`
`__________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`___________________
`
`PALO ALTO NETWORKS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________________
`
`Case IPR2015-02001
`Case IPR2016-00157
`Patent No. 8,225,408 B21
`__________________________________________________________
`
`
`
`PATENT OWNER RESPONSE
`
`
`1 These proceedings have been consolidated.
`
`
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`TABLE OF CONTENTS
`
`Page
`
`PATENT OWNER’S EXHIBIT LIST ....................................................................... i
`
`I.
`
`II.
`
`INTRODUCTION ........................................................................................... 1
`
`FACTS ............................................................................................................. 5
`
`A.
`
`B.
`
`C.
`
`The ‘408 Patent ..................................................................................... 5
`
`Challenged Claims .............................................................................. 10
`
`The Institution Decision ...................................................................... 12
`
`III. CLAIM CONSTRUCTION .......................................................................... 12
`
`IV. GROUND 1: Chandnani in view of Kolawa Does Not Render
`Obvious Claims 1, 3–5, 9, 12–16, 18, and 19, 22, 23, 29, and 35
`Under 35 U.S.C. § 103(a) .............................................................................. 13
`
`A.
`
`Chandnani in view of Kolawa Does not Disclose “dynamically
`building, [by the computer] while said receiving receives the
`incoming stream, a parse tree” (claims 1, 22, 23, and 35) or “a
`parser […], for dynamically building while said receiver is
`receiving the incoming stream, a parse tree” (claims 9 and 29) ......... 19
`
`1.
`
`2.
`
`The Combination of Chandnani and Kolawa Does Not
`Disclose Dynamically Building a Parse Tree Because
`Chandnani’s Data Stream is Resident on the Computer
`Before Tokenization Begins ..................................................... 19
`
`The Combination of Chandnani and Kolawa Does Not
`Disclose Dynamically Building a Parse Tree Because the
`References in Combination Teach Fully Tokenizing a
`Data Stream Before Building a Parse Tree ............................... 24
`
`B.
`
`Chandnani In View of Kolawa Does Not Disclose dynamically
`detecting while dynamically building the parse tree (all
`challenged claims) ............................................................................... 30
`
`i
`
`
`
`C.
`
`D.
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`1.
`
`2.
`
`Chandnani Does Not Teach Dynamically Detecting
`While Dynamically Building .................................................... 30
`
`Petitioner’s Argument is Not Tied to the Claim Language ...... 36
`
`Chandnani In View of Kolawa Does Not Disclose Detecting
`Potential Exploits (all challenged claims) ........................................... 38
`
`The Petition Provides Inadequate Motivation to Combine
`Chandnani and Kolawa ....................................................................... 41
`
`1.
`
`2.
`
`3.
`
`A POSITA Would Not Have Modified Chandnani With
`Kolawa Because Doing So Changes Chandnani’s
`Principle of Operation ............................................................... 41
`
`A POSITA Would Not Have Modified Chandnani With
`Kolawa Because They Have Different Goals ........................... 44
`
`Petitioner Failed to Explain Why a POSITA Would Have
`Modified Chandnani With Kolawa to Dynamically
`Detect ........................................................................................ 48
`
`V. Ground 2: Chandnani in View of Kolawa and Walls Does Not Render
`Obvious Claims 1, 3–5, 9, 12–16, 18, 19, 22, 23, 29, and 35 ....................... 49
`
`A.
`
`Chandnani in view of Kolawa and Walls Does not Disclose
`“dynamically building, [by the computer] while said receiving
`receives the incoming stream, a parse tree” (claims 1, 22, 23,
`and 35) or “a parser […], for dynamically building while said
`receiver is receiving the incoming stream, a parse tree” (claims
`9 and 29) .............................................................................................. 50
`
`B.
`
`Chandnani in view of Kolawa and Walls Does Not Disclose
`dynamically detecting while dynamically building the parse tree
`(all challenged claims)......................................................................... 56
`
`VI. Grounds 3 and 4: Chandnani in View of Kolawa, Walls and Huang
`Do Not Render Obvious Claims 6, 7, 20, and 21 Under 35 U.S.C.
