`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`____________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`____________________
`
`Palo Alto Networks, Inc.,
`Petitioner
`
`v.
`
`Finjan, Inc.,
`Patent Owner
`
`
`Patent No. 8,141,154
`Issue Date: Mar. 20, 2012
`Title: System and Method for Inspecting Dynamically Generated Executable Code
`
`____________________
`
`Inter Partes Review No. IPR2016-00151
`
`
`
`
`
`PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,141,154
`
`
`
`va-461570
`
`
`
`
`
`TABLE OF CONTENTS
`
`Page
`
`PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO.
`8,141,154 ........................................................................................................ 1
`
`I.
`
`INTRODUCTION .......................................................................................... 1
`
`II.
`
`SUMMARY OF THE ’154 PATENT ............................................................ 2
`
`A.
`
`B.
`
`Background .......................................................................................... 2
`
`Purported features of the ’154 Patent ................................................... 4
`
`a.
`b.
`c.
`
`Content modifier .............................................................. 4
`Content processor ............................................................ 5
`Input inspector ................................................................. 6
`
`C.
`
`The claims of the ’154 patent ............................................................... 7
`
`III. CLAIM CONSTRUCTION ........................................................................... 7
`
`A.
`
`“dynamically generated” ...................................................................... 8
`
`IV. SUMMARY OF THE PRIOR ART OF THE ’154 PATENT
`FORMING THE BASIS OF THIS PETITION ............................................. 9
`
`A.
`
`Ross ...................................................................................................... 9
`
`Hook script generator (i.e., content modifier) ......................... 11
`1.
`Script Processing Engine (i.e., content processor) .................. 12
`2.
`Decision Service (i.e., content inspector) ................................ 12
`3.
`Calder ................................................................................................. 13
`
`B.
`
`V.
`
`IDENTIFICATION OF CHALLENGE (37 C.F.R. §42.104(B)) ................ 14
`
`A. GROUND 1: Claims 1-8 and 10-11 are invalid as obvious over
`Ross. ................................................................................................... 14
`
`1.
`
`Ross renders independent claim 1 and its dependent
`claims 2-3 obvious under 35 U.S.C. §103(a). .......................... 14
`a.
`Claim 1 ........................................................................... 14
`
`(i)
`
`[1.P]: A system for protecting a computer
`from dynamically generated malicious
`content ................................................................. 14
`
`va-461570
`
`i
`
`
`
`(ii)
`
`(iii)
`
`(iv)
`
`(v)
`
`(vi)
`
`[1.1.a] a content processor (i) for processing
`content received over a network.......................... 15
`[1.1.b] the content including a call to a first
`function, and the call including an input ............. 16
`[1.1.c] and (ii) for invoking a second
`function with the input, only if a security
`computer indicates that such invocation is
`safe ....................................................................... 18
`[1.2] a transmitter for transmitting the input
`to the security computer for inspection,
`when the first function is invoked ....................... 20
`[1.3] a receiver for receiving an indicator
`from the security computer whether it is safe
`to invoke the second function with the input ...... 21
`
`b.
`
`Claim 2 ........................................................................... 22
`
`(i)
`
`(ii)
`
`[2.1] wherein said content processor
`suspends processing of the content after said
`transmitter transmits the input to the security
`computer .............................................................. 22
`[2.2] and resumes processing of the content
`after said receiver receives the indicator
`from the security computer. ................................ 23
`
`c.
`
`Claim 3 ........................................................................... 23
`
`(i)
`
`[3.1]: wherein the input is dynamically
`generated by said content processor prior to
`being transmitted by said transmitter .................. 23
`
`2.
`
`Ross renders independent claim 4 and its dependent
`claim 5 obvious under 35 U.S.C. §103(a)................................ 25
`a.
`Claim 4 ........................................................................... 25
`
`(i)
`
`(ii)
`
`(iii)
`
`[4.P]: A non-transitory computer-readable
`storage medium storing program code for
`causing a computing device to ............................ 26
`[4.1]: process content received over a
`network, the content including a call to a
`first function, and the call including an input ..... 26
`[4.2]: transmit the input for inspection, when
`the first function is invoked, and suspend
`processing of the content ..................................... 27
`
`va-461570
`
`ii
`
`
`
`(iv)
`
`(v)
`
`(vi)
`
`[4.3]: receive an indicator of whether it is
`safe to invoke a second function with the
`input ..................................................................... 27
`[4.4.a]: resume processing of the content
`after receiving the indicator................................. 28
`[4.4.b]: and invoke the second function with
`the input only if the indicator indicates that
`such invocation is safe ......................................... 28
`
`b.
