Trials@uspto.gov Paper: 58
`571-272-7822 Entered: March 15, 2017
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`SYMANTEC CORP. and
`BLUE COAT SYSTEMS LLC,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2015-018921
`Patent 8,677,494 B2
`____________
`
`
`
`Before ZHENYU YANG, CHARLES J. BOUDREAU, and
`SHEILA F. McSHANE, Administrative Patent Judges.
`
`BOUDREAU, Administrative Patent Judge.
`
`
`
`FINAL WRITTEN DECISION
`35 U.S.C. § 318(a) and 37 C.F.R. § 42.73
`
`
`
`
`
`
`
`1 Case IPR2016-00890 has been joined with the instant proceeding.
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`I. INTRODUCTION
`Symantec Corp. and Blue Coat Systems, Inc., now known as Blue
`Coat Systems LLC,2 (collectively, “Petitioner”) filed petitions requesting
`inter partes review of claims 1, 2, 5, 6, 10, 11, 14, and 15 of U.S. Patent
`No. 8,677,494 B2 (Ex. 1001, “the ’494 patent”). Paper 1 (“Petition” or
`“Pet.”); see also IPR2016-00890, Paper 2.
`Based on the information provided in the Petition, and in
`consideration of the Preliminary Response (Paper 7) of Patent Owner,
`Finjan, Inc., we instituted a trial pursuant to 35 U.S.C. § 314(a) with respect
`to claims 1, 2, 5, 6, 10, 11, 14, and 15 and subsequently joined Case
`IPR2016-00890 with the instant case. Paper 9 (“Decision on Institution” or
`“Dec. on Inst.”); see also Paper 30 (copy of decision instituting inter partes
`review in Case IPR2016-00890 and granting motion for joinder; also filed as
`IPR2016-00890, Paper 8).
`After institution, Patent Owner filed a Partial Request for Rehearing
`Pursuant to 37 C.F.R. §§ 42.71(c) and 42.71(d) (Paper 13), challenging our
`decision to institute trial, and we issued a Decision Denying Patent Owner’s
`Request for Rehearing (Paper 21, “Rehearing Decision” or “Reh’g Dec.”).
`Thereafter, Patent Owner filed a Response (Paper 27 (“PO Resp.”)), and
`Petitioner filed a Reply (Paper 31, “Pet. Reply”). Petitioner proffered
`Declarations of Sylvia Hall-Ellis, Ph.D. (Ex. 1006) and Jack W.
`Davidson, Ph.D. (Ex. 1018) with its Petition; and a Reply Declaration of
`Dr. Davidson (Ex. 1027), a Supplemental Declaration of Dr. Hall-Ellis
`(Ex. 1037), and Declarations of Richard Ford, D.Phil. (Ex. 1038) and Joseph
`
`
`2 See Paper 54, 1.
`
`2
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`Kiegel (Ex. 1041) with its Reply. Patent Owner proffered Declarations of
`Nenad Medvidovic, Ph.D. (Ex. 2007) and S.H. Michael Kim (Ex. 2010) with
`its Response. Also, deposition transcripts were filed for Dr. Medvidovic
`(Ex. 1034), Dr. Hall-Ellis (Ex. 2011), and Dr. Davidson (Ex. 2012).
`Patent Owner moves to exclude certain of Petitioner’s Exhibits,
`including each of the Declarations proffered with the Reply. Paper 41.
`Petitioner filed an Opposition (Paper 48) to the motion, and Patent Owner
`filed a reply (Paper 51).
`Patent Owner also filed an identification of arguments alleged to
`exceed the proper scope of Petitioner’s Reply (Paper 39), to which Petitioner
`filed a response (Paper 46). Patent Owner further filed a Motion for
`Observations on Testimony of Dr. Davidson (Paper 42), and Petitioner filed
`a response thereto (Paper 47).
`An oral hearing was held on December 16, 2016; a transcript of the
`hearing is included in the record (Paper 56, “Tr.”).
