UNITED STATES PATENT AND TRADEMARK OFFICE
`__________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`__________
`
`
`Juniper Networks, Inc.,
`
`Petitioner
`
`v.
`
`Finjan, Inc.,
`
`Patent Owner
`___________
`
`U.S. Patent No. 8,141,154
`
`Issued: March 20, 2012
`
`Named Inventors:
`David Gruzman and Yuval Ben-Itzhak
`
`Title: System And Method For
`Inspecting Dynamically Generated Executable Code
`
`___________
`
`DECLARATION OF DR. SETH NIELSON
`IN SUPPORT OF
`PETITION FOR INTER PARTES REVIEW
`OF U.S. PATENT NO. 8,141,154
`
`
`
`
`
`Juniper Ex. 1004-p. 1
`Juniper v Finjan
`
`
`__________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`__________
`
`
`Juniper Networks, Inc.,
`
`Petitioner
`
`v.
`
`Finjan, Inc.,
`
`Patent Owner
`___________
`
`U.S. Patent No. 8,141,154
`
`Issued: March 20, 2012
`
`Named Inventors:
`David Gruzman and Yuval Ben-Itzhak
`
`Title: System And Method For
`Inspecting Dynamically Generated Executable Code
`
`___________
`
`DECLARATION OF DR. SETH NIELSON
`IN SUPPORT OF
`PETITION FOR INTER PARTES REVIEW
`OF U.S. PATENT NO. 8,141,154
`
`
`
`
`
`Juniper Ex. 1004-p. 1
`Juniper v Finjan
`
`
`
`I.
`
`INTRODUCTION
`
`1.
`
`I have been asked by Juniper Networks, Inc. (“Petitioner” or
`
`“Juniper”) to provide my expert opinion in support of this petition for inter partes
`
`review (IPR) of claim 1 of U.S. Patent No. 8,141,154 (“the ‘154 Patent,” Ex.
`
`1001).
`
`2.
`
`I am a U.S. citizen over eighteen years of age. I am fully competent
`
`to testify as to the matters addressed in this declaration. I currently hold the
`
`opinions set forth in this declaration. It is my opinion that the prior art references
`
`in the associated petition for IPR render claim 1 of the ‘154 Patent obvious. My
`
`detailed opinion is set forth below.
`
`3.
`
`I am the founder and Chief Scientist of Crimson Vista, Inc., a
`
`computer security consulting company as well as the Director of Advanced
`
`Research Projects at Johns Hopkins University Information Security Institute. My
`
`curriculum vitae is attached to the associated petition for IPR as Exhibit 1003. I
`
`believe that my background and expertise qualify me as an expert in the technical
`
`issues in this matter.
`
`4.
`
`I am being compensated for my time by Petitioner at my standard rate
`
`of $475 per hour. This compensation is not contingent upon my performance, the
`
`outcome of this matter, or any issues involved in or related to this matter.
`
`Juniper Ex. 1004-p. 2
`Juniper v Finjan
`
`
`
`5.
`
`I have no direct personal, commercial, or financial interest in
`
`Petitioner or Patent Owner, or any other party related to this matter.
`
`6.
`
`I have considered all of the exhibits and documents referred to herein,
`
`as well as the complete prosecution history (including prior IPRs). Although not
`
`expressly cited in my analysis, I also considered Exhibits 1009, 1014, and 1018. I
`
`am also aware of information generally available to, and relied upon by, persons of
`
`ordinary skill in the art at the relevant times, including, for example, textbooks,
`
`manuals, technical papers, and articles.
`
`7.
`
`I understand that, due to procedural limitations for IPR proceedings,
`
`the grounds of invalidity that may be presented can be based solely on prior art
`
`patents and other printed publications. I understand that Petitioner reserves all
`
`rights to assert at a later time other grounds for invalidity not addressed herein.
