Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`SYMANTEC CORP., and
`BLUE COAT SYSTEMS, INC.,
`Petitioner
`
`v.
`
`FINJAN, INC.
`Patent Owner
`
`Case: IPR2015-018921
`U.S. Patent No. 8,677,494
`
`CONSOLIDATED FILING:
`
`PETITIONERS’ REPLY TO PATENT OWNER’S RESPONSE
`
`1 Case IPR2016-00890 has been joined with the instant proceeding
`
`
`U.S. Patent No. 8,677,494
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`SYMANTEC CORP., and
`BLUE COAT SYSTEMS, INC.,
`Petitioner
`
`v.
`
`FINJAN, INC.
`Patent Owner
`
`Case: IPR2015-018921
`U.S. Patent No. 8,677,494
`
`CONSOLIDATED FILING:
`
`PETITIONERS’ REPLY TO PATENT OWNER’S RESPONSE
`
`1 Case IPR2016-00890 has been joined with the instant proceeding
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`TABLE OF CONTENTS
`
`I.
`
`II.
`
`INTRODUCTION ...........................................................................................1
`
`FINJAN’S NEW CLAIM CONSTRUCTIONS ARE IMPROPER ................1
`
`A.
`
`B.
`
`C.
`
`“Database”.............................................................................................2
`
`“List of Suspicious Computer Operations”...........................................5
`
`“Storing the DSP data in a Database”...................................................7
`
`III.
`
`SWIMMER TEACHES DERIVING DSP DATA THAT INCLUDES A
`LIST OF SUSPICIOUS COMPUTER OPERATIONS..................................9
`
`IV.
`
`SWIMMER TEACHES STORING THE DSP DATA IN A DATABASE .13
`
`A.
`
`B.
`
`Swimmer’s Audit Records Are Stored................................................14
`
`Swimmer Teaches Storing The Audit Trail In A Database ................15
`
`V.
`
`FINJAN’S ALLEGED SECONDARY CONSIDERATIONS ARE
`LEGALLY AND FACTUALLY DEFICIENT ............................................19
`
`VI. SWIMMER WAS PUBLICLY AVAILABLE BEFORE THE EARLIEST
`POSSIBLE PRIORITY DATE OF THE ‘494 PATENT..............................23
`
`VII. CONCLUSION ..............................................................................................26
`
`i
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`TABLE OF AUTHORITIES
`
`Cases
`
`3M Innovative Properties Co., v. Tredegar Corp.,
`725 F.3d 1315 (Fed. Cir. 2013) ...................................................................3, 4
`
`Apple Inc. v. SightSound Technolgies LLC,
`CBM2013-00020 (PTAB Oct. 8, 2013) ........................................................22
`
`ABT Sys. LLC v. Emerson Elec. Co.,
`797 F.3d 1350 (Fed. Cir. 2015) .....................................................................20
`
`Cardiocom LLC v. Robert Bosch Healthcare Systems, Inc.,
`IPR2013-00468 (PTAB Jan. 28, 2014) .........................................................19
`
`In re Enhanced Sec. Research, LLC,
`739 F.3d 1347 (2014) ....................................................................................24
`
`Endo Pharmaceutical Inc. v. DepoMed Inc.,
`IPR2014-00652 (PTAB Apr. 17, 2014) ........................................................21
`
`EZ Dock, Inc. v. Schafer Sys.,
`2003 U.S. Dist. LEXIS 3634 (D. Minn. 2003)................................................4
`
`FLIR Systems, Inc. v. Leak Surveys, Inc.,
`IPR2014-00411 (PTAB Sep. 5, 2014)...........................................................23
`
`Hill-Rom Servs., Inc. v. Stryker Corp.,
`755 F.3d 1367 (Fed. Cir. 2014) .......................................................................7
`
`In re Huang,
`100 F.3d 135 (Fed. Cir. 1996) .......................................................................20
`
`Leapfrog Enters., Inc. v. Fisher-Price, Inc.,
`485 F.3d 1157 (Fed. Cir. 2007) .....................................................................19
`
`Ormco Corp. v. AlignTech. Inc.,
`463 F.3d 1299, 1312 (Fed. Cir. 2006) ...........................................................21
`
`ii
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Phillips v. AWH Corp.,
`415 F.3d 1303 (Fed. Cir. 2005) (en banc) .......................................................5
`
`Thorner v. Sony Computer Entm’t Am.,
`669 F.3d 1362 (Fed. Cir. 2012) .......................................................................4
`
`Vitronics Corp. v. Concepironic, Inc.,
`90 F.3d 1576 (Fed. Cir. 1996) .........................................................................5
`
`VSR Industries Inc. v. Cole. Kepro International, LLC,
`IPR2015-00182 (PTAB Oct. 29, 2014).........................................................20
`
`iii
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`LIST OF ABBREVIATIONS
`
`Document Description
`Petition for Inter Partes Review (Paper No. 1)
`Patent Owner Preliminary Response (Paper No.
