UNITED STATES PATENT AND TRADEMARK OFFICE
`_____________________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`_____________________________
`
`BLUE COAT SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`_____________________________
`
`Patent No. 8,225,408
`_____________________________
`
`
`
`DECLARATION OF AZER BESTAVROS, PH.D.
`
`FireEye - Exhibit 1002 Page 1
`
`

`
`TABLE OF CONTENTS
`
`I.QUALIFICATIONS ................................................................................................. 3
`
`II.SCOPE OF WORK ................................................................................................. 8
`
`III.OVERVIEW OF THE ’408 PATENT ................................................................... 9
`
`IV.LEGAL STANDARD .......................................................................................... 11
`
`V.OVERVIEW OF THE PRIOR ART ..................................................................... 13
`
`Chandnani ............................................................................................. 13
`A.
`Kolawa ................................................................................................. 16
`B.
`Knuth .................................................................................................... 17
`C.
`D. Huang ................................................................................................... 18
`E. Walls .................................................................................................... 19
`F.
`Chandnani, Kolawa, Knuth, Huang, and Walls Are All Analogous
`Art ........................................................................................................ 19
`
`VI.LEVEL OF ORDINARY SKILL AND RELEVANT TIME ............................... 25
`
`VII.CLAIM CONSTRUCTION ................................................................................ 26
`
`VIII.GROUND 1: Claims 2, 11, 24-28, and 30-34 are rendered obvious by
`Chandnani in view of Kolawa and Knuth ........................................................ 28
`
`IX.GROUND 2: Claim 8 is rendered obvious by Chandnani in view of Kolawa
`and Huang ....................................................................................................... 89
`
`X.GROUNDS 3 and 4: Claims 2, 8, 11, 24-28, and 30-34 are rendered obvious
`by the above-identified grounds further in view of Walls ................................ 96
`
`XI.CONCLUDING STATEMENTS........................................................................106
`
`XII.Appendix – List of Exhibits ...............................................................................108
`
`
`
`
`
`
`
`FireEye - Exhibit 1002 Page 2
`
`

`
`I, Azer Bestavros, declare as follows:
`
`I.
`
`QUALIFICATIONS
`1.
`
`I am a Professor of Computer Science at Boston University, whose
`
`faculty I joined in 1991. I chaired the Computer Science Department from 2000 to
`
`2007, overseeing a period of significant growth, culminating in the Chronicle of
`
`Higher Education’s ranking of the Department as seventh in the U.S. in terms of
`
`scholarly productivity.
`
`2.
`
`I am the Founding Director of the BU Hariri Institute for Computing at
`
`Boston University, which was set up in 2010 to “create and sustain a community of
`
`scholars who believe in the transformative potential of computational perspectives in
`
`research and education.” I am also the co-Chair of the Council on Educational
`
`Technology & Learning Innovation, which was set up in 2012 to develop Boston
`
`University’s strategy as it relates to leveraging on-line technology in on-campus,
`
`residential programs.
`
`3.
`
`In addition to my academic responsibilities at Boston University, over the
`
`years I have taken significant regional and national research leadership
`
`responsibilities. This includes: serving since 2010 as co-chair for Research, Education,
`
`and Outreach of the Massachusetts Green High-Performance Computing Center – a
`
`consortium of the five major research institutions in the Commonwealth of
`
`
`
`
`
`-3-
`
`FireEye - Exhibit 1002 Page 3
`
`

