Case 4:18-cv-07229-YGR Document 125-2 Filed 10/22/20 Page 1 of 99

EXHIBIT B

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 90/013,660
FILING DATE: 12/11/2015
FIRST NAMED INVENTOR: 7975305
ATTORNEY DOCKET NO.: FINREXM0012
CONFIRMATION NO.: 5600

07/02/2018
7590
115222
Bey & Cotropia PLLC (Finjan Inc.)
Dawn-Marie Bey
213 Bayly Court
Richmond, VA 23229

EXAMINER: BANANKHAH, MAJID A
ART UNIT: 3992
PAPER NUMBER:
MAIL DATE: 07/02/2018
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte FINJAN, INC.
Appellant

Appeal 2017-010477
Reexamination Control 90/013,660
Patent 7,975,305 B2
Technology Center 3900

Before DENISE M. POTHIER, JEREMY J. CURCURI, and IRVIN E. BRANCH, Administrative Patent Judges.

Opinion for the Board filed by Administrative Patent Judge BRANCH.

Opinion Dissenting filed by Administrative Patent Judge CURCURI.

BRANCH, Administrative Patent Judge.

DECISION ON APPEAL

U.S. Patent 7,975,305 B2 (July 5, 2011; Rubin et al., hereinafter "the '305 patent") is under reexamination. Appellant appeals under 35 U.S.C. §§ 134(b) and 306 from the Examiner's rejection of claims 1, 2, 5, and 13. Final Act. 3-47. We have jurisdiction under 35 U.S.C. §§ 134(b) and 306. We heard the appeal on December 12, 2017. The '305 patent is also the subject of Inter Partes Review Case IPR2017-01738, for which a decision instituting Inter Partes Review was filed on January 31, 2018.

Claims 1, 2, 5, and 13 are rejected under 35 U.S.C. § 103(a) as obvious over Wells (US 8,140,660 B1; Mar. 20, 2012). Final Act. 3-22.

Claims 1, 2, 5, and 13 are rejected under 35 U.S.C. § 103(a) as obvious over Sandu (US 2005/0172338 A1; Aug. 4, 2005) and Wells. Final Act. 22-47.

We affirm.

STATEMENT OF THE CASE

Appellant's invention relates to "network security, and in particular to scanning of mobile content for exploits." The '305 Patent col. 1, ll. 24-25. Claim 1 is illustrative and reproduced below with the key disputed limitation emphasized:

    1. A security system for scanning content within a computer, comprising:

    a network interface, housed within a computer, for receiving incoming content from the Internet on its destination to an Internet application running on the computer;

    a database of parser and analyzer rules corresponding to computer exploits, stored within the computer, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe computer exploits as patterns of types of tokens, tokens being program code constructs, and types of tokens comprising a punctuation type, an identifier type and a function type;

    a rule-based content scanner that communicates with said database of parser and analyzer rules, operatively coupled with said network interface, for scanning incoming content received by said network interface to recognize the presence of potential computer exploits therewithin;

    a network traffic probe, operatively coupled to said network interface and to said rule-based content scanner for selectively diverting incoming content from its intended destination to said rule-based content scanner; and

    a rule update manager that communicates with said database of parser and analyzer rules, for updating said database of parser and analyzer rules periodically to incorporate new parser and analyzer rules that are made available.

THE OBVIOUSNESS REJECTION OF CLAIMS 1, 2, 5, AND 13 OVER SANDU AND WELLS

Contentions

The Examiner finds the combination of Sandu and Wells teaches all limitations of claim 1. Final Act. 22-44. In particular, the Examiner finds Sandu discloses the disputed "database of parser and analyzer rules" limitation. Final Act. 29-36 (citing Sandu Figs. 4, 5A, 5B, 5C, 8, and ¶¶ 11, 12, 29, 37, 38, 40-53, 59, 60-62, 66).

