IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Cisco Systems, Inc.,
Petitioner,

v.

Finjan, Inc.,
Patent Owner.

U.S. Patent No. 8,677,494
Issue Date: March 18, 2014
Title: Malicious Mobile Code Runtime Monitoring System and Methods

Inter Partes Review No.: Unassigned

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 8,677,494
UNDER 35 U.S.C. §§ 311-319 and 37 C.F.R. §§ 42.1-.80, 42.100-.107

Mail Stop “PATENT BOARD”
Patent Trial and Appeal Board
U.S. Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450

TABLE OF CONTENTS

I. INTRODUCTION
II. OVERVIEW
III. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8
    A. Real Party-in-Interest (37 C.F.R. § 42.8(b)(1))
    B. Related Matters (37 C.F.R. § 42.8(b)(2))
        1. Judicial Matters
        2. Administrative Matters
        3. Related Patents
    C. Lead/Back-up Counsel (37 C.F.R. § 42.8(b)(3))
    D. Notice of Service Information (37 C.F.R. § 42.8(b)(4))
IV. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))
V. RELIEF REQUESTED (37 C.F.R. § 42.22(A))
VI. REASONS FOR THE REQUESTED RELIEF
    A. Summary of the ‘494 Patent
    B. Prosecution History
    C. Claim Construction
        1. The Applicable Claim Construction Standard
        2. “a list of suspicious computer operations” (Claim 10)
    D. Priority Date of the Challenged Claims
    E. Person of Ordinary Skill in the Art
    F. State of the Art
VII. IDENTIFICATION OF CHALLENGES
    A. Challenged Claims
    B. Statutory Grounds for Challenges
VIII. IDENTIFICATION OF HOW THE CHALLENGED CLAIMS ARE UNPATENTABLE
    A. Challenge 1: Claims 10, 11, 14, 15 and 16 Are Obvious Over Shear in View of Kerchen
        1. The Shear Reference
        2. The Kerchen Reference
        3. The Motivation to Combine Shear with Kerchen
        4. Detailed Application of Shear and Kerchen to Claims
    B. Challenge 2: Claims 10, 11, 14, 15 and 16 Are Obvious Over Crawford 91 in view of Knowledge of a POSA
        1. The Crawford 91 Reference
        2. Detailed Application of Crawford 91 to the Claims
IX. CONCLUSION

