Trials@uspto.gov
`571-272-7822
`
`
` Paper No. 7
`Entered: September 24, 2015
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`SOPHOS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2015-01022
`Patent 8,677,494 B2
`____________
`
`
`
`Before JAMES B. ARPIN, ZHENYU YANG, and
`CHARLES J. BOUDREAU, Administrative Patent Judges.
`
`BOUDREAU, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`
`
`571-272-7822
`
`
` Paper No. 7
`Entered: September 24, 2015
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`SOPHOS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2015-01022
`Patent 8,677,494 B2
`____________
`
`
`
`Before JAMES B. ARPIN, ZHENYU YANG, and
`CHARLES J. BOUDREAU, Administrative Patent Judges.
`
`BOUDREAU, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`
`I. INTRODUCTION
`Sophos, Inc. (“Petitioner”) filed a Petition (Paper 1, “Pet.”) requesting
`inter partes review pursuant to 35 U.S.C. § 311 of claims 1, 10, 14, and 18
`of U.S. Patent No. 8,677,494 B2 to Edery et al. (Ex. 1001, “the ’494
`patent”). Pet. 4. Finjan, Inc. (“Patent Owner”) filed a Preliminary
`Response. Paper 6 (“Prelim. Resp.”). We review the Petition under
`35 U.S.C. § 314, which provides that an inter partes review may not be
`instituted “unless . . . there is a reasonable likelihood that the petitioner
`would prevail with respect to at least 1 of the claims challenged in the
`petition.” 35 U.S.C. § 314(a).
`For the reasons that follow and on this record, we are not persuaded
`that Petitioner demonstrates a reasonable likelihood of prevailing in showing
`the unpatentability of any of the challenged claims on the asserted grounds.
`Accordingly, we deny Petitioner’s request to institute an inter partes review.
`A. The ’494 Patent
`The ’494 patent issued March 18, 2014, from U.S. Patent Application
`No. 13/290,708, filed November 7, 2011. The ’494 patent also claims
`priority from nine earlier applications, of which the earliest-filed is U.S.
`Provisional Application No. 60/030,639, filed November 8, 1996 (Ex. 1005,
`“the ’639 application”). Ex. 1001, [60], [63], col. 1, ll. 7–55.
`The ’494 patent describes protection systems and methods “capable of
`protecting a personal computer (‘PC’) or other persistently or even
`intermittently network accessible devices or processes from harmful,
`undesirable, suspicious or other ‘malicious’ operations that might otherwise
`be effectuated by remotely operable code.” Id. at col. 2, ll. 51–56.
`“[R]emotely operable code that is protectable against can include,” for
`
`
`
`2
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`example, “downloadable application programs, Trojan horses and program
`code groupings, as well as software ‘components’, such as Java™ applets,
`ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among
`others.” Id. at ll. 59–64.
`B. Related Proceedings
`The ’494 patent is the subject of a district court action, Finjan, Inc. v.
`Sophos, Inc., 3:14-cv-01197 (N.D. Cal.), and has also been asserted in two
`other district court actions, Finjan, Inc. v. Symantec Corp., 3:14-cv-02998
`(N.D. Cal.), and Finjan, Inc. v. Palo Alto Networks, Inc., 3:14-cv-04908
`(N.D. Cal.). Pet. 2; Paper 5, 1. Petitioner also has filed a petition seeking
`inter partes review of a related patent, U.S. Patent No. 7,613,926 B2 to
`Edery et al. Sophos, Inc. v. Finjan, Inc., Case IPR2015-00907, Paper 1.
`C. Illustrative Claims
`Of the challenged claims, claims 1 and 10 are independent. Each of
`challenged claims 14 and 18 depends directly from claim 10. Independent
`claims 1 and 10 are illustrative and are reproduced below:
`1. A computer-based method, comprising the steps of:
`receiving an incoming Downloadable;
`deriving security profile data for the Downloadable,
`including a list of suspicious computer operations that may be
`attempted by the Downloadable; and
`storing the Downloadable security profile data in a database.
