`571-272-7822
`
`
`Paper No. 9
`
` Entered: March 18, 2016
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`SYMANTEC CORP.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2015-01892
`Patent 8,677,494 B2
`____________
`
`
`
`Before JAMES B. ARPIN, ZHENYU YANG, and
`CHARLES J. BOUDREAU, Administrative Patent Judges.
`
`BOUDREAU, Administrative Patent Judge.
`
`DECISION
`Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`I. INTRODUCTION
`
`Symantec Corp. (“Petitioner”) filed a Petition (Paper 1, “Pet.”)
`requesting inter partes review pursuant to 35 U.S.C. § 311 of claims 1, 2, 5,
`6, 10, 11, 14, and 15 of U.S. Patent No. 8,677,494 B2 to Edery et al. (Ex.
`1001, “the ’494 patent”). Pet. 1. Finjan, Inc. (“Patent Owner”) filed a
`Preliminary Response. Paper 7 (“Prelim. Resp.”). We review the Petition
`under 35 U.S.C. § 314, which provides that an inter partes review may not
`be instituted “unless . . . there is a reasonable likelihood that the petitioner
`would prevail with respect to at least 1 of the claims challenged in the
`petition.” 35 U.S.C. § 314(a).
`For the reasons that follow and on this record, we are persuaded that
`Petitioner demonstrates a reasonable likelihood of prevailing in showing the
`unpatentability of each of the challenged claims. Accordingly, we institute
`an inter partes review as to those claims.
`
`A. The ’494 Patent
`
`The ’494 patent, entitled “Malicious Mobile Code Runtime
`Monitoring System and Methods,” issued March 18, 2014, from U.S. Patent
`Application No. 13/290,708 (“the ’708 application”), filed November 7,
`2011. Ex. 1001, [21], [22], [45], [54]. On its face, the ’494 patent purports
`to claim priority from nine earlier applications, of which the earliest-filed is
`U.S. Provisional Application No. 60/030,639, filed November 8, 1996
`(Ex. 1002, “the ’639 application”). We need not make a determination on
`this record whether or not the challenged claims are entitled to the benefit of
`the filing dates of any of those earlier applications.
`
`
`
`2
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`The ’494 patent describes protection systems and methods “capable of
`protecting a personal computer (‘PC’) or other persistently or even
`intermittently network accessible devices or processes from harmful,
`undesirable, suspicious or other ‘malicious’ operations that might otherwise
`be effectuated by remotely operable code.” Id. at 2:51–56. “Remotely
`operable code that is protectable against can include,” for example,
`“downloadable application programs, Trojan horses and program code
`groupings, as well as software ‘components’, such as Java™ applets,
`ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among
`others.” Id. at 2:59–64.
`
`B. Related Proceedings
`
`The ’494 patent is the subject of a district court action between the
`parties, Finjan, Inc. v. Symantec Corp., 3:14-cv-02998 (N.D. Cal. 2014), and
`has also been asserted in three other district court actions, Finjan, Inc. v.
`Sophos, Inc., 3:14-cv-01197 (N.D. Cal. 2014), Finjan, Inc. v. Palo Alto
`Networks, Inc., 3:14-cv-04908 (N.D. Cal. 2014), and Finjan, Inc. v. Blue
`Coat Systems, Inc., 5:15-cv-03295 (N.D. Cal. 2015). Pet. 1; Paper 5, 1.
`Petitioner also filed another petition seeking inter partes review of the
`’494 patent (Case IPR 2015-01897), a petition seeking inter partes review of
`related U.S. Patent No. 6,154,844 (Case IPR2015-01894), and two petitions
`seeking inter partes review of related U.S. Patent No. 7,613,926 (Cases
`IPR2015-01893 and IPR2015-01895). Pet. 1. Each of those petitions has
`been denied (Case IPR2015-01893, Paper 8; Case IPR2014-01894, Paper 7;
`Case IPR2015-01895, Paper 7; Case IPR2015-01897, Paper 7).
