`_____________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`_____________________
`
`Cisco Systems, Inc.,
`Petitioner,
`
`v.
`
` Finjan, Inc.,
`Patent Owner.
`____________
`
`U.S. Patent No. 8,677,494
`Issue Date: March 18, 2014
`Title: Malicious Mobile Code Runtime Monitoring System and Methods
`_____________________
`
`Inter Partes Review No.: Unassigned
`_____________________
`
`PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,677,494
`UNDER 35 U.S.C. §§ 311-319 and 37 C.F.R. §§ 42.1-.80, 42.100-.107
`
`
`
`
`
`
`
`
`Mail Stop “PATENT BOARD”
`Patent Trial and Appeal Board
`U.S. Patent and Trademark Office
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
`
`
`
`
`TABLE OF CONTENTS
`
`Page
`I.
`INTRODUCTION ........................................................................................... 1
`OVERVIEW .................................................................................................... 1
`II.
`III. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8 ................................ 4
`A.
`Real Party-in-Interest (37 C.F.R. § 42.8(b)(1)) ..................................... 4
`B.
`Related Matters (37 C.F.R. § 42.8(b)(2)) .............................................. 4
`1.
`Judicial Matters ......................................................................... 4
`2.
`Administrative Matters ............................................................ 5
`3.
`Related Patents .......................................................................... 5
`Lead/Back-up Counsel (37 C.F.R. § 42.8(b)(3)) .................................. 6
`C.
`D. Notice of Service Information (37 C.F.R. § 42.8(b)(4)) ....................... 6
`IV. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A)) ............................. 6
`V. RELIEF REQUESTED (37 C.F.R. § 42.22(A)) .......................................... 6
`VI. REASONS FOR THE REQUESTED RELIEF .......................................... 6
`A.
`Summary of the ‘494 Patent .................................................................. 7
`B.
`Prosecution History ............................................................................. 10
`C.
`Claim Construction ............................................................................. 11
`1.
`The Applicable Claim Construction Standard .................... 11
`“a list of suspicious computer operations” (Claim 10) ........... 11
`2.
`Priority Date of the Challenged Claims .............................................. 12
`Person of Ordinary Skill in the Art ..................................................... 12
`State of the Art .................................................................................... 13
`
`D.
`E.
`F.
`
`
`
`
`i
`
`
`
`
`
`VII. IDENTIFICATION OF CHALLENGES .................................................. 24
`A.
`Challenged Claims .............................................................................. 24
`B.
`Statutory Grounds for Challenges ....................................................... 24
`VIII. IDENTIFICATION OF HOW THE CHALLENGED CLAIMS
`ARE UNPATENTABLE ............................................................................. 26
`A.
`Challenge 1: Claims 10, 11, 14, 15 and 16 Are Obvious Over
`Shear in View of Kerchen ................................................................... 26
`1.
`The Shear Reference ............................................................... 26
`2.
`The Kerchen Reference .......................................................... 33
`3.
`The Motivation to Combine Shear with Kerchen ................ 35
`4.
`Detailed Application of Shear and Kerchen to Claims ....... 37
`Challenge 2: Claims 10, 11, 14, 15 and 16 Are Obvious Over
`Crawford 91 in view of Knowledge of a POSA ................................. 56
`1.
`The Crawford 91 Reference ................................................... 56
`2.
`Detailed Application of Crawford 91 to the Claims ............ 58
`IX. CONCLUSION ............................................................................................ 70
`
`
`
`B.
`
`
`
`
`ii
`
`
`
`
`
`
`
` Exhibit #
`1001
`
`1002
`
`1003
`1004
`
`1005
`
`1006
`1007
`1008
`
`1009
`1010
`1011
`
`1012
`
`1013
`
`1014
`1015
`
`
`
`
`Petitioner’s Exhibit List
`
`Description
`
`U.S. Patent No. 8,677,494 entitled “System and Method of Attaching a
`Downloadable Security Profile to a Downloadable”, issued November
`28, 2000 to Touboul, et al. (“the ‘494 Patent”)
`Select portions of the prosecution history of the ‘494 Patent (“File
`History”)
`Declaration of Petitioner’s Expert Dr. Paul Clark (“Clark”)
`U.S. Patent No. 6,157,721 entitled “Systems and Methods Using
`Cryptography to Protect Secure Computing Environments”, issued
`December 5, 2000 to Shear (“Shear”)
`U.S. Patent Application Serial No. 08/388,107 entitled “Systems and
`Methods for Secure Transaction Management and Electronic Rights
`Protection,” filed February 13, 1995 by Ginter (“Ginter”)
`Intentionally Left Blank
`Intentionally Left Blank
`“Network Firewalls,” IEEE Communications Magazine, Steven M.
