Paper No. ____
`Filed: July 15, 2016
`
`Filed on behalf of: Blue Coat Systems, Inc.
`By: Michael T. Rosato (mrosato@wsgr.com)
`
`Andrew S. Brown (asbrown@wsgr.com)
`Matthew A. Argenti (margenti@wsgr.com)_
`WILSON SONSINI GOODRICH & ROSATI
`701 Fifth Avenue, Suite 5100
`Seattle, WA 98104-7036
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`_____________________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`_____________________________
`
`
`BLUE COAT SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`
`_____________________________
`
`Patent No. 8,677,494
`
`_____________________________
`
`
`PETITION FOR INTER PARTES REVIEW OF
`U.S. PATENT NO. 8,677,494
`
`
`
`

`

`
`
`TABLE OF CONTENTS
`
`Page
`
`I.
`
`Introduction .................................................................................................. 1
`
`A.
`
`Brief Overview of the ’494 Patent....................................................... 3
`
`B.
`
`C.
`
`Brief Overview of the Prosecution History ......................................... 4
`
`Brief Overview of the Scope and Content of the Prior Art .................. 7
`
`D.
`
`Brief Overview of the Level of Skill in the Art ................................. 14
`
`II.
`
`Grounds for Standing .................................................................................. 14
`
`III. Mandatory Notices under 37 C.F.R. § 42.8 ................................................. 14
`
`IV. Statement Of Non-Redundancy................................................................... 16
`
`V.
`
`Statement Of The Precise Relief Requested For Each Claim
`Challenged .................................................................................................. 17
`
`VI. Claim Construction ..................................................................................... 17
`
`VII. Detailed Explanation Of Grounds For Unpatentability ................................ 18
`
`A.
`
`B.
`
`C.
`
`D.
`
`E.
`
`Swimmer Discloses or Renders Obvious Each Element of
`Independent Claims 1 and 10 ............................................................ 18
`
`[Ground 1] Claims 7 and 16 are Obvious under 35 U.S.C. § 103
`over Swimmer in view of Ji .............................................................. 29
`
`[Ground 2] Claims 7 and 16 are Obvious under 35 U.S.C. § 103
`over Swimmer in view of Luotonen .................................................. 33
`
`[Ground 3] Claims 8 and 17 are Obvious under 35 U.S.C. § 103
`over Swimmer in view of Apperson .................................................. 38
`
`[Ground 4] Claims 9 and 18 are Obvious under 35 U.S.C. § 103
`over Swimmer in view of Lo............................................................. 42
`
`VIII. Conclusion .................................................................................................. 48
`
`-i-
`
`

`

`
`IX. Certificate of Compliance ........................................................................... 49
`IX.
`Certificate of Compliance ......................................................................... ..49
`
`X.
`X.
`
`Payment of Fees under 37 C.F.R. §§ 42.15(a) and 42.103........................... 50
`Payment of Fees under 37 C.F.R. §§ 42.15(a) and 42.103 ......................... ..50
`
`XI. Appendix – List of Exhibits ........................................................................ 51
`XI. Appendix — List of Exhibits ...................................................................... ..51
`
`
`
`
`
`
`
`-ii-
`
`

`

`
`
`I.
`
`INTRODUCTION
`
`Pursuant to the provisions of 35 U.S.C. § 311 and § 6 of the Leahy-Smith
`
`America Invents Act (“AIA”), and to 37 C.F.R. Part 42, Blue Coat Systems, Inc.,
`
`(“Petitioner”) hereby requests review of United States Patent No. 8,677,494 to
`
`Edery et al. (hereinafter “the ’494 patent,” EX1001) that issued on March 18,
`
`2014, and is currently assigned to Finjan, Inc. (“Patent Owner”). This Petition
`
`demonstrates that there is a reasonable likelihood that Petitioner will prove by a
`
`preponderance of the evidence that claims 7-9 and 16-18 of the ’494 patent are
`
`unpatentable for failing to distinguish over prior art. Thus, claims 7-9 and 16-18 of
`
`the ’494 patent should be found unpatentable and canceled.
`
`The Board has previously instituted inter partes review of the ’494 patent,
`
`including of the independent claims from which claims 7-9 and 16-18 depend, in
`
`Nos. IPR2015-01892 and IPR2016-00159. This Petition presents essentially the
`
`same disclosure and arguments for those independent claims. The additional
`
`requirements of the challenged dependent claims 7-9 and 16-18 are insufficient to
`
`lend them patentability.
`
`The challenged claims generally recite systems and methods for detecting
`
`suspicious “Downloadables” (executable application programs), including: (1)
`
`receiving a Downloadable software program, (2) deriving Downloadable security
`
`profile data (“DSP data”) for the Downloadable; and (3) saving that DSP data in a
`
`database. EX1002 ¶16. Similar systems and methods, however, were known in the
`
`art since as late as 1995. For example, a system that analyzed executable programs
`
`to derive a DSP was demonstrated in in “Dynamic Detection and Classification of
`
`1
`
`