`
`Massachusetts (Boston University, Harvard University, MIT, Northeastern University,
`
`and the University of Massachusetts); serving since 2013 as board member of the
`
`Cloud Computing Caucus, a non-profit, non-partisan coalition of industry and key
`
`government stakeholders, focused on raising awareness and educating lawmakers and
`
`the public on issues associated with cloud computing; and serving from 2007 to 2012
`
`as the elected chair of the IEEE Computer Society Technical Committee on the
`
`Internet.
`
`4.
`
`I also organized Computer Science leadership workshops at the
`
`Computing Research Association (CRA) Snowbird conferences on models for
`
`university-led technology transfer and incubation in 2000, and on models for
`
`publications in CS in 2006. In addition, I organized a number of meetings to develop
`
`research agendas and recommendations to government agencies, including the PI
`
`meeting of the CRI program at NSF, and the HCCS committee of the National
`
`Coordination Office for Networking and Information Technology. Most recently, I
`
`served as chair of the 2014 Committee of Visitors tasked to review the performance of
`
`the CNS Division of the CISE Directorate of the National Science Foundation.
`
`5.
`
`I am a senior member of the Association for Computer Machinery
`
`(ACM) and a senior member of the Computer Society of the Institute of Electrical and
`
`Electronics Engineers (IEEE), among other professional societies and organizations.
`
`
`
`
`
`-4-
`
`FireEye - Exhibit 1002 Page 4
`
`

`
`Within these organizations, I served as general chair, PC chair or PC member of most
`
`flagship technical conferences in networking, real-time systems, and databases,
`
`including ACM Sigmetrics, IEEE Infocom, ACM PODC, IEEE ICNP, ACM MMSys,
`
`IEEE HotWeb, IEEE RTSS, IEEE RTAS, ICDCS, ACM LCTES, IEEE ICDE, ACM
`
`Sigmod, and VLDB. I co-organized formative workshops that led to ACM SIGPLAN
`
`LCTES and ACM SIGCOMM IMC. I have also served on the editorial board of major
`
`journals and periodicals, currently including IEEE Internet Computing and
`
`Communications of the ACM.
`
`6.
`
`Prior to joining the faculty at Boston University, from June 1988 to
`
`September 1991, I was a Research Fellow, Teaching Fellow, and Research Assistant
`
`at Harvard University. From September 1985 to June 1987, I was a Research
`
`Assistant, Teaching Assistant, and Instructor at Alexandria University (Egypt).
`
`7.
`
`I obtained my Ph.D. in Computer Science in 1992 from Harvard
`
`University under Thomas E. Cheatham, one of the “roots” of the academic genealogy
`
`of applied computer scientists. I also hold a Master of Science degree in Computer
`
`Science from Harvard University, which I obtained in 1988; a Master of Science
`
`degree in Computer Science and Automatic Control from Alexandria University,
`
`which I obtained in 1987; and a Bachelor of Science degree in Computer Engineering
`
`from Alexandria University, which I obtained in 1984.
`
`
`
`
`
`-5-
`
`FireEye - Exhibit 1002 Page 5
`
`

`
`8.
`
`I have studied, taught, practiced, and conducted research in Computer
`
`Science and Computer Engineering for more than 30 years. My expertise is in the
`
`broad fields of computer networking, distributed systems, and real-time computing,
`
`with significant experience in Web content caching and distribution systems, scalable
`
`Internet services, cloud computing, Internet architecture and networking protocols,
`
`among others.
`
`9.
`
`I have extensive consulting and industrial research experience, including
`
`past and current engagements with a number of technology firms, including BBN
`
`Technologies, Sycamore Networks, NetApp, Microsoft, Verizon Labs, Macromedia,
`
`Allaire, Bowne, SUTI Technologies, and AT&T Bell Labs. I have consulted and
`
`served on the technical advisory board of many companies, and I have been retained
`
`by a number of law firms as a consultant on intellectual property issues related to
`
`Internet technologies and applications.
`
`10. My curricular development efforts include my CS-350 course, which I
`
`developed and have taught since 1998. Through a rigorous treatment of the invariant
`
`concepts underlying computing systems design, CS-350 familiarizes students with
`
`canonical problems that reoccur in software systems, including operating systems,
`
`networks, databases, and distributed systems, and provides students with a set of
`
`classical algorithms and basic performance evaluation techniques for tackling such
`
`
`
`
`
`-6-
`
`FireEye - Exhibit 1002 Page 6
`
`

