`U.S. Patent No. 8,677,494
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`SYMANTEC CORP., and
`BLUE COAT SYSTEMS, INC.,
`Petitioner
`
`v.
`
`FINJAN, INC.
`Patent Owner
`
`Case: IPR2015-018921
`U.S. Patent No. 8,677,494
`
`CONSOLIDATED FILING:
`
`PETITIONERS’ REPLY TO PATENT OWNER’S RESPONSE
`
`1 Case IPR2016-00890 has been joined with the instant proceeding
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`TABLE OF CONTENTS
`
`I.
`
`II.
`
`INTRODUCTION ...........................................................................................1
`
`FINJAN’S NEW CLAIM CONSTRUCTIONS ARE IMPROPER ................1
`
`A.
`
`B.
`
`C.
`
`“Database”.............................................................................................2
`
`“List of Suspicious Computer Operations”...........................................5
`
`“Storing the DSP data in a Database”...................................................7
`
`III.
`
`SWIMMER TEACHES DERIVING DSP DATA THAT INCLUDES A
`LIST OF SUSPICIOUS COMPUTER OPERATIONS..................................9
`
`IV.
`
`SWIMMER TEACHES STORING THE DSP DATA IN A DATABASE .13
`
`A.
`
`B.
`
`Swimmer’s Audit Records Are Stored................................................14
`
`Swimmer Teaches Storing The Audit Trail In A Database ................15
`
`V.
`
`FINJAN’S ALLEGED SECONDARY CONSIDERATIONS ARE
`LEGALLY AND FACTUALLY DEFICIENT ............................................19
`
`VI. SWIMMER WAS PUBLICLY AVAILABLE BEFORE THE EARLIEST
`POSSIBLE PRIORITY DATE OF THE ‘494 PATENT..............................23
`
`VII. CONCLUSION ..............................................................................................26
`
`i
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`TABLE OF AUTHORITIES
`
`Cases
`
`3M Innovative Properties Co., v. Tredegar Corp.,
`725 F.3d 1315 (Fed. Cir. 2013) ...................................................................3, 4
`
`Apple Inc. v. SightSound Technolgies LLC,
`CBM2013-00020 (PTAB Oct. 8, 2013) ........................................................22
`
`ABT Sys. LLC v. Emerson Elec. Co.,
`797 F.3d 1350 (Fed. Cir. 2015) .....................................................................20
`
`Cardiocom LLC v. Robert Bosch Healthcare Systems, Inc.,
`IPR2013-00468 (PTAB Jan. 28, 2014) .........................................................19
`
`In re Enhanced Sec. Research, LLC,
`739 F.3d 1347 (2014) ....................................................................................24
`
`Endo Pharmaceutical Inc. v. DepoMed Inc.,
`IPR2014-00652 (PTAB Apr. 17, 2014) ........................................................21
`
`EZ Dock, Inc. v. Schafer Sys.,
`2003 U.S. Dist. LEXIS 3634 (D. Minn. 2003)................................................4
`
`FLIR Systems, Inc. v. Leak Surveys, Inc.,
`IPR2014-00411 (PTAB Sep. 5, 2014)...........................................................23
`
`Hill-Rom Servs., Inc. v. Stryker Corp.,
`755 F.3d 1367 (Fed. Cir. 2014) .......................................................................7
`
`In re Huang,
`100 F.3d 135 (Fed. Cir. 1996) .......................................................................20
`
`Leapfrog Enters., Inc. v. Fisher-Price, Inc.,
`485 F.3d 1157 (Fed. Cir. 2007) .....................................................................19
`
`Ormco Corp. v. AlignTech. Inc.,
`463 F.3d 1299, 1312 (Fed. Cir. 2006) ...........................................................21
`
`ii
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Phillips v. AWH Corp.,
`415 F.3d 1303 (Fed. Cir. 2005) (en banc) .......................................................5
`
`Thorner v. Sony Computer Entm’t Am.,
`669 F.3d 1362 (Fed. Cir. 2012) .......................................................................4
`
`Vitronics Corp. v. Concepironic, Inc.,
`90 F.3d 1576 (Fed. Cir. 1996) .........................................................................5
`
`VSR Industries Inc. v. Cole. Kepro International, LLC,
`IPR2015-00182 (PTAB Oct. 29, 2014).........................................................20
`
`iii
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`LIST OF ABBREVIATIONS
`
`Document Description
`Petition for Inter Partes Review (Paper No. 1)
`Patent Owner Preliminary Response (Paper No.