`§ 103(a) .......................................................................................................... 59
`
`VII. SECONDARY CONSIDERATIONS ........................................................... 60
`
`A.
`
`Commercial Success and Licensing .................................................... 61
`
`- ii -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`B.
`
`Industry Praise ..................................................................................... 67
`
`VIII. CONCLUSION .............................................................................................. 67
`
`
`
`- iii -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`TABLE OF AUTHORITIES
`
` Page(s)
`
`Cases
`ActiveVideo Networks, Inc. v. Verizon Commc’n, Inc.,
`694 F.3d 1312 (Fed. Cir. 2012) .......................................................................... 60
`
`Demaco Corp. v. F. Von Langsdorff Licensing Ltd.,
`851 F.2d 1387 (Fed. Cir. 1988) .......................................................................... 62
`
`In re Gordon,
`733 F.2d 900 (Fed. Cir. 1984) ............................................................................ 42
`
`GrafTech Int’l Holdings, Inc., v. Laird Techs., Inc.,
`Nos. 2015-1796, -1797, -1798, 2016 WL 3357427
`(Fed. Cir. June 17, 2016) .................................................................................... 61
`
`Graham v. John Deere Co.,
`383 U.S. 1 (1966) .................................................................................................. 5
`
`Heart Failure Techs., LLC v. CardioKinetix, Inc.,
`IPR2013-00183, Paper 12 (P.T.A.B. July 31, 2013) .......................................... 48
`
`Institut Pasteur & Universite Pierre Et Marie Curie v. Focarino,
`738 F.3d 1337 (Fed. Cir. 2013) .......................................................................... 61
`
`J.T. Eaton & Co. v. Atl. Paste & Glue Co.,
`106 F.3d 1563 (Fed. Cir. 1997) .......................................................................... 61
`
`Kinetic Techs., Inc. v. Skyworks Solutions, Inc.,
`IPR2014-00529, Paper 8 (P.T.A.B. Sept. 23, 2014)........................................... 48
`
`KSR Int’l Co. v. Teleflex Inc.,
`550 U.S. 398 (2007) ........................................................................................ 5, 41
`
`In re Magnum Oil Tools Int’l, Ltd.,
`No. 2015-1300, 2016 WL 3974202 (Fed. Cir. July 25, 2016) ................. 1, 55, 57
`
`Minnesota Mining & Mfg. Co. v. Johnson & Johnson Orthopaedics,
`Inc.,
`976 F.2d 1559 (Fed. Cir. 1992) .......................................................................... 66
`
`- iv -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`SAS Institute, Inc. v. Complementsoft, LLC,
`No. 2015-01346, -1347, 2016 WL 3213103
`(Fed. Cir. June 10, 2016) .................................................................................... 13
`
`Statutes
`
`35 U.S.C. § 103(a) ............................................................................................. 13, 59
`
`Other Authorities
`
`37 C.F.R. § 42.1(d) .................................................................................................... 1
`
`37 C.F.R. § 42.6(e) ................................................................................................... 69
`
`37 C.F.R. § 42.20(c) ................................................................................................. 55
`
`37 C.F.R. § 42.22(a)(2) ............................................................................................ 55
`
`37 C.F.R. § 42.104(b)(4) .......................................................................................... 55
`
`37 C.F.R. § 42.65(a) ................................................................................................. 53
`
`- v -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`PATENT OWNER’S EXHIBIT LIST
`
`
`
`Description
`
`Exhibit-2001 Claim Construction Order in Finjan, Inc. v. Proofpoint, Inc., Case
`No. 13-cv-05808-HSG, Dkt. No. 267, (N.D. Cal.), dated
`December 3, 2015.
