throbber
UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`Palo Alto Networks, Inc.
`Petitioner
`
`v.
`
`Finjan, Inc.
`Patent Owner
`
`U.S. Patent No. 8,225,408
`Filing Date: August 30, 2004
`Issue Date: July 17, 2012
`Title: Method and System for Adaptive Rule-Based Content Scanners
`____________________
`
`Inter Partes Review No. IPR2016-00157
`
`
`
`
`PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,225,408
`
`
`
`
`
`
`sf-3590040
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`Table of Contents
`
`Page
`
`I.
`
`INTRODUCTION .......................................................................................... 1
`
`II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1) ....................... 2
`
`A.
`
`B.
`
`C.
`
`Real Party-ln-Interest Under 37 C.F.R. § 42.8(b)(1) ........................... 2
`
`Related Matters Under 37 C.F.R. § 42.8(b)(2) .................................... 2
`
`Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3) .................. 3
`
`III. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37
`C.F.R. §§ 42.104 AND 42.108 ....................................................................... 3
`
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a) ............................ 3
`
`B.
`
`C.
`
`Identification of Challenge Under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested ................................................ 3
`
`Threshold Requirement for Inter Partes Review Under 37
`C.F.R. § 42.108(c) ................................................................................ 4
`
`IV. BACKGROUND OF TECHNOLOGY RELATED TO THE ’408
`PATENT ......................................................................................................... 4
`
`A. Malware Detection ............................................................................... 5
`
`B.
`
`Static Analysis Using Parse Trees ........................................................ 5
`
`C. Malware and Vulnerability Detection .................................................. 8
`
`V.
`
`SUMMARY OF THE ’408 PATENT ............................................................ 8
`
`A.
`
`B.
`
`C.
`
`Brief Description of the ’408 Patent .................................................... 8
`
`Petitioned Claims of the ’408 Patent .................................................... 9
`
`Priority Date of the ’408 Patent.......................................................... 11
`
`VI. CLAIM CONSTRUCTION UNDER 37 C.F.R. § 42.104(B)(3) ................. 12
`
`“Parse tree” (all claims) ...................................................................... 12
`
`“Dynamically building . . . while said receiving receives the
`incoming stream” (variants in all claims) .......................................... 12
`
`i
`
`
`
`A.
`
`B.
`
`
`
`
`sf-3590040
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`Table of Contents
`(continued)
`
`Page
`
`C.
`
`D.
`
`“Dynamically detecting . . . while said dynamically building
`builds the parse tree” (variants in all claims) ..................................... 13
`
`“Instantiating . . . a scanner for the specific programming
`language” (variants in all claims) ....................................................... 14
`
`VII. PERSON HAVING ORDINARY SKILL IN THE ART & STATE
`OF THE ART ............................................................................................... 15
`
`VIII. PETITIONED CLAIMS 3-7, 12-16, AND 18-21 OF THE ’408
`PATENT ARE UNPATENTABLE ............................................................. 15
`
`A. Overview of Chandnani ..................................................................... 16
`
`B.
`
`C.
`
`Overview of Kolawa .......................................................................... 17
`
`Overview of Walls.............................................................................. 18
`
`D. Overview of Huang ............................................................................ 18
`
`E.
`
`F.
`
`Chandnani, Kolawa, Walls, and Huang Are All Analogous Art ....... 19
`
`General Motivations to Combine the Prior Art Teachings ................ 20
`
`IX. CHANDNANI IN VIEW OF KOLAWA RENDERS THE
`PETITIONED CLAIMS 3-5, 12-16, AND 18-19 INVALID AS
`OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 1) ................................... 21
`
`A.
`
`Claim 1 ............................................................................................... 21
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`Claim 1 – preamble .................................................................. 21
`
`Claim element 1[a] – receiving a stream of code .................... 22
`
`Claim element 1[b] – determining a programming
`language ................................................................................... 22
`
`Claim element 1[c] – instantiating a scanner ........................... 23
`
`Claim element 1[d] – scanner with language-specific
`rules .......................................................................................... 23
`
`a.
`
`Claim element 1[e] - parser rules .................................. 24
`
`
`
`
`sf-3590040
`
`ii
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`Table of Contents
`(continued)
`
`Page
`
`b.
