Case 4:18-cv-07229-YGR Document 195-15 Filed 05/10/21 Page 1 of 8
EXHIBIT 10

HIGHLY CONFIDENTIAL – ATTORNEY’S EYES ONLY

UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
OAKLAND DIVISION

FINJAN LLC., a Delaware Limited Liability Company,
Plaintiff,
v.
QUALYS INC., a Delaware Corporation,
Defendant.

Case No. 4:18-cv-07229-YGR (TSH)
Hon. Yvonne Gonzalez Rogers

EXPERT REPORT OF MICHAEL GOODRICH, PH.D.

GOODRICH EXPERT REPORT
Case No. 4:18-cv-07229-YGR (TSH)

via a communications system or network.”4 Likewise, a POSITA would understand the term “receiver” to be a term of art. This understanding is supported, for example, by the Microsoft Computer Dictionary, as I cite above and in the footnotes. Thus, a POSITA would understand that in the context of distributed computing, a plain-and-ordinary meaning of “receiver” is a component that accepts data from another component via a communications system or network.

This understanding is further supported by the textbook, Computer Networks, by Tanenbaum,5 which is a widely adopted textbook used in many undergraduate computer science curricula. Tanenbaum uses the term “receiver” without needing to provide to the reader further structural definition for the concepts he is discussing, confirming that the terms are sufficient to convey structure to a POSITA.

For example, Tanenbaum writes in the introductory chapter describing networking, “Point-to-point transmission with exactly one sender and exactly one receiver is sometimes called unicasting.” Tanenbaum at 17 [bold-italics added, bold as in the original] (see also Tanenbaum 4/e at 20). Tanenbaum also writes, “An allocation problem that occurs at every level is how to keep a fast sender from swamping a slow receiver with data.” Tanenbaum at 34 [emphasis added] (see also Tanenbaum 3/e at 21). Further, Tanenbaum writes, “The essential aspect of a connection is that it acts like a tube: the sender pushes objects (bits) in at one end, and the receiver takes them out at the other end.” Tanenbaum at 35 [emphasis added] (see also Tanenbaum 3/e at 23). In addition, Tanenbaum writes, “Another issue that arises in the data link layer (and most of the higher layers as well) is how to keep a fast transmitter from drowning a slow receiver in data.” Tanenbaum at 43 (see also Tanenbaum 3/e at 30). Moreover, in this same introductory chapter, Tanenbaum writes, “The most practical approach [to connect office and laptop computers to the Internet] is to equip both the office and laptop computers with short-range radio transmitters and receivers to allow them to talk.” Tanenbaum at 70 [emphasis added] (see also Tanenbaum 4/e at 58). Tanenbaum illustrates this idea, along with a concept known as “multipath fading” that can occur in such scenarios, in a figure, which I excerpt below:

4 See, e.g., Microsoft Computer Dictionary, 5/e, 2002. (“receive vb. To accept data from an external communications system, such as a local area network (LAN) or a telephone line, and store the data as a file.”) This definition is unchanged from the third edition (1997).

5 Tanenbaum, Computer Networks, 5/e, Prentice Hall, 2011, 2003 (4/e), 1996 (3/e), 1989 (2/e), 1981 (1/e).

medium and executed by the computer, for receiving an incoming stream of program code.” For example, the ’408 Patent shows an exemplary architecture in Fig. 2:

A POSITA would understand that this figure shows a “byte source” being received by the tokenizer 210, which a POSITA would understand is disclosing a tokenizer as an embodiment of a “receiver,” e.g., a component that “accept[s] data from an external communications system, such as a local area network (LAN).”6 For example, the ’408 Patent states, “The function of tokenizer 210 is to recognize and identify constructs, referred to as tokens, within a byte source, such as JavaScript Source code.” ’408 Patent at 6:51-54. The ’408 Patent also states, “Preferably, tokenizer 210 reads bytes sequentially from a content source, and builds up the bytes until it identifies a complete token.” ’408 Patent at 6:60-62.

Further, the ’408 also discloses a normalizer 240 as an embodiment that a POSITA would understand to be a “receiver.” For instance, the ’408 Patent states, “In accordance with a preferred embodiment of the present invention, normalizer 240 translates a raw input stream into a

6 See, e.g., Microsoft Computer Dictionary, 5/e, 2002. (“receive vb. To accept data from an external communications system, such as a local area network (LAN) or a telephone line, and store the data as a file.”) This definition is unchanged from the third edition (1997).

and identifying a scripting virus and reasonably identifiable polymorphs of the scripting virus by representing the scripting virus in a language independent form.” Li at 5:45-49 (emphasis added). Further, Li describes its solutions as “resulting in a very flexible virus signature.” Li at 8:6-7.