`7)
`Institution Decision (Paper No. 9)
`Patent Owner Response (Paper No. 27)
`Declaration of Dr. Medvidovic in Support of Pa-
`tent Owner Response (Exhibit 2007)
`Reply Declaration of Jack Davidson (Exhibit
`1027)
`Declaration of Jack Davidson in Support of Peti-
`tion (Exhibit 1018)
`Deposition Transcript of Dr. Medvidovic, August
`19, 2016 (Exhibit 1034)
`Patent Owner Request for Rehearing (Paper No.
`13)
`Decision Denying Request for Rehearing (Paper
`No. 21)
`Microsoft Computer Dictionary 3rd Edition
`
`Abbreviation
`Pet.
`Prelim. Resp.
`
`Institution
`Resp.
`Medvidovic Dec.
`
`Davidson Rep.
`
`Davidson Pet.
`
`Transcript
`
`Rehearing Request
`
`Rehearing Dec.
`
`MSCD
`
`iv
`
`
`
`Exhibit No.
`Symantec 1001
`Symantec 1002
`
`Symantec 1003
`Symantec 1004
`
`Symantec 1005
`
`Symantec 1006
`Symantec 1007
`Symantec 1008
`Symantec 1009
`Symantec 1010
`Symantec 1011
`Symantec 1012
`Symantec 1013
`Symantec 1014
`
`Symantec 1015
`
`Symantec 1016
`
`Symantec 1017
`
`Symantec 1018
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`EXHIBIT LIST
`
`Description
`U.S. Patent No. 8,677,494 to Edery et al. (“the ‘494 patent”)
`U.S. Provisional Application No. 60/030,639 (“the ‘639 pro-
`visional”)
`U.S. Patent No. 5,313,616 to David C. Cline et al. (“Cline”)
`A Sense of Self for Unix Processes, by Stephanie Forrest et
`al., Proceedings of the 1996 IEEE Symposium on Security
`and Privacy, IEEE Computer Society Press, 1996. (“Forrest”)
`Dynamic Detection and Classification of Computer Viruses
`Using General Behaviour Patterns, by Morton Swimmer et
`al., Virus Bulletin Conference, Virus Bulletin Ltd., September
`1995. (“Swimmer”)
`Declaration by Dr. Sylvia Hall-Ellis
`Curriculum Vitae of Dr. Sylvia Hall-Ellis
`Xplore Digital Library Database printout (Forrest)
`MARC record OCLC record number 34969890 (Forrest)
`1995 Virus Bulletin Proceedings
`MARC record OCLC record number 33834197 (Swimmer)
`U.S. Patent No. 5,623,600 to Shuang Ji et al. (“Ji”)
`U.S. Patent No. 6,092,194 (“the ‘194 patent”)
`Webster’s College Dictionary, 1999 Second Random House
`Edition, p. 339
`Ninth New Collegiate Dictionary, 1991 Merriam-Webster
`Inc., p. 325
`Webster’s New World Dictionary of Computer Terms, 4th Edi-
`tion 1992, Simon & Schuster, Inc., p. 95
`Joint Claim Construction and Pre-Hearing Statement, Dkt. No.
`68, Case No. 3:14cv2998
`Declaration of Jack Davidson in Support of Petition (“Da-
`vidson Dec.”)
`
`v
`
`
`
`Exhibit No.