`

`
`
`
`
`Computer Viruses Using General Behaviour Patterns,” by Morton Swimmer et al.
`
`(“Swimmer,” EX1003, Abstract). The DSP contained a list of suspicious
`
`operations that may be attempted by the Downloadable, as shown highlighted
`
`below:
`
`
`IDs of suspicious operations
`
`EX1003 at FIG. 3; Ex. 1002 ¶67.
`
`It was also well-known in the art that a number of specific types of
`
`information could be utilized when detecting suspicious code. Based on the
`
`foregoing, the specific components of the DSP required by the challenged
`
`dependent claims (i.e., a URL, a digital certificate, or disassembled Downloadable
`
`code) also fail to render those claims patentable over the prior art as described in
`
`more detail below. Accordingly, the systems and methods claims in the ‘494
`
`patent were well known and obvious. EX1002 ¶¶ 55-109.
`
`-2-
`
`

`

`
`
`A. Brief Overview of the ’494 Patent
`
`The ’494 patent is entitled “Malicious Mobile Code Runtime Monitoring
`
`System and Methods.” In a general sense, the ’494 patent is directed to receiving a
`
`Downloadable, creating a security profile for the Downloadable, and saving the
`
`security profile to a database. EX1001, claim 1; EX1002 ¶16. The DSP data
`
`includes a profile of the security risks that may be posed by the downloadable,
`
`such as suspicious code, unusual inputs to that code, and other data relevant to the
`
`trustworthiness of the code. EX1002 ¶17.
`
`Each of the six challenged claims depends from either independent claim 1
`
`or 10. Claim 1 is representative and recites the following:
`
`A computer-based method, comprising the steps of:
`
`receiving an incoming Downloadable;
`
`deriving security profile data for the Downloadable, including a list
`
`of suspicious computer operations that may be attempted by the
`
`Downloadable; and
`
`storing the Downloadable security profile in a database.
`
`Independent claim 10 is a system claim analogous to claim 1. It recites well-known
`
`components for performing the method of claim 1, including a “receiver,” a
`
`“Downloadable scanner,” and a “database manager.” EX1002 ¶¶21, 62, 74.
`
`The dependent claims challenged in this petition merely add requirement
`
`that the DSP data include types of information well-known in computer
`
`networking and security technology. Specifically, claims 7 and 16 require that the
`
`DSP data includes a URL indicating the origin of the Downloadable, claims 8 and
`
`-3-
`
`

`

`
`
`17 require that the DSP data includes a digital certificate, and claims 9 and 18
`
`require that the DSP data includes disassembling the incoming Downloadable.
`
`Each of these types of information was well-known in the context of computer
`
`networking and detection of suspicious or potentially malicious code. EX1002
`
`¶¶ 19-21.
`
`B.
`
`Brief Overview of the Prosecution History
`
`Application No. 13/290,708 was filed on November 7, 2011 and issued on
`
`March 18, 2014 as U.S. Patent No. 8,677,494. The first paragraph of the ’494
`
`patent states that it claims priority through a series of continuations and
`
`continuations in part to 7 different non-provisional applications and 2 provisional
`
`applications. The following graphic illustrates the relationships of these
`
`applications as described by the ’494 patent:
`
`-4-
`
`

