BEFORE THE PATENT TRIAL AND APPEAL BOARD

Palo Alto Networks, Inc.
Petitioner

v.

Finjan, Inc.
Patent Owner

U.S. Patent No. 8,225,408
Filing Date: August 30, 2004
Issue Date: July 17, 2012
Title: Method and System for Adaptive Rule-Based Content Scanners
____________________

Inter Partes Review No. IPR2016-00157

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,225,408

sf-3590040

Petition for Inter Partes Review of Patent No. 8,225,408
Docket No. 719712801500

Table of Contents

I. INTRODUCTION
II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1)
    A. Real Party-In-Interest Under 37 C.F.R. § 42.8(b)(1)
    B. Related Matters Under 37 C.F.R. § 42.8(b)(2)
    C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)
III. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. §§ 42.104 AND 42.108
    A. Grounds for Standing Under 37 C.F.R. § 42.104(a)
    B. Identification of Challenge Under 37 C.F.R. § 42.104(b) and Statement of Precise Relief Requested
    C. Threshold Requirement for Inter Partes Review Under 37 C.F.R. § 42.108(c)
IV. BACKGROUND OF TECHNOLOGY RELATED TO THE ’408 PATENT
    A. Malware Detection
    B. Static Analysis Using Parse Trees
    C. Malware and Vulnerability Detection
V. SUMMARY OF THE ’408 PATENT
    A. Brief Description of the ’408 Patent
    B. Petitioned Claims of the ’408 Patent
    C. Priority Date of the ’408 Patent
VI. CLAIM CONSTRUCTION UNDER 37 C.F.R. § 42.104(B)(3)
    A. “Parse tree” (all claims)
    B. “Dynamically building . . . while said receiving receives the incoming stream” (variants in all claims)
    C. “Dynamically detecting . . . while said dynamically building builds the parse tree” (variants in all claims)
    D. “Instantiating . . . a scanner for the specific programming language” (variants in all claims)
VII. PERSON HAVING ORDINARY SKILL IN THE ART & STATE OF THE ART
VIII. PETITIONED CLAIMS 3-7, 12-16, AND 18-21 OF THE ’408 PATENT ARE UNPATENTABLE
    A. Overview of Chandnani
    B. Overview of Kolawa
    C. Overview of Walls
    D. Overview of Huang
    E. Chandnani, Kolawa, Walls, and Huang Are All Analogous Art
    F. General Motivations to Combine the Prior Art Teachings
IX. CHANDNANI IN VIEW OF KOLAWA RENDERS THE PETITIONED CLAIMS 3-5, 12-16, AND 18-19 INVALID AS OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 1)
    A. Claim 1
        1. Claim 1 – preamble
        2. Claim element 1[a] – receiving a stream of code
        3. Claim element 1[b] – determining a programming language
        4. Claim element 1[c] – instantiating a scanner
        5. Claim element 1[d] – scanner with language-specific rules
            a. Claim element 1[e] - parser rules
            b. Claim element 1[f] - analyzer rules
        6. Claim element 1[g] – identifying tokens
        7. Claim element 1[h] – dynamically building a parse tree
            a. Building a parse tree
            b. Dynamically building
        8. Claim element 1[i] – dynamically detecting exploits
            a. Detecting potential exploits
            b. Dynamically detecting
        9. Claim element 1[j] – indicating presence of exploits
    B. Claim 9
        1. Claim 9 – preamble
        2. Claim element 9[a] – computer-readable storage medium
        3. Claim element 9[b] – receiver
        4. Claim element 9[c] – multi-lingual language detector
        5. Claim element 9[d] – scanner instantiator
        6. Claim element 9[e] – rules accessor
        7. Claim elements 9[f]-[g] – parser and analyzer rules
        8. Claim element 9[h] – tokenizer
        9. Claim element 9[i] – parser
        10. Claim element 9[j] – analyzer
        11. Claim element 9[k] – notifier
    C. Dependent Claim 3: “The method of claim 1 wherein the parser rules and analyzer rules include actions to be performed when rules are matched”
    D. Dependent Claim 4: “The method of claim 1 wherein the specific programming language is JavaScript”
    E. Dependent Claim 5: “The method of claim 1 wherein the specific programming language is Visual Basic VBScript”
    F. Dependent Claim 12: “The system of claim 9 wherein said parser comprises a pattern-matching engine, for matching a pattern within a sequence of tokens in accordance with the parser rules accessed by said rules accessor”
    G. Dependent Claim 13: “The system of claim 12 wherein the parser rules accessed by said rules accessor are represented as finite-state machines”
    H. Dependent Claim 14: “The system of claim 12 wherein the parser rules are represented as pattern expression trees”
    I. Dependent Claim 15: “The system of claim 12 wherein parser rules are merged into a single deterministic finite automaton (DFA)”
    J. Dependent Claim 16: “The system of claim 9 wherein the parser rules and analyzer rules include actions to be performed when rules are matched”
    K. Dependent Claim 18: “The system of claim 9 wherein the parser rules and analyzer rules include actions to be performed when rules are matched”
    L. Dependent Claim 19: “The system of claim 9 wherein the parser rules and analyzer rules include actions to be performed when rules are matched”
X. CHANDNANI IN VIEW OF KOLAWA AND HUANG RENDERS THE PETITIONED CLAIMS 6-7 AND 20-21 INVALID AS OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 2)
    A. Dependent Claim 6: “The method of claim 1 wherein the specific programming language is HTML”
    B. Dependent Claim 7: “The method of claim 1 wherein the specific programming language is Uniform Resource Identifier (URI)”
    C. Dependent Claim 20: “The system of claim 9 wherein the specific programming language is HTML”
    D. Dependent Claim 21: “The system of claim 9 wherein the specific programming languages language is Uniform Resource Identifier (URI)”
XI. CHANDNANI IN VIEW OF KOLAWA AND WALLS RENDERS THE PETITIONED CLAIMS 3-5, 12-16, AND 18-19 INVALID AS OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 3)
    A. Dynamically building a parse tree
    B. Dynamically detecting potential exploits
XII. CHANDNANI IN VIEW OF KOLAWA, WALLS, AND HUANG RENDERS THE PETITIONED CLAIMS 6-7 AND 20-21 INVALID AS OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 4)
XIII. NO SECONDARY CONSIDERATIONS OF NON-OBVIOUSNESS EXIST

List of Exhibits

Exhibit No.  Description of Document
1001  U.S. Patent No. 8,225,408 (“the ’408 patent”)
1002  Declaration of Dr. Aviel D. Rubin
1003  U.S. Patent No. 7,636,945 (“Chandnani”)
1004  U.S. Patent No. 5,860,011 (“Kolawa”)
1005  U.S. Patent No. 7,284,274 (“Walls”)
1006  U.S. Patent No. 7,437,362 (“Ben-Natan” or the “Ben-Natan Patent”)
1007  Ron Ben-Natan, “Protecting Your Payload,” SQL Server Magazine, Vol. 5, No. 8 (August 2003) (the “Ben-Natan Article”)
1008  U.S. Patent No. 6,697,950 (“Ko”)
1009  U.S. Patent No. 7,210,041 (“Gryaznov”)
1010  Mihai Christodorescu & Somesh Jha, “Static Analysis of Executables to Detect Malicious Patterns,” Proc. of the 12th USENIX Security Symposium, at 169-86 (Aug. 7, 2003) (“Christodorescu”)
1011  U.S. Patent No. 8,185,003 (“Bayliss”)
1012  U.S. Patent No. 7,546,234 (“Deb”)
1013  David Wagner and Drew Dean, “Intrusion Detection via Static Analysis,” In Proc. IEEE Symposium on Security and Privacy (2001) (“Wagner”)
1014  Microsoft Press, Computer Dictionary, 3rd ed. (1997) (Excerpt)
1015  U.S. Patent No. 7,950,059 (“Aharon”)
1016  Yichen Xie, et al., “ARCHER: Using Symbolic, Path-Sensitive Analysis to Detect Memory Access Errors,” Proc. of the 10th ACM SIGSOFT International Symposium on Foundations of Software Engineering (Sept. 2003) (“ARCHER”)
1017  U.S. Patent No. 7,207,065 (“Chess”)
1018  James F. Power and Brian A. Malloy, “Program Annotation in XML: A Parse Tree-Based Approach,” 9th IEEE Working Conference on Reverse Engineering (Nov. 1, 2002) (“Power”)
1019  U.S. Patent No. 6,061,513 (“Scandura”)
1020  Stephen C. Johnson, “YACC: Yet Another Compiler Computer,” Bell Laboratories, Murray Hill, NJ (1978) (“YACC”)
1021  Excerpt of the File History of U.S. Patent No. 8,225,408 (“408 File History”)
1022  Curriculum Vitae of Dr. Aviel Rubin
1023  F-SCRIPT, F-Secure Script Viruses Detector and Eliminator, Version 1.6, Data Fellows Corp. (1998-99)
1024  U.S. Patent Application Publication No. 2004/0181677 (“Hong”)
1025  Webster’s New World Computer Dictionary, 9th ed. (2001)
1026  David M. Chess and Steve R. White, “An Undetectable Computer Virus” (“Chess and White”)
1027  Symantec.com, “Updating virus definitions on a daily basis with Symantec AntiVirus”
1028  Wikipedia.org, “Lexical Analysis”
1029  Computer Desktop Encyclopedia, 2nd ed. (1999)
1030  David Patterson and John Hennessy, “Computer Organization & Design, The Hardware / Software Interface” (1994)
1031  U.S. Patent No. 5,996,059 (“Porten”)
1032  John Lockwood, “Internet Worm and Virus Protection for Very High-Speed Networks” (August 1998)
1033  Sebastian Gerlach and Roger D. Hersch, “DPS – Dynamic Parallel Schedules,” IEEE Press (2003)
1034  B. Ramakrishna Rau and Joseph A. Fisher, “Instruction-Level Parallel Processing: History, Overview, and Perspective,” The Journal of Supercomputing (1993)
1035  U.S. Patent Application No. 08/964,388
1036  U.S. Patent Application No. 09/539,667
1037  Webster’s New World Dictionary of Computer Terms, 5th ed. (1994)
1038  J. Mark Smith, et al., “Protecting a Private Network: The AltaVista Firewall,” Digital Technical Journal (1997)
1039  Martin Hitz and Behzad Montazeri, “Measuring Coupling and Cohesion in Object-Oriented Systems” (“Hitz”)
1040  Intentionally Left Blank
1041  Testimony of Stephen R. Malphrus, “The ‘I Love You’ computer virus and the financial services industry,” Before the Subcommittee on Financial Institutions of the Committee on Banking, Housing, and Urban Affairs, U.S. Senate, May 18, 2000
1042  Intentionally Left Blank
1043  ccm.net, “The Klez Virus” (September 2015)
1044  Jakob Nielsen, “100 Million Websites”
1045  Margrethe H. Olson, “Remote Office Work: Changing Work Patterns In Space and Time” (March 1983)
1046  “Intrusion Detection Systems,” Group Test (Edition 2), An NSS Group Report (December 2001)
1047  Carey Nachenberg, “The Evolving Virus Threat” (“Nachenberg”)
1048  Dmitry O. Gryaznov, “Scanners of the Year 2000: Heuristics,” Virus Bulletin (1995)
1049  Emin Gun Sirer, et al., “Design and Implementation of a Distributed Virtual Machine for Networked Computers,” 33 ACM SIGOPS Operating Systems Review 202 (Dec. 5, 1999) (“Sirer”)
1050  Frederick B. Cohen, “A Short Course on Computer Viruses” (1990) (Excerpt)
1051  U.S. Patent No. 5,842,002 (“Schnurer”)
1052  Hal Berghel, “The Client Side of the Web” (April 8, 1996)
1053  w3schools.com, “My First JavaScript Tutorial”
1054  Sarah Gordon and David Chess, “Attitude Adjustment: Trojans and Malware on the Internet”
1055  Stephane Bressan and Thomas Lee, “Information Brokering on the World Wide Web” (June 1997)
1056  David M. Chess, “Security Issues in Mobile Code Systems”
1057  Andrew W. Appel and Jens Palsberg, “Modern Compiler Implementation in Java,” 2nd ed. (2002) (Excerpt)
1058  Graham Hutton, “Higher-Order Functions for Parsing” (July 1992)
1059  John Lockwood, et al., “An Extensible, System-On-Programmable-Chip, Content-Aware Internet Firewall”
1060  “M86 Security Acquires Finjan,” Reuters Business Wire (Nov. 3, 2009)
1061  Final Office Action, Ex Parte Reexamination of U.S. Patent No. 7,647,633 (May 22, 2015)
1062  U.S. Patent No. 6,968,539 (“Huang”)
1063  The Authoritative Dictionary of IEEE Standards Terms (7th ed.) (Excerpt)
1064  John E. Hopcroft et al., Introduction to Automata Theory, Language and Computation § 2.2.1 (2001) (Excerpt)

I. INTRODUCTION

Pursuant to 35 U.S.C. §§ 311-319 and 37 C.F.R. § 42, Palo Alto Networks, Inc. (“Petitioner”) petitions for inter partes review (“IPR”) of claims 3-7, 12-16, and 18-21 (the “Petitioned Claims”) of U.S. Patent No. 8,225,408 (Ex. 1001), assigned on its face to Finjan, Inc. The ’408 patent is directed to protecting computers against potentially malicious programs using a programming language-specific set of rules and a “parse tree” data structure.

When the ’408 patent was filed in 2004, there was already a crowded field of prior art security software that analyzed computer code for security problems such as viruses and other malicious code. After approximately four years of prosecution without a single allowed claim, the patentee was forced to amend each of the independent claims from which the Petitioned Claims depend to add two elements: (1) multi-language scanning capability; and (2) the ability to “dynamically” analyze a parse tree as it was being built. But numerous prior art references that were not before the Examiner—including the primary references discussed in this Petition—confirm that these features were both well-known and obvious for use in security scanners.

The Chandnani patent, for example, teaches dynamically parsing a data stream to detect computer viruses in a multi-language environment. It was obvious to use a parse tree data structure with Chandnani for storing suspect programs, as in the ’408 patent. And it was obvious to combine Chandnani with other prior art, such as Kolawa, that expressly taught using a parse tree to represent and analyze programming code, because both Chandnani and Kolawa taught parsing code and then searching for patterns that identify problematic code. Chandnani in combination with Kolawa and other prior art references described in this Petition therefore render the Petitioned Claims invalid as obvious.

II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1)

A. Real Party-In-Interest Under 37 C.F.R. § 42.8(b)(1)

Petitioner Palo Alto Networks, Inc. is the real party-in-interest.

B. Related Matters Under 37 C.F.R. § 42.8(b)(2)

Finjan, Inc. (“Patent Owner” or “Finjan”) has asserted the ’408 patent in Finjan, Inc. v. FireEye, Inc., 4:13-cv-03133 (N.D. Cal. July 8, 2013); Finjan, Inc. v. Websense, Inc., 5:13-cv-04398 (N.D. Cal. Sept. 23, 2013); Finjan, Inc. v. Proofpoint, Inc., 3:13-cv-05808 (N.D. Cal. Dec. 16, 2013); Finjan, Inc. v. Palo Alto Networks, Inc., No. 4:14-cv-04908 (N.D. Cal. November 4, 2014); Finjan, Inc. v. Blue Coat Systems, Inc., No. 5:15-cv-03295 (N.D. Cal. July 15, 2015). Petitioner previously filed a petition for inter partes review of U.S. Patent No. 8,225,408, requesting IPR of claims 1, 9, 22, 23, 29, and 35. Petitioner has also filed, or is filing, petitions for inter partes review of U.S. Patent Nos. 6,804,780; 6,965,968; 7,058,822; 7,418,731; 7,613,918; 7,613,926; 7,647,633; 8,141,154; and 8,677,494, which are assigned to Patent Owner.

C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)

Lead Counsel
Matthew I. Kreeger
Reg. No. 56,398
MORRISON & FOERSTER LLP
425 Market Street
San Francisco, CA 94105
MKreeger@mofo.com
Tel: (415) 268-6467
Fax: (415) 268-7522

Back-Up Counsel
Jonathan Bockman
Reg. No. 45,640
MORRISON & FOERSTER LLP
1650 Tysons Boulevard
McLean, VA 22102
JBockman@mofo.com
Tel: (703) 760-7769
Fax: (703) 760-7777

Back-Up Counsel
Matthew Chivvis
Reg. No. 61,256
MORRISON & FOERSTER LLP
425 Market Street
San Francisco, CA 94105
MChivvis@mofo.com
Tel: (415) 268-7307
Fax: (415) 268-7522

Pursuant to 37 C.F.R. § 42.8(b)(4), service information for lead and back-up counsel is provided above. Petitioner consents to electronic service by email to FinjanPANMofoTeam@mofo.com.

III. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. §§ 42.104 AND 42.108

A. Grounds for Standing Under 37 C.F.R. § 42.104(a)

Petitioner certifies that the ’408 patent is eligible for IPR and further certifies that Petitioner is not barred or estopped from requesting this IPR.

B. Identification of Challenge Under 37 C.F.R. § 42.104(b) and Statement of Precise Relief Requested

Petitioner requests IPR of claims 3-7, 12-16, and 18-21 of the ’408 patent and requests that each claim be found unpatentable. An explanation of why each claim is unpatentable under the grounds identified in Table 1 below is provided in Section VIII. Additional explanation and support for each ground of unpatentability are set forth in the Declaration of Dr. Aviel Rubin (Ex. 1002), an expert in the field.

Table 1 – Asserted Grounds of Unpatentability

Ground  ’408 Patent Claims      Basis for Challenge
1       3, 4, 5, 12-16, 18, 19  Obvious under § 103(a) by Chandnani in view of Kolawa
2       6, 7, 20, 21            Obvious under § 103(a) by Chandnani in view of Kolawa and Huang
3       3, 4, 5, 12-16, 18, 19  Obvious under § 103(a) by Chandnani in view of Kolawa and Walls
4       6, 7, 20, 21            Obvious under § 103(a) by Chandnani in view of Kolawa, Walls, and Huang

C. Threshold Requirement for Inter Partes Review Under 37 C.F.R. § 42.108(c)

Inter partes review of claims 3-7, 12-16, and 18-21 should be instituted because this Petition establishes a reasonable likelihood that Petitioner will prevail with respect to one or more of the challenged claims. 35 U.S.C. § 314(a).

IV. BACKGROUND OF TECHNOLOGY RELATED TO THE ’408 PATENT

Computer viruses have long been a major security problem. For example, viruses can damage a computer, perform unauthorized operations, or otherwise inconvenience a user. (Ex. 1002 ¶ 42.) Those in the art often refer to harmful or unauthorized programs as “malicious software” or “malware.” (Id. ¶ 43.)

A. Malware Detection

Since at least 1988, antivirus software has served as a barrier between malware and the processor. (Id. ¶ 56.) The concept is to have a trusted program evaluate untrusted programs before they execute. (Id.)

Security applications identify “exploits” (such as viruses) by scanning for a signature, i.e., a particular pattern of characters or instructions found in each instance of a known virus. (Id. ¶¶ 58-59; Ex. 1003 at 2:17-21.) Signature scanning requires a database of known patterns found in (and preferably only in) malware. (Ex. 1002 ¶ 59.) If the scanned program has the same sequence of bytes as a known malicious program, the scanner will not allow the program to run. (Id.) The problem with signature scanning is that it only recognizes malware after the malware has been identified and its signature placed in a database; it is therefore unable to protect against previously-unseen harmful programs. (Id. ¶ 60.)

B. Static Analysis Using Parse Trees

A polymorphic virus is a virus that can copy itself slightly differently as it spreads in order to change its signature and evade detection by signature scanners. (Id. ¶ 61; Ex. 1003 at 2:54-61.) Small changes, like the addition of extraneous program code, comments, or other changes, can create a new signature that is different from earlier versions of the same virus. (Ex. 1002 ¶¶ 61-62.)

In 2004, one approach to detecting polymorphic viruses was known as “static analysis.” (See, e.g., Ex. 1008, Ex. 1010, Ex. 1002 ¶¶ 63-64.) Rather than looking for a specific pattern of bytes, static analysis involves a deeper “parsing” analysis of computer code to determine how the code is structured and expected to function. (Ex. 1002 ¶ 63.) Static analysis is particularly useful for detecting viruses in scripts because such viruses propagate in source code form, and source code can be parsed to ascertain the functions it will perform. (Id.; Ex. 1008 at Abstract.)

One common static analysis method in 2004 was to create a representation of computer code in a “parse tree” data structure—the same technique disclosed in the ’408 patent. (See, e.g., Ex. 1009 at 5:3-5 (“[P]arser 20 processes the suspect string 26 and suspect [file] 27 on a line-by-line basis and generates a hierarchical parse tree, as is known in the art.”); Ex. 1007 at 5 (“[T]he firewall compares this parse tree with the rules you’ve devised.”); Ex. 1004 at 5:62-64 (“The quality of the source code 10 is checked on an individual parse tree basis.”); Ex. 1002 ¶¶ 65-70.)

A parse tree is a representation of suspect code at a higher level of abstraction than the code itself. (Ex. 1002 ¶ 66.) Parse trees preserve the code’s structure and substantive patterns but remove details like spacing and capitalization. (Id.) Below are graphical representations of an example parse tree from a patent filed in 2003:

(Ex. 1006 at Fig. 14; see also Ex. 1002 ¶ 66.)

Parse trees are built by first converting a sequence of characters, such as a stream of code, into a sequence of “tokens,” or strings of related characters. (Ex. 1002 ¶¶ 67-69.) Token creation is performed using a process called “lexical analysis.” (Id. ¶ 69.) Then, a parsing process is used to convert tokens into nodes of a parse tree (such as “SELECT” or “WHERE” above) using “grammar” rules that describe the syntax of a particular computer programming language. (Id.)

Parse trees can be used to abstract away extraneous details of the underlying code. (Ex. 1002 ¶¶ 66, 70, 72; Ex. 1011 at 13:33-50.) Parse trees are useful for detecting viral structures while ignoring details of the exact code used in the virus. (Ex. 1002 ¶¶ 71-72; Ex. 1012 at 2:14-17.) Parse tree detection methods are thus more robust than virus detection methods that compare a signature to those of known viruses. (Ex. 1002 ¶ 72.)
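
The contrast drawn above between byte-signature scanning and parse-tree analysis can be shown in code. The following is an added example, not taken from the Petition or any cited exhibit; the toy case-insensitive script language, its grammar, the `copy(self, ...)` analyzer rule, and every sample input are constructed for illustration.

```python
import re

# Lexical analysis: characters -> tokens. Whitespace and // comments are
# discarded and identifiers are case-folded (assumption: the toy language is
# case-insensitive), so spacing and capitalization never reach the parser.
TOKEN_RE = re.compile(r'''
    (?P<WS>\s+|//[^\n]*)       |
    (?P<IDENT>[A-Za-z_]\w*)    |
    (?P<STRING>"[^"\n]*")      |
    (?P<PUNCT>[(),;])
''', re.VERBOSE)

def tokenize(code):
    tokens, pos = [], 0
    while pos < len(code):
        m = TOKEN_RE.match(code, pos)
        if m is None:
            raise SyntaxError(f"unexpected character {code[pos]!r} at {pos}")
        pos = m.end()
        if m.lastgroup == "WS":
            continue
        text = m.group().lower() if m.lastgroup == "IDENT" else m.group()
        tokens.append((m.lastgroup, text))
    return tokens

class Parser:
    """Grammar: program := (expr ';')* ; expr := STRING | IDENT | IDENT '(' args ')'"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("EOF", "")

    def take(self, kind, text=None):
        tok = self.peek()
        if tok[0] != kind or (text is not None and tok[1] != text):
            raise SyntaxError(f"expected {text or kind}, got {tok}")
        self.i += 1
        return tok[1]

    def program(self):
        stmts = []
        while self.peek()[0] != "EOF":
            stmts.append(self.expr())
            self.take("PUNCT", ";")
        return ("program", stmts)

    def expr(self):
        kind, text = self.peek()
        if kind == "STRING":
            self.i += 1
            return ("string", text[1:-1])
        name = self.take("IDENT")
        if self.peek() != ("PUNCT", "("):
            return ("ident", name)
        self.take("PUNCT", "(")
        args = []
        while self.peek() != ("PUNCT", ")"):
            args.append(self.expr())
            if self.peek() != ("PUNCT", ")"):
                self.take("PUNCT", ",")
        self.take("PUNCT", ")")
        return ("call", name, args)

def walk(node):
    """Yield every node of the parse tree, depth first."""
    yield node
    children = node[1] if node[0] == "program" else node[2] if node[0] == "call" else []
    for child in children:
        yield from walk(child)

def tree_rule_hits(code):
    """Analyzer rule (constructed): a call to copy() whose first argument is `self`."""
    tree = Parser(tokenize(code)).program()
    return [n for n in walk(tree)
            if n[0] == "call" and n[1] == "copy" and n[2][:1] == [("ident", "self")]]

# Byte signature taken from the one "known" sample (constructed).
SIGNATURE = b'copy(self, "startup/a.js");'

def signature_hit(code):
    return SIGNATURE in code.encode()

# Constructed samples: the known sample, three re-written variants, one benign script.
ORIGINAL = 'copy(self, "startup/a.js");'
VARIANT_SPACING = 'COPY ( Self ,\n   "startup/b.js" ) ;'
VARIANT_COMMENT = 'log("hi"); // padding\ncopy(self, // junk\n    "startup/a.js");'
VARIANT_NESTED = 'run(copy(self, "x"));'
BENIGN = 'copy(report, "backup/self.txt");'

if __name__ == "__main__":
    for name in ("ORIGINAL", "VARIANT_SPACING", "VARIANT_COMMENT", "VARIANT_NESTED", "BENIGN"):
        src = globals()[name]
        print(f"{name:16} signature={signature_hit(src)!s:5} tree_rule={bool(tree_rule_hits(src))}")
```
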

Techniques for building parse trees were well known in 2004, when the ’408 patent was filed. (Id. ¶ 68.) In fact, the Examiner of the application that issued as the ’408 patent noted that parsing is a fundamental and generally applicable method for dividing a sequence of characters into individual elements. (Ex. 1021 at 34.)

C. Malware and Vulnerability Detection

By 2004, static analysis was commonly used in two closely related and overlapping sub-disciplines: malware detection and vulnerability detection (code quality analysis). (Ex. 1002 ¶¶ 71-76.) The person of ordinary skill in the art (“POSA”) recognized the extensive overlap between these two sub-disciplines because malware was often designed to exploit vulnerabilities in software. (Id.; see Ex. 1005 at 1:48-65; Ex. 1013 at 1.) For that reason, the POSA stayed current with (and sometimes taught) advancements in both disciplines. (Ex. 1002 ¶ 76.)

V. SUMMARY OF THE ’408 PATENT

A. Brief Description of the ’408 Patent

The ’408 patent is directed at protecting computers against potentially malicious programs using programming language-specific sets of rules and a “parse tree” data structure. (Ex. 1001 at Title, Abstract; Ex. 1002 ¶¶ 83-86.) The ’408 patent describes scanning an incoming stream of computer code by creating tokens, generating a parse tree using patterns in those tokens, and identifying patterns of tokens in the parse tree as potential exploits. (See id.) Patterns are identified using “parser rules” and “analyzer rules” specific to one of multiple programming languages.

B. Petitioned Claims of the ’408 Patent

Petitioned Claims 3-7 depend from independent claim 1, and Petitioned Claims 12-16 and 18-21 depend directly or indirectly from independent claim 9. Petitioned Claims 3-7, 16, 18-21 recite essentially the same elements in method (claims 3-7) and system (claims 16 and 18-21) form, respectively. Petitioned Claims 12-15 depend directly or indirectly from claim 9. The elements of representative independent claim 1 are shown below:

No.     Claim Limitation
1[pre]  A computer processor-based multi-lingual method for scanning incoming program code, comprising:
1[a]    receiving, by a computer, an incoming stream of program code;
1[b]    determining, by the computer, any specific one of a plurality of programming languages in which the incoming stream is written;
1[c]    instantiating, by the computer, a scanner for the specific programming language, in response to said determining,
1[d]    the scanner comprising parser rules and analyzer rules for the specific programming language,
1[e]    wherein the parser rules define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language, and
1[f]    wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of potential exploits, exploits being portions of program code that are malicious;
1[g]    identifying, by the computer, individual tokens within the incoming stream;
1[h]    dynamically building, by the computer while said receiving receives the incoming stream, a parse tree whose nodes represent tokens and patterns in accordance with the parser rules;
1[i]    dynamically detecting, by the computer while said dynamically building builds the parse tree, combinations of nodes in the parse tree which are indicators of potential exploits, based on the analyzer rules; and
1[j]    indicating, by the computer, the presence of potential exploits within the incoming stream, based on said dynamically detecting.

The additional elements of the Petitioned Claims are shown below:

No.       Claim Limitation
3 and 16  wherein the parser rules and analyzer rules include actions to be performed when rules are matched
4 and 18  wherein the specific programming language is JavaScript
5 and 19  wherein the specific programming language is Visual Basic script
6 and 20  wherein the specific programming language is HTML
7 and 21  wherein the specific programming language is Uniform Resource Identifier (URI)
12        wherein said parser comprises a pattern-matching engine, for matching a pattern within a sequence of tokens in accordance with the parser rules accessed by said rules accessor
13        wherein the parser rules accessed by said rules accessor are represented as finite-state machines
14        wherein the parser rules are rep
15