Paper No. ____
`Filed: June 10, 2016
`
`Filed on behalf of: Blue Coat Systems, Inc.
`By: Michael T. Rosato (mrosato@wsgr.com)
`
`Andrew S. Brown (asbrown@wsgr.com)
`WILSON SONSINI GOODRICH & ROSATI
`701 Fifth Avenue, Suite 5100
`Seattle, WA 98104-7036
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`_____________________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`_____________________________
`
`BLUE COAT SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`
`_____________________________
`
`Case IPR2016-01174
`Patent No. 8,677,494
`_____________________________
`
`PETITION FOR INTER PARTES REVIEW OF
`U.S. PATENT NO. 8,677,494
`
`

`
`
`
`TABLE OF CONTENTS
`
`Page
`
`I.
`
`Introduction .................................................................................................. 1
`
`II. Mandatory Notices Under 37 C.F.R. § 42.8(A)(1) ........................................ 2
`
`A.
`
`B.
`
`C.
`
`D.
`
`E.
`
`Real Party-ln-Interest Under 37 C.F.R. § 42.8(b)(1) ........................... 2
`
`Related Matters Under 37 C.F.R. § 42.8(b)(2) .................................... 2
`
`Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3) ................... 3
`
`Service Information ............................................................................ 3
`
`Power of Attorney ............................................................................... 3
`
`III.
`
`Payment of Fees - 37 C.F.R. §§ 42.15(A) and 42.103 ................................... 4
`
`IV. Requirements for Inter Partes Review under 37 C.F.R. §§ 42.104 And
`42.108 ........................................................................................................... 4
`
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a) ............................ 4
`
`B.
`
`Identification of Challenge Under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested ................................................ 4
`
`C.
`
`Status of the Cited References as Prior Art ......................................... 5
`
`1.
`
`Swimmer is prior art ................................................................. 6
`
`2. Martin is prior art ...................................................................... 6
`
`D.
`
`Threshold Requirement for Inter Partes Review 37 C.F.R. §
`42.108(c)............................................................................................. 7
`
`V.
`
`Background of Technology Related to the ʼ494 Patent ................................. 7
`
`VI. Summary of the ’494 Patent ........................................................................ 10
`
`A.
`
`B.
`
`C.
`
`Brief Description of the ’494 Patent .................................................. 10
`
`The Petitioned Claims of the ʼ494 Patent .......................................... 11
`
`Priority Dates of the Petitioned Claims ............................................. 13
`
`VII. Claim Construction Under 37 C.F.R. § 42.104(b)(3)................................... 14
`
`A.
`
`B.
`
`C.
`
`Legal Overview ................................................................................ 14
`
`“Downloadable security profile data” (all claims) ............................. 14
`
`“Database” (all claims) ..................................................................... 16
`
`-i-
`
`

`
`TABLE OF CONTENTS
`(continued)
`
`Page
`
`“Downloadable” (all claims) ............................................................. 18
`
`D.
`
`VIII. Person Having Ordinary Skill in the Art & State of the Art ........................ 18
`
`IX. Claims 1-18 of the ʼ494 Patent Are Unpatentable ....................................... 19
`
`A. Overview of Swimmer ...................................................................... 19
`
`B.
`
`C.
`
`Overview of Martin .......................................................................... 20
`
`Swimmer and Martin Are Analogous Art ......................................... 21
`
`D. Ground 1 – Swimmer Renders Claims 1-2, 6, 10-11, and 15
`Obvious Under 35 U.S.C. § 103(a) ................................................... 22
`
`1.
`
`2.
`
`3.
`
`4.
`
`Claim 1 ................................................................................... 22
`a.
`Claim element 1[b] – Receiving .................................... 25
`b.
`Claim element 1[c] – Deriving Security Profile
`Data .............................................................................. 26
`Claim element 1[d] – Database ..................................... 28
`c.
`Claim 10 ................................................................................. 29
`a.
`Claim element 10[b] – Receiver .................................... 29
`b.
