UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`SOPHOS, INC.
`
`Petitioner
`v.
`
`FINJAN, INC.
`
`Patent Owner
`
`
`
`CASE IPR Unassigned
`
`Patent No. 8,677,494
`
`
`PETITION FOR
`INTER PARTES REVIEW OF U.S. PATENT NO. 8,677,494
`
`
`
`
`Mail Stop “PATENT BOARD”
`Patent Trial & Appeal Board
`U.S. Patent and Trademark Office
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
`
`
`WEST\255519617.1
`
`i
`
`

`

`TABLE OF CONTENTS
`
`Page
`
`I. 
`II. 
`
`INTRODUCTION .......................................................................................... 1 
`COMPLIANCE WITH FORMAL REQUIREMENTS ................................. 1 
`A.  Mandatory Notices Under 37 C.F.R. §§ 42.8(b)(1)-(4) ....................... 1 
`1. 
`Real Parties-In-Interest .............................................................. 1 
`2. 
`Related Matters .......................................................................... 1 
`3. 
`Lead and Back-up Counsel ........................................................ 2 
`4. 
`Powers of Attorney and Service Information ............................ 2 
`Proof of Service on the Patent Owner .................................................. 3 
`B. 
`Fee ........................................................................................................ 3 
`C. 
`III.  GROUNDS FOR STANDING ....................................................................... 3 
`IV.  STATEMENT OF PRECISE RELIEF REQUESTED .................................. 3 
`V. 
`IDENTIFICATION OF CHALLENGE ......................................................... 3 
`VI.  LEVEL OF ORDINARY SKILL IN THE ART ............................................ 4 
`VII.  SUMMARY OF THE ’494 PATENT ............................................................ 4
`Effective Filing Date ............................................................................ 4
`A. 
`B.  Overview of the Prosecution History ................................................... 6
`C.
`Patent Specification and Claims ........................................................... 7 
`VIII.  CLAIM CONSTRUCTION ......................................................................... 12 
`IX.  STATE OF THE ART PRIOR TO THE ’494PATENT .............................. 15
`THERE IS A REASONABLE LIKELIHOOD THAT PETITIONER
`X. 
`WILL PREVAIL WITH RESPECT TO AT LEAST ONE CLAIM OF
`THE ’494PATENT ....................................................................................... 17 
`XI.  DETAILED EXPLANATION OF THE GROUNDS FOR
`REJECTION ................................................................................................. 17
`Challenge to Claims 1, 10, and 18 based on ThunderBYTE
`A. 
`Anti-Virus Utilities User Manual in view of Ji .................................. 17 
`Challenge to Claim 14 based on ThunderBYTE Anti-Virus
`Utilities User Manual in view of Ji and Chen .................................... 29 
`
`B. 
`
`WEST\255519617.1
`
`
`
`

`

`C.
`
`D. 
`
`Challenge to Claims 1, 10, 14, and 18 based on Arnold in view
`of Chen and Ji ..................................................................................... 36
`Challenge to Claims 1, 10, 14, and 18 based on Chen in view of
`Arnold and Ji ...................................................................................... 44 
`XII.  THE CHALLENGES ARE NOT REDUNDANT ....................................... 50
`XIII.  CONCLUSION ............................................................................................. 51 
`
`WEST\255519617.1
`
`
`
`

`

`TABLE OF EXHIBITS
`
`EXHIBIT
`
`DESCRIPTION
`
`U.S. Patent No. 8,677,494 to Edery et al.
`
`Expert Declaration of Paul Clark
`
`Curriculum Vitae of Paul Clark
`
`File History for U.S. Patent No. 8,677,494
`
`U.S. Provisional Patent Application No. 60/030,639 to Touboul et
`al.
`ThunderBYTE Anti-Virus Utilities User Manual, ThunderBYTE
`B.V. (1995)
`Information Disclosure Statement filed in U.S. Patent Application
`No. 08/605,285 on October 25, 1996
`U.S. Patent No. 5,440,723 to Arnold et al.
`
`U.S. Patent No. 5,623,600 to Ji et al.
`
`U.S. Patent No. 5,951,698 to Chen et al.
`
`Finjan, Inc. v. Sophos Inc., 14-cv-1197 – Finjan Opening Claim
`Construction Brief
`File History for U.S. Patent Application No. 11/370,114
`
`File History for U.S. Patent Application No. 09/861,229
`
`U.S. Patent No. 6,804,780
`
`U.S. Patent No. 6,092,194
`
`1001
`
`1002
`
`1003
`
`1004
`
`1005
`
`1006
`
`1007
`
`1008
`
`1009
`
`1010
`
`1011
`
`1012
`
`1013
`
`1014
`
`1015
`
`WEST\255519617.1
`
`
`
`