`We have jurisdiction under 35 U.S.C. § 6. This Final Written
`Decision is issued pursuant to 35 U.S.C. § 318(a) and 37 C.F.R. § 42.73.
`For the reasons that follow, we determine that Petitioner has shown by a
`preponderance of the evidence that claims 1, 2, and 6 of the ʼ494 patent are
`unpatentable.
`We also deny-in-part and dismiss-in-part Patent Owner’s Motion to
`Exclude.
`
`II. BACKGROUND
`
`A. Related Proceedings
`The parties identify six district court actions involving the ’494 patent:
`Finjan, Inc. v. Sophos, Inc., No. 3:14-cv-01197 (N.D. Cal. 2014) (“the
`
`3
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`Sophos litigation”), Finjan v. Websense, Inc., No. 14-cv-01353 (N.D. Cal.
`2014), Finjan, Inc. v. Symantec Corp., No. 3:14-cv-02998 (N.D. Cal. 2014),
`Finjan, Inc. v. Palo Alto Networks, Inc., No. 3:14-cv-04908 (N.D. Cal.
`2014), Finjan, Inc. v. Blue Coat Systems, Inc., No. 5:15-cv-03295 (N.D. Cal.
`2015), and Finjan, Inc. v. Cisco Systems Inc., No. 17-cv-00072 (N.D. Cal.
`2017). Pet. 1; Paper 6, 1; PO Resp. 57; Paper 54, 1.
`The ’494 patent is also the subject of an inter partes review in Palo
`Alto Networks, Inc. v. Finjan, Inc., Case IPR2016-00159, to which Blue
`Coat Systems, Inc. v. Finjan, Inc., Case IPR2016-01174, has been joined;
`and was the subject of denied petitions for inter partes review in Sophos Inc.
`v. Finjan, Inc., Case IPR2015-01022, Symantec Corp. v. Finjan, Inc., Case
`IPR2015-01897, and Blue Coat Systems, Inc. v. Finjan, Inc., Case
`IPR2016-01443.
`
`B. The ’494 Patent
`The ’494 patent, entitled “Malicious Mobile Code Runtime
`Monitoring System and Methods,” issued March 18, 2014, from U.S. Patent
`Application No. 13/290,708 (“the ’708 application”), filed November 7,
`2011. Ex. 1001, [21], [22], [45], [54]. On its face, the ’494 patent purports
`to claim priority from nine earlier applications: (1) U.S. Provisional
`Application No. 60/030,639 (“the ’639 provisional”), filed November 8,
`1996; (2) U.S. Patent Application No. 08/790,097, filed January 29, 1997,
`and issued as U.S. Patent No. 6,167,520 (“the ’520 patent”); (3) U.S. Patent
`Application No. 08/964,388 (“the ’388 application”), filed November 6,
`1997, and issued as U.S. Patent No. 6,092,194 (Ex. 1013, “the ’194 patent”);
`(4) U.S. Patent Application No. 09/539,667, filed March 30, 2000, and
`issued as U.S. Patent No. 6,804,780 (Ex. 2028, “the ’780 patent”);
`
`4
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`(5) U.S. Patent Application No. 09/551,302, filed April 18, 2000;
`(6) U.S. Provisional Patent Application No. 60/205,591, filed May 17, 2000;
`(7) U.S. Patent Application No. 09/861,229, filed May 17, 2001;
`(8) U.S. Patent Application No. 11/370,114 (“the ’114 application”), filed
`March 7, 2006; and (9) U.S. Patent Application No. 12/471,942, filed
`May 26, 2009. Ex. 1001, [63]. In our Decision on Institution in Case
`IPR2016-00159, we determined on the record then before us in that case that
`the ’494 patent is not entitled to an earlier priority date than the November 6,
`1997, filing date of the ’388 application, due to the failure of the
`intermediate ’114 application to include priority claims either to the
`’639 provisional or to the ’097 application. See IPR2016-00159, slip op. at
`10–13 (PTAB May 13, 2016) (Paper 8). That determination does not affect
`any of our conclusions in this case.