`Additionally, a petition filed by Sophos Inc. seeking inter partes review of
`the ’494 patent was denied on September 24, 2015 (Case IPR2015-01022,
`
`
`
`3
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`Paper 7), and a petition filed by Palo Alto Networks, Inc. seeking inter
`partes review of the ’494 patent is pending currently (Case IPR2016-00159,
`Paper 1).
`
`C. Illustrative Claims
`
`Of the challenged claims, claims 1 and 10 are independent. Those
`claims are illustrative and are reproduced below:
`1. A computer-based method, comprising the steps of:
`receiving an incoming Downloadable;
`deriving security profile data for the Downloadable,
`including a list of suspicious computer operations that may be
`attempted by the Downloadable; and
`storing the Downloadable security profile data in a database.
`
`10. A system for managing Downloadables, comprising:
`a receiver for receiving an incoming Downloadable;
`a Downloadable scanner coupled with said receiver, for
`deriving security profile data for the Downloadable, including a
`list of suspicious computer operations that may be attempted by
`the Downloadable; and
`a database manager coupled with said Downloadable
`scanner, for storing the Downloadable security profile data in a
`database.
`
`Ex. 1001, 21:19–25, 22:7–16. Each of challenged claims 2, 5, and 6
`depends directly from claim 1; and each of challenged claims 11, 14, and 15
`depends directly from claim 10. Id. at 21:26–28, 21:33–37, 22:17–20,
`22:26–30.
`
`
`
`4
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`D. References Relied Upon
`
`Petitioner relies on the following references:
`
`Exhibit
`
`Reference
`
`1003 US 5,313,616, issued May 17, 1994 (“Cline”)
`
`1004
`
`Stephanie Forrest et al., A Sense of Self for Unix Processes,
`PROC. 1996 IEEE SYMPOSIUM ON SEC. & PRIVACY 120 (1996)
`(“Forrest”)1
`
`1005 Morton Swimmer et al., Dynamic Detection and Classification
`of Computer Viruses Using General Behaviour Patterns, VIRUS
`BULL. CONF. 75 (Sept. 1995) (“Swimmer”)2
`
`1012 US 5,623,600, issued Apr. 22, 1997 (filed Sept. 26, 1995) (“Ji”)
`
`Pet. 3–5. Petitioner also relies on declarations of Sylvia Hall-Ellis, Ph.D.
`(Ex. 1006) and Jack W. Davidson, Ph.D. (Ex. 1018).
`
`
`
`
`1 Petitioner adduces evidence that Forrest was available to the public as of
`June 21, 1996. Pet. 4 (citing Ex. 1006, 7–8, 11–12, 15–17; Ex. 1008; Ex.
`1009).
`2 Petitioner adduces evidence that Swimmer was available to the public as of
`December 1, 1995. Pet. 4–5 (citing Ex. 1006, 7–8, 11–12, 18–20; Ex. 1010;
`Ex. 1011).
`
`
`
`5
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`E. Asserted Grounds of Unpatentability
`
`Petitioner challenges the patentability of the challenged claims on the
`following grounds:
`
`Reference(s)
`
`Basis
`
`Claims Challenged
`
`Swimmer
`
`Swimmer
`
`Swimmer
`
`§ 102(b)
`
`§ 103(a)
`
`1, 2, 6, 10, 11, and 15
`
`5 and 14
`
`§ 103(a) 1, 2, 5, 6, 10, 11, 14, and 15
`
`Cline and Ji
`
`§ 103(a) 1, 2, 5, 6, 10, 11, 14, and 15
`
`Forrest and Ji
`
`§ 103(a) 1, 2, 5, 6, 10, 11, 14, and 15
`
`
`Pet. 5.
`In determining whether to institute an inter partes review of a patent,
`the Board, in its discretion, may “deny some or all grounds for
`unpatentability for some or all of the challenged claims.” 37 C.F.R.
`§ 42.108(b). Because Petitioner alternatively challenges claims 1, 2, 6, 10,
`11, and 15 as either anticipated by Swimmer or as rendered obvious over
`Swimmer (Pet. 12–25), we exercise our discretion and decline to reach the
`anticipation challenge. 37 C.F.R. § 42.108(a).