`

`1016
`
`1017
`
`1018
`
`1019
`
`1020
`
`U.S. Patent No. 6,480,962
`
`Excerpts of Finjan v. McAfee et al., Trial Transcripts
`
`Information Disclosure Statement filed in U.S. Patent Application
`No. 08/684,580 on October 25, 1996
`Excerpts of Microsoft Press Computer Dictionary, Second
`Edition, Microsoft Press (1994)
`Mangosoft, Inc. v. Oracle Corp., 1:02-cv-545-SM – Claim
`Construction Order
`
`
`
`WEST\255519617.1
`
`ii
`
`

`

`I.
`
`
`INTRODUCTION
`
`It is hereby requested that the United States Patent and Trademark Office
`
`proceed with an inter partes review of claims 1, 10, 14, and 18 of U.S. Patent No.
`
`8,677,494 (Exhibit 1001) (hereinafter “the ’494 patent”).
`
`
`
`The ’494 patent relates generally to detecting suspicious computer
`
`operations in downloaded files. The claims are directed to receiving an incoming
`
`Downloadable, deriving security profile data for the Downloadable, and storing the
`
`security profile data in a database. The security profile data includes a list of
`
`suspicious computer operations that may be attempted by the Downloadable. As
`
`explained below, the claimed systems had been developed and were well known in
`
`the virus detection and computer security field long before the application for the
`
`’494 patent had been filed. Specifically, it was well known to receive downloaded
`
`files that could be infected with malware, examine the files to identify suspicious
`
`computer operations that may be attempted by the files, and store the identified
`
`data in a database. All of the claims of the ’494 patent are therefore invalid over
`
`the prior art identified below, each of which was cited during prosecution of the
`
`’494 patent.
`
`
`
`WEST\255519617.1
`
`1
`
`

`

`II. COMPLIANCE WITH FORMAL REQUIREMENTS
`A. Mandatory Notices Under 37 C.F.R. §§ 42.8(b)(1)-(4)
`1.
`Real Parties-In-Interest
`Sophos Limited and wholly owned subsidiary, Sophos Inc., are the real
`
`
`
`parties-in-interest.
`
`Related Matters
`
`2.
`To the knowledge of Petitioner, a decision in this proceeding would affect or
`
`be affected by the following matters where Finjan is asserting the ’494 patent: (1)
`
`Finjan, Inc. v. Sophos Inc., 3:14-1197 (N.D. Cal.), (2) Finjan, Inc. v. Websense,
`
`Inc., Case No. 3:14-cv-1353 (N.D. Cal.), and (3) Finjan, Inc. v. Palo Alto
`
`Networks, Inc., Case No. 3:14-cv-4908 (N.D. Cal.).
`
`Lead and Back-up Counsel
`
`3.
`Lead Counsel for Petitioner is James M. Heintz, DLA Piper LLP (US), Reg.
`
`No.
`
`41,828, who
`
`can
`
`be
`
`reached
`
`by
`
`email
`
`at Sophos-Finjan-
`
`494IPR@dlapiper.com, by phone at 703-773-4148, by fax at 703-773-5200, and by
`
`mail at 11911 Freedom Drive, Suite 300, Reston, VA 20190. Backup counsel for
`
`Petitioner is Nicholas Panno of DLA Piper LLP (US), Reg. No. 68,513, who can
`
`be reached by email at Sophos-Finjan-494IPR@dlapiper.com, by phone at 703-
`
`773-4157, by fax at 703-773-5157, and by mail at 11911 Freedom Drive, Suite
`
`300, Reston, VA 20190.
`
`4.
`
`Powers of Attorney and Service Information
`
`
`
`WEST\255519617.1
`
`2
`
`