`
`Exhibit-2002 Plaintiff Finjan, Inc.’s Objections and Responses to Defendant
`Palo Alto Networks, Inc.’s First Set of Interrogatories (Nos. 1-
`13), in Finjan, Inc. v. Palo Alto Networks, Inc., Case No. 14-cv-
`04908-PJH, (N.D. Cal.), dated February 25, 2015
`
`Exhibit-2003 Petition for Inter Partes Review of U.S. Patent No. 8,225,408
`filed in Palo Alto Networks, Inc. v. Finjan, Inc., IPR2015-02001,
`dated September 30, 2015 [filed only in IPR2015-00157]
`
`Exhibit-2004 Reserved
`
`Exhibit-2005 Reserved
`
`Exhibit-2006 Cisco Webpage – “What Is the Difference: Viruses, Worms,
`Trojans, and Bots?” – available at
`http://www.cisco.com/c/en/us/about/security-center/virus-
`differences.html
`
`Exhibit-2007 Declaration of Nenad Medvidovic, Ph.D. On The Validity Of
`Claims 1, 3-7, 9, 12-16, 18-23, 29, and 35 of U.S. Patent No.
`8,225,408 In Support Of Patent Owner’s Response with
`Appendix A (Curriculum Vitae of Dr. Nenad Medvidovic)
`
`Exhibit 2008 Microsoft Computer Dictionary, Fifth Edition (2002) (Pages 76,
`133, 145, 211, 529)
`
`Exhibit 2009 Deposition Transcript of Dr. Aviel Rubin for Case No. IPR2015-
`02001 & IPR2016-00157, taken on July 26, 2016
`
`Exhibit 2010 Deposition Transcript of Dr. Aviel Rubin for Case No. IPR2015-
`02001 & IPR2016-00157, taken on July 27, 2016
`
`- i -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`
`
`Description
`
`Exhibit-2011 Effective C++: 50 Specific Ways to Improve Your Programs and
`Designs, Addison-Wesley Professional Computing Series, 1992.
`
`Exhibit-2012 Declaration of S.H. Michael Kim in Support of Patent Owner’s
`Response to Petition
`
`Exhibit-2013 Declaration of Harry Bims, Ph.D. in Support of Patent Owner’s
`Response to Petition with Appendix A (Curriculum Vitae of
`Harry Bims)
`
`Exhibit-2014 Finjan, Inc. v. Websense, Inc., Case No. 13-cv-04398 (N.D. Cal.),
`Appendix C (‘408 Patent Claim Chart) to Plaintiff Finjan, Inc.’s
`Disclosure of Asserted Claims and Infringement Contentions,
`dated February 28, 2014
`
`Exhibit-2015 Websense, Inc. Revenue and Financial Data, available at
`http://www.hoovers.com/company-information/cs/revenue-
`financial.websense_inc.89ee9262879a5b65.html.
`
`Exhibit-2016 Websense, Inc. brochure - Triton APX (2015), available at
`https://www.websense.com/assets/brochures/brochure-triton-apx-
`en.pdf.
`
`Exhibit-2017 Finjan, Inc. v. Proofpoint Technologies, Inc. et al., Case No. 13-
`cv-05808-HSG (N.D. Cal.), Appendix E (‘408 Patent Claim
`Chart) to Plaintiff Finjan, Inc.’s Disclosure of Asserted Claims
`and Infringement Contentions, dated April 17, 2014
`
`Exhibit-2018 Proofpoint, Inc. 10-K, dated December 31, 2014
`
`Exhibit-2019 Proofpoint, Inc. Press Release - Proofpoint Announces Fourth
`Quarter and Full Year 2015 Financial Results (Jan. 28, 2016),
`available at
`http://investors.proofpoint.com/releasedetail.cfm?releaseid=9522
`95
`
`Exhibit-2020 Proofpoint Inc. 10-K, dated February 25, 2016
`
`Exhibit-2021 Gartner - Magic Quadrant for Secure Web Gateways, 2007
`
`- ii -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`
`
`Description
`
`Exhibit-2022 Gartner - Magic Quadrant for Secure Email Gateways, July 2,
`2013
`
`Exhibit-2023 Gartner - Magic Quadrant for Secure Web Gateways, May 28,
`2013
`
`Exhibit-2024 Finjan Holdings, Inc. 8-K, dated September 24, 2014
`
`Exhibit-2025 Finjan Holdings, Inc. 8-K, dated April 7, 2015
`
`Exhibit-2026 Finjan Holdings, Inc. 8-K, dated May 14, 2015
`
`Exhibit-2027 Finjan Holdings, Inc. 8-K, dated November 15, 2015
`
`Exhibit-2028 Finjan Holdings, Inc. 8-K, dated December 30, 2015
`
`Exhibit-2029 Finjan Holdings, Inc. 8-K, dated May 20, 2016
`
`Exhibit-2030 Wikipedia – Assembly Line
`
`Exhibit 2031 Declaration of Jeffrey Price in Support of Patent Owner’s
`Response to Petition
`
`
`
`- iii -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`I.
`
`INTRODUCTION
`
`Palo Alto Networks, Inc., (“PAN” or “Petitioner”) submitted Petitions in
`
`Case Nos. IPR2015-02001 (the “‘2001 Petition”) and IPR2016-00157 (the “‘00157
`
`Petition”) requesting inter partes review (“IPR”) of certain claims of U.S. Patent
`
`No. 8,225,408 (Ex. 1001, the “‘408 Patent”).2 On March 29, 2016, the Board
`
`consolidated these two cases and instituted inter partes review of claims 1, 3–7, 9,
`
`12–16, 18–23, 29, and 35 (“the Challenged Claims”). See Decision on Institution,
`
`IPR2015-02001, Paper 7; Decision on Institution, IPR2016-00157 (“Institution
`
`Decision”). Finjan, Inc., (“Finjan” or “Patent Owner”) requests that the Board find
`
`the challenged claims patentable over the references cited against the claims
`
`because Petitioner has not met its burden to demonstrate unpatentability of the
`
`challenged claims by a preponderance of the evidence as required under 37 C.F.R.
`
`§ 42.1(d). In re Magnum Oil Tools Int’l, Ltd., No. 2015-1300, 2016 WL 3974202,
`
`at *7 (Fed. Cir. July 25, 2016) (“the petitioner continues to bear the burden of
`
`proving unpatentability after institution, and must do so by a preponderance of the
`
`evidence at trial. And, the Board has an obligation to assess the question anew
`
`after trial based on the totality of the record.”) (citation omitted).
`
`
`2 For the sake of clarity, Patent Owner’s citations to Petitioner’s exhibits refer to
`
`those papers filed in Case No. IPR2015-02001, unless otherwise noted.
`
`- 1 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`The ‘408 Patent generally discloses systems and methods for receiving
`
`incoming content, determining the specific programming language being used, and
`
`then detecting exploits within received content by instantiating a language-specific
`
`scanner which has parser rules and analyzer rules created for that programming
`
`language. The ‘408 Patent teaches that by dynamically building a parse tree
`
`potential exploits can be dynamically detected during the receiving and scanning of
`
`the incoming program code. See ’408 Patent, 14:48–55 (“It may thus be
`
`appreciated that the analyzer is called repeatedly, while the parse tree is being
`
`dynamically built up.”); id., claim 1. For instance, the parse tree can be
`
`dynamically analyzed to detect exploits within the content using analyzer rules and
`
`a pattern matching engine, which can identify patterns that match those of potential
`
`exploits. See id. at 2:25–3:6 and 9:42–54.
`
`In stark contrast to the dynamic building and detecting techniques disclosed
`
`and claimed in the ‘408 Patent, each one the references cited against the claims
`
`teaches that analysis should be conducted in distinct stages, in which the fully
`
`formed output of one stage is used as the input to later stages:
`
`• Chandnani et al., U.S. Patent No. 7,636,945 (Ex. 1003, “Chandnani”),
`
`which foregoes the use of a parse tree to analyze computer code,
`
`discloses a detection process that “includes two stages: (i) tokenize the
`
`- 2 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`data stream; and (ii) process the tokens using the detection data.”
`
`Chandnani at 7:56–59.
`
`• Kolawa et al., U.S. Patent No. 5,860,011 (Ex. 1004, “Kolawa”), cited
`
`in attempt to cure Chandnani’s non-disclosure of parse tree analysis,
`
`also discloses a staged approach in which (1) source code instructions
`
`are first grouped into tokens, (2) a parser then groups the tokens into
`
`grammatical phrases that are represented by a parse tree, and (3) the
`
`completed parse tree is read by a compiler/linker and a source code
`
`quality analyzer. See Kolawa at 3:66–4:15.
`
`• Walls et al., U.S. Patent No. 7,284,274 (Ex. 1005, “Walls”) discloses
`
`a “pipelined approach for certifying software wherein distinct
`
`components are assembled into a pipeline such that the results of one
`
`component are used as input for the next component.” Walls at 7:3–6.
`
`These staged analysis techniques, taken alone or in combination, fail to disclose
`
`the claimed “dynamically building” and “dynamically detecting” features recited in
`
`each independent claim of the ‘408 Patent because they do not meet the temporal
`
`overlaps that Petitioner acknowledges are required. See ‘2001 Petition at 12 (“The
`
`BRI of each of the ‘dynamically building’ terms is ‘building during a time period
`
`that overlaps with the time period during which the incoming stream is being
`
`received.’”); id. at 13 (“The BRI of each of the ‘dynamically detecting’ terms is
`
`- 3 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`‘detecting during a time period that overlaps with the time period during which the
`
`parse tree is being built.’”)
`
`In addition, Petitioner has failed to demonstrate why a POSITA would be
`
`motivated to modify Chandnani with Kolawa (for Grounds 1–4), Walls (for
`
`Grounds 3 and 4) and Huang (for Grounds 2 and 4). Indeed, Kolawa and Walls are
`
`not even in the field of computer security. Rather, these references are focused on
`
`helping companies create software without bugs. See Kolawa at 1:25-29
`
`(describing how Kolawa is addressed at the “problem of writing error-free
`
`computer programs has plagued programmers since the very beginning.”); see also
`
`Walls at 2:10-21 (describing how Walls is directed towards “companies that
`
`develop and release application software… Developers of operating systems such
`
`as Sun Microsystems and Hewlett-Packard”); see also id. at 6:30–43 (describing
`
`how Walls “provides a process for certifying whether a software program is free
`
`from a common class of software flaws…”). Rather than assisting a software
`
`company identify flaws or bugs in their own software, the ‘408 Patent is directed
`
`towards identifying the presence of malicious intent as exemplified with the
`
`description of “portions of code that are malicious.” ‘408 Patent at 4:15–16.
`
`Finally, Petitioner did not address the abundant secondary considerations
`
`that demonstrate that the challenged claims are not obvious. This is another basis
`
`for finding the challenged claims not invalid because the Petitioner provides an
`
`- 4 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`incomplete obviousness analysis. Graham v. John Deere Co., 383 U.S. 1, 17-18
`
`(1966); KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). For these reasons,
`
`and those stated below, Petitioner’s obviousness challenge to the instituted claims
`
`of the ‘408 Patent should be denied and all claims found patentable.
`
`II.
`
`FACTS
`
`A. The ‘408 Patent
`
`Patent Owner’s ‘408 Patent was filed on August 30, 2004, and claims
`
`priority to U.S. Patent No. 6,804,780, filed March 30, 2000, and U.S. Patent No.
`
`6,092,194, filed Nov. 6, 1997. The systems and methods of the ‘408 Patent are
`
`generally directed towards systems and methods for using a dynamically built
`
`parse tree to detect exploits within incoming program code. This parse tree is
`
`dynamically created and analyzed using parser rules that define certain patterns in
`
`terms of tokens and analyzer rules that identify certain combinations of tokens and
`
`patterns as being indicators of potential exploits. See, e.g., ‘408 Patent at 2:25–3:6;
`
`see also id. at 9:42–54. By describing portions of potentially malicious program
`
`code in this novel manner, the ‘408 Patent allows for efficient and accurate
`
`detection of exploits within incoming program code. See ’408 Patent at 14:48–54.
`
`More particularly, the ‘408 Patent is directed to adaptive rule-based
`
`(“ARB”) content scanners, which adapt themselves dynamically to scan specific
`
`types of content, such as JavaScript, VBScript, URI, URL, and HTML, as opposed
`
`- 5 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`to being hard coded for one particular content type. ‘408 Patent at 1:65–2:3. The
`
`invention disclosed in the ‘408 Patent utilizes at least three different types of rule
`
`files that are used to identify tokens, patterns of tokens, and potential exploits:
`
`Rule files are text files that describe lexical characteristics of a
`particular language. Rule files for a language describe character
`encodings, sequences of characters that form lexical constructs of the
`language, referred to as tokens, patterns of tokens that form
`syntactical constructs of program code, referred to as parsing rules,
`and patterns of tokens that correspond to potential exploits, referred to
`as analyzer rules.
`
`Id. at 2:6–13. Taken together, the ‘408 Patent discloses identifying exploits
`
`in computer code by using rule files that (1) describe the basic constructs of
`
`a particular programming language (e.g. rule files used to tokenize an
`
`incoming byte source into language constructs, such as words), (2) identify
`
`groups of tokens as a single pattern (e.g. parser rules that group tokens into
`
`phrases), and (3) identify syntax patterns that indicate a potential computer
`
`exploit (e.g. analyzer rules that match phrases to potential exploits).
`
`FIG. 2 of the ‘408 Patent is a simple block diagram illustrating an exemplary
`
`scanner system that uses these rule files to identify computer exploits:
`
`- 6 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`
`
`In the context of the ‘408 Patent, the tokenizer functions to “recognize and identify
`
`constructs, referred to as tokens, within a byte source, such as JavaScript source
`
`code.” ‘408 Patent at 6:51–54. The parser controls the scanning of incoming
`
`content by invoking the tokenizer, which returns tokens identified in the incoming
`
`byte stream, and positioning successive tokens as siblings in a parse tree. ‘408
`
`Patent at 8:18–32. The parser applies “parser rules” to identify a group of sibling
`
`tokens as a single pattern and reducing the siblings to a single parent node that
`
`represents the pattern. ‘408 Patent at 8:32–37. The analyzer uses a set of
`
`“analyzer rules,” which define generic syntax patterns that indicate a potential
`
`exploit. ‘408 Patent at 9:23–27.
`
`Importantly, the techniques described and claimed in the ‘408 Patent involve
`
`operating on an “incoming stream of program code.” See ‘408 Patent at claims 1,
`
`- 7 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`9, 22, 23, 29, and 35; see also id. at 8:18–20 (“[P]arser 220 controls the process of
`
`scanning incoming content.”); 9:19–20 (“Preferably, immediately after parser 220
`
`performs a reduce operation, it calls analyzer 230 to check for exploits.”); 2:20–21
`
`(“Thus it may be appreciated that the present invention is able to diagnose
`
`incoming content.”). Indeed, each independent claim of the ‘408 Patent explicitly
`
`recites that exploits are detected in an incoming stream of program code. Claim 1,
`
`for example, recites:
`
`• “dynamically building, by the computer while said receiving receives
`
`the incoming stream, a parse tree…” and
`
`• “dynamically detecting, by the computer while said dynamically
`
`building builds the parse tree, combinations of nodes in the parse tree
`
`which are indicators of potential exploits.”
`
`‘408 Patent at claim 1 (emphasis added). This technique of dynamically detecting
`
`potential exploits in incoming program code stands in stark contrast to the staged
`
`code analysis disclosed in Chandnani, Kolawa, and Walls where program code is
`
`fully tokenized before any parse tree is built and a parse tree (if built at all) is fully
`
`built before any analysis begins.
