Trials@uspto.gov
`571-272-7822
`
`
`Paper 8
`Entered: March 25, 2019
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`JUNIPER NETWORKS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2019-00031
`Patent 8,141,154 B2
`____________
`
`
`Before THOMAS L. GIANNETTI, MIRIAM L. QUINN, and
`PATRICK M. BOUCHER, Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`
`
`
`DECISION
`Denying Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`
`
`
`
`
`
`571-272-7822
`
`
`Paper 8
`Entered: March 25, 2019
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`JUNIPER NETWORKS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2019-00031
`Patent 8,141,154 B2
`____________
`
`
`Before THOMAS L. GIANNETTI, MIRIAM L. QUINN, and
`PATRICK M. BOUCHER, Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`
`
`
`DECISION
`Denying Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`
`
`
`
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`I.
`INTRODUCTION
`Juniper Networks, Inc. (“Petitioner”) filed a Petition to institute inter
`partes review of claim 1 of U.S. Patent No. 8,141,154 B2 (Ex. 1001, “the
`’154 patent”). Paper 2 (“Pet.”). Finjan, Inc. (“Patent Owner”) timely filed a
`Preliminary Response. Paper 7 (“Prelim. Resp.”).
`We have jurisdiction under 35 U.S.C. § 314. For the reasons
`discussed below, we do not institute inter partes review of claim 1 of the
`’154 patent.
`
`Related Matters
`A.
`The parties indicate that the ’154 patent is involved in Finjan, Inc. v.
`Juniper Networks, Inc., Case No. 3:17-cv-05659-WHA (N.D. Cal.) and
`other proceedings. Pet. 1; Paper 5.
`
`The ’154 Patent (Ex. 1001)
`B.
`The ’154 patent relates to computer security, and, more particularly,
`to systems and methods for protecting computers against dynamically
`generated malicious code, such as viruses that enter a computer over the
`Internet. Ex. 1001, 1:79, 34–37, 8:3840. The ’154 patent identifies two
`types of anti-virus applications that are available to protect against internet
`viruses: gateway security applications that shield web content before it is
`delivered to a computer, and desktop security applications that shield web
`content after it is delivered to the computer. Id. at 1:43–53. Each system
`has its disadvantages. Id. at 2:31–45. Gateway security applications fail to
`detect certain types of viruses, such as viruses that are generated
`dynamically at run-time of a computer program. Id. at 3:31–36. Desktop
`security applications may be able to shield dynamically generated viruses;
`
`2
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`however, these applications require the installation of client computer
`software and can be vulnerable to hackers. Id. at 4:15–22.
`With regard to the embodiment shown in Figure 2, reproduced below,
`the ’154 patent describes shielding a client computer from dynamically
`generated malicious code by passing the input of a function to a security
`computer for inspection before the client computer invokes the function. Id.
`at 4:35–43, 8:41–44.
`
`
`Figure 2 depicts a system for protecting a computer from dynamically
`generated malicious executable code, including gateway computer 205,
`client computer 210, and security computer 215. Id. at 8:45–47. The
`gateway computer 205 receives content from a network, such as the Internet,
`
`3
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`over communication channel 220. Id. at 8:4748. “Such content may be in
`the form of HTML pages, XML documents, Java applets and other such web
`content that is generally rendered by a web browser.” Id. at 8:4851. Client
`computer 210 communicates with gateway computer 205 over
`communication channel 225, and communicates with security computer 215
`over communication channel 230. Id. at 8:51–54. The client computer
`receives content data at client receiver 245, processes the data at content
`processor 270, and transmits data at client transmitter 250.
`Content modifier 265 modifies original content received by gateway
`computer 205 and produces modified content that includes a layer of
`protection to combat dynamically generated malicious code. Id. at 9:1316.
`Specifically, content modifier 265 identifies certain function calls and
`replaces them with a substitute function call, and when content processor
`270 processes the substitute function, the input is sent to security computer
`215 for inspection. Id. at 9:16–28, 10:60–64. Input inspector 275 compares
`the input’s security profile to the client computer’s security policy. Id. at
`11:40–41. If the operations of the function violate the client computer’s
`security policy and are potentially malicious, input inspector 275 sets an
`“inspection_result” value to false and the client computer does not invoke
`the original function. Id. at 11:1–4, 12:20–24. Otherwise, the
`“inspection_result” value is set to true, and the client computer invokes the
`original function. Id.
