`571-272-7822
`
`
`Paper 33
`Entered: May 23, 2019
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`CISCO SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2018-00391
`Patent 7,647,633 B2
`____________
`
`
`
`Before THOMAS L. GIANNETTI, MIRIAM L. QUINN, and
`PATRICK M. BOUCHER, Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`
`
`FINAL WRITTEN DECISION
`35 U.S.C. § 318
`
`
`
`
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`
`I.
`INTRODUCTION
`We instituted inter partes review pursuant to 35 U.S.C. § 314 to
`review claims 14, 8, and 1114 of U.S. Patent No. 7,647,633 B2 (“the ’633
`patent”), owned by Finjan, Inc. We have jurisdiction under 35 U.S.C. § 6.
`This Final Written Decision is entered pursuant to 35 U.S.C. § 318(a) and 37
`C.F.R. § 42.73. For the reasons discussed below, Petitioner has shown by a
`preponderance of the evidence that claims 14, 8, and 1113 of the ’633
`patent are unpatentable. Petitioner, however, has not shown by a
`preponderance of the evidence that claim 14 of the ’633 patent is
`unpatentable.
`
`II.
`
`BACKGROUND
`
`A. RELATED MATTERS
`The parties identify several district court cases (N.D. Cal.) involving
`the ʼ633 patent. Pet. 5; see also Paper 4. The ’633 patent also has been the
`subject of various proceedings at the USPTO, including Palo Alto Networks,
`Inc. v. Finjan, Inc., Case IPR2015-01974 (PTAB), in which the Board issued
`a Final Written Decision concerning claims 14 and 19 of the ’633 patent.
`Paper 4; Ex. 2002. The ’633 patent also has been the subject of an ex parte
`reexamination (Control No. 90/013,016). Ex. 2001.
`
`B. THE ’633 PATENT (EX. 1001)
`The ’633 patent relates to a system and a method for protecting
`network-connectable devices from undesirable downloadable operations.
`Ex. 1001, 1:3033. The patent describes that “[d]ownloadable information
`comprising program code can include distributable components (e.g.
`
`2
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`JAVATM applets and JAVAScript scripts, ActiveXTM controls, Visual Basic,
`add-ins and/or others).” Id. at 1:6063. Protecting against only some
`distributable components does not protect against application programs,
`Trojan horses, or zip or meta files, which are other types of “Downloadable
`information.” Id. at 1:632:2. The ’633 patent “enables more reliable
`protection.” Id. at 2:2728. According to the Summary of the Invention,
`In one aspect, embodiments of the invention provide for
`determining, within one or more network “servers” (e.g.
`firewalls,
`resources, gateways, email
`relays or other
`devices/processes that are capable of receiving-and-transferring
`a Downloadable) whether received
`information
`includes
`executable code (and is a “Downloadable”). Embodiments also
`provide for delivering static, configurable and/or extensible
`remotely operable protection policies to a Downloadable-
`destination, more typically as a sandboxed package including
`the mobile protection code, downloadable policies and one or
`more received Downloadables. Further client-based or remote
`protection code/policies can also be utilized in a distributed
`manner. Embodiments also provide for causing the mobile
`protection code to be executed within a Downloadable-
`destination in a manner that enables various Downloadable
`operations to be detected, intercepted or further responded to
`via protection operations.
` Additional server/information-
`destination device security or other protection is also enabled,
`among still further aspects.
`
`Id. at 2:3957.
`
`C. ILLUSTRATIVE CLAIMS
`Challenged claims 1, 8, 13, and 14 of the ’633 patent are independent.
`Illustrative claims 1 and 14 are reproduced below.
`1. A computer processor-based method, comprising:
`receiving, by a computer, downloadable-information;
`determining, by the computer, whether the
`
`3
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`
`downloadable-information includes executable code; and
`based upon the determination, transmitting from the
`computer mobile protection code to at least one information-
`destination of the downloadable-information, if the
`downloadable-information is determined to include executable
`code.