`

`
`
`Powers of attorney are being filed with the designation of counsel in
`
`accordance with 37 C.F.R. § 42.10(b). Service information for lead and back-up
`
`counsel is provided in the designation of lead and back-up counsel above. Service
`
`of any documents via hand delivery may be made at the postal mailing address of
`
`the respective lead and back-up counsel designated above.
`
`Proof of Service on the Patent Owner
`
`B.
`As identified in the attached Certificate of Service, a copy of this Petition in
`
`
`
`its entirety is being served on the Patent Owner’s attorney of record at the address
`
`listed in the USPTO’s records by overnight courier pursuant to 37 C.F.R. § 42.6.
`
`Fee
`
`C.
`The undersigned authorizes the Director to charge the fee specified by 37
`
`
`
`C.F.R. § 42.15(a) and any additional fees that might be due in connection with this
`
`Petition to Deposit Account No. 50-1442.
`
`III. GROUNDS FOR STANDING
`
`In accordance with 37 C.F.R. § 42.104(a), the Petitioner certifies that the
`
`’494 patent is available for inter partes review and that the Petitioner is not barred
`
`or estopped from requesting an inter partes review challenging the patent claims
`
`on the grounds identified in this Petition.
`
`
`
`WEST\255519617.1
`
`3
`
`

`

`IV. STATEMENT OF PRECISE RELIEF REQUESTED
`
`In accordance with 37 C.F.R. § 42.22, the Petitioner respectfully requests
`
`that claims 1, 10, 14, and 18 of the ’494 patent be invalidated for the reasons set
`
`forth below.
`
`V.
`
`
`IDENTIFICATION OF CHALLENGE
`In accordance with 35 U.S.C. § 311 and 37 C.F.R. § 42.104(b), inter partes
`
`review of claims 1, 10, 14, and 18 of the ’494 patent is requested in view of the
`
`following grounds:
`
`
`
`A.
`
`Claims 1, 10, and 18 are invalid under 35 U.S.C. § 103 (pre-AIA) as
`
`being obvious over ThunderBYTE Anti-Virus Utilities User Manual (“TBAV”) in
`
`view of U.S. Patent No. 5,623,600 to Ji et al. (“Ji”).
`
`
`
`B.
`
`Claim 14 is invalid under 35 U.S.C. § 103 (pre-AIA) as being obvious
`
`over TBAV in view of Ji and U.S. Patent No. 5,951,698 to Chen et al. (“Chen”).
`
`
`
`C.
`
`Claims 1, 10, 14, and 18 are invalid under 35 U.S.C. § 103 (pre-AIA)
`
`as being obvious over U.S. Patent No. 5,440,723 to Arnold et al. (“Arnold”) in
`
`view of Chen and Ji.
`
`
`
`D.
`
`Claims 1, 10, 14, and 18 are invalid under 35 U.S.C. § 103 (pre-AIA)
`
`as being obvious over Chen in view of Arnold and Ji.
`
`VI. LEVEL OF ORDINARY SKILL IN THE ART
`
`A person of ordinary skill in the art at the time of the alleged invention of
`
`the ’494 patent would generally have a bachelor’s degree or the equivalent in
`
`4
`
`WEST\255519617.1
`
`

`

`computer science, computer engineering, or a related degree, and three to four
`
`years of experience in the fields of network software and security, or equivalent
`
`work experience. This person would have been aware of the computer security
`
`technology discussed herein and would have been capable of understanding and
`
`applying the prior art references discussed herein, alone or in combination. Ex.
`
`1003 ¶ 52.
`
`VII. SUMMARY OF THE ’494 PATENT
`A.
`Effective Filing Date
`
`
`
`
`The ’494 patent, entitled “Malicious Mobile Code Runtime Monitoring
`
`System and Methods,” issued on March 18, 2014, and arises from U.S. patent
`
`application No. 13/290,708 (“the ’708 application”), which was filed on November
`
`7, 2011. The patent was assigned upon issuance to Finjan, Inc. According to
`
`USPTO records, this patent is currently assigned to Patent Owner.
`
`
`
`The ’494 patent claims the benefit of provisional applications No.
`
`60/205,591 (filed May 17, 200) and No. 60/030,639 (filed November 8, 1996).
`
`Thus, assuming the ’494 patent correctly claims the benefit of the ’639 application,
`
`the earliest possible effective filing date of the ’494 patent is November 8, 1996.
`
`Ex. 1003 ¶¶ 47-51. Several other patents claiming the benefit of the same
`
`provisional application (U.S. Patent Nos. 6,092,194; 6,167,520; 6,480,962; and
`
`
`
`WEST\255519617.1
`
`5
`
`