`Claim element 10[c] – Downloadable Scanner.............. 30
`c.
`Claim element 10[d] – Database Manager .................... 30
`Claims 2 and 11 – Date and Time ........................................... 31
`
`Claims 6 and 15 – Specific Types of Suspicious
`Operations .............................................................................. 32
`
`E.
`
`Ground 2 – Swimmer in Light of Martin Renders Claims 3-5
`and 12-14 Obvious Under 35 U.S.C. § 103(a) ................................... 33
`
`F.
`
`No Secondary Considerations of Non-obviousness Exist .................. 35
`
`X.
`
`Conclusion .................................................................................................. 37
`
`XI. Appendix – List of Exhibits ........................................................................ 38
`
`
`
`
`
`-ii-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`I.
`
`INTRODUCTION
`
`Blue Coat Systems, Inc. (“Petitioner”) petitions for inter partes review
`
`(“IPR”) under 35 U.S.C. §§ 311-319 and 37 C.F.R. § 42 of claims 1-6 and 10-15
`
`(the “Petitioned Claims”) of U.S. Patent No. 8,677,494 (the “’494 patent”). (Ex.
`
`1001.)
`
`The ’494 patent is directed at protecting computers from potentially-
`
`malicious programs in the form of “Downloadables,” such as programs that a user
`
`might download on her computer from the Internet or a CD-ROM. The claims of
`
`the ’494 patent are extremely broad and cover basic concepts that were well-
`
`known at the time of the alleged inventions. Specifically, the ’494 patent claims
`
`analyzing Downloadables to derive and store “digital security profile” (DSP) data.
`
`DSP data identifies suspicious operations the Downloadable may perform if it is
`
`run on a computer.
`
`The Swimmer reference renders most of the ’494 claims obvious, either
`
`alone or in view of the Martin reference. Though Swimmer was cited during the
`
`prosecution of the ’494 patent (Ex. 1025 at 10), the Examiner did not make out any
`
`claim rejections based on Swimmer.
`
`Petitioner respectfully submits that there is a reasonable likelihood that
`
`Petitioner will prevail with respect to each of the Petitioned Claims and requests
`
`institution of inter partes review of claims 1-18 of the ’494 patent.
`
`1
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1)
`
`A. Real Party-ln-Interest Under 37 C.F.R. § 42.8(b)(1)
`
`Blue Coat Systems, Inc. is the real party-in-interest.
`
`B. Related Matters Under 37 C.F.R. § 42.8(b)(2)
`
` The ’494 patent is currently involved in the following proceedings: Finjan,
`
`Inc. v. Blue Coat, Inc. 5:15-cv-03295 (N.D. Cal.); Finjan, Inc. v. Symantec Corp.,
`
`Case No. 3:14-cv-02998 (N.D. Cal.), Finjan, Inc. v. Sophos Inc., 3:14-cv-01197
`
`(N.D. Cal.); and Finjan, Inc. v. Palo Alto Networks, Inc., 3:14-cv-04908 (N.D.
`
`Cal.). An inter partes review, Symantec Corp.v. Finjan, Inc. (IPR2015-01892, “the
`
`Symantec IPR”) was instituted on March 18, 2016. An inter partes review petition
`
`(IPR2016-00890) was filed by Petitioner on April 14, 2016 along with a motion to
`
`join the Symantec IPR. A second inter partes review petition challenging the ’494
`
`patent, Palo Alto Networks, Inc. v. Finjan, Inc. (IPR2016-00159, “the PAN IPR”),
`
`was instituted on May 13, 2016. A motion for joinder to the PAN IPR has been
`
`filed concurrently with this petition.
