IN THE UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO DIVISION

TRUSTED KNIGHT CORPORATION,
Plaintiff,

v.

INTERNATIONAL BUSINESS MACHINES CORPORATION,
Defendant.

Case No. 3:19-cv-01206-EMC

Declaration of Dr. Patrick McDaniel

TK-2032 - Page 1

Case 3:19-cv-01206-EMC Document 69 Filed 04/10/20 Page 2 of 68

I, Patrick McDaniel, Ph.D., declare as follows:

1. I have been retained by Defendant International Business Machines Corporation (“IBM”) as an expert in this matter.

2. As part of that engagement I have been asked to offer opinions regarding the construction of certain terms found in the claims of U.S. Patent No. 9,503,473 (the “’473 patent”).

3. I am being compensated for my time spent on this matter at a rate of $600 per hour, and my compensation is in no way contingent upon the outcome of this matter or on the opinions I offer. All of the opinions expressed in this Declaration are my own.

I. BASIS FOR OPINIONS

A. Expert Qualifications

4. A detailed description of my professional qualifications, including a list of publications, awards, and professional activities, is contained in my curriculum vitae, a copy of which is attached as Exhibit A.

5. My qualifications for forming the opinions in this Declaration are summarized here. I earned a Ph.D. in Computer Science and Engineering from University of Michigan, Ann Arbor in 2001. I earned a Bachelor of Science degree in Computer Science from Ohio University in 1989 and a Master of Science degree, also in Computer Science, from Ball State University in 1991.

6. Since 2017, I have been the William L. Weiss Professor of Information and Communications Technology in the School of Electrical Engineering and Computer Science at the Pennsylvania State University in University Park, PA. I am also the director of the Institute for Network and Security Research, and founder and co-director of the Systems and Internet Infrastructure Security Laboratory, a research laboratory focused on the study of security in diverse network and computer environments. My research efforts primarily involve computer systems, network, management, authentication, systems security, and technical public policy.

7. Before my current position, I was an Assistant Professor (2004-2007), Associate Professor (2007-2011), Full Professor (2011-2015), and Distinguished Professor of Computer Science and Engineering at the Pennsylvania State University (2015-2017). Since 2004, I have taught several courses in the field of computer systems, systems programming, networks, and network and computer security at both the undergraduate and graduate level. I have also taught extensively in the area of systems and security, with a specific focus on the design, implementation and analysis of operating systems, device drivers, and the use of anti-malware software at both the OS and application level. I created and continue to maintain several security and systems courses for Penn State.

8. From 2003-2009, I was also an Adjunct Professor at the Stern School of Business at New York University in New York, NY. At the Stern School of Business, I taught courses in computer and network security and online privacy.

9. I am a Fellow of the Association for Computing Machinery (the leading professional association for computer science) and the Institute for Electrical and Electronics Engineering (the leading professional association for computer engineering).

10. I was also the Program Manager (PM) and lead scientist for the Cyber Security Collaborative Research Alliance (CRA) from 2013 to 2018. The CRA is led by Penn State University and includes faculty and researchers from the Army Research Laboratory, Carnegie Mellon University, Indiana University, the University of California-Davis, and the University of California-Riverside. This initiative is a major research project aimed at developing a new science of cyber-security for military networks, computers, and installations.

11. I have served as an advisor to several Ph.D. and master’s degree candidates, several of whom have gone on to become professors at various institutions such as North Carolina State University, the University of Oregon, and the Georgia Institute of Technology. I am currently an advisor to two Ph.D. candidates and a number of master’s students.

12. Before joining Pennsylvania State University as a professor, I was a software developer and project manager for companies in the networking industry including Applied Innovation, Inc. and Primary Access Corporation. I was also a senior researcher at AT&T Research-Labs. As part of my duties in these industrial positions, I informed, reviewed and formed corporate policies and practices relating to the deployment and subsequent management of software systems such as those sold and supported by IBM.

13. I have published extensively in the field of network and security management, computer systems, authentication, systems security, applied cryptography and network security. In addition to writing several articles for industry journals and conferences, I have authored portions of numerous books related to computer systems, applied cryptography and network security. I have served on the editorial boards of several peer-reviewed journals including ACM Transactions on Internet Technology, for which I was the Editor-in-Chief. I was also an Associate Editor for ACM Transactions on Information and System Security and IEEE Transactions of Software Engineering, two highly regarded journals in the field. A complete list of my publications in the last 10 years, as well as a list of editorial positions can be found in my curriculum vitae, which is attached as Exhibit A.