`Bellovin and William R. Cheswick, September 1994 (“Bellovin”)
`Intentionally Left Blank
`Intentionally Left Blank
`A Testbed for Malicious Code Detection: A Synthesis of Static and
`Dynamic Analysis Techniques, 14th Department of Energy Computer
`Security Group Conference Proceedings, R. Crawford et al., May 1991
`(“Crawford ‘91”)
`U.S. Patent No. 5,623,600 entitled “Virus Detection and Removal
`Apparatus for Computer Networks,” issued April 22, 1997 to Ji et al.
`(“Ji”)
`Dynamic Detection and Classification of Computer Viruses Using
`General Behavior Patterns, Virus Bulletin Conference, Morton
`Swimmer, September 1995 (“Swimmer”)
`Intentionally Left Blank
`“Microsoft and VeriSign Provide First Technology for Secure
`Downloading of Software Over the Internet,” Microsoft PressPass,
`August 7, 1996 (“MS-96”)
`
`iii
`
`
`
`
`
` Exhibit #
`1016
`
`1017
`
`1018
`1019
`
`1020
`
`1021
`
`1022
`
`1023
`
`1024
`
`1025
`
`1026
`
`1027
`1028
`1029
`1030
`
`
`
`
`Description
`
`U.S. Patent No. 6,195,587 entitled “Validity Checking,” issued
`February 27, 2001 to Hruska (“Hruska”)
`Automated Assistance for Detecting Malicious Code, Sixth
`International Computer Security & Virus Conference & Expo,
`Crawford et al., June 18, 1993 (“Automated Tools”)
`Listing of Related Patents
`Static Analysis Virus Detection Tools for Unix Systems, 13th National
`Computer Security Conference, Volume 1, Information Systems
`Security: Standards-the Key to the Future, Kerchen et al., 1990
`(“Kerchen”)
`Identifying and Controlling Undesirable Programs Behaviors, 14th
`National Computer Security Conference, King, October 1991
`(“King”)
`U.S. Provisional Application No. 60/030,639, entitled “System and
`Method for Protecting a Computer and a Network from Hostile
`Downloadables,” filed November 8, 1996, by Touboul et al. (“the ’639
`Provisional”)
`U.S. Application Serial No. 08/964,388 entitled “System and Method
`for Protecting a Computer and a Network from Hostile
`Downloadables,” filed November 6, 1997 by Touboul (“the ‘388
`Application”)
`PACL’s An Access Control List Approach to Anti-Virus Security,
`Wichers et al., 13th Nat’l Computer Security Conference, Proceedings,
`October 1-4, 1990 (“Wichers”).
`Java Security: From HotJava to Netscape and Beyond, Dean et al.,
`1996.
`Software Architecture To Support Misuse Intrusion Detection,
`Spafford et al., March 1995.
`1996 CERT Advisories, Software Engineering Institute, Carnegie
`Mellon University.
`Declaration of Ingrid Hsieh-Yee, dated September 21, 2017
`Declaration of Justus L. Getty, Esq., dated September 19, 2017
`Intentionally Left Blank
`Select pages of 13th National Computer Security Conference,
`Proceedings, Volume 1, Information Security Systems: Standards-The
`Key to the Future, October 1990.