`
`The absence of discussion of such matters here should not be interpreted as
`
`indicating that there are no such additional grounds for invalidity of the ‘154
`
`Patent. Similarly, absence of discussion of other printed prior art references here
`
`should not be interpreted as indicating that there are no other printed prior art
`
`references that either anticipate or render obvious the ‘154 Patent.
`
`8.
`
`I reserve the right to supplement my opinions to address any
`
`information obtained, or positions taken, based on any new information that comes
`
`to light.
`
`Juniper Ex. 1004-p. 3
`Juniper v Finjan
`
`
`
`II. LEGAL STANDARDS
`
`9.
`
`I am not a lawyer and my opinions are limited to my technical
`
`training, experience, and what I believe a person of ordinary skill in the art would
`
`have understood. However, in order to reach my conclusions, I use the principles
`
`below that have been explained to me by Petitioner’s counsel as a guide in
`
`formulating my opinions.
`
`10. My understanding is that a primary step in determining the validity of
`
`patent claims is to properly construe the claims to determine claim scope and
`
`meaning.
`
`11.
`
`It is my understanding that a claim’s preamble has the import that the
`
`claim as a whole suggests for it. I further understand that, if the preamble, when
`
`read in the context of the entire claim, recites limitations of the claim, or, if the
`
`claim preamble is necessary to give life, meaning, and vitality to the claim, then
`
`the claim preamble should be construed as if in the balance of the claim. I further
`
`understand that if the body of a claim fully and intrinsically sets forth all of the
`
`limitations of the claimed invention, and the preamble merely states, for example,
`
`the purpose or intended use of the invention, rather than any distinct definition of
`
`any of the claimed invention’s limitations, then the preamble is not considered a
`
`limitation and is of no significance to claim construction.
`
`Juniper Ex. 1004-p. 4
`Juniper v Finjan
`
`
`
`12.
`
`In an IPR proceeding, I understand that claims are to be given their
`
`broadest reasonable construction in light of the patent’s specification. In other
`
`forums, such as in federal District Courts, different standards of claim
`
`interpretation control, which are not applied by the Patent Office for IPR.
`
`Accordingly, I reserve the right to argue for a different interpretation or
`
`construction of the challenged claims in other proceedings, as appropriate.
`
`13.
`
`It is my understanding that a claim is obvious, and therefore
`
`unpatentable, under 35 U.S.C. § 103 if the claimed subject matter as a whole
`
`would have been obvious to a person of ordinary skill in the art at the time of the
`
`alleged invention. I understand that obviousness is a question of law based on
`
`underlying factual issues. I also understand that an obviousness analysis takes into
`
`account the scope and content of the prior art, the differences between the claimed
`
`subject matter and the prior art, the level of ordinary skill in the art at the time of
`
`the invention, and the existence of secondary considerations such as commercial
`
`success or long-felt but unresolved needs.
`
`14.
`
`In determining the scope and content of the prior art, it is my
`
`understanding that a reference may be considered analogous prior art if it falls
`
`within the field of the inventor’s endeavor. In addition, I understand that a
`
`reference may also be considered analogous prior art if it is reasonably pertinent to
`
`the particular problem with which the inventor was involved. A reference is
`
`Juniper Ex. 1004-p. 5
`Juniper v Finjan
`
`
`
`reasonably pertinent if it logically would have commended itself to an inventor’s
`
`attention in considering his problem. If a reference relates to the same problem as
`
`the claimed invention, that supports the use of the reference as prior art in an
`
`obviousness analysis.
`
`15. To assess the differences between prior art and the claimed subject
`
`matter, it is my understanding that 35 U.S.C. § 103 requires the claimed invention
`
`to be considered as a whole. This “as a whole” assessment requires showing that
`
`one of ordinary skill in the art at the time of invention, confronted by the same
`
`problems as the inventor and with no knowledge of the claimed invention, would
`
`have selected the elements from the prior art and combined them in the claimed
`
`manner.
`
`16.