`Symantec 1019
`Symantec 1020
`Symantec 1021
`Symantec 1022
`Symantec 1023
`
`Symantec 1024
`
`Symantec 1025
`Symantec 1026
`Symantec 1027
`
`Symantec 1028
`Symantec 1029
`
`Symantec 1030
`
`Symantec 1031
`
`Symantec 1032
`
`Symantec 1033
`Symantec 1034
`
`Symantec 1035
`Symantec 1036
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Description
`Curriculum Vitae of Jack Davidson
`Advanced MS-DOS
`U.S. Patent No. 5,978,484 to Apperson et al. (“Apperson”)
`U.S. Patent No. 5,892,904 to Atkinson et al. (“Atkinson”)
`Efficient Software-Based Fault Isolation, by Robert Wahbe et
`al., ACM SIGOPS (Special Interest Group on Operating Sys-
`tems) Symposium on Operating Systems Principles, Decem-
`ber 1993
`Scott and Davidson, “Safe Virtual Execution Using Software
`Dynamic Translation”, 2002
`Affidavit of Alexander Walden
`Virus Bulletin Conference Proceedings Sept. 1995
`Declaration of Dr. Jack Davidson in Support of Petitioner’s
`Reply
`Updated Curriculum Vitae of Dr. Jack Davidson
`Selected Definitions from Microsoft Computer Dictionary 3rd
`Edition, 1997 (“MSCD”)
`D. Comer, “The Flat File Database Generator ffg”, Computer
`Science Technical Reports, Purdue University, 1981 (“Com-
`er”)
`G. Fowler, “cql - A flat file Database Query Langauge”, In
`Proceedings of the Winter 1994 USENIX Conference , San
`Francisco, California, Jan. 1994 (“Fowler”)
`D. Denning, “An intrusion detection model”, IEEE Transac-
`tions on Software Engineering, 13-2:222, Feb 1987 (“Den-
`ning”)
`Intel 8086 Family User’s Manual (“8086 Manual”)
`Transcript of Deposition of Dr. Medvidovic in IPR2015-
`01892 taken on Aug. 19, 2016
`U.S. Patent No. 5,398,196 (“the ‘196 patent”)
`A. Mounji et al. “Distributed Audit Trail Analysis”, In Pro-
`
`vi
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Exhibit No.
`
`Symantec 1037
`Symantec 1038
`Symantec 1039
`
`Symantec 1040
`Symantec 1041
`Symantec 1042
`Symantec 1043
`
`Description
`ceedings of the Internet Society Symposium on Network and
`Distributed System Security (ISOC'95), San Diego, Califor-
`nia, Feb 1995, IEEE (“Mounji”)
`Supplemental Declaration of Dr. Sylvia Hall-Ellis
`Declaration of Dr. Richard Ford
`Exhibit C to Declaration of Dr. Richard Ford - Excerpts from
`Virus Bulletin Conference Proceedings Sept. 1995
`Exhibit E to Declaration of Dr. Richard Ford – Photograph
`Declaration of Joseph Kiegel
`MARC Record - Denning
`MARC Record - Fowler
`
`vii
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`I.
`
`INTRODUCTION
`The Board correctly instituted inter partes review after determining there
`
`was a reasonable likelihood that claims 1, 2, 5, 6, 10, 11, 14, and 15 (the “chal-
`
`lenged claims”) of U.S. Patent No. 8,677,494 (“the ‘494 patent”) are unpatentable
`
`based on Swimmer. In its Response, Patent Owner Finjan raises a wide array of
`
`arguments, none of which have merit. The vast majority of Finjan’s arguments are
`
`based on improper claim constructions that read-in additional limitations in an at-
`
`tempt to carve out Swimmer from the scope of the claims. In so doing, Finjan also
`
`mischaracterizes the teachings of Swimmer and the relevant technology.
`
`Finjan further asserts that various secondary considerations rescue the claims
`
`from being unpatentable. Not so. Finjan’s conclusory assertions fall far short of
`
`satisfying the required elements and evidentiary support. Lastly, Finjan, without
`
`support, asserts that Swimmer was not publicly available before the ‘494 patent.
`
`This is belied by the considerable evidence already provided by Symantec, and fur-
`
`ther confirmed by the additional evidence submitted herewith.
`
`II.
`
`FINJAN’S NEW CLAIM CONSTRUCTIONS ARE IMPROPER
`
`Finjan’s new construction for the term “database” improperly reads-in nu-
`
`merous other requirements to the Board’s construction. Likewise, Finjan’s pro-
`
`posed constructions for two additional claim phrases: (i) “list of suspicious com-
`
`puter operations;” and (ii) “storing the DSP data in a database” are unreasonably
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`narrow and do nothing to clarify the meaning of the claims. Importantly, once the
`
`claims are properly construed under the BRI standard, Finjan’s arguments concern-
`
`ing Swimmer fall apart swiftly.
`
`A.