`7)
`Institution Decision (Paper No. 9)
`Patent Owner Response (Paper No. 27)
`Declaration of Dr. Medvidovic in Support of Pa-
`tent Owner Response (Exhibit 2007)
`Reply Declaration of Jack Davidson (Exhibit
`1027)
`Declaration of Jack Davidson in Support of Peti-
`tion (Exhibit 1018)
`Deposition Transcript of Dr. Medvidovic, August
`19, 2016 (Exhibit 1034)
`Patent Owner Request for Rehearing (Paper No.
`13)
`Decision Denying Request for Rehearing (Paper
`No. 21)
`Microsoft Computer Dictionary 3rd Edition
`
`Abbreviation
`Pet.
`Prelim. Resp.
`
`Institution
`Resp.
`Medvidovic Dec.
`
`Davidson Rep.
`
`Davidson Pet.
`
`Transcript
`
`Rehearing Request
`
`Rehearing Dec.
`
`MSCD
`
`iv
`
`
`
`Exhibit No.
`Symantec 1001
`Symantec 1002
`
`Symantec 1003
`Symantec 1004
`
`Symantec 1005
`
`Symantec 1006
`Symantec 1007
`Symantec 1008
`Symantec 1009
`Symantec 1010
`Symantec 1011
`Symantec 1012
`Symantec 1013
`Symantec 1014
`
`Symantec 1015
`
`Symantec 1016
`
`Symantec 1017
`
`Symantec 1018
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`EXHIBIT LIST
`
`Description
`U.S. Patent No. 8,677,494 to Edery et al. (“the ‘494 patent”)
`U.S. Provisional Application No. 60/030,639 (“the ‘639 pro-
`visional”)
`U.S. Patent No. 5,313,616 to David C. Cline et al. (“Cline”)
`A Sense of Self for Unix Processes, by Stephanie Forrest et
`al., Proceedings of the 1996 IEEE Symposium on Security
`and Privacy, IEEE Computer Society Press, 1996. (“Forrest”)
`Dynamic Detection and Classification of Computer Viruses
`Using General Behaviour Patterns, by Morton Swimmer et
`al., Virus Bulletin Conference, Virus Bulletin Ltd., September
`1995. (“Swimmer”)
`Declaration by Dr. Sylvia Hall-Ellis
`Curriculum Vitae of Dr. Sylvia Hall-Ellis
`Xplore Digital Library Database printout (Forrest)
`MARC record OCLC record number 34969890 (Forrest)
`1995 Virus Bulletin Proceedings
`MARC record OCLC record number 33834197 (Swimmer)
`U.S. Patent No. 5,623,600 to Shuang Ji et al. (“Ji”)
`U.S. Patent No. 6,092,194 (“the ‘194 patent”)
`Webster’s College Dictionary, 1999 Second Random House
`Edition, p. 339
`Ninth New Collegiate Dictionary, 1991 Merriam-Webster
`Inc., p. 325
`Webster’s New World Dictionary of Computer Terms, 4th Edi-
`tion 1992, Simon & Schuster, Inc., p. 95
`Joint Claim Construction and Pre-Hearing Statement, Dkt. No.
`68, Case No. 3:14cv2998
`Declaration of Jack Davidson in Support of Petition (“Da-
`vidson Dec.”)
`
`v
`
`
`
`Exhibit No.