`
`problems. More recently, I have spearheaded a team effort to develop a set of courses
`
`for non-majors that can be used to introduce elements of mathematical abstraction,
`
`quantitative and methodical thinking, as utilized in mathematics, statistics, and
`
`computer science, with an emphasis on their relevance in our daily lives as reflected in
`
`widely used Internet and Web technologies and applications. In addition to these
`
`courses, I have taught undergraduate courses and graduate seminars on large-scale
`
`Internet systems, sensor networks, computer architecture, and real-time systems, and
`
`have guest-lectured in Sociology on issues related to Technology, Society and Public
`
`Policy.
`
`11. Over the years, my contributions in research, teaching, and service have
`
`been recognized by a number of awards, including multiple best-paper awards from
`
`IEEE and ACM conferences, multiple distinguished ACM and IEEE service awards,
`
`and being selected multiple times as a distinguished speaker of the IEEE Computer
`
`Society (last time in 2010). In 2010, I received the United Methodist Scholar Teacher
`
`Award in recognition of “outstanding dedication and contributions t3o the learning
`
`arts and to the institution” at Boston University, and the ACM Sigmetrics Inaugural
`
`Test of Time Award for research results “whose impact is still felt 10-15 years after its
`
`initial publication.”
`
`
`
`
`
`-7-
`
`FireEye - Exhibit 1002 Page 7
`
`

`
`12. A copy of my Curriculum Vitae, attached as EX10XX, contains further
`
`details on my education, experience, publications, patents, and other qualifications to
`
`render an expert opinion in this matter.
`
`II.
`
`SCOPE OF WORK
`13.
`
`I understand that a petition is being filed with the United States Patent
`
`and Trademark Office for Inter Partes Review of U.S. Patent No. 8,225,408 to Rubin
`
`et al. (“the ’408 Patent,” attached as EX1001), entitled “Method and System for
`
`Adaptive Rule-Based Content Scanners.”
`
`14.
`
`I have been retained by Blue Coat Systems, Inc. (“Blue Coat”) to offer an
`
`expert opinion on the patentability of the claims of the ’408 patent, as well as several
`
`other patents assigned to Finjan. I receive $550 per hour for my services. No part of
`
`my compensation is dependent on my opinions or on the outcome of this proceeding. I
`
`have previously testified for Blue Coat as an expert on the issue of noninfringement in
`
`case 13-cv-03999-BLF, which involved different patents. I do not have any other
`
`current or past affiliation as an expert witness or consultant with Blue Coat.
`
`15.
`
`I have been specifically asked to provide my opinions on claims 2, 8, 11,
`
`24-29, and 31-34 of the ’408 patent. In connection with this analysis, I have reviewed
`
`the ’408 patent and its file history. I have also reviewed and considered various other
`
`documents in arriving at my opinions, and may cite to them in this declaration. For
`
`
`
`
`
`-8-
`
`FireEye - Exhibit 1002 Page 8
`
`

`
`convenience, the information considered in arriving at my opinions is listed in
`
`Appendix A.
`
`III. OVERVIEW OF THE ’408 PATENT
`16.
`
`
`
`The ’408 patent is directed to protecting computers against
`
`potentially malicious programs using programming language-specific sets of rules and
`
`a “parse tree” data structure. EX1001 at Title, Abstract.
`
`17. The ’408 patent describes scanning an incoming stream of computer code
`
`by creating tokens, generating a parse tree using patterns in those tokens, and
`
`identifying patterns of tokens in the parse tree as potential exploits. See id. Patterns are
`
`identified using “parser rules” and “analyzer rules” specific to one of multiple
`
`programming languages. Accordingly, the challenged claims recite “multi-lingual”
`
`methods that determine a specific computer language from a plurality of languages
`
`and use a “scanner” specific to that language to scan the incoming stream of computer
`
`code.
`
`18. The ’408 patent was filed in August 2004 and was subject to a first office
`
`action rejecting and/or objecting to all claims in July 2008. Over the next four years,
`
`the applicant amended the claims in response to eight separate rejections. In 2012, the
`
`applicant substantially re-wrote the claims, adding additional limitations to the
`
`independent claims, including (1) multi-language processing capability and
`
`
`
`
`
`-9-
`
`FireEye - Exhibit 1002 Page 9
`
`

