Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 1 of 12
`Case 4:18-cv-07229—YGR Document 52-5 Filed 03/16/20 Page 1 of 12
`
`
`
`
`
`EXHIBIT D
`
`EXHIBIT D
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 2 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 1 of 11
`
`Exhibit P
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 3 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 2 of 11
`Trials@uspto.gov
`Paper 62
`571-272-7822
`Entered: March 15, 2017
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`PALO ALTO NETWORKS, INC. and SYMANTEC CORP.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2015-019791
`Patent 8,141,154 B2
`
`____________
`
`
`
`Before, THOMAS L. GIANNETTI, RICHARD E. RICE, and
`MIRIAM L. QUINN, Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`
`
`FINAL WRITTEN DECISION
`35 U.S.C. § 318(a) and 37 C.F.R. § 42.73
`
`
`1 This case is joined with IPR2016-00919. Paper 28 (“Decision on
`Institution of Inter Partes Review and Grant of Motion for Joinder,” filed by
`Symantec Corp.).
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 4 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 3 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`lexicographer,” and “2) when the patentee disavows the full scope of a claim
`term either in the specification or during prosecution.” See Thorner v. Sony
`Computer Entm’t Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012).
`If an inventor acts as his or her own lexicographer, the definition must
`be set forth in the specification with reasonable clarity, deliberateness, and
`precision. Renishaw PLC v. Marposs Societa’ per Azioni, 158 F.3d 1243,
`1249 (Fed. Cir. 1998) (citing In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir.
`1994)). Although it is improper to read a limitation from the specification
`into the claims, In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993),
`claims still must be read in view of the specification of which they are a part.
`Microsoft Corp. v. Multi-Tech Sys., Inc., 357 F.3d 1340, 1347 (Fed. Cir.
`2004).
`
`“content”
`In our Decision on Institution, we did not construe expressly any
`claim terms. Dec. 5. During trial, however, Patent Owner proposed a
`construction of the term “content” as “a data container that can be rendered
`by a client web browser.” PO Resp. 5. Petitioner challenges this
`construction as unduly narrow in view of the Specification. Reply 6. In
`particular, Petitioner argues that the Specification does not define the term
`and provides no “clear disavowal” of claim scope. Id. 67. According to
`Petitioner, the Specification and extrinsic evidence support a broader
`construction of “content” to mean “code.” Id. at 78 (citing Ex. 1001,
`12:4952; Ex. 2005, 80:1123).
`Because they are not consistent with the broadest reasonable
`interpretation in light of the specification, and as discussed further below, we
`
`6
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 5 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 4 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`do not adopt either of the parties’ proposed constructions. Our reasoning
`follows.
`The ’154 patent is titled “System and Method for Inspecting
`Dynamically Generated Executable Code.” Ex. 1001, [54]. Although the
`title refers to “executable code,” the term “content” is used elsewhere in the
`patent when describing the invention. The Abstract further clarifies that a
`“method for protecting a client computer from dynamically generated
`malicious content, includ[es] receiving at a gateway computer content being
`sent to a client computer for processing, the content including a call to an
`original function[.]” Id. Abstract (emphasis added). The gateway computer
`modifies the “content,” which is then transmitted to the client computer for
`processing there. Id.
`By way of background, the ’154 patent explains that the “ability to
`run executable code such as scripts within Internet browsers” has caused a
`new form of viruses “embedded within web pages and other web content,
`and[, which] begin executing within an Internet browser as soon as they
`enter a computer.” Id. at 1:3440. In particular, the ’154 patent describes
`these new “dynamically generated viruses” as “taking advantage of features
`of dynamic HTML generation, such as executable code or scripts that are
`embedded within HTML pages, to generate themselves on the fly at
`runtime.” Id. at 3:3139. Therefore, according to the ’154 patent
`“dynamically generated malicious code cannot be detected by conventional
`reactive content inspection and conventional gateway level behavioral
`analysis content inspection, since the malicious JavaScript is not present in
`the content prior to run-time.” Id. at 3:654:2. The invention, therefore,
`seeks to protect against “dynamically generated malicious code, in addition
`
`7
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 6 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 5 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`to conventional computer viruses that are statically generated.” Id. at
`4:3034.
`To accomplish this objective, the ’154 patent describes the gateway
`computer receiving “content from a network, such as the Internet, over a
`communication channel.” Id. at 8:4748. The “content may be in the form
`of HTML pages, XML documents, Java applets and other such web content
`that is generally rendered by a web browser.” Id. at 8:4851; see also id. at
`13:4952 (“Such content may be in the form of an HTML web page, an
`XML document, a Java applet, an EXE file, JavaScript, VBScript, an Active
`X Control, or any such data container that can be rendered by a client web
`browser.”); 13:4952. A “content modifier 265” at the gateway modifies
`“original content received” by the gateway computer and produces modified
`“content, which includes a layer of protection to combat dynamically
`generated malicious code.” Id. at 9:1316. It does this by scanning the
`“original content” and identifying certain function calls. Id. at 9:1620.