`
`Illustrative Claim
`C.
`Challenged claim 1, reproduced below, is independent.
`1. A system for protecting a computer from dynamically
`generated malicious content, comprising:
`
`4
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`a content processor (i) for processing content received over a
`network, the content including a call to a first function, and the
`call including an input, and (ii) for invoking a second function
`with the input, only if a security computer indicates that such
`invocation is safe;
`a transmitter for transmitting the input to the security computer
`for inspection, when the first function is invoked; and
`a receiver for receiving an indicator from the security computer
`whether it is safe to invoke the second function with the input.
`Ex. 1001, 17:32–44.
`
`Asserted Prior Art and Grounds of Unpatentability
`D.
`The Petition identifies the following references in connection with
`Petitioner’s challenge of unpatentability (Pet. 4–5):
`
`a) Gladstone: U.S. Patent No. 7,594,267 B2, filed in the record as
`Exhibit 1006;
`
`b) Ji: U.S. Patent No. 5,983,348, filed in the record as Exhibit 1005;
`and
`
`c) Chander: Mobile Code Security by Java Bytecode Instrumentation,
`DARPA Information Survivability Conference and Exposition II,
`June 12–14, 2001, filed in the record as Exhibit 1008.
`
`Petitioner asserts the following grounds of unpatentability based on
`the aforementioned references (Pet. 5):
`
`Challenged Claim
`1
`1
`
`Basis
`§ 103(a)
`§ 103(a)
`
`References
`Gladstone and Ji
`Chander and Gladstone
`
`
`
`5
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`II. DISCUSSION
`
`A. Claim Construction
`In an inter partes review, claim terms in an unexpired patent are given
`their broadest reasonable construction in light of the specification of the
`patent in which they appear. 37 C.F.R. § 42.100(b) (2017);1 see Cuozzo
`Speed Techs., LLC v. Lee, 136 S. Ct. 2131, 2144–46 (2016). We presume a
`claim term carries its plain meaning, which is the meaning customarily used
`by those of skill in the relevant art at the time of the invention. Trivascular,
`Inc. v. Samuels, 812 F.3d 1056, 1062 (Fed. Cir. 2016).
`Petitioner acknowledges that at least two terms recited in the claims of
`the ’154 patent have been construed previously by the Board. Pet. 14. The
`Final Written Decision in IPR2015-01979 provided a construction of the
`term “content” as “data or information, which has been modified and is
`received over a network.” IPR2015-01979, Paper 62 at 14. We also
`determined that the term “call to a first function” means “a statement or
`instruction in the content, the execution of which causes the function to
`provide a service.” Id. at 16. The Federal Circuit has affirmed the Final
`Written Decision in IPR2015-01979, and, accordingly, those constructions
`are adopted here. See Palo Alto Networks, Inc., v. Finjan, Inc., Case No.
`2017-2314, slip op. at 912 (Fed. Cir. Nov. 19, 2018). Further, although not
`construed by the Board in the Final Written Decision, the Federal Circuit, in
`
`
`1 A recent amendment to this rule does not apply here because the Petition
`was filed before November 13, 2018. See Changes to the Claim
`Construction Standard for Interpreting Claims in Trial Proceedings Before
`the Patent Trial and Appeal Board, 83 Fed. Reg. 51340 (Oct. 11, 2018) (to
`be codified at 37 C.F.R. pt. 42).
`
`6
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`the Palo Alto case, addressed the scope of the “invoke” term, concluding
`that it does not require execution of a function. Id. at 1112. To the extent
`the scope of “invoke” is disputed and necessary to render this Decision, we
`adopt the interpretation of “invoke” that does not require execution of a
`function.
`The construction of other terms is not necessary for us to decide
`whether to institute trial.
`
`Level of Ordinary Skill in the Art
`B.