`
`II. DISCUSSION
`
`A. Claim Interpretation
`
`In an inter partes review proceeding, claims of an unexpired patent
`are given their broadest reasonable interpretation in light of the specification
`of the patent in which they appear. 37 C.F.R. § 42.100(b); Office Patent
`Trial Practice Guide, 77 Fed. Reg. 48,756, 48,766 (Aug. 14, 2012); In re
`
`
`
`6
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`Cuozzo Speed Techs., LLC, 793 F.3d 1268, 1275–79 (Fed. Cir. 2015),
`cert. granted sub nom. Cuozzo Speed Techs. LLC v. Lee, 136 S. Ct. 890
`(2016). Under this standard, we interpret claim terms using “the broadest
`reasonable meaning of the words in their ordinary usage as they would be
`understood by one of ordinary skill in the art, taking into account whatever
`enlightenment by way of definitions or otherwise that may be afforded by
`the written description contained in the applicant’s specification.” In re
`Morris, 127 F.3d 1048, 1054 (Fed. Cir. 1997). We presume that claim terms
`have their ordinary and customary meaning. See In re Translogic Tech.,
`Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007) (“The ordinary and customary
`meaning is the meaning that the term would have to a person of ordinary
`skill in the art in question.”) (internal quotation marks omitted).
`“Database”
`The term “database” is recited in each of independent claims 1 and 10,
`as well as in dependent claims 2 and 11. Petitioner asserts that the broadest
`reasonable interpretation of the term “database” is “an organized collection
`of data.” Pet. 10–11. Citing definitions from three dictionaries and Dr.
`Davidson’s declaration for support, Petitioner contends this construction is
`consistent with the plain and ordinary meaning of the term to a person of
`ordinary skill in the art at the time of the ’494 patent. Id. at 11 (citing
`RANDOM HOUSE WEBSTER’S COLLEGE DICTIONARY, 339 (2nd ed. 1999)
`(Ex. 1014, 3); WEBSTER’S NINTH NEW COLLEGIATE DICTIONARY, 325 (1991)
`(Ex. 1015, 4); WEBSTER’S NEW WORLD DICTIONARY OF COMPUTER TERMS,
`95 (4th ed. 1992) (Ex. 1016, 3); Ex. 1018 ¶¶ 84–85). Moreover, according
`to Petitioner, “neither the specification, nor the challenged claims, say
`anything about the form or structure of the claimed ‘database,’” but “merely
`
`
`
`7
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`describe the type of data that is stored in the database (e.g., [Downloadable
`security profile (‘DSP’)] data).” Id. (citing Ex. 1001, 3:47–50, 4:14–18,
`9:52–55, Fig. 2, Fig. 3, claim 1). Petitioner contends that this construction is
`also consistent with Petitioner’s position concerning the proper construction
`of this term in the related district court proceeding. Id. at 11–12 (citing
`Finjan, Inc. v. Symantec Corp., 3:14-cv-2998 (N.D. Cal. 2014), Joint Claim
`Construction and Pre-Hearing Statement at 4 (Ex. 1017, 4)). According to
`Petitioner:
`[I]n the district court, Patent Owner agreed that a “database” is a
`collection of organized data. Ex. 1017, p. 4. Patent Owner
`argued, however, that the claimed “database” further requires the
`data to be organized “according to a database schema” and must
`“serve one or more applications.” See Ex. 1017, p. 4. Patent
`Owner’s proposed construction adds limitations that are
`unnecessary, confusing and, more importantly, have no support
`whatsoever in the intrinsic record. This appears to be nothing
`more than attempt to salvage the challenged claims by excluding
`certain types of databases described in the prior art, such as log
`files. See Ex. 1017, p. 4. Significantly, in the district court
`proceeding, Patent Owner and its expert acknowledged that, even
`under Patent Owner’s proposed construction, at least some types
`of log files are “databases.”
`Id. at 12.