`
`It is my further understanding that the Supreme Court has recognized
`
`several non-exhaustive rationales for combining references or modifying a
`
`reference to show obviousness of claimed subject matter. Some of these rationales
`
`include: combining prior art elements according to known methods to yield
`
`predictable results; simple substitution of one known element for another to obtain
`
`predictable results; use of a known technique to improve similar devices (methods
`
`or products) in the same way; applying a known technique to a known device
`
`(method or product) ready for improvement to yield predictable results; choosing
`
`from a finite number of identified, predictable solutions, with a reasonable
`
`Juniper Ex. 1004-p. 6
`Juniper v Finjan
`
`
`
`expectation of success; known work in one field of endeavor prompting variations
`
`of it for use in either the same field or a different one based on design incentives or
`
`other market forces if the variations are predictable to one of ordinary skill in the
`
`art; and some teaching, suggestion, or motivation in the prior art that would have
`
`led one of ordinary skill to modify the prior art reference or to combine prior art
`
`reference teachings to arrive at the claimed invention.
`
`17.
`
`It is further my understanding that a proper obviousness analysis
`
`focuses on what was known or obvious to a person of ordinary skill in the art.
`
`Accordingly, I understand that any need or problem known in the field of endeavor
`
`at the time of invention can provide a reason for combining the elements in the
`
`manner claimed.
`
`18.
`
`I understand that secondary indicia of non-obviousness may include:
`
`(1) a long felt but unmet need in the prior art that was satisfied by the invention of
`
`the patent; (2) commercial success of processes covered by or products made by
`
`the patent; (3) unexpected results achieved by the invention; (4) praise of the
`
`invention by others skilled in the art; (5) licensing of the patent by others; (6)
`
`deliberate copying of the invention; (7) failure of others to find a solution to the
`
`long felt need; and (8) skepticism by experts. I also understand that there must be
`
`a relationship between any such secondary considerations and the invention. I
`
`Juniper Ex. 1004-p. 7
`Juniper v Finjan
`
`
`
`further understand that contemporaneous and independent invention by others is a
`
`secondary consideration supporting an obviousness determination.
`
`19.
`
`In summary, my understanding is that prior art teachings are properly
`
`combined where a person of ordinary skill in the art having the understanding and
`
`knowledge reflected in the prior art and motivated by the general problem facing
`
`the inventor would have been led to make the combination of elements recited in
`
`the claims. Under this analysis, the prior art references themselves, or any need or
`
`problem known in the field of endeavor at the time of the invention, can provide a
`
`reason for combining the elements of multiple prior art references in the claimed
`
`manner.
`
`III. TECHNOLOGY BACKGROUND ON THE ‘154 PATENT
`
`20. The ‘154 Patent relates to protecting computers against malware.
`
`‘154 Patent (Ex. 1001) at 1:7-9. The specification differentiates a special class of
`
`malware that is “dynamically generated” or, in other words, parts of the malicious
`
`code are written dynamically at runtime to avoid detection. Id at 3:31-39. The
`
`‘154 Patent uses dynamically generated malware as the motivation for the alleged
`
`invention and some embodiments are directed to the same. Id generally. While
`
`Claim 1 itself, as explained in subsequent paragraphs, is broader and not limited to
`
`dynamically generated content, my description and explanation of the patent will
`
`be primarily directed toward this embodiment.