`
`(2) temporal restrictions regarding when the claimed system receives a data stream,
`
`builds a parse tree, and detects viruses within the parse tree. See EX1004 at 40-53.
`
`The claims were allowed following those additions. See EX1004 at 69-71.
`
`19.
`
`I understand that the priority date for a particular claim is based in part on
`
`when in a chain of related patents the written description that supports that claim first
`
`appeared. The ’408 patent was filed on August 30, 2004, as a continuation-in-part of
`
`Application No. 09/539,667 (now U.S. Patent No.6,804,780), filed on March 30,
`
`2000, which is itself a continuation of Application No. 08/964,388 (now U.S. Patent
`
`No. 6,092,194), filed on November 6, 1997.
`
`20. Although filed as a continuation-in-part, the ’408 patent shares almost
`
`nothing with the earlier-filed applications. For example, the ’667 and ’388
`
`applications do not mention “tokens” or “parse trees,” elements that appear throughout
`
`all claims of the ’408 patent. See EX1005, EX1006. The earliest specification that a
`
`person of skill in the art would recognize as providing a description of the subject
`
`matter of those claims was the application filed August 30, 2004, that later issued as
`
`the ’408 patent. See EX1001. As such, the challenged claims are entitled to a priority
`
`date no earlier than August 30, 2004, the ’408 patent’s own filing date.
`
`
`
`
`
`-10-
`
`FireEye - Exhibit 1002 Page 10
`
`

`
`IV. LEGAL STANDARD
`21.
`
`I understand that a claimed invention is not patentable under 35 U.S.C.
`
`§ 103, for obviousness if the differences between the invention and the prior art are
`
`such that the subject matter as a whole would have been obvious at the time the
`
`invention was made to a person having ordinary skill in the art to which the subject
`
`matter pertains.
`
`22.
`
`It is further my understanding that a determination of obviousness
`
`requires inquiries into: (1) the scope and contents of the art when the invention was
`
`made; (2) the differences between the art and the claims at issue; (3) the level of
`
`ordinary skill in the pertinent art when the invention was made; and, to the extent they
`
`exist, (4) secondary indicia of obviousness.
`
`23.
`
`I understand that a claim can be found to be obvious if all the claimed
`
`elements were known in the prior art and one skilled in the art could have combined
`
`the elements as claimed by known methods with no change in their respective
`
`functions, and the combination would have yielded nothing more than predictable
`
`results to one of ordinary skill in the art.
`
`24.
`
`I understand that hindsight must not be used when comparing the prior
`
`art to the invention for obviousness. Thus, a conclusion of obviousness must be firmly
`
`based on knowledge and skill of a person of ordinary skill in the art at the time the
`
`invention was made without the use of post-filing knowledge.
`
`-11-
`
`
`
`FireEye - Exhibit 1002 Page 11
`
`

`
`25.
`
`I understand that in order for a claimed invention to be considered
`
`obvious, there must be some rational underpinning for combining cited references as
`
`proposed.
`
`26.
`
`I understand that obviousness may also be shown by demonstrating that it
`
`would have been obvious to modify what is taught in a single piece of prior art to
`
`create the patented invention. Obviousness may be shown by showing that it would
`
`have been obvious to combine the teachings of more than one item of prior art. In
`
`determining whether a piece of prior art could have been combined with other prior art
`
`or with other information within the knowledge of one of ordinary skill in the art, the
`
`following are examples of approaches and rationales that may be considered:
`
`(a) Combining prior art elements according to known methods to yield
`
`predictable results;
`
`(b)
`
`Simple substitution of one known element for another to obtain
`
`predictable results;
`
`(c) Use of a known technique to improve similar devices (methods, or
`
`products) in the same way;
`
`(d) Applying a known technique to a known device (method, or product)
`
`ready for improvement to yield predictable results;
`
`
`
`
`
`-12-
`
`FireEye - Exhibit 1002 Page 12
`
`