`
`“Database”
`
`The Board adopted Finjan’s construction for “database,” namely: “a collec-
`
`tion of interrelated data organized according to a database schema to serve one or
`
`more applications.” Institution, 10.2 The Board then correctly determined that
`
`Swimmer teaches the database under this construction. Id., 23. Incredibly, Finjan
`
`now argues for an even narrower interpretation that impermissibly injects the fol-
`
`lowing additional requirements into the claims:
`
` database schema requires “a description of [the] database to a database
`
`management system (DBMS) in the language provided by the DBMS”
`
`(Resp., 38-40 ; Medvidovic Dec., ¶60, 116, 148);
`
` DBMS requires a “program or programs that control [the] database so
`
`that the information it contains can be stored, retrieved, updated, and
`
`sorted” (Resp., 39; Medvidovic Dec., ¶61, 148);
`
` the database cannot be a flat-file (Resp., 38; Medvidovic Dec., ¶59, 140);
`
`2 Petitioners maintain this is not the broadest reasonable interpretation of “data-
`
`base,” but adopt the Board’s construction solely for purposes of this IPR.
`
`2
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`and
`
` the database cannot be an event log or log file (Resp., 7-10, 35-36;
`
`Medvidovic Dec., ¶59, 64, 115, 128, 136).
`
`There is simply no basis for reading any, much less all, of these extra re-
`
`quirements into the claims. The ‘494 patent does not even refer to any “database
`
`schema” or “DBMS.”3 Nor does it state that the database cannot be in the form of
`
`a flat file, event log, or log file. Indeed, there is no discussion whatsoever of the
`
`format of the database. The patent merely mentions that there is a “security data-
`
`base” that “includes security information,” such as DSP data. ‘194 patent, 3:47-50,
`
`4:14-18, FIG. 3; Davidson Rep., ¶37. Accordingly, Finjan’s explicit and implicit
`
`constructions are plainly improper under the BRI standard. 3M Innovative Proper-
`
`ties Co., v. Tredegar Corp., 725 F.3d 1315, 1329 (Fed. Cir. 2013).
`
`Moreover, Finjan attempts to support these new requirements – not by con-
`
`struing the claim language – but, instead, by further defining the Board’s (i.e., Fin-
`
`jan’s original) construction. In particular, Finjan provides a lengthy, narrow defi-
`
`nition of “database schema.” Resp., 38-40; Medvidovic Dec., ¶60-61. Notably,
`
`this term appears nowhere in the claims or specification - only in the Board’s con-
`
`3 Incredibly, this does not stop Finjan from asserting that Swimmer cannot teach a
`
`database because it does not use the term “database schema.” Resp., 39.
`
`3
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`struction for “database.” In turn, Finjan’s expert then provides a lengthy definition
`
`for “DBMS,” which only appears in Finjan’s new definition for “database sche-
`
`ma.” Medvidovic Dec., ¶61, 148. This too is improper. EZ Dock, Inc. v. Schafer
`
`Sys., 2003 U.S. Dist. LEXIS 3634, *34-35 (D. Minn. 2003) (“parties are not enti-
`
`tled to ‘construe’ the Court’s claim construction.”).
`
`Additionally, Finjan is effectively asserting that the claimed database must
`
`be a relational database. Resp., 38-39; Medvidovic Dec., ¶116. 148; Davidson
`
`Rep., ¶35-37. Not so. As explained above, the ‘494 patent is silent as to the type
`
`or structure of the database. Tellingly, Finjan did not and cannot point to any sup-
`
`port in the ‘494 patent, let alone a clear disavowal, that would justify limiting the
`
`claims to a relational database. Tredegar, 725 F.3d at 1329; Thorner v. Sony Com-
`
`puter Entm’t Am., 669 F.3d 1362, 1365-67 (Fed. Cir. 2012); see also Transcript,
`
`107:6-9, 108:23-109:2 (acknowledging various types of databases were well-
`
`known); Davidson Rep., ¶37.
`
`Lastly, Finjan’s new arguments are a blatant effort to carve Swimmer out of
`
`the scope of the claims in an attempt to salvage their validity. 4 Resp., 6-10;
`
`4 Indeed, Finjan proposed a different construction for “database schema” when
`
`faced with different prior art in another proceeding involving the ‘494 patent. Ex.
`
`4
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Medvidovic Dec., ¶60-63. This is not permitted. Vitronics Corp. v. Concepironic,
`
`Inc., 90 F.3d 1576, 1584-85 (Fed. Cir. 1996) (the prior art may not “be used to
`
`vary claim terms from how they are defined, even implicitly, in the specification”);
`
`Phillips v. AWH Corp., 415 F.3d 1303, 1327 (Fed. Cir. 2005) (en banc).
`
`B.
