`571-272-7822
`
`
`Paper 8
`Entered: March 25, 2019
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`JUNIPER NETWORKS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2019-00031
`Patent 8,141,154 B2
`____________
`
`
`Before THOMAS L. GIANNETTI, MIRIAM L. QUINN, and
`PATRICK M. BOUCHER, Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`
`
`
`DECISION
`Denying Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`
`
`
`
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`I.
`INTRODUCTION
`Juniper Networks, Inc. (“Petitioner”) filed a Petition to institute inter
`partes review of claim 1 of U.S. Patent No. 8,141,154 B2 (Ex. 1001, “the
`’154 patent”). Paper 2 (“Pet.”). Finjan, Inc. (“Patent Owner”) timely filed a
`Preliminary Response. Paper 7 (“Prelim. Resp.”).
`We have jurisdiction under 35 U.S.C. § 314. For the reasons
`discussed below, we do not institute inter partes review of claim 1 of the
`’154 patent.
`
`Related Matters
`A.
`The parties indicate that the ’154 patent is involved in Finjan, Inc. v.
`Juniper Networks, Inc., Case No. 3:17-cv-05659-WHA (N.D. Cal.) and
`other proceedings. Pet. 1; Paper 5.
`
`The ’154 Patent (Ex. 1001)
`B.
`The ’154 patent relates to computer security, and, more particularly,
`to systems and methods for protecting computers against dynamically
`generated malicious code, such as viruses that enter a computer over the
`Internet. Ex. 1001, 1:79, 34–37, 8:3840. The ’154 patent identifies two
`types of anti-virus applications that are available to protect against internet
`viruses: gateway security applications that shield web content before it is
`delivered to a computer, and desktop security applications that shield web
`content after it is delivered to the computer. Id. at 1:43–53. Each system
`has its disadvantages. Id. at 2:31–45. Gateway security applications fail to
`detect certain types of viruses, such as viruses that are generated
`dynamically at run-time of a computer program. Id. at 3:31–36. Desktop
`security applications may be able to shield dynamically generated viruses;
`
`2
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`however, these applications require the installation of client computer
`software and can be vulnerable to hackers. Id. at 4:15–22.
`With regard to the embodiment shown in Figure 2, reproduced below,
`the ’154 patent describes shielding a client computer from dynamically
`generated malicious code by passing the input of a function to a security
`computer for inspection before the client computer invokes the function. Id.
`at 4:35–43, 8:41–44.
`
`
`Figure 2 depicts a system for protecting a computer from dynamically
`generated malicious executable code, including gateway computer 205,
`client computer 210, and security computer 215. Id. at 8:45–47. The
`gateway computer 205 receives content from a network, such as the Internet,
`
`3
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`over communication channel 220. Id. at 8:4748. “Such content may be in
`the form of HTML pages, XML documents, Java applets and other such web
`content that is generally rendered by a web browser.” Id. at 8:4851. Client
`computer 210 communicates with gateway computer 205 over
`communication channel 225, and communicates with security computer 215
`over communication channel 230. Id. at 8:51–54. The client computer
`receives content data at client receiver 245, processes the data at content
`processor 270, and transmits data at client transmitter 250.
`Content modifier 265 modifies original content received by gateway
`computer 205 and produces modified content that includes a layer of
`protection to combat dynamically generated malicious code. Id. at 9:1316.
`Specifically, content modifier 265 identifies certain function calls and
`replaces them with a substitute function call, and when content processor
`270 processes the substitute function, the input is sent to security computer
`215 for inspection. Id. at 9:16–28, 10:60–64. Input inspector 275 compares
`the input’s security profile to the client computer’s security policy. Id. at
`11:40–41. If the operations of the function violate the client computer’s
`security policy and are potentially malicious, input inspector 275 sets an
`“inspection_result” value to false and the client computer does not invoke
`the original function. Id. at 11:1–4, 12:20–24. Otherwise, the
`“inspection_result” value is set to true, and the client computer invokes the
`original function. Id.
`
`Illustrative Claim
`C.
`Challenged claim 1, reproduced below, is independent.