`The ’494 patent describes protection systems and methods “capable of
`protecting a personal computer (‘PC’) or other persistently or even
`intermittently network accessible devices or processes from harmful,
`undesirable, suspicious or other ‘malicious’ operations that might otherwise
`be effectuated by remotely operable code.” Ex. 1001, 2:51–56. “Remotely
`operable code that is protectable against can include,” for example,
`“downloadable application programs, Trojan horses and program code
`groupings, as well as software ‘components’, such as Java™ applets,
`ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among
`others.” Id. at 2:59–64.
`
`5
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`C. Illustrative Challenged Claims
`Of the challenged claims, claims 1 and 10 are independent. Those
`claims are illustrative and are reproduced below:
`1. A computer-based method, comprising the steps of:
`receiving an incoming Downloadable;
`deriving security profile data for the Downloadable,
`including a list of suspicious computer operations that may be
`attempted by the Downloadable; and
`storing the Downloadable security profile data in a database.
`
`10. A system for managing Downloadables, comprising:
`a receiver for receiving an incoming Downloadable;
`a Downloadable scanner coupled with said receiver, for
`deriving security profile data for the Downloadable, including a
`list of suspicious computer operations that may be attempted by
`the Downloadable; and
`a database manager coupled with said Downloadable
`scanner, for storing the Downloadable security profile data in a
`database.
`
`Ex. 1001, 21:19–25, 22:7–16. Each of challenged claims 2, 5, and 6
`depends directly from claim 1; and each of challenged claims 11, 14, and 15
`depends directly from claim 10. Id. at 21:26–28, 21:33–37, 22:17–20,
`22:26–30.
`
`D. Instituted Ground of Unpatentability
`The Petition asserted five grounds of unpatentability. Pet. 5. We
`instituted trial in this case only on the asserted ground that claims 1, 2, 5, 6,
`10, 11, 14, and 15 of the ’494 patent are unpatentable under 35 U.S.C. § 103
`over Morton Swimmer et al., Dynamic Detection and Classification of
`
`6
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`Computer Viruses Using General Behaviour Patterns, Virus Bull. Conf. 75
`(Sept. 1995) (Ex. 1005, “Swimmer”). Dec. on Inst. 34.
`
`III. ANALYSIS
`
`A. Claim Construction
`The ’494 patent expired no later than January 29, 2017. See Paper 55,
`1 (Patent Owner representing that January 29, 2017, was the expiration date
`of the ’494 patent and that Petitioner does not dispute that date). In an inter
`partes review, we construe claims of an expired patent according to the
`standard applied by the district courts. See In re Rambus Inc., 694 F.3d 42,
`46 (Fed. Cir. 2012). Specifically, because the expired claims of a patent are
`not subject to amendment, we apply the principles set forth in Phillips v.
`AWH Corp., 415 F.3d 1303, 1312–17 (Fed. Cir. 2005) (en banc). Under that
`standard, the words of a claim are generally given their ordinary and
`customary meaning, which is the meaning the term would have to a person
`of ordinary skill at the time of the invention, in the context of the entire
`patent including the specification. See Phillips, 415 F.3d at 1312–13. Only
`those terms in controversy need to be construed, and only to the extent
`necessary to resolve the controversy. See Vivid Techs., Inc. v. Am. Sci. &
`Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999).
`For purposes of this Decision, we address three claim terms and
`phrases, each of which is recited in both independent claims 1 and 10:
`(1) “list of suspicious computer operations”; (2) “database”; and (3) “storing
`the Downloadable security profile data in a database.”