`Patent Owner responds that the proper construction of “database” is
`instead “a collection of interrelated data organized according to a database
`schema to serve one or more applications.” Prelim. Resp. 9. As Patent
`Owner points out (id.), this construction previously was adopted by the
`district court in Patent Owner’s litigation with Sophos, Inc. concerning the
`’494 patent (see Finjan, Inc. v. Sophos, Inc., No. 14-cv-01197 (N.D. Cal.
`2014), Claim Construction Order at 7 (Ex. 2002, 7)), and also has been
`
`
`
`8
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`applied by the Board in two previous inter partes review proceedings. See
`Sophos, Inc. v. Finjan, Inc., Case IPR2015-00907, slip op. at 8–10 (Paper 8)
`(Ex. 2003) (concerning related U.S. Patent No. 7,613,926); Sophos, Inc. v.
`Finjan, Inc., Case IPR2015-01022, slip op. at 9–10 (Paper 7) (Ex. 2004)
`(concerning the ’494 patent).
`Patent Owner asserts that its proposed construction in the concurrent
`district court litigation is “exactly the construction proposed herein,” and,
`therefore, Petitioner’s claim that “Patent Owner agreed that a database is a
`collection of organized data” (Pet. 12) “blatantly misrepresents Patent
`Owner’s position taken in the concurrent district court litigation.” Prelim.
`Resp. 11. Patent Owner contends that “[t]he goal of Petitioner’s
`construction is to broaden the term database beyond the specification so that
`it reads upon the techniques described in the cited prior art (e.g., a log file).”
`Id. at 10. Patent Owner further contends that Figure 3 of related U.S. Patent
`No. 6,092,194 (Ex. 3001, “the ’194 patent”)3 “clearly illustrates that the
`security database 240 that stores DSP data 310 is completely different than a
`simple log file (i.e., Event Log 245).”4
`
`
`3 The ’194 patent is incorporated by reference in the ’494 patent. See
`Ex. 1001, 1:35–38.
`4 Patent Owner also contends that “Petitioner neglects to mention one of the
`passages of the ’494 Patent specifically relied upon by both the district court
`[in] Finjan, Inc. v. Sophos, Inc. as well as the Board in Sophos, Inc. v.
`Finjan, Inc., Case Nos. IPR2015-00907 . . . and IPR2015-01022, that led
`both bodies to the conclusion that the claimed database could not be equated
`with a simple log file.” Id. at 10–11. Patent Owner then provides a
`quotation from a footnote in the district court’s claim construction order,
`stating in part that “[t]he fact that a database is listed along with more simple
`files does not mean that the database includes or is equated with these
`types of files” and that “[i]n fact, one could argue that this list serves to
`
`
`
`9
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`On this record, we agree with Patent Owner that the district court’s
`construction in the litigation between Patent Owner and Sophos, as
`previously applied by the Board, represents the broadest reasonable
`construction of “database” in light of the claim language and the
`specification of the ’494 patent. See Morris, 127 F.3d at 1054; see also
`Power Integrations, Inc. v. Lee, 797 F.3d 1318, 1326–27 (Fed. Cir. 2015)
`(“The fact that the board is not generally bound by a previous judicial
`interpretation of a disputed claim term does not mean . . . that it has no
`obligation to acknowledge that interpretation or to assess whether it is
`consistent with the broadest reasonable construction of the term.”). As
`explained by the district court, the ’494 patent does not define the term
`“database”; there is no evidence that Patent Owner disavowed the full scope
`of that term either in the Specification or during prosecution; and Patent
`Owner’s definition appears to reflect both the context of the patent, as well
`as a well-accepted definition of the term. Ex. 2002, 5–7; see also IBM
`DICTIONARY OF COMPUTING, 165 (10th ed. 1993) (Ex. 2001, 3).
