IPR2016-01071
Paper No. 1

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Symantec Corp.,
Petitioner

v.

Finjan, Inc.,
Patent Owner

Patent No. 8,141,154
Issue Date: Mar. 20, 2012
Title: System and Method for Inspecting Dynamically Generated Executable Code

Inter Partes Review No. IPR2016-01071

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,141,154

TABLE OF CONTENTS

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,141,154

I. INTRODUCTION
II. SUMMARY OF THE ’154 PATENT
   A. Background
   B. Purported features of the ’154 Patent
      1. Content modifier
      2. Content processor
      3. Input inspector
   C. The claims of the ’154 patent
III. CLAIM CONSTRUCTION
   A. “dynamically generated”
IV. SUMMARY OF THE PRIOR ART OF THE ’154 PATENT FORMING THE BASIS OF THIS PETITION
   A. Ross
      a. Hook script generator (i.e., content modifier)
      b. Script Processing Engine (i.e., content processor)
      c. Decision Service (i.e., content inspector)
V. OF CHALLENGE (37 C.F.R. §42.104(B))
   A. GROUND 1: Claims 1-8 and 10-11 are invalid as obvious over Ross.
      1. Ross renders independent claim 1 and its dependent claims 2-3 obvious under 35 U.S.C. §103(a).
         a. Claim 1
            (i) [1.P]: A system for protecting a computer from dynamically generated malicious content
            (ii) [1.1.a] a content processor (i) for processing content received over a network
            (iii) [1.1.b] the content including a call to a first function, and the call including an input
            (iv) [1.1.c] and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe
            (v) [1.2] a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked
            (vi) [1.3] a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input
         b. Claim 2
            (i) [2.1] wherein said content processor suspends processing of the content after said transmitter transmits the input to the security computer
            (ii) [2.2] and resumes processing of the content after said receiver receives the indicator from the security computer.
         c. Claim 3
            (i) [3.1]: wherein the input is dynamically generated by said content processor prior to being transmitted by said transmitter
      2. Ross renders independent claim 4 and its dependent claim 5 obvious under 35 U.S.C. §103(a).
         a. Claim 4
            (i) [4.P]: A non-transitory computer-readable storage medium storing program code for causing a computing device to
            (ii) [4.1]: process content received over a network, the content including a call to a first function, and the call including an input
            (iii) [4.2]: transmit the input for inspection, when the first function is invoked, and suspend processing of the content
            (iv) [4.3]: receive an indicator of whether it is safe to invoke a second function with the input
            (v) [4.4.a]: resume processing of the content after receiving the indicator
            (vi) [4.4.b]: and invoke the second function with the input only if the indicator indicates that such invocation is safe
         b. Claim 5
            (i) [5.1] wherein the program code causes the computer device to dynamically generate the input prior to transmitting the input for inspection
      3. Ross renders independent claim 6 and its dependent claims 7-8 obvious under 35 U.S.C. §103(a).
         a. Claim 6
            (i) [6.P]: A system for protecting a computer from dynamically generated malicious content
            (ii) [6.1.a] a content processor for processing content received over a network, the content including a call to a first function, and the first function including an input variable
            (iii) [6.1.b] and for calling a second function with a modified input variable.
            (iv) [6.2]: a transmitter for transmitting the input variable to a security computer for inspection, when the first function is called
            (v) [6.3]: a receiver for receiving the modified input variable from the security computer
            (vi) [6.4] wherein the modified input variable is obtained by modifying the input variable if the security computer determines that calling a function with the input variable may not be safe
         b. Claim 7
            (i) [7.1.a] wherein said content processor suspends processing of the content after said transmitter transmits the input variable to the security computer, and
            (ii) [7.1.b]: resumes processing of the content after said receiver receives the modified input variable from the security computer
         c. Claim 8
            (i) [8.1]: wherein the input variable is dynamically generated by said content processor prior to being transmitted by said transmitter
      4. Ross renders independent claim 10 and its dependent claim 11 obvious under 35 U.S.C. §103(a).
         a. Claim 10
            (i) [10.P]: A non-transitory computer-readable storage medium storing program code for causing a computing device to
            (ii) [10.1]: process content received over a network, the content including a call to a first function, and the first function including an input variable
            (iii) [10.2]: transmit the input variable for inspection, when the first function is called, and suspend processing of the content
            (iv) [10.3]: receive a modified input variable
            (v) [10.4.a] resume processing of the content after receiving the modified input variable, and
            (vi) [10.4.b] calling a second function with the modified input variable
            (vii) [10.5] wherein the modified input variable is obtained by modifying the input variable if the inspection of the input variable indicates that calling a function with the input variable may not be safe
         b. Claim 11
            (i) [11.1] wherein the program code causes the computer device to dynamically generate the input variable prior to transmitting the input variable for inspection
VI. MANDATORY NOTICES UNDER 37 C.F.R. §42.8(A)(1)
   A. Real Parties-In-Interest Under 37 C.F.R. §42.8(b)(1)
   B. Related Matters Under 37 C.F.R. §42.8(b)(2)
   C. Lead and Back-Up Counsel
   D. Power of Attorney
VII. STANDING (37 C.F.R. §42.104(A))
VIII. CONCLUSION

TABLE OF AUTHORITIES

CASES

Finjan, Inc. v. Palo Alto Networks, Inc., 3-14-cv-04908-JSC (N.D. Cal. Nov. 4, 2014)
Finjan, Inc. v. Proofpoint, Inc., No. 3-13-cv-05808 (N.D. Cal.)
Finjan, Inc. v. Sophos, Inc., No. 3-14-cv-01197 (N.D. Cal.)
Finjan, Inc. v. Symantec, No. 3-14-cv-02998 (N.D. Cal.)
Finjan, Inc. v. Websense, Inc., No. 5-14-cv-01353 (N.D. Cal.)
Finjan, Inc. v. Websense, Inc., 5-13-cv-04398 (N.D. Cal.)
In re Paulsen, 30 F.3d 1475 (Fed. Cir. 1994)
In re Translogic Tech., Inc., 504 F.3d 1249 (Fed. Cir. 2007)
Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005)

STATUTES

37 C.F.R. §42.100(b)

EXHIBIT LIST

Exhibit No.   Description
1001          U.S. Patent No. 8,141,154 "the '154 Patent"
1002          Declaration of Dr. Aviel D. Rubin in Support of Petition for Inter Partes Review
1003          U.S. Publication No. 2007/0113282 A1 "Ross"
1004          U.S. Publication No. 2002/0066022 A1 "Calder"

Petitioner Symantec Corp. (“Petitioner” or “Symantec”) respectfully petitions for inter partes review of claims 1-8, 10, and 11 of U.S. Patent No. 8,141,154 (“the ’154 patent” (Ex. 1001)) in accordance with 35 U.S.C. §§ 311-319 and 37 C.F.R. § 42.100 et seq.

As explained in the concurrently filed Motion for Joinder (Paper 3), Petitioner seeks to join as a party to IPR2016-000151, filed by Palo Alto Networks, a proceeding instituted against the same patent on the basis of the same prior art. Symantec presents patentability challenges that are identical to those instituted in IPR2016-000151.

I. INTRODUCTION

The ’154 patent is directed to a “system and method for inspecting dynamically generated executable code.” (’154 patent, title). However, as detailed below, not only were such “inspections” of dynamically generated executable code well known long before the priority date of the ’154 patent, the precise system and structure for inspecting such code that the ’154 patent alleges to be inventive were also well-known. (Rubin Decl. ¶ 54-87.)

At its core, the ’154 patent discloses and claims a system for inspecting executable code that: (i) receives content (including the executable code to be inspected) over a network at a content processor, (ii) transmits the code to a security computer for inspection, and (iii) executes the executable code if the security computer indicates that such code is safe. This type of inspection system was well-known long before the priority date of the ’154 patent.

Petitioner presents U.S. Patent Publication 2007/0113282 to Ross (“Ross” (Ex. 1003)), which teaches a system for inspecting executable code that utilizes a decision service (i.e., a security computer) to inspect executable code that is substantially identical to the alleged invention of the ’154 patent. For claims with additional limitations, Petitioner adds additional references that show how these associated limitations were obvious to one of ordinary skill in the art. Ross was not cited during prosecution of the ’154 patent. If the Examiner had been aware of Ross, the claims would not have been allowed. Thus, each and every claim of the ’154 patent is obvious in view of the cited references. Section II of this petition summarizes the ’154 patent. Section III provides claim constructions for a number of limitations. Section IV of this petition summarizes the prior art asserted in this petition. Section V sets forth the detailed grounds for invalidity. This showing is accompanied by the Declaration of Dr. Aviel D. Rubin, Ph.D (“Rubin Decl.,” Ex. 1002). Petitioner respectfully requests a Decision to institute inter partes review based on the grounds presented below.

II. SUMMARY OF THE ’154 PATENT

A. Background

The ’154 patent is directed to a system that protects a computer from being infected by a computer virus. (See Rubin Decl. ¶ 36.) As an example, in the system described by the ’154 patent, a piece of web content can be received over the internet and is modified, prior to execution, so that when executed by a client computer, one or more functional calls and inputs associated with the web content are routed to an external security computer. (Id.) The security computer inspects the web content, determines if it is safe to be executed, and if it is, the security computer sends an indication to the client computer that it can process the original web content. (Id.)

The system that implements the above process includes three central components: (i) a content modifier, (ii) a content processor, and (iii) a content inspector.

FIG. 2 of ’154 (reproduced below with annotations) illustrates how each of these components is placed within the system.

The content modifier receives the web content and modifies it so that when the web content is executed by a content processor, the web content is sent to a content inspector. The content inspector analyzes the web content, and if it determines that the content is safe, the content inspector will send an indication back to the content processor indicating that the original web content can be processed. (Rubin Decl. ¶ 39.)

As discussed in detail below, each of these components serves to provide a system that “can shield computers from dynamically generated malicious code without running on the computer itself that is being shielded.” (’154 Patent, 4:23-26.)

B. Purported features of the ’154 Patent

1. Content modifier

As discussed above, the content modifier described by the ’154 patent receives web content and modifies it so that the web content will be inspected by the content modifier. (Rubin Decl. ¶ 41.)

The ’154 patent describes this “modified content” as “substitute functions” that replace original function calls. The “substitute functions” take the original function call as an input and when the substitute function is called, the input (i.e., the original function) is sent to a security computer for inspection. (’154 patent, 9:36-37, 9:55-60). The content modifier simply adds additional code to the original function call, so that when encountered by the content processor, the original function is forwarded to a security computer for inspection. (Rubin Decl. ¶ 42.)

2. Content processor

As discussed above, the content processor is the component that receives the modified content, processes the modified content, and once the content inspector indicates that it’s safe, also processes the original web content. (Rubin Decl. ¶ 43.)

The ’154 patent states that the content processor “processes the modified content generated by [the] content modifier.” (’154 Patent, 10:60-61.) As the ’154 patent explains, the “[c]ontent processor may be a web browser running on [a] client computer. When [the] content processor invokes the substitution function call, the input is passed to [a] security computer for inspection.” (Id., 10:61-64; Rubin Decl. ¶ 44.)

The ’154 patent explains that while the input is inspected by the security computer, the processing of the modified content is “suspended until [the] security computer returns its inspection results to [the] client computer.” (’154 patent, 10:62-66.) Once the content processor receives the inspection results, the client computer resumes processing of the modified content, so long as the inspection results indicate that the inspected input is safe. (’154 patent, 10:64-11:4.) If however, the inspected input is determined to be unsafe, the content processor does not invoke the original function call. (Id.; Rubin Decl. ¶ 45.)

3. Input inspector

As described above, the input inspector analyzes the original web content, determines if it is safe, and if it is found to be safe, sends an indication to a client computer.

The ’154 patent explains that the input inspector “scans the input to determine the potentially malicious operations that it may perform.” (’154 patent, 11:13-15.) The ’154 patent alleges that by receiving the input “from [the] client computer during run-time, after [the] client computer has invoked the substitute call, the input has been already been dynamically generated by [the] content processor and can thus be readily analyzed.” (’154 patent, 12:7-11; Rubin Decl. ¶ 47.)

The input inspector may also indicate when an input should be modified in order to render it safe for execution. As explained in the ’154 patent, a separate component called an input modifier may be included with the security computer, and can return modified content to the content processor if the input inspector determines that such modification is necessary. (’154 patent, 4:51-54, 10:1-6, 10:67-11:4, 14:61-15:7; Rubin Decl. ¶ 48.)

C. The claims of the ’154 patent

The claims of the ’154 patent broadly claim the features discussed above. As discussed in detail in the substantive grounds of this petition, the independent claims of the ’154 recite a first function (i.e., a “modified function”) that includes an “input” that is processed by a content processor and sent to a “security computer.” The independent claims also recite invoking a “second function” (i.e., the original function [pre-modification]) “only if a security computer indicates that such invocation is safe.” (’154 patent, claim 1.)

The dependent claims of the ’154 patent also broadly recite features such as “suspend” and resuming of the “second function”, “dynamically generated” inputs, and the invocation of “additional functions.” As will be shown further below, these broad recitations of features are readily taught or suggested by the references presented in the petition.

III. CLAIM CONSTRUCTION

Petitioner notes that a claim is given the “broadest reasonable construction in light of the specification” in inter partes review. See 37 C.F.R. §42.100(b).[1] Under the broadest reasonable construction standard, claim terms are given their ordinary and customary meaning, as would be understood by one of ordinary skill in the art in the context of the entire disclosure. In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). An inventor may rebut that meaning by providing a definition of the term in the specification with reasonable clarity, deliberateness, and precision. In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994).

[1] In accordance with 37 C.F.R. § 42.100(b), Petitioner provides the broadest reasonable construction for the challenged claims. Petitioner notes that this is not the appropriate claim construction standard in litigation. Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005). Accordingly, Petitioner may propose a different claim construction in litigation or may argue that the challenged claims are invalid under 35 U.S.C. §§ 101, 102, 103, or 112.

A. “dynamically generated”

The claim term “dynamically generated” appears in dependent claims 3, 5, 8 and 11. Based on the claim language, the specification and the understanding of a person of ordinary skill in the art, the broadest reasonable interpretation of the term “dynamically generate[d]” is: “generate[d] at run-time.”

Claims 3, 5, 8, and 11 each recite that the input associated with the first function is “dynamically generate[d].” These dependent claims make clear that the input is generated while the content processor is processing the content and invoking the functions (i.e., during run-time). (Rubin Decl. ¶ 52.)

The proposed construction is also consistent with the specification of the ’154 patent. The ’154 patent is replete with disclosure equating dynamically generated inputs to inputs that are generated at run-time. In one example, the ’154 patent explains that “viruses take advantage of features of dynamic HTML generation . . . to generate themselves on the fly at run time.” (’154 patent, 3:35-37.) In another example, the ’154 patent states that “[s]ince the input to the function is being passed at run-time, it has already been dynamically generated.” (’154 patent, 4:43-45.) Thus, one of ordinary skill in the art at the time of the ’154 patent would have understood the term “dynamically generate[d],” as used in the ’154 patent, to mean “generate[d] at run-time.” (Rubin Decl. ¶ 53.)

IV. SUMMARY OF THE PRIOR ART OF THE ’154 PATENT FORMING THE BASIS OF THIS PETITION

A. Ross

Ross,[2] like the ’154 patent, is directed to a system that protects a computer from being infected by a computer virus. Like the ’154 patent, the system in Ross receives web content, modifies it so that it can be analyzed by a security computer, and then executes the original content if the security computer determines that the content is safe. (Rubin Decl. ¶ 92.)

The system in Ross for detecting and disabling malicious script code is illustrated in FIG. 6 (reproduced below with annotations). The system includes three main components: (1) a hook script generator, (2) a script processing engine, and (3) a decision service.

[2] Ross (U.S. Patent Pub. 2007/0113282) published from an application filed on November 17, 2005 and thus qualifies as prior art under § 102(e) based on the earliest effective priority date of the ’154 patent. Ross was not considered during the original prosecution of the ’154 patent.

As detailed below, each of these components operates in substantially the same manner as the (1) content modifier, (2) content processor, and (3) content inspector described in the ’154 patent.

a. Hook script generator (i.e., content modifier)

Ross’ hook script generator operates in substantially the same manner as the content modifier disclosed in the ’154 patent. (Rubin Decl. ¶ 95.) Ross discloses a script injector that receives data (HTTP) content, and hook scripts generated from a hook script generator. Ross explains that the hook script generator receives data content, which is content downloaded from a web page and may include “a script program with one or more original functions for execution [by] the receiving client.” (Ross ¶ 34.) Ross describes the hook script generator as “receiv[ing] some portion or all of data content 602 and supply[ing] a generated script code including one or more hook functions configured to replace corresponding original functions [contained within the data content].” (Id.) Ross explains that the “process of substituting an original function or method with a filtered function [i.e., hook script] can be denoted [as] instantiating a ‘hooked’ process.” (Id.)

Ross further explains that the hooked processes “are installed before any other script on the web page loads, ensuring that any script provided as a part of the data content, such as a web page, will call the new hooked function.” (Ross ¶ 35.) Thus, in substantially the same manner as the content modifier produces a modified first function as disclosed in the ’154 patent, the hook script generator takes in original functions from the HTTP data content (i.e., scripts) and substitutes them with “hooked” functions. (Rubin Decl. ¶ 96.)

b. Script Processing Engine (i.e., content processor)

Ross’ script processing engine operates in substantially the same manner as the content processor disclosed in the ’154 patent. (Rubin Decl. ¶ 97.) Ross states that the script processing engine “is configured to receive and process a combination of the hook script and the data content.” (Ross ¶¶ 10-13.) As part of the processing, the script processing engine can pass information about the data content and the hook functions to a decision service for a determination as to whether the data content contains malicious code. (Id. ¶¶ 35-36.) Ross states that the script processing engine can be implemented using a web browser and can translate the web content it receives (e.g. the HTTP data content and the hook scripts) into one or more client actions. (Id. ¶ 23.)

c. Decision Service (i.e., content inspector)

Ross’ decision service operates in substantially the same manner as the content modifier disclosed in the ’154 patent. (Rubin Decl. ¶ 98.) Ross states that the decision service “can receive messages describing the run-time behavior of JavaScript that has been loaded in web browser and determine whether the suspected malicious code behavior should be allowed or prohibited as well as provide event logging by recording when one or more different types of behavior ... occurs.” (Ross ¶ 36.)

Once the decision service indicates that a suspected malicious code is safe, Ross discloses that the decision information is passed back to the script processing engine in order to execute the original function. (Ross ¶ 37.)
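The hook-function arrangement summarized above for Ross and for the ’154 patent (a hook replaces the original function before any page script runs, the run-time input is passed to a decision service, and the original function runs only on a favorable verdict or with a modified input) can be shown in JavaScript. This is an added example, not code from Ross, the ’154 patent, or the petition; `installHook`, `decisionService`, `makePage`, `untrustedContent` and the sample policy are hypothetical, and a local synchronous function stands in for the networked decision service so the block runs under Node.

```javascript
// Added illustration; every name and the policy below are hypothetical.

// Stand-in for the decision service / security computer. It inspects an input
// that already exists at run-time and returns a verdict object.
function decisionService(functionName, input) {
  const text = String(input);
  // Constructed sample policy: block script elements, strip inline event handlers.
  if (/<script\b/i.test(text)) {
    return { verdict: "block", reason: "script element in generated markup" };
  }
  if (/\son\w+\s*=/i.test(text)) {
    return {
      verdict: "modify",
      input: text.replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, ""),
      reason: "inline event handler removed",
    };
  }
  return { verdict: "allow" };
}

// Replaces target[name] with a wrapper (the "first function") that forwards its
// input for inspection and calls the saved original (the "second function")
// only when the verdict permits it. Returns a function that removes the hook.
function installHook(target, name, inspect, log) {
  const original = target[name];
  if (typeof original !== "function") {
    throw new TypeError(name + " is not a function on the target");
  }
  target[name] = function hooked(input) {
    let decision;
    try {
      // Processing of the content is suspended here until the verdict returns.
      decision = inspect(name, input);
    } catch (err) {
      // Fail closed: an unreachable or failing inspector never means "allow".
      decision = { verdict: "block", reason: "inspection failed: " + err.message };
    }
    // Event logging of each decision, as the decision service is described as providing.
    log.push({ name, verdict: decision.verdict, reason: decision.reason || null });
    if (decision.verdict === "allow") return original.call(this, input);
    if (decision.verdict === "modify") return original.call(this, decision.input);
    return undefined; // blocked: the original function is never invoked
  };
  return function uninstall() {
    target[name] = original;
  };
}

// Minimal stand-in for a browser document, so no DOM is needed.
function makePage() {
  return {
    out: [],
    write(markup) {
      this.out.push(markup);
    },
  };
}

// Constructed sample content. The strings passed to write() are assembled at
// run-time, so they do not appear verbatim in the source text of the content.
function untrustedContent(page) {
  page.write("<p>hello</p>");
  page.write("<scr" + "ipt>" + "run()" + "</scr" + "ipt>");
  page.write('<img src="a.png" onerror="' + "x" + '()">');
}

// Installs the hook first, then runs the content, mirroring the install order
// described for hooked processes.
function runDemo() {
  const page = makePage();
  const log = [];
  installHook(page, "write", decisionService, log);
  untrustedContent(page);
  return { out: page.out, log };
}
```

Because the wrapper sees the argument only after the content has built it, the inspection operates on the final string rather than on the fragments in the source.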

V. OF CHALLENGE (37 C.F.R. §42.104(B))

A. GROUND 1: Claims 1-8 and 10-11 are invalid as obvious over Ross.

1. Ross renders independent claim 1 and its dependent claims 2-3 obvious under 35 U.S.C. §103(a).

a. Claim 1

(i) [1.P]: A system for protecting a computer from dynamically generated malicious content

The detection engine of Ross, along with its components, teaches or suggests a system for protecting a computer from dynamically generated malicious content. (Rubin Decl. ¶ 101.) FIG. 2 of Ross (reproduced to the right with annotations) illustrates “an exemplary client-server system including a client network device [client] and a server network device [server].” (Ross ¶ 16.) Ross states that the system illustrated in FIG. 2 includes a detection engine 240 (highlighted in reproduced figure) that is “configured to catch actual script method calls regardless of the formatting of the code text.” (Ross ¶ 25.)

Ross further explains that the detection engine 240 includes a script injector 242, and a hook script generator 244. Ross explains that these elements use hook functions that replace or wrap original functions and allow the inputs to these functions to be checked at run-time, specifically stating that the hook function “provides a run-time detection and control of the data content processing.” (Ross ¶ 11.)

Given Ross’ disclosure of a system that employs “run-time” hook functions to detect malicious content, a POSITA would have understood that the system described in Ross teaches or suggests “a system for protecting a computer from dynamically generated malicious content,” as recited in claim 1. (Rubin Decl. ¶ 103.)

(ii) [1.1.a] a content processor (i) for processing content received over a network

Ross’ description of a script processing engine that receives HTTP data content and generates hook scripts received over a network discloses or suggests “a content processor for processing content received over a network,” as recited in claim 1. (Rubin Decl. ¶ 104.)

As illustrated in FIG. 6, the script processing engine 618 receives its input from script injector browser 604. The script injector browser 604 can receive two forms of content at its input, HTTP data content, and hook script generated by hook script generator 606. (Ross, FIG. 6.) Ross discloses that each of these inputs can be sent to the script injector browser 604 over a network. (Id. ¶ 35.) Ross teaches that the HTTP data content can be downloaded from a web page. (Ross ¶ 34.) Ross also teaches that the hook scripts generated by hook script generator 606 can be transmitted over a network. (Rubin Decl. ¶ 105.) Ross explicitly states that “some portion or all of detection engine 240 may be moved onto another platform termed a third device, and may be implement as another client device (not shown), an auxiliary device operationally connected to client 202 . . ., and/or a network device. . .. In one example, the script injection and generation could be accomplished by the third device.” (Ross ¶ 26; (emphasis added).) It would have been obvious to a POSITA that if a script generator was situated on a device that is separate from a client device, the two devices could be connected b