`
`(e) Applying a technique or approach that would have been “obvious to try”
`
`(choosing from a finite number of identified, predictable solutions, with a
`
`reasonable expectation of success);
`
`(f) Known work in one field of endeavor may prompt variations of it for use
`
`in either the same field or a different one based on design incentives or other
`
`market forces if the variations would have been predictable to one of ordinary
`
`skill in the art; or
`
`(g)
`
`Some teaching, suggestion, or motivation in the prior art that would have
`
`led one of ordinary skill to modify the prior art reference or to combine prior art
`
`reference teachings to arrive at the claimed invention.
`
`V. OVERVIEW OF THE PRIOR ART
`27.
`
`In my opinion, and as explained in further detail below, claims 2, 8, 11,
`
`and 24-28, and 30-34 of the ’408 patent fail to identify anything new or significantly
`
`different from what was already known to individuals of skill in the field prior to the
`
`filing of the application that led to the ’408 patent, including prior to August 30, 2004.
`
`28. Below is an overview of certain of the main prior art references that I rely
`
`on for my opinion that claims 2, 8, 11, and 24-28, and 30-34 of the ’408 are
`
`unpatentable: Chandnani, Kolawa, Knuth, Huang, and Walls.
`
`A. Chandnani
`29. U.S. Patent Appl. Pub. No. 2002/0073330 (“Chandnani,” EX1007), titled
`
`“Detection of Polymorphic Script Language Viruses by Data Driven Lexical
`
`
`
`
`
`-13-
`
`FireEye - Exhibit 1002 Page 13
`
`

`
`Analysis,” was filed on July 14, 2001. I understand that Chandnani is prior art under
`
`35 U.S.C. § 102(b) because it was published on June 13, 2002, more than one year
`
`before the filing date of the ’408 patent.
`
`30. Chandnani teaches detecting polymorphic script language viruses using
`
`data-driven lexical analysis. EX1007 at [0002]. Like the ’408 patent, Chandnani scans
`
`for polymorphic viruses—those that have slightly different code but the same
`
`malicious functionality—by converting a data stream into a stream of tokens and then
`
`searching for patterns that indicate the presence of potentially malicious programs. Id.
`
`at [0014]-[0020], [0056]-[0065]. Also like the ’408 patent, Chandnani scans a
`
`continuous stream of data, and continues to receive upstream data while analyzing
`
`downstream data. See, e.g., id. at [0057] (describing the data stream as a series of
`
`characters), [0060] (describing a two-stage detection process), Fig. 2.
`
`31. Although Chandnani may not expressly describe how tokens are parsed
`
`and analyzed, Chandnani’s disclosure of parsing a stream into tokens and then storing
`
`those tokens suggests and implicitly teaches using a parse tree because a person of
`
`ordinary skill in the art understood that the obvious place to store those tokens was in
`
`a parse tree. See EX1007 at [0040]-[0046]; below ¶¶ 102-109.
`
`32.
`
`In addition, using a parse tree to store portions of an incoming data
`
`stream was obvious, as illustrated by prior art such as Kolawa. Use of a parse tree data
`
`
`
`
`
`-14-
`
`FireEye - Exhibit 1002 Page 14
`
`