Appellant argues that the Examiner errs because Sandu does not disclose parser rules, analyzer rules, or a rules-based scanner. App. Br. 29-46. More specifically, Appellant argues that "what Sandu (and the Examiner) refers to as parsing and parser rules, are more appropriately compared with the 'normalizer 240' 'normalization rules' and 'decoders 250' of the 'tokenizer 210' of the '305 Patent; none of which is descriptive of the claimed parser rules which describe computer exploits as patterns of types of tokens." Id. at 31. Appellant also argues that "Sandu's singular, static action of comparing a generated script signature to known malware signatures[,] without identifying any exploits therewithin, can hardly be equated to the claimed 'analyzer rules'," and there is no "rule-based scanner" in Sandu. Id. at 35-36. Appellant argues further that Sandu does not "identify any individual exploits within an executable script and, therefore, the malware signatures disclosed in Sandu are not the claimed 'analyzer rules' because they do not correspond to 'computer exploits'." Id. at 37. Appellant also argues error because the Examiner failed to consider Appellant's evidence of secondary considerations. Id. at 46-48.

Analysis

Sandu discloses a malware detection system for determining whether an executable script is malware according to the script's functionality. Sandu ¶ 12. Sandu's malware detection system includes a "normalization module," a "signature comparison module," and a "malware signature store." Id. ¶ 29. Sandu discloses normalization to be "translat[ing] the functional contents of [an] executable script 208 into a common, 'normal' format, referred to as a script signature." Id.

Sandu discloses that normalizing an executable script made up of multiple routines includes identifying "routine tokens" in the executable script one routine at a time. Routine tokens include "variables, operators, constants, execution directives, comments, subroutines, white space, and the like." Id. ¶ 40. Sandu discloses grouping routine tokens for a given routine as a "routine token set" and grouping a collection of routine token sets for a given executable script as a "script signature." Id. ¶ 53. Figure 8 of Sandu is reproduced below and depicts the output from normalization.

[Sandu, Fig. 8: image not reproduced]

Figure 8 depicts a script signature 800 made up of several routine token sets 700, 802, and 804. Id. ¶ 59.

Sandu discloses that

    after having generated a first script signature 210, at block 304, the first script signature is compared to known malware script signatures stored in the malware signature store 206. Script signatures, such as script signature 210, are compared on a routine basis, i.e., the signature comparison module 204 attempts to match routine token sets in the script signature 210 to routine token sets of known malware signature scripts stored in the script signature store 206.

Id. ¶ 60.

The Examiner finds that Sandu's "routine token sets" correspond to the claimed "parser rules."¹ Ans. 37 ("The 'routine token sets' in the signature store are a good example of parser rules because they are related to known malware (computer exploit), and they are presented as patterns of types of tokens.").

¹ Notably, claim 1 recites "parser and analyzer rules" (App. Br. 50 (Claims App'x)) not "parser rules" and "analyzer rules" as discussed by both the Examiner and Appellant. For simplicity, we refer to the disputed "parser . . . rules" as "parser rules" throughout the Opinion.

Appellant argues error in the Examiner's finding that Sandu's "routine token sets" correspond to the claimed "parser rules." App. Br. 29-46. Appellant argues the Examiner improperly imported extrinsic evidence to arrive at an incorrect construction of "parser rules." Id. at 8-10. Appellant argues "[t]he '305 Patent discloses 'parser rules' or 'parsing rules' as 'patterns of tokens that form syntactical constructs of program code' that 'identify groups of tokens as a single pattern'." Id. at 8 (citing '305 Patent 2:22-24, 10:53-54). We understand Appellant to argue that "parser rules" should be construed as "patterns of tokens that form syntactical constructs of program code that identify groups of tokens as a single pattern."

According to the '305 Patent,

    "[r]ule files for a language describe character encodings, sequences of characters that form lexical constructs of the language, referred to as tokens, patterns of tokens that form syntactical constructs of program code, referred to as parsing rules, and patterns of tokens that correspond to potential exploits, referred to as analyzer rules."

The '305 Patent 2:20-25. The '305 Patent also discloses that "[a] parse tree contains a node for each token identified while parsing, and uses parsing rules to identify groups of tokens as a single pattern." Id. at 10:52-54. Claim 1 recites "a database of parser and analyzer rules corresponding to computer exploits, [that] describe computer exploits as patterns of types of tokens," "types of tokens comprising a punctuation type, an identifier type and a function type." Claim 13 includes a similar recitation.

