UNITED STATES PATENT AND TRADEMARK OFFICE
`
`__________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`___________________
`
`SYMANTEC CORP.
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`
`____________________
`
`Case IPR2015-01892
`Patent 8,677,494
`
`__________________________________________________________
`
`PATENT OWNER’S PRELIMINARY RESPONSE
`UNDER 37 C.F.R. § 42.107
`
`
`
`
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`TABLE OF CONTENTS
`
`Page
`
`I.
`
`II.
`
`INTRODUCTION ............................................................................................. 1
`
`THE ‘494 PATENT ........................................................................................... 5
`
`A. Overview ................................................................................................. 5
`
`B.
`
`C.
`
`Challenged Claims .................................................................................. 7
`
`Prosecution History ................................................................................. 8
`
`III. CLAIM CONSTRUCTION .............................................................................. 9
`
`A.
`
`“database” (claims 1, 2, 5, 6, 10, 11, 14, and 15) ................................... 9
`
`IV. SPECIFIC REASONS WHY THE CITED REFERENCES DO NOT
`INVALIDATE THE CLAIMS, AND WHY INTER PARTES
`REVIEW SHOULD NOT BE INSTITUTED ................................................... 12
`
`A. Grounds 1 and 2: Swimmer Does not Anticipate Challenged
`Claims ...................................................................................................... 13
`
`1.
`
`2.
`
`3.
`
`Swimmer Cannot Anticipate the ‘494 Patent Because
`Swimmer is not Enabled ............................................................... 13
`
`Petitioner Has Not Demonstrated that Swimmer
`Discloses “[a receiver for] receiving an incoming
`Downloadable” (claims 1 and 10) ................................................. 15
`
`Petitioner Has Not Demonstrated that Swimmer
`Discloses “[a Downloadable scanner coupled with said
`receiver, for] deriving security profile data for the
`Downloadable, including a list of suspicious computer
`operations that may be attempted by the Downloadable”
`(claims 1 and 10) ........................................................................... 17
`
`4.
`
`Petitioner Has Not Demonstrated that Swimmer
`Discloses “[a database manager coupled with said
`
`- i -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`5.
`
`6.
`
`Downloadable scanner, for] storing the Downloadable
`security profile data in a database” (claims 1 and 10) .................. 19
`
`Petitioner Has Not Demonstrated that Swimmer
`Discloses “storing a date & time when the Downloadable
`security profile data was derived [by said Downloadable
`scanner], in the database” (claims 2 and 11) ................................ 22
`
`Petitioner Has Not Demonstrated that Swimmer
`Discloses “wherein suspicious computer operations
`include calls made to an operating system, a file system,
`a network system, and to memory” (claims 6 and 15) ................. 23
`
`B. Ground 2: Swimmer Does not Render Obvious Claims 5 and 14 .......... 24
`
`1.
`
`Petitioner Has Not Demonstrated that Swimmer
`Discloses “wherein the Downloadable includes program
`script” (claims 5 and 14) ............................................................... 24
`
`C. Ground 3: Swimmer Does not Render Obvious the Challenged
`Claims ...................................................................................................... 25
`
`D. Ground 4: Cline in view of Ji Does not Render Obvious the
`Challenged Claims .................................................................................. 27
`
`1.
`
`2.
`
`3.
`
`Cline is not Analogous Art ........................................................... 28
`
`Petitioner Has Not Demonstrated that Cline in view of Ji
`Discloses “[a Downloadable scanner coupled with said
`receiver, for] deriving security profile data for the
`Downloadable, including a list of suspicious computer
`operations that may be attempted by the Downloadable”
`(claims 1 and 10) ........................................................................... 31
`
`Petitioner Has Not Demonstrated that Cline in view of Ji
`Discloses “[a database manager coupled with said
`Downloadable scanner, for] storing the Downloadable
`security profile data in a database” (claims 1 and 10) .................. 39
`
`E.
