Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`
`
`Palo Alto Networks, Inc.
`Petitioner
`
`v.
`
`Finjan, Inc.
`Patent Owner
`
`U.S. Patent No. 8,677,494
`Filing Date: Nov. 7, 2011
`Issue Date: Mar. 18, 2014
`Title: Malicious Mobile Code Runtime Monitoring System and Methods
`
`
`
`Inter Partes Review No. 2016-00159
`
`Petition for Inter Partes Review of U.S. Patent No. 8,677,494
`
`
`
`

`
`Table of Contents
`
`
`INTRODUCTION .............................................................................................. 1
`MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1) ..................................... 2
`A.
`Real Party-ln-Interest Under 37 C.F.R. § 42.8(b)(1) ........................... 2
`B.
`Related Matters Under 37 C.F.R. § 42.8(b)(2) .................................... 2
`C.
`Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3) .................. 3
`D.
`Service Information .............................................................................. 3
`E.
`Power of Attorney ................................................................................ 3
`PAYMENT OF FEES - 37 C.F.R. § 42.103 ............................................................ 3
`REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. §§
`42.104 AND 42.108 ............................................................................................ 4
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a) ............................ 4
`B.
`Identification of Challenge Under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested ................................................ 4
`Status of the Cited References as Prior Art .......................................... 5
`1.
`Touboul is prior art .................................................................... 6
`2.
`Swimmer is prior art .................................................................. 6
`3.
`The Ji patent is prior art ............................................................. 7
`4. Martin is prior art ....................................................................... 7
`Threshold Requirement for Inter Partes Review 37 C.F.R.
`§ 42.108(c) ............................................................................................ 8
`BACKGROUND OF TECHNOLOGY RELATED TO THE ʼ494 PATENT ................ 8
`SUMMARY OF THE ʼ494 PATENT ................................................................... 10
`A.
`Brief Description of the ʼ494 Patent .................................................. 10
`B.
`The Petitioned Claims of the ʼ494 Patent .......................................... 12
`C.
`Priority Dates of the Petitioned Claims .............................................. 13
`1.
`Claimset 2 – Claims 2 and 11 lack written description
`support until May 26, 2009 ...................................................... 14
`Claimset 3 – Claims 7, 8, 16 and 17 lack written
`description support until May 7, 2006 ..................................... 14
`
`C.
`
`D.
`
`2.
`
`i
`
`
`
`
`I.
`II.
`
`III.
`IV.
`
`V.
`VI.
`
`
`
`
`
`

`
`
`
`Table of Contents
`(continued)
`
`3.
`
`4.
`
`Claimset 1 – The priority date for claims 1, 3-6, 9, 10,
`12-15, and 18 is March 30, 2000 ............................................. 15
`Claimset 1 – Even if Patent Owner can fix the ‘822
`patent, the earliest possible priority date for claims 1, 3-6,
`9, 10, 12-15, and 18 is Nov. 6, 1997 ........................................ 18
`VII. CLAIM CONSTRUCTION UNDER 37 C.F.R. § 42.104(B)(3) ............................... 19
`A.
`Legal Overview .................................................................................. 19
`B.
`“Downloadable security profile data” (all claims) ............................. 19
`C.
`“Database” (all claims) ....................................................................... 21
`D.
`“Downloadable” (all claims) .............................................................. 23
`VIII. PERSON HAVING ORDINARY SKILL IN THE ART & STATE OF THE ART ...... 23
`IX.
`CLAIMS 1-18 OF THE ʼ494 PATENT ARE UNPATENTABLE ............................ 24
`A. Overview of Touboul ......................................................................... 25
`B. Overview of Swimmer ....................................................................... 25
`C. Overview of Ji .................................................................................... 26
`D. Overview of Martin ............................................................................ 27
`E.
`Touboul, Swimmer, Ji, and Martin Are All Analogous Art .............. 28
`F.
`Ground 1 – Claims 1, 3-6, 9, 10, 12-15, and 18 Are Anticipated
`Under 35 U.S.C. § 102 by Touboul ................................................... 29
`1.
`Claim 1 ..................................................................................... 29
`2.
`Claim 10 – A System Implementing the Method of Claim
`1 ................................................................................................ 31
`a.
`Claim element 10[d] – Database Manager .................... 31
`Claims 3-5 & 12-14 – Specific types of Downloadables ........ 32
`3.
`Claims 6 & 15 – Specific suspicious computer operations ..... 32
`4.