`
`14. A computer program product, comprising a
`computer usable medium having a computer readable program
`code therein, the computer readable program code adapted to be
`executed for computer security, the method comprising:
`providing a system, wherein the system comprises
`distinct software modules, and wherein the distinct software
`modules comprise an information re-communicator and a
`mobile code executor;
`receiving, at the information re-communicator,
`downloadable-information including executable code; and
`causing mobile protection code to be executed by the
`mobile code executor at a downloadable-information
`destination such that one or more operations of the executable
`code at the destination, if attempted, will be processed by the
`mobile protection code.
`
`Id. at 20:5462, 21:58–22:5. We refer to the three steps of claim 1
`as the “receiving step,” the “determining step,” and the “transmitting
`step,” respectively.
`
`D. PROCEDURAL HISTORY
`Petitioner, Cisco Systems, Inc., filed a Petition for inter partes review
`challenging claims 14, 8, and 1114 of the ’633 patent. Paper 1 (“Pet.”).
`Patent Owner, Finjan, Inc., filed a Preliminary Response. Paper 6 (“Prelim.
`Resp.”). On June 5, 2018, we determined that Petitioner had shown a
`reasonable likelihood of prevailing on its unpatentability challenge as at
`least one claim, and we instituted trial. Paper 7 (“Dec. on Inst.”).
`
`4
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`
`During trial, Patent Owner filed a Patent Owner Response (Paper 12
`(“PO Resp.”)) and Petitioner filed a Reply (Paper 16 (“Reply”)). Patent
`Owner requested authorization to file a Sur-reply, which we granted. Paper
`18; Paper 22 (“Sur-reply”). Both parties filed Motions to Exclude and
`corresponding responsive papers. Papers 19, 23, 24, 2729. We heard oral
`argument on March 6, 2019, a transcript of which is filed in the record.
`Paper 32 (“Tr.”).
`
`E. EVIDENCE OF RECORD
`Petitioner relies upon the following references as evidence of prior art:
`1) Hanson: PCT Published Application WO 98/31124, published on
`July 16, 1998 (Exhibit 1004);
`2) Hyppӧnen: U.S. Patent No. 6,577,920 B1, issued on June 10, 2003
`(Exhibit 1005); and
`3) Touboul: PCT Published Application WO 98/21683 (Exhibit
`1007).
`In addition, Petitioner supports its contentions with the Declaration of
`Paul Clark, Ph.D. Ex. 1003 (“Clark Declaration”). With its Patent Owner
`Response, Patent Owner provides a Declaration of Nenad Medvidovic,
`Ph. D. Ex. 2008 (“Medvidovic Declaration”).
`
`F. GROUNDS OF UNPATENTABILITY
`The following grounds of unpatentability are at issue (Pet. 32):
`Claim(s)
`Basis
`References
`14, 8, 11, 13, 14 § 103
`Hanson and Hyppӧnen
`12
`§ 103
`Hanson, Hyppӧnen, and
`Touboul
`
`
`
`5
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`
`III. ANALYSIS
`
`A. CLAIM CONSTRUCTION
`The Board interprets claim terms of an unexpired patent using the
`“broadest reasonable construction in light of the specification of the patent.”
`37 C.F.R. § 42.100(b) (2018);1 see Cuozzo Speed Techs., LLC v. Lee, 136 S.
`Ct. 2131, 2144–46 (2016). We presume a claim term carries its “ordinary
`and customary meaning,” which is the meaning “the term would have to a
`person of ordinary skill in the art” at the time of the invention. In re
`Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007) (citation
`omitted).
`With regard to terms drafted in means-plus-function language,
`“[a]pplication of § 112, ¶ 6 requires identification of the structure in the
`specification which performs the recited function.” Micro Chemical, Inc., v.
`Great Plains Chemical Co., Inc., 194 F.3d 1250, 1257 (Fed. Cir. 1999); see
`also 37 C.F.R. § 42.104(b)(3). Further, the statute does not permit
`“incorporation of structure from the written description beyond that
`necessary to perform the claimed function.” Id. at 1258.