`
`Another key feature that distinguishes the ‘408 Patent from the prior art is its
`
`focus on detecting exploits “being portions of program code that are malicious,”
`
`rather than simply recognizing previously known malware. See ‘408 Patent,
`
`- 8 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`claims 1, 9, 22, 23, 29, and 35; 4:15–16 (“Many examples of malicious mobile
`
`code are known today. Portions of code that are malicious are referred to as
`
`exploits.”). Although malware, such as viruses, can sometimes include an exploit,
`
`they are not the same thing:
`
`An exploit is a piece of software, a command, or a methodology that
`attacks a particular security vulnerability. Exploits are not always
`malicious in intent—they are sometimes used only as a way of
`demonstrating that a vulnerability exists. However, they are a
`common component of malware.
`
`Ex. 2006 at 1-2 (explaining the differences between an exploit versus the most
`
`common types of malware, such as viruses, worms and Trojans).
`
`Detecting individual exploits, particularly using the behavior-based scanning
`
`techniques disclosed in the ‘408 Patent, facilitates the “zero-day” recognition of
`
`malicious code, even if it is surrounded by otherwise benign and/or not previously
`
`encountered code, based only on the behavior associated with the exploit.
`
`Moreover, changes to the code—ranging from major structural changes to
`
`superficial changes, like variable renaming—that can easily defeat signature-based
`
`scanners are transparent to the ‘408 Patent’s exploit recognition techniques. This
`
`is the reason the ‘408 Patent claims scanning content to detect patterns or
`
`combinations “of nodes in the parse tree which are indicators of potential exploits.”
`
`See, e.g.,‘408 Patent at claim 1. The insight is not to attempt to simply recognize
`
`- 9 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`program code that has been seen before, but rather to recognize exploits within
`
`program code because both the exploit and the code surrounding the exploit can be
`
`easily obfuscated.
`
`On the other hand, the scanning technique disclosed in Chandnani requires
`
`that an entire file or program that contains malicious code be known before it can
`
`be detected because in each case, the token patterns and CRC checks used to
`
`identify content are generated based upon the known malware and are used to
`
`recognize the known malware. See Chandnani at 6:57–67 (describing the
`
`generation of “viral code detection data” by taking samples of and analyzing
`
`collected (known) polymorphic script language viral code). Accordingly, rather
`
`than analyzing program code to detect potential exploits, Chandnani’s analysis is
`
`designed to identify already known viral code, whether or not it contains any
`
`exploits.
`
`B. Challenged Claims
`
`This inter partes review proceeding involves claims 1, 3–7, 9, 12–16, 18–23,
`
`29, and 35 of the ‘408 Patent, of which claims 1, 9, 22, 23, 29, and 35 are
`
`independent. Claim 1 is reproduced below:
`
`1. A computer processor-based multi-lingual method for scanning
`incoming program code, comprising:
`
`receiving, by a computer, an incoming stream of program code;
`
`- 10 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`determining, by the computer, any specific one of a plurality of
`
`programming languages in which the incoming stream is written;
`
`instantiating, by the computer, a scanner for the specific
`programming language, in response to said determining, the scanner
`comprising parser rules and analyzer rules for
`the specific
`programming language, wherein the parser rules define certain
`patterns in terms of tokens, tokens being lexical constructs for the
`specific programming language, and wherein the analyzer rules
`identify certain combinations of tokens and patterns as being
`indicators of potential exploits, exploits being portions of program
`code that are malicious;
`
`identifying, by the computer, individual tokens within the
`incoming stream;
`
`dynamically building, by the computer while said receiving
`receives the incoming stream, a parse tree whose nodes represent
`tokens and patterns in accordance with the parser rules;
`
`dynamically detecting, by the computer while said dynamically
`building builds the parse tree, combinations of nodes in the parse tree
`which are indicators of potential exploits, based on the analyzer rules;
`and
`indicating, by the computer, the presence of potential exploits
`
`within the incoming stream, based on said dynamically detecting.