`Claims 9 & 18 – Disassembling downloadables ..................... 33
`5.
`G. Ground 2 – Touboul, or Touboul in light of Swimmer Renders
`Claims 2 & 11 Obvious Under 35 U.S.C. § 103(a) ........................... 33
`H. Ground 3 – Touboul, or Touboul in Light of Ji Renders Claims
`7 & 16 Obvious Under 35 U.S.C. § 103(a) ........................................ 36
`
`
`
`
`
`ii
`
`
`
`

`
`Ground 4 – Touboul Renders Claims 8 & 17 Obvious Under 35
`U.S.C. § 103(a) ................................................................................... 38
`Ground 5 – Swimmer Renders Claims 1-2, 6, 10-11, and 15
`Obvious Under 35 U.S.C. § 103(a) .................................................... 40
`1.
`Claim 1 ..................................................................................... 40
`a.
`Claim element 1[b] – Receiving .................................... 43
`b.
`Claim element 1[c] – Deriving Security Profile
`Data ................................................................................ 44
`Claim element 1[d] – Database ..................................... 46
`c.
`Claim 10 ................................................................................... 47
`a.
`Claim element 10[b] – Receiver .................................... 47
`b.
`Claim element 10[c] – Downloadable Scanner ............. 48
`c.
`Claim element 10[d] – Database Manager .................... 49
`Claims 2 and 11 – Date and Time ............................................ 49
`Claims 6 and 15 – Specific Types of Suspicious
`Operations ................................................................................ 50
`K. Ground 6 – Swimmer in Light of Martin Renders Claims 3-5
`and 12-14 Obvious Under 35 U.S.C. § 103(a) ................................... 51
`No Secondary Considerations of Non-obviousness Exist ................. 54
`L.
`CONCLUSION ................................................................................................ 55
`
`2.
`
`3.
`4.
`
`I.
`
`J.
`
`
`
`X.
`
`
`
`
`
`
`Table of Contents
`(continued)
`
`iii
`
`
`
`

`
`List of Exhibits
`
`
`
`Exhibit
`Description of Document
`No.
`1001 U.S. Patent No. 8,677,494 to Edery, et al. (“the ʼ494 patent”)
`1002 Declaration of Dr. Aviel D. Rubin
`Excerpts from trial transcripts of Finjan, Inc. v. Symantec Corp., et al.,
`1003
`Case No. 10-593-GMS (December 12, 2012)
`1004 Virus Bulletin (May 1996)
`ThunderBYTE Anti-Virus Utilities-User Manual (1996)
`1005
`(“ThunderBYTE”, or “TB”)
`Morton Swimmer, “Dynamic Detection and Classification of Computer
`1006
`Viruses Using General Behaviour Patterns” (Sept. 1995)
`INFOWorld (Dec. 11, 1995)
`1007
`1008 U.S. Patent No. 5,761,436 (“the ʼ436 Patent”)
`1009 U.S. Patent No. 5,925,106 (“the ʼ106 Patent”)
`1010 U.S. Patent No. 5,983,348 (“Ji”)
`Dmitry O. Gryaznov, “Scanners of the Year 2000: Heuristics, Virus
`1011
`Bulletin Conference” (Sept. 1995)
`1012 The Virus Bulletin (Sept. 1995)
`1013 U.S. Patent No. 6,092,194 (“the ʼ194 Patent”)
`1014 U.S. Patent Application No. 09/861,229 (“the ʼ229 Application”)
`1015 U.S. Patent No. 7,613,926 (“the ʼ926 Patent”)
`1016 U.S. Patent No. 7,058,822 (“the ʼ822 Patent”)
`Decision Granting Petition to Accept Unintentionally Delayed Priority
`1017
`Claim Under 37 C.F.R. U.S. Patent No 7,058,822 File History
`1018 SurfinGate Press Release (1996)
`Joint Claim Construction and Pre-Hearing Statement Pursuant to Patent
`Local Rule 4-3. Finjan v. Proofpoint, Inc., and Armorize Technologies,
`Inc. (Jan. 26, 2015)
`1020 U.S. Patent No. 6,154,844 (“the ʼ844 Patent”)
`Elmasri and Navathe, Fundamentals of Database Systems, 2d. Ed.,
`1021
`Addison-Wesley Publishing Co. (1994)
`
`1019
`
`
`
`
`
`iv
`
`
`
`

`
`List of Exhibits
`
`
`
`Exhibit
`No.