`
`10. A system for managing Downloadables, comprising:
`a receiver for receiving an incoming Downloadable;
`a Downloadable scanner coupled with said receiver, for
`deriving security profile data for the Downloadable, including a
`list of suspicious computer operations that may be attempted by
`the Downloadable; and
`
`
`
`3
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`
`a database manager coupled with said Downloadable
`scanner, for storing the Downloadable security profile data in a
`database.
`
`Ex. 1001, col. 21, ll. 19–25, col. 22, ll. 7–16.
`
`D. References Relied Upon
`Petitioner relies on the following references:
`
`Exhibit Reference
`
`1006
`
`1008
`
`1009
`
`1010
`
`ThunderBYTE Anti-Virus Utilities User Manual (“TBAV”)
`
`Arnold, US 5,440,723, issued Aug. 8, 1995
`
`Ji, US 5,623,600, issued Apr. 22, 1997 (filed Sept. 26, 1995)
`
`Chen, US 5,951,698, issued Sept. 14, 1999 (filed Oct. 2, 1996)
`
`Petitioner also relies on the Declaration of Dr. Paul C. Clark (Ex. 1002).
`E. Asserted Grounds of Unpatentability
`Petitioner challenges the patentability of the challenged claims on the
`following four grounds:
`
`#
`
`References
`
`1 TBAV and Ji
`
`2 TBAV, Ji, and Chen
`
`3 Arnold, Chen, and Ji
`
`4 Chen, Arnold, and Ji
`
`Basis
`
`§ 103(a)
`
`§ 103(a)
`
`Claim(s)
`Challenged
`1, 10, 18
`
`14
`
`§ 103(a)
`
`1, 10, 14, 18
`
`§ 103(a)
`
`1, 10, 14, 18
`
`
`
`
`
`
`
`4
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`
`II. DISCUSSION
`A. Claim Interpretation
`In an inter partes review proceeding, claims of an unexpired patent
`are given their broadest reasonable interpretation in light of the specification
`of the patent in which they appear. 37 C.F.R. § 42.100(b); Office Patent
`Trial Practice Guide, 77 Fed. Reg. 48,756, 48,766 (Aug. 14, 2012). See also
`In re Cuozzo Speed Techs., LLC, 793 F.3d 1268, 1278 (Fed. Cir. 2015) (“We
`conclude that Congress implicitly approved the broadest reasonable
`interpretation standard in enacting the AIA.”). Under this standard, we
`interpret claim terms using “the broadest reasonable meaning of the words in
`their ordinary usage as they would be understood by one of ordinary skill in
`the art, taking into account whatever enlightenment by way of definitions or
`otherwise that may be afforded by the written description contained in the
`applicant’s specification.” In re Morris, 127 F.3d 1048, 1054 (Fed. Cir.
`1997). We presume that claim terms have their ordinary and customary
`meaning. See In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir.
`2007) (“The ordinary and customary meaning is the meaning that the term
`would have to a person of ordinary skill in the art in question.”) (internal
`quotation marks omitted). A patentee, however, may rebut this presumption
`by acting as his own lexicographer, providing a definition of the term in the
`specification with “reasonable clarity, deliberateness, and precision.” In re
`Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994).
`Petitioner proposes constructions for four claim terms:
`“Downloadable,” “suspicious program operations,” “database,” and
`“program script.” Pet. 12–14. Patent Owner responds to each of Petitioner’s
`
`
`
`5
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`proposed constructions, offering alternative constructions for
`“Downloadable,” “database,” and “program script.” Prelim. Resp. 8–16.
`1. “Downloadable”
`The term “Downloadable” is recited in each of the challenged claims.