We find that the broadest reasonable construction of "parser rules" is "patterns of tokens that form syntactical constructs of program code." The '305 Patent explicitly defines parser rules as such. Id. at 2:20-25. We do not find, however, that the broadest reasonable construction of parser rules includes "identif[ing] groups of tokens as a single pattern," as Appellant argues. App. Br. 8. The '305 Patent describes "identif[ing] groups of tokens as a single pattern" as a use for "parser rules," but does not otherwise limit the term's construction.

Without regard to whether our construction of "parser rules" differs from the Examiner's construction, we are unpersuaded of error in the Examiner's finding that "parser rules" reads on Sandu's routine token sets, which are found in malware signatures in malware signature store 206. Ans. 37 (citing Sandu ¶¶ 29, 46); see also Sandu, Fig. 2. For purposes of illustration, Figure 8 depicts "a block diagram illustrating an exemplary script signature, containing exemplary routine token sets generated by the first normalization pass" (¶ 23), which is then compared to script signatures of known malware in Sandu's signature store. Sandu ¶ 60. Because script signatures from executable scripts under evaluation (Fig. 8) are compared to script signatures of known malware in the signature store (i.e., a database of parser and analyzer rules) by attempting to match a script signature's routine token sets with known malware script signatures' routine token sets, Sandu teaches or suggests to one skilled in the art that the script signatures in the script signature store (e.g., 206) have a structure that corresponds to that depicted in Figure 8.

Sandu's routine token sets, similar to those depicted in Figure 8, are "parser rules" because the routine token sets are "patterns of tokens that form syntactical constructs of program code." Routine token sets are "normalized" versions of actual program code constructs (i.e., "tokens" such as the "if" "then" statements in routine token sets 802 and 804). Moreover, the tokens form patterns, such as the "if" "then" patterns, and are "types of tokens," including at least functions (e.g., "getobject" in elements 802 and 804), identifiers (e.g., "iiswebvirtualdir" in element 804), and punctuation (e.g., "=" and "." in elements 700, 802, and 804). Sandu, Fig. 8.

Accordingly, we are unpersuaded by Appellant's arguments (App. Br. 29-35; Reply Br. 16-19) that Sandu does not disclose "parser rules." Except for the Examiner's reference to extrinsic evidence (i.e., the definition of "parsing" in Final Act. 48-49, cited in App. Br. 9), we adopt the Examiner's findings and conclusion that Sandu teaches or suggests "parser rules," and we rely on the Examiner's response to Appellant's arguments to the contrary. Final Act. 29-36; Ans. 34-39. We highlight the following for emphasis.

Appellant argues that "one of ordinary skill in the art can easily recognize the overlapping concepts of tokenization and normalization [in Sandu], which exclude the claimed parser rules." App. Br. 31 (relying on Declaration of Dr. Nenad Medvidovic ("Medvidovic Declaration") ¶ 46; see App. Br. 29-35, Reply Br. 16-19, Medvidovic Declaration ¶¶ 44-48. We are not persuaded that Sandu's tokenization and normalization "exclude" parser rules as claimed. Properly construed in accordance with the '305 Patent, (see infra), "parser rules" include Sandu's "routine token sets" in the script signature store, which describe computer exploits as "patterns of tokens that form syntactical constructs of program code" and do not require the parser rules to identify groups of tokens as a single pattern as Dr. Medvidovic determines. See Medvidovic Declaration ¶¶ 46-47.

We also are not persuaded by Appellant's arguments that the Examiner errs because Sandu's "'routine token sets' from 'the script signature' of Sandu were not generated in accordance with the claimed parser [] rules," and that the claims require a scanner to parse incoming content "in accordance with" parser rules. Reply Br. 18 (emphasis added). Appellant's arguments in this regard are beyond the scope of the claims. Claim 1 recites a database of parser and analyzer rules but does not describe using the rules in the manner Appellant argues (i.e., generating script signatures in accordance with the parser rules or parsing the incoming content in accordance with the parser rules). At best, claim 1 recites a scanner "that communicates with said database of parser and analyzer rules" and is "for scanning incoming content." Similarly, claim 13 recites scanning incoming content "based on" the database of parser and analyzer rules, which Sandu does when comparing the generated script signature to script signatures in the script signature store. But claim 13 does not recite a scanner using parsing rules to parse incoming content as Appellant argues. Id.