`
`Claim 5 ........................................................................... 29
`
`(i)
`
`[5.1] wherein the program code causes the
`computer device to dynamically generate the
`input prior to transmitting the input for
`inspection ............................................................. 29
`
`3.
`
`Ross renders independent claim 6 and its dependent
`claims 7-8 obvious under 35 U.S.C. §103(a). .......................... 29
`a.
`Claim 6 ........................................................................... 29
`
`(i)
`
`(ii)
`
`(iii)
`
`(iv)
`
`(v)
`
`(vi)
`
`[6.P]: A system for protecting a computer
`from dynamically generated malicious
`content ................................................................. 29
`[6.1.a] a content processor for processing
`content received over a network, the content
`including a call to a first function, and the
`first function including an input variable ............ 29
`[6.1.b] and for calling a second function
`with a modified input variable. ........................... 30
`[6.2]: a transmitter for transmitting the input
`variable to a security computer for
`inspection, when the first function is called ........ 31
`[6.3]: a receiver for receiving the modified
`input variable from the security computer .......... 32
`[6.4] wherein the modified input variable is
`obtained by modifying the input variable if
`the security computer determines that
`calling a function with the input variable
`may not be safe .................................................... 32
`
`b.
`
`Claim 7 ........................................................................... 33
`
`va-461570
`
`iii
`
`
`
`(i)
`
`(ii)
`
`[7.1.a]wherein said content processor
`suspends processing of the content after said
`transmitter transmits the input variable to the
`security computer, and ........................................ 33
`[7.1.b]: resumes processing of the content
`after said receiver receives the modified
`input variable from the security computer .......... 33
`
`c.
`
`Claim 8 ........................................................................... 34
`
`(i)
`
`[8.1]: wherein the input variable in
`dynamically generated by said content
`processor prior to being transmitted by said
`transmitter ............................................................ 34
`
`4.
`
`Ross renders independent claim 10 and its dependent
`claim 11 obvious under 35 U.S.C. §103(a).............................. 34
`a.
`Claim 10 ......................................................................... 34
`
`(i)
`
`(ii)
`
`(iii)
`
`[10.P]: A non-transitory computer-readable
`storage medium storing program code for
`causing a computing device to ............................ 34
`[10.1]: process content received over a
`network, the content including a call to a
`first function, and the first function
`including an input variable .................................. 34
`[10.2]: transmit the input variable for
`inspection, when the first function is called,
`and suspend processing of the content ................ 35
`[10.3]: receive a modified input variable ............ 35
`[10.4.a] resume processing of the content
`after receiving the modified input variable,
`and ....................................................................... 35
`[10.4.b] calling a second function with the
`modified input variable ....................................... 36
`(vii) [10.5] wherein the modified input variable is
`obtained by modifying the input variable if
`the inspection of the input variable indicates
`that calling a function with the input
`variable may not be safe ...................................... 36
`
`(iv)
`(v)
`
`(vi)
`
`b.
`
`Claim 11 ......................................................................... 36
`
`va-461570
`
`iv
`
`
`
`(i)
`
`[11.1] wherein the program code causes the
`computer device to dynamically generate the
`input variable prior to transmitting the input
`variable for inspection ......................................... 36
`
`B. GROUND 2: Claims 9 and 12 are invalid as obvious over Ross
`in view of Calder. ............................................................................... 37
`
`1.
`2.
`
`3.
`
`Prima Facie case for obviousness ........................................... 37
`Claim 9 ..................................................................................... 38
`[9.1] wherein the input variable includes a
`(i)
`call to an additional function ............................... 38
`[9.2] and wherein the modified input
`variable includes a call to a modified
`additional function instead of the call to the
`additional function ............................................... 40
`
`(ii)
`
`Claim 12 ................................................................................... 41
`[12.1] wherein the input variable includes a
`(i)
`call to an additional function ............................... 41
`[12.2] and wherein the modified input
`variable includes a call to a modified
`additional function instead of the call to the
`additional function ............................................... 41
`
`(ii)
`
`VI. MANDATORY NOTICES UNDER 37 C.F.R. §42.8(A)(1) ...................... 42
`
`A.
