Paper No. ____
`Filed: April 14, 2016
`
`Filed on behalf of: Blue Coat Systems, Inc.
`By: Michael T. Rosato (mrosato@wsgr.com)
`
`Andrew S. Brown (asbrown@wsgr.com)
`
`WILSON SONSINI GOODRICH & ROSATI
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`_____________________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`_____________________________
`
`
`
`BLUE COAT SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`
`_____________________________
`
`Patent No. 8,677,494
`
`_____________________________
`
`
`
`PETITION FOR INTER PARTES REVIEW
`OF U.S. PATENT NO. 8,677,494
`
`
`
`
`Filed: April 14, 2016
`
`Filed on behalf of: Blue Coat Systems, Inc.
`By: Michael T. Rosato (mrosato@wsgr.com)
`
`Andrew S. Brown (asbrown@wsgr.com)
`
`WILSON SONSINI GOODRICH & ROSATI
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`_____________________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`_____________________________
`
`
`
`BLUE COAT SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`
`_____________________________
`
`Patent No. 8,677,494
`
`_____________________________
`
`
`
`PETITION FOR INTER PARTES REVIEW
`OF U.S. PATENT NO. 8,677,494
`
`
`
`
`
`
`
`TABLE OF CONTENTS
`
`Page
`
`I.
`
`MANDATORY NOTICES (37 C.F.R. § 42.8) ...................................................... 1
`
`II.
`
`GROUNDS FOR STANDING (37 C.F.R. § 42.104(A)) ......................................... 2
`
`III.
`
`IDENTIFICATION OF CHALLENGE (37 C.F.R. § 42.104(B)) ............................... 3
`
`A.
`
`Claims for Which Review Is Requested .............................................. 3
`
`B.
`
`C.
`
`Priority Date of the ’494 Patent ........................................................... 3
`
`The Specific Art on Which the Challenge Is Based ............................. 4
`
`D.
`
`The Statutory Grounds on Which the Challenge Is Based ................... 4
`
`IV. OVERVIEW OF THE ’494 PATENT .................................................................... 5
`
`A.
`
`The Specification ................................................................................ 5
`
`B.
`
`The Challenged Claims ....................................................................... 7
`
`V.
`
`LEVEL OF ORDINARY SKILL ........................................................................... 8
`
`VI. CLAIM CONSTRUCTION .................................................................................. 9
`
`A.
`
`“Database” ........................................................................................ 10
`
`VII. GROUNDS OF UNPATENTABILITY .................................................................. 11
`
`A.
`
`Swimmer Renders Obvious Claims 1, 2, 5, 6, 10, 11, 14, and 15 ...... 11
`
`1.
`
`Swimmer Renders Obvious Independent Claims 1 and 10 ...... 12
`
`a.
`
`b.
`
`c.
`
`Swimmer discloses “[a] system for managing
`Downloadables” (10[P]) and “[a] computer-based
`method” (1[P]) .............................................................. 12
`
`Swimmer discloses [a receiver for] receiving an
`incoming Downloadable (1[A], 10[A]) ......................... 13
`
`Swimmer discloses [a Downloadable scanner
`coupled with said receiver, for] deriving security
`
`-i-
`
`
`
`profile data for the Downloadable, including a list
`of suspicious computer operations that may be
`attempted by the Downloadable (1[B], 10[B]) .............. 16
`
`
`
`d.
`
`Swimmer discloses [a database manager coupled
`with said Downloadable scanner, for] storing the
`Downloadable security profile data in a database
`(1[C], 10[C]) ................................................................. 18
`
`Swimmer Renders Obvious Claims 2 and 11 .......................... 20
`
`Swimmer Renders Obvious Claims 6 and 15 .......................... 21
`
`Swimmer Renders Obvious Claims 5 and 14 .......................... 22
`
`2.
`
`3.
`
`4.
`
`VIII. CONCLUSION ............................................................................................... 23
`
`IX. APPENDIX – LIST OF EXHIBITS...................................................................... 24
`
`
`
`
`
`-ii-
`
`
`
`
`
`Blue Coat Systems Inc. (“Petitioner” or “Blue Coat”) petitions the United
`
`States Patent & Trademark Office (“PTO”) to institute an inter partes review of
`
`claims 1, 2, 5, 6, 10, 11, 14, and 15 (“challenged claims”) of U.S. Patent No.