A POSITA would recognize that the systems respectively described in Li and Zurko are incompatible, and that there would be no expectation of success in an alleged combination of their teachings. For example, a POSITA would understand that the approach of Li teaches away from the use of a hierarchical structure, such as a DOM tree, which is an essential component in the system of Zurko, given Zurko’s reliance on comparing DOM trees for its functionality (see, e.g., Zurko at Fig. 4, 0027, 0033, 0038, 0040). Li instead relies on a “flattened” linearized form. As noted above, the Parties agree that “parse tree” should be construed as “a hierarchical structure of interconnected nodes built from scanned content.” The tokenized source code in Li is input to the threadizor which eliminates “noise” from the tokenized source code 204’ based on a dictionary of key actions, it converts the tokens to a language-independent representation, and it “flattens” the function-calling representation of key actions into a linearized form, or executing thread. Li at 6:41-49. A POSITA would understand that this step does not produce a parse tree, due to the “flattening” and linearization actions,8 and instead is incompatible with a hierarchical approach, as taught in Zurko. A POSITA would understand that the linear nature of this form is an essential feature in Li, as it allows for the patterns of key actions to be identified and matched. See, e.g., Li at 5:42-61, 6:13-61, 8:46-56, 9:12-27, 10:46-56, Figs. 7 and 11.

Further, the flattened linearized form used in Li discards as “noise” tokens that are not key actions; that is, Li discards tokens corresponding to punctuation, variables, and user-defined functions. See, e.g., Li at Figs. 5A, 5B, 6, 7, 9A, 9B, 10, 11, and at 6:50-61, 7:52-59, 8:40-56, 9:4-11 (“leaving only a tokenized skeleton of the original scripting source code”), 10:41-45.

8 See, e.g., Microsoft Computer Dictionary, Fifth Edition (2002) (FINJAN-QUALYS 770349-354). (“linear structure n. A structure in which items are organized according to strict rules of precedence. In a linear structure, two conditions apply: if X precedes Y and Y precedes Z, then X precedes Z; and if X precedes Y and X precedes Z, then either Y precedes Z or Z precedes Y.”) Contrast: (“hierarchy n. A type of organization that, like a tree, branches into more specific units, each of which is “owned” by the higher-level unit immediately above. Hierarchies are characteristic of several aspects of computing because they provide organizational frameworks that can reflect logical links, or relationships, between separate records, files, or pieces of equipment. For example, hierarchies are used in organizing related files on a disk, related records in a database, and related (interconnected) devices on a network. In applications such as spreadsheets, hierarchies of a sort are used to establish the order of precedence in which arithmetic operations are to be performed by the computer. See also hierarchical file system.”)

233. Similar to Li, Zurko also discloses tokens that are in accordance with parser rules in a data structure. Thus, it would have been obvious to a POSITA to combine Li's parser that produces parsed results for computer exploit scanning, with Zurko's parser functionality that builds a parse tree.

234. To the extent it may be found that this element is not disclosed by this reference explicitly, implicitly, or inherently, Li and Zurko would render this limitation obvious when combined with the knowledge of a POSITA. For example, it would have been obvious to construct a parse tree dynamically while the incoming stream is being received by the local computing system. Constructing a parse tree while receiving data on the computer constituted nothing more than combining prior art elements according to known methods to yield a predictable result that parse trees are generated for downloaded data.

Rubin Report at ¶¶ 227-234.

I disagree with Dr. Rubin’s opinion. As a preliminary matter, as explained above and included by reference here, a POSITA would not have been motivated to combine Li and Zurko and as explained further below, any purported combination would not remedy the deficiencies in Li. Further, neither Li nor Zurko disclose “parser rules … for the specific programming language” as required by the claim; hence, any alleged combination of Li and Zurko would necessarily not disclose or render obvious “a parse tree whose nodes represent tokens and patterns in accordance with the parser rules.” I include by reference my analysis for Claim 1(d). Further, Zurko is also silent as to “tokens;” hence, adding Zurko’s teaching to Li does not disclose or render obvious “a parse tree whose nodes represent tokens and patterns in accordance with the parser rules.”