`
`B.
`
`C.
`
`Real Parties-In-Interest Under 37 C.F.R. §42.8(b)(1) ........................ 42
`
`Related Matters Under 37 C.F.R. §42.8(b)(2) ................................... 42
`
`Lead and Back-Up Counsel ................................................................ 42
`
`VII. STANDING (37 C.F.R. §42.104(A)) ........................................................... 43
`
`VIII. CONCLUSION ............................................................................................. 43
`
`
`
`va-461570
`
`v
`
`
`
`
`CASES
`
`TABLE OF AUTHORITIES
`
`Page(s)
`
`Finjan, Inc. v. Blue Coat Systems, Inc.,
`5-13-cv-03999-BLF (N.D. Cal. Aug. 28, 2013) ................................................. 42
`
`Finjan, Inc. v. Blue Coat Systems, Inc.,
`5-15-cv-03295-BLF (N.D. Cal. July 15, 2015) .................................................. 42
`
`Finjan, Inc. v. Palo Alto Networks, Inc.,
`3-14-cv-04908-JSC (N.D. Cal. Nov. 4, 2014) .................................................... 42
`
`Finjan Software, Ltd. v. Aladdin Knowledge Systems, Inc. et al,
`1-08-cv-00300-GMS (D. Del. May 21, 2008) .................................................... 42
`
`In re Paulsen,
`30 F.3d 1475 (Fed. Cir. 1994) .............................................................................. 8
`
`In re Translogic Tech., Inc.,
`504 F.3d 1249 (Fed. Cir. 2007) ............................................................................ 8
`
`Phillips v. AWH Corp.,
`415 F.3d 1303 (Fed. Cir. 2005) ............................................................................ 7
`
`STATUTES
`
`35 U.S.C. §102(b) .................................................................................................... 13
`
`35 U.S.C. §102(e) ...................................................................................................... 9
`
`35 U.S.C. §103(a) .............................................................................................passim
`
`35 U.S.C. §§ 311-319................................................................................................. 1
`
`OTHER AUTHORITIES
`
`37 C.F.R. §42.8(a)(1) ............................................................................................... 42
`
`37 C.F.R. §42.8(b)(1) ............................................................................................... 42
`
`37 C.F.R. §42.8(b)(2) ............................................................................................... 42
`
`va-461570
`
`vi
`
`
`
`37 C.F.R. §42.8(b)(4) ............................................................................................... 43
`
`37 C.F.R. §42.100(b) ................................................................................................. 7
`
`37 C.F.R. §42.100 et seq. ........................................................................................... 1
`
`37 C.F.R. §42.104(A)............................................................................................... 43
`
`37 C.F.R. §42.104(B) ............................................................................................... 14
`
`37 CFR §42.6(e)(4)(i) et seq. ................................................................................... 45
`
`37 CFR §42.105(b) .................................................................................................. 45
`
`va-461570
`
`vii
`
`
`
`Exhibit
`No.
`
`EXHIBIT LIST
`
`Description
`
`1001 U.S. Patent No. 8,141,154 "the '154 Patent"
`
`1002
`
`Declaration of Dr. Aviel D. Rubin in Support of Petition for Inter
`Partes Review
`
`1003 U.S. Publication No. 2007/0113282 A1 "Ross"
`
`1004 U.S. Publication No. 2002/0066022 A1 "Calder"
`
`va-461570
`
`viii
`
`
`
`Petitioner Palo Alto Networks, Inc. respectfully petitions for inter partes
`
`review of claims 1-12 of U.S. Patent No. 8,141,154 (“the ’154 patent” (Ex. 1001))
`
`in accordance with 35 U.S.C. §§ 311-319 and 37 C.F.R. § 42.100 et seq.
`
`I.
`
`INTRODUCTION
`
`The ’154 patent is directed to a “system and method for inspecting
`
`dynamically generated executable code.” (’154 patent, title). However, as detailed
`
`below, not only were such “inspections” of dynamically generated executable code
`
`well known long before the priority date of the ’154 patent, the precise system and
`
`structure for inspecting such code that the ’154 patent alleges to be inventive were
`
`also well-known (Rubin Decl. ¶ 54-87.)