`
`8,677,494 to Edery et al. (“the ’494 patent”). According to PTO records, the ’494
`
`patent is assigned to Finjan, Inc. (“Finjan” or “Patent Owner”). A copy of the ’494
`
`patent is provided as Exhibit 1001.
`
`I. MANDATORY NOTICES (37 C.F.R. § 42.8)
`
`Real Party In Interest: Blue Coat Systems, Inc. is the real party-in-interest.
`
`Related Matters: The ’494 patent is currently involved in the following
`
`proceedings: Finjan, Inc. v. Blue Coat, Inc. 5:15-cv-03295 (N.D. CA); Finjan, Inc.
`
`v. Symantec Corp., Case No. 3:14-cv-02998 (N.D. CA), Finjan, Inc. v. Sophos
`
`Inc., 3:14-cv-01197 (N.D. Cal.); and Finjan, Inc. v. Palo Alto Networks, Inc., 3:14-
`
`cv-04908 (N.D. Cal.). An inter partes review, Symantec Corp.v. Finjan, Inc.
`
`(IPR2015-01892, “the Symantec IPR”) was instituted on March 18, 2016. A
`
`motion for joinder to the Symantec IPR has been filed concurrent with this
`
`petition. A second inter partes review petition challenging the ’494 patent, Palo
`
`Alto Networks, Inc. v. Finjan, Inc. (IPR2016-00159), is currently pending pre-
`
`institution.
`
`1
`
`
`
`
`
`LEAD AND BACKUP COUNSEL:
`
`Lead Counsel
`
`Back-Up Counsel
`
`Michael T. Rosato
`
`Andrew S. Brown
`
`USPTO Reg. No. 52,182
`
`USPTO Reg. No. 74,177
`
`WILSON SONSINI GOODRICH &
`
`WILSON SONSINI GOODRICH &
`
`ROSATI
`
`ROSATI
`
`701 Fifth Avenue
`
`701 Fifth Avenue
`
`Suite 5100
`
`Suite 5100
`
`Seattle, WA 98104-7036
`
`Seattle, WA 98104-7036
`
`Tel.: 206-883-2529
`
`Tel.: 206-883-2584
`
`Fax: 206-883-2699
`
`Fax: 206-883-2699
`
`Email: mrosato@wsgr.com
`
`
`Email: asbrown@wsgr.com
`
`SERVICE INFORMATION: Service information for lead and back-up
`
`counsel is provided in the designation of lead and back-up counsel above.
`
`Petitioner consents to electronic service by email at the email addresses provided
`
`above.
`
`II. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))
`
`The undersigned and Blue Coat certify that the ’494 patent is available for
`
`inter partes review and Petitioner is not barred or estopped from requesting an
`
`inter partes review of the challenged claims of the ’494 patent. Petitioner has not
`
`filed a civil action challenging the validity of any claim of the ’494 patent, and no
`
`
`
`-2-
`
`
`
`
`
`complaint alleging infringement of the ’494 patent was served on Petitioner more
`
`than a year before the date of this Petition. The ’494 patent issued more than nine
`
`months prior to the date of this Petition. This Petition is filed within a month of
`
`institution of the Symantec IPR, and is being filed concurrently with a motion for
`
`joinder to the Symantec IPR.
`
`III.
`
`IDENTIFICATION OF CHALLENGE (37 C.F.R. § 42.104(B))
`
`Petitioner requests an Order cancelling the challenged claims as
`
`unpatentable under 35 U.S.C. § 103.
`
`A. Claims for Which Review Is Requested
`
`Petitioner requests inter partes review of claims 1, 2, 5, 6, 10, 11, 14, and 15
`
`of the ’494 patent.
`
`B.
`
`Priority Date of the ’494 Patent
`
`The ’494 patent issued from U.S. Application No. 13/290,708 filed on
`
`November 7, 2011. Given that the ’494 patent was filed before March 16, 2013,
`
`the provisions of pre-AIA 35 U.S.C. §§ 102 and 103 apply.
`
`The ’494 patent claims priority to a number of applications, the earliest of
`
`which, U.S. Provisional Application No. 60/030,639 (“the ’639 provisional,”
`
`provided as Ex. 1002) was filed on November 8, 1996. Because the prior art
`
`reference pre-dates November 8, 1996, the cited reference qualifies as prior art to
`
`the ’494 patent.
