UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

PALO ALTO NETWORKS, INC.,
Petitioner

v.

FINJAN, INC.,
Patent Owner

Patent No. 8,141,154

Inter Partes Review No. IPR2016-00151

DECLARATION OF DR. AVIEL D. RUBIN IN SUPPORT OF
PETITIONER’S REPLY TO PATENT OWNER RESPONSE

Palo Alto Networks, Inc. Exhibit 1005 Page 1

Docket No. 719712801200

IPR2016-00151

I, Aviel D. Rubin, Ph.D., submit the following declaration in connection with the proceeding identified above.

I. INTRODUCTION

1. I have been asked to study U.S. Patent 8,141,154, its prosecution history, and the prior art, and to render opinions on the obviousness or non-obviousness of the claims of the ’154 patent in light of the teachings of the prior art, as understood by a person of ordinary skill in the art in the 2005 timeframe. I previously executed a declaration in support of Palo Alto Networks’ Petition for Inter Partes Review. (Ex. 1002.) This supplemental declaration addresses positions and testimony raised by the Patent Owner Finjan in its Patent Owner Response.

II. MATERIALS CONSIDERED

2. In preparing this declaration, I have reviewed, among other things, the following materials: (a) The Patent Owner Response and supporting exhibits, (b) The declaration of Dr. Nenad Medvidovic Ph.D. and supporting exhibits, and (c) the Petition for Inter Partes Review of the ’154 patent to which my declaration relates.

va-485808

III. BASED ON THE TEACHINGS OF ROSS, A PERSON OF ORDINARY SKILL IN THE ART WOULD HAVE KNOWN THAT THE HOOK SCRIPTS COULD INCLUDE A CALL TO A FIRST FUNCTION

3. It remains my opinion that based on the disclosures in Ross, it would have been obvious to a person of ordinary skill in the art, in 2005, to ensure that the act of having a hook function supersede a call to an original function could be achieved via a call to a hook function within the hook script.

4. Ross states that the example high-level pseudocode provided in FIG. 4 is meant only as an example, and that the functionality of the code provided in FIG. 4 could be achieved through other means. “FIG. 4 shows an example of a combined script 402 including a generated hook script 404 and original script code 302 shown in FIG. 3, according to an embodiment of the present invention. Although shown as a single, combined script 402, generated hook script 404 and original script code 302 may be introduced, or injected, into script processing engine 618 individually by any means as long as a hook script function corresponding to an original script function is processed first.” (Ex. 1003 ¶ 31 (emphasis added).)

5. The pseudocode provided in FIG. 4 illustrates one example of a way to ensure that a call to a hook function supersedes a call to its corresponding original function. The pseudocode of FIG. 4 appears to be high-level pseudocode written in the JavaScript programming language.

6. It would have been obvious to a POSITA, at the time of the filing of the ’154 patent, that one way to ensure that the hook script function corresponding to an original script is processed first would have been to include a call to the hook function within the hook script.

7. Below, I provide pseudocode (also written in high-level JavaScript pseudocode) that illustrates a method for ensuring that a hook function is called first, before the original function, that utilizes a call to the hook function within the hook script itself. I also include Ross’ FIG. 4 pseudocode on the left of the illustration to show how few edits are necessary to achieve this method.

8. In my pseudocode, I show a combined script that includes the original script code, a generated hook script, and a hook function. A call to the original function ActiveXObject invokes the hook script HookedActiveXObject, this script then calls the hook function substituteActiveXObject, and lastly some associated security checks are called. I name the hook function with the familiar “substitute_” prefix to emphasize the similarity between my pseudocode and that of Table III in the ’154 patent. My hook function is equivalent to a call to the original function with a corresponding call to a substitute function as described in the ’154 patent.

9. A person of skill in the art would have known that invoking the hook script in the manner described above, and having the hook script include a call to a hook function was an available method to ensure that the hook script function corresponding to an original script is processed first. A person of skill in the art would have readily generated similar pseudocode provided above to effect the functionality described in Ross.

10. In addition, the pseudocode provided in FIG. 4 (reproduced below, with annotations) itself suggests a call to a function within the hook script.

11. As illustrated in FIG. 4, the hook script 404 includes a hook function (labeled in the figure as HookdActiveXObject). The example of FIG. 4 illustrates that the hook function can include security checks using the comment line //Security checks go here (see highlighted portion of figure). Ross explains that an “executed hook function may pass a message to decision service 624 that is used in a vulnerability assessment,” and that the “information passed to the decision service may include the method name, the object name, any parameters passed to the method, as well as relevant object properties or global variable values.” (Ross ¶¶ 38, 36.)

12. It would have been obvious to a POSITA that the security checks illustrated in FIG. 4 of Ross and taught in the disclosure of Ross could be implemented by calling a separate hook function within the hook script as Ross teaches that “[a] hook script generator 606 may receive some portion or all of data content 602 and supply a generated script code including one or more hook functions.” (Ross ¶ 34 (emphasis added).)

13. The procedural programming design paradigm is supported by many languages such as JavaScript. Statements are structured into procedures that are known as subroutines or functions. Functions encapsulate a task in a program and, thus, provide readability and reusability in the program. The procedural programming design was used by programmers well before 2005, and it is considered a component of achieving good program design.

14. One of skill in the art would know that the “security checks” illustrated in FIG. 4 of Ross could have been implemented by a call to a separate function, following the procedural programming design paradigm, within the function HookedActiveXObject.

IV. BASED ON THE TEACHINGS OF ROSS, A PERSON OF ORDINARY SKILL IN THE ART WOULD HAVE KNOWN THAT THE HTTP CONTENT AND THE HOOK SCRIPTS COULD BE RECEIVED OVER THE SAME NETWORK

15. It remains my opinion that Ross teaches or suggests that the HTTP content and the hook scripts can be received over the same network.

16. The Patent Owner Response furnishes an annotated FIG. 6 from Ross as evidence that the HTTP content and the hook scripts are received by the script injector over separate networks. Their annotated FIG. 6 (reproduced below) is misleading and incorrect.

17. FIG. 6 of Ross is labeled as a data flow block diagram. (See Ross ¶ 20.) A person of skill in the art would understand that a data flow diagram is not meant to represent a network topology of a computing system. FIG. 6 does not represent a networking diagram. A person of skill in the art would not interpret Figure 6 as teaching that the HTTP content and the hook scripts of Ross are received through separate networks.

18. Ross plainly states that “[s]ome portion or all of detection engine 240 may be moved onto another platform termed a third device, and may be implemented as another client device (not shown), an auxiliary device operationally connected to client 202 . . ., and/or a network device. . . . In one example, the script injection and generation could be accomplished by the third device.” (Ross ¶ 26 (emphasis added).)

19. Ross’ suggestion of implementing the hook script generator as a network device would suggest that the hook scripts could be received over a TCP/IP network, as network devices commonly communicate data using TCP/IP. Mr. Craig Hunt, the author of “TCP/IP Network Administration,” describes TCP/IP as the preeminent communications protocol for linking together diverse computer systems since 1992. (Ex. 1012 at 14.) An example network topology described by Mr. Hunt includes multiple workstations and a gateway. (Id. at 46.) With respect to Ross, one of these workstations would represent the hook script generator, another workstation as the script processing engine, and so forth.

20. Web content such as HTTP data is commonly received by a device over a TCP/IP network. Thus, since Ross explicitly discloses that the hook script generator can be implemented as a network device, it plainly suggests that the HTTP content and the hook scripts could be received over the same network.

V. BASED ON THE TEACHINGS OF ROSS, A PERSON OF ORDINARY SKILL IN THE ART WOULD HAVE KNOWN TO INVOKE AN ORIGINAL FUNCTION WITH ITS ORIGINAL INPUT IF A SECURITY COMPUTER FOUND THE ORIGINAL FUNCTION TO BE SAFE

21. It remains my opinion that the teachings of Ross clearly suggest “a content processor . . . for invoking a second function with the input,” as recited in the challenged claims.

22. Ross teaches that the calls to the hook functions can contain inputs and the inputs can be used by the decision service to evaluate an original function. Ross specifically states that “information passed to the decision service may include the method name, the object name, any parameters passed to the method, as well as relevant object properties or global variable values. . . . [D]ecision service 624 may exchange data with a vulnerability assessment service 626 that performs detailed analysis of suspected malicious code functions and one or more arguments.” (Ross ¶ 36 (emphasis added).)

23. Ross also teaches or suggests invoking a second function (i.e., the original function) only if a security computer indicates that such invocation is safe. Specifically, Ross explains that “[d]ecision service 624 can receive messages . . . and determine whether the suspected malicious code behavior should be allowed or prohibited.” (Ross ¶ 36.) Ross further states that “[o]nce decision service 624 [i.e., a security computer] has made a determination regarding a particular script, that decision information may be passed through script relay interface 622 to web browser 618 in order to produce a filtered script behavior.” (Id. ¶ 37.)

24. It would have been obvious to one of ordinary skill in the art that the invocation of the second function (i.e., original function) would be done with its original inputs if a decision service (i.e., security computer) determined that the original function was safe. Thus, Ross teaches or suggests “a content processor . . . for invoking a second function with the input,” as recited in the challenged claims.

VI. ROSS RENDERS OBVIOUS “A RECEIVER FOR RECEIVING AN INDICATOR FROM THE SECURITY COMPUTER WHETHER IT IS SAFE TO INVOKE THE SECOND FUNCTION WITH THE INPUT”

25. It remains my opinion that Ross’ disclosure relating to the script interface relay 622 teaches or suggests “a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input,” as recited in challenged claims 1 and 4.

26. The Patent Owner Response seems to contend that Ross’ teaching of making a “determination regarding a particular script” does not teach “whether it is safe to invoke the second function with the input,” as recited in the challenged claims. However, in my opinion this assertion is incorrect.

27. Ross states that “[d]ecision service 624 can receive messages . . . and determine whether the suspected malicious code behavior should be allowed or prohibited.” (Ross ¶ 36.) Ross also discloses that the determination by the decision is received by the script relay interface stating “[o]nce decision 624 has made a determination regarding a particular script, that decision information may be passed through script relay interface 622 to web browser 618.” (Id. ¶ 37, referring to FIG. 6.) It would have been obvious to a person of skill in the art that when the decision service 624 determines that the suspected malicious code behavior is allowable, and transmits that determination to the script relay interface 622, the script relay interface is in fact receiving an indication from the security computer whether it is safe to invoke the second function with the input.

28. As discussed above, Ross clearly teaches invoking a second function (i.e., the original function) only if a security computer indicates such invocation is safe. (See ¶ 22 above.) Given this teaching and Ross’ teachings of receiving a determination regarding a particular script from the decision service, it is my opinion that Ross teaches or suggests “a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input,” as recited in the challenged claims.

VII. BASED ON THE TEACHINGS OF ROSS IT WOULD HAVE BEEN OBVIOUS TO REDIRECT TO AN ALTERNATIVE DIRECTORY BY MODIFYING AN INPUT VARIABLE OF A FUNCTION CALL

29. It remains my opinion that Ross’ disclosure relating to modifying the execution of an original function so as to change the directory to where a file is written teaches “calling a second function with a modified input variable,” as recited in the challenged claims.

30. Ross discloses that “execution of the original function may be modified. . . . For example, the original function may include writing an output into a first directory that is undesirable for practical or security reasons . . . . [T]he hook function may instead cause the output to be redirected to a second directory that is desirable.” (Ross ¶ 38 (emphasis added).) While Ross provides an example of how to modify the directory, stating that “[i]n this manner, some portion of the original function may be preserved, while another portion may be modified” (id.), it would have been obvious to one of skill in the art that the effect of modifying the output directory could be achieved using other methods.

31. One such method that was known to a person of skill in the art would be to modify the input variable to the original function with a new directory name, rather than modify the function itself. Ross explicitly states that the example provided in paragraph 38 is an example only, and thus doesn’t preclude modifying the output directory by modifying the input to the call to the original function.

32. In light of the teachings of Ross described above, it is my opinion that Ross teaches or suggests “calling a second function with a modified input variable,” as recited in claims 6 and 10.

I declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true, and that these statements were made with knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under section 1001 of Title 18 of the United States Code.

Dated: December 6, 2016

_______________________
Aviel D. Rubin
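
Added example, not part of the declaration and not the pseudocode of Ross FIG. 4, the declarant's illustration, or Table III of the ’154 patent: a runnable JavaScript sketch of the mechanism discussed in paragraphs 3 through 32, in which a hook supersedes an original function, passes the object name, method name and parameters to a decision service, and invokes the original with its original or a modified input only when the verdict allows it. The names makeHost, writeFile, decisionService and installHook, the policy and the sample calls are all constructed for this illustration.

```javascript
// Added illustration; names (makeHost, decisionService, installHook) are hypothetical.

// Stand-in for a sensitive "original function" exposed to page scripts.
function makeHost() {
  return {
    written: [],
    writeFile(dir, name, data) {
      this.written.push({ dir, name, data });
      return `${dir}/${name}`;
    },
  };
}

// Stand-in for the decision service: receives the object name, method name
// and parameters, and returns a verdict (constructed policy).
function decisionService({ objectName, methodName, args }) {
  const [dir, name] = args;
  if (/\.(exe|dll|scr)$/i.test(name)) return { action: "deny" };
  if (dir.startsWith("/system")) {
    // Allowed, but only with a modified input variable (safe directory).
    return { action: "allow", args: ["/sandbox", ...args.slice(1)] };
  }
  return { action: "allow", args };
}

// Replaces obj[methodName] with a hook. It has to be installed before any
// untrusted script runs, otherwise that script may already hold the original.
function installHook(obj, objectName, methodName, decide, log) {
  const original = obj[methodName];
  obj[methodName] = function hooked(...args) {
    const verdict = decide({ objectName, methodName, args });
    log.push({ objectName, methodName, args, action: verdict.action });
    if (verdict.action !== "allow") {
      throw new Error(`${objectName}.${methodName} blocked by policy`);
    }
    // Invoke the original with the original or rewritten input.
    return original.apply(this, verdict.args);
  };
  return () => { obj[methodName] = original; }; // uninstall handle
}

// Drives three constructed "page script" calls through the hook.
function demo() {
  const host = makeHost();
  const log = [];
  const unhook = installHook(host, "host", "writeFile", decisionService, log);
  const calls = [
    ["/tmp", "notes.txt", "a"],    // allowed, original input passed through
    ["/system", "cfg.ini", "b"],   // allowed, directory rewritten
    ["/tmp", "dropper.exe", "c"],  // denied, original never runs
  ];
  const results = calls.map((args) => {
    try { return host.writeFile(...args); } catch (e) { return e.message; }
  });
  unhook();
  return { results, log, written: host.written };
}

console.log(demo().results);
```

The audit log records every attempted call, including the denied one, which is the record a defender would forward for later analysis.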