`
`Juniper Ex. 1004-p. 8
`Juniper v Finjan
`
`
`
`21. There are two pieces to the ‘154 Patent’s approach to computer
`
`security. The first piece addresses the question of where a code operation should
`
`be inspected to determine if it is potentially malicious. As background, Figure 1 of
`
`the ‘154 Patent shows that, in the prior art, code operations were either inspected at
`
`the network gateway or at the client computer or both; the “content inspector”
`
`where such analysis was performed is outlined below in red:
`
`Juniper Ex. 1004-p. 9
`Juniper v Finjan
`
`
`
`The ‘154 Patent alleged various drawbacks in the prior art. According to the
`
`specification, on the one hand, inspecting software at the client computer is
`
`vulnerable to hackers that can easily obtain copies of consumer (i.e., client-side)
`
`antivirus software and reverse engineer the software in order to design viruses
`
`
`
`Juniper Ex. 1004-p. 10
`Juniper v Finjan
`
`
`
`specifically to avoid those detection capabilities. Client-side software also requires
`
`more complicated administration. ‘154 Patent at 4:15-22. On the other hand, the
`
`‘154 Patent also asserts that inspecting software at the network gateway may not
`
`identify dynamically generated viruses that do not behave maliciously until they
`
`begin executing at the client computer. ‘154 Patent at 3:65-4:8. Accordingly, the
`
`‘154 Patent asserted “a need for a new form of behavioral analysis, which can
`
`shield computers from dynamically generated malicious code without running on
`
`the computer itself that is being shielded.” ‘154 Patent at 4:23-26.1 In other
`
`words, the ‘154 Patent proposes an approach for inspecting software for potential
`
`malware that it believes provides advantages over either pre-execution scanning at
`
`the network gateway or scanning at the client computer.
`
`22. The ‘154 Patent’s solution was to move the inspector to a (preferably)
`
`remote location that can be different from both the client computer and the network
`
`gateway. This solution is depicted in Figure 2, which shows the inspector
`
`(outlined in red again) deployed to a remote “Security Computer” that is connected
`
`to but separate from the client computer:
`
`1 All emphasis is added unless indicated otherwise.
`
`Juniper Ex. 1004-p. 11
`Juniper v Finjan
`
`
`
`
`
`23. The second piece to the ‘154 Patent’s approach to computer security
`
`was to leverage a well-known set of techniques referred to as “wrapping,”
`
`“hooking,” or “instrumenting.” These terms are often interrelated and sometimes
`
`interchanged, but they have technically distinct meanings.
`
`24.
`
`“Wrapping” is typically understood to be the process of taking one
`
`function within a program and replacing it in some way with an intermediary
`
`Juniper Ex. 1004-p. 12
`Juniper v Finjan
`
`
`
`function. When the intermediary function is called, it can subsequently call the
`
`original function after optional preprocessing. For example, using a framework
`
`called “SWIG” (Simplified Wrapper and Interface Generator), I have worked on
`
`software projects that merged two different languages. A function in one language
`
`was wrapped into the function of another. This framework was described in a
`
`research paper in 1996. See generally Ex. 1019.
`
`25.
`
`“Hooking” typically means that some operation or function has been
`
`changed such that different or additional operations or functions can be called
`
`when the hooked function is called. Hooking is also one method for wrapping a
`
`function. By way of example, hooking was used in DOS as a way of modifying
`
`how signals from the operating system were processed. Ex. 1020 at 25.
`
`26.
`
`“Instrumenting” almost always refers to modifying computer code
`
`with additional instructions. Instrumenting is another way to wrap a function or to
`
`insert certain “hook” functions. Ex 1021 at 4-5. For purposes of my analysis, I
`
`will generally use the term “instrument” with the understanding that instrumenting
`
`code may be used to wrap or hook functions.
`
`27. The specification of the ‘154 Patent, describes substituting the original
`
`function with a different function that instructs the computer to first inspect the
`
`input to the original function to make sure that the input is not malicious before
`
`executing the original function. To illustrate, the ‘154 Patent provides the example
`
`Juniper Ex. 1004-p. 13
`Juniper v Finjan
`
`
`
`of receiving the following original function that would display the word “hello” on
`
`the screen of a web browser:
`
`
`
`‘154 Patent at 10:25. The ‘154 Patent teaches defining a different function with
`
`the name “Substitute_document.write()” that would be passed the input
`
`to the original document.write() function in order to check if the input is
`
`malicious:
`
`
`
`‘154 Patent at 10:48:54. Starting at the top of this excerpt, a substitute function is
`
`defined labeled “Substitute_document.write()” (everything between the
`
`{ } brackets serves to define the substitute function) and then, in the last line
`
`(after the closing } bracket), the newly defined substitute function is passed the
`
`“<h1>hello</h1>” input from the original function document.write() in
`
`order to check whether there is an issue with the <h1>hello</h1> input. In
`
`short, the solution substitutes the original function with a different function that
`
`Juniper Ex. 1004-p. 14
`Juniper v Finjan
`
`
`
`serves as a guard or monitor to ensure that the input to the original function is
`
`inspected. See, e.g., ‘154 Patent at 4:55-60 (“the present invention operates by
`
`replacing original function calls with substitute function calls within the content …
`
`prior to the content being received at the client computer.”).
`
`28.
`
` Putting the pieces of a remote security computer and instrumentation
`
`together, Figure 2 of the ‘154 Patent is now represented in annotated formatted to
`
`illustrate the process:
`
`The process begins when an original function with input comes in over a network.
`
`The network gateway then replaces the original function with a substitute function
`
`
`
`Juniper Ex. 1004-p. 15
`Juniper v Finjan
`
`
`
`that has the same input and then sends the substitute function to the content
`
`processor2 (e.g., a web browser on a client computer). When the content processor
`
`invokes the substitute function, it transmits the input to the security computer,
`
`which analyzes it and returns an indication of whether it is safe to execute the
`
`original function with the input.
`
`Claim 1 of the ‘154 Patent captures this setup and reads as follows:
`
`A system for protecting a computer from dynamically
`
`generated malicious content, comprising:
`
`a content processor (i) for processing content received
`
`over a network, the content including a call to a first function,
`
`and the call including an input, and (ii) for invoking a second
`
`function with the input, only if a security computer indicates that
`
`such invocation is safe;
`
`a transmitter for transmitting the input to the security
`
`computer for inspection, when the first function is invoked; and
`
`a receiver for receiving an indicator from the security
`
`computer whether it is safe to invoke the second function with
`
`the input.
`
`The claim as written, however, is worded a bit oddly because the claim only recites
`
`the client computer and security computer components of the setup illustrated
`
`2 As shown in Figure 2 of the ‘154 Patent, the “content processor” is actually a
`component within the client computer. The entire client computer has been
`outlined in blue in this diagram (in addition to the content processor therein) just to
`help illustrate the challenged claim.
`
`Juniper Ex. 1004-p. 16
`Juniper v Finjan
`
`
`
`above and skips the network gateway component, taking as a given that the
`
`function received by the content processor is already a substitute function. As a
`
`result, the “first” function that appears in the claim is the substituted function, and
`
`the “second” function recited in the claims is actually a reference to the original
`
`function received by the network gateway. The annotated diagram above is shown
`
`here with a dashed line encompassing the structural components actually recited in
`
`the claim:
`
`Claim 1 is now re-presented here, annotated to correspond to the diagram above:
`
`
`
`Juniper Ex. 1004-p. 17
`Juniper v Finjan
`
`
`
`A system for protecting a computer from dynamically
`
`generated malicious content, comprising:
`
`a content processor (i) for processing content received
`
`over a network, the content including a call to a first [i.e.,
`
`substitute] function, and the call including an input, and (ii) for
`
`invoking a second [i.e. original] function with the input, only if
`
`a security computer indicates that such invocation is safe;
`
`a transmitter for transmitting the input to the security
`
`computer for inspection, when the first [i.e., substitute] function
`
`is invoked; and
`
`a receiver for receiving an indicator from the security
`
`computer whether it is safe to invoke the second [i.e. original]
`
`function with the input.
`
`IV. LEVEL OF ORDINARY SKILL IN THE ART
`
`29. A person of ordinary skill in the art of the ‘154 Patent would have a
`
`bachelor’s degree in computer science or related field and either (1) two years of
`
`industry experience or (2) an advanced degree in computer science or related filed.
`
`See also IPR2015-01979, Ex. 2002 ¶ 35. This level of ordinary skill in the art is
`
`approximate and a higher level of education or skill might make up for less
`
`experience, and vice-versa. My analysis would not change if the level of ordinary
`
`skill in the art were deemed to be somewhat higher or lower.
`
`30.
`
`I was a person of ordinary skill in the art at the time of the filing of the
`
`‘154 Patent. Moreover, from my research and my education, I am familiar with the
`
`Juniper Ex. 1004-p. 18
`Juniper v Finjan
`
`
`
`evolution of the state of the art over time, and I therefore have additional
`
`understanding of the ordinary skill in the art at the time of the invention. In my
`
`research at Johns Hopkins, I also manage people that are persons of ordinary skill
`
`in the art and therefore have an understanding of their perspective and ordinary
`
`creativity. I therefore believe I am qualified to offer an opinion regarding what a
`
`person of ordinary skill in the art at the relevant time would have understood and
`
`known.
`
`V. CLAIM CONSTRUCTION
`
`31. The Board has previously construed two terms in the ‘154 Patent.
`
`The Board construed “content” as “data or information, which has been modified
`
`and is received over a network.” IPR2015-01979, Paper 62 at p. 14. The Board
`
`also construed “call to a first function” as “a statement or instruction in the content,
`
`the execution of which causes the function to provide a service.” Id. at 16; see also
`
`IPR2016-00151, Paper 51 at p. 9 (construing “call to a first function” as “a
`
`statement or instruction in a program requesting the services of a particular (i.e.,
`
`first) function”). I have applied these constructions in my analysis.
`
`32. As I mentioned, “content” has been construed as “data or information,
`
`which has been modified and is received over a network.” A person of ordinary
`
`skill would not recognize “content processor” specifically as the name for a
`
`structure that processes data or information that has been modified and is received
`
`Juniper Ex. 1004-p. 19
`Juniper v Finjan
`
`
`
`over a network. I also agree with Patent Owner that “a ‘processor’ by itself
`
`typically refers to a hardware component, such as an Intel Microprocessor.” Ex.
`
`1026 at 19. Thus, a person of ordinary skill would not understand, based on only
`
`the claim language itself, whether the claimed “content processor” could also be a
`
`physical hardware component or is limited to software. The only specific
`
`structures provided in the specification for a “content processor” are a web browser
`
`and Java virtual machine. See ‘154 Patent at 13:67-14:1 (“web browser or a Java
`
`virtual machine, that processes the modified content”); see also id. at 2:23-24,
`
`2:64-67, 3:62-63, 10:38-39, 10:61-62, 15:35-36 (web browser). Therefore, for
`
`purposes of my opinion, I have construed the term “content processor” to at least
`
`include web browsers and the Java virtual machine.
`
`33. Relatedly, since the claimed content processor must include web
`
`browsers and the Java virtual machine, both the “first function” and “second
`
`function” invoked by those content processors must be construed broadly enough
`
`to include functions that may be executed by those content processors, such as Java
`
`applet functions and Java library functions. See ‘154 Patent at, e.g., 13:49-52
`
`(“Such content may be in the form of … a Java applet….”). There is no support in
`
`the claims or specification to construe “first function” or “second function” as
`
`excluding any types of Java functions.
`
`Juniper Ex. 1004-p. 20
`Juniper v Finjan
`
`
`
`34.
`
`I understand that District Courts have construed other terms.
`
`Specifically, two District Courts construed the term “content processor.” Ex. 1028
`
`at 16-18; Dkt No. 267 at 15-18, Proofpoint, No. 4:13-cv-05808-HSG (N.D. Cal.
`
`Dec. 3, 2015). I understand one court also construed “inspection.” Ex. 1028 at 18-
`
`20. I further understand that two courts have construed first function / second
`
`function. Dkt. No. 134 at 35-39, Finjan, Inc. v. Cisco Systems, Inc., No. 5:17-cv-
`
`00072-BLF (N.D. Cal. July 23, 2018); Dkt. No. 267 at 13-14, Finjan, Inc. v.
`
`Proofpoint, Inc., No. 4:13-cv-05808-HSG (N.D. Cal. Dec. 3, 2015). I understand
`
`that those District Courts applied a different standard than is applicable in this
`
`proceeding.
`
`35.
`
`I also understand that in the parallel litigation involving the parties to
`
`this IPR, the parties briefed the construction of three terms, but the Court has not
`
`yet issued a construction of those terms. See Dkt. No. 115 at 4, Case No. 3:17-cv-
`
`05659-WHA (N.D. Cal. Aug. 6, 2018).
`
`VI. OVERVIEW OF THE PRIOR ART
`
`A.
`
`Ji (Ex. 1005)
`
`36. U.S. Patent No. 5,983,348 (“Ji”) teaches an insertion-based approach
`
`to instrumentation where it inserts safety-check function calls directly into the code
`
`of an application program such as a Java applet. Specifically, Ji teaches:
`
`The present
`
`applet
`
`scanner
`
`thus uses
`
`applet
`
`instrumentation technology, that is, for Java applets it
`
`Juniper Ex. 1004-p. 21
`Juniper v Finjan
`
`
`
`alters the Java applet byte code sequence during
`
`downloading of the applet to the [network proxy] 32. …
`
`[S]tatic (pre-run time) scanning is performed on the applet
`
`by the scanner 26 [on the network proxy]. If an instruction
`
`(a suspicious instruction) that calls an insecure function …
`
`is found during this static scanning, a first instruction
`
`sequence (pre-filter) is inserted before that instruction….
`
`Ji at 5:15-27. Ji provides pseudo-code to show how this “pre-filter” (sometimes
`
`called “pre-monitor”) function is inserted into the byte code directly before the
`
`original function, and note that the pre-filter function includes the same
`
`“parameters to the [original] function”:
`
`Ji at 5:52-66.
`
`37. As shown in Figure 1, the insertion of this “pre-filter” function
`
`happens at the “scanner” at a network proxy:
`
`
`
`Juniper Ex. 1004-p. 22
`Juniper v Finjan
`
`
`
`
`
`Thus, by the time the (for example) Java applet arrives at the client machine’s web
`
`browser, it has already been instrumented to contain the pre-filter function that,
`
`during execution, performs a safety check before permitting the Java applet to call
`
`the original function. See also Ji at, e.g., 4:66-5:12 (“the HTTP proxy server
`
`32…then scans the applet and instruments it…. The scanned (instrumented)
`
`applet…is then downloaded to the web browser 22 in the client 14. The
`
`Juniper Ex. 1004-p. 23
`Juniper v Finjan
`
`
`
`applet…instructions are executed. The execution is monitored by the monitor
`
`package software, also downloaded from scanner 26, in the web browser 22.”).
`
`B. Chander (Ex. 1008)
`
`38. Some technical background is helpful to understand Ajay Chander et
`
`al., “Mobile Code Security by Java Bytecode Instrumentation”, DARPA
`
`Information Survivability Conference and Exposition II, June 12-14, 2001
`
`(“Chander”). A “class” is a feature of object-oriented programming and essentially
`
`represents a type of thing within the computer program. Illustrating by way of
`
`example, a programmer could define a class “car.” The programmer can then
`
`create many mini-components from the “car” class. These mini-components are
`
`called “objects” and all objects of class “car” have the characteristics, properties,
`
`and functions defined by the class—a motor, wheels, seats, drive forward, stop,
`
`etc. The programmer could also define a new class called “Electric car” that is a
`
`sub-class of class “car” and therefore inherits all of the characteristics, properties,
`
`and functions defined by class “car” but is further limited, namely with the
`
`characteristics of an electric motor, wheels, seats, etc. The functions associated
`
`with the classes are called “methods.”
`
`39. Chander teaches two methods of replacement-based instrumentation:
`
`class-level modification and method-level modification. Chander at 3. Class-level
`
`modification is more straightforward, where a “class such as Window can be
`
`Juniper Ex. 1004-p. 24
`Juniper v Finjan
`
`
`
`replaced with a subclass of Window (say Safe$Window) that restricts resource
`
`usage and functionality.” Chander at 3. Conceptually, Chander’s subclass is a
`
`safer version of the original. Method-level modification is similar to class-level
`
`modification in that a method is replaced with a safer version of the method; for
`
`example, “A method such as Threat.setPriority(I)V can be replaced with
`
`a safer version, say
`
`Safe$Thread:setpriority(Ljava/lang/Threat;I)V”. Chander at
`
`3-4.
`
`40. Chander teaches instrumenting a program (whether by class-level
`
`modification or by method-level modification) before it reaches the client
`
`computer, specifically at a network proxy. Chander describes its setup as follows:
`
`The basic architecture of our system is shown in Figure 5.
`
`When the web browser requests a web page or applet, this
`
`request goes through the network proxy. The proxy forwards
`
`the request to the web server and receives the desired display
`
`or executable content. When the web server sends a Java
`
`applet, the proxy will pass the applet code to the bytecode
`
`filter. The bytecode filter will examine the bytecode for
`
`potential risks and modify the bytecode before sending the
`
`code for execution to the web browser. In this way, the web
`
`browser only receives bytecode that has been screened. The
`
`proxy also has access to a repository of Java classes, including
`
`Juniper Ex. 1004-p. 25
`Juniper v Finjan
`
`
`
`secure safe classes that can be substituted for standard library
`
`classes….
`
`
`
`Chander at 5.
`
`C. Gladstone (Ex. 1006)
`
`41. U.S. Patent No. 7,594,267 (“Gladstone”) at 1:11-14 incorporates by
`
`reference U.S. Patent App. No. 10/071,328 (Ex. 1007).
`
`42. Gladstone discloses a networked computer system comprised of
`
`multiple “nodes” in communication with a central “Event Processing Server.”
`
`Gladstone at Abstract, 6:35-42. A simplified diagram of such a system is
`
`illustrated at, for example, Figure 2 of Gladstone:
`
`Juniper Ex. 1004-p. 26
`Juniper v Finjan
`
`
`
`
`
`When an application “attempts to access system resources…, the attempt is
`
`intercepted by [the] Reference Monitor” sitting on each node. Gladstone at, e.g.,
`
`8:16-18. A “reference monitor” is a term of art; informally, it is a component that
`
`enforces conformance to a policy such as a security policy. Thus, in Gladstone, the
`
`Reference Monitor conveys that information to the Event Agent sitting on each
`
`node, which in turn communicates those events to the Server and subsequently
`
`receives directions back from the Server. Gladstone at, e.g., 7:30-59. The Server
`
`can detect attacks and direct responses. Gladstone at, e.g., 2:12-2:40, 4:28-35,
`
`Juniper Ex. 1004-p. 27
`Juniper v Finjan
`
`
`
`6:54-63 (“determining whether a notification indicates an [] attack...and
`
`determining steps to be taken”). Since the Server receives reports from multiple
`
`nodes, the “Server 100 is able to correlate events that may seem unrelated across
`
`the distributed system to recognize potential attacks.” Gladstone at 6:67-7:4. In
`
`other words, one of the key benefits of Gladstone is that while any individual node
`
`can only see one tree, a centralized Server can see the forest, thereby better
`
`protecting the system by spotting more complex attacks and by sharing information
`
`among computers in the network. See id.
`
`43. One of the key capabilities of the Server is its ability to decide
`
`whether to allow intercepted requests. As background, Reference Monitors detect
`
`events through use of software “interceptors” that “are inserted in the control or
`
`communication paths traversed by [the] events” within the local node. Gladstone
`
`at 5:57-64. By virtue of its location within the control or communications path, the
`
`interceptor has the ability to either allow or block a function from proceeding:
`
`For example, if a particular monitored event is a network
`
`access request, an Interceptor 26 may be inserted in the
`
`operating system at a point where the network access
`
`request is communicated from one portion of the
`
`operating system to another. Interceptor 26 may generate
`
`an event message for each event intercepted. Ev
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