`
`Claim element 1[f] - analyzer rules ............................... 25
`
`Claim element 1[g] – identifying tokens ................................. 26
`
`Claim element 1[h] – dynamically building a parse tree ......... 27
`
`6.
`
`7.
`
`a.
`
`b.
`
`Building a parse tree ...................................................... 27
`
`Dynamically building .................................................... 32
`
`8.
`
`Claim element 1[i] – dynamically detecting exploits .............. 33
`
`a.
`
`b.
`
`Detecting potential exploits ........................................... 34
`
`Dynamically detecting ................................................... 35
`
`9.
`
`Claim element 1[j] – indicating presence of exploits .............. 36
`
`B.
`
`Claim 9 ............................................................................................... 36
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`6.
`
`7.
`
`8.
`
`9.
`
`Claim 9 – preamble .................................................................. 38
`
`Claim element 9[a] – computer-readable storage medium ...... 38
`
`Claim element 9[b] – receiver.................................................. 39
`
`Claim element 9[c] – multi-lingual language detector ............ 39
`
`Claim element 9[d] – scanner instantiator ............................... 40
`
`Claim element 9[e] – rules accessor ........................................ 41
`
`Claim elements 9[f]-[g] – parser and analyzer rules ............... 42
`
`Claim element 9[h] – tokenizer................................................ 42
`
`Claim element 9[i] – parser ...................................................... 42
`
`10. Claim element 9[j] – analyzer .................................................. 43
`
`11. Claim element 9[k] – notifier ................................................... 44
`
`C.
`
`Dependent Claim 3: “The method of claim 1 wherein the parser
`rules and analyzer rules include actions to be performed when
`rules are matched” .............................................................................. 45
`
`D. Dependent Claim 4: “The method of claim 1 wherein the
`specific programming language is JavaScript” .................................. 47
`
`
`
`
`sf-3590040
`
`iii
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`Table of Contents
`(continued)
`
`Page
`
`E.
`
`F.
`
`Dependent Claim 5: “The method of claim 1 wherein the
`specific programming language is Visual Basic VBScript” .............. 47
`
`Dependent Claim 12: “The system of claim 9 wherein said
`parser comprises a pattern-matching engine, for matching a
`pattern within a sequence of tokens in accordance with the
`parser rules accessed by said rules accessor” ..................................... 48
`
`G. Dependent Claim 13: “The system of claim 12 wherein the
`parser rules accessed by said rules accessor are represented as
`finite-state machines” ......................................................................... 49
`
`H. Dependent Claim 14: “The system of claim 12 wherein the
`parser rules are represented as pattern expression trees” ................... 49
`
`I.
`
`J.
`
`Dependent Claim 15: “The system of claim 12 wherein parser
`rules are merged into a single deterministic finite automaton
`(DFA)” ................................................................................................ 50
`
`Dependent Claim 16: “The system of claim 9 wherein the
`parser rules and analyzer rules include actions to be performed
`when rules are matched” .................................................................... 51
`
`K. Dependent Claim 18: “The system of claim 9 wherein the
`parser rules and analyzer rules include actions to be performed
`when rules are matched” .................................................................... 51
`
`L.
`
`Dependent Claim 19: “The system of claim 9 wherein the
`parser rules and analyzer rules include actions to be performed
`when rules are matched” .................................................................... 52
`
`X.
`
`CHANDNANI IN VIEW OF KOLAWA AND HUANG RENDERS
`THE PETITIONED CLAIMS 6-7 AND 20-21 INVALID AS
`OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 2) ................................... 52
`
`A. Dependent Claim 6: “The method of claim 1 wherein the
`specific programming language is HTML” ....................................... 52
`
`
`
`
`sf-3590040
`
`iv
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`Table of Contents
`(continued)
`
`Page
`
`B.
`
`C.
`
`Dependent Claim 7: “The method of claim 1 wherein the
`specific programming language is Uniform Resource Identifier
`(URI)” ................................................................................................. 53
`
`Dependent Claim 20: “The system of claim 9 wherein the
`specific programming language is HTML” ....................................... 54
`
`D. Dependent Claim 21: “The system of claim 9 wherein the
`specific programming languages language is Uniform Resource
`Identifier (URI)” ................................................................................. 54
`
`XI. CHANDNANI IN VIEW OF KOLAWA AND WALLS RENDERS
`THE PETITIONED CLAIMS 3-5, 12-16, AND 18-19 INVALID AS
`OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 3) ................................... 54
`
`A. Dynamically building a parse tree ...................................................... 55
`
`B.