14. In light of the foregoing, I consider myself to be an expert in the fields of operating systems, keyboard device drivers, and anti-malware software.

B. Level of Ordinary Skill in the Art

15. In my opinion, a person of ordinary skill in the art at the time the ’473 patent was filed would have at least a bachelor’s degree and two years’ work experience in operating systems, device drivers, or anti-malware software; or equivalent experience. This is the same definition proposed by Dr. Sorini. Sorini Decl. at ¶ 22.

16. I meet this criteria and consider myself a person with at least ordinary skill in the art pertaining to the ’473 patent. I would have been such a person at the time of the filing of the invention of the ’473 patent.

17. Notably, Dr. Sorini does not opine that he is a person of ordinary skill in the art. Nor does he, in my view, appear to meet his own definition. Dr. Sorini has bachelor’s, M.S., and Ph.D. degrees, all in physics. Sorini Decl. at ¶ 7. He states that his Ph.D. work was “focused on computational aspects of solid-state physics, including numerical calculations using computer software.” Id.

18. Outside of his work at Exponent, where he works as a “technical consultant and intellectual property matters,” Dr. Sorini does not purport to have any experience whatsoever with “operating systems, device drivers, or anti-malware software.” Sorini Decl. at ¶¶ 8-18. While he unquestionably has experience with computer software, he does not purport to have any identifiable experience with operating systems or device drivers. Id.

19. He notes that he “developed software for programming hardware security modules via low-level protocols such as I2C[1] that incorporates components such as dynamic link libraries, kernel drivers, and user mode applications.” Sorini Decl. at ¶ 11. The mere fact that I2C “incorporates” device drivers, however, does not mean that Dr. Sorini has “two years’ work experience in . . . device drivers” as Dr. Sorini’s own definition requires. Modern operating systems provide device drivers as part of their base deployment, and users of those drivers would not need to know their design or how they work. Indeed, the design, behavior and use of device drivers is exceedingly complicated and subtle. For this reason, engineering students generally do not see device drivers until the last few semesters of their undergraduate career.

20. Dr. Sorini does not appear to have the requisite work experience with anti-malware software either. In the context of his work at Exponent, he alleges only that he has “worked extensively in cybersecurity and network security, including as a technical consultant and expert for intellectual property matters related to network threat detection, malware, and other types of cybersecurity threats.” Sorini Decl. at ¶ 10. This is not “two years’ work experience [with] . . . anti-malware software.” Indeed, in my opinion, expert witness consulting does not qualify as sufficient “work experience” at all.

21. In short, it does not appear that Dr. Sorini qualifies as a person of ordinary skill in the art under his own proposed POSITA standard. In addition, he does not purport to apply the standard he proposes for a POSITA when rendering his opinions regarding how a POSITA would understand the claims of the ’473 patent, rendering those opinions, in my opinion, entirely unreliable. In my opinion, therefore, Dr. Sorini’s declaration should be given no weight.

[1] I2C is a very simple two wire communication interface developed in 1982 and is often used in first and second year introductory courses in Electrical Engineering and Computer Science to introduce the basics of computer communications.

II. LEGAL STANDARDS

22. In this section, I describe my understanding of certain legal standards. I have been informed of these legal standards by IBM’s attorneys. I am not an attorney and I am relying only on instructions from IBM’s attorneys for these legal standards.

A. Person of Ordinary Skill in the Art

23. I understand that a person having ordinary skill in the art is a hypothetical person who looks to prior art without the benefit of hindsight.

24. I understand that the hypothetical person of ordinary skill in the art is presumed to have knowledge of all references that are sufficiently related to one another and to the pertinent art, and to have knowledge of all arts reasonably pertinent to the particular problem that the claimed invention addresses.

25. I also understand that a person of ordinary skill in the art is also a person of ordinary creativity, not an automaton. A person of ordinary skill, while not someone who undertakes to innovate, is capable of drawing inferences and taking creative steps.

B. Legal Standard for Claim Construction

26. I have been instructed by counsel that claim construction is a matter of law for the Court to decide. Claim terms should be given their ordinary and customary meaning within the context of the patent in which the terms are used, i.e., the meaning that the term would have to a person of ordinary skill in the art in question at the time of the invention in light of what the patent teaches.

