After over a decade of litigating, winning multiple appeals and inter partes review (IPR) proceedings, and finally earning a $185 million jury verdict against cybersecurity giant Gen Digital Inc. that operates the Norton antivirus brand, Columbia University saw a massive setback with last week’s Federal Circuit opinion. The opinion touched on several topics in modern patent litigation, including subject matter eligibility under § 101 and damages, and its lessons will be felt far beyond the parties of this case.
In the early 2000s, antivirus protection was primarily performed by comparing suspicious code to a database of known viruses; however, this technique had the obvious flaw that new viruses that didn’t match any known signature could remain undetected and cause damage (e.g., “zero-day” attacks). Instead of determining whether suspicious code matches known viruses, Columbia’s researchers developed a solution to this drawback by evaluating whether the suspicious code performed anomalously. Specifically, an emulator would execute suspicious code, and the function calls made during that emulation would be compared against a model of how those function calls were expected to behave; any sequence of anomalous function calls would be an early indication of previously-unidentified viruses. But the key to Columbia’s innovation was a “combined model,” which was built from data gathered across many computers simultaneously. Instead of requiring a single machine to run and observe a program for days or weeks before developing a behavioral baseline, the system would instead use thousands of interconnected computers to perform the observation function simultaneously. This yielded a faster, more robust model that was difficult for sophisticated attackers to undermine through mimicry attacks designed to fool a single standardized model. These techniques were the basis of Columbia’s U.S. Patents 8,074,115 and 8,601,322 at issue in this appeal.
Columbia first filed suit in 2013 in the Eastern District of Virginia, with the Federal Circuit reversing the district court’s construction of the term “anomalous” and remanding. In 2018, the Patent Trial and Appeal Board invalidated several of the originally asserted claims as obvious in separate IPR proceedings, which the Federal Circuit affirmed. Norton then filed for judgment on the pleadings, arguing that the remaining claims were patent-ineligible under 35 U.S.C. § 101. However, the district court denied Norton’s motion, concluding that under Step One of the Alice analysis, the claims were directed to a concrete, non-abstract improvement in computer virus scanning, and never reached Step Two of Alice. The case finally went to trial in 2022, where the jury found willful infringement and awarded Columbia over $185 million in royalties.
Norton appealed to the Federal Circuit, arguing that the asserted claims were invalid as being directed to an abstract idea under Step One of Alice. The district court had answered this question in Columbia’s favor by consulting the patent’s specification, rather than by evaluating what the claims actually recite. For example, claim 1 of the ‘322 patent recites:
- A method for detecting anomalous program executions, comprising:
- executing at least a portion of a program in an emulator;
- comparing a function call made in the emulator to a model of function calls for the at least a portion of the program, wherein the model is a combined model created from at least two models created at different times; and
- identifying the function call as anomalous based on the comparison.
Using the principle that eligibility relies on what is claimed, and not what is disclosed in the specification, the Federal Circuit found that “the supposed improvements are not required by the language of the asserted claims at all.” The Court noted that the claims did not define the term “emulator,” and that the specification only generally describes the function of the emulator as monitoring and executing programs. Columbia argued that several claim elements rendered the claims non-abstract, including the use of non-conventional selective emulation, the creation of non-standard models for “randomly choosing particular features from the application execution that is modeled,” and using distributed sensor data across an application community. Yet the Federal Circuit rejected each of these arguments, noting that either Columbia had forfeited these arguments due to inadequate briefing or the claims simply failed to recite these features. The Federal Circuit also noted that the claim element of “executing at least a portion of a program in an emulator” in claim 2 of the ‘322 patent actually suggested that emulating the entire program was also possible, undercutting Columbia’s argument that selective emulation was required and what the claims are directed to.
Columbia also attempted to analogize its claims with those at issue in Finjan, Inc. v. Blue Coat Systems (Fed. Cir. 2018), in which the Court upheld a behavioral virus-detection patent because the claims recited linking a novel “security profile” file with a suspicious downloadable file, which embodied the technological improvement. In contrast, the Court found that Columbia’s claims merely recited a generic method of comparison, without any technological improvement.
Nonetheless, the Court left some hope for Columbia to save its patents, remanding for the district court to address the Alice, Step Two, question of whether the “model of function calls” limitation is an inventive concept sufficient to transform the abstract idea into a patent-eligible application. The Court acknowledged that whether this specific technique was conventional at the time of the invention raises a genuine factual question that the pleadings alone could not resolve. Thus, Columbia may demonstrate at the district court that this modeling of function calls was unconventional when its researchers developed the technique.
This is yet another opinion emphasizing the fundamental lesson for patent applicants that, despite a patent specification describing the invention, eligibility will be evaluated on what the claims recite, rather than what the inventors intended or specification explains. Columbia’s patents described selective emulation, diversified models, distributed sensor networks, and resistance to mimicry attacks, yet none of those features were fully claimed. This opinion also reaffirms that generic efficiency improvements by using multiple computers, without a specific, claimed technical improvement, will fail Step One under Alice, but that the Court will remand, if necessary, to ensure that both steps are fully considered.
