Fortinet Inc v. Sophos Inc

1. Case Identification

• Case #: IPR2015-00618
• Patent #: 8,261,344
• Filed: January 23, 2015
• Petitioner(s): Fortinet Inc.
• Patent Owner(s): Sophos LLC
• Challenged Claims: 1-2, 10, 13, 16-17

2. Patent Overview

• Title: Method and System for Classification of Software Using Characteristics and Combinations of Such Characteristics
• Brief Description: The ’344 patent discloses a method for classifying software, particularly malware, by extracting features referred to as "genes" from "functional blocks" of the software code. These extracted genes, which can be sequences of API calls and strings, are then compared against a library of known gene classifications to identify, report, and potentially block the software.

3. Grounds for Unpatentability

Ground 1: Anticipation by Bodorin - Claims 1-2 are anticipated by Bodorin.

• Prior Art Relied Upon: Bodorin (Patent 7,913,305).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Bodorin discloses every element of claims 1 and 2. Bodorin teaches a malware detection system that executes software in a virtual environment to record "interesting behaviors," which include API calls and strings. These recorded behaviors are compiled into a "behavior signature." Petitioner contended that Bodorin's "interesting behaviors" are analogous to the ’344 patent’s "genes" and "functional blocks." Bodorin then compares the generated signature against a "malware behavior signature store"—a repository of known malware signatures—which directly corresponds to the claimed "library of gene information." Finally, Bodorin reports when a match is found, thus teaching the final limitations of the claims.
  • Key Aspects: This ground relies on the premise that Bodorin’s behavior-based dynamic analysis system is structurally and functionally identical to the gene-based classification system claimed in the ’344 patent, especially under the broad claim constructions advanced by the Patent Owner in co-pending litigation.

Ground 2: Obviousness over Kissel and Apap - Claims 16-17 are obvious over Kissel in view of Apap.

• Prior Art Relied Upon: Kissel (Patent 7,373,644) and Apap (Patent 7,448,084).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground targets claims 16 and 17, which add limitations related to generating and updating software classifications by testing for false positives. Petitioner asserted that Kissel discloses the core method of detecting malicious code (in emails) by extracting "feature vectors" (analogous to a "set of genes") and comparing them to a "blocked feature instance library." Kissel further teaches updating this library based on whether a feature vector exceeds a certain maliciousness threshold, a process calibrated by "testing for false-positives." To the extent Kissel does not explicitly teach using reference files for this testing, Petitioner argued Apap supplies this element. Apap discloses an intrusion detection algorithm trained by comparing anomalous behavior against recorded normal behavior to calculate statistics like the "false positive rate," a well-known method for improving detection accuracy.
  • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine Kissel with Apap to improve the reliability of Kissel’s malware detection system. Since testing for false positives to refine detection algorithms was a common and understood practice, a POSITA would have been motivated to implement the specific reference-based testing method from Apap to enhance the library update mechanism in Kissel.
  • Expectation of Success: A POSITA would have a high expectation of success, as combining these known elements—a feature-based detection system and a standard false-positive reduction technique—involved applying a predictable solution to improve a known system.

Ground 3: Obviousness over Bodorin, Kissel, and Apap - Claims 16-17 are obvious over Bodorin in view of Kissel and Apap.

• Prior Art Relied Upon: Bodorin (Patent 7,913,305), Kissel (Patent 7,373,644), and Apap (Patent 7,448,084).

• Core Argument for this Ground:

  • Prior Art Mapping: Petitioner argued this combination teaches the method of claims 16 and 17. Bodorin provides the foundational system of generating behavior signatures ("genes") and comparing them to a signature store ("library"). Bodorin explicitly states that its signature store should be "periodically updated" to account for new malware but does not specify how. The combination of Kissel and Apap, as argued in Ground 2, teaches the precise method for performing such an update: testing the generated signatures for false positives against reference files and then storing the tested signatures to update the library.
  • Motivation to Combine: A POSITA, recognizing Bodorin's stated need to update its malware signature store, would be motivated to implement an effective and known updating method. The technique taught by Kissel and Apap—using false-positive testing to ensure the accuracy of new library entries—provides a direct and advantageous solution to Bodorin's challenge of keeping its detection database current and reliable.
  • Expectation of Success: The combination was argued to be a predictable integration of known technologies to achieve a desired, explicitly stated goal (updating a malware signature library).

• Additional Grounds: Petitioner asserted additional anticipation challenges against claims 1, 2, 10, and 13 based on Kissel and Chen (Patent 5,951,698), and an obviousness challenge against claims 10 and 13 based on Bodorin alone. These grounds relied on similar mappings of prior art malware detection features to the challenged claims.

4. Key Claim Construction Positions

Petitioner's invalidity arguments were predicated on adopting the broad claim constructions that the Patent Owner allegedly advanced in parallel district court litigation. Petitioner argued these constructions should apply for the inter partes review (IPR).

• "gene": Petitioner proposed construing this term as "a piece of functionality or property of a program," based on the Patent Owner's litigation position. Petitioner argued that this broad construction reads on prior art systems that analyze any software characteristic, such as the "interesting behaviors" in Bodorin or the "features" in Kissel.
• "functional block": Petitioner proposed construing this term as "a segment of the program that illustrates the function and execution flow of the program." This broad definition was argued to encompass prior art that analyzes program "behaviors," "instructions," or other functional segments, thereby bringing references like Bodorin and Chen within the scope of the claims.

5. Relief Requested

• Petitioner requests institution of IPR and cancellation of claims 1-2, 10, 13, and 16-17 of the ’344 patent as unpatentable.