`

`
`
`
`
`While the ’494 on its face claims priority to U.S. provisional application No.
`
`60/030,639 at least one intervening patent in the priority chain fails to do so.
`
`Specifically, U.S. Patent No. 7,613,926 fails to claim priority to the ’639
`
`provisional application and instead the earliest priority document cited in the ’926
`
`patent is U.S. Patent No. 6,092,194 (“the ’194 patent”). EX1010 at 1:8-32.
`
`Accordingly, the priority date of the ’494 patent is no earlier than the November 6,
`
`1997 filing date of U.S. patent application No. 08/964,388.
`
`During prosecution of the application for the ’494 patent the pending claims
`
`were rejected twice as anticipated by the Ji reference relied upon herein in
`
`-5-
`
`

`

`
`
`combination with Swimmer in Ground 1. EX1004 at 00864, 814. On May 7, 2013,
`
`the applicants filed a declaration by Shlomo Touboul, asserting that Touboul was
`
`the sole inventor of the subject matter described in claims 1, 3-6, 9, 10, 12-15, and
`
`18, and that these claims were invented prior to the filing date of Ji. Id. at 00288-
`
`89. The Examiner then issued a Notice of Allowance on August 29, 2013, citing
`
`the declaration of Shlomo Touboul as overcoming Ji. Id. at 00223.
`
`Despite the Examiner’s reliance on the Touboul declaration as overcoming
`
`the Ji reference, the declaration is insufficient for this purpose with respect to the
`
`challenged claims. First, the declaration did not address claims 2, 7, 8, 11, 16, or
`
`17, except to state that Touboul was a co-inventor of those claims. EX1004 at
`
`00288-89. (“The remaining pending dependent claims were co-invented by or
`
`with one or more of the other listed inventors.”). The declaration does not purport
`
`to provide evidence of the date the subject matter of those claims was conceived
`
`and reduced to practice. See id. at 00288-90 (addressing public availability of
`
`product purportedly embodying “my sole invention,” i.e., the invention recited in
`
`“claims 1, 3, 4-6, 10, 12-15, and 18” and omitting claims 2, 7, 8, 11, 16, and 17
`
`from assertions). The Touboul declaration is therefore facially insufficient to
`
`antedate Ji with respect to claims 7 and 16, as it is applied in this petition.
`
`Second, the Touboul declaration does not present sufficient antedating
`
`evidence with respect to any claim of the ’494 patent, because the “facts” asserted
`
`by Mr. Touboul are conclusory and unsubstantiated. The declaration merely lists a
`
`subset of claims and asserts that the invention reflected in those claims was
`
`“developed and released to the public before September 10, 1997 by its
`
`-6-
`
`

`

`
`
`incorporation” into a Finjan product called SURFINGATE. In support of this the
`
`declaration cites to a press release and product marketing materials, without
`
`discussing the specific content of those documents. The declaration contains no
`
`discussion of what specific features of the SURFINGATE product might have
`
`corresponded to particular limitations of even the dependent claims of the ’494
`
`patent, let alone the numerous dependent claims identified as also reflecting Mr.
`
`Touboul’s “sole invention.” In failing to identify how the identified product
`
`allegedly embodied the identified claims, the declaration falls short of
`
`demonstrating conception and reduction to practice before Ji’s filing date.
`
`C. Brief Overview of the Scope and Content of the Prior Art
`
`As explained in detail in the corresponding Declaration of Dr. Azer
`
`Bestavros, Ph.D. (Exhibit 1002) and addressed in further detail below (Section
`
`VII), the involved claims would not have been considered new or non-obvious to a
`
`person of ordinary skill in the art at the relevant time. The idea of deriving and
`
`saving security profile data from a Downloadable in order to identify suspicious
`
`code was well-known, as were the use of URLs, digital certificates, and
`
`disassembled code in assessing and tracking the trustworthiness of software files.
`
`As Dr. Bestavros explains, and as the Ji and Swimmer references disclose,
`
`since at least the late 1980s antivirus software has been employed to screen
`
`malicious code from execution. Antivirus software can evaluate unknown or
`
`untrusted programs in a process referred to as “scanning” and determine whether
`
`the code is malicious. EX1002 ¶¶29-31. The earliest form of scanning was
`
`“signature scanning,” also known as “lexical scanning,” whereby whenever a new
`
`-7-
`
`