`1022
`
`1023
`
`
`
`
`
`Description of Document
`Terry Halpin, Conceptual Schema Relational Database Design, 2d. Ed.,
`Prentice Hall Australia (1995)
`Order Construing the Terms of U.S. Patent Nos. 6,092,194; 6,804,780;
`7,058,822; 6,357,010; and 7,185,361, Finjan v. Secure Computing
`Corp., et al. Case 1:06-cv-00369-GMS (Dec. 11, 2007) (D.I. 142)
`Order Construing the Terms of U.S. Patent Nos. 6,092,194 & 6,480,962
`1024
`Finjan v. McAfee, Inc., et al. Case No. 10-cv-593-GMS (Feb. 29, 2012)
`1025 Excerpted U.S. Patent No. 8,677,494 File History
`International Publ. No. WO 98/21683 to Touboul (“Touboul”)
`1026
`1027 Provisional Patent Application No. 60/030,639
`CheckPoint Software Technologies Ltd., Press Release, “Leading
`Content Security Vendors Announce Support for Check Point FireWall-
`13.0” (Oct. 7, 1996)
`1029 Great Circle, Firewalls Mailing List and Correspondence
`1030 Glenn Fowler , “cql – A Flat File Database Query Language” (1994)
`1031 Webpage: Welcome to Finjan Software (Dec. 1996)
`Paul Merenbloom, “Don’t Let Rogue Java Applets Imperil Network
`1032
`Security” (Dec. 1996)
`1033 Rohit Khare, Microsoft Authenticode Analyzed (July 22, 1996)
`David Chappell, Understanding ActiveX and OLE: A Guide for
`1034
`Developers and Managers (Strategic Technology) (1996) (“Chappell”)
`1035 Dan Raywood, Press Release - M86 Security completes acquisition of
`Finjan (Nov. 3, 2009)
`iMPERVA, Hacker Intelligence Initiative, Monthly Trend Report #14
`(2012)
`1037 Curriculum Vitae of Dr. Aviel Rubin
`1038 The Virus Bulletin Paper (Nov. 1994)
`1039 Drew Dean, et al. “Java Security: Web Browsers and Beyond” (1997)
`1040 Chung Kei Wong, “PGP Enhancement to Java Applet” (1996)
`1041 Pat Newcombe, “Librarians in Quandary Over Web Access” (1996)
`
`v
`
`1028
`
`1036
`
`

`
`List of Exhibits
`
`
`
`1046
`
`Exhibit
`Description of Document
`No.
`1042 Phillip A. Porras, et al. “Live Traffic Analysis of TCP/IP Gateways”
`(1997)
`1043 Steve Suehring MySQL Bible (2002)
`1044 Press Release:“Microsoft Announces ActiveX Technologies” (1996)
`1045 U.S. Patent No. 6,268,852 (“the ʼ852 Patent”)
`Press Release, “Netscape and Sun Announce JavaScript, the Open,
`Cross-Platform Object Scripting Language for Enterprise Networks and
`the Internet” (1995)
`1047 David M. Martin, et al. “Blocking Applets at the Firewall” (1997)
`1048 Benjamin Schwarz, et al. “Disassembly of Executable Code
`Revisited” (2002)
`1049 Karen Kent, et al. “Guide to Computer Security Log Management”
`(2006)
`1050 Webpage: Wikipedia, Syslog
`1051 Python Documentation by Version
`Jaime Jaworski “JAVA Developer’s Guide” (1996)
`1052
`1053 Colin Jackson, et al. “Protecting Browser State from Web Privacy
`Attacks” (2006)
`1054
`JavaScript Security: Same Origin (2001)
`Li Gong, et al. “Going Beyond the Sandbox: An Overview of the New
`1055
`Security Architecture in the Java Development Kit 1.2” (1997)
`1056 Douglas Terry, et al. “Continuous Queries over Append-Only
`Databases” (1992)
`1057 Drew Dean, et al. “Java Security: From HotJava to Netscape and
`Beyond” (1996)
`1058 Webpage: “Crackers Shuffle Cash with Quicken, ActiveX” (1997)
`1059 Alan Mark, “Exploring the NetWare Web Server, Part 3: A Complete
`Innerweb Solution” (1996)
`
`
`
`
`
`vi
`
`
`
`

`
`List of Exhibits
`
`Exhibit
`Description of Document
`No.