`1. A system for protecting a computer from dynamically
`generated malicious content, comprising:
`
`4
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`a content processor (i) for processing content received over a
`network, the content including a call to a first function, and the
`call including an input, and (ii) for invoking a second function
`with the input, only if a security computer indicates that such
`invocation is safe;
`a transmitter for transmitting the input to the security computer
`for inspection, when the first function is invoked; and
`a receiver for receiving an indicator from the security computer
`whether it is safe to invoke the second function with the input.
`Ex. 1001, 17:32–44.
`
`Asserted Prior Art and Grounds of Unpatentability
`D.
`The Petition identifies the following references in connection with
`Petitioner’s challenge of unpatentability (Pet. 4–5):
`
`a) Gladstone: U.S. Patent No. 7,594,267 B2, filed in the record as
`Exhibit 1006;
`
`b) Ji: U.S. Patent No. 5,983,348, filed in the record as Exhibit 1005;
`and
`
`c) Chander: Mobile Code Security by Java Bytecode Instrumentation,
`DARPA Information Survivability Conference and Exposition II,
`June 12–14, 2001, filed in the record as Exhibit 1008.
`
`Petitioner asserts the following grounds of unpatentability based on
`the aforementioned references (Pet. 5):
`
`Challenged Claim
`1
`1
`
`Basis
`§ 103(a)
`§ 103(a)
`
`References
`Gladstone and Ji
`Chander and Gladstone
`
`
`
`5
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`II. DISCUSSION
`
`A. Claim Construction
`In an inter partes review, claim terms in an unexpired patent are given
`their broadest reasonable construction in light of the specification of the
`patent in which they appear. 37 C.F.R. § 42.100(b) (2017);1 see Cuozzo
`Speed Techs., LLC v. Lee, 136 S. Ct. 2131, 2144–46 (2016). We presume a
`claim term carries its plain meaning, which is the meaning customarily used
`by those of skill in the relevant art at the time of the invention. Trivascular,
`Inc. v. Samuels, 812 F.3d 1056, 1062 (Fed. Cir. 2016).
`Petitioner acknowledges that at least two terms recited in the claims of
`the ’154 patent have been construed previously by the Board. Pet. 14. The
`Final Written Decision in IPR2015-01979 provided a construction of the
`term “content” as “data or information, which has been modified and is
`received over a network.” IPR2015-01979, Paper 62 at 14. We also
`determined that the term “call to a first function” means “a statement or
`instruction in the content, the execution of which causes the function to
`provide a service.” Id. at 16. The Federal Circuit has affirmed the Final
`Written Decision in IPR2015-01979, and, accordingly, those constructions
`are adopted here. See Palo Alto Networks, Inc., v. Finjan, Inc., Case No.
`2017-2314, slip op. at 912 (Fed. Cir. Nov. 19, 2018). Further, although not
`construed by the Board in the Final Written Decision, the Federal Circuit, in
`
`
`1 A recent amendment to this rule does not apply here because the Petition
`was filed before November 13, 2018. See Changes to the Claim
`Construction Standard for Interpreting Claims in Trial Proceedings Before
`the Patent Trial and Appeal Board, 83 Fed. Reg. 51340 (Oct. 11, 2018) (to
`be codified at 37 C.F.R. pt. 42).
`
`6
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`the Palo Alto case, addressed the scope of the “invoke” term, concluding
`that it does not require execution of a function. Id. at 1112. To the extent
`the scope of “invoke” is disputed and necessary to render this Decision, we
`adopt the interpretation of “invoke” that does not require execution of a
`function.
`The construction of other terms is not necessary for us to decide
`whether to institute trial.
`
`Level of Ordinary Skill in the Art
`B.
`In determining the level of ordinary skill in the art, various factors
`may be considered, including the “type of problems encountered in the art;
`prior art solutions to those problems; rapidity with which innovations are
`made; sophistication of the technology; and educational level of active
`workers in the field.” In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995)
`(internal quotation and citation omitted). In that regard, Petitioner asserts
`that a person of ordinary skill in the art would include someone with “a
`bachelor’s degree in computer science or related field and either two years
`of industry experience or an advanced degree in computer science or related
`[field].” Pet. 13. Patent Owner does not challenge Petitioner’s definition of
`a person of ordinary skill in the art.
`Accordingly, for purposes of this Decision, we adopt Petitioner’s
`proposed level of ordinary skill in the art.
`
`Summary of Asserted Prior Art
`C.
`1.
`Overview of Gladstone (Exhibit 1006)
`Gladstone is directed to methods and apparatus for securing one or
`more nodes on a computer network. Ex. 1006, 1:18–20. Gladstone
`
`7
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`describes conventional network security systems that use active protection to
`prevent security breaches with pre-programmed intrusion detection
`measures, or passive protection to examine data about previous breaches in
`order to prevent future intrusions. Id. at 1:21–32. According to Gladstone,
`neither type of conventional network security protection “provides the
`adaptation capability sometimes necessary to counter novel types of attacks
`as they occur.” Id. at 1:63–66.
`With regard to the embodiment of Figure 1, reproduced below,
`Gladstone describes securing a networked computer system using active
`security measures in real time. Id. at 4:28–35, 5:46–49.
`
`
`
`8
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Figure 1 depicts a system for securing a networked computer,
`including computer node A connected via network 5 to event processor
`server 100. Instruction 10, which “may be an e-mail, browser, terminal
`server, or other software application running on Node A,” arrives from
`network 5 to application 15. Id. at 7:15–18. Application 15 issues a request
`for system resources 35, and this request is routed through reference monitor
`25 to determine if the request violates administrative policies. Id. at 7:18–
`23. Reference monitor 25, using interceptors 26 that are inserted into the
`request’s communication paths, may allow application 15 to access system
`resources 35, or the reference monitor may prevent the access request and
`work with event agent 45 and event processing server 100 to provide
`adaptive security protection to node A. Id. at 5:61–64, 7:23–33. “Reference
`Monitor 25 may perform basic analysis on the instruction [] 10 and
`communicate with Event Agent 45 in 40 as to its nature, as defined by
`current administrative policy.” Id. at 7:33–36.
`Event Agent 45 then sends a notification regarding instruction 10 via
`network 5 to transceiver 115 in event processing server 100, and instruction
`engine 135 processes the notification to determine an appropriate response
`to the instruction. Id. at 7:36–47. “Instruction Engine 135 determines
`whether an update to administrative policies is warranted, and determines
`other steps to be taken, including placing Node A in quarantine, defining
`system operations which may not be performed on Node A, tuning Node A’s
`operating system, or modifying network or firewall parameters.” Id.
`at 7:47–53. Instruction engine 35 sends its response via transceiver 115 and
`network 5 to event agent 45 in Node A.
`
`9
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Figure 2 of Gladstone, reproduced below, is another embodiment of a
`network security system that diagnoses an attack on one computer node and
`acts to prevent subsequent attacks on another computer node. Id. at 8:7–10.
`
`
`Figure 2 depicts first computer node A in communication with event
`processing server 100, similar to the embodiment of Figure 1, with the
`addition of second computer node B. Event processing server 100 uses
`information obtained in response to a malicious request at node A to
`transmit updated administrative policies to event agent 45B and reference
`monitor 35B at node B, thereby preventing potentially damaging activity
`from affecting other nodes of the network. Id. at 8:24–31, 43–55.
`
`10
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`2.
`Overview of Ji (Exhibit 1005)
`Ji is directed to detecting and preventing operation of computer
`viruses and other types of malicious computer code. Ex. 1005, 1:5–7. Ji
`describes the development of Internet-based application programs, such as
`Java applets, that allow seamless integration of network code with local
`computer resources. Id. at 1:9–15, 26–27. Because these applets are given
`access to local computer resources such as the hard disk drive, however,
`they can also pose a security risk to users. Id. at 1:15–19. Code scanning
`programs that can analyze and monitor applets have been developed, which
`include static scanning done on the server or run-time monitoring done on
`the local client. Id. at 1:63–66, 2:65–67. According to Ji, conventional
`applet monitoring systems cause an imbalance between the load of the server
`and the client, and Ji describes a combination of static scanning and run-time
`monitoring that distributes the respective loads evenly. Id. at 1:65–2:4.