`
`structure to represent and analyze computer code was well-known by 2004. Numerous
`
`prior art references describe the use of parse trees for these purposes, including the
`
`following:
`
`• EX1008 (Kolawa) at 3:8-12 (“The parse tree is searched for a match
`
`between such a node in the parse tree having a node type that matches
`
`such a node type in the set of node types for the selected quality rule.”),
`
`5:62-64 (“The quality of the source code 10 is checked on an individual
`
`parse tree basis.”)
`
`• EX1012 at 5:19-22 (“[I]nterceptor determines if the data retrieval request
`
`corresponds to at least one of the rules of the security policy, and
`
`identifies, via a parse tree, selectivity operators indicative of the
`
`allowable data items to be retrieved.”)
`
`• EX1013 at 5 (“The parser output is a full parse tree (a collection of
`
`nodes, each representing a piece of the SQL such as an operator,
`
`function, or value), which reflects all the SQL grammar.”) (“[T]he
`
`firewall compares this parse tree with the rules you’ve devised.”)
`
`• EX1014 at 5:3-5 (“[P]arser 20 processes the suspect string 26 and suspect
`
`filed [sic] 27 on a line-by-line basis and generates a hierarchical parse
`
`tree, as is known in the art.”)
`
`-15-
`
`
`
`
`
`FireEye - Exhibit 1002 Page 15
`
`

`
`• EX1015 at 14:25-28 (“Parser 296 identifies non-terminals and valid
`
`strings and creates a parse tree.”)
`
`• EX1016 at 13:34-36 (“[S]erver 102 converts the source-code instructions
`
`of the submitted query into a parse tree.”)
`
`B. Kolawa
`33. U.S. Patent No. 5,860,011 (“Kolawa,” EX1008), titled “Method and
`
`System for Automatically Checking Computer Source Code Quality Based on Rules,”
`
`was filed on February 19, 1996. I understand that Kolawa is prior art under 35 U.S.C.
`
`§ 102(b) because it issued on January 12, 1999, more than one year before the August
`
`30, 2004 filing date of the ’408 patent.
`
`34. Kolawa teaches a method and system for rule-based evaluation of source
`
`code quality. EX1008 at 1:19-22. In particular, Kolawa discloses using a
`
`“conventional” lexical analyzer that scans code, groups it into tokens, and organizes
`
`the tokens using a parse tree:
`
`The source code 10 is read as input to a lexical analyzer/parser 11 which
`
`is conventional in the art. The lexical analyzer scans the source code 10
`
`and groups the instructions into tokens. The parser performs the
`
`hierarchical analysis which groups the tokens into grammatical phrases
`
`that are represented by a parse tree 12.
`
`
`
`
`
`-16-
`
`FireEye - Exhibit 1002 Page 16
`
`

`
`Id. at 3:66-4:4; see also id. at Fig. 1. Kolawa then searches the parse tree to identify
`
`problematic code based on a set of rules. See id. at 4:48-59. Kolawa reports rule
`
`violations as error messages that describe the corresponding quality concern. Id. at
`
`4:59-60. Kolawa discloses an embodiment that supports two different programming
`
`languages and notes that support for additional languages is also possible. Id. at 3:53-
`
`56.
`
`C. Knuth
`35.
`
`“On the Translation of Languages from Left to Right” (“Knuth,”
`
`EX1009) was published in Information and Control in 1965. I understand that Knuth
`
`is prior art under 35 U.S.C. § 102(b) because it was published more than one year
`
`before the August 30, 2004 filing date of the ’408 patent.
`
`36. Knuth is a foundational paper describing the parsing of programming
`
`languages from left-to-right. EX1009 at Abstract. Knuth provides examples of
`
`parsing code and building parse trees using a shift-and-reduce process. EX1009 at
`
`618-625, Tables I and II. In one example, detailed in Table I, Knuth describes the
`
`shift and reduce process: “’Shift’ means ‘perform the shift left operation’ mentioned
`
`in step 2; ‘reduce p’ means ‘perform the transformation (21) with production p.’”
`
`EX1009 at 620. Knuth also describes the basic parsing steps of recursively matching
`
`
`
`
`
`-17-
`
`FireEye - Exhibit 1002 Page 17
`
`