`
`7
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`1. “list of suspicious computer operations”
`Neither party identified “list of suspicious computer operations” as
`requiring construction prior to institution, and we did not provide an express
`construction of that phrase in the Decision on Institution. In the Decision on
`Institution, we were persuaded, however, by Petitioner’s contentions that the
`DOS functions corresponding to the “function numbers” included in
`Swimmer’s audit trail include the same types of operations referred to by
`applications related to the ’494 patent as examples of “suspicious
`operations,” including the four specific types of operations that are recited as
`“suspicious computer operations” in challenged dependent claims 6 and 15.
`Dec. on Inst. 22 (citing Pet. 17–18, 21–22).
`In the Patent Owner Response, Patent Owner contends “[a] ‘list of
`suspicious computer operations’ is properly construed as ‘a list of computer
`operations deemed suspicious’” (PO Resp. 10). According to Patent Owner,
`“[t]he ’494 Patent requires this construction, specifically that the operations
`are deemed to be suspicious.” Id. “For example,” Patent Owner contends,
`“the ’194 Patent, which is incorporated by reference into the ’494 Patent,
`explains how generating the ‘list of suspicious computer operations’ first
`requires that a determination be made as to whether the operations to be
`listed are suspicious.” Id. (citing Ex. 1013, 9:20–42, Fig. 7; Ex. 2007 ¶¶ 47–
`48, 65). Patent Owner further contends that Petitioner’s argument that DOS
`function numbers identified by Swimmer correspond to the same types of
`operations identified in one related application (i.e., the ’639 provisional,
`Ex. 1002) is both factually incorrect, in that the cited portion of the ’639
`provisional “relates to ‘fundamental computer operations,’ not “suspicious
`computer operations[’]” (Id. at 10–11 (citing Ex. 1002, 18:9–13)), and
`
`8
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`contrary to the law, in “relying on knowledge gleaned from the ’494 Patent
`itself—namely the insight to deem some subset of ‘calls made to an
`operating system, a file system, a network system, and to memory’ as
`suspicious in deriving a list of the suspicious computer operations that may
`be attempted by a Downloadable” (id. at 11).
`Regarding the first point, Patent Owner points out that certain
`disclosure in the ’194 patent “actually relates to ‘suspicious computer
`operations,’” providing “An Example List of Operations Deemed
`Potentially Hostile.” Id. (citing Ex. 1013, 5:50–54; quoting Ex. 1013, 5:58–
`6:4 (emphasis added by Patent Owner)). Patent Owner contends this
`“mean[s] that there is no a priori understanding of what constitutes a
`‘suspicious computer operation,’” but “[r]ather, some subset of all possible
`computer operations must first be deemed suspicious in order to derive a list
`of suspicious computer operations for a Downloadable.” Id. (citing Ex.
`1013, 5:58–6:4, 9:20–42, Fig. 7). Regarding the second point, Patent Owner
`argues, “in assessing obviousness Petitioner may consider ‘only knowledge
`which was within the level of ordinary skill in the art at the time the claimed
`invention was made,’ but may not consider the claimed invention itself.” Id.
`at 11–12 (quoting In re McLaughlin, 443 F.2d 1392, 1395 (CCPA 1971)).
`Finally, Patent Owner contends “the Board appears to have misunderstood
`how dependent claims 6 and 15 limit claims 1 and 10, respectively,” as
`“claims 6 and 15 do not equate all ‘calls made to an operating system, a file
`system, a network system, and to memory’ with suspicious computer
`operations . . . .” Id. at 12 (citing Dec. on Inst. 22). Rather, Patent Owner
`contends, “a person of ordinary skill in the art would understand these
`claims to require that certain ‘calls made to an operating system, a file
`
`9
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`system, a network system, and to memory’ be among those computer
`operations that have been deemed ‘suspicious.’” Id. (citing Ex. 2007 ¶¶ 69,
`97).