`In determining the level of ordinary skill in the art, various factors
`may be considered, including the “type of problems encountered in the art;
`prior art solutions to those problems; rapidity with which innovations are
`made; sophistication of the technology; and educational level of active
`workers in the field.” In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995)
`(internal quotation and citation omitted). In that regard, Petitioner asserts
`that a person of ordinary skill in the art would include someone with “a
`bachelor’s degree in computer science or related field and either two years
`of industry experience or an advanced degree in computer science or related
`[field].” Pet. 13. Patent Owner does not challenge Petitioner’s definition of
`a person of ordinary skill in the art.
`Accordingly, for purposes of this Decision, we adopt Petitioner’s
`proposed level of ordinary skill in the art.
`
`Summary of Asserted Prior Art
`C.
`1.
`Overview of Gladstone (Exhibit 1006)
`Gladstone is directed to methods and apparatus for securing one or
`more nodes on a computer network. Ex. 1006, 1:18–20. Gladstone
`
`7
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`describes conventional network security systems that use active protection to
`prevent security breaches with pre-programmed intrusion detection
`measures, or passive protection to examine data about previous breaches in
`order to prevent future intrusions. Id. at 1:21–32. According to Gladstone,
`neither type of conventional network security protection “provides the
`adaptation capability sometimes necessary to counter novel types of attacks
`as they occur.” Id. at 1:63–66.
`With regard to the embodiment of Figure 1, reproduced below,
`Gladstone describes securing a networked computer system using active
`security measures in real time. Id. at 4:28–35, 5:46–49.
`
`
`
`8
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Figure 1 depicts a system for securing a networked computer,
`including computer node A connected via network 5 to event processor
`server 100. Instruction 10, which “may be an e-mail, browser, terminal
`server, or other software application running on Node A,” arrives from
`network 5 to application 15. Id. at 7:15–18. Application 15 issues a request
`for system resources 35, and this request is routed through reference monitor
`25 to determine if the request violates administrative policies. Id. at 7:18–
`23. Reference monitor 25, using interceptors 26 that are inserted into the
`request’s communication paths, may allow application 15 to access system
`resources 35, or the reference monitor may prevent the access request and
`work with event agent 45 and event processing server 100 to provide
`adaptive security protection to node A. Id. at 5:61–64, 7:23–33. “Reference
`Monitor 25 may perform basic analysis on the instruction [] 10 and
`communicate with Event Agent 45 in 40 as to its nature, as defined by
`current administrative policy.” Id. at 7:33–36.
`Event Agent 45 then sends a notification regarding instruction 10 via
`network 5 to transceiver 115 in event processing server 100, and instruction
`engine 135 processes the notification to determine an appropriate response
`to the instruction. Id. at 7:36–47. “Instruction Engine 135 determines
`whether an update to administrative policies is warranted, and determines
`other steps to be taken, including placing Node A in quarantine, defining
`system operations which may not be performed on Node A, tuning Node A’s
`operating system, or modifying network or firewall parameters.” Id.
`at 7:47–53. Instruction engine 35 sends its response via transceiver 115 and
`network 5 to event agent 45 in Node A.
`
`9
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Figure 2 of Gladstone, reproduced below, is another embodiment of a
`network security system that diagnoses an attack on one computer node and
`acts to prevent subsequent attacks on another computer node. Id. at 8:7–10.
`
`
`Figure 2 depicts first computer node A in communication with event
`processing server 100, similar to the embodiment of Figure 1, with the
`addition of second computer node B. Event processing server 100 uses
`information obtained in response to a malicious request at node A to
`transmit updated administrative policies to event agent 45B and reference
`monitor 35B at node B, thereby preventing potentially damaging activity
`from affecting other nodes of the network. Id. at 8:24–31, 43–55.
`
`10
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`2.