`
`“List of Suspicious Computer Operations”
`
`Symantec submits this claim phrase should be given its plain and ordinary
`
`meaning consistent with the specification of the ‘494 patent, namely: a list includ-
`
`ing one or more types of computer operations that could be used by the Down-
`
`loadable in a potentially hostile or undesirable manner (e.g., operating system, file
`
`system, or memory operations). ‘194 patent, 3:17-21, 5:58-6:4.
`
`The ‘194 patent (referenced in the ‘494 patent) explains that examples of
`
`“suspicious” operations include file system operations (e.g., reading and writing
`
`files), OS operations, and registry, network, and memory operations. ‘194 patent,
`
`5:57-6:4. In turn, the system determines whether an operation in a Downloadable
`
`is “suspicious” simply by determining “whether [it] is one of the operations identi-
`
`fied in the list described above” (i.e., at 5:57-6:4). Id., 9:20-42; Davidson Rep.,
`
`¶75-81, 97-100 (explaining that a POSITA would have readily appreciated that
`
`2033, ¶31 (“The ‘database schema’ of a database describes how the data stored
`
`within the database is organized.”).
`
`5
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`these were the types of computer operations used by viruses to do harm).
`
`Finjan asserts that a “list of suspicious computer operations” should be con-
`
`strued as a “list of computer operations deemed suspicious.” Resp., 10 (emphasis
`
`added). In so doing, Finjan merely rehashes the same arguments that it already
`
`raised, and lost, in this proceeding. Resp., 11 (arguing that the claimed “list” must
`
`only include the “subset of all possible computer operations” that have been
`
`deemed suspicious); Prelim Resp., 17-19; Institution, 22 (determining that “the
`
`claims do not require that the list consist only of suspicious operations.”); see also
`
`Resp., 12; Prelim Resp., 23; Institution, 22.
`
`Moreover, Finjan’s “construction” merely rearranges the claim language and
`
`inserts the word “deemed.” As such, in addition to being unhelpful, this construc-
`
`tion is, on its face, unreasonably narrow because it reads-in an additional “deem-
`
`ing” step. Indeed, Finjan brazenly asserts that the claimed list “cannot be created
`
`without the additional step of deeming certain operations as suspicious.” Resp.,
`
`22 (emphasis added); Medvidovic Dec., ¶84. The claim language itself and the
`
`specification refute Finjan’s position. Not surprisingly, Finjan points to nothing in
`
`the specification that mandates (or suggests) an additional “deeming” step. This
`
`construction is improper. See, e.g., Hill-Rom Servs., Inc. v. Stryker Corp., 755
`
`F.3d 1367, 1371 (Fed. Cir. 2014) (“While we read claims in view of the specifica-
`
`tion . . . we do not read limitations from the embodiments in the specification into
`
`6
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`the claims.”).
`
`In fact, Finjan’s position is directly contradicted by the ‘194 patent upon
`
`which it relies. As discussed above, the ‘194 patent makes clear that an operation
`
`is “suspicious” merely because it is a type of operation that could be used in a po-
`
`tentially hostile manner (e.g., file system operations). Specifically, the ‘194 patent
`
`states that DSP data may include “a list of all operations in the Downloadable
`
`code which could ever be deemed potentially hostile.” Id., 5:51-59 (emphasis add-
`
`ed). In other words, at the time an operation is included in the list, there has been
`
`no determination yet of whether that particular operation is actually being used in a
`
`potentially hostile or “suspicious” manner. Davidson Rep., ¶91-96.
`
`C.
`
`“Storing the DSP data in a Database”
`
`Symantec submits that this claim phrase needs no further construction and
`
`should be given its plain and ordinary meaning, namely: that the DSP data is stored
`
`in a database.
`
`Finjan incorrectly asserts this phrase should be construed as “placing the de-
`
`rived DSP data into the database.” Resp., 13 (emphasis added). Finjan’s construc-
`
`tion does nothing more than replace the claim term “storing” with the word “plac-
`
`ing.” The term “storing,” however, is extremely well-known in the context of
`
`computer systems. Davidson Rep., ¶8-9; Transcript, 97:4-9 (agreeing that “stor-
`
`ing” is a well understood term that needs no construction). There is also no dispute
`
`7
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`that the ‘494 patent uses “storing” consistent with its ordinary meaning. Accord-
`
`ingly, Finjan’s construction is, at best, unnecessary, and, in fact, creates ambiguity
`
`as to what “placing” data “into” a database means. Transcript, 98:6-99:8.
`
`Finjan also argues its proposed construction is needed because Symantec
`
`“equate[s] storing to converting” and the claimed step of “storing” data cannot in-
`
`clude “converting” data. Resp., 14-15. This is a red herring. Symantec did not
`
`equate storing with converting, nor even rely on Swimmer’s discussion of convert-
`
`ing files as the basis for teaching the claimed “storing” step. 5 Rather, as the Peti-
`
`tion demonstrated (and the Board agreed), Swimmer teaches storing its audit rec-
`
`ords (i.e., DSP data) in an audit trail that is in the form of a large sequential file
`
`having a particular schema for each record (i.e., a flat-file database). Pet., 19; In-
`
`stitution, 23. Moreover, Finjan’s attempt to exclude “converting” is based entirely
`
`on its argument that Swimmer uses the word “convert” but not the word “storing.”
`
`Resp., 14. As discussed above, such constructions are improper.
`
`Lastly, Finjan asserts that its construction is needed in order to make clear
`
`that “deriving” and “storing” are separate steps, and that “the DSP data is only
`
`5 Finjan’s argument is also technically inaccurate. As discussed below, Finjan’s
`
`assertion that converting a file from one format to another format “does not actual-
`
`ly place any . . . data into storage” is nonsensical. Davidson Rep., ¶10-20.
`
`8
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`placed in the database upon derivation of the [security] profile, including the list of
`
`suspicious computer operations.” Resp., 15-16, 46-47. In other words, Finjan ap-
`
`pears to be arguing that the claims require that the entire security profile be derived
`
`before placing any of the DSP data into the database. This too is incorrect. The
`
`claims expressly recite deriving and storing DSP data – not deriving and storing
`
`the entire security profile for the Downloadable. Thus, the broadest reasonable in-
`
`terpretation cannot possibly require that the entire security profile first be derived.
`
`Davidson Rep., ¶95.
`
`III.
`
`SWIMMER TEACHES DERIVING DSP DATA THAT INCLUDES A
`LIST OF SUSPICIOUS COMPUTER OPERATIONS
`
`There is no dispute that Swimmer is specifically directed to detecting viruses
`
`in computer programs and code (e.g., incoming Downloadables). Swimmer, 1 (de-
`
`scribing “an automatic analysis system for computer viruses,” called VIDES).
`
`VIDES includes an audit system, which emulates a computer program and gener-
`
`ates an audit trail “representing program behavior in general, and virus activity in
`
`particular.” Id., 9. This audit trail can then be used by an Intrusion Detection sys-
`
`tem, such as ASAX, to detect the presence of a virus by analyzing the behavior of
`
`the computer program using virus behavior rules. Id., 10-11.
`
`More specifically, Swimmer’s audit trail includes a list of audit records that
`
`are generated when the program attempts to invoke certain types of computer op-
`
`9
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`erations, such as DOS system functions (or “INT 21h” functions). Each audit rec-
`
`ord includes, inter alia, a function number, identifying the specific DOS function
`
`invoked by the program (e.g., read a file), as well as any arguments or parameters
`
`and any return value(s). Id., 7, 9.
`
`Although Swimmer does not use the word “suspicious” when discussing the
`
`computer operations listed in the audit trail, these DOS functions are the funda-
`
`mental operations that provide access to core components of the computer, such as
`
`the file system, OS, and memory. Davidson Pet., ¶101. Thus, a POSITA would
`
`have readily understood that these DOS functions were being recorded by Swim-
`
`mer’s VIDES system because they are the type of operations that can be used by
`
`viruses to cause harm (i.e., suspicious computer operations). Id., ¶153; Davidson
`
`Rep., ¶82-90. Indeed, as the Board recognized, these DOS functions are the very
`
`same examples given in the ‘494 patent for the claimed “suspicious computer op-
`
`erations.” Institution, 22; ‘194 patent, 5:58-69; ‘494 patent, claims 6, 15; Davidson
`
`Pet., ¶102, 117-119. Accordingly, Swimmer teaches deriving DSP data (an audit
`
`trail) that includes a list of suspicious computer operations (a list of audit records
`
`each representing an operation) that may be attempted by the Downloadable. Pet.,
`
`16-18.
`
`Finjan asserts that “Swimmer’s audit trail does not deem any operations as
`
`suspicious” and that there must be a list designating only the suspicious operations
`
`10
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`– “not just a listing of every computer command that is executed within a pro-
`
`gram.” Resp., 22-25, 28. These arguments are premised entirely on Finjan’s un-
`
`reasonably narrow claim interpretations and rehashed arguments that the Board
`
`previously rejected.
`
`Finjan also fails to explain what this “deeming” step actually entails and, in-
`
`stead, relies on nothing more than conclusory and circular statements. See, e.g.,
`
`Resp., 25 (“computer operations are only suspicious to the extent that they have
`
`been deemed suspicious”). Presumably, this is because the ‘494 patent makes
`
`clear that determining whether a computer operation is “suspicious” simply in-
`
`volves determining whether it is a certain type of operation (e.g., a file system op-
`
`eration).
`
`Significantly, Swimmer teaches this exact technique. Swimmer’s audit sys-
`
`tem only generates audit records for certain types of computer operations, e.g.,
`
`DOS functions, that the Downloadable attempts to invoke. As Finjan’s expert
`
`acknowledged, in addition to these types of system functions (e.g., the DOS func-
`
`tions recorded by Swimmer) programs invoke many other types of operations dur-
`
`ing their execution, such as arithmetic operations, internal functions, and jump op-
`
`erations. Transcript, 126:19-127:22; MSCD, 10 (defining “operation”); Davidson
`
`Rep., ¶65-74. Thus, Swimmer’s audit trail is not just a listing of every operation
`
`executed by the Downloadable; rather, it only includes certain operations, e.g.,
`
`11
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`DOS system functions that need to be further analyzed by Swimmer’s virus detec-
`
`tion system (i.e., suspicious operations). Accordingly, even under Finjan’s overly
`
`narrow construction, Swimmer teaches this claim limitation.
`
`Finjan argues that Swimmer’s “VIDES system would have to be applied to
`
`every file, regardless of whether it actually contains a virus.” Resp., 25-27. But,
`
`this is the case for virtually all virus detection systems, including the claimed sys-
`
`tem. Indeed, both in Swimmer and the ‘494 patent, the system does not yet know
`
`whether the Downloadable is malicious when the DSP data is being derived. As
`
`Finjan acknowledges, the ‘194 patent discloses that Downloadables for which a
`
`DSP is derived may be blocked or may be passed “to a destination computer.”
`
`Resp., 20; ‘194 patent, 6:9-29 (explaining that Downloadables may be “passed” or
`
`“allowed” if the policy used during subsequent analysis permits the operations that
`
`are included in the DSP data). As a result, both systems create DSP data with a list
`
`of suspicious computer operations irrespective of whether the Downloadable is be-
`
`nign or malicious. Transcript, 92:16-99:3; Davidson Rep., ¶91-96.
`
`Finjan argues that it is “nonsensical” to believe that Microsoft intended its
`
`“standard [DOS] system functions [to be used as] suspicious computer operations.”
`
`Resp., 24. While this is presumably true, it does not change the fact that these are
`
`precisely the type of computer operations used by viruses and other malicious pro-
`
`grams. Finjan asserts that the Board (on rehearing) incorrectly equated a single
`
`12
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`audit record in Swimmer (rather than the audit trail) with the claimed “DSP data.”
`
`Resp., 22, 28-29. Finjan makes too much of this alleged inconsistency. Indeed, as
`
`Finjan acknowledges, the petition clearly mapped Swimmer’s audit trail (i.e., list
`
`of audit records) to the claimed DSP data, as did the Board in its Institution Deci-
`
`sion. Id., 22; Institution, 23.
`
`Lastly, Finjan asserts that Swimmer does not teach the “Downloadable scan-
`
`ner” recited in independent claim 10, because Swimmer “teaches against the use of
`
`scanners.” Resp., 29-30. This is incorrect. As Dr. Davidson explains, the cited
`
`background portion of Swimmer is referring to an entirely different type of “scan-
`
`ner” than the one described and claimed in the ‘494 patent (which is taught by
`
`Swimmer’s audit system and/or emulator). Davidson Rep., ¶47-52; Davidson Pet.,
`
`¶44-47; Davidson Tr., 49:20-53:5.
`
`IV.
`
`SWIMMER TEACHES STORING THE DSP DATA IN A DATABASE
`
`As demonstrated in Symantec’s Petition, a POSITA would have understood
`
`Swimmer’s audit trail to be a flat-file database storing a collection of interrelated
`
`information (e.g., audit records) organized according to a database schema (e.g.,
`
`audit record format) that serves one or more applications (e.g., ASAX). Pet., 19-
`
`20; Institution, 23; Rehearing Dec., 6. Finjan’s arguments to the contrary are based
`
`on its overly narrow constructions and misinterpretations of Swimmer and the
`
`technology.