`
`-2-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)
`
`Lead Counsel
`
`Back-Up Counsel
`
`Michael T. Rosato
`
`Andrew S. Brown
`
`USPTO Reg. No. 52,182
`
`USPTO Reg. No. 74,177
`
`WILSON SONSINI GOODRICH &
`
`WILSON SONSINI GOODRICH &
`
`ROSATI
`
`ROSATI
`
`701 Fifth Avenue
`
`701 Fifth Avenue
`
`Suite 5100
`
`Suite 5100
`
`Seattle, WA 98104-7036
`
`Seattle, WA 98104-7036
`
`Tel.: 206-883-2529
`
`Tel.: 206-883-2584
`
`Fax: 206-883-2699
`
`Fax: 206-883-2699
`
`Email: mrosato@wsgr.com
`
`Email: asbrown@wsgr.com
`
`
`
`D.
`
`Service Information
`
`Service information for lead and back-up counsel is provided in the
`
`designation of lead and back-up counsel above. Petitioner consents to electronic
`
`service by email at the email addresses provided above.
`
`E.
`
`Power of Attorney
`
`Filed concurrently with this petition per 37 C.F.R. § 42.10(b).
`
`-3-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`III. PAYMENT OF FEES - 37 C.F.R. §§ 42.15(A) AND 42.103
`
`The required fees are submitted herewith. If any additional fees are due at
`
`any time during this proceeding, the Office is authorized to charge such fees to
`
`Deposit Account No. 23-2415.
`
`IV. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. §§ 42.104
`AND 42.108
`
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a)
`
`Petitioner certifies that the ’494 patent is eligible for IPR and further
`
`certifies that Petitioner is not barred or estopped from requesting this IPR.
`
`Petitioner has not filed a civil action challenging the validity of any claim of the
`
`’494 patent, and no complaint alleging infringement of the ’494 patent was served
`
`on Petitioner more than a year before the date of this Petition. The ’494 patent
`
`issued more than nine months prior to the date of this Petition. This Petition is
`
`filed within a month of institution of the PAN IPR, and is being filed concurrently
`
`with a motion for joinder to the PAN IPR.
`
`B.
`
`Identification of Challenge Under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested
`
`Petitioner requests IPR of claims 1-18 of the ’494 patent and requests that
`
`each claim be found unpatentable. The prior art cited in this Petition includes:
`
`• Morton Swimmer et al., “Dynamic Detection and Classification of
`
`Computer Viruses Using General Behaviour Patterns,” Proceedings of the
`
`-4-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`Fifth International Virus Bulletin Conference, Virus Bulletin Ltd.,
`
`September 1995 (“Swimmer”);
`
`• David M. Martin, Jr. et al., “Blocking Java Applets at the Firewall,”
`
`Proceedings of the 1997 Symposium on Network and Distributed System
`
`Security, IEEE Computer Society Press, February 1997 (“Martin”).
`
`An explanation why each claim is unpatentable under the statutory grounds
`
`identified below is provided in § IX. Additional support for each ground of
`
`rejection is set forth in the Declaration of Dr. Aviel Rubin (Ex. 1002, “Rubin”), an
`
`expert in the field.
`
`Ground
`1.
`
`’494 Claim(s)
`1-2, 6, 10-11,
`
`Description
`Obvious over Swimmer under 35 U.S.C. § 103(a).
`
`15
`
`2.
`
`3-5, 12-14
`
`Obvious over Swimmer in view of Martin under 35
`
`U.S.C. § 103(a).
`
`
`
`C.
`
`Status of the Cited References as Prior Art
`
`The cited prior art references qualify as prior art under 35 U.S.C. § 102 (pre-
`
`AIA) because each reference was filed, published, and/or issued in the United
`
`States prior to the priority dates of the various claims of the ’494 patent. The
`
`-5-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`earliest priority date for the Petitioned Claims is no earlier than November 6, 1997.
`
`(See § VI.C, infra.)
`
`1.
`
`Swimmer is prior art
`
`Swimmer is prior art under 35 U.S.C. § 102(b) because it was published in
`
`the Proceedings of the Fifth International Virus Bulletin Conference and was
`
`available to the public more than one year before the earliest priority date for the
`
`Petitioned Claims. (Ex. 1006 at 1.) The Fifth International Virus Bulletin
`
`Conference was held on September 20-22, 1995, in Boston, MA. (Ex. 1088 at ¶ 3.)