`1. Means-Plus-Function Terms
`Claim 13 recites limitations written in means-plus-function format. In
`our Decision on Institution, we reviewed the parties’ proposed constructions
`for these terms. Dec. on Inst. 59; Pet. 2022; Prelim. Resp. 1113. We
`
`
`1 A recent amendment to this rule does not apply here because the Petition
`was filed before November 13, 2018. See Changes to the Claim
`Construction Standard for Interpreting Claims in Trial Proceedings Before
`the Patent Trial and Appeal Board, 83 Fed. Reg. 51,340 (Oct. 11, 2018)
`(amending 37 C.F.R. § 42.100(b) effective November 13, 2018).
`
`6
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`preliminarily determined for each term the structure corresponding to the
`recited function as follows:
`Term
`
`means for receiving
`downloadable-information
`means for determining whether
`the downloadable-information
`includes executable code
`
`means for causing mobile code
`to be communicated to at least
`one information-destination of
`the downloadable-information,
`if the downloadable-
`information is determined to
`include executable code
`
`Board’s Preliminary Claim
`Construction (Structure)
`Re-communicating device,
`such as a server or firewall
`Protection engine (Fig 3) in a
`re-communicating device,
`such as a server or firewall; or
`
`Detection engine (Fig. 4)
`within a protection engine in a
`re-communicating device,
`such as a server or firewall
`Protection engine (Fig 3) in a
`re-communicating device,
`such as a server or firewall; or
`
`Transfer engine (Fig. 4)
`within the protection engine
`in a re-communicating device,
`such as a server or firewall
`
`
`Dec. on Inst. 59. Neither party raises any disputes concerning the proper
`scope of these terms. Accordingly, we adopt our preliminary claim
`construction as indicated above and for the reasons stated in our Decision on
`Institution. Id.
`2. Prior Board Claim Constructions
`In our Decision on Institution, we noted that the Board has previously
`had occasion to analyze two claim terms recited in the ’633 patent. First, we
`noted that a panel of the Board issued a Decision on Appeal in connection
`with the reexamination (Control No. 90/013,016) of the ’633 patent.
`Ex. 2001. Regarding the “determining whether” phrase, the Decision on
`
`7
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`Appeal states: “In order to disclose determining whether the downloadable-
`information includes executable code, [the prior art] must disclose
`distinguishing between two alternative possibilities: executable code is
`included in the downloadable-information, and executable code is not
`included in the downloadable-information.” Id. at 5.2 Petitioner does not
`address this prior Board Decision in its Petition. Patent Owner does not
`further address the construction of this term in its Response. Petitioner, in
`its Reply and during oral argument, asserts that “the claim term should be
`given its plain and ordinary meaning,” but otherwise does not propose any
`particular construction for the term. Reply 6; Tr. 17:1320:22 (arguing also
`that the Board does not need to construe the term because the prior art shows
`the limitation under any reasonable construction of the term). Because
`resolution of the scope of the phrase “determining whether” is not necessary
`to our determination, we do not discuss this term further. See Nidec Motor
`Corp. v. Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017 (Fed.
`Cir. 2017); Vivid Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803
`(Fed. Cir. 1999) (“[O]nly those terms need be construed that are in
`controversy, and only to the extent necessary to resolve the controversy.”)
`Second, our Decision on Institution noted that we issued a Final
`Written Decision in IPR2015-01974 (Paper 49, March 15, 2017) in which
`we construed “executable code” in the phrase recited in claims 14 and 19 of
`the ’633 patent, in the context of the surrounding claim language and the
`Specification, to mean that the “the executable code whose operations are
`processed by the mobile protection code at the destination is the same as the
`executable code received, i.e., it undergoes no modification.” Ex. 2002, 18
`
`2 See Ex. 1001, 9:5257, Fig. 3.
`
`8
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`(emphasis added). Petitioner mentions the “no modification” requirement
`while contending that the prior art meets the claim language, but does not
`argue the meaning of the claim language further. Pet. 57 n.5. Neither party
`urges that we revisit the construction of the “executable code” phrase of
`claim 14 (“causing mobile protection code to be executed . . . at the
`downloadable-information destination such that one or more operations of
`the executable code at the destination, if attempted, will be processed by
`mobile protection code”). Accordingly, we adopt our prior determination
`here.