In view of the foregoing, Appellant's argument that Sandu does not teach or suggest "parser rules" is unpersuasive. App. Br. 29-35, Reply Br. 16-19.

Appellant argues that Sandu does not disclose "analyzer rules" and a "rules-based content scanner." App. Br. 35-46, Reply Br. 19. Appellant's arguments in this regard are premised on the claimed "computer exploits" precluding Sandu's "malware." See, e.g., App. Br. 36 ("Sandu is enabled for a binary YES/NO 'complete match' determination in comparing a generated script signature to known malware signatures; without identifying any exploits therewithin") and 45 ("the definition of 'exploit' is consistently described as portions of code that are malicious and generally described in terms of composite pattern matches, involving combinations of more than one pattern").

We are not persuaded for the reasons stated by the Examiner (Ans. 39-43), which Appellant does not persuasively rebut (see, e.g., Reply Br. 19). In particular, we agree with the Examiner that malware is a form of computer exploit when construed in light of the disclosure. Final Act. 58. Sandu discloses recognizing computer exploits as patterns of routine token sets, which are themselves patterns of tokens as discussed infra. Sandu, Figs. 3A-B, 8 and ¶ 60.

ADDITIONAL ARGUMENTS

Appellants argue that "the Examiner has failed to adequately consider and weigh the evidence of non-obviousness presented in the Declaration of Dr. Medvidovic and the Declaration of Michael Kim." Reply Br. 19; see App. Br. 46-48. We disagree with Appellant's arguments for the reasons stated by the Examiner. Ans. 43-45.

Because we are unpersuaded of error in the Examiner's rejection of the claims as obvious over Wells and Sandu, we need not reach the merits of Appellant's arguments regarding the Examiner's rejection of the claims as obvious over Wells alone. See In re Gleave, 560 F.3d 1331, 1338 (Fed. Cir. 2009).

In view of the foregoing, we are unpersuaded of error in the Examiner's findings and conclusion that the combination of Wells and Sandu render independent claims 1 and 13 obvious, as well as the claims that depend therefrom.

DECISION

The Examiner's decision rejecting claims 1, 2, 5, and 13 is affirmed.

Extensions of time for taking any subsequent action in connection with this appeal are governed by 37 C.F.R. § 1.550(c). See 37 C.F.R. § 41.50(f).

AFFIRMED

CURCURI, Administrative Patent Judge, DISSENTING:

I would not sustain the Examiner's obvious rejection based on Sandu and Wells of claims 1, 2, 5, and 13.

The Examiner finds Sandu and Wells teach all limitations of claim 1. Final Act. 23-44. In particular, the Examiner finds Sandu's normalization module 202 in Figure 2 teaches the recited "parser rules." See Final Act. 29-36; see also Ans. 34-39. In particular, the Examiner finds Sandu's malware signatures teach the recited "analyzer rules." See Final Act. 29-36; see also Ans. 34-43.

The majority decision relies on a different mapping of the recited "parser rules" to Sandu than I do. The majority decision maps the recited "parser rules" to Sandu's routine token sets found in malware signatures. Although the majority's position is supported on the record at page 37 of the Examiner's Answer, this position appears to be inconsistent with the Examiner's overall analysis. See Final Act. 29-36; see also Ans. 34-43. I also find the majority's position problematic because it results in mapping both the recited "parser rules" and the recited "analyzer rules" to Sandu's malware signatures. Accordingly, I believe the correct way to analyze this rejection is with the recited "parser rules" mapped to Sandu's normalization module, and in turn, I reach a different result than the majority.