`
`Swimmer was published to all 163 conference attendees and made available for
`
`sale by Virus Bulletin after the Conference, as evidenced by the Declaration of
`
`John Hawes, Virus Bulletin’s Chief of Operations. (Ex. 1088, Hawes Declaration
`
`at ¶¶ 3-4.) Accordingly, Swimmer is § 102(b) prior art even if the Petitioned
`
`Claims are entitled to a priority date as early as November 6, 1997.
`
`2. Martin is prior art
`
`Martin qualifies as prior art because it was published prior to the earliest
`
`available priority date of the Petitioned claims. Martin was made publicly available
`
`in the Proceedings of the 1997 Symposium on Network and Distributed Systems
`
`Security distributed to those who attended the symposium, which was held in San
`
`Diego, California on February 10-11, 1997. (Ex. 1047 at 1.) Furthermore, Dr.
`
`Aviel D. Rubin, one of the co-authors of the Martin paper, confirms that Martin
`
`-6-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`was published in the above publicly available conference proceedings and that
`
`Martin was distributed, as part of the printed proceedings, to approximately 400
`
`conference attendees in February 1997. (Ex. 1002 at ¶ 58.) Therefore, assuming
`
`the Petitioned Claims are entitled to a priority date as early as November 6, 1997,
`
`Martin would still be at least § 102(a) prior art to all of the Petitioned Claims.
`
`D. Threshold Requirement for Inter Partes Review 37 C.F.R. §
`42.108(c)
`
`Inter partes review of claims 1-6 and 10-15 should be instituted because this
`
`Petition establishes a reasonable likelihood that Petitioner will prevail with respect
`
`to at least one of the Petitioned Claims. 35 U.S.C. § 314(a).
`
`V. BACKGROUND OF TECHNOLOGY RELATED TO THE ʼ494 PATENT
`
`A computer will generally execute a program it is given with exactness, no
`
`matter how harmful that program is. (Ex. 1002, Rubin Decl., at ¶ 36.) Individuals
`
`who want to cause harm (e.g., stealing data, destroying data, disrupting operations,
`
`etc.) can do so by simply getting a computer to run their “bad” instructions. (Id.)
`
`Those in the art generically refer to harmful, deceptive, or otherwise unauthorized
`
`programs as “malicious software” or simply “malware.” As was the case in the
`
`mid-1990’s, the majority of malware programs are downloaded by users from the
`
`Internet or media such as CD-ROMs. (Id.)
`
`-7-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`Processors cannot protect themselves, and they operate too fast for any kind
`
`of meaningful human inspection. Accordingly, they are protected with other
`
`programs. Since at least 1988, antivirus software has served as a barrier between
`
`malware and the processor. (Id. at ¶ 37; Ex. 1036 at 3.) The concept is to have a
`
`trusted program evaluate untrusted programs before they execute.
`
`The earliest approach to antivirus software was a technique known as
`
`“signature scanning.” Signature scanning requires a database of known patterns
`
`found in (and preferably only in) malware. (Ex. 1002 at ¶ 38-39.) The scanning
`
`software uses that database when scanning other programs. If the scanned program
`
`had the same sequence of bytes of a known malicious program, the scanner would
`
`not allow the program to run. (Id.) The problem with signature scanning is that it
`
`only recognizes malware after it has been identified and its signature placed in a
`
`database. Signature scanning is unable to recognize or protect against previously-
`
`unseen harmful programs or even small variants of such programs. (Id.)
`
`Unsurprisingly then, since the early 1990s, antivirus makers have also
`
`researched and produced software that generically recognizes bad programs. (Id.)
`
`One such mechanism was called “heuristic scanning.” Heuristic scanning analyzes
`
`a program by decomposing the instructions into a usable representation (a process
`
`called “decompilation”) and then evaluates whether those instructions (individually
`
`or collectively) are suspicious. (Id. at ¶¶ 39-40.) As early as 1995, persons of
`
`-8-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`ordinary skill recognized that heuristic scanning was necessary in antivirus
`
`software. (Id. at ¶ 39; Ex. 1011 at 1; Ex. 1012 at 2, 6, 8-9.)