`
`Dynamically detecting potential exploits ........................................... 57
`
`XII. CHANDNANI IN VIEW OF KOLAWA, WALLS, AND HUANG
`RENDERS THE PETITIONED CLAIMS 6-7 AND 20-21 INVALID
`AS OBVIOUS UNDER 35 U.S.C. § 103 (GROUND 4) ............................. 58
`
`XIII. NO SECONDARY CONSIDERATIONS OF NON-OBVIOUSNESS
`EXIST ........................................................................................................... 59
`
`
`
`
`
`
`sf-3590040
`
`v
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`List of Exhibits
`
`Exhibit No.
`
`Description of Document
`
`1001
`
`1002
`
`1003
`
`1004
`
`1005
`
`1006
`
`1007
`
`1008
`
`1009
`
`1010
`
`1011
`
`1012
`
`1013
`
`1014
`
`1015
`
`1016
`
`1017
`
`1018
`
`U.S. Patent No. 8,225,408 (“the ’408 patent”)
`
`Declaration of Dr. Aviel D. Rubin
`
`U.S. Patent No. 7,636,945 (“Chandnani”)
`
`U.S. Patent No. 5,860,011 (“Kolawa”)
`
`U.S. Patent No. 7,284,274 (“Walls”)
`
`U.S. Patent No. 7,437,362 (“Ben-Natan” or the “Ben-Natan
`Patent”)
`Ron Ben-Natan, “Protecting Your Payload,” SQL Server Magazine,
`Vol. 5, No. 8 (August 2003) (the “Ben-Natan Article”)
`
`U.S. Patent No. 6,697,950 (“Ko”)
`
`U.S. Patent No. 7,210,041 (“Gryaznov”)
`
`Mihai Christodorescu & Somesh Jha, “Static Analysis of
`Executables to Detect Malicious Patterns,” Proc. of the 12th
`USENIX Security Symposium, at 169-86 (Aug. 7, 2003)
`(“Christodorescu”)
`
`U.S. Patent No. 8,185,003 (“Bayliss”)
`
`U.S. Patent No. 7,546,234 (“Deb”)
`
`David Wagner and Drew Dean, “Intrusion Detection via Static
`Analysis,” In Proc. IEEE Symposium on Security and Privacy
`(2001) (“Wagner”)
`Microsoft Press, Computer Dictionary, 3rd ed. (1997) (Excerpt)
`
`U.S. Patent No. 7,950,059 (“Aharon”)
`
`Yichen Xie, et al., “ARCHER: Using Symbolic, Path-Sensitive
`Analysis to Detect Memory Access Errors,” Proc. of the 10th ACM
`SIGSOFT International Symposium on Foundations of Software
`Engineering (Sept. 2003) (“ARCHER”)
`
`U.S. Patent No. 7,207,065 (“Chess”)
`
`James F. Power and Brian A. Malloy, “Program Annotation in
`XML: A Parse Tree-Based Approach,” 9th IEEE Working
`
`
`
`
`sf-3590040
`
`vi
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`List of Exhibits
`
`Exhibit No.