`1060 Larry Masinter, “Document Management, Digital Libraries and the
`Web” (1995)
`1061 Dr. Eugene Spafford Declaration (March 20, 2015)
`1062 Virus Bulletin (Nov. 1991)
`1063 Claim Construction Order, Finjan v. Sophos, Case No. 14-cv-01197-
`WHO, D.I. 73 (N.D. Cal., 2014)
`1064 Finjan, Inc. v. Symantec Corp., et al. 2013 WL 5302560 (D. Del. Sept.
`19, 2013)
`1065 U.S. Patent No. 5,696,822 (“Nachenberg”)
`1066 Virus Bulletin (Sept. 1994)
`Excerpts from trial transcripts of Finjan, Inc. v. Secure Computing, et
`1067
`al. Case No. 05-369-GMS (March 10, 2008)
`1068 Riel & Feng, Documentation for /proc/sys/kernel/* (2009)
`1069 U.S. Patent Application No. 11/370,114
`1070 U.S. Patent Application No. 09/861,229
`1071 U.S. Patent Application No. 09/539,667
`1072 U.S. Patent Application No. 09/551,302
`1073 U.S. Provisional Patent Application No. 60/205,591
`1074 U.S. Patent Application No. 08/964,388
`1075 U.S. Patent Application No. 08/790,097
`1076 Webpage: Oracle 3.4 JDK 1.4 java.util.logging
`Sun Press Release “Sun Announces Latest Version of Java 2 Platform
`1077
`Standard Edition (February 6, 2002)
`1078 Webpage: Oracle 2.3 Logging Framework
`Michael Reiter and Aviel Rubin “Crowds: Anonymity for Web
`1079
`Transactions
`1080 Webpage: Oracle man pages section 3: Basic Library Functions
`1081 Stephen Hansen and E. Todd Atkins “Automated System Monitoring
`
`vii
`
`
`
`
`
`
`
`

`
`List of Exhibits
`
`Exhibit
`No.
`
`Description of Document
`and Notification with Swatch” (November 1-5, 1993)
`Final Office Action mailed September 8, 2014, in U.S. Control No.
`1082
`90/013,017
`IBM Dictionary of Computing (1994)
`1083
`1084 Ray Duncan, Advanced MS-DOS Programming, 2nd Ed. (1988)
`Insik Shin and John C., Mitchell “Java Bytecode Modification and
`1085
`Applet Security” (1998)
`1086 U.S. Patent No. 6,061,515 to Chang, et al. (“the ʼ515 patent”)
`1087 Fred R. McFadden et al. Modern Database Management, 4th Ed. (1994)
`1088 Declaration of John Hawes of Virus Bulletin
`
`
`
`
`
`
`
`
`
`viii
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`I.
`
`INTRODUCTION
`Palo Alto Networks, Inc. (“Petitioner”) petitions for inter partes review
`
`(“IPR”) under 35 U.S.C. §§ 311-319 and 37 C.F.R. § 42 of claims 1-18 (the
`
`“Petitioned Claims”) of U.S. Patent No. 8,677,494 (the “ʼ494 patent”). (Ex. 1001.)
`
`The ʼ494 patent is directed at protecting computers from potentially-
`
`malicious programs in the form of “Downloadables,” such as programs that a user
`
`might download on her computer from the Internet or a CD-ROM. The claims of
`
`the ’494 patent are extremely broad and cover basic concepts that were well-
`
`known at the time of the alleged inventions. Specifically, the ʼ494 patent claims
`
`analyzing Downloadables to derive and store “digital security profile” (DSP) data.
`
`DSP data identifies suspicious operations the Downloadable may perform if it is
`
`run on a computer.
`
`Faults in the ʼ494 patent’s priority claims render the Touboul PCT
`
`publication invalidating prior art to the ʼ494 patent. Touboul shares the same
`
`disclosure as U.S. Patent No. 6,092,194, a patent in the alleged priority chain of the
`
`ʼ494 patent. Indeed, Touboul anticipates most of the claims and renders the
`
`remaining claims obvious—either by itself or in combination with other references.
`
`Additionally, the Swimmer reference renders most of the ʼ494 claims obvious.
`
`Though Swimmer was cited during the prosecution of the ʼ494 patent (Ex. 1025 at
`
`10), the Examiner did not make out any claim rejections based on Swimmer.
`
`
`
`1
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`Petitioner respectfully submits that there is a reasonable likelihood that
`
`Petitioner will prevail with respect to each of the Petitioned Claims and requests
`
`institution of inter partes review of claims 1-18 of the ʼ494 patent.
`
`II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1)
`A. Real Party-ln-Interest Under 37 C.F.R. § 42.8(b)(1)
`Palo Alto Networks, Inc. is the real party-in-interest.
`
`B. Related Matters Under 37 C.F.R. § 42.8(b)(2)
`Finjan, Inc. (“Patent Owner,” “PO,” or “Finjan”) asserted the ʼ494 patent in
`
`Finjan, Inc. v. Palo Alto Networks, Inc., No. 3-14-cv-04908 (N.D. Cal.); Finjan,
`
`Inc. v. Symantec, No. 3-14-cv-02998 (N.D. Cal.); Finjan, Inc. v. Websense, Inc.,
`
`No. 5-14-cv-01353 (N.D. Cal.); Finjan, Inc. v. Websense, Inc., No. 5-13-cv-04398
`
`(N.D. Cal.); Finjan, Inc. v. Sophos, Inc., No. 3-14-cv-01197 (N.D. Cal.); and
`
`Finjan, Inc. v. Blue Coat Systems, Inc., No. 5-15-cv-03295 (N.D. Cal.) (the
`
`“Related Litigations”). Palo Alto Networks was served with process on November
`
`7, 2014.
`
`Petitioner filed the following petitions for inter partes review of patents
`
`assigned
`
`to Patent Owner:
`
`IPR2015-01974
`
`(7,647,633);
`
`IPR2015-01979
`
`(8,141,154); IPR2015-01999 (7,058,822); IPR2015-02000 (7,418,731); and
`
`IPR2015-2001 (8,225,408). Petitioner is filing petitions for inter partes review of
`
`U.S. Patent Nos. 7,613,926, 6,804,780, 6,965,968, and 7,613,918, which are also
`
`
`
`2
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`assigned to Patent Owner.
`
`Petitions IPR2015-01892 and IPR2015-01897 are also pending for the ʼ494
`
`patent. The Board did not institute inter partes review of the ʼ494 patent in
`
`IPR2015-01022.
`
`C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)
`
`Lead Counsel: Orion Armon (Reg. No. 65,421) / oarmon@cooley.com
`Back-up Counsel:
`Jennifer Volk (Reg. No. 62,305) / jvolkfortier@cooley.com
`Max Colice (Reg. No. 65,634) / mcolice@cooley.com
`Brian Eutermoser (Reg. No. 64,058) / beutermoser@cooley.com
`zPaloAltoNetworksIPR@cooley.com
`zpatdcdocketing@cooley.com
`Cooley LLP ATTN: Patent Group
`1299 Pennsylvania Ave., NW, Suite 700 Washington, DC 20004
`Tel: (720) 566-4119 Fax: (720) 566-4099
`
`
`Service Information
`
`D.
`The Petition is being served by FEDERAL EXPRESS to the ʼ494 Patent
`
`Owner’s attorneys of record, Dawn-Marie Bey, Bey & Cotropia PLLC. Palo Alto
`
`Networks consents to service by e-mail at the addresses provided above.
`
`Power of Attorney
`
`E.
`Filed concurrently with this petition per 37 C.F.R. § 42.10(b).
`
`III. PAYMENT OF FEES - 37 C.F.R. § 42.103
`This Petition requests review of claims 1-18 of the ʼ494 patent and is
`
`accompanied by a payment of $24,200. 37 C.F.R. § 42.15. This Petition meets the
`
`fee requirements of 35 U.S.C. § 312(a)(1).
`3
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`IV. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. §§ 42.104
`AND 42.108
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a)
`Petitioner certifies that the ʼ494 patent is eligible for IPR and further
`
`certifies that Petitioner is not barred or estopped from requesting this IPR.
`
`B.
`
`Identification of Challenge Under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested
`
`Petitioner requests IPR of claims 1-18 of the ʼ494 patent and requests that
`
`each claim be found unpatentable. The prior art cited in this Petition includes:
`
` International Publ. No. WO 98/21683 to Touboul (“Touboul”);
`
` 
`
` Morton Swimmer et al., “Dynamic Detection and Classification of Computer
`
`Viruses Using General Behaviour Patterns,” Proceedings of
`
`the Fifth
`
`International Virus Bulletin Conference, Virus Bulletin Ltd., September 1995
`
`(“Swimmer”);
`
` U.S. Patent No. 5,983,348 to Ji et al. (“Ji”); and
`
` 
`
` David M. Martin, Jr. et al., “Blocking Java Applets at the Firewall,”
`
`Proceedings of the 1997 Symposium on Network and Distributed System
`
`Security, IEEE Computer Society Press, February 1997 (“Martin”).
`
`An explanation why each claim is unpatentable under the statutory grounds
`
`identified below is provided in § IX. Additional support for each ground of
`
`rejection is set forth in the Declaration of Dr. Aviel Rubin (Ex. 1002, “Rubin”), an
`
`
`
`4
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`expert in the field.
`
`Ground ʼ494 Claim(s)
`1.
`1, 3-6, 9, 10,
`12-15, 18
`2, 11
`
`2.
`
`3.
`
`7, 16
`
`4.
`5.
`
`6.
`
`8, 17
`1-2, 6, 10-11,
`15
`3-5, 12-14
`
`Basis for Challenge
`Anticipated by Touboul under 35 U.S.C. § 102.
`
`Obvious over Touboul, including in view of Swimmer
`under 35 U.S.C. § 103(a).
`Obvious over Touboul in view of Ji under 35 U.S.C.
`§ 103(a).
`Obvious over Touboul under 35 U.S.C. § 103(a).
`Obvious over Swimmer under 35 U.S.C. § 103(a).
`
`Obvious over Swimmer in view of Martin under 35
`U.S.C. § 103(a).
`
`
`The above proposed grounds of invalidity are not redundant because they
`
`address different possible conclusions regarding the priority date to which the
`
`Petitioned Claims of the ʼ494 patent are entitled. If the Board agrees with
`
`Petitioner that the ʼ494 patent’s earliest priority date is March 30, 2000, the Board
`
`should institute Grounds 1-4. If the Board determines that any of the Petitioned
`
`Claims are entitled to a priority date earlier than March 30, 2000, the Board should
`
`institute Grounds 5-6 based on Swimmer for those claims instead of the Touboul-
`
`based grounds.
`
`Status of the Cited References as Prior Art
`
`C.
`The cited prior art references qualify as prior art under 35 U.S.C. § 102 (pre-
`
`AIA) because each reference was filed, published, and/or issued in the United
`
`States prior to the priority dates of the various claims of the ʼ494 patent. March 30,
`
`
`
`5
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`2000, is the earliest priority date for the Petitioned Claims. (See § VI.C, infra.)
`
`Touboul is prior art
`
`1.
`Touboul is prior art under 35 U.S.C. § 102(b) because it was published on
`
`May 22, 1998. As explained in § 0, infra, that date is more than a year before the
`
`dates to which the ʼ494 patent claims should be entitled, based on defects in the
`
`patent’s priority claims. If the Board disagrees that the ʼ494 patent’s priority claims
`
`are deficient, Touboul is still 102(b) art to claims 2, 7, 8, 11, 16, and 17, because it
`
`published more than one year prior to the earliest priority dates of those claims,
`
`May 7, 2006 (for claims 7, 8, 16, and 17) or May 26, 2009 (for claims 2 and 11).
`
`(§ 0, below.)
`
`Swimmer is prior art
`
`2.
`Swimmer is prior art under 35 U.S.C. § 102(b) because it was published in
`
`the Proceedings of the Fifth International Virus Bulletin Conference and was
`
`available to the public more than one year before the earliest priority date for the
`
`Petitioned Claims (March 30, 2000). (Ex. 1006 at 1.) The Fifth International Virus
`
`Bulletin Conference was held on September 20-22, 1995, in Boston, MA. (Ex.
`
`1088 at ¶ 3.) Swimmer was published to all 163 conference attendees and made
`
`available for sale by Virus Bulletin after the Conference, as evidenced by the
`
`Declaration of John Hawes, Virus Bulletin’s Chief of Operations. (Ex. 1088,
`
`Hawes Declaration at ¶¶ 3-4.) Swimmer is § 102(b) prior art even if the Petitioned
`
`
`
`6
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`Claims were entitled to a priority date as early as November 6, 1997.
`
`The Ji patent is prior art
`
`3.
`The Ji patent is prior art under 35 U.S.C. § 102(e) because it was filed on
`
`September 10, 1997. (Ex. 1010 at 1.) In fact, Ji is § 102(e) art to all of the
`
`Petitioned Claims even if the Board were to determine that one or more of the
`
`Petitioned Claims are entitled to a priority date of November 6, 1997.
`
`4. Martin is prior art
`Martin qualifies as prior art under 35 U.S.C. § 102(b) because it is a printed
`
`publication bearing a copyright date of 1997, more than one year before the earliest
`
`priority date for the Petitioned Claims (March 30, 2000), and it was publicly
`
`available in the Proceedings of the 1997 Symposium on Network and Distributed
`
`Systems Security distributed to those who attended the symposium, which was held
`
`in San Diego, California on February 10-11, 1997. (Ex. 1047 at 1.) Furthermore,
`
`Dr. Aviel D. Rubin, one of the co-authors of the Martin paper, confirms that
`
`Martin was published in the above publicly available conference proceedings and
`
`that Martin was distributed, as part of the printed proceedings, to approximately
`
`400 conference attendees in February 1997. (Ex. 1002 at ¶ 58.) Therefore, even if
`
`the Board were to conclude that one or more of the Petitioned Claims are entitled
`
`to a priority date as early as November 6, 1997, Martin would still be at least
`
`§ 102(a) prior art to all of the Petitioned Claims.
`
`
`
`7
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`D. Threshold Requirement for Inter Partes Review 37 C.F.R.
`§ 42.108(c)
`Inter partes review of claims 1-18 should be instituted because this Petition
`
`establishes a reasonable likelihood that Palo Alto Networks will prevail with
`
`respect to at least one of the Petitioned Claims. 35 U.S.C. § 314(a).
`
`V. BACKGROUND OF TECHNOLOGY RELATED TO THE ʼ494 PATENT
`A computer will generally execute a program it is given with exactness, no
`
`matter how harmful that program is. (Ex. 1002, Rubin Decl., at ¶ 36.) Individuals
`
`who want to cause harm (e.g., stealing data, destroying data, disrupting operations,
`
`etc.) can do so by simply getting a computer to run their “bad” instructions. (Id.)
`
`Those in the art generically refer to harmful, deceptive, or otherwise unauthorized
`
`programs as “malicious software” or simply “malware.” As was the case in the
`
`mid-1990’s, the majority of malware programs are downloaded by users from the
`
`Internet or media such as CD-ROMs. (Id.)
`
`Processors cannot protect themselves, and they operate too fast for any kind
`
`of meaningful human inspection. Accordingly, they are protected with other
`
`programs. Since at least 1988, antivirus software has served as a barrier between
`
`malware and the processor. (Id. at ¶ 37; Ex. 1036 at 3.) The concept is to have a
`
`trusted program evaluate untrusted programs before they execute.
`
`The earliest approach to antivirus software was a technique known as
`
`“signature scanning.” Signature scanning requires a database of known patterns
`8
`
`
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`found in (and preferably only in) malware. (Ex. 1002 at ¶ 38-39.) The scanning
`
`software uses that database when scanning other programs. If the scanned program
`
`had the same sequence of bytes of a known malicious program, the scanner would
`
`not allow the program to run. (Id.) The problem with signature scanning is that it
`
`only recognizes malware after it has been identified and its signature placed in a
`
`database. Signature scanning is unable to recognize or protect against previously-
`
`unseen harmful programs or even small variants of such programs. (Id.)
`
`Unsurprisingly then, since the early 1990s, antivirus makers have also
`
`researched and produced software that generically recognizes bad programs. (Id.)
`
`One such mechanism was called “heuristic scanning.” Heuristic scanning analyzes
`
`a program by decomposing the instructions into a usable representation (a process
`
`called “decompilation”) and then evaluates whether those instructions (individually
`
`or collectively) are suspicious. (Id. at ¶¶ 39-40.) As early as 1995, persons of
`
`ordinary skill recognized that heuristic scanning was necessary in antivirus
`
`software. (Id. at ¶ 39; Ex. 1011 at 1; Ex. 1012 at 2, 6, 8-9.)
`
`To illustrate how heuristic scanning works, anti-virus researchers could
`
`often review the code of a program and recognize if it had a virus, even one that
`
`had not been previously seen, because viruses often employ similar operations. For
`
`example, Gryaznov explains that viruses often displayed the following operations:
`
` The program immediately passes control to an address near its end
`
`
`
`9
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
` It modifies some bytes at the beginning of its copy in memory
`
` It starts looking for other programs on the computer
`
` When found, a file is opened, and some data is read from the file
`
` Some data is written to the end of that file (such as the virus code)
`
`(Ex. 1011 at 5.) Gryaznov went on to explain that a heuristic scanner was capable
`
`of analyzing files for these kinds of operations, identifying files as malware, and
`
`reacting accordingly. (Id. at 6, 9.) Since the mid-1990s, heuristic scanning has
`
`continued to be a part of anti-malware products. (Ex. 1002 at ¶ 42.) The ʼ494
`
`patent claims obvious variants of these same well-known heuristic scanning
`
`operations. (Id. at ¶¶ 41-42.)
`
`VI. SUMMARY OF THE ʼ494 PATENT
`A. Brief Description of the ʼ494 Patent
`The alleged invention of the ʼ494 patent is the basic and well-known concept
`
`of receiving data, analyzing the data, and storing the result of the analysis in a
`
`database. Specifically, the ’494 patent claims receiving Downloadable programs,
`
`deriving “Downloadable security profile data” (DSP data) for the Downloadables,
`
`and storing that data in a database. There is nothing novel in this basic concept, and
`
`the dependent claims simply add obvious limitations such as the type of the
`
`Downloadable, certain information contained in the security profile, and details of
`
`how the system derives DSP data. For example, claims 3-5 recite well-known
`
`
`
`10
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`Downloadable programs that respectively include applets, active controls, and
`
`program script. (Ex. 1002 at ¶¶ 65-68.) Other claims include storing the
`
`Downloadable’s source URL, the date and time when the DSP data was derived, or
`
`a digital certificate, as part of the DSP data. See claims 2, 7, and 8.
`
`Almost none of the subject matter of the Petitioned Claims appears in the
`
`specification of the ʼ494 patent. Instead, that material exists in related earlier-filed
`
`patents and applications such as the ʼ194 patent, which the ʼ494 patent says it
`
`incorporates by reference, and the ʼ639 provisional application. (Ex. 1001 at 1:35-
`
`38; Ex. 1027 at 11:9-13 (discussing “DSP data”).) For example, the ʼ194 patent
`
`describes deriving DSP data through the use of a “code scanner.” (Ex. 1013 at
`
`9:20-42; 5:36-58.) The scanner uses “conventional parsing techniques to
`
`decompose the code (including all prefetched components) of the Downloadable.”
`
`(Id. at 5:41-45.) “Parsing” is synonymous with “disassembling the machine code”
`
`of the program per claims 9 & 18. (Id. at 9:20-24; Ex. 1002 at ¶ 48.) The result of
`
`the parsing/disassembling is DSP data, which can include a list of program
`
`commands (e.g., a “WRITE_FILE” command to the operating system). (Ex. 1013
`
`at 6:16-24, 9:20-42.) DSP data can also include the parameters to the program’s
`
`command, e.g., the italicized portion of the following example command:
`
`WRITE_FILE (system_file, “<instructions to wipe out the hard-drive>”). (Ex.
`
`1002 at ¶ 48-49.)
`
`
`
`11
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`The Petitioned Claims of the ʼ494 Patent
`
`B.
`The elements of the Petitioned Claims are shown and labeled below:
`
`1[d]
`2
`
`3
`
`4
`
`5
`
`6
`
`Claim Limitation
`
`1[a] A computer-based method, comprising the steps of:
`1[b]
`receiving an incoming Downloadable;
`1[c] deriving security profile data for the Downloadable, including a list of
`suspicious computer operations that may be attempted by the
`Downloadable; and
`storing the Downloadable security profile data in a database.
`The computer-based method of claim 1 further comprising storing a date &
`time when the Downloadable security profile data was derived, in the
`database.
`The computer-based method of claim 1 wherein the Downloadable includes
`an applet.
`The computer-based method of claim 1 wherein the Downloadable includes
`an active control.
`The computer-based method of claim 1 wherein the Downloadable includes
`program script.
`The computer-based method of claim 1 wherein suspicious computer
`operations include calls made to an operating system, a file system, a
`network system, and to memory.
`The computer-based method of claim 1 wherein the Downloadable security
`profile data includes a URL from where the Downloadable originated.
`The computer-based method of claim 1 wherein the Downloadable security
`profile data includes a digital certificate.
`The computer-based method of claim 1 wherein said deriving
`Downloadable security profile data comprises disassembling the incoming
`Downloadable
`10[a] A system for managing Downloadables, compris