`

`
`
`example of malicious code was identified, a “signature” of that code would be
`
`stored in a database. Id. ¶32; EX1006 at 2:1-11; EX1005 at 77. A drawback of
`
`signature scanning is that it could not identify novel malware. EX1002 ¶ 33.
`
`Solutions therefore arose to detect new viruses.
`
`Two important forms of analysis often used for malware detection were
`
`static and dynamic analysis. EX1002 ¶33; EX1009 at 162, Table 2. Static analysis
`
`took machine code and analyzed it through a process of disassembly and
`
`decompilation to produce assembly code and source code. EX1002 ¶34; EX1009 at
`
`165; EX1018 at 8:26-27; EX1022 at 812-13. The assembly code and source code
`
`could then be analyzed to understand the behavior of the program. Id. Dynamic
`
`analysis involved executing the program or simulating its execution while
`
`performing “heuristic scanning,” monitoring the program’s behavior to identify
`
`particular code fragments, operations, or other properties that are characteristic of
`
`virus behavior, but not in bona fide programs. EX1002 ¶¶ 35-37; EX1005 at 77;
`
`EX1017 at 0008.
`
`Notably, Swimmer discloses a computer system called Virus Intrusion
`
`Detection Expert System (“VIDES”), which was “a prototype for an automatic
`
`analysis system for computer viruses” and could be used “as a type of firewall for
`
`programs entering a protected network.” EX1005 at 75, 87, EX1002 ¶¶58-59.
`
`Swimmer was published in the Proceedings of the Fifth International Virus
`
`Bulletin Conference. The Fifth International Virus Bulletin Conference was held
`
`on September 20-22, 1995, in Boston, MA. EX1020 ¶3. Swimmer was published
`
`to all 163 conference attendees and made available for sale by Virus Bulletin after
`
`-8-
`
`

`

`
`
`the Conference, as evidenced by the Declaration of John Hawes, Virus Bulletin’s
`
`Chief of Operations. EX1020 ¶3. Accordingly, Swimmer was published no later
`
`than September 22, 1995, the final day of the Fifth International Virus Bulletin
`
`Conference. Swimmer was independently confirmed to have been publicly
`
`available no later than December 1, 1995, as evidenced by the declaration of Dr.
`
`Sylvia Hall-Ellis. EX1024 at ¶¶19-20.
`
`Swimmer’s VIDES system dynamically detects and classifies computer
`
`viruses based on general behavior patterns. EX1002 ¶58; EX1005 at Title. To
`
`overcome the limited ability of lexical scanners to detect unknown viruses, the
`
`VIDES system implemented an emulator and an expert ASAX system that used
`
`heuristics to detect viruses. EX1002 ¶60. The emulator outputs a security profile
`
`in the form of an “audit trail” or “audit profile” that provides information about the
`
`potential threats, which renders the claimed security profile that a Downloadable
`
`poses well-known in the art. Id.
`
`In addition, it was well known prior to the claimed invention that security
`
`profiles can take the form of a list of suspicious operations that may be executed by
`
`the Downloadable. EX1002 ¶¶37-38. For example, the emulator in Swimmer’s
`
`VIDES system emulates the program as it would run on a destination processor.
`
`EX1002 ¶59. The emulator outputs “activity data” (i.e., the operations the
`
`programs attempts to execute) in an “audit report” or “audit trail,” shown in Figure
`
`3 below:
`
`-9-
`
`

`

`
`
`
`
`The audit trail provides a list of operations in the form of structured schema
`
`that follows the format: <code segment, RecType, StartTime, EndTime, function
`
`number, arg(...), ret(...)>.EX1002 ¶60; EX1005 at 83. Swimmer explains that
`
`“code segment” represents the address in memory of the executable image of the
`
`program, and “function number” is the number of the DOS function requested by
`
`the program. EX1002 ¶66; EX1005 at 83. The “function number” identifies the
`
`MS-DOS operations that the emulated program requests and will attempt to
`
`perform if run on a destination processor. EX1002 ¶67.
`
`The ’494 patent refers to certain operations as “suspicious operations,”
`
`including calls to memory, calls to a network system, calls to a file system, and
`
`calls to an operating system. As was well known in the field prior to the ‘494
`
`patent, DOS functions performed these operations. For example, “Advanced
`
`MSDOS Programming,” by Ray Duncan (2nd Ed. 1988) (“Duncan,” EX1021)
`
`maps DOS function numbers to their operations. Examples include function
`
`numbers 72-74 (memory-related operations), 15-16 (file-related operations “Open
`
`-10-
`
`

