`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`__________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`__________
`
`
`Juniper Networks, Inc.,
`
`Petitioner
`
`v.
`
`Finjan, Inc.,
`
`Patent Owner
`___________
`
`U.S. Patent No. 8,141,154
`
`Issued: March 20, 2012
`
`Named Inventors:
`David Gruzman and Yuval Ben-Itzhak
`
`Title: System And Method For
`Inspecting Dynamically Generated Executable Code
`___________
`
`PETITION FOR INTER PARTES REVIEW
`OF U.S. PATENT NO. 8,141,154
`
`
`
`
`Mail Stop: PATENT BOARD
`Patent Trial and Appeal Board
`U.S. Patent & Trademark Office
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
`
`
`

`

`TABLE OF CONTENTS
`
`Page
`
`I.
`
`STATUTORY REQUIREMENTS .............................................................. 1
`
`A. Notice of Real Party-In-Interest (37 C.F.R. § 42.8(b)(1)) ................. 1
`
`B.
`
`Notice of Related Matters (37 C.F.R. § 42.8(b)(2)) ........................... 1
`
`C.
`
`Designation of Lead and Back-up Counsel (37 C.F.R.
`§ 42.8(b)(3)) ....................................................................................... 3
`
`D.
`
`Service Information (37 C.F.R. § 42.8(b)(4)) .................................... 4
`
`E.
`
`F.
`
`Certification of Word Count .............................................................. 4
`
`Fees ..................................................................................................... 4
`
`G. Grounds for Standing ......................................................................... 4
`
`H.
`
`Identification of Challenge and Grounds ........................................... 4
`
`II.
`
`TECHNOLOGY BACKGROUND ON CLAIM 1 ...................................... 6
`
`III. LEVEL OF ORDINARY SKILL IN THE ART ........................................ 13
`
`IV. CLAIM CONSTRUCTION ....................................................................... 14
`
`A.
`
`Prior Constructions ........................................................................... 14
`
`B.
`
`―Content Processor‖ ......................................................................... 14
`
`C.
`
`―First Function‖ / ―Second Function‖ .............................................. 15
`
`D. Other Constructions .......................................................................... 16
`
`V. OVERVIEW OF THE PRIOR ART .......................................................... 17
`
`A.
`
`Ji ....................................................................................................... 17
`
`B.
`
`Chander............................................................................................. 19
`
`10554416.48 10
`
`
`- i -
`
`
`
`

`

`Page
`
`C.
`
`Gladstone .......................................................................................... 21
`
`VI. GROUND 1: CLAIM 1 IS OBVIOUS OVER GLADSTONE IN
`VIEW OF JI ................................................................................................ 25
`
`A. Overview of the Combination .......................................................... 25
`
`B.
`
`Preamble: ―A system for protecting a computer from
`dynamically generated malicious content, comprising‖ .................. 26
`
`C.
`
`Element 1(a) ..................................................................................... 29
`
`i.
`
`ii.
`
`iii.
`
`―a content processor for processing content received
`over a network,‖ ..................................................................... 29
`
`―the content including a call to a first function, and the
`call including an input, and‖ .................................................. 30
`
`―for invoking a second function with the input, only if
`a security computer indicates that such invocation is
`safe;‖ ...................................................................................... 31
`
`D.
`
`E.
`
`Element 1(b): ―a transmitter for transmitting the input to the
`security computer for inspection, when the first function is
`invoked; and‖ ................................................................................... 34
`
`Element 1(c): ―a receiver for receiving an indicator from the
`security computer whether it is safe to invoke the second
`function with the input.‖ ................................................................... 37
`
`F.
`
`The Combination Is Predictable ....................................................... 41
`
`G.
`
`Reasons to Combine ......................................................................... 44
`
`i.
`
`Known Technique Improving a Known Device by
`Reducing Burdensome Manual Administration .................... 44
`
`ii.
`
`Enhanced Security Incentivizes Design Choice .................... 46
`
`10554416.48 10
`
`
`- ii -
`
`
`
`

`

`VII. GROUND 2: CLAIM 1 IS OBVIOUS OVER CHANDER IN
`VIEW OF GLADSTONE ........................................................................... 50
`
`Page
`
`A. Overview of the Combination .......................................................... 50
`
`B.
`
`C.
`
`D.
`
`E.
`
`Preamble: ―A system for protecting a computer from
`dynamically generated malicious content, comprising‖ .................. 52
`
`Element 1(a): ―a content processor (i) for processing content
`received over a network, the content including a call to a first
`function, and the call including an input, and (ii) for invoking
`a second function with the input, only if a security computer
`indicates that such invocation is safe;‖ ............................................ 53
`
`i.
`
`Safe$Socket:init ..................................................................... 55
`
`ii.
`
`Safe$Thread:setPriority ......................................................... 58
`
`Element 1(b): ―a transmitter for transmitting the input to the
`security computer for inspection, when the first function is
`invoked; and‖ ................................................................................... 62
`
`Element 1(c): ―a content processor (i) for processing content
`received over a network, the content including a call to a first
`function, and the call including an input, and (ii) for invoking
`a second function with the input, only if a security computer
`indicates that such invocation is safe;‖ ............................................ 64
`
`F.
`
`The Combination Is Predictable ....................................................... 67
`
`G.
`
`Reasons to Combine ......................................................................... 72
`
`VIII. THERE ARE NO OBJECTIVE INDICIA OF NON-
`OBVIOUSNESS ......................................................................................... 73
`
`IX.
`
`35 U.S.C. § 325(d) DOES NOT APPLY ................................................... 75
`
`A.
`
`This petition does not rely on the same prior art or
`arguments. ........................................................................................ 78
`
`10554416.48 10
`
`
`- iii -
`
`
`
`

`

`B.
`
`This petition does not involve substantially the same prior art
`or arguments. .................................................................................... 81
`
`C.
`
`Juniper is a new petitioner relying on non-cumulative art. .............. 85
`
`X.
`
`35 U.S.C. § 314(a) DOES NOT APPLY .................................................... 85
`
`Page
`
`
`
`10554416.48 10
`
`
`- iv -
`
`
`
`

`

`
`
`
`TABLE OF AUTHORITIES
`
` Page(s)
`
`Cases
`
`Alcatel-Lucent USA Inc. v. Oyster Optics, LLC,
`IPR2017-02146, Paper 12 (P.T.A.B. Feb. 28, 2018) ................................... 85
`
`Becton, Dickinson & Co. v. B. Braun Melsungen AG,
`IPR2017-01587, Paper 8 (P.T.A.B. Dec. 15, 2017) ............................... 76, 85
`
`Gen. Plastic Indus. Co. v. Canon Kabushiki Kaisha,
`IPR2016-01357 et al., Paper 19 (P.T.A.B. Sept. 6, 2017) ..................... 85, 86
`
`Unified Patent Inc. v. John L. Berman,
`IPR2016-01571, Paper 10 (P.T.A.B. Dec. 14, 2016) ................................... 77
`
`Statutes
`
`35 U.S.C. § 102 .................................................................................................... 5
`
`35 U.S.C. § 314(a) ............................................................................................. 85
`
`35 U.S.C. § 325(d) ................................................................................. 75, 77, 85
`
`Other Authorities
`
`37 C.F.R. § 42.8 ............................................................................................... 3, 4
`
`
`
`v
`
`

`

`
`
`
`EXHIBIT LIST
`
`Exhibit Description
`
`1001
`
`U.S. Patent No. 8,141,154 (―the ‗154 Patent‖)
`
`1002
`
`File History for the ‗154 Patent
`
`1003
`
`Curriculum Vitae of Dr. Seth Nielson
`
`1004
`
`Expert Declaration of Dr. (―Nielson Dec.‖)
`
`1005
`
`U.S. Patent No. 5,983,348 (―Ji‖)
`
`1006
`
`U.S. Patent 7,594,267 (―Gladstone‖)
`
`1007
`
`U.S. Patent Pub. No. US 2003/0023774 A1
`
`1008
`
`Ajay Chander et al., ―Mobile Code Security by Java Bytecode
`Instrumentation‖, DARPA Information Survivability Conference and
`Exposition II, June 12-14, 2001 (―Chander‖)
`
`1009
`
`Declaration of Gerard P. Grenier (authenticating Chander)
`
`1010
`
`Press Release: ―Finjan Announces License and Settlement Agreement
`with Proofpoint‖ (June 8, 2016)
`
`1011
`
`Email correspondence between counsel for Petitioner and Patent Owner
`
`1012 May 22, 2015 Office Action in Ex Parte Reexamination Application
`No. 90/013,016
`
`1013
`
`U.S. Patent App. No. 11/281,839 (―Ross‖)
`
`1014
`
`Drew Dean et al., ―Java Security: From HotJava to Netscape and
`Beyond,‖ IEEE Symposium on Security and Privacy (1996)
`
`1015
`
`U.S. Patent No. 6,065,118
`
`1016
`
`U.S. Provisional App. No. 60/711,972
`
`1017
`
`Tim Lindholm & Frank Yellin, ―The Java Virtual Machine
`Specification,‖ 2d ed. (1999)
`
`
`
`vi
`
`

`

`
`
`
`David Flanagan, ―Java Foundation Classes in a Nutshell: A Desktop
`Quick Reference‖ (1999)
`
`David M. Beazley, ―SWIG: an easy to use tool for integrating scripting
`languages with C and C++,‖ TCLTK Proceedings of the 4th conference
`on USENIX Tcl/Tk Workshop, Vol. 4 (1996)
`
`David John Perreault, ―Interactive Computer Support for Remote
`Design Teams: A New Approach,‖ MIT these (1991)
`
`Dennis Matthew, ―Choosing an Intrusion Detection System that Best
`Suits Your Organization,‖ SANS Institute (2002)
`
`Kenneth. R. Wood et al., ―Global Teleporting with Java: Toward
`Ubiquitous Personalized Computing,‖ Computer, vol. 30, no. 2, pp. 53-
`59, (Feb. 1997)
`
`D. Dean et al., ―Java Security: From HotJava to Netscape and
`Beyond,‖ Proceedings 1996 IEEE Symposium on Security and Privacy,
`pp. 190-200 (1996)
`
`Atsushi Futakata, ―Patch Control Mechanism for Large Scale Software,‖
`Ninth System Administration Conference (1995)
`
`Socket.java from Java 1.5.0, available at:
`https://www.jcp.org/en/jsr/detail?id=176
`
`Plaintiff Finjan, Inc.‘s Opening Claim Construction Brief, Dkt. No. 176,
`Finjan, Inc. v. Juniper Networks, Inc., Case No. 3:17-cv-05659 (N.D.
`Cal. Aug. 6, 2018)
`
`Plaintiff Finjan, Inc.‘s Opening Claim Construction Brief, Dkt. No. 72,
`Finjan, Inc. v. Symantec Corp., Case No. 4:14-cv-02998-HSG (N.D.
`Cal. Apr. 20, 2015)
`
`Claim Construction Order, Dkt. No. 170, Finjan, Inc. v. Symantec
`Corp., Case No. 4:14-cv-02998-HSG (N.D. Cal. Feb. 10, 2017)
`
`Verdict Form, Dkt. No. 398, Finjan, Inc. v. Sophos Inc., Case No. 3:14-
`cv-01197-WHO (N.D. Cal. Sept. 21, 2016)
`
`vii
`
`1018
`
`1019
`
`1020
`
`1021
`
`1022
`
`1023
`
`1024
`
`1025
`
`1026
`
`1027
`
`1028
`
`1029
`
`
`
`

`

`U.S. Patent No. 8,141,154
`
`
`I.
`
`STATUTORY REQUIREMENTS
`
`A. Notice of Real Party-In-Interest (37 C.F.R. § 42.8(b)(1))
`
`Petitioner Juniper Networks, Inc. (―Juniper‖) is a public company with no
`
`parent corporation and is the sole real party-in-interest.
`
`B. Notice of Related Matters (37 C.F.R. § 42.8(b)(2))
`
`The ‗154 Patent was previously the subject of six IPR proceedings, all of
`
`which are now terminated: IPR2015-01547; IPR2015-01979; IPR2016-00151;
`
`IPR2016-00919; IPR2016-00937; and IPR2016-01071. IPR2015-01979 is
`
`currently pending appeal at the Federal Circuit, No. 17-2314, which has been
`
`consolidated with the appeal of IPR2016-00151 currently pending at the Federal
`
`Circuit, No. 17-2315. Oral argument was held on the combined appeals on June 6,
`
`2018.
`
`Petitioner and Patent Owner are currently involved in pending litigation that
`
`includes the assertion of the ‗154 Patent challenged herein. See Finjan, Inc. v.
`
`Juniper Networks, Inc., Case No. 3:17-cv-05659-WHA (N.D. Cal.). The ‗154
`
`Patent is currently asserted in the following other ongoing litigations:
`
` Finjan, Inc. v. Palo Alto Networks, Inc., No. 4:14-cv-04908-PJH (N.D. Cal.)
`
`(―Palo Alto Networks‖)
`
` Finjan, Inc. v. Bitdefender Inc., No. 4:17-cv-04790-HSG (N.D. Cal.)
`
`(―Bitdefender‖)
`
`
`
`1
`
`

`

`U.S. Patent No. 8,141,154
`
`
` Finjan, Inc. v. Cisco Systems, Inc., No. 5:17-cv-00072-BLD (N.D. Cal.)
`
`(―Cisco‖)
`
` Finjan, Inc. v. Sonicwall, Inc., No. 5:17-cv-04467-BLF (N.D. Cal.)
`
`(―Sonicwall‖)
`
` Finjan, Inc. v. Check Point Software Technologies Inc., No. 5:18-cv-02621-
`
`WHO (N.D. Cal.) (―Check Point‖)
`
`The ‗154 Patent was previously asserted in the following completed litigations:
`
` Finjan, Inc. v. Carbon Black, Inc., No. 5:18-cv-01760-NC (N.D. Cal.)
`
`(―Carbon Black‖)
`
` Finjan, Inc. v. Symantec Corp., No. 4:14-cv-02998-HSG (N.D. Cal.)
`
`(―Symantec‖)
`
` Finjan, Inc. v. FireEye, Inc., No. 4:13-cv-03133-SBA (N.D. Cal.)
`
`(―FireEye‖)
`
` Finjan, Inc. v. Sophos Inc., No. 3:14-cv-01197-WHO (N.D. Cal.)
`
`(―Sophos‖)
`
` Finjan, Inc. v. F5 Networks, No. 3:16-cv-06955-JCS (N.D. Cal.) (―F5‖)
`
` Finjan, Inc. v. Proofpoint, Inc., No. 4:13-cv-05805-HSG (N.D. Cal.)
`
`(―Proofpoint‖)
`
` Finjan, Inc. v. Websense, Inc., No. 5:13-cv-04398-BLF (N.D. Cal.)
`
`consolidated with 5:14-cv-01353-BLF (N.D. Cal.) (―Websense‖)
`
`
`
`2
`
`

`

`U.S. Patent No. 8,141,154
`
`
` Finjan, Inc. v. AVG Technologies CZ, No. 5:17-cv-00283-BLF (N.D. Cal.)
`
`(―AVG‖)
`
`The ‗154 Patent purports to be a divisional of U.S. Patent No. 7,757,289.
`
`The ‗289 Patent was the subject of one IPR proceeding, IPR2015-01552, now
`
`terminated. The ‗289 Patent was also asserted in the Symantec and Sophos
`
`litigations referenced above.
`
`U.S. Patent 7,614,918 purports to be a continuation-in-part of the ‗289
`
`Patent, and U.S. Patent 9,294,493 purports to be a continuation of U.S. Patent App.
`
`No. 12/174,592 (abandoned) which in turns purports to be a continuation-in-part of
`
`the ‗918 patent. The ‗918 patent is asserted in the Palo Alto Networks litigation
`
`referenced above and was asserted in the Sophos and Proofpoint litigations
`
`referenced above.
`
`To the best of Petitioner‘s knowledge, there are no other judicial or
`
`administrative matters that would affect or be affected by a decision in this
`
`proceeding.
`
`C. Designation of Lead and Back-up Counsel (37 C.F.R. § 42.8(b)(3))
`
`Lead Counsel: Michael Fleming, Reg. No. 67,933
`
`Backup Counsel: Joshua Glucoft, Reg. No. 67,696
`
`Backup Counsel: Rebecca Carson (Pro Hac Vice motion forthcoming)
`
`Contact information for Lead and Backup Counsel is as follows:
`
`
`
`3
`
`

`

`U.S. Patent No. 8,141,154
`
`
`Irell & Manella LLP
`1800 Avenue of the Stars, Suite 900
`Los Angeles, CA 90067
`Telephone: (310) 277-1010
`Fax: (310) 203-7199
`
`Service Information (37 C.F.R. § 42.8(b)(4))
`
`D.
`
`Please address all correspondence to lead counsel at the address above.
`
`Petitioner consents to email service at: Juniper-FinjanIPRs@irell.com.
`
`E. Certification of Word Count
`
`Petitioner certifies that the word count in this petition is 13,677words, as
`
`counted by the word-processing program used to generate this petition, where such
`
`word count excludes the title page, table of contents, table of authorities, exhibit
`
`list, mandatory notices under § 42.8, certificate of service, and this word count.
`
`F.
`
`Fees
`
`The Office is authorized to charge Deposit Account No. 09-0946 for any
`
`fees required.
`
`G. Grounds for Standing
`
`Petitioner certifies that the ‗154 Patent is eligible for IPR and that Petitioner
`
`is not barred or estopped from requesting an IPR of the ‗154 Patent.
`
`H.
`
`Identification of Challenge and Grounds
`
`The asserted grounds rely on the following references:
`
`
`
`4
`
`

`

`U.S. Patent No. 8,141,154
`
`
` U.S. Patent No. 7,594,267 (filed June 14, 2002; published December
`
`19, 2002; issued September 22, 2009) (hereinafter ―Gladstone‖) is
`
`prior art under pre-AIA 35 U.S.C. § 102(b). Gladstone at 1:11-14
`
`incorporates by reference U.S. Application No. 10/071,328 (Ex. 1007
`
`hereto).
`
` U.S. Patent No. 5,983,348 (filed September 10, 1997; issued
`
`November 9, 1999) (hereinafter ―Ji‖) is prior art under § 102(b).
`
` Ajay Chander, et al., ―Mobile Code Security by Java Bytecode
`
`Instrumentation‖, DARPA Information Survivability Conference and
`
`Exposition II, June 12-14, 2001 (hereinafter ―Chander‖) is prior art
`
`under § 102(b).
`
`The asserted grounds are as follows:
`
` Ground 1: Claim 1 is obvious over Gladstone in view of Ji.
`
` Ground 2: Claim 1 is obvious over Chander in view of Gladstone.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`5
`
`

`

`U.S. Patent No. 8,141,154
`
`
`II. TECHNOLOGY BACKGROUND ON CLAIM 1
`
`The ‗154 Patent describes two key concepts in its approach to computer
`
`security. First, it addresses the question of where code should be inspected to
`
`determine if it is potentially malicious. Second, it does not execute the original
`
`function the code would ordinarily execute until another function verifies the input
`
`to the original function is not malicious.
`
`Figure 1 illustrates the first concept regarding where code inspection occurs.
`
`Figure 1shows that, in the prior art, code was either inspected at the network
`
`gateway or at the client computer or both (the ―content inspector‖ where such
`
`analysis was performed has been outlined in red):
`
`
`
`6
`
`
`
`

`

`U.S. Patent No. 8,141,154
`
`
`The ‗154 Patent noted several drawbacks in the prior art. On one hand, inspecting
`
`software at the client computer is not secure because hackers can easily obtain
`
`copies of consumer (i.e., client-side) software and reverse engineer the software to
`
`design viruses that avoid those detection capabilities. ‗154 Patent at 4:15-22. On
`
`the other hand, inspecting software at the network gateway is also not secure
`
`because some viruses do not exhibit malicious behavior until they begin executing
`
`at the client computer. ‗154 Patent at 3:65-4:8. And inspecting at both locations
`
`does not necessarily solve these problems. Accordingly, the ‗154 Patent
`
`recognized ―a need for a new form of behavioral analysis, which can shield
`
`computers from dynamically generated malicious code without running on the
`
`computer itself that is being shielded.‖ ‗154 Patent at 4:23-26.1 In other words,
`
`the ‗154 Patent recognized a need to inspect software for potential malware at a
`
`location other than the network gateway or the client computer.
`
`
`
`The ‗154 Patent‘s solution was to move the inspector to a location that is
`
`different from both the client computer and the network gateway. This solution is
`
`depicted in Figure 2, which shows the inspector (outlined in red) located on a
`
`
`1 All emphasis is added unless indicated otherwise.
`
`
`
`7
`
`

`

`U.S. Patent No. 8,141,154
`
`remote2 ―security computer‖ that is connected to but separate from the client
`
`computer:
`
`
`
`
`
`The second component of the ‗154 Patent‘s approach—using a function that
`
`verifies the input before executing the original function—leveraged a well-known
`
`set of techniques referred to as ―wrapping,‖ ―hooking,‖ or ―instrumenting.‖ See
`
`Declaration of Dr. Nielson (Ex. 1004) (―Nielson Dec.‖) ¶¶ 23-27. The general
`
`
`2 The security computer need not be remote from the client computer. ‗154
`
`Patent at 4:35-36.
`
`
`
`8
`
`

`

`U.S. Patent No. 8,141,154
`
`
`approach involves substituting the original function the code would ordinarily
`
`execute with a different function that causes the computer to inspect and verify the
`
`input to the original function before executing that function. To illustrate, the ‗154
`
`Patent provides the example of receiving the function
`
`document.write(“<h1>hello</h1>”) that would display the word
`
`―hello‖ on a computer screen. ‗154 Patent at 10:25. The ‗154 Patent teaches
`
`defining a different, substitute function with the name
`
`Substitute_document.write() that would be passed
`
`<h1>hello</h1>, which is the input to the original document.write()
`
`function. ‗154 Patent at 10:33-35. When
`
`Substitute_document.write()is invoked, instead of displaying the word
`
`―hello‖ on the screen, the computer checks the input <h1>hello</h1>, making
`
`sure it was safe to write ―hello‖ on the screen. ‗154 Patent at Table III. This
`
`solution substitutes the original function with a different function that serves as a
`
`flag to indicate that the input to the original function must be inspected. For
`
`purposes of this petition, this general concept of patching code to include a safety
`
`check before executing a potentially malicious function is called
`
`―instrumentation.‖
`
`Claim 1 of the ‗154 Patent combines these two concepts of a ―security
`
`computer‖ and instrumentation:
`
`
`
`9
`
`

`

`U.S. Patent No. 8,141,154
`
`
`A system for protecting a computer from dynamically
`
`generated malicious content, comprising:
`
`a content processor (i) for processing content received over a
`
`network, the content including a call to a first function, and the call
`
`including an input, and (ii) for invoking a second function with the
`
`input, only if a security computer indicates that such invocation is
`
`safe;
`
`a transmitter for transmitting the input to the security computer
`
`for inspection, when the first function is invoked; and
`
`a receiver for receiving an indicator from the security
`
`computer whether it is safe to invoke the second function with the
`
`input.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`10
`
`

`

`U.S. Patent No. 8,141,154
`
`
`Figure 2 of the ‗154 Patent is annotated below to illustrate how Claim 1
`
`maps to the teachings of the specification, as discussed further in the table below:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`11
`
`
`
`

`

`U.S. Patent No. 8,141,154
`
`
`Claim 1
`
`Specification
`
`A system for protecting
`a computer from
`dynamically generated
`malicious content,
`comprising:
`
`The system for protecting a computer from
`dynamically generated malicious content is disclosed in
`Figure 2.
`
`The computer that is protected is the client computer
`210.
`
`a content processor (i)
`for processing content
`received over a
`network, the content
`including a call to a
`first function, and the
`call including an input,
`and (ii) for invoking a
`second function with
`the input, only if a
`security computer
`indicates that such
`invocation is safe;
`
`The content processor 270 processes content received
`over a network from the gateway computer 205 via
`network connection 225.
`
`The content received over the network includes a call
`to a first function,
`Substitute_document.write, which includes
`an input <h1>hello</h1> . (10:54-61)
`
`The content processor 270 invokes a second function
`Document.write() with the input
`<h1>hello</h1> only if a security computer 215
`indicates that such invocation is safe. (11:1-4)
`
`a transmitter for
`transmitting the input
`to the security
`computer for
`inspection, when the
`first function is
`invoked; and
`
`The transmitter is client transmitter 250.
`
`The transmitter 250 transmits the input
`<h1>hello</h1> via a communications channel
`230 to the security computer 215, when the first
`function Substitute_document.write is
`invoked. (10:62-64)
`
`a receiver for receiving
`an indicator from the
`security computer
`whether it is safe to
`invoke the second
`function with the input.
`
`The receiver is client receiver 245.
`
`The receiver 245 receives via a communications
`channel 230 an indication from the security computer
`215 whether it is safe to invoke the second function
`Document.write() with the input
`<h1>hello</h1> . (10:65-67)
`
`
`
`12
`
`

`

`U.S. Patent No. 8,141,154
`
`
`The claim language refers to the original function that the code was written
`
`to invoke—the function that will now be invoked only if the security computer
`
`determines it is safe—as the ―second function.‖ See, e.g., Claim 1 (―a content
`
`processor …for invoking a second function with the input, only if a security
`
`computer indicates that such invocation is safe‖). In other words, the claim
`
`language does not expressly call out the substitution of the original function with
`
`the verification function; it assumes that the function received by the content
`
`processor on the client computer has already been substituted. As a result, the
`
`―first‖ function that appears in the claim is the substitute (verification) function
`
`received by the client computer, and the ―second‖ function recited in the claim is a
`
`reference to the original function received by the network gateway. See ‗154
`
`Patent at 4:55-60 (―the present invention operates by replacing original function
`
`calls with substitute function calls within the content … prior to the content being
`
`received at the client computer.‖).
`
`III. LEVEL OF ORDINARY SKILL IN THE ART
`
`A person of ordinary skill in the art of the ‗154 Patent would have a
`
`bachelor‘s degree in computer science or related field and either two years of
`
`industry experience or an advanced degree in computer science or related filed.
`
`See Nielson Dec. ¶ 29; see also IPR2015-01979, Ex. 2002 ¶ 35 (expert testimony
`
`setting forth substantially similar level of skill).
`
`
`
`13
`
`

`

`U.S. Patent No. 8,141,154
`
`
`IV. CLAIM CONSTRUCTION
`
`A.
`
`Prior Constructions
`
`The Board has previously construed two terms in the ‗154 Patent.3 The
`
`Board construed ―content‖ as ―data or information, which has been modified and is
`
`received over a network.‖ IPR2015-01979, Paper 62 at p. 14. The Board also
`
`construed ―call to a first function‖ as ―a statement or instruction in the content, the
`
`execution of which causes the function to provide a service.‖ Id. at 16; see also
`
`IPR2016-00151, Paper 51 at p. 9 (construing ―call to a first function‖ as ―a
`
`statement or instruction in a program requesting the services of a particular (i.e.,
`
`first) function‖). For purposes of this Petition, Juniper adopts the Board‘s prior
`
`constructions.
`
`B.
`
`“Content Processor”
`
`A ―content processor‖ should be construed under § 112 as a ―web browser or
`
`Java virtual machine‖ because ―content processor‖ is a nonce term not understood
`
`by persons of ordinary skill in the art to have a sufficiently definite meaning as the
`
`name for structure. See Nielson Dec. ¶ 32. Patent Owner itself points out
`
`confusion in the understanding of one of ordinary skill that supports the argument
`
`
`3 District Courts have construed other terms under a different claim
`
`construction standard than the Board will apply here.
`
`
`
`
`
`14
`
`

`

`U.S. Patent No. 8,141,154
`
`
`that a ―content processor‖ fails to recite sufficiently definite structure: ―a
`
`‗processor‘ by itself typically refers to a hardware component, such as an Intel
`
`Microprocessor. However, the specification explicitly states that the content
`
`processor can be software components such as a web browser.‖ Ex. 1026 at 19;
`
`see also Nielson Dec. ¶ 32. Thus, the claim language does not even clarify
`
`whether the claimed ―content processor‖ is a physical hardware component or is
`
`limited to software. A ―content processor [] for processing content‖ is therefore a
`
`nonce word and should be construed under § 112.
`
`The only specific structures provided in the specification for a ―content
`
`processor‖ are a web browser and Java virtual machine. See ‗154 Patent at 13:67-
`
`14:1 (―web browser or a Java virtual machine, that processes the modified
`
`content‖); see also id. at 2:23-24, 2:64-67, 3:62-63, 10:38-39, 10:61-62, 15:35-36
`
`(every other disclosure of a component processing content limited to a web
`
`browser). Therefore, a ―content processor‖ should be construed to be limited to ―a
`
`web browser or Java virtual machine.‖ Even if § 112 does not apply, the term
`
`must be construed broadly enough to at least include web browsers and the Java
`
`Virtual Machine.
`
`C.
`
`“First Function” / “Second Function”
`
`As discussed above, the claimed content processor must include web
`
`browsers and the Java virtual machine. Therefore, the ―first function‖ and ―second
`
`
`
`15
`
`

`

`U.S. Patent No. 8,141,154
`
`
`function‖ invoked by those content processors must be construed broadly enough
`
`to at least include all functions that may be executed by those content processors.
`
`That includes Java applet functions and Java library functions for the Java virtual
`
`machine. See ‗154 Patent at, e.g., 13:49-52 (―Such content may be in the form of
`
`… a Java applet….‖). There is no support in the claims or specification to construe
`
`―first function‖ or ―second function‖ as excluding any types of Java functions. See
`
`Nielson Dec. ¶ 33.
`
`D. Other Constructions
`
`For purposes of this petition, Juniper does not contend that ―transmitter for‖
`
`or ―receiver for‖ require construction under § 112 nor that the broadest reasonable
`
`interpretation limits these terms to structures disclosed in the specification. Even if
`
`these elements were interpreted as means-plus-function terms, however, the
`
`grounds identified in this Petition would still invalidate Claim 1.
`
`No other terms require construction for purposes of this petition.4
`
`
`
`
`4 The fact that Juniper and its expert do not propose express constructions
`
`for other terms in this petition does not mean that an unspecified ―plain and
`
`ordinary meaning‖ is sufficient for purposes of litigation in District Court where
`
`the parties dispute the meaning.
`
`
`
`16
`
`

`

`U.S. Patent No. 8,141,154
`
`
`V. OVERVIEW OF THE PRIOR ART
`
`A.
`
`Ji
`
`Ji teaches an insertion-based approach to instrumentation where it inserts
`
`safety-check function calls directly into the code of an application program such as
`
`a Java applet. Specifically, Ji teaches:
`
`The present
`
`applet
`
`scanner
`
`thus uses
`
`applet
`
`instrumentation technology, that is, for Java applets it
`
`alters
`
`the Java applet byte code sequence during
`
`downloading of the applet to the [network proxy] 32. …
`
`[S]tatic (pre-run time) scanning is performed on the
`
`applet by the scanner 26 [on the network proxy]. If an
`
`instruction (a suspicious
`
`instruction)
`
`that calls an
`
`insecure function … is found during this static scanning,
`
`a first instruction sequence (pre-filter) is inserted before
`
`that instruction….
`
`Ji at 5:15-27. Ji at 5:52-66 provides pseudo-code to show how this ―pre-filter‖
`
`function is inserted into the code directly before the original function; note that the
`
`pre-filter function includes the same ―parameters to the [original] function‖:
`
`
`
`
`
`17
`
`

`

`U.S. Patent No. 8,141,154
`
`
`As shown in Figure 1, the insertion of this ―pre-filter‖ function happens at
`
`the ―scanner‖ 26 at a network proxy 32:
`
`Thus, by the time the (for example) Java applet arrives at the client machine‘s web
`
`browser, it has already been instrumented to contain the pre-filter function that
`
`performs a safety check. See also Ji at, e.g., 4:66-5:12.
`
`
`
`
`
`
`
`
`
`
`
`
`
`18
`
`

`

`U.S. Patent No. 8,141,154
`
`
`B. Chander
`
`Chander teaches two methods of replacement-based instrumentation: class-
`
`level modification and method-level modification.5 Chander at 3. In class-level
`
`modification, a ―class such as Window can be replaced with a subclass of Window
`
`(say Safe$Window) that restricts resource usage and functionality.‖ Chander at
`
`3. Method-level modification is similar to class-level modification in that a
`
`method is replaced with a safer version of the method; for example, ―A method
`
`such as Threat.setPriority(I)V can be replaced with a safer version, say
`
`Safe$Thread:setpriority(Ljava/lang/Threat;I)V‖. Chander at
`
`3-4.
`
`Chander teaches instrumenting a program (by class-level modification or by
`
`method-level modification) before it reaches the client computer, specifically at a
`
`network proxy. Chander at 5 describes its setup as follows:
`
`The basic architecture of our system is shown in Figure 5.
`
`When the web browser requests a web page or applet, this
`
`request goes through the network proxy. The proxy forwards
`
`
`5 A ―class‖ is a feature of object-oriented programming and essentially
`
`represents a type of thing. All ―objects‖ of the same ―class‖ share the same
`
`characteristics. A ―method‖ is a type of function associated specifically with an
`
`object in object-oriented programming. See Nielson De