`

`7,058,822) have been invalidated as a result of Federal Court or PTAB
`
`proceedings.
`
`
`
`
`
`B. Overview of the Prosecution History
`
`The ’708 application was filed on November 7, 2011. A non-final rejection
`
`was mailed on July 23, 2012, which rejected the claims of the ’708 application for
`
`double patenting and under 35 U.S.C. § 102(e) as being anticipated by U.S. Patent
`
`No. 5,983,348 to Ji. Ex. 1004, pp. 757-766. Applicants addressed the rejections by
`
`filing a terminal disclaimer and a petition to accept unintentionally delayed claim
`
`of priority to the ’639 application. Ex. 1004, pp. 721-256. This petition was
`
`dismissed on Novmber 27, 2012 because it was not accompanied by a copy of
`
`the’639 application. Ex. 1004, pp. 719-720. A final rejection was mailed on
`
`January 7, 2013, accepting the terminal disclaimer and citing the same U.S. Patent
`
`No. 5,983,348 to Ji. Ex. 1004, pp. 711-717. On May 7, 2013, Applicants filed a
`
`declaration by inventor Shlomo Touboul purporting to establish an invention date
`
`prior to the filing date of the Ji patent. Ex. 1004, pp. 182-190. Specifically,
`
`Touboul declares that his "sole invention was in [his] mind and developed by at
`
`least November 18, 1996," which is after the filing date of the ‘639 application. Ex.
`
`1004, p. 189. A notice of allowance was mailed on August 29, 2013. Ex. 1004, pp.
`
`118-124. Applicants subsequently filed a petition to withdraw from issue, a new
`
`petition to accept unintentionally delayed claim of priority to the ’639 application,
`
`
`
`WEST\255519617.1
`
`6
`
`

`

`and a request for continued examination on October 1, 2013, and a corrected
`
`petition on December 6, 2013. Ex. 1004, ppp. 65-77, 94-102. The USPTO granted
`
`the petition for acceptance of a claim for late priority to the ’639 application on
`
`December 24, 2013, and the patent issued on March 18, 2014. Ex. 1001, p.1; Ex.
`
`1004, pp. 53-54.
`
`
`
`
`
`C.
`
`Patent Specification and Claims
`
`The ’494 patent relates generally to protecting personal computers (PCs) or
`
`other devices from malicious software obtained over a network. The ’494 patent
`
`refers
`
`to executable
`
`files and software obtained over a network as
`
`“Downloadables” and focuses on identifying malicious Downloadables. The
`
`specification of the ‘494 patent itself has little specific teaching of the claimed
`
`subject matter beyond providing descriptions that are broadly in the same field as
`
`the claims. Ex. 1002 ¶39.
`
`
`
`The disclosure of the ’639 application most closely resembles the subject
`
`matter claimed by the ‘494 patent. The ’639 application relates generally to a
`
`system and method for protecting computers from hostile Downloadables. Ex.
`
`1005, p. 1, ll. 6-8; Ex. 1002 ¶40. A Downloadable is described as “an executable
`
`application program which is automatically downloaded from a source computer
`
`and run on the destination computer.” Ex. 1005, p. 2, ll. 1-4; Ex. 1002 ¶40.
`
`Examples of Downloadables include executables as well as applets for Java and
`
`
`
`WEST\255519617.1
`
`7
`
`

`

`Active X. Ex. 1005, p. 2, ll. 4-7; Ex. 1002 ¶40. According to the ’639 application,
`
`viruses may be attached to Downloadables. Ex. 1005, p. 1, ll. 20-22; p. 2, ll. 7-9;
`
`Ex. 1002 ¶40.
`
`
`
`The method
`
`taught by
`
`the ’639 application
`
`includes receiving a
`
`Downloadable, and, when the Downloadable does not get identified as a previously
`
`identified hostile Downloadable, deriving Downloadable security profile data from
`
`the received Downloadable. Ex. 1005, p. 3, ll. 13-21; Ex. 1002 ¶41.
`
`
`
`Specifically, an
`
`internal network
`
`security
`
`system 110 examines
`
`Downloadables, determines whether they are hostile, and prevents hostile
`
`Downloadables from reaching an internal computer network 115 (e.g., a corporate
`
`local area network (LAN)). Ex. 1005, p. 6, ll. 2-17; Ex. 1002 ¶42. The internal
`
`network security system 110 is shown in FIG. 2 and includes a central processing
`
`unit (CPU) 205, communications interfaces 210, 225, input/output (I/O) interfaces
`
`215, a data storage device 230, memory 235, and a signal bus 220. Ex. 1005, p. 6,
`
`l. 19 – p. 8, l. 4; Ex. 1002 ¶42. The security program 255 in memory 235 controls
`
`the operations of the internal network security system 110. Ex. 1005, p. 8, ll. 1-4;
`
`Ex. 1002 ¶42. The security database 240 in the data storage device 230 stores
`
`Downloadable security profiles (DSPs). Ex. 1005, p. 8, ll. 14-19; Ex. 1002 ¶42.
`
`
`
`WEST\255519617.1
`
`8
`
`