`
`Description of Document
`Conference on Reverse Engineering (Nov. 1, 2002) (“Power”)
`
`1019
`
`1020
`
`1021
`
`1022
`
`1023
`
`1024
`
`1025
`
`1026
`
`1027
`
`1028
`
`1029
`
`1030
`
`1031
`
`1032
`
`1033
`
`1034
`
`1035
`
`1036
`
`1037
`
`
`
`
`sf-3590040
`
`U.S. Patent No. 6,061,513 (“Scandura”)
`
`Stephen C. Johnson, “YACC: Yet Another Compiler Computer,”
`Bell Laboratories, Murray Hill, NJ (1978) (“YACC”)
`Excerpt of the File History of U.S. Patent No. 8,225,408 (“408 File
`History”)
`
`Curriculum Vitae of Dr. Aviel Rubin
`
`F-SCRIPT, F-Secure Script Viruses Detector and Eliminator,
`Version 1.6, Data Fellows Corp. (1998-99)
`
`U.S. Patent Application Publication No. 2004/0181677 (“Hong”)
`Webster’s New World Computer Dictionary, 9th ed. (2001)
`David M. Chess and Steve R. White, “An Undetectable Computer
`Virus” (“Chess and White”)
`Symantec.com, “Updating virus definitions on a daily basis with
`Symantec AntiVirus”
`
`Wikipedia.org, “Lexical Analysis”
`Computer Desktop Encyclopedia, 2nd ed. (1999)
`David Patterson and John Hennessy, “Computer Organization &
`Design, The Hardware / Software Interface” (1994)
`
`U.S. Patent No. 5,996,059 (“Porten”)
`
`John Lockwood, “Internet Worm and Virus Protection for Very
`High-Speed Networks” (August 1998)
`Sebastian Gerlach and Roger D. Hersch, “DPS – Dynamic Parallel
`Schedules,” IEEE Press (2003)
`B. Ramakrishna Rau and Joseph A. Fisher, “Instruction-Level
`Parallel Processing: History, Overview, and Perspective,” The
`Journal of Supercomputing (1993)
`
`U.S. Patent Application No. 08/964,388
`
`U.S. Patent Application No. 09/539,667
`Webster’s New World Dictionary of Computer Terms, 5th ed.
`
`vii
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`List of Exhibits
`
`Exhibit No.
`
`Description of Document
`
`(1994)
`
`1038
`
`1039
`
`1040
`
`1041
`
`1042
`
`1043
`
`1044
`
`1045
`
`1046
`
`J. Mark Smith, et al., “Protecting a Private Network: The AltaVista
`Firewall,” Digital Technical Journal (1997)
`
`Martin Hitz and Behzad Montazeri, “Measuring Coupling and
`Cohesion in Object-Oriented Systems” (“Hitz”)
`
`Intentionally Left Blank
`Testimony of Stephen R. Malphrus, “The ‘I Love You’ computer
`virus and the financial services industry,” Before the Subcommittee
`on Financial Institutions of the Committee on Banking, Housing,
`and Urban Affairs, U.S. Senate, May 18, 2000
`
`Intentionally Left Blank
`
`ccm.net, “The Klez Virus” (September 2015)
`
`Jakob Nielsen, “100 Million Websites”
`
`Margrethe H. Olson, “Remote Office Work: Changing Work
`Patterns In Space and Time” (March 1983)
`
`“Intrusion Detection Systems,” Group Test (Edition 2), An NSS
`Group Report (December 2001)
`
`1047
`
`Carey Nachenberg, “The Evolving Virus Threat” (“Nachenberg”)
`
`Dmitry O. Gryaznov, “Scanners of the Year 2000: Heuristics,”
`Virus Bulletin (1995)
`
`Emin Gun Sirer, et al., “Design and Implementation of a
`Distributed Virtual Machine for Networked Computers,” 33 ACM
`SIGOPS Operating Systems Review 202 (Dec. 5, 1999) (“Sirer”)
`
`Frederick B. Cohen, “A Short Course on Computer Viruses” (1990)
`(Excerpt)
`
`U.S. Patent No. 5,842,002 (“Schnurer”)
`
`Hal Berghel, “The Client Side of the Web” (April 8, 1996)
`
`w3schools.com, “My First JavaScript Tutorial”
`
`viii
`
`
`
`1048
`
`1049
`
`1050
`
`1051
`
`1052
`
`1053
`
`
`
`
`sf-3590040
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`List of Exhibits
`
`Exhibit No.
`
`Description of Document
`
`1054
`
`1055
`
`Sarah Gordon and David Chess, “Attitude Adjustment: Trojans and
`Malware on the Internet”
`
`Stephane Bressan and Thomas Lee, “Information Brokering on the
`World Wide Web” (June 1997)
`
`1056
`
`David M. Chess, “Security Issues in Mobile Code Systems”
`
`1057
`
`Andrew W. Appel and Jens Palsberg, “Modern Compiler
`Implementation in Java,” 2nd ed. (2002) (Excerpt)
`
`1058
`
`Graham Hutton, “Higher-Order Functions for Parsing” (July 1992)
`
`1059
`
`1060
`
`1061
`
`1062
`
`1063
`
`1064
`
`John Lockwood, et al., “An Extensible, System-On-Programmable-
`Chip, Content-Aware Internet Firewall”
`
`“M86 Security Acquires Finjan,” Reuters Business Wire (Nov. 3,
`2009)
`
`Final Office Action, Ex Parte Reexamination of U.S. Patent No.