`
`To illustrate how heuristic scanning works, anti-virus researchers could
`
`often review the code of a program and recognize if it had a virus, even one that
`
`had not been previously seen, because viruses often employ similar operations.
`
`For example, Gryaznov explains that viruses often displayed the following
`
`operations:
`
`• The program immediately passes control to an address near its end
`
`• It modifies some bytes at the beginning of its copy in memory
`
`• It starts looking for other programs on the computer
`
`• When found, a file is opened, and some data is read from the file
`
`• Some data is written to the end of that file (such as the virus code)
`
`(Ex. 1011 at 5.) Gryaznov went on to explain that a heuristic scanner was capable
`
`of analyzing files for these kinds of operations, identifying files as malware, and
`
`reacting accordingly. (Id. at 6, 9.) Since the mid-1990s, heuristic scanning has
`
`continued to be a part of anti-malware products. (Ex. 1002 at ¶ 42.) The ’494
`
`patent claims obvious variants of these same well-known heuristic scanning
`
`operations. (Id. at ¶¶ 41-42.)
`
`-9-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`VI. SUMMARY OF THE ’494 PATENT
`
`A. Brief Description of the ’494 Patent
`
`The alleged invention of the ’494 patent is the basic and well-known concept
`
`of receiving data, analyzing the data, and storing the result of the analysis in a
`
`database. Specifically, the ’494 patent claims receiving Downloadable programs,
`
`deriving “Downloadable security profile data” (DSP data) for the Downloadables,
`
`and storing that data in a database. There is nothing novel in this basic concept,
`
`and the dependent claims simply add obvious limitations such as the type of the
`
`Downloadable, certain information contained in the security profile, and details of
`
`how the system derives DSP data. For example, claims 3-5 recite well-known
`
`Downloadable programs that respectively include applets, active controls, and
`
`program script. (Ex. 1002 at ¶¶ 65-68.) Other claims include storing the
`
`Downloadable’s source URL, the date and time when the DSP data was derived, or
`
`a digital certificate, as part of the DSP data. See claims 2, 7, and 8.
`
`Almost none of the subject matter of the Petitioned Claims appears in the
`
`specification of the ’494 patent. Instead, that material exists in related earlier-filed
`
`patents and applications such as the ’194 patent, which the ’494 patent says it
`
`incorporates by reference, and the ’639 provisional application. (Ex. 1001 at 1:35-
`
`38; Ex. 1027 at 11:9-13 (discussing “DSP data”).) For example, the ’194 patent
`
`describes deriving DSP data through the use of a “code scanner.” (Ex. 1013 at
`
`-10-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`9:20-42; 5:36-58.) The scanner uses “conventional parsing techniques to
`
`decompose the code (including all prefetched components) of the Downloadable.”
`
`(Id. at 5:41-45.) “Parsing” is synonymous with “disassembling the machine code”
`
`of the program per claims 9 & 18. (Id. at 9:20-24; Ex. 1002 at ¶ 48.) The result of
`
`the parsing/disassembling is DSP data, which can include a list of program
`
`commands (e.g., a “WRITE_FILE” command to the operating system). (Ex. 1013
`
`at 6:16-24, 9:20-42.) DSP data can also include the parameters to the program’s
`
`command, e.g., the italicized portion of the following example command:
`
`WRITE_FILE (system_file, “<instructions to wipe out the hard-drive>”). (Ex.
`
`1002 at ¶ 48-49.)
`
`B.
`
`The Petitioned Claims of the ʼ494 Patent
`
`The elements of the Petitioned Claims are shown and labeled below:
`
`
`
`Claim Limitation
`
`1[a] A computer-based method, comprising the steps of:
`
`1[b]
`
`receiving an incoming Downloadable;
`
`1[c] deriving security profile data for the Downloadable, including a list of
`
`suspicious computer operations that may be attempted by the
`
`Downloadable; and
`
`-11-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`1[d]
`
`storing the Downloadable security profile data in a database.