`
`Petitioner replies that the phrase “list of suspicious computer
`operations” should be given its plain and ordinary meaning consistent with
`the specification of the ’494 patent, which, Petitioner asserts, is “a list
`including one or more types of computer operations that could be used by
`the Downloadable in a potentially hostile or undesirable manner (e.g.,
`operating system, file system, or memory operations).” Pet. Reply 5 (citing
`Ex. 1013, 3:17–21, 5:58–6:4). Petitioner contends that the ’194 patent,
`incorporated by reference in the ’494 patent, “explains that examples of
`‘suspicious’ operations include file system operations (e.g., reading and
`writing files), OS [operating system] operations, and registry, network, and
`memory operations” (id. (citing Ex. 1013, 5:57–6:4)), and “[i]n turn, the
`system determines whether an operation in a Downloadable is ‘suspicious’
`simply by determining ‘whether [it] is one of the operations identified in the
`list described above’ (i.e., at [Ex. 1013,] 5:57–6:4)” (id. (quoting Ex. 1013,
`9:20–42)). Petitioner also relies on the testimony of Dr. Davidson as
`explaining that a person of ordinary skill in the art would have appreciated
`that these were the types of computer operations used by viruses to do harm.
`Id. at 5–6 (citing Ex. 1018 ¶¶ 75–81, 97–100). According to Petitioner,
`Patent Owner’s construction, which “merely rearranges the claim language
`and inserts the word ‘deemed,’” is both unhelpful and unreasonably narrow
`because it reads an additional “deeming” step into the claims. Id. at 6.
`Petitioner contends Patent Owner’s position that such a step is required is
`“directly contradicted by the ’194 patent,” which, Petitioner contends,
`
`10
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`“makes clear that an operation is ‘suspicious’ merely because it is a type of
`operation that could be used in a potentially hostile manner (e.g., file system
`operations)” by “stat[ing] that [Downloadable security profile (“DSP”)] data
`may include ‘a list of all operations in the Downloadable code which could
`ever be deemed potentially hostile.’” Id. at 7 (quoting Ex. 1013, 5:51–59
`(emphasis added by Petitioner)). In other words, Petitioner contends, “at the
`time an operation is included in the list, there has been no determination yet
`of whether that particular operation is actually being used in a potentially
`hostile or ‘suspicious’ manner.” Id. (citing Ex. 1018 ¶¶ 91–96).
`We agree with Petitioner that Patent Owner’s proposed construction is
`unhelpful to an understanding of the scope of the challenged claims insofar
`as it “merely rearranges the claim language and inserts the word ‘deemed’”
`(Pet. Reply 6). More helpful is the portion of the ’194 patent cited by
`Petitioner that explains that DSP data may include “a list of all operations in
`the Downloadable code which could ever be deemed potentially hostile.”
`Ex. 1013, 5:51–53 (emphasis added)). The inclusion of the phraseology “all
`operations . . . which could ever be deemed potentially hostile” in that
`passage renders it more objective, and “potentially hostile” captures our
`understanding of the meaning of “suspicious” in the context of the claims in
`light of the intrinsic and extrinsic evidence of record. Indeed, column 9,
`lines 20–42, of the ’194 patent, cited by Patent Owner in support of its
`assertion that “generating the ‘list of suspicious computer operations’ first
`requires that a determination be made as to whether the operations to be
`listed are suspicious” (see PO Resp. 10), directly links the term “suspicious”
`with “the list described above with reference to FIG. 3”—i.e., the “list of all
`
`11
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`operations in the Downloadable code which could ever be deemed
`potentially hostile.”
`Because we determine that column 5, line 50, to column 6, line 4, of
`the ’194 patent, incorporated by reference into the ’494 patent (see Ex. 1001,
`1:35–38), provides the most probative evidence on the record before us as to
`the meaning of “list of suspicious computer operations” as recited in the
`challenged claims, we conclude that phrase is properly construed as a “list of
`all operations that could ever be deemed potentially hostile,” non-limiting
`examples of which includes file operations; network operations; registry
`operations; operating systems operations; resource usage threshold
`operations, memory operations, CPU operations, and graphics operations.
`Ex. 1013, 5:50–6:4.
