`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`Palo Alto Networks, Inc. and
`Blue Coat Systems, Inc.,
`Petitioners
`
`v.
`
`Finjan, Inc.
`Patent Owner
`
`Case IPR2016-001591
`Patent No. 8,677,494
`
`
`
`PETITIONER’S REPLY
`
`
`
`
`
`
`1 Case IPR2016-01174 has been joined with the instant proceeding.
`
`
`
`
`
`Table of Contents
`
`
`I.
`II.
`
`Page
`INTRODUCTION ........................................................................................ 1
`SWIMMER & MARTIN WERE PUBLICLY AVAILABLE ................. 3
`A.
`Swimmer was publicly available ......................................................... 3
`B. Martin was publicly available .............................................................. 5
`III. SWIMMER AND MARTIN RENDER CLAIMS 1-6, 10, AND 11-
`15 OBVIOUS ................................................................................................. 6
`A.
`Swimmer Renders Obvious Claims 1-2, 6, 10-11, and 15 ................... 6
`1.
`Swimmer renders obvious “deriving security profile data
`for the Downloadable, including a list of suspicious
`computer operations.” (cls. 1[c], 10[c], 6, 15) ........................... 6
`a.
`Finjan improperly reads a limitation into the
`claims. .............................................................................. 6
`Swimmer renders obvious the deriving DSP data
`limitation under its plain and ordinary meaning. ............ 8
`Swimmer renders obvious the deriving DSP data
`limitation even under Finjan’s interpretation. ............... 10
`Swimmer renders obvious “a Downloadable scanner” (cl.
`10[c]) ........................................................................................ 13
`Swimmer renders obvious “storing the DSP data in a
`database.” (cls. 1[d], 10[d]) ...................................................... 14
`Swimmer renders obvious “a database manager coupled
`with said Downloadable scanner, for storing the DSP
`data in a database.” (cl. 10[d]) ................................................. 18
`Swimmer renders obvious storing “a date & time when
`the Downloadable Security profile data was derived, in
`the database” (cls. 2, 11) .......................................................... 18
`Swimmer and Martin Render Obvious Claims 3-5, 12-14 ................ 19
`1.
`Swimmer and Martin render obvious “wherein the
`Downloadable includes an “applet” (cls. 3, 12), “active
`control” (cls. 4, 13), or “program script” (cls. 5, 14) ............... 19
`
`b.
`
`c.
`
`2.
`
`3.
`
`4.
`
`5.
`
`B.
`
`
`
`-i-
`
`
`
`Table of Contents
`(continued)
`
`Page
`
`2.
`
`A POSA would have been motivated to combine
`Swimmer and Martin. .............................................................. 20
`C. None of Finjan’s Remaining Arguments Carry Any Weight ............ 22
`IV. SECONDARY CONSIDERATIONS ....................................................... 22
`A.
`Finjan fails to establish nexus between its licensing program
`and the challenged claims .................................................................. 23
`Finjan fails to establish nexus between alleged commercial
`success and the challenged claims ..................................................... 24
`Finjan fails to establish nexus between alleged praise by others
`and the challenged claims .................................................................. 25
`Finjan fails to show long-felt need, skepticism, or failure by
`others .................................................................................................. 25
`V. CONCLUSION ........................................................................................... 26
`
`B.
`
`C.
`
`D.