`3. “information re-communicator” and “information monitor”
`Patent Owner proposes construction for these terms as follows (PO
`Resp. 11, 14):
`Term
`Information re-communicator
`
`Patent Owner’s Proposal
`A computing device that receives
`downloadable-information from an
`external network and then sends it on
`to its destination
`A component of an information re-
`communicator that monitors
`downloadable-information from an
`external network
`
`Information monitor
`
`
`
`The particular dispute concerning these terms focuses on whether the
`downloadable-information must be received from an external network.
`Asserting the terms so require, Patent Owner argues that Hanson does not
`disclose the limitation because Petitioner relies on “downloadable-
`information” that is received from an internal company network. PO Resp.
`2526 (relying on Medvidovic Decl. ¶ 71). Petitioner responds that the
`recited re-communicator is a server. Reply 4 (citing Ex. 1001, 2:6063).
`
`9
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`Petitioner also argues that the Specification describes an embodiment in
`which a “user-device” could be configured as a firewall or server and
`therefore would receive information from an internal network. Id. (citing
`Ex. 1001, 7:4362).
`We agree with Petitioner that the “information re-communicator” is
`not limited to receiving downloadable-information from an external
`network. First, the claims are silent as to the source of the “downloadable-
`information.” Therefore, from the plain meaning of the claim language,
`there is no requirement that the “re-communicator” receive downloadable-
`information from an external network. Second, the Specification describes
`consistently a server or a firewall as a “re-communicator.” These
`descriptions are general, and do not restrict the server or firewall to
`processing the downloadable-information solely to that coming from an
`“external network.” For instance, the Abstract states that a “protection
`engine embodiment provides, within a server, firewall or other suitable ‘re-
`communicator,’ for monitoring information received by the communicator.”
`Ex. 1001, Abst. As another example, Figure 9 depicts, at step 901, “Monitor
`re-communicator (e.g., server) operation.” Id. at Fig. 9. And significantly,
`in the Summary of the Invention, the Specification identifies a “server” as
`synonymous with “re-communicator” without limitation: “one or more
`network servers, firewalls or other network connectable information re-
`communicating devices (as are referred to herein summarily [as] one or
`more ‘servers’ or ‘re-communicators’).” Id. at 2:5862; see also id. at
`5:3436 (“Embodiments provide, within one or more ‘servers’ (e.g.,
`firewalls, resources, gateways, email relays or other information re-
`communicating devices)”), 7:25 (“system 104a . . . can include a
`
`10
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`protection-initiating host ‘server’ or ‘re-communicator’ (e.g., ISP server
`140a), 7:5052 (“(i.e., as a ‘re-communicator’ or ‘server’)”), 18:3335 (“a
`protection engine monitors the receipt, by a server or other re-communicator
`of information, and receives such information intended for a protected
`information-destination (i.e., a potential Downloadable)”).
`The broad description of the “re-communicating” devices as, for
`example, servers, leads us to the conclusion that the “information re-
`communicators” of claims 2, 9, 10, and 14 are generally devices or processes
`that “re-communicate” the received information, much like a server,
`firewall, gateway, or other device that transfers the received information.
`See, e.g., id. at 7:811 (“IPS server 140a includes one or more email,
`Internet or other servers 141a, or other devices or processes capable of
`transferring or otherwise ‘re-communicating’ downloadable information to
`user devices 145.”). Thus, we conclude that the term “information re-
`communicator” is not limited to receiving “downloadable-information” from
`an external network. Because the “information monitor” term (claim 8),
`likewise, is recited as “receiving downloadable-information by a computer”
`without requiring any specific network source, this term also is not limited to
`an external network.
`4. “downloadable-information”
`Patent Owner contends that the term “downloadable-information”
`means “information which is downloaded from a source computer which
`may or may not include executable code.” PO Resp. 10. Patent Owner
`relies on the Medvidovic Declaration in support of its construction. Id.
`(citing Medvidovic Decl. ¶ 45). Patent Owner argues that Dr. Clark
`
`11
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`provided support for its contention during cross-examination by giving the
`following testimony:
`Q. So how do you interpret the term “downloadable
`information”?
`
`A. As it says in paragraph 32 and as we discussed earlier, it
`explains that downloadable information includes data that
`can be downloaded and that may or may not include
`executable code.
