Filed: April 14, 2016

Filed on behalf of: Blue Coat Systems, Inc.
By: Michael T. Rosato (mrosato@wsgr.com)
Andrew S. Brown (asbrown@wsgr.com)
WILSON SONSINI GOODRICH & ROSATI

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

BLUE COAT SYSTEMS, INC.,
Petitioner,

v.

FINJAN, INC.,
Patent Owner.

Patent No. 8,677,494

PETITION FOR INTER PARTES REVIEW
OF U.S. PATENT NO. 8,677,494

TABLE OF CONTENTS

I. MANDATORY NOTICES (37 C.F.R. § 42.8)
II. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))
III. IDENTIFICATION OF CHALLENGE (37 C.F.R. § 42.104(B))
    A. Claims for Which Review Is Requested
    B. Priority Date of the ’494 Patent
    C. The Specific Art on Which the Challenge Is Based
    D. The Statutory Grounds on Which the Challenge Is Based
IV. OVERVIEW OF THE ’494 PATENT
    A. The Specification
    B. The Challenged Claims
V. LEVEL OF ORDINARY SKILL
VI. CLAIM CONSTRUCTION
    A. “Database”
VII. GROUNDS OF UNPATENTABILITY
    A. Swimmer Renders Obvious Claims 1, 2, 5, 6, 10, 11, 14, and 15
        1. Swimmer Renders Obvious Independent Claims 1 and 10
            a. Swimmer discloses “[a] system for managing Downloadables” (10[P]) and “[a] computer-based method” (1[P])
            b. Swimmer discloses [a receiver for] receiving an incoming Downloadable (1[A], 10[A])
            c. Swimmer discloses [a Downloadable scanner coupled with said receiver, for] deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable (1[B], 10[B])
            d. Swimmer discloses [a database manager coupled with said Downloadable scanner, for] storing the Downloadable security profile data in a database (1[C], 10[C])
        2. Swimmer Renders Obvious Claims 2 and 11
        3. Swimmer Renders Obvious Claims 6 and 15
        4. Swimmer Renders Obvious Claims 5 and 14
VIII. CONCLUSION
IX. APPENDIX – LIST OF EXHIBITS

Blue Coat Systems Inc. (“Petitioner” or “Blue Coat”) petitions the United States Patent & Trademark Office (“PTO”) to institute an inter partes review of claims 1, 2, 5, 6, 10, 11, 14, and 15 (“challenged claims”) of U.S. Patent No. 8,677,494 to Edery et al. (“the ’494 patent”). According to PTO records, the ’494 patent is assigned to Finjan, Inc. (“Finjan” or “Patent Owner”). A copy of the ’494 patent is provided as Exhibit 1001.

I. MANDATORY NOTICES (37 C.F.R. § 42.8)

Real Party In Interest: Blue Coat Systems, Inc. is the real party-in-interest.

Related Matters: The ’494 patent is currently involved in the following proceedings: Finjan, Inc. v. Blue Coat, Inc. 5:15-cv-03295 (N.D. CA); Finjan, Inc. v. Symantec Corp., Case No. 3:14-cv-02998 (N.D. CA); Finjan, Inc. v. Sophos Inc., 3:14-cv-01197 (N.D. Cal.); and Finjan, Inc. v. Palo Alto Networks, Inc., 3:14-cv-04908 (N.D. Cal.). An inter partes review, Symantec Corp. v. Finjan, Inc. (IPR2015-01892, “the Symantec IPR”) was instituted on March 18, 2016. A motion for joinder to the Symantec IPR has been filed concurrent with this petition. A second inter partes review petition challenging the ’494 patent, Palo Alto Networks, Inc. v. Finjan, Inc. (IPR2016-00159), is currently pending pre-institution.

LEAD AND BACKUP COUNSEL:

| Lead Counsel | Back-Up Counsel |
|---|---|
| Michael T. Rosato | Andrew S. Brown |
| USPTO Reg. No. 52,182 | USPTO Reg. No. 74,177 |
| WILSON SONSINI GOODRICH & ROSATI | WILSON SONSINI GOODRICH & ROSATI |
| 701 Fifth Avenue | 701 Fifth Avenue |
| Suite 5100 | Suite 5100 |
| Seattle, WA 98104-7036 | Seattle, WA 98104-7036 |
| Tel.: 206-883-2529 | Tel.: 206-883-2584 |
| Fax: 206-883-2699 | Fax: 206-883-2699 |
| Email: mrosato@wsgr.com | Email: asbrown@wsgr.com |

SERVICE INFORMATION: Service information for lead and back-up counsel is provided in the designation of lead and back-up counsel above. Petitioner consents to electronic service by email at the email addresses provided above.

II. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))

The undersigned and Blue Coat certify that the ’494 patent is available for inter partes review and Petitioner is not barred or estopped from requesting an inter partes review of the challenged claims of the ’494 patent. Petitioner has not filed a civil action challenging the validity of any claim of the ’494 patent, and no complaint alleging infringement of the ’494 patent was served on Petitioner more than a year before the date of this Petition. The ’494 patent issued more than nine months prior to the date of this Petition. This Petition is filed within a month of institution of the Symantec IPR, and is being filed concurrently with a motion for joinder to the Symantec IPR.

III. IDENTIFICATION OF CHALLENGE (37 C.F.R. § 42.104(B))

Petitioner requests an Order cancelling the challenged claims as unpatentable under 35 U.S.C. § 103.

A. Claims for Which Review Is Requested

Petitioner requests inter partes review of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ’494 patent.

B. Priority Date of the ’494 Patent

The ’494 patent issued from U.S. Application No. 13/290,708 filed on November 7, 2011. Given that the ’494 patent was filed before March 16, 2013, the provisions of pre-AIA 35 U.S.C. §§ 102 and 103 apply.

The ’494 patent claims priority to a number of applications, the earliest of which, U.S. Provisional Application No. 60/030,639 (“the ’639 provisional,” provided as Ex. 1002) was filed on November 8, 1996. Because the prior art reference pre-dates November 8, 1996, the cited reference qualifies as prior art to the ’494 patent.

C. The Specific Art on Which the Challenge Is Based

The reference cited in this Petition is prior art to the ’494 patent, which, in this Petition, is assumed to have an effective filing date and earliest possible priority date of November 8, 1996. The cited reference is as follows:

1. Dynamic Detection and Classification of Computer Viruses Using General Behaviour Patterns, by Morton Swimmer, Virus Bulletin Conference, Virus Bulletin Ltd., September 1995 (“Swimmer,” provided as Ex. 1005).

Swimmer was presented at the Virus Bulletin International Conference held September 20-22, 1995 in Boston, MA. Moreover, the declaration by Dr. Sylvia Hall-Ellis (Exs. 1006 and 1007), together with certain evidence discussed therein (Exs. 1010 and 1011), demonstrates that Swimmer was available to the public as of December 1, 1995. Ex. 1006 at ¶¶ 7-8, 11-12, 18-20. Thus, Swimmer is a printed publication that was publicly available before the November 8, 1996 earliest possible priority date of the ’494 patent. Accordingly, Swimmer is prior art to the ’494 patent under pre-AIA 35 U.S.C. § 102(b), or at the very least pre-AIA 35 U.S.C. § 102(a).

D. The Statutory Grounds on Which the Challenge Is Based

This Petition identifies the following ground of unpatentability:

Ground 1: Swimmer renders obvious claims 1, 2, 5, 6, 10, 11, 14, and 15 under § 103.

IV. OVERVIEW OF THE ’494 PATENT

A. The Specification

The ’494 patent generally relates to the protection of computers from potentially undesirable or suspicious software programs or code received over a network, referred to as “Downloadables.” ’494 patent, Abstract, col. 1:59-63, 2:22-3:9. According to the ’494 patent, a Downloadable is “received information [that] includes executable code.” ’494 patent, col. 3:3-8, col. 4:5-14, col. 5:64-6:2, col. 9:46-52, col. 15:22-39. Some examples of Downloadables described in the specification include: distributed components, Java applets, JavaScript scripts, ActiveX controls, and VisualBasic scripts. ’494 patent, Abstract, col. 2:22-30 & 59-64, col. 9:46-52; see also Davidson Decl., ¶¶ 37-42, 76. [1]

Curiously, besides this general discussion of “Downloadables,” the specification of the ’494 patent does not appear to include any description of the particular features recited in the claims. In particular, the ’494 patent specification does not even use the term “security profile,” much less provide any description related to deriving a security profile from a Downloadable or storing the security profile in a database, which are recited in both independent claims of the ’494 patent. Certain other applications to which the ’494 patent claims priority, however, appear to provide at least some disclosure corresponding to these claimed “security profile” features. See ’639 provisional; U.S. Patent No. 6,092,194 (“the ’194 patent,” provided as Ex. 1013); see also Davidson Decl., ¶ 77.

[1] The Declaration of Dr. Jack Davidson is provided as Ex. 1018. Citations to Dr. Davidson’s Declaration are provided in the form: “Davidson Decl., ¶ #.”

As explained in the ’194 patent, a Downloadable is “received from [an] external computer network” and delivered to a “code scanner.” ’194 patent, col. 4:33-40, 5:36-42. If the Downloadable is “unknown,” the code scanner generates Downloadable Security Profile (DSP) data for the Downloadable by “us[ing] conventional parsing techniques to decompose the code (including all prefetched components) of the Downloadable into the DSP data.” ’194 patent, col. 5:41-45, col. 9:20-42, FIG. 7. The DSP data “includes the fundamental computer operations included in each known Downloadable 307, and may include, READs, WRITEs, file management operations, system management operations, memory management operations and CPU allocation operations.” ’639 provisional, p. 18, l. 9-13, p. 24, l. 19-p. 25, l. 2 (describing loop commands such as “goto”, “while” “if”, “than” or the like as further examples of potentially suspicious commands); ’194 patent, col. 5:45-6:3, col. 9:20-42; see also Davidson Decl., ¶ 78. The Downloadable and its DSP data may then be stored (e.g., in a database). ’639 provisional, p. 20, l. 12-16 (“the non-hostile Downloadable is stored in known Downloadable’s 307 and its corresponding DSP data is stored in DSP data 310.”), p. 22, l. 15-21, p. 17, l. 13-19 (describing items 307 and 310 as portions of a “security database”); ’194 patent, col. 6:9-12; see also Davidson Decl., ¶ 79.

In other words, the DSP data is an assessment of the Downloadable that identifies the fundamental computer operations (e.g., potentially suspicious system operations) that the Downloadable may attempt to invoke. Davidson Decl., ¶ 80. Among other things, this DSP data can be verified against “security policies” at a client computer, before allowing the Downloadable to execute. ’639 provisional, p. 20, l. 2-12; ’194 patent, col. 6:13-24. Generally speaking, a “security policy” is a set of rules associated with an organization or user that can be used to determine whether a Downloadable (and/or the operations being invoked thereby) should be blocked or allowed to execute. Davidson Decl., ¶¶ 70-72, 81-82.

Significantly, the ’494 patent does not disclose any new or improved mechanism for generating security profile data (i.e., a list of potentially suspicious operations) associated with a program. Rather, as acknowledged by the related applications, various techniques for deriving such data, such as by parsing and decomposing executable code, were widely used and conventional at the time of the ’494 patent. ’639 provisional, p. 19, l. 16-20; ’194 patent, col. 5:42-45; see also Davidson Decl., ¶ 83. Thus, the purported patentability of the challenged claims hinges on the fact that the security profile data is generated for “an incoming Downloadable” and is then stored in a database. Id. These features, however, are not only simple and straightforward, but were also well known long before the ’494 patent. Id.

B. The Challenged Claims

The text of the two challenged independent claims (1 and 10) is reproduced in the chart below. For ease of reference, labels have been assigned to each limitation, such as 1[Pre] which refers to the preamble of claim 1 and 10[C] which refers to the final limitation of claim 10. Other than the claim format (i.e., system or method) and small variations in the claim language, independent claims 1 and 10 recite substantially similar limitations. The only meaningful difference is that claim 10 is directed to a system and includes components (e.g., a receiver) for performing each of the steps recited in claim 1. Accordingly, where applicable, claims 1 and 10 are discussed together in this Petition.

| | Claim 1 | Claim 10 |
|---|---|---|
| [Pre] | A computer-based method, comprising the steps of: | A system for managing Downloadables, comprising: |
| [A] | receiving an incoming Downloadable; | a receiver for receiving an incoming Downloadable; |
| [B] | deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable; and | a Downloadable scanner coupled with said receiver, for deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable; and |
| [C] | storing the Downloadable security profile data in a database. | a database manager coupled with said Downloadable scanner, for storing the Downloadable security profile data in a database. |

V. LEVEL OF ORDINARY SKILL

A person of ordinary skill in the art (“POSITA”) is a hypothetical person who is presumed to have known the relevant art at the time of the alleged invention. Custom Accessories, Inc. v. Jeffrey-Allan Indus., Inc., 807 F.2d 955, 962 (Fed. Cir. 1986) (“The person of ordinary skill is a hypothetical person who is presumed to be aware of all the pertinent prior art.”). A POSITA at the time of the alleged invention of the ’494 patent would have a Master’s degree in computer science, computer engineering, or a similar field, or a Bachelor’s degree in computer science, computer engineering, or a similar field, with approximately two years of industry experience relating to computer security. Additional graduate education might substitute for experience, while significant experience in the field of computer programming and malicious code might substitute for formal education. Davidson Decl., ¶ 30. Such a person would have been capable of understanding the ’494 patent and applying the prior art references discussed herein. Id.

VI. CLAIM CONSTRUCTION

For unexpired patents, claims should be given the “broadest reasonable interpretation in light of the specification” (“BRI”). See 37 C.F.R. § 42.100(b); see also In re Yamamoto, 740 F.2d 1569, 1571 (Fed. Cir. 1984); In re Am. Acad. of Sci. Tech. Ctr., 367 F.3d 1359, 1363-64 (Fed. Cir. 2004). [2]

[2] No claim construction decision has been rendered in the foregoing related District Court proceeding concerning the ’494 patent. Because of the differing claim construction standards, Petitioner expressly reserves the right to assert different claim constructions or take different positions with respect to any term/phrase of the ’494 patent construed in a U.S. District Court proceeding.

A. “Database”

All of the challenged claims require storing data in a “database.” Based on the claim language and the specification, the broadest reasonable interpretation of this claim term is: “an organized collection of data.”

This construction is consistent with the plain and ordinary meaning of the term “database” to a POSITA at the time of the ’494 patent. See Davidson Decl., ¶¶ 84-85 (explaining that a POSITA would have understood a “database” to be any collection of organized or related data); see also Ex. 1014, p. 339 (“a collection or organized, related data”); Ex. 1015, p. 325 (“a collection of data organized”); Ex. 1016, p. 95 (“any clearly identified collection of data,” typically having “all its information in one central store or file”; “a database [means] a coherent collection of data entered into a computer system.”). Moreover, the ’494 patent does not provide any indication that the claimed “database” has a different meaning. Indeed, neither the specification nor the challenged claims say anything about the form or structure of the claimed “database.” Rather, both the specification and claims merely describe the type of data that is stored in the database (e.g., DSP data). See, e.g., ’194 patent, col. 3:47-50 (“[t]he data storage device 230 stores a security database 240, which includes security information”); col. 4:14-18; col. 9:52-55, FIGS. 2, 3; ’494 patent, claim 1 (“storing the Downloadable security profile data in a database”). Thus, the “database” should be construed as “an organized collection of data.” Davidson Decl., ¶ 86.

This construction is also consistent with Symantec’s position concerning the proper construction of this claim term in related district court proceedings. See Joint Claim Construction and Pre-Hearing Statement, Dkt. No. 68, p. 4 (provided as Ex. 1017). In fact, in the district court, Patent Owner agreed that a “database” is a collection of organized data. Ex. 1017, p. 4. Patent Owner argued, however, that the claimed “database” further requires the data to be organized “according to a database schema” and must “serve one or more applications.” See Ex. 1017, p. 4. Patent Owner’s proposed construction adds limitations that are unnecessary, confusing and, more importantly, have no support whatsoever in the intrinsic record. This appears to be nothing more than an attempt to salvage the challenged claims by excluding certain types of databases described in the prior art, such as log files. See Ex. 1017, p. 4. Significantly, in the district court proceeding, Patent Owner and its expert acknowledged that, even under Patent Owner’s proposed construction, at least some types of log files are “databases.” Accordingly, any similar attempts by Patent Owner to limit the BRI of a “database” in the challenged claims should be rejected as improper for being inconsistent with the specification, the claim language, and the understanding of a POSITA.

VII. GROUNDS OF UNPATENTABILITY

A. Swimmer Renders Obvious Claims 1, 2, 5, 6, 10, 11, 14, and 15

Swimmer is generally directed to a computer system, called Virus Intrusion Detection Expert System (VIDES), for detecting and classifying computer viruses. Swimmer, Title. For example, Swimmer explains that this VIDES system can be used “as a type of firewall for programs entering a protected network,” i.e., programs downloaded over a network. Swimmer, p. 13. In order to detect viruses or virus behaviors, Swimmer discloses using an emulator to monitor the activity of a virtual PC, including application programs and code being executed by the PC. Swimmer, p. 1. The emulator creates a stream of system activity data, which includes operations and functions that these programs attempt to invoke. Swimmer, p. 1, 7. Swimmer explains that the activity data is recorded in a database according to a structured schema. Swimmer, p. 9 (“<code segment, RecType, StartTime, EndTime, function number, arg ( ... }, ret( … )>”). This structured data is then used by an expert system (e.g., Advanced Security audit trail Analysis on UniX, “AS-AX”) to detect viruses by employing rules that model typical virus behavior. Swimmer, p. 2, 4-5, 10-12; Davidson Decl., ¶ 87.

1. Swimmer Renders Obvious Independent Claims 1 and 10

a. Swimmer discloses “[a] system for managing Downloadables” (10[P]) and “[a] computer-based method” (1[P])

Swimmer describes a computer system called “VIDES,” which is “comprise[d] of a PC emulation and an IDES-like expert system.” Swimmer p. 2, Figure 4. In turn, Swimmer discloses methods for detecting viruses using this VIDES system. Swimmer, p. 1 (“The resulting system is called VIDES: it is a prototype for an automatic analysis system for computer viruses.”). An emulator monitors and records the operations of a virtual computer and an expert system then analyzes the recorded data using rules associated with virus behavior. Swimmer, p. 1 (“an emulator is used to monitor the system activity of a virtual PC [and] the expert system ASAX is used to analyse the stream of data whicg [sic] the emulator produces [using] general rules to detect real viruses generically and reliably, and specific rules to extract details of their behaviour.”), p. 4-7, 10, 12 (describing exemplary rules), p. 8-10 (describing the use of the emulator to develop/record system activity information), p. 11-12 (describing the application of the expert system ASAX to rules and recorded data); Davidson Decl., ¶ 88.

Moreover, Swimmer explains that its VIDES system is used to detect viruses in application programs and program code by monitoring and analyzing the functions and operations these programs attempt to invoke. Swimmer, p. 7; Davidson Decl., ¶ 89. These application programs can include “programs entering a protected network” (i.e., executable code being downloaded over a network). Swimmer, p. 13. Accordingly, Swimmer discloses a computer-based method and a system for managing Downloadables (e.g., application programs and executable code). Davidson Decl., ¶ 90; see also ’494 patent, col. 2:59-3:8 (stating that “application programs” and “executable code” are examples of “Downloadables”), 9:46-52 (same).

b. Swimmer discloses [a receiver for] receiving an incoming Downloadable (1[A], 10[A])

As discussed above, Swimmer describes methods for detecting viruses in application programs and program code using its VIDES system. Swimmer, p. 1 (“The resulting system is called VIDES: it is a prototype for an automatic analysis system for computer viruses.”). This VIDES system includes an emulator, which monitors the programs and executable code and records certain operations and functions that they attempt to invoke. Swimmer, Abstract, p. 8. In other words, Swimmer discloses techniques for monitoring and analyzing application programs and executable code (i.e., Downloadables). Davidson Decl., ¶ 91. Indeed, the ’494 patent refers to these exact same items as examples of the claimed Downloadable. ’494 patent, col. 2:59-3:8, 9:46-52.

Moreover, to the extent Patent Owner argues that this claim limitation requires that the “incoming Downloadable” be received over a network, Swimmer explicitly discloses this feature. In particular, Swimmer explains that the VIDES system can be used in a networked environment as part of a firewall for a protected network (e.g., an intranet). Swimmer, p. 13 (explaining that VIDES could be used “to detect viruses in a real environment” and that “[o]ne possibility is to use it as a type of firewall for programs entering a protected network.”). In other words, Swimmer discloses that VIDES can be used at a firewall in order to monitor and analyze incoming Downloadables received at the firewall (e.g., programs that are being downloaded by or sent to a computer on the protected network). Davidson Decl., ¶¶ 92-93 (explaining that firewalls are security devices/software located between the outside network, such as an Internet, and an internal network, such as an intranet, which connects a number of client computers).

Swimmer also discloses that the VIDES system includes a “receiver” for receiving the Downloadable (i.e., the firewall components at the firewall for interfacing with the networks). Davidson Decl., ¶ 94. Indeed, in order for VIDES to be used at a firewall for “programs entering a protected network” (i.e., receive and analyze incoming Downloadables), a POSITA would have understood that the system necessarily included a “receiver” (i.e., networking components) for receiving these Downloadables. Davidson Decl., ¶ 94.

To the extent Patent Owner argues, however, that Swimmer does not explicitly disclose [a receiver for] receiving incoming Downloadables, this feature would have been obvious based on the teachings in Swimmer. In particular, it would have been obvious that Swimmer’s VIDES system could be used at a network device, such as a gateway or FTP or Web server, in order to intercept incoming Downloadables and analyze them before they are sent to a destination computer (e.g., a client computer). Davidson Decl., ¶ 95. One of ordinary skill in the art would have been motivated to do so for a number of reasons, such as to improve the efficiency when checking incoming Downloadables. Id. For one of ordinary skill in the art, this would have involved nothing more than combining well-known prior art elements (i.e., a gateway with Swimmer’s VIDES system) according to well-known software programming techniques in order to yield a predictable result (i.e., a gateway scanner that receives Downloadables and analyzes their behavior). Id. Additionally, when using Swimmer’s system in this manner, one of ordinary skill in the art would have understood that the system would include components (e.g., network cards and modems) for receiving the Downloadables over the networks (i.e., a receiver). Id. at ¶ 96.

c. Swimmer discloses [a Downloadable scanner coupled with said receiver, for] deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable (1[B], 10[B])

VIDES uses an emulator to monitor application programs and code (i.e., Downloadables) and generate a stream of system activity data. Swimmer, p. 7 (“The prerequisite for using an Intrusion Detection (ID) system like ASAX is an audit system which securely collects system activity data.”). To generate this system activity data, the emulator “accepts the entire instruction set of a processor as input, and interprets the binary code as the original processor would.” Swimmer, p. 8, 9 (“audit record attributes of records as collected by the PC emulator have the following meaning... [t]he final format for an MS-DOS audit record is as follows: <code segment, RecType, StartTime, EndTime, function number, arg ( … }, ret( … )>”). Swimmer also explains that the “audit system was integrated into an existing PC emulation by placing hooks into the module for processing all opcodes corresponding with the events.” Swimmer, p. 9. In other words, the audit system and/or emulator generates audit records for the Downloadables (i.e., Downloadable security profile data) that identify and list functions (i.e., operations) that the Downloadables attempt to invoke. Swimmer, Figure 3 (illustrating an exemplary audit record listing identified operations); Davidson Decl., ¶¶ 98-99.

More specifically, Swimmer explains that audit records generated by the audit system include a field, called “function number,” which is the “number of the DOS function requested by the program.” Swimmer, p. 9. As explained by Dr. Davidson, in DOS, function numbers are assigned to “INT 21h” functions, which include various types of system operations. Swimmer, p. 7 (“Primarily, interrupt 0x21 is used”); Davidson Decl., ¶ 100. For example, function numbers 0, 49, 76 are program termination operations. Function numbers 15 are file operations (open, close). Functions 72-74, and 88 are memory operations. Function numbers 68, 94, and 95 are network operations. Davidson Decl., ¶ 101. Significantly, these operations identified by Swimmer’s audit system are the very same types of operations referred to by the applications related to the ’494 patent as examples of “suspicious operations.” ’639 provisional, p. 18, l. 9-13 (DSP data “includes the fundamental computer operations,” in a Downloadable such as “file management operations, system management operations, memory management operations and CPU allocation operations.”). Thus, Swimmer discloses deriving security profile data (e.g., audit records) that includes a list of suspicious operations that the Downloadable may attempt to invoke (e.g., INT 21h system functions). Davidson Decl., ¶ 102.

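The audit-record format and function-number groups discussed above can be made concrete with a short script, which is an added example and not code from Swimmer, the petition, or any exhibit. The text serialization of the records, the sample trail, the table layout and all function names are constructed assumptions; only the seven-field order and the function-number groups come from the text above.

```python
import re
import sqlite3
from collections import Counter

# Function-number groups as listed in the petition text (decimal values).
CATEGORIES = {
    "program termination": {0, 49, 76},
    "file": {15},
    "memory": {72, 73, 74, 88},
    "network": {68, 94, 95},
}

# Assumed text serialization of the seven-field audit record
# <code segment, RecType, StartTime, EndTime, function number, arg(...), ret(...)>.
RECORD_RE = re.compile(
    r"<\s*(?P<segment>[0-9A-Fa-f]+)\s*,\s*(?P<rectype>\d+)\s*,"
    r"\s*(?P<start>\d+)\s*,\s*(?P<end>\d+)\s*,\s*(?P<function>\d+)\s*,"
    r"\s*arg\((?P<arg>[^)]*)\)\s*,\s*ret\((?P<ret>[^)]*)\)\s*>"
)

# Constructed sample audit trail for one program; not taken from Swimmer.
SAMPLE_TRAIL = """\
<1F3A, 0, 1000, 1002, 15, arg(SAMPLE.COM), ret(5)>
<1F3A, 0, 1003, 1004, 72, arg(64), ret(2A10)>
<1F3A, 0, 1005, 1006, 15, arg(OTHER.COM), ret(6)>
<1F3A, 0, 1007, 1008, 9, arg(msg), ret(0)>
garbled line without record delimiters
<1F3A, 0, 1009, 1010, 76, arg(0), ret()>
"""


def parse_records(text):
    """Parse audit lines; return (records, number of malformed lines rejected)."""
    records, rejected = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RECORD_RE.fullmatch(line)
        if match is None:
            rejected += 1  # never guess at fields of a damaged record
            continue
        records.append({
            "segment": match["segment"],
            "rectype": int(match["rectype"]),
            "start": int(match["start"]),
            "end": int(match["end"]),
            "function": int(match["function"]),
            "arg": match["arg"],
            "ret": match["ret"],
        })
    return records, rejected


def categorize(function_number):
    """Return the operation group for a function number, or None if unlisted."""
    for name, numbers in CATEGORIES.items():
        if function_number in numbers:
            return name
    return None


def derive_profile(records):
    """List each grouped operation once, with its call count, by function number."""
    counts = Counter(record["function"] for record in records)
    return [
        (number, categorize(number), calls)
        for number, calls in sorted(counts.items())
        if categorize(number) is not None
    ]


def store_profile(conn, downloadable, profile):
    """Store the derived list in a table keyed by program and function number."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS profile ("
        "downloadable TEXT, func_no INTEGER, category TEXT, calls INTEGER, "
        "PRIMARY KEY (downloadable, func_no))"
    )
    conn.executemany(
        "INSERT OR REPLACE INTO profile VALUES (?, ?, ?, ?)",
        [(downloadable, number, group, calls) for number, group, calls in profile],
    )
    conn.commit()


def stored_operations(conn, downloadable):
    """Read the stored list back, as a separate consumer of the data would."""
    cursor = conn.execute(
        "SELECT func_no, category, calls FROM profile "
        "WHERE downloadable = ? ORDER BY func_no",
        (downloadable,),
    )
    return cursor.fetchall()


def demo():
    records, rejected = parse_records(SAMPLE_TRAIL)
    conn = sqlite3.connect(":memory:")
    store_profile(conn, "SAMPLE.COM", derive_profile(records))
    return stored_operations(conn, "SAMPLE.COM"), rejected


if __name__ == "__main__":
    operations, rejected = demo()
    for number, group, calls in operations:
        print(f"function {number:3d}  {group:20s} calls={calls}")
    print(f"malformed lines rejected: {rejected}")
```
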
Additionally, Swimmer discloses that this Downloadable security profile data is derived by a Downloadable scanner (e.g., an emulator and/or audit system). Swimmer, p. 8 (the emulator is “a program which accepts the entire instruction set of a processor as input, and interprets the binary code as the original processor would.”); Davidson Decl., ¶¶ 103-105 (explaining that identification and recordation of DOS function call numbers in Swimmer determines and identifies suspicious operations in the same manner as the code scanner described in the ’194 patent). This Downloadable scanner is also coupled to the receiver (e.g., the network components at the firewall). For example, both components are located on the same computer system (e.g., a firewall) and would be stored together in memory (e.g., RAM). Davidson Decl., ¶ 106; ’194 patent, col. 3:23-46 (describing the same form of “coupling” for the “code scanner” and “receiver”), FIG. 3.

d. Swimmer discloses [a database manager coupled with said Downloadable scanner, for] storing the Downloadable security profile data in a database (1[C], 10[C])

As discussed directly above, Swimmer discloses an emulator and/or audit system that monitors Downloadables and generates audit records that list suspicious operations (i.e., security profile data). Swimmer further discloses that these audit records are stored in a database. Swimmer, p. 9 (“The final format for an MS-DOS audit record is as follows: <code segment, RecType, StartTime, EndTime, function number, arg ( … }, ret( … )>”). For example, Figure 3 (partially reproduced below) illustrates an exemplary audit record.

As shown in Figure 3, the audit record includes a list of suspicious operations identified by the audit system that are organized according to a clearly defined structure with various fields (i.e., an organized collection of data that is organized based on a particular schema). Davidson Decl., ¶ 107 (explaining that a POSITA would have considered this audit record format to be a type of database, e.g., a flat-file database). Thus, Swimmer discloses storing security profile data for a Downloadable (e.g., audit records) in a database. Davidson Decl., ¶ 108.

Moreover, to the extent Patent Owner argues that the claimed “database” must “serve one or more applications,” Swimmer discloses this feature. In particular, Swimmer discloses that the audit records stored in the database are used by other processes. For example, the database is u