`Notwithstanding our conclusion regarding the proper construction of
`“list of suspicious computer operations,” however, as we discuss in greater
`detail, infra Section III.B.4.a.iii, our ultimate conclusions in this proceeding
`do not turn on our adoption of this construction, Patent Owner’s proposed
`construction, or Petitioner’s proposed construction.
`
`2. “database”
`In the Decision on Institution, in view of competing constructions
`advanced in the Petition and the Preliminary Response, we construed the
`term “database” as “a collection of interrelated data organized according to a
`database schema to serve one or more applications.” Dec. on Inst. 7–11. As
`we explained, we agreed with Patent Owner that that construction, which
`was previously articulated by the district court in the Sophos litigation and
`applied by the Board in prior proceedings, represented the broadest
`reasonable interpretation in light of the claim language and the specification
`
`12
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`of the ’494 patent. Id. at 10; see Ex. 2002, 7 (Finjan, Inc. v. Sophos, Inc.,
`No. 14-cv-01197 (N.D. Cal. 2014), Claim Construction Order at 7);
`Ex. 2003, 8–10 (Sophos, Inc. v. Finjan, Inc., Case IPR2015-00907, slip op.
`at 8–10 (Paper 8) (concerning related U.S. Patent No. 7,613,926)); Ex. 2004,
`9–10 (Sophos, Inc. v. Finjan, Inc., Case IPR2015-01022, slip op. at 9–10
`(Paper 7) (concerning the ’494 patent)).
`Neither Petitioner nor Patent Owner challenges that construction, per
`se, post-institution. Patent Owner contends, however, that “[t]he practical
`import of this construction excludes log files from being databases.” PO
`Resp. 7 (emphasis added). In support of its contention, Patent Owner asserts
`that the district court explained in the claim construction order in the Sophos
`litigation that “the term ‘database’ is not broad enough to include a log file.”
`Id. (quoting Ex. 2002, 7). According to Patent Owner, the district court
`“based its reasoning of the intrinsic record which demonstrates that
`databases and log files are separate and distinct entities.” Id. “For
`example,” Patent Owner alleges, “the specification designates the database
`that stores DSP with box ‘Security Database 240’ while an event log is
`designated with box ‘Event Log 245,’” and “[t]he ’494 Patent further
`describes how databases and log files function differently by describing how
`logging results in an event log is an action that is distinct from storing in a
`security database.” Id. at 7–8 (reproducing Ex. 1013, Fig. 2; citing Ex.
`1013, 7:2–6); see also id. at 8 (reproducing and referring to Ex. 1013, Fig. 3,
`as allegedly illustrating that “[t]his logging functionality is distinct from
`storing in a database, which allows DSP to be efficiently retrieved from the
`database, as shown by the bidirectional arrow between the DSP data 310
`stored within Security Database 240 and Code Scanner 325 as compared to
`
`13
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`the arrow from logical engine 333 to record-keeping engine 335 to event log
`245”), 9 (“The data storage device 230 stores a security database 240, which
`includes security information for determining whether a received
`Downloadable is to be deemed suspicious.” (quoting Ex. 1013, 3:47–50)).
`Patent Owner concludes, “[b]ecause the District Court’s holding is based on
`sound reasoning, it should generally be followed in these proceedings.” Id.
`at 9.
`
`Petitioner “maintain[s] this is not the broadest reasonable
`interpretation of ‘database,’ but adopt[s] the Board’s construction solely for
`purposes of this IPR.” Pet. Reply 2 n.2. Petitioner additionally takes issue
`with Patent Owner’s assertion, among others, that the database cannot be a
`log file. Id. at 2–5.
`We note that despite Patent Owner’s assertions regarding what “the
`specification designates” and what “the ’494 Patent further describes” (see
`PO Resp. 7–8), the citations and figures reproduced by Patent Owner in
`support of those assertions are not from the ’494 patent, but instead are from
`the ancestral ’194 patent. Although the ’494 patent incorporates by
`reference the ’194 patent, among other patents and applications (see supra
`Section II.B), the ’494 patent includes different versions of the cited figures
`and different descriptions thereof. Further, despite Patent Owner’s
`bookending of those figures, citations, and quotations from the ’194 patent
`with arguments regarding the district court’s claim construction order in the
`Sophos litigation, we find that that order did not refer to the ’194 patent. See
`Ex. 2002.