`
`‘408 Patent at 19:45–20:7.
`
`- 11 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`C. The Institution Decision
`
`Based on the limited record before it, the Board instituted inter partes of the
`
`‘408 Patent, finding that Petitioner raised a reasonable likelihood that claims 1, 3–
`
`7, 9, 12–16, 18–21, 29, and 35 are unpatentable. See Institution Decision at 24. In
`
`particular, this proceeding involves the following four grounds:
`
`Ground 1 proposes that Chandnani in view of Kolawa renders obvious
`
`claims 1, 3–5, 9, 12–16, 18, and 19, 22, 23, 29, and 35 of the ‘408 Patent.
`
`Ground 2 proposes that Chandnani in view of Kolawa and Walls renders
`
`obvious claims 1, 3–5, 9, 12–16, 18, and 19, 22, 23, 29, and 35 of the ‘408 Patent.
`
`Ground 3 proposes that Chandnani in view of Kolawa and Huang renders
`
`obvious claims 6, 7, 20 and 21 of the ‘408 Patent.
`
`Ground 4 proposes that Chandnani in view of Kolawa, Walls and Huang
`
`renders obvious claims 6, 7, 20 and 21 of the ‘408 Patent.
`
`III. CLAIM CONSTRUCTION
`
`In the Institution Decision, the Board provided constructions for the terms
`
`“parse tree,” “dynamically building…,” “dynamically detecting…,” and
`
`“instantiating… a scanner for the specific programming language.” Institution
`
`Decision at 8–12. Although Patent Owner maintains that the terms “dynamically
`
`building” and “dynamically detecting” do not require construction, it does not
`
`contest these constructions for purposes of this proceeding, and they are, therefore,
`
`- 12 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`controlling. SAS Institute, Inc. v. Complementsoft, LLC, No. 2015-01346, -1347,
`
`2016 WL 3213103, at *14-15 (Fed. Cir. June 10, 2016) (holding that an agency
`
`may not change theories in midstream without giving reasonable notice of the
`
`change and the opportunity to present argument under the new theory).
`
`IV. GROUND 1: Chandnani in view of Kolawa Does Not Render Obvious
`Claims 1, 3–5, 9, 12–16, 18, and 19, 22, 23, 29, and 35 Under 35 U.S.C.
`§ 103(a)
`
`Ground 1 alleges that the Chandnani and Kolawa references render obvious
`
`challenged claims 1, 3–5, 9, 12–16, 18, and 19, 22, 23, 29, and 35 under 35 U.S.C.
`
`§ 103(a). For at least the following reasons, Patent Owner submits that the
`
`challenged claims are not obvious over the combination of Chandnani and Kolawa.
`
`Chandnani discloses a method of detecting script language viruses by
`
`performing three consecutive, or “staged,” lexical analyses, none of which involves
`
`either building a parse tree or detecting combinations of nodes in the parse tree
`
`which are indicators of potential exploits. The first lexical analysis involves
`
`lexically analyzing a data stream to determine an appropriate script language.
`
`Chandnani at 7:60–65. The second lexical analysis involves lexically analyzing
`
`the same data stream a second time to generate a stream of tokens. Chandnani at
`
`7:67–8:3. Finally, the generated token stream is lexically analyzed using “pattern
`
`match detection data.” Chandnani at 8:50–53. This process flow is illustrated in
`
`- 13 -
`
`
`
`Patent Owner Response
`IPR2015-02001 & IPR2016-00157 (U.S. Patent No. 8,225,408)
`
`FIGS. 6 and 7 of Chandnani, reproduced below, in which the three separate lexical
`
`analyses are represented by steps 33, 37, and 44, respectively:
`
`
`
`
`
`As Dr. Medvidovic explains, Dr. Rubin’s “assembly line” analogy for
`
`describing Chandnani’s virus detection technique is particularly apt and
`
`