`Figure 1 of Ji, reproduced below, illustrates one embodiment of an
`applet scanner system. Id. at 4:55–56.
`
`11
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`Figure 1 depicts an applet scanner system including client machine 14
`and server machine 20 connected to Internet 10. “Upon receipt of a
`particular Java applet, the HTTP proxy server 32, which is software running
`on server machine 20 and which has associated scanner software 26, then
`scans the applet and instruments it using an instrumenter 28 which is part of
`scanner software 26.” Id. at 4:66–5:3. If a suspicious instruction that calls
`an insecure function is found during this static scanning, the Java applet
`code sequence is instrumented to insert a first instruction sequence (pre-
`filter) before that suspicious instruction and a second instruction sequence
`(post-filter) after that instruction. Id. at 5:16–27. Ji provides the following
`example of code that disallows a suspicious function of directory listing
`access (“java.IO.File.list”) on the client computer:
`
`12
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`
`Id. at 5:44–6:9, 6:10–20.
`The instrumenter generates a call to pre-filter function, “with the
`name of the suspicious function, parameters to the suspicious function, and
`possibly other information about [t]his suspicious function invocation as the
`parameters.” Id. at 5:44–61. The pre-filter checks the security policy
`associated with scanner 26 and decides whether the particular instruction is
`allowed. Id. at 5:33–36. The second instruction sequence generates a call to
`a post-filter function provided by the scanner, and reports the result of the
`call to the post-filter function. Id. at 5:37–40. Ji describes that this static
`scanning and instrumentation are both performed on HTTP proxy server 32.
`Id. at 5:41–43.
`
`3.
`Overview of Chander (Exhibit 1008)
`Chander is directed to mobile code security by Java bytecode
`instrumentation. Ex. 1008, 1 (see Title). Chander explains that, although
`the Java Virtual Machine (“JVM”) includes steps to verify programs and
`perform run-time tests, the Java mobile code may still behave in ways that
`are harmful to users. Id. at 1 (see Abstract). Chander describes an improved
`security technique called bytecode instrumentation that inserts additional
`
`13
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`run-time tests into Java code using class modification or method-level
`modification. Id. at 2.
`According to Chander, method-level modification can be “applied on
`a method-by-method basis without regard to class hierarchy restrictions.”
`Id. Chander describes a first example of a method modification, where the
`method “Thread.setPriority[]” is replaced with a safer version of the method
`“Safe$Thread:setPriority[]” that “does not allow threads spawned by mobile
`code to have higher priority than a user-specified upper limit defined in class
`Safe$Thread.” Id. at 4. The safeguarding method
`“Safe$Thread:setPriority[]” takes the priority integer value “I” of the
`original method and compares it to the safeguard upper limit; if the priority
`value I is higher than this upper limit, then the priority value is set to this
`upper limit and the “Thread.setPriority[]” method is invoked with the
`verified priority value I. Id.
`In a second a second example of a method modification, an applet is
`prevented from disclosing a user’s confidential information through email by
`blocking a connection to a particular port on the web server. Id. at 10–11.
`The method “Socket.<init>[]” is replaced by the safeguard method
`“Safe$Socket:init” that monitors the port number “I” for every socket
`connection request, and will establish the socket connection unless the port
`number “I” is the particular port on the web server to be blocked. Id. at 11.
`Figure 5, reproduced below, depicts the basic architecture of
`Chander’s sytem. Id. at 5.
`
`14
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`Figure 5 illustrates a system including a web browser running on a
`networked computer (element on right side, labeled as running a “Modified
`Applet”), which is connected to an Internet Web Server via a network proxy
`and the Internet. Id. at 5; see also id. at 1 (networked computer executing
`Java). When the web browser requests a web page or applet, the request
`goes through the network proxy to the web server, which responds by
`sending the requested data to the proxy. Id. at 5. If the request was for a
`Java applet, “the proxy will pass the applet code to the bytecode filter,”
`which then “will examine the bytecode for potential risks and modify the
`bytecode before sending the code for execution to the web browser.” Id.