`
`
`further differentiate a database from simpler files” (id. at 11 (quoting
`Ex. 2002, 5 n.1 (emphasis added by Patent Owner))), and cites certain pages
`of the Board’s decisions (id. (citing Ex. 2003, 9; Ex. 2004, 9–10)). Patent
`Owner, however, does not identify the “one of the passages of the
`’494 Patent” upon which it alleges the court and the Board “specifically
`relied.” Indeed, neither the quoted portion of Exhibit 2002 nor the cited
`portions of Exhibits 2003 and 2004 explicitly rely upon any passages of the
`’494 patent in reaching their respective conclusions. Exhibit 2002 does refer
`to column 9, lines 54–55 of related U.S. Patent No. 7,613,926, but it is
`unclear to us what relevance Patent Owner would intend us to ascribe to that
`citation.
`
`
`
`10
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`Accordingly, on this record and for purposes of this Decision, we
`construe “database” to mean “a collection of interrelated data organized
`according to a database schema to serve one or more applications.”
`
`B. Asserted Grounds of Unpatentability
`
`Petitioner argues that claims 1, 2, 5, 6, 10, 11, 14, and 15 of the
`’494 patent are rendered obvious under 35 U.S.C. § 103 by the references
`described above. See supra Sec. I.E. A patent claim is unpatentable under
`35 U.S.C. § 103(a) if the differences between the claimed subject matter and
`the prior art are “such that the subject matter[,] as a whole[,] would have
`been obvious at the time the invention was made to a person having ordinary
`skill in the art to which said subject matter pertains.” KSR Int’l Co. v.
`Teleflex Inc., 550 U.S. 398, 406 (2007). The question of obviousness is
`resolved on the basis of underlying factual determinations, including:
`(1) the scope and content of the prior art; (2) any differences between the
`claimed subject matter and the prior art; (3) the level of skill in the art5; and
`(4) objective evidence of nonobviousness, i.e., secondary considerations.
`Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966).
`We analyze the asserted grounds with the principles identified above
`in mind.
`
`
`5 Petitioner proposes a definition for a person of ordinary skill in the art.
`Pet. 9–10; see Ex. 1018 ¶ 30. Patent Owner does not challenge this
`definition. For purposes of this Decision and to the extent necessary, we
`adopt Petitioner’s definition.
`
`
`
`11
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`1. Obviousness over Swimmer
`
`a. Overview of Swimmer
`
`Swimmer is generally directed to a system, referred to as the “Virus
`Intrusion Detection Expert System” (“VIDES”), described as “a prototype
`for an automatic analysis system for computer viruses.” Ex. 1005, 1. In
`Swimmer’s system, an emulator is used to monitor the system activity of a
`virtual computer. Id. Sets of rules are used to detect viruses and extract
`details of their behavior. Id. The emulator collects system activity data and
`creates a set of audit record attributes that identify, among other things, disk
`operating system (“DOS”) functions requested by the program, the
`register/memory values used in calls to the DOS functions, and
`register/memory values returned by the function calls. Id. at 1, 7, 9. The
`emulator provides the resulting audit trail in a canonical format as an activity
`data record for further analysis by a tool referred to as “Advanced Security
`audit trial Analysis on uniX” (“ASAX”). Id. at 9–12. ASAX analyzes the
`activity data collected by the emulator and detects viruses by employing
`rules that model typical virus behavior, using a rule-based language
`(“RUles-baSed Sequence Evaluation Language,” or “RUSSEL”) to identify
`the virus attack. Id. at 2, 4–5, 10–13. Swimmer discloses that ASAX also
`can pipe its output as a Normalized Audit Data Format (“NADF”) file for
`further processing. Id. at 7, 12. Swimmer also states that “VIDES could
`conceivably be used outside the virus lab to detect viruses in a real
`environment” and that “[o]ne possibility is to use it as a type of firewall for
`programs entering a protected network.” Id. at 13.
`
`
`
`12
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`b. Discussion
`
`Petitioner contends that Swimmer teaches or suggests all of the
`limitations of each of the challenged claims. Pet. 12–25.