`
`2
`
`The computer-based method of claim 1 further comprising storing a date &
`
`time when the Downloadable security profile data was derived, in the
`
`database.
`
`3
`
`The computer-based method of claim 1 wherein the Downloadable includes
`
`an applet.
`
`4
`
`The computer-based method of claim 1 wherein the Downloadable includes
`
`an active control.
`
`5
`
`The computer-based method of claim 1 wherein the Downloadable includes
`
`program script.
`
`6
`
`The computer-based method of claim 1 wherein suspicious computer
`
`operations include calls made to an operating system, a file system, a
`
`network system, and to memory.
`
`10[a] A system for managing Downloadables, comprising:
`
`10[b] a receiver for receiving an incoming Downloadable;
`
`10[c] a Downloadable scanner coupled with said receiver, for deriving security
`
`-12-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`profile data for the Downloadable, including a list of suspicious computer
`
`operations that may be attempted by the Downloadable; and
`
`10[d] a database manager coupled with said Downloadable scanner, for storing the
`
`Downloadable security profile data in a database.
`
`11
`
`The system of claim 10 wherein said database manager also stores a date &
`
`time when the Downloadable security profile data was derived by said
`
`Downloadable scanner, in the database.
`
`12
`
`The system of claim 10 wherein the Downloadable includes an applet.
`
`13
`
`The system of claim 10 wherein the Downloadable includes an active
`
`control.
`
`14
`
`The system of claim 10 wherein the Downloadable includes program script.
`
`15
`
`The system of claim 10 wherein suspicious computer operations include
`
`calls made to an operating system, a file system, a network system, and to
`
`memory.
`
`
`
`C.
`
`Priority Dates of the Petitioned Claims
`
`In its decision granting institution in the PAN IPR on substantially the same
`
`grounds as presented here, the Board held that the priority date of the ’494 patent
`
`-13-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`was no earlier than November 6, 1997. IPR2016-00159, paper 8, at 13. For the
`
`purposes of this petition, Petitioner assumes that the priority date of the petitioned
`
`claims is November 6, 1997. Accordingly, the Martin and Swimmer references
`
`qualify as prior art at least under 35 USC § 102(a) and 102(b), respectively.
`
`VII. CLAIM CONSTRUCTION UNDER 37 C.F.R. § 42.104(B)(3)
`
`A. Legal Overview
`
`A claim subject to IPR is given its “broadest reasonable construction
`
`(“BRI”) in light of the specification of the patent in which it appears.”1 37 C.F.R. §
`
`42.100(b). Terms that require claim construction are discussed below.
`
`B.
`
`“Downloadable security profile data” (all claims)
`
`The BRI of the term “Downloadable security profile data” is “information
`
`related to whether executing a downloadable is a security risk.” This BRI is
`
`consistent with the use of the term in the claims and specification and the Patent
`
`Owner’s Markman positions.
`
`Other than the ’639 provisional application (Ex. 1027 at 11:9-13), the ’194
`
`patent provides the only written description of DSP data, noting that “DSP data
`
`310 includes the list of all potentially hostile or suspicious computer operations
`
`
`1 Petitioner reserves the right to pursue different constructions in litigation. In re
`
`Zletz, 893 F.2d 319, 321 (Fed. Cir. 1989).
`
`-14-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`that may be attempted by each known Downloadable 307, and may also include
`
`the respective arguments of these operations.” (Ex. 1013 at 4:33-37.) The context
`
`of the particular claims in the ’494 patent show that DSP data must have a broader
`
`meaning here. While claims 1 and 10 note that the DSP data can “include[] a list
`
`of suspicious computer operations that may be attempted by the Downloadable,”
`
`dependent claims 8 and 17 recite that the DSP data may also “include[] a digital
`
`certificate.” Claims 7 and 16 recite that the DSP data “includes a URL from where
`
`the Downloadable originated.” Together, these claims confirm Petitioner’s BRI by
`
`characterizing DSP data as encompassing data (e.g., operations or certificates or
`
`URLs), all of which are useful for determining the likelihood that a Downloadable
`
`will perform hostile operations. (Ex. 1002 at ¶ 29-30.)