`Thus, “the web browser only receives bytecode that has been screened.” Id.
`Chander further describes the proxy, which “also has access to a repository
`of Java classes, including secure safe classes that can be substituted for
`standard library classes and implementations of user-interface methods.” Id.
`
`15
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Reasonable Likelihood Determination
`D.
`After considering Petitioner’s contentions and Patent Owner’s
`arguments in opposition, we are not persuaded that Petitioner has
`demonstrated a reasonable likelihood of prevailing in showing that the
`challenged claim would have been obvious over the asserted prior art.
`For both asserted grounds, Petitioner relies on Gladstone’s event
`processing server as teaching the “security computer” that inspects the input
`of a first function, and indicates whether it is safe to invoke a second
`function with the input. Pet. 2930, 6264. We determine that Petitioner
`has not shown a reasonable likelihood of prevailing in its assertion that it
`would have been obvious to combine Gladstone’s event processing server
`with either Ji or Chander.
`
`1.
`Gladstone and Ji Combination
`Petitioner summarizes the asserted combination as follows: “The
`proposed combination adds Ji’s server with scanner to the perimeter of
`Gladstone’s network in order to deliver instrumented applets to Gladstone’s
`nodes. The two references would come together as shown in the diagram
`below based on figures from Ji and Gladstone and annotated in color.”
`Pet. 25. Reproduced below is the annotated diagram provided in the Petition
`showing Petitioner’s overall contentions of how Ji and Gladstone would
`have been combined. Id.
`
`16
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`The diagram above merges Figure 1 of Ji with Figure 2 of Gladstone
`to illustrate the combination of Ji’s Server Machine (including Scanner 25)
`(colored in purple) with Gladstone’s Nodes (A and B) (colored in blue) and
`event processing server 100 (colored in red). We discuss first Petitioner’s
`contention that Ji’s pre-filter code would have been modified and
`Petitioner’s contention of the motivation to combine the teachings of Ji’s
`pre-filter code with Gladstone’s nodes and event processing server. Second,
`we discuss how Petitioner’s argument of modification of Ji, in view of
`Gladstone’s teachings, is not persuasive to show that claim 1 would have
`been obvious over the alleged combination.
`
`17
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Petitioner’s Contentions Regarding the Modification of Ji
`Claim 1 requires a “transmitter for transmitting the input to the
`security computer for inspection, when the first function is invoked.”
`Petitioner identifies the Gladstone event agent within the node as the
`transmitter. Pet. 3435. Gladstone’s event agent, however, transmits an
`event message or notification, not an “input” of a function call.
`Nevertheless, Petitioner asserts that Gladstone’s event agent would transmit
`the recited “input” when the first function was invoked because the
`Gladstone node instead would execute Ji’s pre-filter code. Id. at 35.
`Petitioner explains the combination as a “modification of Ji”: “Modifying
`Ji’s pre-filter functions to transmit the input to the remote security computer
`via Gladstone’s transmitter is relatively simple and requires only a few
`additional lines of code relative to the examples provided in Ji.” Id. at 36.
`To support this statement Petitioner cites the Nielson Declaration, at
`paragraph 73.
`Essentially, and according to Petitioner’s theory of obviousness, Ji is
`modified so that the pre-filter code—inserted in the applet at the server
`during scanning—runs on the Gladstone node and transmits “security
`checks” to Gladstone’s event processing server, instead of performing
`“security checks” locally at the node.
`Claim 1 also requires a “receiver for receiving an indicator from the
`security computer whether it is safe to invoke the second function with the
`input.” Here too Petitioner relies on Gladstone’s event agent as receiving
`notifications from Gladstone’s event processing server. Id. at 3738.
`Petitioner contends that Gladstone’s server determines whether the
`individual notification received from the nodes warrant policy updates and
`
`18
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`determines whether to quarantine the node, define operations that may not
`be performed, or tune operating system, firewall, or network parameters. Id.