`

`File” and “Close File,” respectively), and 94-95 (network-related operations), each
`
`of which is also a call to an operating system. EX1002 ¶67.
`
`
`
`
`
`
`
`
`
`EX1021 at 6; EX1002 ¶67. Function number 74, for example, which corresponds
`
`to a call to memory, is shown in the audit trail in Figure 3 of Swimmer. Thus, the
`
`audit trail presents a list of suspicious operations that the Downloadable may
`
`perform. EX1002 ¶67-68.
`
`It was also known to save Downloadable security profile data to a database.
`
`Dr. Bestavros explains that the audit report shown in Swimmer is considered a
`
`database. EX1002 ¶¶69-71. As shown in Figure 3, the audit records contain
`
`newline terminated records with a single character that delimits each field in the
`
`-11-
`
`

`

`
`
`record. “cql – A Flat File Database Query Language,” to Glenn Fowler (“Fowler,”
`
`EX1013) explains that this format corresponds to a flat-file database. EX1002 ¶69
`
`Swimmer also discloses using databases to identify previously-detected viruses,
`
`and also discloses updating virus information databases with the results of its
`
`analysis. EX1005 at 77 (“Usually, a scanner uses a database of virus identification
`
`information which enable it to detect all viruses previously analysed”) 81
`
`(“Moreover, the ID system must not be prevented from reporting (raising alarms,
`
`updating virus information databases) the results of such analysis.”); EX1002 ¶72.
`
`Beyond the concept of deriving DSP data and saving it to a database, it was
`
`also well understood in the art that certain specific types of information could be
`
`useful when determining whether code was potentially malicious. For example, it
`
`was common to track the URL identifying the origin of the software. EX1002
`
`¶¶42, 44. If the program came from a source that had previously supplied infected
`
`programs, it was generally considered unsafe to continue visiting; to serve this
`
`purpose it was known that a firewall could maintain “a blacklist of Web sites that
`
`serve potentially dangerous active codes.” EX1002 ¶44; EX1014 at 0041; see also
`
`EX1006 at 5:22-41 (discussing recording URLs of scanned Downloadables in a
`
`database). Beyond providing a network protection function firewalls were also
`
`commonly used as a caching proxy, storing files associated with particular URLs
`
`to save time and cost by providing a copy of a requested file from the cache instead
`
`of retrieving a duplicate copy from a remote source. EX1002 ¶¶40-42; EX1007 at
`
`147-48, 151-52. In such an implementation the URL was saved at the file with the
`
`software itself.
`
`-12-
`
`

`

`
`
`Similarly, it was known to associate a digital certificate with a piece of
`
`software as an additional, cryptographic, method for assessing the safety of the
`
`program. As Dr. Bestavros explains, a downloadable program could be digitally
`
`signed by embedding a digital certificate within it or by transmitting the two
`
`together. EX1002 ¶43; EX1014 at 0021, 0031; see also EX1008 at Abstract, 4:28-
`
`31. Figs. 2 and 4.
`
`Finally, it was also known to disassemble software when assessing whether
`
`it contained suspicious code. “Disassembly” refers to the conversion of binary
`
`machine code into assembly code, which can then be further processed into source
`
`code, in a process known as “decompiling.” EX1002 ¶34. These processes were
`
`used in static analysis such as the detection of patterns in code fragments, and it
`
`was understood that such conventional static analysis methods such as disassembly
`
`and decompilation could be used to aid dynamic analysis that monitored program
`
`behavior. Id.; EX1005 at 77; EX1018 at 8:26-27; EX1022 at 812; EX1002 ¶¶34,
`
`42-43. In fact, it was common to employ static scanning (such as disassembly) and
`
`dynamic scanning (such as heuristic analysis) in the same security solution.
`
`EX1002 ¶¶37-38, 50; EX1017 at 0008; EX1009 at 160; EX1005 at 79; EX1014 at
`
`0022 (explaining that various different methods of determining which files were
`
`trustworthy could “be combined to create an even more robust variation” of anti-
`
`malware protection).
`
`For these reasons, and as described in greater detail below and in Dr.
`
`Bestavros’s declaration, the systems and methods for detecting suspicious
`
`Downloadables as recited in claims 7-9 and 16-18 were already described in the
`
`-13-
`
`