`
`Q. What does the term “download” mean?
`
`A. Generally to retrieve something from a server.
`
`Id. (quoting Ex. 1027, 44:2045:6) (emphasis by Patent Owner). The
`dispute centers on whether the downloadable-information is limited only to
`data that is capable of being downloaded. See PO Resp. 23 (arguing that
`Hanson’s “request for server resources” are not “data that can be
`downloaded and that may or may not include executable code”).
`Petitioner, in response, focuses on whether the claim term requires a
`source computer. Reply 3. But, more importantly, Petitioner argues that we
`need not construe the term because the asserted prior art teaches
`“downloadable-information” under any reasonable interpretation. Id. at 4.
`We agree with Petitioner that we need not construe the term because, as
`discussed below, Petitioner has shown that prior art teaches the limitation,
`even under Patent Owner’s interpretation.
`
`B. PRINCIPLES OF LAW AND LEVEL OF ORDINARY SKILL IN THE ART
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time the invention was
`
`12
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`made to a person having ordinary skill in the art to which said subject matter
`pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The
`question of obviousness is resolved on the basis of underlying factual
`determinations including (1) the scope and content of the prior art; (2) any
`differences between the claimed subject matter and the prior art; (3) the level
`of skill in the art; and, (4) where in evidence, so-called secondary
`considerations, including commercial success, long-felt but unsolved needs,
`failure of others, and unexpected results. Graham v. John Deere Co.,
`383 U.S. 1, 1718 (1966) (“the Graham factors”).
`As to the level of ordinary skill in the art, Petitioner provides
`testimony from Dr. Clark that a person of ordinary skill in the art would
`have had a working knowledge of downloading information from the World
`Wide Web, the vulnerability of downloadable-information to contain
`malicious operations, and methods for preventing the execution of malicious
`operations. Clark Decl. ¶ 21. Dr. Clark opines that a person of ordinary
`skill in the art would have gained the requisite knowledge and experience
`through education, such as a Bachelor’s degree in computer science,
`computer programming, electrical engineering, and four years of experience
`in programming, or by obtaining a Master’s degree in electrical engineering,
`but having only one to two years of programming experience. Id. Dr. Clark
`also opines that a person of ordinary skill in the art may have had no formal
`education, but may have gained the requisite level of knowledge through
`eight years of computer programming experience. Id. Patent Owner’s
`expert, Dr. Medvidovic, acknowledges the opinion of Dr. Clark and states
`his opinions “would be the same if rendered from the perspective of a person
`of ordinary skill in the art set out by Dr. Clark.” Medvidovic Decl. ¶ 38.
`
`13
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`Accordingly, we adopt the level of ordinary skill in the art articulated by Dr.
`Clark.
`
`C. OVERVIEW OF HANSON AND HYPPӦNEN
`For all independent claims, Petitioner relies on Hanson or Hanson and
`Hyppӧnen as teaching all the recited limitations. An overview of these
`references follows.
`1. Hanson
`Hanson is an international application published under the Patent
`Cooperation Treaty as WO 98/31124 (published July 16, 1998). Ex. 1004,
`(11), (43). Hanson is directed to client/server computer communication over
`an internetwork system and to improved access of firewall protected servers.
`Id. at 1, 35. Hanson notes the problem of growing Internet use with respect
`to security, particularly for “internal company computers being
`compromised by an external entity.” Id. at 2:59. Hanson describes that
`security of internal computers is provided by a firewall, which is a filter that
`blocks communication in both directions: “input to the internal network of
`the company and output to the Internet.” Id. at 2:914. Hanson also
`describes further security provided by a proxy server, which behaves as a
`relay between an internal network and the Internet for communication
`requests initiated inside the company’s network. Id. at 2:1517. Proxy
`servers trust all internal computers and assume that communication from an
`internal computer (to the proxy server) will not compromise security of other
`internal computers. Id. at 2:1820. Hanson, however, recognizes that
`communications received from computers on the Internet at large are a
`
`14
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`security threat, especially for a company that selectively wants to share
`internal company resources on the Internet. Id. at 2:2024.
