Trials@uspto.gov
`$71-272-7822
`
`Paper8
`Entered: March 25, 2019
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`JUNIPER NETWORKS, INC.,
`Petitioner,
`
`Vv.
`
`FINJAN, INC.,
`Patent Owner.
`
`Case IPR2019-00031
`Patent 8,141,154 B2
`
`Before THOMASL. GIANNETTI, MIRIAM L. QUINN,and
`PATRICK M. BOUCHER,Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`35 US.C. § 314
`
`
`$71-272-7822
`
`Paper8
`Entered: March 25, 2019
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`JUNIPER NETWORKS, INC.,
`Petitioner,
`
`Vv.
`
`FINJAN, INC.,
`Patent Owner.
`
`Case IPR2019-00031
`Patent 8,141,154 B2
`
`Before THOMASL. GIANNETTI, MIRIAM L. QUINN,and
`PATRICK M. BOUCHER,Administrative Patent Judges.
`
`QUINN, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`35 US.C. § 314
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`I.
`
`INTRODUCTION
`
`Juniper Networks,Inc. (“Petitioner”) filed a Petition to institute inter
`
`partes review of claim 1 of U.S. Patent No. 8,141,154 B2 (Ex. 1001, “the
`
`"154 patent”). Paper 2 (“Pet.”). Finjan, Inc. (“Patent Owner”) timely filed a
`
`Preliminary Response. Paper 7 (“Prelim. Resp.”).
`
`Wehavejurisdiction under 35 U.S.C. § 314. For the reasons
`
`discussed below, we do notinstitute inter partes review of claim 1 of the
`
`”154 patent.
`
`A.
`
`Related Matters
`
`The parties indicate that the ?154 patent is involved in Finjan, Inc. v.
`
`Juniper Networks, Inc., Case No. 3:17-cv-05659-WHA (N.D.Cal.) and
`
`other proceedings. Pet. 1; Paper S.
`
`B.
`
`The °154 Patent (Ex. 1001)
`
`The ’154 patent relates to computer security, and, more particularly,
`
`to systems and methods for protecting computers against dynamically
`
`generated malicious code, such as viruses that enter a computer overthe
`
`Internet. Ex. 1001, 1:7-9, 34-37, 8:38-40. The ’154 patent identifies two
`
`types of anti-virus applications that are available to protect against internet
`
`viruses: gateway security applications that shield web content beforeit is
`
`delivered to a computer, and desktop security applications that shield web
`
`content after it is delivered to the computer. Jd. at 1:43-53. Each system
`
`has its disadvantages. Jd. at 2:31-45. Gateway security applicationsfail to
`
`detect certain types of viruses, such as viruses that are generated
`dynamically at run-time of a computer en Id. at 3:31-36. Desktop
`security applications maybe able to shield dynamically generated viruses;
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`however, these applications require the installation of client computer
`
`software and can be vulnerable to hackers. Jd. at 4:15-22.
`
`With regard to the embodiment shownin Figure 2, reproduced below,
`
`the ’154 patent describes shielding a client computer from dynamically
`
`generated malicious code by passing the input of a function to a security
`
`computer for inspection before the client computer invokesthe function. Jd.
`
`at 4:35-43, 8:41-44.
`
`ANAQOW
`
`
`
`GILNAND“UteNt
`
` ANZTDOOLYOLVAIONI= LNANI
`
` ¥YOSSII0Nd
`LNSINOS
`
`ANdNi34VS40HBLNdWOS
`
`
`
`FIG. 2
`
`Figure 2 depicts a system for protecting a computer from dynamically
`
`generated malicious executable code, including gateway computer 205,
`
`chent computer 210, and security computer 215. Jd. at 8:45-47. The
`
`gateway computer 205 receives content from a network, such as the Internet,
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`over communication channel 220. Id. at 8:47—48. “Such content may be in
`
`the form of HTML pages, XML documents, Java applets and other such web
`
`content that is generally rendered by a web browser.” Jd. at 8:48—-51. Client
`
`computer 210 communicates with gateway computer 205 over
`
`communication channel 225, and communicates with security computer 215
`
`over communication channel 230. Jd. at 8:51-54. The client computer
`
`receives content data at client receiver 245, processes the data at content
`
`processor 270, and transmits data at client transmitter 250.