`Symantec 1019
`Symantec 1020
`Symantec 1021
`Symantec 1022
`Symantec 1023
`
`Symantec 1024
`
`Symantec 1025
`Symantec 1026
`Symantec 1027
`
`Symantec 1028
`Symantec 1029
`
`Symantec 1030
`
`Symantec 1031
`
`Symantec 1032
`
`Symantec 1033
`Symantec 1034
`
`Symantec 1035
`Symantec 1036
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Description
`Curriculum Vitae of Jack Davidson
`Advanced MS-DOS
`U.S. Patent No. 5,978,484 to Apperson et al. (“Apperson”)
`U.S. Patent No. 5,892,904 to Atkinson et al. (“Atkinson”)
`Efficient Software-Based Fault Isolation, by Robert Wahbe et
`al., ACM SIGOPS (Special Interest Group on Operating Sys-
`tems) Symposium on Operating Systems Principles, Decem-
`ber 1993
`Scott and Davidson, “Safe Virtual Execution Using Software
`Dynamic Translation”, 2002
`Affidavit of Alexander Walden
`Virus Bulletin Conference Proceedings Sept. 1995
`Declaration of Dr. Jack Davidson in Support of Petitioner’s
`Reply
`Updated Curriculum Vitae of Dr. Jack Davidson
`Selected Definitions from Microsoft Computer Dictionary 3rd
`Edition, 1997 (“MSCD”)
`D. Comer, “The Flat File Database Generator ffg”, Computer
`Science Technical Reports, Purdue University, 1981 (“Com-
`er”)
`G. Fowler, “cql - A flat file Database Query Langauge”, In
`Proceedings of the Winter 1994 USENIX Conference , San
`Francisco, California, Jan. 1994 (“Fowler”)
`D. Denning, “An intrusion detection model”, IEEE Transac-
`tions on Software Engineering, 13-2:222, Feb 1987 (“Den-
`ning”)
`Intel 8086 Family User’s Manual (“8086 Manual”)
`Transcript of Deposition of Dr. Medvidovic in IPR2015-
`01892 taken on Aug. 19, 2016
`U.S. Patent No. 5,398,196 (“the ‘196 patent”)
`A. Mounji et al. “Distributed Audit Trail Analysis”, In Pro-
`
`vi
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Exhibit No.
`
`Symantec 1037
`Symantec 1038
`Symantec 1039
`
`Symantec 1040
`Symantec 1041
`Symantec 1042
`Symantec 1043
`
`Description
`ceedings of the Internet Society Symposium on Network and
`Distributed System Security (ISOC'95), San Diego, Califor-
`nia, Feb 1995, IEEE (“Mounji”)
`Supplemental Declaration of Dr. Sylvia Hall-Ellis
`Declaration of Dr. Richard Ford
`Exhibit C to Declaration of Dr. Richard Ford - Excerpts from
`Virus Bulletin Conference Proceedings Sept. 1995
`Exhibit E to Declaration of Dr. Richard Ford – Photograph
`Declaration of Joseph Kiegel
`MARC Record - Denning
`MARC Record - Fowler
`
`vii
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`I.
`
`INTRODUCTION
`The Board correctly instituted inter partes review after determining there
`
`was a reasonable likelihood that claims 1, 2, 5, 6, 10, 11, 14, and 15 (the “chal-
`
`lenged claims”) of U.S. Patent No. 8,677,494 (“the ‘494 patent”) are unpatentable
`
`based on Swimmer. In its Response, Patent Owner Finjan raises a wide array of
`
`arguments, none of which have merit. The vast majority of Finjan’s arguments are
`
`based on improper claim constructions that read-in additional limitations in an at-
`
`tempt to carve out Swimmer from the scope of the claims. In so doing, Finjan also
`
`mischaracterizes the teachings of Swimmer and the relevant technology.
`
`Finjan further asserts that various secondary considerations rescue the claims
`
`from being unpatentable. Not so. Finjan’s conclusory assertions fall far short of
`
`satisfying the required elements and evidentiary support. Lastly, Finjan, without
`
`support, asserts that Swimmer was not publicly available before the ‘494 patent.
`
`This is belied by the considerable evidence already provided by Symantec, and fur-
`
`ther confirmed by the additional evidence submitted herewith.
`
`II.
`
`FINJAN’S NEW CLAIM CONSTRUCTIONS ARE IMPROPER
`
`Finjan’s new construction for the term “database” improperly reads-in nu-
`
`merous other requirements to the Board’s construction. Likewise, Finjan’s pro-
`
`posed constructions for two additional claim phrases: (i) “list of suspicious com-
`
`puter operations;” and (ii) “storing the DSP data in a database” are unreasonably
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`narrow and do nothing to clarify the meaning of the claims. Importantly, once the
`
`claims are properly construed under the BRI standard, Finjan’s arguments concern-
`
`ing Swimmer fall apart swiftly.
`
`A.
