Case 3:17-cv-05659-WHA Document 410-5 Filed 03/28/19 Page 1 of 9

EXHIBIT E

EXPERT REPORT OF AVIEL D. RUBIN

I. INTRODUCTION

1. I have been retained as an independent expert in this lawsuit by the law firm of Irell & Manella LLP on behalf of Juniper Networks, Inc. (“Juniper”). I have been asked to provide an opinion related to whether Claim 10 of U.S. Patent No. 8,677,494 (“the ‘494 Patent”) contains an inventive concept sufficient to transform the claimed abstract idea into a patent-eligible application. As discussed in further detail in this declaration, it is my opinion that Claim 10 does not contain an inventive concept sufficient to transform the claimed abstract idea into a patent-eligible application.

2. In addition to opinions outlined in this report, I may also provide testimony (1) in rebuttal to Finjan’s positions, including opinions of its experts and materials they discuss or rely upon, (2) based on any Orders from the Court, (3) based on documents, contentions, or other discovery that Finjan or others have not yet produced or were produced too late to be considered before my report was due, and/or (4) based on witness testimony which has not been given or was given too late to be considered before my report was due. I reserve the right to supplement or amend my opinions as further documentation and information is received.

3. If called to testify in this matter, I may use as exhibits various documents produced in this matter that refer or relate to the matters discussed in this report. I have not yet selected the particular exhibits that may be used. In addition, I may create or assist in the creation of certain demonstrative exhibits or summaries of my findings and opinions to assist me in testifying. Such exhibits have not yet been created.

II. BACKGROUND AND QUALIFICATIONS

4. I am being paid at my customary rate of $775 per hour for time spent on this case. I am also being reimbursed for reasonable and customary expenses. My compensation is not dependent in any way on the results of the lawsuit or the substance of my testimony.

5. I provide below an overview of my background and qualifications. Additional details of my education and employment history, professional service, patents, publications, and other testimony are set forth in my current curriculum vitae (CV), which can be found here:

`10571956
`
`
`- 1 -
`
DECL OF AVIEL D RUBIN REGARDING § 101
Case No 3:17-cv-05659-WHA
29. In IPR2016-00159, the PTAB issued a Final Written Decision invalidating Claim 1 of the ‘494 Patent in view of a prior art article titled “Dynamic Detection and Classification of Computer Viruses Using General Behaviour Patterns” by Morton Swimmer et al. (“Swimmer”). IPR2016-0159, Paper 50 (Ex. 19) at 45. More specifically, the PTAB found that all of the overlapping limitations in Claim 10 (i.e., everything from the limitations that is not bolded/underlined in the table above) was disclosed in the art before the priority date for the ‘494 Patent.

30. In reaching this conclusion, the PTAB applied a construction of the term “a list of suspicious computer operations” as “a list of all operations that could ever be deemed potentially hostile.” Paper 50 at 33. That construction differs from the construction of the term applied by the Court in this proceeding of “a list of computer operations in a received Downloadable that are deemed hostile or potentially hostile.” Dkt. No. 189 at 5. But the Board noted that its “ultimate conclusions regarding patentability of the challenged claims did not turn on [its] adoption of that construction….” Paper 50 at 33. Indeed, the Board found “that Swimmer discloses deriving security profile data including a list of suspicious computer operations even under Patent Owner’s proposed construction,” which was “a list of computer operations deemed suspicious.” Paper 50 at 33-34. I agree with the Board that Swimmer discloses deriving “a list of computer operations deemed suspicious.” In addition, Finjan’s prior proposed construction is substantially similar to the construction adopted by the Court in this matter, and therefore it is my opinion that the Board’s previous finding that Swimmer teaches all of the limitations in Claim 1 applies in this proceeding as well.

B. The Element Of A “Receiver For Receiving An Incoming Downloadable” Does Not Contain An Inventive Concept.

31. It is my opinion that using a “receiver” to receive an incoming Downloadable is not an inventive concept. Rather, receivers were well known, routine, and conventional in the art before the priority date of Claim 10 of the ‘494 Patent, and using a receiver to receive an incoming file (including Java files, HTML, PDFs, Microsoft Word, executables, etc.) was a routine and conventional use of a receiver.