`iv
`
`
`
`
`
` Exhibit #
`1031
`
`1032
`
`1033
`
`1034
`
`1035
`
`1036
`
`1037
`
`1038
`
`
`
`Description
`
`An Intrusion-Detection Model, IEEE Transactions on Software
`Engineering, Vol. SE-13, No. 2, Dorothy E. Denning, February 1987
`(“Denning”)
`Copy of the public catalog of the library at Purdue University
`identifying the Proceedings of the 13th National Computer Science
`Conference as part of its holdings.
`MARC record for the Proceedings of the 13th National Computer
`Security Conference created by the Purdue University Library
`Copy of the public Catalog of US Government Publications (CGP)
`identifying the Proceedings of 14th Department of Energy Computer
`Security Group Conference as published by the GPO.
`MARC record for the Proceedings of 14th Department of Energy
`Computer Security Group Conference created by GPO.
`Copy of the public card catalog of the University of Virginia Library
`identifying the Proceedings of 14th Department of Energy Computer
`Security Group Conference.
`MARC record from the University of Virginia Library for the
`Proceedings of 14th Department of Energy Computer Security Group
`Conference
`Declaration of John Hawes.
`
`
`
`
`v
`
`
`
`
`
`I.
`
`INTRODUCTION
`Pursuant to 35 U.S.C. § 311 et seq. and 37 C.F.R. § 42.1 et seq., Cisco
`
`Systems, Inc. (“Petitioner”) hereby petitions for an inter partes review of U.S.
`
`Patent No. 8,677,494 (“the ‘494 Patent”). Petitioner respectfully submits that
`
`Claims 10, 11, 14, 15 and 16 (the “Challenged Claims”) of the ‘494 Patent are
`
`unpatentable under 35 U.S.C. § 103 in view of the prior art references discussed
`
`herein. This Petition demonstrates by a preponderance of the evidence that there is
`
`a reasonable likelihood that Petitioner will prevail with respect to at least one of
`
`these claims. Accordingly, it is respectfully requested that the Board institute an
`
`inter partes review of the ‘494 Patent pursuant to 37 C.F.R. § 42.108.
`
`II. OVERVIEW
`The Challenged Claims are unpatentable as obvious over the prior art. The
`
`claims are directed to prior art systems and combinations of conventional
`
`components to perform conventional functions that were well-known in the art of
`
`protecting computers against computer viruses and computer programs with
`
`suspicious code.
`
`More specifically, the ‘494 Patent describes a system receiving a computer
`
`program and deriving a “Downloadable security profile” for the computer
`
`program. The “Downloadable security profile” is then stored in a database for
`
`later use. According to the ‘494 Patent, this “Downloadable security profile” is
`
`
`
`
`1
`
`
`
`
`
`derived using conventional “computer-based software testing techniques”. The
`
`“Downloadable security profile” includes an identification of operations that would
`
`be performed by the computer program which may be considered suspicious—in
`
`other words, operations that may be undesirable because they could harm a
`
`computer. The “Downloadable security profile” is saved so that a downstream user
`
`can examine the “Downloadable security profile” and determine whether it
`
`complies with the security policy of the user before the user’s computer executes
`
`the computer program. Long before the filing of the ‘494 Patent, the claimed
`
`“Downloadable security profile” was already known as a “specification.” As
`
`discussed in more detail in the State of the Art section below, a “specification” was
`
`used to combat what the prior art referred to as the “undecidable” problem – which
`
`was the problem that it is impossible to be 100% sure that a given computer
`
`program is safe. The prior art used methods of analyzing a computer program –
`
`including both “static” and “dynamic” methods – to generate these specifications.
`
`The prior art understood that these were subject to the “undecidable” problem,
`
`meaning that these detection methods could only positively determine if a virus or
`
`malware was present, but could not positively declare the program was free of
`
`viruses or malware.