`7,647,633 (May 22, 2015)
`
`U.S. Patent No. 6,968,539 (“Huang”)
`
`The Authoritative Dictionary of IEEE Standards Terms (7th ed.)
`(Except)
`John E. Hopcraft et al., Introduction to Automata Theory,
`Language and Computation § 2.2.1 (2001) (Except)
`
`
`
`
`
`
`sf-3590040
`
`ix
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`I.
`
`INTRODUCTION
`
`Pursuant to 35 U.S.C. §§ 311-319 and 37 C.F.R. § 42, Palo Alto Networks,
`
`Inc. (“Petitioner”) petitions for inter partes review (“IPR”) of claims 3-7, 12-16,
`
`and 18-21 (the “Petitioned Claims”) of U.S. Patent No. 8,225,408 (Ex. 1001),
`
`assigned on its face to Finjan, Inc. The ’408 patent is directed to protecting
`
`computers against potentially malicious programs using a programming language-
`
`specific set of rules and a “parse tree” data structure.
`
`When the ’408 patent was filed in 2004, there was already a crowded field of
`
`prior art security software that analyzed computer code for security problems such
`
`as viruses and other malicious code. After approximately four years of prosecution
`
`without a single allowed claim, the patentee was forced to amend each of the
`
`independent claims from which the Petitioned Claims depend to add two elements:
`
`(1) multi-language scanning capability; and (2) the ability to “dynamically”
`
`analyze a parse tree as it was being built. But numerous prior art references that
`
`were not before the Examiner—including the primary references discussed in this
`
`Petition—confirm that these features were both well-known and obvious for use in
`
`security scanners.
`
`The Chandnani patent, for example, teaches dynamically parsing a data
`
`stream to detect computer viruses in a multi-language environment. It was obvious
`
`to use a parse tree data structure with Chandnani for storing suspect programs, as
`1
`
`
`sf-3590040
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`in the ’408 patent. And it was obvious to combine Chandnani with other prior art,
`
`such as Kolawa, that expressly taught using a parse tree to represent and analyze
`
`programming code, because both Chandnani and Kolawa taught parsing code and
`
`then searching for patterns that identify problematic code. Chandnani in
`
`combination with Kolawa and other prior art references described in this Petition
`
`therefore render the Petitioned Claims invalid as obvious.
`
`II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1)
`
`A. Real Party-ln-Interest Under 37 C.F.R. § 42.8(b)(1)
`
`Petitioner Palo Alto Networks, Inc. is the real party-in-interest.
`
`B. Related Matters Under 37 C.F.R. § 42.8(b)(2)
`
`Finjan, Inc. (“Patent Owner” or “Finjan”) has asserted the ’408 patent in
`
`Finjan, Inc. v. FireEye, Inc., 4:13-cv-03133 (N.D. Cal. July 8, 2013); Finjan, Inc.
`
`v. Websense, Inc., 5:13-cv-04398 (N.D. Cal. Sept. 23, 2013); Finjan, Inc. v.
`
`Proofpoint, Inc., 3:13-cv-05808 (N.D. Cal. Dec. 16, 2013); Finjan, Inc. v. Palo
`
`Alto Networks, Inc., No. 4:14-cv-04908, (N.D. Cal. November 4, 2014); Finjan,
`
`Inc. v. Blue Coat Systems, Inc., No. 5:15-cv-03295 (N.D. Cal. July 15, 2015)
`
`Petitioner previously filed a petition for inter partes review of U.S. Patent No.
`
`8,225,408, requesting IPR of claims 1, 9, 22, 23, 29, and 35. Petitioner has also
`
`filed, or is filing, petitions for inter partes review of U.S. Patent Nos. 6,804,780;
`
`6,965,968; 7,058,822; 7,418,731; 7,613,918; 7,613,926; 7,647,633; 8,141,154; and
`
`
`sf-3590040
`
`2
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`8,677,494, which are assigned to Patent Owner.