`
`Ground 5: Forrest in view of Ji does not render the Challenged
`Claims obvious under 35 U.S.C. § 103(a) .............................................. 43
`
`- ii -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`1.
`
`2.
`
`Petitioner Has Not Demonstrated that Forrest in view of
`discloses: “[a Downloadable scanner coupled with said
`receiver, for] deriving security profile data for the
`Downloadable, including a list of suspicious computer
`operations that may be attempted by the Downloadable”
`(claims 1 and 10) ........................................................................... 43
`
`Petitioner Has Not Demonstrated that Forrest in view of
`Ji Discloses “[a database manager coupled with said
`Downloadable scanner, for] storing the Downloadable
`security profile data in a database” (claims 1 and 10) .................. 47
`
`V.
`
`PETITIONER’S OBVIOUSNESS ARGUMENTS FAIL AS A
`MATTER OF LAW BECAUSE IT DID NOT CONDUCT A
`COMPLETE OBVIOUSNESS ANALYSIS ..................................................... 48
`
`VI. THE PROPOSED GROUNDS ARE CUMULATIVE ..................................... 51
`
`VII. THE PETITION DOES NOT COMPLY WITH 37 C.F.R. § 42.6 ................... 51
`
`VIII. CONCLUSION .................................................................................................. 52
`
`
`- iii -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`TABLE OF AUTHORITIES
`
` Page(s)
`
`Cases
`Activevideo Networks, Inc., v. Verizon Communications, Inc.,
`694 F.3d 1312 (Fed. Cir. 2012) .......................................................................... 26
`
`Amgen Inc. v. Hoechst Marion Roussel, Inc.,
`314 F.3d 1313 (Fed. Cir. 2003) .............................................................. 13, 14, 16
`
`In re Antor Media Corp.,
`689 F.3d 1282 (Fed. Cir. 2012) .......................................................................... 13
`
`Apple Inc. v. Int'l Trade Comm'n,
`725 F.3d 1356 (Fed. Cir. 2013) .......................................................................... 48
`
`In re Arkley,
`455 F.2d 586 (Fed. Cir. 1972) ............................................................................ 16
`
`In re Bigio,
`381 F.3d 1320 (Fed. Cir. 2004) .......................................................................... 29
`
`In re Clay,
`966 F.2d 656 (Fed. Cir. 1992) ............................................................................ 31
`
`CFMT, Inc. v. Yieldup Intern. Corp.,
`349 F.3d 1333 (Fed. Cir. 2003) .......................................................................... 42
`
`Estee Lauder Inc. v. L'Oreal, SA,
`129 F.3d 588 (Fed. Cir. 1997) ............................................................................ 22
`
`Goertek, Inc. v. Knowles Electronics, LLC,
`Case No. IPR2013-00523, Paper 26 (PTAB May 30, 2014) .............................. 51
`
`Graham v. John Deere Co.,
`383 U.S. 1 (1966) ................................................................................................ 48
`
`In re Klein,
`647 F.3d 1343 (Fed. Cir. 2011) .................................................................... 29, 31
`
`Leo Pharm. Prods. Ltd. v. Rea,
`726 F.3d 1346 (Fed. Cir. 2013) .............................................................. 49, 50, 51
`- iv -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`Microsoft Corp. v. Proxyconn, Inc.,
`Nos. 2014-1542, 2014-1543, 2015 WL 3747257 (Fed. Cir. June
`16, 2015) ............................................................................................................. 10
`
`Mintz v. Dietz & Watson, Inc.
`679 F.3d 1372 (Fed. Cir. 2012) .......................................................................... 46
`
`Net MoneyIn, Inc., v. Verisign, Inc.,
`545 F.3d 1359 (Fed. Cir. 2008) .......................................................................... 23
`
`Ortho-McNeil Pharm., Inc. v. Mylan Labs, Inc.,
`520 F.3d 1358 (Fed. Cir. 2008) .......................................................................... 50
`
`Plantronics, Inc. v. Aliph, Inc.,
`724 F.3d 1343 (Fed. Cir. 2013) .................................................................... 49, 50
`
`Rambus Inc. v. Teresa Stanek Rea,
`731 F.3d 1248 (Fed. Cir. 2013) .......................................................................... 50
`
`In re Royka,
`490 F.2d 981 (C.C.P.A. 1974) ............................................................................ 25
`
`Ruiz v. A.B. Chance Co.,
`234 F.3d 654 (Fed. Cir. 2000) ............................................................................ 49
`
`Sophos, Inc., v. Finjan, Inc.,
`Case No. IPR2015-00907, Paper 8 (PTAB Sept. 24, 2015) ....................... 3, 9, 11
`
`Sophos, Inc., v. Finjan, Inc.,
`Case No. IPR2015-01022, Paper 7 (PTAB Sept. 24, 2015) ....................... 3, 9, 11
`
`Travelocity.com L.P. v. Conos Techs., LLC,
`CBM2014-00082, Paper 12 (PTAB Oct. 16, 2014) ............................................. 4
`
`In re Wilson,
`424 F.2d 1382 (C.C.P.A. 1970) ................................................................ 2, 21, 42
`
`Statutes
`
`35 U.S.C. § 103 ............................................................................................ 29, 43, 49
`
`Other Authorities
`
`37 C.F.R. § 42.6 ....................................................................................................... 52
`- v -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`37 C.F.R. § 42.20(c) ............................................................................................. 1, 44
`
`37 C.F.R. § 42.22(a)(2) ........................................................................................ 1, 44
`
`37 C.F.R. § 42.104(b)(4) ...................................................................................... 1, 44
`
`37 C.F.R. § 42.65(a) ................................................................................................. 27
`
`37 C.F.R. § 42.104(b)(4) ...................................................................................passim
`
`77 FR 48756 ................................................................................................. 27, 28, 29
`
`80 FR 28565 ............................................................................................................. 52
`
`
`
`- vi -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`I.
`
`INTRODUCTION
`
`On September 10, 2015, Symantec Corp. (“Petitioner”) submitted a Petition
`
`to institute inter partes review (“IPR”) of U.S. Patent No. 8,677,494 (“the ‘494
`
`Patent”), challenging claims 1, 2, 5, 6, 10, 11, 14, and 15. The Board should not
`
`institute inter partes review because Petition gives no effect to the “list of
`
`suspicious computer operations” language or the “database” language recited in the
`
`claims and thus has not met its threshold burden to “establish that it is entitled to
`
`the requested relief.” See 37 C.F.R. §§ 42.20(c), 42.22(a)(2), and 42.104(b)(4)
`
`(dictating that it is Petitioner’s burden to “establish that it is entitled to the
`
`requested relief” and to do so “[t]he petition must specify where each element of
`
`the claim is found in the prior art” and provide “a detailed explanation of the
`
`significance of the evidence.”).
`
`The ‘494 Patent generally discloses systems and methods for protecting user
`
`computers from the suspicious operations that may be attempted by
`
`Downloadables. The claims require, inter alia, “receiving an incoming
`
`Downloadable,” “deriving security profile data for the Downloadable” and “storing
`
`the Downloadable security profile data in a database.” Ex. 1001 at 19–25. The
`
`Downloadable security profile (“DSP”) data that is generated and stored in the
`
`database also must include “a list of suspicious computer operations that may be
`
`attempted by the Downloadable.” Id.
`
`- 1 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`The various references cited in Grounds 1–5 of the Petition do not disclose
`
`this approach to protect against malware because they do not derive security
`
`profile data for a Downloadable, a list of suspicious computer operations, or store
`
`Downloadable security profile data in a database. In contrast, the references cited
`
`in the Petition are generally directed either to creating an audit trail of a program’s
`
`activity (Swimmer) or system and procedure calls (Cline) regardless of whether or
`
`not any one of the activities or calls is suspicious, or identifying sequences of
`
`normal system calls (Forrest). But to interpret the claimed “list of suspicious
`
`computer operations” so broadly as to include any operation would improperly
`
`give no effect to the term “suspicious” recited in the claim language. In re Wilson,
`
`424 F.2d 1382, 1385 (C.C.P.A. 1970). “All words in a claim must be considered
`
`in judging the patentability of that claim against the prior art.” Thus, none of the
`
`cited references disclose deriving security profile data for a Downloadable, let
`
`alone DSP data that includes a list of suspicious computer operations that may be
`
`attempted by the Downloadable.
`
`Without suggestion from the cited prior art, the Petition relies on the
`
`disclosure of the ‘494 Patent itself to disclose the derived list of suspicious
`
`computer operations. In particular, the Petition points to the techniques for
`
`deriving the claimed list as disclosed by Patent Owner’s own patent applications,
`
`which are incorporated by reference by the ‘494 Patent, to disclose “deriving such
`
`- 2 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`data.” Petition at 8 (“as acknowledged by the related applications, various
`
`techniques for deriving such data, such as by parsing and decomposing executable
`
`code, were widely used and conventional at the time of the ‘494 patent.”) .
`
`Similarly, Petitioner points to the ‘494 Patent’s teaching that certain operations
`
`should be deemed “examples of suspicious operations” to substitute for
`
`Swimmer’s failure to do so. Petition at 17-18. Because the ‘494 Patent itself
`
`cannot take the place of the evidence lacking in the cited prior art, Petitioner’s
`
`flawed arguments are unavailing.
`
`Additionally, none of the cited references disclose storing Downloadable
`
`security profile data in a database. At most, Swimmer and Cline generate log files
`
`that log all of a program’s activity or system/procedure calls. These log files are
`
`not security profiles nor are they ever stored in a database. To cure this deficiency,
`
`the Petition nonsensically interprets the creation of a log file alone to disclose the
`
`claimed “storing … in a database.” Indeed, the Board already rejected a previous
`
`petition that relied upon this same interpretation as databases are not log files. See
`
`Sophos, Inc. v. Finjan, Inc., IPR2015-01022, Paper 7 at 9–10 (PTAB Sept. 24,
`
`2015) (declining to institute trial on the ‘494 Patent due to similar reasons); and
`
`Sophos, Inc. v. Finjan, Inc., IPR2015-00907, Paper 8 at 8–10 (PTAB Sept. 24,
`
`2015) (institution denied). Similarly, the district court rejected this interpretation
`
`and held databases are not log files. See Ex. 2002 at 5 n.1 and 7, Finjan, Inc., v.
`
`- 3 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`Sophos, Inc., Case No. 14-cv-01197-WHO, Dkt. No. 73, Claim Construction
`
`Order.
`
`Because the Petition has failed to make a threshold showing that the cited
`
`prior art teaches at least the claimed list of suspicious operations and the claimed
`
`database, the Board should decline to institute inter partes review.
`
`Although there are a variety of reasons why the ‘494 Patent is valid over
`
`Petitioner’s asserted prior art references, this Preliminary Response focuses on
`
`only limited reasons why inter partes review should not be instituted. See
`
`Travelocity.com L.P. v. Conos Techs., LLC, CBM2014-00082, Paper 12 at 10
`
`(PTAB Oct. 16, 2014) (“[N]othing may be gleaned from the Patent Owner’s
`
`challenge or failure to challenge the grounds of unpatentability for any particular
`
`reason.”). In view of IPR2015-01545, Paper No. 9 (PTAB Dec. 11, 2015), Patent
`
`Owner specifically reserves its right to dispute that Symantec has correctly named
`
`all real-parties-in-interest in the event that sufficient factual bases supporting such
`
`a challenge surface during the pendency of this proceeding. The deficiencies of
`
`the Petition noted herein, however, are sufficient for the Board to find that
`
`Petitioner has not met its burden to demonstrate a reasonable likelihood that it
`
`would prevail in showing unpatentability of any of the challenged claims.
`
`- 4 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`II. THE ‘494 PATENT
`A. Overview
`Patent Owner’s ’494 Patent claims priority to a number of patents and patent
`
`applications, including U.S. Patents Nos. 6,804,780 (“the ‘780 Patent”), 6,092,194
`
`(Ex. 1013, “the ‘194 Patent”), and 6,480,962 (“the ‘962 Patent”), with an earliest
`
`claimed priority date of November 8, 1996. ‘494 Patent at 1:8–55. The ‘494
`
`Patent incorporates each of these patents by reference. Id.
`
`The systems and methods of the ‘494 Patent protect personal computers
`
`(PCs) and other network accessible devices from “ suspicious or other ‘malicious’
`
`operations that might otherwise be effectuated by remotely operable code.” ‘494
`
`Patent at 2:51–56.
`
`The protection paradigm involves deriving security profile data for an
`
`incoming Downloadable. ‘494 Patent at 21:21; ‘194 Patent at 5:38–45; 9:20–22.
`
`The Downloadable security profile (“DSP”) data for each Downloadable includes a
`
`“list of all potentially hostile or suspicious computer operations that may be
`
`attempted by a specific Downloadable.” ‘194 Patent at 5:45–48. Security policies,
`
`which include policies specific to particular users and generic policies, can be
`
`compared with the DSP data for an incoming Downloadable to determine whether
`
`to allow or block the incoming Downloadable. ‘194 Patent at 4:18–24.
`
`- 5 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`The derived DSP data is stored in a database. ‘494 Patent at 21:24–25; ‘194
`
`Patent at 4:14–18; 9:52–55. Because DSP data stored in this manner can be
`
`efficiently retrieved when a known Downloadable is encountered, the invention
`
`claimed in the ‘494 Patent allows accurate security decisions to be made without
`
`the need to generate profiles for all incoming Downloadables; additionally, there is
`
`no need for the Downloadable to be scanned for malicious operations at the
`
`destination device since the DSP data already lists malicious operations that may
`
`be attempted by the Downloadable. See ‘194 Patent at 5:38–41. As shown in FIG.
`
`3, for example, DSP Data 310 can be stored in and retrieved from Security
`
`Database 240:
`
`- 6 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`
`
`See, e.g., id., 5:38–41 (retrieving DSP data from the security database); and 6:9–12
`
`(storing DSP data in the security database).
`
`B. Challenged Claims
`Petitioner challenges eight claims of the ‘494 Patent, namely method claims
`
`1, 2, 5, and 6 and system claims 10, 11, 14, and 15, of which claim 1 and 15 are
`
`independent. Claim 1 is reproduced below:
`
`1. A computer-based method, comprising the steps of:
`
`receiving an incoming Downloadable;
`
`- 7 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`deriving security profile data for the Downloadable, including a
`
`list of suspicious computer operations that may be attempted by the
`Downloadable; and
`
`storing the Downloadable security profile data in a database.
`
`Ex. 1001 at 21:19–25. Claim 2 recites “storing a date & time when the
`
`Downloadable security profile data was derived, in the database.” Id. at 21:26–28.
`
`Claim 5 recites “wherein the Downloadable include program script.” Id. at 21:33–
`
`34. Claim 6 recites “wherein suspicious computer operations include calls made to
`
`an operating system, a file system, a network system, and to memory.” Id. at
`
`21:35–37.
`
`System claim 10 further recites the components “receiver,” “Downloadable
`
`scanner,” and “database manager.” Id. at 22:7–16. Claim 14 recites “wherein the
`
`Downloadable includes program script.” Id. at 22:26–27. Claim 15 recites
`
`“wherein suspicious computer operations include calls made to an operating
`
`system, a file system, a network system, and to memory.” Id. at 22:28–30.
`
`C.
`
`Prosecution History
`
`The ‘494 Patent issued March 18, 2014, from U.S. Patent Application
`
`Serial No. 13/290,708, filed November 7, 2011.
`
`- 8 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`
`III. CLAIM CONSTRUCTION
`A.
`“database” (claims 1, 2, 5, 6, 10, 11, 14, and 15)
`The proper construction of “database” is “a collection of interrelated data
`
`organized according to a database schema to serve one or more applications.” This
`
`construction stays true to the claim language and most naturally aligns with the
`
`patent’s description of the invention as well as the well-accepted definition of the
`
`term. Ex. 2001 at 3. Furthermore, this claim construction has been applied by
`
`every other tribunal that has construed this term. In a district court litigation
`
`pending between Patent Owner and Sophos, Inc., the district court held that Patent
`
`Owner’s construction follows the context of the patent and the well-understood
`
`accepted definition for database: “[b]ecause Finjan’s definition appears to reflect
`
`both the context of the patent as well as a well-accepted definition of the term.”
`
`Ex. 2002 at 7. The Board also applied Patent Owner’s construction in two
`
`previous inter partes review proceedings: Sophos, Inc. v. Finjan, Inc., IPR2015-
`
`01022, Paper 7 at 9–10 (PTAB Sept. 24, 2015) (institution denied), the petition for
`
`which was filed against the ‘494 Patent; and Sophos, Inc. v. Finjan, Inc., IPR2015-
`
`00907, Paper 8 at 8–10 (PTAB Sept. 24, 2015)(institution denied), the petition for
`
`which was filed against related U.S. Patent No. 7,613,926.
`
`Despite these previous confirmations of Patent Owner’s proposed
`
`construction, Petitioner proposes to construe the term “database” as “an organized
`
`- 9 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`collection of data” under the BRI. Petition at 11. The goal of Petitioner's
`
`construction is to broaden the term database beyond the specification so that it
`
`reads upon the techniques described in the cited prior art (e.g. a log file). To the
`
`contrary, the Federal Circuit dictates that the broadest reasonable interpretation
`
`requires consideration of specification. See Microsoft Corp. v. Proxyconn, Inc.,
`
`Nos. 2014-1542, 2014-1543, 2015 WL 3747257, at *3 (Fed. Cir. June 16, 2015)
`
`(“[A] construction that is ‘unreasonably broad’ and which does not ‘reasonably
`
`reflect the plain language and disclosure’ will not pass muster.”). FIG. 3 of the
`
`‘194 Patent clearly illustrates that the security database 240 that stores DSP data
`
`310 is completely different than a simple log file (i.e. Event Log 245):
`
`Petitioner neglects to mention one of the passages of the ‘494 Patent
`
`specifically relied upon by both the district court Finjan, Inc. v. Sophos, Inc. as
`
`
`
`- 10 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`well as the Board in Sophos, Inc., v. Finjan, Inc., Case Nos. IPR2015-00907
`
`(institution denied, rehearing request denied) and IPR2015-01022, that led both
`
`bodies to the conclusion that the claimed database could not be equated with a
`
`simple log file log file:
`
`The fact that a database is listed along with more simple files does not
`mean that the database includes or is equated with these types of
`files. In fact, one could argue that this list serves to further
`differentiate a database from simpler files.
`
`Ex. 2002 at 5 n.1 (emphasis added); see also Ex. 2003 at 9 (IPR2015-00907
`
`Institution Decision); Ex. 2004 at 9–10 (IPR2015-01022 Institution Decision).
`
`Petitioner also blatantly misrepresents Patent Owner’s position taken in the
`
`concurrent district court litigation. To wit, Petitioner claims, “Patent Owner
`
`agreed that a ‘database’ is a collection of organized data.” Petition at 12 (citing
`
`Ex. 1017 at 4). Not so. Patent Owner’s proposed construction in the concurrent
`
`district court litigation is exactly the construction proposed herein—namely “a
`
`collection of interrelated data organized according to a database schema to serve
`
`one or more applications.” Ex. 1017 at 3.
`
`Because there is no support for Petitioner’s broader construction of
`
`“database” in the ‘494 patent, the PTAB should adopt Patent Owner’s construction
`
`as following the ‘494 patent, adopted well-understood definition, and the law.
`
`- 11 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`IV. SPECIFIC REASONS WHY THE CITED REFERENCES DO NOT
`INVALIDATE THE CLAIMS, AND WHY INTER PARTES REVIEW
`SHOULD NOT BE INSTITUTED
`
`The proposed grounds rely on four references.
`
`Ground 1 proposes that Swimmer et al., Dynamic Detection and
`
`Classification of Computer Viruses Using General Behaviour Patterns (Ex. 1005,
`
`“Swimmer”), anticipates claims 1, 2, 6, 10, 11, and 15.
`
`Ground 2 proposes that Swimmer renders claims 5 and 14 obvious.
`
`Ground 3 proposes that Swimmer renders obvious claims 1, 2, 5, 6, 10, 11,
`
`and 15.
`
`Ground 4 proposes that Cline et al. U.S. Patent No. 5,313,616 (Ex. 1003,
`
`“Cline”) combined with Ji et al. U.S. Patent No. 5,623,600 (Ex. 1012, “Ji”) renders
`
`obvious claims 1, 2, 5, 6, 10, 11, and 15.
`
`Ground 5 proposes that Forrest et al., A Sense of Self for Unix Processes,
`
`Proceedings of the 1996 IEEE Symposium on Security and Privacy, IEEE
`
`Computer Society Press (Ex. 1004, “Forrest”), combined with Ji renders obvious
`
`claims 1, 2, 5, 6, 10, 11, and 15.
`
`However, none of these references, individually or in combination, disclose
`
`at least the claimed features of “deriving security profile data for [a]
`
`Downloadable, including a list of suspicious computer operations that may be
`
`- 12 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`attempted by the Downloadable” or “storing the Downloadable security profile
`
`data in a database.”
`
`A. Grounds 1 and 2: Swimmer Does not Anticipate Challenged
`Claims
`
`Swimmer discloses a “PC AUDITING” system that “securely collects
`
`system activity data,” which is formatted into audit records. Swimmer at 7–8. The
`
`audit system processes all opcodes corresponding to program events. Id. at 9.
`
`That is, the generated audit record is a comprehensive list of any system activity,
`
`rather than a list of suspicious computer operations. Moreover, Swimmer’s audit
`
`record is never stored anywhere, let alone in a database. Id. at 13. Additionally,
`
`Swimmer specifically denigrates the use of scanners, such as the claimed
`
`Downloadable scanner, for virus detection because lexical scanners are allegedly
`
`not capable of detecting polymorphic viruses, and heuristic scanners allegedly
`
`suffer from a moderate to high false-positive rate. Id. at 3.
`
`1.
`
`Swimmer Cannot Anticipate the ‘494 Patent Because Swimmer
`is not Enabled
`
`As a threshold matter, Swimmer is not enabling and cannot, therefore,
`
`anticipate the ‘494 Patent. It is well settled that “[a] claimed invention cannot be
`
`anticipated by a prior art reference if the allegedly anticipatory disclosures cited as
`
`prior art are not enabled.” Amgen Inc. v. Hoechst Marion Roussel, Inc., 314 F.3d
`
`1313, 1354 (Fed. Cir. 2003); see also In re Antor Media Corp., 689 F.3d 1282,
`
`- 13 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`1287 (Fed. Cir. 2012). A non-enabled disclosure cannot be anticipatory because it
`
`“fails to ‘enable one of skill in the art to reduce the disclosed invention to
`
`practice.’” Amgen, 314 F.3d at 1354 (citing In re Borst, 345 F.2d 851, 855
`
`(C.C.P.A. 1962)).
`
`In the introductory paragraph, the author admits that the underlying VIDES
`
`product and, therefore, the explanatory article is not enabling:
`
`The present version of VIDES is only of interest to virus
`researchers; it is not designed to be a practical system for the end-
`user – its demands on processing power and hardware platform are
`too high. However, it can be used to identify unknown viruses rapidly
`and provide detection and classification information to the researcher.
`It also serves as a prototype for future application of intrusion
`detection technology….
`
`Swimmer at 2 (emphasis added). The author readily admits that the disclosure
`
`does not describe a “practical system for the end-user” and, therefore, it cannot
`
`teach one of skill in the art how to make and use such a system without "undue
`
`experimentation.” See Amgen, 314 F.3d at 1334 (stating that the enablement
`
`requirement is only satisfied if “the specification teaches those in the art enough
`
`that they can make and use the invention without undue experimentation.”)
`
`(citations and internal quotations omitted).
`
`Furthermore, the authors of Swimmer also admit that using the VIDES
`
`system “outside the virus lab to detect viruses in a real environment…must not
`- 14 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`cause false positives” and “[a] concept for this is currently under development.”
`
`Swimmer at 13. Notably this “real environment” implementation, which is not
`
`enabled because Swimmer admits that it was still “under development” at the time
`
`the article was published, is specifically relied upon in the Petition to demonstrate
`
`that Swimmer allegedly teaches “a receiver for receiving an incoming
`
`Downloadable.” Petition at 15-16.
`
`Accordingly, the Board should decline to institute trial on proposed
`
`Ground 1 at least because Swimmer is not enabled.
`
`2.
`
`Petitioner Has Not Demonstrated that Swimmer Discloses “[a
`receiver for] receiving an incoming Downloadable” (claims 1
`and 10)
`
`Independent claim 1 recites, “receiving an incoming Downloadable.”
`
`Independent claim 10 recites, “a receiver for receiving an incoming
`
`Downloadable.” Swimmer does not disclose this claim feature at least because
`
`Petitioner gives no patentable weight to the term “incoming.”
`
`Swimmer relies on the virus to be installed and running on the user’s
`
`machine in order to run the emulation. See Swimmer at 9 (“[T]he target machine's
`
`memory is being controlled entirely by the emulation, and file accesses are directed
`
`to a virtual disk, stored as a disk image file.”). Thus, the emulator is not run on a
`
`Downloadable intended for a destination computer, but rather a Downloadable that
`
`has already been Downloaded and installed on the target machine.
`
`- 15 -
`
`

`
`Patent Owner’s Preliminary Response
`IPR2015-01892 (U.S. Patent No. 8,677,494)
`Recognizing this deficiency in Swimmer, Petitioner asserts without any
`
`evidence that Swimmer teaches “that VIDES can be used at a firewall in order to
`
`monitor and analyze incoming Downloadables received at the firewall.” Petition at
`
`15 (citing Swimmer at 13). To the contrary, Swimmer acknowledges that that it is
`
`unclear how such a system would operate—rendering any such hypothetical
`
`system non-enabled. See Amgen, 314 F.3d at 1334.
`
`Additionally, Swimmer notes that any such system would be based on a
`
`virtual machine embodiment—not the emulator embodiment that forms the basis
`
`for Petitioner’s argument:
`
`A concept for this is currently under development. Such a system
`must also be unnoticeable unless a virus is found. As a virtual 8086
`machine will be the basis for this, the only extra overhead will come
`from the audit system and from ASAX.
`
`Swimmer at 13 (emphasis added). Accordingly, not only does Swimmer