`First, Petitioner contends that Swimmer discloses both a “computer-
`based method,” as recited in the preamble of claim 1, as well as a “system
`for managing Downloadables,” as recited in the preamble of claim 10. Id. at
`13–14. In particular, Petitioner contends, “Swimmer explains that its
`VIDES system is used to detect viruses in application programs and program
`code by monitoring and analyzing the functions and operations these
`programs attempt to invoke.” Id. at 14 (citing Ex. 1005, 7; Ex. 1018 ¶ 89).
`“These application programs can include ‘programs entering a protected
`network’ (i.e., executable code being downloaded over a network).” Id.
`(citing Ex. 1005, 13).
`Second, according to Petitioner, because Swimmer “explains that the
`VIDES system can be used in a networked environment as part of a firewall
`for a protected network,” Swimmer explicitly discloses that an incoming
`Downloadable is received over a network, as recited in claim 1. Id. at 15
`(citing Ex. 1005, 13; Ex. 1018 ¶¶ 92–93 (explaining that firewalls are
`security devices or software located between an outside network, such as the
`Internet, and an internal network, such as an intranet that connects client
`computers)).
`Relying on the testimony of Dr. Davidson, Petitioner further contends
`that, “in order for VIDES to be used at a firewall for ‘programs entering a
`protected network’ (i.e., receive and analyze incoming Downloadables), a
`[person of ordinary skill in the art] would have understood that the system
`necessarily included a ‘receiver’ (i.e., networking components) for receiving
`
`
`
`13
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`these Downloadables.” Id. at 16 (citing Ex. 1018 ¶ 94). Petitioner,
`accordingly, asserts that “Swimmer also discloses that the VIDES system
`includes a ‘receiver’ for receiving the Downloadable,” as recited in claim 10.
`Id. Petitioner also argues, in the alternative, that this feature would have
`been obvious based on the teachings in Swimmer. Id. at 23–24. In
`particular, according to Petitioner, it would have been obvious that
`Swimmer’s VIDES “could be used at a network device, such as a gateway or
`[file transfer protocol (“FTP”)] or Web server in order to intercept incoming
`Downloadables and analyze them before they are sent to a destination
`computer,” and “[o]ne of ordinary skill in the art would have been motivated
`to do so for a number of reasons, such as to improve the efficiency when
`checking incoming Downloadables.” Id. at 23–24. Petitioner contends that,
`“[f]or one of ordinary skill in the art, this would have involved nothing more
`than combining well-known prior art elements (i.e., a gateway with
`Swimmer’s VIDES system) according to well-known software programming
`techniques in order to yield a predictable result (i.e., a gateway scanner that
`receives Downloadables and analyzes their behavior).” Id. at 24 (citing Ex.
`1018 ¶ 95).
`Third, Petitioner contends, “Swimmer discloses [a Downloadable
`scanner coupled with said receiver for] deriving security profile data for the
`Downloadable, including a list of suspicious computer operations that may
`be attempted by the Downloadable,” as recited in claims 1 and 10. Id. at 16
`(alteration in original) (boldface omitted). In particular, Petitioner alleges, to
`generate system activity data, Swimmer’s emulator “accepts the entire
`instruction set of a processor as input, and interprets the binary code as the
`original processor would.” Id. (quoting Ex. 1005, 8). Swimmer discloses
`
`
`
`14
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`that the “audit record attributes of records as collected by the PC emulator
`have the following meaning . . . [t]he final format for an MS-DOS audit
`record is as follows: <code segment, RecType[,] StartTime, EndTime,
`function number, [arg(…), ret(…)]>.” Id. at 17 (quoting Ex. 1005, 9) (italics
`omitted by Petitioner). “In other words, the audit system and/or emulator
`generates audit records for the Downloadables (i.e., Downloadable security
`profile data) that identifies and lists functions (i.e., operations) that the
`Downloadables attempt to invoke.” Id. (citing Ex. 1005, Fig. 3 (illustrating
`an exemplary audit record listing identified operations); Ex. 1018 ¶¶ 98–99).
`Petitioner further contends:
`Swimmer explains that audit records generated by the audit
`system include a field, called “function number,” which is the
`“number of the DOS function requested by the program.” [Ex.