`
`Content modifier 265 modifies original content received by gateway
`
`computer 205 and produces modified content that includes a layer of
`
`protection to combat dynamically generated malicious code. Jd. at 9:13-16.
`
`Specifically, content modifier 265 identifies certain function calls and
`
`replaces them with a substitute function call, and when content processor
`
`270 processes the substitute function, the input is sent to security computer
`
`215 for inspection. Jd. at 9:16—28, 10:60-64. Input inspector 275 compares
`
`the input’s security profile to the client computer’s security policy. Jd. at
`
`11:40-41. Ifthe operations of the function violate the client computer’s
`
`security policy and are potentially malicious, input inspector 275 sets an
`
`“inspection_result” value to false and the client computer does not invoke
`
`the original function.
`
`/d. at 11:1-4, 12:20-24. Otherwise, the
`
`“inspection_result” value is set to true, and the client computer invokes the
`
`original function. Id.
`
`C.
`
`Illustrative Claim
`
`Challenged claim 1, reproduced below,is independent.
`
`1. A system for protecting a computer from dynamically
`generated malicious content, comprising:
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`a content processor (i) for processing content received over a
`network, the content including a call to a first function, and the
`call including an input, and (11) for invoking a second function
`with the input, only if a security computer indicates that such
`invocationis safe;
`
`a transmitter for transmitting the input to the security computer
`for inspection, whenthe first function is invoked; and
`
`a receiver for receiving an indicator from the security computer
`whetherit is safe to invoke the second function with the input.
`
`Ex. 1001, 17:32-44.
`
`D.
`
` Asserted Prior Art and Grounds of Unpatentability
`
`The Petition identifies the following references in connection with
`
`Petitioner’s challenge of unpatentability (Pet. 4—5):
`
`a) Gladstone: U.S. Patent No. 7,594,267 B2, filed in the record as
`
`Exhibit 1006;
`
`b) Ji: U.S. Patent No. 5,983,348, filed in the record as Exhibit 1005;
`
`and
`
`c) Chander: Mobile Code Security by Java Bytecode Instrumentation,
`
`DARPAInformation Survivability Conference and ExpositionII,
`
`June 12-14, 2001, filed in the record as Exhibit 1008.
`
`Petitioner asserts the following grounds of unpatentability based on
`
`the aforementionedreferences(Pet. 5):
`
`
`
`
`Challenged Claim|_Basis__|References
`§ 103(a
`Gladstone andJi
`
`
`
`Chander and Gladstone
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2-
`
`II.
`
`DISCUSSION
`
`A. Claim Construction
`
`In an inter partes review, claim terms in an unexpired patentare given
`
`their broadest reasonable construction in light of the specification of the
`
`patent in which they appear. 37 C.F.R. § 42.100(b) (2017);! see Cuozzo
`
`Speed Techs., LLC v. Lee, 1368. Ct. 2131, 2144-46 (2016). We presume a
`
`claim term carries its plain meaning, which is the meaning customarily used
`
`by those of skill in the relevant art at the time of the invention. Jrivascular,
`
`Inc. v. Samuels, 812 F.3d 1056, 1062 (Fed. Cir. 2016).
`
`Petitioner acknowledgesthat at least two termsrecited in the claims of
`
`the ’154 patent have been construed previously by the Board. Pet. 14. The
`Final Written Decision in IPR2015-01979 provided a construction of the
`term “content” as “data or information, which has been modified andis
`
`received over a network.” IPR2015-01979, Paper 62 at 14. We also
`
`determined that the term “call to a first function” means“a statement or
`
`instruction in the content, the execution of which causesthe function to
`
`provide a service.” Jd. at 16. The Federal Circuit has affirmed the Final
`
`Written Decision in IPR2015-01979, and, accordingly, those constructions
`
`are adopted here. See Palo Alto Networks, Inc., v. Finjan, Inc., Case No.