`
`Lists of suspicious computer operations, URLs, and digital certificates are
`
`used to determine whether executing a downloadable poses a security risk. (See,
`
`e.g., Ex. 1013 at 5:4-15; 6:49-7:2; 2:11-28.) For example, in the ’194 patent, the
`
`list of suspicious computer operations is compared against a security policy to
`
`determine whether the Downloadable poses a security risk. (Id. at 6:13-24.) The
`
`URL is used “to determine whether the Downloadable comes from a trusted
`
`source.” (Id. at 6:38-48.) If the URL is from an unknown/untrusted source, then
`
`the Downloadable is “deemed suspicious and presumed hostile” and presented as a
`
`possible security risk. (Id.) Similarly, the digital certificate is used to “determine[]
`
`-15-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`whether the received Downloadable was signed by a [trusted] certificate
`
`authority.” (Id. at 6:26-36.) If the digital certificate is from an unknown/untrusted
`
`certificate authority, then the Downloadable is also deemed hostile and presented
`
`as a possible security risk. (Id. at 6:53-59.) In the PAN IPR, the Board concluded
`
`that the term “Downloadable security profile data” did not require construction.
`
`IPR2016-00159, paper 8 at 7.
`
`C.
`
`“Database” (all claims)
`
`The BRI of the term “database” includes “a collection of interrelated data
`
`organized according to a database schema to serve one or more applications.” The
`
`Board adopted this construction in the PAN IPR. IPR2016-00159, paper 8 at 8. In a
`
`recent non-instituted inter partes review of the ʼ494 patent, the Board adopted this
`
`BRI of “database,” which was Patent Owner’s proposed construction in that
`
`proceeding. IPR2015-01022, Paper No. 7, at 9-10. There, the Board agreed with
`
`Patent Owner that the BRI of “database” coincides with the district court’s
`
`construction of the term in Patent Owner’s litigation with Sophos, Inc. (“a
`
`collection of interrelated data organized according to a database schema to serve
`
`one or more applications”). (See Ex. 1063 at 17.) The BRI of “database” should
`
`be at least as broad as the BRI of “database” adopted in the Sophos IPR and
`
`litigation. (See also Ex. 1002 at ¶ 31.)
`
`-16-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`
`The proposed BRI of “database” is supported by the intrinsic evidence.
`
`Requiring a “database schema” and that the database “serve one or more
`
`applications” is consistent with the specifications of the ’494 patent and the
`
`applications and patents related to the ’494 patent. For example, Fig. 3 of the ’194
`
`patent shows “Security Database 240” as being separate and distinct from “Event
`
`Log 245,” indicating that the “database” recited in the claims of the ’494 patent is
`
`not merely a log file—that it is instead organized in accordance with a structured
`
`database schema:
`
`
`
`
`
`(Ex. 1013 at 5.) Furthermore, the security database 240 in the above figure
`
`“serve[s] one or more applications” because it serves “security program 255”
`
`-17-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`shown in Fig. 2 of the ’194 patent, and Fig. 3 above shows “details of the security
`
`program 255 and the security database 240.” (Ex. 1013 at 3:58-63, Figs. 2-3.)
`
`Also, the proposed BRI coincides with at least one well-known definition of
`
`“database.” (Ex. 1083 at 3 (defining “database” as “A collection of interrelated
`
`data organized according to a database schema to serve one or more
`
`applications.”).)
`
`D.