`1005,] 9. As explained by Dr. Davidson, in DOS, function
`numbers are assigned to “INT 21h” functions, which include
`various types of system operations. [Id. at] 7 (“Primarily,
`interrupt 0x21 is used”); [Ex. 1018] ¶ 100. For example, function
`numbers 0, 49, 76 are program termination operations. Function
`numbers 15 are file operations (open, close). Functions 72-74,
`and 88 are memory operations. Function numbers 68, 94, and 95
`are network operations. [Id. at] ¶ 101. Significantly, these
`operations identified by Swimmer’s audit system are the very
`same types of operations referred to by the applications related
`to the ’494 patent as examples of “suspicious operations.” [Ex.
`1002, 18:9-13] (DSP data “includes the fundamental computer
`operations,” in a Downloadable such as “file management
`operations,
`system management
`operations, memory
`management operations and CPU allocation operations.”). Thus,
`Swimmer discloses deriving security profile data (e.g., audit
`records) that includes a list of suspicious operations that the
`Downloadable may attempt to invoke (e.g., INT 21h system
`functions). [Ex. 1018] ¶ 102.
`Id. at 17–18.
`
`
`
`15
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`Additionally, Petitioner contends, “Swimmer discloses that this
`Downloadable security profile data is derived by a Downloadable scanner
`(e.g., an emulator and/or audit system).” Id. at 18 (citing Ex. 1005, 8
`(stating that the emulator is “a program which accepts the entire instruction
`set of a processor as input, and interprets the binary code as the original
`processor would”); Ex. 1018 ¶¶ 103–105 (explaining that identification and
`recordation of DOS function call numbers in Swimmer determines and
`identifies suspicious operations in the same manner as the code scanner
`described in the ’194 patent)). Petitioner contends that the Downloadable
`scanner also is coupled to the receiver (e.g., the network components at the
`firewall). Id.
`Lastly, Petitioner argues that Swimmer discloses that the audit records
`(i.e., Downloadable security profile data) are stored in a database, and that,
`accordingly, “Swimmer discloses [a database manager coupled with said
`Downloadable scanner, for] storing the Downloadable security profile data
`is a database,” as recited in claims 1 and 10. Id. at 18–19 (alteration in
`original) (boldface omitted). Petitioner contends, in particular, that Figure 3
`of Swimmer shows that “the audit record includes a list of suspicious
`operations identified by the audit system that are organized according to a
`clearly defined structure with various fields (i.e., an organized collection of
`data that is organized based on a particular schema).” Id. at 19. Petitioner
`equates Swimmer’s “audit system or a portion thereof” with the “database
`manager” recited in claim 10, and contends that “the database manager is
`coupled to the Downloadable scanner (e.g., emulator),” as “both components
`are located on the same computer system (e.g., a firewall) and would be
`stored together in memory (e.g., RAM).” Id. at 20. Moreover, Petitioner
`
`
`
`16
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`contends, “to the extent Patent Owner argues that the claimed ‘database’
`must ‘serve one or more applications,’ Swimmer . . . discloses that the audit
`records stored in the database are used by other processes.” Id. at 19–20.
`“For example, the database is used by an expert system (e.g., application) to
`analyze program behavior using virus behavior rules.” Id. at 20 (citing
`Ex. 1005, 1, 2).
`Petitioner also argues, in the alternative, that “the claimed [database
`manager for] storing the DSP data in a database would have been obvious
`based on the teachings in Swimmer.” Id. at 24–25 (alteration in original). In
`particular, according to Petitioner, “it would have been obvious to one of
`ordinary skill in the art that the security profile data in Swimmer could have
`been stored in any suitable format or structure, such as a relational
`database.” Id. (citing Ex. 1018 ¶ 111). “One of ordinary skill in the art
`would have been motivated to use such a database for a number of reasons,”
`Petitioner contends, including “to improve the organization, efficiency and
`speed when storing and retrieving this data.” Id. at 25 (citing Ex. 1018
`¶ 111). “Additionally, one of ordinary skill in the art would have also found
`it obvious to use a database manager with these types of databases.” Id.
