U.S. Patent No. 8,141,154
Declaration in Support of Petition for Inter Partes Review

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Palo Alto Networks, Inc.
Petitioner

v.

Finjan, Inc.
Patent Owner

Patent No. 8,141,154
Issue Date: Mar. 20, 2012
Title: System and Method for Inspecting Dynamically Generated Executable Code

Inter Partes Review No. IPR2016-00151

DECLARATION OF DR. AVIEL D. RUBIN IN SUPPORT OF PETITION FOR INTER PARTES REVIEW
UNDER 35 U.S.C. §§ 311-319 AND 37 C.F.R. § 42.100 et seq.

va-461599
Exhibit 1002 Page 1
SYMANTEC

TABLE OF CONTENTS

I. INTRODUCTION
II. BACKGROUND AND QUALIFICATIONS
    A. Education
    B. Career
    C. Publications:
    D. Curriculum Vitae
III. MATERIALS CONSIDERED
IV. LEGAL STANDARDS
    A. Person Having Ordinary Skill in the Art
    B. Broadest Reasonable Interpretation
    C. Prior Art
V. BRIEF OVERVIEW OF THE ’154 PATENT
    A. Summary of the ’154 Patent
    B. Purported features of the ’154 Patent
    C. The claims of the ’154 patent
VI. CLAIM CONSTRUCTION
VII. STATE OF THE ART
VIII. ANALYSIS OF THE PRIOR ART
    A. U.S. Patent Publication No. 2007/0113282 to Ross et al. (“Ross”)
    B. U.S. Patent Publication No. 2002/0066022 to Calder et al. (“Calder”)
IX. CLAIMS 1-8 AND 10-11 OF THE ’154 PATENT ARE INVALID AS OBVIOUS OVER ROSS.
X. CLAIMS 9 AND 12 OF THE ’154 PATENT ARE INVALID AS OBVIOUS OVER ROSS IN VIEW OF CALDER
    1. Prima Facie case for obviousness
XI. CONCLUSION

Exhibit List for Declaration of Dr. Aviel Rubin

Exhibit: Exhibit Description

A: Dr. Aviel D. Rubin Curriculum Vitae
B: Fred Cohen, Computer Viruses Theory and Experiments, Elsevier Science Publishers, North-Holland, Computers & Security 6, at 22-35 (1987); Ex. C, David M. Chess and Steve R. White, An Undetectable Computer Virus, IBM Thomas J. Watson Research Center (2000)
C: David M. Chess and Steve R. White, An Undetectable Computer Virus, IBM Thomas J. Watson Research Center (2000)
D: Fridrik Skulason, Developing a Virus Scanner, Virus Bulletin at 7-9 (March 1991)
E: David M. Chess, Tools and Techniques, Virus Bulletin (November 1991)
F: Living Together – Without False Alarms!, Virus Bulletin at 19 (November 1991); Ex. G, James Beckett, Maltese Amoeba… Poetic Justice, Virus Bulletin at 15-16 (December 1991)
G: James Beckett, Maltese Amoeba… Poetic Justice, Virus Bulletin at 15-16 (December 1991)
H: The Shape Shifters, Virus Bulletin at 13-15 (November 1993)
I: Dmitry Gryaznov, Scanners of the Year 2000: Heuristics, Proceedings of the Fifth Int’l Virus Bulletin Conference at 225, 228-30, and 233-34 (Sept. 1999.)
J: Sarah Gordon, What a (Winword.) Concept, Virus Bulletin at 8-9 (Sept. 1995)
K: How Does An IBM PC Virus Infect A Computer, Virus Bulletin at 11-12 (Apr. 1990)
L: Eric Chien, Malware Do You Want To Go Today? Part 2, Virus Bulletin at 10-11 (Feb. 2000)
M: Aviel D. Rubin and Daniel E. Greer, Mobile Code Security at 1 (1998)

1. I, Aviel D. Rubin, Ph.D., submit the following declaration (the “Declaration”) in connection with the proceeding identified above.

I. INTRODUCTION

2. I have been retained by counsel for Palo Alto Networks, Inc., (“Palo Alto Networks”) as a technical expert in connection with the proceeding identified above. I submit this Declaration in support of Petitioner Palo Alto Networks’ Petition for Inter Partes Review (“Petition”) of United States Patent No. 8,141,154 (“the ’154 patent”) (Exhibit 1001) against Patent Owner Finjan, Inc. (“Finjan”). All “Ex. 10__” cites herein are to the Exhibits to the Petition. All “Ex. _” cites with letters A through M herein are to Exhibits to this Declaration.

3. I understand that Finjan has filed a patent infringement lawsuit in the U.S. District Court for the Northern District of California alleging infringement by Palo Alto Networks of claims of the ’154 patent. Finjan, Inc. v. Palo Alto Networks, Inc., Civil Action No. 2:14-cv-01526-CB (W.D. Pa.).

4. For the purposes of this Declaration, I will address certain claims of the ’154 patent. Inclusion of a claim in my analysis is not an indication that I believe it could reasonably be asserted against Palo Alto Networks.

II. BACKGROUND AND QUALIFICATIONS

A. Education

5. I received my Ph.D. in Computer Science and Engineering from the University of Michigan, Ann Arbor in 1994, with a specialty in computer security and cryptographic protocols. My thesis was titled “Nonmonotonic Cryptographic Protocols” and concerned authentication in long-running networking operations.

B. Career

6. I will discuss my current position as a professor first, followed by a synopsis of my career and work from when I received my Ph.D. to the present.

7. I am currently employed as Professor of Computer Science at Johns Hopkins University, where I perform research, teach graduate courses in computer science and related subjects, and supervise the research of Ph.D. candidates and other students. Courses I have taught include Security and Privacy in Computing and Advanced Topics in Computer Security. I am also the Technical Director of the Johns Hopkins University Information Security Institute, the University’s focal point for research and education in information security, assurance, and privacy. The University, through the Information Security Institute’s leadership, has been designated as a Center of Academic Excellence in Information Assurance by the National Security Agency and leading experts in the field. The focus of my work over my career has been computer security, and my current research concentrates on systems and networking security, with special attention to software and network security.

8. After receiving my Ph.D., I began working at Bellcore in its Cryptography and Network Security Research Group from 1994 to 1996. During this period I focused my work on Internet and Computer Security. While at Bellcore, I published an article titled “Blocking Java Applets at the Firewall” about the security challenges of dealing with JAVA applets and firewalls, and a system that we built to overcome those challenges.

9. In 1997, I moved to AT&T Labs, Secure Systems Research Department, where I continued to focus on Internet and computer security. From 1995 through 1999, in addition to my work in industry, I served as Adjunct Professor at New York University, where I taught undergraduate classes on computer, network and Internet security issues.

10. I stayed in my position at AT&T until 2003, when I left to accept a full time academic position at Johns Hopkins University. The University promoted me to full professor with tenure in April, 2004.

11. I serve, or have served, on a number of technical and editorial advisory boards. For example, I served on the Editorial and Advisory Board for the International Journal of Information and Computer Security. I also served on the Editorial Board for the Journal of Privacy Technology. I have been Associate Editor of IEEE Security and Privacy Magazine, and served as Associate Editor of ACM Transactions on Internet Technology. I am currently an Associate Editor of the journal Communications of the ACM. I was an Advisory Board Member of Springer’s Information Security and Cryptography Book Series. I have served in the past as a member of the DARPA Information Science and Technology Study Group, a member of the Government Infosec Science and Technology Study Group of Malicious Code, a member of the AT&T Intellectual Property Review Team, Associate Editor of Electronic Commerce Research Journal, Co-editor of the Electronic Newsletter of the IEEE Technical Committee on Security and Privacy, a member of the board of directors of the USENIX Association, the leading academic computing systems society, and a member of the editorial board of the Bellcore Security Update Newsletter.

12. I have spoken on information security and electronic privacy issues at more than 50 seminars and symposia. For example, I presented keynote addresses on the topics “Security of Electronic Voting” at Computer Security 2004 Mexico in Mexico City in May 2004; “Electronic Voting” to the Secure Trusted Systems Consortium 5th Annual Symposium in Washington DC in December 2003; “Security Problems on the Web” to the AT&T EUA Customer conference in March, 2000; and “Security on the Internet” to the AT&T Security Workshop in June 1997. I also presented a talk about hacking devices at the TEDx conference in October, 2011.

13. I was founder and President of Independent Security Evaluators (ISE), a computer security consulting firm, from 2005-2011. In that capacity, I guided ISE through the qualification as an independent testing lab for Consumer Union, which produces Consumer Reports magazine. As an independent testing lab for Consumer Union, I managed an annual project where we tested all of the popular anti-virus products. Our results were published in Consumer Reports each year for three consecutive years.

14. I am currently the founder and managing partner of Harbor Labs, a software and networking consulting firm.

15. As is apparent from the above description, virtually my entire professional career has been dedicated to issues relating to information and network security. Moreover, through my consulting work and my work at AT&T and Bellcore, I am familiar with the practical aspects of designing, analyzing, and deploying security applications in network environments.

C. Publications:

16. I am a named inventor on nine United States patents, all in the information security area. The patent numbers and titles as well as my co-inventors are listed on the attached curriculum vitae. See Ex. A.

17. In March, 2004, I was asked by the Federal Trade Commission to submit a report commenting on the viability and usefulness of a national do not e-mail registry. I submitted my report entitled, “A Report to the Federal Trade Commission on Responses to Their Request For Information on Establishing a National Do Not E-mail Registry,” on May 10, 2004.

18. I have also testified before Congress regarding the security issues with electronic voting machines and in the United States Senate on the issue of censorship. I also testified in Congress on November 19, 2013 about security issues related to the government’s Healthcare.gov website.

19. I am author or co-author of five books regarding information security issues: Brave New Ballot, Random House, 2006; Firewalls and Internet Security (second edition), Addison Wesley, 2003; White-Hat Security Arsenal, Addison Wesley, 2001; Peer-to-Peer, O’Reilly, 2001; and Web Security Sourcebook, John Wiley & Sons, 1997. I am also the author of numerous journal and conference publications.

D. Curriculum Vitae

20. Additional details of my education and employment history, recent professional service, patents, publications, and other testimony are set forth in my current curriculum vitae, attached to this declaration as Ex. A.

III. MATERIALS CONSIDERED

21. I have considered information from various sources in forming my opinions. Besides drawing from over two decades of experience in the computer industry, I also have reviewed the following documents: (a) the ’154 patent (Ex. 1001); (b) U.S. Patent Publication No. 2007/0113282 to Ross, (c) U.S. Patent Publication No. 2002/0066022 to Calder, and the other documents and references as cited herein. I reviewed the Petition in detail and agree with both its analysis and conclusions.

IV. LEGAL STANDARDS

22. I am not a patent attorney, nor have I independently researched the law on patent validity. I have relied on instructions from counsel as to the applicable legal standards to use in arriving at my opinions in this Declaration.

A. Person Having Ordinary Skill in the Art

23. I understand that I must undertake my assessment of the claims of the ’154 patent from the perspective of what would have been known or understood by a person of ordinary skill in the art at the time of the earliest claimed priority date of the ’154 patent.

24. Counsel has advised me that to determine the appropriate level of one of ordinary skill in the art, I may consider the following factors: (a) the types of problems encountered by those working in the field and prior art solutions thereto; (b) the sophistication of the technology in question, and the rapidity with which innovations occur in the field; (c) the education level of active workers in the field; and (d) the educational level of the inventor.

25. The relevant technology field for the ’154 patent is security programs, including content scanners for program code. Based on this, and the four factors above, it is my opinion that a POSA would hold a bachelor’s degree or the equivalent in computer science (or related academic fields) and three to four years of additional experience in the field of computer security, or equivalent work experience. This definition of the POSA applies to the time of the alleged invention which is 2005.

26. Unless otherwise specified, when I mention a POSA or someone of ordinary skill, I am referring to someone with the above level of knowledge and understanding.

27. Based on my experiences, I have a good understanding of the capabilities of a person of ordinary skill in the relevant field. Indeed, in addition to being a person of at least ordinary skill in the art, I have worked closely with many such persons over the course of my career, and I have regularly taught material that is fundamental to the art in my role as professor and researcher over the past 22 years.

B. Broadest Reasonable Interpretation

28. I have been informed and understand that patent claims are construed from the perspective of one of ordinary skill in the art at the time the claimed invention was made and that, during this proceeding, claims are to be given their broadest reasonable construction consistent with the specification.

29. I understand that, in Inter Partes Review, the claim terms are to be given their broadest reasonable interpretation (“BRI”) in light of the specification. See 37 C.F.R. §42.100(b). In performing my analysis and rendering my opinions, I have interpreted claim terms for which the Petitioner has not proposed a BRI construction by giving them the ordinary meaning they would have to the POSA reading the ’154 patent with its priority date, December 12, 2005, in mind, and in light of its specification and file history.

C. Prior Art

30. I have been informed and understand that a patent claim is invalid because of anticipation when every element of the claim is described in a single prior art reference, such that the elements are arranged as required by the claim. I have been informed and understand that the description of a claim element in a prior art reference can be express or inherent. For a prior art reference to describe a claim element inherently, the claim element must be necessarily present. Probabilities are not sufficient to establish inherency.

31. I have also been informed and understand that the subject matter of a patent claim is obvious if the differences between the subject matter of the claim and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which the subject matter pertains. I have also been informed that the framework for determining obviousness involves considering the following factors: (i) the scope and content of the prior art; (ii) the differences between the prior art and the claimed subject matter; (iii) the level of ordinary skill in the art; and (iv) any objective evidence of non-obviousness.

32. I further understand that the claimed subject matter would have been obvious to one of ordinary skill in the art if, for example, it results from the combination of known elements according to known methods to yield predictable results, the simple substitution of one known element for another to obtain predictable results, the use of a known technique to improve similar devices in the same way, or the application of a known technique to a known device ready for improvement to yield predictable results. I have also been informed that the analysis of obviousness may include recourse to logic, judgment, and common sense available to the person of ordinary skill in the art that does not necessarily require explication in any reference. I understand that so-called “secondary considerations of non-obviousness,” must be considered in an obviousness analysis. I understand that an analysis including these secondary considerations helps to prevent the forbidden use of hindsight in determining whether a patent claim is obvious. I understand that secondary considerations of non-obviousness include: (a) a long-felt but unresolved need for the invention; (b) commercial success of the invention; (c) copying of the invention; (d) praise and recognition of the invention by others; (e) licensing of the rights to the invention; and (f) unexpected results. In rendering my opinions, I followed these guidelines.

33. In my opinion, a person of ordinary skill in the art pertaining to the ’154 patent at the relevant date would have an undergraduate degree in computer science (or related academic fields) and three to four years of additional experience in the field of computer network engineering, computer network security, or equivalent work experience. Relevant professional or practical experience or degrees in other subject areas where a person would gain experience with computer network systems may also suffice.

34. Based on my education and experience in the field of computer science and computer network security, I believe I am qualified to provide opinions about how one of ordinary skill in the art at the relevant time would have interpreted and understood the ’154 patent and the prior art discussed herein.

V. BRIEF OVERVIEW OF THE ’154 PATENT

A. Summary of the ’154 Patent

35. The ’154 patent (Ex. 1001), titled “System and Method for Inspecting Dynamically Generated Executable Code,” issued from U.S. Patent Application No. 12/814,584, which was filed on June 14, 2010. The ’584 application did not make any claims of priority. The ’154 patent issued on March 20, 2012. Therefore, I have been advised by counsel that, under 35 U.S.C. § 371 (c), the ’154 patent is entitled to the June 14, 2010 filing date of the ’584 application.

36. The ’154 patent is directed to a system that protects a computer from being infected by a computer virus. The ’154 patent describes a system for protecting a computer from viruses that was well-known to those skilled in the art long before the priority date of the ’154 patent. The ’154 patent describes a system in which a piece of web content can be received over the internet and is modified, prior to execution, so that when executed by a client computer, one or more functional calls and inputs associated with the web content are routed to an external security computer. The security computer inspects the web content, determines if it is safe to be executed, and if it is, the security computer sends an indication to the client computer that it can process the original web content.

37. The system the ’154 patent describes is illustrated in FIG. 2 (reproduced below).

[FIG. 2 of the ’154 patent, annotated with callouts (1), (2) and (3); image not reproduced]

38. The system that implements the above process includes three central components: (i) a content modifier, (ii) a content processor, and (iii) a content inspector.

39. The content modifier receives the web content and modifies it so that when the web content is executed by a content processor, the web content is sent to a content inspector. The content inspector analyzes the web content, and if it determines that the content is safe, the content inspector will send an indication back to the content processor indicating that the original web content can be processed.

40. As discussed in detail below, each of these components serves to provide a system that “can shield computers from dynamically generated malicious code without running on the computer itself that is being shielded.” (’154 Patent, 4:23-26).

B. Purported features of the ’154 Patent

1. Content Modifier

41. As discussed above, the content modifier described by the ’154 patent receives web content and modifies it so that the web content will be inspected by the content modifier.

[Figure excerpt, callout (1); image not reproduced]

42. The ’154 patent describes this “modified content” as “substitute functions” that replace original function calls. The “substitute functions” take the original function call as an input and when the substitute function is called, the input (i.e., the original function) is sent to a security computer for inspection. (’154 patent, 9:36-37, 9:55-60.) The content modifier simply adds additional code to the original function call, so that when encountered by the content processor, the original function is forwarded to a security computer for inspection.

2. Content Processor

[Figure excerpt, callout (2); image not reproduced]

43. As discussed above, the content processor is the component that receives the modified content, processes the modified content, and once the content inspector indicates that it’s safe, also processes the original web content.

44. The ’154 patent states that the content processor “processes the modified content generated by [the] content modifier.” (’154 Patent, 10:60-62.) As the ’154 patent explains, the “[c]ontent processor may be a web browser running on [a] client computer. When [the] content processor invokes the substitute function call (2), the input is passed to [a] security computer 215 for inspection.” (Id. at 10:62-64.)

45. While the input is inspected by the security computer, the ’154 patent explains that the processing of the modified content is “suspended until [the] security computer 215 returns its inspection results to [the] client computer 210.” (’154 patent, 10:65-66.) Once the content processor receives the inspection results, the client computer resumes processing of the modified content, so long as the inspection results indicate that the inspected input is safe. (’154 patent, 10:65-11:4.) If, however, the inspected input is determined to be unsafe, the content processor does not invoke the original function call. (Id.)

3. Input Inspector

[Figure excerpt, callout (3); image not reproduced]

46. As described above, the input inspector analyzes the original web content, determines if it is safe, and if it is found to be safe, sends an indication to a client computer.

47. The ’154 patent explains that the input inspector “scans the input to determine the potentially malicious operations that it may perform.” (’154 patent, 11:13-15.) The ’154 alleges that by receiving the input “from the client-computer at run-time, after the client computer has invoked the substitute call, the input has been already been dynamically generated by the content processor and can thus be readily analyzed.” (’154 patent, 12:7-13.)

48. The input inspector may also indicate when an input should be modified in order to render it safe for execution. As explained in the ’154 patent, a separate component called an input modifier may be included with the security computer, and can return modified content to the content processor if the input inspector determines that such modification is necessary. (’154 patent, 4:51-54, 10:1-6, 10:66-11:4, 14:61-15:7.)
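
The flow summarized in paragraphs 41-48 (content modifier, content processor, input inspector) can be sketched in JavaScript as follows. This is an added illustration, not code from the declaration or the ’154 patent; the function names, the text-rewrite rule, the blocked-pattern policy and the sample content are all hypothetical and constructed, and the security computer is modeled as a local function call.

```javascript
// Added illustration; every name below is hypothetical.

// Content modifier: rewrite calls to the original function so that the
// substitute function is invoked instead, with the same input expression.
// (A plain text rewrite is a simplification of real content modification.)
function modifyContent(source) {
  return source.replace(/\bdocument\.write\s*\(/g, 'Substitute_document_write(');
}

// Input inspector on the "security computer": scans the run-time input
// against a constructed toy policy and returns an indication.
function inspectInput(input) {
  const blocked = [/<script\b/i, /<iframe\b/i];
  const hit = blocked.find((re) => re.test(input));
  return hit
    ? { safe: false, reason: 'matched ' + hit }
    : { safe: true, reason: 'no blocked pattern' };
}

// Static scan of the content as received, for comparison: it sees only the
// source text, not the values that the code builds at run time.
function staticScan(source) {
  return inspectInput(source);
}

// Content processor: executes the modified content. Each substitute call
// hands its input to the inspector, waits for the result, and invokes the
// original function only if the result says the input is safe.
function processContent(modified, inspector) {
  const written = []; // what the original function actually rendered
  const log = [];     // one inspection record per substitute call
  const document = { write: (s) => { written.push(String(s)); } };
  const substitute = (input) => {
    const text = String(input);
    const verdict = inspector(text); // processing is suspended here
    log.push({ input: text, safe: verdict.safe, reason: verdict.reason });
    if (verdict.safe) document.write(text); // original ("second") function
  };
  const run = new Function('document', 'Substitute_document_write', modified);
  run(document, substitute);
  return { written, log };
}

// Constructed sample content: the second write builds its tag at run time,
// so the blocked pattern never appears literally in the source text.
const SAMPLE = [
  'var tag = "scr" + "ipt";',
  'document.write("<p>hello</p>");',
  'document.write("<" + tag + ">alert(1)</" + tag + ">");',
].join('\n');

const result = processContent(modifyContent(SAMPLE), inspectInput);
console.log('static scan verdict:', staticScan(SAMPLE));
console.log('rendered:', result.written);
console.log('inspection log:', result.log);
```

The static scan passes the sample because the blocked pattern only exists once the string has been assembled, while the substitute function sees the assembled input and withholds the original call.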

C. The claims of the ’154 patent

49. The claims of the ’154 patent broadly claim the features discussed above. As discussed in detail in the substantive grounds of this petition, the independent claims of the ’154 recite a first function (i.e., “a modified function”) that includes an “input” that is processed by a content processor and sent to a “security computer.” The independent claims also recite invoking a “second function” (i.e., the original function [pre-modification]) “only if a security computer indicates that such invocation is safe.” (’154 patent, claim 1.)

50. The dependent claims of the ’154 patent also broadly recite features such as “suspending” and “resuming of the second function,” “dynamically generated inputs,” and the invocation of “additional functions.” As will be shown further below, these broad recitations of features are readily taught or suggested by the references presented in the petition.

VI. CLAIM CONSTRUCTION

1. “dynamically generated”

51. The claim term “dynamically generated” appears in dependent claims 3, 5, 8 and 11. Based on the claim language, the specification and the understanding of a person of ordinary skill in the art at the time of the alleged invention of the ’154 patent, the broadest reasonable interpretation of the term “dynamically generate[d]” is: “generate[d] at run-time.”

52. Claims 3, 5, 8, and 11 each recite that the input associated with the first function is “dynamically generate[d].” These dependent claims make clear that the input is generated while the content processor is processing the content and invoking the functions (i.e., during run-time).

53. The proposed construction is also consistent with the specification of the ’154 patent. The ’154 patent is replete with disclosure equating dynamically generated inputs to inputs that are generated at run-time. In one example, the ’154 patent explains that “viruses take advantage of features of dynamic HTML generation . . . to generate themselves on the fly at runtime.” (’154 patent, 3:34-37.) In another example, the ’154 patent states that “[s]ince the input to the function is being passed at run-time, it has already been dynamically generated.” (’154 patent, 4:44-45, 4:21-33, 4:50-53.) Thus, one of ordinary skill in the art at the time of the ’154 patent would have understood the term “dynamically generate[d],” as used in the ’154 patent, to mean “generate[d] at run-time.” This construction of the term dynamically generated comports with the broadest reasonable interpretation that a person of ordinary skill in the art would have of the term given the disclosure in the ’154 patent.

VII. STATE OF THE ART

1. Viruses Scanning and Heuristics

54. A computer program is a sequence of instructions that tell a computer processor what to do. Although the author of a computer program would be understandably upset if processors refused to obey the instructions, the blind obedience they are designed to deliver makes them incredibly vulnerable to misuse. Computer processors will not question the instructions they are given no matter how harmful. And processors can run millions and billions of instructions per second all day and all night whether a human is monitoring them or not.

55. Even when they can be monitored, computer instructions in a software program are generally too large, too complicated, and too cryptic for a human to easily review. Even if they could be inspected, it is very difficult to ensure that they are not modified at any time before they reach the process
