Case 4:18-cv-07229-YGR Document 132-6 Filed 11/05/20 Page 1 of 75

EXHIBIT E

Attorney's Docket No.: FIN0001-CON1-CIP3-CIP1

PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In Re Patent Application of: Moshe Rubin, Moshe Matitya, Artem Melnick, Shlomo Touboul, Alexander Yermakov, Amit Shaked
Application No: 11/009,437
Filed: December 9, 2004
For: METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS
Examiner: Jeffrey L. Williams
Art Unit: 2437

Mail Stop AMENDMENT
Commissioner for Patents
P. O. Box 1450
Alexandria, VA 22313-1450

AMENDMENT AND RESPONSE TO OFFICE ACTION UNDER 37 C.F.R. §1.111

Dear Examiner Williams:

In response to the Office Action dated June 15, 2010, applicants respectfully request that the above-identified application be amended as requested herein. A telephone interview has been scheduled for October 28, 2010 at 11:00 AM to discuss this application and the undersigned respectfully requests that if possible, the Examiner not take additional action on this application until after the interview.

IN THE CLAIMS:

Please substitute the following claims for the pending claims with the same number:

1. (currently amended) A security system for scanning content within a computer, comprising:

a network interface, housed within a computer, for receiving incoming content from the Internet on its destination to an Internet application running on the computer;

a database of parser and analyzer rules corresponding to computer exploits, stored within the computer, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe computer exploits as patterns of types of tokens, tokens being program code constructs, and types of tokens comprising a punctuation type, an identifier type and a function type;

a rule-based content scanner that communicates with said database of parser and analyzer rules, operatively coupled with said network interface, for scanning incoming content received by said network interface to recognize the presence of potential computer exploits therewithin;

a network traffic probe, operatively coupled to said network interface and to said rule-based content scanner, for selectively diverting incoming content from its intended destination to said rule-based content scanner; and

a rule update manager that communicates with said database of parser and analyzer rules, for updating said database of parser and analyzer rules periodically to incorporate new parser and analyzer rules that are made available.

2. (previously presented) The security system of claim 1 wherein said database of parser and analyzer rules stores parser and analyzer rules in the form of pattern-matching engines.

3. (original) The security system of claim 2 wherein the pattern-matching engines are deterministic finite automata.

4. (original) The security system of claim 2 wherein the pattern-matching engines are non-deterministic finite automata.

5. (previously presented) The security system of claim 1 further comprising a content blocker, operatively coupled to said rule-based content scanner, for preventing incoming content having a computer exploit that was recognized by said rule-based content scanner from reaching its intended destination.

6. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is HTTP content.

7. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is HTTPS content.

8. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is FTP content

9. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is SMTP content

10. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is POP3 content

11. (original) The system of claim 1 wherein the destination Internet application is a web browser.

12. (original) The system of claim 1 wherein the destination Internet application is an e-mail client.

13. (currently amended) A method for scanning content within a computer, comprising:

receiving incoming content from the Internet on its destination to an Internet application;

selectively diverting the received incoming content from its intended destination;

scanning the selectively diverted incoming content to recognize potential computer exploits therewithin, based on a database of parser and analyzer rules corresponding to computer exploits, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe computer exploits as patterns of types of tokens, tokens being program code constructs and types of tokens comprising a punctuation type, an identifier type and a function type; and

updating the database of parser and analyzer rules periodically to incorporate new behavioral rules that are made available.

14. (previously presented) The method of claim 13 wherein said database of parser and analyzer rules stores parser and analyzer rules in the form of pattern-matching engines.

15. (original) The method of claim 14 wherein the pattern-matching engines are deterministic finite automata.

16. (original) The method of claim 14 wherein the pattern-matching engines are non-deterministic finite automata.

17. (previously presented) The method of claim 13 further comprising preventing incoming content having a computer exploit that was recognized by said scanning from reaching its intended destination.

18. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is HTTP content.

19. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is HTTPS content.

20. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is FTP content

21. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is SMTP content

22. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is POP3 content

23. (original) The method of claim 13 wherein the destination Internet application is a web browser.

24. (original) The method of claim 13 wherein the destination Internet application is an e-mail client.

25. (currently amended) A computer-readable storage medium storing program code for causing a computer to perform the steps of:

receiving incoming content from the Internet on its destination to an Internet application;

selectively diverting the received incoming content from its intended destination;

scanning the selectively diverted incoming content to recognize potential exploits therewithin, based on a database of parser and analyzer rules corresponding to computer exploits, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe exploits as patterns of types of tokens, tokens being program code constructs, and types of tokens comprising a punctuation type, an identifier type and a function type; and

updating the database of parser and analyzer rules periodically to incorporate new parser and analyzer rules that are made available.

REMARKS

Applicants have carefully studied the outstanding Office Action. The present amendment is intended to place the application in condition for allowance and is believed to overcome all of the objections and rejections made by the Examiner. Favorable reconsideration and allowance of the application are respectfully requested.

Applicants have amended claims 1, 13 and 25 to properly claim the present invention. No new matter has been added. Claims 1 - 25 are presented for examination.

Specification

On pages 2 and 3 of the Office Action, the Examiner has objected to the specification as failing to provide proper antecedent basis for the claimed subject matter. Specifically, the Examiner has indicated that there is no support for “patterns of types of tokens”.

Applicants note that the appendix to the specification discloses that tokens are characterized into types. Thus, as defined on page 46,

IDENT "[A-Za-z[!underscore!][!dollarsign!]][A-Za-z0-9[!underscore!][!dollarsign!]]*",

a token consisting of a character a-z or a character A-Z or an underscore or a dollar sign, followed by zero or more of a character a-z or a character A-Z or a number 0 - 9 or an underscore or a dollar sign, is of type IDENT. Similarly, as defined on page 47,

INTEGER_DECIMAL "[0-9]+",

a token consisting of one or more of the numbers 0 - 9, is of type INTEGER_DECIMAL; and

INTEGER_HEX "0[xX][0-9A-Fa-f]+",

a token consisting of 0x or 0X followed by one or more of the numbers 0 - 9 or the characters A-F or the characters a-f, is of type INTEGER_HEX.

Applicants respectfully submit that patterns of types of tokens appear throughout the specification. Inter alia, at par. [0067], the specification recites

A parse tree
uses parsing rules to identify groups of tokens as a single pattern.

Further, at par. [0085], the specification recites

For example, if a pattern "(IDENT) EQUALS NUMBER" is matched
if a matched
pattern is "(1 2 3) 4 5"

Further, at par. [0086], the specification recites

Reference is now made to FIG. 5, which is an illustration of a simple finite state machine for a pattern

(IDENT) <val=="foo" & match(*):Rule1> | <val=="bar"> EQUALS NUMBER

Specifically, the pattern of interest specifies either an IDENT token with value “foo” and that matches Rule1, or a List with value “bar”, followed by an EQUALS token and a NUMBER token.

Further, at par. [0094] the specification recites

For example, the pattern in the rule for FuncSig

(FUNCTION) (IDENT?) (List)

describes a keyword “function”, followed by zero or one IDENT tokens, and followed by a “List”. In turn, the pattern in the rule for List

(LPAREN) ((Expr (COMMA Expr)*)? (RPAREN)

describes an LPAREN token and an RPAREN token surrounding a list of zero or more Expr’s separated by COMMA tokens.

Further, at par. [0098], the specification recites

Referring back to the example above, the pattern

(IDENT) ASSIGNMENT IDENT <Val=="screen"> DOT IDENT <Val=="width">

within the rule for ScrWidAssign describes a five-token pattern; namely (i) an IDENT token, followed by (ii) an ASSIGNMENT token, followed by (iii) an IDENT token that has a value equal to “screen”, followed by (iv) a DOT token, followed by (v) an IDENT token that has a value equal to “width”. Such a pattern
corresponds to the example
exploit listed above

Clearly items (i) - (v) above form a pattern of token types IDENT ASSIGNMENT IDENT DOT IDENT.

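As an added illustration (not part of the filing or of the applicants' specification), the following Python sketch types tokens with the IDENT, INTEGER_DECIMAL and INTEGER_HEX definitions quoted above and recognizes the five-token pattern from par. [0098] with a small non-deterministic automaton over token types. The regexes for FUNCTION, ASSIGNMENT, DOT and LPAREN, the flattened FUNCTION IDENT? LPAREN pattern and the sample script are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional


class Token(NamedTuple):
    type: str
    value: str


class Step(NamedTuple):
    type: str                      # required token type
    value: Optional[str] = None    # optional <val=="..."> constraint
    optional: bool = False         # the "?" quantifier


# IDENT, INTEGER_DECIMAL and INTEGER_HEX follow the definitions quoted above, with
# [!underscore!] and [!dollarsign!] written as _ and $. The other regexes are
# assumptions made for this example. Order matters: keyword and hex literal first.
TOKEN_TYPES = [
    ("FUNCTION", r"function(?![A-Za-z0-9_$])"),
    ("INTEGER_HEX", r"0[xX][0-9A-Fa-f]+"),
    ("INTEGER_DECIMAL", r"[0-9]+"),
    ("IDENT", r"[A-Za-z_$][A-Za-z0-9_$]*"),
    ("ASSIGNMENT", r"(?<![=!<>])=(?!=)"),   # a lone "=", not part of ==, !=, <=, >=
    ("DOT", r"\."),
    ("LPAREN", r"\("),
    ("SKIP", r"\s+"),
    ("OTHER", r"."),
]
LEXER = re.compile("|".join(f"(?P<{name}>{rx})" for name, rx in TOKEN_TYPES))


def tokenize(source: str) -> List[Token]:
    """Split source into typed tokens, dropping whitespace."""
    return [Token(m.lastgroup, m.group())
            for m in LEXER.finditer(source) if m.lastgroup != "SKIP"]


# The five-token pattern quoted from par. [0098].
SCREEN_WIDTH_ASSIGN = [
    Step("IDENT"), Step("ASSIGNMENT"), Step("IDENT", "screen"),
    Step("DOT"), Step("IDENT", "width"),
]
# Assumed simplification of the FuncSig pattern: the List is reduced to its LPAREN.
FUNC_HEAD = [Step("FUNCTION"), Step("IDENT", optional=True), Step("LPAREN")]


def _closure(states, pattern):
    """Extend a set of automaton states across optional steps (epsilon moves)."""
    out = set()
    for s in states:
        out.add(s)
        while s < len(pattern) and pattern[s].optional:
            s += 1
            out.add(s)
    return out


def scan(tokens: List[Token], pattern: List[Step]) -> List[int]:
    """Return the index of every token at which a match of the pattern ends.

    State s means "the first s steps have matched"; a new match may start at
    any token, so state 0 is re-added before each token is consumed.
    """
    ends, active, final = [], set(), len(pattern)
    for i, tok in enumerate(tokens):
        active = active | _closure({0}, pattern)
        advanced = {s + 1 for s in active
                    if s < final and pattern[s].type == tok.type
                    and pattern[s].value in (None, tok.value)}
        active = _closure(advanced, pattern)
        if final in active:
            ends.append(i)
    return ends


# Constructed sample input, not taken from the specification.
SAMPLE = "var w = screen.width; function (a) { x = 0x1F; } function foo(b) {}"

if __name__ == "__main__":
    toks = tokenize(SAMPLE)
    for name, pat in (("SCREEN_WIDTH_ASSIGN", SCREEN_WIDTH_ASSIGN),
                      ("FUNC_HEAD", FUNC_HEAD)):
        for end in scan(toks, pat):
            print(name, "ends at token", end, repr(toks[end].value))
```

Because matching runs over token types rather than raw text, `w=screen . width` is recognized the same way as `w = screen.width`, while `x = 0x1F` reaches only the second step and is dropped.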

On page 3 of the Office Action, the Examiner has indicated that parsing rules for parsing of data into tokens, and analysis rules for analyzing the meaning of patterns of tokens are known concepts. Applicants respectfully submit that a point of novelty of the claimed invention is describing and recognizing computer exploits from patterns of types of tokens, which is not a known concept.

Claim Rejections - 35 USC 112

On pages 3 and 4 of the Office Action, the Examiner has rejected Claims 1 - 25 under 35 U.S.C. §112, first paragraph, as failing to comply with the written description requirement. Applicants respectfully submit that the amended claims are supported in the original specification, as indicated above.

On pages 4 and 5 of the Office Action, the Examiner has rejected claims 1 - 25 under 35 U.S.C. §112, second paragraph, as being indefinite. Moreover, the Examiner has indicated that applicants point only to portions of the specification that describe what is standard and known prior art teaching for parsing and analyzing languages according to parsing rules and analyzing rules. Applicants respectfully submit that the specification teaches recognition and detection of computer exploits from patterns of types of tokens, which is not standard and known prior art.

Claims Rejections - 35 USC 102 and 103

On pages 5 - 7 of the Office Action, the Examiner has rejected claims 1, 2, 5, 6, 8 - 13, 17, 18 and 20 - 25 under 35 U.S.C. §102(e) as being anticipated by Freund, U.S. Patent No. 5,987,611 (“Freund”).

On pages 7 and 8 of the Office Action, the Examiner has rejected claims 3, 4, 7, 14 - 16 and 19 under 35 U.S.C. §103(a) as being unpatentable over Freund.

The rejections of claims 1 - 25 on pages 5 - 8 of the Office Action will now be dealt with specifically.

As to amended independent claim 1 for a security system, applicant respectfully submits that the limitations in claim 1 of

“a database of parser and analyzer rules corresponding to computer exploits, stored within the computer, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe computer exploits as patterns of types of tokens, tokens being program code constructs, and types of tokens comprising a punctuation type, an identifier type and a function type”, and

“a network traffic probe, operatively coupled to said network interface and to said rule-based content scanner, for selectively diverting incoming content from its intended destination to said rule-based content scanner”

are neither shown nor suggested in Freund.

On page 9 of the Office Action, the Examiner has indicated that Freund teaches parsing data into recognizable tokens, wherein the tokens are not the same tokens and are distinct from one another. The Examiner is citing “tokens” in rejecting the claim limitations of “patterns of types of tokens”. Applicants wish to point out that the phrases “tokens” and “patterns of types of tokens” have different meanings. In particular, as used in the subject specification, “types of tokens” refers to a categorization of tokens into types. A “type” is a category. For example, the constructs APPLET, OBJECT, EMBED, SCRIPT, HREF and IMAGE are distinct tokens; yet they are all of the same type IDENT. Similarly, the constructs 0x01, 0XC33, 0x6B and 0X24AD3 are distinct tokens; yet they are all of the same type INTEGER_HEX.

Types of tokens disclosed in the subject specification include inter alia identifier tokens (say, type TYPE1), assignment tokens (say, type TYPE2), and punctuation tokens (say, type TYPE3). A pattern of types of tokens is, e.g., a pattern TYPE1 TYPE2 TYPE1 TYPE3 TYPE1; meaning, a token of type TYPE1 followed by a token of type TYPE2 followed by a token of type TYPE1 followed by a token of type TYPE3 followed by a token of type TYPE1; e.g., an identifier token followed by an assignment token followed by an identifier token followed by a punctuation token followed by an identifier token.

On page 9 of the Office Action, the Examiner has indicated that applicants fail to specifically explain how the recited language “patterns of types of tokens” distinguishes from the prior art. Applicants respectfully submit that the prior art does not relate to categorization of tokens into types, i.e., categories of tokens, and to description of computer exploits in terms of such categories. Moreover, the Examiner’s citations, e.g., Freund 23:44-55, 28:14-16 and 29:54 - 30:9 do not relate to patterns of types of tokens. Indeed, Freund 23:44-55 concerns types of Internet protocols, and not types of tokens. (An Internet protocol is not a token.) Freund 28:14-16 relates to filtering of rules. Freund 29:54 - 30:9 relates to specific tags (<APPLET>, <OBJECT>, <EMBED>, <SCRIPT>, <HREF> and <IMAGE>) and other “syntax elements” and “HTML components”. Applicants respectfully submit that tags, other syntax elements and HTML components may correspond to tokens, but they do not correspond to “patterns of types”.

Therefore, Freund does not teach categorization of tokens into types, nor description of computer exploits in terms of patterns of types of tokens.

In order to further clarify this distinction, applicants have amended claim 1 to include the limitation that types of tokens comprise a punctuation type, an identifier type and a function type.

In rejecting claim 1 on page 6 of the Office Action, the Examiner, referring to Freund, FIG. 3A:311, has indicated the Freund discloses a network traffic probe that selectively diverts incoming content from its intended destination to a rule-based content scanner. Applicants respectfully submit that elements 311a, 311b and 311c of Freund, FIG. 3A, are client-side monitors for monitoring Internet access (Freund 14:59-62), which do not divert incoming content to a content scanner. Indeed, Freund’s client-side monitors limit Internet access; they do not divert incoming content to a content scanner.

In rejecting claim 2 on page 6 of the Office Action, the Examiner has cited Freund 29:54 - 30:10 as disclosing that the rules enable the driver or parser to operate according to a particular manner. Applicants respectfully submit that Freund does not disclose storing parser and analyzer rules in the form of pattern-matching engines, and that rules that operate according to a particular manner does not anticipate or render obvious rules stored in the form of pattern-matching engines. Examples of rules in the form of pattern matching engines are provided on pages 47 - 51 in the appendix of the original specification, and storing rules in the form of pattern matching engines is discussed at paragraphs [0071] - [0078] of the original specification with reference to FIGS. 4A and 4B.

Because claims 3 - 12 depend from claim 1 and include additional features, applicants respectfully submit that claims 2 - 12 are not anticipated or rendered obvious by Freund.

Accordingly claims 1 - 12 are deemed to be allowable.

As to amended independent method claim 13 and amended independent claim 25 for a computer-readable storage medium, applicants respectfully submit that the limitations in claims 13 and 25 of

“selectively diverting the received incoming content from its intended destination”, and

“scanning the selectively diverted incoming content to recognize potential computer exploits therewithin, based on a database of parser and analyzer rules corresponding to computer exploits, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe computer exploits as patterns of types of tokens, tokens being program code constructs, and types of tokens comprising a punctuation type, an identifier type and a function type”

are neither shown nor suggested in Freund.

In rejecting claims 13 and 25 on page 7 of the Office Action, the Examiner has referenced his rejection of claim 1, which cited Freund. As explained above, the claimed invention includes the limitation of patterns of types of tokens, which is not disclosed in Freund. The claimed invention also includes the limitation of selectively diverting incoming content, which is not disclosed in Freund.

Because claims 14 - 24 depend from claim 13 and include additional features, applicants respectfully submit that claims 14 - 24 are not anticipated or rendered obvious by Freund.

Accordingly claims 13 - 25 are deemed to be allowable.

Support for Amended Claims in Original Specification

Independent claims 1, 13 and 25 have been amended to include the limitation that types of tokens include at least (i) a punctuation type, (ii) an identifier type and (iii) a function type. This limitation is supported in the original specification at least (i) by the various punctuation types of tokens defined on pages 46 and 47 (LBRACE, RBRACE, etc.), (ii) by the IDENT type of token defined on page 46, and (iii) by the FUNCTION type of token appearing on pages 29, 47 and 48.

CONCLUSION

For the foregoing reasons, applicants respectfully submit that the applicable objections and rejections have been overcome and that the claims are in condition for allowance. The undersigned looks forward to discussing the response with the Examiner on October 28, 2010 at 11 AM. If any additional fees are required in connection with the filing of this response, the Commissioner is hereby authorized to charge the same to Deposit Account 50-4402.

Respectfully submitted,

Date: September 15, 2010
By: /Dawn-Marie Bey - 44,442/
Dawn-Marie Bey
Registration No. 44,442

King & Spalding LLP
1700 Pennsylvania Avenue
Suite 200
Washington DC 20006
(202) 626-8978

FIN0001CON1CIP3CIP1
PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In Re Patent Application of: Moshe Rubin, Moshe Matitya, Artem Melnick, Shlomo Touboul, Alexander Yermakov, Amit Shaked
Application No: 11/009,437
Filed: December 9, 2004
For: METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS
Examiner: Jeffrey L. Williams
Art Unit: 2437

Mail Stop fl
Commissioner for Patents
P. O. Box 1450
Alexandria, VA 22313-1450

AMENDMENT AND RESPONSE TO OFFICE ACTION UNDER 37 C.F.R. 1.116

Sir:

In response to the Office Action dated January 29, 2010, applicants respectfully request that the above-identified application be amended as follows:

IN THE CLAIMS:

Please substitute the following claims for the pending claims with the same number:

1. (currently amended) A security system for scanning content within a computer, comprising:

a network interface, housed within a computer, for receiving incoming content from the Internet on its destination to an Internet application running on the computer;

a database of parser and analyzer rules corresponding to computer exploits, stored within the computer, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe computer exploits as [struck through: logical combinations of] patterns of types of tokens, tokens being program code constructs;

a rule-based content scanner that communicates with said database of parser and analyzer rules, operatively coupled with said network interface, for scanning incoming content received by said network interface to recognize the presence of potential computer exploits therewithin;

a network traffic probe, operatively coupled to said network interface and to said rule-based content scanner, for selectively diverting incoming content from its intended destination to said rule-based content scanner; and

a rule update manager that communicates with said database of parser and analyzer rules, for updating said database of parser and analyzer rules periodically to incorporate new parser and analyzer rules that are made available.

2. (previously presented) The security system of claim 1 wherein said database of parser and analyzer rules stores parser and analyzer rules in the form of pattern-matching engines.

3. (original) The security system of claim 2 wherein the pattern-matching engines are deterministic finite automata.

4. (original) The security system of claim 2 wherein the pattern-matching engines are non-deterministic finite automata.

5. (previously presented) The security system of claim 1 further comprising a content blocker, operatively coupled to said rule-based content scanner, for preventing incoming content having a computer exploit that was recognized by said rule-based content scanner from reaching its intended destination.

6. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is HTTP content.

7. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is HTTPS content.

8. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is FTP content

9. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is SMTP content

10. (previously presented) The system of claim 1 wherein the incoming content received from the Internet by said network interface is POP3 content

11. (original) The system of claim 1 wherein the destination Internet application is a web browser.

12. (original) The system of claim 1 wherein the destination Internet application is an e-mail client.

13. (currently amended) A method for scanning content within a computer, comprising:

receiving [struck through: currently amended] incoming content from the Internet on its destination to an Internet application;

selectively diverting the received [struck through: currently amended] incoming content from its intended destination;

scanning the selectively diverted [struck through: currently amended] incoming content to recognize potential computer exploits therewithin, based on a database of parser and analyzer rules corresponding to computer exploits, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe computer exploits as [struck through: logical combinations of] patterns of types of tokens, tokens being program code constructs; and

updating the database of parser and analyzer rules periodically to incorporate new behavioral rules that are made available.

14. (previously presented) The method of claim 13 wherein said database of parser and analyzer rules stores parser and analyzer rules in the form of pattern-matching engines.

15. (original) The method of claim 14 wherein the pattern-matching engines are deterministic finite automata.

16. (original) The method of claim 14 wherein the pattern-matching engines are non-deterministic finite automata.

17. (previously presented) The method of claim 13 further comprising preventing incoming content having a computer exploit that was recognized by said scanning from reaching its intended destination.

18. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is HTTP content.

19. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is HTTPS content.

20. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is FTP content

21. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is SMTP content

22. (previously presented) The method of claim 13 wherein the incoming content received from the Internet by said network interface is POP3 content

23. (original) The method of claim 13 wherein the destination Internet application is a web browser.

24. (original) The method of claim 13 wherein the destination Internet application is an e-mail client.

25. (currently amended) A computer-readable storage medium storing program code for causing a computer to perform the steps of:

receiving incoming content from the Internet on its destination to an Internet application;

selectively diverting the received incoming content from its intended destination;

scanning the selectively diverted incoming content to recognize potential exploits therewithin, based on a database of parser and analyzer rules corresponding to computer exploits, computer exploits being portions of program code that are malicious, wherein the parser and analyzer rules describe exploits as [struck through: logical combinations of] patterns of types of tokens; tokens being program code constructs; and

updating the database of parser and analyzer rules periodically to incorporate new parser and analyzer rules that are made available.

REMARKS

Applicants have carefully studied the outstanding Office Action. The present amendment is intended to place the application in condition for allowance and is believed to overcome all of the objections and rejections made by the Examiner. Favorable reconsideration and allowance of the application are respectfully requested.

Applicants have amended claims 1, 13 and 25 to properly claim the