`According to Petitioner, under the broadest reasonable interpretation, this
`term “should be understood to mean ‘an executable application program
`which is downloaded from a source computer and can be run on the
`destination computer,’ as defined in the ’639 application.” Pet. 12 (citing
`Ex. 1005, col. 2, ll. 1–4; Ex. 1002 ¶ 60). Petitioner further contends its
`proposed construction is “consistent with” and is “what one of ordinary skill
`in the art would understand from the specification of the ’494 patent,” and
`“is also consistent with what was agreed upon by Petitioner and Patent
`Owner” in the related district court proceedings. Id. at 12–13 (citing Ex.
`1001, col. 9, ll. 46–52, Ex. 1002 ¶ 60, Ex. 1011, p. 4).
`In response, Patent Owner contends that the proper construction of
`“Downloadable” is instead “an executable application program, which is
`downloaded from a source computer and run on the destination computer.”
`Prelim. Resp. 8–9. Patent Owner points out that this is the definition
`provided in U.S. Patent Nos. 6,804,780 (Ex. 1014) and 6,092,194 (Ex.
`1015), from which the ’494 patent claims priority and which the ’494 patent
`incorporates by reference, and is also the definition agreed to by the
`Petitioner in related litigation. Id. at 9 (citing Ex. 1001, col. 1, ll. 27–39; Ex.
`1014, col. 1, ll. 50–53; Ex. 1015, col. 1, ll. 44–46; Ex. 2001, 2).
`Although the broadest reasonable interpretation may differ from a
`construction agreed upon by the parties to a district court litigation, where
`claim construction is determined according to the different standard set forth
`
`
`
`6
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`in Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc), we
`discern on this record no rationale for Petitioner’s insertion of the phrase
`“can be” into the parties’ previously agreed-upon construction. That is
`particularly the case in view of Petitioner’s assertion (Pet. 12) that its
`proposed construction is “as defined in the ’639 application,” whereas the
`definition recited in the cited portion of the ’639 application is instead
`identical to Patent Owner’s proposed construction. Compare Ex. 1005, col.
`2, ll. 1–4, with Prelim. Resp. 8–9. Indeed, Petitioner recognizes the actually
`recited definition elsewhere in the Petition. See, e.g., Pet. 7 (“A
`Downloadable is described [in the ’639 application] as ‘an executable
`application program which is automatically downloaded from a source
`computer and run on the destination computer.’”) (quoting Ex. 1005, col. 2,
`ll. 1–4).
`We agree with and adopt substantially Patent Owner’s proposed
`construction as the broadest reasonable interpretation of “Downloadable.”
`Accordingly, on this record and for purposes of this Decision, we construe
`“Downloadable” to mean “an executable application program which is
`automatically downloaded from a source computer and run on a destination
`computer.”
`2. “suspicious program operations”
`The term “suspicious computer operations” is recited in claims 1 and
`10 of the ’494 patent. Petitioner asserts that the broadest reasonable
`interpretation of this term is “computer instructions that are deemed to be
`potentially hostile.” Pet. 13. According to Petitioner, this construction is
`consistent both “with the disclosure in the ’639 application regarding
`‘potentially hostile operations’ and ‘suspect commands’” and “with the ’494
`
`
`
`7
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`patent, which describes ‘harmful, undesirable, suspicious or other
`“malicious” operations that might otherwise be effectuated by remotely
`operable code.’” Id. (citing Ex. 1005, p. 8, l. 19–p. 9, l. 3, p. 15, l. 19–p. 16,
`l. 2; Ex. 1001, col. 2, ll. 54–56; Ex. 1002 ¶ 62).
`Patent Owner responds that “the term . . . needs no construction and
`the plain and ordinary meaning within the context of the claims should
`apply.” Prelim. Resp. 9. According to Patent Owner,
`Petitioner’s proposed construction should also be rejected
`because computer instructions are not “computer operations
`that may be attempted by the Downloadable.” An instruction is
`a low-level programmatical construct, while an operation is a
`high-level command that the program actually performs. This
`distinction is reinforced by the claim language, which recites
`“computer operations
`that may be attempted by
`the
`Downloadable” as well as the specification, which differentiates
`between “remotely operable code” and
`the “harmful,
`undesirable, suspicious or other ‘malicious’ operations that
`might otherwise be effectuated by remotely operable code.”