`
`patterns in strings and generating parent nodes attached to those patterns, thereby
`
`generating a parse tree. EX1009 at 609-610.
`
`D. Huang
`37. U.S. Patent No. 6,968,539 (“Huang,” EX1010), titled “Methods and
`
`Apparatus for a Web Application Processing System,” was filed on August 4, 2000. I
`
`understand that Huang is prior art under 35 U.S.C. § 102(e) because it was filed before
`
`the August 30, 2004 filing date of the ’408 patent.
`
`38. Huang teaches a method and system for installing and processing web
`
`applications written as web pages that have access to the full range of operating
`
`system resource, including resources not typically accessible through a web browser.
`
`EX1010 at Abstract, 5:7-20. Huang teaches that scripting languages such as
`
`JavaScript are commonly used in web content such as HTML documents, and that
`
`they can be provided as program code embedded in an HTML document. EX1010 at
`
`8:57-64
`
`39. Huang further teaches a method and system for parsing, for example, the
`
`HTML code of the web applications to determine whether it contains references to
`
`Uniform Resource Locators (URLs) of web objects that may not be allowed by the
`
`web application’s security setting. Id. at 10:25-36. Huang teaches that if a violation is
`
`
`
`
`
`-18-
`
`FireEye - Exhibit 1002 Page 18
`
`

`
`detected, for example, if the HTML code includes a link to an URL that is not allowed
`
`by the security setting, an exception is generated. EX1010 at 10:31-40.:
`
`E. Walls
`40. U.S. Patent No. 7,284,274 (“Walls,” EX1011), titled “System and
`
`Method for Identifying and Eliminating Vulnerabilities in Computer Software
`
`Applications,” was filed on January 18, 2002. I understand that Walls is prior art
`
`under 35 U.S.C. § 102(e) because it was filed before the August 30, 2004 filing date
`
`of the ’408 patent.
`
`41. Walls, like Kolawa, teaches a methodology for identifying potential
`
`source code vulnerabilities. EX1011 at Abstract. Walls, like Kolawa, generates a parse
`
`tree of the code being analyzed and then searches the parse tree for matches that
`
`indicate potential vulnerabilities. Id. at 7:25-31, 8:31-36. Walls uses a “pipelined”
`
`approach to analyze code in stages, such that different parts of a single code stream
`
`can be parsed and analyzed at the same time. Id. at 7:3-6. One advantage of this
`
`technique is “the advantage of pipelining the process where multiple components can
`
`be analyzed simultaneously.” Id. at 7:7-11.
`
`F.
`Art
`42.
`
`Chandnani, Kolawa, Knuth, Huang, and Walls Are All Analogous
`
`I understand that to combine prior art references when evaluating
`
`validity, those references must generally be “analogous.” To be analogous, the art
`
`
`
`
`
`-19-
`
`FireEye - Exhibit 1002 Page 19
`
`

`
`must be in the same field of endeavor as the ’408 patent and/or must be pertinent to
`
`the problems to which the ’408 patent is directed.
`
`43. This requirement is met by each of the references that are used in
`
`combination in this declaration. Each reference is in the same field of endeavor as the
`
`’408 patent—a field that includes rule-driven “content scanners” for analyzing
`
`program code. See EX1001 at Title, Abstract.
`
`44. Although the ’408 patent focuses on detecting potentially malicious code,
`
`a POSA would have understood that scanning for malicious code involves the same or
`
`similar techniques as scanning for related code quality and security issues. Most of the
`
`written description in the ’408 patent focuses on the structure and function of the
`
`patent’s rule-based scanner, rather than on what the scanner is trying to detect. See,
`
`e.g., EX1001 at 6:14-16, Figs. 1-4.
`
`45. The rule-based nature of the ’408 patent’s scanner means that the
`
`underlying structure of the purported invention would not change based on what type
`
`of code is being scanned. Instead, because rules can be established to search for
`
`arbitrary patterns, the only change necessary to convert from scanning for exploits to
`
`scanning for code vulnerabilities (or other code quality issues) would be the inclusion
`
`of rules designed specifically to search for tokens and patterns of tokens indicative of
`
`code quality problems. See EX1001 at 6:17-20 (“An ARB scanner system is
`
`
`
`
`
`-20-
`
`FireEye - Exhibit 1002 Page 20
`
`