`
`“Downloadable” (all claims)
`
`The BRI of the term “downloadable” is “an executable application program,
`
`which is downloaded from a source computer and run on the destination
`
`computer.” The incorporated ’194 patent defines “Downloadable” (capitalizing
`
`the term as a definition) as a program that is downloaded (Ex. 1013 at 1:44-55):
`
`“A Downloadable is an executable application program, which is
`
`downloaded from a source computer and run on the destination
`
`computer.” (emphasis added)
`
`A POSA would ascribe the same meaning to “downloadable” as the Petitioner’s
`
`BRI to the term. (Ex. 1002 at ¶ 32.) The Board agreed with this construction in
`
`the PAN IPR. IPR2016-00159, paper 8 at 8.
`
`VIII. PERSON HAVING ORDINARY SKILL IN THE ART & STATE OF THE ART
`
`The ’494 patent is directed at the field of computer security programs,
`
`including content scanners for program code. (Ex. 1002 at ¶ 20-22.) At the time
`
`-18-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`of the alleged invention, a person having ordinary skill in the art (“POSA”) would
`
`have held a bachelor’s degree or the equivalent in computer science (or related
`
`academic fields) and three to four years of additional experience in the field of
`
`computer security, or equivalent work experience. (Id.)
`
`IX. CLAIMS 1-18 OF THE ʼ494 PATENT ARE UNPATENTABLE
`
`As detailed in the sections below, claims 1-6 and 10-15 of the ’494 patent
`
`are unpatentable. Petitioner analyzes below two grounds for invalidity based on
`
`Swimmer as a primary reference.
`
`Under Ground 1, Swimmer, by itself, renders obvious claims 1-2, 6, 10-11,
`
`and 15. Under Ground 2, Swimmer, in view of Martin, renders obvious claims 3-5
`
`and 12-14.
`
`A. Overview of Swimmer
`
`Swimmer discloses a computer system, called Virus Intrusion Detection
`
`Expert System (VIDES), for dynamically detecting and classifying computer
`
`viruses based on general behavior patterns. (Ex. 1006 at 1 (Title, Abstract).)
`
`Swimmer explains that the VIDES system can be used “as a type of firewall for
`
`programs entering a protected network.” (Ex. 1006 at 13.) To detect viruses based
`
`on behavioral patterns, Swimmer discloses using an emulator to monitor the
`
`activity of a virtual PC, including its execution of application programs. (Ex. 1006
`
`at 1, 8-9.) The emulator outputs a stream of system activity data, which includes
`
`-19-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`functions (e.g., system calls) that the executed programs attempt to invoke. (Ex.
`
`1006 at 1, 7, 9-10.) Swimmer explains that the activity data is recorded in a
`
`database according to a structured schema. (Ex. 1006 at 9 (explaining that the final
`
`format for an audit record is “<code segment, RecType. StartTime, EndTime,
`
`function number, arg (...), ret(...)>”).) This structured activity data is then analyzed
`
`by an expert system (Advanced Security audit trail Analysis on UniX, “ASAX”) to
`
`detect viruses by employing rules that model typical virus behavior. (Ex. 1006 at
`
`1-2, 4-5, and 10-12.)
`
`B. Overview of Martin
`
`Martin is entitled “Blocking Java Applets at the Firewall.” (Ex. 1047 at 5
`
`(Title).) Martin explains that a firewall is an “intentional bottleneck” between two
`
`networks designed to prohibit particular types of communication. (Ex. 1047 at 6.)
`
`Martin discloses a firewall architecture that includes a secured proxy host to which
`
`all relevant data packets are forwarded before being permitted to pass through the
`
`firewall. (Ex. 1047 at 6-7.) The proxy host can employ any of several different
`
`techniques or a combination of those techniques to identify Java applets so they
`
`can be blocked at the firewall. (Ex. 1047 at 11-13.) For example, the proxy can
`
`scan incoming content for <applet> tags, for a particular sequence of bytes (“CA
`
`FE BA BE”) that appears near the beginning of every Java class file, or for a file
`
`name ending in the extension “.class”. (Id.) Though Martin focuses primarily on
`
`-20-
`
`

`
`Petition for Inter Partes Review of
`Patent No. 8,677,494
`
`the problem of blocking Java applets at a firewall, it also discusses the importance
`
`of blocking ActiveX contr