`(Ex. 1001 at 2:54–64).
`Id. at 11 (italics and boldface omitted).
`We agree with Patent Owner that that this term requires no explicit
`construction, particularly not a construction that replaces the term
`“operations” with “instructions.” Whereas a suspicious computer operation
`might result from the execution of instructions deemed to be potentially
`hostile, instructions are not operations. And indeed, as Patent Owner
`correctly points out (id. at 10), the portions of the ’639 application and ’494
`patent cited by Petitioner do not mention the term “instruction.” Moreover,
`we cannot discern how construing the phrase “suspicious computer
`operations” would add any clarity to the claim phrase itself in the context of
`
`
`
`8
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`claims 1 and 10. Accordingly, we conclude that no explicit construction of
`“suspicious computer operations” is either warranted or necessary.
`3. “database”
`The term “database” is recited in claims 1 and 10 of the ’494 patent.
`Patent Owner argues that, under the broadest reasonable interpretation, this
`term “should be understood to mean ‘any structured store of data.’” Pet. 13.
`Petitioner contends that one of ordinary skill in the art would understand the
`term “database” to have this meaning, citing a claim construction order in an
`unrelated case, Mangosoft, Inc. v. Oracle Corp., No. 02-545-SM (D.N.H.).
`Id. (citing Ex. 1020, 29). Petitioner also contends that its proposed
`construction is consistent with both the ’639 application and the ’494 patent.
`Id. at 13–14.
`Patent Owner responds that the proper construction of “database” is
`instead “a collection of interrelated data organized according to a database
`schema to serve one or more applications.” Prelim. Resp. 12. As Patent
`Owner points out (id.), this construction has been adopted by the district
`court in related litigation between the parties (see Finjan, Inc. v. Sophos,
`Inc., No. 14-cv-01197 (N.D. Cal.), Claim Construction Order at 7 (Ex. 2003,
`7)). Patent Owner contends that this “[t]his construction stays true to the
`claim language and most naturally aligns with the patent’s description of the
`invention as well as the well-accepted definition of the term.” Prelim. Resp.
`12 (citing IBM DICTIONARY OF COMPUTING, 165 (10th ed. 1993) (Ex. 2002,
`3)).
`
`We agree with Patent Owner that the district court’s construction in
`the related litigation between the parties represents the broadest reasonable
`construction of “database” in light of the claim language and the
`
`
`
`9
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`specification of the ’494 patent. See Morris, 127 F.3d at 1054; see also
`Power Integrations, Inc. v. Lee, ___ F.3d ____, 2015 WL 4757642, at *6
`(Fed. Cir. Aug. 12, 2015) (“The fact that the board is not generally bound by
`a previous judicial interpretation of a disputed claim term does not mean . . .
`that it has no obligation to acknowledge that interpretation or to assess
`whether it is consistent with the broadest reasonable construction of the
`term.”). As explained by the district court, the ’494 patent does not define
`the term “database”; there is no evidence that Patent Owner disavowed the
`full scope of that term either in the Specification or during prosecution; and
`Patent Owner’s definition appears to reflect both the context of the patent, as
`well as a well-accepted definition of the term. Ex. 2003, 5, 7.
`Notably, in contrast, the court in the Mangosoft case cited by
`Petitioner did not construe the term “database,” but rather construed
`“structured store of data” as “data that are organized in some recognized
`fashion (e.g., database files, word processing document files, or Web pages)
`and stored in the volatile and/or non-volatile memory of the various nodes
`participating in the shared memory system.” See Ex. 1020, 23–29.