`
`“Database”
`
`The Board adopted Finjan’s construction for “database,” namely: “a collec-
`
`tion of interrelated data organized according to a database schema to serve one or
`
`more applications.” Institution, 10.2 The Board then correctly determined that
`
`Swimmer teaches the database under this construction. Id., 23. Incredibly, Finjan
`
`now argues for an even narrower interpretation that impermissibly injects the fol-
`
`lowing additional requirements into the claims:
`
` database schema requires “a description of [the] database to a database
`
`management system (DBMS) in the language provided by the DBMS”
`
`(Resp., 38-40 ; Medvidovic Dec., ¶60, 116, 148);
`
` DBMS requires a “program or programs that control [the] database so
`
`that the information it contains can be stored, retrieved, updated, and
`
`sorted” (Resp., 39; Medvidovic Dec., ¶61, 148);
`
` the database cannot be a flat-file (Resp., 38; Medvidovic Dec., ¶59, 140);
`
`2 Petitioners maintain this is not the broadest reasonable interpretation of “data-
`
`base,” but adopt the Board’s construction solely for purposes of this IPR.
`
`2
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`and
`
` the database cannot be an event log or log file (Resp., 7-10, 35-36;
`
`Medvidovic Dec., ¶59, 64, 115, 128, 136).
`
`There is simply no basis for reading any, much less all, of these extra re-
`
`quirements into the claims. The ‘494 patent does not even refer to any “database
`
`schema” or “DBMS.”3 Nor does it state that the database cannot be in the form of
`
`a flat file, event log, or log file. Indeed, there is no discussion whatsoever of the
`
`format of the database. The patent merely mentions that there is a “security data-
`
`base” that “includes security information,” such as DSP data. ‘194 patent, 3:47-50,
`
`4:14-18, FIG. 3; Davidson Rep., ¶37. Accordingly, Finjan’s explicit and implicit
`
`constructions are plainly improper under the BRI standard. 3M Innovative Proper-
`
`ties Co., v. Tredegar Corp., 725 F.3d 1315, 1329 (Fed. Cir. 2013).
`
`Moreover, Finjan attempts to support these new requirements – not by con-
`
`struing the claim language – but, instead, by further defining the Board’s (i.e., Fin-
`
`jan’s original) construction. In particular, Finjan provides a lengthy, narrow defi-
`
`nition of “database schema.” Resp., 38-40; Medvidovic Dec., ¶60-61. Notably,
`
`this term appears nowhere in the claims or specification - only in the Board’s con-
`
`3 Incredibly, this does not stop Finjan from asserting that Swimmer cannot teach a
`
`database because it does not use the term “database schema.” Resp., 39.
`
`3
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`struction for “database.” In turn, Finjan’s expert then provides a lengthy definition
`
`for “DBMS,” which only appears in Finjan’s new definition for “database sche-
`
`ma.” Medvidovic Dec., ¶61, 148. This too is improper. EZ Dock, Inc. v. Schafer
`
`Sys., 2003 U.S. Dist. LEXIS 3634, *34-35 (D. Minn. 2003) (“parties are not enti-
`
`tled to ‘construe’ the Court’s claim construction.”).
`
`Additionally, Finjan is effectively asserting that the claimed database must
`
`be a relational database. Resp., 38-39; Medvidovic Dec., ¶116. 148; Davidson
`
`Rep., ¶35-37. Not so. As explained above, the ‘494 patent is silent as to the type
`
`or structure of the database. Tellingly, Finjan did not and cannot point to any sup-
`
`port in the ‘494 patent, let alone a clear disavowal, that would justify limiting the
`
`claims to a relational database. Tredegar, 725 F.3d at 1329; Thorner v. Sony Com-
`
`puter Entm’t Am., 669 F.3d 1362, 1365-67 (Fed. Cir. 2012); see also Transcript,
`
`107:6-9, 108:23-109:2 (acknowledging various types of databases were well-
`
`known); Davidson Rep., ¶37.
`
`Lastly, Finjan’s new arguments are a blatant effort to carve Swimmer out of
`
`the scope of the claims in an attempt to salvage their validity. 4 Resp., 6-10;
`
`4 Indeed, Finjan proposed a different construction for “database schema” when
`
`faced with different prior art in another proceeding involving the ‘494 patent. Ex.
`
`4
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Medvidovic Dec., ¶60-63. This is not permitted. Vitronics Corp. v. Concepironic,
`
`Inc., 90 F.3d 1576, 1584-85 (Fed. Cir. 1996) (the prior art may not “be used to
`
`vary claim terms from how they are defined, even implicitly, in the specification”);
`
`Phillips v. AWH Corp., 415 F.3d 1303, 1327 (Fed. Cir. 2005) (en banc).