27. I understand that to determine how a person of ordinary skill would understand a claim term, one should look to those sources available that show what a person of skill in the art would have understood disputed claim language to mean. Such sources include the words of the claims themselves, the remainder of the patent’s specification, the prosecution history of the patent (all considered “intrinsic” evidence), and “extrinsic” evidence concerning relevant scientific principles, the meaning of technical terms, and the state of the art.

28. I understand that words or terms should be given their plain and ordinary meaning unless there is no plain meaning or it appears that the inventors were using them to mean something else. In making this determination, however, of paramount importance are the claims, the patent specification, and the prosecution history.

29. I understand that, in construing a claim term, one looks primarily to the intrinsic patent evidence, including the words of the claims themselves, the remainder of the patent specification, and the prosecution history.

30. I understand that extrinsic evidence, which is evidence external to the patent and the prosecution history, may also be useful in interpreting patent claims when the intrinsic evidence itself is insufficient.

31. I understand that the claims of a patent define the purported invention. I understand that the purpose of claim construction is to understand how one skilled in the art would have understood the claim terms at the time of the purported invention.

III. TECHNOLOGY BACKGROUND

32. A computer program is a sequence of instructions that tell a computer processor (CPU) what to do. Although the author of a computer program would be understandably upset if processors refused to obey the instructions, the blind obedience they are designed to deliver makes them incredibly vulnerable to misuse. Computer processors will not question the instructions they are given no matter how harmful. Moreover, processors can run billions of instructions per second whether a human is monitoring them or not.

33. Even when they can be monitored, computer instructions that make up a software program are too large, too complicated, and too cryptic for a human to easily review. Even if they could be inspected, it is very difficult to ensure that they are not modified at any time before they reach the processor.

34. Accordingly, those individuals and organizations that attempt to produce harmful computer instructions and those that attempt to stop them have been and will always be in an arms race. Each year, the “bad guys” (e.g., hackers, adversaries) will find a new way to get processors to do things they should not and each year the “good guys” (e.g., virus protection providers, security professionals) will have to find new ways to defeat them. This ongoing struggle was already in full swing by the beginning of the 1990’s as the anti-virus community matured both in academic research and commercial products.

35. The ’473 patent describes a particular kind of malware called a keylogger. A keylogger is a software program that is designed to make a record or “log” of the keys by capturing them as they are entered by a user. ’473 patent at 1:35-48. Keyloggers are not necessarily malicious. They can be implemented for diagnostic or other beneficial purposes. In general, however, unauthorized keylogger software is deemed malware. Id. at 1:54-64. Keyloggers can be implemented in either hardware or software. A hardware keylogger might take the form of a device that sits between the keyboard and the computer itself. Thus, with a hardware keylogger, instead of the keyboard being plugged directly into the computer, the keyboard is plugged into a malicious device which is plugged into the computer. This device then logs all the user’s keystrokes. Keyloggers can also be implemented in software. Id. at 1:54-64. In principle, software keyloggers are the same as hardware keyloggers. They are installed at a low-level in a computer so they can access the keyboard’s inputs, utilizing techniques such as hooking operating system APIs and system drivers, screen capturing, form grabbing, hook-based keystroke logging, or other methods. Id. at 1:61-64. As a consequence, they have early access to the keyboard, and can capture its keystrokes. However, both low-level keylogger malware software and hardware keyloggers are indiscriminate in what they log. Therefore, the vast majority of the information captured is not useful to a cybercriminal, and the sensitive information targeted by the cybercriminal would be difficult to impossible to identify. Id. at 2:14-24.

36. One type of keylogging software that utilizes the indiscriminate method of keylogging is a hook-based keylogger. Id. at 1:64-2:13. This keylogging software uses a software method called a “hook” to, essentially, install itself immediately next to the keyboard’s hardware drivers. Id. at 1:64-2:3. The hook acts as a filter and, as a result of this filter, whenever the keyboard hardware driver performs an operation, the hook is triggered, and the keylogger is able to capture the information. Id. at 2:3-6. Thus, when a user directs his browser to a website, the filter registers that keylogging would be timely, and records all keystrokes passing through the operating system’s hardware drivers. Id. One method described by the ’473 patent monitors and records each key press that generates an Interrupt Request (IRQ) to the motherboard. Id. at 2:8-11. The keylogger will then save this data, which can be delivered to a cybercriminal by some means. Id. at 2:11-13. However, because this type of keylogger is triggered no matter what website is visited, the captured data is indiscriminate and voluminous, and not necessarily useful to a cybercriminal. Id. at 2:14-21.