`at 39 (citing Ex. 1006, 6:5465). Petitioner relies on claim 1 of Gladstone,
`which states that a policy message from the server comprises “disallowing
`the access request to continue along the communication path,” as meaning
`that Gladstone’s nodes receive an indication whether the “input” is unsafe.
`Id. at 39. According to Petitioner, “the means by which Gladstone’s Server
`disallows the access request would simply be by sending a value that forces
`the if function to evaluate to ‘true’ such that an exception is thrown before
`the original (‘second’) function is invoked.” Id. at 40 (citing Ex. 1004,
`(“Nielson Decl.”) ¶ 78; Ex. 1005 6:1516 and 6:3132).
`
`Contentions Regarding Motivation to Combine
`According to Petitioner, the combination of Ji and Gladstone is
`predictable and the modification is trivial, because a remote service can be
`accessed by a normal method call, but is actually a request to a remote
`computer. Pet. 43. Petitioner refers to “minimal alteration” of Ji’s pre-filter
`code so that instead of Ji performing the security checks at the node for
`which the applet is intended, Ji transfers the security check to a remote
`computer, i.e., Gladstone’s event processing server. Id. (citing Nielson Decl.
`¶¶ 55, 73, 78). When comparing the Ji pre-filter code with the Gladstone
`Reference Monitor, Petitioner asserts that Ji’s pre-filter code is also a
`“reference monitor” because the security check is inserted directly into the
`code. Id. at 4243.
`Additionally, Petitioner alleges that a person of ordinary skill in the
`art would have been “motivated to apply Ji’s technique for delivering
`reference monitors from the proxy to the problem of installing Gladstone’s
`
`19
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Reference Monitor on each node.” Id. at 44. According to Petitioner, Ji
`teaches a motivation because it recognizes that it is easier to deploy code
`from a single server (read here Ji’s proxy server with the scanner), rather
`than “installing software manually on every individual node in Gladstone’s
`network.” Id. at 45. Finally, Petitioner asserts that the combination would
`have been motivated by Gladstone itself, because Gladstone teaches using a
`centralized server, and it would have been a design incentive to modify Ji’s
`pre-filter code for use with a centralized sever, because it “dramatically
`improves system security.” Id. at 47 (citing Nielson Decl. ¶ 56).
`
`Patent Owner’s Exemplary Arguments
`Patent Owner challenges Petitioner’s assertion that Ji’s pre-filter
`function transmits the input to the remote computer. Prelim. Resp. 2628.
`Patent Owner focuses its arguments on Ji’s disclosure of the pre-filter code,
`and how it does not pass any input or parameter for inspection anywhere,
`and that Gladstone, even if combined with Ji, would not perform any such
`inspection because Gladstone only processes event messages. Id. Patent
`Owner also argues that what the Gladstone nodes receive is a notification
`from the server after the “second function” has been invoked because the
`access request is allowed to continue along the communication path. Id. at
`3334.
`
`Alleged Trivial or Minimal Modifications
`The arguments by Patent Owner raise the issue of whether Petitioner
`has demonstrated that the reasons for the combination of Ji and Gladstone
`are rational in light of their teachings. We see that Patent Owner focuses on
`distinguishing Ji’s pre-filter code as failing to teach passing of the inputs to a
`security computer as required. Petitioner’s contention, we note, is that Ji’s
`
`20
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`pre-filter code would have been modified, with “trivial” changes or
`“minimal alteration,” to perform the transmission of the recited inputs at
`Gladstone’s nodes. Upon further inspection of the record, in an effort to
`ascertain the asserted modification of Ji, however, we discover eight
`separate listings of program code included in the Nielson Declaration as
`“Listings.” Ex. 1004, Appendix A. None of the “Listings” identify which
`portions of the code are original to Ji and which are added. Thus, whatever
`alterations Ji’s pre-filter code may require were not made clear in these
`Listings.
`Further, it is evident that the Listings provide further modifications
`that the Petition does not explain meaningfully, and include various
`programs that must be implemented in other parts of the system, such as
`adding code for “remote enforcement” at the server. See Ex. 1004, 91.