`
`2017-2314, slip op. at 9-12 (Fed. Cir. Nov. 19, 2018). Further, although not
`
`construed by the Board in the Final Written Decision, the Federal Circuit, in
`
`' A recent amendmenttothis rule does not applyhere because the Petition
`wasfiled before November 13, 2018. See Changes to the Claim
`ConstructionStandard for Interpreting Claims in Trial Proceedings Before
`the Patent Trial and Appeal Board, 83 Fed. Reg. 51340 (Oct. 11, 2018) (to
`be codified at 37 C.F.R. pt. 42).
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`the Palo Alto case, addressed the scope of the “invoke” term, concluding
`
`that it does not require execution of a function.
`
`/d. at 11-12. To the extent
`
`the scope of “invoke” is disputed and necessary to render this Decision, we
`
`adopt the interpretation of “invoke” that does not require execution of a
`
`function.
`
`.
`
`The construction of other terms is not necessary for us to decide
`
`whetherto institute trial.
`
`B.
`Level of Ordinary Skill in the Art
`In determining the level of ordinary skill in the art, various factors
`maybe considered, including the “type of problems encounteredin the art;
`prior art solutions to those problems; rapidity with which innovationsare
`
`|
`
`made; sophistication of the technology; and educational level of active
`
`workersin the field.” Jn re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995)
`
`(internal quotation and citation omitted). In that regard, Petitioner asserts
`
`that a person of ordinary skill in the art would include someone with “a
`
`bachelor’s degree in computer science or related field and either two years
`
`of industry experience or an advanced degree in computer science or related
`
`[field].” Pet. 13. Patent Owner does not challenge Petitioner’s definition of
`
`a person of ordinary skill in theart.
`
`Accordingly, for purposes of this Decision, we adopt Petitioner’s
`
`proposed level of ordinary skill in the art.
`
`C.
`
`Summary ofAsserted Prior Art
`
`1.
`
`Overview of Gladstone (Exhibit 1006)
`
`Gladstoneis directed to methods and apparatus for securing one or
`
`more nodes on a computer network. Ex. 1006, 1:18-20. Gladstone
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`describes conventional network security systems that use active protection to
`
`prevent security breaches with pre-programmedintrusion detection
`
`measures, or passive protection to examine data about previous breaches in
`
`order to prevent future intrusions. Jd. at 1:21-32. According to Gladstone,
`
`neither type of conventional network security protection “provides the
`
`adaptation capability sometimes necessary to counter novel types of attacks
`
`as they occur.” Id. at 1:63—66.
`
`With regard to the embodimentof Figure 1, reproduced below,
`
`Gladstone describes securing a networked computer system using active
`
`security measures in real time. Jd. at 4:28-35, 5:46-49.
`
`FIGURE 1.
`
`;
`
`
`a
`
`i
`Resources
`4-30
`Sysxem
`(eg., disk):
`35
`
`
`Reference
`Monitar
`25
`Interceptors
`
`Lace
`|
`
`26
`
`110
`
`180
`
`Transcelver
`115
`
`160
`
`170
`
`
`
`
`120
`
`Loader
`125
`
`
`
`
`
`
`Correlation Engine
`145
`
`instruction Engine
`135
`
`140
`
`180
`
`130
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Figure 1 depicts a system for securing a networked computer,
`
`including computer node A connected via network 5 to event processor
`
`server 100. Instruction 10, which “may be an e-mail, browser, terminal
`
`server, or other software application running on Node A,”arrives from
`
`network 5 to application 15. Jd. at 7:15-18. Application 15 issues a request
`
`for system resources 35, and this request is routed through reference monitor
`
`25 to determineif the request violates administrative policies. Jd. at 7:18—
`23. Reference monitor 25, using interceptors 26 that are inserted into the
`
`request’s communication paths, may allow application 15 to access system
`
`resources 35, or the reference monitor may prevent the access request and
`
`workwith event agent 45 and event processing server 100 to provide
`
`adaptive security protection to node A.
`
`/d. at 5:61-64, 7:23—-33. “Reference
`
`Monitor 25 may perform basic analysis on the instruction [] 10 and
`
`communicate with Event Agent 45 in 40 asto its nature, as defined by
`
`current administrative policy.” Jd. at 7:33-36.
`
`Event Agent 45 then sends a notification regarding instruction 10 via
`
`network5 to transceiver 115 in event processing server 100, and instruction
`
`engine 135 processesthe notification to determine an appropriate response
`
`to the instruction. Jd. at 7:36-47. “Instruction Engine 135 determines
`
`whether an update to administrative policies is warranted, and determines
`
`other steps to be taken, including placing NodeA in quarantine, defining
`
`system operations which may not be performed on Node A,tuning Node A’s
`
`operating system, or modifying network or firewall parameters.” Jd.
`
`at 7:47-53. Instruction engine 35 sendsits response via transceiver 115 and
`
`network 5 to event agent 45 in NodeA.
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Figure 2 of Gladstone, reproduced below,is another embodimentof a
`
`network security system that diagnoses an attack on one computer node and
`
`acts to prevent subsequent attacks on another computer node. Jd. at 8:7—10.
`
`FIGURE2.
`
`{
`
`0A
`
`1Application
`SA
`
`20A
`
`
`
`Node Al
`
`2 3
`
`04
`
`
`
`
`Reference
`458
`
`Monitor=|}--40A-+1 Event Agent
`SA
`
`EventAgent
`
`,
`
`|
`
`
`
`
`
`
`
`/
`
`\50A
`
`1908
`
`
`Disk
`35A
`
`|
`
`
`
`Figure 2 depicts first computer node A in communication with event
`
`processing server 100, similar to the embodiment of Figure 1, with the
`
`addition of second computer node B. Event processing server 100 uses
`
`information obtained in response to a malicious request at node A to
`
`transmit updated administrative policies to event agent 45B and reference
`
`monitor 35B at node B, thereby preventing potentially damaging activity
`
`from affecting other nodes of the network. Jd. at 8:24-31, 43-55.
`
`10
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`2.
`
`Overview of Ji (Exhibit 1005)
`
`Ji is directed to detecting and preventing operation of computer
`
`viruses and other types of malicious computer code. Ex. 1005, 1:5—7. Ji
`
`describes the developmentof Internet-based application programs, such as
`
`Java applets, that allow seamless integration of network code with local
`
`computer resources. Jd. at 1:9-15, 26-27. Because these applets are given
`
`access to local computer resources such as the hard disk drive, however,
`
`they can also pose a security risk to users. Id. at 1:15—19. Code scanning
`
`programsthat can analyze and monitor applets have been developed, which
`
`include static scanning done on the server or run-time monitoring done on
`
`the local client. Jd. at 1:63-66, 2:65-67. According to Ji, conventional
`
`applet monitoring systems cause an imbalance betweenthe load of the server
`
`and the client, and Ji describes a combination of static scanning and run-time
`
`monitoring that distributes the respective loads evenly. Id. at 1:65—2:4.
`
`Figure | of Ji, reproduced below,illustrates one embodiment of an
`
`applet scanner system. Jd. at 4:55—56.
`
`11
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`
`Server Machine
`2
`wane
`
`
`
`HTIP Proxy Server
`
`
`
`
`
`Client Machine
`
`
`
` 30
`
`Local Resources
`
`FIG.
`
`1.
`
`Figure 1 depicts an applet scanner system including client machine 14
`
`and server machine 20 connected to Internet 10. “Upon receipt of a
`
`particular Java applet, the HTTP proxyserver 32, which is software running
`
`on server machine 20 and which has associated scannersoftware 26, then
`
`scans the applet and instruments it using an instrumenter 28 whichis part of
`
`scanner software 26.” Id. at 4:66—-5:3. If a suspicious instruction thatcalls
`
`an insecure function is found during this static scanning, the Java applet
`
`code sequenceis instrumentedto insert a first instruction sequence (pre-
`
`filter) before that suspicious instruction and a second instruction sequence
`(post-filter) after that instruction. Jd. at 5:16-27. Ji provides the following
`example of code that disallows a suspicious function of directory listing
`
`access (“java.IO.File.list”) on the client computer:
`
`12
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`pre-filter(function_name, parameters)
`
`if (Function_name == “java.io. File.list”)
`throw newSecurityException();
`
`1Sp
`
`ost-filter(result)
`
`}
`
`Id. at 5:44-6:9, 6:10—20.
`
`The instrumenter generates a call to pre-filter function, “with the
`
`nameof the suspicious function, parameters to the suspicious function, and
`
`possibly other information about[t]his suspicious function invocation as the
`
`parameters.” Jd. at 5:44-61. The pre-filter checks the security policy
`
`associated with scanner 26 and decides whetherthe particular instruction is
`
`allowed. Id. at 5:33-36. The secondinstruction sequence generatesa call to
`a post-filter function provided by the scanner, and reports the result of the
`call to the post-filter function. Jd. at 5:37-40. Ji describes that this static
`
`scanning and instrumentation are both performed on HTTPproxy server32.
`
`Id. at 5:41-43.
`
`3.
`
`Overview of Chander (Exhibit 1008)
`
`Chanderis directed to mobile code security by Java bytecode
`
`instrumentation. Ex. 1008, 1 (see Title). Chander explains that, although
`
`the Java Virtual Machine (“JVM”) includes steps to verify programs and
`
`perform run-time tests, the Java mobile code maystill behave in waysthat
`
`are harmful to users. Jd. at 1 (see Abstract). Chander describes an improved
`
`security technique called bytecode instrumentation that inserts additional
`
`13
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`run-timetests into Java code using class modification or method-level
`
`modification.
`
`/d. at 2.
`
`According to Chander, method-level modification can be “applied on
`
`a method-by-method basis without regard to class hierarchy restrictions.”
`
`Id. Chander describes a first example of a method modification, where the
`
`method “Thread.setPriority[]” is replaced with a safer version of the method
`
`“Safe$Thread:setPriority[]” that “does not allow threads spawned by mobile
`
`code to have higherpriority than a user-specified upper limit defined in class
`
`Safe$Thread.” Jd. at 4. The safeguarding method
`
`“Safe$Thread:setPriority[]” takes the priority integer value “I” of the
`
`original method and comparesit to the safeguard upperlimit; if the priority
`
`value I is higher than this upperlimit, then the priority valueis set to this
`
`upper limit and the “Thread.setPriority[]” method is invoked with the
`
`verified priority value I. Jd.
`
`In a second a second example of a method modification, an applet is
`
`prevented from disclosing a user’s confidential information through email by
`
`blocking a connection to a particular port on the web server.
`
`/d. at 10-11.
`
`The method “Socket.<init>[]” is replaced by the safeguard method
`
`“SafeSSocket:init” that monitors the port number“I” for every socket
`
`connection request, and will establish the socket connection unless the port
`
`number“T”is the particular port on the web serverto be blocked.
`
`/d. at 11.
`
`Figure 5, reproduced below,depicts the basic architecture of
`
`Chander’s sytem. Jd. at 5.
`
`14
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`Web
`Server
`
`Modified
`
` Intemet
`
`2)
`
`
`
`
`
`
`Bytecode
`Filter
`
`Figure 5. Architecture for instrumenting Java applets
`
`Figure 5 illustrates a system including a web browser running on a
`
`networked computer (element on right side, labeled as running a “Modified
`
`Applet”), which is connected to an Internet Web Server via a network proxy
`
`and the Internet. Jd. at 5; see also id. at 1 (networked computer executing
`
`Java). When the web browser requests a web pageor applet, the request
`
`goes through the networkproxy to the web server, which responds by
`
`sending the requested data to the proxy. Jd. at 5. If the request was for a
`
`Java applet, “the proxy will pass the applet code to the bytecode filter,”
`
`whichthen “will examine the bytecode for potential risks and modify the
`
`bytecode before sending the code for execution to the web browser.” Id.
`
`Thus, “the web browseronly receives bytecode that has been screened.” Jd.
`
`Chander further describes the proxy, which “also has accessto a repository
`
`of Java classes, including secure safe classes that can be substituted for
`
`standard library classes and implementations of user-interface methods.” Id.
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`D.
`
`Reasonable Likelihood Determination
`
`After considering Petitioner’s contentions and Patent Owner’s
`
`arguments in opposition, we are not persuaded that Petitioner has
`
`demonstrated a reasonable likelihood of prevailing in showing that the
`
`challenged claim would have been obvious overthe asserted priorart.
`
`For both asserted grounds, Petitioner relies on Gladstone’s event
`
`processing server as teaching the “security computer” that inspects the input
`
`of a first function, and indicates whetherit is safe to invoke a second
`
`function with the input. Pet. 29-30, 62-64. We determinethat Petitioner
`
`has not shown a reasonable likelihood of prevailing in its assertion that it
`
`would have been obvious to combine Gladstone’s event processing server
`
`with either Ji or Chander.
`
`1.
`
`Gladstone and Ji Combination
`
`Petitioner summarizes the asserted combination as follows: “The
`
`proposed combination adds Ji’s server with scannerto the perimeter of
`
`Gladstone’s network in order to deliver instrumented applets to Gladstone’s
`
`nodes. The two references would cometogether as shownin the diagram
`
`below based on figures from Ji and Gladstone and annotated in color.”
`
`Pet. 25. Reproduced below is theannotated diagram providedin the Petition
`
`showingPetitioner’s overall contentions of how Ji and Gladstone would
`
`have been combined. Jd.
`
`16
`
`
`
`a0
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`oaO
`
`o~~
`wy
`ne]
`
`(t“Btq)Ur
`
`The diagram above mergesFigure 1 of Ji with Figure 2 of Gladstone
`
`to illustrate the combination of Ji’s Server Machine (including Scanner 25)
`
`(colored in purple) with Gladstone’s Nodes (A and B) (colored in blue) and
`
`event processing server 100 (colored in red). We discussfirst Petitioner’s
`
`contention that Ji’s pre-filter code would have been modified and
`
`Petitioner’s contention of the motivation to combine the teachings ofJi’s
`
`pre-filter code with Gladstone’s nodes and event processing server. Second,
`
`wediscuss how Petitioner’s argument of modification of Ji, in view of
`
`Gladstone’s teachings,is not persuasive to show that claim 1 would have
`
`been obviousover the alleged combination.
`
`17
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Petitioner’s Contentions Regarding the Modification ofJi
`Claim | requires a “transmitter for transmitting the input to the
`
`security computer for inspection, whenthe first function is invoked.”
`
`Petitioner identifies the Gladstone event agent within the node as the
`
`transmitter. Pet. 34-35. Gladstone’s event agent, however, transmits an
`
`event messageor notification, not an “input” of a functioncall.
`
`Nevertheless, Petitioner asserts that Gladstone’s event agent would transmit
`
`the recited “input” when thefirst function was invoked because the
`
`Gladstone node instead would execute Ji’s pre-filter code. Jd. at 35.
`
`Petitioner explains the combination as a “modification of Ji’: “Modifying
`
`Ji’s pre-filter functions to transmit the input to the remote security computer
`
`via Gladstone’s transmitter is relatively simple and requires only a few
`
`additional lines of code relative to the examples provided in Ji.” Jd. at 36.
`
`To support this statement Petitioner cites the Nielson Declaration,at
`
`paragraph 73.
`
`Essentially, and according to Petitioner’s theory of obviousness, Ji is
`
`modified so that the pre-filter code—inserted in the applet at the server
`
`during scanning—runs on the Gladstone node and transmits “security
`
`checks” to Gladstone’s event processing server, instead of performing
`
`“security checks” locally at the node.
`Claim 1 also requires a “receiver for receiving an indicator from the
`security computer whetherit is safe to invoke the second function with the
`input.” Here too Petitioner relies on Gladstone’s event agent as receiving
`
`notifications from Gladstone’s event processing server.
`
`/d. at 37-38.
`
`Petitioner contends that Gladstone’s server determines whetherthe
`
`individual notification received from the nodes warrant policy updates and
`
`18
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`determines whether to quarantine the node, define operations that may not
`
`be performed, or tune operating system, firewall, or network parameters. Id.
`
`at 39 (citing Ex. 1006, 6:54-65). Petitioner relies on claim 1 of Gladstone,
`
`whichstates that a policy message from the server comprises “disallowing
`
`the access request to continue along the communication path,” as meaning
`that Gladstone’s nodes receive an indication whether the “input” is unsafe.
`
`Id. at 39. Accordingto Petitioner, “the means by which Gladstone’s Server
`
`disallows the access request would simply be by sending a value that forces
`
`the if function to evaluate to ‘true’ such that an exception is thrown before
`
`the original (‘second’) function is invoked.” Jd. at 40 (citing Ex. 1004,
`
`(“Nielson Decl.”’) 4 78; Ex. 1005 6:15-16 and 6:31-32).
`
`Contentions Regarding Motivation to Combine
`According to Petitioner, the combination of Ji and Gladstoneis
`predictable and the modificationistrivial, because a remote service can be
`accessed by a normal methodcall, but is actually a request to a remote
`
`computer. Pet. 43. Petitioner refers to “minimalalteration” of Ji’s pre-filter
`
`code so that instead of Ji performing the security checksat the node for
`
`whichthe applet is intended,Ji transfers the security check to a remote
`computer, i.e., Gladstone’s event processing server. Jd. (citing Nielson Decl.
`
`{4 55, 73, 78). When comparing the Ji pre-filter code with the Gladstone
`
`Reference Monitor, Petitioner asserts that Ji’s pre-filter code is also a
`
`“reference monitor” because the security check is inserted directly into the
`
`code. Id. at 42-43.
`
`Additionally, Petitioner alleges that a person of ordinaryskill in the
`
`art would have been “motivated to apply Ji’s technique for delivering
`
`reference monitors from the proxy to the problem ofinstalling Gladstone’s
`
`19
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`Reference Monitor on each node.” Id. at 44. Accordingto Petitioner, Ji
`
`teaches a motivation because it recognizesthatit is easier to deploy code
`
`from a single server (read here Ji’s proxy server with the scanner), rather
`
`than “installing software manually on every individual node in Gladstone’s
`
`network.” Jd. at 45. Finally, Petitioner asserts that the combination would
`
`have been motivated by Gladstoneitself, because Gladstone teaches using a
`
`_ centralized server, and it would have beena design incentive to modify Ji’s
`
`pre-filter code for use with a centralized sever, becauseit “dramatically
`
`improves system security.” Jd. at 47 (citing Nielson Decl. 4 56).
`
`Patent Owner’s Exemplary Arguments
`Patent Ownerchallenges Petitioner’s assertion that Ji’s pre-filter
`
`function transmits the input to the remote computer. Prelim. Resp. 26-28.
`
`Patent Ownerfocuses its arguments on Ji’s disclosure of the pre-filter code,
`
`and howit does not pass any input or parameter for inspection anywhere,
`
`and that Gladstone, even if combined with Ji, would not perform any such
`
`inspection because Gladstone only processes event messages. Jd. Patent
`
`Owneralso argues that what the Gladstone nodesreceive is a notification
`
`from the server after the “second tunction” has been invoked because the
`
`access requestis allowed to continue along the communication path.
`
`/d. at
`
`33-34.
`
`Alleged Trivial or Minimal Modifications
`The arguments by Patent Ownerraise the issue of whether Petitioner
`
`has demonstrated that the reasons for the combination of Ji and Gladstone
`
`are rational in light of their teachings. We see that Patent Owner focuses on
`
`distinguishing Ji’s pre-filter code as failing to teach passing of the inputs to a
`
`security computer as required. Petitioner’s contention, we note,is that Ji’s
`
`20
`
`
`
`IPR2019-00031
`Patent 8,141,154 B2
`
`pre-filter code would have been modified, with “trivial” changes or
`
`“minimalalteration,” to perform the transmission of the recited inputs at
`
`Gladstone’s nodes. Upon further inspection of the record, in an effort to
`
`ascertain the asserted modification of Ji, however, we discover eight
`
`separate listings of program code included in the Nielson Declaration as
`
`“Listings.” Ex. 1004, Appendix A. Noneof the “Listings” identify which
`
`portions of the codeare original to Ji and which are added. Thus, whatever
`
`alterations Ji’s pre-filter code may require were not madeclear in these
`
`Listings.
`|
`Further, it is evident that the Listings provide further modifications
`that the Petition does not explain meaningfully, and include various
`
`programsthat must be implemented in other parts of the system, such as
`
`adding code for “remote enforcement”at the server. See Ex. 1004, 91.
`
`These modifications of the server and the additional code that would be
`
`necessary for the server to work in conjunction with Ji’s modified code are
`
`glossed overin the Petition, subsumed within an explanation that the
`
`changesor additionsare “trivial” or “minimal.” But we are not persuaded
`
`that they are as such.