`
`The “undecidable” problem was further complicated by executable code
`
`(e.g., java, ActiveX, and JavaScript) that when executed would perform seemingly
`
`
`
`
`2
`
`
`
`
`
`innocuous and ubiquitous operations such as “read” and “write.” Often, however,
`
`these operations were not innocuous but rather were intended to do harm. The
`
`content, functions and operations of programs were therefore analyzed (via “static”
`
`or “dynamic” analysis) and identified in an associated specification (which the
`
`prior art also referred to as a “class” or a “profile”). This specification could then
`
`be passed downstream to users. In the event that the performed analysis did not
`
`detect any known virus or malware, the downstream users understood that there
`
`were still operations/code within the program that could be harmful and should be
`
`considered suspicious. With this knowledge, the downstream user was empowered
`
`to take the appropriate action tailored for that user by applying the user’s security
`
`policy. Thus, the downstream user could decide what level of risk to take, i.e., the
`
`downstream user could use its own security policies to decide whether the
`
`description in the specification was acceptable, or posed too high a risk. CS-1008
`
`p. 50.
`
`Ground 1 is based on Shear and Kerchen, and Ground 2 is based on
`
`Crawford 91. Both Shear and Crawford 91 disclose a system for receiving a
`
`computer program and deriving a “specification” for the computer program. These
`
`references disclose creating the specification by using conventional computer-
`
`based software testing techniques, such that the specification can be used in the
`
`same way and for the same purpose as described in the ‘494 Patent.
`
`
`
`
`3
`
`
`
`
`
`
`Both Kerchen and Crawford 91, in turn, describe specific conventional
`
`computer-based software testing techniques that can be used to identify suspicious
`
`code in the computer program – in other words, they describe the well-known
`
`techniques used to create a “specification” (i.e., a “Downloadable security
`
`profile”).
`
`Finally, the storage of the specification in a database was a conventional
`
`design choice, and is not even suggested as an inventive step in the ‘494 Patent.
`
`Because these references are all directed to the same problem and describe
`
`different levels of detail regarding the same set of solutions, these references are
`
`naturally combined together, and the combination discloses each limitation recited
`
`in the Challenged Claims. CS-1003 ¶75.
`
`
`
`III. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8
`A. Real Party-in-Interest (37 C.F.R. § 42.8(b)(1))
`The real party-in-interest in this Petition is Cisco Systems, Inc.
`
`B. Related Matters (37 C.F.R. § 42.8(b)(2))
`1.
`Judicial Matters
`As of the filing date of this Petition and to the best knowledge of Petitioner,
`
`the ‘494 Patent is involved in the following litigations:
`
`Finjan, Inc. v. Symantec Corp., 3:14-cv-02998 (N.D. Cal. 2014)
`
`Finjan, Inc. v. Websense, Inc., 3:14-cv-01353 (N.D. Cal. 2014)
`4
`
`
`
`
`
`
`
`
`
`Finjan, Inc. v. Palo Alto Networks, Inc., 3:14-cv-04908 (N.D. Cal. 2014)
`
`Finjan, Inc. v. Sophos, Inc., 3:14-cv-01197 (N.D. Cal. 2014)
`
`Finjan, Inc. v. Blue Coat Systems, Inc., 5:15-cv-03295 (N.D. Cal. 2015)
`
`Finjan, Inc. v. Cisco Systems, Inc., 5:17-cv-00072 (N.D. Cal. 2017)
`
`2.
`Administrative Matters
`As of the filing date of this Petition and to the best knowledge of Petitioner,
`
`the ’494 Patent was subject to the following inter partes reviews:
`
`Sophos, Inc. v. Finjan, Inc., IPR2015-01022 (review not instituted)
`
`Symantec Corp, and Blue Coat Systems, Inc., v. Finjan, Inc., IPR2015-
`
`018921 (Claims 1, 2 and 6 found unpatentable)
`
`Symantec Corp., v. Finjan, Inc., IPR2015-01897 (review not instituted)
`
`Palo Alto Networks, Inc., v. Finjan, Inc., IPR2016-00159 (Claims 1, 2 and 6
`
`found unpatentable.)
`
`Blue Coat Systems, Inc. v. Finjan, Inc., IPR2016-01443 (review not
`
`instituted).
`
`3.
`Related Patents
`See Exhibit CS-1018.
`
`
`1 Blue Coat Systems, Inc., v. Finjan, Inc., IPR2016-00890 was joined with
`
`IPR2015-01892.