`Overview of Ji (Exhibit 1005)
`Ji is directed to detecting and preventing operation of computer
`viruses and other types of malicious computer code. Ex. 1005, 1:5–7. Ji
`describes the development of Internet-based application programs, such as
`Java applets, that allow seamless integration of network code with local
`computer resources. Id. at 1:9–15, 26–27. Because these applets are given
`access to local computer resources such as the hard disk drive, however,
`they can also pose a security risk to users. Id. at 1:15–19. Code scanning
`programs that can analyze and monitor applets have been developed, which
`include static scanning done on the server or run-time monitoring done on
`the local client. Id. at 1:63–66, 2:65–67. According to Ji, conventional
`applet monitoring systems cause an imbalance between the load of the server
`and the client, and Ji describes a combination of static scanning and run-time
`monitoring that distributes the respective loads evenly. Id. at 1:65–2:4.
`Figure 1 of Ji, reproduced below, illustrates one embodiment of an
`applet scanner system. Id. at 4:55–56.
`
`11
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`Figure 1 depicts an applet scanner system including client machine 14
`and server machine 20 connected to Internet 10. “Upon receipt of a
`particular Java applet, the HTTP proxy server 32, which is software running
`on server machine 20 and which has associated scanner software 26, then
`scans the applet and instruments it using an instrumenter 28 which is part of
`scanner software 26.” Id. at 4:66–5:3. If a suspicious instruction that calls
`an insecure function is found during this static scanning, the Java applet
`code sequence is instrumented to insert a first instruction sequence (pre-
`filter) before that suspicious instruction and a second instruction sequence
`(post-filter) after that instruction. Id. at 5:16–27. Ji provides the following
`example of code that disallows a suspicious function of directory listing
`access (“java.IO.File.list”) on the client computer:
`
`12
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`
`Id. at 5:44–6:9, 6:10–20.
`The instrumenter generates a call to pre-filter function, “with the
`name of the suspicious function, parameters to the suspicious function, and
`possibly other information about [t]his suspicious function invocation as the
`parameters.” Id. at 5:44–61. The pre-filter checks the security policy
`associated with scanner 26 and decides whether the particular instruction is
`allowed. Id. at 5:33–36. The second instruction sequence generates a call to
`a post-filter function provided by the scanner, and reports the result of the
`call to the post-filter function. Id. at 5:37–40. Ji describes that this static
`scanning and instrumentation are both performed on HTTP proxy server 32.
`Id. at 5:41–43.
`
`3.
`Overview of Chander (Exhibit 1008)
`Chander is directed to mobile code security by Java bytecode
`instrumentation. Ex. 1008, 1 (see Title). Chander explains that, although
`the Java Virtual Machine (“JVM”) includes steps to verify programs and
`perform run-time tests, the Java mobile code may still behave in ways that
`are harmful to users. Id. at 1 (see Abstract). Chander describes an improved
`security technique called bytecode instrumentation that inserts additional
`
`13
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`run-time tests into Java code using class modification or method-level
`modification. Id. at 2.
`According to Chander, method-level modification can be “applied on
`a method-by-method basis without regard to class hierarchy restrictions.”
`Id. Chander describes a first example of a method modification, where the
`method “Thread.setPriority[]” is replaced with a safer version of the method
`“Safe$Thread:setPriority[]” that “does not allow threads spawned by mobile
`code to have higher priority than a user-specified upper limit defined in class
`Safe$Thread.” Id. at 4. The safeguarding method
`“Safe$Thread:setPriority[]” takes the priority integer value “I” of the
`original method and compares it to the safeguard upper limit; if the priority
`value I is higher than this upper limit, then the priority value is set to this
`upper limit and the “Thread.setPriority[]” method is invoked with the
`verified priority value I. Id.
`In a second a second example of a method modification, an applet is
`prevented from disclosing a user’s confidential information through email by
`blocking a connection to a particular port on the web server. Id. at 10–11.
`The method “Socket.<init>[]” is replaced by the safeguard method
`“Safe$Socket:init” that monitors the port number “I” for every socket
`connection request, and will establish the socket connection unless the port
`number “I” is the particular port on the web server to be blocked. Id. at 11.
`Figure 5, reproduced below, depicts the basic architecture of
`Chander’s sytem. Id. at 5.