Petitioner’s Exhibit List

Exhibit #   Description

1001   U.S. Patent No. 8,677,494 entitled “System and Method of Attaching a Downloadable Security Profile to a Downloadable”, issued November 28, 2000 to Touboul, et al. (“the ‘494 Patent”)
1002   Select portions of the prosecution history of the ‘494 Patent (“File History”)
1003   Declaration of Petitioner’s Expert Dr. Paul Clark (“Clark”)
1004   U.S. Patent No. 6,157,721 entitled “Systems and Methods Using Cryptography to Protect Secure Computing Environments”, issued December 5, 2000 to Shear (“Shear”)
1005   U.S. Patent Application Serial No. 08/388,107 entitled “Systems and Methods for Secure Transaction Management and Electronic Rights Protection,” filed February 13, 1995 by Ginter (“Ginter”)
1006   Intentionally Left Blank
1007   Intentionally Left Blank
1008   “Network Firewalls,” IEEE Communications Magazine, Steven M. Bellovin and William R. Cheswick, September 1994 (“Bellovin”)
1009   Intentionally Left Blank
1010   Intentionally Left Blank
1011   A Testbed for Malicious Code Detection: A Synthesis of Static and Dynamic Analysis Techniques, 14th Department of Energy Computer Security Group Conference Proceedings, R. Crawford et al., May 1991 (“Crawford ‘91”)
1012   U.S. Patent No. 5,623,600 entitled “Virus Detection and Removal Apparatus for Computer Networks,” issued April 22, 1997 to Ji et al. (“Ji”)
1013   Dynamic Detection and Classification of Computer Viruses Using General Behavior Patterns, Virus Bulletin Conference, Morton Swimmer, September 1995 (“Swimmer”)
1014   Intentionally Left Blank
1015   “Microsoft and VeriSign Provide First Technology for Secure Downloading of Software Over the Internet,” Microsoft PressPass, August 7, 1996 (“MS-96”)
1016   U.S. Patent No. 6,195,587 entitled “Validity Checking,” issued February 27, 2001 to Hruska (“Hruska”)
1017   Automated Assistance for Detecting Malicious Code, Sixth International Computer Security & Virus Conference & Expo, Crawford et al., June 18, 1993 (“Automated Tools”)
1018   Listing of Related Patents
1019   Static Analysis Virus Detection Tools for Unix Systems, 13th National Computer Security Conference, Volume 1, Information Systems Security: Standards-the Key to the Future, Kerchen et al., 1990 (“Kerchen”)
1020   Identifying and Controlling Undesirable Programs Behaviors, 14th National Computer Security Conference, King, October 1991 (“King”)
1021   U.S. Provisional Application No. 60/030,639, entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables,” filed November 8, 1996, by Touboul et al. (“the ’639 Provisional”)
1022   U.S. Application Serial No. 08/964,388 entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables,” filed November 6, 1997 by Touboul (“the ‘388 Application”)
1023   PACL’s An Access Control List Approach to Anti-Virus Security, Wichers et al., 13th Nat’l Computer Security Conference, Proceedings, October 1-4, 1990 (“Wichers”).
1024   Java Security: From HotJava to Netscape and Beyond, Dean et al., 1996.
1025   Software Architecture To Support Misuse Intrusion Detection, Spafford et al., March 1995.
1026   1996 CERT Advisories, Software Engineering Institute, Carnegie Mellon University.
1027   Declaration of Ingrid Hsieh-Yee, dated September 21, 2017
1028   Declaration of Justus L. Getty, Esq., dated September 19, 2017
1029   Intentionally Left Blank
1030   Select pages of 13th National Computer Security Conference, Proceedings, Volume 1, Information Security Systems: Standards-The Key to the Future, October 1990.
1031   An Intrusion-Detection Model, IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, Dorothy E. Denning, February 1987 (“Denning”)
1032   Copy of the public catalog of the library at Purdue University identifying the Proceedings of the 13th National Computer Science Conference as part of its holdings.
1033   MARC record for the Proceedings of the 13th National Computer Security Conference created by the Purdue University Library
1034   Copy of the public Catalog of US Government Publications (CGP) identifying the Proceedings of 14th Department of Energy Computer Security Group Conference as published by the GPO.
1035   MARC record for the Proceedings of 14th Department of Energy Computer Security Group Conference created by GPO.
1036   Copy of the public card catalog of the University of Virginia Library identifying the Proceedings of 14th Department of Energy Computer Security Group Conference.
1037   MARC record from the University of Virginia Library for the Proceedings of 14th Department of Energy Computer Security Group Conference
1038   Declaration of John Hawes.

I. INTRODUCTION

Pursuant to 35 U.S.C. § 311 et seq. and 37 C.F.R. § 42.1 et seq., Cisco Systems, Inc. (“Petitioner”) hereby petitions for an inter partes review of U.S. Patent No. 8,677,494 (“the ‘494 Patent”). Petitioner respectfully submits that Claims 10, 11, 14, 15 and 16 (the “Challenged Claims”) of the ‘494 Patent are unpatentable under 35 U.S.C. § 103 in view of the prior art references discussed herein. This Petition demonstrates by a preponderance of the evidence that there is a reasonable likelihood that Petitioner will prevail with respect to at least one of these claims. Accordingly, it is respectfully requested that the Board institute an inter partes review of the ‘494 Patent pursuant to 37 C.F.R. § 42.108.

II. OVERVIEW

The Challenged Claims are unpatentable as obvious over the prior art. The claims are directed to prior art systems and combinations of conventional components to perform conventional functions that were well-known in the art of protecting computers against computer viruses and computer programs with suspicious code.

More specifically, the ‘494 Patent describes a system receiving a computer program and deriving a “Downloadable security profile” for the computer program. The “Downloadable security profile” is then stored in a database for later use. According to the ‘494 Patent, this “Downloadable security profile” is derived using conventional “computer-based software testing techniques”. The “Downloadable security profile” includes an identification of operations that would be performed by the computer program which may be considered suspicious—in other words, operations that may be undesirable because they could harm a computer. The “Downloadable security profile” is saved so that a downstream user can examine the “Downloadable security profile” and determine whether it complies with the security policy of the user before the user’s computer executes the computer program. Long before the filing of the ‘494 Patent, the claimed “Downloadable security profile” was already known as a “specification.” As discussed in more detail in the State of the Art section below, a “specification” was used to combat what the prior art referred to as the “undecidable” problem – which was the problem that it is impossible to be 100% sure that a given computer program is safe. The prior art used methods of analyzing a computer program – including both “static” and “dynamic” methods – to generate these specifications. The prior art understood that these were subject to the “undecidable” problem, meaning that these detection methods could only positively determine if a virus or malware was present, but could not positively declare the program was free of viruses or malware.

