Trials@uspto.gov
`571-272-7822
`
`
`Paper 62
`Entered: March 15, 2017
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`PALO ALTO NETWORKS, INC. and SYMANTEC CORP.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2015-019791
`Patent 8,141,154 B2
`
`____________
`
`
`
`Before, THOMAS L. GIANNETTI, RICHARD E. RICE, and
`MIRIAM L. QUINN, Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`FINAL WRITTEN DECISION
`35 U.S.C. § 318(a) and 37 C.F.R. § 42.73
`
`
`
`
`1 This case is joined with IPR2016-00919. Paper 28 (“Decision on
`Institution of Inter Partes Review and Grant of Motion for Joinder,” filed by
`Symantec Corp.).
`
`
`571-272-7822
`
`
`Paper 62
`Entered: March 15, 2017
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`PALO ALTO NETWORKS, INC. and SYMANTEC CORP.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2015-019791
`Patent 8,141,154 B2
`
`____________
`
`
`
`Before, THOMAS L. GIANNETTI, RICHARD E. RICE, and
`MIRIAM L. QUINN, Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`FINAL WRITTEN DECISION
`35 U.S.C. § 318(a) and 37 C.F.R. § 42.73
`
`
`
`
`1 This case is joined with IPR2016-00919. Paper 28 (“Decision on
`Institution of Inter Partes Review and Grant of Motion for Joinder,” filed by
`Symantec Corp.).
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`Palo Alto Networks, Inc. and Symantec Corp. (collectively,
`
`“Petitioner”) have each filed petitions to institute inter partes review of
`claims 18, 10, and 11 of U.S. Patent No. 8,141,154 B2 (“the ’154 patent”)
`pursuant to 35 U.S.C. § 311319. In response to the first petition, filed by
`Palo Alto Networks, Inc.,2 Finjan, Inc. (“Patent Owner”) filed a Preliminary
`Response. Paper 6 (“Prelim. Resp.”). Upon consideration of the Petition
`and the Preliminary Response filed by Finjan, we instituted trial as to all the
`challenged claims. Paper 8 (“Dec.”).
`
`Subsequently, Symantec filed a petition seeking review of the same
`claims of the ’154 patent. IPR2016-00919, Paper 3. With this second
`petition, Symantec filed a motion to join IPR2016-00919 with this
`proceeding. We granted Symantec’s motion, joined the cases, terminated
`IPR2016-00919, and ordered consolidation of all Petitioner filings in this
`proceeding. Paper 10, at 5.
`During trial, Patent Owner filed a Patent Owner Response;3 and
`Petitioner filed a Reply.4 Patent Owner also filed Motions for Observations
`of the November 14, 2016 cross- examination of Petitioner’s declarant, Dr.
`Aviel Rubin. Paper 47 (“Mot. for Obs.”). Petitioner responded to Patent
`Owner’s Motion for Observations. Paper 49 (“Resp. Obs.”). Both parties
`also filed Motions to Exclude. Paper 46 (“Pet. Mot. to Exclude”); Paper 48
`(“PO Mot. to Exclude”). Both parties filed Oppositions and Replies
`concerning the Motions to Exclude. Papers 50, 51, 53, 55.
`
`
`2 Paper 2 (“Petition” or “Pet.”).
`3 Paper 22 (“PO Resp.”).
`4 Paper 35 (“Reply”).
`
`2
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`An oral hearing was held on December 15, 2016.5
`We have jurisdiction under 35 U.S.C. § 6. This Final Written
`
`Decision is issued pursuant to 35 U.S.C. § 318(a). For the reasons discussed
`herein, and in view of the record in this trial, we determine that Petitioner
`has not shown by a preponderance of the evidence that claims 18, 10, and
`11 of the ’154 patent are unpatentable.
`
`I.
`
`BACKGROUND
`
`A. RELATED MATTERS
`
`Petitioner identifies that the ’154 patent as the subject of various
`district court cases filed in the U.S. District Court for the Northern District
`of California (Case Nos. 3:14-cv-04908, 3:14-cv-02998, 5:15-cv-01353,
`5:14-cv-04398, 3:14-cv-01197, and 3:13-cv-05808). Pet. 3. Petitioner also
`states that petitions for inter partes review have been filed regarding other
`related patents. Id. The ’154 patent is also the subject of another inter
`partes review: IPR2016-00151 (and IPR2016-01071, joined therewith). In
`IPR2016-0151, we have issued a Final Written Decision, under 35 U.S.C.
`§ 318(a), concurrently with the instant Final Written Decision.
`
`B. INSTITUTED GROUNDS
`
`We instituted inter partes review of claim 18, 10, and 11 (“the
`challenged claims”) based on the following specific grounds:
`
`
`5 A transcript of the oral hearing is entered in the record as Paper 60 (“Tr.”).
`
`3
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`Reference[s]
`
`Khazan6 and Sirer7
`
`Basis
`35 U.S.C.§ 103
`
`Claims challenged
`15
`
`68, 10, and 11
`
`35 U.S.C. § 103
`
`Khazan, Sirer, and Ben-Natan8
`
`Petitioner supports its contentions of unpatentability with declarations
`from Dr. Aviel Rubin. Ex. 1002 (“Aviel Declaration”); Ex. 1045 (“Supp.
`Aviel Declaration”). Patent Owner supports its contentions with a
`declaration from Dr. Nenad Medvidovic. Ex. 2002 (“Medvidovic
`Declaration”). The cross-examinations of Dr. Rubin and Dr. Medvidovic are
`entered in the record as Exhibits 2005 and 1038, respectively.
`
`C. THE ’154 PATENT (EX. 1001)
`
`The ’154 patent relates to computer security and, more particularly, to
`systems and methods for protecting computers against malicious code such
`as computer viruses. Ex. 1001, 1:79, 8:3840. The ’154 patent identifies
`the components of one embodiment of the system as follows: a gateway
`computer, a client computer, and a security computer. Id. at 8:4547. The
`gateway computer receives content from a network, such as the Internet,
`over a communication channel. Id. at 8:4748. “Such content may be in the
`form of HTML pages, XML documents, Java applets and other such web
`content that is generally rendered by a web browser.” Id. at 8:4851. A
`content modifier modifies original content received by the gateway
`
`6 Patent Application Pub. No. US 2005/0108562 A1 (Exhibit 1003)
`(“Khazan”).
`7 Sirer et al., Design and Implementation of a Distributed Virtual machine
`for Networked Computers (1999) (Exhibit 1004) (“Sirer”).
`8 U.S. Patent No. 7,437,362 B1 (Exhibit 1005) (“Ben-Natan”).
`
`4
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`computer and produces modified content that includes a layer of protection
`to combat dynamically generated malicious code. Id. at 9:1316.
`
`D. ILLUSTRATIVE CLAIM
`
`Challenged claims 1, 4, 6, and 10 are independent, and illustrative
`claim 1 is reproduced below.
`1. A system for protecting a computer from dynamically
`generated malicious content, comprising:
`a content processor (i) for processing content received
`over a network, the content including a call to a first function,
`and the call including an input, and (ii) for invoking a second
`function with the input, only if a security computer indicates
`that such invocation is safe;
`a transmitter for transmitting the input to the security
`computer for inspection, when the first function is invoked; and
`a receiver for receiving an indicator from the security
`computer whether it is safe to invoke the second function with
`the input.
`
`
`II. ANALYSIS
`
`A. CLAIM INTERPRETATION
`
`In an inter partes review, claim terms in an unexpired patent are
`interpreted according to their broadest reasonable construction in light of the
`specification of the patent in which they appear. 37 C.F.R. § 42.100(b);
`Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 2131, 2142–46 (2016).
`Consistent with that standard, claim terms also are given their ordinary and
`customary meaning, as would be understood by one of ordinary skill in the
`art in the context of the entire disclosure. See In re Translogic Tech., Inc.,
`504 F.3d 1249, 1257 (Fed. Cir. 2007). There are, however, two exceptions
`to that rule: “1) when a patentee sets out a definition and acts as his own
`
`5
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`lexicographer,” and “2) when the patentee disavows the full scope of a claim
`term either in the specification or during prosecution.” See Thorner v. Sony
`Computer Entm’t Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012).
`If an inventor acts as his or her own lexicographer, the definition must
`be set forth in the specification with reasonable clarity, deliberateness, and
`precision. Renishaw PLC v. Marposs Societa’ per Azioni, 158 F.3d 1243,
`1249 (Fed. Cir. 1998) (citing In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir.
`1994)). Although it is improper to read a limitation from the specification
`into the claims, In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993),
`claims still must be read in view of the specification of which they are a part.
`Microsoft Corp. v. Multi-Tech Sys., Inc., 357 F.3d 1340, 1347 (Fed. Cir.
`2004).
`
`“content”
`In our Decision on Institution, we did not construe expressly any
`claim terms. Dec. 5. During trial, however, Patent Owner proposed a
`construction of the term “content” as “a data container that can be rendered
`by a client web browser.” PO Resp. 5. Petitioner challenges this
`construction as unduly narrow in view of the Specification. Reply 6. In
`particular, Petitioner argues that the Specification does not define the term
`and provides no “clear disavowal” of claim scope. Id. 67. According to
`Petitioner, the Specification and extrinsic evidence support a broader
`construction of “content” to mean “code.” Id. at 78 (citing Ex. 1001,
`12:4952; Ex. 2005, 80:1123).
`Because they are not consistent with the broadest reasonable
`interpretation in light of the specification, and as discussed further below, we
`
`6
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`do not adopt either of the parties’ proposed constructions. Our reasoning
`follows.
`The ’154 patent is titled “System and Method for Inspecting
`Dynamically Generated Executable Code.” Ex. 1001, [54]. Although the
`title refers to “executable code,” the term “content” is used elsewhere in the
`patent when describing the invention. The Abstract further clarifies that a
`“method for protecting a client computer from dynamically generated
`malicious content, includ[es] receiving at a gateway computer content being
`sent to a client computer for processing, the content including a call to an
`original function[.]” Id. Abstract (emphasis added). The gateway computer
`modifies the “content,” which is then transmitted to the client computer for
`processing there. Id.
`By way of background, the ’154 patent explains that the “ability to
`run executable code such as scripts within Internet browsers” has caused a
`new form of viruses “embedded within web pages and other web content,
`and[, which] begin executing within an Internet browser as soon as they
`enter a computer.” Id. at 1:3440. In particular, the ’154 patent describes
`these new “dynamically generated viruses” as “taking advantage of features
`of dynamic HTML generation, such as executable code or scripts that are
`embedded within HTML pages, to generate themselves on the fly at
`runtime.” Id. at 3:3139. Therefore, according to the ’154 patent
`“dynamically generated malicious code cannot be detected by conventional
`reactive content inspection and conventional gateway level behavioral
`analysis content inspection, since the malicious JavaScript is not present in
`the content prior to run-time.” Id. at 3:654:2. The invention, therefore,
`seeks to protect against “dynamically generated malicious code, in addition
`
`7
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`to conventional computer viruses that are statically generated.” Id. at
`4:3034.
`To accomplish this objective, the ’154 patent describes the gateway
`computer receiving “content from a network, such as the Internet, over a
`communication channel.” Id. at 8:4748. The “content may be in the form
`of HTML pages, XML documents, Java applets and other such web content
`that is generally rendered by a web browser.” Id. at 8:4851; see also id. at
`13:4952 (“Such content may be in the form of an HTML web page, an
`XML document, a Java applet, an EXE file, JavaScript, VBScript, an Active
`X Control, or any such data container that can be rendered by a client web
`browser.”); 13:4952. A “content modifier 265” at the gateway modifies
`“original content received” by the gateway computer and produces modified
`“content, which includes a layer of protection to combat dynamically
`generated malicious code.” Id. at 9:1316. It does this by scanning the
`“original content” and identifying certain function calls. Id. at 9:1620.
`Selected function calls are then replaced with a corresponding substitute
`function call. Id. at 9:2126.
`One example of a function call in the original content is identified as
`“Document.write (‘content that is dynamically generated at run-time’).” Id.
`at 11:5512:2. The original content is modified by replacing the original
`function call Document.write() with a substitute function call
`Substitute_document.write(). Id. at 10:3136. The client computer then
`receives the “content, as modified by the gateway computer.” Id. at
`11:6364. And it is this modified content that the client computer processes,
`
`8
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`by invoking the substitute function call and transmitting the input of that
`substitute function for inspection. Id. at 16:2229.
`From the above descriptions, we understand the ‘154 patent
`Specification to refer to three categories of content. First, there is the
`“original content” that is scanned and modified at the gateway computer.
`Second, there is the “modified content” transmitted to, and received by, the
`client computer. Third is the “dynamically generated malicious content”
`that is generated at runtime and, thus, is undetected by the gateway computer
`in the “original content.”
`We also understand that the purpose of the ’154 patent is to protect
`the client computer from this “dynamically generated malicious content,”
`which is sometimes also referred to in the Specification as “dynamically
`generated malicious code.” See, e.g., Ex. 1001, 4:3133 (“new behavioral
`analysis technology affords protection against dynamically generated
`malicious code”); 4:3840 (“before the client computer invokes a function
`call that may potentially dynamically generate malicious code”); 8:1720
`(“FIG. 2 is a simplified block diagram of a system for protecting a computer
`from dynamically generated malicious executable code, in accordance with a
`preferred embodiment of the present invention”); 8:3840 (“The present
`invention concerns systems and methods for protecting computers against
`dynamically generated malicious code.”).
`Notwithstanding the variety of content described in the Specification,
`the term “content” is recited broadly in all challenged claims as “content
`including a call to a first function.” For example, claim 1 recites a content
`processor for “processing content received over a network, the content
`
`9
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`including a call to a first function, and the call including an input.” Id. at
`17:3436.
`The claim language also requires that the processed “content” be
`received over a network. Because the recited “first function” is the
`substituted function whose input is verified, the claimed “content,” in the
`context of the surrounding claim language, must refer to the modified
`content received at the client computer. See id. at 17:3940 (“transmitting
`the input [of the first function call] to the security computer for inspection,
`when the first function is invoked”). The claimed content cannot refer to the
`“original content” that is received by the gateway computer and over the
`Internet because that content, according to the Specification, would be
`capable of generating the undetected dynamically generated malicious
`content from which the client computer is to be protected.
`Based on this understanding, we do not agree with Patent Owner that
`the recited “content” is “a data container that can be rendered by a client
`web browser.” See PO Resp. 6. Although the Specification states that
`“content may be in the form of an HTML web page, an XML document, a
`Java applet, an EXE file, JavaScript, VBScript, an ActiveX Control, or any
`such data container that can be rendered by a client web browser,” that
`passage describes the “original content,” not the “modified content.” See
`Ex. 1001, 13:4952. Furthermore, even if that description were applicable
`to the “modified content,” the Specification uses the permissive words
`“may” and “can,” which suggests that the description of the form of the
`content in the Specification was not intended to set forth a definition for the
`term “content.” See i4i Ltd. P’ship v. Microsoft Corp., 598 F.3d 831, 844
`
`10
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`(Fed. Cir. 2010) (declining to limit claim term where the specification used
`permissive language).
`Furthermore, although the Specification addresses embodiments
`concerning web pages received over the Internet, the Specification does not
`limit the “content” to web content only, or to content that can be rendered by
`a web browser. For example, in describing a content processor, the
`Specification states that it “may be a web browser running on client
`computer 210.” Ex. 1001, 10:6062. This description again uses permissive
`language that suggests the intent not to limit the content to a data container
`that can be rendered by a client web browser. We also find it informative
`that in discussing the communication channels over which the client
`computer receives the “modified content,” the Specification states that
`“communication channels 220, 225 and 230 [of Figure 2] may each be
`multiple channels using standard communication protocols such as TCP/IP.”
`Ex. 1001, 8:679:2.9 That is, the network over which the content is received
`may be any network that delivers data using a standard communication
`protocol, not just the Internet.
`Accordingly, we are not persuaded that the Specification supports a
`construction of “content” that is limited to the specific embodiment of a data
`container that can be rendered by a client web browser, as Patent Owner
`argues. In re Van Geuns, 988 F.2d 1181, 1184, (Fed. Cir. 1993)
`(“Moreover, limitations are not to be read into the claims from the
`specification.”) (internal citations omitted).
`
`9 TCP/IP is an abbreviation for Transmission Control Protocol over Internet
`Protocol, and it is the most widely used communication protocol for delivery
`of data over networks, including the Internet. TCP/IP, WILEY ELECTRICAL
`AND ELECTRONICS ENGINEERING DICTIONARY, 774 (2004) (Ex. 3001).
`
`11
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`We are not persuaded, in addition, that Petitioner has made a
`sufficient showing that a person of ordinary skill in the art would understand
`the plain meaning of “content” as “code.” To support its proposed
`construction, Petitioner relies on the cross-examination testimony of its own
`expert, Dr. Aviel Rubin. Ex. 2005, 80:1123. His testimony, however, is
`not persuasive because he proffers no reasoning for the conclusion that
`“content” is “code” under the broadest reasonable interpretation:
`Q· · What is your understanding of what “content” means?
`A· · In the context of the ’154 patent, content would be code.
`Q· · What do you mean by code?
`A· · Code, like an HTML page that has JavaScript in it.
`Q· · When you say code, do you mean any type of code?
`A· · Well, if you just say content, we are going to take the broadest
`reasonable interpretation of that. It would be any type of code, yes.
`
`Id.10
`Although it seems reasonable to say that the content includes “code,”
`
`no persuasive evidence limits the claimed content to only code. As we noted
`above, the Specification refers to code, sometimes interchangeably with
`content, but only in the context of dynamically generated code. The
`dynamically generated code, however, is not generated until runtime and,
`therefore, is not contained in the “modified content” that the client receives.
`See Ex. 1001, 3:654:2 (“dynamically generated code cannot be detected by
`conventional reactive content inspection and conventional gateway level
`
`
`10 We do not give weight to the testimony proffered by Dr. Medvidovic with
`regard to claim construction of this term given the contradictory positions
`asserted in this regard. See Reply 8.
`
`12
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`behavioral analysis content inspection, since the malicious JavaScript is not
`present in the content prior to run-time.”). Furthermore, the Specification
`describes various forms in which the content occurs, such as an HTML web
`page and Java applets (id. at 13:4952), but does not address sufficiently
`what is the “content” itself. But see, id. at 11:5051 (“suppose the content is
`an HTML page”).
`
`Given the broad disclosure of a network, as discussed above, the
`reference to a “data container” (id. at 13:5152) and “network content” (id.
`at 4:3737), the concern over scripts embedded in web pages or “other web
`content” (id. at 1:3739), we conclude that the Specification of the ’154
`patent uses the claimed “content” to refer broadly to the data or information,
`modified for processing, that the client receives from the network, where, in
`the case of the Internet, it may refer to a web page and its elements. This
`interpretation is consistent also with the meaning of the term in the art, as
`evidenced by dictionaries concerning computing and engineering. See
`content, Microsoft Computer Dictionary, 125 (5th ed. 2002) (Ex. 3002)
`(defining “content” as (1) “the data that appears between the starting and
`ending tags of an element in an SGML, XML, or HTML document. The
`content of an element may consist of plain text or other elements,” (2) “The
`message body of a newsgroup article or e-mail message;” and (3) “The
`‘meat’ of a document, as opposed to its format or appearance.”); see also
`content, WILEY ELECTRICAL AND ELECTRONICS ENGINEERING DICTIONARY,
`142 (2004) (Ex. 3001) (“Information, especially that which is available
`online, which may be any combination of text, audio, video, files, or the
`like.”).
`
`13
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`Accordingly, under the broadest reasonable interpretation in the
`context of the Specification and the surrounding claim language, we
`conclude that “content” is data or information, which has been modified and
`is received over a network.
`“call to a first function”
`The term “call to a first function” is recited in all challenged claims.
`The arguments presented regarding this limitation turn on the scope of the
`word “call.” Specifically, Patent Owner attempts to distinguish the claims
`over Khazan by arguing that a “jump” instruction is not the recited “call” to
`a function. PO Resp. 2527. Dr. Medvidovic, Patent Owner’s expert,
`proffers opinions on the issue by relying on a definition of “function call”
`derived from the Microsoft Press Computer Dictionary. Ex. 2002 ¶ 110
`(citing Ex. 2014). That Dictionary provides that a “function call” is “[a]
`program’s request for the services of a particular function.” Id.; Ex. 2014. It
`also explains that “[a] function call is coded as the name of the function
`along with any parameters needed for the function to perform its task.” Id.
`The Specification of the ’154 patent does not define the term “call to a
`first function.” The Specification, however, does use the phrase “function
`call” to state that “before the client computer invokes a function call that
`may potentially dynamically generate malicious code, the client computer
`passes the input to the function to the security computer for inspection.” Ex.
`1001, 4:3743 (emphasis added). The Specification also states that “the
`present invention operates by replacing original function calls with substitute
`function calls within the content, at a gateway computer, prior to the content
`being received at the client computer.” Id. at 4:5760. Therefore, we
`understand the Specification to use the phrase “function call” in the same
`
`14
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`sense as the phrase “call to a [] function.” That is, a program instruction
`specifies the function name and its parameters, where execution of the
`instruction results in the function providing a service. Thus, we find the
`dictionary definition of the term “function call” applicable here and
`indicative of the meaning of the term to a person of ordinary skill in the art.
`Furthermore, the dictionary definition is consistent with the
`embodiments described in the Specification. For example, one embodiment
`of the ’154 patent provides for modifying an original function call with
`“corresponding function calls Substitute_function(input,*).” Id. at 9:2124.
`That is, the specification describes that the services of the function
`Substitute_function are being requested by the modified content.
`Furthermore, the format of the function in this particular embodiment,
`identifies the name of the function and the parameters “input” and “*”. See
`also id.at 9:2628 (explaining that the “input intended for the original
`function is also passed to the substitute function, along with possible
`additional input denoted by ‘*’”). We note that the “first function” is the
`substitute function included in the modified content, as discussed above in
`connection with our analysis of the term “content.”
`We recognize that the definition of “call to a first function” need not
`define the particular format of the instruction or further detail regarding its
`parameters. We reach this determination because the claim language itself
`requires that either the “call” or the “function” include an input. For
`example, claim 1 recites the “call including an input,” while claim 6 recites
`“the first function including an input variable.”
`
`15
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`Accordingly, we determine that a “call to a first function” means an a
`statement or instruction in the content, the execution of which causes the
`function to provide a service.
`
`B. PRINCIPLES OF LAW
`
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time the invention was
`made to a person having ordinary skill in the art to which said subject matter
`pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The
`question of obviousness is resolved on the basis of underlying factual
`determinations including: (1) the scope and content of the prior art; (2) any
`differences between the claimed subject matter and the prior art; (3) the level
`of ordinary skill in the art; and (4) objective evidence of nonobviousness.
`Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966).
`
`C. THE LEVEL OF SKILL IN THE ART
`
`In determining the level of ordinary skill in the art at the time of the
`
`invention, we note that various factors may be considered, including “type of
`problems encountered in the art; prior art solutions to those problems;
`rapidity with which innovations are made; sophistication of the technology;
`and educational level of active workers in the field.” In re GPAC, Inc., 57
`F.3d 1573, 1579 (Fed. Cir. 1995) (citing Custom Accessories, Inc. v. Jeffrey-
`Allan Indus., Inc., 807 F.2d 955, 962 (Fed. Cir. 1986)).
`
`Petitioner asserts, through its expert, Dr. Aviel Rubin, that the
`“relevant technology field for the ’154 patent is security programs, including
`content scanners for program code.” Ex. 1002 ¶ 21. Further, Dr. Rubin
`
`16
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`opines that a person of ordinary skill in the art would “hold a bachelor’s
`degree or the equivalent in computer science (or related academic fields) and
`three to four years of additional experience in the field of computer security,
`or equivalent work experience.” Id.
`
`Patent Owner, through its expert, Dr. Nenad Medvidovic, offers a
`level of ordinary skill that is different from Petitioner’s. Ex. 2002 ¶ 35. In
`Particular, Dr. Medvidovic opines that a person of ordinary skill in the art
`would have a “bachelor’s degree in computer science or related field, and
`either (1) two or more years of industry experience and/or (2) an advanced
`degree in computer science or related field.” Id. In comparison, it appears
`that the minimum experience under Patent Owner’s proffered level of skill is
`one year less than Petitioner’s. Also, Patent Owner proffers an alternative to
`work experience, namely an advanced degree. There is no specific
`articulation regarding how the difference of one year experience or the
`proposed alternative of an advanced degree in lieu of experience tangibly
`affects our obviousness inquiry. Further, there is no evidence in this record
`that the differences noted above impact in any meaningful way the level of
`expertise of a person of ordinary skill in the art. Indeed, we note that Dr.
`Medvidovic’s opinions would not change if he had considered instead the
`level or ordinary skill in the art proffered by Dr. Rubin. Id. ¶ 38.
`
`Accordingly, we determine that in this case no express definition of
`the level of ordinary skill in the art is necessary and that the level of ordinary
`skill in the art is reflected by the prior art of record. See Okajima v.
`Bourdeau, 261 F.3d 1350, 1355 (Fed. Cir. 2001); In re GPAC Inc., 57 F.3d
`1573, 1579 (Fed. Cir. 1995); In re Oelrich, 579 F.2d 86, 91 (CCPA 1978).
`
`
`17
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`D. OBVIOUSNESS GROUND BASED ON KHAZAN AND SIRER
`
`Petitioner asserts that Khazan discloses “every element of the
`Petitioned Claims except a modified input variable and details of performing
`dynamic analysis on a remote computer.” Pet. 16. In particular, Petitioner
`relies on a combination of Khazan and Sirer as teaching the “content
`including a call to a first function,” “only if a security computer indicates
`that such invocation is safe,” “transmitter,” and “receiver” limitations. Pet.
`2039. Petitioner relies on Khazan alone as disclosing the remaining
`limitations of independent claims 1 and 4. Id. at 1920.
`1. Overview of Khazan (Exhibit 1003)
`Khazan is titled “Technique for detecting executable malicious code
`using a combination of static and dynamic analyses.” The Abstract of
`Khazan states that:
`Described are techniques used for automatic detection of
`malicious code by verifying that an application executes
`in accordance with a model defined using calls to a
`predetermined set of targets, such as external routines. A
`model is constructed using a static analysis of a binary
`form of the application, and is comprised of a list of calls
`to targets, their invocation and target locations, and
`possibly other call-related
`information.
` When
`the
`application is executed, dynamic analysis is used to
`intercept calls to targets and verify them against the
`model.
`
`Ex. 1003, Abstract. Figure 7, reproduced below, shows in more detail the
`flow of control between functions at run time to intercept calls to the
`predetermined functions or routines being monitored as part of dynamic
`analysis. Id. ¶ 25.
`
`18
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`
`
`The flow in Figure 7 depicts the control flow when a WIN32 API
`function is invoked at run time from an application using a call instruction.
`Id. ¶ 82. A call is made to the target function API_A. Id. ¶ 83. Control
`transfers (arrow 202) to the target function API_A within the kernel32 DLL.
`Id. The target function API_A includes a transfer or jump instruction to a
`wrapper function. Id. Control, therefore, transfers (arrow 204) to the
`wrapper function (API_A_STUB). Id. The intercepted call is verified. Id.
`¶ 84. This verification includes using static analysis information, including
`parameter information. Id. ¶ 87. After verification, a trampoline function is
`invoked (arrow 206) to execute previously saved instructions of API_A,
`which are the first instructions of the routine API_A that were replaced with
`a jump instruction to the wrapper function. Id. ¶ 88. Control transfers back
`to the target function to continue execution of the target function body as
`indicated by arrow 208. Id.
`
`19
`
`
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`
`2. Overview of Sirer (Ex. 1004)
`Sirer is a technical paper from an ACM symposium titled “Design and
`implementation of a distributed virtual machine for networked computers.”
`Ex. 1004, 1. Sirer describes centralizing service functionality in a
`distributed virtual machine by portioning static and dynamic components. Id
`at 2. Figure 1, reproduced below, illustrates the organization of those
`components.
`
`
`
`Figure 1 shows static service components, such as security
`enforcement, running at a network trust boundary. Id. at 3. Dynamic
`service components provide service functionality to clients during run-time
`as necessary. Id. “The code for the dynamic service components res
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