`
`B.
`
`“List of Suspicious Computer Operations”
`
`Symantec submits this claim phrase should be given its plain and ordinary
`
`meaning consistent with the specification of the ‘494 patent, namely: a list includ-
`
`ing one or more types of computer operations that could be used by the Down-
`
`loadable in a potentially hostile or undesirable manner (e.g., operating system, file
`
`system, or memory operations). ‘194 patent, 3:17-21, 5:58-6:4.
`
`The ‘194 patent (referenced in the ‘494 patent) explains that examples of
`
`“suspicious” operations include file system operations (e.g., reading and writing
`
`files), OS operations, and registry, network, and memory operations. ‘194 patent,
`
`5:57-6:4. In turn, the system determines whether an operation in a Downloadable
`
`is “suspicious” simply by determining “whether [it] is one of the operations identi-
`
`fied in the list described above” (i.e., at 5:57-6:4). Id., 9:20-42; Davidson Rep.,
`
`¶75-81, 97-100 (explaining that a POSITA would have readily appreciated that
`
`2033, ¶31 (“The ‘database schema’ of a database describes how the data stored
`
`within the database is organized.”).
`
`5
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`these were the types of computer operations used by viruses to do harm).
`
`Finjan asserts that a “list of suspicious computer operations” should be con-
`
`strued as a “list of computer operations deemed suspicious.” Resp., 10 (emphasis
`
`added). In so doing, Finjan merely rehashes the same arguments that it already
`
`raised, and lost, in this proceeding. Resp., 11 (arguing that the claimed “list” must
`
`only include the “subset of all possible computer operations” that have been
`
`deemed suspicious); Prelim Resp., 17-19; Institution, 22 (determining that “the
`
`claims do not require that the list consist only of suspicious operations.”); see also
`
`Resp., 12; Prelim Resp., 23; Institution, 22.
`
`Moreover, Finjan’s “construction” merely rearranges the claim language and
`
`inserts the word “deemed.” As such, in addition to being unhelpful, this construc-
`
`tion is, on its face, unreasonably narrow because it reads-in an additional “deem-
`
`ing” step. Indeed, Finjan brazenly asserts that the claimed list “cannot be created
`
`without the additional step of deeming certain operations as suspicious.” Resp.,
`
`22 (emphasis added); Medvidovic Dec., ¶84. The claim language itself and the
`
`specification refute Finjan’s position. Not surprisingly, Finjan points to nothing in
`
`the specification that mandates (or suggests) an additional “deeming” step. This
`
`construction is improper. See, e.g., Hill-Rom Servs., Inc. v. Stryker Corp., 755
`
`F.3d 1367, 1371 (Fed. Cir. 2014) (“While we read claims in view of the specifica-
`
`tion . . . we do not read limitations from the embodiments in the specification into
`
`6
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`the claims.”).
`
`In fact, Finjan’s position is directly contradicted by the ‘194 patent upon
`
`which it relies. As discussed above, the ‘194 patent makes clear that an operation
`
`is “suspicious” merely because it is a type of operation that could be used in a po-
`
`tentially hostile manner (e.g., file system operations). Specifically, the ‘194 patent
`
`states that DSP data may include “a list of all operations in the Downloadable
`
`code which could ever be deemed potentially hostile.” Id., 5:51-59 (emphasis add-
`
`ed). In other words, at the time an operation is included in the list, there has been
`
`no determination yet of whether that particular operation is actually being used in a
`
`potentially hostile or “suspicious” manner. Davidson Rep., ¶91-96.
`
`C.
`
`“Storing the DSP data in a Database”
`
`Symantec submits that this claim phrase needs no further construction and
`
`should be given its plain and ordinary meaning, namely: that the DSP data is stored
`
`in a database.
`
`Finjan incorrectly asserts this phrase should be construed as “placing the de-
`
`rived DSP data into the database.” Resp., 13 (emphasis added). Finjan’s construc-
`
`tion does nothing more than replace the claim term “storing” with the word “plac-
`
`ing.” The term “storing,” however, is extremely well-known in the context of
`
`computer systems. Davidson Rep., ¶8-9; Transcript, 97:4-9 (agreeing that “stor-
`
`ing” is a well understood term that needs no construction). There is also no dispute
`
`7
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`that the ‘494 patent uses “storing” consistent with its ordinary meaning. Accord-
`
`ingly, Finjan’s construction is, at best, unnecessary, and, in fact, creates ambiguity
`
`as to what “placing” data “into” a database means. Transcript, 98:6-99:8.