The “undecidable” problem was further complicated by executable code (e.g., Java, ActiveX, and JavaScript) that when executed would perform seemingly innocuous and ubiquitous operations such as “read” and “write.” Often, however, these operations were not innocuous but rather were intended to do harm. The content, functions and operations of programs were therefore analyzed (via “static” or “dynamic” analysis) and identified in an associated specification (which the prior art also referred to as a “class” or a “profile”). This specification could then be passed downstream to users. In the event that the performed analysis did not detect any known virus or malware, the downstream users understood that there were still operations/code within the program that could be harmful and should be considered suspicious. With this knowledge, the downstream user was empowered to take the appropriate action tailored for that user by applying the user’s security policy. Thus, the downstream user could decide what level of risk to take, i.e., the downstream user could use its own security policies to decide whether the description in the specification was acceptable, or posed too high a risk. CS-1008 p. 50.

Ground 1 is based on Shear and Kerchen, and Ground 2 is based on Crawford 91. Both Shear and Crawford 91 disclose a system for receiving a computer program and deriving a “specification” for the computer program. These references disclose creating the specification by using conventional computer-based software testing techniques, such that the specification can be used in the same way and for the same purpose as described in the ‘494 Patent.

Both Kerchen and Crawford 91, in turn, describe specific conventional computer-based software testing techniques that can be used to identify suspicious code in the computer program – in other words, they describe the well-known techniques used to create a “specification” (i.e., a “Downloadable security profile”).

Finally, the storage of the specification in a database was a conventional design choice, and is not even suggested as an inventive step in the ‘494 Patent. Because these references are all directed to the same problem and describe different levels of detail regarding the same set of solutions, these references are naturally combined together, and the combination discloses each limitation recited in the Challenged Claims. CS-1003 ¶75.

III. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8

A. Real Party-in-Interest (37 C.F.R. § 42.8(b)(1))

The real party-in-interest in this Petition is Cisco Systems, Inc.

B. Related Matters (37 C.F.R. § 42.8(b)(2))

1. Judicial Matters

As of the filing date of this Petition and to the best knowledge of Petitioner, the ‘494 Patent is involved in the following litigations:

Finjan, Inc. v. Symantec Corp., 3:14-cv-02998 (N.D. Cal. 2014)
Finjan, Inc. v. Websense, Inc., 3:14-cv-01353 (N.D. Cal. 2014)
Finjan, Inc. v. Palo Alto Networks, Inc., 3:14-cv-04908 (N.D. Cal. 2014)
Finjan, Inc. v. Sophos, Inc., 3:14-cv-01197 (N.D. Cal. 2014)
Finjan, Inc. v. Blue Coat Systems, Inc., 5:15-cv-03295 (N.D. Cal. 2015)
Finjan, Inc. v. Cisco Systems, Inc., 5:17-cv-00072 (N.D. Cal. 2017)

2. Administrative Matters

As of the filing date of this Petition and to the best knowledge of Petitioner, the ’494 Patent was subject to the following inter partes reviews:

Sophos, Inc. v. Finjan, Inc., IPR2015-01022 (review not instituted)
Symantec Corp, and Blue Coat Systems, Inc., v. Finjan, Inc., IPR2015-01892[1] (Claims 1, 2 and 6 found unpatentable)
Symantec Corp., v. Finjan, Inc., IPR2015-01897 (review not instituted)
Palo Alto Networks, Inc., v. Finjan, Inc., IPR2016-00159 (Claims 1, 2 and 6 found unpatentable.)
Blue Coat Systems, Inc. v. Finjan, Inc., IPR2016-01443 (review not instituted).

[1] Blue Coat Systems, Inc., v. Finjan, Inc., IPR2016-00890 was joined with IPR2015-01892.

3. Related Patents

See Exhibit CS-1018.

C. Lead/Back-up Counsel (37 C.F.R. § 42.8(b)(3))

Lead Counsel: Patrick D. McPherson, USPTO Reg. No. 46,255
DUANE MORRIS LLP, 505 9th St. NW, Suite 1000, Washington, D.C. 20004
P: (202) 776-5214; F: (202) 776-7801; PDMcPherson@duanemorris.com

Back-Up Counsel: Patrick Muldoon, USPTO Reg. No. 47,343
DUANE MORRIS LLP, 505 9th St. NW, Suite 1000, Washington, D.C. 20004
P: (202) 776-7840; F: (202) 776-7801; PCMuldoon@duanemorris.com

D. Notice of Service Information (37 C.F.R. § 42.8(b)(4))

Please direct all correspondence to lead and back-up counsel at the above addresses. Petitioner consents to electronic service at the email addresses above.