`
`preferably designed as a generic architecture that is language independent, and is
`
`customized for a specific language through use of a set of language-specific rules.”);
`
`6:35-37 (“It may thus be appreciated that the present invention provides a flexible
`
`content scanning method and system, which can be adapted to any language syntax.”).
`
`46. Detection of exploits is closely intertwined with detection of code
`
`weaknesses because malware often takes advantage of and attacks vulnerabilities and
`
`other weaknesses in software code:
`
`For an experienced hacker or rogue insider, manipulating software to this
`
`end is made especially easy due to the variety of information and tools
`
`available on-line. An attacker’s biggest challenge is simply finding the
`
`vulnerabilities in the context of a large business application.
`
`EX1017 at 1:43-48.
`47.
`
`In some respects, the only difference between a code quality problem and
`
`a vulnerability to a malicious virus is the intent of the person who creates or exploits
`
`the problem. A quality problem, such as a pattern of code that creates a security hole,
`
`might be innocently created by one programmer. That same security hole might also
`
`be used by a hacker to propagate a virus.
`
`48. Prior art references confirm the link between code quality and malicious
`
`software attacks. For example, the ARCHER reference shows that coding errors “can
`
`be exploited by malicious attackers to compromise a system.” EX1018 at 1. Similarly,
`
`
`
`
`
`-21-
`
`FireEye - Exhibit 1002 Page 21
`
`

`
`the Chess patent notes that “security vulnerabilities are subtle, logical errors that can
`
`span thousands of lines of code” and that an “attacker’s biggest challenge is simply
`
`finding the vulnerabilities in the context of a large business application.” EX1017 at
`
`2:25-28, 1:46-48.
`
`49. As discussed in more detail below, each reference combined in this
`
`declaration is directed to scanning and analyzing programming code and to scanning
`
`for potential exploits and/or other security concerns. For example, Chandnani is
`
`directed to analyzing code to detect potential viruses. See id.; EX1007. Kolawa
`
`discloses rule-based systems for detecting potential problems in source code. See
`
`EX1008 at 2:34-36 (“automatically checking source code quality based on rules”).
`
`Knuth is a foundational paper describing the parsing of programming languages from
`
`left-to-right. EX1009 at Abstract. Huang is directed to analyzing the code of web
`
`application to ensure, among other things, that no security rules are violated. See
`
`EX1010. Walls scans for security vulnerabilities in programming code. See EX1011.
`
`50. Chandnani is directed to rule-driven code scanning. Chandnani uses the
`
`term “data driven” in its title and through its specification. See EX1007. A person of
`
`ordinary skill in the art would have understood “data driven” to be synonymous with
`
`“rule-based,” not least because Chandnani equates the two. Id. at [0069] (“a rule-
`
`based approach may be used for script language detection”). Like the ’408 patent,
`
`
`
`
`
`-22-
`
`FireEye - Exhibit 1002 Page 22
`
`

`
`Chandnani can search for different patterns by modifying the data that defines those
`
`patterns. Id. at [0055]. Also like the ’408 patent, Chandnani parses suspect code into
`
`tokens and can detect token patterns that correspond to potential exploits even if the
`
`byte-for-byte coding of those tokens differs from one iteration to another.
`
`51. Kolawa is also directed to rule-driven code scanning. Kolawa’s
`
`disclosure focuses on rule-based systems for analyzing code to identify potential
`
`problems in the code. EX1008 at 2:34-37 (“automatically checking source code
`
`quality based on rules”), Title (“Method and System for Automatically Checking
`
`Computer Source Code Quality Based on Rules”). Kolawa also describes its systems
`
`as a scanner. Id. at 3:66-4:2. Although Kolawa’s rule-based scanner is intended to
`
`detect “program errors and bugs of all kinds” (as opposed to the “potential exploits”
`
`described in the ’408 patent), both references detect potentially harmful patterns in
`
`code, notwithstanding the intent of the code’s author. Id. at 1:26-29.
`
`52. A person of ordinary skill in the art would understand that Kolawa is
`
`directed to the same general