`These modifications of the server and the additional code that would be
`necessary for the server to work in conjunction with Ji’s modified code are
`glossed over in the Petition, subsumed within an explanation that the
`changes or additions are “trivial” or “minimal.” But we are not persuaded
`that they are as such.
`Instead, these program listings show us that although it is possible to
`modify Ji’s program to send an input to a remote computer to achieve the
`asserted combination of teachings, one would have needed the foresight of
`the claims. In other words, the reasons given by Petitioner to revise Ji’s pre-
`filter code would not compel also the conclusion that Gladstone’s nodes
`would also need further modification and that additional security checks are
`to be implemented in Gladstone’s server. In our view, the modification of Ji
`
`21
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`and Gladstone are the product of hindsight, not of a reasonable motivation to
`combine.
`We start with the fact that Gladstone is designed for the nodes to
`apply locally a current pre-programmed administrative policy. See Ex.
`1006, 7:2229, 7:3338 (stating that the event agent at the node may, in
`addition to of instead of local protection, send the notification to the server
`as “defined by current administrative policy”). For example, Gladstone’s
`server receives event notifications from the node because, in accordance
`with the pre-programmed policy, the node’s event agent intercepted an
`access to a system resource, such as a disk. Ex. 1006, 8:723. Gladstone
`explains that the node sends the notification of the access to the server, but
`the access at the node has already occurred; the server, if it finds the access
`was potentially harmful, updates the node’s policy to prevent future accesses
`of the same type. Id. at 8:2442, 8:679:21 (explaining that the Gladstone
`server may also send a policy update to the other nodes in the network). The
`server may also determine whether to quarantine the affected node, change
`operation of the affected node through defining operations that may not be
`performed, or tune the operating system. Id. at 6:5462. Thus, although
`Gladstone provides for centralized event processing, to correlate seemingly
`innocuous network activity that turns out to be an attack in progress, it also
`allows the nodes to monitor themselves and to notify the server only of
`certain activities as dictated by the node’s pre-programmed policy, with the
`server updating the policies across nodes as the attack is detected. See id.;
`see also id. 6:637:13.
`In contrast, Ji anticipates that all Java applets and Active X
`components are to be secured before they are allowed to run in the node.
`
`22
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Ji’s scanner instruments the applet to alter suspicious instructions before
`they are executed at the node. Ex. 1005, 3:4556. In this manner, the
`instrumented applet of Ji includes the alternative instruction and can perform
`an alternative action when malicious code is encountered. Thus, Ji is
`designed to anticipate how much and what protection the nodes will need at
`run-time. Petitioner’s theory of obviousness, however, modifies Ji to instead
`delegate the suspicious function check to a remote computer, even though Ji
`provides whatever code the nodes need to protect themselves at run-time
`from applets and Active X components (or any other executable malicious
`program, according to Petitioner). Pet. 45 (stating that Ji can be used to
`distribute reference monitors for any type of application programs, not just
`Java applets).
`The rationale Petitioner provides for this purported delegation is not
`persuasive. Petitioner posits that the modification of Ji is an improvement
`motivated by Ji, because Ji’s delivery of instrumented applets avoids the
`expense of manual deployment that Gladstone utilizes. Pet. 4445. This
`reason may motivate the automated delivery of code from Ji’s sever to
`Gladstone’s nodes, but goes no further to support the contention that Ji’s
`pre-filter code would have been modified to perform its security check at the
`Gladstone event processing server, instead of performing the check locally at
`the node.
`The second rationale Petitioner provides fares no better. Petitioner
`posits that Gladstone itself provides “the strongest motivation to use a
`centralized Server.” Id. at 47. In particular, Petitioner argues that a
`centralized server is in a position to correlate events across nodes and catch
`more advanced attacks. Id. Petitioner alludes to it being well-known for a
`
`23
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`centralized server to communicate with multiple nodes running instrumented
`code programs to detect more advanced attacks. Id. We are not persuaded
`by Petitioner’s reliance on Gladstone or the “w