32. For example, Swimmer teaches that a receiver can be used for receiving an incoming Downloadable in a malware detection system. Ex. 3 at 13 (“One possibility is to use it as a type of firewall for programs entering a protected network.”). I note that Finjan did not even challenge whether Swimmer taught a receiver during the IPR proceedings. See generally IPR 2016-00159, Paper 17 (Patent Owner’s Response) (Ex. 20).

33. There are numerous other prior art references that disclosed using a “receiver” to receive a Downloadable. See, e.g., U.S. Patent No. 5,802,275 (Ex. 29) (filed June 22, 1994) at Claim 6 (“a receiver for receiving [] programs”); U.S. Patent No. 6,065,118 (Ex. 30) (filed September 24, 1996) at Claim 11 (“importing to the system a data stream containing at least one mobile program component which is to execute on the computer system from an external source”) and Claim 7 (“the program components which are to be intercepted and run within the execution location are Applets”).

34. Indeed, firewalls and network gateways were well-known long before the priority date of the ‘494 Patent, and all firewalls and network gateways must necessarily have a receiver for receiving files to be processed. See, e.g., U.S. Patent No. 6,065,118 (Ex. 30) at Claim 5 (“the execution location is provided with at least one firewall between the execution location and one of the external sources of data and the end user system”).

C. The Element Of “A Downloadable scanner coupled with said receiver, for deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable” Does Not Contain An Inventive Concept

35. It is my opinion that using a “Downloadable scanner” to derive security profile data for a Downloadable, including a list of suspicious operations that may be attempted by the Downloadable was not an inventive concept at the time of the priority date for the ‘494 Patent.

36. As noted above, the PTAB found that Swimmer disclosed the function of “deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable,” as recited in Claim 1. The PTAB determined, however, that the Petitioner had not demonstrated that Swimmer taught a “scanner,” because Swimmer’s system was a dynamic analyzer—as opposed to a more traditional “scanner” such as a static analyzer. IPR2016-00159, Paper 50 at 51-52.

`10571956
`
`
`- 9 -
`
`DECL OF AVIEL D RUBIN REGARRDING § 101
`Case No 3:17-cv-05659-WHA
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 410-5 Filed 03/28/19 Page 5 of 9
`
`
`
37. I understand that the Court in this matter has since construed the term “scanner” to mean “software that searches code to identify suspicious patterns or suspicious computer operations.” Dkt. No. 189 at 13. I further understand that the Court has interpreted its construction to include dynamic analyzers. Dkt. No. 189 at 14. If dynamic analyzers are included within the scope of the term “scanner,” then Swimmer clearly discloses this element of Claim 10. Ex. 3 at, e.g., 9-10 (“The audit system was integrated into an existing PC emulation by placing hooks into the module for processing all opcodes corresponding with the events (see fig. 4). These are primarily calls to the DOS functions. … Internally, the audit trail complies to a canonical format, which is [] very generic, and allows most types of records to be implemented.”).

38. Whether or not the construction of “scanner” includes dynamic analyzers, it is my opinion that the use of a “scanner” to derive security profile data (including suspicious computer operations) was conventional as of the priority date of the ‘494 Patent and is not an inventive concept. In fact, at the time of the priority date for the ‘494 Patent, one of the most typical ways for a program to determine whether a file was malicious was by using “software that searches code to identify suspicious patterns or suspicious computer operations.” One example of malware detection that used a “scanner” is static analysis, where the features and characteristics of a file are analyzed without actually executing the code and checking, for example, for specific byte sequences or other patterns in the code, or using heuristic analysis that identifies features such as if the file has an invalid digital signature, has a high entropy, or has no publisher information. Static analyzers have existed since at least the mid-1980s.

39. By the early 1990s, scanners performing static analysis that used parsing techniques¹ to decompose code and flag specific extracted components (including operations) that were suspicious were commonly used. See, e.g., Ex. 4 at p. 5 (“Hexadecimal patterns may be used to detect the presence of the virus with . . . a dedicated virus scanner.”); Ex. 3 at p. 3 (“Scanning techniques are further

¹ At the lowest level, computer instructions are in numerical form called “machine code” that is only legible to a computer, which are directly executable by a computer’s central processing unit. A “disassembler” can be used to abstract the machine code into a low-level but human-readable language known as “assembly language.” Instructions written in assembly language, however, are still generally difficult for a human to understand, so for analysis purposes, programs are often parsed to “decompile” the machine code into source code, which is the more human-understandable language in which a computer program is generally written. Parsing involves identifying and separating various parts of a program into the instructions and parameters that make up the program.