`
`
`
`
`
`
`5
`
`
`
`
`
`
`C. Lead/Back-up Counsel (37 C.F.R. § 42.8(b)(3))
`
`Lead Counsel: Patrick D. McPherson, USPTO Reg. No. 46,255
`DUANE MORRIS LLP, 505 9th St. NW, Suite 1000, Washington, D.C. 20004
`P: (202) 776-5214; F: (202) 776-7801; PDMcPherson@duanemorris.com
`
`Back-Up Counsel: Patrick Muldoon, USPTO Reg. No. 47,343
`DUANE MORRIS LLP, 505 9th St. NW, Suite 1000, Washington, D.C. 20004
`P: (202) 776-7840; F: (202) 776-7801; PCMuldoon@duanemorris.com
`D. Notice of Service Information (37 C.F.R. § 42.8(b)(4))
`Please direct all correspondence to lead and back-up counsel at the above
`
`addresses. Petitioner consents to electronic service at the email addresses above.
`
`IV. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))
`Petitioner certifies that the Patent for which review is sought is available for
`
`inter partes review and that Petitioner is not barred or estopped from requesting an
`
`inter partes review of the Challenged Claims on the grounds identified herein. 37
`
`C.F.R. § 42.104(a). This Petition is filed pursuant to 37 C.F.R. § 42.106(a).
`
`V. RELIEF REQUESTED (37 C.F.R. § 42.22(A))
`Petitioner respectfully requests institution of an inter partes review pursuant
`
`to 37 C.F.R. § 42.108 and cancellation of the Challenged Claims of the ‘494
`
`Patent.
`
`VI. REASONS FOR THE REQUESTED RELIEF
`As explained in §§ II and VII-VIII of this Petition and in the attached
`
`Declaration of Petitioner’s Expert, Dr. Paul Clark (“Clark,” CS-1003), the systems
`
`
`
`
`6
`
`
`
`
`
`and methods of deriving and storing a Downloadable security profile that is
`
`described and claimed in the ‘494 Patent were known or were obvious over the
`
`prior art. As detailed in §§ II and VII-VIII, this Petition and Dr. Clark explain
`
`where each element is found in the prior art and why each claim would have been
`
`obvious to a person of ordinary skill in the art (“POSA”) at the time of the
`
`invention.
`
`A.
`Summary of the ‘494 Patent
`The ’494 Patent generally relates to the protection of computers from
`
`potentially undesirable or suspicious software programs or code, referred to as
`
`“Downloadables,” that are received over a network. CS-1001 Abstract, 1:59-63,
`
`2:22-3:9. According to the ‘494 Patent, a Downloadable is “received information
`
`[that] includes executable code.” CS-1001 3:3-8, 4:5-14, 5:64-6:2, 9:46-52, 15:22-
`
`39. Some examples of Downloadables described in the ‘494 Patent specification
`
`include the following: distributed components; Java applets; JavaScript scripts;
`
`ActiveX controls; and VisualBasic scripts. CS-1001 Abstract, 2:22-30 & 59-64,
`
`9:46-52.
`
`While asserted in the Claims, the written description of the ‘494 Patent does
`
`not include the term “scanner”, nor does it describe a scanner “for deriving security
`
`profile data.” However, other patent applications to which the ‘494 Patent claims
`
`priority (e.g., the ’639 Provisional, CS-1021, and the ‘388 Application, CS-1022)
`
`
`
`
`7
`
`
`
`
`
`provide a disclosure corresponding to how the Downloadable security profile
`
`(called the “DSP” in the ‘388 Application) is derived – but those applications only
`
`refer to “conventional” techniques for the details. For example, the ’388
`
`Application explains that a Downloadable is “received from [an] external computer
`
`network” and delivered to a “code scanner” that “uses conventional parsing
`
`techniques to decompose the code (including all prefetched components) of the
`
`Downloadable into the DSP data 310.” CS-1022 p. 10 ll. 6-10, p. 12 ll. 11-17
`
`(emphasis supplied), p. 20 l. 14- p. 21 l. 6, FIG. 7; CS-1021 p. 19, ll. 16-20.