`Nonetheless, we agree that the district court found that the parties’
`disagreement in the Sophos litigation “center[ed] on whether ‘database’
`
`14
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`includes ‘simple files such as a log file,’” where, “[a]ccording to Finjan, a
`log file is unstructured collection of data on a computer,” and explained that
`“database” should be construed, in part, “because the parties dispute the
`categorization of ‘log file’ as a ‘database.’” Id. at 4. The court found, based
`on references to a “database” in the ’494 patent itself, that “a database is
`used as an information source that serves protection engines when they
`inspect Downloadables.” Id. at 5–6. The court also found that the related
`’780 patent “reflects the same understanding of database in its reference to a
`‘security database,’” and separately “refers to an ‘event log,’ stating that it
`‘includes determination results for each Downloadable examined and
`runtime indications of the internal network security system.” Id. at 6
`(quoting Ex. 2028, 3:62–64). The court concluded:
`The patent’s language and context supports Finjan’s
`definition of a database. The specifications illustrate that a
`“database” serves applications, a characteristic that is not
`included in Sophos’s definition. The fact that a database assists
`applications also undermines Sophos’s argument that a log file is
`a database, because a log file is more properly understood as a
`passive record, instead of a storage device that interacts with an
`application. The ’780 patent also differentiates between log files
`and “databases” by referring to them separately.
`In addition, Finjan’s expert, Nenad Medvidovic, states that
`a person of ordinary skill in the art would understand “database”
`to mean “a collection of interrelated data organized according to
`a database schema to serve one or more applications.”
`[Dr.] Medvidovic further states
`that “[a] person would
`understand a simple log file is not a database because it is not
`structured like a database . . . A database, on the other hand, is a
`structured software component that allows user and other
`software components to store and retrieve data in an efficient
`manner.” . . . [Dr.] Medvidovic’s definition appears reasonable
`when compared to the language of the patent and the definitions
`from computing dictionaries such as the IBM Dictionary of
`
`15
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`Computing and the IEEE Standard Dictionary of Electrical and
`Electronics Terms.
`
`. . . .
`I am persuaded by Finjan’s assertion that “[t]he claim
`language of the asserted patents all relate to the storage of data
`within the database in the context of the security profile or the
`downloadable security profile. The system actively uses these
`security profiles to detect malware and manage the system, not
`just for archival storage.” Therefore, I find that a log file does
`not qualify as a database in the context of this patent. Because
`Finjan’s definition appears to reflect both the context of the
`patent as well as a well-accepted definition of the term, I adopt
`Finjan’s construction of “database.”
`
`
`Id. at 6–7 (internal citations omitted).
`Although our construction of the term “database” in the Decision on
`Institution was rendered under the “broadest reasonable interpretation”
`standard applicable to unexpired patents (see 37 C.F.R. § 42.100(b)), we
`conclude, in view of the parties’ arguments and cited evidence, and having
`considered the district court’s explanation set forth in the claim construction
`order in the Sophos litigation, that there is no reason to modify our
`construction of “database” set forth in the Decision on Institution, which
`mirrors the district court’s express construction. Accordingly, we again
`construe “database” as “a collection of interrelated data organized according
`to a database schema to serve one or more applications.” To the extent that
`construction would exclude a log file consisting of an “unstructured
`collection of data on a computer,” we agree for the reasons articulated by the
`district court that such a simple, unstructured log file would not be a
`database. See Ex. 2002, 4–7. However, we do not agree with Patent
`Owner’s suggestion that this construction necessarily excludes all log files
`from being databases. See infra Section III.B.4.a.iv. In particular, we credit
`
`16
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`Dr. Davidson’s deposition testimony that the word “log” refers to the kind of
`data that is stored in a file, not to the file’s format or organization, and that a
`log file can, therefore, be considered a database “if it’s organized in a
`fashion . . . for a database, which it’s an interrelated collection of data
`organized according to the scheme of serving one or more applications.”