Dr. Rubin points to Li’s “building a data structure for tokens in accordance with parser rules.” Rubin Report at ¶ 228. I disagree with his description and that any such portion of Li teaches or renders obvious this claim element. Indeed, Dr. Rubin admits, “Li does not specifically disclose a parse tree that stores nodes and patterns as parsing results.” Rubin Report at ¶ 229. Further, as described above for Claim 1(d), and included by reference here, Li does not disclose “parser rules … for the specific programming language.” Moreover, it would not have been obvious to a POSITA to build a parse tree based on the purported teachings of Li. As noted above, the Parties agree that “parse tree” should be construed as “a hierarchical structure of interconnected nodes built from scanned content.” Li teaches away from the use of a “hierarchical structure,” such as a parse tree, and instead relies on a “flattened” linearized form. The tokenized source code in Li is input to the threadizor which eliminates “noise” from the tokenized source code 204’ based on a dictionary of key actions, it converts the tokens to a language-independent representation, and it “flattens” the function-calling representation of key actions into a linearized
form, or executing thread. Li at 6:41-49. A POSITA would understand that this step does not produce a parse tree, due to the “flattening” and linearization actions.12 A POSITA would understand that the linear nature of this is an essential ingredient in Li, as it allows for the patterns of key actions to be identified and matched. See, e.g., Li at 5:42-61, 6:13-61, 8:46-56, 9:12-27, 10:46-56, Figs. 7 and 11.

Further, for the requirement of “parser rules,” Dr. Rubin is pointing to a teaching in Li that he has already mapped to “analyzer rules.” See, e.g., Rubin Report at ¶ 228 (“Li’s invention chains token nodes together in either a serial or a parallel chain.”). For example, Dr. Rubin is mapping the serial or parallel chaining taught in Li as stored in a master pattern file to the alleged “analyzer rules,” since the serial or parallel chaining is information that may be added to the master pattern file by a human virus analyst. See, e.g., Li at 7:22-8:7. More specifically, a POSITA would understand that the teaching in Li regarding chaining token patterns in serial or parallel chains as applying only to the elements in a master pattern file, as they allow a given input pattern to match a pattern expression from the master pattern file that is defined in terms of “AND” and “OR” combinations. Id. Thus, even if one accepts Dr. Rubin’s mapping of the master pattern file to the “analyzer rules” of the claim (which I disagree with), he cannot now call the same information the “parser rules.” I incorporate by reference my analysis for Claim 1(d). See, also, Li at 9:28-42. This is further evidence of Dr. Rubin apparently using the ’408 Patent as a guide in hindsight, since any alleged motivation to extend the serial or parallel chaining taught in Li to a parse tree would apply to what Dr. Rubin identifies as “analyzer rules” rather than “parser rules.”

Zurko does not remedy these deficiencies. Dr. Rubin points to the building of a DOM tree in Zurko. Rubin Report ¶¶ 230-232. Dr. Rubin does not identify specifically where

12 See, e.g., Microsoft Computer Dictionary, Fifth Edition (2002) (FINJAN-QUALYS 770349-354). (“linear structure n. A structure in which items are organized according to strict rules of precedence. In a linear structure, two conditions apply: if X precedes Y and Y precedes Z, then X precedes Z; and if X precedes Y and X precedes Z, then either Y precedes Z or Z precedes Y.”) Contrast: (“hierarchy n. A type of organization that, like a tree, branches into more specific units, each of which is “owned” by the higher-level unit immediately above. Hierarchies are characteristic of several aspects of computing because they provide organizational frameworks that can reflect logical links, or relationships, between separate records, files, or pieces of equipment. For example, hierarchies are used in organizing related files on a disk, related records in a database, and related (interconnected) devices on a network. In applications such as spreadsheets, hierarchies of a sort are used to establish the order of precedence in which arithmetic operations are to be performed by the computer. See also hierarchical file system.”)

any version of VM and/or the Scanner Appliance with respect to any claim of the ’408 Patent. Thus, Dr. Rubin has failed to establish that any of the Asserted Claims of the ’408 Patent are invalid in light of VM and/or the Scanner Appliance. Further, Dr. Rubin has failed to specify or establish any version of VM or Scanner Appliance as prior art or a non-infringing alternative to the ’408 Patent.

DEMONSTRATIVES

I anticipate that I may create or cause to be created demonstratives that I will use at trial to help explain to the jury various issues, such as background technology of the Asserted Patents, computer and network security generally, and the references and technologies asserted by Defendant as prior art. I reserve the right to create demonstratives to show and explain any of the concepts that I include in my Report below.

In order to aid the Court and jury in understanding my opinion, I intend to create demonstrative exhibits for trial. These demonstrative exhibits will include non-graphical illustrations (such as documents, charts, tables, etc.) and graphical illustrations (such as figures, drawings, animations, pictures, videos, etc.). My demonstratives may include summaries of my background and findings in this case, the claim language, excerpts and/or annotations of cited evidence, and one or more timelines of important events. While these demonstratives have not yet been created, they will be completed and demonstrated at trial. I also will respond to and comment on any demonstratives created by Dr. Rubin.

I declare under the penalty of perjury under the laws of the United States that the foregoing is true and correct. Executed on this 12th day of January, 2021 in Irvine, CA.

__________________________________
Michael T. Goodrich