`
`
`
`-ii-
`
`
`
`Table of Authorities
`
`
`Page(s)
`
`Cases
`In re Am. Acad. of Sci. Tech Ctr.,
`367 F.3d 1359 (Fed. Cir. 2004) ............................................................................ 7
`In re Antor Media Corp.,
`689 F.3d 1282 (Fed. Cir. 2012) .......................................................................... 23
`Apple, Inc. v. Ameranth, Inc.,
`CBM2015-00080, Paper 44 .................................................................... 22, 24, 25
`B/E Aerospace, Inc. v. MAG Aerospace Industries, LLC,
`IPR2014-01513, Paper 104 (PTAB Mar. 18, 2016) ........................................... 25
`Bruckelmyer v. Ground Heaters, Inc.,
`445 F.3d 1374 (Fed. Cir. 2006) ............................................................................ 3
`Ebay Inc. v. MoneyCat Ltd.,
`CBM2014-00091, Paper 50 (PTAB Sept. 23, 2015) ............................................ 6
`Facebook, Inc. v. Software Rights Archive, LLC,
`IPR2013-00479, Paper 54 (PTAB Feb. 2, 2015) ................................................ 24
`Garmin Int’l, Inc. v. Cuozzo Speed Techs. LLC,
`IPR2012-00001, Paper 59 (PTAB Nov. 13, 2013) ....................................... 17, 18
`Geosys-Intl, Inc. v. Farmers Edge,
`IPR2015-00711, Paper 34 (PTAB Aug. 17, 2016) ............................................. 25
`GrafTech Int’l Holdings, Inc. v. Laird Techs.,
`652 Fed. Appx. 973 (Fed. Cir. June 17, 2016) ................................................... 22
`In re Hall,
`781 F.2d 897 (Fed. Cir. 1986) .......................................................................... 3, 4
`In re Klopfenstein,
`380 F.3d 1345 (Fed. Cir. 2004) ............................................................................ 5
`Mass. Institute of Tech. v. AB Fortia,
`774 F.2d 1104 (Fed. Cir. 1985) ............................................................................ 5
`
`
`
`-iii-
`
`
`
`Table of Authorities
`(continued)
`
`Page(s)
`
`Merck v. Biocraft Labs.,
`874 F.2d 804 (Fed. Cir.), cert. denied, 493 U.S. 975 (1989) ............................. 12
`MotivePower, Inc. v. Cutsforth, Inc.,
`IPR2013-00274, Paper 44 (PTAB Sept. 9, 2016) ............................................... 25
`Ormco Corp. v. Align Tech., Inc.,
`463 F.3d 1299 (Fed. Cir. 2006) .......................................................................... 23
`In re Paulsen,
`30 F.3d 1475 (Fed. Cir. 1994) ............................................................................ 24
`Sophos, Inc. v. Finjan, Inc.,
`IPR2015-01022, Paper 7 (PTAB Sept. 24, 2015) ............................................... 16
`Tissue Transplant Tech. v. Mimedx Group,
`IPR2015-00420, Paper 25 (PTAB July 7, 2016) ................................................ 13
`Universal Remote Control v. Universal Elecs. Inc.,
`IPR2014-01106, Paper 49 (PTAB Dec. 15, 2015) ............................................. 24
`In re Wyer,
`655 F.2d 221 (Fed. Cir. 1981) .............................................................................. 5
`
`
`
`
`
`-iv-
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`List of Exhibits
`
`
`
`
`
`
`Exhibit
`Description of Document
`No.
`1001 U.S. Patent No. 8,677,494 to Edery, et al. (“the ʼ494 patent”)
`1002 Declaration of Dr. Aviel D. Rubin
`Excerpts from trial transcripts of Finjan, Inc. v. Symantec Corp., et al.,
`1003
`Case No. 10-593-GMS (December 12, 2012)
`1004 Virus Bulletin (May 1996)
`ThunderBYTE Anti-Virus Utilities-User Manual (1996)
`1005
`(“ThunderBYTE”, or “TB”)
`Morton Swimmer, “Dynamic Detection and Classification of Computer
`1006
`Viruses Using General Behaviour Patterns” (Sept. 1995)
`INFOWorld (Dec. 11, 1995)
`1007
`1008 U.S. Patent No. 5,761,436 (“the ʼ436 Patent”)
`1009 U.S. Patent No. 5,925,106 (“the ʼ106 Patent”)
`1010 U.S. Patent No. 5,983,348 (“Ji”)
`Dmitry O. Gryaznov, “Scanners of the Year 2000: Heuristics, Virus
`1011
`Bulletin Conference” (Sept. 1995)
`1012 The Virus Bulletin (Sept. 1995)
`1013 U.S. Patent No. 6,092,194 (“the ʼ194 Patent”)
`1014 U.S. Patent Application No. 09/861,229 (“the ʼ229 Application”)
`1015 U.S. Patent No. 7,613,926 (“the ʼ926 Patent”)
`1016 U.S. Patent No. 7,058,822 (“the ʼ822 Patent”)
`Decision Granting Petition to Accept Unintentionally Delayed Priority
`1017
`Claim Under 37 C.F.R. U.S. Patent No 7,058,822 File History
`1018 SurfinGate Press Release (1996)
`Joint Claim Construction and Pre-Hearing Statement Pursuant to Patent
`Local Rule 4-3. Finjan v. Proofpoint, Inc., and Armorize Technologies,
`Inc. (Jan. 26, 2015)
`1020 U.S. Patent No. 6,154,844 (“the ʼ844 Patent”)
`Elmasri and Navathe, Fundamentals of Database Systems, 2d. Ed.,
`1021
`Addison-Wesley Publishing Co. (1994)
`-v-
`
`1019
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`List of Exhibits
`
`
`
`
`
`Exhibit
`No.