`

`
`
`prior art as of the earliest priority date for the ’494 patent.
`
`D. Brief Overview of the Level of Skill in the Art
`
`As Dr. Bestavros explains, a person of ordinary skill in the relevant field
`
`prior to November 6, 1997 would include someone who had, through education or
`
`practical experience, the equivalent of a bachelor’s degree in computer science or a
`
`related field and at least an additional three to four years of work experience in the
`
`field of computer security. EX1002, ¶¶46-51. Such a person would have been
`
`aware of and would have been working with computer security trends from the
`
`early-to-mid 1990s, including trends toward heuristic classification of program
`
`behavior and the incorporation of different security features within malware
`
`detection platforms. Id.
`
`II. GROUNDS FOR STANDING
`
`Petitioner certifies that, under 37 C.F.R. § 42.104(a), the ’494 patent is
`
`available for inter partes review, and Petitioner is not barred or estopped from
`
`requesting inter partes review of the ’494 patent on the grounds identified.
`
`III. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8
`
`Real Party-in-Interest (37 C.F.R. § 42.8(b)(1)): Petitioner Blue Coat
`
`Systems, Inc., a subsidiary of Blue Coat, Inc., is the real party-in-interest.
`
`On June 12, 2016, Blue Coat, Inc. and Symantec Corporation announced
`
`that they have entered into a definitive agreement under which Symantec will
`
`acquire Blue Coat, Inc. The transaction is expected to close in the third quarter of
`
`2016. As of the filing date of this petition the transaction has not been executed
`
`and Symantec is not a privy of Blue Coat Systems, Inc. See VMWare, Inc. v. Good
`
`-14-
`
`

`

`
`
`Tech. Software, IPR2014-01324, Paper 28 at 3-4 (analyzing whether privity existed
`
`at time petition was filed because “the relevant dates for § 315(b) include the filing
`
`date of the petition”); Synopsys, Inc. v. Mentor Graphics Corp., IPR2012-00042,
`
`Paper 16 at 15-16 (Feb. 22, 2013) (finding agreement to acquire insufficient to
`
`establish privity at time petition was filed, where petitioner did not become wholly
`
`owned subsidiary of acquirer until later date). Moreover, Symantec has not
`
`controlled or had the ability to control the filing of this petition, whether through
`
`funding or strategy. Symantec is not a real party-in-interest.
`
`Related Matters (37 C.F.R. § 42.8(b)(2)):
`
`The ’494 patent is currently involved in the following proceedings: Finjan,
`
`Inc. v. Blue Coat, Inc., 5:15-cv-03295 (N.D. CA); Finjan, Inc. v. Symantec Corp.,
`
`Case No. 3:14-cv-02998 (N.D. CA), Finjan, Inc. v. Sophos Inc., 3:14-cv-01197
`
`(N.D. Cal.); and Finjan, Inc. v. Palo Alto Networks, Inc., 3:14-cv-04908 (N.D.
`
`Cal.). An inter partes review, Symantec Corp. v. Finjan, Inc. (IPR2015-01892)
`
`was instituted on March 18, 2016. A second inter partes review, Palo Alto
`
`Networks, Inc. v. Finjan, Inc. (IPR2016-00159), was instituted on May 13, 2012.
`
`On April 16, 2016, Blue Coat filed a petition for inter partes review (IPR2016-
`
`00890) of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ’494 patent, along with a
`
`motion for joinder to IPR2015-01892. On June 10, 2016, Blue Coat filed a petition
`
`for inter partes review (IPR2016-01174) of claims 1-6 and 10-15 of the ’494
`
`patent, along with a motion for joinder to IPR2016-00159.
`
`Lead and Back-Up Counsel (37 C.F.R. § 42.8(b)(3))
`
`Lead Counsel: Michael T. Rosato (Reg. No. 52,182)
`
`-15-
`
`