`
`Moreover, the ‘388 Application explains that after the Downloadable is
`
`decomposed, the code scanner identifies the operations that the code performed
`
`(such as “read” and “send”). The ‘388 Application also describes that the code
`
`scanner “may search the code for any pattern.” This described functionality of the
`
`code scanner was already known in the prior art. CS-1003 ¶33. For example,
`
`identifying the operations that computer code performs was a common prior art
`
`technique, as described in Shear and Kerchen, described below. CS-1003 ¶33.
`
`Likewise, the functionality of searching the code by using “pattern
`
`matching” was a common prior art technique used in “static analysis,” as described
`
`in the State of the Art Section. In static analysis, the “binary or source code” was
`
`examined to detect the presence of malicious sections in programs by code pattern
`
`matching – i.e., matching patterns of code from the downloadable program with
`
`
`
`
`8
`
`
`
`
`
`code that is known to be harmful. CS-1011 pp. 17-4, 17-5; CS-1003 ¶34. In
`
`other words, the data for the security profile is generated using “conventional”
`
`techniques by a “code scanner” (which was a known device using commonly used
`
`techniques). CS-1003 ¶34.
`
`The written description of the ‘494 Patent only uses the term “suspicious”
`
`once in describing that the goal of the present invention is to prevent a computer
`
`from “harmful, undesirable, suspicious, or other ‘malicious’ operations.” CS-1001
`
`2:52-56.
`
` The ‘388 Application uses the term “suspicious” broadly to include the
`
`concepts of “hostile, potentially hostile, undesirable, potentially undesirable, etc.”
`
`CS-1022 p. 7 ll. 12-16. In one embodiment of the ‘388 Application, the DSP data
`
`is “a list of all operations in the Downloadable code which could ever be deemed
`
`potentially hostile.” CS-1022 p. 20 ll. 14-20.
`
`
`
`The ‘494 Patent has very little discussion of storing a Downloadable or its
`
`DSP in a database as recited in the claims, and does not distinguish the claimed
`
`database from other types of storage means. CS-1001 17:10-14.
`
`The ’639 Provisional describes that the Downloadable and its DSP data may
`
`be stored, for example, in a database. CS-1021, p. 20, 1. 12-16 (“the non-hostile
`
`Downloadable is stored in known Downloadable’s 307 and its corresponding DSP
`
`
`
`
`9
`
`
`
`
`
`data is stored in DSP data 310.”) p. 22, 1. 15-21; p. 17, 1. 13-19 (describing items
`
`307 and 310 as portions of a “security database”); CS-1022 p. 13 ll. 16-19.
`
`In summary, the ‘494 Patent does not describe the claimed “scanner” that is
`
`for deriving security profile data (i.e., a list of potentially suspicious operations)
`
`associated with a program. Rather the ‘494 Patent relies on the disclosure of the
`
`‘388 Application. The ‘388 Application, in turn, describes “conventional parsing
`
`techniques” for deriving such data. CS-1021 p. 19, 1. 16-20; CS-1022 p. 12 ll. 11-
`
`17. CS-1003 ¶39. Based on the relevant ‘494 Patent disclosures, therefore, the
`
`purported novelty of the ‘494 Patent claims cannot be based on the concept of
`
`deriving security profile data nor any specific technique for doing so; the relevant
`
`disclosure describes previously used techniques for deriving this data from a
`
`Downloadable. CS-1003 ¶39. Nor does the disclosure regarding the database
`
`suggest that there is anything inventive about using a database versus any other
`
`storage means. Instead, the novelty would have to hinge on the fact that the
`
`security profile data is derived for “an incoming Downloadable”. This feature,
`
`however, was also well-known and commonly used to protect computer systems
`
`long before the ‘494 Patent.
`
`B.
`Prosecution History
`All substantive rejections were withdrawn in response to a § 131 declaration
`
`alleging prior invention and the subsequent grant of a petition. CS-1002 pp. 1, 37
`
`
`
`
`10
`
`
`
`
`
`
`C. Claim Construction
`1.
`The Applicable Claim Construction Standard
`The ‘494 Patent has expired.