`
`At its core, the ’154 patent discloses and claims a system for inspecting
`
`executable code that: (i) receives content (including the executable code to be
`
`inspected) over a network at a content processor, (ii) transmits the code to a
`
`security computer for inspection, and (iii) executes the executable code if the
`
`security computer indicates that such code is safe. This type of inspection system
`
`was well-known long before the priority date of the ’154 patent.
`
`Petitioner presents U.S. Patent Publication 2007/0113282 to Ross (“Ross”
`
`(Ex. 1003)), which teaches a system for inspecting executable code that utilizes a
`
`decision service (i.e., a security computer) to inspect executable code that is
`
`substantially identical to the alleged invention of the ’154 patent. For claims with
`
`va-461570
`
`1
`
`
`
`additional limitations, Petitioner adds additional references that show how these
`
`associated limitations were obvious to one of ordinary skill in the art. Ross was not
`
`cited during prosecution of the ’154 patent. If the Examiner had been aware of
`
`Ross, the claims would not have been allowed. Thus, each and every claim of the
`
`’154 patent is obvious in view of the cited references. Section II of this petition
`
`summarizes the ’154 patent. Section III provides claim constructions for a number
`
`of limitations. Section IV of this petition summarizes the prior art asserted in this
`
`petition. Section V sets forth the detailed grounds for invalidity. This showing is
`
`accompanied by the Declaration of Dr. Aviel D. Rubin, Ph.D (“Rubin Decl.,” Ex.
`
`1002). Petitioner respectfully requests a Decision to institute inter partes review
`
`based on the grounds presented below.
`
`II.
`
`SUMMARY OF THE ’154 PATENT
`
`A. Background
`
`The ’154 patent is directed to a system that protects a computer from being
`
`infected by a computer virus. (See Rubin Decl. ¶ 36.) As an example, in the system
`
`described by the ’154 patent, a piece of web content can be received over the
`
`internet and is modified, prior to execution, so that when executed by a client
`
`computer, one or more functional calls and inputs associated with the web content
`
`are routed to an external security computer. (Id.) The security computer inspects
`
`the web content, determines if it is safe to be executed, and if it is, the security
`
`va-461570
`
`2
`
`
`
`computer sends an indication to the client computer that it can process the original
`
`web content. (Id.)
`
`The system that implements the above process includes three central
`
`components: (i) a content modifier, (ii) a content processor, and (iii) a content
`
`inspector.
`
`FIG. 2 of ’154 (reproduced below with annotations) illustrates how each of
`
`these components is placed within the system.
`
`(3)
`
`(2)
`
`(1)
`
`The content modifier receives the web content and modifies it so that when
`
`the web content is executed by a content processor, the web content is sent to a
`
`
`
`va-461570
`
`3
`
`
`
`content inspector. The content inspector analyzes the web content, and if it
`
`determines that the content is safe, the content inspector will send an indication
`
`back to the content processor indicating that the original web content can be
`
`processed. (Rubin Decl. ¶ 39.)
`
`As discussed in detail below, each of these components serves to provide a
`
`system that “can shield computers from dynamically generated malicious code
`
`without running on the computer itself that is being shielded.” (’154 Patent, 4:23-
`
`26).
`
`B.
`
`Purported features of the ’154 Patent
`
`a.
`
`Content modifier
`
`As discussed above, the content modifier described
`
`by the ’154 patent receives web content and modifies it so
`
`that the web content will be inspected by the content
`
`(1)
`
`modifier. (Rubin Decl. ¶ 41.)
`
`The ’154 patent describes this “modified content” as
`
`“substitute functions” that replace original function calls.
`
`The “substitute functions” take the original function call as
`
`an input and when the substitute function is called, the input (i.e., the original
`
`function) is sent to a security computer for inspection. (’154 patent, 9:36-37, 9:55-
`
`60). The content modifier simply adds additional code to the original function call,
`
`va-461570
`
`4
`
`
`
`so that when encountered by the content process, the original function is forwarded
`
`to a security computer for inspection. (Rubin Decl. ¶ 42.)
`
`b.