`10571956
`
`
`- 10 -
`
`DECL OF AVIEL D RUBIN REGARRDING § 101
`Case No 3:17-cv-05659-WHA
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 410-5 Filed 03/28/19 Page 6 of 9
`
`
(“suspect instructions”).

42. To the extent “scanner” is interpreted to include dynamic analyzers (as per the Court’s Order discussed above), there were numerous additional prior art references that disclosed the use of a dynamic analyzer to derive a security profile that included suspicious operations. “Dynamic” analysis or “emulation,” means that the file is actually executed or “detonated” in a safe, simulated environment known as a “sandbox” that determines what the file actually does when it is executed. Dynamic analysis has existed since at least the early 1990s, and there were many dynamic analyzers that created security profiles that included suspicious operations. For example, Swimmer teaches using dynamic analysis to create a Downloadable security profile that includes a list of suspicious operations. See supra.

43. As another example, the paper “Automated Assistance for Detecting Malicious Code” by R. Crawford et al. similarly teaches using dynamic analysis to create a Downloadable security profile that includes a list of suspicious computer operations. For example, Crawford teaches that “the MCT [Malicious Code Testbed] also provides automated support for detecting hierarchical advanced – occurrences of interesting activities during the execution of the suspicious program. This capability allows the MCT to represent the suspicious program’s behavior in terms of whatever higher-level abstractions have been defined by the security analyst.” Ex. 8 at 4-5. Thus, Crawford discloses a scanner under the Court’s construction (“MCT”) that derives a list of suspicious computer operations (“suspicious program’s behavior in terms of [] higher-level abstractions”).

44. As another example, the SRI International paper titled “Detecting Unusual Program Behavior Using the Statistical Component of the Next-generation Intrusion Detection Expert System (NIDES)” by Debra Anderson et al., teaches using dynamic analysis to create a Downloadable security profile that includes a list of suspicious computer operations. For example, Anderson teaches: “Aspects of subject behavior are represented as measures…. For each measure, we construct a probability distribution of short-term and long-term behaviors. … We refer to the collection of measures and their long-term probability distributions as the subject’s profile.” Ex. 9 at 3-4. Thus, Anderson teaches a scanner under the Court’s construction (NIDES) that derives a list of suspicious computer operations (unusual short-term behaviors comprising part of the “subject’s profile”).

45. As evidenced by the abundance of prior art literature discussing the use of static and dynamic analyzers that create security profiles that include lists of suspicious operations in the files that are being analyzed, there is nothing transformative or inventive about this element. Rather, this element claims a typical and conventional component (“scanner”) that is used for its typical and conventional purpose (deriving security profile data, including suspicious operations). It is further my opinion that there is nothing transformative or inventive about combining the well-known components of a receiver and a scanner to perform the recited functions, even as an ordered combination that requires the receiver to first receive an incoming downloadable before the scanner performs. To the contrary, this is the usual and typical order for performing malware analysis (i.e., first the system receives the file, then it scans the file and generates the profile).

D. The Element Of “Database Manager Coupled With Said Receiver, For Storing The Downloadable Security Profile Data In A Database” Does Not Contain An Inventive Concept

46. It is my opinion that using a “database manager” to store downloadable security profile data in a database was not an inventive concept at the time of the priority date for the ‘494 Patent.

47. As noted above, the PTAB found that Swimmer disclosed the function of “storing the Downloadable security profile data in a database,” as recited in Claim 1, but that Petitioner had not met its burden to show that Swimmer disclosed a “database manager” that performs this function. IPR2016-00159, Paper 50 at 52-53.

48. I understand that the term “database” has been construed by prior Courts and PTAB panels as a “collection of data organized according to a database schema to serve one or more applications.” I further understand that the Court in this matter has not yet resolved the meaning of “database schema” within the context of this construction. That said, Finjan’s expert Dr. Medvidovic, testified that “a person skilled in the art at the time [of the priority date of the ‘494 Patent] would understand a ‘database schema’ to be ‘a description of a database to a database management system (DBMS) in the language provided by the DBMS.’” IPR 2016-00159, Paper 17 at 35 (Patent Owner’s Response quoting Medvidovic declaration ¶¶ 60, 106, 134). Thus, Finjan seems to acknowledge that all “databases” within the meaning of the ‘494 Patent have a database management system (which is another term for “database manager”).