`(citing Ex. 1018 ¶¶ 112–113).
`With respect to dependent claims 2 and 11, which depend from claims
`1 and 10, respectively, and further recite “stor[ing] a date & time when the
`Downloadable security profile data was derived [by said Downloadable
`scanner], in the database,” Petitioner points to Swimmer’s disclosure that
`each audit record entry includes “StartTime” and “EndTime” fields that
`indicate when the audit record was generated by the emulator and/or audit
`system. Id. at 20–21 (citing Ex. 1005, 9, 10, Fig. 3; Ex. 1018 ¶¶ 115–116).
`
`
`
`17
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`
`With respect to claims 5 and 14, which depend from claims 1 and 10,
`respectively, and recite that the Downloadable “includes program script,”
`Petitioner points to Swimmer’s disclosure that VIDES can be used to derive
`security profile data for application programs and code, including programs
`received at a firewall, and argues that “[a]lthough Swimmer does not
`explicitly state that the Downloadables that are received and analyzed
`include ‘program scripts,’ this would have been obvious” to a person of
`ordinary skill in the art. Id. at 22 (citing Ex. 1005, Abst., 13; Ex. 1018
`¶¶ 121–122). Petitioner also points out that the ’494 patent admits that
`various kinds of program scripts, including scripts received over a network,
`were well-known and disclosed in the prior art. Id. (citing Ex. 1001,
`2:22–27). Thus, Petitioner contends, for a person of ordinary skill in the art,
`“this would have merely involved applying the same techniques to another
`well-known form of executable code (e.g., receiving program scripts at a
`firewall and using the emulator to identify and record suspicious operations
`in the script),” and a person of ordinary skill in the art “would have been
`motivated to do so for a number of reasons, including to improve the
`effectiveness of the virus detection system taught by Swimmer by enabling
`use with a wider range of Downloadables.” Id. at 23 (citing Ex. 1018
`¶¶ 124–125).
`With respect to dependent claims 6 and 15, which depend from claims
`1 and 10, respectively, and further recite that the suspicious computer
`operations “include calls made to an operating system, a file system, a
`network system, and to memory,” Petitioner contends that “Swimmer
`discloses that the emulator and/or audit system identifies and records DOS
`system calls (i.e., suspicious operations) that a Downloadable attempts to
`
`
`
`18
`
`
`
`IPR2015-01892
`Patent 8,677,494 B2
`
`invoke.” Id. at 21 (citing Ex. 1005, Fig. 3). Citing Dr. Davidson’s
`testimony that different function numbers are assigned to the different types
`of system calls, including function numbers for file system operations,
`network system operations, and memory operations, Petitioner contends a
`person of ordinary skill in the art would have considered all of the system
`calls to be “operating system operations.” Id. Petitioner additionally
`contends that certain other function numbers correspond to operating system
`operations for terminating a program, which, Petitioner points out, is an
`example of an operating system operation explicitly discussed in the
`’194 patent. Id. at 21–22 (citing Ex. 1005, Fig. 3; Ex. 1018 ¶¶ 119–120;
`Ex. 3001, 5:66–6:3).
`Patent Owner raises a number of arguments in response to Petitioner’s
`contentions, including that “Swimmer is not enabling and cannot, therefore,
`anticipate the ’494 patent”; that Swimmer does not disclose “receiving an
`incoming Downloadable” or “a receiver for receiving an incoming
`Downloadable”; that Petitioner has not met its burden to demonstrate that
`Swimmer teaches the claimed “security profile data for the Downloadable,
`including a list of suspicious computer operations that may be attempted by
`the Downloadable”; that “Swimmer does not teach storing Downloadable
`security profile data in a database because it does not teach the derivation of
`the claimed Downloadable security profile data”; and that, “additionally,
`Petitioner does not identify any element disclosed in Swimmer that could be
`considered a ‘database.’” Prelim. Resp. 13–22. With respect to claims 6
`and 15, Patent Owner contends that, “even under its own theory, Petitioner
`has not met its burden to demonstrate that Swi