`Selected function calls are then replaced with a corresponding substitute
`function call. Id. at 9:2126.
`One example of a function call in the original content is identified as
`“Document.write (‘content that is dynamically generated at run-time’).” Id.
`at 11:5512:2. The original content is modified by replacing the original
`function call Document.write() with a substitute function call
`Substitute_document.write(). Id. at 10:3136. The client computer then
`receives the “content, as modified by the gateway computer.” Id. at
`11:6364. And it is this modified content that the client computer processes,
`
`8
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 7 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 6 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`by invoking the substitute function call and transmitting the input of that
`substitute function for inspection. Id. at 16:2229.
`From the above descriptions, we understand the ‘154 patent
`Specification to refer to three categories of content. First, there is the
`“original content” that is scanned and modified at the gateway computer.
`Second, there is the “modified content” transmitted to, and received by, the
`client computer. Third is the “dynamically generated malicious content”
`that is generated at runtime and, thus, is undetected by the gateway computer
`in the “original content.”
`We also understand that the purpose of the ’154 patent is to protect
`the client computer from this “dynamically generated malicious content,”
`which is sometimes also referred to in the Specification as “dynamically
`generated malicious code.” See, e.g., Ex. 1001, 4:3133 (“new behavioral
`analysis technology affords protection against dynamically generated
`malicious code”); 4:3840 (“before the client computer invokes a function
`call that may potentially dynamically generate malicious code”); 8:1720
`(“FIG. 2 is a simplified block diagram of a system for protecting a computer
`from dynamically generated malicious executable code, in accordance with a
`preferred embodiment of the present invention”); 8:3840 (“The present
`invention concerns systems and methods for protecting computers against
`dynamically generated malicious code.”).
`Notwithstanding the variety of content described in the Specification,
`the term “content” is recited broadly in all challenged claims as “content
`including a call to a first function.” For example, claim 1 recites a content
`processor for “processing content received over a network, the content
`
`9
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 8 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 7 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`including a call to a first function, and the call including an input.” Id. at
`17:3436.
`The claim language also requires that the processed “content” be
`received over a network. Because the recited “first function” is the
`substituted function whose input is verified, the claimed “content,” in the
`context of the surrounding claim language, must refer to the modified
`content received at the client computer. See id. at 17:3940 (“transmitting
`the input [of the first function call] to the security computer for inspection,
`when the first function is invoked”). The claimed content cannot refer to the
`“original content” that is received by the gateway computer and over the
`Internet because that content, according to the Specification, would be
`capable of generating the undetected dynamically generated malicious
`content from which the client computer is to be protected.
`Based on this understanding, we do not agree with Patent Owner that
`the recited “content” is “a data container that can be rendered by a client
`web browser.” See PO Resp. 6. Although the Specification states that
`“content may be in the form of an HTML web page, an XML document, a
`Java applet, an EXE file, JavaScript, VBScript, an ActiveX Control, or any
`such data container that can be rendered by a client web browser,” that
`passage describes the “original content,” not the “modified content.” See
`Ex. 1001, 13:4952. Furthermore, even if that description were applicable
`to the “modified content,” the Specification uses the permissive words
`“may” and “can,” which suggests that the description of the form of the
`content in the Specification was not intended to set forth a definition for the
`term “content.” See i4i Ltd. P’ship v. Microsoft Corp., 598 F.3d 831, 844
`
`10
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 9 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 8 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`(Fed. Cir. 2010) (declining to limit claim term where the specification used
`permissive language).
`Furthermore, although the Specification addresses embodiments
`concerning web pages received over the Internet, the Specification does not
`limit the “content” to web content only, or to content that can be rendered by
`a web browser. For example, in describing a content processor, the
`Specification states that it “may be a web browser running on client
`computer 210.” Ex. 1001, 10:6062. This description again uses permissive
`language that suggests the intent not to limit the content to a data container
`that can be rendered by a client web browser. We also find it informative
`that in discussing the communication channels over which the client
`computer receives the “modified content,” the Specification states that
`“communication channels 220, 225 and 230 [of Figure 2] may each be
`multiple channels using standard communication protocols such as TCP/IP.”
`Ex. 1001, 8:679:2.9 That is, the network over which the content is received
`may be any network that delivers data using a standard communication
`protocol, not just the Internet.
`Accordingly, we are not persuaded that the Specification supports a
`construction of “content” that is limited to the specific embodiment of a data
`container that can be rendered by a client web browser, as Patent Owner
`argues. In re Van Geuns, 988 F.2d 1181, 1184, (Fed. Cir. 1993)
`(“Moreover, limitations are not to be read into the claims from the
`specification.”) (internal citations omitted).
`
`9 TCP/IP is an abbreviation for Transmission Control Protocol over Internet
`Protocol, and it is the most widely used communication protocol for delivery
`of data over networks, including the Internet. TCP/IP, WILEY ELECTRICAL
`AND ELECTRONICS ENGINEERING DICTIONARY, 774 (2004) (Ex. 3001).