`
`Finjan also argues its proposed construction is needed because Symantec
`
`“equate[s] storing to converting” and the claimed step of “storing” data cannot in-
`
`clude “converting” data. Resp., 14-15. This is a red herring. Symantec did not
`
`equate storing with converting, nor even rely on Swimmer’s discussion of convert-
`
`ing files as the basis for teaching the claimed “storing” step. 5 Rather, as the Peti-
`
`tion demonstrated (and the Board agreed), Swimmer teaches storing its audit rec-
`
`ords (i.e., DSP data) in an audit trail that is in the form of a large sequential file
`
`having a particular schema for each record (i.e., a flat-file database). Pet., 19; In-
`
`stitution, 23. Moreover, Finjan’s attempt to exclude “converting” is based entirely
`
`on its argument that Swimmer uses the word “convert” but not the word “storing.”
`
`Resp., 14. As discussed above, such constructions are improper.
`
`Lastly, Finjan asserts that its construction is needed in order to make clear
`
`that “deriving” and “storing” are separate steps, and that “the DSP data is only
`
`5 Finjan’s argument is also technically inaccurate. As discussed below, Finjan’s
`
`assertion that converting a file from one format to another format “does not actual-
`
`ly place any . . . data into storage” is nonsensical. Davidson Rep., ¶10-20.
`
`8
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`placed in the database upon derivation of the [security] profile, including the list of
`
`suspicious computer operations.” Resp., 15-16, 46-47. In other words, Finjan ap-
`
`pears to be arguing that the claims require that the entire security profile be derived
`
`before placing any of the DSP data into the database. This too is incorrect. The
`
`claims expressly recite deriving and storing DSP data – not deriving and storing
`
`the entire security profile for the Downloadable. Thus, the broadest reasonable in-
`
`terpretation cannot possibly require that the entire security profile first be derived.
`
`Davidson Rep., ¶95.
`
`III.
`
`SWIMMER TEACHES DERIVING DSP DATA THAT INCLUDES A
`LIST OF SUSPICIOUS COMPUTER OPERATIONS
`
`There is no dispute that Swimmer is specifically directed to detecting viruses
`
`in computer programs and code (e.g., incoming Downloadables). Swimmer, 1 (de-
`
`scribing “an automatic analysis system for computer viruses,” called VIDES).
`
`VIDES includes an audit system, which emulates a computer program and gener-
`
`ates an audit trail “representing program behavior in general, and virus activity in
`
`particular.” Id., 9. This audit trail can then be used by an Intrusion Detection sys-
`
`tem, such as ASAX, to detect the presence of a virus by analyzing the behavior of
`
`the computer program using virus behavior rules. Id., 10-11.
`
`More specifically, Swimmer’s audit trail includes a list of audit records that
`
`are generated when the program attempts to invoke certain types of computer op-
`
`9
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`erations, such as DOS system functions (or “INT 21h” functions). Each audit rec-
`
`ord includes, inter alia, a function number, identifying the specific DOS function
`
`invoked by the program (e.g., read a file), as well as any arguments or parameters
`
`and any return value(s). Id., 7, 9.
`
`Although Swimmer does not use the word “suspicious” when discussing the
`
`computer operations listed in the audit trail, these DOS functions are the funda-
`
`mental operations that provide access to core components of the computer, such as
`
`the file system, OS, and memory. Davidson Pet., ¶101. Thus, a POSITA would
`
`have readily understood that these DOS functions were being recorded by Swim-
`
`mer’s VIDES system because they are the type of operations that can be used by
`
`viruses to cause harm (i.e., suspicious computer operations). Id., ¶153; Davidson
`
`Rep., ¶82-90. Indeed, as the Board recognized, these DOS functions are the very
`
`same examples given in the ‘494 patent for the claimed “suspicious computer op-
`
`erations.” Institution, 22; ‘194 patent, 5:58-69; ‘494 patent, claims 6, 15; Davidson
`
`Pet., ¶102, 117-119. Accordingly, Swimmer teaches deriving DSP data (an audit
`
`trail) that includes a list of suspicious computer operations (a list of audit records
`
`each representing an operation) that may be attempted by the Downloadable. Pet.,
`
`16-18.
