PTAB

IPR2015-00377

Symantec Corp v. Trustees Of Columbia University

Petition

1. Case Identification

2. Patent Overview

  • Title: Methods, Media and Systems for Detecting Anomalous Program Executions
  • Brief Description: The ’322 patent discloses systems for detecting anomalous program executions that may indicate a malicious attack or program fault. The technology involves training a model of normal program behavior, specifically focusing on function calls, and then monitoring subsequent program executions in an emulator to identify deviations from that trained model.

3. Grounds for Unpatentability

Ground 1: Obviousness over Khazan and Agrawal - Claims 1-8, 10-17, 19-25, and 27 are obvious over Khazan in view of Agrawal.

  • Prior Art Relied Upon: Khazan (Application # 2005/0108562) and Agrawal (Patent 8,108,929).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Khazan teaches the core elements of the independent claims: executing a portion of a program in an emulator, comparing a function call made in the emulator to a model of normal behavior, and identifying the function call as anomalous based on a deviation. Khazan was presented as a system for detecting malicious code by creating an application model of normal function calls and then dynamically analyzing program execution against that model in a virtual environment. Petitioner asserted that Agrawal supplies the remaining limitations of the independent claims, specifically teaching the use of a "combined model." Agrawal discloses combining multiple detection algorithms (models) to improve anomaly detection precision. Petitioner argued this teaching renders obvious the limitations of creating a combined model from at least two models created at different times (claims 1, 10, 19) or using different computers (claims 2, 11, 27).
    • Motivation to Combine: A POSITA would combine Khazan and Agrawal because both references are directed to detecting anomalous system behavior. Petitioner contended it would have been obvious to use Agrawal’s multi-model approach in place of the single model in Khazan’s anomaly detection system. This was characterized as a simple substitution of one known element for another to improve detection accuracy.
    • Expectation of Success: A POSITA would have had a reasonable expectation of success because combining multiple detection models, as taught by Agrawal, was a known technique for improving the precision of anomaly detection systems like Khazan’s.

Ground 2: Obviousness over Khazan, Agrawal, and Arnold - Claims 9, 18, and 26 are obvious over Khazan in view of Agrawal and in further view of Arnold.

  • Prior Art Relied Upon: Khazan (Application # 2005/0108562), Agrawal (Patent 8,108,929), and Arnold (Patent 5,440,723).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground builds on the combination of Khazan and Agrawal from Ground 1 to establish the elements of the underlying independent claims. Petitioner argued that Arnold teaches the additional limitation recited in dependent claims 9, 18, and 26: "notifying another computer of the anomalous function call." Arnold discloses an "automatic immune system" for computer networks that, upon detecting anomalous behavior indicative of a virus, sends a "kill signal" from the infected computer to neighboring computers. This signal alerts other computers on the network to the presence of the anomaly.
    • Motivation to Combine: A POSITA would combine Arnold’s teaching with the Khazan/Agrawal system because all three references address detecting and responding to malicious software. Petitioner argued that once an anomaly is detected using the Khazan/Agrawal system, it would be an obvious and logical step to incorporate Arnold’s known technique of notifying other computers to limit the spread of the threat, particularly for network-aware malware like worms.
    • Expectation of Success: The combination was presented as a predictable integration of a known network security feature (notification) into an anomaly detection system, with the expected result of improved overall network immunity.

4. Key Claim Construction Positions

Petitioner argued for constructions adopted by the district court in a related litigation, as well as additional constructions, to be applied under the Broadest Reasonable Construction standard.

  • anomalous: Petitioner proposed the construction "deviation/deviating from a model of typical, attack-free computer system usage." This construction was argued to be central to the obviousness analysis, aligning the claims with the prior art's focus on detecting deviations from normal behavior.
  • emulator: Petitioner proposed "software, alone or in combination with hardware, that permits the monitoring and selective execution of certain parts, or all, of a program." This broad construction was used to map prior art disclosing virtual environments (like VMware in Khazan) to the claim limitation.
  • generating a virtualized error: Petitioner proposed "simulating an error return from the function." This construction was key to mapping Khazan’s disclosure of returning a "function-specific error code" upon detecting malicious code to the limitations of dependent claims 4, 13, and 21.
  • reflects: Petitioner proposed this term means "describes," arguing this interpretation is consistent with its use in the specification and necessary for mapping Khazan's model of "normal behavior" to claims requiring the model to reflect normal activity.

5. Relief Requested

  • Petitioner requests institution of an inter partes review and cancellation of claims 1-27 of Patent 8,601,322 as unpatentable.