`Accordingly, on this record and for purposes of this Decision, we
`construe “database” to mean “a collection of interrelated data organized
`according to a database schema to serve one or more applications.”
`4. Other Claim Terms
`For purposes of this Decision, no other claim terms require express
`interpretation. Wellman, Inc. v. Eastman Chem. Co., 642 F.3d 1355, 1361
`(Fed. Cir. 2011) (“claim terms need only be construed ‘to the extent
`necessary to resolve the controversy’” (quoting Vivid Techs., Inc. v. Am. Sci.
`& Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999))).
`
`
`
`10
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`
`B. Asserted Grounds of Unpatentability
`1. Obviousness over TBAV and Ji
`Petitioner contends that TBAV, either alone or in combination with Ji,
`would have rendered obvious the subject matter of claims 1, 10, and 18 of
`the ’494 patent. Pet. 23–29. For the reasons that follow, we are not
`persuaded that Petitioner has established a reasonable likelihood that it
`would prevail on this ground with respect to any of the challenged claims.
`a. TBAV
`TBAV is a user manual for a set of software programs for protecting
`computer systems against viruses and for recovering those systems from any
`viruses that slip through. Ex. 1006, 6. TBAV describes two virus-scanning
`programs, “TbScan” and “TbScanX,” as well as various utility programs for
`restoration of infected boot sectors and partition tables (“TbUtil”),
`reconstruction and removal of infected files (“TbClean,” “TbDel”),
`definition of new virus signatures (“TbGenSig”), and other computer-
`security measures (e.g., “TbMem,” “TbFile,” “TbDisk”). Ex. 1006, 6–10.
`TbScan, in particular, is described as including both signature
`scanning functionality, for detecting known viruses whose signatures are
`stored in a signature file, and heuristic scanning functionality, for
`disassembling and analyzing files to detect suspicious instruction sequences
`and yet-unknown viruses. Id. at 6–7, 52, 158–160. According to TBAV,
`heuristic scanning allows TbScan to look into a file’s contents and interpret
`program instructions to detect their purpose. Id. at 160. TbScan assigns a
`“heuristic flag” and a score to instruction sequences known to be common in
`viruses but uncommon in “normal” programs. Id. By adding the scores
`associated with the flags, TbScan informs the user whether a file might be,
`
`
`
`11
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`or probably is, infected by an unknown virus. Id. TbScan also provides the
`option to output a list of infected program files, heuristic flags, and file
`pathnames either to a printer or to a log file. Id. at 65. According to TBAV,
`TbScan can be used to scan files stored on disks, fixed drives, and/or
`network drives, and may be run either upon user request or automatically
`(e.g., upon startup). Id. at 52–53, 55–56.
`TbScanX is described by TBAV as “the memory resident version of
`TbScan.” Id. at 7. According to TBAV, “[t]his signature scanner remains
`resident in memory and automatically scans those files that are being
`executed, copied, de-archived, downloaded, etc.” Id. Although at one point
`TBAV also states that “TbScanX is virtually identical to TbScan, with one
`important difference: TbScan is memory-resident” (id. at 89), it appears that
`TbScanX lacks TbScan’s heuristic scanning capability, particularly in view
`of the above-quoted description of the program as a “signature scanner” (id.
`at 7).
`
`b. Ji
`Ji describes a system for detecting and eliminating viruses on a
`computer network, where a File Transfer Protocol (FTP) proxy server is
`used to scan incoming and outgoing files for viruses and to transfer those
`files if they do not contain viruses. Ex. 1009, Abstract.
`c. Discussion
`Petitioner relies on TBAV alone for all elements of claims 1, 10, and
`18, with the exception of “a receiver for receiving an incoming
`Downloadable” recited in claim 10. Pet. 24–29. Petitioner contends that
`that receiver “is at least implicitly taught by TBAV,” but asserts further that,
`“[t]o the extent TBAV does not explicitly describe a receiver, . . . it would
`
`
`
`12
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`have been obvious to one of ordinary skill in the art to apply the teachings of
`a receiver in Ji to the system of TBAV.” Id. at 26–27.