`
`
`
`-3-
`
`
`
`
`
`C. The Specific Art on Which the Challenge Is Based
`
`The reference cited in this Petition is prior art to the ’494 patent, which, in
`
`this Petition, is assumed to have an effective filing date and earliest possible
`
`priority date of November 8, 1996. The cited reference is as follows:
`
`1.
`
`Dynamic Detection and Classification of Computer Viruses Using
`
`General Behaviour Patterns, by Morton Swimmer, Virus Bulletin Conference,
`
`Virus Bulletin Ltd., September 1995 (“Swimmer,” provided as Ex. 1005).
`
`Swimmer was presented at the Virus Bulletin International Conference held
`
`September 20-22, 1995 in Boston, MA. Moreover, the declaration by Dr. Sylvia
`
`Hall-Ellis (Exs. 1006 and 1007), together with certain evidence discussed therein
`
`(Exs. 1010 and 1011), demonstrates that Swimmer was available to the public as of
`
`December 1, 1995. Ex. 1006 at ¶¶ 7-8, 11-12, 18-20. Thus, Swimmer is a printed
`
`publication that was publicly available before the November 8, 1996 earliest
`
`possible priority date of the ’494 patent. Accordingly, Swimmer is prior art to the
`
`’494 patent under pre-AIA 35 U.S.C. § 102(b), or at the very least pre-AIA 35
`
`U.S.C. § 102(a).
`
`D. The Statutory Grounds on Which the Challenge Is Based
`
`Petition identifies the following ground of unpatentability:
`
`Ground 1: Swimmer renders obvious claims 1, 2, 5, 6, 10, 11, 14, and 15
`
`under § 103.
`
`
`
`-4-
`
`
`
`
`
`IV. OVERVIEW OF THE ’494 PATENT
`
`A. The Specification
`
`The ’494 patent generally relates to the protection of computers from
`
`potentially undesirable or suspicious software programs or code received over a
`
`network, referred to as “Downloadables.” ’494 patent, Abstract, col. 1:59-63,
`
`2:22-3:9. According to the ’494 patent a Downloadable is “received information
`
`[that] includes executable code.” ’494 patent, col. 3:3-8, col. 4:5-14, col. 5:64-6:2,
`
`col. 9:46-52, col. 15:22-39. Some examples of Downloadables described in the
`
`specification include: distributed components, Java applets, JavaScript scripts,
`
`ActiveX controls, and VisualBasic scripts. ’494 patent, Abstract, col. 2:22-30 &
`
`59-64, col. 9:46-52; see also Davidson Decl., ¶¶ 37-42, 76.1
`
`Curiously, besides this general discussion of “Downloadables,” the
`
`specification of the ’494 patent does not appear to include any description of the
`
`particular features recited in the claims. In particular, the ’494 patent specification
`
`does not even use the term “security profile,” much less provide any description
`
`related to deriving a security profile from a Downloadable or storing the security
`
`profile in a database, which are recited in both independent claims of the ’494
`
`patent. Certain other applications to which the ’494 patent claims priority,
`
`however, appear to provide at least some disclosure corresponding to these claimed
`
`
`
`1 The Declaration of Dr. Jack Davidson is provided as Ex. 1018. Citations to
`
`Dr. Davidson’s Declaration are provided in the form: “Davidson Decl., ¶ #.”
`
`
`
`-5-
`
`
`
`
`
`“security profile” features. See ’639 provisional; U.S. Patent No. 6,092,194 (“ the
`
`’194 patent,” provided as Ex. 1013); see also Davidson Decl., ¶ 77.
`
`As explained in the ’194 patent, a Downloadable is “received from [an]
`
`external computer network” and delivered to a “code scanner.” ’194 patent, col.
`
`4:33-40, 5:36-42. If the Downloadable is “unknown,” the code scanner generates
`
`Downloadable Security Profile (DSP) data for the Downloadable by “us[ing]
`
`conventional parsing techniques to decompose the code (including all prefetched
`
`components) of the Downloadable into the DSP data.” ’194 patent, col. 5:41-45,
`
`col. 9:20-42, FIG. 7. The DSP data “includes the fundamental computer
`
`operations included in each known Downloadable 307, and may include, READs,
`
`WRITEs, file management operations, system management operations, memory
`
`management operations and CPU allocation operations.” ’639 provisional, p. 18, l.
`
`9-13, p. 24, l. 19-p. 25, l. 2 (describing loop commands such as “goto”, “while”
`
`“if”, “than” or the like as further examples of potentially suspicious commands);
`
`’194 patent, col. 5:45-6:3, col. 9:20-42; see also Davidson Decl., ¶ 78. The
`
`Downloadable and its DSP data may then be stored (e.g., in a database). ’639
`
`provisional, p. 20, l. 12-16 (“the non-hostile Downloadable is stored in known
`
`Downloadable’s 307 and its corresponding DSP data is stored in DSP data 310.”),
`
`p. 22, l. 15-21, p. 17, l. 13-19 (describing items 307 and 310 as portions of a
`
`“security database”); ’194 patent, col. 6:9-12; see also Davidson Decl., ¶ 79.
`
`In other words, the DSP data is an assessment of the Downloadable that
`
`identifies the fundamental computer operations (e.g., potentially suspicious system
`
`
`
`-6-
`
`
`
`
`
`operations) that the Downloadable may attempt to invoke. Davidson Decl., ¶ 80.
`
`Among other things, this DSP data can be verified against “security policies” at a
`
`client computer, before allowing the Downloadable to execute. ’639 provisional,
`
`p. 20, l. 2-12; ’194 patent, col. 6:13-24. Generally speaking, a “security policy” is
`
`a set of rules associated with an organization or user that can be used to determine
`
`whether a Downloadable (and/or the operations being invoked thereby) should be
`
`blocked or allowed to execute. Davidson Decl., ¶¶ 70-72, 81-82.
`
`Significantly, the ’494 patent does not disclose any new or improved
`
`mechanism for generating security profile data (i.e., a list of potentially suspicious
`
`operations) associated with a program. Rather, as acknowledged by the related
`
`applications, various techniques for deriving such data, such as by parsing and
`
`decomposing executable code, were widely used and conventional at the time of
`
`the ’494 patent. ’639 provisional, p. 19, l. 16-20; ’194 patent, col. 5:42-45; see
`
`also Davidson Decl., ¶ 83. Thus, the purported patentability of the challenged
`
`claims hinges on the fact that the security profile data is generated for “an
`
`incoming Downloadable” and is then stored in a database. Id. These features,
`
`however, are not only simple and straightforward, but were also well known long
`
`before the ’494 patent. Id.
`
`B.
`
`The Challenged Claims
`
`The text of the two challenged independent claims (1 and 10) is reproduced
`
`in the chart below. For ease of reference, labels have been assigned to each
`
`limitation, such as 1[Pre] which refers to the preamble of claim 1 and 10[C] which
`
`
`
`-7-
`
`
`
`
`
`refers to the final limitation of claim 10. Other than the claim format (i.e., system
`
`or method) and small variations in the claim language, independent claims 1 and
`
`10 recite substantially similar limitations. The only meaningful difference is that
`
`claim 10 is directed to a system and includes components (e.g., a receiver) for
`
`performing each of the steps recited in claim 1. Accordingly, where applicable,
`
`claims 1 and 10 are discussed together in this Petition.
`
`
`
`
`Claim 1
`[Pre] A computer-based method,
`comprising the steps of:
`[A] receiving an incoming
`Downloadable;
`[B] deriving security profile
`data for the Downloadable,
`including a list of
`suspicious computer
`operations that may be
`attempted by the
`Downloadable; and
`[C] storing the Downloadable
`security profile data in a
`database.
`
`
`
`V. LEVEL OF ORDINARY SKILL
`
`Claim 10
`A system for managing Downloadables,
`comprising:
`a receiver for receiving an incoming
`Downloadable;
`a Downloadable scanner coupled with said
`receiver, for deriving security profile data
`for the Downloadable, including a list of
`suspicious computer operations that may be
`attempted by the Downloadable; and
`
`a database manager coupled with said
`Downloadable scanner, for storing the
`Downloadable security profile data in a
`database.
`
`A person of ordinary skill in the art (“POSITA”) is a hypothetical person
`
`who is presumed to have known the relevant art at the time of the alleged
`
`invention. Custom Accessories, Inc. v. Jeffrey-Allan Indus., Inc., 807 F.2d 955,
`
`962 (Fed. Cir. 1986) (“The person of ordinary skill is a hypothetical person who is
`
`presumed to be aware of all the pertinent prior art.”). A POSITA at the time of
`
`
`
`-8-
`
`
`
`
`
`alleged invention of the ’494 patent would have a Master’s degree in computer
`
`science, computer engineering, or a similar field, or a Bachelor’s degree in
`
`computer science, computer engineering, or a similar field, with approximately two
`
`years of industry experience relating to computer security. Additional graduate
`
`education might substitute for experience, while significant experience in the field
`
`of computer programming and malicious code might substitute for formal
`
`education. Davidson Decl., ¶ 30. Such a person would have been capable of
`
`understanding the ’494 patent and applying the prior art references discussed
`
`herein. Id.
`
`VI. CLAIM CONSTRUCTION
`
`For unexpired patents, claims should be given the “broadest reasonable
`
`interpretation in light of the specification” (“BRI”). See 37 C.F.R. § 42.100(b); see
`
`also, In re Yamamoto, 740 F.2d 1569, 1571 (Fed. Cir. 1984); In re Am. Acad. Of
`
`Sci. Tech. Ctr., 367 F.3d 1359, 1363-64 (Fed, Cir. 2004).2
`
`
`
`2 No claim construction decision has been rendered in the foregoing related
`
`District Court proceeding concerning the ’494 patent. Because of the differing claim
`
`construction standards, Petitioner expressly reserves the right to assert different
`
`claim constructions or take different positions with respect to any term/phrase of the
`
`’494 patent construed in a U.S. District Court proceeding.
`
`
`
`-9-
`
`
`
`
`
`A.
`
` “Database”
`
`All of the challenged claims require storing data in a “database.” Based on
`
`the claim language and the specification, the broadest reasonable interpretation of
`
`this claim term is: “an organized collection of data.”
`
`This construction is consistent with the plain and ordinary meaning of the
`
`term “database” to a POSITA at the time of the ’494 patent. See Davidson
`
`Decl., ¶¶ 84-85 (explaining that a POSITA would have understood a “database”
`
`to be any collection of organized or related data); see also Ex. 1014, p. 339 (“a
`
`collection or organized, related data”); Ex. 1015, p. 325 (“a collection of data
`
`organized”); Ex. 1016, p. 95 (“any clearly identified collection of data,”
`
`typically having “all its information in one central store or file”; “a database
`
`[means] a coherent collection of data entered into a computer system.”).
`
`Moreover, the ’494 patent does not provide any indication that the claimed
`
`“database” has a different meaning. Indeed, neither the specification, nor the
`
`challenged claims, say anything about the form or structure of the claimed
`
`“database.” Rather, both the specification and claims merely describe the type
`
`of data that is stored in the database (e.g., DSP data). See, e.g., ’194 patent, col.
`
`3:47-50 (“[t]he data storage device 230 stores a security database 240, which
`
`includes security information”); col. 4:14-18; col. 9:52-55, FIGS. 2, 3; ’494
`
`patent, claim 1 (“storing the Downloadable security profile data in a database”).
`
`Thus, the “database” should be construed as “an organized collection of data.”
`
`Davidson Decl., ¶ 86.
`
`
`
`-10-
`
`
`
`
`
`This construction is also consistent with Symantec’s position concerning the
`
`proper construction of this claim term in related district court proceedings. See
`
`Joint Claim Construction and Pre-Hearing Statement, Dkt. No. 68, p. 4 (provided
`
`as Ex. 1017). In fact, in the district court, Patent Owner agreed that a “database” is
`
`a collection of organized data. Ex. 1017, p. 4. Patent Owner argued, however, that
`
`the claimed “database” further requires the data to be organized “according to a
`
`database schema” and must “serve one or more applications.” See Ex. 1017, p. 4.
`
`Patent Owner’s proposed construction adds limitations that are unnecessary,
`
`confusing and, more importantly, have no support whatsoever in the intrinsic
`
`record. This appears to be nothing more than attempt to salvage the challenged
`
`claims by excluding certain types of databases described in the prior art, such as
`
`log files. See Ex. 1017, p. 4. Significantly, in the district court proceeding, Patent
`
`Owner and its expert acknowledged that, even under Patent Owner’s proposed
`
`construction, at least some types of log files are “databases.” Accordingly, any
`
`similar attempts by Patent Owner to limit the BRI of a “database” in the challenged
`
`claims should be rejected as improper for being inconsistent with the specification,
`
`the claim language, and the understanding of a POSITA.
`
`VII. GROUNDS OF UNPATENTABILITY
`
`A.
`
`Swimmer Renders Obvious Claims 1, 2, 5, 6, 10, 11, 14, and 15
`
`Swimmer is generally directed to a computer system, called Virus Intrusion
`
`Detection Expert System (VIDES), for detecting and classifying computer viruses.
`
`Swimmer, Title. For example, Swimmer explains that this VIDES system can be
`
`
`
`-11-
`
`
`
`
`
`used “as a type of firewall for programs entering a protected network,” i.e.,
`
`programs downloaded over a network. Swimmer, p. 13. In order to detect viruses
`
`or virus behaviors, Swimmer discloses using an emulator to monitor the activity of
`
`a virtual PC, including application programs and code being executed by the PC.
`
`Swimmer, p. 1. The emulator creates a stream of system activity data, which
`
`includes operations and functions that these programs attempt to invoke.
`
`Swimmer, p. 1, 7. Swimmer explains that the activity data is recorded in a
`
`database according to a structured schema. Swimmer, p. 9 (“<code segment,
`
`RecType, StartTime, EndTime, function number, arg ( ... }, ret( … )>“). This
`
`structured data is then used by an expert system (e.g., Advanced Security audit trail
`
`Analysis on UniX, “AS-AX”) to detect viruses by employing rules that model
`
`typical virus behavior. Swimmer, p. 2, 4-5, 10-12; Davidson Decl., ¶ 87.
`
`1.
`
`Swimmer Renders Obvious Independent Claims 1 and 10
`
`a.
`
`Swimmer discloses “[a] system for managing
`Downloadables” (10[P]) and “[a] computer-based
`method” (1[P])
`
`Swimmer describes a computer system called “VIDES,” which is
`
`“comprise[d] of a PC emulation and an IDES-like expert system.” Swimmer p. 2,
`
`Figure 4. In turn, Swimmer discloses methods for detecting viruses using this
`
`VIDES system. Swimmer, p. 1 (“The resulting system is called VIDES: it is a
`
`prototype for an automatic analysis system for computer viruses.”). An emulator
`
`monitors and records the operations of a virtual computer and an expert system
`
`then analyzes the recorded data using rules associated with virus behavior.
`
`
`
`-12-
`
`
`
`
`
`Swimmer, p. 1 (“an emulator is used to monitor the system activity of a virtual PC
`
`[and] the expert system ASAX is used to analyse the stream of data whicg [sic] the
`
`emulator produces [using] general rules to detect real viruses generically and
`
`reliably, and specific rules to extract details of their behaviour.”), p. 4-7, 10, 12
`
`(describing exemplary rules), p. 8-10 (describing the use of the emulator to
`
`develop/record system activity information), p. 11-12 (describing the application of
`
`the expert system ASAX to rules and recorded data); Davidson Decl., ¶ 88.
`
`Moreover, Swimmer explains that its VIDES system is used to detect viruses
`
`in application programs and program code by monitoring and analyzing the
`
`functions and operations these programs attempt to invoke. Swimmer, p. 7;
`
`Davidson Decl., ¶ 89. These application programs can include “programs entering
`
`a protected network” (i.e., executable code being downloaded over a network).
`
`Swimmer, p. 13. Accordingly, Swimmer discloses a computer-based method and a
`
`system for managing Downloadables (e.g., application programs and executable
`
`code). Davidson Decl., ¶ 90; see also ’494 patent, col. 2:59-3:8 (stating that
`
`“application programs” and “executable code” are examples of “Downloadables”),
`
`9:46-52 (same).
`
`b.
`
`Swimmer discloses [a receiver for] receiving an
`incoming Downloadable (1[A], 10[A])
`
`As discussed above, Swimmer describes methods for detecting viruses in
`
`application programs and program code using its VIDES system. Swimmer, p. 1
`
`(“The resulting system is called VIDES: it is a prototype for an automatic analysis
`
`
`
`-13-
`
`
`
`
`
`system for computer viruses.”). This VIDES system includes an emulator, which
`
`monitors the programs and executable code and records certain operations and
`
`functions that they attempt to invoke. Swimmer, Abstract, p. 8. In other words,
`
`Swimmer discloses techniques for monitoring and analyzing application programs
`
`and executable code (i.e., Downloadables). Davidson Decl., ¶ 91 Indeed, the ’494
`
`patent refers to these exact same items as examples of the claimed Downloadable.
`
`’494 patent, col. 2:59-3:8, 9:46-52.
`
`Moreover, to the extent Patent Owner argues that this claim limitation
`
`requires that the “incoming Downloadable” be received over a network, Swimmer
`
`explicitly discloses this feature. In particular, Swimmer explains that the VIDES
`
`system can be used in a networked environment as part of a firewall for a protected
`
`network (e.g., an intranet). Swimmer, p. 13 (explaining that VIDES could be used
`
`“to detect viruses in a real environment” and that “[o]ne possibility is to use it as a
`
`type of firewall for programs entering a protected network.”). In other words,
`
`Swimmer discloses that VIDES can be used at a firewall in order to monitor and
`
`analyze incoming Downloadables received at the firewall (e.g., programs that are
`
`being downloaded by or sent to a computer on the protected network). Davidson
`
`Decl., ¶¶ 92-93 (explaining that firewalls are security devices/software located
`
`between the outside network, such as an Internet and an internal network, such as
`
`an intranet which connects a number of client computers).
`
`Swimmer also discloses that the VIDES system includes a “receiver” for
`
`receiving the Downloadable (i.e., the firewall components at the firewall for
`
`
`
`-14-
`
`
`
`
`
`interfacing with the networks). Davidson Decl., ¶ 94. Indeed, in order for
`
`VIDES to be used at a firewall for “programs entering a protected network” (i.e.,
`
`receive and analyze incoming Downloadables), a POSITA would have
`
`understood that the system necessarily included a “receiver” (i.e., networking
`
`components) for receiving these Downloadables. Davidson Decl., ¶ 94.
`
`To the extent Patent Owner argues, however, that Swimmer does not
`
`explicitly disclose [a receiver for] receiving incoming Downloadables, this
`
`feature would have been obvious based on the teachings in Swimmer. In
`
`particular, it would have been obvious that Swimmer’s VIDES system could be
`
`used at a network device, such as a gateway or FTP or Web server in order to
`
`intercept incoming Downloadables and analyze them before they are sent to a
`
`destination computer (e.g., a client computer). Davidson Decl., ¶ 95. One of
`
`ordinary skill in the art would have been motivated to do so for a number of
`
`reasons, such as to improve the efficiency when checking incoming
`
`Downloadables. Id. For one of ordinary skill in the art, this would have
`
`involved nothing more than combining well-known prior art elements (i.e., a
`
`gateway with Swimmer’s VIDES system) according to well-known software
`
`programming techniques in order to yield a predictable result (i.e., a gateway
`
`scanner that receives Downloadables and analyzes their behavior). Id.
`
`Additionally, when using Swimmer’s system in this manner, one of ordinary
`
`skill in the art would have understood that the system would include components
`
`
`
`-15-
`
`
`
`
`
`(e.g., network cards and modems) for receiving the Downloadables over the
`
`networks (i.e., a receiver). Id. at ¶ 96.
`
`c.
`
`Swimmer discloses [a Downloadable scanner coupled
`with said receiver, for] deriving security profile data
`for the Downloadable, including a list of suspicious
`computer operations that may be attempted by the
`Downloadable (1[B], 10[B])
`
`VIDES uses an emulator to monitor application programs and code (i.e.,
`
`Downloadables) and generate a stream of system activity data. Swimmer, p. 7
`
`(“The prerequisite for using an Intrusion Detection (ID) system like ASAX is an
`
`audit system which securely collects system activity data.”). To generate this
`
`system activity data, the emulator, “accepts the entire instruction set of a processor
`
`as input, and interprets the binary code as the original processor would.”
`
`Swimmer, p. 8, 9 (“audit record attributes of records as collected by the PC
`
`emulator have the following meaning... [t]he final format for an MS-DOS audit
`
`record is as follows: <code segment, RecType, StartTime, EndTime, function
`
`number, arg ( … }, ret( … )>“). Swimmer also explains that the “audit system was
`
`integrated into an existing PC emulation by placing hooks into the module for
`
`processing all opcodes corresponding with the events.” Swimmer, p. 9. In other
`
`words, the audit system and/or emulator generates audit records for the
`
`Downloadables (i.e., Downloadable security profile data) that identifies and lists
`
`functions (i.e., operations) that the Downloadables attempt to invoke. Swimmer,
`
`Figure 3 (illustrating an exemplary audit record listing identified operations);
`
`Davidson Decl., ¶ 98-99.
`
`
`
`-16-
`
`
`
`
`
`More specifically, Swimmer explains that audit records generated by the
`
`audit system include a field, called “function number,” which is the “number of the
`
`DOS function requested by the program.” Swimmer, p. 9. As explained by Dr.
`
`Davidson, in DOS, function numbers are assigned to “INT 21h” functions, which
`
`include various types of system operations. Swimmer, p. 7 (“Primarily, interrupt
`
`0x21 is used”); Davidson Decl., ¶ 100. For example, function numbers 0, 49, 76
`
`are program termination operations. Function numbers 15 are file operations
`
`(open, close). Functions 72-74, and 88 are memory operations. Function numbers
`
`68, 94, and 95 are network operations. Davidson Decl., ¶ 101. Significantly, these
`
`operations identified by Swimmer’s audit system are the very same types of
`
`operations referred to by the applications related to the ’494 patent as examples of
`
`“suspicious operations.” ’639 provisional, p. 18, l. 9-13 (DSP data “includes the
`
`fundamental computer operations,” in a Downloadable such as “file management
`
`operations, system management operations, memory management operations and
`
`CPU allocation operations.”). Thus, Swimmer discloses deriving security profile
`
`data (e.g., audit records) that includes a list of suspicious operations that the
`
`Downloadable may attempt to invoke (e.g., INT 21h system functions). Davidson
`
`Decl., ¶ 102.
`
`Additionally, Swimmer discloses that this Downloadable security profile
`
`data is derived by a Downloadable scanner (e.g., an emulator and/or audit system).
`
`Swimmer, p. 8 (the emulator is “a program which accepts the entire instruction set
`
`of a processor as input, and interprets the binary code as the original processor
`
`
`
`-17-
`
`
`
`
`
`would.”); Davidson Decl., ¶ 103-105 (explaining that identification and
`
`recordation of DOS function call numbers in Swimmer determines and identifies
`
`suspicious operations in the same manner as the code scanner described in the ’194
`
`patent). This Downloadable scanner is also coupled to the receiver (e.g., the
`
`network components at the firewall). For example, both components are located
`
`on the same computer system (e.g., a firewall) and would be stored together in
`
`memory (e.g., RAM). Davidson Decl., ¶ 106; ’194 patent, col. 3:23-46 (describing
`
`the same form of “coupling” for the “code scanner” and “receiver”), FIG. 3.
`
`d.
`
`Swimmer discloses [a database manager coupled with
`said Downloadable scanner, for] storing the
`Downloadable security profile data in a database
`(1[C], 10[C])
`
`As discussed directly above, Swimmer discloses an emulator and/or audit
`
`system that monitors Downloadables and generates audit records that list
`
`suspicious operations (i.e., security profile data). Swimmer further discloses that
`
`these audit records are stored in a database. Swimmer, p. 9 (“The final format for
`
`an MS-DOS audit record is as follows: <code segment, RecType, StartTime,
`
`EndTime, function number, arg ( … }, ret( … )>“). For example, Figure 3
`
`(partially reproduced below) illustrates an exemplary audit record.
`
`
`
`-18-
`
`
`
`
`
`
`
`As shown in Figure 3, the audit record includes a list of suspicious
`
`operations identified by the audit system that are organized according to a clearly
`
`defined structure with various fields (i.e., an organized collection of data that is
`
`organized based on a particular schema). Davidson Decl., ¶ 107 (explaining that a
`
`POSITA would have considered this audit record format to be a type of database,
`
`e.g., a flat-file database). Thus, Swimmer discloses storing security profile data for
`
`a Downloadable (e.g., audit records) in a database. Davidson Decl., ¶ 108.
`
`Moreover, to the extent Patent Owner argues that the claimed “database”
`
`must “serve one or more applications,” Swimmer discloses this feature. In
`
`particular, Swimmer discloses that the audit records stored in the database are used
`
`by other processes. For example, the database is u
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