37. Cybercriminals developed a way around this problem by developing keylogger malware that not only interacts with the hardware keyboard drivers, but also interacts with software web browsers. Id. at 2:26-31. Since sensitive information such as banking or credit card numbers, or usernames and passwords are typically the cybercriminal’s target, keylogger software can be developed that more accurately targets the sensitive information. Id. at 2:27-34. Form grabbers take advantage of the knowledge that the targeted sensitive information will most likely be implemented in a “form” in a web page. Id. Since web browsers have defined code, protocols, and functions for implementing and utilizing forms, a savvy cybercriminal can develop a keylogger that targets these forms. Id. at 2:39-47.

38. Form grabbing keyloggers place themselves, effectively, between the internet browser and the called web page. Id. at 2:48-49. As a consequence, the form grabber is able to record all data passed to the form such as credit card numbers at the same time it is being passed by the browser to the server. Id. at 2:51-52.

39. By way of emphasis, hook-based keyloggers are generally operating within the operating system itself (similar to a driver) while form grabbing keyloggers are generally operating in the application space (within the browser program itself and outside of the privileged operating system). Id. at 2:59-61. Additionally, they differ in that hook-based key loggers capture each character as it is pressed, while form grabbers wait for form fields to be filled, and then retrieve the information directly from the form. Id. at 2:62-64.

40. At a high-level, the systems containing these different types of keyloggers are depicted in Figure 1:

41. Described as “the generalized location[s]” of components of “the environment in which embodiments of the invention operate,” this figure depicts at a high level the flow of information and the types of keyloggers described above, all of which the ’473 patent purports to counter. Id. at 5:14-28. Keylogger 115 is a generalization of the location of a hook-based key logger, while keylogger 135 is a generalization of the location of a form grabbing keylogger. See id.

42. The ’473 patent claims the use of “API stacks,” which I explain herein. Application programming interfaces, or APIs, are a common and widely used computer science concept. An API is the interface by which one software program, including the operating system, interacts with another. Microsoft Windows has APIs, as does Microsoft Office. This allows other applications to access the functionality, including the system drivers, necessary to perform their intended function. More explicitly, for security, reliability and performance reasons applications are not generally allowed to access system operations, such as reading and writing files directly. Instead, applications must use the operating system’s API to access system operations. Accordingly, a list of operating system API’s must be published so that applications can perform their programmed tasks. While not all applications have API’s, most that do provide them for modification, extension, or other dynamic interactions. As stated previously, Internet Explorer provides API’s so that plugins called Browser Helper Objects can provide customized additional functionality.

43. Stacks are another common computer science concept. Stacks are a type of 1-dimensional array of information. In a stack, the last element in is the first element out. This is called a LIFO (last-in, first-out) data structure. A stack can be contrasted with a queue, in which the first element in is the first element out. In effect, the stack defines the ordering of whatever information it is being used to store. For example, a stack might be used to keep track of running processes, allowing shorter term processes which were initiated more recently to finish first.

44. Not all software has the same access to the operating system and other functions in a running software system. In this way, a stack can be used to define the relationship between privileged interactions in the software system. The differences between privileged access levels are commonly discussed in the context of protection rings, which provide a visualization for these access levels. The lowest, most protected, and most privileged, level is the 0-ring level. The 0-ring level has direct access to the system’s hardware functions. It is commonly referred to as the “kernel,” or “kernel level.” The ’473 patent describes this precise arrangement. ’473 patent at 8:50-53. In contrast, the highest, or least protected, level is the 3-ring level, known as the “application level” or “user space”. The 3-ring level is where a software application such as a web browser or a word processing program resides. The ’473 patent describes this as well. Id. at 8:57-60.

45. The relationship between ring levels is shown in Figure 3, which depicts a “Typical Web Browser API Stack,” a “Web Browser API Stack with Keylogger,” and a “Web Browser API Stack with Anti-Keylogger and Keylogger”:

46. In modern computers, certain protections are enforced at different ring levels, such as allowing certain highly sensitive operations only in ring-0 or only allowing accessing certain memory locations in ring-0. For example, an operating system may prevent a 3-ring web browser from executing the “read” command for reading directly from memory. Instead, to execute this command, it will execute a “trap” to kernel mode through a variety of API calls. This sequence of API calls accessed by the application, including the eventual “read” command at the kernel level, is a stack of APIs, or an “API stack.”

IV. Summary of Opinions

47. I have reviewed the ’473 patent and its prosecution history. I understand that the claims are construed from the perspective of a person of ordinary skill in the art, using the specification as a guide to the meaning of the claims. Based on that understanding, in my opinion, the term “most privileged access level” should be construed as “kernel level,” and the term “an application programming interface (API) stack” means either “API stack accessed by an application including the operating system’s API” or “an ordered collection of APIs accessed by an application including the operating system’s API.”

V. CLAIM CONSTRUCTION

48. In conducting my analysis of the construction of the claims of the ’473 patent, I have applied the legal understandings set out in Section II of this Declaration.

49. I understand that Trusted Knight previously asserted U.S. Patent No. 8,316,445, the great-grandparent of the ’473 patent, against IBM in a case filed in the District of Delaware. Trusted Knight Corp. v. Int’l Bus. Mach. Co. et al., C.A. No. 1:14-cv-01063-LPS (D. Del.) (“Delaware Case”). I understand that on June 12, 2015, the parties jointly filed a Joint Claim Construction Chart in that case. (Delaware Case, Dkt. 49).

50. In that claim construction chart, I understand that the parties provided an agreed construction for “zero-ring level” or “0-Ring level” that is pertinent to the terms of the ’473 patent disputed in this case:

’445 Patent Term: zero-ring level / 0-Ring level
Agreed Construction: most privileged access level

51. Trusted Knight does not address the fact that “most privileged access level” is an agreed construction for “0-Ring level” in its brief.

52. In that claim construction chart, I further understand that the parties provided disputed constructions for the phrase “an application programming interface (‘API’) stack of a browser” that is pertinent to the terms of the ’473 patent disputed in this case:

’445 Patent Term: an application programming interface (“API”) stack of a browser
IBM Proposed Construction: the API stack accessed by a browser when the browser uses the operating system’s API
Trusted Knight Proposed Construction: the interfaces for process and library functions of a browser

53. I understand that on July 31, 2015, both IBM and Trusted Knight submitted opening claim construction briefs in which they argued their respective proposed constructions for the API stack term. (Delaware Case, Dkts. 58, 59).

54. I understand that on August 28, 2015, before the parties submitted their answering claim construction briefs, the parties jointly filed a Joint Supplemental Claim Construction Chart in the Delaware Case. (Delaware Case, Dkt. 68). In that claim construction chart, I understand that the parties provided an agreed construction for the API stack term that is pertinent to the terms of the ’473 patent disputed in this case:

’445 Patent Term: an application programming interface (“API”) stack of a browser
Agreed Construction: API stack accessed by a browser including the operating system’s API

55. The construction the parties agreed to is nearly identical to the construction originally proposed by IBM. Trusted Knight does not address this prior agreement in its brief.

56. I understand that on February 13, 2020, the parties jointly filed a Joint Claim Construction Chart. (Dkt. 59). I understand that chart includes the parties’ proposed constructions for each of the disputed constructions and includes both intrinsic and extrinsic evidence in support of those constructions. (Dkts. 49-1, 49-2).

A. Terms Requiring Construction

57. In my opinion, the claim terms identified below, when viewed in light of the specification and prosecution history, should be construed as IBM proposes.

1. “most privileged access level”

58. The claim limitation containing the phrase “most privileged access level” recites, in full, “installing and maintaining an anti-key logger at a most privileged access level for browser events in an Application Programming Interface (API) stack.” The context surrounding the disputed claim term is important because, in isolation and without further context, “most privileged access level” is meaningless to a person having ordinary skill in the art. A person of ordinary skill in the art, seeing that term in isolation would be forced to ask: the “most privileged access level of what?” Only with the added context provided by the claim does its meaning become clear: it is the most privileged access level of an API stack, and a person of ordinary skill in the art would understand that level is the kernel level.

59. By itself, “most privileged access level” is not a term with a commonly understood meaning or a dictionary definition. Nevertheless, it is a term with a readily apparent meaning to a person of ordinary skill in the art, because the specifications of the ’473 patent and the ’445 patent that it incorporates by reference are clear that the level with the most privileges—i.e., the “most privileged” level—is the “0-ring” or “ring 0” level, also known as the “kernel level.”

60. Although “most privileged access level” is not a commonly used term, in context it is readily understandable to a person of ordinary skill in the art, for several reasons.

61. First, during the Delaware Case involving the ’445 patent, the parties agreed that “most privileged access level” was a construction for the “0-Ring level” claim term used in that patent. The ’473 patent was f