`
`Content processor
`
`As discussed above, the content processor is the
`
`component that receives the modified content, processes
`
`(2)
`
`the modified content, and once the content inspector
`
`indicates that it’s safe, also processes the original web
`
`content. (Rubin Decl. ¶ 43.)
`
`The ’154 patent states that the content processor “processes the modified
`
`content generated by [the] content modifier.” (’154 Patent, 10:60-61.) As the ’154
`
`patent explains, the “[c]ontent processor may be a web browser running on [a]
`
`client computer. When [the] content processor invokes the substitution function
`
`call, the input is passed to [a] security computer for inspection. (Id., 10:61-64.)
`
`(Rubin Decl. ¶ 44.)
`
`The ’154 patent explains that while the input is inspected by the security
`
`computer, the processing of the modified content is “suspended until [the] security
`
`computer returns its inspection results to [the] client computer.” (’154 patent,
`
`10:62-66.) Once the content processor receives the inspection results, the client
`
`computer resumes processing of the modified content, so long as the inspection
`
`results indicate that the inspected input is safe. (’154 patent, 10:64-11:4.) If
`
`va-461570
`
`5
`
`
`
`however, the inspected input is determined to be unsafe, the content processor does
`
`not invoke the original function call. (Id.) (Rubin Decl. ¶ 45.)
`
`c.
`
`Input inspector
`
`As described above, the input inspector
`
`analyzes the original web content, determines if
`
`it is safe, and if it is found to be safe, sends an
`
`(3)
`
`indication to a client computer.
`
`The ’154 patent explains that the input
`
`inspector “scans the input to determine the
`
`potentially malicious operations that it may perform.” (’154 patent, 11:13-15.) The
`
`’154 patent alleges that by receiving the input “from [the] client computer during
`
`run-time, after [the] client computer has invoked the substitute call, the input has
`
`been already been dynamically generated by [the] content processor and can thus
`
`be readily analyzed.” (’154 patent, 12:7-11.) (Rubin Decl. ¶ 47.)
`
`The input inspector may also indicate when an input should be modified in
`
`order to render it safe for execution. As explained in the ’154 patent, a separate
`
`component called an input modifier may be included with the security computer,
`
`and can return modified content to the content processor if the input inspector
`
`determines that such modification is necessary. (’154 patent, 4:51-54, 10:1-6,
`
`10:67-11:4, 14:61-15:7.) (Rubin Decl. ¶ 48.)
`
`va-461570
`
`6
`
`
`
`C. The claims of the ’154 patent
`
`The claims of the ’154 patent broadly claim the features discussed above. As
`
`discussed in detail in the substantive grounds of this petition, the independent
`
`claims of the ’154 recite a first function (i.e., a modified function”) that includes an
`
`“input” that is processed by a content processor and sent to a “security computer.”
`
`The independent claims also recite invoking a “second function” (i.e., the original
`
`function [pre-modification]) “only if a security computer indicates that such
`
`invocation is safe.” (’154 patent, claim 1.)
`
`The dependent claims of the ’154 patent also broadly recite features such as
`
`“suspend” and resuming of the “second function”, “dynamically generated” inputs,
`
`and the invocation of “additional functions.” As will be shown further below, these
`
`broad recitations of features are readily taught or suggested by the references
`
`presented in the petition.
`
`III. CLAIM CONSTRUCTION
`
`Petitioner notes that a claim is given the “broadest reasonable construction in
`
`light of the specification” in inter partes review. See 37 C.F.R. §42.100(b). 1 Under
`
`
`1 In accordance with 37 C.F.R. § 42.100(b), Petitioner provides the broadest
`
`reasonable construction for the challenged claims. Petitioner notes that this is not
`
`the appropriate claim construction standard in litigation. Phillips v. AWH Corp.,
`
`415 F.3d 1303 (Fed. Cir. 2005). Accordingly, Petitioner may propose a different
`
`va-461570
`
`7
`
`
`
`the broadest reasonable construction standard, claim terms are given their ordinary
`
`and customary meaning, as would be understood by one of ordinary skill in the art
`
`in the context of the entire disclosure. In re Translogic Tech., Inc., 504 F.3d 1249,
`
`1257 (Fed. Cir. 2007). An inventor may rebut that meaning by providing a
`
`definition of the term in the specification with reasonable clarity, deliberateness,
`
`and precision. In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994).