`Ex. 2041, 50:8–51:1; see also id. at 52:2–10 (“Q. So a log file would be
`considered a database, correct? A. Again, it depends on how it’s organized
`whether it would be considered a database. . . . [I]t’s not like it's one or the
`other. It could be both.”). In contrast, we understand the district court’s
`stated exclusion of “log files” from the construction of “database” to have
`been based on a fundamentally different interpretation of “log file” than
`Dr. Davidson’s, informed by Patent Owner’s representation in the district
`court litigation that a log file is an “unstructured collection of data.” See Ex.
`2002, 4:20–21. In view of the clear disconnection between Dr. Davidson’s
`and the district court’s interpretations of the term “log file,” we disagree
`with Patent Owner’s contentions that “[t]he practical import” of our
`construction is to exclude log files from being databases (see PO Resp. 7)
`and that Dr. Davidson’s “admission” that Swimmer’s audit trail is a database
`“is decisive” (id. at 9).
`
`3. “storing the Downloadable security profile data in a database”
`Neither party identified “storing the Downloadable security profile
`data in a database” as requiring construction prior to institution, and we did
`not provide an express construction of that phrase in the Decision on
`Institution. In the Patent Owner Response, Patent Owner contends that the
`phrase “storing the Downloadable security profile data in a database” is
`properly construed as “placing the derived DSP data into the database.” PO
`
`17
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`Resp. 13. More particularly, according to Patent Owner, a person of
`ordinary skill in the art would understand the term “storing” to mean “to
`place in storage” (id. at 13 (citing Ex. 2007 ¶ 71; Ex. 2027 (IBM Dictionary
`of Computing, 10th Ed.), 653)), and that understanding is “also reflected by
`how the specification3 describes storing in a database, namely by placing
`DSP data 310 into Security Database 240” (id. (citing Ex. 1013, Fig. 3)). “In
`contrast,” Patent Owner speculates, Petitioner “equates storing to
`converting.” Id. at 14. According to Patent Owner, this is necessarily the
`case “because ‘storing’ is an action that is never used in describing
`Swimmer’s audit trail.” Id. Patent Owner contends that “reading ‘storing’
`so broadly that it includes ‘converting’ is completely at odds with the
`understanding of one of skill in the art at the time and does not reasonably
`reflect the disclosure of the ’494 Patent.” Id. at 15. Patent Owner also
`contends that construction of this phrase is “necessary in order to avoid
`Petitioner’s conflation of claim terms.” Id. In particular, Patent Owner
`asserts, “Petitioner seeks to map Swimmer’s generation of an audit trail to
`both the claimed ‘deriving DSP data’ and ‘storing the DSP data in a
`database’” (id. (citing Pet. 16–20; Dec. on Inst. 16, 23)), thereby improperly
`reading the “storing . . . in a database” limitation out of the claim (id. at 15–
`16). According to Patent Owner, “the unequivocal disclosure in the ’494
`Patent and Petitioner’s misleading attempt to conflate claim terms” require
`that Patent Owner’s construction be adopted “to make clear that ‘deriving
`DSP data’ is separate from ‘storing the DSP data in a database,’ and that the
`
`
`3 As with its references to “the specification” in connection with the term
`“database,” Patent Owner’s reference to “the specification” here is not to the
`’494 patent itself, but instead to the related ’194 patent.
`
`18
`
`

`

`IPR2015-01892
`Patent 8,677,494 B2
`
`DSP data is only placed in the database upon derivation of the profile,
`including the list of suspicious computer operations.” Id. at 16.
`Petitioner replies that the phrase needs no further construction and
`should be given its plain and ordinary meaning, namely, “th