`
`11
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 10 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 9 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`We are not persuaded, in addition, that Petitioner has made a
`sufficient showing that a person of ordinary skill in the art would understand
`the plain meaning of “content” as “code.” To support its proposed
`construction, Petitioner relies on the cross-examination testimony of its own
`expert, Dr. Aviel Rubin. Ex. 2005, 80:1123. His testimony, however, is
`not persuasive because he proffers no reasoning for the conclusion that
`“content” is “code” under the broadest reasonable interpretation:
`Q· · What is your understanding of what “content” means?
`A· · In the context of the ’154 patent, content would be code.
`Q· · What do you mean by code?
`A· · Code, like an HTML page that has JavaScript in it.
`Q· · When you say code, do you mean any type of code?
`A· · Well, if you just say content, we are going to take the broadest
`reasonable interpretation of that. It would be any type of code, yes.
`
`Id.10
`Although it seems reasonable to say that the content includes “code,”
`
`no persuasive evidence limits the claimed content to only code. As we noted
`above, the Specification refers to code, sometimes interchangeably with
`content, but only in the context of dynamically generated code. The
`dynamically generated code, however, is not generated until runtime and,
`therefore, is not contained in the “modified content” that the client receives.
`See Ex. 1001, 3:654:2 (“dynamically generated code cannot be detected by
`conventional reactive content inspection and conventional gateway level
`
`
`10 We do not give weight to the testimony proffered by Dr. Medvidovic with
`regard to claim construction of this term given the contradictory positions
`asserted in this regard. See Reply 8.
`
`12
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 11 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 10 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`behavioral analysis content inspection, since the malicious JavaScript is not
`present in the content prior to run-time.”). Furthermore, the Specification
`describes various forms in which the content occurs, such as an HTML web
`page and Java applets (id. at 13:4952), but does not address sufficiently
`what is the “content” itself. But see, id. at 11:5051 (“suppose the content is
`an HTML page”).
`
`Given the broad disclosure of a network, as discussed above, the
`reference to a “data container” (id. at 13:5152) and “network content” (id.
`at 4:3737), the concern over scripts embedded in web pages or “other web
`content” (id. at 1:3739), we conclude that the Specification of the ’154
`patent uses the claimed “content” to refer broadly to the data or information,
`modified for processing, that the client receives from the network, where, in
`the case of the Internet, it may refer to a web page and its elements. This
`interpretation is consistent also with the meaning of the term in the art, as
`evidenced by dictionaries concerning computing and engineering. See
`content, Microsoft Computer Dictionary, 125 (5th ed. 2002) (Ex. 3002)
`(defining “content” as (1) “the data that appears between the starting and
`ending tags of an element in an SGML, XML, or HTML document. The
`content of an element may consist of plain text or other elements,” (2) “The
`message body of a newsgroup article or e-mail message;” and (3) “The
`‘meat’ of a document, as opposed to its format or appearance.”); see also
`content, WILEY ELECTRICAL AND ELECTRONICS ENGINEERING DICTIONARY,
`142 (2004) (Ex. 3001) (“Information, especially that which is available
`online, which may be any combination of text, audio, video, files, or the
`like.”).
`
`13
`
`

`

`Case 4:18-cv-07229-YGR Document 52-5 Filed 03/16/20 Page 12 of 12
`Case 3:17-cv-05659-WHA Document 390-19 Filed 03/14/19 Page 11 of 11
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`Accordingly, under the broadest reasonable interpretation in the
`context of the Specification and the surrounding claim language, we
`conclude that “content” is data or information, which has been modified and
`is received over a network.
`“call to a first function”
`The term “call to a first function” is recited in all challenged claims.
`The arguments presented regarding this limitation turn on the scope of the
`word “call.” Specifically, Patent Owner attempts to distinguish the claims
`over Khazan by arguing that a “jump” instruction is not the recited “call” to
`a function. PO Resp. 2527. Dr. Medvidovic, Patent Owner’s expert,
`proffers opinions on the issue by relying on a definition of “function call”
`derived from the Microsoft Press Computer Dictionary. Ex. 2002 ¶ 110
`(citing Ex. 2014). That Dictionary provides that a “function call” is “[a]
`program’s request for the services of a particular function.” Id.; Ex. 2014. It
`also explains that “[a] function call is coded as the name of the function
`along with any parameters needed for the function to perform its task.” Id.
`The Specification of the ’154 patent does not define the term “call to a
`first function.” The Specification, however, does use the phrase “function
`call” to state that “before the client computer invokes a function call that
`may potentially dynamically generate malicious code, the client computer
`passes the input to the function to the security computer for inspection.” Ex.
`1001, 4:3743 (emphasis added). The Specification also states that “the
`present invention operates by replacing original function calls with substitute
`function calls within the content, at a gateway computer, prior to the content
`being received at the client computer.” Id. at 4:5760. Therefore, we
`understand the Specification to use the phrase “function call” in the same
`
`14
`
`