IV. GROUNDS FOR STANDING (37 C.F.R. § 42.104(A))

Petitioner certifies that the Patent for which review is sought is available for inter partes review and that Petitioner is not barred or estopped from requesting an inter partes review of the Challenged Claims on the grounds identified herein. 37 C.F.R. § 42.104(a). This Petition is filed pursuant to 37 C.F.R. § 42.106(a).

V. RELIEF REQUESTED (37 C.F.R. § 42.22(A))

Petitioner respectfully requests institution of an inter partes review pursuant to 37 C.F.R. § 42.108 and cancellation of the Challenged Claims of the ‘494 Patent.

VI. REASONS FOR THE REQUESTED RELIEF

As explained in §§ II and VII-VIII of this Petition and in the attached Declaration of Petitioner’s Expert, Dr. Paul Clark (“Clark,” CS-1003), the systems and methods of deriving and storing a Downloadable security profile that is described and claimed in the ‘494 Patent were known or were obvious over the prior art. As detailed in §§ II and VII-VIII, this Petition and Dr. Clark explain where each element is found in the prior art and why each claim would have been obvious to a person of ordinary skill in the art (“POSA”) at the time of the invention.

A. Summary of the ‘494 Patent

The ’494 Patent generally relates to the protection of computers from potentially undesirable or suspicious software programs or code, referred to as “Downloadables,” that are received over a network. CS-1001 Abstract, 1:59-63, 2:22-3:9. According to the ‘494 Patent, a Downloadable is “received information [that] includes executable code.” CS-1001 3:3-8, 4:5-14, 5:64-6:2, 9:46-52, 15:22-39. Some examples of Downloadables described in the ‘494 Patent specification include the following: distributed components; Java applets; JavaScript scripts; ActiveX controls; and VisualBasic scripts. CS-1001 Abstract, 2:22-30 & 59-64, 9:46-52.

While asserted in the Claims, the written description of the ‘494 Patent does not include the term “scanner”, nor does it describe a scanner “for deriving security profile data.” However, other patent applications to which the ‘494 Patent claims priority (e.g., the ’639 Provisional, CS-1021, and the ‘388 Application, CS-1022) provide a disclosure corresponding to how the Downloadable security profile (called the “DSP” in the ‘388 Application) is derived – but those applications only refer to “conventional” techniques for the details. For example, the ’388 Application explains that a Downloadable is “received from [an] external computer network” and delivered to a “code scanner” that “uses conventional parsing techniques to decompose the code (including all prefetched components) of the Downloadable into the DSP data 310.” CS-1022 p. 10 ll. 6-10, p. 12 ll. 11-17 (emphasis supplied), p. 20 l. 14- p. 21 l. 6, FIG. 7; CS-1021 p. 19, ll. 16-20.

Moreover, the ‘388 Application explains that after the Downloadable is decomposed, the code scanner identifies the operations that the code performed (such as “read” and “send”). The ‘388 Application also describes that the code scanner “may search the code for any pattern.” This described functionality of the code scanner was already known in the prior art. CS-1003 ¶33. For example, identifying the operations that computer code performs was a common prior art technique, as described in Shear and Kerchen, described below. CS-1003 ¶33.

Likewise, the functionality of searching the code by using “pattern matching” was a common prior art technique used in “static analysis,” as described in the State of the Art Section. In static analysis, the “binary or source code” was examined to detect the presence of malicious sections in programs by code pattern matching – i.e., matching patterns of code from the downloadable program with code that is known to be harmful. CS-1011 pp. 17-4, 17-5; CS-1003 ¶34. In other words, the data for the security profile is generated using “conventional” techniques by a “code scanner” (which was a known device using commonly used techniques). CS-1003 ¶34.

The written description of the ‘494 Patent only uses the term “suspicious” once in describing that the goal of the present invention is to prevent a computer from “harmful, undesirable, suspicious, or other ‘malicious’ operations.” CS-1001 2:52-56.

The ‘388 Application uses the term “suspicious” broadly to include the concepts of “hostile, potentially hostile, undesirable, potentially undesirable, etc.” CS-1022 p. 7 ll. 12-16. In one embodiment of the ‘388 Application, the DSP data is “a list of all operations in the Downloadable code which could ever be deemed potentially hostile.” CS-1022 p. 20 ll. 14-20.

The ‘494 Patent has very little discussion of storing a Downloadable or its DSP in a database as recited in the claims, and does not distinguish the claimed database from other types of storage means. CS-1001 17:10-14.

The ’639 Provisional describes that the Downloadable and its DSP data may be stored, for example, in a database. CS-1021, p. 20, ll. 12-16 (“the non-hostile Downloadable is stored in known Downloadable’s 307 and its corresponding DSP data is stored in DSP data 310.”) p. 22, ll. 15-21; p. 17, ll. 13-19 (describing items 307 and 310 as portions of a “security database”); CS-1022 p. 13 ll. 16-19.

In summary, the ‘494 Patent does not describe the claimed “scanner” that is for deriving security profile data (i.e., a list of potentially suspicious operations) associated with a program. Rather the ‘494 Patent relies on the disclosure of the ‘388 Application. The ‘388 Application, in turn, describes “conventional parsing techniques” for deriving such data. CS-1021 p. 19, ll. 16-20; CS-1022 p. 12 ll. 11-17. CS-1003 ¶39. Based on the relevant ‘494 Patent disclosures, therefore, the purported novelty of the ‘494 Patent claims cannot be based on the concept of deriving security profile data nor any specific technique for doing so; the relevant disclosure describes previously used techniques for deriving this data from a Downloadable. CS-1003 ¶39. Nor does the disclosure regarding the database suggest that there is anything inventive about using a database versus any other storage means. Instead, the novelty would have to hinge on the fact that the security profile data is derived for “an incoming Downloadable”. This feature, however, was also well-known and commonly used to protect computer systems long before the ‘494 Patent.

B. Prosecution History

All substantive rejections were withdrawn in response to a § 131 declaration alleging prior invention and the subsequent grant of a petition. CS-1002 pp. 1, 37

C. Claim Construction

1. The Applicable Claim Construction Standard

The ‘494 Patent has expired.

Because the ‘494 Patent has expired, the Board’s claim construction analysis is similar to that of a district court. The claims should be given “their ordinary and customary meaning” as understood by a person of ordinary skill at the time of the claimed invention.

Petitioner asserts that each of the claim terms in the Challenged Claims should be given their plain and ordinary meaning and that specific construction of any claim terms is not required because the prior art relied on meets each of the claim terms under any reasonable construction of the terms. However, Petitioner addresses several claim terms below in light of arguments that Patent Owner has made in previous proceedings.

2. “a list of suspicious computer operations” (Claim 10)

In prior Inter Partes Review (“IPR”) proceedings for the ‘494 Patent, neither the previous petitioners nor Patent Owner explicitly sought a construction of the term “a list of suspicious computer operations.” However, Patent Owner implicitly sought a narrow claim construction in at least one of the previous IPR proceedings for a related patent by arguing that this element has a negative limitation, such that it excludes the identification of non-suspicious operations, code or functions in the DSP. IPR2015-01894 (POPR p. 15). The PTAB did not adopt the Patent Owner’s implicit claim construction, instead noting that “we determine that no claim terms require express construction.” IPR2015-01894 (Institution Decision p. 9). Consistent with this decision, there is no support for Patent Owner’s attempt to limit this claim term such that the DSP lists only suspicious operations. The claims are written with the transitional phrase “comprising” which is well recognized in patent practice to mean “including but not limited to,” making improper the restrictive construction of “only.”

D. Priority Date of the Challenged Claims

The earliest priority date claimed by the ‘494 Patent is that of U.S. Provisional Application No. 60/030,639, filed November 8, 1996.

E. Person of Ordinary Skill in the Art

A POSA is a hypothetical person who is presumed to be aware of all pertinent prior art, thinks along the line of conventional wisdom in the art, and is a person of ordinary creativity. A POSA in the November 1996 timeframe would have been familiar with security and network programming. CS-1003 ¶22. A POSA would have a working knowledge of TCP/IP protocols and the World Wide Web, including the fundamental web client/server architecture. CS-1003 ¶22. A POSA would have gained knowledge of these concepts through a mixture of training and work experience, such as by having a Bachelor’s degree in computer science, computer programming, electrical engineering and four years of experience, or by obtaining a Master’s degree in electrical engineering, but having only one to two years of experience, or by having no formal education but experience in computer programming of at least eight years. CS-1003 ¶22.

F. State of the Art

The following section describes the state of the art in computer security systems as of November 1996. CS-1003 ¶41. These prior art references, and discussions of what was known to a POSA, provide the factual support for the general description of the state of the art at the time of the invention, provide motivation to modify the primary references with the knowledge of a POSA or other references cited herein, rebut any claims of unpredictability in the art, and rebut any claims of unexpected results. Accordingly, these references should properly be considered by the Board.

1. Malicious Code in Executable Programs

By the mid-1990s, it was known that the Internet and the world wide web had become an integral part of the development and progress of computer technology. Newly created websites were able to easily send and receive files, formulate and execute queries to databases using search engines, send and receive audio and video, and distribute data and multimedia resources worldwide. CS-1015 p. 2; CS-1003 ¶42.

The world wide web was largely based on a client/server architecture, in which (i) web servers host websites and (ii) web clients running web browser software interacted with the web servers through downloadable programs that enabled features and functionality to the web clients. It was well-known, however, that this web client/server architecture provided an entry point for hostile computer programs, viruses and bugs, which could infect and disrupt the normal operation of computer systems. CS-1015 p. 1; CS-1003 ¶43.

Much of the technology that made this malicious functionality possible consisted of small, easily downloaded programs that, when executed by the web client, interacted with the web client’s browser to display media content. CS-1003 ¶44. These “executable” programs came in a variety of forms. Some were special-purpose miniature applications, or “applets,” which were written in Java (Java is a programming language first developed by Sun Microsystems). CS-1024 sec. 1; CS-1003 ¶44. Others were developed using ActiveX, a Microsoft technology that programmers used for similar purposes. CS-1015 pp. 1-2; CS-1003 ¶44.

Both Java and ActiveX made extensive use of software modules, or “objects.” Programmers could either write objects themselves or take them from existing sources and then fashion them into plug-ins, applets, device drivers and other software needed to power the web. These objects were downloaded from web servers to be run on clients. Java objects were called “classes,” while ActiveX objects were called “controls.” CS-1003 ¶45. The principal difference between these objects (i.e., Java classes versus ActiveX controls) was how they ran on the web client’s host system. CS-1003 ¶45. Java classes ran in a Java “virtual machine” designed specifically to (i) interpret Java programming “byte code” and (ii) translate the byte code into action on the web client’s host machine. CS-1024 sec. 2. ActiveX controls ran as native Windows programs that linked and passed data to Windows software. CS-1015 p. 2; CS-1003 ¶45.

Of course, the vast majority of these downloadable executable computer programs (Java classes and ActiveX controls) were useful parts of any interactive website – in other words, they were part of the foundation of a user’s Internet experience. CS-1003 ¶46. But they were also vulnerable to surreptitious manipulation to hide hostile code. Despite the best efforts to design security measures into downloadable, executable computer programs, some ill-intentioned programmers used Java and ActiveX tools to plant harmful objects on a web server. The harmful objects lurked on the web server until a user visited the website hosted by the web server, and the user then unknowingly allowed the harmful objects access into the user’s computer system through the web client. CS-1003 ¶46.

It was known that Java and ActiveX programs were particularly vulnerable to such malware because Java and ActiveX programs easily evaded detection due to their widespread use on the Internet, combined with their small size and seemingly innocuous nature. CS-1025 pp. 1-2; CS-1003 ¶47. In fact, a well-known problem associated with the basic web client/server architecture was the vulnerability that arose because the typical web browsers included a default configuration whereby executable programs (including Java classes and ActiveX controls) were automatically downloaded. For example, Java and ActiveX objects were automatically downloaded from a web server to the user’s system whenever the user visited a website that hosted executable programs. CS-1003 ¶47. These types of executable programs became a host for malware, which could then be used to deliver a “Trojan horse” (i.e., a malicious computer program which is used to hack into a computer by misleading users of its true intent) or a virus payload. CS-1031; CS-1003 ¶47.

By the mid-1990s, a POSA would have been aware that malicious programmers wrote executable objects that exploited this vulnerability in which Java and ActiveX objects were automatically downloaded. Examples of such executable code include: (i) code that read data from a computer’s hard disk and sent the data back to the website that was visited; (ii) code that “hijacked” an e-mail account and sent out offensive messages in the user’s name; and (iii) code that watched and recorded data that passed between the user’s computer and other computers. CS-1026 p. 39; CS-1003 ¶48.

2. Tools to Combat Malicious Code

By the mid-1990s, a wide range of methods had been devel