`1022
`
`1023
`
`Description of Document
`Terry Halpin, Conceptual Schema Relational Database Design, 2d. Ed.,
`Prentice Hall Australia (1995)
`Order Construing the Terms of U.S. Patent Nos. 6,092,194; 6,804,780;
`7,058,822; 6,357,010; and 7,185,361, Finjan v. Secure Computing
`Corp., et al. Case 1:06-cv-00369-GMS (Dec. 11, 2007) (D.I. 142)
`Order Construing the Terms of U.S. Patent Nos. 6,092,194 & 6,480,962
`1024
`Finjan v. McAfee, Inc., et al. Case No. 10-cv-593-GMS (Feb. 29, 2012)
`1025 Excerpted U.S. Patent No. 8,677,494 File History
`International Publ. No. WO 98/21683 to Touboul (“Touboul”)
`1026
`1027 Provisional Patent Application No. 60/030,639
`CheckPoint Software Technologies Ltd., Press Release, “Leading
`Content Security Vendors Announce Support for Check Point FireWall-
`13.0” (Oct. 7, 1996)
`1029 Great Circle, Firewalls Mailing List and Correspondence
`1030 Glenn Fowler , “cql – A Flat File Database Query Language” (1994)
`1031 Webpage: Welcome to Finjan Software (Dec. 1996)
`Paul Merenbloom, “Don’t Let Rogue Java Applets Imperil Network
`1032
`Security” (Dec. 1996)
`1033 Rohit Khare, Microsoft Authenticode Analyzed (July 22, 1996)
`David Chappell, Understanding ActiveX and OLE: A Guide for
`1034
`Developers and Managers (Strategic Technology) (1996) (“Chappell”)
`1035 Dan Raywood, Press Release - M86 Security completes acquisition of
`Finjan (Nov. 3, 2009)
`iMPERVA, Hacker Intelligence Initiative, Monthly Trend Report #14
`(2012)
`1037 Curriculum Vitae of Dr. Aviel Rubin
`1038 The Virus Bulletin Paper (Nov. 1994)
`1039 Drew Dean, et al. “Java Security: Web Browsers and Beyond” (1997)
`1040 Chung Kei Wong, “PGP Enhancement to Java Applet” (1996)
`1041 Pat Newcombe, “Librarians in Quandary Over Web Access” (1996)
`-vi-
`
`1028
`
`1036
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`List of Exhibits
`
`
`
`
`
`1046
`
`Exhibit
`Description of Document
`No.
`1042 Phillip A. Porras, et al. “Live Traffic Analysis of TCP/IP Gateways”
`(1997)
`1043 Steve Suehring MySQL Bible (2002)
`1044 Press Release:“Microsoft Announces ActiveX Technologies” (1996)
`1045 U.S. Patent No. 6,268,852 (“the ʼ852 Patent”)
`Press Release, “Netscape and Sun Announce JavaScript, the Open,
`Cross-Platform Object Scripting Language for Enterprise Networks and
`the Internet” (1995)
`1047 David M. Martin, et al. “Blocking Applets at the Firewall” (1997)
`1048 Benjamin Schwarz, et al. “Disassembly of Executable Code
`Revisited” (2002)
`1049 Karen Kent, et al. “Guide to Computer Security Log Management”
`(2006)
`1050 Webpage: Wikipedia, Syslog
`1051 Python Documentation by Version
`Jaime Jaworski “JAVA Developer’s Guide” (1996)
`1052
`1053 Colin Jackson, et al. “Protecting Browser State from Web Privacy
`Attacks” (2006)
`JavaScript Security: Same Origin (2001)
`1054
`Li Gong, et al. “Going Beyond the Sandbox: An Overview of the New
`1055
`Security Architecture in the Java Development Kit 1.2” (1997)
`1056 Douglas Terry, et al. “Continuous Queries over Append-Only
`Databases” (1992)
`1057 Drew Dean, et al. “Java Security: From HotJava to Netscape and
`Beyond” (1996)
`1058 Webpage: “Crackers Shuffle Cash with Quicken, ActiveX” (1997)
`1059 Alan Mark, “Exploring the NetWare Web Server, Part 3: A Complete
`Innerweb Solution” (1996)
`
`-vii-
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`List of Exhibits
`
`
`
`
`
`Exhibit
`Description of Document
`No.
`1060 Larry Masinter, “Document Management, Digital Libraries and the
`Web” (1995)
`1061 Dr. Eugene Spafford Declaration (March 20, 2015)
`1062 Virus Bulletin (Nov. 1991)
`1063 Claim Construction Order, Finjan v. Sophos, Case No. 14-cv-01197-
`WHO, D.I. 73 (N.D. Cal., 2014)
`1064 Finjan, Inc. v. Symantec Corp., et al. 2013 WL 5302560 (D. Del.
`Sept. 19, 2013)
`1065 U.S. Patent No. 5,696,822 (“Nachenberg”)
`1066 Virus Bulletin (Sept. 1994)
`Excerpts from trial transcripts of Finjan, Inc. v. Secure Computing, et
`1067
`al. Case No. 05-369-GMS (March 10, 2008)
`1068 Riel & Feng, Documentation for /proc/sys/kernel/* (2009)
`1069 U.S. Patent Application No. 11/370,114
`1070 U.S. Patent Application No. 09/861,229
`1071 U.S. Patent Application No. 09/539,667
`1072 U.S. Patent Application No. 09/551,302
`1073 U.S. Provisional Patent Application No. 60/205,591
`1074 U.S. Patent Application No. 08/964,388
`1075 U.S. Patent Application No. 08/790,097
`1076 Webpage: Oracle 3.4 JDK 1.4 java.util.logging
`Sun Press Release “Sun Announces Latest Version of Java 2 Platform
`1077
`Standard Edition (February 6, 2002)
`1078 Webpage: Oracle 2.3 Logging Framework
`Michael Reiter and Aviel Rubin “Crowds: Anonymity for Web
`1079
`Transactions
`1080 Webpage: Oracle man pages section 3: Basic Library Functions
`1081 Stephen Hansen and E. Todd Atkins “Automated System Monitoring
`-viii-
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`List of Exhibits
`
`Exhibit
`No.
`
`-ix-
`
`Description of Document
`and Notification with Swatch” (November 1-5, 1993)
`Final Office Action mailed September 8, 2014, in U.S. Control No.
`1082
`90/013,017
`IBM Dictionary of Computing (1994)
`1083
`1084 Ray Duncan, Advanced MS-DOS Programming, 2nd Ed. (1988)
`Insik Shin and John C., Mitchell “Java Bytecode Modification and
`1085
`Applet Security” (1998)
`1086 U.S. Patent No. 6,061,515 to Chang, et al. (“the ʼ515 patent”)
`1087 Fred R. McFadden et al. Modern Database Management, 4th Ed. (1994)
`1088 Declaration of John Hawes of Virus Bulletin
`1089 Supplemental Declaration of John Hawes of Virus Bulletin
`1090 Supplemental Declaration of Dr. Aviel D. Rubin
`Ondrej Vicek “A New Toy in the Avast Research Lab” (December 3,
`1091
`2012)
`Plaintiff Finjan, Inc.’s Opening Claim Construction Brief, Finjan, Inc. v.
`Blue Coat Sys., Inc., No. 13-cv-03999-BLF (N.D. Cal. Aug. 22, 2014),
`ECF 65.
`1093 U.S. Patent No. 5,361,359
`1094 U.S. Patent No. 5,434,562
`Exhibits 1006, 1007, 1011, 1037, Symantec Corp. v. Finjan, Inc.,
`1095
`IPR2015-01892 (PTAB Sept. 10, 2015)
`Exhibits 1038, 1039, 1040, Symantec Corp. v. Finjan, Inc., IPR2015-
`01892 (PTAB Sept. 16, 2016)
`Exhibits 1041, 1026, Symantec Corp. v. Finjan, Inc., IPR2015-01892
`(PTAB Sept. 16, 2016)
`Deposition Transcript of Michael T. Goodrich, Ph.D., IPR2016-00159
`(Oct. 17, 2016)
`Deposition Transcript of Sang Hui Kim, IPR2016-00159 (Oct. 19,
`2016)
`Deposition Transcript of Dr. Nenad Medvidovic, IPR2016-00159
`(Nov. 3, 2016)
`
`1092
`
`1096
`
`1097
`
`1098
`
`1099
`
`1100
`
`
`
`
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`
`I.
`
`INTRODUCTION
`Finjan’s Response fails to rebut Petitioner’s showing that the instituted
`
`claims are obvious in light of Swimmer and Martin. Unable to rebut the prior art
`
`teachings directly, Finjan improperly attempts to (1) redefine the scope of the ’494
`
`patent’s claims, and (2) argue that the claims are distinguishable over the preferred
`
`embodiments described in the prior art (while ignoring that art’s full disclosure).
`
`None of Finjan’s arguments are persuasive.
`
`Finjan’s lead argument is that neither Swimmer nor Martin were published.
`
`This argument is unavailing because the unrebutted evidence shows both
`
`references were published in printed conference proceedings that were widely
`
`disseminated.
`
`Finjan next argues that the Board should read a limitation into the “deriving”
`
`DSP data limitation that requires the computer to “deem” computer operations
`
`suspicious. Neither the claims nor the specification support Finjan’s narrowing
`
`construction, and Finjan’s district court admissions demonstrate its proposed
`
`construction is incorrect. Regardless, Swimmer’s teachings render the “deriving”
`
`DSP data limitation obvious under either of the two constructions before the
`
`Board.
`
`Finjan’s third argument is that Swimmer fails to render obvious the
`
`“database” and “database manager” limitations. These arguments fail because
`
`
`
`1
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`Swimmer teaches storing security profile data according to a “canonical format”
`
`corresponding to the schema of a flat-file database. This schema satisfies Finjan’s
`
`own expert’s definition of “database,” and the obviousness of the “database
`
`manager” cannot be disputed once the obviousness of the “database” limitation is
`
`established.
`
`Fourth, despite Finjan’s admission that Swimmer discloses recording a “time
`
`stamp,” Finjan asserts that Swimmer fails to render obvious “storing a date and
`
`time,” because the time stamp is not illustrated in Swimmer. A detailed description
`
`of such a commonplace item is not required. Moreover, Swimmer specifically
`
`describes the stamp as including the “StartTime and EndTime…of action start and
`
`end respectively,” rendering obvious storing the date and time when data is
`
`derived.
`
`Finjan’s fifth argument is that Martin teaches away from securing systems
`
`against active controls or Javascript. Martin contradicts these arguments by
`
`“emphasize[ing]” that “Netscape’s Javascript and Microsoft’s ActiveX…must be
`
`blocked in the enabling document.” A POSA would, therefore, have been
`
`motivated to apply Swimmer’s security techniques to active control and program
`
`script.
`
`
`
`2
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`Finally, Finjan’s alleged objective evidence of non-obviousness is entitled to
`
`no weight because Finjan failed to show a nexus between the instituted claims and
`
`its evidence of non-obviousness.
`
`For each of the foregoing reasons, which are explained fully below, the
`
`Board should find Claims 1-6, 10, and 11-15 of the ’494 patent invalid for
`
`obviousness.
`
`II.
`
`SWIMMER & MARTIN WERE PUBLICLY AVAILABLE
`“A given reference is ‘publicly accessible’” when it “has been disseminated
`
`or otherwise made available to the extent that persons interested and ordinarily
`
`skilled in the subject matter or art exercising reasonable diligence, can locate it.”
`
`Bruckelmyer v. Ground Heaters, Inc., 445 F.3d 1374, 1378 (Fed. Cir. 2006).
`
`Swimmer was publicly available
`A.
`Finjan provides no evidence rebutting Mr. Hawes’s testimony that Swimmer
`
`was presented at Virus Bulletin’s (“VB’s”) September 1995 conference, published
`
`to 163 attendees in a conference proceedings book, and subsequently made
`
`available for purchase. (Ex. 2014 at 32:21-50:6; In re Hall, 781 F.2d 897, 899
`
`(Fed. Cir. 1986).) Furthermore, Symantec presented additional evidence proving
`
`the public availability of Swimmer in a related proceeding:
`
`• Dr. Sylvia Hall-Ellis’s declaration establishing that University of
`
`Washington Libraries created a MARC record corresponding to the
`
`
`
`3
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`VB Proceedings on December 1, 1995, affirming Swimmer would
`
`have been publicly available then (Ex. 1095 at 8-9);
`
`• A declaration by Dr. Richard Ford—VB’s executive director in
`
`1995—confirming he attended the conference and received a copy of
`
`Swimmer identical to the copy attached to Mr. Hawes’s declaration
`
`that is still in his possession today (Ex. 1096); and
`
`• Joseph Kiegel’s declaration confirming VB’s 1995 Proceedings were
`
`received by University of Washington’s Engineering Library, from
`
`the main library, and stamped on December 9, 1995 (Ex. 1097, ¶4-6).
`
`Finjan argues Mr. Hawes’s testimony is insufficient, because it is based on
`
`Virus Bulletin’s business records and practices. (Paper 17 at 7-8, 13-14.) But “[t]he
`
`probative value of routine business practice to show the performance of a specific
`
`act has long been recognized.” Hall, 781 F.2d at 899.
`
`Finjan speculates Swimmer was never distributed based on a statement on
`
`Swimmer’s face asking that unauthorized copies not be made. (Paper 17 at 12-13.)
`
`Finjan’s speculation is misplaced—a statement discouraging future copyright
`
`violations is not probative of initial publication or the authorized sale of copies. In
`
`fact, if anything, the statement supports the fact that the article was disseminated to
`
`those other than the authors or publishers. (Ex. 1006 at 1.) Whether or not
`
`Swimmer had “a reasonable expectation” that the disseminated information not be
`4
`
`
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`copied is irrelevant here, where the information was already published,
`
`disseminated, and going to be offered for sale. See In re Klopfenstein, 380 F.3d
`
`1345, 1351 (Fed. Cir. 2004). Mr. Hawes testified that Swimmer was published in
`
`the conference proceedings distributed to 163 attendees and offered for sale,
`
`therefore, showing that Swimmer was already publicly accessible. (Ex. 1088; Ex.
`
`1089; Mass. Institute of Tech. v. AB Fortia, 774 F.2d 1104, 1109 (Fed. Cir. 1985);
`
`In re Wyer, 655 F.2d 221, 227 (Fed. Cir. 1981).)
`
`B. Martin was publicly available
`Finjan provides no evidence to dispute Dr. Rubin’s testimony that Martin,
`
`which he co-authored, was distributed in printed conference proceedings in
`
`February 1997 to approximately 400 attendees, including Dr. Rubin. (Ex. 1002 at
`
`¶58.)
`
`Finjan asserts that Dr. Rubin’s “declaration does not establish that the
`
`version of Martin attached to the Petition is the same version” distributed. (Paper
`
`17 at 14.) But Dr. Rubin testified that “[t]hose who attended the NDSS conference
`
`received a copy, at the conference, of the printed conference proceedings, which
`
`included the Martin paper. I still have my personal copy of the proceedings that I
`
`received at the 1997 NDSS conference.” (Ex. 1002 at ¶58 (emphasis added).) To
`
`the extent it is not already clear, Dr. Rubin confirms the copy of Martin relied upon
`
`is the same version distributed during the proceedings. (Ex. 1090.)
`
`
`
`5
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`Finjan also cites a stamp on Martin indicating it was later submitted to
`
`Michigan Technological University’s library. (Ex. 1047 at 1, 3.) This evidence
`
`does not contradict Dr. Rubin’s testimony or Martin itself, which carries a 1997
`
`copyright date and states “[t]he papers in this book comprise the proceedings of the
`
`meeting mentioned on the cover and title page.” (Id. at 2; Ebay Inc. v. MoneyCat
`
`Ltd., CBM2014-00091, Paper 50 at *18-19 (PTAB Sept. 23, 2015).)
`
`III. SWIMMER AND MARTIN RENDER CLAIMS 1-6, 10, AND 11-15 OBVIOUS
`Swimmer Renders Obvious Claims 1-2, 6, 10-11, and 15
`A.
`Swimmer renders obvious “deriving security profile data
`1.
`for the Downloadable,
`including a
`list of suspicious
`computer operations.” (cls. 1[c], 10[c], 6, 15)
`Finjan improperly reads a limitation into the claims.
`a.
`In its Institution Decision, the Board construed “Downloadable security
`
`profile data” as having its plain and ordinary meaning. (Paper 8.) The Board stated
`
`that “[a]lthough the challenged claims require that the Downloadable security
`
`profile data ‘includ[e] a list of suspicious computer operations that may be
`
`attempted by the Downloadable,’ the claims do not require that the list consist only
`
`of suspicious operations.” (Id. at 24.)
`
`Finjan argues that “deriving DSP data, including a list of suspicious
`
`computer operations that may be attempted by the Downloadable, necessarily
`
`includes deeming certain computer operations suspicious.” (Paper 17 at 23.)
`
`
`
`6
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`However, Finjan presents no evidence supporting an additional requirement that
`
`the claimed system “deem” certain operations suspicious.
`
`First, construing the claims to “necessarily” require “deeming certain
`
`computer operations suspicious” would improperly read-in limitations. It is
`
`improper to read limitations into a claim unless the specification includes an
`
`explicit definition of terms or a disavowal of claim scope. In re Am. Acad. of Sci.
`
`Tech Ctr., 367 F.3d 1359, 1365-67 (Fed. Cir. 2004). The ’494 patent does not
`
`define “deriving” DSP data to require a separate act of “deeming” certain
`
`operations suspicious, nor does it disavow listing non-suspicious operations. The
`
`specification does not support Finjan’s interpretation.
`
`Second, the incorporated ’194 specification makes clear that “deriving” DSP
`
`data does not necessarily require “deeming certain computer operations
`
`suspicious.” Rather, “DSP data 310 includes the list of all potentially hostile or
`
`suspicious computer operations,” indicating that DSP data includes operations not
`
`deemed hostile or suspicious when derived. (Ex. 1013 at 5:45-48 (emphasis
`
`added), 5:50-57 (“The code scanner may generate the DSP data 310 as a list of all
`
`operations in the Downloadable code which could ever be deemed potentially
`
`hostile….”).) This disclosure
`
`is consistent with Finjan’s admission
`
`that
`
`“suspicious” “includes hostile, potentially hostile, undesirable, potentially
`
`undesirable, etc.” (Ex. 1092 at 10 (emphasis added).)
`7
`
`
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`Third, the ’494 patent supports the Board’s finding that DSP data is not
`
`limited to suspicious operations. (Ex. 1001, cls. 7-8, 16-17.) The ’494 claims
`
`identify many intrinsic examples of DSP data that are not suspicious operations.
`
`(Id.; Paper 2 at 20-21; Ex. 1013 at 5:50-57.) Thus, the Board correctly determined
`
`that “DSP data” is not limited to only suspicious operations. (Paper 8 at 24.)
`
`b.
`
`Swimmer renders obvious the deriving DSP data
`limitation under its plain and ordinary meaning.
`Swimmer’s virus detection system is based on an audit system that monitors
`
`a program’s activity by collecting activity data, which ASAX analyzes to detect
`
`virus attacks. (Id. at 1, 4, 10-11; Paper 2 at 44.) Swimmer identifies a software
`
`emulator as an example of an audit system. (Ex. 1006 at 8 (§ 4.4); Paper 2 at 44.)
`
`Swimmer’s emulator monitors a program by deriving and recording activity data,
`
`including a list of functions (e.g., system calls) that an executed application
`
`program (Downloadable) attempts to invoke. (Ex. 1006 at 1, 7-10; Paper 2 at 44-
`
`46.) The audit records “represent[] the program behavior in general, and virus
`
`activity in particular.” (Ex. 1006 at 9.)
`
`Swimmer’s emulator monitors program activity, collecting the function
`
`numbers of the DOS function requested by the program. (Ex. 1006 at 9; Paper 2 at
`
`44-45.) The functions included in the activity data correspond to computer
`
`operations that match examples of “malicious” operations in the ’494 specification.
`
`
`
`8
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`(Paper 2 at 45-46; Ex. 1002 at ¶96.) For example, as explained by an MS-DOS
`
`programming book:
`
`• function numbers 0, 49, and 76 are program/process-termination
`
`operations;
`
`• function numbers 15 and 16 are, respectively, “Open File” and “Close
`
`File” (calls made to a file system);
`
`• function numbers 72-74 and 88 are calls made to memory; and
`
`• function numbers 94 and 95 are calls made to a network system.
`
`(Ex. 1084 at 6-11; Paper 2 at 44-46.) These operations are identical to the
`
`“suspicious computer operations” in claims 6 and 15. (Ex. 1001, cls. 6, 15.)
`
`Finjan counters that the MS-DOS book does not describe these functions as
`
`suspicious, but Petitioner and Dr. Rubin only rely on this book to support that
`
`Swimmer’s function numbers correspond to computer operations. (Paper 2 at 45-
`
`46.) In particular, the function numbers correspond to computer operations
`
`identified by the ’494 as examples of operations that POSAs already understood to
`
`be suspicious. (Ex. 1001 at 18:62-19:2, 2:54-55; Ex. 1002 at ¶ 96 (identifying a
`
`write to the beginning of a file as suspicious); Ex. 1093 at 6:27-42 (identifying file
`
`write operations as potentially malicious); Ex. 1094 at 1:25-53 (identifying “write
`
`access” as a potentially malicious operation that may be disabled to avoid
`
`viruses).)
`
`
`
`9
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`Finally, Dr. Medvidovic admits
`
`
`that “SEND, WRITE, RECEIVE,
`
`DISABLE, ACCESS, MOUNT, UNMOUNT, CALL and LOG” are “suspicious
`
`operations,” because he identifies these operations as evidence that Avast’s
`
`products embody the limitation. (Ex. 2027 at 3.) The article Dr. Medvidovic cites
`
`also explains that Avast’s products “take into account both static properties of the
`
`file as well as the outcome of a dynamic analysis (i.e. basically logs gathered
`
`during the execution of the file.” (Ex. 1091.) Finjan and Dr. Medvidovic identify
`
`Avast’s logs as meeting the DSP data limitation, including “suspicious operations.”
`
`(Paper 17 at 56; Ex. 2027 at 1-3.) Similarly, Swimmer discloses deriving activity
`
`data that further includes function numbers of operations matching Finjan’s
`
`exemplary suspicious operations. (See above.) Thus, Swimmer discloses deriving
`
`DSP data, including a list of suspicious computer operations.
`
`c.
`
`Swimmer renders obvious the deriving DSP data
`limitation even under Finjan’s interpretation.
`Even if the Board adopts Finjan’s argument that certain operations must be
`
`“deemed” suspicious (Part III.A.1.a), Swimmer discloses tuning the audit system
`
`to “provide only the necessary data” for detecting viruses—for example, to only
`
`record data regarding “actions relevant to the infection scenario.” (Ex. 1006 at 5
`
`(§ 3.1), 13 (§ 6); Paper 2 at 53 (focusing on file infectors).)
`
`
`
`10
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`As discussed above and explained in the Petition, Swimmer identifies a
`
`software emulator as an example of an audit system. (Ex. 1006 at 8 (§ 4.4); Paper 2
`
`at 44.) The emulator uses “special emulation hooks” in the code that allow it to
`
`scan and record “useful available attributes,” including activity data such as the
`
`DOS functions described above. (Ex. 1006 at 8 (§ 4.4), 9 (§ 4.6); Paper 2 at 44-46.)
`
`In arguing that Swimmer does not “deem” operations as suspicious, Finjan and
`
`Dr. Medvidovic ignore the full scope of Swimmer’s teachings—that “[t]he audit
`
`system can be tuned to provide only the necessary data,” suggesting, for example,
`
`modification of the emulator’s hooks to capture in the activity data only those
`
`operations that represent “virus activity in particular”—i.e., suspicious operations.
`
`(Ex. 1006 at 13 (§6), 9 (§4.5); Paper 2 at 43 (emphasis added).) Swimmer further
`
`explains that limiting the audit system’s data to virus activity or suspicious
`
`operations is desirable to “eliminate[] some overhead.” (Ex. 1006 at 13 (§6).)
`
`As explained in the Petition, Swimmer’s purpose is virus detection, which
`
`further motivates tuning the audit system to focus on suspicious actions or
`
`operations. (Paper 2 at 25-26; Ex. 1006 at 4 (§ 3.1).) Swimmer discloses a
`
`transition diagram that represents an infection process—a sequence of actions “a”
`
`that drive the system “from an initial clean state to a final infectious state.” (Id. at
`
`4, Fig. 1; Paper 2 at 53 (focusing on file infectors).) Swimmer teaches that its
`
`system is designed to “represent those actions relevant to the infection scenario”
`11
`
`
`
`
`
`Petitioner’s Reply
`IPR2016-00159
`
`
`and that “many possible actions may occur between adjacent states, but are not
`
`recorded because they do not entail a modification in the current state.” (Ex. 1006
`
`at 5 (§ 3.1), 9 (§ 4.5) (emphasis added); Petition at 53 (focusing on file infectors).)
`
`Dr. Medvidovic admitted Swimmer suggests only recording actions that involve a
`
`modification of the current state. (Ex. 1100, Medvidovic Dep. at 45:25-46:14.)2
`
`And further, Dr. Medvidovic acknowledged an example of an action that may take
`
`a system from a clean to an infectious state is a computer operation, such as a file
`
`write command. (Id. at 34:15-35:13.) Swimmer’s focus on actions resulting in
`
`infection—i.e., suspicious operations—further motivates tuning the emulator to
`
`reduce overhead, as suggested by Swimmer. (Id. at 5, 9, 13.) By suggesting tuning
`
`the emulator to provide only the data necessary for detecting virus activity,
`
`Swimmer teaches “deeming” certain activity data—including DOS functions or
`
`computer operations—to be suspicious. (Id.) Accordingly, even under Finjan’s
`
`
`2 The additional constraints that Dr. Medvidovic attempts to place on Swimmer are
`
`entitled to no weight because he distinguishes the illustrated embodiment while
`
`ignoring the rest of Swimmer’s teachings. Merck v. Biocraft Labs., 874 F.2d 804
`
`(Fed. Cir.), cert. denied, 493 U.S. 975 (1989) (“A reference may be relied upon for