UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Palo Alto Networks, Inc.
Petitioner

v.

Finjan, Inc.
Patent Owner

Inter Partes Review No. 2015-02001
Inter Partes Review No. 2016-00157
U.S. Patent No. 8,225,408¹

_____________________________________________________________

PETITIONER’S REPLY

¹ Cases IPR2015-02001 and IPR2016-00157 are consolidated. Cases IPR2016-00955 and IPR2016-00956 have been consolidated and joined with this consolidated proceeding.

TABLE OF CONTENTS

I. INTRODUCTION
II. CLAIM CONSTRUCTION
III. “DYNAMIC” ANALYSIS OF A DATA STREAM WAS KNOWN IN 2004
IV. GROUND 1: CHANDNANI IN VIEW OF KOLAWA RENDERS CLAIMS 1, 3-5, 9, 12-16, 18, 19, 22, 23, 29, AND 35 OBVIOUS UNDER 35 U.S.C. § 103(A)
    A. Chandnani renders obvious “dynamically building”
        1. Chandnani renders obvious a detection process performed before the data stream is resident on the computer
        2. Chandnani renders obvious tokenizing a data stream while the stream is still being received
        3. Chandnani renders obvious parsing a token stream
        4. Chandnani renders obvious parsing the token stream before the data stream is fully tokenized
        5. Finjan ignores the plain meaning of “data stream”
    B. Chandnani renders obvious “dynamically detecting”
        1. Chandnani renders obvious detecting while parsing
        2. Finjan mischaracterizes the prior art and ignores the knowledge of a POSA
        3. Finjan mischaracterizes Dr. Rubin’s testimony
        4. Finjan ignores Chandnani’s disclosure of multiple embodiments
    C. Chandnani renders obvious detecting potential exploits
    D. Chandnani + Kolawa teaches “building a parse tree”
        1. Chandnani renders obvious “building a parse tree”
        2. A POSA would have combined the teachings of Chandnani and Kolawa
            a. Combining the teachings of Chandnani and Kolawa does not change Chandnani’s principle of operation
            b. Chandnani and Kolawa both teach tokenizing, parsing, and analyzing content to identify problematic code
            c. A POSA would have been motivated to combine the teachings of Chandnani and Kolawa
V. GROUND 2: CHANDNANI IN VIEW OF KOLAWA AND WALLS RENDERS CLAIMS 1, 3-5, 9, 12-16, 18, 19, 22, 23, 29, AND 35 OBVIOUS UNDER 35 U.S.C. § 103(A)
VI. GROUNDS 3 AND 4: COMBINING GROUNDS 1 AND 2 WITH THE TEACHINGS OF HUANG RENDERS CLAIMS 6, 7, 20, AND 21 OBVIOUS UNDER 35 U.S.C. § 103(A)
VII. FINJAN’S SECONDARY CONSIDERATIONS EVIDENCE SHOULD BE GIVEN NO WEIGHT
    A. Finjan fails to establish a nexus between its licensing program and the challenged claims
    B. Finjan fails to establish nexus between any alleged commercial success and the challenged claims
    C. Finjan fails to establish nexus between any industry praise and the challenged claims
    D. Finjan is not entitled to a presumption of nexus
VIII. CONCLUSION

TABLE OF AUTHORITIES

Cases

In re Antor Media Corp., 689 F.3d 1282 (Fed. Cir. 2012)
Apple, Inc. v. Ameranth, Inc., CBM2015-00080, Paper 44 (P.T.A.B. Aug. 26, 2016)
Demaco Corp. v. F. Von Langsdorff Licensing Ltd., 851 F.2d 1387 (Fed. Cir. 1988)
Facebook, Inc. v. Software Rights Archive, LLC, IPR2013-00479, Paper 54 (P.T.A.B. Feb. 2, 2015)
GrafTech Int’l Holdings, Inc. v. Laird Techs. Inc., No. 2015-1796, 652 Fed. Appx. 973 (Fed. Cir. June 17, 2016)
Heart Failure Techs., LLC v. CardioKinetix, Inc., IPR2013-00183, Paper 12 (P.T.A.B. July 31, 2013)
J.T. Eaton & Co. v. Atl. Paste & Glue Co., 106 F.3d 1563 (Fed. Cir. 1997)
Johns Manville Corp. v. Knauf Insulation, Inc., IPR2015-01402, Paper 45 (P.T.A.B. Oct. 19, 2016)
Ormco Corp. v. Align Tech., Inc., 463 F.3d at 1299 (Fed. Cir. 2006)
ParkerVision v. Qualcomm, 621 F. App’x 1009 (Fed. Cir. 2015)
Universal Remote Control, Inc. v. Universal Elecs. Inc., IPR2014-01106, Paper 49 (PTAB Dec. 15, 2015)

Statutes

35 U.S.C. § 103(a)

REVISED LIST OF EXHIBITS

Exhibit No.  Description of Document

1001  U.S. Patent No. 8,225,408 (“the ’408 patent”)
1002  Declaration of Dr. Aviel D. Rubin
1003  U.S. Patent No. 7,636,945 (“Chandnani”)
1004  U.S. Patent No. 5,860,011 (“Kolawa”)
1005  U.S. Patent No. 7,284,274 (“Walls”)
1006  U.S. Patent No. 7,437,362 (“Ben-Natan” or the “Ben-Natan Patent”)
1007  Ron Ben-Natan, “Protecting Your Payload,” SQL Server Magazine, Vol. 5, No. 8 (August 2003) (the “Ben-Natan Article”)
1008  U.S. Patent No. 6,697,950 (“Ko”)
1009  U.S. Patent No. 7,210,041 (“Gryaznov”)
1010  Mihai Christodorescu & Somesh Jha, “Static Analysis of Executables to Detect Malicious Patterns,” Proc. of the 12th USENIX Security Symposium (Aug. 7, 2003) (“Christodorescu”)
1011  U.S. Patent No. 8,185,003 (“Bayliss”)
1012  U.S. Patent No. 7,546,234 (“Deb”)
1013  David Wagner and Drew Dean, “Intrusion Detection via Static Analysis,” In Proc. IEEE Symposium on Security and Privacy (2001) (“Wagner”)
1014  Microsoft Press, Computer Dictionary, 3rd ed. (1997)
1015  U.S. Patent No. 7,950,059 (“Aharon”)
1016  Yichen Xie, et al., “ARCHER: Using Symbolic, Path-Sensitive Analysis to Detect Memory Access Errors,” Proc. of the 10th ACM SIGSOFT International Symposium on Foundations of Software Engineering (Sept. 2003) (“ARCHER”)
1017  U.S. Patent No. 7,207,065 (“Chess”)
1018  James F. Power and Brian A. Malloy, “Program Annotation in XML: A Parse Tree-Based Approach,” 9th IEEE Working Conference on Reverse Engineering (Nov. 1, 2002) (“Power”)
1019  U.S. Patent No. 6,061,513 (“Scandura”)
1020  Stephen C. Johnson, “YACC: Yet Another Compiler Computer,” Bell Laboratories, Murray Hill, NJ (1978) (“YACC”)
1021  File History of U.S. Patent No. 8,225,408 (“408 File History”)
1022  Curriculum Vitae of Dr. Aviel Rubin
1023  F-SCRIPT, F-Secure Script Viruses Detector and Eliminator, Version 1.6, Data Fellows Corp. (1998-99)
1024  U.S. Patent Application Publication No. 2004/0181677 (“Hong”)
1025  Webster’s New World Computer Dictionary, 9th ed. (2001)
1026  David M. Chess and Steve R. White, “An Undetectable Computer Virus” (“Chess and White”)
1027  Symantec.com, “Updating virus definitions on a daily basis with Symantec AntiVirus”
1028  Wikipedia.org, “Lexical Analysis”
1029  Computer Desktop Encyclopedia, 2nd ed. (1999)
1030  David Patterson and John Hennessy, “Computer Organization & Design, The Hardware / Software Interface” (1994)
1031  U.S. Patent No. 5,996,059 (“Porten”)
1032  John Lockwood, “Internet Worm and Virus Protection for Very High-Speed Networks” (August 1998)
1033  Sebastian Gerlach and Roger D. Hersch, “DPS – Dynamic Parallel Schedules,” IEEE Press (2003)
1034  B. Ramakrishna Rau and Joseph A. Fisher, “Instruction-Level Parallel Processing: History, Overview, and Perspective,” The Journal of Supercomputing (1993)
1035  U.S. Patent Application No. 08/964,388
1036  U.S. Patent Application No. 09/539,667
1037  Webster’s New World Dictionary of Computer Terms, 5th ed. (1994)
1038  J. Mark Smith, et al., “Protecting a Private Network: The AltaVista Firewall,” Digital Technical Journal (1997)
1039  Martin Hitz and Behzad Montazeri, “Measuring Coupling and Cohesion in Object-Oriented Systems” (“Hitz”)
1040  Dictionary.com, “vis-à-vis”
1041  Testimony of Stephen R. Malphrus, “The ‘I Love You’ computer virus and the financial services industry,” Before the Subcommittee on Financial Institutions of the Committee on Banking, Housing, and Urban Affairs, U.S. Senate, May 18, 2000
1042  Jack D. Shorter, et al., “Aspects of Information Security: Penetration Testing Is Crucial for Maintaining System Security Viability,” Journal of Information Systems Technology and Planning, Volume 5, Issue 12 (Spring 2012)
1043  ccm.net, “The Klez Virus” (September 2015)
1044  Jakob Nielsen, “100 Million Websites”
1045  Margrethe H. Olson, “Remote Office Work: Changing Work Patterns In Space and Time” (March 1983)
1046  “Intrusion Detection Systems,” Group Test (Edition 2), An NSS Group Report (December 2001)
1047  Carey Nachenberg, “The Evolving Virus Threat” (“Nachenberg”)
1048  Dmitry O. Gryaznov, “Scanners of the Year 2000: Heuristics,” Virus Bulletin (1995)
1049  Emin Gun Sirer, et al., “Design and Implementation of a Distributed Virtual Machine for Networked Computers,” 33 ACM SIGOPS Operating Systems Review 202 (Dec. 5, 1999) (“Sirer”)
1050  Frederick B. Cohen, “A Short Course on Computer Viruses” (1990)
1051  United States Patent No. 5,842,002 (“Schnurer”)
1052  Hal Berghel, “The Client Side of the Web” (April 8, 1996)
1053  w3schools.com, “My First JavaScript Tutorial”
1054  Sarah Gordon and David Chess, “Attitude Adjustment: Trojans and Malware on the Internet”
1055  Stephane Bressan and Thomas Lee, “Information Brokering on the World Wide Web” (June 1997)
1056  David M. Chess, “Security Issues in Mobile Code Systems”
1057  Andrew W. Appel and Jens Palsberg, “Modern Compiler Implementation in Java,” 2nd ed. (2002)
1058  Graham Hutton, “Higher-Order Functions for Parsing” (July 1992)
1059  John Lockwood, et al., “An Extensible, System-On-Programmable-Chip, Content-Aware Internet Firewall”
1060  “M86 Security Acquires Finjan,” Reuters Business Wire (Nov. 3, 2009)
1061  Final Office Action, Ex Parte Reexamination of U.S. Patent No. 7,647,633 (May 22, 2015)
1062  Deposition Transcript of Nenad Medvidovic, IPR2015-02001 (Oct. 28, 2016)
1063  Exhibit 4, Deposition of Nenad Medvidovic, IPR2015-02001 (Oct. 28, 2016)
1064  Exhibit 6, Deposition of Nenad Medvidovic, IPR2015-02001 (Oct. 28, 2016)
1065  Deposition Transcript of Harry Bims, IPR2015-02001 (Oct. 25, 2016)
1066  Deposition Transcript of Sang Hui Kim, IPR2015-02001 (Oct. 19, 2016)

Petitioner’s Reply
IPR2015-02001

I. INTRODUCTION

Faced with prior art that discloses every limitation of the challenged claims, Finjan falls back on the “dynamically building” and “dynamically detecting” limitations in the ’408 patent, asserting that they are the points of novelty allegedly not taught by the prior art. But those limitations—which are barely mentioned in the ’408 patent specification—are expressly disclosed and obvious in light of Chandnani’s teachings. The “dynamically” limitations merely require that the claimed content scanner process an incoming data stream by passing packets of data from one analytical step to the next without waiting for the entire stream to pass through an earlier step, and Chandnani teaches this approach. Chandnani discloses (1) that the data stream may be “received via a network, such as the Internet” (Ex. 1003 at 4:35-38), (2) that its “script language virus detection methodologies may be performed on a file (or on a data stream received by the computer through a network) before the file is stored/copied/executed/opened on the computer” (id. at 9:12-16 (emphases added)), and (3) “to lexically analyze and parse a data stream” (Ex. 1003 at 6:27-31 (emphasis added)).

A person skilled in the art (“POSA”) would have understood Chandnani as teaching “dynamic” processing in view of the widespread knowledge that increasing processing speed (and reducing latency) has always been a fundamental goal of computer science, particularly in network-based communications. A POSA therefore would have found it obvious in light of Chandnani’s teachings to lexically analyze and parse the incoming data stream by passing the stream through a series of analytical steps without halting the stream at each step, which would be inconsistent with Chandnani’s teachings and defeat the universal goal of performing network-based analyses as quickly as possible. The obviousness of the “dynamic” limitations in light of Chandnani is confirmed by Walls, which shows that persons skilled in the art appreciated the benefits of pipelined data analysis.

Unable to directly distinguish Chandnani, Finjan ignores Chandnani’s broad teachings and focuses on an embodiment that scans a file already stored on a computer. But Chandnani also teaches a stream-based approach to analyzing content received over a network. Finjan’s characterization of those embodiments is inconsistent with Chandnani’s teachings as they would be understood by a POSA who was familiar with how data streams were transmitted over a network. Chandnani presumptively enables the full range of teachings it discloses. In light of those teachings, a POSA would have recognized that all elements of the challenged claims were obvious in light of Chandnani’s detection engine and the teachings of Kolawa, Walls, and/or Huang.

Finjan’s remaining arguments do not withstand scrutiny. For example, Finjan argues that Chandnani—which specifically teaches methods for detecting polymorphic script viruses—fails to teach detection of potential exploits. But the ’408 patent broadly defines “exploits” as “portions of code that are malicious,” and even Finjan’s experts admit that Chandnani detects malicious code. Chandnani’s pattern match methodologies are no different than those described in the challenged claims. Finjan also fails to address the argument that Chandnani itself suggests the use of a parse tree to store and analyze tokens. Finally, Finjan makes no effort to prove a nexus between the challenged claims and any alleged evidence of secondary considerations, so that evidence is entitled to no weight.

For each of these reasons, which are explained below, the Board should find that claims 1, 3-6, 9, 12-16, 18-23, 29, and 35 of the ’408 patent are obvious.

II. CLAIM CONSTRUCTION

In its Institution Decision, the Board adopted PAN’s proposed constructions for the “dynamically building” and “dynamically detecting” limitations. (Paper 7 at 8-10.) Finjan does not contest those constructions for purposes of this proceeding. (Paper 19 at 12-13.)

The Board provided constructions for the terms “parse tree” and “instantiating . . . a scanner for the specific programming language” that differ from those proposed by PAN. (Paper 7 at 8-12.) As the Board correctly noted, the same disclosures identified in the Petition teach the relevant limitations under the Board’s constructions and PAN’s proposed constructions. (Id. at 19.) Expert testimony supports the Board’s conclusion (Ex. 2010, Rubin Dep. at 92:14-106:10), and Finjan does not challenge the obviousness grounds in the Petition based on any differences between the Board’s constructions and those described in the Petition. (See Paper 19 at 12-13.)

III. “DYNAMIC” ANALYSIS OF A DATA STREAM WAS KNOWN IN 2004

Finjan attacks the sufficiency of Chandnani’s disclosure as it relates to the “dynamically building” and “dynamically detecting” limitations. (Paper 19 at 19-38.) Chandnani’s teachings must be interpreted in view of the knowledge of a POSA. KSR Int’l Co. v. Teleflex Inc., 127 S. Ct. 1727, 1731 (2007). At the time of the ’408 patent’s priority date in 2004, persons skilled in the art understood how to analyze a data stream “dynamically” and why it was beneficial to do so, and would have understood that Chandnani taught and suggested the “dynamic” stream-based analysis recited in the claims.

Modern computer networks are packet-based, meaning that content is transmitted as a series of data packets. (Ex. 1062, Medvidovic Dep. at 13:18-14-11, 60:17-61:11.) The content of a web page, for example, is typically fragmented into components that fit inside individual packets, which are transmitted in serial fashion from a web server to a client computer. (Ex. 1065, Bims Dep. at 20:21-21:9, 27:24-29:13.) The content scanner claimed in the ’408 patent processes an incoming data stream by passing each data packet in the stream sequentially through a tokenizer, a parser, and an analyzer. (Ex. 1062, Medvidovic Dep. at 14:22-17:18; Ex. 1001 at 19:45-20:7.)

The data packets that make up a typical web page contain HTML code and may also contain one or more scripts embedded within the HTML. (Ex. 1062, Medvidovic Dep. at 19:16-20:11.) Scripts are often used in web pages because, as “interpreted” programs, they do not have to be specially designed for a specific operating system. (Ex. 1002 at ¶ 51.) JavaScript files, for example, were (and are) used primarily to embed active content in web pages. (See Ex. 1053 at 1 (noting that JavaScript is “one of the 3 languages all web developers must learn” in order to “program the behavior of web pages”).)

Persons skilled in the art of malware detection before 2004 understood how to analyze the contents of data packets flowing through a network. (Ex. 1062, Medvidovic Dep. at 78:1-23; 83:3-84:23.) HTML files, for example, include tags that identify the programming language as HTML. (Id. at 22:18-23:6.) And at least by 1999, HTML files included start tags that specified the scripting language of an embedded script element. (See Ex. 1064, Medvidovic Dep. Ex. 6 at 29-30; Ex. 1062, Medvidovic Dep. at 73:19-76:21.) Because those tags alone were sufficient to identify the relevant scripting language, it was not necessary to download or analyze an entire file to determine the language—it was only necessary to use known techniques to analyze individual packets or, at most, a group of packets for known HTML or script tags. (Ex. 1062, Medvidovic Dep. at 23:20-24:22; 78:1-80:22; 83:3-84:23.)

Persons skilled in the art in 2004 were motivated to speed up the malware detection process. Faster processing speed has always been a goal of computing in general, and malware detection is no different. (Ex. 1062, Medvidovic Dep. at 65:6-16.) Dr. Medvidovic, Finjan’s expert, explained that processing speed has always been important in computer security applications because “very often that activity happens in real time.” (Id. at 68:20-69:17.) Since content is continuously arriving over a network, the incoming stream of data packets does not stop to wait for a security application to finish its processing—so the goal for security applications was to completely process the data stream as it passed. (See id.)

Dr. Bims, another Finjan expert, testified that the need to perform “realtime analysis” makes it obvious to analyze an incoming stream of programming code while it is still being received:

    As a person of ordinary skill, understanding the complexity of real-time analysis and the difficulty of performing such analysis with no user-perceptible delay, a person of ordinary skill would understand that techniques such as detecting, as well as the analyzing the parse tree nodes, would take place as the program code is being downloaded, and that potentially, exploits could be identified before the entire Web page content has been streamed to the computer.

(Ex. 1065, Bims Dep. at 30:4-15 (emphasis added); see also id. at 20:1-22:7, 26:1-28:24.) Performing real-time analysis on a stream of web content to minimize user-perceptible delay was no less important in 2004 than it is today. (See Ex. 1062, Medvidovic Dep. at 66:9-70:1.) Dr. Medvidovic’s and Dr. Bims’s testimony therefore confirms that a person skilled in the art who read Chandnani’s disclosure would have understood it to teach (and found it obvious) to tokenize, parse, and analyze the incoming program code as it was still being received. No more is required to satisfy the Board’s construction of “dynamically building” and “dynamically detecting.” (Paper 7 at 8-10.)

IV. GROUND 1: CHANDNANI IN VIEW OF KOLAWA RENDERS CLAIMS 1, 3-5, 9, 12-16, 18, 19, 22, 23, 29, AND 35 OBVIOUS UNDER 35 U.S.C. § 103(a)

As explained below, the teachings of Chandnani and Kolawa render every limitation of the challenged claims obvious. A POSA would have understood Chandnani to render every limitation of the challenged claims obvious, with or without Kolawa’s express parse tree teachings.

A. Chandnani renders obvious “dynamically building”

Finjan’s arguments with respect to this limitation ignore Chandnani’s express teachings about lexically analyzing and parsing a stream of data and the POSA’s knowledge of network-based communications discussed in Section III. Finjan also misinterprets Chandnani by incorrectly treating a “data stream” as a single discrete object, rather than a byte-by-byte flow of packetized data.

1. Chandnani renders obvious a detection process performed before the data stream is resident on the computer

Chandnani expressly discloses that the data stream may be “received via a network, such as the Internet” (Ex. 1003 at 4:35-38) and that its “script language virus detection methodologies may be performed on a file (or on a data stream received by the computer through a network) before the file is stored/copied/executed/opened on the computer” (Id. at 9:12-16 (emphases added)). The “dynamically building” limitation is obvious in light of these express disclosures.

The fact that Chandnani’s virus detection methodologies—which include tokenizing, parsing, and analyzing a data stream—are performed before an incoming file is stored on the computer means that the parsing operation is performed on at least part of the data stream before the entire stream is received, as the claims require under the Board’s construction. (See Ex. 1001 at 19:44-20:7; Paper 7 at 8-9.) More broadly, Chandnani’s disclosure taught or suggested that the packetized data in an incoming stream should be passed from one analytical step to the next without waiting for each step to analyze the entire stream.

Finjan argues that Chandnani’s analysis of an incoming file before it is stored on the computer “only means that the data stream is processed before a file represented by the data stream is stored, copied, executed, or opened.” (Paper 19 at 22.) Finjan’s argument is contrary to the plain language of the specification, which describes another embodiment in which the data stream may already exist as “a file” that is analyzed by the detection engine before being “stored” on the computer. (Ex. 1003 at 9:12-16.) And nothing in Chandnani indicates that the incoming data stream is received by the computer at some earlier point in time before being “stored” as a file. Finjan’s assertion to the contrary is nothing more than attorney argument, lacking even expert support. (See Paper 19 at 22.)

Moreover, even accepting Finjan’s argument that Chandnani discloses an embodiment where the data stream is generated from a file already resident on a computer, Chandnani still discloses an additional embodiment where the entire virus detection process is performed while the incoming stream is still being received. Even Finjan’s expert, Dr. Medvidovic, acknowledged that Chandnani describes at least one embodiment of a distributed (i.e., network-based) system. (Ex. 1062, Medvidovic Dep. at 105:8-106:5.) Dr. Medvidovic also acknowledged the distinction between two Chandnani embodiments, explaining that, while “a file is a collection of data available on a local computer[,] a data stream is a collection of data that comes across the network.” (Id. at 106:17-107:13.)

Consistent with Dr. Medvidovic’s testimony and Chandnani’s express teachings, the Board previously rejected Finjan’s argument that the data stream in Chandnani must be generated from a file already resident on the computer, noting in its Institution Decision that “Chandnani does not dissociate receipt of the subject file from scanning.” (Paper 7 at 17.) Finjan’s Response identifies no evidence that justifies a different conclusion now.

2. Chandnani renders obvious tokenizing a data stream while the stream is still being received

Finjan argues that “the data stream that Chandnani lexically analyzes to generate a stream of tokens must be resident on the computer before that lexical analysis begins.” (Paper 19 at 20.) Finjan cites Chandnani’s disclosure that “an exemplary process for tokenizing a data stream” includes two lexical analysis steps that operate on the data stream. (Paper 19 at 21-22; Ex. 1003 at 7:60-8:17.)

According to Finjan, by stating that “the data stream is lexically analyzed again,” Chandnani teaches that the entire data stream must be lexically analyzed the first time. But this description just means that two different operations—language detection and token generation—are performed on the data stream sequentially. (See id.) It does not suggest that each stage must analyze the entire stream before the next stage begins. (See § III, supra.) Finjan’s expert speculates that the stream could be stored in “buffer storage,” but that is mere speculation and that term does not appear in Chandnani. (See Ex. 2007 at ¶¶ 73-74.)

Finjan’s argument is based on the false assumption that a scanner must analyze an entire data stream to determine the language used in the stream. (See Paper 19 at 19-23.) But, as discussed above in Section III, it was unnecessary to scan an entire incoming data stream—i.e., every data packet that made up one or more web pages—in order to determine the relevant language. (Ex. 1062, Medvidovic Dep. at 18:11-20:11, 22:21-23:6, 23:20-24:22, 73:19-76:21, 78:1-23.) Persons skilled in the art knew how to identify a scripting language based on a single tag in a single data packet, rather than waiting to receive an entire data stream. (See id.; § III, supra.)

Finjan also ignores the fact that Chandnani generates tokens by examining each character in the data stream, checking for a match against a state transition table, and, depending on the result of that comparison, outputting a token—all before retrieving the next character from the data stream. (Ex. 1003 at 8:17-31 (emphasis added).) Thus, it would have been obvious that the tokenization stage processes individual characters one at a time, rather than as a single, undifferentiated block of data, because each pattern match check is interleaved with the step of retrieving the next character from the data stream. (See id.) And since each subsequent character is retrieved from the data stream, rather than from a file or some fixed object, it would have been obvious that the lexical analyzer tokenized the stream while the data stream was still being received. Any other interpretation would contradict the universally understood goal of processing in real time. (Ex. 1062, Medvidovic Dep. at 65:6-16, 68:20-69:17.)

3. Chandnani renders obvious parsing a token stream

Finjan next argues that Chandnani does not disclose parsing, and that parsing is completely distinct from lexical analysis. (Paper 19 at 25-26.) Finjan is wrong on both counts.

First, Finjan’s assertion that Chandnani does not disclose parsing the data stream (Paper 19 at 26; Ex. 2007 at ¶ 75) is mistaken. Chandnani expressly states that its detection engine lexically analyzes and parses the data stream:

    The language description data for a target script language is a representation of the language definition rules and the language check rules (if defined) sufficient for the detection engine 63 to lexically analyze and parse a data stream. (Ex. 1003 at 6:27-31 (emphasis added).)

Chandnani also provides an exemplary “grammar rule,” or series of operations, “for parsing a[n] IF-THEN conditional statement in a hypothetical script language.” (Id. at 6:10-12 (emphasis added).) Chandnani further teaches that this grammar rule represents a pattern of tokens that corresponds to a particular grammatical construct. (See id. at 5:63-6:9.) Thus, Chandnani renders obvious the same parsing methodology described in the claims of the ’408 patent. (See Ex. 1001 at 19:45-20:7.)

Chandnani also discloses that its detection engine analyzes the token stream output by the lexical analyzer to identify patterns that correspond to specified grammatical constructs:

    The data stream, in an embodiment in which the target script languages are defined by pattern matching rules and the patterns are associated with output tokens (described above), may be converted to a stream of tokens. (Ex. 1003 at 7:50-54.)

    * * * * *

    If the check is a pattern match, the token stream is analyzed lexically using the pattern match detection data and language description data (step 44). In step 45, it is determined whether there is a pattern match. (Ex. 1003 at 8:50-53 (emphasis added).)

The fact that this operation relies on “language description data” and “pattern match data” confirms that it includes parsing, since this data defines grammatical constructs in terms of tokens and patterns of tokens. (Id. at 5:38-7:27.)

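As an added illustration (not part of the filing, and not code from Chandnani, the ’408 patent, or any party), the Python example below runs the pipeline discussed in Sections IV.A.2 and IV.A.3: a tokenizer driven by a state transition table emits each token before the next character is retrieved, and a detector matches a pattern of tokens while packets are still arriving. The transition table, the token rule, and the packet contents are constructed assumptions.

```python
from collections import deque


def char_class(ch):
    """Map a character to the class used as a column of the transition table."""
    if ch.isalpha() or ch == "_":
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return "punct"


# Constructed state transition table: (state, character class) -> next state.
# A missing entry means the pending token ends before the current character.
TRANSITIONS = {
    ("start", "alpha"): "ident",
    ("ident", "alpha"): "ident",
    ("ident", "digit"): "ident",
    ("start", "digit"): "number",
    ("number", "digit"): "number",
    ("start", "space"): "start",  # whitespace never becomes a token
}


class StreamTokenizer:
    """Character-at-a-time lexer whose state survives across packet boundaries."""

    def __init__(self):
        self.state, self.lexeme = "start", ""

    def feed(self, chunk):
        """Consume one packet and yield each token as soon as it is complete."""
        for ch in chunk:
            cls = char_class(ch)
            nxt = TRANSITIONS.get((self.state, cls))
            if nxt is None:
                if self.lexeme:                      # pending token is finished
                    yield (self.state, self.lexeme)
                self.state, self.lexeme = "start", ""
                if cls == "punct":                   # punctuation: one-char token
                    yield ("punct", ch)
                    continue
                nxt = TRANSITIONS[("start", cls)]
            self.state = nxt
            if nxt != "start":
                self.lexeme += ch

    def close(self):
        """Flush the token still pending when the stream ends."""
        if self.lexeme:
            yield (self.state, self.lexeme)
        self.state, self.lexeme = "start", ""


class PatternDetector:
    """Reports a match when the most recent tokens equal the rule's pattern."""

    def __init__(self, rule):
        self.rule = tuple(rule)
        self.window = deque(maxlen=len(self.rule))

    def push(self, token):
        self.window.append(token)
        return tuple(self.window) == self.rule


def scan_stream(chunks, rule):
    """Tokenize and match packet by packet; stop pulling packets on a match."""
    tokenizer, detector = StreamTokenizer(), PatternDetector(rule)
    consumed = received = 0

    def result(hit):
        return {"detected": hit, "chunks_consumed": consumed, "bytes_seen": received}

    for chunk in chunks:
        consumed += 1
        received += len(chunk)
        for token in tokenizer.feed(chunk):
            if detector.push(token):
                return result(True)
    return result(any(detector.push(t) for t in tokenizer.close()))


# Hypothetical detection rule, expressed as a pattern of tokens.
RULE = [("ident", "eval"), ("punct", "("), ("ident", "unescape"), ("punct", "(")]

# Constructed packets of one web page; tokens are split across packet boundaries.
PACKETS = [
    '<html><body><script langu',
    'age="JavaScript">var x = 1; ev',
    'al(unesc',
    'ape("%61%6c") );',
    '</script><p>rest of page</p>',
    '</body></html>',
]

if __name__ == "__main__":
    print(scan_stream(iter(PACKETS), RULE))
```

The match is reported after the fourth of six packets, so the last two are never pulled from the stream; because matching is done on tokens, whitespace between them does not defeat the rule.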

The ’408 patent itself makes clear that its parsing rules describe “patterns of tokens that form syntactical constructs of program code.” (Ex. 1001 at 2:8-13.) Dr. Bims confirmed during his deposition that “parsing” involves identifying tokens and patterns of tokens. (Ex. 1065, Bims Dep. at 17:8-18.) Dr. Medvidovic likewise testified that parsing is the process of identifying patterns of tokens. (Ex. 1062, Medvidovic Dep. at 38:2-6.) This is exactly what Chandnani describes, whether or not