`In response to Petitioner’s contentions, Patent Owner argues, inter
`alia, that the combination of TBAV and Ji fails to disclose “deriving security
`profile data for the Downloadable, including a list of suspicious computer
`operations that may be attempted by the Downloadable,” and “storing the
`Downloadable security profile data in a database,” as recited in independent
`claims 1 and 10. Prelim. Resp. 23–32.
`In view of Patent Owner’s arguments, we are not persuaded that
`Petitioner demonstrates a reasonable likelihood that it would prevail in
`showing that any of claims 1, 10, and 18 are unpatentable over TBAV and
`Ji.
`
`With respect to the recited “deriving” step, Petitioner asserts that
`TBAV’s TbScan “performs heuristic analysis of files,” which heuristic
`analysis “includes detecting suspicious instruction sequences within a file
`and applying heuristic flags to the file.” Pet. 24. According to Petitioner,
`“[t]he heuristic flags indicate the suspicious instructions.” Id. Although
`heuristic flags reasonably could be termed “security profile data for [a]
`Downloadable,” claims 1 and 10 both require, more particularly, “deriving
`security profile data . . . including a list of suspicious computer operations
`that may be attempted by the Downloadable.” Ex. 1001, claims 1, 10
`(emphasis added). Petitioner does not explain, nor can we discern, how
`TBAV’s heuristic analysis discloses “deriving . . . a list of suspicious
`computer operations that may be attempted by the Downloadable.” As we
`explain in our interpretation of the term “suspicious computer operations” in
`Section II.A.2, supra, Petitioner dos not persuade us that “instructions” are
`
`
`
`13
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`themselves “operations.” Further, notwithstanding Petitioner’s conclusory
`assertion that “the list of heuristic flags in the file is a list of suspicious
`instructions” (Pet. 24), Petitioner does not identify where TBAV discloses
`such a “list of heuristic flags in the file.”
`Additionally, the evidence cited by Petitioner does not demonstrate
`that TBAV and Ji teach or suggest storing security profile data in a
`“database,” as that term is properly construed. Neither the “log file” to
`which Petitioner asserts “TBAV teaches that heuristic analysis results . . .
`can be output” nor the “TBSCAN.SIG file” to which Petitioner asserts
`TBAV’s TbGenSig program adds virus signatures (Pet. 25) is disclosed to
`be a database, and Petitioner provides no persuasive evidence in support of
`its assertion that “[a] person of ordinary skill in the art would understand
`either or both of these files could be is [sic] a database containing that
`contains one or more data entries” (id. at 25–26). Indeed, although there is a
`page missing from the copy of TBAV provided by Petitioner, TBAV does
`not appear to disclose that the log file has any particular organization or
`serves any other applications, which, as explained in Section II.A.3, supra,
`are among the hallmarks of a database. Instead, the log file appears instead
`to be a simple output of “infected program files, specifying heuristic flags . .
`. and complete pathnames” either to a printer or to a file that is, by default,
`overwritten by the results of each new scan by the TbScan program. See Ex.
`1006, 65–66; see also Ex. 2003, 7 (“The practical import of adopting the
`IEEE definition or the IBM definition cited by the parties is largely the
`same, as both definitions appear to exclude ‘log files.’ . . . Therefore, I find
`that a log file does not qualify as a database in the context of this patent.”).
`
`
`
`14
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`
`On this record, Petitioner has not identified sufficient evidence that
`TBAV and Ji disclose either “deriving security profile data for the
`Downloadable, including a list of suspicious computer operations that may
`be attempted by the Downloadable,” or “storing the Downloadable security
`profile data in a database,” as recited in independent claims 1 and 10.
`Consequently, we are not persuaded that Petitioner demonstrates a
`reasonable likelihood that it would prevail at trial in showing that either of
`those claims or dependent claim 18 would have been obvious over the
`combination of those references.