`
`Instead, these program listings show usthat although it is possible to
`
`modify Ji’s program to send an input to a remote computer to achieve the
`
`asserted combination of teachings, one would have needed the foresight of
`the claims. In other words, the reasons given by Petitioner to revise Ji’s pre-
`
`filter code would not compelalso the conclusion that Gladstone’s nodes
`
`would also need further modification and that additional security checks are
`
`to be implemented in Gladstone’s server. In our view, the modification of Ji
`
`21
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`and Gladstoneare the product of hindsight, not of a reasonable motivation to
`
`combine.
`
`Westart with the fact that Gladstone is designed for the nodes to
`
`apply locally a current pre-programmed administrative policy. See Ex.
`
`1006, 7:22-29, 7:33-38 (stating that the event agent at the node may,in
`
`addition to of instead of local protection, send the notification to the server
`
`as “defined by current administrative policy”). For example, Gladstone’s
`
`server receives event notifications from the node because, in accordance
`
`with the pre-programmedpolicy, the node’s event agent intercepted an
`
`access to a system resource, such as a disk. Ex. 1006, 8:7-23. Gladstone
`
`explains that the node sends the notification of the access to the server, but
`
`the access at the node has already occurred; the server,if it finds the access
`
`was potentially harmful, updates the node’s policy to prevent future accesses
`
`of the same type. Jd. at 8:24-42, 8:67-9:21 (explaining that the Gladstone
`
`server may also send a policy update to the other nodes in the network). The
`
`server may also determine whetherto quarantine the affected node, change
`operation of the affected node through defining operations that may not be
`performed, or tune the operating system. Id. at 6:54-62. Thus, although
`Gladstone provides for centralized event processing, to correlate seemingly
`
`innocuous networkactivity that turns out to be an attack in progress, it also
`
`allowsthe nodes to monitor themselves andto notify the server only of
`
`certain activities as dictated by the node’s pre-programmedpolicy, with the
`
`server updating the policies across nodesas the attack is detected. See id.;
`
`see also id. 6:63-7:13.
`
`In contrast, Ji anticipates that all Java applets and Active X
`
`componentsare to be secured before they are allowedto run in the node.
`
`22
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`Ji’s scanner instruments the applet to alter suspiciousinstructions before
`
`they are executed at the node. Ex. 1005, 3:45—56. In this manner, the
`
`instrumented applet of Ji includes the alternative instruction and can perform
`
`an alternative action when malicious code is encountered. Thus, Ji is
`
`designed to anticipate how much and whatprotection the nodeswill need at
`
`run-time. Petitioner’s theory of obviousness, however, modifies Ji to instead
`
`delegate the suspicious function check to a remote computer, even though Ji
`
`provides whatever code the nodes need to protect themselvesat run-time
`
`from applets and Active X components (or any other executable malicious
`
`program, accordingto Petitioner). Pet. 45 (stating that Ji can be used to
`
`distribute reference monitors for any type of application programs, not just
`
`Java applets).
`
`Therationale Petitioner provides for this purported delegation is not
`
`persuasive. Petitioner posits that the modification of Ji is an improvement
`
`motivated by Ji, because Ji’s delivery of instrumented applets avoids the
`
`expense of manual deploymentthat Gladstone utilizes. Pet. 44-45. This
`
`reason may motivate the automated delivery of code from Ji’s sever to
`
`Gladstone’s nodes, but goes no further to support the contention that Ji’s
`
`pre-filter code would have been modified to perform its security check at the
`
`Gladstone event processing server, instead of performing the check locally at
`
`the node.
`
`The secondrationale Petitioner provides fares no better. Petitioner
`
`posits that Gladstoneitself provides “the strongest motivation to use a
`
`centralized Server.” Jd. at 47. In particular, Petitioner argues that a
`
`centralized server is in a position to correlate events across nodes andcatch
`
`more advanced attacks. Jd. Petitioner alludes to it being well-knownfor a
`
`23
`
`
`
`IPR2019-0003 1
`Patent 8,141,154 B2
`
`centralized server to communicate with mult
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