`
`Finjan asserts that “Swimmer’s audit trail does not deem any operations as
`
`suspicious” and that there must be a list designating only the suspicious operations
`
`10
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`– “not just a listing of every computer command that is executed within a pro-
`
`gram.” Resp., 22-25, 28. These arguments are premised entirely on Finjan’s un-
`
`reasonably narrow claim interpretations and rehashed arguments that the Board
`
`previously rejected.
`
`Finjan also fails to explain what this “deeming” step actually entails and, in-
`
`stead, relies on nothing more than conclusory and circular statements. See, e.g.,
`
`Resp., 25 (“computer operations are only suspicious to the extent that they have
`
`been deemed suspicious”). Presumably, this is because the ‘494 patent makes
`
`clear that determining whether a computer operation is “suspicious” simply in-
`
`volves determining whether it is a certain type of operation (e.g., a file system op-
`
`eration).
`
`Significantly, Swimmer teaches this exact technique. Swimmer’s audit sys-
`
`tem only generates audit records for certain types of computer operations, e.g.,
`
`DOS functions, that the Downloadable attempts to invoke. As Finjan’s expert
`
`acknowledged, in addition to these types of system functions (e.g., the DOS func-
`
`tions recorded by Swimmer) programs invoke many other types of operations dur-
`
`ing their execution, such as arithmetic operations, internal functions, and jump op-
`
`erations. Transcript, 126:19-127:22; MSCD, 10 (defining “operation”); Davidson
`
`Rep., ¶65-74. Thus, Swimmer’s audit trail is not just a listing of every operation
`
`executed by the Downloadable; rather, it only includes certain operations, e.g.,
`
`11
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`DOS system functions that need to be further analyzed by Swimmer’s virus detec-
`
`tion system (i.e., suspicious operations). Accordingly, even under Finjan’s overly
`
`narrow construction, Swimmer teaches this claim limitation.
`
`Finjan argues that Swimmer’s “VIDES system would have to be applied to
`
`every file, regardless of whether it actually contains a virus.” Resp., 25-27. But,
`
`this is the case for virtually all virus detection systems, including the claimed sys-
`
`tem. Indeed, both in Swimmer and the ‘494 patent, the system does not yet know
`
`whether the Downloadable is malicious when the DSP data is being derived. As
`
`Finjan acknowledges, the ‘194 patent discloses that Downloadables for which a
`
`DSP is derived may be blocked or may be passed “to a destination computer.”
`
`Resp., 20; ‘194 patent, 6:9-29 (explaining that Downloadables may be “passed” or
`
`“allowed” if the policy used during subsequent analysis permits the operations that
`
`are included in the DSP data). As a result, both systems create DSP data with a list
`
`of suspicious computer operations irrespective of whether the Downloadable is be-
`
`nign or malicious. Transcript, 92:16-99:3; Davidson Rep., ¶91-96.
`
`Finjan argues that it is “nonsensical” to believe that Microsoft intended its
`
`“standard [DOS] system functions [to be used as] suspicious computer operations.”
`
`Resp., 24. While this is presumably true, it does not change the fact that these are
`
`precisely the type of computer operations used by viruses and other malicious pro-
`
`grams. Finjan asserts that the Board (on rehearing) incorrectly equated a single
`
`12
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`audit record in Swimmer (rather than the audit trail) with the claimed “DSP data.”
`
`Resp., 22, 28-29. Finjan makes too much of this alleged inconsistency. Indeed, as
`
`Finjan acknowledges, the petition clearly mapped Swimmer’s audit trail (i.e., list
`
`of audit records) to the claimed DSP data, as did the Board in its Institution Deci-
`
`sion. Id., 22; Institution, 23.
`
`Lastly, Finjan asserts that Swimmer does not teach the “Downloadable scan-
`
`ner” recited in independent claim 10, because Swimmer “teaches against the use of
`
`scanners.” Resp., 29-30. This is incorrect. As Dr. Davidson explains, the cited
`
`background portion of Swimmer is referring to an entirely different type of “scan-
`
`ner” than the one described and claimed in the ‘494 patent (which is taught by
`
`Swimmer’s audit system and/or emulator). Davidson Rep., ¶47-52; Davidson Pet.,
`
`¶44-47; Davidson Tr., 49:20-53:5.
`
`IV.