`2. Obviousness over TBAV, Ji, and Chen
`Claim 14 depends from claim 10 and further recites the limitation
`“wherein the Downloadable includes program script.” Ex. 1001, claim 14.
`Petitioner contends that TBAV, either alone or in combination with Ji and/or
`Chen, would have rendered the subject matter of claim 14 obvious. Pet. 34–
`36. For essentially the same reasons as set forth in our discussion of asserted
`ground 1 in Section II.B.1, supra, we are not persuaded that Petitioner has
`established a reasonable likelihood that it would prevail on this ground.
`a. Chen
`Chen describes methods and systems for detecting and removing
`viruses from macros. Ex. 1010, Abstract. In one embodiment, Chen
`discloses computer system 100 that includes central processing unit (CPU)
`104, memory 106, communications unit 112 for facilitating communication
`with other systems, and various other computer components. Id. at col. 4, ll.
`42–59. CPU 104, as directed by instructions received from memory 106,
`provides signals for accessing computer files, determining whether they
`include macros, locating the macros, scanning the macros to determine
`
`
`
`15
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`whether viruses are present, and taking corrective action when viruses are
`detected. Id. at col. 5, ll. 3–9. In a preferred embodiment, memory 106
`includes macro virus detection module 206, which in turn includes macro
`locating and decoding module 302, macro virus scanning module 304,
`macro treating module 306, virus information module 308, file correcting
`module 310, and data buffer 312. Id. at col. 5, ll. 10–14, col. 5, l. 64–col. 6,
`l. 9.
`
`According to Chen, files may be targeted for access by user selection
`or based upon triggering events such as the opening of certain application
`file, system boots, or at periodic intervals, preferably prior to launch of an
`application program that may cause operation of a macro virus. Id. at col. 6,
`ll. 10–30. Macro locating and decoding module 302 examines targeted files
`to determine, among other things, whether they include embedded macros.
`Id. at col. 6, ll. 38–41, col. 12, ll. 4–65. If a macro is present, the macro is
`located and decoded into binary code and stored, so that it can be scanned
`for viruses. Id. at col. 12, ll. 54–57. Macro virus scanning module 304
`includes routines to detect combinations of suspect instructions likely to be
`used by macro viruses, such as the combination of a macro enablement
`instruction, which allows the formatting of a file to be set to indicate that the
`file includes a macro for execution, and a macro reproduction instruction,
`which allows the macro virus to be replicated. Id. at col. 8, ll. 40–53.
`To identify suspect instruction combinations, macro virus scanning
`module 304 accesses comparison data from virus information module 308,
`including sets of instruction identifiers that are used to identify combinations
`of suspect instructions in the decoded macro. Id. at col. 8, ll. 58–63, col. 13,
`ll. 7–32. If it is determined that a macro includes a combination of suspect
`
`
`
`16
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`instructions defined and identified by the set of instruction identifiers, the
`macro is deemed to be infected by an unknown virus corresponding to that
`set of data, and macro virus scanning module 304 flags the decoded macro
`as infected and stores information associating the decoded macro to the set
`of instruction identifiers that resulted in a positive unknown virus detection
`in data buffer 312 so that other modules such as macro treating module 306
`can treat the infected macro accordingly. Id. at col. 8, l. 67–col. 9, l. 11.
`b. Discussion
`As explained in Section II.B.1, we are not persuaded by Petitioner’s
`argument and evidence that TBAV or TBAV and Ji teach or suggest
`“deriving security profile data for the Downloadable, including a list of
`suspicious computer operations that may be attempted by the
`Downloadable,” or “storing the Downloadable security profile data in a
`database,” as recited in independent claim 10, from which claim 14 depends.