`
`14
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`Figure 5 illustrates a system including a web browser running on a
`networked computer (element on right side, labeled as running a “Modified
`Applet”), which is connected to an Internet Web Server via a network proxy
`and the Internet. Id. at 5; see also id. at 1 (networked computer executing
`Java). When the web browser requests a web page or applet, the request
`goes through the network proxy to the web server, which responds by
`sending the requested data to the proxy. Id. at 5. If the request was for a
`Java applet, “the proxy will pass the applet code to the bytecode filter,”
`which then “will examine the bytecode for potential risks and modify the
`bytecode before sending the code for execution to the web browser.” Id.
`Thus, “the web browser only receives bytecode that has been screened.” Id.
`Chander further describes the proxy, which “also has access to a repository
`of Java classes, including secure safe classes that can be substituted for
`standard library classes and implementations of user-interface methods.” Id.
`
`15
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Reasonable Likelihood Determination
`D.
`After considering Petitioner’s contentions and Patent Owner’s
`arguments in opposition, we are not persuaded that Petitioner has
`demonstrated a reasonable likelihood of prevailing in showing that the
`challenged claim would have been obvious over the asserted prior art.
`For both asserted grounds, Petitioner relies on Gladstone’s event
`processing server as teaching the “security computer” that inspects the input
`of a first function, and indicates whether it is safe to invoke a second
`function with the input. Pet. 2930, 6264. We determine that Petitioner
`has not shown a reasonable likelihood of prevailing in its assertion that it
`would have been obvious to combine Gladstone’s event processing server
`with either Ji or Chander.
`
`1.
`Gladstone and Ji Combination
`Petitioner summarizes the asserted combination as follows: “The
`proposed combination adds Ji’s server with scanner to the perimeter of
`Gladstone’s network in order to deliver instrumented applets to Gladstone’s
`nodes. The two references would come together as shown in the diagram
`below based on figures from Ji and Gladstone and annotated in color.”
`Pet. 25. Reproduced below is the annotated diagram provided in the Petition
`showing Petitioner’s overall contentions of how Ji and Gladstone would
`have been combined. Id.
`
`16
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`
`The diagram above merges Figure 1 of Ji with Figure 2 of Gladstone
`to illustrate the combination of Ji’s Server Machine (including Scanner 25)
`(colored in purple) with Gladstone’s Nodes (A and B) (colored in blue) and
`event processing server 100 (colored in red). We discuss first Petitioner’s
`contention that Ji’s pre-filter code would have been modified and
`Petitioner’s contention of the motivation to combine the teachings of Ji’s
`pre-filter code with Gladstone’s nodes and event processing server. Second,
`we discuss how Petitioner’s argument of modification of Ji, in view of
`Gladstone’s teachings, is not persuasive to show that claim 1 would have
`been obvious over the alleged combination.
`
`17
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Petitioner’s Contentions Regarding the Modification of Ji
`Claim 1 requires a “transmitter for transmitting the input to the
`security computer for inspection, when the first function is invoked.”
`Petitioner identifies the Gladstone event agent within the node as the
`transmitter. Pet. 3435. Gladstone’s event agent, however, transmits an
`event message or notification, not an “input” of a function call.
`Nevertheless, Petitioner asserts that Gladstone’s event agent would transmit
`the recited “input” when the first function was invoked because the
`Gladstone node instead would execute Ji’s pre-filter code. Id. at 35.
`Petitioner explains the combination as a “modification of Ji”: “Modifying
`Ji’s pre-filter functions to transmit the input to the remote security computer
`via Gladstone’s transmitter is relatively simple and requires only a few
`additional lines of code relative to the examples provided in Ji.” Id. at 36.
`To support this statement Petitioner cites the Nielson Declaration, at
`paragraph 73.
`Essentially, and according to Petitioner’s theory of obviousness, Ji is
`modified so that the pre-filter code—inserted in the applet at the server
`during scanning—runs on the Gladstone node and transmits “security
`checks” to Gladstone’s event processing server, instead of performing
`“security checks” locally at the node.
`Claim 1 also requires a “receiver for receiving an indicator from the
`security computer whether it is safe to invoke the second function with the
`input.” Here too Petitioner relies on Gladstone’s event agent as receiving
`notifications from Gladstone’s event processing server. Id. at 3738.
`Petitioner contends that Gladstone’s server determines whether the
`individual notification received from the nodes warrant policy updates and
`
`18
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`determines whether to quarantine the node, define operations that may not
`be performed, or tune operating system, firewall, or network parameters. Id.
`at 39 (citing Ex. 1006, 6:5465). Petitioner relies on claim 1 of Gladstone,
`which states that a policy message from the server comprises “disallowing
`the access request to continue along the communication path,” as meaning
`that Gladstone’s nodes receive an indication whether the “input” is unsafe.
`Id. at 39. According to Petitioner, “the means by which Gladstone’s Server
`disallows the access request would simply be by sending a value that forces
`the if function to evaluate to ‘true’ such that an exception is thrown before
`the original (‘second’) function is invoked.” Id. at 40 (citing Ex. 1004,
`(“Nielson Decl.”) ¶ 78; Ex. 1005 6:1516 and 6:3132).
`
`Contentions Regarding Motivation to Combine
`According to Petitioner, the combination of Ji and Gladstone is
`predictable and the modification is trivial, because a remote service can be
`accessed by a normal method call, but is actually a request to a remote
`computer. Pet. 43. Petitioner refers to “minimal alteration” of Ji’s pre-filter
`code so that instead of Ji performing the security checks at the node for
`which the applet is intended, Ji transfers the security check to a remote
`computer, i.e., Gladstone’s event processing server. Id. (citing Nielson Decl.
`¶¶ 55, 73, 78). When comparing the Ji pre-filter code with the Gladstone
`Reference Monitor, Petitioner asserts that Ji’s pre-filter code is also a
`“reference monitor” because the security check is inserted directly into the
`code. Id. at 4243.
`Additionally, Petitioner alleges that a person of ordinary skill in the
`art would have been “motivated to apply Ji’s technique for delivering
`reference monitors from the proxy to the problem of installing Gladstone’s
`
`19
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Reference Monitor on each node.” Id. at 44. According to Petitioner, Ji
`teaches a motivation because it recognizes that it is easier to deploy code
`from a single server (read here Ji’s proxy server with the scanner), rather
`than “installing software manually on every individual node in Gladstone’s
`network.” Id. at 45. Finally, Petitioner asserts that the combination would
`have been motivated by Gladstone itself, because Gladstone teaches using a
`centralized server, and it would have been a design incentive to modify Ji’s
`pre-filter code for use with a centralized sever, because it “dramatically
`improves system security.” Id. at 47 (citing Nielson Decl. ¶ 56).
`
`Patent Owner’s Exemplary Arguments
`Patent Owner challenges Petitioner’s assertion that Ji’s pre-filter
`function transmits the input to the remote computer. Prelim. Resp. 2628.
`Patent Owner focuses its arguments on Ji’s disclosure of the pre-filter code,
`and how it does not pass any input or parameter for inspection anywhere,
`and that Gladstone, even if combined with Ji, would not perform any such
`inspection because Gladstone only processes event messages. Id. Patent
`Owner also argues that what the Gladstone nodes receive is a notification
`from the server after the “second function” has been invoked because the
`access request is allowed to continue along the communication path. Id. at
`3334.
`
`Alleged Trivial or Minimal Modifications
`The arguments by Patent Owner raise the issue of whether Petitioner
`has demonstrated that the reasons for the combination of Ji and Gladstone
`are rational in light of their teachings. We see that Patent Owner focuses on
`distinguishing Ji’s pre-filter code as failing to teach passing of the inputs to a
`security computer as required. Petitioner’s contention, we note, is that Ji’s
`
`20
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`pre-filter code would have been modified, with “trivial” changes or
`“minimal alteration,” to perform the transmission of the recited inputs at
`Gladstone’s nodes. Upon further inspection of the record, in an effort to
`ascertain the asserted modification of Ji, however, we discover eight
`separate listings of program code included in the Nielson Declaration as
`“Listings.” Ex. 1004, Appendix A. None of the “Listings” identify which
`portions of the code are original to Ji and which are added. Thus, whatever
`alterations Ji’s pre-filter code may require were not made clear in these
`Listings.
`Further, it is evident that the Listings provide further modifications
`that the Petition does not explain meaningfully, and include various
`programs that must be implemented in other parts of the system, such as
`adding code for “remote enforcement” at the server. See Ex. 1004, 91.
`These modifications of the server and the additional code that would be
`necessary for the server to work in conjunction with Ji’s modified code are
`glossed over in the Petition, subsumed within an explanation that the
`changes or additions are “trivial” or “minimal.” But we are not persuaded
`that they are as such.
`Instead, these program listings show us that although it is possible to
`modify Ji’s program to send an input to a remote computer to achieve the
`asserted combination of teachings, one would have needed the foresight of
`the claims. In other words, the reasons given by Petitioner to revise Ji’s pre-
`filter code would not compel also the conclusion that Gladstone’s nodes
`would also need further modification and that additional security checks are
`to be implemented in Gladstone’s server. In our view, the modification of Ji
`
`21
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`and Gladstone are the product of hindsight, not of a reasonable motivation to
`combine.
`We start with the fact that Gladstone is designed for the nodes to
`apply locally a current pre-programmed administrative policy. See Ex.
`1006, 7:2229, 7:3338 (stating that the event agent at the node may, in
`addition to of instead of local protection, send the notification to the server
`as “defined by current administrative policy”). For example, Gladstone’s
`server receives event notifications from the node because, in accordance
`with the pre-programmed policy, the node’s event agent intercepted an
`access to a system resource, such as a disk. Ex. 1006, 8:723. Gladstone
`explains that the node sends the notification of the access to the server, but
`the access at the node has already occurred; the server, if it finds the access
`was potentially harmful, updates the node’s policy to prevent future accesses
`of the same type. Id. at 8:2442, 8:679:21 (explaining that the Gladstone
`server may also send a policy update to the other nodes in the network). The
`server may also determine whether to quarantine the affected node, change
`operation of the affected node through defining operations that may not be
`performed, or tune the operating system. Id. at 6:5462. Thus, although
`Gladstone provides for centralized event processing, to correlate seemingly
`innocuous network activity that turns out to be an attack in progress, it also
`allows the nodes to monitor themselves and to notify the server only of
`certain activities as dictated by the node’s pre-programmed policy, with the
`server updating the policies across nodes as the attack is detected. See id.;
`see also id. 6:637:13.
`In contrast, Ji anticipates that all Java applets and Active X
`components are to be secured before they are allowed to run in the node.
`
`22
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Ji’s scanner instruments the applet to alter suspicious instructions before
`they are executed at the node. Ex. 1005, 3:4556. In this manner, the
`instrumented applet of Ji includes the alternative instruction and can perform
`an alternative action when malicious code is encountered. Thus, Ji is
`designed to anticipate how much and what protection the nodes will need at
`run-time. Petitioner’s theory of obviousness, however, modifies Ji to instead
`delegate the suspicious function check to a remote computer, even though Ji
`provides whatever code the nodes need to protect themselves at run-time
`from applets and Active X components (or any other executable malicious
`program, according to Petitioner). Pet. 45 (stating that Ji can be used to
`distribute reference monitors for any type of application programs, not just
`Java applets).
`The rationale Petitioner provides for this purported delegation is not
`persuasive. Petitioner posits that the modification of Ji is an improvement
`motivated by Ji, because Ji’s delivery of instrumented applets avoids the
`expense of manual deployment that Gladstone utilizes. Pet. 4445. This
`reason may motivate the automated delivery of code from Ji’s sever to
`Gladstone’s nodes, but goes no further to support the contention that Ji’s
`pre-filter code would have been modified to perform its security check at the
`Gladstone event processing server, instead of performing the check locally at
`the node.
`The second rationale Petitioner provides fares no better. Petitioner
`posits that Gladstone itself provides “the strongest motivation to use a
`centralized Server.” Id. at 47. In particular, Petitioner argues that a
`centralized server is in a position to correlate events across nodes and catch
`more advanced attacks. Id. Petitioner alludes to it being well-known for a
`
`23
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`centralized server to communicate with multiple nodes running instrumented
`code programs to detect more advanced attacks. Id. We are not persuaded
`by Petitioner’s reliance on Gladstone or the “w
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