`
`SWIMMER TEACHES STORING THE DSP DATA IN A DATABASE
`
`As demonstrated in Symantec’s Petition, a POSITA would have understood
`
`Swimmer’s audit trail to be a flat-file database storing a collection of interrelated
`
`information (e.g., audit records) organized according to a database schema (e.g.,
`
`audit record format) that serves one or more applications (e.g., ASAX). Pet., 19-
`
`20; Institution, 23; Rehearing Dec., 6. Finjan’s arguments to the contrary are based
`
`on its overly narrow constructions and misinterpretations of Swimmer and the
`
`technology.
`
`13
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`A.
`
`Swimmer’s Does Not Teach Away From Using Databases
`
`Finjan argues that Swimmer “teaches that database solutions should not be
`
`used because they are easily circumvented with polymorphic viruses.” Resp., 19-
`
`20. Not so. In these cited background portions, Swimmer is describing previous
`
`pattern-matching virus detection techniques that used databases of “virus identifi-
`
`cation information.” Davidson Rep., ¶47-53. Swimmer, simply recognizes that
`
`such prior-art approaches may not be effective for all types of viruses. Swimmer
`
`does not, however, criticize the use of databases generally, and in fact teaches stor-
`
`ing audit records in a database, as discussed below. Id. ¶54-56.
`
`B.
`
`Swimmer’s Audit Records Are Stored
`
`Finjan asserts that Swimmer does not store any data, because it uses the
`
`word “convert,” but not “storing,” when describing its audit trail. Based on this,
`
`Finjan concludes that Swimmer does not store [the audit records] produced by the
`
`emulator” and does not “place any of this data into storage of any type.” Resp., 14,
`
`35; Medvidovic Dec., ¶71, 109. Nothing could be further from the truth. As Fin-
`
`jan acknowledges, Swimmer clearly teaches that its audit records are “produced”
`
`by the emulator and then placed into a large sequential file. Resp., 14; Medvidovic
`
`Dec., ¶71, 107; Swimmer, 10, 12 (explaining that its audit trail is “a sequential file
`
`of records in NADF format.”), Fig. 3; Davidson Rep., ¶10-17. Thus, there can be
`
`no reasonable dispute that Swimmer’s audit trail (i.e., DSP data) is placed into
`
`14
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`storage. MSCD, 7 (defining a “file” as “a basic unit of storage.”). Indeed, it would
`
`be technically impossible for Swimmer’s system to generate a list of audit records,
`
`put them in a file, and then access and analyze these records without ever placing
`
`them in any form of storage. Davidson Rep., ¶20.
`
`C.
`
`Swimmer Teaches Storing The Audit Trail In A Database
`
`Finjan’s assertions that Swimmer does not teach the claimed database boil
`
`down to three main arguments. First, Finjan argues that Symantec’s expert admit-
`
`ted that Swimmer’s audit trail is a “log file” and, therefore, not a database under its
`
`overly narrow construction. Resp., 36-37. This is incorrect. The term “log file” or
`
`“log” does not appear anywhere in Swimmer. Moreover, Dr. Davidson provided
`
`detailed testimony that Swimmer’s audit trail is not a generic log file or “event
`
`log” – rather, it is a list of audit records (i.e., suspicious computer operations) that
`
`are organized in a particular format with each record having the same number and
`
`order of fields (i.e., a flat-file database). Davidson Dec., 107-113; Davidson Tr.,
`
`134:3-17; Davidson Rep., ¶112-114. Finjan’s similar attempts to characterize
`
`Swimmer’s audit trail as a generic “log file” or “event log” were previously reject-
`
`ed by the Board. Institution, 23; Rehearing Dec., 7-10.
`
`Second, Finjan asserts that Swimmer’s audit trail is a “flat file” – but not a
`
`“flat file database.” Resp., 37-38. Finjan’s sole basis for this errant distinction is
`
`that “the audit trail is not in the form of a table.” Id., 38. This is simply not true.
`
`15
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Swimmer explains that its audit trail is organized as a list or sequence of audit rec-
`
`ords, each of which have the same five fields corresponding to various audit record
`
`attributes. Swimmer, 9, Fig. 3. This format is shown in the following excerpt of a
`
`chart created by Dr. Davidson based on Figure 3 of Swimmer:
`
`Davidson Rep., ¶23-27. Thus, the audit trail is clearly in a table format, with the
`
`five fields representing the columns and each audit record representing a new row.
`
`Indeed, Finjan’s argument is belied by its own expert. Transcript, 107:19-108:21
`
`(testifying that a flat-file database is a list of records stored in a sequential file),
`
`110:24-
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