`Petitioner relies on Chen in connection with this asserted ground only for
`Chen’s alleged disclosure of the claim limitation “wherein the
`Downloadable includes program script,” as recited in claim 14 (see Pet. 34–
`36), and does not argue persuasively that Chen remedies the deficiencies of
`TBAV or TBAV and Ji with respect to the elements of claim 10.
`Accordingly, we also are not persuaded that Petitioner demonstrates a
`reasonable likelihood that it would prevail at trial in showing that claim 14 is
`unpatentable over the asserted combinations of TBAV, Ji, and Chen.
`On this record, Petitioner has not identified sufficient evidence that
`TBAV, Ji, and Chen teach or suggest either “deriving security profile data
`for the Downloadable, including a list of suspicious computer operations that
`may be attempted by the Downloadable,” or “storing the Downloadable
`
`
`
`17
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`security profile data in a database,” as recited in independent 10.
`Consequently, we are not persuaded that Petitioner demonstrates a
`reasonable likelihood that it would prevail at trial in showing that dependent
`claim 14 would have been obvious over the asserted combinations of those
`references.
`3. Obviousness over Arnold, Chen, and Ji
`Petitioner contends that Arnold, either alone or in combination with
`Chen and Ji, would have rendered obvious the subject matter of claims 1, 10,
`14, and 18 of the ’494 patent. Pet. 39–44. For the reasons that follow, we
`are not persuaded that Petitioner has established a reasonable likelihood that
`it would prevail on this ground with respect to any of the challenged claims.
`a. Arnold
`Arnold describes “methods and apparatus for providing computational
`integrity for digital data processors and networks,” including, inter alia,
`periodically monitoring a data processing system for anomalous behavior
`that may indicate the presence of an undesirable software entity such as a
`computer virus, worm, or Trojan Horse; scanning for occurrences of known
`types of undesirable software entities and taking remedial action if any are
`discovered; capturing samples of unknown types of viruses; identifying
`machine code portions of the captured samples; extracting an identifying
`signature from executable code portions and adding the signature to a
`signature database; and informing neighboring data processing systems on a
`network of an occurrence of the undesirable software entity. Ex. 1008,
`Abstract, col. 1, ll. 15–18, col. 4, ll. 29–56.
`
`
`
`18
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`
`Figure 8 of Arnold is reproduced below.
`
`
`
`Figure 8 is a block diagram of a system operable for executing
`Arnold’s method. Id. at col. 3, ll. 44–45. If preliminary evidence of virus-
`like activity is detected, computational resources are devoted to obtaining
`more conclusive evidence of infection. Id. at col. 5, ll. 29–32. With
`reference to Figure 8, anomaly detector 72 detects anomalous behavior of
`CPU 14. Id. at col. 28, ll. 47–49. Upon detection of anomalous behavior,
`scanner 74 compares valid signatures from a signature database (SDB 74a)
`to programs stored in the memory to identify known viruses. Id. at col. 28,
`ll. 56–60. If no known virus is found, the anomaly may be due to an
`unknown virus, and a decoy program is deployed by decoy program unit 76
`to obtain a sample of the unknown virus. Id. at col. 6, ll. 3–7, col. 29, ll. 1–
`17. If a modification to the decoy program is detected, decoy program unit
`76 isolates the undesirable software entity and provides one or more samples
`
`
`
`19
`
`
`
`IPR2015-01022
`Patent 8,677,494 B2
`
`to code/data segregator 38 (also termed “invariant code identifier 38”). Id.
`at col. 29, ll. 10–14. Portions of the virus that are likely to vary from one
`instance of the virus are then filtered out, code-data segregation is performed
`to separate non-executable “data” portions from “code” portions
`representing machine instructions, and a viral signature is extracted from
`“probably-invariant” portions of the code. Id. at col. 7, ll. 11–21, col. 7, l.
`59–col. 8, l. 6, col. 9, ll. 13–16. For each virus, one or more candidate
`signatures having the best “scores” are selected to represent the virus. Id. at
`col. 19, ll.
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