`
`13
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`A.
`
`Swimmer’s Does Not Teach Away From Using Databases
`
`Finjan argues that Swimmer “teaches that database solutions should not be
`
`used because they are easily circumvented with polymorphic viruses.” Resp., 19-
`
`20. Not so. In these cited background portions, Swimmer is describing previous
`
`pattern-matching virus detection techniques that used databases of “virus identifi-
`
`cation information.” Davidson Rep., ¶47-53. Swimmer, simply recognizes that
`
`such prior-art approaches may not be effective for all types of viruses. Swimmer
`
`does not, however, criticize the use of databases generally, and in fact teaches stor-
`
`ing audit records in a database, as discussed below. Id. ¶54-56.
`
`B.
`
`Swimmer’s Audit Records Are Stored
`
`Finjan asserts that Swimmer does not store any data, because it uses the
`
`word “convert,” but not “storing,” when describing its audit trail. Based on this,
`
`Finjan concludes that Swimmer does not store [the audit records] produced by the
`
`emulator” and does not “place any of this data into storage of any type.” Resp., 14,
`
`35; Medvidovic Dec., ¶71, 109. Nothing could be further from the truth. As Fin-
`
`jan acknowledges, Swimmer clearly teaches that its audit records are “produced”
`
`by the emulator and then placed into a large sequential file. Resp., 14; Medvidovic
`
`Dec., ¶71, 107; Swimmer, 10, 12 (explaining that its audit trail is “a sequential file
`
`of records in NADF format.”), Fig. 3; Davidson Rep., ¶10-17. Thus, there can be
`
`no reasonable dispute that Swimmer’s audit trail (i.e., DSP data) is placed into
`
`14
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`storage. MSCD, 7 (defining a “file” as “a basic unit of storage.”). Indeed, it would
`
`be technically impossible for Swimmer’s system to generate a list of audit records,
`
`put them in a file, and then access and analyze these records without ever placing
`
`them in any form of storage. Davidson Rep., ¶20.
`
`C.
`
`Swimmer Teaches Storing The Audit Trail In A Database
`
`Finjan’s assertions that Swimmer does not teach the claimed database boil
`
`down to three main arguments. First, Finjan argues that Symantec’s expert admit-
`
`ted that Swimmer’s audit trail is a “log file” and, therefore, not a database under its
`
`overly narrow construction. Resp., 36-37. This is incorrect. The term “log file” or
`
`“log” does not appear anywhere in Swimmer. Moreover, Dr. Davidson provided
`
`detailed testimony that Swimmer’s audit trail is not a generic log file or “event
`
`log” – rather, it is a list of audit records (i.e., suspicious computer operations) that
`
`are organized in a particular format with each record having the same number and
`
`order of fields (i.e., a flat-file database). Davidson Dec., 107-113; Davidson Tr.,
`
`134:3-17; Davidson Rep., ¶112-114. Finjan’s similar attempts to characterize
`
`Swimmer’s audit trail as a generic “log file” or “event log” were previously reject-
`
`ed by the Board. Institution, 23; Rehearing Dec., 7-10.
`
`Second, Finjan asserts that Swimmer’s audit trail is a “flat file” – but not a
`
`“flat file database.” Resp., 37-38. Finjan’s sole basis for this errant distinction is
`
`that “the audit trail is not in the form of a table.” Id., 38. This is simply not true.
`
`15
`
`
`
`Case IPR2015-01892
`U.S. Patent No. 8,677,494
`
`Swimmer explains that its audit trail is organized as a list or sequence of audit rec-
`
`ords, each of which have the same five fields corresponding to various audit record
`
`attributes. Swimmer, 9, Fig. 3. This format is shown in the following excerpt of a
`
`chart created by Dr. Davidson based on Figure 3 of Swimmer:
`
`Davidson Rep., ¶23-27. Thus, the audit trail is clearly in a table format, with the
`
`five fields representing the columns and each audit record representing a new row.
`
`Indeed, Finjan’s argument is belied by its own expert. Transcript, 107:19-108:21
`
`(testifying that a flat-file database is a list of records stored in a sequential file),
`
`110:24-