`
`A.
`
`“dynamically generated”
`
`The claim term “dynamically generated” appears in dependent claims 3, 5, 8
`
`and 11. Based on the claim language, the specification and the understanding of a
`
`person of ordinary skill in the art, the broadest reasonable interpretation of the term
`
`“dynamically generate[d]” is: “generate[d] at run-time.”
`
`Claims 3, 5, 8, and 11 each recite that the input associated with the first
`
`function is “dynamically generate[d].” These dependent claims make clear that the
`
`input is generated while the content processor is processing the content and
`
`invoking the functions (i.e., during run-time). (Rubin Decl. ¶ 52.)
`
`The proposed construction is also consistent with the specification of the
`
`’154 patent. The ’154 patent is replete with disclosure equating dynamically
`
`generated inputs to inputs that are generated at run-time. In one example, the ’154
`
`
`claim construction in litigation or may argue that the challenged claims are invalid
`
`under 35 U.S.C. §§ 101, 102, 103, or 112.
`
`va-461570
`
`8
`
`
`
`patent explains that “viruses take advantage of features of dynamic HTML
`
`generation . . . to generate themselves on the fly at run time.” (’154 patent, 3:35-
`
`37.) In another example, the ’154 patent states that “[s]ince the input to the
`
`function is being passed at run-time, it has already been dynamically generated.”
`
`(’154 patent, 4:43-45.) Thus, one of ordinary skill in the art at the time of the ’154
`
`patent would have understood the term “dynamically generate[d],” as used in the
`
`’154 patent, to mean “generate[d] at run-time.” (Rubin Decl. ¶ 53.)
`
`IV. SUMMARY OF THE PRIOR ART OF THE ’154 PATENT FORMING
`THE BASIS OF THIS PETITION
`
`A. Ross
`
`Ross2, like the ’154 patent, is directed to a system that protects a computer
`
`from being infected by a computer virus. Like the ’154 patent, the system in Ross
`
`receives web content, modifies it so that it is can be analyzed by a security
`
`computer, and then executes the original content if the security computer
`
`determines that the content is safe. (Rubin Decl. ¶ 92.)
`
`
`2 Ross (U.S. Patent Pub. 2007/0113282) published from an application filed
`
`on November 17, 2005 and thus qualifies as prior art under § 102(e) based on the
`
`earliest effective priority date of the ’154 patent. Ross was not considered during
`
`the original prosecution of the ’154 patent.
`
`va-461570
`
`9
`
`
`
`The system in Ross for detecting and disabling malicious script code is
`
`illustrated in FIG. 6 (reproduced below with annotations). The system includes
`
`three main components: (1) a hook script generator, (2) a script processing engine,
`
`and (3) a decision service.
`
`(1)
`
`(2)
`
`(3)
`
`As detailed below, each of these components operate in substantially the
`
`same manner as the (1) content modifier, (2) content processor, and (3) content
`
`inspector described in the ’154 patent.
`
`
`
`
`
`
`
`va-461570
`
`10
`
`
`
`1. Hook script generator (i.e., content modifier)
`
`Ross’ hook script generator operates in
`
`substantially the same manner as the content modifier
`
`(1)
`
`disclosed in the ’154 patent. (Rubin Decl. ¶ 95.) Ross
`
`discloses a script injector that receives data (HTTP)
`
`content, and hook scripts generated from a hook script generator. Ross explains
`
`that the hook script generator receives data content, which is content downloaded
`
`from a web page and may include “a script program with one or more original
`
`functions for execution [by] the receiving client.” (Ross ¶ 34.) Ross describes the
`
`hook script generator as “receiv[ing] some portion or all of data content 602 and
`
`supply[ing] a generated script code including one or more hook functions
`
`configured to replace corresponding original functions [contained within the data
`
`content].” (Id.) Ross explains that the“process of substituting an original function
`
`or method with a filtered function [i.e., hook script] can be denoted [as]
`
`instantiating a ‘hooked’ process.” (Id.)