`
`Because the ‘494 Patent as expired, the Board’s claim construction analysis
`
`is similar to that of a district court. The claims should be given “their ordinary and
`
`customary meaning” as understood by a person of ordinary skill at the time of the
`
`claimed invention.
`
`Petitioner asserts that each of the claim terms in the Challenged Claims
`
`should be given their plain and ordinary meaning and that specific construction of
`
`any claim terms is not required because the prior art relied on meets each of the
`
`claim terms under any reasonable construction of the terms. However, Petitioner
`
`addresses several claim terms below in light of arguments that Patent Owner has
`
`made in previous proceedings.
`
`2.
` “a list of suspicious computer operations” (Claim 10)
`In prior Inter Partes Review (“IPR”) proceedings for the ‘494 Patent, neither
`
`the previous petitioners nor Patent Owner explicitly sought a construction of the
`
`term “a list of suspicious computer operations.” However, Patent Owner
`
`implicitly sought a narrow claim construction in at least one of previous IPR
`
`proceedings for a related patent by arguing that this element has a negative
`
`limitation, such that it excludes the identification of non-suspicious operations,
`
`code or functions in the DSP. IPR2015-01894 (POPR p. 15). The PTAB did not
`
`11
`
`
`
`
`
`
`adopt the Patent Owner’s implicit claim construction, instead noting that “we
`
`determine that no claim terms require express construction.” IPR2015-01894
`
`(Institution Decision p. 9). Consistent with this decision, there is no support for
`
`Patent Owner’s attempt to limit this claim term such that the DSP lists only
`
`suspicious operations. The claims are written with the transitional phrase
`
`“comprising” which is well recognized in patent practice to mean “including but
`
`not limited to,” making improper the restrictive construction of “only.”
`
`D.
`Priority Date of the Challenged Claims
`The earliest priority date claimed by the ‘494 Patent is that of U.S.
`
`Provisional Application No. 60/030,639, filed November 8, 1996.
`
`E.
`Person of Ordinary Skill in the Art
`A POSA is a hypothetical person who is presumed to be aware of all
`
`pertinent prior art, thinks along the line of conventional wisdom in the art, and is a
`
`person of ordinary creativity. A POSA in the November 1996 timeframe would
`
`have been familiar with security and network programming. CS-1003 ¶22. A
`
`POSA would have a working knowledge of TCP/IP protocols and the World Wide
`
`Web, including the fundamental web client/server architecture. CS-1003 ¶22. A
`
`POSA would have gained knowledge of these concepts through a mixture of
`
`training and work experience, such as by having a Bachelor’s degree in computer
`
`science, computer programming, electrical engineering and four years of
`
`
`
`
`12
`
`
`
`
`
`experience, or by obtaining a Master’s degree in electrical engineering, but having
`
`only one to two years of experience, or by having no formal education but
`
`experience in computer programming of at least eight years. CS-1003 ¶22.
`
`F.
`State of the Art
`The following section describes the state of the art in computer security
`
`systems as of November 1996. CS-1003 ¶41. These prior art references, and
`
`discussions of what was known to a POSA, provide the factual support for the
`
`general description of the state of the art at the time of the invention, provide
`
`motivation to modify the primary references with the knowledge of a POSA or
`
`other references cited herein, rebut any claims of unpredictability in the art, and
`
`rebut any claims of unexpected results. Accordingly, these references should
`
`properly be considered by the Board.
`
`1. Malicious Code in Executable Programs
`By the mid-1990s, it was known that the Internet and the world wide web,
`
`had become an integral part of the development and progress of computer
`
`technology. Newly created websites were able to easily send and receive files,
`
`formulate and execute queries to databases using search engines, send and receive
`
`audio and video, and distribute data and multimedia resources worldwide. CS-
`
`1015 p. 2; CS-1003 ¶42.
`
`
`
`
`13
`
`
`
`
`
`
`The world wide web was largely based on a client/server architecture, in
`
`which (i) web servers host websites and (ii) web clients running web browser
`
`software interacted with the web servers through downloadable programs that
`
`enabled features and functionality to the web clients. It was well-known, however,
`
`that this web client/server architecture provided an entry point for hostile computer
`
`programs, viruses and bugs, which could infect and disrupt the normal operation of
`
`computer systems. CS-1015 pp. 1. CS-1003 ¶43.
