
Patent No. 7,487,544 Petition For Inter Partes Review

Paper No. 1

IN THE

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

_____________

SYMANTEC CORPORATION,

Petitioner

- vs. -

THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK,

Patent Owner

_____________

Patent No. 7,487,544

Issued: February 3, 2009

Inventors: Matthew G. Schultz, Eleazar Eskin, Erez Zadok, Manasi Bhattacharyya, and Stolfo J. Salvatore

Title: SYSTEM AND METHODS FOR DETECTION OF NEW MALICIOUS EXECUTABLES

Inter Partes Review No.

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 7,487,544 UNDER 35 U.S.C. §§ 311-319 AND 37 C.F.R. §§ 42.1-.80, 42.100-.123

_____________

Mail Stop Patent Board

Patent Trial and Appeal Board

P.O. Box 1450

Alexandria, VA 22313-1450

December 5, 2014


TABLE OF CONTENTS

I. INTRODUCTION

II. MANDATORY NOTICES (37 C.F.R. § 42.8(A)(1))

A. Real Party-In-Interest (37 C.F.R. § 42.8(b)(1))

B. Notice of Related Matters (37 C.F.R. § 42.8(b)(2))

C. Designation of Lead and Backup Counsel (37 C.F.R. § 42.8(b)(3))

D. Service of Information (37 C.F.R. § 42.8(b)(4))

III. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))

IV. IDENTIFICATION OF CHALLENGE (37 C.F.R. § 42.104(B))

A. Effective Filing Date of the ’544 patent

B. There Is a Reasonable Likelihood That at Least One Claim of the ’544 Patent Is Unpatentable under 35 U.S.C. § 103

V. OVERVIEW OF THE ’544 PATENT

VI. CONSTRUCTION OF THE CHALLENGED CLAIMS (37 C.F.R. § 42.104(B)(3))

VII. THE CHALLENGED CLAIMS ARE UNPATENTABLE

A. Classifying executable email attachments using byte sequence features is not new

1. U.S. Patent No. 5,832,208 (“Chen”)

2. “A Constructive Induction Approach to Computer Immunology” (“Cardinale”)

3. “Automatically Generated WIN32 Heuristic Virus Detection” (“Arnold”)


4. “Attacks on WIN32” (“Szor”)

5. U.S. Patent No. 6,823,323 (“Forman”)

6. “Boosting and Naïve Bayesian Learning” (“Elkan”)

7. Admitted Prior Art (“APA”)

B. Reasons the Claims are Unpatentable

1. Ground 1: Chen in View of Cardinale Renders Obvious Claim 34 Under 35 U.S.C. § 103(a)

a. Claim 34: “A system for classifying an executable attachment in an email received at a server of a computer system comprising”

b. Claim 34: “a) an email filter configured to filter said executable attachment from said email”

c. Claim 34: “b) a feature extractor configured to extract a byte sequence feature from said executable attachment”

d. Claim 34: “c) a rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes”

2. Ground 2: Chen in View of Cardinale, and further in view of Forman Renders Obvious Claim 6, 7, 10-15, 35, and 38-40 Under 35 U.S.C. § 103(a)


a. Claim 6: “A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising”

b. Claim 6: “a) filtering said executable attachment from said email”

c. Claim 6: “b) extracting a byte sequence feature from said executable attachment”

d. Claim 6: “c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine a probability that said executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline”

e. Claims 7 and 35: “determin[e/ing] said probability that said executable attachment is a member of each class in said set of classes with a Naive Bayes algorithm”

f. Claims 10 and 38: “classify[ing] said executable attachment as malicious if said probability that said executable attachment is malicious is greater than said probability that said executable attachment is benign”


g. Claims 11 and 39: “classify[ing] said executable attachment as benign if said probability that said executable attachment is benign is greater than said probability that said executable attachment is malicious”

h. Claims 12 and 40: “classify[ing] said executable attachment as borderline if a difference between said probability that said executable attachment is benign and said probability that said executable attachment is malicious is within a predetermined threshold”

i. Claim 13: “logging said class of said executable attachment classified in said step c)”

j. Claim 14: “incrementing a count of said executable attachments classified as borderline”

k. Claim 15: “if said count of executable attachments exceeds a predetermined threshold, providing a notification that said threshold has been exceeded”

3. Ground 3: Cardinale in View of APA, and further in view of Forman Renders Obvious Claim 43 Under 35 U.S.C. § 103(a)

a. Claim 43: “A method for classifying an executable program comprising”


b. Claim 43: “a) training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features;”

c. Claim 43: “b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal format”

d. Claim 43: “c) determining the probability that the executable program is within each said predetermined class in a set of classes consisting of malicious, benign, and borderline, based on said one or more byte sequence features in said executable and said classification rule set.”

4. Ground 4: Chen in View of Cardinale, and further in view of Arnold and Szor Renders Obvious Claims 1, 2, 5, 28, 29, 31-33, 41, and 42 Under 35 U.S.C. § 103(a)

a. Claim 1: “A method for classifying an executable attachment in an email received at an email processing application of a computer system”

b. Claim 28: “A system for classifying an executable attachment in an email received at a server of a computer system”

c. Claims 1 and 28: “filter[ing] said executable attachment from said email”


d. Claims 1 and 28: “extract[ing] a byte sequence feature from said executable attachment . . . creat[ing] a byte string representative of resources referenced by said executable attachment”

e. Claims 1 and 28: “classify[ing] said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious”

f. Claims 2 and 29: “extract[ing] static properties of said executable attachment”

g. Claims 5 and 33: “updat[ing] the classification rule set based on executable attachments classified in said classifying”

h. Claims 31: “predict the classification of said executable attachment as one class of a set of classes consisting of malicious and benign”

i. Claims 32: “an email interface configured to log said class of said executable attachment classified in said step c)”

j. Claims 41: “wherein said email interface is configured to increment a count of said executable attachments classified as borderline”


k. Claims 42: “wherein said email interface is configured to, if said count of executable attachments exceeds a predetermined threshold, provide a notification that said threshold has been exceeded”

5. Ground 5: Chen in View of Cardinale, and further in view of Elkan Renders Obvious Claims 36 and 37 Under 35 U.S.C. § 103(a)

a. Claim 36: “determine said probability that said executable attachment is a member of a class of said set of classes with a multi-Naive Bayes algorithm”

b. Claim 37: “divide a determination said probability into a plurality of processing steps and to execute said processing steps in parallel”

6. Ground 6: Cardinale in View of APA, and further in view of Szor and Arnold Renders Obvious Claims 16, 17, and 25-27 Under 35 U.S.C. § 103(a)

7. Ground 7: Chen in View of Cardinale, and further in view of Arnold, Szor, and APA Renders Obvious Claims 3 and 30 Under 35 U.S.C. § 103(a)

8. Ground 8: Chen in View of Cardinale, and further in view of Arnold, Szor, and Forman Renders Obvious Claim 4 Under 35 U.S.C. 103(a)

9. Ground 9: Chen in View of Cardinale, and further in view of Forman and Elkan Renders Obvious Claims 8 and 9 Under 35 U.S.C. § 103(a)


10. Ground 10: Cardinale in View of APA, and further in view of Szor, Arnold, and Chen Renders Obvious Claim 24 Under 35 U.S.C. § 103(a)

11. Ground 11: Cardinale in View of APA, and further in view of Szor, Arnold, and Forman Renders Obvious Claims 18, 19, 21, 22, and 23 Under 35 U.S.C. § 103(a)

12. Ground 12: Cardinale in View of APA, and further in view of Szor, Arnold, and Elkan Renders Obvious Claim 20 Under 35 U.S.C. § 103(a)

VIII. CONCLUSION


EXHIBIT LIST (37 C.F.R. § 42.63(e))

Exhibit Description

1001 U.S. Patent No. 7,487,544 to Schultz et al.

1002 File History of U.S. Patent No. 7,487,544

1003 Declaration of Michael T. Goodrich, Ph.D.

1004 Curriculum vitae of Michael T. Goodrich, Ph.D.

1005 The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, Oct. 7, 2014 Claim Construction Order (Dkt. No. 123)

1006 The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808, October 23, 2014 Memorandum Order Clarifying Claim Construction (Dkt. No. 146)

1007 U.S. Patent No. 5,832,208 to Chen et al.

1008 Cardinale, K. et al., “A Constructive Induction Approach to Computer Immunology,” published March 1999

1009 Arnold, W. et al., “Automatically Generated WIN32 Heuristic Virus Detection,” Virus Bulletin Conference September 2000, published September 2000

1010 Szor, P. et al., “Attacks on WIN32,” Virus Bulletin Conference October 1998, published October 1998

1011 U.S. Patent No. 6,823,323 to Forman et al.

1012 Elkan, C., “Boosting and Naïve Bayesian Learning,” Technical Report No. CS97-557, published September 1997


I. INTRODUCTION

In accordance with 35 U.S.C. §§ 311-319 and 37 C.F.R. §§ 42.1-.80 & 42.100-.123, inter partes review is respectfully requested for claims 1-43 of United States Patent No. 7,487,544 to Schultz et al., titled “System and Methods for Detection of New Malicious Executables” (the “’544 patent”) owned by The Trustees of Columbia University in the city of New York (“Columbia”). (EXHIBIT 1001 (“Ex. 1001”).) This petition demonstrates that there is a reasonable likelihood that the petitioners will prevail on at least one of the claims challenged in the petition based on prior art references. Claims 1-43 of the ’544 patent should therefore be canceled as unpatentable.

II. MANDATORY NOTICES (37 C.F.R. § 42.8(A)(1))

A. Real Party-In-Interest (37 C.F.R. § 42.8(b)(1))

The real party-in-interest for this petition is Symantec Corporation (“Petitioner” or “Symantec”).

B. Notice of Related Matters (37 C.F.R. § 42.8(b)(2))

The ’544 patent is presently the subject of the following patent infringement lawsuit brought by Columbia in the Eastern District of Virginia, Richmond Division: Civil Action No. 3:13-cv-808 against Symantec. Concurrent with the instant petition, Petitioner is also filing petitions requesting inter partes review of U.S. Patent Nos.: 8,601,322, 8,074,115, 7,979,907, 7,448,084, and 7,913,306.


C. Designation of Lead and Backup Counsel (37 C.F.R. § 42.8(b)(3))

Lead: David D. Schumann, Reg. No. 53,569. Email: [email protected].

Backup: Brian M. Hoffman, Reg. No. 39,713. Email: [email protected].

Address for both counsel: FENWICK & WEST LLP, 555 California Street, 12th Floor, San Francisco, CA 94104, Tel: (415) 875-2300, Fax: (415) 281-1350.

D. Service of Information (37 C.F.R. § 42.8(b)(4))

Service of any documents via hand-delivery may be made at the postal mailing addresses of the respective lead and back-up counsel designated above with courtesy copies to the email addresses [email protected] and [email protected]. Petitioner consents to electronic service.

III. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))

Petitioner certifies pursuant to Rule 42.104(a) that the ’544 patent is available for inter partes review and that Petitioner is not barred or estopped from requesting an inter partes review challenging the validity of the above-referenced claims of the ’544 patent on the grounds identified in the petition.

IV. IDENTIFICATION OF CHALLENGE (37 C.F.R. § 42.104(B))

A. Effective Filing Date of the ’544 patent

The ’544 patent issued from U.S. Application No. 10/208,432 filed on July 30, 2002. The ’432 Application claims the benefit of U.S. Provisional Application Nos. 60/308,622, filed July 30, 2001 and 60/308,623, also filed July 30, 2001. Claims 1, 6, 16, 28, 34, and 43 are independent. The effective filing date of these claims and the claims that depend from them is no earlier than July 30, 2001.

B. There Is a Reasonable Likelihood That at Least One Claim of the ’544 Patent Is Unpatentable under 35 U.S.C. § 103

The challenged claims are generally directed to detecting malicious executables in email attachments. Prior art had disclosed the subject matter of these claims. The claims are unpatentable in view of the following patents and publications:

U.S. Patent No. 5,832,208, filed on September 5, 1996, issued on November 3, 1998, and titled “Anti-Virus Agent for Use with Databases and Mail Servers” (“Chen”) (Exhibit 1007). This patent is prior art to the ’544 patent under pre-AIA §§ 102(a) and (b).

Cardinale, K. et al., “A Constructive Induction Approach to Computer Immunology,” published March 1999 (“Cardinale”) (Exhibit 1008). This publication is prior art to the ’544 patent under pre-AIA §§ 102(a) and (b).

Arnold, W. et al., “Automatically Generated WIN32 Heuristic Virus Detection,” Virus Bulletin Conference, September 2000, published September 2000 (“Arnold”) (Exhibit 1009). This publication is prior art to the ’544 patent under pre-AIA § 102(a).

Szor, P. et al., “Attacks on WIN32,” Virus Bulletin Conference, October 1998, published October 1998 (“Szor”) (Exhibit 1010). This publication is prior art to the ’544 patent under pre-AIA §§ 102(a) and (b).

U.S. Patent No. 6,823,323, filed on April 26, 2001, published on October 31, 2002, and titled “Automatic classification method and apparatus” (“Forman”) (Exhibit 1011). This patent is prior art to the ’544 patent under pre-AIA § 102(e).

Elkan, C., “Boosting and Naïve Bayesian Learning,” Technical Report No. CS97-557, published September 1997 (“Elkan”) (Exhibit 1012). This publication is prior art to the ’544 patent under pre-AIA §§ 102(a) and (b).

Section VII below explains how the above-cited references create a reasonable likelihood that Petitioner will prevail on at least one of the challenged claims. See 35 U.S.C. § 314(a). Indeed, section VII, as supported by the Declaration of Michael T. Goodrich, Ph.D. and the claim charts attached thereto (Exhibit 1003), demonstrates that all of the challenged claims are rendered obvious in view of various combinations of these references. Petitioner requests cancellation of claims 1-43 as unpatentable under 35 U.S.C. § 103.

V. OVERVIEW OF THE ’544 PATENT

The ’544 patent discloses “[a] system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques.” (Abstract.)[1] Figure 8 of the ’544 patent is shown below.

Figure 8 illustrates “[t]he process of detecting malicious emails.” (12:58-59). The process 100 begins when a server receives emails at step 102. (12:59-60). “[T]he emails are filtered to extract attachments or other components from the email (step 104).” (12:66-67). The extracted attachments may be saved as a file. (12:67-13:11).

Next, at step 106, “features” in the executable attachment are extracted. (13:12-13). These “features” include properties extracted from the attachment, such as byte sequences of hexadecimal characters that represent the machine code in the executable attachment. (See 13:12-37).

“The features extracted from the attachment in step 106 are evaluated using [a] classification rule set . . . , and the attachment is classified as malicious or benign (step 108).” (13:38-41). The “classification rule set [is] derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign.” (Abstract). In addition to identifying an attachment as malicious or benign, step 110 may also be included to identify executables that are borderline (e.g., cannot be classified as either malicious or benign). (See 13:64-14:22). Finally, at step 112, the analyzed attachment is logged along with other information such as whether the attachment was malicious, benign, or borderline. (14:49-52).

[1] All citations in this section are to the ’544 patent (Ex. 1001).
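The flow described in this overview (steps 102 to 112), written out as an added Python example that is not code from the petition, the ’544 patent or any cited reference. The 2-byte feature width, the Laplace smoothing, the 0.10 borderline threshold, all function and class names, and the sample byte strings are assumptions made for illustration.

```python
import math
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

NGRAM = 2          # assumed feature width in bytes; the page does not fix one
THRESHOLD = 0.10   # assumed "predetermined threshold" for the borderline class


def byte_sequence_features(blob, n=NGRAM):
    """Step 106: hex-encode the binary and return its distinct n-byte sequences."""
    hexed, width = blob.hex(), 2 * n
    return {hexed[i:i + width] for i in range(0, len(hexed) - width + 1, 2)}


class RuleSet:
    """Records, per class, how many known executables contain each feature."""

    def __init__(self):
        self.files = Counter()
        self.hits = {"malicious": Counter(), "benign": Counter()}

    def train(self, blob, label):
        self.files[label] += 1
        self.hits[label].update(byte_sequence_features(blob))

    def probabilities(self, blob):
        """Naive Bayes posterior over the features present in blob.

        Assumes every class has at least one training file.
        """
        total = sum(self.files.values())
        log_p = {}
        for label, hits in self.hits.items():
            score = math.log(self.files[label] / total)
            for feat in byte_sequence_features(blob):
                # Laplace smoothing (an assumption) keeps an unseen
                # feature from driving a class probability to zero.
                score += math.log((hits[feat] + 1) / (self.files[label] + 2))
            log_p[label] = score
        peak = max(log_p.values())
        weights = {k: math.exp(v - peak) for k, v in log_p.items()}
        norm = sum(weights.values())
        return {k: w / norm for k, w in weights.items()}

    def classify(self, blob, threshold=THRESHOLD):
        """Steps 108-110: malicious, benign, or borderline when too close."""
        p = self.probabilities(blob)
        if abs(p["malicious"] - p["benign"]) <= threshold:
            return "borderline"
        return max(p, key=p.get)


def scan_email(raw, rules, log):
    """Steps 102-112: filter attachments, classify each, log the verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True)
        log.append((part.get_filename(), rules.classify(blob)))
    return log


def build_email(filename, blob):
    """Construct a sample message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "file"
    msg.set_content("See attachment.")
    msg.add_attachment(blob, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def demo():
    rules = RuleSet()
    # Constructed byte strings standing in for labelled executables.
    for sample in ("deadbeef0102", "deadbeef0304"):
        rules.train(bytes.fromhex(sample), "malicious")
    for sample in ("cafef00d0102", "cafef00d0506"):
        rules.train(bytes.fromhex(sample), "benign")
    log = []
    for name, sample in (("a.exe", "deadbeef0708"),
                         ("b.exe", "cafef00d0708"),
                         ("c.exe", "01020708")):
        scan_email(build_email(name, bytes.fromhex(sample)), rules, log)
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```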

VI. CONSTRUCTION OF THE CHALLENGED CLAIMS (37 C.F.R. § 42.104(B)(3))

The terms in claims 1-43 are to be given their broadest reasonable construction (“BRC”), as understood by one of ordinary skill in the art and consistent with the disclosure. See 37 C.F.R. § 42.100(b); see also In re Yamamoto, 740 F.2d 1569, 1571 (Fed. Cir. 1984); In re Am. Acad. of Sci. Tech. Ctr., 367 F.3d 1359, 1363-64 (Fed. Cir. 2004).

The following constructions were adopted by the district court in The Trustees of Columbia University in the City of New York v. Symantec Corp., Civil Action No. 3:13-cv-808 for the ’544 patent. Petitioner submits that the claim terms should be construed at least as broadly as the constructions the district court adopted for the reasons set forth in that case. (Exs. 1005-1006).

Specifically, the BRC of the term “byte sequence feature” is a “[f]eature that is a representation of machine code instructions of the executable” where a “‘[f]eature’ is a property or attribute of data which may take on a set of values.” (Ex. 1005 at 1). This construction is consistent with the specification, which states that a “byte sequence feature is informative because it represents the machine code in an executable.” (’544 patent, 6:12-14, Ex. 1001; Ex. 1003 ¶ 58). In addition, the specification states that a feature is a “propert[y]” of the executable. (’544 patent, 3:30-34, Ex. 1001; Ex. 1003 ¶ 58).

The BRC of the term “email interface” is “[t]he component that reintegrates filtered email back into normal email traffic and may send the model generator 240 each attachment to be analyzed further.” (Ex. 1005 at 1). This construction is consistent with the specification, which states that the email interface “reintegrates filtered email back into normal email traffic 300, and . . . may send the model generator 240 (described below) each attachment to be analyzed further.” (’544 patent, 15:30-34, Ex. 1001; Ex. 1003 ¶ 59).

In addition to the constructions adopted by the district court, Petitioner submits the following constructions:

The BRC of the term “filtering” is “extracting.” (Ex. 1003 ¶ 60). This construction is consistent with the specification, which states that “emails are filtered to extract attachments or other components from the email.” (’544 patent, 12:66-67, Ex. 1001; Ex. 1003 ¶ 60).

The BRC of the term “classification rule set” is “a set of hypotheses that predict classification.” (Ex. 1003 ¶ 61). This construction is consistent with the specification, which states that “a classification rule set is considered to have the standard meaning in data mining terminology, i.e., a set of hypotheses that predict the classification.” (’544 patent, 11:64-67, Ex. 1001; Ex. 1003 ¶ 61).

The BRC of the term “static properties” is “properties that do not require an executable to be run in order to be discerned.” (Ex. 1003 ¶ 62). This construction is consistent with the specification, which states “extracting the byte sequence feature from said executable attachment comprises extracting static properties of the executable attachment, which are properties that do not require the executable to be run in order to discern.” (’544 patent, 3:30-34, Ex. 1001; Ex. 1003 ¶ 62).

The BRC of the term “logging” is “recording information.” (Ex. 1003 ¶ 63). This construction is consistent with the specification, which states “identifiers are than kept in a log along with other information such as whether the attachment was malicious, benign, or borderline and with what certainty the system made those predictions.” (’544 patent, 14:49-52, Ex. 1001; Ex. 1003 ¶ 63).

VII. THE CHALLENGED CLAIMS ARE UNPATENTABLE

A. Classifying executable email attachments using byte sequence features is not new

The Background section of the ’544 patent describes how the propagation of malicious executables through e-mail attachments is a serious security risk. (’544 patent, 1:42-45, Ex. 1001). Therefore, virus scanner technology uses signature-based detectors and heuristic classifiers to detect new viruses. (’544 patent, 1:50-52, Ex. 1001). Manually generating heuristic classifiers is costly and, therefore, “finding an automatic method to generate classifiers has been the subject of research in the anti-virus community.” (’544 patent, 1:65-2:1, Ex. 1001). In fact, the research in the anti-virus community had already recognized that byte sequence features could be used to derive a classification rule set for classifying an executable attachment. (See Cardinale, Ex. 1008 at 26). The elements recited by the challenged claims merely describe obvious combinations in which the byte sequence features are used to classify executables.

1. U.S. Patent No. 5,832,208 (“Chen”)

Chen discloses an agent computer program that works in “conjunction with anti-virus software to detect and remove computer viruses from email attachments.” (Chen, 5:1-6, Ex. 1007). When an email is received by a mail server, the agent computer program determines whether an attachment is present in the email message. (Chen, 7:41-43, Ex. 1007). Chen discloses that an attachment may be an executable program. (Chen, 3:21-22, Ex. 1007). If the email includes an attachment, the agent computer program detaches the email attachment from the email message and sends the attachment to an anti-virus application for virus scanning. (Chen, 7:48-51, Ex. 1007).

The anti-virus application scans the attachment for viruses. (Chen, 7:21-51, Ex. 1007). If the anti-virus application classifies the attachment as being infected with a virus, the agent computer system transmits an alert to devices in a network and the anti-virus application attempts to remove the virus from the attachment. (Chen, 7:56-58 and 8:6-8, Ex. 1007). If the anti-virus application is able to remove the virus, the agent computer program reattaches the attachment to the original email and the email is handled like a normal email. (Chen; 5:25-27, 8:8-9; Ex. 1007). Chen discloses that the agent computer program can work in conjunction with any virus detection program. (Chen, 6:29-32, Ex. 1007).

2. “A Constructive Induction Approach to Computer Immunology” (“Cardinale”)

Cardinale discloses developed prototype software named MERCURY that includes a virus scanner for detecting viruses in executable files. (Cardinale, Ex. 1008 at 114, 172). MERCURY employs a learning method called “induction learning” to generate a set of detectors[2] that can distinguish between self and nonself files. (Cardinale, Ex. 1008 at 30-3, 49-51). Cardinale discloses that nonself files are files that are infected with a virus and that the self files are files that are not infected. (Cardinale, Ex. 1008 at 20-22).

[2] Cardinale also refers to the detectors as “byte patterns” and “signatures.” (Cardinale, p. 30, sec. 1.4; p. 139, sec. 5.2; p. 140, sec. 5.3, p. 141, sec. 5.3.1.1, Ex. 1008).

A component of MERCURY, referred to as “HEC,” creates the detectors which are for both self and nonself files. (Cardinale, Ex. 1008 at 140). To create the detectors, the HEC uses training samples that include viral and nonviral examples. (Cardinale, Ex. 1008 at 49, 51). From the training samples, the HEC creates hypotheses, which are candidate detectors. (Cardinale, Ex. 1008 at 139, 140). The HEC creates the hypotheses using “two methods: initial selection of attributes from an example file, or construction based upon the features of two existing hypotheses from the same concept.” (Cardinale, Ex. 1008 at 140). For selection of attributes from an example file, the HEC uses the following three rules to select bytes from the example file: “chunking, sliding window, and every other byte sliding window.” (Cardinale, Ex. 1008 at 143).

For each hypothesis, a score is calculated that indicates how well the hypothesis classifies examples. (Cardinale, Ex. 1008 at 141, 156). The score is used to determine if a detector should be derived from the hypothesis and included in a knowledge base that includes detectors “used to classify executable files as self and nonself.” (Cardinale, Ex. 1008 at 156-157, 170, 171). If the score is acceptable, a detector is derived from the hypothesis and added to the knowledge base. (Cardinale, Ex. 1008 at 156, 170, 171).

To classify an executable file, 16 bytes at a time are extracted from the executable file. (Cardinale, Ex. 1008 at 173). Each of the byte sequences is compared to the detectors included in the knowledge base. (Id.). The file may be classified self, nonself, or indiscernible. (Cardinale, Ex. 1008 at 127, 173-175). An indiscernible file is sent to a virus expert to determine whether the file is infected. (Cardinale, Ex. 1008 at 173-174). Once the results are received from the expert, the HEC creates a new detector based on the result and adds it to the knowledge base. (Cardinale, Ex. 1008 at 115, 174).
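The scan-and-classify step described above can be sketched as follows. This is an added illustration, not code from Cardinale or from the petition: the one-byte stride, the SHA-256 identifier in the log record, the function names and all sample bytes are assumptions or constructed data.

```python
"""Detector-based three-way scan rule (added illustration, constructed data)."""
import hashlib
from enum import Enum

WINDOW = 16  # the section states that 16 bytes are extracted at a time


class Verdict(Enum):
    SELF = "self"                    # the petition maps this to "benign"
    NONSELF = "nonself"              # mapped to "malicious"
    INDISCERNIBLE = "indiscernible"  # mapped to "borderline"


def windows(data, size=WINDOW, step=1):
    """Yield (offset, bytes) for each size-byte sequence in data.

    step=1 is an assumption; the section does not give the stride.
    """
    for offset in range(0, len(data) - size + 1, step):
        yield offset, data[offset:offset + size]


def scan(data, self_detectors, nonself_detectors):
    """Apply the self/nonself/indiscernible rule; return (verdict, hits)."""
    for det in set(self_detectors) | set(nonself_detectors):
        if len(det) != WINDOW:
            raise ValueError("detector must be exactly %d bytes" % WINDOW)
    hits = []
    for offset, seq in windows(data):
        if seq in nonself_detectors:
            hits.append((offset, "nonself"))
        elif seq in self_detectors:
            hits.append((offset, "self"))
    kinds = {kind for _, kind in hits}
    if "nonself" in kinds:   # any nonself detector found
        return Verdict.NONSELF, hits
    if "self" in kinds:      # self detector(s) found and no nonself detector
        return Verdict.SELF, hits
    return Verdict.INDISCERNIBLE, hits  # nothing matched, or file under 16 bytes


def triage(attachments, self_detectors, nonself_detectors):
    """Scan named attachments; return (log, expert_queue)."""
    log, expert_queue = [], []
    for name, data in attachments.items():
        verdict, hits = scan(data, self_detectors, nonself_detectors)
        log.append({
            "id": hashlib.sha256(data).hexdigest(),  # identifier choice is an assumption
            "name": name,
            "verdict": verdict.value,
            "hits": hits,
        })
        if verdict is Verdict.INDISCERNIBLE:
            expert_queue.append(name)  # an expert decides, as the section describes
    return log, expert_queue


# Constructed sample data: none of these bytes come from real software or malware.
SELF_DETECTORS = {bytes(range(0x10, 0x20))}
NONSELF_DETECTORS = {b"\xde\xad\xbe\xef" * 4}
CLEAN = b"MZ" + b"\x00" * 30 + bytes(range(0x10, 0x20)) + b"\x90" * 8
INFECTED = CLEAN + b"\xde\xad\xbe\xef" * 4
UNKNOWN = b"\x41" * 64
TINY = b"\x01\x02\x03"

if __name__ == "__main__":
    samples = {"clean.exe": CLEAN, "infected.exe": INFECTED,
               "unknown.exe": UNKNOWN, "tiny.exe": TINY}
    log, queue = triage(samples, SELF_DETECTORS, NONSELF_DETECTORS)
    for entry in log:
        print(entry["name"], entry["verdict"], entry["hits"])
    print("sent to expert:", queue)
```

A file that carries both a self and a nonself detector is reported as nonself, and a file shorter than 16 bytes yields no sequences at all and therefore lands in the expert queue.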

3. “Automatically Generated WIN32 Heuristic Virus Detection” (“Arnold”)

Arnold discloses a heuristic classifier for detecting computer viruses. In particular, Arnold discloses a neural network classifier having a set of eight linear networks, where each network classifies a file and the outputs from the networks are combined to determine whether the file is infected with a virus. (Arnold, Ex. 1009 at 6). Each network is trained using n-grams identified using viral and clean training samples. (Arnold, Ex. 1009 at 4-5). The n-grams are small sequences of bytes extracted from files. (Arnold, Ex. 1009 at 2).

Once the networks are trained, the classifier is tested using sample files. (Arnold, Ex. 1009 at 5). For a test sample file, an input vector is generated based on which n-gram features the file includes. (Id.). Each network calculates an output O for the input vector. (Id.). The output is a value between 0.0 and 1.0. (Id.). The output value is then compared to a threshold. (Id.). If the output is above the threshold, a discrete output of 1 is output by the network, indicating the file is infected. (Id.). If the output is below the threshold, a discrete output of zero is output by the network, indicating the file is not infected. (Id.). The discrete outputs of the networks are summed and the sum is compared to a threshold V. (Arnold, Ex. 1009 at 6). If the sum is greater than V, the output of the classifier is 1, indicating that the file has been classified as infected. (Id.). If the sum is less than V, the output of the classifier is 0, indicating that the file has been classified as uninfected. (Id.). The output value O calculated by each network and the sum of the discrete outputs each represents a probability of whether the file is malicious. (Id.).
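The threshold-and-vote combination described above, as an added illustration that is not code from Arnold or from the petition. The 4-byte n-gram length, the clamp that keeps each output O between 0.0 and 1.0, the handling of a sum equal to V, and every weight, threshold and sample byte are assumptions or constructed values.

```python
"""Threshold-and-vote combination of eight linear networks (added illustration)."""

N = 4  # n-gram length in bytes; an assumption, the section only says "small"

# Constructed n-gram features; they are not taken from any real sample.
FEATURES = [b"\xaa\x01\xaa\x02", b"\xbb\x03\xbb\x04",
            b"\xcc\x05\xcc\x06", b"\xdd\x07\xdd\x08"]

# Eight constructed (weights, bias) pairs, one per linear network.
NETWORKS = [
    ([0.6, 0.3, 0.0, -0.4], 0.0),
    ([0.5, 0.0, 0.4, -0.3], 0.0),
    ([0.0, 0.6, 0.3, -0.5], 0.0),
    ([0.4, 0.4, 0.0, -0.2], 0.0),
    ([0.7, 0.0, 0.0, -0.6], 0.0),
    ([0.0, 0.0, 0.8, -0.1], 0.0),
    ([0.3, 0.3, 0.3, -0.3], 0.0),
    ([0.2, 0.5, 0.0, -0.4], 0.0),
]

OUTPUT_THRESHOLD = 0.5  # per-network threshold (constructed value)
V = 4                   # vote threshold V (constructed value)


def ngrams(data, n=N):
    """Return the set of all n-byte sequences present in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def input_vector(data, features=FEATURES):
    """One entry per feature: 1.0 if the file includes that n-gram, else 0.0."""
    present = ngrams(data)
    return [1.0 if f in present else 0.0 for f in features]


def network_output(weights, bias, x):
    """Linear unit clamped to [0.0, 1.0].

    The clamp is an assumption used to keep O in the range the section gives.
    """
    raw = bias + sum(w * xi for w, xi in zip(weights, x))
    return min(1.0, max(0.0, raw))


def classify(data, networks=NETWORKS, threshold=OUTPUT_THRESHOLD, v=V):
    """Return (label, votes, outputs); label 1 means classified as infected."""
    x = input_vector(data)
    outputs = [network_output(w, b, x) for w, b in networks]
    votes = sum(1 for o in outputs if o > threshold)  # discrete output per network
    # The section covers sum > V (infected) and sum < V (uninfected); treating
    # sum == V as uninfected is an assumption made here.
    return (1 if votes > v else 0), votes, outputs


# Constructed sample files.
SAMPLE_A = b"\x00" * 8 + FEATURES[0] + b"\x11" * 5 + FEATURES[1] + b"\x22" * 3
SAMPLE_B = FEATURES[3] + b"\x33" * 6 + FEATURES[0]
SAMPLE_C = b"".join(FEATURES)  # all four features: produces exactly V votes

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        label, votes, outputs = classify(sample)
        print(name, "label", label, "votes", votes,
              "outputs", [round(o, 2) for o in outputs])
```

Sample C shows the boundary the description leaves open: four of the eight networks vote infected, the sum equals V, and the file is reported as uninfected under the assumption stated in the code.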

4. “Attacks on WIN32” (“Szor”)

Szor discloses known attack methods used by viruses against the Win32 API and the platforms that support it. (Szor, Ex. 1010 at 1-2). Szor discloses various features which can be “useful to detect 32-bit Windows viruses heuristically.” (Szor, Ex. 1010 at 24). One such suspicious feature is found if the executable file references certain resources found in the external KERNEL32.DLL file. (Szor, Ex. 1010 at 26).

5. U.S. Patent No. 6,823,323 (“Forman”)

Forman discloses “classifying an instance (i.e., a data item or a record) automatically into one or more classes [] from a set of potential classes.” (Forman, Abstract, Ex. 1011). Forman discloses that “a system [] for classifying a new instance [] includes a ballpark classifier [], which is generated … from a set of training records [] corresponding to an entire set of potential classes into which [the] new instance [] may be classified.” (Forman, 4:5-9, Ex. 1011). The ballpark classifier may be a Naïve Bayes classifier that assigns each of the potential classes a probability of the new instance belonging to the class. (Forman, 4:38-44, Ex. 1011).

6. “Boosting and Naïve Bayesian Learning” (“Elkan”)

Elkan discloses “boosting applied to naive Bayesian classifiers.” (Elkan, Ex. 1012 at 1). The boosting idea is to learn a series of Naïve Bayesian classifiers, “where each classifier in the series pays more attention to the examples misclassified by its predecessor” (Elkan, Ex. 1012 at 5). Once the Naïve Bayesian classifiers are learned and input attributes are to be classified, each individual Naïve Bayesian classifier produces an output. (Id.). A combined output H is determined by “applying a sigmoid function to a weighted sum of the outputs of the individual classifiers.” (Id.). In addition, Elkan discloses that Naïve Bayesian classifiers can operate on parallel computing units. (Elkan, Ex. 1012 at 1, 6).

7. Admitted Prior Art (“APA”)

The APA in the specification of the ’544 patent discloses that “[h]exdump, as is known in the art . . . is an open source tool that transforms binary files into hexadecimal files.” (’544 patent, 6:7-12, Ex. 1001).

B. Reasons the Claims are Unpatentable

1. Ground 1: Chen in View of Cardinale Renders Obvious Claim 34 Under 35 U.S.C. § 103(a)

Chen in view of Cardinale teaches every element of claim 34. Independent claim 34 generally recites three elements: 1) a “filtering” element in which an email filter filters an executable attachment from an email; 2) an “extracting” element in which a feature extractor extracts a byte sequence from the executable attachment; and 3) a “predicting” element in which a rule evaluator predicts the classification of the executable attachment as one class of a set of classes consisting of malicious, benign, and borderline. The predicting element compares the byte sequence feature to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes. Each of these elements is plainly taught by the combination of Chen and Cardinale.

A person of ordinary skill in the art would find it obvious to combine Cardinale’s virus detector with the agent computer program of Chen. (Ex. 1003 ¶ 99). Chen discloses that its agent computer program can be used with any virus detector. (Chen, 6:29-32, Ex. 1007). Therefore, using Chen’s agent computer program with Cardinale’s virus detector is nothing more than a simple substitution of one known element for another to obtain predictable results, as well as a combination of prior art elements according to known methods to yield a predictable result. (Ex. 1003 ¶ 99).

Further, one of ordinary skill in the art would have been motivated to combine the teachings of Chen and Cardinale because they relate to the same field of art. (Id.). Chen and Cardinale both relate to detecting viruses in executable files. (Id.). Chen discloses the “detect[ion] and remov[al] [of] computer virus[es] that may be in e-mail attachments.” (Chen, 5:4-5, Ex. 1007). Cardinale discloses “detecting file infector viruses in executable files.” (Cardinale, Ex. 1008 at 172).

a. Claim 34: “A system for classifying an executable attachment in an email received at a server of a computer system comprising”

Chen discloses a “system for classifying an executable attachment in an email received at a server of a computer system.” (Ex. 1003 ¶ 94). Chen discloses a “mail server [] and [a] database [that] together can be regarded as a message system.” (Chen, 7:15-16, Ex. 1007). The mail server receives email messages. (Chen, 6:58-61, Ex. 1007). Further, Chen discloses an agent computer program that works “in conjunction with anti-virus software to detect and remove computer virus[es] that may be in e-mail attachments” of emails received by the mail server. (Chen; 5:3-5, 5:29-30, 6:54-61; Ex. 1007). Accordingly, Chen discloses a system (agent and anti-virus software) for classifying an executable attachment in an email received at a server (mail server) of a computer system. (Ex. 1003 ¶ 94).

b. Claim 34: “a) an email filter configured to filter said executable attachment from said email”

Chen discloses “an email filter configured to filter said executable attachment from said email.” (Ex. 1003 ¶ 94). The BRC of the term “filter[]” is “extract[].” (Ex. 1003 ¶ 60).

Chen discloses that the agent computer program (which may also be referred to as the “agent”) “determines whether an attachment is present in an e-mail message.” (Chen, 7:41-43, Ex. 1007). Chen describes that an email attachment may be an executable attachment. (Chen, 3:21-22, Ex. 1007). “If an attachment is present in an e-mail message, the agent [] detaches the attachment . . . and [] sends the attachment to the anti-virus application” so that it can be scanned for viruses. (Chen, 7:48-52, Ex. 1007).

Therefore, Chen discloses the agent (email filter) extracting an executable attachment from an email, which one of ordinary skill in the art would recognize corresponds to filtering the executable attachment from the email. (Ex. 1003 ¶ 94). Accordingly, Chen discloses “an email filter configured to filter said executable attachment from said email.” (Id.).

c. Claim 34: “b) a feature extractor configured to extract a byte sequence feature from said executable attachment”

Chen in view of Cardinale discloses “a feature extractor configured to extract a byte sequence feature from said executable attachment.” (Ex. 1003 ¶ 95). The BRC of the term “byte sequence feature” is a “feature that is a representation of machine code instructions of the executable, where a ‘feature’ is a property or attribute of data which may take on a set of values.” (Ex. 1003 ¶ 58).

Cardinale discloses a virus scanner “developed to evaluate the byte patterns inside files,” specifically executable files. (Cardinale, Ex. 1008 at 114, 172). To classify an executable file, the virus scanner (feature extractor) extracts 16-byte sequences from the entire file, one at a time. (Cardinale, Ex. 1008 at 173). As is known by a person of ordinary skill in the art, an executable file includes machine code instructions. (Ex. 1003 ¶ 95). Since 16-byte sequences are read from the entire executable file, it is obvious that one or more of the 16-byte sequences will be a feature that is a representation of machine code instructions of the executable. (Id.). Thus, Cardinale discloses “a feature extractor configured to extract a byte sequence feature from said executable attachment.” (Id.).

d. Claim 34: “c) a rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes”

Chen in view of Cardinale discloses “a rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.” (Ex. 1003 ¶¶ 96-98).

First, Cardinale discloses “a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.” (Ex. 1003 ¶ 96). The BRC of the term “classification rule set” is “a set of hypotheses that predict classification.” (Ex. 1003 ¶ 61).

Cardinale discloses a component referred to as “HEC” which creates a set of detectors used to classify both nonself (viral) and self (nonviral) files. (Cardinale, Ex. 1008 at 30, 140, 171). Cardinale also refers to the detectors as byte patterns and signatures. (Cardinale, Ex. 1008 at 30, 140, 170, 171).

Cardinale explains that the set of detectors are created by the HEC using training samples that include nonself and self examples. (Cardinale, Ex. 1008 at 49, 51). From the training samples, the HEC creates hypotheses, which are candidate detectors. (Cardinale, Ex. 1008 at 139, 140). The HEC creates the hypotheses by using “three selection rules” to select bytes from the training samples: “chunking, sliding window, and every other byte sliding window.” (Cardinale, Ex. 1008 at 143). A score is calculated for each hypothesis that indicates how well the hypothesis classifies examples. (Cardinale, Ex. 1008 at 141, 156). If the score of a hypothesis is acceptable, a detector is derived from the hypothesis and added to a knowledge base. (Cardinale, Ex. 1008 at 170). The knowledge base includes detectors “used to classify files as self or nonself.” (Cardinale, Ex. 1008 at 171).

Thus, Cardinale’s set of detectors in the knowledge base corresponds to the claimed “classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.” (Ex. 1003 ¶ 96). Accordingly, Cardinale discloses the “classification rule set” element of claim 34. (Id.).

Further, Cardinale discloses “a rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline by comparing said byte sequence feature of said executable attachment to a classification rule set.” (Ex. 1003 ¶¶ 97-98). Cardinale discloses that the virus “[s]canner is responsible for determining the classification of a file based upon the self and nonself detectors created by HEC.” (Cardinale, Ex. 1008 at 172). Cardinale explains that to determine the classification of the executable file, 16-byte sequences extracted from the file are compared to the detectors included in the knowledge base. (Cardinale, Ex. 1008 at 127, 173). Thus, Cardinale’s virus scanner determining the classification of an executable file by comparing the extracted 16-byte sequences to the knowledge base detectors corresponds to “a rule evaluator [] configured to predict the classification of said executable attachment … by comparing said byte sequence feature of said executable attachment to a classification rule set.” (Ex. 1003 ¶ 97).

Cardinale discloses that by comparing the 16-byte sequences to the knowledge base detectors, the executable “file is classified as self if one or more self detectors are found in the file and no nonself detectors are found.” (Cardinale, Ex. 1008 at 174). A person of ordinary skill in the art would recognize that a self classification corresponds to a benign classification. (Ex. 1003 ¶ 98). The “file is classified as nonself if any nonself detector is found.” (Cardinale, Ex. 1008 at 174). A person of ordinary skill in the art would recognize that a nonself classification corresponds to a malicious classification. (Ex. 1003 ¶ 98).

If no hypotheses are found in the file, the file is flagged as indiscernible, considered unclassified, and sent to a virus expert to determine if the file is infected. (Cardinale, Ex. 1008 at 127, 173-174). A person of ordinary skill in the art would recognize that flagging the file as indiscernible and sending it to the expert signifies that it is unclear whether the file is self or nonself (i.e., the file is borderline). (Ex. 1003 ¶ 98). Therefore, a person of ordinary skill in the art would recognize that flagging the file as indiscernible corresponds to a “borderline” classification. (Id.). Accordingly, Cardinale discloses the virus scanner configured to predict the classification of an executable file as one class of a set of classes consisting of nonself (malicious), self (benign), and indiscernible (borderline). (Id.).

Based on the above, Cardinale discloses “a rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.” (Ex. 1003 ¶¶ 96-98).

2. Ground 2: Chen in View of Cardinale, and further in view of Forman Renders Obvious Claims 6, 7, 10-15, 35, and 38-40 Under 35 U.S.C. § 103(a)

Chen in view of Cardinale, and further in view of Forman teaches every element of claims 6, 7, 10-15, 35, and 38-40. Independent claim 6 is similar to claim 34 discussed in section VII(B)(1), with a few exceptions. Independent claim 6 recites three elements: 1) a “filtering” element similar to the “filtering” element of claim 34; 2) an “extracting” element similar to the “extracting” element of claim 34; and 3) a “classifying” element in which an executable attachment is classified by comparing a byte sequence feature of the executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine a probability that the executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline. Thus, the primary difference between claim 6 and claim 34 discussed above in section VII(B)(1) is that claim 6 recites determining a probability that the executable attachment is a member of each class in the set of classes. Each of these elements is plainly taught by the combination of Chen, Cardinale, and Forman. Dependent claims 7, 10-15, 35, and 38-40 recite additional features related to these elements which are also disclosed by the combination of Chen, Cardinale, and Forman.

A person of ordinary skill in the art would find it obvious to modify Cardinale’s virus detector to include a Naïve Bayes classifier described by Forman. (Ex. 1003 ¶ 108). Cardinale discloses that even though it uses induction learning, other machine learning approaches could have been used for classifying files and extracting signatures, such as neural networks and Bayesian methods. (Cardinale, Ex. 1008 at 22, 83-85, 232-233). As is known to a person of ordinary skill in the art, a Naïve Bayes classifier is a type of machine learning classifier and a Bayesian method. (Ex. 1003 ¶ 108). Therefore, modifying Cardinale’s virus detector to include Forman’s Naïve Bayes classifier is nothing more than a simple substitution of one known element for another to obtain predictable results. (Id.).

Further, a person of ordinary skill in the art would find it obvious to combine Cardinale as modified by Forman with Chen for the reasons stated above for claim 34 in section VII(B)(1). (Id.). In addition, one of ordinary skill in the art would have been motivated to combine the teachings of Chen, Cardinale, and Forman because they relate to the same field of art, classifying into a class from a set of classes. (Id.).

a. Claim 6: “A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising”

For the same reasons provided in section VII(B)(1)(a), Chen discloses a “method for classifying an executable attachment in an email received at an email processing application of a computer system.”

b. Claim 6: “a) filtering said executable attachment from said email”

For the same reasons provided in section VII(B)(1)(b), Chen discloses “filtering said executable attachment from said email.”

c. Claim 6: “b) extracting a byte sequence feature from said executable attachment”

For the same reasons provided in section VII(B)(1)(c), Cardinale discloses “extracting a byte sequence feature from said executable attachment.”

d. Claim 6: “c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine a probability that said executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline”

Chen in view of Cardinale, and further in view of Forman discloses “classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine a probability that said executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline.” (Ex. 1003 ¶¶ 101-102).

First, for the same reasons provided in section VII(B)(1)(d), Cardinale discloses “classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes . . . consisting of malicious, benign, and borderline.”

Forman discloses determining a “probability that said executable attachment is a member of each class in a set of classes.” Forman describes a Naïve Bayes classifier that assigns a probability to each potential class to which an instance may belong. (Forman, 4:38-40, Ex. 1011). Forman describes that an instance may be a data item or record. (Forman, Abstract, Ex. 1011). Therefore, an instance may be an executable attachment. (Ex. 1003 ¶ 102). Accordingly, Forman’s Naïve Bayes classifier assigning a probability to each potential class corresponds to the “determin[ing] a probability” element of claim 6. (Id.).

Since Forman discloses determining a probability for each class in the set and Cardinale discloses that the set of classes consists of malicious, benign, and borderline, it is obvious to a person of ordinary skill in the art that the combination of Cardinale and Forman discloses “classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine a probability that said executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline.” (Id.).

e. Claims 7 and 35: “determin[e/ing] said probability that said executable attachment is a member of each class in said set of classes with a Naive Bayes algorithm”

For the same reasons provided in section VII(B)(2)(d), Forman discloses “determin[e/ing] said probability that said executable attachment is a member of each class in said set of classes with a Naive Bayes algorithm.”

f. Claims 10 and 38: “classify[ing] said executable attachment as malicious if said probability that said executable attachment is malicious is greater than said probability that said executable attachment is benign”

Chen in view of Cardinale, and further in view of Forman discloses “classify[ing] said executable attachment as malicious if said probability that said executable attachment is malicious is greater than said probability that said executable attachment is benign.” (Ex. 1003 ¶ 103). For the same reasons provided in section VII(B)(2)(d), Cardinale and Forman in combination disclose determining a probability that the attachment is malicious and a probability that the attachment is benign. (Id.).

Further, Forman discloses that, for an instance, a preselected number of classes having the highest probabilities are selected. (Forman, 4:40-44, Ex. 1011). Thus, the combination of Chen and Cardinale discloses that if the preselected number of classes is one and the malicious probability is the greatest (greater than the benign probability), the executable attachment is classified as malicious. (Ex. 1003 ¶ 103). Accordingly, the combination of Chen, Cardinale, and Forman discloses the elements of claims 10 and 38. (Id.).

g. Claims 11 and 39: “classify[ing] said executable attachment as benign if said probability that said executable attachment is benign is greater than said probability that said executable attachment is malicious”

Chen in view of Cardinale, and further in view of Forman discloses “classify[ing] said executable attachment as benign if said probability that said executable attachment is benign is greater than said probability that said executable attachment is malicious.” (Ex. 1003 ¶ 103). For the same reasons provided in section VII(B)(2)(d), Cardinale and Forman in combination disclose determining a probability that the attachment is malicious and a probability that the attachment is benign. (Ex. 1003 ¶ 103).

Further, Forman discloses that, for an instance, a preselected number of classes having the highest probabilities are selected. (Forman, 4:40-44, Ex. 1011). Thus, the combination of Chen and Cardinale discloses that if the preselected number of classes is one and the benign probability is the greatest (greater than the malicious probability), the executable attachment is classified as benign. (Ex. 1003 ¶ 103). Accordingly, the combination of Chen, Cardinale, and Forman discloses the elements of claims 11 and 39. (Id.).

h. Claims 12 and 40: “classify[ing] said executable attachment as borderline if a difference between said probability that said executable attachment is benign and said probability that said executable attachment is malicious is within a predetermined threshold”

In view of the combination of Chen, Cardinale, and Forman, it is obvious to “classify said executable attachment as borderline if a difference between said probability that said executable attachment is benign and said probability that said executable attachment is malicious is within a predetermined threshold.” (Ex. 1003 ¶ 104). For the same reasons provided in section VII(B)(2)(d), Cardinale and Forman in combination disclose determining a probability that the attachment is malicious and a probability that the attachment is benign. (Ex. 1003 ¶ 103). A person of ordinary skill in the art would recognize that if the two probabilities are sufficiently close to each other (difference between the benign probability and the malicious probability is within a threshold), it would be desirable to classify the file as a third class (“indiscernible” as described by Cardinale) in order to avoid an incorrect classification of the file. (Ex. 1003 ¶ 104). Thus, the elements of claims 12 and 40 are obvious in view of the combination of Chen, Cardinale, and Forman. (Id.).

i. Claim 13: “logging said class of said executable attachment classified in said step c)”

Chen in view of Cardinale, and further in view of Forman discloses “logging said class of said executable attachment classified in said step c).” (Ex. 1003 ¶ 105).

The BRC of the term “logging” is “recording information.” (Ex. 1003 ¶ 63).

Chen discloses that if “the anti-virus application 120 detects the presence of a virus in the attachment, then an alert is generated” and transmitted to devices in a network. (Chen, 7:56-61, Ex. 1005). A person of ordinary skill in the art would recognize it is obvious that the generated alert includes information about the classification. (Ex. 1003 ¶ 105). Therefore, generating the alert corresponds to recording information as to the class of the classified executable attachment. (Id.). Accordingly, Chen discloses the elements of claim 13. (Id.).


j. Claim 14: “incrementing a count of said executable attachments classified as borderline”

In view of Chen, Cardinale, and Forman, it is obvious to “increment[] a count of said executable attachments classified as borderline.” (Ex. 1003 ¶ 106). As described in section VII(B)(1)(d), Cardinale discloses that when an executable file is classified as borderline (flagged as indiscernible), the file is sent to an expert for a determination as to whether the file is infected with a virus. Further, Cardinale describes monitoring the performance of the virus scanner. (Cardinale, Ex. 1008 at 188). A person of ordinary skill in the art would recognize that as part of monitoring performance it would be obvious to track the number of files classified as borderline. (Ex. 1003 ¶ 106). If the number of borderline classifications is high, it is an indication that the virus scanner is having trouble determining whether files are infected with viruses. (Id.). Therefore, a person of ordinary skill in the art would recognize that it is obvious for the virus scanner to maintain a count of the number of borderline classifications and increment the count if an executable file is classified as borderline. (Id.).

k. Claim 15: “if said count of executable attachments exceeds a predetermined threshold, providing a notification that said threshold has been exceeded”

In view of Chen, Cardinale, and Forman, it is obvious to “if said count of executable attachments exceeds a predetermined threshold, providing a notification that said threshold has been exceeded.” (Ex. 1003 ¶ 107). As described in section VII(B)(2)(j), it is obvious for Cardinale’s virus scanner to maintain a count of the number of borderline classifications for monitoring the performance of the virus scanner. (Ex. 1003 ¶ 106). Further, a person of ordinary skill in the art would recognize that if the count of borderline classifications exceeds a predetermined threshold, it is obvious for the virus scanner to provide a notification to a system administrator that the threshold has been exceeded. (Ex. 1003 ¶ 107). The notification would allow the system administrator to know that the virus scanner is having problems with determining whether or not files are infected with viruses. (Id.). Thus, claim 15 is obvious in view of Chen, Cardinale, and Forman. (Id.).

3. Ground 3: Cardinale in View of APA, and further in view of Forman Renders Obvious Claim 43 Under 35 U.S.C. § 103(a)

Cardinale in view of APA, and further in view of Forman teaches every element of claim 43. Independent claim 43 generally recites three elements: 1) a “training” element in which a classification rule set is trained based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each predetermined class that has each of the byte sequence features; 2) an “extracting” element in which a byte sequence feature is extracted from the executable program by converting the executable program from binary format to hexadecimal format; and 3) a “probability” element in which a probability is determined that the executable program is within each predetermined class in a set of classes consisting of malicious, benign, and borderline based on one or more byte sequence features in the executable and the classification rule set. Each of these elements is plainly taught by the combination of Cardinale, APA, and Forman.
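The three elements recited in claim 43, together with the malicious/benign/borderline rule and the borderline count and notification of claims 10-15 discussed in section VII(B)(2), are illustrated below in Python. This is an added example, not code from the petition, the ’544 patent, or any cited reference; the two-byte feature width, add-one smoothing, 0.1 margin, all class and function names, and the sample byte strings are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CLASSES = ("malicious", "benign")

def byte_features(data: bytes, n: int = 2) -> set:
    """'Extracting': convert binary to hexadecimal text, return every n-byte sequence."""
    hexed = data.hex()   # stand-in for hexdump output without offsets (assumption)
    width = 2 * n        # two hex digits per byte
    return {hexed[i:i + width] for i in range(0, len(hexed) - width + 1, 2)}

class ByteSequenceNB:
    """Naive Bayes over byte-sequence presence, trained from per-class counts."""

    def __init__(self, n: int = 2):
        self.n = n
        self.programs = {c: 0 for c in CLASSES}                    # programs seen per class
        self.has_feature = {c: defaultdict(int) for c in CLASSES}  # programs per class with feature
        self.vocab = set()

    def train(self, samples):
        """'Training': record how many known programs of each class have each feature."""
        for data, label in samples:
            self.programs[label] += 1
            for feat in byte_features(data, self.n):
                self.has_feature[label][feat] += 1
                self.vocab.add(feat)

    def probabilities(self, data: bytes) -> dict:
        """'Probability': posterior per class, using only features seen in training."""
        if min(self.programs.values()) == 0:
            raise ValueError("train on at least one program of every class first")
        feats = byte_features(data, self.n) & self.vocab
        total = sum(self.programs.values())
        log_post = {}
        for c in CLASSES:
            lp = math.log(self.programs[c] / total)            # class prior
            for feat in feats:                                 # add-one smoothed likelihood
                seen = self.has_feature[c].get(feat, 0)
                lp += math.log((seen + 1) / (self.programs[c] + 2))
            log_post[c] = lp
        peak = max(log_post.values())                          # normalise in log space
        weights = {c: math.exp(v - peak) for c, v in log_post.items()}
        norm = sum(weights.values())
        return {c: weights[c] / norm for c in CLASSES}

def classify(probs: dict, margin: float = 0.1) -> str:
    """Borderline if the two probabilities differ by no more than the margin."""
    if abs(probs["malicious"] - probs["benign"]) <= margin:
        return "borderline"
    return "malicious" if probs["malicious"] > probs["benign"] else "benign"

class BorderlineMonitor:
    """Logs each class and counts borderline results against a notification limit."""

    def __init__(self, limit: int):
        self.limit = limit
        self.borderline = 0
        self.log = []

    def record(self, name: str, label: str) -> bool:
        self.log.append((name, label))
        if label == "borderline":
            self.borderline += 1
        return self.borderline > self.limit   # True while the count exceeds the limit

def scan(model, monitor, name: str, data: bytes, margin: float = 0.1):
    """Classify one file, log the class, and report whether to notify an administrator."""
    label = classify(model.probabilities(data), margin)
    return label, monitor.record(name, label)

# Constructed training set: short byte strings standing in for labelled executables.
TRAINING = [
    (bytes.fromhex("4d5ae800005d"), "malicious"),
    (bytes.fromhex("4d5ae800005b"), "malicious"),
    (bytes.fromhex("4d5a90000300"), "benign"),
    (bytes.fromhex("4d5a90000400"), "benign"),
]

if __name__ == "__main__":
    model = ByteSequenceNB(n=2)
    model.train(TRAINING)
    monitor = BorderlineMonitor(limit=1)
    # Constructed inputs: one resembling each class, then two the model cannot separate.
    for name, hexed in [("a.exe", "4d5ae8000000"), ("b.exe", "4d5a90000500"),
                        ("c.exe", "4d5aff"), ("d.exe", "ffff")]:
        label, notify = scan(model, monitor, name, bytes.fromhex(hexed))
        print(name, label, "NOTIFY" if notify else "")
```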

A person of ordinary skill in the art would find it obvious to combine APA’s teaching with the teachings of Cardinale because it is nothing more than a combination of prior art elements according to known methods to yield a predictable result. (Ex. 1003 ¶ 112). Further, a person of ordinary skill in the art would find it obvious to combine Forman with Cardinale for the reasons stated above for claims 6, 7, 10-13, 35, and 38-40 in section VII(B)(2). (Id.).

a. Claim 43: “A method for classifying an executable program comprising”

Cardinale in view of APA, and further in view of Forman discloses a “method for classifying an executable program.” Cardinale describes that it is “concerned with detecting file infector viruses in executable files.” (Cardinale, Ex. 1008 at 172). To classify an executable file, 16 byte sequences extracted from the file are compared to the detectors included in a knowledge base. (Cardinale, Ex. 1008 at 127, 173). The “file is classified as self if one or more self detectors are found in the file and no nonself detectors are found.” (Cardinale, Ex. 1008 at 174). The “file is classified as nonself if any nonself detector is found.” (Id.). Therefore, Cardinale discloses a “method for classifying an executable program.”


b. Claim 43: “a) training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features;”

Cardinale in view of APA, and further in view of Forman discloses “training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features.” (Ex. 1003 ¶¶ 110-111).

As described in section VII(B)(1)(d), Cardinale discloses creating hypotheses based on training samples, determining a score for each hypothesis, and only adding to the knowledge base detectors derived from hypotheses with acceptable scores, where the knowledge base includes detectors for classifying executable files. One of ordinary skill in the art would recognize that Cardinale’s creation of detectors and adding them to the knowledge base corresponds to “training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features.” (Ex. 1003 ¶ 110).

Further, Cardinale describes that in calculating the score for a hypothesis, the hypothesis “is compared against [an] example set” of executable files. (Cardinale, Ex. 1008 at 156). A determination is made as to the number of examples that the hypothesis classified as nonself, the number of examples that the hypothesis classified as self, and whether the classifications were correct. (Cardinale, Ex. 1008 at 157). The numbers are stored and input into an equation to obtain the score for the hypothesis. (Id.). Therefore, by calculating a score for each hypothesis, Cardinale is “recording the number of known executable programs in each said predetermined class that has each of said byte sequence features.” (Ex. 1003 ¶ 111).

Based on the above, Cardinale discloses “training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features.” (Ex. 1003 ¶¶ 110-111).

c. Claim 43: “b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal format”

Cardinale in view of APA, and further in view of Forman discloses “b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal format.” (Ex. 1003 ¶ 112). For the same reasons provided in section VII(B)(1)(c), Cardinale discloses “extracting a byte sequence feature from said executable program.”

Further, APA discloses that “[h]exdump, as is known in the art . . . is an open source tool that transforms binary files into hexadecimal files.” (’544 patent, 6:7-12, Ex. 1001). Therefore, APA discloses “converting [an] executable program from binary format to hexadecimal format” since APA acknowledges the existence of a prior art tool for this express purpose. (Ex. 1003 ¶ 112).

Accordingly, Cardinale and APA in combination disclose the “extracting” element of claim 43. (Id.). A person of ordinary skill in the art would recognize that it is obvious for Cardinale’s virus detector to use hexdump to convert an executable file from binary format to hexadecimal format because hexadecimal is one of two practical and commonly used ways of representing binary data. (Id.).

d. Claim 43: “c) determining the probability that the executable program is within each said predetermined class in a set of classes consisting of malicious, benign, and borderline, based on said one or more byte sequence features in said executable and said classification rule set.”

For the same reasons provided in section VII(B)(2)(d), Cardinale and Forman in combination disclose “determining the probability that the executable program is within each said predetermined class in a set of classes consisting of malicious, benign, and borderline, based on said one or more byte sequence features in said executable and said classification rule set.”

4. Ground 4: Chen in View of Cardinale, and further in view of Arnold and Szor Renders Obvious Claims 1, 2, 5, 28, 29, 31-33, 41, and 42 Under 35 U.S.C. § 103(a)

Chen in view of Cardinale, and further in view of Arnold and Szor teaches every element of claims 1, 2, 5, 28, 29, 31-33, 41, and 42. Independent claims 1 and 28 are similar to claim 34 discussed above in section VII(B)(1). Claims 1 and 28 generally recite three elements: 1) a “filtering” element similar to the “filtering” element of claim 34; 2) an “extracting” element in which a byte sequence feature is extracted from the executable attachment, where a byte string is created representative of resources referenced by the executable attachment; and 3) a “classifying” element in which, to classify the executable attachment, a byte sequence feature of the executable attachment is compared with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether the executable attachment is malicious.

Thus, the primary difference between claims 1 and 28 and claim 34 discussed above in section VII(B)(1) is that claims 1 and 28 recite additional elements of creating a byte string representative of resources referenced by the executable attachment and determining a probability of whether the attachment is malicious. Each of these elements is plainly taught by the combination of Chen, Cardinale, Arnold, and Szor. Dependent claims 2, 5, 29, 31-33, 41, and 42 recite additional features related to these elements which are also disclosed by the combination of Chen, Cardinale, Arnold, and Szor.

A person of ordinary skill in the art would find it obvious to modify Cardinale’s virus detector to determine a probability as described by Arnold because it is nothing more than a simple substitution of one known element for another to obtain predictable results. (Ex. 1003 ¶ 120). Further, a person of ordinary skill in the art would find it obvious to combine Cardinale’s teachings with Szor’s teachings for extracting byte sequence features. (Ex. 1003 ¶ 121). Cardinale describes that future iterations of its virus scanner should employ heuristics from current antivirus programs to supplement its ability to detect previously unseen invaders. (Cardinale, Ex. 1008 at 22). Therefore, combining Cardinale’s teachings with Szor’s teachings is nothing more than combining prior art elements according to known methods to yield a predictable result. (Ex. 1003 ¶ 121).

Further, a person of ordinary skill in the art would find it obvious to combine Cardinale as modified by Arnold with Chen for the reasons stated above for claim 34 in section VII(B)(1). (Ex. 1003 ¶ 122). In addition, one of ordinary skill in the art would have been motivated to combine the teachings of Chen, Cardinale, Arnold, and Szor because they relate to the same field of art, detecting viruses. (Id.).

a. Claim 1: “A method for classifying an executable attachment in an email received at an email processing application of a computer system”

For the same reasons provided in section VII(B)(1)(a), Chen discloses a “method for classifying an executable attachment in an email received at an email processing application of a computer system.”


b. Claim 28: “A system for classifying an executable attachment in an email received at a server of a computer system”

For the same reasons provided in section VII(B)(1)(a), Chen discloses a “system for classifying an executable attachment in an email received at a server of a computer system.”

c. Claims 1 and 28: “filter[ing] said executable attachment from said email”

For the same reasons provided in section VII(B)(1)(b), Chen discloses “filter[ing] said executable attachment from said email.”

d. Claims 1 and 28: “extract[ing] a byte sequence feature from said executable attachment . . . creat[ing] a byte string representative of resources referenced by said executable attachment”

Chen in view of Cardinale, and further in view of Arnold and Szor discloses “extract[ing] a byte sequence feature from said executable attachment . . . [wherein extracting the byte sequence feature comprises] creat[ing] a byte string representative of resources referenced by said executable attachment.” (Ex. 1003 ¶¶ 114-115).

For the same reasons provided in section VII(B)(1)(c), Cardinale discloses “extracting a byte sequence feature from said executable attachment” by extracting 16 byte sequences from the executable file to be classified.

Szor shows that Cardinale also discloses “creat[ing] a byte string representative of resources referenced by said executable attachment” when extracting the 16 byte sequences. Szor describes various features which can be “useful to detect 32-bit Windows viruses heuristically” and cause a heuristic flag to be set. (Szor, Ex. 1010 at 24). One feature that is suspicious is if the functions GetProcAddress or GetModuleHandleA are imported by a file from KERNEL32.DLL. (Szor, Ex. 1010 at 26). Another feature that is suspicious is if the functions GetProcAddress and GetModuleHandleA are both imported by the file from KERNEL32.DLL at the same time. (Id.).

Thus, Szor shows that files (e.g., malicious executable attachments) will reference resources, such as DLL and DLL functions. (Ex. 1003 ¶ 114). As described above, Cardinale extracts 16 byte sequences from an entire executable file to be classified. (Cardinale, Ex. 1008 at 173). A person of ordinary skill in the art would recognize that in view of Szor, if the file is infected with a virus that imports DLL functions, one or more byte sequences extracted by Cardinale for the file will be a created byte string representative of resources referenced by the executable file. (Ex. 1003 ¶ 115). Accordingly, Cardinale in view of Szor discloses the “extracting” element of claims 1 and 28. (Ex. 1003 ¶¶ 114-115).

e. Claims 1 and 28: “classify[ing] said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious”

Chen in view of Cardinale, and further in view of Arnold and Szor discloses “classify[ing] said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious.” (Ex. 1003 ¶¶ 116-117). For the same reasons provided in section VII(B)(1)(d), Cardinale discloses “classify[ing] said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.”

Cardinale also discloses comparing the byte sequence to the classification rule set “to determine the probability whether said executable attachment is malicious.” As described in section VII(B)(1)(d), Cardinale discloses that by comparing the 16 byte sequences to the knowledge base detectors, the executable “file is classified as self if one or more self detectors are found in the file and no nonself detectors are found.” (Cardinale, Ex. 1008 at 174). The “file is classified as nonself if any nonself detector is found.” (Id.). A person of ordinary skill in the art would recognize that Cardinale’s classification of the file corresponds to a determination of a probability of whether the executable attachment is malicious. (Ex. 1003 ¶ 116). For example, a classification of nonself may be a 100% probability that the file is malicious, while a classification of self is a 0% probability that the file is malicious. Therefore, Cardinale discloses the “determine the probability” element. (Ex. 1003 ¶ 116).

Arnold provides support for Cardinale’s “determine the probability” element. (Ex. 1003 ¶¶ 114-117). Arnold describes a neural network classifier made up of eight linear networks that are trained using n-grams identified using viral and clean training samples. (Arnold, Ex. 1009 at 4-5). For a file to be classified, an input vector is generated based on which n-gram features the file includes. (Arnold, Ex. 1009 at 5). Each network calculates an output value O for the input vector, with a value between 0.0 and 1.0. (Id.).

If the output value O is above the threshold, a discrete output of 1 is output by the network, indicating the file is infected. (Id.). If the output value O is below the threshold, a discrete output of zero is output by the network, indicating the file is not infected. (Id.). The discrete outputs of the networks are summed to determine an overall output for the classifier. (Arnold, Ex. 1009 at 6).

Therefore, each network determines a probability (output value O) of whether the file is malicious. (Ex. 1003 ¶ 117). Accordingly, the combination of Cardinale and Arnold discloses the “classifying” element of claims 1 and 28. (Id.).

f. Claims 2 and 29: “extract[ing] static properties of said executable attachment”

Chen in view of Cardinale, and further in view of Arnold and Szor discloses “extracting static properties of said executable attachment.” (Ex. 1003 ¶ 118). The BRC of the phrase “static properties” is “properties that do not require an executable to be run in order to be discerned.” (Ex. 1003 ¶ 62).

Cardinale discloses “extracting static properties of said executable attachment.” (Ex. 1003 ¶ 118). For the same reasons provided in section VII(B)(1)(c), Cardinale discloses “extracting a byte sequence feature from said executable attachment” by extracting 16 byte sequences from the executable file to be classified. Cardinale extracts the 16 byte sequences directly from the contents of the executable file. (Cardinale, Ex. 1008 at 173). A person of ordinary skill in the art would recognize that the executable file does not have to be run to extract the byte sequences. (Ex. 1003 ¶ 118). Therefore, a person of ordinary skill in the art would recognize that the byte sequence features extracted by Cardinale are static properties. (Id.). Accordingly, Cardinale discloses the elements of claims 2 and 29. (Id.).

g. Claims 5 and 33: “updat[ing] the classification rule set based on executable attachments classified in said classifying”

Chen in view of Cardinale, and further in view of Arnold and Szor discloses “update[ing] the classification rule set based on executable attachments classified in said classifying.” (Ex. 1003 ¶ 119). Specifically, Cardinale discloses the elements of claims 5 and 33. (Id.).

Cardinale discloses that in classifying a file, the file is flagged as indiscernible “if no detector [from the knowledge base] was able to classify it . . . and sent to [a] virus expert to determine if the file is infected.” (Cardinale, Ex. 1008 at 127, 173-174). “Once the expert classifie[s] the file, HEC [] learn[s] a new detector” for classifying files. (Cardinale, Ex. 1008 at 174). The new detector is added to the knowledge base for use in classifying files. (Cardinale, Ex. 1008 at 115).

Therefore, Cardinale is updating the knowledge base based on the classification of the executable file, which corresponds to the claimed “update[ing] the classification rule set based on executable attachments classified in said classifying.” Accordingly, Cardinale discloses the elements of claims 5 and 33. (Ex. 1003 ¶ 119).

h. Claim 31: “predict the classification of said executable attachment as one class of a set of classes consisting of malicious and benign”

Chen in view of Cardinale, and further in view of Arnold and Szor discloses “predict[ing] the classification of said executable attachment as one class of a set of classes consisting of malicious and benign.” (Ex. 1003 ¶ 119).

As described in section VII(B)(4)(e), Arnold discloses that the discrete outputs of the networks are summed to determine an overall output for the classifier. To determine the overall output, the sum is compared to a threshold V. (Arnold, Ex. 1009 at 6). If the sum is greater than V, the output of the classifier is 1, indicating that the file has been classified as infected. (Id.). If the sum is less than V, the output of the classifier is 0, indicating that the file has been classified as uninfected. (Id.).

Therefore, Arnold is predicting the classification of a file as one class of a set of classes consisting of malicious (infected) and benign (uninfected). (Ex. 1003 ¶ 119). Accordingly, the combination of Chen, Cardinale, Arnold, and Szor discloses the elements of claim 31. (Id.).

i. Claim 32: “an email interface configured to log said class of said executable attachment classified in said step c)”

Chen in view of Cardinale, and further in view of Arnold and Szor discloses “an email interface configured to log said class of said executable attachment classified in said step c).” The BRC of the term “email interface” is “[t]he component that reintegrates filtered email back into normal email traffic and may send the model generator 240 each attachment to be analyzed further.” (Ex. 1003 ¶ 59).

For the same reasons provided in section VII(B)(2)(i), Chen discloses “logging said class of said executable attachment classified in said step c).” Further, Chen discloses that the logging is performed by an email interface. Chen discloses that the agent sends a detached attachment to the anti-virus software to be scanned for viruses, and once it is scanned the agent provides the email to the email system so that it can be handled as normal. (Chen; 5:1-10, 5:25-27, 7:48-51; Ex. 1007). Therefore, the agent corresponds to the claimed email interface. Accordingly, Chen discloses the elements of claim 32.


j. Claim 41: “wherein said email interface is configured to increment a count of said executable attachments classified as borderline”

For the same reasons provided in section VII(B)(2)(j), claim 41 is obvious.

k. Claim 42: “wherein said email interface is configured to, if said count of executable attachments exceeds a predetermined threshold, provide a notification that said threshold has been exceeded”

For the same reasons provided in section VII(B)(2)(k), claim 42 is obvious.

5. Ground 5: Chen in View of Cardinale, and further in view of Elkan Renders Obvious Claims 36 and 37 Under 35 U.S.C. § 103(a)

Chen in view of Cardinale, and further in view of Elkan teaches every element of dependent claims 36 and 37. Claim 36 generally recites determining a probability that the executable attachment is a member of a class of a set of classes with a multi-Naive Bayes algorithm. Claim 37 generally recites dividing the determination of the probability into a plurality of processing steps and to execute the steps in parallel.

A person of ordinary skill in the art would find it obvious to modify Cardinale’s virus detector to include the multi-Naïve Bayes algorithm disclosed by Elkan for classifying executable files. (Ex. 1003 ¶ 127). Cardinale discloses that even though it uses induction learning, other machine learning approaches could have been used for classifying files and extracting signatures, such as neural networks and Bayesian methods. (Cardinale, Ex. 1008 at 22, 83-85, 232-233). As is known to a person of ordinary skill in the art, a multi-Naïve Bayes algorithm is a type of machine learning approach and a Bayesian method. (Ex. 1003 ¶ 127). Therefore, modifying Cardinale’s virus detector to include Elkan’s multi-Naïve Bayes algorithm is nothing more than a simple substitution of one known element for another to obtain predictable results. (Id.). Further, a person of ordinary skill in the art would find it obvious to combine Cardinale as modified by Elkan and Chen for the reasons stated above for claim 34 in section VII(B)(1). (Ex. 1003 ¶ 128). In addition, one of ordinary skill in the art would have been motivated to combine the teachings of Chen, Cardinale, and Elkan because they relate to the same field of art, classifiers. (Id.).

a. Claim 36: “determine said probability that said executable attachment is a member of a class of said set of classes with a multi-Naive Bayes algorithm”

Chen in view of Cardinale, and further in view of Elkan discloses “determine said probability that said executable attachment is a member of a class of said set of classes with a multi-Naive Bayes algorithm.” (Ex. 1003 ¶¶ 124-125). Elkan discloses multiple Naïve Bayes classifiers, where the classifiers are learned in a series “where each classifier in the series pays more attention to the examples misclassified by its predecessor.” (Elkan, Ex. 1012 at 5). Once the Naïve Bayes classifiers are learned and input attributes are to be classified, each individual Naïve Bayes classifier produces an output. (Id.). A combined output H is determined “by applying a sigmoid function to a weighted sum of the outputs of the individual classifiers.” (Id.). Since Elkan is using multiple Naïve classifiers whose outputs are used to generate a combined output, Elkan’s algorithm is therefore a multi-Naïve Bayes algorithm. (Ex. 1003 ¶ 124).

Further, a sigmoid function such as the one described by Elkan produces a combined output that is a probability that input attributes are a member of a given class. (Ex. 1003 ¶ 125). Therefore, Elkan discloses determining a probability that input attributes are a member of a class of a set of classes with a multi-Naïve Bayes algorithm. (Id.). In view of Chen and Cardinale it is obvious to a person of ordinary skill in the art to use Elkan’s multi-Naïve Bayes algorithm for executable attachments. (Id.). Accordingly, the combination of Chen, Cardinale, and Elkan discloses the elements of claim 36. (Id.).

b. Claim 37: “divide a determination said probability into a plurality of processing steps and to execute said processing steps in parallel”

Chen in view of Cardinale, and further in view of Elkan discloses “divid[ing] a determination said probability into a plurality of processing steps and to execute said processing steps in parallel.” (Ex. 1003 ¶ 126). As described in section VII(B)(5)(a), Elkan determines the probability using multiple Naïve Bayes classifiers. Since the output of each classifier is used to determine the probability, a person of ordinary skill in the art would recognize that the determining of the probability is divided by Elkan into a plurality of processing steps, where each classifier performs some of the steps. (Id.). Elkan further discloses that the multiple Naive Bayes classifiers can operate on parallel computing units. (Elkan, Ex. 1012 at 1, 6). Since the classifiers operate on parallel computing units and each classifier is processing steps for determining the probability, a person of ordinary skill in the art would recognize that Elkan discloses dividing said determining said probability into a plurality of processing steps and executing said processing steps in parallel. (Ex. 1003 ¶ 126).
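
The combination step described for claims 36 and 37 above, as an added Python example that is not part of the petition or of Elkan's paper: naive Bayes classifiers are learned in series with misclassified examples gaining weight, each classifier scores the input independently (threads stand in for parallel computing units), and the combined output H is a sigmoid of the weighted sum. The feature names, training rows, smoothing constant, AdaBoost-style weight update and the mapping of each output to [-1, 1] are assumptions made for illustration.

```python
import math
from concurrent.futures import ThreadPoolExecutor

# Constructed training rows: binary features of an executable attachment
# (hypothetical: [calls network API, packed section, has GUI resources]); 1 = malicious.
X = [(1,1,0), (1,1,0), (1,0,0), (0,1,0), (1,0,1), (0,0,1), (0,0,1), (0,1,1), (1,0,1)]
Y = [1, 1, 1, 1, 1, 0, 0, 0, 0]
SMOOTH = 0.05  # assumed smoothing constant

def train_nb(X, Y, w):
    """Weighted Bernoulli naive Bayes: per-class prior and P(feature=1 | class)."""
    model = {}
    for c in (0, 1):
        wc = sum(wi for wi, y in zip(w, Y) if y == c)
        on = [sum(wi * x[j] for wi, x, y in zip(w, X, Y) if y == c)
              for j in range(len(X[0]))]
        model[c] = (wc, [(o + SMOOTH) / (wc + 2 * SMOOTH) for o in on])
    return model

def nb_prob(model, x):
    """P(malicious | x) from one naive Bayes classifier."""
    like = {}
    for c, (prior, p) in model.items():
        like[c] = prior * math.prod(pj if xj else 1 - pj for pj, xj in zip(p, x))
    return like[1] / (like[0] + like[1])

def boost(X, Y, rounds=3):
    """Learn classifiers in series; misclassified examples gain weight each round."""
    w = [1 / len(X)] * len(X)
    ensemble = []
    for _ in range(rounds):
        m = train_nb(X, Y, w)
        wrong = [(nb_prob(m, x) >= 0.5) != bool(y) for x, y in zip(X, Y)]
        eps = min(max(sum(wi for wi, bad in zip(w, wrong) if bad), 1e-3), 0.499)
        beta = eps / (1 - eps)
        ensemble.append((math.log(1 / beta), m))  # (classifier weight, classifier)
        w = [wi if bad else wi * beta for wi, bad in zip(w, wrong)]
        total = sum(w)
        w = [wi / total for wi in w]
    return ensemble

def combined_output(ensemble, x, parallel=True):
    """H = sigmoid(weighted sum of the individual classifier outputs)."""
    score = lambda am: am[0] * (2 * nb_prob(am[1], x) - 1)  # output mapped to [-1, 1]
    if parallel:  # each classifier is an independent processing step
        with ThreadPoolExecutor() as pool:
            votes = list(pool.map(score, ensemble))
    else:
        votes = [score(am) for am in ensemble]
    return 1 / (1 + math.exp(-sum(votes)))

ENSEMBLE = boost(X, Y)
```

Because the two training rows with features (1,0,1) carry opposite labels, one of them is always misclassified, so the per-round weights and classifier weights differ from round to round.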

6. Ground 6: Cardinale in View of APA, and further in view of Szor and Arnold Renders Obvious Claims 16, 17, and 25-27 Under 35 U.S.C. § 103(a)

For the same reasons provided in sections VII(B)(3) and VII(B)(4), the combination of Cardinale, APA, Szor, and Arnold discloses the elements of claims 16, 17, and 27. Further, for the same reasons provided in sections VII(B)(2)(j) and VII(B)(4)(k), claims 25 and 26 are obvious.

7. Ground 7: Chen in View of Cardinale, and further in view of Arnold, Szor, and APA Renders Obvious Claims 3 and 30 Under 35 U.S.C. § 103(a)

For the same reasons provided in section VII(B)(3)(c), the combination of Chen, Cardinale, Arnold, Szor, and APA discloses the elements of claims 3 and 30.

8. Ground 8: Chen in View of Cardinale, and further in view of Arnold, Szor, and Forman Renders Obvious Claim 4 Under 35 U.S.C. § 103(a)

For the same reasons provided in section VII(B)(4)(h), the combination of Chen, Cardinale, Arnold, Szor, and Forman discloses the elements of claim 4.


9. Ground 9: Chen in View of Cardinale, and further in view of Forman and Elkan Renders Obvious Claims 8 and 9 Under 35 U.S.C. § 103(a)

For the same reasons provided in sections VII(B)(5)(a) and VII(B)(5)(b), the combination of Chen, Cardinale, Forman, and Elkan discloses the elements of claims 8 and 9.

10. Ground 10: Cardinale in View of APA, and further in view of Szor, Arnold, and Chen Renders Obvious Claim 24 Under 35 U.S.C. § 103(a)

For the same reasons provided in section VII(B)(2)(i), the combination of Cardinale, APA, Szor, Arnold, and Chen discloses the elements of claim 24.

11. Ground 11: Cardinale in View of APA, and further in view of Szor, Arnold, and Forman Renders Obvious Claims 18, 19, 21, 22, and 23 Under 35 U.S.C. § 103(a)

For the same reasons provided in sections VII(B)(2)(d), VII(B)(2)(e), VII(B)(2)(f), VII(B)(2)(g), VII(B)(2)(h), and VII(B)(4)(h), the combination of Cardinale, APA, Szor, Arnold, and Forman discloses the elements of claims 18, 19, 21, 22, and 23.

12. Ground 12: Cardinale in View of APA, and further in view of Szor, Arnold, and Elkan Renders Obvious Claim 20 Under 35 U.S.C. § 103(a)

For the same reasons provided in section VII(B)(5)(a), the combination of Cardinale, APA, Szor, Arnold, and Elkan discloses the elements of claim 20.


VIII. CONCLUSION

For the reasons given above, inter partes review under 35 U.S.C. § 311 and 37 C.F.R. § 42.101 of United States Patent No. 7,487,544 to Schultz et al., titled “System and Methods for Detection of New Malicious Executables” is hereby requested.

Respectfully submitted,
/David D. Schumann/
David D. Schumann
Reg. No. 53,569
December 5, 2014


CERTIFICATION OF SERVICE ON PATENT OWNER (37 C.F.R. § 42.101(a))

The undersigned hereby certifies that the foregoing Petition for Inter Partes Review of U.S. Patent No. 7,487,544 (“the ’544 patent”), and associated Exhibits 1001-1012, was served on December 5, 2014, in its entirety by FedEx upon the following:

The Trustees of Columbia University in the City of New York
c/o Baker Botts L.L.P.
30 Rockefeller Plaza
44th Floor
New York, NY 10112-4498
Patent owner’s correspondence address of record for USP 7,487,544

FENWICK & WEST, LLP
/Brian Hoffman/
Brian M. Hoffman
Attorney for Petitioner
Registration No. 39,713
Date: December 5, 2014
555 California Street
San Francisco, CA
Tel: (650) 988-8500