`

`
`
`Back-Up Counsel: Andrew S. Brown (Reg. No. 74,177)
`
`Back-Up Counsel: Matthew A. Argenti (Reg. No. 61,846)
`
`Service Information – 37 C.F.R. § 42.8(b)(4). Petitioners hereby consent to
`
`electronic service.
`
`Email: mrosato@wsgr.com; asbrown@wsgr.com; margenti@wsgr.com
`
`Post: WILSON SONSINI GOODRICH & ROSATI, 701 Fifth Avenue, Suite 5100,
`
`
`
`Seattle, WA 98104-7036
`
`Tel.: 206-883-2529
`
`
`
`Fax: 206-883-2699
`
`IV. STATEMENT OF NON-REDUNDANCY
`
`While Blue Coat filed an earlier IPR petition against the ’494 patent, the
`
`present petition is not redundant, because it does not challenge the same claims
`
`previously challenged. As noted above in the identification of related matters,
`
`Blue Coat filed a petition for inter partes review of the ’494 patent on April 16,
`
`2016, along with a motion for joinder to IPR2015-01892 (“the Symantec IPR”).
`
`See IPR2016-00890 Papers 2, 3. Blue Coat also filed a second IPR petition on
`
`June 10, 2016 along with a motion for joinder to IPR2016-00159 (“the Palo Alto
`
`Networks IPR”). See IPR016-01174 Papers 2, 3. Blue Coat’s earlier, still-pending
`
`IPR petitions are limited to challenging claims 1, 2, 5, 6, 10, 11, 14, and 15 in the
`
`Symantec IPR and claims 1-6 and 10-15 in the Palo Alto Networks IPR, the same
`
`sets of claims for which the Board instituted trial in those proceedings. Blue Coat
`
`could not reasonably have addressed claims 7-9 and 16-18 in those petitions
`
`because doing so would have added issues not present in the Symantec and Palo
`
`Alto Networks IPRs and jeopardized Blue Coat’s joinder requests. Accordingly,
`
`-16-
`
`

`

`
`
`this Petition advances challenges to claims 7-9 and 16-18 not previously presented
`
`by Blue Coat, and is not redundant of Blue Coat’s joinder petitions. See, e.g., Life
`
`Techs. Corp. v. Unisone Strategic IP, Inc., CBM2016-00035, Paper 7 at 18-19
`
`(July 5, 2016) (declining to exercise discretion to deny petition under § 325(d)
`
`where second CBM petition challenged different set of claims than first).
`
`V.
`
`STATEMENT OF THE PRECISE RELIEF REQUESTED FOR EACH
`CLAIM CHALLENGED
`
`Petitioners request review of claims 7-9 and 16-18 of the ’494 patent under
`
`35 U.S.C. § 311 and AIA § 6. The grounds for relief are as follows:
`
`Ground
`
`Claims
`
`Description
`
`1
`
`2
`
`3
`
`4
`
`7 and 16 Obvious under § 103 over Swimmer and Ji
`
`7 and 16 Obvious under § 103 over Swimmer and Luotonen
`
`8 and 17 Obvious under § 103 over Swimmer and Apperson
`
`9 and 18 Obvious under § 103 over Swimmer and Lo
`
`VI. CLAIM CONSTRUCTION
`
`A claim subject to inter partes review receives the broadest reasonable
`
`construction in light of the specification of the patent in which it appears. Cuozzo
`
`Speed Techs., Inc. v. Lee, -- S. Ct. ----; 2016 WL 3369425 *10 (June 20, 2016); see
`
`also 37 C.F.R. § 42.100(b).
`
`“database”: The broadest reasonable interpretation of the term “database”
`
`includes “a collection of interrelated data organized according to a database
`
`schema to serve one or more applications.” The Board adopted this construction
`
`for the term “database” as used in the ’494 patent in the Symantec IPR and the
`
`-17-
`
`