`

`
`
`FIG. 3 illustrates security program 255 details. An ID generator 315 of the
`
`security program 255 receives a Downloadable from external computer network
`
`105. Ex. 1005, p. 9, ll. 14-16; Ex. 1002 ¶43.
`
`
`
`
`
`WEST\255519617.1
`
`9
`
`

`

`
`
`
`
`A first comparator 320 of the security program 255 determines if the
`
`Downloadable is identical to a known non-hostile or hostile Downloadable 307 and
`
`discards the Downloadable if it is identical to a known hostile Downloadable. Ex.
`
`1005, p. 9, l. 20 – p. 10, l. 5; Ex. 1002 ¶44. Known Downloadables 307 (hostile
`
`and non-hostile) along with corresponding DSP data 310 are stored in the data
`
`storage device 230. Ex. 1005, p. 8, ll. 13-19; Ex. 1002 ¶44. DSP data 310 includes
`
`the
`
`fundamental computer operations
`
`included
`
`in
`
`the known hostile
`
`Downloadables 307 (e.g., read, write, file management operations, system
`
`management operations, memory management operations, CPU allocation
`
`operations). Ex. 1005, p. 9, ll. 9-13; Ex. 1002 ¶44.
`
`
`
`WEST\255519617.1
`
`10
`
`

`

`
`
`In the event that the Downloadable is unknown (either not identical to a
`
`known hostile Downloadable or not
`
`identical
`
`to a known non-hostile
`
`downloadable), a code scanner 325 of the security program 255 decomposes the
`
`code of the unknown Downloadable into DSP data and sends the Downloadable
`
`and DSP data to a second comparator 330 of the security program 255. Ex. 1005,
`
`p. 10, ll. 9-20; Ex. 1002 ¶45. Decomposing the code includes disassembling the
`
`machine code of the Downloadable, resolving a command in the machine code,
`
`and determining whether the resolved command is a suspect command (e.g., a
`
`memory allocation command or loop command). Ex. 1005, p. 15, l. 15 – p. 16, l. 2;
`
`Ex. 1002 ¶45. Code containing suspect commands is decoded, and the command
`
`and command parameters are registered as DSP data that can be stored in the data
`
`storage device 230; Ex. 1002 ¶45.
`
`
`
`The second comparator 330 compares the DSP data against stored security
`
`policies 305 to determine whether the Downloadable includes a hostile operation.
`
`Ex. 1005, p. 10, l. 21 – p. 11, l. 5; Ex. 1002 ¶46. The known Downloadables 307
`
`stored in the data storage device 230 include Downloadables that the second
`
`comparator 330 determines to be hostile. The DSP data 310 associated with these
`
`hostile Downloadables includes the fundamental operations performed by the
`
`Downloadables (i.e., the hostile operations). Ex. 1005, p. 9, ll. 3-13; Ex. 1002 ¶46.
`
`
`
`WEST\255519617.1
`
`11
`
`

`

`VIII. CLAIM CONSTRUCTION
`In accordance with 37 C.F.R. § 42.104(b)(3), Petitioner provides the
`
`
`following statement regarding construction of the ’494 patent claims.
`
`
`
`
`
`A.
`
`Legal Standard
`
`Claims in an inter partes review of an unexpired patent are to be given their
`
`“broadest reasonable interpretation in light of the specification.” 37 C.F.R.
`
`42.100(b). This standard is often referred to as “BRI”.
`
`
`
`
`
`B. Construction of the Terms Used in the Claims
`
`Because the claim construction standard in this proceeding differs from that
`
`used in U.S. district court litigation, Petitioner expressly reserves the right to assert
`
`different claim construction positions under the standard applicable in district court
`
`for any term of the ’494 patent in any district court litigation. Claim construction is
`
`further discussed in Ex. 1002 ¶¶ 53-66.
`
`
`
`
`
`1.
`
`“Downloadable” (claims 1, 10, 14, and 18): Under the BRI,
`
`this limitation should be understood to mean “an executable application program
`
`which is downloaded from a source computer and can be run on the destination
`
`computer”, as defined in the ’639 application. Ex. 1005, p. 2, ll. 1-4; Ex. 1002 ¶60.
`
`This construction is also consistent with the ’494 patent, which describes a
`
`Downloadable as “information including executable code.” This definition is what
`
`one of ordinary skill in the art would understand from the specification of the ’494
`
`
`
`WEST\255519617.1
`
`12
`
`