`10571956
`
`
`- 13 -
`
`DECL OF AVIEL D RUBIN REGARRDING § 101
`Case No 3:17-cv-05659-WHA
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 410-5 Filed 03/28/19 Page 8 of 9
`
`
the structural components (i.e., the receiver, scanner, and database manager) are being used to perform their conventional functions (i.e., storing, deriving security profile information, and storing data in a database).

55. Moreover, the functional steps described in the claim are being performed in the typical and expected order—i.e., first receive a file, then perform a malware analysis, then store the results. Thus, there is nothing unconventional or inventive about the order in which the steps are being performed.

56. In addition, the PTAB found that the functional combination of deriving security profile data for a Downloadable (including a list of suspicious operations) and then storing that profile in a database was disclosed by the Swimmer prior art reference, so the combined functions also lack an inventive concept.

57. I understand that—prior to the PTAB’s finding that Claim 1 is invalid in view of Swimmer—the Blue Coat court found that the ‘494 invention was patentable under Alice Step Two because, “the claims, taken as an ordered combination, recite an inventive concept sufficient to render them patent-eligible.” Blue Coat, 2016 WL 7212322, at *10-11. More specifically, the Blue Coat court found that “spatially, the ‘494 claims move malware profiling from its traditional location on end-user computers to an intermediate location on the network,” and “temporally, the ‘494 claims shift malware profiling logic from something that must be applied to a single, complete file to something that must be applied to extracted aspects or components of a file (namely, operations) after it has been decomposed.” Id. at *11.

58. Given the plain language of the claim, the subsequent IPR proceedings, and the factual record developed in this case, I disagree with the Blue Coat court’s conclusion that there were “spatial” and “temporal” concepts that made the ‘494 Patent inventive.

59. For example, with regard to the “spatial” concept, there is nothing in the claim language that actually requires the ‘494 invention to be implemented on an intermediate location on the network. Specifically, there is nothing in the Court’s construction of “scanner,” “suspicious operations,” or any other term that limits the invention to an intermediate location on the network. Finjan does not even appear to dispute this. Ex. 10 at 65:21-66:5.

`10571956
`
`
`- 16 -
`
`DECL OF AVIEL D RUBIN REGARRDING § 101
`Case No 3:17-cv-05659-WHA
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 410-5 Filed 03/28/19 Page 9 of 9
`
`
decomposed. See, e.g., Ex. 3 at 3 (“When polymorphic technology improved, statistical analysis of the opcodes² was used. Recently, the best of the scanners have shifted course for merely detecting viruses to attempting to identify the virus. This is often done with added strings, perhaps position dependent, or checksums, over the invariant part of the virus. … The next shift many scanners are presently experiencing is away from known virus only detection to detection of unknown viruses. … This is most often done by looking for a pattern of certain code fragments most often in viruses….”).

64. Finjan has also argued that Claim 10 contains an inventive concept because it supposedly allows for the detection of new viruses, rather than only identifying known viruses. But the concept and process of detecting new viruses was not new as of the priority date of the ‘494 Patent. Indeed, Swimmer specifically notes that “many scanners are [shifting] away from known virus only detection to detection of unknown viruses.” Ex. 3 at 3. And it further notes that “This is most often done by looking for a pattern of certain code fragments most often in viruses.” Id. Thus, the prior art shows that this was a common technique and not anything unconventional or inventive.

65. In sum, it is my opinion that there is nothing transformative or inventive about Claim 10, even as an ordered combination and even if the “spatial” and/or “temporal” concepts articulated by the Blue Coat court were actually recited in the claim.

IX. POSSIBLE REVISIONS TO REPORT

66. I intend to review and consider any additional information provided to me after the production of this report and I reserve the right to supplement or revise my analysis and conclusions.

Date: September 11, 2018

Aviel D. Rubin

² Ex. 3 at 9 (noting that “opcodes” are “primarily calls to the DOS functions” in a program).
`10571956
`
`
`- 18 -
`
`DECL OF AVIEL D RUBIN REGARRDING § 101
`Case No 3:17-cv-05659-WHA
`
`
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket