UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`Palo Alto Networks, Inc.
`Petitioner
`
`v.
`
`Finjan, Inc.
`Patent Owner
`
`U.S. Patent No. 8,225,408
`Filing Date: Aug. 30, 2004
`Issue Date: July 17, 2012
`Title: Method and System for Adaptive Rule-Based Content Scanners
`
`DECLARATION OF DR. AVIEL D. RUBIN IN SUPPORT OF PETITION
`FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,225,408
`
`Inter Partes Review No. 2015-02001
`
`
`Blue Coat Systems - Exhibit 1002 Page 1
`
`

`
`Table of Contents
`
`I. 
`
`Introduction and Qualifications ........................................................................... 1 
`A.  Engagement Overview..................................................................................... 1 
`B.  Summary of Opinions ...................................................................................... 1 
`C.  Qualifications and Experience ......................................................................... 3 
`1. 
`Education .................................................................................................... 3 
`2.  Career ......................................................................................................... 3 
`3. 
`Publications ................................................................................................ 7 
`4.  Curriculum Vitae ........................................................................................ 8 
`D.  Materials Considered ....................................................................................... 8 
`II.  Legal Principles Used in the Analysis ............................................................... 11 
`A.  Person Having Ordinary Skill in the Art ....................................................... 12 
`B.  Prior Art ......................................................................................................... 14 
`C.  Broadest Reasonable Interpretations ............................................................. 14 
`D.  Legal Standard for Obviousness .................................................................... 15 
`III.  State of the Art of Technology Related to the ’408 patent at the Time of the
`Alleged Invention .............................................................................................. 19 
`A.  Computer Security Concerns in 2004 ............................................................ 19 
`B.  Malware in Macros and Scripts ..................................................................... 21 
`C.  Malware Detection ......................................................................................... 23 
`1. 
`Signature Scanning ................................................................................... 24 
`2.  Detection of Polymorphic Viruses ........................................................... 25 
`3. 
`Static Analysis Using Parse Trees ........................................................... 26 
`4.  Use of Static Analysis for Malware and Vulnerability Detection ........... 29 
`D.  Firewalls......................................................................................................... 32 
`IV. The ’408 Patent .................................................................................................. 35 
`A.  Overview of the ’408 Patent .......................................................................... 35 
`B.  Interpretation of Claim Limitations in the ’408 Patent ................................. 36 
`C.  Priority Date of the ’408 Patent ..................................................................... 37 
`V.  Overview of the Prior Art .................................................................................. 38 
`
`
`
`i
`
`Blue Coat Systems - Exhibit 1002 Page 2
`
`

`
`Table of Contents (continued)
`
`A.  Overview of Chandnani ................................................................................. 38 
`B.  Overview of Kolawa ...................................................................................... 40 
`C.  Overview of Walls ......................................................................................... 41 
`D.  Chandnani, Kolawa, and Walls Are All Analogous Art ............................... 41 
`VI. Motivations to Combine .................................................................................... 47 
`VII The Prior Art Renders The Petitioned Claims Invalid as Obvious ................... 52 
`A.  Claim 1 – Grounds 1 and 2 ............................................................................ 53 
`1.  Claim element 1[c] – instantiating a scanner ........................................... 53 
`2.  Claim element 1[d] – scanner with language-specific rules .................... 55 
`a.  Claim element 1[e] - parser rules .......................................................... 55 
`b.  Claim element 1[f] - analyzer rules ...................................................... 57 
`3.  Claim element 1[h] – dynamically building a parse tree ......................... 58 
`a.  Building a parse tree ............................................................................. 58 
`(1) Chandnani implicitly teaches use of a parse tree ............................... 59
`(2) Using a parse tree to store tokens was obvious ................................. 60
`(3) Combining Chandnani with Kolawa’s parse-tree teachings was
`obvious ............................................................................................... 65
`(4) A POSA would have been motivated to combine Chandnani with
`Kolawa ............................................................................................... 68
`b.  Dynamically building ............................................................................ 69 
`(1) Ground 1 – Chandnani + Kolawa ...................................................... 69 
`(2) Ground 2 – Chandnani + Kolawa + Walls ......................................... 73 
`4.  Claim element 1[i] – dynamically detecting exploits ................................ 79 
`a.  Detecting potential exploits .................................................................. 79 
`b.  Dynamically detecting .......................................................................... 81 
`B.  Claim 9 – Grounds 1 and 2 ............................................................................ 84 
`1.  Claim element 9[a] – computer-readable storage medium ........................ 85 
`2.  Claim element 9[b] – receiver .................................................................... 86 
`3.  Claim element 9[c] – multi-lingual language detector .............................. 87 
`4.  Claim element 9[d] – scanner instantiator ................................................. 89 
`ii
`
`
`
`Blue Coat Systems - Exhibit 1002 Page 3
`
`

`
`Table of Contents (continued)
`
`5.  Claim element 9[e] – rules accessor .......................................................... 91 
`6.  Claim element 9[h] – tokenizer .................................................................. 93 
`7.  Claim element 9[i] – parser ........................................................................ 93 
`8.  Claim element 9[j] – analyzer .................................................................... 94 
`9.  Claim element 9[k] – notifier ..................................................................... 95 
`C.  Claim 22 – Grounds 1 and 2 .......................................................................... 96 
`1.  Claim 22 – preamble .................................................................................. 97 
`2.  Claim element 22[f] – analyzer rules ......................................................... 97 
`D.  Claim 23 – Grounds 1 and 2 .......................................................................... 98 
`1.  Claim element 23[g] – dynamically building a parse tree ......................... 99 
`2.  Claim element 23[h] – dynamically detecting exploits ...........................101 
`E.  Claim 29 – Grounds 1 and 2 ........................................................................102 
`1.  Claim 29 – limitations 29[a], [f], and [g] .................................................103 
`2.  Claim element 29[b] – accessor ...............................................................104 
`3.  Claim element 29[h] – parser ...................................................................104 
`4.  Claim element 29[i] – analyzer ................................................................105 
`5.  Claim element 29[k] – notifier .................................................................106 
`F.  Claim 35 – Grounds 1 and 2 ........................................................................107 
`1.  Claim 35 – preamble ................................................................................108 
`2.  Claim element 35[a] – expressing exploits ..............................................108 
`3.  Claim element 35[g] – dynamically building ..........................................109 
`VIII.  No Secondary Indicia of Non-Obviousness Exist ........................................109 
`IX. Conclusion ......................................................................................................110 
`
`
`
`iii
`
`Blue Coat Systems - Exhibit 1002 Page 4
`
`

`
`1.
`
`2.
`
`I, Aviel Rubin, declare as follows:
`
`I have personal knowledge of the facts stated in this declaration, and
`
`could and would testify to these facts under oath if called upon to do so.
`
`I.
`
`INTRODUCTION AND QUALIFICATIONS
`A. Engagement Overview
`3.
`I have been retained by counsel for Palo Alto Networks, Inc.
`
`(Petitioner) in this case as an expert in the relevant art. I am being compensated
`
`for my work at the rate of $688 per hour. No part of my compensation is
`
`contingent upon the outcome of this petition.
`
`4.
`
`I was asked to study U.S. Patent No. 8,225,408, its prosecution
`
`history, and the prior art, and to render opinions concerning the obviousness or
`
`non-obviousness of the independent claims of the ’408 patent in light of the
`
`teachings of the prior art, as understood by one skilled in the art when the ’408
`
`patent was filed in 2004.
`
`5.
`
`I was also asked to review and assist in the preparation of the Petition
`
`for Inter Partes Review of U.S. Patent No. 8,225,408, which I understand is being
`
`submitted along with my declaration.
`
`B.
`6.
`
`Summary of Opinions
`
`After studying the ’408 patent, relevant excerpts of its file history, and
`
`the prior art, and considering the subject matter of the claims of the ’408 patent in
`
`light of the state of technical advancement in the development of antivirus software
`1
`
`
`
`Blue Coat Systems - Exhibit 1002 Page 5
`
`

`
`in the 2004 time frame, I reached the following conclusions:
`
`(a) The state of the art in antivirus software development was
`
`advanced by 2004, and persons of ordinary skill in the art possessed an extensive
`
`understanding of how to scan for malware in downloadable programs.
`
`(b) By 2004, there were a number of prior art patents and
`
`applications directed to detecting viruses in scripts and macros.
`
`(c) Techniques for building parse trees were well known by 2004.
`
`(d) Use of a parse tree data structure to represent and analyze
`
`computer code was well known at the time the ’408 patent was filed in 2004.
`
`(e) Combining
`
`the use of a parse-tree data structure with
`
`techniques for parsing a data stream into tokens was well known and obvious in
`
`2004.
`
`(f) A streaming approach was common to network security
`
`applications at the time the ’408 patent was filed in 2004.
`
`7.
`
`In light of these general conclusions, and as explained in more detail
`
`throughout this declaration, it is my opinion that each of the claims of the ’408
`
`patent addressed in this declaration was invalid as obvious in the 2004 time frame
`
`in light of the knowledge of one skilled in the art at that time and the teachings,
`
`suggestions, and motivations present in the prior art.
`
`
`
`2
`
`Blue Coat Systems - Exhibit 1002 Page 6
`
`

`
`C. Qualifications and Experience
`8.
`I possess the knowledge, skills, experience, training and education to
`
`form an expert opinion and testimony in this matter. I have 22 years of experience
`
`in the field of computer science, and specifically in Internet and computer security.
`
`Education
`
`1.
`I received my Ph.D. in Computer Science and Engineering from the
`
`9.
`
`University of Michigan, Ann Arbor in 1994, with a specialty in computer security
`
`and cryptographic protocols. My thesis was titled “Nonmonotonic Cryptographic
`
`Protocols” and concerned authentication in long-running networking operations.
`
`Career
`
`2.
`I will discuss my current position as a professor first, followed by a
`
`10.
`
`synopsis of my career and work from when I received my Ph.D. to the present.
`
`11.
`
`I am currently employed as Professor of Computer Science at Johns
`
`Hopkins University, where I perform research, teach graduate courses in computer
`
`science and related subjects, and supervise the research of Ph.D. candidates and
`
`other students. Courses I have taught include Security and Privacy in Computing
`
`and Advanced Topics in Computer Security. I am also the Technical Director of
`
`the Johns Hopkins University Information Security Institute, the University’s focal
`
`point for research and education in information security, assurance, and privacy.
`
`The University, through the Information Security Institute’s leadership, has been
`
`designated as a Center of Academic Excellence in Information Assurance by the
`3
`
`
`
`Blue Coat Systems - Exhibit 1002 Page 7
`
`

`
`National Security Agency and leading experts in the field. The focus of my work
`
`over my career has been computer security, and my current research concentrates
`
`on systems and networking security, with special attention to software and network
`
`security.
`
`12. After receiving my Ph.D., I began working at Bellcore in its
`
`Cryptography and Network Security Research Group from 1994 to 1996. During
`
`this period I focused my work on Internet and Computer Security. While at
`
`Bellcore, I published an article titled “Blocking Java Applets at the Firewall” about
`
`the security challenges of dealing with JAVA applets and firewalls, and a system
`
`that we built to overcome those challenges.
`
`13.
`
`In 1997, I moved to AT&T Labs, Secure Systems Research
`
`Department, where I continued to focus on Internet and computer security. From
`
`1995 through 1999, in addition to my work in industry, I served as Adjunct
`
`Professor at New York University, where I taught undergraduate classes on
`
`computer, network and Internet security issues.
`
`14.
`
`I stayed in my position at AT&T until 2003, when I left to accept a
`
`full time academic position at Johns Hopkins University. The University promoted
`
`me to full professor with tenure in April, 2004.
`
`15.
`
`I serve, or have served, on a number of technical and editorial
`
`advisory boards. For example, I served on the Editorial and Advisory Board for the
`
`
`
`4
`
`Blue Coat Systems - Exhibit 1002 Page 8
`
`

`
`International Journal of Information and Computer Security. I also served on the
`
`Editorial Board for the Journal of Privacy Technology. I have been Associate
`
`Editor of IEEE Security and Privacy Magazine, and served as Associate Editor of
`
`ACM Transactions on Internet Technology. I am currently an Associate Editor of
`
`the journal Communications of the ACM. I was an Advisory Board Member of
`
`Springer’s Information Security and Cryptography Book Series. I have served in
`
`the past as a member of the DARPA Information Science and Technology Study
`
`Group, a member of the Government Infosec Science and Technology Study
`
`Group of Malicious Code, a member of the AT&T Intellectual Property Review
`
`Team, Associate Editor of Electronic Commerce Research Journal, Co-editor of
`
`the Electronic Newsletter of the IEEE Technical Committee on Security and
`
`Privacy, a member of the board of directors of the USENIX Association, the
`
`leading academic computing systems society, and a member of the editorial board
`
`of the Bellcore Security Update Newsletter.
`
`16.
`
`I have spoken on information security and electronic privacy issues at
`
`more than 50 seminars and symposia. For example, I presented keynote addresses
`
`on the topics “Security of Electronic Voting” at Computer Security 2004 Mexico
`
`in Mexico City in May 2004; “Electronic Voting” to the Secure Trusted Systems
`
`Consortium 5th Annual Symposium in Washington DC in December 2003;
`
`“Security Problems on the Web” to the AT&T EUA Customer conference in
`
`
`
`5
`
`Blue Coat Systems - Exhibit 1002 Page 9
`
`

`
`March, 2000; and “Security on the Internet” to the AT&T Security Workshop in
`
`June 1997. I also presented a talk about hacking devices at the TEDx conference in
`
`October, 2011.
`
`17.
`
`I was founder and President of Independent Security Evaluators (ISE),
`
`a computer security consulting firm, from 2005-2011. In that capacity, I guided
`
`ISE through the qualification as an independent testing lab for Consumer Union,
`
`which produces Consumer Reports magazine. As an independent testing lab for
`
`Consumer Union, I managed an annual project where we tested all of the popular
`
`anti-virus products. Our results were published in Consumer Reports each year for
`
`three consecutive years.
`
`18.
`
`I am currently the founder and managing partner of Harbor Labs, a
`
`software and networking consulting firm.
`
`19. As is apparent from the above description, virtually my entire
`
`professional career has been dedicated to issues relating to information and
`
`network security. Moreover, through my consulting work and my work at AT&T
`
`and Bellcore, I am familiar with the practical aspects of designing, analyzing, and
`
`deploying security applications in network environments.
`
`
`
`6
`
`Blue Coat Systems - Exhibit 1002 Page 10
`
`

`
`Publications
`
`3.
`I am a named inventor on ten United States patents, all in the
`
`20.
`
`information security area. The patent numbers and titles as well as my co-inventors
`
`are listed on the attached curriculum vitae. (See Ex. 1022.)
`
`21.
`
`In March 2004, I was asked by the Federal Trade Commission to
`
`submit a report commenting on the viability and usefulness of a national do not e-
`
`mail registry. I submitted my report entitled “A Report to the Federal Trade
`
`Commission on Responses to Their Request For Information on Establishing a
`
`National Do Not E-mail Registry” on May 10, 2004.
`
`22.
`
`I have also testified before Congress regarding the security issues with
`
`electronic voting machines and in the United States Senate on the issue of
`
`censorship. I also testified in Congress on November 19, 2013, about security
`
`issues related to the government’s Healthcare.gov web site.
`
`23.
`
`I am author or co-author of five books regarding information security
`
`issues: Brave New Ballot, Random House, 2006; Firewalls and Internet Security
`
`(Second Edition), Addison Wesley, 2003; White-Hat Security Arsenal, Addison
`
`Wesley, 2001; Peer-to-Peer, O’Reilly, 2001; and Web Security Sourcebook, John
`
`Wiley & Sons, 1997. I am also the author of numerous journal and conference
`
`publications.
`
`
`
`7
`
`Blue Coat Systems - Exhibit 1002 Page 11
`
`

`
`4.
`Curriculum Vitae
`24. Additional details of my education and employment history, recent
`
`professional service, patents, publications, and other testimony are set forth in my
`
`current curriculum vitae, attached to this declaration as Ex. 1022.
`
`D. Materials Considered
`25. My analysis is based on my experience in the computer industry since
`
`1994, including the documents I have read and authored and systems I have
`
`developed and used since then.
`
`26. Furthermore, I have reviewed the various relevant publications from
`
`the art at the time of the alleged invention and the Petition for Inter Partes Review
`
`of the ’408 patent, to which this Declaration relates. Based on my experience as a
`
`person having ordinary skill in the art (“POSA”) at the time of the alleged
`
`invention, the references accurately characterize the state of the art at the relevant
`
`time. Specifically, I have reviewed the following:
`
`Exhibit
`No.
`1001
`1003
`1004
`1005
`1006
`1007
`
`
`
`Description of Document
`U.S. Patent No. 8,225,408 (“the ’408 patent”)
`U.S. Patent No. 7,636,945 (“Chandnani”)
`U.S. Patent No. 5,860,011 (“Kolawa”)
`U.S. Patent No. 7,284,274 (“Walls”)
`U.S. Patent No. 7,437,362 (“Ben-Natan” or the “Ben-Natan Patent”)
`Ron Ben-Natan, “Protecting Your Payload,” SQL Server Magazine,
`Vol. 5, No. 8 (August 2003) (the “Ben-Natan Article”)
`
`8
`
`Blue Coat Systems - Exhibit 1002 Page 12
`
`

`
`Exhibit
`No.
`1008
`1009
`
`1010
`
`1011
`1012
`
`1013
`
`Description of Document
`U.S. Patent No. 6,697,950 (“Ko”)
`U.S. Patent No. 7,210,041 (“Gryaznov”)
`Mihai Christodorescu & Somesh Jha, “Static Analysis of Executables
`to Detect Malicious Patterns,” Proc. of the 12th USENIX Security
`Symposium, at 169-86 (Aug. 7, 2003) (“Christodorescu”)
`U.S. Patent No. 8,185,003 (“Bayliss”)
`U.S. Patent No. 7,546,234 (“Deb”)
`David Wagner and Drew Dean, “Intrusion Detection via Static
`Analysis,” In Proc. IEEE Symposium on Security and Privacy (2001)
`(“Wagner”)
`1014 Microsoft Press, Computer Dictionary, 3rd ed. (1997)
`U.S. Patent No. 7,950,059 (“Aharon”)
`1015
`Yichen Xie, et al., “ARCHER: Using Symbolic, Path-Sensitive
`Analysis to Detect Memory Access Errors,” Proc. of the 10th ACM
`SIGSOFT International Symposium on Foundations of Software
`Engineering (Sept. 2003) (“ARCHER”)
`U.S. Patent No. 7,207,065 (“Chess”)
`James F. Power and Brian A. Malloy, “Program Annotation in XML:
`A Parse Tree-Based Approach,” 9th IEEE Working Conference on
`Reverse Engineering (Nov. 1, 2002) (“Power”)
`U.S. Patent No. 6,061,513 (“Scandura”)
`1019
`Stephen C. Johnson, “YACC: Yet Another Compiler Computer,”
`1020
`Bell Laboratories, Murray Hill, NJ (1978) (“YACC”)
`File History of U.S. Patent No. 8,225,408 (“408 File History”)
`1021
`F-SCRIPT, F-Secure Script Viruses Detector and Eliminator,
`1023
`Version 1.6, Data Fellows Corp. (1998-99)
`U.S. Patent Application Publication No. 2004/0181677 (“Hong”)
`1024
`1025 Webster’s New World Computer Dictionary, 9th ed. (2001)
`David M. Chess and Steve R. White, “An Undetectable Computer
`1026
`Virus” (“Chess and White”)
`Symantec.com, “Updating virus definitions on a daily basis with
`Symantec AntiVirus”
`
`1016
`
`1017
`
`1018
`
`1027
`
`
`
`9
`
`Blue Coat Systems - Exhibit 1002 Page 13
`
`

`
`1033
`
`1034
`
`Exhibit
`Description of Document
`No.
`1028 Wikipedia.org, “Lexical Analysis”
`Computer Desktop Encyclopedia, 2nd ed. (1999)
`1029
`David Patterson and John Hennessy, “Computer Organization &
`1030
`Design, The Hardware / Software Interface” (1994)
`U.S. Patent No. 5,996,059 (“Porten”)
`1031
`John Lockwood, “Internet Worm and Virus Protection for Very
`1032
`High-Speed Networks” (August 1998)
`Sebastian Gerlach and Roger D. Hersch, “DPS – Dynamic Parallel
`Schedules,” IEEE Press (2003)
`B. Ramakrishna Rau and Joseph A. Fisher, “Instruction-Level
`Parallel Processing: History, Overview, and Perspective,” The
`Journal of Supercomputing (1993)
`1035
`U.S. Patent Application No. 08/964,388
`1036
`U.S. Patent Application No. 09/539,667
`1037 Webster’s New World Dictionary of Computer Terms, 5th ed. (1994)
`J. Mark Smith, et al., “Protecting a Private Network: The AltaVista
`1038
`Firewall,” Digital Technical Journal (1997)
`1039 Martin Hitz and Behzad Montazeri, “Measuring Coupling and
`Cohesion in Object-Oriented Systems” (“Hitz”)
`1040
`Dictionary.com, “vis-à-vis”
`Testimony of Stephen R. Malphrus, “The ‘I Love You’ computer
`virus and the financial services industry,” Before the Subcommittee
`on Financial Institutions of the Committee on Banking, Housing, and
`Urban Affairs, U.S. Senate, May 18, 2000
`Jack D. Shorter, et al., “Aspects of Information Security: Penetration
`Testing Is Crucial for Maintaining System Security Viability,”
`Journal of Information Systems Technology and Planning, Volume 5,
`Issue 12 (Spring 2012)
`1043
`ccm.net, “The Klez Virus” (September 2015)
`Jakob Nielsen, “100 Million Websites”
`1044
`1045 Margrethe H. Olson, “Remote Office Work: Changing Work
`Patterns In Space and Time” (March 1983)
`
`1041
`
`1042
`
`
`
`10
`
`Blue Coat Systems - Exhibit 1002 Page 14
`
`

`
`Exhibit
`No.
`
`Description of Document
`
`1046
`
`1047
`
`1048
`
`1049
`
`1050
`1051
`1052
`1053
`
`1054
`
`“Intrusion Detection Systems,” Group Test (Edition 2), An NSS
`Group Report (December 2001)
`Carey Nachenberg, “The Evolving Virus Threat” (“Nachenberg”)
`Dmitry O. Gryaznov, “Scanners of the Year 2000: Heuristics,” Virus
`Bulletin (1995)
`Emin Gun Sirer, et al., “Design and Implementation of a Distributed
`Virtual Machine for Networked Computers,” 33 ACM SIGOPS
`Operating Systems Review 202 (Dec. 5, 1999) (“Sirer”)
`Frederick B. Cohen, “A Short Course on Computer Viruses” (1990)
`U.S. Patent No. 5,842,002 (“Schnurer”)
`Hal Berghel, “The Client Side of the Web” (April 8, 1996)
`w3schools.com, “My First JavaScript Tutorial”
`Sarah Gordon and David Chess, “Attitude Adjustment: Trojans and
`Malware on the Internet”
`Stephane Bressan and Thomas Lee, “Information Brokering on the
`World Wide Web” (June 1997)
`David M. Chess, “Security Issues in Mobile Code Systems”
`Andrew W. Appel and Jens Palsberg, “Modern Compiler
`Implementation in Java,” 2nd ed. (2002)
`Graham Hutton, “Higher-Order Functions for Parsing” (July 1992)
`John Lockwood, et al., “An Extensible, System-On-Programmable-
`Chip, Content-Aware Internet Firewall”
`“M86 Security Acquires Finjan,” Reuters Business Wire (Nov. 3,
`2009)
`Final Office Action, Ex Parte Reexamination of U.S. Patent No.
`7,647,633 (May 22, 2015)
`II. LEGAL PRINCIPLES USED IN THE ANALYSIS
`27.
`I am not a patent attorney, nor have I independently researched the
`
`1055
`
`1056
`
`1057
`
`1058
`
`1059
`
`1060
`
`1061
`
`
`
`11
`
`Blue Coat Systems - Exhibit 1002 Page 15
`
`

`
`law on patent validity. Attorneys for the Petitioner have explained certain legal
`
`principles to me that I have relied upon in forming my opinions set forth in this
`
`report.
`
`A.
`28.
`
`Person Having Ordinary Skill in the Art
`
`I understand that an assessment of claims of the ʼ408 patent should be
`
`undertaken from the perspective of a person of ordinary skill in the art as of the
`
`relevant priority date, which I understand is August 30, 2004. The opinions and
`
`statements that I provide herein regarding the ’408 patent and the references that I
`
`discuss are made from the perspective of the person of ordinary skill in the art in
`
`the mid-2004 time frame.
`
`29. Counsel advised me that to determine the appropriate level of one of
`
`ordinary skill in the art, I may consider the following factors: (a) the types of
`
`problems encountered by those working in the field and prior art solutions thereto;
`
`(b) the sophistication of the technology in question, and the rapidity with which
`
`innovations occur in the field; (c) the educational level of active workers in the
`
`field; and (d) the educational level of the inventor.
`
`30. The relevant technology field for the ʼ408 patent is computer security
`
`programs, including content scanners for analyzing program code.
`
`31. With over 20 years of experience in computer science and security, I
`
`have a good understanding of the capabilities of a person of ordinary skill in the
`
`
`
`12
`
`Blue Coat Systems - Exhibit 1002 Page 16
`
`

`
`relevant field. Indeed, in addition to being a person of at least ordinary skill in the
`
`art, I have worked closely with many such persons over the course of my career.
`
`32. Unless otherwise specified, when I mention a POSA or someone of
`
`ordinary skill, I am referring to someone with the level of knowledge and
`
`understanding I have indicated below.
`
`33.
`
`In my opinion, a person of ordinary skill in the art as of August 2004
`
`held a bachelor’s degree or the equivalent in computer science (or related academic
`
`fields) and three to four years of additional experience in the field of computer
`
`security, or equivalent work experience.
`
`34. Although my qualifications and experience exceed those of the
`
`hypothetical person having ordinary skill in the art defined above, my analysis and
`
`opinions regarding the ʼ408 patent are based on the perspective of a person of
`
`ordinary skill in the art in the August 2004 time frame.
`
`35. My opinions regarding the level of ordinary skill in the art are based
`
`on, among other things, the content of the ’408 patent, my years of experience in
`
`the field of computer security, my understanding of the basic qualifications that
`
`would be relevant to an engineer or scientist tasked with investigating methods and
`
`systems in the relevant area, and my familiarity with the backgrounds of colleagues
`
`and coworkers, both past and present.
`
`36. My opinions herein regarding the person of ordinary skill in the art
`
`
`
`13
`
`Blue Coat Systems - Exhibit 1002 Page 17
`
`

`
`and my other opinions set forth herein would remain the same if the priority date
`
`were determined to be a year or two earlier, or if the person of ordinary skill in the
`
`art were determined to have somewhat more or less education and/or experience
`
`than I have identified above.
`
`B.
`37.
`
`Prior Art
`
`I understand that the law provides categories of information that
`
`constitute prior art that may be used to anticipate or render obvious patent claims.
`
`To be prior art to a particular patent under the relevant law, a reference must have
`
`been made, known, used, published, or patented, or be the subject of a patent
`
`application by another, before the priority date of the patent. I also understand that
`
`a POSA is presumed to have knowledge of the relevant prior art.
`
`C. Broadest Reasonable Interpretations
`38.
`I understand that, in inter partes review, patent claim terms are to be
`
`given their broadest reasonable interpretation (BRI) in light of the specification.
`
`See 37 C.F.R. § 42.100(b). In performing my analysis and rendering my opinions,
`
`I have applied the BRI proposed by Petitioner where applicable. I have interpreted
`
`claim terms for which the Petitioner has not proposed a BRI by giving them the
`
`ordinary meaning they would have to a POSA, reading the ʼ408 patent with its
`
`filing date (August 30, 2004) in mind, and in light of its specification and file
`
`history.
`
`
`
`14
`
`Blue Coat Systems - Exhibit 1002 Page 18
`
`

`
`D. Legal Standard for Obviousness
`39.
`I have been provided the following instruction from the Federal
`
`Circuit Bar Association Model Instructions regarding obviousness, which states in
`
`part as follows. I apply this understanding in my analysis, with the caveat that I
`
`have been informed that the Patent Office will find a patent claim invalid in inter
`
`partes review if it concludes that it is more likely than not that the claim is invalid
`
`(i.e., a preponderance of the evidence standard), which is a lower burden of proof
`
`than the “clear and convincing” standard that is applied in United States district
`
`court (and described in the jury instruction below):
`
`4.3c OBVIOUSNESS
`
`Even though an invention may not have been identically disclosed or
`described before it was made by an inventor, in order to be patentable,
`the invention must also not have been obvious to a person of ordinary
`skill in the field of technology of the patent at the time the invention
`was made.
`
`[Alleged infringer] may establish that a patent claim is invalid by
`showing, by clear and convincing evidence, that the claimed invention
`would have been obvious to persons having ordinary skill in the art at
`the time the invention was made in the field of [insert the field of the
`invention].
`
`In determining whether a claimed invention is obvious, you must
`consider the level of ordinary skill in the field [of the invention] that
`someone would have had at the time the claimed invention was made,
`
`
`
`15
`
`Blue Coat Systems - Exhibit 1002 Page 19
`
`

`
`the scope and content of the prior art, and any differences between the
`prior art and the claimed invention.
`
`Keep in mind that the existence of each and every element of the
`claimed invention in the prior art does not necessarily prove
`obviousness. Most, if not all, inventions rely on building blocks of
`prior art. In considering whether a claimed invention is obvious, you
`may but are not required to find obviousness if you find that at the
`time of the claimed invention there was a reason that would have
`prompted a person having ordinary skill in the field of [the invention]
`to combine the known elements in a way the claimed invention does,
`taking into account such factors as (1) wheth