`Hanson aims to provide secure two-way data communication over the
`Internet without having to open the firewall or installing a new network open
`to the Internet. Id. at 2:323:6. Figure 2, reproduced below, illustrates the
`components of Hanson’s system.
`
`
`
`Figure 2 depicts a network system for secured communication
`between a requester or client 15 and servers 20, protected by firewall 22. Id.
`at 4:1618. Figure 2 also illustrates bastion server 18, which includes
`internal address file 26 and rules file 24 stored in memory. Hanson
`describes that when client 15 sends a data packet identifying any server 20,
`behind firewall 22, as the destination, the data packet is delivered first to
`
`15
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`bastion server 18. Id. at 5:216. The address of server 20 is resolved at
`bastion server 18 because internal address file 26 contains the server names
`of servers 20. Id. at 6:910. If an internal address matching the desired
`server is found in internal address file 26, the received packet “is checked
`against rules contained within the rules file.” Id. at 6, 1617. Rules file 24
`“provides a predetermined set of rules for maintaining secured
`communication of data packets passing in both directions through bastion
`server 18.” Id. at 5:810. “The rule checks include certain security[]
`programs that operate upon received data packets and, particularly data
`packets that are or include programs.” Id. at 6:2223. In particular, Hanson
`describes the rules with respect to Table 3, reproduced below.
`
`
`Table 3 illustrates an example set of rules for checking data packets
`passing through bastion server 18. Id. at 9:23. Hanson explains that the
`bastion server checks data packets against known viruses and data errors by
`checking against the files “viruses.dat” and “ps_error.dat.” Id. at 1014.
`
`16
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`The rules file also includes “JAVA Checks” and “Active X Checks.” Id. at
`Table 3, 10:88, 11:36. Hanson describes the “JAVA Checks” code line of
`Table 3 as indicating the JAVA class files that execute “if the bastion
`receives a JAVA applet as or in a data packet.” Id. at 10:89. In particular,
`Hanson describes that each of the class files indicated performs “specific
`checks of received JAVA applets.” Id. at 10:910. For the “security.class”
`program, Hanson states that this program “performs security operations
`similar to that performed by a complete, secure JAVA virtual machine.” Id.
`at 1314. The program performs “protective illegal operation overrides by
`attaching itself to the applet being sent in the data packet.” Id. at 10:1416.
`“When the applet intended for the recipient is run at the destination client or
`server, ‘security.class’ is run simultaneously.” Id. at 10:1617. With regard
`to the “Active X Checks” code line of Table 3, Hanson explains that
`“security.ocx,” similar to the description of JAVA Checks, “attaches to an
`Active X program destined for a client or server.” Id. at 11:67. “This
`program is run at the destination client or server and behaves similar to a
`common virus checking program.” Id. at 11:78. It monitors the execution
`of the Active X program that is running on the destination client or server so
`that if the Active X program attempts a destructive operation, the
`“security.ocx” program stops execution and warns the client or server user
`that the Active X program attempted an illegal operation. Id. at 11:812.
`2. Hyppӧnen
`Hyppӧnen, titled “Computer Virus Screening,” is directed to
`screening of computer data for viruses, and more particularly, macro viruses.
`Ex. 1005, [54], 1:68. Hyppӧnen describes the evolution of computer
`viruses from the 1980s and mid-1990s as consisting of a piece of executable
`
`17
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`code that attached itself to a bona fide computer program. Id. at 1:1116.
`To detect computer programs infected by viruses, a computer software “in
`general relied as a first step upon identifying those data files which contain
`executable code, e.g., .exe, .com, .bat.” Id. at 1:2629. The second step,
`once identified, was to search the files for signatures of known viruses. Id.
`at 1:2933. With the growing use of Microsoft Office, new viruses
`emerged, particularly those that infect macro files. Id. at 1:4156. Macro
`files are used, for example, in templates, to provide customized tool bars,
`and are embedded in files with the extension “.dot” or in Microsoft Office
`files, or “.doc” files. Id. at 1:4653.
`Hyppӧnen’s system “effectively block[s] the transfer and/or
`processing of files which contain a previously unidentified (either to the
`local user or to the software produced) macro virus.” Id. at 2:4044.