Among other arguments, Appellant presents the following principal arguments:

i. The Examiner's interpretation of the claim term "parser rules" is incorrect. See App. Br. 8-10; see also Reply Br. 4-11.

ii. Sandu does not disclose the claimed parser rules. See App. Br. 29-35; see also Reply Br. 16-19. Sandu describes tokenization and normalization (Sandu, Figure 2, normalization module 202), but these concepts do not describe the claimed parser rules; rather, Sandu's tokenization and normalization correspond to the '305 patent's normalizer 240 and decoder 250 of tokenizer 210 in Figure 2 of the '305 patent. See App. Br. 30-31 (citing Decl. Medvidovic ¶ 46); see also App. Br. 32-34 (comparing Sandu's disclosure of parsing (tokenization) and normalizing with the '305 patent's disclosure of tokenization (normalizing and decoding)) and App. Br. 34-35 (citing Decl. Medvidovic ¶ 47) ("The normalization and tokenization in the '305 Patent and Sandu are pre-parsing steps taken to prepare the raw incoming data stream for future action."). After these pre-parsing steps, Sandu's match routine then performs a static comparison of the script signature to known malware signatures, while the '305 patent then utilizes parser and analyzer rules that describe computer exploits as patterns of types of tokens to find potential exploits. See App. Br. 34-35.

Regarding the terms "parser rules" and "analyzer rules," Appellant's Specification discloses

    Rule files for a language describe character encodings, sequences of characters that form lexical constructs of the language, referred to as tokens, patterns of tokens that form syntactical constructs of program code, referred to as parsing rules, and patterns of tokens that correspond to potential exploits, referred to as analyzer rules.

The '305 patent 2:20-25.

The Specification of the '305 patent makes clear that what it "refer[s] to as parsing rules" are "patterns of tokens that form syntactical constructs of program code" and that what it "refer[s] to as analyzer rules" are "patterns of tokens that correspond to potential exploits." The '305 patent 2:22-25. This is done with sufficient "clarity, deliberateness, and precision" for the Specification's statements to qualify as definitions of the terms, which I would adopt as the constructions of "parser rules" and "analyzer rules." See Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994).

I would construe "parser rules" as "patterns of tokens that form syntactical constructs of program code." I would construe "analyzer rules" as "patterns of tokens that correspond to potential exploits." My constructions here for these terms are the same as the constructions for these terms in Inter Partes Review Case IPR2017-01738, in the decision instituting Inter Partes Review filed on January 31, 2018.

Regarding the Examiner's finding that Sandu's normalization module 202 in Figure 2 teaches the recited "parser rules," I do not agree with the Examiner. Sandu discloses tokenization and normalization. For example, Sandu discloses

    At block 506, a first token from the selected routine is obtained. Obtaining tokens from an executable script is well known in the art as parsing, in this case parsing the selected routine. Those skilled in the art will recognize that parsing identifies individual elements from the executable script. The individual elements are hereafter referred to as routine tokens. These routine tokens will comprise tokens of various types, including variables, operators, constants, execution directives, comments, subroutines, white space, and the like.

    At block 508, the current routine token is evaluated to determine its type, such as those token types described above. At block 510, a determination is made as to whether the routine token is a type of token that is to be ignored, i.e., one that is unimportant for comparison purposes and, correspondingly, not written to the routine token set. According to one embodiment of the present invention, few routine token types are ignore tokens during the first normalization of the executable script 208. For example, ignore tokens during the first normalization include comment tokens, execution directive tokens, and white space tokens.

    If the current routine token is of a type that can be ignored, at decision block 512, a further determination is made as to whether there are any additional routine tokens in the selected routine. If there are additional routine tokens, at block 514, the next routine token is obtained from the selected routine. Thereafter, the process 500 returns to block 508 where the newly obtained routine token is evaluated.

    Returning again to decision block 510, if the current routine token is not of a type that is ignored in this first normalization, the process 500 proceeds to decision block 518. At decision block 518 (FIG. 5B), a determination is made as to whether the routine token is a variable token. If the routine token is a variable token, at decision block 520, a further determination is made as to whether this particular variable token was already normalized. If this variable token has already been normalized, at block 526, the normalized variable name for the variable token is written to the routine token set.

    If the variable token has not already been normalized, at block 522, a normalized variable name is generated.

Sandu ¶¶ 40-44.