`
`Ross further explains that the hooked processes “are installed before any
`
`other script on the web page loads, ensuring that any script provided as a part of
`
`the data content, such as a web page, will call the new hooked function.” (Ross
`
`¶ 35.) Thus, in substantially the same manner as the content modifier produces a
`
`modified first function as disclosed in the ’154 patent, the hook script generator
`
`va-461570
`
`11
`
`
`
`takes in original functions from the HTTP data content (i.e., scripts) and substitutes
`
`them with “hooked” functions. (Rubin Decl. ¶ 96.)
`
`2.
`
`Script Processing Engine (i.e., content processor)
`
`Ross’ script processing engine operates in
`
`(2)
`
`substantially the same manner as the content
`
`processor disclosed in the ’154 patent. (Rubin
`
`Decl. ¶ 97.) Ross states that the script processing engine “is configured to receive
`
`and process a combination of the hook script and the data content.” (Ross ¶¶ 10-
`
`13.) As part of the processing, the script processing engine can pass information
`
`about the data content and the hook functions to a decision service for a
`
`determination as to whether the data content contains malicious code. (Id. ¶¶ 35-
`
`36.) Ross states that the script processing engine can be implemented using a web
`
`browser and can translate the web content it receives (e.g. the HTTP data content
`
`and the hook scripts) into one or more client actions. (Id. ¶ 23.)
`
`3.
`
`Decision Service (i.e., content inspector)
`
`Ross’ decision service operates in
`
`(3)
`
`substantially the same manner as the content
`
`modifier disclosed in the ’154 patent. (Rubin Decl.
`
`¶ 98.) Ross states that the decision service “can receive messages describing the
`
`run-time behavior of JavaScript that has been loaded in web browser and
`
`va-461570
`
`12
`
`
`
`determine whether the suspected malicious code behavior should be allowed or
`
`prohibited as well as provide event logging by recording when one or more
`
`different types of behavior … occurs.” (Ross ¶ 36.)
`
`Once the decision service indicates that a suspected malicious code is safe,
`
`Ross discloses that the decision information is passed back to the script processing
`
`engine in order to execute the original function. (Ross ¶ 37.)
`
`B. Calder
`
`Calder (U.S. Patent Publication 2002/0066022) (“Calder” (Ex. 1004))
`
`published on May 30, 2002 and is thus prior art to the ’154 patent under pre-AIA
`
`35 U.S.C. §102(b).
`
`Calder teaches a system directed to “securing an application for execution on
`
`a computer.” (Calder, Title). Like Ross, Calder teaches the use of a content
`
`inspector (referred to in Calder as an interceptor module). (Rubin Decl. ¶ 100.)As
`
`discussed in detail below, the interceptor module in Calder teaches that input
`
`variables passed to the interceptor module can include a call to a function, and that
`
`modified variables sent to the interceptor module can include calls to modified
`
`functions. Thus Calder, in combination with Ross, renders various dependent
`
`claims obvious, as explained below.
`
`va-461570
`
`13
`
`
`
`V.
`
`IDENTIFICATION OF CHALLENGE (37 C.F.R. §42.104(B))
`
`A. GROUND 1: Claims 1-8 and 10-11 are invalid as obvious over
`Ross.
`
`1.
`
`Ross renders independent claim 1 and its dependent claims
`2-3 obvious under 35 U.S.C. §103(a).
`
`a.
`
`Claim 1
`(i)
`
`[1.P]: A system for protecting a computer from
`dynamically generated malicious content
`
`The detection engine of Ross,
`
`along with its components teach or
`
`suggest a system for protection a
`
`computer from dynamically generated
`
`malicious content. (Rubin Decl. ¶
`
`101.) FIG. 2 of Ross (reproduced to
`
`the right with annotations) illustrates
`
`“an exemplary client-server system including a client network device [client] and a
`
`server network device [server].” (Ross ¶ 16.) Ross states that the system illustrated
`
`in FIG. 2 includes a detection engine 240 (highlighted in reproduced figure) that is
`
`“configured to catch actual script method calls regardless of the formatting of the
`
`code text.” (Ross ¶ 25.)
`
`Ross further explains that the detection engine 240 includes a script injector
`
`242, and a hook script generator 244. Ross explains that these elements use hook
`
`va-461570
`
`14
`
`
`
`functions that replace or wrap original functions and allow the inputs to these
`
`functions be checked at run-time, specifically stating that the hook function
`
`“provides a run-time detection and control of the data conten
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