`Hyppӧnen provides a file system driver that detects a file system event,
`which involves writing, reading or copying of a file.” Id. at 4:3739,
`5:2327. The file system driver enables file system events to proceed
`normally, or prevents file system events and issues appropriate alert
`messages to the file system. Id. at 4:4449. After detecting a file system
`event, Hyppӧnen determines if the file involved includes a macro by
`examining the file name extension (e.g., to identify “.dot” or “.doc” files)
`“and/or scanning the file for embedded macros.” Id. at 5:2532. Hyppӧnen
`determines a signature for the found macro(s) and checks its database(s) to
`ascertain whether the macro has a known virus or is an unknown macro that
`warrants further scrutiny. Id. at 5:2962. If the signature obtained
`corresponds to a known virus, the file system event is suspended. Id. at
`
`18
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`5:3339. If the signature obtained is of a known, benevolent macro, the file
`system is allowed to proceed. Id. at 5:4349. If no virus is found, and the
`macro is unknown and unverifiable, Hyppӧnen suspends the event. Id. at
`5:5361.
`Hyppӧnen explains that its file system driver may be arranged to
`screen files for viruses other than macro viruses. Id. at 6:67. Hyppӧnen
`further describes the file system event as receiving all file access traffic, not
`just that of a hard disk. Id. at 6:911. For example, the file system drive
`may also process floppy disk data transfers, network data transfer, and
`CDROM data transfers. Id. at 6:1116.
`
`D. ANALYSIS OF INDEPENDENT CLAIMS 1, 8, AND 13
`The parties extensively focus their arguments on the determining step
`of claim 1. Claim 1 recites “determining, by the computer, whether the
`downloadable-information includes executable code.” Claim 8 recites a
`content inspection engine as performing the determining step recited in
`claim 1. And claim 13 recites a means for determining, where the function
`is the determining step recited in claim 1. Although not the first-recited
`limitation in the claims, we begin our analysis with the determining step,
`given the prominent role of this limitation in this proceeding. The Petition
`relies on Hanson alone or in combination with Hyppӧnen as disclosing the
`determining step. Pet. 4854. We find that Petitioner did not prove that
`Hanson alone teaches the determining step. We find, however, that
`Petitioner has proven by a preponderance of the evidence that Hyppӧnen
`teaches the determining step and that it would have been obvious to combine
`
`19
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`Hyppӧnen’s teachings with Hanson. We discuss our reasons for these
`findings under the separate headings below.
`1. Whether Hanson Alone Teaches the Determining Step
`With regard to Hanson, alone, Petitioner states that two disclosures
`regarding the bastion server are relevant to the determining step. Id. at
`4849. The first disclosure pertains to Hanson’s rule check. Id. According
`to Petitioner, the rule checks operate “on data packets that are or include
`programs.” Id. We are not persuaded that this teaches that Hanson
`determines whether the downloadable-information includes executable code.
`Hanson describes that the rule checks are performed on data packets that
`may include programs, but does not describe detecting programs in “data
`packets.” Moreover, the fact that a reply packet may pass the checks against
`send rules does not teach the determining step either. All data packets in
`Hanson pass through the bastion server and are checked against the rules
`file, regardless of whether they include programs.
`The second disclosure of Hanson that Petitioner relies on is the JAVA
`Checks and Active X Checks in the rules file. Id. at 5051. We are not
`persuaded that Hanson’s disclosures of JAVA Checks and Active X Checks
`teach the determining step. These checks indicate that certain security files
`attach to a data packet if there are JAVA applets or Active X programs in the
`data packet. But Hanson says nothing about detecting applets, Active X
`components, or any other purported “executable code.” Petitioner’s expert,
`Dr. Clark, opines that a person of ordinary skill in the art “would have
`understood that Hanson’s disclosure of applying ‘JAVA Checks,’ and
`‘Active X Checks’ or other security program includes a determination of
`whether the data packet is or includes a JAVA applet, Active X program or
`
`20
`
`
`
`IPR2018-00391
`Patent 7,647,633 B2
`
`other executable program.” Clark Decl. ¶ 107. This is a conclusory
`statement—there is no reasoning provided for why or how, if Hanson