`

`patent. Ex. 1001, col. 9, ll. 46-52; Ex. 1002 ¶60. This construction is also
`
`consistent with what was agreed upon by Petitoner and Patent Owner in related
`
`proceedings cited above. Ex. 1011, p. 4.
`
`
`
`
`
`2.
`
`“suspicious computer operations” (claims 1 and 10): Under
`
`the BRI, this limitation should be understood to mean “computer instructions that
`
`are deemed to be potentially hostile”. This construction is consistent with the
`
`disclosure in the ’639 application regarding “potentially hostile operations” and
`
`“suspect commands.” Ex. 1005, p. 8, l. 19 – p. 9, l. 3; p. 15, l. 19 – p. 16, l. 2; Ex.
`
`1002 ¶62. This construction is also consistent with the ’494 patent, which describes
`
`“harmful, undesirable, suspicious or other ‘malicious’ operations that might
`
`otherwise be effectuated by remotely operable code.” Ex. 1001, col. 2, ll. 54-56;
`
`Ex. 1002 ¶62.
`
`
`
`
`
`3.
`
`“database” (claims 1 and 10): Under the BRI, this limitation
`
`should be understood to mean “any structured store of data”. The ’639 application
`
`does not define “database”, but one of ordinary skill in the art would understand
`
`the term “database” to have this meaning. See, e.g., Ex. 1020, p. 29 (wherein
`
`database files are given as examples of structured stores of data). This construction
`
`is consistent with the disclosure in the ’639 application of a data storage device
`
`230 that stores a security database 240. Ex. 1005, p. 7, ll. 16-20; Ex. 1002 ¶64.
`
`This construction is also consistent with the ’494 patent, which teaches “[a]ny
`
`
`
`WEST\255519617.1
`
`13
`
`

`

`suitable explicit or referencing list, database or other storage structure(s) or storage
`
`structure configuration(s) can also be utilized to implement a suitable user/device
`
`based protection scheme” Ex. 1001, col. 17, ll. 10-14; Ex. 1002 ¶64.
`
`
`
`
`
`4.
`
`“program script” (claim 14): Under the BRI, this limitation
`
`should be understood to mean “a set of instructions that can be executed by a
`
`computer through an interpreter or some other program with a computer.”. The
`
`’639 application does not define “program script”, but one of ordinary skill in the
`
`art would understand the term “program script” to have this meaning. See, e.g., Ex.
`
`1019, p. 350. This construction is consistent with the disclosure in the ’639
`
`application regarding Downloadables containing Java applets or ActiveX applets.
`
`Ex. 1005, p. 2, ll. 1-7; Ex. 1002 ¶66. This construction is also consistent with the
`
`’494 patent, which describes “downloadable application programs, Trojan horses
`
`and program code groupings, as well as software ‘components’, such as JavaTM
`
`applets, ActiveXTM controls, JavaScript/Visual Basic scripts, add-ins, etc.” Ex.
`
`1001, col. 2, ll. 59-64; Ex. 1002 ¶66. Those of ordinary skill in the art would
`
`understand that JavaTM applets, ActiveXTM controls, JavaScript/Visual Basic
`
`scripts contain instructions that can be executed by a computer through an
`
`interpreter or some other program. Ex. 1002 ¶66.
`
`
`
`WEST\255519617.1
`
`14
`
`

`

`IX. STATE OF THE ART PRIOR TO THE ’494 PATENT
`
`The state of the art prior to the ’494 patent is discussed generally in Ex. 1002
`
`¶¶35-38. By the time of the filing of the ‘494 patent, malware downloaded from a
`
`network was a well-known threat. Companies like Norton, McAfee, and Trend
`
`Micro were known to offer established products available to detect and prevent
`
`hostile downloadable software from being installed through the use of local and
`
`firewall resident scanners. In particular, these commercially available solutions
`
`generally included data files intended to assist an executable scanner in the
`
`identification of malware.
`
`
`
`These companies and others continuously monitored developments in
`
`malware to identify new malware and update their product data files to enable
`
`identification of the new malware. Data file updates were distributed to end users
`
`periodically to keep their systems up to date.
`
`
`
`However, it was widely known that new malware could appear on an end
`
`user system faster than it could be detected and incorporated into the data files by
`
`scanner software distributors. For example, it was widely known at the timein 1996
`
`that files could be downloaded onto computers from networks. FTP, HTTP, and
`
`other network protocols were in general use, and computers used these protocols to
`
`interface with networks to download files, including executable files and files
`
`containing program script. See, e.g., Ex. 1009, col. 1, ll. 15-42; col. 2, l. 39 – col.
`
`
`
`WEST\255519617.1
`
`15
`
`