Thus, Sandu performs parsing to identify individual tokens, and the individual tokens are normalized (for example, normalize the names of variables and subroutines). I do not readily see, in Sandu's tokenization and normalization, any discussion of "patterns of tokens that form syntactical constructs of code" because, at best, Sandu's tokenization and normalization operate on lexical constructs of the language (individual tokens)—not on syntactical constructs of program code (patterns of tokens). Because the claimed "parser rules" require "patterns of tokens that form syntactical constructs of program code" and Sandu's normalization module operates on individual tokens, I would decide the Examiner erred in finding that Sandu's normalization module 202 in Figure 2 teaches the recited "parser rules." Put another way, the "parsing" or "parser rules" of Sandu's normalization module are not "parser rules" as claimed.

I, therefore, would not sustain the Examiner's obviousness rejection based on Sandu and Wells of claim 1. I would also not sustain the Examiner's obviousness rejection based on Sandu and Wells of claims 2 and 5, which depend from claim 1.

Independent claim 13 recites the same key disputed limitation. I, therefore, also would not sustain the Examiner's obvious rejection based on Sandu and Wells of claim 13.

I also would not sustain the Examiner's obvious rejection based on Wells of claims 1, 2, 5, and 13.

The Examiner finds Wells teaches all limitations of claim 1. Final Act. 3-22. In particular, the Examiner finds Wells's content pattern recognition language (CPRL) signatures teach the recited "parser and analyzer rules." See Final Act. 6-15; see also Ans. 15-34.

Among other arguments, Appellant presents the following principal argument:

Wells does not disclose the claimed parser and analyzer rules. See App. Br. 13-28; see also Reply Br. 12-16. Wells's CPRL code is not incoming program code (that may contain exploits and is subject to scanning); rather, CPRL code controls a processor to perform scanning. See App. Br. 13 (citing Decl. Medvidovic ¶¶ 29-30, 36, 37). Further, Wells's CPRL code predicates are not tokens because the claimed tokens are in the incoming program code that is being scanned. See App. Br. 14-15 (citing Decl. Medvidovic ¶¶ 29-30, 36-37). Further, the Examiner conflates tokens and parser rules by referring to Wells's CPRL predicates as parser rules and tokens. See App. Br. 15-18 (citing Decl. Medvidovic ¶¶ 29, 36, 37). Finally, Wells does not disclose the claimed patterns of types of tokens. See App. Br. 18-28 (citing Decl. Medvidovic ¶¶ 20, 28, 29).

Regarding the Examiner's finding that Wells's content pattern recognition language (CPRL) signatures teach the recited "parser and analyzer rules," I do not agree with the Examiner.

The Examiner's position, at its essence, is that Wells's CPRL signature is a "pattern of types of tokens, tokens being program code constructs..." and the CPRL signature describes a computer exploit. That is, the CPRL predicates are tokens, and the CPRL signature composed of predicates is used to identify an exploit.

Appellant's position, at its essence, is that, according to the claim language, the exploit itself must be described as a "pattern of types of tokens, tokens being program code constructs..."

I agree with Appellant.

The actual language of claim 1 includes "wherein the parser and analyzer rules describe computer exploits as patterns of types of tokens, tokens being program code constructs, and types of tokens comprising a punctuation type, an identifier type and a function type."

To the extent Wells's CPRL signature identifies a computer exploit, the CPRL signature does not describe the computer exploit as patterns of types of tokens. At best, the CPRL code takes a programmatic approach to identifying the exploit and the exploit is not described as patterns of types of tokens. Put another way, the CPRL signature may be a pattern of types of tokens, but the CPRL signature is not describing the exploit as a pattern of types of tokens.

I, therefore, would not sustain the Examiner's obviousness rejection based on Wells of claim 1. I would also not sustain the Examiner's obviousness rejection based on Wells of claims 2 and 5, which depend from claim 1.

Independent claim 13 recites the same key disputed limitation. I, therefore, also would not sustain the Examiner's obvious rejection based on Wells of claim 13.

Therefore, I would reverse the Examiner's decision rejecting claims 1, 2, 5, and 13.

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
www.uspto.gov

22313-1450

APPLICATION NO.

FILING DATE

FIRST NAMED INVENTOR

ATTORNEY DOCKET NO.

CONFIRMATI