`

`
`
`Palo Alto Networks IPR. IPR2015-01892, Paper 9 at 11; IPR2016-00159, Paper 8
`
`at 8. Moreover, this construction is consistent with the position taken by Patent
`
`Owner in the Symantec and Palo Alto Networks IPRs as well as the construction
`
`adopted in district court litigation. See IPR2015-01892, Paper 7 at 9; IPR2016-
`
`00159 Paper 6 at 12; EX1023 at 17 [Sophos claim construction order, Ex. 1063 in
`
`PAN IPR]; see also EX1002 ¶53.
`
`“downloadable”: The broadest reasonable interpretation of the term
`
`“downloadable” includes “an executable application program, which is
`
`downloaded from a source computer and run on a destination computer.” The
`
`Board adopted this construction for the term “Downloadable” as used in the ’494
`
`patent in the Palo Alto Networks IPR after Patent Owner did not oppose it in the
`
`preliminary response. IPR2016-00159, Paper 6 at 12, Paper 8 at 8. Moreover, this
`
`construction corresponds to the definition of the term “downloadable” in the ’194
`
`patent. EX1010 at 1:44-55; see also EX1002 ¶54.
`
`VII. DETAILED EXPLANATION OF GROUNDS FOR
`UNPATENTABILITY
`
`A.
`
`Swimmer Discloses or Renders Obvious Each Element of
`Independent Claims 1 and 10
`
`Claims 7-9 and 16-18, discussed in Grounds 1-4 below, each depend from
`
`claim 1 or 10, respectively. Accordingly, each of claims 7-9 and 16-18
`
`respectively include the limitations of claim 1 or 10. Swimmer, published no later
`
`than September, 1995, qualifies as a prior art printed publication under 35 U.S.C. §
`
`102(b). See supra, Section I.C. As demonstrated below, each and every element
`
`of independent claims 1 and 10 is obvious under 35 U.S.C. § 103 over Swimmer.
`
`-18-
`
`

`

`
`
`The preamble of claim 1 recites “A computer-based method reciting the
`
`steps of.” The preamble of claim 10 recites “A system for managing
`
`Downloadables, comprising.” Insofar as the preambles are limiting, Swimmer
`
`discloses each of these elements, as shown in the following claim chart:
`
`
`
`Claims
`
`Swimmer
`
`[1.a] A
`computer-based
`method,
`comprising the
`steps of:
`
`[10.a] A system
`for managing
`Downloadables,
`comprising:
`
` “In this paper, we will demonstrate how an emulator is used
`to monitor the system activity of a virtual PC, and how the
`expert system ASAX is used to analyse the stream of data
`whicg [sic] the emulator produces. We use general rules to
`detect real viruses generically and reliably, and specific rules
`to extract details of their behaviour. The resulting system is
`called VIDES: it is a prototype for an automatic analysis
`system for computer viruses and possibly a prototype anti-
`virus product for the emerging 32 bit PC operating systems.”
`EX1005 at 75 (Abstract); see also id. at Figure 4.
`
`“VIDES could conceivably be used outside the virus lab to
`detect viruses in a real environment. One possibility is to use it
`as a type of firewall for programs entering a protected
`network. Another possibility is the detection of viruses in the
`DOS sessions of emerging 32- bit desktop operating systems.
`
`“For such a system to be accepted, it must not cause false
`positives. A concept for this is currently under development.
`Such a system must also be unnoticeable unless a virus is
`found. As a virtual 8086 machine will be the basis for this, the
`only extra overhead will come from the audit system and from
`ASAX. The audit system can be tuned to provide only the
`nesessary[sic] data, which eliminates some overhead. ASAX
`has proven itself very fast: only the rules must be tuned for
`speed.
`
`“The prototype VIDES system shows that an automatic
`analysis system for computer viruses is possible and useful. At
`the same time, it is a prototype for the use of intrusion
`
`-19-
`
`

`

`detection technology for desktop systems.” EX1005 at 87.
`
`See also EX1002 ¶¶59, 62, 74.
`
`
`
`Swimmer discloses a computer-based system, called VIDES, the “Virus
`
`Intrusion Detection Expert System.” EX1005 at 76. In Swimmer’s system, “an
`
`emulator is used to monitor the system activity of a virtual PC,” generating a
`
`stream of audit data that is analyzed to detect virus activity. EX1005 at 75
`
`(abstract). Swimmer’s system uses “general rules to detect real viruses generically
`
`and reliably, and specific rules to extract details of their behavior.” Id. Swimmer
`
`describes the utility of this sy