`

`3, l. 16. Such files were known to be potentially contain suspicious computer
`
`instructions, such as malware. Often, malware was distributed to computers via
`
`networks in executable or script files before it could be detected by the distributors
`
`of malware protection software. See, e.g., Ex. 1006, p. 165.
`
`
`
`To that end, it was well known by the time of the filing of the ‘494 patent to
`
`include modules for end user systems and other network-deployed systems to
`
`allow them to detect and respond to programs that contained suspicious
`
`instructions, and therefore potentially hostile software, in the absence of a
`
`signature in the scanner’s data file.
`
`
`
`As discussed below, all of the elements of claims 1, 10, 14, and 18 of the
`
`’494 patent are known in the prior art, and it would have been obvious to combine
`
`the prior art in the manner recited in those claims.
`
`X. THERE IS A REASONABLE LIKELIHOOD THAT PETITIONER
`WILL PREVAIL WITH RESPECT TO AT LEAST ONE CLAIM OF THE
`’494 PATENT
`A petition for inter partes review must demonstrate “a reasonable likelihood
`
`
`
`that the Petitioner would prevail with respect to at least one of the claims
`
`challenged in the petition.” 35 U.S.C. § 314(a). This Petition meets that threshold.
`
`There is a reasonable likelihood that Petitioner will prevail in establishing that at
`
`least one of claims 1, 10, 14, and 18 of the ’494 patent is invalid under 35 U.S.C. §
`
`103 as explained below.
`
`
`
`WEST\255519617.1
`
`16
`
`

`

`XI. DETAILED EXPLANATION OF THE GROUNDS FOR REJECTION
`
`A detailed explanation of the pertinence and manner of applying the prior art
`
`references to claims 1, 10, 14, and 18 of the ’494 patent is provided below in
`
`accordance with 37 C.F.R. §§ 42.104(b)(4) and 42.104(b)(5). Except as noted, the
`
`detailed explanation set forth below assumes that the claims of the ’494 patent are
`
`construed consistent with the claim constructions set forth above.
`
`
`
`
`
`A. Challenge to Claims 1, 10, and 18 based on TBAV in view of Ji
`
`TBAV qualifies as prior art to the ’494 patent under 35 U.S.C. § 102(a)
`
`because TBAV has a copyright date of 1995 and was publicly available by at least
`
`October 25, 1996, as evidenced by the fact that it was disclosed by a patent
`
`applicant in an Information Disclosure Statement which was filed in U.S. Patent
`
`Application No. 08/605,285 on October 25, 1996 and an Information Disclosure
`
`Statement which was filed in U.S. Patent Application No. 08/684,580 on October
`
`25, 1996. See Ex. 1007, pp. 2 and 6; Ex. 1018, pp. 2 and 65. October 25, 1996 is
`
`prior to the earliest possible effective filing date of the application of the ’494
`
`patent on November 8, 1996. Ex. 1006, cover page; Ex. 1007, pp. 2 and 6. Ji
`
`qualifies as prior art to the ’494 patent under 35 U.S.C. § 102(e) because Ji was
`
`granted on an application filed in the U.S. on September 26, 1995, which is prior to
`
`the earliest possible ’494 patent effective filing date.
`
`
`
`WEST\255519617.1
`
`17
`
`

`

`
`
`TBAV: TBAV is a user manual for the ThunderBYTE anti-virus software.
`
`TBAV describes a software program that protects computer systems against both
`
`known and unknown viruses. The TBAV software includes TbScan, a virus
`
`scanner, and TbScanX, a memory resident version of TbScan. Ex. 1006, pp. 1-2;
`
`Ex. 1002 ¶ 70.
`
`
`
`TbScan is run upon user request or automatically (e.g., on startup via the
`
`AUTOEXEC.BAT file), and can be used to scan some or all files that have been
`
`downloaded or that have otherwise been stored on disks, fixed drives, and/or
`
`network drives. Ex. 1006, pp. 48-51; Ex. 1002 ¶ 71. TbScan includes a signature
`
`scanner and a heuristic scanner. The signature scanner detects known viruses
`
`whose signatures are stored in a signature file. The heuristic scanner disassembles
`
`files using a built-in disassembler and searches for suspicious instruction
`
`sequences within the files using a built-in code analyzer. Ex. 1006, pp. 1-2, 153-
`
`155; Ex. 1002 ¶ 71. The heuristic scanner disassembles files and interprets their
`
`instructions. The heuristic scanner disassembles the files to allow scanning to be
`
`restricted to an area of a file where a virus might reside, to make it possible to use
`
`algorithmic detection methods on encrypted viruses, and to make it possible to
`
`detect suspicious instruction sequences. Ex. 1006, p. 154; Ex. 1002 ¶ 71.
`
`
`
`TbScan looks into a file’s contents and interprets the file’s instructions to
`
`detect their purpose (e.g., formatting a disk or infecting a file). Heuristic flags are
`
`
`
`WEST\255519617.1
`
`18
`
`