`
`Much of the technology that made this malicious functionality possible
`
`consisted of small, easily downloaded programs that, when executed by the web
`
`client, interacted with the web client’s browser to display media content. CS-1003
`
`¶44. These “executable” programs came in a variety of forms. Some were special-
`
`purpose miniature applications, or “applets,” which were written in Java (Java is a
`
`programming language first developed by Sun Microsystems). CS-1024 sec. 1;
`
`CS-1003 ¶44. Others were developed using ActiveX, a Microsoft technology that
`
`programmers used for similar purposes. CS-1015 pp. 1-2; CS-1003 ¶44.
`
`Both Java and ActiveX made extensive use of software modules, or
`
`“objects.” Programmers could either write objects themselves or take them from
`
`existing sources and then fashion them into plug-ins, applets, device drivers and
`
`other software needed to power the web. These objects were downloaded from
`
`web servers to be run on clients. Java objects were called “classes,” while ActiveX
`
`
`
`
`14
`
`
`
`
`
`objects were called “controls.” CS-1003 ¶45. The principal difference between
`
`these objects (i.e., Java classes versus Active X controls) was how they ran on the
`
`web client’s host system. CS-1003 ¶45. Java classes ran in a Java “virtual
`
`machine” designed specifically to (i) interpret Java programming “byte code” and
`
`(ii) translate the byte code into action on the web client’s host machine. CS-1024
`
`sec. 2. ActiveX controls ran as native Windows programs that linked and passed
`
`data to Windows software. CS-1015 p. 2; CS-1003 ¶45.
`
`Of course, the vast majority of these downloadable executable computer
`
`programs (Java classes and ActiveX controls) were useful parts of any interactive
`
`website – in other words, they were part of the foundation of a user’s Internet
`
`experience. CS-1003 ¶46. But they were also vulnerable to surreptitious
`
`manipulation to hide hostile code. Despite the best efforts to design security
`
`measures into downloadable, executable computer programs, some ill-intentioned
`
`programmers used Java and ActiveX tools to plant harmful objects on a web
`
`server. The harmful objects lurked on the web server until a user visited the
`
`website hosted by the web server, and the user then unknowingly allowed the
`
`harmful objects access into the user’s computer system through the web client.
`
`CS-1003 ¶46.
`
`It was known that Java and ActiveX programs were particularly vulnerable
`
`to such malware because Java and ActiveX programs easily evaded detection due
`
`
`
`
`15
`
`
`
`
`
`to their widespread use on the Internet, combined with their small size and
`
`seemingly innocuous nature. CS-1025 pp. 1-2; CS-1003 ¶47. In fact, a well-
`
`known problem associated with the basic web client/server architecture was the
`
`vulnerability that arose because the typical web browsers included a default
`
`configuration whereby executable programs (including Java classes and ActiveX
`
`controls) were automatically downloaded. For example, Java and ActiveX objects
`
`were automatically downloaded from a web server to the user’s system whenever
`
`the user visited a website that hosted executable programs. CS-1003 ¶47. These
`
`types of executable programs became a host for malware, which could then be
`
`used to deliver a “Trojan horse” (i.e., a malicious computer program which is used
`
`to hack into a computer by misleading users of its true intent) or a virus payload.
`
`CS-1031; CS-1003 ¶47.
`
`By the mid-1990s, a POSA would have been aware that malicious
`
`programmers wrote executable objects that exploited this vulnerability in which
`
`Java and Active X objects were automatically downloaded. Examples of such
`
`executable code include: (i) code that read data from a computer’s hard disk and
`
`sent the data back to the website that was visited; (ii) code that “hijacked” an e-
`
`mail account and sent out offensive messages in the user’s name; and (iii) code that
`
`watched and recorded data that passed between the user’s computer and other
`
`computers. CS-1026 p. 39; CS-1003 ¶48.
`
`
`
`
`16
`
`
`
`
`
`
`2.
`Tools to Combat Malicious Code
`By the mid-1990s, a wide range of methods had been devel