same program or a selected portion of the program.” This is based on the specification’s explicit definition.
"generating a virtualized error": Petitioner argued for the construction “simulating an error return from the function,” based on the specification’s language about using an emulator to "simulate an error return."
"reflects": Petitioner proposed the construction “describes,” arguing that the context in which the word is used in the specification indicates it is meant to convey that the model describes application characteristics, not that it mirrors them in real-time.

Petitioner requested institution of an inter partes review and cancellation of claims 1-42 of Patent 8,074,115 as unpatentable.