`

`assigned to suspicious instructions, such as instructions that are common to viruses
`
`but uncommon to normal programs. TBAV discloses that a heuristic flag is a
`
`character indicating a specific type of suspicious instruction. Ex. 1006, pp. 155,
`
`180-185; Ex. 1002 ¶ 72. For example, the flags include “# - Decryptor code found”
`
`(indicating that the file contains instructions that perform self-decryption
`
`operations), “A – Suspicious Memory Allocation” (indicating the program contains
`
`instructions
`
`that perform non-standard memory search and/or allocation
`
`operations), “B – Back to entry” (indicating the program contains instructions that
`
`perform endless loop operations), “D – Direct disk access” (indicating the program
`
`contains instructions that perform a write operation to a disk directly), “L –
`
`program load trap” (indicating the program contains instructions that perform an
`
`operation to trap the execution of other software), “S – Search for executables”
`
`(indicating the program contains instructions that perform a search operation for
`
`executable files), and “U – Undocumented system call” (indicating the program
`
`contains instructions that perform unknown DOS call or interrupt operations),
`
`among others. Ex. 1006, pp. 180-185; Ex. 1002 ¶ 72.
`
`
`
`The heuristic flags are associated with scores, so that if the total score (i.e.,
`
`the sum of heuristic flag scores) for a file exceeds a predefined limit, the file is
`
`assumed to contain a virus. Ex. 1006, pp. 153-155. Multiple predefined limits can
`
`be established, so that a file having a score above a sensitive limit “might” be
`
`
`
`WEST\255519617.1
`
`19
`
`

`

`infected, and a file having a score above a higher limit is assumed to include a
`
`virus. Ex. 1006, p. 155; Ex. 1002 ¶ 73.
`
`
`
`TbScan provides the option to output scan results to a log file. The results in
`
`the log file include the heuristic flags assigned to each file. Ex. 1006, p. 60; Ex.
`
`1002 ¶ 74. If suspicious instructions are found in a file during a scan, the heuristic
`
`flags in the log file indicate their presence and describe the nature of the suspicious
`
`instructions. In addition to these flags, if a detailed log level is selected for the log,
`
`TbScan adds a description to the log file. Ex. 1006, pp. 76-77; Ex. 1002 ¶ 74.
`
`
`
`TbScan scans files with filename extensions that indicate the file is a
`
`program file (e.g., .EXE, .COM, .BIN, .SYS, .OV?). TbScan can be configured to
`
`also scan files with filename extensions that suggest the file can be infected by
`
`viruses (e.g., .DLL, .SCR, .MOD, .CPL, .00?, and .APP). Ex. 1006, p. 57; Ex. 1002
`
`¶75. Files such as .DLLs contain executable code that is executed by other
`
`programs, so these files can be infected by malware, as those of ordinary skill in
`
`the art would understand. Ex. 1002 ¶75.
`
`
`
`TBAV also includes a TbGenSig program that can be called by TbScan to
`
`define signature records for suspicious files. Ex. 1006, pp. 4, 57; Ex. 1002 ¶76.
`
`TbScan is used to extract instructions from files that are being examined, such as
`
`files that are believed to be infected with viruses. The signature comprises
`
`suspicious instructions form a signature for of the potential virus infecting the file.
`
`
`
`WEST\255519617.1
`
`20
`
`

`

`Ex. 1006, pp. 166-168; Ex. 1002 ¶76. A virus name, one or more keywords, and
`
`the instructions are added to a file (e.g., USERSIG.DAT). Ex. 1006, p. 168; Ex.
`
`1002 ¶76. Note that TBAV explicitly uses *.DAT files as databases (see also,
`
`ANTI-VIR.DAT). Ex. 1006, pp. 4, 36; Ex. 1002 ¶76. TbGenSig