`
`C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)
`
`Lead Counsel
`
`Back-Up Counsel
`
`Back-Up Counsel
`
`Matthew I. Kreeger
`Reg. No. 56,398
`MORRISON &
`FOERSTER LLP
`425 Market Street
`San Francisco, CA 94105
`MKreeger@mofo.com
`Tel: (415) 268-6467
`Fax: (415) 268-7522
`
`Jonathan Bockman
`Reg. No. 45,640
`MORRISON &
`FOERSTER LLP
`1650 Tysons Boulevard
`McLean, VA 22102
`JBockman@mofo.com
`Tel: (703) 760-7769
`Fax: (703) 760-7777
`
`Matthew Chivvis
`Reg. No. 61,256
`MORRISON &
`FOERSTER LLP
`425 Market Street
`San Francisco, CA 94105
`MChivvis@mofo.com
`Tel: (415) 268-7307
`Fax: (415) 268-7522
`
`Pursuant to 37 C.F.R. § 42.8(b)(4), service information for lead and back-up
`
`counsel is provided above. Petitioner consents to electronic service by email to
`
`FinjanPANMofoTeam@mofo.com.
`
`III. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. §§ 42.104
`AND 42.108
`
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a)
`
`Petitioner certifies that the ’408 patent is eligible for IPR and further
`
`certifies that Petitioner is not barred or estopped from requesting this IPR.
`
`B.
`
`Identification of Challenge Under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested
`
`Petitioner requests IPR of claims 3-7, 12-16, and 18-21 of the ’408 patent
`
`and requests that each claim be found unpatentable. An explanation of why each
`
`claim is unpatentable under the grounds identified in Table 1 below is provided in
`
`
`sf-3590040
`
`3
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`Section VIII. Additional explanation and support
`
`for each ground of
`
`unpatentability are set forth in the Declaration of Dr. Aviel Rubin (Ex. 1002), an
`
`expert in the field.
`
`Table 1 – Asserted Grounds of Unpatentability
`
`Ground
`1
`
`2
`
`3
`
`4
`
`6, 7, 20, 21
`
`Basis for Challenge
`’408 Patent Claims
`3, 4, 5, 12-16, 18, 19 Obvious under § 103(a) by Chandnani in view
`of Kolawa
`Obvious under § 103(a) by Chandnani in view
`of Kolawa and Huang
`3, 4, 5, 12-16, 18, 19 Obvious under § 103(a) by Chandnani in view
`of Kolawa and Walls
`Obvious under § 103(a) by Chandnani in view
`of Kolawa, Walls, and Huang
`
`6, 7, 20, 21
`
`C. Threshold Requirement for Inter Partes Review Under 37 C.F.R.
`§ 42.108(c)
`
`Inter partes review of claims 3-7, 12-16, and 18-21 should be instituted
`
`because this Petition establishes a reasonable likelihood that Petitioner will prevail
`
`with respect to one or more of the challenged claims. 35 U.S.C. § 314(a).
`
`IV. BACKGROUND OF TECHNOLOGY RELATED TO THE ’408 PATENT
`
`Computer viruses have long been a major security problem. For example,
`
`viruses can damage a computer, perform unauthorized operations, or otherwise
`
`inconvenience a user. (Ex. 1002 ¶ 42.) Those in the art often refer to harmful or
`
`unauthorized programs as “malicious software” or “malware.” (Id. ¶ 43.)
`
`
`sf-3590040
`
`4
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
`A. Malware Detection
`
` Docket No. 719712801500
`
`Since at least 1988, antivirus software has served as a barrier between
`
`malware and the processor. (Id. ¶ 56.) The concept is to have a trusted program
`
`evaluate untrusted programs before they execute. (Id.)
`
`Security applications identify “exploits” (such as viruses) by scanning for a
`
`signature, i.e., a particular pattern of characters or instructions found in each
`
`instance of a known virus. (Id. ¶¶ 58-59; Ex. 1003 at 2:17-21.) Signature scanning
`
`requires a database of known patterns found in (and preferably only in) malware.
`
`(Ex. 1002 ¶ 59.) If the scanned program has the same sequence of bytes as a
`
`known malicious program, the scanner will not allow the program to run. (Id.) The
`
`problem with signature scanning is that it only recognizes malware after the
`
`malware has been identified and its signature placed in a database; it is therefore
`
`unable to protect against previously-unseen harmful programs. (Id. ¶ 60.)
`
`B.
`
`Static Analysis Using Parse Trees
`
`A polymorphic virus is a virus that can copy itself slightly differently as it
`
`spreads in order to change its signature and evade detection by signature scanners.
`
`(Id. ¶ 61; Ex. 1003 at 2:54-61.) Small changes, like the addition of extraneous
`
`program code, comments, or other changes, can create a new signature that is
`
`different from earlier versions of the same virus. (Ex. 1002 ¶¶ 61-62.)
`
`In 2004, one approach to detecting polymorphic viruses was known as
`
`
`sf-3590040
`
`5
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`“static analysis.” (See, e.g., Ex. 1008, Ex. 1010, Ex. 1002 ¶¶ 63-64.) Rather than
`
`looking for a specific pattern of bytes, static analysis involves a deeper “parsing”
`
`analysis of computer code to determine how the code is structured and expected to
`
`function. (Ex. 1002 ¶ 63.) Static analysis is particularly useful for detecting viruses
`
`in scripts because such viruses propagate in source code form, and source code can
`
`be parsed to ascertain the functions it will perform. (Id.; Ex. 1008 at Abstract.)
`
`One common static analysis method in 2004 was to create a representation
`
`of computer code in a “parse tree” data structure—the same technique disclosed in
`
`the ’408 patent. (See, e.g., Ex. 1009 at 5:3-5 (“[P]arser 20 processes the suspect
`
`string 26 and suspect [file] 27 on a line-by-line basis and generates a hierarchical
`
`parse tree, as is known in the art.”); Ex. 1007 at 5 (“[T]he firewall compares this
`
`parse tree with the rules you’ve devised.”); Ex. 1004 at 5:62-64 (“The quality of
`
`the source code 10 is checked on an individual parse tree basis.”); Ex. 1002 ¶¶ 65-
`
`70.)
`
`A parse tree is a representation of suspect code at a higher level of
`
`abstraction than the code itself. (Ex. 1002 ¶ 66.) Parse trees preserve the code’s
`
`structure and substantive patterns but remove details
`
`like spacing and
`
`capitalization. (Id.) Below are graphical representations of an example parse tree
`
`from a patent filed in 2003:
`
`
`sf-3590040
`
`6
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`
`
`(Ex. 1006 at Fig. 14; see also Ex. 1002 ¶ 66.)
`
`Parse trees are built by first converting a sequence of characters, such as a
`
`stream of code, into a sequence of “tokens,” or strings of related characters.
`
`(Ex. 1002 ¶¶ 67-69.) Token creation is performed using a process called “lexical
`
`analysis.” (Id. ¶ 69.) Then, a parsing process is used to convert tokens into nodes of
`
`a parse tree (such as “SELECT” or “WHERE” above) using “grammar” rules that
`
`describe the syntax of a particular computer programming language. (Id.)
`
`Parse trees can be used to abstract away extraneous details of the underlying
`
`code. (Ex. 1002 ¶¶ 66, 70, 72; Ex. 1011 at 13:33-50.) Parse trees are useful for
`
`detecting viral structures while ignoring details of the exact code used in the virus.
`
`(Ex. 1002 ¶¶ 71-72; Ex. 1012 at 2:14-17.) Parse tree detection methods are thus
`
`more robust than virus detection methods that compare a signature to those of
`
`
`sf-3590040
`
`7
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`known viruses. (Ex. 1002 ¶ 72.)
`
`Techniques for building parse trees were well known in 2004, when the ’408
`
`patent was filed. (Id. ¶ 68.) In fact, the Examiner of the application that issued as
`
`the ’408 patent noted that parsing is a fundamental and generally applicable
`
`method for dividing a sequence of characters into individual elements. (Ex. 1021 at
`
`34.)
`
`C. Malware and Vulnerability Detection
`
`By 2004, static analysis was commonly used in two closely related and
`
`overlapping sub-disciplines: malware detection and vulnerability detection (code
`
`quality analysis). (Ex. 1002 ¶¶ 71-76.) The person of ordinary skill in the art
`
`(“POSA”) recognized the extensive overlap between these two sub-disciplines
`
`because malware was often designed to exploit vulnerabilities in software. (Id.; see
`
`Ex. 1005 at 1:48-65; Ex. 1013 at 1.) For that reason, the POSA stayed current with
`
`(and sometimes taught) advancements in both disciplines. (Ex. 1002 ¶ 76.)
`
`V.
`
`SUMMARY OF THE ’408 PATENT
`
`A. Brief Description of the ’408 Patent
`
`The ’408 patent is directed at protecting computers against potentially
`
`malicious programs using programming language-specific sets of rules and a
`
`“parse tree” data structure. (Ex. 1001 at Title, Abstract; Ex. 1002 ¶¶ 83-86.) The
`
`’408 patent describes scanning an incoming stream of computer code by creating
`
`
`sf-3590040
`
`8
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`tokens, generating a parse tree using patterns in those tokens, and identifying
`
`patterns of tokens in the parse tree as potential exploits. (See id.) Patterns are
`
`identified using “parser rules” and “analyzer rules” specific to one of multiple
`
`programming languages.
`
`B.
`
`Petitioned Claims of the ’408 Patent
`
`Petitioned Claims 3-7 depend from independent claim 1, and Petitioned
`
`Claims 12-16 and 18-21 depend directly or indirectly from independent claim 9.
`
`Petitioned Claims 3-7, 16, 18-21 recite essentially the same elements in method
`
`(claims 3-7) and system (claims 16 and 18-21) form, respectively. Petitioned
`
`Claims 12-15 depend directly or indirectly from claim 9. The elements of
`
`representative independent claim 1 are shown below:
`
`No.
`Claim Limitation
`1[pre] A computer processor-based multi-lingual method for scanning incoming
`program code, comprising:
`
`1[a]
`
`receiving, by a computer, an incoming stream of program code;
`
`1[b] determining, by the computer, any specific one of a plurality of
`programming languages in which the incoming stream is written;
`
`1[c]
`
`1[d]
`
`instantiating, by the computer, a scanner for the specific programming
`language, in response to said determining,
`
`the scanner comprising parser rules and analyzer rules for the specific
`programming language,
`
`1[e] wherein the parser rules define certain patterns in terms of tokens, tokens
`being lexical constructs for the specific programming language, and
`1[f] wherein the analyzer rules identify certain combinations of tokens and
`patterns as being indicators of potential exploits, exploits being portions of
`
`
`sf-3590040
`
`9
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,225,408
`
` Docket No. 719712801500
`
`No.
`
`1[g]
`
`Claim Limitation
`program code that are malicious;
`
`identifying, by the computer, individual tokens within the incoming
`stream;
`
`1[h] dynamically building, by the computer while said receiving receives the
`incoming stream, a parse tree whose nodes represent tokens and patterns in
`accordance with the parser rules;
`
`1[i]
`
`dynamically detecting, by the computer while said dynamically building
`builds the parse tree, combinations of nodes in the parse tree which are
`indicators of potential exploits, based on the analyzer rules; and
`
`1[j]
`
`indicating, by the computer, the presence of potential exploits within the
`incoming stream, based on said dynamically detecting.
`
`The additional elements of the Petitioned Claims are shown below:
`
`No.
`Claim Limitation
`3 and 16 wherein the parser rules and actions analyzer rules include actions to be
`performed when rules are matched
`
`4 and 18 wherein the specific programming language is JavaScript
`
`5 and 19 wherein the specific programming language is Visual Basic script
`
`6 and 20 wherein the specific programming language is HTML
`
`7 and 21 wherein the specific programming language is Uniform Resource
`Identifier (URI)
`
`12
`
`13
`
`14
`
`15
`
`wherein said parser comprises a pattern-matching engine, for matching
`a pattern within a sequence of tokens in accordance with the parser
`rules accessed by said rules accessor
`
`wherein the parser rules accessed by said rules accessor are represented
`as finite-state machines
`
`wherein the parser rules are rep

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket