Trials@uspto.gov
571-272-7822

Paper 62
Entered: March 15, 2017

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

PALO ALTO NETWORKS, INC. and SYMANTEC CORP.,
Petitioner,

v.

FINJAN, INC.,
Patent Owner.

Case IPR2015-01979¹
Patent 8,141,154 B2

Before THOMAS L. GIANNETTI, RICHARD E. RICE, and MIRIAM L. QUINN, Administrative Patent Judges.

QUINN, Administrative Patent Judge.

FINAL WRITTEN DECISION
35 U.S.C. § 318(a) and 37 C.F.R. § 42.73

1 This case is joined with IPR2016-00919. Paper 28 (“Decision on Institution of Inter Partes Review and Grant of Motion for Joinder,” filed by Symantec Corp.).

Palo Alto Networks, Inc. and Symantec Corp. (collectively, “Petitioner”) have each filed petitions to institute inter partes review of claims 1-8, 10, and 11 of U.S. Patent No. 8,141,154 B2 (“the ’154 patent”) pursuant to 35 U.S.C. § 311-319. In response to the first petition, filed by Palo Alto Networks, Inc.,² Finjan, Inc. (“Patent Owner”) filed a Preliminary Response. Paper 6 (“Prelim. Resp.”). Upon consideration of the Petition and the Preliminary Response filed by Finjan, we instituted trial as to all the challenged claims. Paper 8 (“Dec.”).

Subsequently, Symantec filed a petition seeking review of the same claims of the ’154 patent. IPR2016-00919, Paper 3. With this second petition, Symantec filed a motion to join IPR2016-00919 with this proceeding. We granted Symantec’s motion, joined the cases, terminated IPR2016-00919, and ordered consolidation of all Petitioner filings in this proceeding. Paper 10, at 5.

During trial, Patent Owner filed a Patent Owner Response;³ and Petitioner filed a Reply.⁴ Patent Owner also filed Motions for Observations of the November 14, 2016 cross-examination of Petitioner’s declarant, Dr. Aviel Rubin. Paper 47 (“Mot. for Obs.”). Petitioner responded to Patent Owner’s Motion for Observations. Paper 49 (“Resp. Obs.”). Both parties also filed Motions to Exclude. Paper 46 (“Pet. Mot. to Exclude”); Paper 48 (“PO Mot. to Exclude”). Both parties filed Oppositions and Replies concerning the Motions to Exclude. Papers 50, 51, 53, 55.

2 Paper 2 (“Petition” or “Pet.”).
3 Paper 22 (“PO Resp.”).
4 Paper 35 (“Reply”).

An oral hearing was held on December 15, 2016.⁵

We have jurisdiction under 35 U.S.C. § 6. This Final Written Decision is issued pursuant to 35 U.S.C. § 318(a). For the reasons discussed herein, and in view of the record in this trial, we determine that Petitioner has not shown by a preponderance of the evidence that claims 1-8, 10, and 11 of the ’154 patent are unpatentable.

5 A transcript of the oral hearing is entered in the record as Paper 60 (“Tr.”).

I. BACKGROUND

A. RELATED MATTERS

Petitioner identifies the ’154 patent as the subject of various district court cases filed in the U.S. District Court for the Northern District of California (Case Nos. 3:14-cv-04908, 3:14-cv-02998, 5:15-cv-01353, 5:14-cv-04398, 3:14-cv-01197, and 3:13-cv-05808). Pet. 3. Petitioner also states that petitions for inter partes review have been filed regarding other related patents. Id. The ’154 patent is also the subject of another inter partes review: IPR2016-00151 (and IPR2016-01071, joined therewith). In IPR2016-0151, we have issued a Final Written Decision, under 35 U.S.C. § 318(a), concurrently with the instant Final Written Decision.

B. INSTITUTED GROUNDS

We instituted inter partes review of claims 1-8, 10, and 11 (“the challenged claims”) based on the following specific grounds:

Claims challenged
Khazan⁶ and Sirer⁷: 35 U.S.C. § 103
Khazan, Sirer, and Ben-Natan⁸: 35 U.S.C. § 103; 6–8, 10, and 11

Petitioner supports its contentions of unpatentability with declarations from Dr. Aviel Rubin. Ex. 1002 (“Aviel Declaration”); Ex. 1045 (“Supp. Aviel Declaration”). Patent Owner supports its contentions with a declaration from Dr. Nenad Medvidovic. Ex. 2002 (“Medvidovic Declaration”). The cross-examinations of Dr. Rubin and Dr. Medvidovic are entered in the record as Exhibits 2005 and 1038, respectively.

C. THE ’154 PATENT (Ex. 1001)

The ’154 patent relates to computer security and, more particularly, to systems and methods for protecting computers against malicious code such as computer viruses. Ex. 1001, 1:7-9, 8:38-40. The ’154 patent identifies the components of one embodiment of the system as follows: a gateway computer, a client computer, and a security computer. Id. at 8:45-47. The gateway computer receives content from a network, such as the Internet, over a communication channel. Id. at 8:47–48. “Such content may be in the form of HTML pages, XML documents, Java applets and other such web content that is generally rendered by a web browser.” Id. at 8:48-51. A content modifier modifies original content received by the gateway computer and produces modified content that includes a layer of protection to combat dynamically generated malicious code. Id. at 9:13-16.

6 Patent Application Pub. No. US 2005/0108562 A1 (Exhibit 1003) (“Khazan”).
7 Sirer et al., Design and Implementation of a Distributed Virtual machine for Networked Computers (1999) (Exhibit 1004) (“Sirer”).
8 U.S. Patent No. 7,437,362 B1 (Exhibit 1005) (“Ben-Natan”).

D. ILLUSTRATIVE CLAIM

Challenged claims 1, 4, 6, and 10 are independent, and illustrative claim 1 is reproduced below.

1. A system for protecting a computer from dynamically generated malicious content, comprising:
a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe;
a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked; and
a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.

II. ANALYSIS

A. CLAIM INTERPRETATION

In an inter partes review, claim terms in an unexpired patent are interpreted according to their broadest reasonable construction in light of the specification of the patent in which they appear. 37 C.F.R. § 42.100(b); Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 2131, 2142-46 (2016). Consistent with that standard, claim terms also are given their ordinary and customary meaning, as would be understood by one of ordinary skill in the art in the context of the entire disclosure. See In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). There are, however, two exceptions to that rule: “1) when a patentee sets out a definition and acts as his own lexicographer,” and “2) when the patentee disavows the full scope of a claim term either in the specification or during prosecution.” See Thorner v. Sony Computer Entm’t Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012).

If an inventor acts as his or her own lexicographer, the definition must be set forth in the specification with reasonable clarity, deliberateness, and precision. Renishaw PLC v. Marposs Societa’ per Azioni, 158 F.3d 1243, 1249 (Fed. Cir. 1998) (citing In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994)). Although it is improper to read a limitation from the specification into the claims, In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993), claims still must be read in view of the specification of which they are a part. Microsoft Corp. v. Multi-Tech Sys., Inc., 357 F.3d 1340, 1347 (Fed. Cir. 2004).

“content”

In our Decision on Institution, we did not construe expressly any claim terms. Dec. 5. During trial, however, Patent Owner proposed a construction of the term “content” as “a data container that can be rendered by a client web browser.” PO Resp. 5. Petitioner challenges this construction as unduly narrow in view of the Specification. Reply 6. In particular, Petitioner argues that the Specification does not define the term and provides no “clear disavowal” of claim scope. Id. 6-7. According to Petitioner, the Specification and extrinsic evidence support a broader construction of “content” to mean “code.” Id. at 7–8 (citing Ex. 1001, 12:49-52; Ex. 2005, 80:11–23).

Because they are not consistent with the broadest reasonable interpretation in light of the specification, and as discussed further below, we do not adopt either of the parties’ proposed constructions. Our reasoning follows.

The ’154 patent is titled “System and Method for Inspecting Dynamically Generated Executable Code.” Ex. 1001, [54]. Although the title refers to “executable code,” the term “content” is used elsewhere in the patent when describing the invention. The Abstract further clarifies that a “method for protecting a client computer from dynamically generated malicious content, includ[es] receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function[.]” Id. Abstract (emphasis added). The gateway computer modifies the “content,” which is then transmitted to the client computer for processing there. Id.

By way of background, the ’154 patent explains that the “ability to run executable code such as scripts within Internet browsers” has caused a new form of viruses “embedded within web pages and other web content, and[, which] begin executing within an Internet browser as soon as they enter a computer.” Id. at 1:34–40. In particular, the ’154 patent describes these new “dynamically generated viruses” as “taking advantage of features of dynamic HTML generation, such as executable code or scripts that are embedded within HTML pages, to generate themselves on the fly at runtime.” Id. at 3:31-39. Therefore, according to the ’154 patent “dynamically generated malicious code cannot be detected by conventional reactive content inspection and conventional gateway level behavioral analysis content inspection, since the malicious JavaScript is not present in the content prior to run-time.” Id. at 3:65–4:2. The invention, therefore, seeks to protect against “dynamically generated malicious code, in addition to conventional computer viruses that are statically generated.” Id. at 4:30-34.

To accomplish this objective, the ’154 patent describes the gateway computer receiving “content from a network, such as the Internet, over a communication channel.” Id. at 8:47–48. The “content may be in the form of HTML pages, XML documents, Java applets and other such web content that is generally rendered by a web browser.” Id. at 8:48–51; see also id. at 13:49-52 (“Such content may be in the form of an HTML webpage, an XML document, a Java applet, an EXE file, JavaScript, VBScript, an ActiveX Control, or any such data container that can be rendered by a client web browser.”); 13:49-52. A “content modifier 265” at the gateway modifies “original content received” by the gateway computer and produces modified “content, which includes a layer of protection to combat dynamically generated malicious code.” Id. at 9:13-16. It does this by scanning the “original content” and identifying certain function calls. Id. at 9:16–20. Selected function calls are then replaced with a corresponding substitute function call. Id. at 9:21–26.

One example of a function call in the original content is identified as “Document.write (‘content that is dynamically generated at run-time’).” Id. at 11:55-12:2. The original content is modified by replacing the original function call Document.write() with a substitute function call Substitute_document.write(). Id. at 10:31-36. The client computer then receives the “content, as modified by the gateway computer.” Id. at 11:63-64. And it is this modified content that the client computer processes, by invoking the substitute function call and transmitting the input of that substitute function for inspection. Id. at 16:22–29.
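
The rewrite-and-inspect flow described above, sketched as an added example that is not code from the ’154 patent, the record, or any party's product: a gateway swaps document.write for Substitute_document.write, and the substitute invokes the original only if an inspector reports the input as safe. The regex rewrite, the in-process stand-in for the security computer, the `<script` policy and the sample content are assumptions constructed for illustration.

```javascript
'use strict';
// Added illustration. Only document.write and Substitute_document.write are
// names taken from the text above; every other name here is hypothetical.

// Constructed policy, shared by the static scan and the security computer.
function looksMalicious(text) {
  return /<script\b/i.test(String(text));
}

// Gateway content modifier: replace the original call with the substitute call.
// A regex keeps the sketch short; a real modifier would parse the script.
function modifyContent(original) {
  return original.replace(/\bdocument\.write\s*\(/g, 'Substitute_document.write(');
}

// Stand-in for the security computer: inspects an input, returns an indicator.
function securityComputerInspect(input) {
  return { safe: !looksMalicious(input) };
}

// Client content processor. A stub document records what would have been
// written, so the sketch runs under Node without a DOM.
function runOnClient(content, inspect) {
  const written = [];
  const blocked = [];
  const document = { write: (s) => { written.push(String(s)); } };
  const Substitute_document = {
    write(input) {
      // "Transmit" the input for inspection and "receive" the indicator.
      const indicator = inspect(input);
      if (indicator.safe) {
        document.write(input); // original function invoked only if safe
      } else {
        blocked.push(String(input));
      }
    },
  };
  const run = new Function('document', 'Substitute_document', content);
  run(document, Substitute_document);
  return { written, blocked };
}

// Constructed sample content: the second input only becomes a script element
// at run time, so the text of the content itself contains no "<script".
const ORIGINAL_CONTENT = [
  "document.write('<p>hello</p>');",
  "document.write(decodeURIComponent('%3Cscript%3E/* constructed */%3C%2Fscript%3E'));",
].join('\n');

function demo() {
  return {
    // Scan of the content before run time: nothing to find.
    staticScanFlags: looksMalicious(ORIGINAL_CONTENT),
    // Unmodified content: both writes reach the document.
    unmodified: runOnClient(ORIGINAL_CONTENT, securityComputerInspect),
    // Modified content: the run-time input is inspected before the write.
    modified: runOnClient(modifyContent(ORIGINAL_CONTENT), securityComputerInspect),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The scan of the unmodified content reports nothing because the script element exists only as the decoded input at run time, which is the point at which the substitute call hands it to the inspector.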

From the above descriptions, we understand the ’154 patent Specification to refer to three categories of content. First, there is the “original content” that is scanned and modified at the gateway computer. Second, there is the “modified content” transmitted to, and received by, the client computer. Third is the “dynamically generated malicious content” that is generated at runtime and, thus, is undetected by the gateway computer in the “original content.”

We also understand that the purpose of the ’154 patent is to protect the client computer from this “dynamically generated malicious content,” which is sometimes also referred to in the Specification as “dynamically generated malicious code.” See, e.g., Ex. 1001, 4:31–33 (“new behavioral analysis technology affords protection against dynamically generated malicious code”); 4:38–40 (“before the client computer invokes a function call that may potentially dynamically generate malicious code”); 8:17–20 (“FIG. 2 is a simplified block diagram of a system for protecting a computer from dynamically generated malicious executable code, in accordance with a preferred embodiment of the present invention”); 8:38–40 (“The present invention concerns systems and methods for protecting computers against dynamically generated malicious code.”).

Notwithstanding the variety of content described in the Specification, the term “content” is recited broadly in all challenged claims as “content including a call to a first function.” For example, claim 1 recites a content processor for “processing content received over a network, the content including a call to a first function, and the call including an input.” Id. at 17:34-36.

The claim language also requires that the processed “content” be received over a network. Because the recited “first function” is the substituted function whose input is verified, the claimed “content,” in the context of the surrounding claim language, must refer to the modified content received at the client computer. See id. at 17:39-40 (“transmitting the input [of the first function call] to the security computer for inspection, when the first function is invoked”). The claimed content cannot refer to the “original content” that is received by the gateway computer and over the Internet because that content, according to the Specification, would be capable of generating the undetected dynamically generated malicious content from which the client computer is to be protected.

Based on this understanding, we do not agree with Patent Owner that the recited “content” is “a data container that can be rendered by a client web browser.” See PO Resp. 6. Although the Specification states that “content may be in the form of an HTML webpage, an XML document, a Java applet, an EXE file, JavaScript, VBScript, an ActiveX Control, or any such data container that can be rendered by a client web browser,” that passage describes the “original content,” not the “modified content.” See Ex. 1001, 13:49-52. Furthermore, even if that description were applicable to the “modified content,” the Specification uses the permissive words “may” and “can,” which suggests that the description of the form of the content in the Specification was not intended to set forth a definition for the term “content.” See i4i Ltd. P’ship v. Microsoft Corp., 598 F.3d 831, 844 (Fed. Cir. 2010) (declining to limit claim term where the specification used permissive language).

Furthermore, although the Specification addresses embodiments concerning webpages received over the Internet, the Specification does not limit the “content” to web content only, or to content that can be rendered by a web browser. For example, in describing a content processor, the Specification states that it “may be a web browser running on client computer 210.” Ex. 1001, 10:60-62. This description again uses permissive language that suggests the intent not to limit the content to a data container that can be rendered by a client web browser. We also find it informative that in discussing the communication channels over which the client computer receives the “modified content,” the Specification states that “communication channels 220, 225 and 230 [of Figure 2] may each be multiple channels using standard communication protocols such as TCP/IP.” Ex. 1001, 8:67–9:2.⁹ That is, the network over which the content is received may be any network that delivers data using a standard communication protocol, not just the Internet.

Accordingly, we are not persuaded that the Specification supports a construction of “content” that is limited to the specific embodiment of a data container that can be rendered by a client web browser, as Patent Owner argues. In re Van Geuns, 988 F.2d 1181, 1184, (Fed. Cir. 1993) (“Moreover, limitations are not to be read into the claims from the specification.”) (internal citations omitted).

9 TCP/IP is an abbreviation for Transmission Control Protocol over Internet Protocol, and it is the most widely used communication protocol for delivery of data over networks, including the Internet. TCP/IP, WILEY ELECTRICAL AND ELECTRONICS ENGINEERING DICTIONARY, 774 (2004) (Ex. 3001).

We are not persuaded, in addition, that Petitioner has made a sufficient showing that a person of ordinary skill in the art would understand the plain meaning of “content” as “code.” To support its proposed construction, Petitioner relies on the cross-examination testimony of its own expert, Dr. Aviel Rubin. Ex. 2005, 80:11–23. His testimony, however, is not persuasive because he proffers no reasoning for the conclusion that “content” is “code” under the broadest reasonable interpretation:

Q What is your understanding of what “content” means?
A In the context of the ’154 patent, content would be code.
Q What do you mean by code?
A Code, like an HTML page that has JavaScript in it.
Q When you say code, do you mean any type of code?
A Well, if you just say content, we are going to take the broadest reasonable interpretation of that. It would be any type of code, yes.

Id.¹⁰

Although it seems reasonable to say that the content includes “code,” no persuasive evidence limits the claimed content to only code. As we noted above, the Specification refers to code, sometimes interchangeably with content, but only in the context of dynamically generated code. The dynamically generated code, however, is not generated until runtime and, therefore, is not contained in the “modified content” that the client receives. See Ex. 1001, 3:65–4:2 (“dynamically generated code cannot be detected by conventional reactive content inspection and conventional gateway level behavioral analysis content inspection, since the malicious JavaScript is not present in the content prior to run-time.”). Furthermore, the Specification describes various forms in which the content occurs, such as an HTML web page and Java applets (id. at 13:49-52), but does not address sufficiently what is the “content” itself. But see, id. at 11:50–51 (“suppose the content is an HTML page”).

10 We do not give weight to the testimony proffered by Dr. Medvidovic with regard to claim construction of this term given the contradictory positions asserted in this regard. See Reply 8.

Given the broad disclosure of a network, as discussed above, the reference to a “data container” (id. at 13:51-52) and “network content” (id. at 4:37–37), the concern over scripts embedded in web pages or “other web content” (id. at 1:37–39), we conclude that the Specification of the ’154 patent uses the claimed “content” to refer broadly to the data or information, modified for processing, that the client receives from the network, where, in the case of the Internet, it may refer to a web page and its elements. This interpretation is consistent also with the meaning of the term in the art, as evidenced by dictionaries concerning computing and engineering. See content, Microsoft Computer Dictionary, 125 (5th ed. 2002) (Ex. 3002) (defining “content” as (1) “the data that appears between the starting and ending tags of an element in an SGML, XML, or HTML document. The content of an element may consist of plain text or other elements,” (2) “The message body of a newsgroup article or e-mail message;” and (3) “The ‘meat’ of a document, as opposed to its format or appearance.”); see also content, WILEY ELECTRICAL AND ELECTRONICS ENGINEERING DICTIONARY, 142 (2004) (Ex. 3001) (“Information, especially that which is available online, which may be any combination of text, audio, video, files, or the like.”).

Accordingly, under the broadest reasonable interpretation in the context of the Specification and the surrounding claim language, we conclude that “content” is data or information, which has been modified and is received over a network.

“call to a first function”

The term “call to a first function” is recited in all challenged claims. The arguments presented regarding this limitation turn on the scope of the word “call.” Specifically, Patent Owner attempts to distinguish the claims over Khazan by arguing that a “jump” instruction is not the recited “call” to a function. PO Resp. 25-27. Dr. Medvidovic, Patent Owner’s expert, proffers opinions on the issue by relying on a definition of “function call” derived from the Microsoft Press Computer Dictionary. Ex. 2002 ¶ 110 (citing Ex. 2014). That Dictionary provides that a “function call” is “[a] program’s request for the services of a particular function.” Id.; Ex. 2014. It also explains that “[a] function call is coded as the name of the function along with any parameters needed for the function to perform its task.” Id.

The Specification of the ’154 patent does not define the term “call to a first function.” The Specification, however, does use the phrase “function call” to state that “before the client computer invokes a function call that may potentially dynamically generate malicious code, the client computer passes the input to the function to the security computer for inspection.” Ex. 1001, 4:37–43 (emphasis added). The Specification also states that “the present invention operates by replacing original function calls with substitute function calls within the content, at a gateway computer, prior to the content being received at the client computer.” Id. at 4:57-60. Therefore, we understand the Specification to use the phrase “function call” in the same sense as the phrase “call to a [] function.” That is, a program instruction specifies the function name and its parameters, where execution of the instruction results in the function providing a service. Thus, we find the dictionary definition of the term “function call” applicable here and indicative of the meaning of the term to a person of ordinary skill in the art.

Furthermore, the dictionary definition is consistent with the embodiments described in the Specification. For example, one embodiment of the ’154 patent provides for modifying an original function call with “corresponding function calls Substitute_function(input,*).” Id. at 9:21-24. That is, the specification describes that the services of the function Substitute_function are being requested by the modified content. Furthermore, the format of the function in this particular embodiment, identifies the name of the function and the parameters “input” and “*”. See also id. at 9:26-28 (explaining that the “input intended for the original function is also passed to the substitute function, along with possible additional input denoted by ‘*’”). We note that the “first function” is the substitute function included in the modified content, as discussed above in connection with our analysis of the term “content.”

We recognize that the definition of “call to a first function” need not define the particular format of the instruction or further detail regarding its parameters. We reach this determination because the claim language itself requires that either the “call” or the “function” include an input. For example, claim 1 recites the “call including an input,” while claim 6 recites “the first function including an input variable.”

Accordingly, we determine that a “call to a first function” means a statement or instruction in the content, the execution of which causes the function to provide a service.

B. PRINCIPLES OF LAW

A claim is unpatentable under 35 U.S.C. § 103(a) if the differences between the claimed subject matter and the prior art are such that the subject matter, as a whole, would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The question of obviousness is resolved on the basis of underlying factual determinations including: (1) the scope and content of the prior art; (2) any differences between the claimed subject matter and the prior art; (3) the level of ordinary skill in the art; and (4) objective evidence of nonobviousness. Graham v. John Deere Co., 383 U.S. 1, 17-18 (1966).

C. THE LEVEL OF SKILL IN THE ART

In determining the level of ordinary skill in the art at the time of the invention, we note that various factors may be considered, including “type of problems encountered in the art; prior art solutions to those problems; rapidity with which innovations are made; sophistication of the technology; and educational level of active workers in the field.” In re GPAC, Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995) (citing Custom Accessories, Inc. v. Jeffrey-Allan Indus., Inc., 807 F.2d 955, 962 (Fed. Cir. 1986)).

Petitioner asserts, through its expert, Dr. Aviel Rubin, that the “relevant technology field for the ’154 patent is security programs, including content scanners for program code.” Ex. 1002 ¶ 21. Further, Dr. Rubin opines that a person of ordinary skill in the art would “hold a bachelor’s degree or the equivalent in computer science (or related academic fields) and three to four years of additional experience in the field of computer security, or equivalent work experience.” Id.

Patent Owner, through its expert, Dr. Nenad Medvidovic, offers a level of ordinary skill that is different from Petitioner’s. Ex. 2002 ¶ 35. In particular, Dr. Medvidovic opines that a person of ordinary skill in the art would have a “bachelor’s degree in computer science or related field, and either (1) two or more years of industry experience and/or (2) an advanced degree in computer science or related field.” Id. In comparison, it appears that the minimum experience under Patent Owner’s proffered level of skill is one year less than Petitioner’s. Also, Patent Owner proffers an alternative to work experience, namely an advanced degree. There is no specific articulation regarding how the difference of one year experience or the proposed alternative of an advanced degree in lieu of experience tangibly affects our obviousness inquiry. Further, there is no evidence in this record that the differences noted above impact in any meaningful way the level of expertise of a person of ordinary skill in the art. Indeed, we note that Dr. Medvidovic’s opinions would not change if he had considered instead the level of ordinary skill in the art proffered by Dr. Rubin. Id. ¶ 38.

Accordingly, we determine that in this case no express definition of the level of ordinary skill in the art is necessary and that the level of ordinary skill in the art is reflected by the prior art of record. See Okajima v. Bourdeau, 261 F.3d 1350, 1355 (Fed. Cir. 2001); In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995); In re Oelrich, 579 F.2d 86, 91 (CCPA 1978).

D. OBVIOUSNESS GROUND BASED ON KHAZAN AND SIRER

Petitioner asserts that Khazan discloses “every element of the Petitioned Claims except a modified input variable and details of performing dynamic analysis on a remote computer.” Pet. 16. In particular, Petitioner relies on a combination of Khazan and Sirer as teaching the “content including a call to a first function,” “only if a security computer indicates that such invocation is safe,” “transmitter,” and “receiver” limitations. Pet. 20-39. Petitioner relies on Khazan alone as disclosing the remaining limitations of independent claims 1 and 4. Id. at 19-20.

1. Overview of Khazan (Exhibit 1003)

Khazan is titled “Technique for detecting executable malicious code using a combination of static and dynamic analyses.” The Abstract of Khazan states that:

Described are techniques used for automatic detection of malicious code by verifying that an application executes in accordance with a model defined using calls to a predetermined set of targets, such as external routines. A model is constructed using a static analysis of a binary form of the application, and is comprised of a list of calls to targets, their invocation and target locations, and possibly other call-related information. When the application is executed, dynamic analysis is used to intercept calls to targets and verify them against the model.

Ex. 1003, Abstract. Figure 7, reproduced below, shows in more detail the flow of control between functions at run time to intercept calls to the predetermined functions or routines being monitored as part of dynamic analysis. Id. ¶ 25.

`

`200°)
`
`LOCLA::
`
`ADDRESSAPI_A
`API_A_OFFSET:
`
`
`
`CALLAPILA
`
`IPR2015-01979
`Patent 8,141,154 B2
`
`Application.EXE (Source Function)
`
`kernel 32 DLL (Target Function)
`
`
`
`Wrapper Function
`
` 212
`or Stub Function
`
`frampoline Function
`
`API_LALTRAMPOLINE:
`AP]_ALSTUB:
`
`
`<VERIFY CALL- PRE
`
`
`<saved instructions from
`MONITORING CODE>
`
`
`
`API_LA>
`CALL API_LA_LTRAMPOLINE
`
`
`JUMP API_A + API_A_OFFSET|
`
`
`<POST MONITORING CODE>
`
`RETURN /* To source */
`
`
`
`The flow in Figure 7 depicts the control flow when a WIN32 API
`function is invoked at run time from an application using a call instruction.
`Id. ¶ 82. A call is made to the target function API_A. Id. ¶ 83. Control
`transfers (arrow 202) to the target function API_A within the kernel32 DLL.
`Id. The target function API_A includes a transfer or jump instruction to a
`wrapper function. Id. Control, therefore, transfers (arrow 204) to the
`wrapper function (API_A_STUB). Id. The intercepted call is verified. Id.
`¶ 84. This verification includes using static analysis information, including
`parameter information. Id. ¶ 87. After verification, a trampoline function is
`invoked (arrow 206) to execute previously saved instructions of API_A,
`which are the first instructions of the routine API_A that were replaced with
`a jump instruction to the wrapper function. Id. ¶ 88. Control transfers back
`to the target function to continue execution of the target function body as
`indicated by arrow 208. Id.
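The Figure 7 flow described above, as an added C sketch that is not code from Ex. 1003 or from this decision. It models the patched entry of API_A as a function pointer rather than rewriting instructions, passes the call site explicitly instead of deriving it from the return address, and assumes a failed check returns -1; the model entries and all names other than API_A are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Model entry from static analysis: which call site may invoke which
   target, plus parameter information (all values are constructed). */
struct model_entry { unsigned call_site; const char *target; int max_len; };

static const struct model_entry MODEL[] = {
    { 0x1010, "API_A", 64 },
    { 0x1048, "API_A", 16 },
};

static int pre_ok, pre_blocked, post_seen;   /* monitoring counters */

/* Target function body (stands in for API_A inside the DLL). */
static int api_a_body(int len) { return len * 2; }

/* Trampoline: stands in for the saved first instructions of API_A followed
   by JUMP API_A + API_A_OFFSET; here it simply enters the body. */
static int api_a_trampoline(int len) { return api_a_body(len); }

/* Pre-monitoring check: is this call, from this site, in the model? */
static int verify_call(unsigned site, const char *target, int len) {
    for (size_t i = 0; i < sizeof MODEL / sizeof MODEL[0]; i++)
        if (MODEL[i].call_site == site && strcmp(MODEL[i].target, target) == 0)
            return len >= 0 && len <= MODEL[i].max_len;
    return 0;   /* call was not predicted by static analysis */
}

/* Wrapper (stub): verify, run the target via the trampoline, post-monitor. */
static int api_a_stub(unsigned site, int len) {
    if (!verify_call(site, "API_A", len)) { pre_blocked++; return -1; }
    pre_ok++;
    int rc = api_a_trampoline(len);   /* arrows 206 and 208 */
    post_seen++;                      /* post-monitoring code */
    return rc;                        /* return to source */
}

/* Entry of API_A after patching: its first instructions now lead to the stub. */
static int (*api_a_entry)(unsigned, int) = api_a_stub;

/* Source function: the application calls API_A (arrow 202, then 204). */
int call_api_a(unsigned site, int len) { return api_a_entry(site, len); }
```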
`
`
`2. Overview of Sirer (Ex. 1004)
`
`Sirer is a technical paper from an ACM symposium titled “Design and
`implementation of a distributed virtual machine for networked computers.”
`Ex. 1004, 1. Sirer describes centralizing service functionality in a
`distributed virtual machine by portioning static and dynamic components. Id.
`at 2. Figure 1, reproduced below, illustrates the organization of those
`components.
`
`[Figure 1 of Ex. 1004, showing Static Service Components and Dynamic Service Components.]
`
`Figure 1. The organization of static and dynamic service components in a distributed virtual machine.
`
`Figure 1 shows static service components, such as security
`enforcement, running at a network trust boundary. Id. at 3. Dynamic
`service components provide service functionality to clients during run-time
`as necessary. Id. “The code for the dynamic service components resides on
`the central proxy and is distributed to clients on demand.” Id. at 4. The
`security service “forces applications to comply with an organization’s
`security policy by inserting appropriate checks through binary rewriting.”
`Id. at 5. “During execution of the rewritten application, the enforcement
`manager executes the inserted access checks, querying the security service
`based on the security identifiers and permissions it maintains.” Id.
`
`3. Whether Sirer is a Printed Publication
`
`Patent Owner contends that Sirer is not prio
